Gentoo Forums

Web server security issues [solved]
orange_juice
Guru
Joined: 16 Feb 2006
Posts: 588
Location: Athens - Greece

PostPosted: Mon Jul 03, 2006 5:21 pm    Post subject: Web server security issues [solved] Reply with quote

---COMPLETELY REPHRASED VERSION---

Hallo!

I have built a system in grips with the Gentoo Security Handbook, using the hardened toolchain with PIE/SSP and having grsec and PaX enabled in the system-specific, tailored kernel.

In this system I need to be running one service: Apache web server on port 80.

I am not sure I can chroot Apache since it will be proxying zope, necessary to run plone. On apache, however, I will enable mod_security.

What I need are tools which can help me learn how to perform the following:

1) Detect IPs that will be acting in a malicious way towards my web server and ban them for e.g. 30 minutes.
2) Monitor and ban possible traffic that has nothing to do with my website e.g. someone performing an invasive attack towards my computer.
3) Make sure that if an attack is successful I will be notified of the possible changes through my logs.

According to the above needs, a beautiful answer would be:

You need a Host-Based Intrusion Detection System (HIDS) and a Network Intrusion Detection System (NIDS) such as AIDE and SNORT.

However,...

My question is:

Since my box will be a dedicated web server, is it possible that the time needed to learn how to configure SNORT and AIDE properly, renders those two options an overkill? In other words, the complexity of those full blown applications has to do with the difficulty of the task they have to confront with, or it has also to do with the elevated needs of more complicated network setups than a dedicated web-server running plone?

Kind regards,
orange_juice

------------------------------------------
---OLD VERSION---
Hallo!

Searching on the net, I have found the following solutions for enhanced security for my web server:

a) SNORT
b) Psad
c) Portsentry

I consider Snort as the one that includes the others. Am I wrong?

What is the difference between Psad and Portsentry?

Is it better that those solutions were installed only on my Openbsd box serving as firewall and apache reverse proxy, or they should also be included on my actual Gentoo web server?

(I am currently using IPCop with Snort enabled, but I plan to build an OpenBSD firewall as a way of learning through practicing.)

I would appreciate your advice on any of the subjects.

Kind regards,
orange_juice


Last edited by orange_juice on Fri Jul 07, 2006 11:05 am; edited 5 times in total
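An added example, not from the thread, of the log-driven ban logic that point 1 of the question asks for (the kind of thing fail2ban or mod_security rules would do): it scans constructed Apache combined-format access log lines, counts 4xx responses per client inside a short window and renders an iptables DROP rule for port 80 with a 30-minute expiry. The threshold, the window and the sample addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in Apache "combined" log format (not from the original post).
SAMPLE_LOG = """\
203.0.113.7 - - [03/Jul/2006:17:21:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Jul/2006:17:21:02 +0000] "GET /admin HTTP/1.1" 404 210 "-" "scanner/1.0"
198.51.100.9 - - [03/Jul/2006:17:21:02 +0000] "GET /phpmyadmin HTTP/1.1" 404 210 "-" "scanner/1.0"
198.51.100.9 - - [03/Jul/2006:17:21:03 +0000] "GET /cgi-bin/test HTTP/1.1" 404 210 "-" "scanner/1.0"
198.51.100.9 - - [03/Jul/2006:17:21:03 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "scanner/1.0"
198.51.100.9 - - [03/Jul/2006:17:21:04 +0000] "GET /manager/html HTTP/1.1" 404 210 "-" "scanner/1.0"
203.0.113.7 - - [03/Jul/2006:17:21:05 +0000] "GET /missing.png HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

# client IP, timestamp and status code are all we need from each line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')
THRESHOLD = 5                      # assumed: 4xx responses within WINDOW that trigger a ban
WINDOW = timedelta(seconds=60)     # assumed sliding window
BAN_FOR = timedelta(minutes=30)    # the 30-minute ban the question mentions

def parse(line):
    """Return (ip, datetime, status) or None for a line that is not in the expected format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), int(status)

def find_bans(log_text):
    """Return {ip: ban_expiry} for clients with >= THRESHOLD 4xx responses inside WINDOW."""
    recent = defaultdict(deque)   # per-IP timestamps of recent 4xx responses
    bans = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue              # unparseable line: skip rather than crash the watcher
        ip, when, status = rec
        if ip in bans and when < bans[ip]:
            continue              # already banned at this point in the log
        if 400 <= status < 500:
            q = recent[ip]
            q.append(when)
            while q and when - q[0] > WINDOW:
                q.popleft()       # drop events that fell out of the window
            if len(q) >= THRESHOLD:
                bans[ip] = when + BAN_FOR
                q.clear()
    return bans

def iptables_rules(bans):
    """Render each ban as an iptables command for port 80 (rendered only, never executed here)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 80 -j DROP  # until {exp:%H:%M}" for ip, exp in bans.items()]
```

The rules are only rendered; applying them and removing them again at the expiry time (for example from a cron job) is left to the operator.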
gtfx123
n00b
Joined: 17 Apr 2005
Posts: 23

PostPosted: Tue Jul 04, 2006 9:09 am    Post subject: Reply with quote

If you already have a firewall to take care of network/ports/ACL level security requirements, you can certainly add them again on the webserver with, say, iptables, etc. However, to further your security model, you may want to consider adding a mod_security layer on your (Apache) webserver.
orange_juice
Guru
Joined: 16 Feb 2006
Posts: 588
Location: Athens - Greece

PostPosted: Tue Jul 04, 2006 5:36 pm    Post subject: Reply with quote

Thank you for your reply.

I think that now I have a fresh mind and I will take the opportunity to make my question more clear.

Kind regards,
orange_juice
lxg
Veteran
Joined: 12 Nov 2005
Posts: 1019
Location: Aachen, Germany

PostPosted: Tue Jul 04, 2006 11:47 pm    Post subject: Reply with quote

Maybe Prelude is an option for you?
_________________
lxg.de – codebits and tech talk
orange_juice
Guru
Joined: 16 Feb 2006
Posts: 588
Location: Athens - Greece

PostPosted: Wed Jul 05, 2006 9:25 pm    Post subject: Reply with quote

Thank you very much for both your suggestions!

I think that tomorrow I will have a very interesting digging around to perform!

I will not put [solved] yet, I need some time to get in close grips with all that worthful and new interesting details...

I'll be back!

Kind regards,
orange_juice
orange_juice
Guru
Joined: 16 Feb 2006
Posts: 588
Location: Athens - Greece

PostPosted: Thu Jul 06, 2006 8:13 pm    Post subject: Reply with quote

Sounds astonishing!!!

This is the plan I figured out: (However, this is only imagination, meaning lack of experience, since I am not familiar with those applications.)

DMZ Network with 3 computers: a) firewall b) snort sniffer, remote logging box, website's database backup, rsync server, ntp server, etc c) dedicated web server

Each computer will have:

1) Firewall
2) Psad to support the firewall
3) Portsentry to monitor open ports
4) AIDE
5) Nagios
6) Fail2ban for certain applications on open ports if needed.

a) The firewall will be an OpenBSD box with chrooted Apache serving as a reverse proxy with mod_security enabled.
b) The Snort sniffer etc. will be a Gentoo box struggling with all that stuff.
c) The dedicated web server will be a dedicated Gentoo box running Plone/Zope and Apache proxying Zope.

Prelude will be lying above all this system to centralize the security results with its reverse relaying feature and give the information to a gentoo desktop at the home network.

How does this sound... extraterrestrial? The idea is to learn through building the system.

Kind regards,
orange_juice
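An added example, not part of the post, of the file-integrity check that AIDE (item 4 of the per-box list, and point 3 of the original question) performs: a baseline of hash, mode and size is taken for every file under a document root, the tree is modified, and the comparison reports added, removed and changed paths. The temporary directory and its files are constructed for the demo; a real baseline would be stored off-box, as the plan's remote logging host suggests.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(root):
    """Snapshot every regular file under root: relative path -> (sha256, mode, size)."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)   # lstat so a symlink swapped in for a file is noticed as a change
            snap[os.path.relpath(p, root)] = (sha256_of(p), st.st_mode, st.st_size)
    return snap

def compare(old, new):
    """Return sorted lists of added, removed and changed paths between two snapshots."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return added, removed, changed

def demo():
    """Constructed scenario: baseline a throwaway document root, then alter it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "cgi-bin"))
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<h1>hello</h1>\n")
    with open(os.path.join(root, "cgi-bin", "app.py"), "w") as f:
        f.write("print('ok')\n")
    before = baseline(root)
    # three kinds of change a defender wants reported: edited content, new file, mode change
    with open(os.path.join(root, "index.html"), "a") as f:
        f.write("<!-- unexpected edit -->\n")
    with open(os.path.join(root, "cgi-bin", "unexpected.py"), "w") as f:
        f.write("# file that was not in the baseline\n")
    os.chmod(os.path.join(root, "cgi-bin", "app.py"), 0o4755)   # setuid bit added, content untouched
    return compare(before, baseline(root))

if __name__ == "__main__":
    added, removed, changed = demo()
    print("added:", added, "removed:", removed, "changed:", changed)
```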
lxg
Veteran
Joined: 12 Nov 2005
Posts: 1019
Location: Aachen, Germany

PostPosted: Thu Jul 06, 2006 8:42 pm    Post subject: Reply with quote

Alright, now tell us... which bank do you work for? Or is it the CIA? ;)
_________________
lxg.de – codebits and tech talk
orange_juice
Guru
Joined: 16 Feb 2006
Posts: 588
Location: Athens - Greece

PostPosted: Thu Jul 06, 2006 11:10 pm    Post subject: Reply with quote

:lol:

But... I did not apply selinux!

:roll:

I started the project of a home web-server a couple of months ago, and the idea was to keep it as simple as possible. I just re-read my post and ... :oops:

But my idea is to have a standard secure base-setup on a CD-ROM (or DVD-ROM, as it seems...) and then emerge the necessary applications for a certain box so as further development (in case that a network grows bigger) is feasible without much fuss.

After all the searching, newer and newer issues were arising, most of them regarding security and kiddies!

I just came to this conclusion bearing in mind that I need a robust and security-conscious setup that can handle some further development, like being expanded into a small home-based business run by 1 or 2 people. If this project is about to have its base on the equipment I am currently building, they have to stand up for themselves even in a critical situation regarding some cracker that is having fun while his victim is trying to convince some people that they can surely find a nice potential solution for one of their needs, online at his web-site...

This is the idea, not that I am paranoid about security or even afraid of myself! I need to be sure that the possibility of a cracker having fun will not prove to be catastrophic at the completely wrong moment! And of course learn all the way through!

I have the luxury of being dedicated to this idea day and night and I hope that I will manage to come up with a solution close to the Gentoo philosophy: Last summer, it took me 3 months to build my first Gentoo desktop and in September I was able to reproduce it from my backups in almost one hour. Through trial and error, I learned, and now I can build from scratch a decent desktop in about one week with all compiling and new deeper learning issues included. And the result... a very robust and powerful "computer-related imaginative provider of incitation" inside a piece of computer equipment. This experience was and still is unforgettable!

This is my story more or less. Thank you for giving me the opportunity to share it because I need to say that in a very difficult period in my life, I found the philosophy of people behind linux and Gentoo, like a drip of water in the desert of every Micro$oft's "heaven" (metaphorically speaking for all the aspects of someone's life)... Thank you!!!

Kind regards,
orange_juice
orange_juice
Guru
Joined: 16 Feb 2006
Posts: 588
Location: Athens - Greece

PostPosted: Fri Jul 07, 2006 11:33 am    Post subject: Reply with quote

OK... I am kind of... extroverted while writing... I just... feel it loud!

Must be the Mediterranean temperament...

Anyway! 8)

Kind regards,
orange_juice