Author Topic: Linux (Web)server security  (Read 7564 times)

0 Members and 2 Guests are viewing this topic.

Offline Pillus

  • Serf
  • *
  • Posts: 21
  • Cookies: 2
  • RTFM
    • View Profile
    • ChaseNET
Linux (Web)server security
« on: March 28, 2011, 02:06:40 pm »
Here's one of my tutorials on linux security. It's not FULLY finished yet, and will get edited. But most of it is there already ;) Have fun.

I wanted to post a few tips on how you can easily secure your network on a debian based distro,

All written by us and is a part of tutorials i post on chasenet, please don't copy this without asking!

In this tutorial we will be using CSF/LFD (IPtable integrated firewalls), PSAD for anti portscans and DDoS-Deflate for protection against (D)DoS attacks, for more security on your server. We will also be using a webinterface on some places instead of console to make things easier for beginners as well, for this i choosed webmin, as it is intergrated into everything you can do on a linux system.


Before we start we would need to install apache/php and mysql on your server as well, not going to much into that you can read about how to easily do that on a debian based system HERE:
Code: [Select]
http://www.howtoforge.com/ubuntu_debian_lamp_server
Please also try to use an updated debian system so we don't have any crash on dependencies.
In some cases you might want to get the build-essential package as well
Code: [Select]
apt-get install build-essentialYou will also have to get syslog-ng for logging.
Code: [Select]
apt-get install syslog-ng

First step:
Installing webmin,

We start of with our web interface for easy management and set up of the firewall etc:
Code: [Select]
wget http://prdownloads.sourceforge.net/webadmin/webmin_1.500_all.deb
Installing webmin with:
Code: [Select]
dpkg -i webmin_1.500_all.deb
If you get an error saying you don't have all the dependencies just run:
Code: [Select]
apt-get -f install
So after this has installed itself you can easily access your webinterface by going to this address:
Code: [Select]
http://localhost:10000
If this now display a login page you have done it right.

Now we can start the fun part of setting up the firewall

Step two:
Installing and configuring CSF firewall

Downloading CSF:
Code: [Select]
wget http://configserver.com/free/csf.tgz
Untar the package:
Code: [Select]
tar xvzf csf.tgz
Switch to the csf directory
Code: [Select]
cd csf
And just run the install script:
Code: [Select]
sh install.sh
If this completed without errors we can now load csf into webmin.

Loading the module:
Log into your webmin interface and go to Webmin > Webmin Configuration > Webmin Modules.
On local file you fill in the path to the webmin module installed by csf,
Code: [Select]
/etc/csf/csfwebmin.tgzAnd press Install Module.

If this goes well you will now see "ConfigServer Security & Firewall" Under the SYSTEM tab in webmin.


Step three:
Configuring ConfigServer Security & Firewall

Go to the ConfigServer Security & Firewall tab in webmin and press "Firewall Configuration"
For this tutorial we will just fill out the easiest part of the configuration but feel free to explore more of the big potentials of CSF.

Change these areas of the config,

Stop running CSF in testmode:
Code: [Select]
TESTING=1 to TESTING=0
Set the open ports (here we will just fill in what we need at the moment)
Code: [Select]
TCP_IN=21,22,80,10000 21 for ftp, 22 for ssh, 80 for the www and 10000 for webmin (the last one here is very important to remember)
Code: [Select]
TCP_OUT=21,22,80,10000
Changing ICMP requests (optional) This will disable ping requests and answers. I personaly like to set this to off, so no specific ping attacks can be made with special packets.
Code: [Select]
ICMP_IN=0
Code: [Select]
ICMP_OUT=0
Protection against synflood (for webservers etc)
Code: [Select]
SYNFLOOD=1
Protection against portfloods
Code: [Select]
PORTFLOOD=1
That should be all, scroll down to the end and press CHANGE to save all the changes you have made to the config.

The usage of CSF will be explained in another tutorial later on, but the interface is very easy to understand. "View iptable logs" To see what csf have banned and why, "View LFD logs" to see what it has picked up as suspicious processes, who has logged in through ssh and if any portscans have been detected.


Step four:
Installing PSAD

As mentioned before, you would need to have syslog-ng installed before running psad properly, with this done, let's start!

