Security Basics mailing list archives
Re: Protecting a server
From: Aarón Mizrachi <unmanarc () gmail com>
Date: Sat, 24 Jan 2009 04:36:23 -0430
On Thursday 22 January 2009 09:14:28 rapha.ottoni () gmail com wrote:
> Hi guys, first I would like to apologize for my bad English. Then I want to ask your help to protect one of my servers. By now I have a server with a real IP at the edge of my network which runs these services: Nagios on port 5667, ssh on 22, ajp13 on 8009, domain on 80 and http-proxy on 8080. Knowing these services, I would like to ask what kind of attacks should I expect and what are the solutions to protect it from those attacks.
Hi rapha. I would make you some basic recommendations.

1. First of all: keep updated. Automatic updates...

2. One of the biggest problems today in network security is product lifetimes and maintenance... So keeping automatic updates on isn't enough. You must keep a notepad with planned migration dates... Why?... Suppose that you are using "ubuntu vX.YZ"; this version of Ubuntu has a maintenance period and an expiration date... If you continue using this version after the expiration date, no updates are guaranteed. I recommend you plan a migration about 6 months before that happens...

3. (Especially focused on WEB) Plan every non-automated update of software... Some software doesn't come with automatic updates (like CMSs)... You must have a periodic update plan for this kind of software.

4. (Especially focused on WEB) Audit all homemade code... I'm assuming that you are using JSP or something else... Common attacks start at the application level and not at the service level... That means that an attacker will look for vulnerabilities like:
- SQL Injection
- File Injection
- XSS
- Input validation
- etc...
Starting with these vulns, an attacker will grow up on the system, and may reach root.

5. Hardening JSP... Look for guides and configuration examples that isolate any damage caused by an unexpectedly successful attack. An example on PHP (not JSP) is to use safe mode, use SELinux, use PHP suExec, and security modules...

6. Disable and uninstall every unused property/software/service... (e.g. disable support for the CGI directory, uninstall NFS, uninstall compilers, check for unused services, etc...)

7. Firewall every nonpublic port... Some recommendations:
- Nagios Collector and Proxy/5667 must be opened only to concerned computers (Nagios clients).
- SSH/22: check your authentication method... could be public. I recommend you use public-key authentication.
- ajp13 connector/8009: This service is generally used only from Apache (apache<->ajp13...). Keep it listening on 127.0.0.1 unless you have more servers using this server as an application server.
- domain on 80 or 53?: Domain on 53.... Check for zone-transfers; "allow zone transfer none" would be useful. Also keep it only opened to the LAN.
- http on 80?: OK both sides WAN/LAN.
- http-proxy on 8080: keep it listening only on the LAN. Some reverse proxy attacks and new techniques must be used on this service...

8. Using IDSs like Snort could prevent an attack... You need to be aware of logs and periodically check them.

9. Keep eyes on your logs... A useful application is "Logwatch"; it summarizes important log information and makes it easy to monitor.
> Recently, it was attacked by a Romanian guy who was able to insert some shell scripts in /var/tmp as user www-data. I am quite certain that he was using an exploit for apache1. Searching a little on the web I found this site http://budacsik.blog.hu/2008/11/23/backdoor_bindtty that has most of the scripts that he tried to use. Oh, almost forgot to say, once he entered as www-data he started a brute-force ssh on my network (luckily, he failed) as well as an su root brute-force with a dictionary (failed again, since we don't use the root user). At last he tried to open a backdoor for himself.
He was an average attacker... and be careful of EVERY FILE that you are moving from the old server to the new server... A medium-high profile attacker will modify some files from your homemade applications to hide a backdoor and keep access. Usually, and for our own tranquility, these kinds of attacks are trophy attacks... and are being executed by average attackers and sometimes by automated scripts.
> Guys, once again I would like to apologize for my English, and thanks for your patience. Grateful, Raphael Ottoni Santiago Machado de Faria
You need to be aware that network/computer security is a meticulous process, and you are trying to reach a balance between usability, costs and risks... Extreme security will be very expensive and will impact the usability of this server... But low security will lead to a disaster: information leakage, data loss, etc. You need to make a risk evaluation to know how far you need to go on security... I'm writing here the basics... but I don't know anything about the kind of information that you are managing. Sometimes you need to do periodic backups, sometimes not. Sometimes you need to authenticate proxy users, and sometimes not. Sometimes you need to train your people, sometimes that isn't necessary... It always depends on that balance and risk management.
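As an added example (not code from the thread or from either poster), a small Python check that turns item 7 of the reply into a bind-address policy and audits the server's listening sockets against it. The LAN range, the `ss -H -ltn` input shape and the sample socket lines are assumed/constructed, and the ambiguous "domain" port is left out of the policy.

```python
import ipaddress
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN range (placeholder)
POLICY = {  # port -> most exposure allowed, following the reply's item 7
    8009: "loopback",  # ajp13: only Apache on this host should reach it
    5667: "lan",       # Nagios: only the monitored hosts on the LAN
    8080: "lan",       # http-proxy: LAN clients only
    22: "public",      # SSH: public, but with public-key auth (not checked here)
    80: "public",      # HTTP: open to WAN and LAN
}
RANK = {"loopback": 0, "lan": 1, "public": 2}
# Constructed sample in the shape of `ss -H -ltn` output (not a real capture)
SAMPLE_SS = """\
LISTEN 0 128 127.0.0.1:8009 0.0.0.0:*
LISTEN 0 128 0.0.0.0:5667 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 *:80 *:*
LISTEN 0 128 192.168.1.10:8080 0.0.0.0:*
LISTEN 0 128 0.0.0.0:2049 0.0.0.0:*
"""

def parse_ss(text):
    """Return (bind_address, port) pairs from `ss -ltn` style lines."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # also handles [::]:22
        sockets.append((addr.strip("[]"), int(port)))
    return sockets

def exposure(addr):
    """Classify a bind address as loopback, lan or public (wildcards = public)."""
    if addr in ("*", "0.0.0.0", "::"):
        return "public"
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    return "lan" if ip.version == 4 and ip in LAN else "public"

def audit(text):
    """List sockets more exposed than POLICY allows, or not covered by it."""
    findings = []
    for addr, port in parse_ss(text):
        allowed = POLICY.get(port)
        if allowed is None:
            findings.append(f"{addr}:{port} listens but is not in the policy")
        elif RANK[exposure(addr)] > RANK[allowed]:
            findings.append(f"{addr}:{port} is {exposure(addr)}, policy allows {allowed}")
    return findings
```

On the sample above it flags the Nagios collector bound to 0.0.0.0 (should be LAN-only or firewalled to the Nagios clients) and an unexpected NFS port, which item 6 says to uninstall; run it on real `ss -H -ltn` output to get the same findings for your host.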