Gentoo Forums
Networking & Security
most time-effective security tools/measures against zombies?
idiotprogrammer
Apprentice
Joined: 29 Jul 2002
Posts: 179
Location: Texas

PostPosted: Thu Jun 16, 2005 6:14 am    Post subject: most time-effective security tools/measures against zombies?

Hi, there, I'm reinstalling gentoo for my home web server. I expect it to get a good amount of traffic, though nothing on the level of a commercial server. (That could change over time, and I bought a fairly robust server for this possibility). I'll have a very small number of users with shell accounts.

Frankly, I fell behind on a lot of security things for my last server, namely, updating the emerge packages. I know, it is so easy in gentoo, but I am always falling behind on sys admin tasks.

I do a fair amount of programming and writing, and the sys admin stuff takes away valuable time. (I've toyed with the idea of going with hosting, but every time I examine my options, I prefer the flexibility of a home server).

I know a little bit about security and I have fairly good unix habits. My main goal is NOT protecting data or preventing DOS, but preventing a Chinese hacker from zombifying my web server. I do a lot of admin stuff using Webmin, and I'll be using postfix to do SMTP (for my web forms). Also, I'll have apache, mysql, the usual stuff.

For this second server, I'm going to spend more time to applying security patches/merges and I have a feeling that will solve a lot of my problems.

QUESTION: HOW OFTEN SHOULD I BE RECOMPILING THE KERNEL FOR SECURITY REASONS?
QUESTION: IS THERE ANY WAY TO FILTER MY emerge world just to see what security updates need to be applied. I am growing weary of doing this and finding that gcc or php is coming up in my emerge world list.

Here are some other things I'm considering. Can you give me an opinion about whether these things are worth the trouble to configure and maintain? Consider maintenance time along with strength.

iptables---overkill for me?
monit --anybody tried?
chkrootkit
quotas --will this have any impact on zombification?
snort--is this going to bug the hell out of me?
LIDS

Am I forgetting something?

I browsed a little bit on the security section and will probably do some more later. I mainly want comments about tools from the standpoint of maintenance time and effectiveness. Thanks.

Robert Nagle
idiotprogrammer
tukachinchila
Apprentice
Joined: 11 Mar 2005
Posts: 274
Location: Oregon

PostPosted: Thu Jun 16, 2005 8:12 am    Post subject:

The most likely way you'll get rooted is through easy to guess, or non-existent passwords. Sometimes people set up "test" accounts with no password or "test" as the password. Make sure you don't have anything like that. Gentoo also comes with a lot of accounts that you probably don't need for a webserver (e.g., audio, games, etc.). An easy fix is to delete any accounts you don't plan on using.

Quote:
QUESTION: HOW OFTEN SHOULD I BE RECOMPILING THE KERNEL FOR SECURITY REASONS?
I don't think it's too hard to recompile a kernel if you save the config file, so I always upgrade to the latest stable kernel. I think it's easier than monitoring kernel patches for remote exploit fixes.

Quote:
QUESTION: IS THERE ANY WAY TO FILTER MY emerge world just to see what security updates need to be applied.
Code:
emerge gentoolkit
glsa-check -l


Quote:
iptables---overkill for me?
You should be behind a hardware firewall, if not then you should use iptables.

Quote:
chkrootkit

chkrootkit is helpful, and so is rkhunter (which will also help you determine which services have security updates available).

Quote:
quotas --will this have any impact on zombification?
I doubt it. It's mainly going to prevent DoS.

Quote:
snort--is this going to bug the hell out of me?
There are a lot of worms that attack IIS (and have no effect on Apache other than lots of log entries) and snort will alert you to many of these. I find that Snort is most useful for reporting frequent attackers to their ISPs. If you're behind a firewall and keep your services up-to-date, I don't think you really need Snort or any IDS for your setup.

You shouldn't run any services you don't need (especially sshd). If you do need SSH consider looking into port-knocking, and public key encryption. If you know the IP address of the machine you want to connect to your server from, then set your firewall to only allow that machine access to port 22 on your server.

If you're only running MySQL for your website, then you should disallow remote access to MySQL.

You could really tighten things up by chrooting any services you run, and using one of the gentoo kernels that includes the grsecurity patch (e.g., gentoo-hardened sources). But setting up Apache with PHP in a chroot jail is a lot of work.

If you haven't had a chance yet, you might take a look at the gentoo security guide which has a lot of great advice: http://www.gentoo.org/doc/en/security/index.xml
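Added example, not code from the thread or from Gentoo: a small POSIX shell script that does two of the checks the reply above recommends. `audit_shadow` reads a shadow/passwd pair and reports accounts that can log in with no password at all, or that have a usable password on an account with a real login shell (the "test" account problem). `gen_rules` prints an iptables-restore ruleset for the setup described: default DROP on INPUT, HTTP/HTTPS open to everyone, SSH only from one known admin address, and nothing for MySQL so it stays reachable from localhost only. The admin address 203.0.113.5, the passwd/shadow lines and the assumption that no inbound SMTP is needed (postfix only sends mail from web forms) are all constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Two checks a practitioner would run
# on a fresh Gentoo web server, following the reply above:
#   audit_shadow SHADOW PASSWD  - accounts with no password, or with a usable
#                                 password and a real login shell
#   gen_rules ADMIN_IP          - iptables-restore ruleset: default DROP,
#                                 80/443 open, 22 only from ADMIN_IP, no 3306
# The admin address 203.0.113.5 and the passwd/shadow lines are constructed.

# Shadow field 2 is the hash: empty = login with no password; "!" or "*"
# prefix = locked; anything else = usable. A usable password only matters
# on an account whose passwd shell is not nologin/false.
audit_shadow() {
    shadow=$1; passwd=$2
    while IFS=: read -r user hash _rest; do
        case "$hash" in
            "")        echo "$user:EMPTY_PASSWORD" ;;
            "!"*|"*"*) ;;                          # locked, fine
            *)
                shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$passwd")
                case "$shell" in
                    */nologin|*/false|"") ;;
                    *) echo "$user:USABLE_PASSWORD_WITH_SHELL($shell)" ;;
                esac ;;
        esac
    done < "$shadow"
}

# Ruleset for a box that serves HTTP(S), takes SSH from one admin host, and
# sends mail out via postfix but accepts none in (web forms only). MySQL is
# left to the default DROP so it is reachable only over loopback. Review the
# output first, then apply it with:  gen_rules 203.0.113.5 | iptables-restore
gen_rules() {
    admin=$1
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -s $admin/32 -p tcp --dport 22 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}

# Constructed passwd/shadow pair for the demo: "test" has an empty password,
# "apache" is locked, root and robert have real-looking hashes and shells.
make_sample_files() {
    dir=$1
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'test:x:1001:1001::/home/test:/bin/bash' \
        'apache:x:81:81:apache:/var/www:/sbin/nologin' \
        'robert:x:1000:1000::/home/robert:/bin/bash' > "$dir/passwd"
    printf '%s\n' \
        'root:$1$saltsalt$constructedhash:12900:0:99999:7:::' \
        'test::12900:0:99999:7:::' \
        'apache:!:12900::::::' \
        'robert:$1$saltsalt$constructedhash:12900:0:99999:7:::' > "$dir/shadow"
}

demo() {
    d=$(mktemp -d)
    make_sample_files "$d"
    echo "== shadow audit (expect test:EMPTY_PASSWORD, root and robert flagged) =="
    audit_shadow "$d/shadow" "$d/passwd"
    echo "== firewall ruleset for admin host 203.0.113.5 =="
    gen_rules 203.0.113.5
    rm -rf "$d"
}
demo
```

On a real box run `audit_shadow /etc/shadow /etc/passwd` as root; every account it prints should either be one of the few shell users you intend to keep, be locked with `usermod -L`, or be deleted. The ruleset is written for iptables-restore rather than a series of `iptables` calls so the whole policy is loaded atomically and can be diffed and reviewed before it touches a remote machine you can only reach over port 22.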
idiotprogrammer
Apprentice
Joined: 29 Jul 2002
Posts: 179
Location: Texas

PostPosted: Thu Jun 16, 2005 5:14 pm    Post subject: glsa-check

Great info. Call me blind, but I'd never heard of glsa-check -l

That sounds like a great tool and just what I needed.

The document describing it though makes it sound as though it's not terribly reliable. I'll definitely check it out though.
Thanks.