Re: [CentOS] Help: Server security compromised?
On Thu, Aug 7, 2008 at 11:53 PM, Ray Leventhal [EMAIL PROTECTED] wrote:

> My US$0.02 on this. I'm a fan of apf as a front-end to iptables... but it takes some reading to understand the switches and the entire RAB (reactive address blocking) configuration options. Sadly, RAB is poorly documented, but with a bit of tinkering, I've enjoyed this feature tremendously as it cuts down on the hammering I used to get to port 22 by the bots and script kiddies.

Sad to say my usual tasks keep me sufficiently occupied that I hardly have the time to study what APF actually does. It came with the ELS (Easy Linux Security) scripts with directadmin, sounded like A Good Idea (tm), so I just installed it. Personally I'm aghast at the manner in which I'm running the server, but practically there is only that much time I can devote to being the server admin.

> If you've a static IP at your workstation, add your IP address to the apf nicely formed 'allow_hosts.rules' file, usually located in /etc/apf. This is a simple IP address or IP block list (using slash notation, i.e. 192.168.1.0/24) to allow access to an IP or range of IPs. Further, the deny_hosts.rules list is the same format for hosts to always deny.

I had considered this "allow only x.x.x.x" IP strategy very early on since it appeared to be an obvious way to head off attacks/probes from external parties. Unfortunately, like most folks, I'm on a dynamic IP. My primary role also requires me to run around very often, necessitating urgent administration from a variety of potential sub-networks from whichever ISP happens to be providing access at the location. So I figured it would be quite impractical to attempt to limit access to only certain IP addresses.

Although thinking about it now, extending the concept from a previous suggestion, I suppose it is theoretically possible to write a privileged script accessible from one of the server-hosted domains to activate an allow-host rule addition to the firewall, and a cronjob that routinely activates another script to remove added hosts after 1 hour or something. So any time access is needed, I would hit the website to activate the script to open up SSH access to the IP I am using at the moment and then SSH in. But of course, easier said than done, since I barely know shell scripting and allowing exec in PHP has always been met with a big frown personally. :D

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
RE: [CentOS] Help: Server security compromised?
From: [EMAIL PROTECTED] On Behalf Of Noob Centos Admin
Sent: Thursday, August 07, 2008 5:17 AM
To: CentOS mailing list
Subject: Re: [CentOS] Help: Server security compromised?

> On Thu, Aug 7, 2008 at 1:54 AM, Sorin Srbu [EMAIL PROTECTED] wrote:
>
> > Seen this? http://www.askbjoernhansen.com/2007/09/18/safely_change_firewall_rules_remotely.html
>
> Unfortunately, only after you pointed it out :( But thankfully whoever wrote APF apparently knows this, hence it does insert an automatic reset of the firewall after 5 minutes.

No worries, we've all been there at one time or another. Consider it a learning experience. 8-)
Re: [CentOS] Help: Server security compromised?
Noob Centos Admin wrote:
> On Thu, Aug 7, 2008 at 1:54 AM, Sorin Srbu [EMAIL PROTECTED] wrote:
>
> > Seen this? http://www.askbjoernhansen.com/2007/09/18/safely_change_firewall_rules_remotely.html
>
> Unfortunately, only after you pointed it out :( But thankfully whoever wrote APF apparently knows this, hence it does insert an automatic reset of the firewall after 5 minutes

Hi,

My US$0.02 on this. I'm a fan of apf as a front-end to iptables... but it takes some reading to understand the switches and the entire RAB (reactive address blocking) configuration options. Sadly, RAB is poorly documented, but with a bit of tinkering, I've enjoyed this feature tremendously as it cuts down on the hammering I used to get to port 22 by the bots and script kiddies.

If you've a static IP at your workstation, add your IP address to the apf nicely formed 'allow_hosts.rules' file, usually located in /etc/apf. This is a simple IP address or IP block list (using slash notation, i.e. 192.168.1.0/24) to allow access to an IP or range of IPs. Further, the deny_hosts.rules list is the same format for hosts to always deny.

    /usr/local/sbin/apf -a ip address || ip block

will add to the allow list *and* flush and reload the iptables back-end so you don't have to restart apf. Likewise

    /usr/local/sbin/apf -d ip address || ip block

will add to the deny list *and* flush and reload the iptables back-end so you don't have to restart apf.

Once the firewall is configured properly, set DEVEL to 0 in the conf.apf file, then restart apf. The authors rightly include DEVEL mode, which crons a shutdown every 5 mins so you're not locked out for long. Trust me, I've been bitten by this (more than I care to admit).

There are other CLI switches, all well documented on the apf site (http://rfxnetworks.com/apf.php) and in http://rfxnetworks.com/appdocs/README.apf

HTH,
-Ray
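Ray's description of allow_hosts.rules (one address or CIDR block per line) and the earlier idea of opening SSH for the current address and having cron drop it an hour later fit together as a small lease script. The following is an added example, not apf's own code and not anything posted in the thread: it validates the address before it touches the rules file, records an expiry in a ledger of its own, and lets a cron job prune expired leases. APF_DIR, the ledger file name and the function names are this script's assumptions; apf's usual directory is /etc/apf, but APF_DIR defaults to a temporary directory so the script runs on a machine without apf. Restarting apf after the edit is left to the caller.

```bash
#!/bin/sh
# Added example, not apf's own code: time-limited entries for an apf-style
# allow_hosts.rules (the "open for an hour, then drop it" idea from the thread).
# Assumes the rules file is one address or CIDR block per line, as described
# above, and lives in APF_DIR (apf's usual /etc/apf); the lease ledger next to
# it is this script's own bookkeeping, not an apf file. APF_DIR defaults to a
# temp dir so the script runs without apf installed. Restarting apf after the
# edit is left to the caller.

APF_DIR="${APF_DIR:-$(mktemp -d)}"
ALLOW="$APF_DIR/allow_hosts.rules"
LEDGER="$APF_DIR/allow_temp.ledger"

# Accept only a dotted-quad address or CIDR block; anything else is refused
# before it can land in a file that feeds iptables.
valid_cidr() {
    addr=${1%/*}; pfx=${1#*/}
    [ "$pfx" = "$1" ] && pfx=32            # no slash: a single host
    printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    printf '%s\n' "$pfx" | grep -Eq '^[0-9]{1,2}$' || return 1
    [ "$pfx" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    for octet in $addr; do
        [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
}

# Lease an address for $2 seconds (default 3600): append it to the rules file
# and record the expiry epoch in the ledger.
allow_temp() {
    valid_cidr "$1" || { echo "refusing invalid address: $1" >&2; return 1; }
    expiry=$(( $(date +%s) + ${2:-3600} ))
    printf '%s\n' "$1" >> "$ALLOW"
    printf '%s %s\n' "$1" "$expiry" >> "$LEDGER"
}

# Cron target: drop every lease whose expiry has passed, removing exactly that
# line from the rules file. Permanent entries have no ledger row and stay, unless
# they are textually identical to an expired lease. Prints the number removed.
prune_expired() {
    now=$(date +%s); removed=0
    [ -f "$LEDGER" ] || { echo 0; return 0; }
    keep=$(mktemp)
    while read -r cidr expiry; do
        if [ "$expiry" -le "$now" ]; then
            grep -vxF -- "$cidr" "$ALLOW" > "$ALLOW.tmp" || true   # grep exits 1 when nothing is left
            mv "$ALLOW.tmp" "$ALLOW"
            removed=$((removed + 1))
        else
            printf '%s %s\n' "$cidr" "$expiry" >> "$keep"
        fi
    done < "$LEDGER"
    mv "$keep" "$LEDGER"
    echo "$removed"
}

# Demo on the temp directory (constructed data): a permanent entry plus one
# one-second lease and one hour-long lease.
printf '%s\n' 192.168.1.0/24 >> "$ALLOW"
allow_temp 203.0.113.7 1
allow_temp 203.0.113.8 3600
echo "rules file $ALLOW now holds $(wc -l < "$ALLOW") entries"
```

A cron line such as `*/5 * * * * APF_DIR=/etc/apf /usr/local/sbin/allow_lease.sh prune` (path assumed) would call prune_expired; the validation step matters because whatever hands the address to allow_temp, a web form included, must never be able to place anything but an address in a file that becomes firewall rules.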
Re: [CentOS] Help: Server security compromised?
Bent Terp wrote:
> On Wed, Aug 6, 2008 at 7:48 AM, Noob Centos Admin [EMAIL PROTECTED] wrote:
> > /sbin/iptables -A RH-Firewall-1-INPUT -s 219.64.114.52 -j DROP
>
> I'd recommend you add the extra rules by editing /etc/sysconfig/iptables instead. At least that way you can be sure they'll survive restarts of iptables.

I rather prefer to add rules using the command and then issuing "service iptables save" when I'm adding one or two simple rules. If completely redesigning the firewall or adding in many complex rules, then I edit the iptables file.

--
Cheers,
Morten
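Both ways of persisting the block, live rule plus "service iptables save" and a direct edit of /etc/sysconfig/iptables, are shown in the added example below; it is not code from the thread. One caveat worth seeing in code: in the stock CentOS 5 ruleset the RH-Firewall-1-INPUT chain ends in a REJECT, so a DROP appended with -A lands after that REJECT and never matches a new connection, whereas -I places it at the head of the chain. The sample /etc/sysconfig/iptables content is constructed to resemble that stock layout; IPT_FILE, DRY_RUN and the function names are assumptions of this script, and with DRY_RUN left at 1 the privileged commands are printed rather than run.

```bash
#!/bin/sh
# Added example, not from the thread: persist a source-address DROP the two ways
# discussed (live rule + "service iptables save", or editing the saved ruleset).
# Assumes the stock CentOS 5 layout with a RH-Firewall-1-INPUT chain that ends
# in a REJECT. IPT_FILE and DRY_RUN are knobs of this script only; with no
# IPT_FILE set it works on a constructed sample file so it runs without root.

DRY_RUN="${DRY_RUN:-1}"   # 1 = print the privileged commands instead of running them

if [ -z "${IPT_FILE:-}" ]; then
    IPT_FILE=$(mktemp)
    cat > "$IPT_FILE" <<'EOF'
# Constructed sample resembling a stock CentOS 5 /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
fi

# Run a privileged command, or just show it in dry-run mode.
run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Only accept a dotted-quad address or CIDR block before it touches any rule.
addr_ok() { printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'; }

# The rule in iptables-save syntax (what "service iptables save" would write).
block_rule() { printf '%s' "-A RH-Firewall-1-INPUT -s $1 -j DROP"; }

# (a) Live change, then persist. -I puts the DROP at the head of the chain;
# -A would append it after the final REJECT, where it never matches.
block_live() {
    addr_ok "$1" || { echo "bad address: $1" >&2; return 1; }
    run /sbin/iptables -I RH-Firewall-1-INPUT -s "$1" -j DROP &&
    run service iptables save
}

# (b) Edit the saved ruleset: insert before the chain's first rule, then reload.
block_persisted() {
    addr_ok "$1" || { echo "bad address: $1" >&2; return 1; }
    rule=$(block_rule "$1")
    if grep -qxF -- "$rule" "$IPT_FILE"; then echo "already present: $rule"; return 0; fi
    awk -v rule="$rule" '
        !done && /^-A RH-Firewall-1-INPUT/ { print rule; done = 1 }
        { print }
    ' "$IPT_FILE" > "$IPT_FILE.new" && mv "$IPT_FILE.new" "$IPT_FILE" || return 1
    run service iptables restart
}

# Line number of the first line containing a fixed string (0 if absent); used to
# check that the DROP lands ahead of the chain's REJECT.
line_of() {
    n=$(grep -nF -- "$1" "$IPT_FILE" | head -n 1 | cut -d: -f1)
    echo "${n:-0}"
}

block_live 219.64.114.52
block_persisted 219.64.114.52
echo "DROP at line $(line_of "$(block_rule 219.64.114.52)"), REJECT at line $(line_of icmp-host-prohibited)"
```

Running it with IPT_FILE=/etc/sysconfig/iptables and DRY_RUN=0 as root performs the real edit and restart; the dry run first lets you read the exact commands and the resulting file before any rule goes live.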
RE: [CentOS] Help: Server security compromised?
If the server is not compromised, just edit the smtp configs to deny acceptance from that ip block.

Why doesn't the server have an ILO port or something to that effect?

- rh
Re: [CentOS] Help: Server security compromised?
On Wed, Aug 6, 2008 at 3:06 PM, Bent Terp [EMAIL PROTECTED] wrote:
> On Wed, Aug 6, 2008 at 8:29 AM, Noob Centos Admin [EMAIL PROTECTED] wrote:
> > Since I followed some of the rules about SSH and used a non-standard port for SSH and disabled SSHD listening on the default port 22, I've no way back
>
> IMNSHO that's not particularly effective - much better to set up SSH keys and either set 'PermitRootLogin without-password' in /etc/ssh/sshd_config; or set 'PermitRootLogin no', and then su or sudo from your regular user - I know the latter IS more secure, but it's also more annoying to work with

I did that too, no root login and every time I have to su from a normal user. It is a pain to work with, especially having to use full pathnames for commands instead of, say, just doing a "service httpd restart". But I figured it was better safe than sorry, and as well as I can do since I could not figure out how to properly create a self-signed SSL cert.

> Remember to reinstall from scratch if your server has been compromised - there are thousands of dark dusty corners for the bugs to hide, once they're inside, so don't expect to be able to flush them out.

Well, the thing is I'm not sure if it's compromised, since now it became obvious that iptables is just being reset by the apf settings.. which is at the moment a good thing since on reboot, apf re-added the lines to disable the firewall every 5 minutes so I'm able to get back into the server. Now I just have to figure out where exactly I can add the block for the offending VNSL IP address and have it work without choking up. However, I decided to try whatever it is on Saturday so clients won't be hopping mad about why everything's dead.
Re: [CentOS] Help: Server security compromised?
On Wed, 2008-08-06 at 15:14 +0800, Noob Centos Admin wrote:
> .. snip
> I did that too, no root login and every time I have to su from a normal user. It is a pain to work with, especially having to use full pathnames for commands instead of, say, just doing a "service httpd restart".

If you use "su" only, you assume root privileges without the root environment. Rather do "su -", which gives you the full root environment, including path. The same holds for other users, i.e. "su - joe" switches to the user joe with the full environment.
Re: [CentOS] Help: Server security compromised?
Hi,

On Wed, Aug 6, 2008 at 3:07 PM, Robert - elists [EMAIL PROTECTED] wrote:
> If server is not compromised, just edit the smtp configs to deny acceptance from that ip block

The EXIM configurations are even more nightmarish than iptables, which at least made some sort of sense. I've been plugging the ip address into the various bad_sender, bad_host etc. files in the exim configuration directory but it's still not ignoring it. The EXIM smtp/MTA will still accept the connection, then check and realize hey, something's not quite right, then issue a reject before the VNSL machine terminates the connection. So the server's still wasting resources handling tens of thousands of such transactions and chewing up log space at the same time. Hence I have to resort to just blocking from iptables.

Of course, it could very well be my own admitted incompetence that I'm doing something wrong here so Exim is not working the way I expect. I'm very very wary about messing any deeper with the mail settings, because a server that's obviously dead to the world is much easier to notice than client emails mysteriously disappearing for days due to bad config before they realize it.

> Why doesn't the server have an ILO port or something to that effect?

Well, my boss's a cheapskate and his clients are cheapskates, so a couple of years back I was assigned the server administration job on top of my regular day role to set up the server with OTS parts. Hence the half-baked setup based on a tight budget and whatever information I can glean from the internet and the good folks on forums and mailing lists. So for the ILO? Well, only today did the term enter my mind. Although I did vaguely remember suggestions for a remote reboot button, it was beyond my know-how to set up.
Re: [CentOS] Help: Server security compromised?
Hi,

> If you use "su" only, you assume root privileges without the root environment. Rather do "su -", which gives you the full root environment, including path. The same holds for other users, i.e. "su - joe" switches to the user joe with the full environment.

Thanks a million for that! Going to save me a ton of time issuing the whereis command to find commands when I need to follow instructions off a website!
Re: [CentOS] Help: Server security compromised?
Hi,

The more completely you lock down a server, the harder it will be for you to do some useful work on it. These matters require a balance between security and ease-of-use for the admins. It's especially important not to cut your bridges when administering a remote server.

Despite many people advising to use keys and change ports etc. etc., you really only need to do 3 things to stop dead any unauthorised SSH logins:

1. prevent direct root logins
2. create a user account (just for SSH logins) with an unusual name and give that account a very good password (20 character alphanumeric). Only allow that user to login via SSH.
3. give root a password of similar complexity.

Doing just these three will ensure that not only will no-one ever be likely to get in via SSH, but you will be able to SSH in from anywhere from any computer.

Furthermore, when doing any work with firewalls or ssh on a remote server, you must *always* have more than one SSH shell open. Don't close the last shell until you have tested your changes and are confident you won't lock yourself out.
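Points 1 and 2 above are settings in /etc/ssh/sshd_config (PermitRootLogin and AllowUsers), so they can be checked rather than remembered. The following audit script is an added example, not the poster's code: it reads the effective global value of each keyword the way sshd does (first occurrence wins, keywords are case-insensitive, anything after a Match line is conditional and is ignored here) and reports a FAIL for a missing or weak setting. SSHD_CONFIG, the sample file content and the function names are assumptions of this script; the sample is constructed, not any real host's configuration, and the account name in it is made up.

```bash
#!/bin/sh
# Added example, not from the thread: audit an sshd_config against points 1 and 2
# above (no direct root login; a dedicated, oddly named account as the only SSH
# user). Assumes OpenSSH's sshd_config keywords PermitRootLogin and AllowUsers
# in "Keyword value" form. SSHD_CONFIG is a knob of this script; left unset, it
# points at a constructed sample so the check runs on any machine.

if [ -z "${SSHD_CONFIG:-}" ]; then
    SSHD_CONFIG=$(mktemp)
    cat > "$SSHD_CONFIG" <<'EOF'
# Constructed sample sshd_config (not any real host's file)
Port 22
Protocol 2
#PermitRootLogin yes
PermitRootLogin no
AllowUsers qx7adminz
Match Address 192.168.1.0/24
    PermitRootLogin yes
EOF
fi

# Effective global value of a keyword: sshd takes the first occurrence, keywords
# are case-insensitive, and anything after the first Match line is conditional,
# so the scan stops there.
sshd_opt() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$SSHD_CONFIG"
}

# Exit 0 when both checks pass; print one line per finding.
check_sshd() {
    rc=0
    root=$(sshd_opt PermitRootLogin)
    case $root in
        no) echo "OK   PermitRootLogin no" ;;
        without-password|prohibit-password)
            echo "WARN PermitRootLogin $root: root is still reachable with a key" ;;
        *) echo "FAIL PermitRootLogin is '${root:-unset}'"; rc=1 ;;
    esac
    users=$(sshd_opt AllowUsers)
    if [ -z "$users" ]; then
        echo "FAIL AllowUsers unset: every local account may attempt an SSH login"; rc=1
    else
        echo "OK   AllowUsers $users"
        for u in $users; do
            case $u in root|admin|administrator|centos)
                echo "WARN AllowUsers includes a guessable name: $u" ;;
            esac
        done
    fi
    return $rc
}

check_sshd
```

After changing sshd_config on a real host, `sshd -t` validates the file before a restart, and the second-shell rule from the post applies: restart sshd from one session and log in fresh from another before closing the first.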
RE: [CentOS] Help: Server security compromised?
A possible remote reboot can be set up from an obscure web page URL on that server to a privileged script that is password protected.

Inexpensive reset button.

- rh
Re: [CentOS] Help: Server security compromised?
Thanks Steward and Robert for those suggestions, they make plenty of sense!

About the two SSH terminals: if I activate a wrong firewall change that blocks the SSH port, would it not also terminate the existing terminals since new packets going in would be rejected, or does it not affect already established TCP connections?

Probably also going to make a script to shut down the firewall as well as one for reboot. Since so far all 3 times my noobness involved firewalling myself out, although in a slightly different way each time!
RE: [CentOS] Help: Server security compromised?
From: [EMAIL PROTECTED] On Behalf Of Noob Centos Admin
Sent: Wednesday, August 06, 2008 5:31 PM
To: CentOS mailing list
Subject: Re: [CentOS] Help: Server security compromised?

> Thanks Steward and Robert for those suggestions, they make plenty of sense!
>
> About the two SSH terminals: if I activate a wrong firewall change that blocks the SSH port, would it not also terminate the existing terminals since new packets going in would be rejected, or does it not affect already established TCP connections?
>
> Probably also going to make a script to shut down the firewall as well as one for reboot. Since so far all 3 times my noobness involved firewalling myself out, although in a slightly different way each time!

Seen this? http://www.askbjoernhansen.com/2007/09/18/safely_change_firewall_rules_remotely.html
Re: [CentOS] Help: Server security compromised?
On Thu, Aug 7, 2008 at 1:54 AM, Sorin Srbu [EMAIL PROTECTED] wrote:
> Seen this? http://www.askbjoernhansen.com/2007/09/18/safely_change_firewall_rules_remotely.html

Unfortunately, only after you pointed it out :( But thankfully whoever wrote APF apparently knows this, hence it does insert an automatic reset of the firewall after 5 minutes.
Re: [CentOS] Help: Server security compromised?
> About the two SSH terminals: if I activate a wrong firewall change that blocks the SSH port, would it not also terminate the existing terminals since new packets going in would be rejected, or does it not affect already established TCP connections?

It depends upon what you are doing and in which order you do it. Unfortunately, I'm not an expert in iptables - I refuse to spend time learning more than the basics on it, since I don't like it. IMO the structure and rules are byzantine and unnecessarily flexible/complex, so when fiddling about with the firewall, usually it's just simple commands to open/close ports or do connection limiting/throttling, and I don't ever touch port 22.

FWIW, when doing a complex task, instead of typing in commands in a terminal, I begin writing a script to do those commands. At the very same time I develop a 'rollback' script to undo those commands in case of error. Experimenting on a CentOS 5.2 server to which I have console access, upon an error condition I then modify the script, play the 'rollback' script, and reissue the script. So gradually the script and its 'antidote' are built to where I'm satisfied they work. Then and only then do I use that script on production and remote servers which are also running CentOS 5.2.

The only problem with my method is that getting these scripts to be 100% correct even in the face of malevolent conditions such as DNS timeouts and hardware errors makes them 2-3 times as long and yukky and hard to read.
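The script-plus-rollback habit described above, apf's DEVEL-mode reset, and the linked article are the same pattern: snapshot the ruleset, arm a timer that restores it, make the change, and disarm the timer only after a fresh login proves the change works. The added example below implements that pattern as shell functions; it is not code from the thread or from apf. On the earlier question about open sessions: an existing SSH session survives a new DROP or REJECT only if an ESTABLISHED,RELATED accept rule sits above it in the chain (as it does in the stock CentOS chain), and the timer does not depend on that. SAVE_CMD, RESTORE_CMD, STATE_DIR and the function names are assumptions of this script; the defaults are iptables-save and iptables-restore, and the test swaps in shell functions that read and write a plain file so the logic runs without root.

```bash
#!/bin/sh
# Added example, not the thread's code: apply a firewall change under a timed
# rollback, the idea behind apf's DEVEL-mode reset and the linked article. The
# current ruleset is snapshotted and a background timer restores it unless the
# operator confirms from a *new* SSH session within the window. SAVE_CMD,
# RESTORE_CMD and STATE_DIR are knobs of this script (defaults: iptables-save,
# iptables-restore, a temp dir); tests can point the first two at shell
# functions that read and write a plain file, so the logic runs without root.

SAVE_CMD="${SAVE_CMD:-iptables-save}"
RESTORE_CMD="${RESTORE_CMD:-iptables-restore}"
STATE_DIR="${STATE_DIR:-$(mktemp -d)}"
SNAPSHOT="$STATE_DIR/rules.before"
PIDFILE="$STATE_DIR/watchdog.pid"

# Step 1: snapshot the live ruleset and arm a timer that restores it after $1
# seconds. The timer is a background subshell; its PID is kept for step 2.
arm_rollback() {
    $SAVE_CMD > "$SNAPSHOT" || return 1
    ( sleep "$1" && $RESTORE_CMD < "$SNAPSHOT"; rm -f "$PIDFILE" ) &
    echo $! > "$PIDFILE"
}

# Step 2 (from a fresh session that proves the change works): disarm the timer.
# Killing the subshell while it sleeps means the restore never runs.
confirm_change() {
    [ -f "$PIDFILE" ] || { echo "no rollback armed" >&2; return 1; }
    pid=$(cat "$PIDFILE")
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    rm -f "$PIDFILE"
}

# Is a rollback still pending? (true until it fires or is confirmed away)
rollback_pending() { [ -f "$PIDFILE" ]; }

# Stand-alone use on a real host, as root (example session, not executed here):
#   arm_rollback 300
#   iptables -I RH-Firewall-1-INPUT -s 203.0.113.9 -j DROP   # the risky change
#   # open a NEW ssh session; if it works run confirm_change, otherwise just wait
[ "$(id -u)" -eq 0 ] || echo "not root: set SAVE_CMD/RESTORE_CMD to exercise the logic without iptables"
```

The window should be long enough to open a second session and check it, and short enough that a mistake costs minutes rather than a trip to the data centre; apf's five minutes is a reasonable default. Keep the first shell open throughout, as the earlier post advises.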