Re: [CentOS] Hardening Apache on CentOS 7

2017-07-09 Thread SternData
On 07/09/2017 11:01 AM, Nicolas Kovacs wrote:
> Hi,
> 
> Some time ago one of my public servers (running Slackware64 14.0) got
> attacked and was misused to send phishing emails.
> 
> This misadventure made me more concerned about security, so I spent the
> last few weeks catching up on security, reading docs about SELinux and
> how to use it, etc.
> 
> I have a public sandbox server running CentOS 7, and I'm currently
> experimenting quite a lot with Apache and how to secure it. My approach
> is very much trial-and-error. I've started with these two articles:
> 
> https://devops.profitbricks.com/tutorials/how-to-harden-the-apache-web-server-on-centos-7/
> 
> https://www.tecmint.com/apache-security-tips/
> 
> I've also discovered the Nikto vulnerability scanner, and I'm playing
> around with it.
> 
> Besides all this, I'd be curious to know your approach in securing
> Apache, the tools you use, maybe the odd do's and don'ts, suggestions,
> some good books and/or online docs about the subject, etc.
> 
> Cheers from the sunny South of France,
> 
> Niki
> 

If you're using PHP, use php-fpm running each host under a different
user.  https://wp-root.org/server/install-php-fpm-tcp-unix-sockets-centos/

-- 
-- Steve
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
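As an added illustration of the per-host php-fpm setup Steve points to (example code written for this page, not from the original post or from the linked article): each virtual host gets its own pool, its own unprivileged user and its own unix socket, so PHP code compromised on one site runs only as that site's user and cannot read the other sites' files or session data. Host names, user names, the open_basedir/session paths and the Apache handler line are assumptions; the files are written under a temporary directory so they can be reviewed before anything is copied into /etc/php-fpm.d and /etc/httpd/conf.d on a CentOS 7 host.

```shell
#!/bin/sh
# Added example: one php-fpm pool per virtual host, each under its own
# system user and its own unix socket, plus the matching Apache vhost.
# Hypothetical host/user names; output goes under $POOL_OUT, not /etc.
POOL_OUT="${POOL_OUT:-$(mktemp -d)}"

# render_pool NAME USER -> writes $POOL_OUT/php-fpm.d/NAME.conf
render_pool() {
  name="$1"; user="$2"
  mkdir -p "$POOL_OUT/php-fpm.d"
  cat > "$POOL_OUT/php-fpm.d/$name.conf" <<EOF
[$name]
user = $user
group = $user
; socket readable only by the web server user (apache on CentOS 7)
listen = /run/php-fpm/$name.sock
listen.owner = apache
listen.group = apache
listen.mode = 0660
pm = ondemand
pm.max_children = 10
; confine this site to its own tree and its own session/upload/tmp dirs
php_admin_value[open_basedir] = /var/www/$name:/var/lib/php/$name
php_admin_value[session.save_path] = /var/lib/php/$name/session
php_admin_value[upload_tmp_dir] = /var/lib/php/$name/upload
php_admin_value[sys_temp_dir] = /var/lib/php/$name/tmp
EOF
}

# render_vhost NAME -> Apache vhost that hands .php to that pool's socket
# via mod_proxy_fcgi (directive form is an assumption; adjust to your httpd)
render_vhost() {
  name="$1"
  mkdir -p "$POOL_OUT/httpd/conf.d"
  cat > "$POOL_OUT/httpd/conf.d/$name.conf" <<EOF
<VirtualHost *:80>
    ServerName $name
    DocumentRoot /var/www/$name
    <FilesMatch "\.php\$">
        SetHandler "proxy:unix:/run/php-fpm/$name.sock|fcgi://localhost"
    </FilesMatch>
</VirtualHost>
EOF
}

# check_pools -> 0 if no two rendered pools share a user or a socket,
# 1 otherwise (a shared user would defeat the whole point of the setup)
check_pools() {
  dups=$(grep -hE '^(user|listen) = ' "$POOL_OUT"/php-fpm.d/*.conf | sort | uniq -d)
  [ -z "$dups" ]
}

# Example run: two sites, two users, then verify nothing is shared
render_pool www.example.org php-www
render_pool shop.example.org php-shop
render_vhost www.example.org
render_vhost shop.example.org
check_pools && echo "pools rendered under $POOL_OUT: no shared users or sockets"
```

Each pool user should exist as a system account with no login shell, and the document roots should be writable by that user only where the application actually needs it; the open_basedir line keeps a PHP file-read bug on one site from reaching the other pools' trees.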


Re: [CentOS] Hardening Apache on CentOS 7

2017-07-09 Thread John Jasen
If your site(s) are simple enough, look into modsecurity for Apache web
servers.

Also, use either iptables or the built-in firewalld stuff on centos7 to
restrict in/outbound ports.



On 07/09/2017 12:01 PM, Nicolas Kovacs wrote:
> Hi,
>
> Some time ago one of my public servers (running Slackware64 14.0) got
> attacked and was misused to send phishing emails.
>
> This misadventure made me more concerned about security, so I spent the
> last few weeks catching up on security, reading docs about SELinux and
> how to use it, etc.
>
> I have a public sandbox server running CentOS 7, and I'm currently
> experimenting quite a lot with Apache and how to secure it. My approach
> is very much trial-and-error. I've started with these two articles:
>
> https://devops.profitbricks.com/tutorials/how-to-harden-the-apache-web-server-on-centos-7/
>
> https://www.tecmint.com/apache-security-tips/
>
> I've also discovered the Nikto vulnerability scanner, and I'm playing
> around with it.
>
> Besides all this, I'd be curious to know your approach in securing
> Apache, the tools you use, maybe the odd do's and don'ts, suggestions,
> some good books and/or online docs about the subject, etc.
>
> Cheers from the sunny South of France,
>
> Niki



[CentOS] Hardening Apache on CentOS 7

2017-07-09 Thread Nicolas Kovacs
Hi,

Some time ago one of my public servers (running Slackware64 14.0) got
attacked and was misused to send phishing emails.

This misadventure made me more concerned about security, so I spent the
last few weeks catching up on security, reading docs about SELinux and
how to use it, etc.

I have a public sandbox server running CentOS 7, and I'm currently
experimenting quite a lot with Apache and how to secure it. My approach
is very much trial-and-error. I've started with these two articles:

https://devops.profitbricks.com/tutorials/how-to-harden-the-apache-web-server-on-centos-7/

https://www.tecmint.com/apache-security-tips/

I've also discovered the Nikto vulnerability scanner, and I'm playing
around with it.

Besides all this, I'd be curious to know your approach in securing
Apache, the tools you use, maybe the odd do's and don'ts, suggestions,
some good books and/or online docs about the subject, etc.

Cheers from the sunny South of France,

Niki
-- 
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Web  : http://www.microlinux.fr
Mail : i...@microlinux.fr
Tél. : 04 66 63 10 32


Re: [CentOS] Hardening

2009-12-29 Thread Fernando Hallberg
Agile,

http://flexbox.sf.net/centos/5/SRPMS

You can generate the package from the spec file.

Att
Fernando

On Mon, 28 Dec 2009 18:45:29 -0800
Agile Aspect  wrote:

> On Mon, Dec 28, 2009 at 4:44 PM, Fernando Hallberg
>  wrote:
> > Hi,
> >
> > Test my repository http://flexbox.sf.net/
> >
> > I've personalized sectool from fedora for centos, plus rkhunter, unhide,
> > chkrootkit, and more...
> >
> > And contribute ! Source RPMS and spec files are in the repository and svn.
> >
> 
> Note, I couldn't find any source RPMs in svn.
> 
> And I hasten to add, I would never delegate the task of building
> security software for my system to another person.
> 
> -- 
>   Enjoy global warming while it lasts.


-- 
Fernando Hallberg 
Flex Digital Soluções em Redes de Dados
http://www.flexdigital.com.br


Re: [CentOS] Hardening

2009-12-29 Thread Fernando Hallberg
Hi,

I got the fedora srpm, installed it, applied modifications for centos and recompiled, for
rkhunter and sectool.

ipset and the ipset kmod I've made by hand, to use the ipset function with iptables,
blocking dynamic blacklists with fail2ban and shorewall.

Att
fernando
On Tue, 29 Dec 2009 01:09:21 -0800
John R Pierce  wrote:

> Agile Aspect wrote:
> > Note, I couldn't find any source RPMs in svn.
> >
> > And I hasten to add, I would never delegate the task of building
> > security software for my system to another person.
> >   
> 
> so you compile your whole system from scratch, after auditing all the code?
> 
> how do you ever get anything done?
> 
> 
> 
> 


-- 
Fernando Hallberg 
Flex Digital Soluções em Redes de Dados
http://www.flexdigital.com.br


Re: [CentOS] Hardening

2009-12-29 Thread John R Pierce
Agile Aspect wrote:
> Note, I couldn't find any source RPMs in svn.
>
> And I hasten to add, I would never delegate the task of building
> security software for my system to another person.
>   

so you compile your whole system from scratch, after auditing all the code?

how do you ever get anything done?






Re: [CentOS] Hardening

2009-12-29 Thread Nicolas Sulek
Another great guide:
http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems.shtml#linux2



2009/12/29 Agile Aspect :
> On Mon, Dec 28, 2009 at 4:44 PM, Fernando Hallberg
>  wrote:
>> Hi,
>>
>> Test my repository http://flexbox.sf.net/
>>
>> I've personalized sectool from fedora for centos, plus rkhunter, unhide, chkrootkit,
>> and more...
>>
>> And contribute ! Source RPMS and spec files are in the repository and svn.
>>
>
> Note, I couldn't find any source RPMs in svn.
>
> And I hasten to add, I would never delegate the task of building
> security software for my system to another person.
>
> --
>      Enjoy global warming while it lasts.
>


Re: [CentOS] Hardening

2009-12-28 Thread Agile Aspect
On Mon, Dec 28, 2009 at 4:44 PM, Fernando Hallberg
 wrote:
> Hi,
>
> Test my repository http://flexbox.sf.net/
>
> I've personalized sectool from fedora for centos, plus rkhunter, unhide, chkrootkit,
> and more...
>
> And contribute ! Source RPMS and spec files are in the repository and svn.
>

Note, I couldn't find any source RPMs in svn.

And I hasten to add, I would never delegate the task of building
security software for my system to another person.

-- 
  Enjoy global warming while it lasts.


Re: [CentOS] Hardening

2009-12-28 Thread Fernando Hallberg
Hi,

Test my repository http://flexbox.sf.net/

I've personalized sectool from fedora for centos, plus rkhunter, unhide, chkrootkit,
and more...

And contribute ! Source RPMS and spec files are in the repository and svn.

Sorry for my english.

Att
On Mon, 28 Dec 2009 11:53:27 -0800
ML  wrote:

> Hi Guys,
> 
> I would like advice for best practices to secure my linux boxes. Know if I 
> have been hacked, know of security breaches, etc.
> 
> Can anyone provide advice?
> 
> -Jason


-- 
Fernando Hallberg 
Flex Digital Soluções em Redes de Dados
http://www.flexdigital.com.br


Re: [CentOS] Hardening

2009-12-28 Thread Tom Bishop
Another vote for bastille, it works very well.

On 12/28/09, m.r...@5-cent.us  wrote:
>> Hi Guys,
>>
>> I would like advice for best practices to secure my linux boxes. Know if I
>> have been hacked, know of security breaches, etc.
>>
>> Can anyone provide advice?
>
> Check out Bastille Linux. It's not a distro, it's a system hardening tool,
> and many things it does are referred to by the NIST guidelines.
>
> I, personally, used a firewall/router that I build using it on RH 9, and
> for around 10 years, never had an intrusion.
>
> mark
>
>


Re: [CentOS] Hardening

2009-12-28 Thread m . roth
> Hi Guys,
>
> I would like advice for best practices to secure my linux boxes. Know if I
> have been hacked, know of security breaches, etc.
>
> Can anyone provide advice?

Check out Bastille Linux. It's not a distro, it's a system hardening tool,
and many things it does are referred to by the NIST guidelines.

I, personally, used a firewall/router that I build using it on RH 9, and
for around 10 years, never had an intrusion.

mark



Re: [CentOS] Hardening

2009-12-28 Thread Lincoln Zuljewic Silva
Take a look at the CIS guide for Red Hat 5:
http://www.cisecurity.org/bench_linux.html (you do not need to be
registered to download the PDFs).

Regards
Lincoln

On Mon, Dec 28, 2009 at 5:56 PM, Larry Vaden  wrote:
> On Mon, Dec 28, 2009 at 1:53 PM, ML  wrote:
>> Hi Guys,
>>
>> I would like advice for best practices to secure my linux boxes. Know if I 
>> have been hacked, know of security breaches, etc.
>>
>> Can anyone provide advice?
>
> 
>



-- 
Lincoln Zuljewic Silva
More contact info.: http://www.system.adm.br/contact.php

"How often must a question be asked before it’s considered a
frequently asked question?"


Re: [CentOS] Hardening

2009-12-28 Thread Larry Vaden
On Mon, Dec 28, 2009 at 1:53 PM, ML  wrote:
> Hi Guys,
>
> I would like advice for best practices to secure my linux boxes. Know if I 
> have been hacked, know of security breaches, etc.
>
> Can anyone provide advice?




[CentOS] Hardening

2009-12-28 Thread ML
Hi Guys,

I would like advice for best practices to secure my linux boxes. Know if I have 
been hacked, know of security breaches, etc.

Can anyone provide advice?

-Jason


Re: [CentOS] Hardening

2009-05-12 Thread Lanny Marcus
On Fri, May 1, 2009 at 11:19 AM, Jason Todd Slack-Moehrle
 wrote:
> What tips does everyone have on hardening a CentOS Server that is
> running web, e-mail, ssh, ftp, mysql, coldfusion and will be
> processing payments from www?

Jason: In addition to the other recommendations in this thread, IMHO
you should contemplate offloading the credit card processing to a
company that has the expertise and network required to try to protect
that data. Lanny


Re: [CentOS] Hardening

2009-05-12 Thread James Matthews
It also depends on which service you are running on the server. It depends
on what you are running, etc.

On Fri, May 8, 2009 at 4:59 PM, Lanny Marcus wrote:

> On Fri, May 1, 2009 at 11:19 AM, Jason Todd Slack-Moehrle
>  wrote:
> > What tips does everyone have on hardening a CentOS Server that is
> > running web, e-mail, ssh, ftp, mysql, coldfusion and will be
> > processing payments from www?
>
> I was out of town and I just read your post. I would strongly suggest
> that you download the free manual about hardening RHEL 5, in .pdf
> form, from nsa.gov. As I recall, they do *NOT* recommend running more
> than one service on a server, if possible, among many other
> recommendations. Search for "Guide to the Secure Configuration of Red
> Hat Enterprise Linux 5", Revision 2, December 20, 2007. HTH
>



-- 

http://www.goldwatches.com/Watches.asp?Brand=71


Re: [CentOS] Hardening

2009-05-08 Thread Lanny Marcus
On Fri, May 1, 2009 at 11:19 AM, Jason Todd Slack-Moehrle
 wrote:
> What tips does everyone have on hardening a CentOS Server that is
> running web, e-mail, ssh, ftp, mysql, coldfusion and will be
> processing payments from www?

I was out of town and I just read your post. I would strongly suggest
that you download the free manual about hardening RHEL 5, in .pdf
form, from nsa.gov. As I recall, they do *NOT* recommend running more
than one service on a server, if possible, among many other
recommendations. Search for "Guide to the Secure Configuration of Red
Hat Enterprise Linux 5", Revision 2, December 20, 2007. HTH


Re: [CentOS] Hardening

2009-05-02 Thread luc...@lastdot.org
On Sat, May 2, 2009 at 11:28 AM, Michael A. Peters  wrote:
> Jim Perrin wrote:
>> On Fri, May 1, 2009 at 12:22 PM, Stephen John Smoogen  
>> wrote:
>>> On Fri, May 1, 2009 at 10:19 AM, Jason Todd Slack-Moehrle
>>>  wrote:
>>>> Hi All,
>>>>
>>>> What tips does everyone have on hardening a CentOS Server that is
>>>> running web, e-mail, ssh, ftp, mysql, coldfusion and will be
>>>> processing payments from www?
>>> NSA hardening guidelines would be a good start. The CIS hardening
>>> guidelines would be also good. After that you want to look at specific
>>> hardening guidelines for apache
>>
>> The NSA guide is a very good start, and
>> http://people.redhat.com/sgrubb/files/hardening-rhel5.pdf complements
>> it rather well.
>> You might also want to have a look at the DoD STIG guidelines, though
>> reading them will make your eyes bleed.
>>
>
> For php, you really want to run php built with the suhosin patch and run
> the suhosin module as well.
>
> I'm not sure, but I seem to recall there being a suhosin patched php
> either in testing or centos plus.
>
> Assuming you run php.
>
> I can't really comment on the others.
>
> One of the nice things about suhosin is it does transparent encryption
> of cookies / sessions (you can tweak it) making things like session
> theft a lot more difficult.
>
> I believe suhosin patch/module is standard in bsd ports, I'm not sure
> why it isn't standard in RHEL (maybe because it can cause issues with
> some php accelerators ??)

I think there are issues with suhosin vs zend optimizer (other
encoders/loaders/decoders may have issues as well). I tested php
suhosin enabled + APC accelerator and haven't had a problem,
eaccelerator also will probably work just fine with it.
There's an rpm for suhosin compatible with the php version in rhel5/centos5 at:
http://repo.redhat-club.org/redhat/5/i386/

>


Re: [CentOS] Hardening

2009-05-02 Thread Michael A. Peters
Jim Perrin wrote:
> On Fri, May 1, 2009 at 12:22 PM, Stephen John Smoogen  
> wrote:
>> On Fri, May 1, 2009 at 10:19 AM, Jason Todd Slack-Moehrle
>>  wrote:
>>> Hi All,
>>>
>>> What tips does everyone have on hardening a CentOS Server that is
>>> running web, e-mail, ssh, ftp, mysql, coldfusion and will be
>>> processing payments from www?
>> NSA hardening guidelines would be a good start. The CIS hardening
>> guidelines would be also good. After that you want to look at specific
>> hardening guidelines for apache
> 
> The NSA guide is a very good start, and
> http://people.redhat.com/sgrubb/files/hardening-rhel5.pdf complements
> it rather well.
> You might also want to have a look at the DoD STIG guidelines, though
> reading them will make your eyes bleed.
> 

For php, you really want to run php built with the suhosin patch and run 
the suhosin module as well.

I'm not sure, but I seem to recall there being a suhosin patched php 
either in testing or centos plus.

Assuming you run php.

I can't really comment on the others.

One of the nice things about suhosin is it does transparent encryption 
of cookies / sessions (you can tweak it) making things like session 
theft a lot more difficult.

I believe suhosin patch/module is standard in bsd ports, I'm not sure 
why it isn't standard in RHEL (maybe because it can cause issues with 
some php accelerators ??)


Re: [CentOS] Hardening

2009-05-01 Thread Ross Walker

On May 1, 2009, at 12:22 PM, Stephen John Smoogen   
wrote:

> On Fri, May 1, 2009 at 10:19 AM, Jason Todd Slack-Moehrle
>  wrote:
>> Hi All,
>>
>> What tips does everyone have on hardening a CentOS Server that is
>> running web, e-mail, ssh, ftp, mysql, coldfusion and will be
>> processing payments from www?
>
> NSA hardening guidelines would be a good start. The CIS hardening
> guidelines would be also good. After that you want to look at specific
> hardening guidelines for apache

Also using Xen to build out a CentOS guest PV host for the separate  
functions while hardening the main dom0 host to the teeth would allow  
you to zone the risks between the virtual hosts.

-Ross
  


Re: [CentOS] Hardening

2009-05-01 Thread Stephen John Smoogen
On Fri, May 1, 2009 at 11:14 AM, Jim Perrin  wrote:
> On Fri, May 1, 2009 at 12:22 PM, Stephen John Smoogen  
> wrote:
>> On Fri, May 1, 2009 at 10:19 AM, Jason Todd Slack-Moehrle
>>  wrote:
>>> Hi All,
>>>
>>> What tips does everyone have on hardening a CentOS Server that is
>>> running web, e-mail, ssh, ftp, mysql, coldfusion and will be
>>> processing payments from www?
>>
>> NSA hardening guidelines would be a good start. The CIS hardening
>> guidelines would be also good. After that you want to look at specific
>> hardening guidelines for apache
>
> The NSA guide is a very good start, and
> http://people.redhat.com/sgrubb/files/hardening-rhel5.pdf complements
> it rather well.
> You might also want to have a look at the DoD STIG guidelines, though
> reading them will make your eyes bleed.
>

Bah the STIGS are wonderful things... they make my heart sing.



-- 
Stephen J Smoogen. -- BSD/GNU/Linux
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"


Re: [CentOS] Hardening

2009-05-01 Thread John R Pierce
Stephen John Smoogen wrote:
> On Fri, May 1, 2009 at 10:19 AM, Jason Todd Slack-Moehrle
>  wrote:
>   
>> Hi All,
>>
>> What tips does everyone have on hardening a CentOS Server that is
>> running web, e-mail, ssh, ftp, mysql, coldfusion and will be
>> processing payments from www?
>> 
>
> NSA hardening guidelines would be a good start. 


Extremely good start; 2 useful documents specific to RHEL5 are here ->
http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems.shtml#linux2




Re: [CentOS] Hardening

2009-05-01 Thread Ryan Duff
Jason Todd Slack-Moehrle wrote:
> Hi All,
> 
> What tips does everyone have on hardening a CentOS Server that is
> running web, e-mail, ssh, ftp, mysql, coldfusion and will be  
> processing payments from www?
> 
> -Jason


Linux Server Security is one I'm reading through right now. Covers most
of the bases.

http://www.amazon.com/Linux-Server-Security-Michael-Bauer/dp/0596006705


--
Ryan Duff
web: http://www.ryanduff.net
aim: ryancduff
twitter: ryancduff





Re: [CentOS] Hardening

2009-05-01 Thread Ned Slider
Stephen John Smoogen wrote:
> On Fri, May 1, 2009 at 10:19 AM, Jason Todd Slack-Moehrle
>  wrote:
>> Hi All,
>>
>> What tips does everyone have on hardening a CentOS Server that is
>> running web, e-mail, ssh, ftp, mysql, coldfusion and will be
>> processing payments from www?
> 
> NSA hardening guidelines would be a good start. The CIS hardening
> guidelines would be also good. After that you want to look at specific
> hardening guidelines for apache
> 
> 

And we have our very own Wiki guide for hardening SSH:

http://wiki.centos.org/HowTos/Network/SecuringSSH

As for ftp - disable it IMHO :)



Re: [CentOS] Hardening

2009-05-01 Thread Jim Perrin
On Fri, May 1, 2009 at 12:22 PM, Stephen John Smoogen  wrote:
> On Fri, May 1, 2009 at 10:19 AM, Jason Todd Slack-Moehrle
>  wrote:
>> Hi All,
>>
>> What tips does everyone have on hardening a CentOS Server that is
>> running web, e-mail, ssh, ftp, mysql, coldfusion and will be
>> processing payments from www?
>
> NSA hardening guidelines would be a good start. The CIS hardening
> guidelines would be also good. After that you want to look at specific
> hardening guidelines for apache

The NSA guide is a very good start, and
http://people.redhat.com/sgrubb/files/hardening-rhel5.pdf complements
it rather well.
You might also want to have a look at the DoD STIG guidelines, though
reading them will make your eyes bleed.




-- 
During times of universal deceit, telling the truth becomes a revolutionary act.
George Orwell


Re: [CentOS] Hardening

2009-05-01 Thread Stephen John Smoogen
On Fri, May 1, 2009 at 10:19 AM, Jason Todd Slack-Moehrle
 wrote:
> Hi All,
>
> What tips does everyone have on hardening a CentOS Server that is
> running web, e-mail, ssh, ftp, mysql, coldfusion and will be
> processing payments from www?

NSA hardening guidelines would be a good start. The CIS hardening
guidelines would be also good. After that you want to look at specific
hardening guidelines for apache


-- 
Stephen J Smoogen. -- BSD/GNU/Linux
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"


[CentOS] Hardening

2009-05-01 Thread Jason Todd Slack-Moehrle
Hi All,

What tips does everyone have on hardening a CentOS Server that is
running web, e-mail, ssh, ftp, mysql, coldfusion and will be  
processing payments from www?

-Jason


Re: [CentOS] Hardening CentOS by removing "hacker" tools

2008-06-09 Thread Ray Leventhal

Filipe Brandenburger wrote:
> On Fri, Jun 6, 2008 at 10:09 PM, Jim Wildman <[EMAIL PROTECTED]> wrote:
>> Better, google for "tiny centos" and build a new box with the minimum on it.
>
> Hmmm, that looks exactly like what I'm looking for! I'm actually
> trying to find someone who has already done the tough work and could
> give me some tips on what to expect on that path. I'll see what Google
> has to offer and if I find something useful I'll post it here.
>
> Thanks!
> Filipe

Applying apf (http://rfxnetworks.com/apf.php) as a front end for
iptables enables a sweet setup for RAB (Reactive Address Blocking).
I liked it a lot starting back when I was using FC1... I know the
project is still around and I have it running on my CentOS5.1 box as
well.  There's no rpm of which I'm aware, but it's a simple install.
Makes iptables very easy to manage.


YMMV,
-R


Re: [CentOS] Hardening CentOS by removing "hacker" tools

2008-06-07 Thread Ralph Angenendt
Erek Dyskant wrote:
> 
> > Not if /home and /tmp and /var/tmp are mounted with noexec,nodev,nosuid,...
> 
> Actually, wrong.
> 
>  /lib/ld-2.5.so ~/bin/wget 

Actually, wrong:

[EMAIL PROTECTED] ~]$bin/true ; echo $?
0
[EMAIL PROTECTED] ~]$/lib64/ld-2.5.so bin/true; echo $?
0
[EMAIL PROTECTED] ~]$sudo mount -o remount,noexec /home
[EMAIL PROTECTED] ~]$bin/true ; echo $?
-bash: bin/true: Permission denied
126
[EMAIL PROTECTED] ~]$/lib64/ld-2.5.so bin/true; echo $?
bin/true: error while loading shared libraries: bin/true: failed to map
segment from shared object: Operation not permitted
127
[EMAIL PROTECTED] ~]$

Ralph


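Ralph's session shows why the ld.so trick does not get around noexec on a current kernel: the loader itself lives on /lib64 and runs fine, but it still has to mmap the target binary's segments with PROT_EXEC, and the kernel refuses that on a noexec mount, which is the "failed to map segment" error. The check below is an added example (not from the thread) that verifies the user-writable filesystems Filipe named actually carry noexec,nodev,nosuid, reading /proc/mounts format; the sample mount table is constructed, and the list of mount points and the inclusion of /dev/shm are assumptions. Note that noexec stops direct execution and PROT_EXEC mappings only: an interpreter already on the system will still read a script from a noexec filesystem, so this is one layer among the others listed in the thread (firewall, SELinux, removing unneeded daemons), not a complete block.

```shell
#!/bin/sh
# Added example: check that user-writable filesystems carry the mount
# options recommended in the thread. Input is /proc/mounts format
# ("device mountpoint fstype options dump pass"). A constructed sample
# is used so the script runs offline; mount points to check are assumptions.
WANT_OPTS="noexec nodev nosuid"
WANT_MOUNTS="/home /tmp /var/tmp /dev/shm"

# Constructed sample in /proc/mounts format (not captured from a real host).
SAMPLE_MOUNTS='/dev/mapper/cl-root / xfs rw,relatime,attr2,inode64 0 0
/dev/mapper/cl-home /home xfs rw,nosuid,nodev,relatime,attr2,inode64 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,relatime 0 0'

# mount_opts MOUNTS MOUNTPOINT -> prints the option string; returns 1 if the
# mount point is absent (i.e. it lives on the parent filesystem's options)
mount_opts() {
  printf '%s\n' "$1" | awk -v mp="$2" \
    '$2 == mp { print $4; found = 1 } END { if (!found) exit 1 }'
}

# missing_opts MOUNTS MOUNTPOINT -> prints "missing: a b" for wanted options
# that are absent, "not-a-separate-mount" if the path is not its own
# filesystem, or nothing if everything wanted is present; 0 only if all present
missing_opts() {
  if ! opts=$(mount_opts "$1" "$2"); then
    printf 'not-a-separate-mount\n'
    return 1
  fi
  miss=""
  for o in $WANT_OPTS; do
    case ",$opts," in
      *",$o,"*) ;;                  # option present
      *) miss="$miss $o" ;;         # option absent
    esac
  done
  if [ -n "$miss" ]; then
    printf 'missing:%s\n' "$miss"
    return 1
  fi
  return 0
}

# audit_mounts MOUNTS -> one line per mount point; returns 0 only if all pass
audit_mounts() {
  rc=0
  for mp in $WANT_MOUNTS; do
    result=$(missing_opts "$1" "$mp") || rc=1
    printf '%-10s %s\n' "$mp" "${result:-ok}"
  done
  return $rc
}

# Real use: audit_mounts "$(cat /proc/mounts)"
audit_mounts "$SAMPLE_MOUNTS" || echo "one or more mounts need attention"
```

On the sample table /tmp passes, /home and /dev/shm lack noexec, and /var/tmp is not a separate filesystem at all, which is the case the thread's advice most often misses: unless /var/tmp is its own mount (or a bind mount of /tmp with the same options), it inherits whatever /var or / was mounted with.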


Re: [CentOS] Hardening CentOS by removing "hacker" tools

2008-06-07 Thread Erek Dyskant

> Not if /home and /tmp and /var/tmp are mounted with noexec,nodev,nosuid,...

Actually, wrong.

 /lib/ld-2.5.so ~/bin/wget 


--Erek



Re: [CentOS] Hardening CentOS by removing "hacker" tools

2008-06-06 Thread Filipe Brandenburger
On Fri, Jun 6, 2008 at 10:09 PM, Jim Wildman <[EMAIL PROTECTED]> wrote:
> Better, google for "tiny centos" and build a new box with the minimum on it.

Hmmm, that looks exactly like what I'm looking for! I'm actually
trying to find someone who has already done the tough work and could
give me some tips on what to expect on that path. I'll see what Google
has to offer and if I find something useful I'll post it here.

Thanks!
Filipe


Re: [CentOS] Hardening CentOS by removing "hacker" tools

2008-06-06 Thread Filipe Brandenburger
On Fri, Jun 6, 2008 at 7:54 PM, Luke S Crawford <[EMAIL PROTECTED]> wrote:
> Removing network tools does not make it harder to break into the box,
> however, it can make it harder to do something with it once you are in.

That's the idea.

> (also, [not] installing the programs just
> means that if your box gets compromised, the hacker needs to install
> some new packages.  Not difficult, even without root-  the attacker
> can install to the compromised user homedir.)

Not if /home and /tmp and /var/tmp are mounted with noexec,nodev,nosuid,...

> It sounds like your boss doesn't know much about this.  you have 2
> choices...  You can do what he says (largely useless.)  or you can try to
> educate yourself (and your boss) on ways to actually make your systems more
> secure.

Actually his argument (with which I agree) is that no box is
uncompromisable. Once compromised, you want to limit what can be done
from that box to reach more critical and secure parts of your network.

Also, removing those tools certainly WON'T make the box LESS secure.

> First, turn off all daemons you don't need.  If it's not running, you
> don't need to worry if there is a security hole in it.

This is a worry for this box because it will need to be particularly
exposed to the world (that's inherent to its role).

> I think a good firewall is useful...
> apply security updates immediately
> make sure that PermitRootLogin is set to no in /etc/ssh/sshd_config
> Beyond here, look at selinux, look at mounting all user-accessible partitions
> (/tmp, /home/ and /var)  as noexec
> some people remove development tools, because many people transport exploit
> code as c source code to the box, compile it and then execute it.

Yes, I'm doing all of those, including SELinux, and I'm planning on
doing yet more (like chroot'ed SSH).

Thanks!
Filipe
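For the sshd_config item in Luke's list, an added example (not from the thread) that checks a setting the way sshd itself reads the file: the first occurrence of a keyword wins, keyword matching is case-insensitive, and comment lines are ignored, so a commented-out "#PermitRootLogin yes" above the real line does not fool the check. The sample config is constructed. PermitRootLogin no is the setting the thread names; the PasswordAuthentication check is my own addition. On a live host, feed it the output of `sshd -T` instead, which prints the effective settings with compiled-in defaults filled in (lowercase keywords, which the parser accepts).

```shell
#!/bin/sh
# Added example: audit sshd_config settings the way sshd resolves them.
# Sample config is constructed, not from a real host.
SAMPLE_SSHD_CONFIG='# constructed sample sshd_config
Port 22
Protocol 2
#PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
X11Forwarding yes'

# sshd_value CONFIG KEYWORD -> effective value: first non-comment match,
# keyword compared case-insensitively; prints nothing if the keyword is
# not set (the compiled-in default then applies)
sshd_value() {
  printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ { next }
    tolower($1) == key { print $2; exit }'
}

# expect_opt CONFIG KEYWORD WANTED -> 0 if the effective value equals WANTED,
# 1 otherwise; an unset keyword is reported as a failure because the default
# depends on the OpenSSH version rather than on anything the admin chose
expect_opt() {
  got=$(sshd_value "$1" "$2")
  if [ "$got" = "$3" ]; then
    printf 'ok    %s %s\n' "$2" "$got"
    return 0
  fi
  printf 'FAIL  %s is "%s", want %s\n' "$2" "${got:-<unset, default applies>}" "$3"
  return 1
}

# check_sshd CONFIG -> runs the checks; returns 0 only if every one passes
check_sshd() {
  rc=0
  expect_opt "$1" PermitRootLogin no || rc=1        # named in the thread
  expect_opt "$1" PasswordAuthentication no || rc=1 # my addition: keys only
  return $rc
}

# Real use (effective config, defaults included): check_sshd "$(sshd -T)"
check_sshd "$SAMPLE_SSHD_CONFIG" || echo "sshd_config needs attention"
```

With `sshd -T` as input the "unset" branch never fires, since sshd prints every option with its effective value; with the raw file it flags options that are silently relying on a default.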


Re: [CentOS] Hardening CentOS by removing "hacker" tools

2008-06-06 Thread Jim Wildman

On Fri, 6 Jun 2008, Filipe Brandenburger wrote:

> Hi,
>
> My boss asked me to harden a CentOS box by removing "hacker" tools,
> such as nmap, tcpdump, nc (netcat), telnet, etc.
>
> I would like to know which list of packages would you remove from a
> base install. I would appreciate if someone could point me to a
> "standard" way of doing this. I know there are procedures for
> hardening a machine (I remember reading about Bastille Linux) but I
> don't know how effective they are and if they include the removal of
> such tools in their procedures.
>
> Any advice would be very appreciated!
>
> Thanks,
> Filipe

Assuming from the question that a) the box is already installed and b)
the application for which it exists is installed via a well formed
rpm...

(Tell your boss the box or the app may go down unexpectedly while
you're doing this.  This will almost certainly happen if condition b) is
not met.  And the app may not come back up right when you reboot the box
or restart the app.  Definitely schedule a power cycle or two for after
you think you're done.  Maybe freshen up your resume too.  Probably
should mention to the boss that if the app has gone through any internal
certification process, you are probably going to invalidate it and he
needs to talk to the development/enduser folks to schedule a recert.)

rpm -qa | sort > rpm.lst

look at the list; anything you don't know what it is, rpm -qi.  Season
with a liberal dose of "man -k package;man "less /usr/share/doc/".  If you
think you probably don't need it, yum erase.  If it doesn't try to erase
the application or
something else necessary (like ssh or the kernel), say yes.  Use yum not
rpm so you have a record in /var/log/yum.log of what you did.  Maybe
start a screen session with history or a typescript session.  Read
everything c.a.r.e.f.u.l.l.y and slowly.  Don't multitask.  If you're
really paranoid (twitch, twitch), run your application test suite after
each deletion (you do have a test suite, right???).

Better, google for "tiny centos" and build a new box with the minimum on
it.  Then get the well formed application rpm from the vendor (evil laughter),
put it in a local repository and use yum to install it and its
dependencies.

And do all the firewall, selinux, hosts.{allow,deny} and NSA stuff too.


Jim Wildman, CISSP, RHCE   [EMAIL PROTECTED] http://www.rossberry.com
"Society in every state is a blessing, but Government, even in its best
state, is a necessary evil; in its worst state, an intolerable one."
Thomas Paine
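The review Jim describes, as an added example (not his own script): take the `rpm -qa` listing, reduce it to bare package names, compare it with the tools Filipe's boss named, and print the `yum erase` line for review rather than running it, so the removal still goes through yum and lands in /var/log/yum.log as he recommends. The package list below is a constructed sample of default `rpm -qa` output and the deny list is an assumption; on a real host pass `rpm -qa` output directly.

```shell
#!/bin/sh
# Added example: a repeatable version of "rpm -qa | sort > rpm.lst" plus
# review. Package list is a constructed sample (not from a real host);
# the deny list is an assumption based on the tools named in the thread.
DENY_LIST="nmap nmap-ncat tcpdump telnet"

SAMPLE_RPM_LIST='kernel-3.10.0-1160.el7.x86_64
openssh-server-7.4p1-21.el7.x86_64
nmap-6.40-7.el7.x86_64
nmap-ncat-6.40-7.el7.x86_64
tcpdump-4.9.2-4.el7_7.1.x86_64
httpd-2.4.6-97.el7.centos.x86_64
telnet-0.17-66.el7.x86_64'

# pkg_names LIST -> bare package names, sorted and unique.
# rpm version and release fields never contain "-", so dropping the last
# two "-"-separated fields ("-VERSION-RELEASE.ARCH") leaves the name.
pkg_names() {
  printf '%s\n' "$1" | sed -E 's/-[^-]+-[^-]+$//' | sort -u
}

# flag_packages LIST -> installed names that are on DENY_LIST, one per line
flag_packages() {
  for name in $(pkg_names "$1"); do
    for d in $DENY_LIST; do
      [ "$name" = "$d" ] && printf '%s\n' "$name"
    done
  done
  return 0
}

# erase_cmd LIST -> the yum command to review before running it. yum rather
# than rpm -e so /var/log/yum.log records the removal and "yum history undo"
# can reverse it. Prints nothing when nothing is flagged.
erase_cmd() {
  flagged=$(flag_packages "$1" | tr '\n' ' ')
  if [ -n "$flagged" ]; then
    printf 'yum erase %s\n' "${flagged% }"
  fi
  return 0
}

# Real use: erase_cmd "$(rpm -qa)"   (then read the line, then run it)
erase_cmd "$SAMPLE_RPM_LIST"
```

Read the proposed line against `yum erase`'s dependency resolution before confirming it, which is the point Jim makes: if yum wants to take the application, sshd or the kernel along with a flagged package, answer no and look at why that dependency exists.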


Re: [CentOS] Hardening CentOS by removing "hacker" tools

2008-06-06 Thread Matt Shields
On Fri, Jun 6, 2008 at 7:54 PM, Luke S Crawford <[EMAIL PROTECTED]> wrote:
> "Filipe Brandenburger" <[EMAIL PROTECTED]> writes:
>> My boss asked me to harden a CentOS box by removing "hacker" tools,
>> such as nmap, tcpdump, nc (netcat), telnet, etc.
>
> Removing network tools does not make it harder to break into the box,
> however, it can make it harder to do something with it once you are in.
> removing those tools might help keep an infection from spreading, but it
> won't protect the box itself.  (also, just installing the programs just
> means that if your box gets compromised, the hacker needs to install
> some new packages.  Not difficult, even without root-  the attacker
> can install to the compromised user homedir.)

But removing networking would :)

-- 
-matt


Re: [CentOS] Hardening CentOS by removing "hacker" tools

2008-06-06 Thread Luke S Crawford
"Filipe Brandenburger" <[EMAIL PROTECTED]> writes:
> My boss asked me to harden a CentOS box by removing "hacker" tools,
> such as nmap, tcpdump, nc (netcat), telnet, etc.

Removing network tools does not make it harder to break into the box, 
however, it can make it harder to do something with it once you are in.
removing those tools might help keep an infection from spreading, but it
won't protect the box itself.  (also, just installing the programs just 
means that if your box gets compromised, the hacker needs to install 
some new packages.  Not difficult, even without root-  the attacker
can install to the compromised user homedir.)  

It sounds like your boss doesn't know much about this.  You have 2
choices...  You can do what he says (largely useless), or you can try to 
educate yourself (and your boss) on ways to actually make your systems more 
secure.

I would advise the latter course, personally, -  if the boss is a good 
boss, he will listen to his technical people.  

here are the basics: 

First, turn off all daemons you don't need.  if it's not running, you 
don't need to worry if there is a security hole in it.  

I think a good firewall is useful... it saves your ass if you
accidentally leave a daemon running that you don't need, or if
the new guy starts up a daemon that you weren't running before, or if 
you need a daemon to be accessible to the office but not the world.  use the 
centos iptables default setup-  make sure you can take the box offline,
then change the default to 'reject' and then open things
up one service at a time until your system works again.  

third, subscribe to the announce list for your distro-  and check it 
every day.   apply security updates immediately (you can't just do this
with cron;  some require reboots)  

also, make sure that PermitRootLogin is set to no in /etc/ssh/sshd_config
-  all of the successful brute-force attacks I've seen have been against
the root user.  Brute-forcing other users is more difficult, as the
attacker (usually an automated process) needs to first obtain the 
username;  if you watch /var/log/secure you see a lot more attempts at root
than others.

if you use applications that are not provided by your distro's standard
distribution, subscribe to the mailing lists for those, as well.

the idea being that the majority of hacks are known exploits... if you
watch the mailing lists, you can at least solve the known problems 
soon after they become generally known.  

those are the minimum steps you need to take... it's thousands of times
better than nothing.  These are the 'easy' steps that get you a lot
of security while minimally interfering with usability.


going beyond here, you must recognize that in the optimal case, there
is a tradeoff between usability and security. this is the optimal
case;  sometimes you can make things less usable without increasing 
security.


Beyond here, look at selinux, look at mounting all user-accessible partitions
(/tmp, /home/ and /var)  as noexec and ensuring that nobody but root can
write anywhere else...-  it doesn't help if you get rooted, but it
makes things mildly more difficult for a local user to run a local root
exploit.  

some people remove development tools, because many people transport exploit
code as c source code to the box, compile it and then execute it.  

many other things can be done... but don't bother until you take down 
unnecessary daemons, put up a firewall, subscribe to the announce lists
for your distro, and disable remote root login.  
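An added example (not from Luke's post) of two of his steps in POSIX sh: a generator for the "default reject, then open one service at a time" iptables ruleset, and a check of what PermitRootLogin actually is in an sshd_config.  The service list, the 10.0.0.0/24 management network and the two sample sshd_config files are constructed for the example.  Nothing here touches the live firewall; the rules are printed so they can be read before being run as root.

```shell
#!/bin/sh
# Added example, not code from the post: (1) emit an iptables ruleset that
# rejects everything inbound except the services you name, so services can
# be opened one at a time; (2) report the effective PermitRootLogin of an
# sshd_config.  Nothing here changes the live firewall: the rules are
# printed for review, and only then run as root (firewall_rules ... | sh).

# Arguments are proto:port[:source], e.g. tcp:22:10.0.0.0/24 tcp:80.
# List ssh from the management network FIRST so the box stays reachable;
# iptables has no REJECT chain policy, so the chain ends in a REJECT rule
# (the same icmp-host-prohibited target the CentOS default ruleset uses).
firewall_rules() {
    echo 'iptables -F INPUT'
    echo 'iptables -A INPUT -i lo -j ACCEPT'
    echo 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for svc in "$@"; do
        proto=${svc%%:*}; rest=${svc#*:}; port=${rest%%:*}; src=""
        case "$rest" in *:*) src="-s ${rest#*:} " ;; esac
        echo "iptables -A INPUT ${src}-p $proto --dport $port -m state --state NEW -j ACCEPT"
    done
    echo 'iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited'
}

# Effective PermitRootLogin for sshd_config $1.  sshd uses the FIRST
# uncommented occurrence; if the directive is absent the compiled-in
# default applies, which is "yes" for the OpenSSH shipped with CentOS 5,
# so a commented-out "#PermitRootLogin yes" still means root may log in.
# (Match blocks are not considered here.)
permit_root_login() {
    v=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    [ -n "$v" ] || v="yes (default, directive absent)"
    echo "$v"
}

# Succeeds only when remote root login is really off.
sshd_root_login_disabled() {
    [ "$(permit_root_login "$1")" = "no" ]
}

# Constructed sample configs (not copied from any host): the stock-looking
# file with the directive commented out, and the fixed one.
make_sshd_samples() {
    cat > "$1/weak" <<'EOF'
#Port 22
Protocol 2
#PermitRootLogin yes
PasswordAuthentication yes
EOF
    cat > "$1/fixed" <<'EOF'
Protocol 2
PermitRootLogin no
PasswordAuthentication yes
EOF
}

if [ "${HARDEN_DEMO:-0}" = 1 ]; then
    firewall_rules tcp:22:10.0.0.0/24 tcp:80 tcp:443
    d=$(mktemp -d); make_sshd_samples "$d"
    for f in weak fixed; do echo "$f: PermitRootLogin $(permit_root_login "$d/$f")"; done
    rm -rf "$d"
fi
```

The one-service-at-a-time loop is then: run `firewall_rules tcp:22:10.0.0.0/24 | sh` from the console, confirm you can still get in, add the next service to the argument list, repeat.  A REJECT rule rather than a DROP policy is deliberate: it matches what Luke calls 'reject' and tells legitimate clients immediately instead of letting them time out.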


Re: [CentOS] Hardening CentOS by removing "hacker" tools

2008-06-06 Thread John R Pierce

> Have a search on google for NSA Hardening RHEL5, you will find a very
> good document (pdf) which will help you start your hardening.

http://www.nsa.gov/snac/downloads_redhat.cfm?MenuID=scg10.3.1.1


Re: [CentOS] Hardening CentOS by removing "hacker" tools

2008-06-06 Thread Ruslan Sivak

Dennis McLeod wrote:
>> They basically detect port scans and add a firewall rule to temporarily
>> block that ip.  Does anyone know what tool that is?
>>
>> Also disabling remote login as root should help.
>>
>> Russ
>
> Fail2ban, is what you are looking for, I think
>
> http://www.fail2ban.org/wiki/index.php/Main_Page
>
> Dennis

Sweet, actually this looks more like what I wanted, but rackspace said it
wasn't available.  This bans the ips if there are a lot of password 
failures.

There is also another tool which bans ips for port scans.  I think it's 
been discontinued, but perhaps there is another one out there?

Russ




RE: [CentOS] Hardening CentOS by removing "hacker" tools

2008-06-06 Thread Dennis McLeod
> They basically detect port scans and add a firewall rule to temporarily
> block that ip.  Does anyone know what tool that is?
> 
> Also disabling remote login as root should help.
> 
> Russ


Fail2ban, is what you are looking for, I think

http://www.fail2ban.org/wiki/index.php/Main_Page

Dennis



Re: [CentOS] Hardening CentOS by removing "hacker" tools

2008-06-06 Thread Erik Bussink

On Fri, 2008-06-06 at 19:03 -0400, Filipe Brandenburger wrote:
> Hi,
> 
> My boss asked me to harden a CentOS box by removing "hacker" tools,
> such as nmap, tcpdump, nc (netcat), telnet, etc.
> 
> I would like to know which list of packages would you remove from a
> base install. I would appreciate if someone could point me to a
> "standard" way of doing this. I know there are procedures for
> hardening a machine (I remember reading about Bastille Linux) but I
> don't know how effective they are and if they include the removal of
> such tools in their procedures.
> 
> Any advice would be very appreciated!

Filipe,

Have a search on google for NSA Hardening RHEL5, you will find a very
good document (pdf) which will help you start your hardening.

Regards,
Erik



Re: [CentOS] Hardening CentOS by removing "hacker" tools

2008-06-06 Thread Ruslan Sivak

Filipe Brandenburger wrote:
> Hi,
> 
> My boss asked me to harden a CentOS box by removing "hacker" tools,
> such as nmap, tcpdump, nc (netcat), telnet, etc.
> 
> I would like to know which list of packages would you remove from a
> base install. I would appreciate if someone could point me to a
> "standard" way of doing this. I know there are procedures for
> hardening a machine (I remember reading about Bastille Linux) but I
> don't know how effective they are and if they include the removal of
> such tools in their procedures.
> 
> Any advice would be very appreciated!
> 
> Thanks,
> Filipe

I don't think that removing these tools would make the box any more 
secure.  If a hacker is able to get into the system through exploiting a 
service, he can download the necessary tools or compile them himself. 

I suggest starting by setting up the firewall to only have the necessary 
ports open (which is usually already done), moving anything you can to a 
non standard port (especially things like ssh), and disabling any 
unneeded services.  You would be surprised how many attacks a public 
server can get on standard ports like ssh.  People will run scripts that 
will just try to bruteforce a password, and can lead to DOS attacks, 
especially on slower servers.


There are also tools, such as the ones that rackspace installs, that 
stop port scans.  They basically detect port scans and add a firewall 
rule to temporarily block that ip.  Does anyone know what tool that is?


Also disabling remote login as root should help.

Russ


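An added example (not from Russ's post, and not fail2ban's own code) of the detection step that fail2ban automates, done by hand in POSIX sh over /var/log/secure: count failed ssh password attempts per source address and per target user, list the addresses over a threshold, and print the temporary block rule such a tool would insert.  The log lines, host name, addresses and threshold are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the post: the detection step a tool like
# fail2ban performs, done by hand over /var/log/secure.  It counts failed
# ssh password attempts per source address and per target user, lists the
# addresses over a threshold, and prints the temporary block rule.  The log
# lines below are constructed for the example, not taken from a real host.

# Print "ip user" for every failed password attempt in log file $1.
failed_logins() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  u  = ($(i+1) == "invalid") ? $(i+3) : $(i+1)
                if ($i == "from") ip = $(i+1)
            }
            print ip, u
         }' "$1"
}

# Addresses with at least $2 failures (default 5), worst first, as "count ip".
offenders() {
    failed_logins "$1" |
        awk -v max="${2:-5}" '{ n[$1]++ } END { for (ip in n) if (n[ip] >= max) print n[ip], ip }' |
        sort -rn
}

# Failures per target user, worst first: shows how much of the noise is
# aimed at root, which is what PermitRootLogin no takes off the table.
failures_by_user() {
    failed_logins "$1" | awk '{ n[$2]++ } END { for (u in n) print n[u], u }' | sort -rn
}

# The block fail2ban would insert for an offender (printed, not run; fail2ban
# also removes it again after its bantime, which this one-liner does not).
block_rule() {
    echo "iptables -I INPUT -s $1 -j DROP"
}

# Constructed /var/log/secure sample written to $1.
make_secure_sample() {
    cat > "$1" <<'EOF'
Jun  6 19:03:12 web1 sshd[4120]: Failed password for root from 203.0.113.7 port 40211 ssh2
Jun  6 19:03:14 web1 sshd[4122]: Failed password for root from 203.0.113.7 port 40212 ssh2
Jun  6 19:03:16 web1 sshd[4124]: Failed password for invalid user admin from 203.0.113.7 port 40213 ssh2
Jun  6 19:03:18 web1 sshd[4126]: Failed password for invalid user admin from 203.0.113.7 port 40214 ssh2
Jun  6 19:03:20 web1 sshd[4128]: Failed password for root from 203.0.113.7 port 40215 ssh2
Jun  6 19:03:22 web1 sshd[4130]: Failed password for root from 203.0.113.7 port 40216 ssh2
Jun  6 19:05:01 web1 sshd[4140]: Failed password for root from 198.51.100.9 port 51000 ssh2
Jun  6 19:05:03 web1 sshd[4142]: Failed password for root from 198.51.100.9 port 51001 ssh2
Jun  6 19:06:00 web1 sshd[4150]: Accepted publickey for filipe from 198.51.100.2 port 52000 ssh2
EOF
}

if [ "${HARDEN_DEMO:-0}" = 1 ]; then
    f=$(mktemp)
    make_secure_sample "$f"
    echo "offenders (>= 5 failures):"; offenders "$f" 5
    echo "failures by user:";          failures_by_user "$f"
    offenders "$f" 5 | while read -r count ip; do block_rule "$ip"; done
    rm -f "$f"
fi
```

Run with HARDEN_DEMO=1.  On the sample, only 203.0.113.7 crosses the threshold of five, and six of the eight failures are aimed at root, which is the pattern that makes PermitRootLogin no worth more than any ban list.  fail2ban adds the two things this lacks: a time window for the count and automatic removal of the block.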


Re: [CentOS] Hardening CentOS by removing "hacker" tools

2008-06-06 Thread John R Pierce

Filipe Brandenburger wrote:
> Hi,
> 
> My boss asked me to harden a CentOS box by removing "hacker" tools,
> such as nmap, tcpdump, nc (netcat), telnet, etc.
> 
> I would like to know which list of packages would you remove from a
> base install. I would appreciate if someone could point me to a
> "standard" way of doing this. I know there are procedures for
> hardening a machine (I remember reading about Bastille Linux) but I
> don't know how effective they are and if they include the removal of
> such tools in their procedures.

those are all client-side tools.  If someone gains access to them, 
the box is already hacked.  How exactly does that harden it?

most all of those (certainly, nmap, tcpdump and telnet) are useful 
diagnostic tools for troubleshooting network connectivity issues.







[CentOS] Hardening CentOS by removing "hacker" tools

2008-06-06 Thread Filipe Brandenburger
Hi,

My boss asked me to harden a CentOS box by removing "hacker" tools,
such as nmap, tcpdump, nc (netcat), telnet, etc.

I would like to know which list of packages would you remove from a
base install. I would appreciate if someone could point me to a
"standard" way of doing this. I know there are procedures for
hardening a machine (I remember reading about Bastille Linux) but I
don't know how effective they are and if they include the removal of
such tools in their procedures.

Any advice would be very appreciated!

Thanks,
Filipe