Download and install psad:
Code: [Select]
apt-get install psad
Setup syslog-ng to log things from PSAD (You don't need to use nano if you like other editing tools better.
Code: [Select]
nano /etc/syslog-ng/syslog-ng.conf
Search for the "# pipes" Section and add this to the list:
Code: [Select]
destination psadpipe { pipe("/var/lib/psad/psadfifo"); };
Search for the "# filters" section of the config and add this line
Code: [Select]
filter f_kerninfo { facility(kern); };
And all the way on the bottom of the config, add these lines:
Code: [Select]
log {
        source(s_all);
        filter(f_kerninfo);
        destination(psadpipe);
};

Restart syslog-ng:
Code: [Select]
/etc/init.d/syslog-ng restart
Now we have the logging in place, and we can start configure psad:
Code: [Select]
nano /etc/psad/psad.conf
The most important parts will be these, fill them in with your own information:
Your email address
Code: [Select]
EMAIL_ADDRESSESYour Hostname (like http://localhost)
Code: [Select]
HOSTNAMESet home_net to not used:
Code: [Select]
HOME_NET                NOT_USED;  ### only one interface on boxIf you want to set ports to ignore on scans you can do it like this (optional):
Code: [Select]
IGNORE_PORTS                tcp/88, udp/3000;For IDS and iptable support:
Code: [Select]
ENABLE_AUTO_IDS             Y;
IPTABLES_BLOCK_METHOD       Y;

Now save and close the config.
Restart PSAD:
Code: [Select]
/etc/init.d/psad restart
Now all we need is to add two iptable rules so psad can use iptable logging, done with these two commands:
Code: [Select]
iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG

That was all for PSAD, it should now be up and running and scan reports can be made using this command:
Code: [Select]
psad -S

Step five:
Anti-DDoS
Setting up DDoS-Deflate is easier than you think, with just a few commands and changes,
Downloading and installing DDoS-Deflate:
Code: [Select]
wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh

To configure ddos deflate you will need to do a few small changes:
Open up the script in your favourite editor,
Code: [Select]
nano /usr/local/ddos/ddos.shScroll down to add_to_cron() and you will find 2x of these lines
Code: [Select]
service crond restartChange it to:
Code: [Select]
service cron restartSave and close the script and open up the ddos.conf:
Code: [Select]
nano /usr/local/ddos/ddos.confHere you can change how ddos should react in different situations and you can put your own config on these lines,

How often the script is going to run (minutes):
Code: [Select]
FREQ=1Number of connections a user will need to have at the same time before he get's banned by the script:
Code: [Select]
NO_OF_CONNECTIONS=30Set this to 0 to use IPtables since we don't use APF:
Code: [Select]
APF_BAN=0Kill connections or not:
Code: [Select]
KILL=1If you want emails of the banned IP's then set your email inside the "":
Code: [Select]
EMAIL_TO=""
Now save and close the config and run this command to add the script to crontab so it runs every minute:
Code: [Select]
/usr/local/ddos/ddos.sh --cron
A few extra things you might want to add to your linux servers for extra functionality against (D)DoS attacks:
Enable SYN_Cookies:
Code: [Select]
sysctl -w net.ipv4.tcp_syncookies=1Increase the Connection backlog, allowing more connections
Code: [Select]
sysctl -w net.ipv4.tcp_max_syn_backlog=2048
If you want to make it permanent just add them to the sysctl config in the /etc/sysctl dir so it will stay like that even after reboots.


And that's everything you need to set up a bit more security on your linux box, even if it's at home or on your server. Feel free to read around on the different documentation (provided by a google search) and implement more secure solutions and take use of all the other nice features these tools have.

If you have any questions please PM me or post here.

Not finished implemented in the guide yet:
PHPIDS
Mod_security
Gresecurity and PAX - Added
« Last Edit: March 29, 2011, 01:08:50 pm by Pillus »

Offline I_Learning_I

  • Knight
  • **
  • Posts: 267
  • Cookies: 26
  • Nor black or white, not even grey. What hat am I?
    • View Profile
    • Hacking F0r Fr33
Re: Linux (Web)server security
« Reply #1 on: March 29, 2011, 10:26:58 pm »
I know it-s not finished, but just to be sure, this won't in any way protect you from FIN,XMAS, NUL scans or so am I right?
After all, when you receive such requests you are forced to send a RST packet.
Just to clarify, there might be an option for it, although I don't think there is.
Thanks for reading,
I_Learning_I

Offline iyepb0

  • NULL
  • Posts: 3
  • Cookies: 0
    • View Profile
Re: Linux (Web)server security
« Reply #2 on: March 30, 2011, 11:28:08 am »
How about adding mod_security2 and fail2ban for server self support...
I prefer put those 2 in every server...  ;)
And sometimes with shorewall for an easy "coffe"mix...  :P

Offline Pillus

  • Serf
  • *
  • Posts: 21
  • Cookies: 2
  • RTFM
    • View Profile
    • ChaseNET
Re: Linux (Web)server security
« Reply #3 on: March 31, 2011, 09:42:02 am »
I know it-s not finished, but just to be sure, this won't in any way protect you from FIN,XMAS, NUL scans or so am I right?
After all, when you receive such requests you are forced to send a RST packet.
Just to clarify, there might be an option for it, although I don't think there is.

