Friday, July 28, 2006

Turn your Linux web server into Fort Knox

An in-depth article on how to secure your Linux web server. Who says that security is ever "easy"? It's a must-have for anybody running a web server - even if it's at home.

I'm really surprised he didn't mention Denyhosts. Excellent program that prevents brute force SSH logins.
http://denyhosts.sourceforge.net/

Denyhosts has definitely helped out our production servers by keeping the load averages down by blocking abusive SSH denial of service attacks. With some of the hardening mentioned in the article applied alongside Hardened Gentoo Linux, a server could withstand a lot of abusive exploit attacks. By using a system which compiles binaries as position independent, every binary's memory execution insertion address is randomized. While this can be something more suited to administrators with a moderate to advanced understanding of compilers and programming architecture, when used alongside the grsecurity framework, execution of a binary uses a different hexadecimal memory address, which enforces a policy akin to winning the lottery for any malicious cracker. Our production 64-bit and 32-bit servers have all been using Hardened Gentoo for years and to date we have never experienced a system compromise. http://hardened.gentoo.org


Anti-virus/Anti-malware/anti-rootkit items like chkrootkit or rootkit hunter are, unfortunately, pretty useless when it comes to security.

There are two reasons:
A. Because the rootkit writers have access to those tools also. So all they have to do to defeat them is set up a Linux server and run those programs. If they are detected, then they simply have to modify how their program works so that they aren't detected anymore. It's almost trivially easy to defeat them with old-fashioned 'conventional' rootkits.

B. Also kernel module rootkits are popular nowadays anyways. These are kernel modules that modify how a kernel behaves in order to mask the rootkit itself. These are nearly impossible to detect.

BTW, since Windows 2000 started having acceptable security, kernel driver level rootkits for Windows have become popular.

The only really effective way to detect a rootkit is to set up a program like Tripwire.

Tripwire is a program that you use to make checksums of all the files on your computer, then later you can run it to check the checksums. You have to store the checksums output on a secure computer or secure read-only medium (like a CD-ROM disc). Also, Tripwire is only useful if you run it from a different operating system than the one you're currently running (like, say, booted up from a Knoppix CD-ROM). This is because it can be defeated by false reports created by a kernel module level rootkit.


OpenBSD folks are probably going to be the foremost on things like this that don't require special proprietary stuff or charge you money for information and such things, and are stuff you can implement yourself.
http://www.bytelabs.org/papers.html
Check out the paper "Integration of Security Measures and Techniques in an Operating System (considering OpenBSD as an example)".

For Linux and GCC, Redhat put a lot of work into rewriting ProPolice SSP (developed originally out of IBM's Japan branch) and getting it into the GCC release. I believe it's in GCC 4.1.

Also introduced during the lifetime of the 2.6.x kernel release have been things like heap protection and support for the 'no execute' bit and such.

An example of this being used to protect a vulnerable program is outlined in this Debian-Administration.org article.
http://www.debian-administration.org/articles/408

And of course Wikipedia has a good article on it.
http://en.wikipedia.org/wiki/StackGuard

Other things for Linux (like he mentioned):
grsecurity http://www.grsecurity.net/
AppArmor (from Novell) http://www.novell.com/apparmor
SELinux (from the NSA (United States Government) and made workable by Redhat for their Enterprise Linux and Fedora Core stuff).
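The Tripwire-style approach described in the comment above (checksum every file, keep the checksums on read-only media, compare later), as an added example that is not Tripwire's own code or part of the original thread. It assumes a JSON manifest of SHA-256 digests as the baseline format; `root` is meant to be the mount point of the suspect disk when run from a separate rescue boot, as the comment recommends.

```python
"""Minimal Tripwire-style file integrity checker (added example, not Tripwire's code).

Assumed baseline format (not from the original thread): a JSON object mapping
relative path -> SHA-256 hex digest. Write it with save_baseline() and copy it
to read-only media; verify() is only trustworthy when run from a clean boot
against the mounted suspect tree, since an in-kernel rootkit can lie to it.
"""
import hashlib
import json
import os
from pathlib import Path


def _sha256(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries do not need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Walk root and record a digest for every regular file; symlinks are skipped."""
    root_path = Path(root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root_path):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            manifest[str(p.relative_to(root_path))] = _sha256(p)
    return manifest


def verify(root: str, baseline: dict) -> dict:
    """Re-hash the tree under root and report modified, added and removed paths."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def save_baseline(manifest: dict, path: str) -> None:
    Path(path).write_text(json.dumps(manifest, sort_keys=True, indent=1))


def load_baseline(path: str) -> dict:
    return json.loads(Path(path).read_text())
```

An empty report from `verify()` only means the tree matches the baseline; a baseline taken from an already-compromised system is worthless, so build it right after installation.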