Tag Archives: secure linux

So many people are getting their own dedicated servers but are completely clueless about security. Usually they leave it up to the company where they purchase it or hire someone. That’s fine but make sure you have these 10 items covered.

1) Use a Firewall
Make absolutely sure that your server has a firewall running all the time. A firewall is like a screen door to your porch: it blocks out flies, rodents and other pests, but you can still walk out and use your BBQ. If someone ever gets into your server, which is very likely, the first thing they will try to do is upload something to start a daemon or their own service, such as an IRC server, or use a port to launch attacks against other systems. A firewall with both ingress and egress filtering can stop incoming and outgoing attacks even when you're not aware of them. We recommend using APF on Linux systems or TinyFirewall on Windows servers. These are software firewalls, so there's no extra monthly cost as with a hardware firewall. For very busy systems a hardware firewall is recommended, so the filtering work does not burden your server's CPU, RAM and other resources.

Know what ports are open and why, and know how to block and unblock an IP address. These are basic things you need to understand for the daily security of your system. If someone at an IP address begins a brute-force attack, you want to know how to stop them right away. See also: Installing APF Firewall, Preventing Brute Force Attacks, Installing KISS Firewall.

2) Update your kernel and OS
Make sure your server is using current, updated software. Use the stable version, which has been tested far more than any beta, and update as soon as possible. An old kernel makes your server an easy target. If you're not sure, ask your provider for the latest update.

3) Monitor Logs
Do you know which logs record which activities? How often are they updated and rotated?
LogWatch is a great tool that emails you a daily report of anything in your system's activity it determines unusual, e.g. repeated failed logins. Besides using it you should check your logs manually to see what's up: tail -f /var/log/messages, and view your Apache logs as well. See also: Apache Log Files Explained.
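The repeated-failed-login check LogWatch does can be reproduced by hand. This is an added example, not part of the original post: a small shell function that counts sshd "Failed password" entries per source address and lists those at or above a threshold, run here over a constructed sample log.

```shell
#!/bin/sh
# Added example (not from the original post): count "Failed password" entries
# per source IP in sshd log lines read on stdin and list every IP that reaches
# the threshold. On a real server feed it /var/log/secure or /var/log/auth.log.
failed_login_report() {
    min="${1:-5}"
    awk -v min="$min" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the field right after the word "from"
            for (i = 1; i < NF; i++)
                if ($i == "from") fails[$(i + 1)]++
        }
        END {
            for (ip in fails)
                if (fails[ip] >= min) printf "%s %d\n", ip, fails[ip]
        }' | sort -k2,2nr -k1,1
}

# Constructed sample log (RFC 5737 documentation addresses, not a real host).
SAMPLE_AUTH_LOG='Mar  3 10:01:02 web1 sshd[2011]: Failed password for root from 198.51.100.7 port 40122 ssh2
Mar  3 10:01:04 web1 sshd[2011]: Failed password for root from 198.51.100.7 port 40123 ssh2
Mar  3 10:01:05 web1 sshd[2013]: Failed password for invalid user admin from 198.51.100.7 port 40125 ssh2
Mar  3 10:01:07 web1 sshd[2015]: Failed password for root from 198.51.100.7 port 40130 ssh2
Mar  3 10:01:09 web1 sshd[2017]: Failed password for root from 198.51.100.7 port 40131 ssh2
Mar  3 10:02:00 web1 sshd[2020]: Accepted publickey for alice from 192.0.2.10 port 51000 ssh2
Mar  3 10:05:12 web1 sshd[2031]: Failed password for bob from 192.0.2.10 port 51002 ssh2'

# Every address printed here is a candidate for your firewall's block list.
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_login_report 5
```

Lowering the threshold to 1 also lists the single failure from 192.0.2.10, which a sane policy would ignore.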

4) Backups
I still don't understand why nobody backs up their data. If you spend hundreds of hours working on your website or application, then you absolutely must have a second hard drive for backups, use a remote backup system, or a combination of the two. See also: Second Hard Drive Means Life or Death.

5) Limit Access to a Minimum
Do not give users more access than the absolute minimum they require. Never give them shell access, restrict file access to a bare minimum, and leave other services turned off by default until they are specifically requested and you have determined that it's safe to enable them.

6) Lock down PHP and use Mod_Security with Apache
PHP is a large security risk, but there are a few things you can do to lock it down. CGI has suexec, which runs processes as the owning user, and PHP has something similar called phpsuexec, though it has a few drawbacks. You should also use open_basedir protection, have safe_mode on system-wide, and turn off register_globals, enable_dl and allow_url_fopen to lock things down further.

You can get server-wide protection with mod_security, a web server filter that watches every request, checks whether it matches a rule, and reacts by logging it, denying it, or taking other actions. I highly recommend it on Apache-based servers; it can be extremely useful in blocking attacks and stopping hackers before they do any damage. See also: Securing Safe Mode, Installing Mod_Security.

7) Lock /tmp /var/tmp and /dev/shm partitions
On Linux each partition can have its own access restrictions. Since /tmp, /var/tmp and /dev/shm are world-writable directories, they're often home to uploads, session storage and hacker executables. Because anyone can read, write and execute anything in these directories, they are a major security concern. With /etc/fstab, however, you can limit what can be done in these locations. If you see defaults beside the /tmp line, remove it and replace it with noexec,nosuid; this stops any executable from being run from there. Do the same for /dev/shm, and make /var/tmp a shortcut (symbolic link) to /tmp. See also: Securing Your TMP Partition.
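A quick way to verify the fstab change is to parse the file for the three mount points and check their options. This is an added example, not from the original post: the function reads fstab-formatted text on stdin and is run here against a constructed weak entry set and its hardened counterpart.

```shell
#!/bin/sh
# Added example (not from the original post): read fstab-formatted text on
# stdin and report whether /tmp, /var/tmp and /dev/shm carry noexec and nosuid.
# Run against the live file with:   check_tmp_mounts < /etc/fstab
check_tmp_mounts() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }      # skip comments and blank lines
        $2 == "/tmp" || $2 == "/var/tmp" || $2 == "/dev/shm" {
            seen[$2] = 1
            for (k in have) delete have[k]
            n = split($4, opts, ",")             # 4th column = mount options
            for (i = 1; i <= n; i++) have[opts[i]] = 1
            missing = ""
            if (!("noexec" in have)) missing = missing " noexec"
            if (!("nosuid" in have)) missing = missing " nosuid"
            if (missing == "") printf "%s OK\n", $2
            else printf "%s MISSING%s\n", $2, missing
        }
        END {
            # No entry means the directory sits on / and inherits its options.
            # /var/tmp is expected to be a symlink to /tmp, so it is not required.
            if (!("/tmp" in seen)) print "/tmp NOT-A-SEPARATE-MOUNT"
            if (!("/dev/shm" in seen)) print "/dev/shm NOT-A-SEPARATE-MOUNT"
        }'
}

# Constructed samples: the "defaults" entries the post warns about, and the fix.
WEAK_FSTAB='/dev/sda1   /          ext3   defaults        1 1
/dev/sda2   /tmp       ext3   defaults        1 2
tmpfs       /dev/shm   tmpfs  defaults        0 0'

HARDENED_FSTAB='/dev/sda1   /          ext3   defaults        1 1
/dev/sda2   /tmp       ext3   noexec,nosuid   1 2
tmpfs       /dev/shm   tmpfs  noexec,nosuid   0 0'

printf '%s\n' "$WEAK_FSTAB" | check_tmp_mounts
printf '%s\n' "$HARDENED_FSTAB" | check_tmp_mounts
```

The check reads fstab only; after editing the file, remount (or reboot) and confirm the live options with mount before trusting the result.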

8) Intrusion Detection System (IDS)
An intrusion detection system, or IDS, is like a burglar alarm on your server. It keeps a record of which files were changed and when, and alerts you to anything new or altered. This is critical because hackers usually try to replace binaries like ps, top, netstat and others, so that when you run the replaced ps or top to see what is running, it actually HIDES their software; even though it's running, it won't show up. Some IDS tools include Tripwire, Snort and AIDE. See also: Installing Chkrootkit.

9) Review Processes Running and Remove Extra Software
You can't protect a system if you don't know what's on it. If a hacker adds an extra process, it will show up in ps, but you won't notice it unless you know what should normally be there. Know what runs on your system, why, and under which user. How do Perl or Apache run, under which user? You can check your processes with top, or with ps auxfww, which gives you a tree view. Check these every time you log in to your server. See also: Getting Started with Shell (SSH), Common Shell Commands.

10) Keep an Eye on the Server's Performance
Know what speed your server normally runs at and how much bandwidth it uses on a daily basis. If an attacker compromises your system without your knowledge, you'll probably notice the system responding slowly or using a lot of bandwidth. If you don't know what your system is usually like, how will you notice something out of the ordinary? This is all common sense, but some people never bother to check until they ask their provider after the system has been slow for 2 weeks; it's usually too late by then. See also: Server Loads Explained.

Knowing your system keeps you one step ahead of an intruder. Check it often and ask an expert if you're ever in over your head. There are MANY other things you can and should do to ensure your server is secure, but these are a few basics that everyone should use.

Switching to Linux can be very daunting; most seasoned Linux users experienced that first hand. After all, at some point they were also "noobs". However, the Linux community has excelled in making the switch as easy as possible for beginners by providing guides, howtos, tweaks, and general advocacy articles. When I first made the switch 3 years ago, I found the community welcoming me with open arms on forums, IRC channels, and e-mail; I was surprised how helpful these penguins were!

For this, I feel obliged to give back to the community that has always been there for me, and to pass the torch to newer Linux generations. Here I have compiled a list of 7 habits that I wish someone had told me about when I started out. I believe that getting into these habits will make the Linux experience more secure, convenient, educational, and ultimately more enjoyable.

1-Never Login Using ‘root’ GUI

If there is one habit that you should strictly abide by, it's probably this one. Most of us come from a Windows background, and we have the notion that more power is better, so we log in using our administrator accounts. Well, let me tell you, my friend, that this is a major reason Windows is plagued with viruses and insecurities: half the world is currently running 'root' accounts!

With great power comes great responsibility, and with 'root' powers you should be aware of the consequences of EVERYTHING you're doing, and even then, mistakes happen. I remember my beginnings with SUSE Linux: there were lots of administrative tasks I needed to do but had no idea how to go about them without the GUI, so I innocently logged out and logged in to the 'root' GUI. The default wallpaper of the 'root' GUI on SUSE was lit-fuse bombs tiled beside each other. Back then, the symbolism totally flew over my head; coming from a Windows background, I wasn't really doing anything wrong.

But what are the dangers of logging in as root?

  1. Well, imagine you're on the trapeze without a safety net, frightening isn't it? That's effectively what you are doing when you log in as root: you can inadvertently hose your whole system
  2. You are at risk of running malware. Any program that is started under root will automatically be given root privileges
  3. If there is a common security hole that hasn't been patched yet, you could be totally "pwned"
  4. It's common Unix convention: never run anything as root unless absolutely necessary. If a non-admin program asks for root access, you should be suspicious

Generally, instead of logging in to your root GUI, use one of the following techniques:

  • Use "sudo" or "su", and end the session when you're done
  • If you don't know how to do it on the command line, use "gksu" or "kdesu". For example, press alt+f2 and type "gksu nautilus". Close the app as soon as you finish

2-Properly Name Your Files

In a Linux environment, you can name your files whatever you want except for 1) the forward slash "/", which is reserved for the root directory, and 2) the null character. Anything else is technically acceptable; however, there are some best practices you should abide by in order to avoid future complications:

  • As a rule of thumb, only use alphanumeric characters, hyphens, periods, and underscores
  • Avoid special symbols like dollar signs, brackets, and percent signs. These symbols have special meanings to the shell and could cause conflicts
  • Avoid using spaces; handling files with spaces in the terminal is kind of awkward. Replace spaces with either hyphens or underscores

I personally have grown into this habit; I find myself following these guidelines even in a Windows or Mac environment.

3-Place /home on a Different Partition

Doing this gives you extreme flexibility, of a kind you never imagined before. Having /home on a separate partition enables you to reinstall your system, or even change your whole distro, without losing your data and personal settings. Just keep the "/home" partition intact and reinstall whatever you want on "/". Now you can try out distros as much as you want without worrying about your data and personal settings; they go with you on the go ;).

If you weren't lucky enough to know this before installing your system, do not despair! Carthik from Ubuntu Blog takes you through a step-by-step guide titled "Move /home to it's own partition".

4-Proper Crash Management

Linux is very robust and stable; however, every system can be brought to its knees every once in a while. Before you reach for CTRL-ALT-DEL, the restart button, or the plug, you should know how to properly handle a crash. As opposed to another unnamed operating system, you should be able to recover your system easily without actually restarting! I personally go through different levels; if one doesn't work I escalate to the next step:

  1. I have the "force quit" applet on my taskbar; if any app starts to act up, just click on the "force quit" icon and then kill the app
  2. If that doesn't work, bring up a terminal and type "ps -A", take note of the Process ID (PID) of the culprit app, then kill it: "kill PID"
  3. Use the "killall" command, for example "killall firefox-bin"
  4. If your whole GUI is frozen and bringing up a terminal is impossible, press CTRL-ALT-F1; this will take you to another terminal, virtually a whole new session. From there kill the culprit app using steps 2 and 3.
  5. If that doesn't work, you might want to restart your GUI using the CTRL-ALT-Backspace combo. Beware that this will kill all the GUI apps you currently have running
  6. Invoke CTRL-ALT-F1 and do CTRL+ALT+DEL from there. This will not instantly reset your system, merely perform a standard reboot; it's safe. (Assuming you want to restart and CTRL-ALT-F1 works)
  7. Finally, if nothing works, don't rush to the hard reset button; try to Raise a Skinny Elephant

5-Play The Field

You were probably recruited to your current distro by a friend; it suited you, and you stuck with it. That's great, but there is probably something better for you out there. Why not harness the flexibility and richness of Linux and Open Source? Don't be afraid to experiment with different distros, apps, window managers, and desktops. Experiment until you find the best fit. Think of it this way: if you are currently living in the best place on earth for you, traveling around the world wouldn't really hurt, right? In fact you might find a better place to live, but if you didn't, the time you spent traveling would not have gone to waste; you would have learned a lot about other countries, other people and traditions, and different ways of thinking, and ultimately had fun!

Every new thing you try out will contribute to your incremental learning; in a year's time you will have a good grasp of Linux and the Open Source world. I personally tried out at least 10 distros, 4 desktops, and 5 window managers. My recent article Etymology of A Distro got me interested in a couple more distros such as Zenwalk, Foresight, and Sabayon. Play the field, my friend, it will do you good.

But before you proceed, pay heed to these few hints:

  • Set up the perfect system that you feel comfortable with; you need a workable system 24/7, right? Then test around using one of the points below
  • Harness the power of virtualization! Install VMware or VirtualBox and use them to test out the distros
  • Alternatively, if you are not big on virtualization, you can set up a separate partition to test new distros. A partition that you couldn't care less about
  • Ultimately, you can have a main PC and a test one. Wreak havoc on the test one

[Image: anime illustration, licensed under Creative Commons BY-NC 3.0. Original artwork by Juzo Kun, modified by Wayne Richardson.]

6-Nurture Your CLI Adoption

Now I am not going to advocate learning the command line; there are numerous articles that emphasise its importance. What I am assuming here is that you already know its importance and have a rudimentary understanding of how to do some simple administrative tasks. You are already hacking away, tweaking and configuring, following the different guides and howtos scattered all over the tubes, but don't just copy and paste!! Meaning, instead of mindlessly executing commands some random guy halfway across the world told you to execute, try to understand what every command does. Why did the guide ask you to do this, as opposed to something else? Understand the rationale of the steps you are asked to do. These commands are highly relevant to you, and will help you gain a better understanding than any 101 guide.

After a while you will notice that you have amassed a good deal of CLI lore.

At the end of the day it's just a pseudo-language! Every command is probably just an acronym of something, or a cut-down version of a real word. You expect your dog to understand "Spike fetch ball", so why don't you expect to understand "sudo mv /file1 /file2"?

7-Always Be Ready to Unleash The Power Within

Personally, I have had numerous occasions when a friend asked me to do something on his/her computer, but I found myself crippled by his/her choice of OS. At other times I wanted to do something urgently but the only computer had another crippled OS. Spare yourself the agony: have Linux with you all the time, whether it's on a USB pendrive, a live CD, or even a live CD business card! There are dozens of good Linuces out there that are perfect for on-the-go computing. Knoppix, DSL, and Puppy Linux are just a few examples.

I personally don't apply this habit, which is a shame; I really need to get my act together! :P <publishes and heads to pendrivelinux.com>