Tag Archives: server

Securing a New Linux Installation

http://linuxgazette.net/105/odonovan.html

Linux Internet Server Security and Configuration Tutorial
http://www.yolinux.com/TUTORIALS/LinuxTutorialInternetSecurity.html

Install basic security tools

aptitude install portsentry fail2ban denyhosts logwatch rkhunter

Configure basic security tools

OSSEC

http://www.ossec.net/main/manual/manual-installation
http://dcid.me/texts/my-ossec-setup-manual.php

apt-get install gcc make libc-dev
wget http://www.ossec.net/files/ossec-hids-2.6.tar.gz
tar zxvf ossec-hids-2.6.tar.gz
cd ossec-hids-2.6
sudo ./install.sh
Select: local (if you only have one system to monitor), root@localhost, enable active response [n]
ln -s /var/ossec/bin/ossec-logtest /var/ossec/ossec-logtest

Find what is running and what type of logs are available.
lsof | grep log

Compare with what OSSEC added automatically
cat /var/ossec/etc/ossec.conf |grep "/"

Add manually the logs that are missing using the util.sh tool that comes with OSSEC:
(Get util.sh, run hg clone https://bitbucket.org/dcid/ossec-hids, find it in contrib directory)

/var/ossec/bin/util.sh addfile /var/log/httpd/site4.access.log

  • Tests the logs
  • cat /var/log/syslog | /var/ossec/bin/ossec-logtest -a

  • Add monitoring of important files or directories
  • /var/ossec/etc/ossec.conf
    /var/www
    or ignore often changed files

    /etc/motd
    

  • To start/stop OSSEC HIDS
  • /var/ossec/bin/ossec-control

    Fail2ban

    http://www.fail2ban.org/wiki/index.php/Whitelist

    /etc/fail2ban/jail.local

    action = %(action_mw)s
    

    /etc/fail2ban/fail2ban.conf

    ignoreip = 127.0.0.1 192.168.1.0/24
    

    http://linux.m2osw.com/zmeu-attack

    [apache-badbots]
    enabled = true
    port = http,https
    filter = apache-badbots
    logpath = /var/log/apache*/*access.log
    maxretry = 3
    findtime = 5
    bantime = 14400
    
    [webmin-auth]
    enabled = true
    port = 10000
    filter = webmin-auth
    logpath = /var/webmin/miniserv.log
    maxretry = 3
    findtime = 5
    bantime = 14400

    /etc/fail2ban/filter.d/apache-badbots.conf

    [Definition]
    badbotsmy = admin|phpmyadmin|phpMyAdmin|pma|PMA|forum|board|guestbook|scripts|db|web|sql|php|mysql|
    
    failregex = ^ -.*"(GET|POST).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$
    ^ -.*"(GET|POST).*(?:%(badbotsmy)s).*HTTP.*"$

    /etc/init.d/fail2ban restart

    RK Hunter

    /etc/default/rkhunter

    CRON_DAILY_RUN="true"
    CRON_DB_UPDATE="true"

    /etc/cron.daily/rkhunter change parameter

    --report-warnings-only
    
    to
    --no-mail-on-warning
    

    Logwatch

    /etc/logwatch/conf/logwatch.conf

    LogDir = /var/log
    TmpDir = /var/cache/logwatch
    Output = stdout
    Format = text
    Encode = none
    MailTo = root
    MailFrom = Logwatch
    Range = yesterday
    Detail = High
    Service = All
    Service = "-eximstats"
    mailer = "/usr/sbin/sendmail -t"

    mkdir /var/cache/logwatch

    Denyhosts

    /etc/denyhosts.conf

    ADMIN_EMAIL =
    

    Prey for notebooks

    http://preyproject.com

    aptitude install curl
    wget http://preyproject.com/releases/0.5.3/prey-0.5.3-linux.zip
    unzip prey-0.5.3-linux.zip
    mv prey /usr/share
    rm -f unzip prey-0.5.3-linux.zip
    touch /var/log/prey.log
    touch /tmp/prey-curl-headers.txt

    /usr/share/prey/config

    # you can get both of these from Prey's web service
    api_key='xyz'
    device_key='xyz'
    # mailbox to send the report
    mail_to='jan@faix.cz'
    # the password is now stored base64 encrypted
    # if you wish to generate it by hand, run
    # $ echo -n "password" | openssl enc -base64
    smtp_server='mail.faix.cz:25'
    smtp_username='jan@faix.cz'
    smtp_password='cHJkZWw='

    (sudo crontab -l | grep -v prey; echo "*/20 * * * * /usr/share/prey/prey.sh > /var/log/prey.log") | sudo crontab -

    Tripwire

    is obsolete, use OSSEC instead!!!