majoron Apprentice
Joined: 12 Oct 2005 Posts: 239 Location: Frankfurt
Posted: Tue Apr 29, 2014 8:48 am Post subject: advice for little server
Hello,
I'm going to install Linux on a server, and I have decided to go for Gentoo, which is my favourite distro for many reasons.
But my experience with servers is limited, so I would like to ask for suggestions from more experienced people.
Some requirements:
- X
- MySQL
- Apache
- Django
- Java
- Security: It is NOT going to provide a critical service. Security will not be the most important thing, not at all. Still, of course, we want a reasonable level of security.
Things that I would like to get opinions about:
- kernel options
- Recommended profile. Hardened? I would say no, but I'm not really sure...
- Other important components: logging system(?), bootloader(Grub?), filesystems (ext4?), ...
- USE flags
- Some simple security suggestions?
Another thing I would like to know (I'm sure there must be some documents around, but I don't find what I'm looking for) is: a recommended policy of system upgrades for servers. Do you know some kind of "official" link for that?
TIA.
Best regards
_________________
Computers are like air conditioners, they stop working properly if you open Windows

schorsch_76 Guru
Joined: 19 Jun 2012 Posts: 450
Posted: Tue Apr 29, 2014 12:31 pm
My recommendation:
-X
-Java
+Security
+fail2ban
+shorewall
+hardened profile
+regular backup
+rkhunter
+chkrootkit
+wiretrap
+openvpn
If you design the server from the beginning, not with respect to security, you will for sure get hacked (and deserve to get hacked) and the server will be misused. In Germany you can get into real trouble if _your_ server is used as a spam sending machine. [1]
Some points to consider:
* SSH not on default port
* long and secure passwords
* SSH better use keyfile instead of password
* Disallow root to login, only by regular user and su
* Maybe allow ssh only via VPN
[1] http://serverzeit.de/tutorials/admins-haften

majoron Apprentice
Joined: 12 Oct 2005 Posts: 239 Location: Frankfurt
Posted: Mon May 05, 2014 2:33 pm
schorsch_76 wrote: | My recommendation:
-X
-Java
+Security
+fail2ban
+shorewall
+hardened profile
+regular backup
+rkhunter
+chkrootkit
+wiretrap
+openvpn
If you design the server from the beginning, not with respect to security, you will for sure get hacked (and deserve to get hacked) and the server will be misused. In Germany you can get into real trouble if _your_ server is used as a spam sending machine. [1]
Some points to consider:
* SSH not on default port
* long and secure passwords
* SSH better use keyfile instead of password
* Disallow root to login, only by regular user and su
* Maybe allow ssh only via VPN
[1] http://serverzeit.de/tutorials/admins-haften |
Thanks a lot for the answer!
I think most of the suggestions are ok. Some of them are not viable. For the rest, I have some questions/comments:
- I have convinced my folks here to avoid X, which makes me relatively happy.
- Although I must say that I don't like Java, and I don't trust very much when a programming language is under the control of a big company, apparently Java is not optional in this project. Still, I'm curious about what is the argument in favour of banning Java for the sake of security, particularly given the ubiquity of Java.
- What do you mean by "+Security"? Do you mean "@security" (the portage set)? Or are you talking about some specific program?
- Why simultaneously rkhunter and chkrootkit? Aren't they both rootkit finders?
- wiretrap? Do you mean "wiretap", or some other sniffer in general?
- Does it really help to use a different port for ssh?
Thank you again, and best regards.

frostschutz Advocate
Joined: 22 Feb 2005 Posts: 2977 Location: Germany
Posted: Mon May 05, 2014 7:25 pm
majoron wrote: | Does it really help to use a different port for ssh? |
the logs are more readable. I use another port myself just for that. No real security involved, though.
security? configure your services properly, don't run unnecessary services in the first place. if you want to do odd things not required for your application, like running an openvpn or irc bouncer on the side - do that on another server, any cheap vserver will do.
Proper configuration of the services you offer is so much more important than, say, hardened or watertight iptables... if your sshd allows plaintext passwords and your password is root123 then well, no one can help you really
don't give anyone access you don't trust intimately, and... oh well

1clue Advocate
Joined: 05 Feb 2006 Posts: 2569
Posted: Mon May 05, 2014 7:45 pm
Speaking about ports, I'd say for sure go above 5000, and preferably above 10,000. I'd do that for every remote terminal connection, and/or a VPN.
It does nothing with respect to a serious attempt, but most of the generic port scanning of non-named sites happens on ports 1-5000, because that's where the common standard services are. The higher you go, the less likely that somebody will "accidentally" stumble on your port.
+1 on no root login by remote, and +1 on requiring a key for ssh.
With regards to Java, Oracle (and Sun before them) have a pretty bad track record for security problems. That said, I'd recommend using the Oracle version above others. It seems that the Open Source community strongly dislikes Java and most don't take it seriously. I'm skeptical about their devotion to security fixes in that regard. As well, Oracle is the reference standard, so it's likely to be more universally compatible with apps.

szatox Advocate
Joined: 27 Aug 2013 Posts: 3150
Posted: Mon May 05, 2014 9:46 pm
I would not change standard ports because standards were introduced to make things easier to manage, remember, use, etc. And it's a really poor design in terms of security as it's security by obscurity, and a rather poor one. If someone can get your user's private key and root password, changing the port is not going to stop him. If he can't, changing the port makes no difference anyway.
So:
* Disable login on root (at least password login)
* preferably disable user login with password as well - but this might be hard to do in a real-life case. Well, at least it's reasonable as long as people know at least a bit about passwords. Show them some easy way to get an unbreakable password (4-5 words is a good password, first letters from a 10-word-long sentence will do fine too). Oh, and if you make passwords expire, you may be sure they will either choose weak passwords or write them down.
* fail2ban
* block on firewall everything except ports you actually WANT to be visible from outside world. Policy drop, then whitelist ssh, vpn, http/https and you're probably done.
* separating weird stuff with virtual machines might be a good idea. Qemu allows you to run several such machines with network interfaces bridged together with the physical NIC, so every single virtual server would have its own IP (and MAC)
filesystem: ext is nice, well tested etc, but IMO lacks checksums, which potentially puts you at risk of silent data corruption. This is something that needs some more digging into before saying whether or not it is an issue enough. Yes, sure, disks are supposed to keep their content, but you know, shit happens. Question is "how often" and "what a downside would be"
I do use ext myself, however with server I'd expect more storage.
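Added example, not part of any post in this thread: a small shell check for the sshd settings recommended above (no root password login, key instead of password login). It reads an sshd_config on stdin; the function name `audit_sshd` and the sample config are constructed for illustration.

```shell
#!/bin/sh
# sshd keeps the first value it reads for a keyword, and keywords are
# case-insensitive. Settings inside a Match block are conditional, so
# parsing stops at the first Match line and they are not counted.
audit_sshd() {
    awk '
        function check(key, ok,    v) {
            v = (key in val) ? val[key] : "unset"
            if (index(" " ok " ", " " v " ")) print "OK   " key " " v
            else { print "FAIL " key " " v; bad = 1 }
        }
        /^[ \t]*#/ || NF < 2 { next }          # comments, blank or bare lines
        tolower($1) == "match" { exit }        # END still runs after exit
        { k = tolower($1); if (!(k in val)) val[k] = tolower($2) }
        END {
            # unset fails here: the built-in default depends on the OpenSSH version
            check("permitrootlogin", "no prohibit-password without-password forced-commands-only")
            # unset fails here: the built-in default is yes
            check("passwordauthentication", "no")
            # unset passes here: the built-in default is yes
            check("pubkeyauthentication", "yes unset")
            exit bad + 0
        }
    '
}

# Constructed sample: a later "no" does not override the first "yes",
# and the PasswordAuthentication line only applies to one user.
SAMPLE_SSHD='# constructed sample sshd_config
Port 22022
PermitRootLogin yes
permitrootlogin no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication no'

printf '%s\n' "$SAMPLE_SSHD" | audit_sshd || echo "=> fix the FAIL lines"
```

On a live system, `audit_sshd < /etc/ssh/sshd_config` gives the same report and a non-zero exit status when a check fails.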
1clue Advocate
Joined: 05 Feb 2006 Posts: 2569
Posted: Tue May 06, 2014 4:42 am
I've never really understood the reasoning behind that.
Yes, if all you're doing is changing ports then it's really a terrible security measure. But obscuring an outward facing port through which the public is not invited certainly can't hurt anything provided the other measures are taken as well.
EVERY ssh server I've ever had exposed on the standard port for any length of time has had brute force attacks. None of the high-numbered ports I've used have had them. While disabling root login and demanding a key definitely will make a huge difference, it also helps if the bad guys don't know the thing is there in the first place.
Whether or not the brute force attacks can be successful is important, but given the choice I'd rather not pay for the bandwidth being used by some joker trying to break in.
So, just to put things into perspective, let's say a strong password policy is worth a dollar, and requiring a key is worth a dollar fifty in security terms. The nonstandard port might only be worth a nickel, but 2.55 is more than 2.50, and it's one line of the file you're editing anyway. It takes an extra 20 seconds to change it.

Anon-E-moose Watchman
Joined: 23 May 2008 Posts: 6102 Location: Dallas area
Posted: Tue May 06, 2014 9:52 am
If possible with things like ssh it would be better to simply block out IP addresses that you know won't be used.
If one is in the US, does one really expect to access their machine from Russia, Saudi Arabia, Mexico, Europe, etc.?
For me, I keep it open for local machines, but closed to outside access.
And when I have traveled then I try and find out what provider they have where I'm traveling and only open those IP range(s)
_________________
PRIME x570-pro, 3700x, 6.1 zen kernel
gcc 13, profile 17.0 (custom bare multilib), openrc, wayland

schorsch_76 Guru
Joined: 19 Jun 2012 Posts: 450
Posted: Tue May 06, 2014 11:00 am
majoron wrote: | Thanks a lot for the answer!
I think most of the suggestions are ok. Some of them are not viable. For the rest, I have some questions/comments:
- I have convinced my folks here to avoid X, which makes me relatively happy.
- Although I must say that I don't like Java, and I don't trust very much when a programming language is under the control of a big company, apparently Java is not optional in this project. Still, I'm curious about what is the argument in favour of banning Java for the sake of security, particularly given the ubiquity of Java.
- What do you mean by "+Security"? Do you mean "@security" (the portage set)? Or are you talking about some specific program?
- Why simultaneously rkhunter and chkrootkit? Aren't they both rootkit finders?
- wiretrap? Do you mean "wiretap", or some other sniffer in general?
- Does it really help to use a different port for ssh?
Thank you again, and best regards. |
My point is that with +Security you should put a strong focus on security, because your initial post did indicate that security is really unimportant for you.
Java as a language has a really bad security reputation regarding bugs and security holes. If you need it, try to insulate its potential impact. Maybe a simple chroot for your apache/lighttpd/whatever or a qemu VM. Keyword: "Barrier around it"
rkhunter and chkrootkit are both run by crond. Both have different sets of signatures. They don't interfere with each other (unlike virus scanners on Windows).
I did mean wiretrap. The intrusion detection system.
About the ssh port, the others have already discussed it.

NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54300 Location: 56N 3W
Posted: Tue May 06, 2014 1:02 pm
rkhunter and chkrootkit may find rootkits - your only option then is to reinstall.
Have a look at tripwire - you need to store the signatures on another system.
Hardened is good - it makes attackers find an easier box to break into, which is really the object of security.
Any sufficiently determined attacker will find a way in.
Security is in layers.
Stopping them getting in.
Limiting the damage when they get in
Stopping them phoning home once they are in.
Hardened, with more than the default partitions, allows things to be mounted with -o ro,nodev,noexec ... and so on ... not all on the same partition.
e.g. /home and /tmp can both be -o noexec,nodev
There are other useful no options
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
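Added example, not part of the post above: a shell check that the mount points named there carry `nodev` and `noexec` in an fstab read on stdin. The function name `fstab_missing_opts` and the sample fstab are constructed for illustration.

```shell
#!/bin/sh
# usage: fstab_missing_opts OPT[,OPT...] MOUNTPOINT... < fstab
# Prints one line per problem and returns non-zero if there is any.
fstab_missing_opts() {
    want=$1; shift
    awk -v want="$want" -v mps="$*" '
        BEGIN {
            nw = split(want, w, ",")
            nm = split(mps, mp, " ")
            for (i = 1; i <= nm; i++) need[mp[i]] = 1
        }
        /^[ \t]*#/ || NF < 4 { next }          # comments and short lines
        ($2 in need) {                         # field 2: mount point, field 4: options
            seen[$2] = 1
            split("", has)                     # clear the per-line option set
            no = split($4, o, ",")
            for (i = 1; i <= no; i++) has[o[i]] = 1
            for (i = 1; i <= nw; i++)
                if (!(w[i] in has)) { print $2 ": missing " w[i]; bad = 1 }
        }
        END {
            # A path without its own entry shares the options of its parent filesystem.
            for (i = 1; i <= nm; i++)
                if (!(mp[i] in seen)) { print mp[i] ": no fstab entry"; bad = 1 }
            exit bad + 0
        }
    '
}

# Constructed sample fstab: /home lacks noexec, /tmp lives on the root filesystem.
SAMPLE_FSTAB='# constructed sample
/dev/sda1  /boot  ext2  noauto,noatime  1 2
/dev/sda3  /      ext4  noatime         0 1
/dev/sda5  /home  ext4  noatime,nodev   0 2
/dev/sda6  /var   ext4  noatime         0 2'

printf '%s\n' "$SAMPLE_FSTAB" | fstab_missing_opts nodev,noexec /home /tmp || true
```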
majoron Apprentice
Joined: 12 Oct 2005 Posts: 239 Location: Frankfurt
Posted: Tue May 06, 2014 3:08 pm
Thank you very much for the interesting discussion and suggestions.
Now, I'm digesting and deciding.
Best regards

majoron Apprentice
Joined: 12 Oct 2005 Posts: 239 Location: Frankfurt
Posted: Tue May 06, 2014 3:15 pm
Thank you, schorsch_76, for the reply.
schorsch_76 wrote: | I did mean wiretrap. The intrusion detection system. |
Do you have a link or the name of the package in portage?
Best