# most time-effective security tools/measures against zombies?

## idiotprogrammer

Hi, there, I'm reinstalling gentoo for my home web server. I expect it to get a good amount of traffic, though nothing on the level of a commercial server. (That could change over time, and I bought a fairly robust server for this possibility). I'll have a very small number of users with shell accounts.

Frankly, I fell behind on a lot of security things for my last server, namely, updating the emerge packages. I know, it is so easy in gentoo, but I am always falling behind on sys admin tasks. 

I do a fair amount of programming and writing, and the sys admin stuff takes away valuable time. (I've toyed with the idea of going with hosting, but every time I examine my options, I prefer the flexibility of a home server.)

I know a little bit about security and I have fairly good unix habits. My main goal is NOT protecting data or preventing DOS, but preventing a Chinese hacker from zombifying my web server. I do a lot of admin stuff using Webmin, and I'll be using postfix to do SMTP (for my web forms). Also, I'll have apache, mysql, the usual stuff. 

For this second server, I'm going to spend more time applying security patches/merges, and I have a feeling that will solve a lot of my problems.

QUESTION: HOW OFTEN SHOULD I BE RECOMPILING THE KERNEL FOR SECURITY REASONS?

QUESTION: IS THERE ANY WAY TO FILTER MY emerge world just to see what security updates need to be applied. I am growing weary of doing this and finding that gcc or php is coming up in my emerge world list. 

Here are some other things I'm considering. Can you give me an opinion about whether these things are worth the trouble to configure and maintain? Consider maintenance time along with strength. 

- iptables -- overkill for me?
- monit -- anybody tried?
- chrootkit
- quotas -- will this have any impact on zombification?
- snort -- is this going to bug the hell out of me?
- LIDS

Am I forgetting something? 

I browsed a little bit on the security section and will probably do some more later. I mainly want comments about tools from the standpoint of maintenance time and effectiveness. Thanks.

Robert Nagle 

idiotprogrammer

----------

## tukachinchila

The most likely way you'll get rooted is through easy-to-guess or non-existent passwords. Sometimes people set up "test" accounts with no password or "test" as the password. Make sure you don't have anything like that. Gentoo also comes with a lot of accounts that you probably don't need for a web server (e.g., audio, games, etc.). An easy fix is to delete any accounts you don't plan on using.

> QUESTION: HOW OFTEN SHOULD I BE RECOMPILING THE KERNEL FOR SECURITY REASONS?

I don't think it's too hard to recompile a kernel if you save the config file, so I always upgrade to the latest stable kernel. I think it's easier than monitoring kernel patches for remote exploit fixes.

> QUESTION: IS THERE ANY WAY TO FILTER MY emerge world just to see what security updates need to be applied.

```sh
# gentoolkit provides the glsa-check tool
emerge gentoolkit

# list Gentoo Linux Security Advisories (GLSAs) and whether they affect this system
glsa-check -l
```

> iptables---overkill for me?

You should be behind a hardware firewall; if not, then you should use iptables.

> chrootkit

chkrootkit is helpful, and so is rkhunter (which will also help you determine which services have security updates available).

> quotas --will this have any impact on zombification?

I doubt it. It's mainly going to prevent DoS.

> snort--is this going to bug the hell out of me?

There are a lot of worms that attack IIS (and have no effect on Apache other than lots of log entries), and snort will alert you to many of these. I find that Snort is most useful for reporting frequent attackers to their ISPs. If you're behind a firewall and keep your services up-to-date, I don't think you really need Snort or any IDS for your setup.

You shouldn't run any services you don't need (especially sshd). If you do need SSH, consider looking into port knocking and public key encryption. If you know the IP address of the machine you want to connect to your server from, then set your firewall to only allow that machine access to port 22 on your server.

If you're only running MySQL for your website, then you should disallow remote access to MySQL.

You could really tighten things up by chrooting any services you run, and using one of the gentoo kernels that includes the grsecurity patch (e.g., gentoo-hardened sources). But setting up Apache with PHP in a chroot jail is a lot of work.

If you haven't had a chance yet, you might take a look at the gentoo security guide which has a lot of great advice: http://www.gentoo.org/doc/en/security/index.xml
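The account checks this reply opens with (passwordless accounts, and unneeded accounts that can still log in) can be scripted. The following is an added example, not from this thread or from Gentoo; it runs on constructed passwd/shadow-style samples and the same functions can be fed the real files on a live system.

```sh
#!/bin/sh
# Added example: audit passwd/shadow-format data for two problems raised in
# the reply above: accounts with no password, and accounts that can log in
# but probably should not exist on a web server.
# The sample data below is constructed, not taken from any real system.
# On a live box (as root): audit_passwordless < /etc/shadow
#                          audit_login_shells < /etc/passwd

# Constructed /etc/shadow-style sample. An empty second field means the
# account needs no password at all; "*" and "!" mean locked.
SAMPLE_SHADOW='root:$6$x$hashed:19000:0:99999:7:::
test::19000:0:99999:7:::
games:*:19000:0:99999:7:::
www:!:19000:0:99999:7:::
robert:$6$y$hashed:19000:0:99999:7:::'

# Constructed /etc/passwd-style sample (name:x:uid:gid:gecos:home:shell).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
test:x:1001:1001::/home/test:/bin/bash
games:x:35:100::/usr/games:/bin/bash
www:x:33:33::/var/www:/sbin/nologin
robert:x:1000:1000::/home/robert:/bin/bash'

# Print accounts whose password field is empty. Locked accounts ("*", "!")
# are not empty and are therefore not reported.
audit_passwordless() {
    awk -F: '$2 == "" { print $1 }'
}

# Print accounts whose shell is interactive (anything other than nologin or
# false). System accounts such as games appearing here are candidates for
# deletion or locking, as the reply suggests.
audit_login_shells() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 ":" $7 }'
}

# Demo on the constructed samples when run stand-alone.
echo "Accounts with an empty password field:"
printf '%s\n' "$SAMPLE_SHADOW" | audit_passwordless
echo "Accounts with an interactive login shell:"
printf '%s\n' "$SAMPLE_PASSWD" | audit_login_shells
```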

----------

## idiotprogrammer

Great info. Call me blind, but I'd never heard of `glsa-check -l`.

That sounds like a great tool and just what I needed. 

The document describing it though makes it sound as though it's not terribly reliable. I'll definitely check it out though.

Thanks.

----------

