Flexion.Org

Quick 'n Dirty Security and Visibility

1.   Introduction
2.   Firewall
2.1   FireHOL
2.2   ufw
3.   Intrusion Prevention
3.1   Fail2Ban
3.2   sshdfilter
4.   Intrusion Detection
4.1   chkrootkit
4.2   rkhunter
5.   Log Monitoring
5.1   LogWatch and Dropbear
6.   Security Update Notification

Introduction

This article describes some of the tools and utilities I use to better secure and monitor my servers. Simply following the article below does not get you a secure box: you also need to ensure that any services you have running are correctly configured, and you should disable, or better yet remove, any services or software you do not require.

Firewall

FireHOL

I used to use FireHOL to firewall my Debian servers. The link below summarises the basic steps.

ufw

I now use 'ufw' to firewall my Ubuntu Servers.

 aptitude install ufw

Add the first rules

NOTE! Enabling the firewall with '/etc/init.d/ufw start' or 'ufw enable' flushes the chains, so existing connections may be dropped. Rules can be added before the firewall is enabled, however, so if you are testing 'ufw' on a remote machine it is recommended you perform...

 ufw allow ssh/tcp

...before running 'ufw enable', otherwise you may lock yourself out of the box. Once the firewall is enabled, adding and removing rules does not flush the firewall, although modifying an existing rule does.

Adding/Modifying Rules

The following rules are typical for internet facing servers. Service names are looked up in '/etc/services'; a rule without a '/tcp' or '/udp' suffix (such as 'ufw allow domain') applies to whichever protocols '/etc/services' lists for that name.

DNS

 ufw allow domain

FTP Protocols

 ufw allow ftp-data/tcp
 ufw allow ftp/tcp
 ufw allow 60021/tcp      # I use a single port for passive connections

Web Protocols

 ufw allow www/tcp
 ufw allow https/tcp

Mail Protocols

 ufw allow smtp/tcp
 ufw allow pop3/tcp
 ufw allow imap/tcp
 ufw allow smtps/tcp
 ufw allow imaps/tcp
 ufw allow pop3s/tcp

Jabber

eJabberd in fact.

 ufw allow 5222/tcp
 ufw allow 5223/tcp
 ufw allow 5269/tcp
 ufw allow 5280/tcp

Munin

 ufw allow munin

Get Status

 ufw status
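Because 'ufw enable' flushes the chains, the order of operations matters on a remote host: every allow rule, ssh/tcp first, must be in place before you enable. The script below is an added example for this page, not ufw's own tooling or the author's script. It always adds ssh/tcp first, then the other allows, and only then enables. The UFW variable is an assumption of the script (set it to 'echo' to print the plan instead of applying it); '--force' is ufw's real flag for skipping the interactive confirmation on enable.

```sh
#!/bin/sh
# Added example (not part of the original page): enable ufw on a remote server
# without locking yourself out. Every allow rule, ssh/tcp first, goes in before
# 'ufw enable', because enabling flushes the chains.
#
# UFW is an assumption of this script: it names the command to run, so
# UFW=echo prints the plan instead of changing the firewall.
: "${UFW:=ufw}"

# ufw_bootstrap SERVICE...   e.g. ufw_bootstrap www/tcp https/tcp domain
ufw_bootstrap() {
    # Management access first, regardless of what the caller listed.
    "$UFW" allow ssh/tcp || return 1

    for svc in "$@"; do
        case "$svc" in
            ssh|ssh/tcp|22|22/tcp) continue ;;   # already added above
        esac
        "$UFW" allow "$svc" || return 1
    done

    # Only now flush and enable. --force skips the "may disrupt existing ssh
    # connections" prompt so the script can run unattended.
    "$UFW" --force enable || return 1
    "$UFW" status
}

# Stand-alone usage: ./ufw_bootstrap.sh --plan www/tcp https/tcp  prints the
# plan; without --plan the functions are only defined, nothing is applied.
if [ "${1:-}" = "--plan" ]; then
    shift
    UFW=echo ufw_bootstrap "$@"
fi
```

Run it with '--plan' first and read the output; only when the list is right should you run 'ufw_bootstrap' with the real 'ufw', ideally from a console session or with a second SSH session already open.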


Intrusion Prevention

A firewall deliberately exposes specific ports, so it does nothing about an attacker who works through the services you have chosen to expose. Intrusion detection and prevention systems (IDS/IPS) can help here.

Fail2Ban

I use the excellent Fail2Ban, which dynamically blocks IP addresses from which suspicious activity originates. I use the etch-backports package of Fail2Ban since it is the current stable release and includes several security fixes.

Debian Etch

 apt-get -t etch-backports install fail2ban

Ubuntu Hardy

 aptitude install fail2ban

Fail2Ban Configuration

First thing to do is to configure the basic settings.

 nano /etc/fail2ban/jail.conf

Change the following configuration options to select where reports are sent and what report type you want. The 'action_mwl' action bans the host and e-mails a report that includes whois output and the matching log lines. Note that '/etc/fail2ban/jail.conf' may be overwritten on upgrade; Fail2Ban also reads '/etc/fail2ban/jail.local', so the same settings can be placed there instead.

 destemail = root@example.org
 action = %(action_mwl)s

Fail2Ban and Dropbear

As I use Dropbear on some of my computers, I need to add some rules to Fail2Ban so that it recognises break-in attempts via Dropbear.

 vi /etc/fail2ban/filter.d/sshd.conf

Find...

 sshd(?:\[\d+\])?: refused connect from \S+ \(<HOST>\)\s*$

...and add this after...

 bad password attempt .* from <HOST>\s*$
 login attempt for nonexistent .* from <HOST>\s*$

Restart Fail2Ban so that it re-reads the filter.

 /etc/init.d/fail2ban restart

Once I have verified that Fail2Ban is working correctly, I update '/etc/fail2ban/jail.conf' and enable the filters for vsftpd and sasl.
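To see what these two patterns actually catch before trusting the jail, the script below (an added example, not from the page, the Fail2Ban project or Dropbear) replays them with grep over a handful of constructed Dropbear log lines and counts failures per source address the way a jail with maxretry = 3 would. Fail2Ban expands <HOST> itself; for grep -E the script substitutes an IPv4 pattern, which is an assumption, as are the sample lines and the absence of a ':port' suffix after the address. Note the trailing '$' on both patterns: a literal 'S' there would never match anything.

```sh
#!/bin/sh
# Added example (not from the page): replay the two Dropbear patterns over
# sample log lines and show which hosts a jail with maxretry=3 would ban.

# Fail2Ban substitutes its own host pattern for <HOST>; for grep -E we use an
# IPv4 capture instead (assumption: IPv4 addresses with no ':port' suffix).
HOST_RE='[0-9]+(\.[0-9]+){3}'

# Constructed sample log (documentation addresses, not a real server). Four
# failure lines, three of them from 203.0.113.5; the last two must not match.
sample_log() {
    cat <<'EOF'
Aug 27 17:38:01 host dropbear[4321]: bad password attempt for 'root' from 203.0.113.5
Aug 27 17:38:03 host dropbear[4322]: bad password attempt for 'root' from 203.0.113.5
Aug 27 17:38:05 host dropbear[4323]: login attempt for nonexistent user from 203.0.113.5
Aug 27 17:38:09 host dropbear[4330]: bad password attempt for 'martin' from 198.51.100.7
Aug 27 17:38:12 host dropbear[4331]: password auth succeeded for 'martin' from 198.51.100.7
Aug 27 17:38:20 host sshd[4400]: Accepted publickey for martin from 192.0.2.9 port 51000 ssh2
EOF
}

# failed_hosts: stdin -> one address per line that matched either pattern.
# The alternation is the two filter lines above with <HOST> substituted and
# the trailing \s*$ written as [[:space:]]*$ for grep.
failed_hosts() {
    grep -E "(bad password attempt .*|login attempt for nonexistent .*) from ${HOST_RE}[[:space:]]*$" \
        | sed -E "s/.* from (${HOST_RE})[[:space:]]*$/\1/"
}

# banned_hosts MAXRETRY: stdin -> addresses with at least MAXRETRY failures
# (findtime is ignored here; Fail2Ban only counts hits inside that window).
banned_hosts() {
    failed_hosts | sort | uniq -c | awk -v max="$1" '$1 >= max { print $2 }'
}

# Stand-alone: show the per-host counts and the resulting ban list.
sample_log | failed_hosts | sort | uniq -c
echo "would ban: $(sample_log | banned_hosts 3 | tr '\n' ' ')"
```

On the real box, test the filter with Fail2Ban's own matcher, 'fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf', and check what your Dropbear version actually logs after 'from': if it appends ':port' to the address, the trailing '\s*$' will not match and the pattern needs adjusting.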

sshdfilter

Another tool similar to Fail2Ban which only supports SSH. I don't use it.


Intrusion Detection

I use chkrootkit and rkhunter to check for signs of a rootkit.

Please note that running chkrootkit and rkhunter is not a definitive test: a clean result does not prove the computer has not been compromised, since a rootkit on the host can hide from tools that run on that same host. In addition to running chkrootkit and rkhunter, you should perform more specific tests.

chkrootkit

 aptitude install chkrootkit

Run chkrootkit as root

 chkrootkit

...to perform a scan and report everything, or run...

 chkrootkit -q

...which will run chkrootkit in quiet mode and just report anything suspicious.

By default chkrootkit will not run automatically on a daily basis. If you want it to run each day, then update '/etc/chkrootkit.conf'

 vi /etc/chkrootkit.conf

Change RUN_DAILY to be true.

 RUN_DAILY="true"

I suggest you keep the '-q' option so you will only be alerted if anything suspicious is detected.

rkhunter

 aptitude install rkhunter libmd5-perl

Run rkhunter as root to check the system...

 rkhunter --checkall

By default rkhunter is configured to run automatically on a daily basis and send email reports. If you want to change where email reports are sent then edit '/etc/default/rkhunter' as required.


Log Monitoring

You need to monitor your log files; it is essential.

However, logs are full of information and most of it is not important. Therefore I use the excellent LogWatch, which sends me an e-mail digest of the previous day's important log activity, which makes identifying mis-configurations and suspicious activity very simple.

Simply installing LogWatch is all that is required, the defaults should be sufficient.

 aptitude install logwatch libdate-manip-perl

LogWatch and Dropbear

I haven't got LogWatch integrated with Dropbear yet.


Security Update Notification

I have tested various scripts which notify you of the updates your server is missing. The best I found is apticron, although I install it without its recommended packages, otherwise you get most of the Xorg packages.

 aptitude -R install apticron

When installed you may want to change where emails are sent.

 nano /etc/apticron/apticron.conf

Change EMAIL="root" as required.

By default apticron runs every day, which IMO is a bit too often. So I move the cron job so it runs once a week.

 mv /etc/cron.daily/apticron /etc/cron.weekly/

$Id: QuicknDirtySecurityandVisibility,v 1.42 2008/08/27 17:38:39 martin Exp www-data $
