Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
System configuration best practices for server security
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
Amity88
Apprentice
Apprentice


Joined: 03 Jul 2010
Posts: 209
Location: Third planet from the Sun

PostPosted: Tue Jan 10, 2017 4:37 am    Post subject: System configuration best practices for server security Reply with quote

Hi,
Could you guys help guide me on the things that I need to look into and the critical settings that needs to be set in order to end up with a computer that is relatively safe from being broken into. Here are the things I already do:

1) Monitoring
1.1) Set up Syslog-ng (but the information in the logs seem insufficient)
1.2) Set up AIDE to checksum system files (but I'm not really able to separate expected changes from the unexpected ones)
2) Defense
2.1) IPtables are configured to block all incoming except the ones I specifically allow and packets that are a part of an existing connection.
2.2) efi and boot partitions are set to not auto mount because in the past my computer had abruptly erased the boot sector after leaving it on overnight.
2.3) running certain applications (like irssi) as a user with minimal rights
_________________
Ant P. wrote:
The enterprise distros sell their binaries. Canonical sells their users.


Also... Be ignorant... Be happy! :)
Back to top
View user's profile Send private message
augustin
Guru
Guru


Joined: 23 Feb 2015
Posts: 318

PostPosted: Tue Jan 10, 2017 5:09 am    Post subject: Reply with quote

A related question, in passing:
is there a wiki page somewhere with a checklist for the above?
Back to top
View user's profile Send private message
ct85711
Veteran
Veteran


Joined: 27 Sep 2005
Posts: 1692

PostPosted: Tue Jan 10, 2017 5:14 am    Post subject: Reply with quote

well, 2 more things you may want to do, is first setup some kind of backup routine (a raid setup is not a backup).
The other item, to help provide some protection, is setting up like Snort, while Aide is nice for monitoring file integrity, it doesn't really monitor for other issues.
Back to top
View user's profile Send private message
mvaterlaus
Apprentice
Apprentice


Joined: 01 Oct 2010
Posts: 202
Location: Switzerland

PostPosted: Tue Jan 10, 2017 9:38 am    Post subject: Reply with quote

hi,
have you looked at the gentoo security handbook [1]? It has a lot of information about about securing gentoo. Also, there are a lot of advanced topics. If you would tell us, what services you are running on that host, we could help you better.

Further questions are:

    * What kernel sources do you use? hardened-sources? do you have grsec or SELinux enabled?
    * What libc do you use? There are more security focused glib implementations than glibc (like musl)


[1]https://wiki.gentoo.org/wiki/Security_Handbook
_________________
For calming down your eyes or clearing your mind: www.patrickwehli.ch
Back to top
View user's profile Send private message
cboldt
l33t
l33t


Joined: 24 Aug 2005
Posts: 829

PostPosted: Tue Jan 10, 2017 11:36 am    Post subject: Reply with quote

use a strong password for root
do not run telnetd
secure each service you allow

I wrote a homebrew script that takes advantage of syslog-ng's ability to direct log messages to a program. The script watches for errors in sshd, mail, dovecot, and certain activity logged by iptables. I am amazed at the amount of probing that comes from the outside.

https://forums.gentoo.org/viewtopic-t-1017864-start-0.html

You don't need the complication of the script and its dynamic banning. You will learn quite a bit if you use syslog-ng to direct certain program output to a file that is monitored.

Code:

filter f_sshd_warn { program(sshd) and message("Failed "); };
log { source(src); filter(f_sshd_warn); destination(watch-logs); };

filter f_imap_warn { program(dovecot) and message("no auth attempts "); };
log { source(src); filter(f_imap_warn); destination(watch-logs); };

filter f_mail      { facility(mail); };
filter f_warn     { level(warn); };
log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); destination(watch-logs); };


In my case, "destination(watch-logs)" is a script that reacts to input on stdin. But "destination(watch-logs)" could more easily be a logfile. It would contain a mix of warnings from sshd, dovecot, and mail.
Back to top
View user's profile Send private message
Amity88
Apprentice
Apprentice


Joined: 03 Jul 2010
Posts: 209
Location: Third planet from the Sun

PostPosted: Tue Jan 10, 2017 2:12 pm    Post subject: Reply with quote

@mvaterlaus,
I'm running vsftpd and sshd inside a VM, both of them configured to listen on different interfaces. One of the interfaces is open to the internet while the other one faces the LAN. It's a personal file server of sorts and I'm using hardened kernel. However, I haven't enabled any MAC yet. I feel that SELinux is too fine grained, complex and prone to misconfiguration.

