Securing SSH Using Denyhosts
Sun, 08/26/2007 - 11:50 — david23SSH is a great way to remotely administer a server. However, it still has a number of issues when you open it up to the world. The server and client communications are secure but that doesn’t mean the hosts involved are. Opening an SSH service to the world allows for brute force attacks and means that the carbon interface is still the weakest link.
- david23's blog
- Login or register to post comments
services that are not necessary on a web server
Tue, 08/21/2007 - 15:45 — sandipThese are some services I would normally turn off on web servers.
NOTE: usage may vary.
- gpm -- mouse
- mdmonitor -- monitor raid devices
- netfs -- nfs, samba etc...
- autofs -- automount, nfs, cd etc...
- kudzu -- detect new hardware
- restorecond -- monitor selinux file context
- mcstrans -- mandatory access control selinux translation
- messagebus -- routes messages between applications
- haldaemon -- maintains database of devices connected
There may be more, but if you've cleaned up your rpm packages, it would probably not exist.
- sandip's blog
- Login or register to post comments
- Read more
rpm packages not necessary for a web server
Tue, 08/21/2007 - 15:37 — sandipBelow is a list of rpm packages that are not necessary on a web server. Use it as a reference starting point for cleaning up servers. You may also want to make sure not to run services not required by the server.
NOTE: usage may vary and removal should be in the order listed:
-
redhat-lsb cups system-config-printer-libs system-config-printer paps -- printer support
-
system-config-soundcard -- gui for sound setup
-
system-config-securitylevel-tu
i -- gui for setting up security
-
nfs-utils system-config-nfs nfs-utils-lib -- nfs server
- portmap -- manage RPC connections
- ypbind yp-tools -- NIS client binding
-
htmlview -- view webpages via gui
-
system-config-services system-config-samba pinfo system-config-users system-config-date -- gui configs
-
samba samba-client samba-common -- samba support
- oprofile oprofile-devel oprofile-gui qt
- vnc
-
libglade2 libgnomecanvas usermode-gtk libbonoboui libgnomeui libglade-java pygtk2-libglade system-config-httpd system-config-network gnome-mount libgnome-java gnome-python2-bonobo gnome-python2-canvas gnome-python2 authconfig-gtk system-config-lvm authconfig-gtk pirut gnome-vfs2 gnome-python2-gnomevfs gnome-python2-gconf libgnome libgsf librsvg2 librsvg2
ImageMagick -
gnome-mime-data gnome-keyring notify-python
- GConf2 notification-daemon bluez-gnome libgconf-java libnotify bluez-utils
- libgtk-java libvte-java
- pygtk2 system-config-language system-config-rootpassword
- vte
- libwnck
- glib-java cairo-java frysk
- libwmf
- gtk2
-
cups-libs
-
ghostscript ghostscript-fonts
- avahi avahi-glib
- wpa_supplicant NetworkManager
- system-config-rootpassword
-
system-config-language
- system-config-keyboard
- system-config-network-tui firstboot-tui
-
system-config-securitylevel-tu
i -
dhcpv6_client dhcdbd dhclient -- dhcp support
- irda-utils -- Infra Red communications
- isdn4k-utils -- ISDN
- apmd -- laptop power management
- cpuspeed -- dynamically changing cpu speed
- bluez-libs -- bluetooth
- irqbalance -- irq load balancing on multi-cpus (remove only in single cpu situation)
- rsh -- unsecure remote access
- talk -- internet talk protocol
- foomatic -- printer driver database
- finger -- finger client
- eject -- eject removable media
-
cvs -- concurrent version control
- rcs -- revision control system
- dosfstools mkbootdisk -- bootdisk
- redhat-menus desktop-file-utils startup-notification -- desktop
- ppp rp-pppoe wvdial -- dialup
- esound -- sound daemon
- pcmciautils -- PCMCIA Cardbus
- pcsc-lite coolkey ifd-egate ccid
- OpenIPMI net-snmp-libs
- ImageMagick-devel -- ImageMagick development package xorg-x11-devel -- X server development package
- acpid -- power management (remove if you don't shutdown using power button)
Check your server for rootkits with Chkrootkit
Thu, 08/09/2007 - 16:25 — sandipchkrootkit is a tool to locally check your system for signs of a compromise via rootkits. It contains a shell script that checks system binaries for rootkit modification, signs of LKM trojans, interface modes and lastlog, wtmp, utmp deletions.
Install via:
# cd /usr/local
# wget ftp://ftp.pangeia.com.br/pub/s eg/pac/chkrootkit.tar.gz
# tar xvzf chkrootkit.tar.gz
# rm chkrootkit.tar.gz
# ln -s chkrootkit-x.xx chkrootkit
# cd chkrootkit
# make sense
Make sure to check the md5sum of the download as well.
Put the below into "/etc/cron.daily/chkrootkit.sh
#!/bin/bash
# chkrootkit.sh
cd /usr/local/chkrootkit/
./chkrootkit 2>&1 |grep "INFECTED\|Vulnerable&quo t;| grep -v "Checking \`bindshell'... INFECTED (PORTS: 465)"
The cron script will only output an email if it detects anything suspicious.
Note, that bindshell port 465 infection is a false alarm as in my case EXIM uses port 465 for secure connections. So, you could similarly grep out any such false alarm and adjust the cron script.
- sandip's blog
- Login or register to post comments
Generating Apache SSL Self-Signed Certificate
Thu, 07/26/2007 - 21:59 — sandip# openssl req -x509 -newkey rsa:1024 -keyout /etc/httpd/conf/ssl.key/server .key -out /etc/httpd/conf/ssl.crt/server .crt -days 9999 -nodes
# chown root:root /etc/httpd/conf/ssl.key/server .key
# chmod 400 /etc/httpd/conf/ssl.key/server .key
lftp with TLS/SSL
Tue, 07/24/2007 - 22:52 — sandiplftp ftp client support tls/ssl so why not use a secure connection for ftp.
$ lftp
lftp :~> set ftp:ssl-force true
lftp :~> connect ftp.domain.tld
lftp ftp.domain.tld:~> login <username>
Insist on your host to serve up ftp with tls/ssl support so all data is secured.
If using proftpd server, tls/ssl can be configured via "/etc/proftpd.conf":
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol TLSv1
# Are clients required to use FTP over TLS when talking to this server?
TLSRequired off
# Server's certificate
TLSRSACertificateFile /etc/pki/tls/proftpd/server.ce rt.pem
TLSRSACertificateKeyFile /etc/pki/tls/proftpd/server.ke y.pem
# CA the server trusts
#TLSCACertificateFile /etc/pki/tls/proftpd/root.cert .pem
# Authenticate clients that want to use FTP over TLS?
TLSVerifyClient off
# Allow SSL/TLS renegotiations when the client requests them, but
# do not force the renegotations. Some clients do not support
# SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
# clients will close the data connection, or there will be a timeout
# on an idle data connection.
TLSRenegotiate required off
</IfModule>
The certificate can be generated to be used on the ftp server via:
# cd /etc/pki/tls/proftpd/
# openssl req -new -x509 -days 3650 -nodes -out server.cert.pem -keyout server.key.pem
Reference:
Flushing iptables rules
Thu, 07/19/2007 - 11:17 — sandipIf you need to flush your firewall iptables rules, do not do a direct `iptables --flush` from a remote machine if the default policy is set to DROP packets, you will lock yourself out.
Run the below script instead:
#!/bin/bash
# flushIptables.sh
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -F
or set the default policy to ACCEPT before flushing.
To find the default policy:
# iptables -L -n | grep policy
- sandip's blog
- Login or register to post comments
New Server CentOS 4.4 at LT Grid with ISPConfig Installed
Tue, 01/23/2007 - 23:52 — sandipThese are notes, I had taken down while setting up ISPConfig Hosting Control Panel on LayeredTechs Grid. Most of the steps were referenced via howtoforge and ispconfig installation notes. There were some gotchas to look out for and has bee noted below:
Checking for rootkits, exploits and backdoors with Rootkit Hunter
Fri, 04/14/2006 - 09:26 — sandiprkhunter (or Rootkit Hunter) is a Unix-based tool that scans for rootkits, backdoors and local exploits. It does this by comparing MD5 hash of important files with known good ones in an online database, searching for default directories (of rootkits), wrong permissions, hidden files, suspicious strings in kernel modules. It should run on almost every Unix clone.