
Quick 'n Dirty Security and Visibility

1.   Introduction
2.   Firewall
2.1   Add the first rules
2.2   Adding/Modifying Rules
2.3   Get Status
3.   Intrusion Detection
3.1   chkrootkit
3.2   rkhunter

Introduction

This article describes some of the tools and utilities I use to better secure and monitor my servers. Simply following the article below does not get you a secure box: you also need to ensure any services you have running are correctly configured, and you should disable, or better yet remove, any services or software you do not require.

Firewall

I use 'ufw' to firewall my Ubuntu Servers.

 aptitude install ufw

Add the first rules

NOTE! When enabling the firewall using '/etc/init.d/ufw start' or 'ufw start' the chains are flushed and connections may be dropped. You can, however, add rules to the firewall before enabling it, so if you are testing 'ufw' on a remote machine it is recommended you perform...

 ufw allow ssh/tcp

...before running 'ufw enable'. Once the firewall is enabled, adding and removing rules will not flush the firewall, although modifying an existing rule will.

Adding/Modifying Rules

The following rules are typical for internet-facing servers.

DNS

 ufw allow domain

FTP Protocols

 ufw allow ftp-data/tcp
 ufw allow ftp/tcp
 ufw allow 60021/tcp      # I use a single port for passive connections

Web Protocols

 ufw allow www/tcp
 ufw allow https/tcp

Mail Protocols

 ufw allow smtp/tcp
 ufw allow pop3/tcp
 ufw allow imap/tcp
 ufw allow smtps/tcp
 ufw allow imaps/tcp
 ufw allow pop3s/tcp

Jabber

ejabberd, in fact.

 ufw allow 5222/tcp
 ufw allow 5223/tcp
 ufw allow 5269/tcp
 ufw allow 5280/tcp

Munin

 ufw allow munin

Get Status

 ufw status
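An added check for the status step above, not part of the original page: a POSIX shell script that compares the allow rules this page installs against the output of 'ufw status', reports rules that are missing or were not on the list, and refuses the enable step unless ssh is already allowed. The status text is a constructed sample, and the port numbers are assumed from /etc/services (munin's 4949/tcp included).

```shell
#!/bin/sh
# Audit 'ufw status' against the rule set this page installs.
# SAMPLE_STATUS is a constructed sample; on a real server substitute
# "$(ufw status)" for it in the calls at the bottom.

# Rules from this page as 'ufw status' prints them (port/proto assumed
# from /etc/services; 'domain' covers tcp and udp, so it shows as plain 53).
EXPECTED="22/tcp 53 20/tcp 21/tcp 60021/tcp 80/tcp 443/tcp 25/tcp 110/tcp 143/tcp 465/tcp 993/tcp 995/tcp 5222/tcp 5223/tcp 5269/tcp 5280/tcp 4949/tcp"

SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
53                         ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
3306/tcp                   ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)'

# Print the "To" column of every ALLOW line. The "(v6)" rows have ALLOW in
# the third field, so they are skipped rather than counted twice.
allowed_ports() {
    printf '%s\n' "$1" | awk '$2 == "ALLOW" { print $1 }'
}

# Rules from EXPECTED that the live firewall does not have.
missing_rules() {
    allowed=$(allowed_ports "$1")
    for want in $EXPECTED; do
        printf '%s\n' "$allowed" | grep -qx "$want" || echo "$want"
    done
}

# Rules the live firewall has that this page never added (drift).
unexpected_rules() {
    for have in $(allowed_ports "$1"); do
        echo " $EXPECTED " | grep -q " $have " || echo "$have"
    done
}

# Guard for the note in this page: only enable once ssh is allowed.
ssh_allowed() {
    allowed_ports "$1" | grep -qx '22/tcp'
}

echo "missing:";    missing_rules "$SAMPLE_STATUS"
echo "unexpected:"; unexpected_rules "$SAMPLE_STATUS"
ssh_allowed "$SAMPLE_STATUS" && echo "ssh allowed, safe to run: ufw enable"
```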

Intrusion Detection

I use chkrootkit and rkhunter to check for signs of a rootkit.

Please note that using chkrootkit and rkhunter is not a definitive test; it does not ensure that the computer has not been compromised. In addition to running chkrootkit and rkhunter, you should perform more specific tests.

chkrootkit

 aptitude install chkrootkit

Run chkrootkit as root...

 chkrootkit

...to perform a scan and report everything, or run...

 chkrootkit -q

...which will run chkrootkit in quiet mode and just report anything suspicious.

By default chkrootkit will not run automatically on a daily basis. If you want it to run each day, then update '/etc/chkrootkit.conf'.

 vi /etc/chkrootkit.conf

Change RUN_DAILY to be true.

 RUN_DAILY="true"

I suggest you keep the '-q' option so you will only be alerted if anything suspicious is detected.

rkhunter

 aptitude install rkhunter libmd5-perl

Run rkhunter as root to check the system...

 rkhunter --checkall

By default rkhunter is configured to run automatically on a daily basis and send email reports. If you want to change where email reports are sent then edit '/etc/default/rkhunter' as required.

$Id: QuicknDirtySecurityandVisibility,v 1.43 2010/07/29 15:41:15 martin Exp $