I know about XMAS and FIN, and CSF will in most times catch those. An XMAS packet (SYN,ACK,RST, FIN,URG,PSH) Should never be on a network anyway and csf automaticly drops those.

When it comes to NUL i don't know (those are the packets without flags right?) That i haven't tested yet, and it's a good question, i will come back after i tested it and add it to the guide if needed.


How about adding mod_security2 and fail2ban for server self support...
I prefer put those 2 in every server...  ;)
And sometimes with shorewall for an easy "coffe"mix...  :P

Fail2ban isn't needed since LFD (that is built into csf) has just the same features and is also intergrated into the firewall, makes it alot easier to follow with logs and automaticly ban rules in the firewall.

Mod_security is on the "todo" list.

And why need 2 firewalls? :P That's like shooting yourself in the foot with a shotgun :)


Offline I_Learning_I

  • Knight
  • **
  • Posts: 267
  • Cookies: 26
  • Nor black or white, not even grey. What hat am I?
    • View Profile
    • Hacking F0r Fr33
Re: Linux (Web)server security
« Reply #4 on: March 31, 2011, 10:06:33 am »
Thanks for the quick answer, I didn't know there were security measures against such scans, always thought nmap was 100% certain to succeed with certain scans.
Tell me when you've tested NULL scans :)
Thanks for reading,
I_Learning_I

Offline Pillus

  • Serf
  • *
  • Posts: 21
  • Cookies: 2
  • RTFM
    • View Profile
    • ChaseNET
Re: Linux (Web)server security
« Reply #5 on: March 31, 2011, 10:54:58 am »
Thanks for the quick answer, I didn't know there were security measures against such scans, always thought nmap was 100% certain to succeed with certain scans.
Tell me when you've tested NULL scans :)

I really need to update this guide, gonna do it later.

No need for me to start up portscan with CSF when we use PSAD in the guide. But as it seems, you CSF also blocks NULL packets.

When not using CSF, just PSAD, we can add this to iptables to fix :)

Code: [Select]
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULL Packets"
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -j DROP # NULL packets

Offline I_Learning_I

  • Knight
  • **
  • Posts: 267
  • Cookies: 26
  • Nor black or white, not even grey. What hat am I?
    • View Profile
    • Hacking F0r Fr33
Re: Linux (Web)server security
« Reply #6 on: April 02, 2011, 02:58:23 am »
Looks really good, which makes me wonder, why aren't there more websites or servers with those configurations?
I mean, service and OS fingerprint is something actually important, if it's so easy to block, why not do it?
Thanks for reading,
I_Learning_I

Offline Pillus

  • Serf
  • *
  • Posts: 21
  • Cookies: 2
  • RTFM
    • View Profile
    • ChaseNET
Re: Linux (Web)server security
« Reply #7 on: April 05, 2011, 10:04:14 pm »
Looks really good, which makes me wonder, why aren't there more websites or servers with those configurations?
I mean, service and OS fingerprint is something actually important, if it's so easy to block, why not do it?

Because most people either don't have the skill, or just don't give a damn, and you always have to sacrifice either functionality or security :p

Offline I_Learning_I

  • Knight
  • **
  • Posts: 267
  • Cookies: 26
  • Nor black or white, not even grey. What hat am I?
    • View Profile
    • Hacking F0r Fr33
Re: Linux (Web)server security
« Reply #8 on: April 06, 2011, 08:26:54 pm »
Well a XMAS scan could never occur in a real world situation, neither could a FIN scan, so I don't understand what functionality are you loosing in there :O
Unless you mean the waste of CPU resources with that, instead of being handling clients.
Thanks for reading,
I_Learning_I

Offline ZonTa

  • /dev/null
  • *
  • Posts: 10
  • Cookies: 0
  • -[s3cr3tz]-
    • View Profile
Re: Linux (Web)server security
« Reply #9 on: April 14, 2011, 03:30:40 am »
It wasn't finished when u posted in opensc a long time ago :\
- People Hate BlackHats , But They Ignore WhiteHats.
                                                                                 - NeX

Offline Techie

  • /dev/null
  • *
  • Posts: 9
  • Cookies: 0
  • Knowledge is no good unless it is shared & passed.
    • View Profile
    • Techie's Blog
Re: Linux (Web)server security
« Reply #10 on: November 17, 2011, 02:21:22 pm »
Will be useful. :)