I was hoping that the virtualization would give an additional layer of protection but a few days ago my efi partition got corrupted somehow and the disk looked okay when I checked it offline. The recent logs were missing also, so I'm not entirely sure what happened.

I'm chasing the fundamentals though, like proper log configurations etc. The stuff @ct85711 suggested sounds good, I'm gonna look into using Snort and also the watch-logs.sh that @cboldt mentioned.
_________________
Ant P. wrote:
The enterprise distros sell their binaries. Canonical sells their users.


Also... Be ignorant... Be happy! :)
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 42596
Location: 56N 3W

PostPosted: Tue Jan 10, 2017 2:34 pm    Post subject: Reply with quote

Amity88,

SELinux and Grsecurity have different aims.

SELinux assumes that everything is working perfectly and only authorised users have access to the system.
It aims to prevent these authorised users doing things that they are not authorised to do.
Grsecurity assumes that everything is not working perfectly and aims to limit the damage caused by potential exploits.
That's an over simplification but the broad brush is correct.
e.g. grsecurity will add 'canary values' to stacks and check that they are still there later. If not, there has been a buffer overflow and the app will be killed.
You need an entire hardened install, not just a hardened kernel and yes, there is a performance impact. Security comes at a price.

Security is like the layers of an onion, the more you add, the 'better' your security and the more invasive your security measures become.
You need to choose the layers to guard against your threat model.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 13512

PostPosted: Wed Jan 11, 2017 2:08 am    Post subject: Reply with quote

Your remark about irssi is a good start. In general, you want as many things as possible to run with the bare minimum permissions necessary for them to do their jobs. High risk processes that have no business writing to certain filesystems can be in a chroot with those filesystems mounted read-only.

Every filesystem that can be mounted noexec,nodev without breaking something should be. Any filesystem that cannot be mounted noexec, but can be mounted nosuid, should be. (Caution: improper use of these options can break the running system in ways that may require a reboot to recover; if you have the option set to activate on boot, you might need a recovery environment to undo the change. Learn exactly what these do and test carefully before scheduling any changes to activate on boot.)

Every process that has no business running privileged children should have enabled PR_SET_NO_NEW_PRIVS (see man prctl for what this is; use /usr/bin/setpriv --no-new-privs to run child processes with the flag enabled), so that any children it runs cannot elevate through execve (barring a kernel bug, of course).
Back to top
View user's profile Send private message
mvaterlaus
Apprentice
Apprentice


Joined: 01 Oct 2010
Posts: 202
Location: Switzerland

PostPosted: Wed Jan 11, 2017 10:01 am    Post subject: Reply with quote

Amity88 wrote:

I'm running vsftpd and sshd inside a VM, both of them configured to listen on different interfaces.

Since you didn't mention which service listens on WAN, I will suggest the following:


    * Make sure to use certificate based authentication for ssh when this service is exposed to the WAN interface. When certificate based authentication is running, disable password logins to ssh.
    * If vsftpd is facing the WAN interface, make sure you have enabled ssl (only the tls option) and regenerated the certificate as described in [1]


Also, as mentioned by NeddySeagoon, GRSecurity will add some overhead and needs a hardened profile to be selected. But since it is a personal fileserver, I would look in into that, because I suppose you can live with a little performance impact.

[1]http://wiki.vpslink.com/Configuring_vsftpd_for_secure_connections_%28TLS/SSL/SFTP%29


[edit]formatting[/edit]
_________________
For calming down your eyes or clearing your mind: www.patrickwehli.ch
Back to top
View user's profile Send private message
Ordinateur91
n00b
n00b


Joined: 25 Oct 2016
Posts: 15

PostPosted: Tue Jan 17, 2017 10:54 am    Post subject: Reply with quote

I agree with NeddySeagoon, SELinux and Grsecurity are both good, however used for different purposes. SELinux is more for when everything works, and Grsecurity is for when it doesn't work perfectly and there might be potential exploits. On an additional note, does anybody have experience with Fail2ban as a security framework? Apparently it can be used on all Linux systems. I stumbled upon this article about it: https://www.1and1.com/digitalguide/server/security/securing-servers-with-fail2ban/. It would be great if someone has experience with it and could share with us.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum