Need advice on security
Bill Campbell
linux-sxs
Wed Mar 28 09:49:26 PDT 2007
On Thu, Mar 29, 2007, Chong Yu Meng wrote:
>Hi all,
>
>So right now I'm more than a little confused about the subject of
>securing servers -- specifically, UNIX/Linux mail servers -- in a data
>center. I spoke to some friends who may have had a vested interest in
>selling me equipment, and though we all agreed that security was
>important, I could not understand how certain firewalls could actually
>provide me with better security than a properly configured bastion host.
>
>Here is my scenario: a few years ago, I set up a server for a friend that
>would run your typical web and mail services, but because there was no
>budget for an additional firewall, I was told to just try to make the
>server as secure as possible. I read a few articles in magazines and
>online, and I thought that I could make it reasonably secure if I just
>did the following:
>-- install ONLY what you absolutely need
>-- turn off all unneeded services (in this case, only DNS, web, SSH,
>SMTP and POP3 were running)
>-- block all ports in iptables except those that are absolutely needed
>-- change the default SSH port to something other than 22 to thwart
>script-kiddies

Configuring ssh to only accept identities in authorized_keys
files, building it with libwrap support, and restricting ssh
access via the /etc/hosts.allow file makes it extremely hard for
outsiders to gain unauthorized access to the system.

Setting users' shells to /bin/false makes it difficult to get
shell access (but not impossible as I found a cracked system in
which /bin/bash had been hard-linked to /bin/false).

Most non-rootkit attacks I've seen on *nix systems have been made
through web exploits of php, webmin, or usermin. There have been
numerous PHP exploits, many of which are the result of poor
programming practices where user input isn't checked for
malicious code. While webmin and usermin are written in perl,
it's pretty ugly perl, and I have found areas where they don't do
reasonable sanity checking (webmin deleting the entire /home
directory when changing a user account in which the user's $HOME
directory was set to /home and a request to change the home
directory does nasties :-).

The usermin miniserv.conf file built by default doesn't have any
denyusers specified (it's commented out in the build scripts).
If you're going to use usermin, at least add a line to the
miniserv.conf file similar to this.

    denyusers=root bin daemon ftp games gdm hacluster

Be aware that there may well be security problems with the
``chfn'' command which allow a malicious user with shell or
usermin access to gain root privileges by changing the uid field
in the /etc/passwd file.

That's all I have time to address now.
Bill
--
INTERNET: bill at Celestial.COM Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way
FAX: (206) 232-9186 Mercer Island, WA 98040-0820; (206) 236-1676
``Now if there is one thing that we do worse than any other nation, it is
try and manage somebody else's affairs.''
Will Rogers
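
An added example, not part of the message above: a small audit for the /bin/false case Bill describes, flagging accounts whose "no login" shell is really the same file as an interactive shell (hard link or symlink) or a byte-for-byte copy of one. The function names, the RESTRICTED set and the shell paths in the main block are assumptions made for this example.

```python
import hashlib
import os

# Assumed for this example: basenames treated as "no login" shells.
RESTRICTED = {"false", "nologin"}


def _identity(path):
    """Return ((device, inode), sha256 hex digest) or None if unreadable."""
    try:
        st = os.stat(path)  # follows symlinks, so a symlink to bash matches too
        with open(path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
    except OSError:
        return None
    return (st.st_dev, st.st_ino), digest


def audit_restricted_shells(passwd_text, real_shells):
    """Flag accounts whose 'no login' shell is really an interactive shell.

    passwd_text: contents of a passwd(5) file.
    real_shells: paths of interactive shells to compare against.
    Returns a sorted list of (user, shell, matched_shell, reason).
    """
    known = {p: i for p in real_shells if (i := _identity(p))}
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) != 7:
            continue
        user, shell = fields[0], fields[6]
        ident = _identity(shell)
        if os.path.basename(shell) not in RESTRICTED or ident is None:
            continue
        for real, real_ident in known.items():
            if ident[0] == real_ident[0]:
                findings.append((user, shell, real, "same file"))
            elif ident[1] == real_ident[1]:
                findings.append((user, shell, real, "identical content"))
    return sorted(findings)


if __name__ == "__main__":
    # Shell paths below are assumed; /etc/shells lists the ones on a given host.
    with open("/etc/passwd") as fh:
        for finding in audit_restricted_shells(fh.read(), ["/bin/bash", "/bin/sh"]):
            print(*finding)
```
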