General Advice
Many people think: "My machine cannot be hacked. There are so many computers on the internet, why would this happen to me? Also, I've taken some security measures. It will not happen to me."

Well, try not to think that way, because it is wrong. If we run an experiment and set up a server exposed to the internet, monitoring only the auth.log file (which records logins), we will see break-in attempts against that server every single day. And that is only SSH; there are many other ways in.

It is sad to say that many servers exposed to the internet have too little security; in fact, most of them have only the default security offered by the installed operating system.

FreeBSD (and also OpenBSD) offer good security by default. This is good, but it is not enough when we are dealing with servers. Even if we install a simple router, we have to configure the firewall in DEFAULT TO DENY mode, for example. What's that? We'll discuss this issue later.

OK, let's discuss some more practical ideas. The following rules should be implemented as part of your server security.

1. Keep up with security advisories, so you know when to patch your kernel or an application that has become vulnerable.

2. Do not forget that most successful attacks now come via the web, using HTTP port 80. So always make sure your web server is updated/patched to the latest version. If you use scripts such as phpBB or AWStats, read their security advisories and always update them to the latest version (security issues were discovered in these scripts, and machines were compromised). Security problems were also found in PostNuke CMS modules, but these are only examples; you should verify every script you run on your server. Search for security advisories; there is a lot of valuable information on the net.

3. Use virtualization to restrict machine processes. Users with privileges will be confined to a particular virtual machine.

4. Disable SSH access for users who do not need it, and disable FTP, which is an old, unencrypted service; if FTP is needed, use ftpchroot.

5. Use private keys for SSH login.

6. Check for open ports (with nmap, for example) to see whether any strange or unneeded ports are open.

Sometimes your server is compromised but the attacker's actions do not affect its functionality, so you may never notice that the machine was compromised.

So it is good to check your server's security from time to time, to see whether there are any strange activities or processes on your system.

Check whether your server resources are affected. You can check CPU usage with the top command. Look for applications/scripts that consume your CPU.

Check for strange processes with the ps -awux command.

Check your /tmp directory and also your /var/tmp directory for scripts/binaries copied there.

When a server is compromised, the attacker sometimes uses it to host an IRC bot (like psyBNC or eggdrop) that connects to port 6667. You can check whether any of your applications connect to that port with sockstat:

# sockstat | grep 6667

If there is not much traffic on your server, you can use the netstat command to see whether suspicious connections are being made.

# netstat -a

Install a rootkit finder application (for example /usr/ports/security/rkhunter) and run it at regular intervals.

Check your open ports with nmap. See whether you have any open ports other than the ones used by your running services.
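As an added example (not part of the original article), the following sh script sharpens the sockstat checks described above. Its two functions filter sockstat(1)-style output from standard input, so on a live FreeBSD host they could be fed `sockstat -4` and `sockstat -4 -l` directly; here a constructed sample of sockstat output is piped in instead so the script runs anywhere, and every user, process name, PID and address in that sample is made up. It also shows why matching on the foreign-address field beats a plain grep for 6667 (the sample's httpd has PID 16667), and adds an allowlist check for listening ports, which is the same question the nmap check asks from the inside.

```shell
#!/bin/sh
# Added example, not from the original article: two filters over sockstat(1)
# output. On a live FreeBSD host you would run
#   sockstat -4 | irc_connections
#   sockstat -4 -l | unexpected_listeners "22 80 25"
# sockstat prints one socket per line:
#   USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
# so in awk $6 is the local and $7 the foreign end of the socket.

# Constructed sample output (all names, PIDs and addresses are invented).
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      httpd      16667 3  tcp4   *:80                  *:*
root     sshd       612   3  tcp4   *:22                  *:*
nobody   ./.x       8812  4  tcp4   192.0.2.10:51234      198.51.100.7:6667
root     sendmail   701   4  tcp4   127.0.0.1:25          *:*
www      httpd      16667 9  tcp4   192.0.2.10:80         203.0.113.5:44120'

# Print the lines whose FOREIGN end is port 6667. A plain `grep 6667` would
# also match httpd above because of its PID 16667; anchoring on the port in
# the foreign-address field does not.
irc_connections() {
    awk 'NR > 1 && $7 ~ /:6667$/'
}

# Print listening sockets (foreign end "*:*") whose local port is not in the
# space-separated allowlist given as $1. Anything printed is a service you
# did not expect to have open and should either explain or shut down.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR > 1 && $7 == "*:*" {
            n = split($6, l, ":"); port = l[n]
            if (!(port in ok)) printf "%s (pid %s) listening on %s\n", $2, $3, $6
        }'
}

echo "== connections to port 6667 =="
printf '%s\n' "$SAMPLE_SOCKSTAT" | irc_connections
echo "== listeners outside the allowlist 22 80 =="
printf '%s\n' "$SAMPLE_SOCKSTAT" | unexpected_listeners "22 80"
```

Run against the sample, the first filter reports only the `./.x` process talking to 198.51.100.7:6667, and the second reports sendmail on 127.0.0.1:25 until 25 is added to the allowlist.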

Practical measures to improve your security

For beginners, a good start is to read the security(7) man page.

1. Secure your SSH
---------------------
Every day in a server's life, attempts to break in via SSH are made by guessing SSH usernames and passwords. By default, FreeBSD does not permit the root user to log in via SSH, which is good.

Measures to take:
a) Permit SSH access only for the users you need, and disable SSH access for all other users. This is done by adding the following line to /etc/ssh/sshd_config (the list is separated by spaces, not commas): AllowUsers john bob

You can also permit SSH login to the wheel group by adding to /etc/ssh/sshd_config the line:
AllowGroups wheel
If other users need to log in, add them all to a group and permit SSH login for that group too.

b) If you log in to your server via SSH only from known IPs, you can allow logins only from those IPs.

c) Change your SSH port. This measure blocks almost 80% of worms and automated programs/scripts.

d) Update SSH regularly. This helps protect against bugs/exploits found in SSH.

Always run SSH protocol 2 (which is enabled by default in the SSH daemon).
Another idea is to edit the /root/.cshrc file and add a line that emails you whenever somebody logs in as root, including the date and time.

If you offer SSH access to your users, require them to use strong passwords.
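The following sh script is an added example, not from the original article or from OpenSSH: it audits an sshd_config file for the measures listed in this section (root login, AllowUsers/AllowGroups, key-only login, a non-default port, protocol 2) and prints whatever is still weak. The two configurations it checks are constructed inline; the usernames john and bob come from the text, while port 2222 is an arbitrary example of a non-default port. The function names cfg_value and audit_sshd_config are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: a small audit of sshd_config
# against the measures above. Two configurations are constructed inline with
# mktemp; on a real host you would run
#   audit_sshd_config /etc/ssh/sshd_config
# Keywords are matched case-insensitively and commented-out lines are
# ignored, as sshd(8) does. AllowUsers and AllowGroups take a space-separated
# list, so "AllowUsers john, bob" would restrict logins to the accounts
# "john," and "bob", not to john and bob.

WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# constructed: close to stock defaults, nothing locked down
#PermitRootLogin no
Port 22
Protocol 2,1
PasswordAuthentication yes
EOF

HARDENED_CFG=$(mktemp)
cat > "$HARDENED_CFG" <<'EOF'
# constructed: the settings the measures above call for
Port 2222
Protocol 2
PermitRootLogin no
AllowUsers john bob
AllowGroups wheel
PasswordAuthentication no
PubkeyAuthentication yes
EOF
trap 'rm -f "$WEAK_CFG" "$HARDENED_CFG"' EXIT

# cfg_value FILE KEYWORD: print the first value of the first uncommented
# occurrence of KEYWORD (sshd uses the first occurrence), or nothing if unset.
cfg_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# audit_sshd_config FILE: print one line per weakness; return the number of
# findings, so 0 means every check passed.
audit_sshd_config() {
    f="$1"; n=0
    if [ "$(cfg_value "$f" PermitRootLogin)" != "no" ]; then
        echo "PermitRootLogin is not set to 'no'"; n=$((n + 1))
    fi
    if [ -z "$(cfg_value "$f" AllowUsers)" ] && [ -z "$(cfg_value "$f" AllowGroups)" ]; then
        echo "no AllowUsers/AllowGroups: every account may attempt SSH login"; n=$((n + 1))
    fi
    if [ "$(cfg_value "$f" PasswordAuthentication)" != "no" ]; then
        echo "PasswordAuthentication not disabled: key-only login is not enforced"; n=$((n + 1))
    fi
    case "$(cfg_value "$f" Port)" in
        ""|22) echo "sshd listens on the default port 22"; n=$((n + 1)) ;;
    esac
    case "$(cfg_value "$f" Protocol)" in
        *1*) echo "SSH protocol 1 is enabled"; n=$((n + 1)) ;;
    esac
    return "$n"
}

echo "== weak config =="
audit_sshd_config "$WEAK_CFG" || echo "findings: $?"
echo "== hardened config =="
audit_sshd_config "$HARDENED_CFG" && echo "findings: 0"
```

The weak configuration produces five findings and the hardened one none. The return value doubles as a count, which makes the function easy to drop into a cron job that mails you when the count is non-zero.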

2. Secure your console
-------------------------

a) Secure your console so that nobody can boot into single-user mode and change the root password in order to break in.

b) Disable rebooting the machine with Ctrl+Alt+Del:
edit your kernel configuration file, add the following option, and compile/reinstall the kernel:

3. Turn off non-essential services
-----------------------------------
You should always turn off the services you do not need or use.

4. Scan for open ports
--------------------------
To see whether there are any open ports, scan your server with a tool like nmap (/usr/ports/security/nmap). You should have ports open only for the services you need.

5. Protect against DoS/DDoS
-----------------------------
Some measures can be taken to add some level of protection against DoS attacks. Total protection is almost impossible to achieve, because when your server is flooded it is already too late to do anything; you should contact your ISP. Also, if the attack comes from multiple sources, it is very hard to do anything about it.

6. Make a checksum of your files
------------------------------------
If your machine is compromised, it will be useful to check the checksums of your files to see whether they were modified. You can install an application like Tripwire to build an MD5 sum of every one of your files.
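As an added example, not from the original article or from Tripwire, here is a minimal sh implementation of the same idea: build a baseline of file hashes from a known-clean system, then verify the tree against it later and report what changed. SHA-256 is used here rather than MD5, since MD5 collisions are practical today. The files it hashes are constructed in a temporary directory, and the names hash_file, build_baseline, verify_baseline and demo are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: a minimal Tripwire-style file
# integrity check. build_baseline records one "hash path" line per file under
# a directory; verify_baseline re-hashes the tree and reports files that are
# MODIFIED, MISSING or NEW compared with the baseline, returning 1 if anything
# differs. On a real host you would baseline /bin, /sbin, /usr/bin, /usr/sbin
# and /etc right after a clean install and keep the baseline file read-only
# off the machine, since an attacker with root can otherwise just rebuild it.
# Paths are assumed to contain no whitespace.

# Print the SHA-256 of one file. sha256(1) is the FreeBSD tool, sha256sum the
# GNU one; whichever exists is used.
hash_file() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | awk '{ print $1 }'
    fi
}

# build_baseline DIR OUTFILE: write sorted "hash path" lines for every
# regular file below DIR.
build_baseline() {
    find "$1" -type f | sort | while IFS= read -r f; do
        printf '%s %s\n' "$(hash_file "$f")" "$f"
    done > "$2"
}

# verify_baseline DIR BASELINE: print one line per discrepancy; return 0 if
# the tree still matches the baseline, 1 otherwise.
verify_baseline() {
    current=$(mktemp)
    build_baseline "$1" "$current"
    findings=$(awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }          # first file: baseline
        {
            if (!($2 in base))        print "NEW      " $2   # not in baseline
            else if (base[$2] != $1)  print "MODIFIED " $2   # hash changed
            seen[$2] = 1
        }
        END { for (p in base) if (!(p in seen)) print "MISSING  " p }
    ' "$2" "$current")
    rm -f "$current"
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Demo on a constructed directory: baseline two files, then modify one,
# delete one and add one.
demo() {
    dir=$(mktemp -d); base=$(mktemp)
    printf 'alpha\n' > "$dir/a"
    printf 'beta\n'  > "$dir/b"
    build_baseline "$dir" "$base"
    echo "== clean tree =="
    verify_baseline "$dir" "$base" && echo "baseline matches"
    printf 'tampered\n' > "$dir/a"
    rm -f "$dir/b"
    printf 'dropped\n' > "$dir/c"
    echo "== after tampering =="
    verify_baseline "$dir" "$base" || echo "baseline mismatch"
    rm -rf "$dir" "$base"
}

demo
```

The demo prints "baseline matches" first, then one MODIFIED, one MISSING and one NEW line. Running verify_baseline from cron against a baseline stored on removable or read-only media gives you the periodic check this section asks for.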