Security Basics mailing list archives

Re: Protecting a server


From: Aarón Mizrachi <unmanarc () gmail com>
Date: Sat, 24 Jan 2009 04:36:23 -0430

On Thursday 22 January 2009 09:14:28 rapha.ottoni () gmail com wrote:
Hi guys,

First I would like to apologize for my bad English. Then I want to ask your
help to protect one of my servers. By now I have a server with a real IP at
the edge of my network which runs these services: Nagios on port 5667, ssh
on 22, ajp13 on 8009, domain on 80 and http-proxy on 8080. Knowing these
services I would like to ask what kind of attacks I should expect and what
are the solutions to protect it from those attacks.


Hi rapha. I will make you some basic recommendations.

1. First of all: Keep updated. Automatic updates... 

2. One of the biggest problems today in network security is product 
lifetimes and maintenance... So, keeping automatic updates on isn't enough. You 
must keep a notepad with planned migration dates... 

Why?... Suppose that you are using "ubuntu vX.YZ"; this version of ubuntu has 
a maintenance period and an expiration date... If you continue using this 
version after the expiration date, no updates are guaranteed. I recommend you 
plan a migration about 6 months before that happens...
 
3. (Especially focused on WEB) Plan every non-automated update of software... 
Some software doesn't come with automatic updates... (like CMSs)... You must 
have a periodic update plan for this kind of software.

4. (Especially focused on WEB) Audit all homemade code... I'm assuming that you 
are using jsp or something else... Common attacks start at the application level 
and not at the service level... That means that an attacker will look for 
vulnerabilities like:

- SQL Injection
- File Injection
- XSS
- Input validation
- etc...

Starting with these vulns, an attacker will escalate on the system, and may 
reach root.

5. Hardening jsp... Look for guides and configuration examples that isolate any 
damage caused by an unexpectedly successful attack. An example on php (not jsp) is 
to use safe mode, SELinux, php suExec, and security modules... 

6. Disable and uninstall every unused property/software/service... (Ex. 
disable support for the CGI directory, uninstall NFS, uninstall compilers, check 
for unused services, etc...)

7. Firewall every non-public port... 

Some recommendations:

- Nagios Collector and Proxy/5667 must be opened only to the computers concerned 
(Nagios clients). 
- SSH/22: check your authentication method... it could be public. I recommend you 
use public-key authentication.
- ajp13 connector/8009: This service is generally used only from apache... 
(apache<->ajp13...) Keep it listening on 127.0.0.1 unless you have more 
servers using this server as an application server.
- domain on 80 or 53?: Domain on 53.... Check for zone transfers; an "allow zone 
transfer: none" setting would be useful. Also keep it open only to the LAN.
- http on 80?: OK on both sides, WAN/LAN.
- http-proxy on 8080: keep it listening only on the LAN. Some reverse proxy 
attacks and new techniques may be used against this service...

8. Using an IDS like snort could prevent an attack... You need to be aware of 
the logs and periodically check them.

9. Keep an eye on your logs... A useful application is "Logwatch"; it summarizes 
important log information and makes it easy to monitor.

Recently, it was attacked by a Romanian guy who was able to insert some
shell scripts in /var/tmp as user www-data. I am quite certain that he was
using an exploit for apache1. Searching a little on the web I found this site
http://budacsik.blog.hu/2008/11/23/backdoor_bindtty that has most of the
scripts that he tried to use. Oh, almost forgot to say, once he entered as
www-data he started a brute-force against ssh on my network (luckily, he failed)
as well as an su root brute-force with a dictionary (failed again, since we
don't use the root user). At last he tried to open a backdoor for himself.

He was an average attacker... and be careful of EVERY FILE that you are moving 
from the old server to the new server... A medium-high profile attacker will modify 
some files from your homemade applications to hide a backdoor and keep access.

Usually, and for our own tranquility, these kinds of attacks are trophy 
attacks... and are being executed by average attackers and sometimes by 
automated scripts. 


Guys, once again I would like to apologize for my English, and thanks for your
patience,


grateful,

Raphael Ottoni Santiago Machado de Faria


You need to be aware that network/computer security is a meticulous process, 
and you are trying to reach a balance between usability, costs and risks... 

Extreme security will be very expensive and will impact the usability of this 
server... But low security will lead to disaster, information leakage, data 
loss, etc.

You need to make a risk evaluation to know how far you need to go on 
security... I'm writing here the basics... but I don't know anything about the 
kind of information that you are managing. Sometimes you need to do 
periodic backups, sometimes not. Sometimes you need to authenticate proxy 
users, and sometimes not. Sometimes you need to train your people, sometimes 
that isn't necessary... It always depends on that balance and risk management.
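Item 4 above names SQL injection and input validation as the first things an attacker looks for in homemade web code. The following is an added example, not code from the original thread or from the poster's application: a username lookup against an in-memory SQLite table of constructed rows, written once the "homemade" way with the request parameter pasted into the SQL text, and once with allow-list validation plus a bound query parameter. The table, the sample users and the `USERNAME_RE` pattern are assumptions made for the demonstration; the poster's application is jsp, where the same pair of patterns corresponds to string-built SQL versus a PreparedStatement.

```python
import re
import sqlite3
from typing import List

# Constructed sample table: two users with placeholder password hashes.
SAMPLE_USERS = [("alice", "hash-of-alice-pw"), ("bob", "hash-of-bob-pw")]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the constructed sample users."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, pw_hash TEXT NOT NULL)")
    con.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return con


def find_user_vulnerable(con: sqlite3.Connection, name: str) -> List[str]:
    """The pattern item 4 warns about: the request parameter is pasted straight
    into the SQL text, so a quote character in `name` closes the string literal
    and whatever follows is executed as SQL."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in con.execute(sql)]


# Allow-list for usernames (the input validation step, an assumed policy):
# anything outside this shape is rejected before it reaches the database.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def find_user_safe(con: sqlite3.Connection, name: str) -> List[str]:
    """Hardened version: validate the input's shape, then bind it as a query
    parameter. The driver sends the value separately from the SQL text, so it is
    only ever compared as data and can never change the query's structure."""
    if not USERNAME_RE.fullmatch(name):
        raise ValueError(f"rejected username of length {len(name)}: not in allow-list")
    cur = con.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in cur]


if __name__ == "__main__":
    db = make_db()
    # A legitimate lookup behaves the same either way.
    print(find_user_vulnerable(db, "alice"), find_user_safe(db, "alice"))
    # The textbook tautology probe: the vulnerable query returns every row,
    # the hardened one refuses the input before it is ever sent to SQLite.
    probe = "' OR '1'='1"
    print(find_user_vulnerable(db, probe))
    try:
        find_user_safe(db, probe)
    except ValueError as exc:
        print("safe version:", exc)
```

The validation step is not a substitute for the bound parameter: the parameter is what prevents the input from becoming SQL, while the allow-list keeps junk out of the database and gives the logs (item 9) a clean rejection line to watch for.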
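Item 7 lists which of rapha's ports should be reachable from where. As an added example (not from the original post, and not from Nagios, apache or any other tool named in it), here is that policy written down as data, rendered into a default-deny iptables INPUT chain as a dry run, and checked against a constructed `ss -lnt` listing of what the server is actually binding. The addresses (10.0.0.0/24 for the LAN, 10.0.0.5 and 10.0.0.6 for the Nagios hosts) and the listing are placeholders; the NFS listener on 2049 is included only to show how a service item 6 says to uninstall would show up.

```python
import ipaddress
from typing import Dict, List, Tuple

# Policy for the services named in the thread: port -> source networks allowed
# to reach it. Every address is a constructed placeholder: 10.0.0.0/24 stands
# for the LAN, 10.0.0.5 and 10.0.0.6 for the Nagios hosts.
LOOPBACK = "127.0.0.1/32"
POLICY: Dict[int, List[str]] = {
    22:   ["0.0.0.0/0"],                    # ssh: public, but use public-key auth
    53:   ["10.0.0.0/24"],                  # domain: LAN only
    80:   ["0.0.0.0/0"],                    # http: WAN and LAN
    5667: ["10.0.0.5/32", "10.0.0.6/32"],   # Nagios collector: Nagios clients only
    8009: [LOOPBACK],                       # ajp13: apache on the same box only
    8080: ["10.0.0.0/24"],                  # http-proxy: LAN only
}

# Constructed `ss -lnt` output for the server, including an NFS listener (2049)
# that item 6 would have removed.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:80          0.0.0.0:*
LISTEN 0      128    0.0.0.0:8080        0.0.0.0:*
LISTEN 0      128    127.0.0.1:8009      0.0.0.0:*
LISTEN 0      128    0.0.0.0:5667        0.0.0.0:*
LISTEN 0      128    0.0.0.0:2049        0.0.0.0:*
"""

# Bind addresses that mean "every interface".
WILDCARDS = {"0.0.0.0", "*", "[::]", "::"}


def iptables_rules(policy: Dict[int, List[str]]) -> List[str]:
    """Render the policy as a default-deny INPUT chain. Returns the commands as
    text (a dry run) so they can be reviewed or diffed before being applied."""
    rules = [
        "iptables -P INPUT DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for port, sources in sorted(policy.items()):
        protos = ("udp", "tcp") if port == 53 else ("tcp",)   # DNS needs both
        for src in sources:
            ipaddress.ip_network(src)   # reject typos before they reach the firewall
            if src == LOOPBACK:
                continue                # covered by the lo rule; nothing else may reach it
            for proto in protos:
                rules.append(f"iptables -A INPUT -p {proto} --dport {port} -s {src} -j ACCEPT")
    return rules


def parse_ss(output: str) -> List[Tuple[str, int]]:
    """Turn `ss -lnt` output into (bind_address, port) pairs, skipping the header."""
    listeners = []
    for line in output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)
        listeners.append((addr, int(port)))
    return listeners


def audit_bindings(policy: Dict[int, List[str]], listeners: List[Tuple[str, int]]) -> List[str]:
    """Compare what is actually listening with the policy and report the gaps."""
    findings = []
    for addr, port in listeners:
        if port not in policy:
            findings.append(f"port {port} listens on {addr} but is not in the policy: uninstall it or add a rule")
        elif policy[port] == [LOOPBACK] and addr != "127.0.0.1":
            findings.append(f"port {port} must bind 127.0.0.1 only, but binds {addr}")
        elif addr in WILDCARDS and policy[port] != ["0.0.0.0/0"]:
            findings.append(f"port {port} binds every interface; the firewall must limit it to {', '.join(policy[port])}")
    return findings


if __name__ == "__main__":
    print("\n".join(iptables_rules(POLICY)))
    for finding in audit_bindings(POLICY, parse_ss(SAMPLE_SS)):
        print("FINDING:", finding)
```

The script only prints the rules; apply them by hand after reviewing them. The audit can see nothing but bind addresses, so a service that binds every interface is acceptable only when the firewall rule that narrows it is actually loaded, and a service the policy says is loopback-only (ajp13 here) is better fixed in its own configuration than papered over with a firewall rule.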


