# when does paranoia turn into obsession?

## ixion

well after my entire network was wiped out from a flood, I've started rebuilding everything one piece at a time... right now I'm working on my web server...

With my previous Web box I had apache 1.3 (with mod_php and mod_ssl) running within a chroot on a separate partition. I was wondering, is chrooting services worth the agony and trouble? I remember it took me about a month to get everything working... and all I was using it for was remote retrieval of mail with Squirrelmail... I'm planning now to possibly share files, but even still, does chrooting services actually provide that much more security? I will have my web server on a separate network from my main LAN (although it still can access boxes on that LAN), and am running a Linux firewall (will have one port forwarded to the web box) operating in stealth mode. Is this enough?

Obviously I'm one paranoid individual, but when does paranoia turn into an obsession? (my wife would already tell you that I'm obsessed  :Wink:  )

----------

## cchapman

It should be enough, but if someone were to compromise your web server in non-chrooted mode they could get to system files. In chrooted mode all they could do is destroy your web pages and not the underlying OS....

----------

## Xor

there has been a discussion between openbsd folks and grsecurity folks, chroot gives you a security hmm... forgive my lousy English... add-on - and as said security is like an onion, it has layers... while you get a quite good fs namespace security, you have to think about memory and other stuff only the wizards at deadly.org really understand  :Smile: 

I really LOVE the aspect, that you can't call a bash, perl, /etc/passwd or other things by a little broken CGI.

----------

## cchapman

I will have to ask the head wizard 

james r phillips

He works in our security area where I work.

----------

## ixion

that would be excellent! Please PM or reply here with your discovery... if chrooting is really worth the hassle, then I won't let my server go public until Apache is fully chroot'ed...

thank you for your comments!

----------

## elzbal

Chrooted environments are useful security tools, but you need to remember... if this is a simple home network, then it is likely that your site is a hobby. You know... something fun you do after working hours. If setting up chroot makes things particularly un-fun, then don't do it.

Step back, take a deep breath, and remember why you do all this. If you still want to chroot everything, then go for it. If you still think you can't sleep at night without chroot, then set it up (it probably won't take a month the second time around). Otherwise, have fun with something a bit less.

For the record, I have chrooted environments on my BSD and Solaris server systems (and of course, that's just one of many security layers). I do this because I love the challenge, and I am interested in learning things that could become useful in my professional life. However, certain home network projects I have tried have burned me out a bit. I had to learn where my limits were, and to respect them.

Cheers!

Edit: As for the usefulness to your site... You're doing a lot of things right. You have a transparent firewall with only one port open to the web server box. However, it would only take a single Apache (or Apache module) vulnerability like the Chunked Encoding issue that affected Apache 1.3.24 and lower, and someone can have shell access to your box as the 'nobody' user (or whatever user Apache uses to run), right through the firewall. From there, it's just a privilege escalation vulnerability (and those come out frequently enough), and someone can root your box. (Note, by the way, that Apache vulnerabilities are extremely rare - that was the first one in years.  However, if you run php or the like, security issues come out much more frequently...)

----------

## madchaz

a simple equation of security.

for your box to be "vulnerable" it has to follow this rule

difficulty of hacking the box / how worth it it is to hack the box = how secure you are

if you are over 1 in this, then you're safe. basically, you have to make it harder to hack the thing than the worth of the information inside. 

the trick is that there is no such thing as a perfect security safe for a computer sitting alone in a locked room without any connection, screen or keyboard. but that's also rather useless. 

If you run an enterprise server on that machine and have a load of personal information and confidential data on the box, then by all means chroot it, and run most of it on read-only media. if it's just your personal web site with only your own code on there, may not be worth it.

my 2 cents

----------

## Xor

*Quote:*

> difficulty of hacking the box / how worth it it is to hack the box = how secure you are
>
> if you are over 1 in this, then you're safe. basically, you have to make it harder to hack the thing than the worth of the information inside.
> ...

The equation might be usable, but the way you use it is wrong as it doesn't matter what information is on the system (it's just a little part in today's hacked boxes), but if the box is not firewalled and has a 2Mb connection, it's probably more attractive to someone than a guarded/firewalled box. To explain this, there are folks out there that do hacking for hobby, to get just a "count" to hack a box, to host a silly little site (parasite) or have need for an irc, ftp (warez/mp3) server... all you can think of. And my favorite, using it as a spam-relay.

my 2c

xor

----------

## madchaz

*Xor wrote:*

> *Quote:*
>
> difficulty of hacking the box / how worth it it is to hack the box = how secure you are
>
> if you are over 1 in this, then you're safe. basically, you have to make it harder to hack the thing than the worth of the information inside.
> ...

true enough  :Smile: 

but it was basically an example. Course, if you have a very good connection, someone using it comes into the "how worth it" part. 

most times, it's kiddies that will do it as a hobby and parasite, so it comes to wondering if it's worth their time and is in their possibility. 

then again, I'm a bit paranoid and run things rather secure, so I tend to get it as high as I can. Good practice

----------

## pmjdebruijn

GRSecurity has process-based ACL's you might try those?

I'm really no expert on these matters...

But it might be worth looking at!

----------

## cchapman

Here is the answer I got from the head goon of deadly.org

*Quote:*

> Apache is pretty damn secure unchrooted. chrooted it will meet even the most demanding security needs. From a chrooted environment, an attacker who gains a shell will inherit the privileges of id www and will not have access to any system binaries. Their root path will be /var/www and they would have to code, compile and run a local 'sploit within the chroot jail in order to get root (really tough to do without access to any binaries). Once root, they could break out of the jail.
>
> I think you're just being paranoid. If I were attacking an openbsd box, I would look for an easier target such as any isc produced software which is usually crap (bind, dhcpd) or I'd attack ssh. You're far more likely to get r00t3d from a misconfiguration you made after installation than from a hole in apache.
>
> james r phillips
> ...

----------

## ixion

excellent info and opinions, thanks!!  :Very Happy: 

this then brings me to the question: How do I secure Apache with mod_php and mod_ssl? I mean hardcore secure that beast..

----------

## cchapman

you might want to check apache.org, openbsd.org, and deadly.org

----------

## paradox508

i think that apache security summary is pretty accurate assuming you're not running any mods that are vulnerable.

i personally have been hacked thru a hole in a bad mod_php configuration.

although i dont know the exact method that was used, it does appear that the attacker used a malformed url to run a php script and modify system files.

after spending a few days trying to clean things up, i found it was just easier to reinstall gentoo from scratch just to be safe. 

now im not so willing to run apache/mod_php without chrooting.

for the record i was firewalled with port 80 open and every other incoming closed.

simple home machine with a dyns.net dns.

personally i think that n00b hackers looking for a good time just scour dynamic dns domains looking for easy targets.

it can happen to you!

food for thought

'Dox

----------

## ixion

very true... well before this baby gets exposed, I'm going to lock her down.. Apache suggestions, GRSecurity, chroot, and possibly an iptables (EXTRA) firewall is in order before I feel confident about it going public..

but first off, I won't be running dyndns (although it would be convenient), and I will have the server on a totally obscure port number (ie, not 80  :Wink: ).. and then there's my firewall which is pretty harshly locked down.. all packets (currently) are denied (no 'blocked' message returned, ie stealth)... an onslaught from nessus turned up nothing, so that helps with some peace of mind...

I hate to use mod_php, but is there any other way to run squirrelmail? Or is there an alternative to Squirrelmail that does not use php?

----------

## xcham

Why not install php as a CGI application, i.e. an interpreter executable?

Might not work well for your purposes but it may be worth looking into.

----------

## ixion

that's interesting, but doesn't CGI present worlds more of security problems?? This is intriguing, though.. has it ever worked with Squirrelmail?

----------

## paradox508

i dont see why it wouldn't work with squirrelmail. the main difference between using mod_php and a cgi php interpreter is that with the cgi interpreter there is an extra step involved. the page is requested, the cgi php interpreter parses the code and passes the html to apache. instead of apache using a module to parse the code itself. the use of cgi interpreters for php is being phased out almost completely now. it is a serious security risk when compared to mod_php.

anyway, network security is an artform and it is pretty much impossible to completely lock down a machine 100%. if someone wants to get in bad enough and they are skilled enough, they will eventually succeed. 

if you are running apache chrooted, then you really don't have to worry about people doing too much to your machine. the worst they could do is screw up apache. the only time i have heard of people breaking out of a chroot jail is if they have access to system binaries. if you chroot properly you shouldn't have any system binaries in the new root.

im no expert on this but i presume most attempted hacks on home servers are from relatively new hackers who are looking for some fun. i doubt anyone who has any substantial skill would be wasting their time on a home webserver.

i think a good firewall and a chrooted apache should be all you would need. esp if you are using an obscure portnumber.

'Dox
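
Both James Phillips' answer and 'Dox's post above rest on the same condition: a jail that holds no system binaries, no setuid files and nothing that points back out of the jail. The script below is an added example (not code from the thread) that audits a jail such as /var/chroot/www for exactly those things; the jail layout and the allow-list of legitimate executables are assumptions to adjust for your own build.

```sh
#!/bin/sh
# Added example: audit a chroot jail for things an attacker who gets a shell
# inside it (as id www / nobody) could reuse. Assumed layout: the Apache
# binary under usr/sbin and its modules under usr/lib/apache inside the jail.

# Executables the jail legitimately needs (assumption; adjust to your build).
# Every other executable file is reported: shells, perl, compilers, etc.
ALLOWED_EXEC_RE='/usr/sbin/apache$|/usr/lib/apache/.*\.so$'

# audit_chroot JAIL: print one "TAG path" line per finding.
audit_chroot() {
    jail=$(cd "$1" 2>/dev/null && pwd -P) || { echo "no such jail: $1" >&2; return 1; }

    # 1. Executable regular files that are not on the allow-list
    find "$jail" -type f -perm -100 -print 2>/dev/null \
        | grep -Ev "$ALLOWED_EXEC_RE" \
        | sed 's/^/EXEC /'

    # 2. setuid/setgid files: the classic step from id www to root
    find "$jail" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null \
        | sed 's/^/SUID /'

    # 3. Device nodes beyond the harmless basics (assumed allow-list)
    find "$jail" \( -type b -o -type c \) -print 2>/dev/null \
        | grep -Ev '/dev/(null|zero|random|urandom)$' \
        | sed 's/^/DEV /'

    # 4. Symlinks whose target resolves outside the jail
    find "$jail" -type l -print 2>/dev/null | while IFS= read -r link; do
        target=$(readlink -f "$link" 2>/dev/null) || target=""
        case "$target" in
            "$jail"/*) ;;                          # stays inside: fine
            *) echo "LINK $link -> $target" ;;
        esac
    done
    return 0
}

# chroot_findings JAIL: number of findings, handy for a cron job that mails
# you when the count is not zero.
chroot_findings() {
    audit_chroot "$1" | wc -l | tr -d ' '
}

# Usage: ./audit_chroot.sh /var/chroot/www
if [ $# -ge 1 ]; then
    audit_chroot "$1"
fi
```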

----------

## ixion

that is very reassuring to hear.. thank you for your advice!

I'm thinking of DMZ'ing my webserver and game server and then setting them up with IPTABLES.. so in case they are cracked, there will be my main firewall to crack before reaching my LAN...

Thanks!  :Smile: 

----------

## ixion

double post   :Embarassed: 

----------

## ixion

triple post.. sorry   :Embarassed: 

----------

## paradox508

Firewall +DMZ + chroot and you should have a sensibly secure setup. No system is ever 100%.

it has been said that the only secure machine is one that is unplugged, sealed in a safe, and buried 20ft down in an unknown location. and maybe even then... hehe

'dox

----------

## ixion

THIS is awesome

----------

## ixion

ok, I've made my server public, but did fail to lock something down... PHP... I did get the latest version, but did not patch it before compiling into Apache.. could this alone (not patching it) present a security threat? What configuration should I worry about in PHP to lock it down harder? I have followed Apache.org's suggestions, which are great...  :Very Happy: 

After locking down PHP, I think I will finally have the peace of mind I'm looking for.. but before that, I'm still going to be pulling my hair out!  :Shocked:   :Rolling Eyes: 

off the top of my head, these are the security measures I've taken on my web server:

1. Mounting separate partitions for: /, /tmp (noexec), /var, /usr, /home,  /var/chroot/www, /var/chroot/games, /var/chroot/courier.

2. Running Apache in chroot with only essential environment (with mod_php, and mod_ssl). Also configured it according to Apache.org's security advice. Extra logging enabled. Running on obscure port.

3. Running IPTABLES with strict incoming rules, but wide open outgoing policy. (This will soon be changed. I intend to lock down outgoing ports as well).

4. Sitting behind an IPFWADM firewall with a different obscure port forwarded to the Apache server.

5. Working on quotas... haven't quite got that working yet..

6. Have SSH running, but with pubkey authentication and listening on an obscure port (not accessible via internet, only by LAN). Root is not allowed to log in via SSH. Only Protocol 2 is accepted.

7. Courier-imap running, but I plan on chrooting this puppy once I get the time to sit down and figure it out.

8. Syslog-ng with extra logging

9. GRSecurity to tighten chroot security and increase logging.

10. Working on Usermode Linux to run my gameserver(s) from.

11. Intrusion detection is planned, but I don't see this happening anytime soon.
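
Items 8 and 11 of the list (extra syslog-ng logging, intrusion detection still planned) only pay off if somebody reads the logs. The following is an added example, not code from the thread: it folds the iptables LOG lines that land in syslog into a per-prefix, per-source summary, using the log prefixes ixion's firewall script later in the thread emits (NMAP-XMAS:, NULL_SCAN:, SYN/FIN:, Bad packet from eth0:). The log lines in write_sample_log are constructed, not real traffic.

```sh
#!/bin/sh
# Added example: summarise iptables LOG entries from syslog by --log-prefix
# and source address. The kernel prints the prefix verbatim, immediately
# followed by "IN=...", so the prefix is everything between "kernel: " and "IN=".

# scan_summary LOGFILE [MIN]: print "prefix<TAB>src<TAB>hits<TAB>distinct_dports"
# for each (prefix, source) pair with at least MIN hits (default 1), busiest
# first. Many distinct destination ports from one source is the scan signature.
scan_summary() {
    min=${2:-1}
    tab=$(printf '\t')
    awk -v min="$min" '
        {
            k = index($0, "kernel: "); if (k == 0) next
            rest = substr($0, k + 8)
            i = index(rest, "IN="); if (i == 0) next
            prefix = substr(rest, 1, i - 1); sub(/ +$/, "", prefix)
            if (prefix == "") prefix = "(no prefix)"
            src = ""; dpt = "-"
            n = split(rest, f, " ")
            for (j = 1; j <= n; j++) {
                if (f[j] ~ /^SRC=/) src = substr(f[j], 5)
                else if (f[j] ~ /^DPT=/) dpt = substr(f[j], 5)
            }
            if (src == "") next
            key = prefix "\t" src
            hits[key]++
            if (!((key, dpt) in seen)) { seen[key, dpt] = 1; ports[key]++ }
        }
        END {
            for (key in hits)
                if (hits[key] >= min)
                    printf "%s\t%d\t%d\n", key, hits[key], ports[key]
        }' "$1" | sort -t "$tab" -k3,3nr
}

# write_sample_log FILE: constructed syslog excerpt (not real traffic). The
# addresses are documentation ranges; the sshd line shows non-kernel noise.
write_sample_log() {
    cat > "$1" <<'EOF'
Sep 21 06:20:01 web kernel: NMAP-XMAS:IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.5 LEN=40 PROTO=TCP SPT=41234 DPT=22 URG PSH FIN URGP=0
Sep 21 06:20:01 web kernel: NMAP-XMAS:IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.5 LEN=40 PROTO=TCP SPT=41235 DPT=80 URG PSH FIN URGP=0
Sep 21 06:20:02 web kernel: NMAP-XMAS:IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.5 LEN=40 PROTO=TCP SPT=41236 DPT=443 URG PSH FIN URGP=0
Sep 21 06:20:02 web kernel: NULL_SCAN:IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.5 LEN=40 PROTO=TCP SPT=41237 DPT=25 URGP=0
Sep 21 06:25:10 web kernel: SYN/FIN:IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 LEN=40 PROTO=TCP SPT=5555 DPT=80 SYN FIN URGP=0
Sep 21 06:25:11 web kernel: SYN/FIN:IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 LEN=40 PROTO=TCP SPT=5556 DPT=80 SYN FIN URGP=0
Sep 21 06:30:00 web kernel: Bad packet from eth0:IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 LEN=60 PROTO=UDP SPT=1024 DPT=161 LEN=40
Sep 21 06:31:00 web sshd[123]: Accepted publickey for ixion from 10.0.0.2 port 50000 ssh2
EOF
}

# Demo: every (prefix, source) pair logged three or more times.
demo_log=$(mktemp)
write_sample_log "$demo_log"
scan_summary "$demo_log" 3
rm -f "$demo_log"
```

For the real thing, point it at the file syslog-ng sends kernel messages to (e.g. scan_summary /var/log/messages 5).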

----------

## ixion

*Quote:*

> 1. Mounting separate partitions for: /, /tmp (noexec), /var, /usr, /home, /var/chroot/www, /var/chroot/games, /var/chroot/courier.
>
> 2. Running Apache in chroot with only essential environment (with mod_php, and mod_ssl). Also configured it according to Apache.org's security advice. Extra logging enabled. Running on obscure port.
> ...

with the above mentioned...... is my server safe to be exposed on public ports (80/443 (HTTP/HTTPS))?? Can I feel enough peace of mind to expose it? Oh, and I do have one more layer of security... Squirrelmail logins will be handled via MySQL db (Virtual Users, not actual system users). But, another vulnerability has been added: Dynamic DNS.

Am I the MOST paranoid user of Gentoo?????   :Laughing:   :Embarassed:   :Rolling Eyes: 

----------

## hellbringer

*ixion wrote:*

> with the above mentioned...... is my server safe to be exposed on public ports (80/443 (HTTP/HTTPS))?? Can I feel enough peace of mind to expose it? Oh, and I do have one more layer of security... Squirrelmail logins will be handled via MySQL db (Virtual Users, not actual system users). But, another vulnerability has been added: Dynamic DNS.
>
> Am I the MOST paranoid user of Gentoo?????

You are probably the most paranoid user ever. Come on, there is no fun if you never get hacked, open some stuff  :Twisted Evil: . Now seriously, you cannot feel enough peace of mind. Never. If you want to have security, you have to be updated with all the security stuff that is installed on your computers. Make a list of every single software you have and subscribe to their respective security lists. Also subscribe to BugTraq and others and be updated on security issues. And even then fear!!

----------

## paradox508

some one got a little crazy with the submit button.. hehe

'Dox

----------

## cbreaker

Okay, let me put it this way.   The only truly secure computer is the computer that's unplugged. 

That being said, you really need to think about when "enough is enough."   For me, I tend to run a fairly loose shop compared to you.   I make sure my system is updated, and I run chroot when I feel it's necessary.  Most of the time I don't.   I firewall my machines and I use strong passwords.  I make sure there's no unnecessary software installed and running, which is one of the reasons I like Gentoo.   Most "breakins" are attributed to overlooking the simple things.

There's some cases where you need a really rock solid secure system.  I suppose if you were trying to design a large web-site where protecting the data contained within is absolutely life or death, you'd really want to implement the best security possible.

For the other 95% of web sites out there, it can be more trouble than what it's worth.  Troubleshooting high-security setups can be a nightmare.  "Normal" configurations work fine for most people without problems.

It gets to a point where it doesn't matter how much you, the administrator, do to secure the machine.   If there's a hidden exploit in the code, sometimes there's little you can do to protect yourself ahead of time.    So, you need to make sure that if something DOES happen you can recover from it quickly.   Backups are your friend.

----------

## paradox508

so you dont run a firewall and you rely on updates to stay secure? what's your ip?   :Twisted Evil:   hehe  :Wink: 

i think a firewall is paramount as the least security measure you should have. i definitely think there is a balance between security and usability that is key. finding this balance is difficult and is generally on a per-use basis. it really depends what you're doing with the machine, how important your data is and how likely of a target you are/think you are.

'Dox

----------

## cbreaker

What?   Re-read my post... I said I run firewalls and keep software up to date...  among other things..

Last edited by cbreaker on Sun Sep 21, 2003 6:21 am; edited 1 time in total

----------

## paradox508

OUCH! my bad i misread what you wrote!

i thought you said you didn't firewall haha. thats like making sure you have the most up to date window locks and keeping your front door open all the time.

sorry. but yea i agree there is no such thing as a secure machine. just decide for yourself when security starts to infringe on usability and then stop there. 

i dont think there is anything wrong with running a tight ship like ixion does. he would do well in a production server environment with his attitude on security hehe. 

'Dox

----------

## cbreaker

*Quote:*

> he would do well in a production server environment with his attitude on security hehe.

While I agree to a point, being paranoid about security and locking everything down to high hell is futile when most of the major vulnerabilities are beyond your control.

The most important security considerations are the most simple ones to implement.

----------

## paradox508

agreed! solutions should be as simple as possible and no simpler.

'Dox

----------

## Crg

*ixion wrote:*

> Am I the MOST paranoid user of Gentoo?????

Maybe you're trying to be the most paranoid, but I'd never let you near my servers  :Smile: 

You've concentrated on making it more complicated than it needs to be, not a good idea when it comes to security, and you've not implemented simple stuff that should have been done.  For example why aren't outgoing firewall rules implemented?  It'd take a couple of seconds.

Also on your firewall rules, have you had them reviewed by someone else (who knows it thoroughly)?

Have you looked at using inline-snort with iptables?

Running services on different ports from what they're supposed to be is just silly,  especially if you don't have a setup which prevents portscans.

----------

## ixion

/me clears throat   :Wink: 

I have implemented outgoing firewall rules (as suggested by the Gentoo Security Guide) before I made the server public... I may look into adding Snort later this week. Thanks for the tip!!

*Quote:*

> i dont think there is anything wrong with running a tight ship like ixion does. he would do well in a production server environment with his attitude on security hehe.

Thanks bro.  :Smile:  Mainly the reason I did all this is to learn how to do it, and how to do it properly.. and the reason I make posts like this is to see more and more opinions on making it even tighter (thanks,  Crg;)). I eventually (although my current employer chooses convenience HIGH above security) want to get in an environment where security is at its highest concern. I grew up being paranoid, and I grew up loving computers... what better way to implement this than to get a job that exploits my talents/concerns...

Please anyone who has any comments on locking things down some more (or if you just feel like telling me I'm wasting my time  :Laughing:  ), post away! I'm open to debate/opinions...

EDIT:

Here is my firewall script... whatcha think?

```
#!/sbin/runscript
# Gentoo init script: default policy DROP on all three chains, then one
# chain per service which is hooked into INPUT or OUTPUT at the end.

IPTABLES=/sbin/iptables
IPTABLESSAVE=/sbin/iptables-save
IPTABLESRESTORE=/sbin/iptables-restore
FIREWALL=/etc/firewall.rules
DNS1=10.0.0.1
IIP=10.0.0.5
IINTERFACE=eth0
LOCAL_NETWORK=10.0.0.0/24

opts="${opts} showstatus panic save restore showoptions rules"

depend() {
  need net procparam
}

rules() {
  stop
  ebegin "Setting internal rules"
  einfo "Setting default rule to drop"
  $IPTABLES -P FORWARD DROP
  $IPTABLES -P INPUT   DROP
  $IPTABLES -P OUTPUT  DROP

  #default rule: accept replies to known connections, log and drop everything else
  einfo "Creating states chain"
  $IPTABLES -N allowed-connection
  $IPTABLES -F allowed-connection
  $IPTABLES -A allowed-connection -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A allowed-connection -i $IINTERFACE -m limit -j LOG --log-prefix "Bad packet from ${IINTERFACE}:"
  $IPTABLES -A allowed-connection -j DROP

  #ICMP traffic: only the two types needed for path MTU / traceroute style replies
  einfo "Creating icmp chain"
  $IPTABLES -N icmp_allowed
  $IPTABLES -F icmp_allowed
  $IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type time-exceeded -j ACCEPT
  $IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type destination-unreachable -j ACCEPT
  $IPTABLES -A icmp_allowed -p icmp -j LOG --log-prefix "Bad ICMP traffic:"
  $IPTABLES -A icmp_allowed -p icmp -j DROP

  #Incoming traffic
  einfo "Creating incoming ssh traffic chain"
  $IPTABLES -N allow-ssh-traffic-in
  $IPTABLES -F allow-ssh-traffic-in
  $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags ALL RST --dport 22 -j ACCEPT
  $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags ALL FIN --dport 22 -j ACCEPT
  $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags ALL SYN --dport 22 -j ACCEPT
  $IPTABLES -A allow-ssh-traffic-in -m state --state RELATED,ESTABLISHED -p tcp --dport 22 -j ACCEPT

  einfo "Creating incoming http/https traffic chain"
  $IPTABLES -N allow-www-traffic-in
  $IPTABLES -F allow-www-traffic-in
  $IPTABLES -A allow-www-traffic-in -p tcp --dport 80 -j ACCEPT
  $IPTABLES -A allow-www-traffic-in -p tcp --dport 443 -j ACCEPT

  #Outgoing traffic: each chain permits exactly one service
  einfo "Creating outgoing dns traffic chain"
  $IPTABLES -N allow-dns-traffic-out
  $IPTABLES -F allow-dns-traffic-out
  $IPTABLES -A allow-dns-traffic-out -p udp -d $DNS1 --dport 53 -j ACCEPT

  einfo "Creating outgoing http/https traffic chain"
  $IPTABLES -N allow-www-traffic-out
  $IPTABLES -F allow-www-traffic-out
  $IPTABLES -A allow-www-traffic-out -p tcp --dport 80 -j ACCEPT
  #$IPTABLES -A allow-www-traffic-out -p tcp --dport 443 -j ACCEPT

  einfo "Creating outgoing rsync traffic chain"
  $IPTABLES -N allow-rsync-traffic-out
  $IPTABLES -F allow-rsync-traffic-out
  $IPTABLES -A allow-rsync-traffic-out -p tcp --dport 873 -j ACCEPT

  einfo "Creating outgoing smtp traffic chain"
  $IPTABLES -N allow-smtp-traffic-out
  $IPTABLES -F allow-smtp-traffic-out
  $IPTABLES -A allow-smtp-traffic-out -p tcp --dport 25 -j ACCEPT

  einfo "Creating outgoing email traffic chain"
  $IPTABLES -N allow-email-traffic-out
  $IPTABLES -F allow-email-traffic-out
  $IPTABLES -A allow-email-traffic-out -p tcp --dport 110 -j ACCEPT

  #Catch portscanners: impossible TCP flag combinations are logged (rate limited) and dropped
  einfo "Creating portscan detection chain"
  $IPTABLES -N check-flags
  $IPTABLES -F check-flags
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level alert --log-prefix "NMAP-XMAS:"
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS:"
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -j DROP
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS-PSH:"
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "NULL_SCAN:"
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -j DROP
  $IPTABLES -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/RST:"
  $IPTABLES -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  $IPTABLES -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/FIN:"
  $IPTABLES -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

  # Apply and add invalid states to the chains
  einfo "Applying chains to INPUT"
  $IPTABLES -A INPUT -m state --state INVALID -j DROP
  $IPTABLES -A INPUT -j icmp_allowed
  $IPTABLES -A INPUT -j check-flags
  $IPTABLES -A INPUT -i lo -j ACCEPT
  $IPTABLES -A INPUT -j allow-ssh-traffic-in
  $IPTABLES -A INPUT -j allow-www-traffic-in
  $IPTABLES -A INPUT -j allowed-connection

  einfo "Applying chains to OUTPUT"
  $IPTABLES -A OUTPUT -m state --state INVALID -j DROP
  $IPTABLES -A OUTPUT -j icmp_allowed
  $IPTABLES -A OUTPUT -j check-flags
  $IPTABLES -A OUTPUT -o lo -j ACCEPT
  $IPTABLES -A OUTPUT -j allow-dns-traffic-out
  $IPTABLES -A OUTPUT -j allow-www-traffic-out
  $IPTABLES -A OUTPUT -j allow-rsync-traffic-out
  $IPTABLES -A OUTPUT -j allow-smtp-traffic-out
  $IPTABLES -A OUTPUT -j allow-email-traffic-out
  $IPTABLES -A OUTPUT -j allowed-connection
  eend $?
}

start() {
  ebegin "Starting firewall"
  if [ -e "${FIREWALL}" ]; then
    restore
  else
    einfo "${FIREWALL} does not exist. Using default rules."
    rules
  fi
  eend $?
}

# stop: flush everything and fall back to ACCEPT (the box is open while stopped)
stop() {
  ebegin "Stopping firewall"
  $IPTABLES -F
  $IPTABLES -t nat -F
  $IPTABLES -X
  $IPTABLES -P FORWARD ACCEPT
  $IPTABLES -P INPUT   ACCEPT
  $IPTABLES -P OUTPUT  ACCEPT
  eend $?
}

showstatus() {
  ebegin "Status"
  $IPTABLES -L -n -v --line-numbers
  einfo "NAT status"
  $IPTABLES -L -n -v --line-numbers -t nat
  eend $?
}

# panic: drop everything except loopback
panic() {
  ebegin "Setting panic rules"
  $IPTABLES -F
  $IPTABLES -X
  $IPTABLES -t nat -F
  $IPTABLES -P FORWARD DROP
  $IPTABLES -P INPUT   DROP
  $IPTABLES -P OUTPUT  DROP
  $IPTABLES -A INPUT -i lo -j ACCEPT
  $IPTABLES -A OUTPUT -o lo -j ACCEPT
  eend $?
}

save() {

  ebegin "Saving Firewall rules"

  $IPTABLESSAVE > $FIREWALL

  eend $?

}

restore() {

  ebegin "Restoring Firewall rules"

  $IPTABLESRESTORE < $FIREWALL

  eend $?

}

restart() {

  svc_stop; svc_start

}

showoptions() {

  echo "Usage: $0 {start|save|restore|panic|stop|restart|showstatus}"

  echo "start)      will restore setting if exists else force rules"

  echo "stop)       delete all rules and set all to accept"

  echo "rules)      force settings of new rules"

  echo "save)       will store settings in ${FIREWALL}"

  echo "restore)    will restore settings from ${FIREWALL}"

  echo "showstatus) Shows the status" 

}

```
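The `check-flags` chain in the script above relies on the `--tcp-flags MASK COMP` semantics, which are easy to misread: only the bits in MASK are examined, and the rule matches when exactly the bits in COMP are set among them. The following model, an added example that is not part of the script or the thread, walks constructed flag combinations through the chain in the script's rule order so the matching and ordering can be checked without root or a live box. The flag bit values are the TCP header's; the rule table is copied from the script.

```python
"""Model of the check-flags chain: iptables --tcp-flags MASK COMP semantics.

Added example (not from the original post).  A rule matches when
(packet_flags & MASK) == COMP; each pattern in the script is a rate-limited
LOG followed by an unconditional DROP, so the first matching pattern decides.
"""

# TCP header flag bits (RFC 793 layout of the flags byte).
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL = sum(FLAG_BITS.values())   # iptables' ALL = SYN,ACK,FIN,RST,URG,PSH


def flags(spec):
    """Turn an iptables flag list ('SYN,ACK', 'ALL', 'NONE') into a bitmask."""
    if spec == "ALL":
        return ALL
    if spec == "NONE":
        return 0
    return sum(FLAG_BITS[name] for name in spec.split(","))


def tcp_flags_match(packet_flags, mask, comp):
    """The --tcp-flags test: look only at MASK bits, require exactly COMP set."""
    return (packet_flags & flags(mask)) == flags(comp)


# (MASK, COMP, log prefix) in the order the script appends them to check-flags.
CHECK_FLAGS = [
    ("ALL", "FIN,URG,PSH", "NMAP-XMAS:"),
    ("ALL", "ALL", "XMAS:"),
    ("ALL", "SYN,RST,ACK,FIN,URG", "XMAS-PSH:"),
    ("ALL", "NONE", "NULL_SCAN:"),
    ("SYN,RST", "SYN,RST", "SYN/RST:"),
    ("SYN,FIN", "SYN,FIN", "SYN/FIN:"),
]


def check_flags(packet_flags):
    """Return ('DROP', prefix) for the first matching pattern, else ('RETURN', None).

    RETURN models falling off the end of a user chain: the packet goes back to
    INPUT/OUTPUT and on to the allow-* chains.
    """
    for mask, comp, prefix in CHECK_FLAGS:
        if tcp_flags_match(packet_flags, mask, comp):
            return "DROP", prefix
    return "RETURN", None


def classify(spec):
    """Convenience wrapper: classify a packet given as an iptables flag list."""
    return check_flags(flags(spec))


if __name__ == "__main__":
    # Constructed probes: a normal SYN, a textbook XMAS, the same XMAS with ACK
    # added, a full-flag packet, a NULL scan and a SYN/FIN probe.
    for spec in ("SYN", "FIN,URG,PSH", "FIN,URG,PSH,ACK",
                 "ALL", "NONE", "SYN,FIN,ACK", "SYN,RST"):
        print(f"{spec:18} -> {classify(spec)}")
```

Worth noticing from the output: the `ALL FIN,URG,PSH` rule is an exact match, so `FIN,URG,PSH,ACK` sails through it (and through every other rule), while the `SYN,FIN SYN,FIN` rule catches any packet carrying both bits regardless of the rest. Normal SYN, ACK and SYN/ACK traffic never matches, which is why the chain can sit in front of the allow rules without breaking anything.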

----------

## ixion

Snort is now up and running...  :Smile: 

What did you mean by: *Quote:*   

> Have you looked at using inline-snort with iptables?

 

I am currently using it as a service outputting to Syslog... Is there a better/more secure/more thorough way of implementing Snort?

Speaking of logs, how would I get my Syslog emailed to me hourly? I would like to monitor what's going on instead of blindly trusting that my setup is secure..  :Wink: 

Edit:

Ok, in the crontab I'm having Syslog emailed to me hourly... I'm also looking at the snort logs to be emailed to me... which ones should I be concerned about? Just the 'alert' log?

Speaking of the snort logs, I saw this:

```
[**] WEB-IIS ISAPI .ida attempt [**]
09/21-12:44:45.503337 68.202.163.26:1442 -> 10.0.0.5:80
TCP TTL:122 TOS:0x0 ID:53027 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x3DAB9F7A  Ack: 0xF7ABDD2F  Win: 0x4470  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] WEB-IIS cmd.exe access [**]
09/21-12:44:45.536471 68.202.163.26:1442 -> 10.0.0.5:80
TCP TTL:122 TOS:0x0 ID:53028 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x3DABA52E  Ack: 0xF7ABDD2F  Win: 0x4470  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
```

What's this mean?

----------

## cbreaker

Are you kidding?

----------

## ixion

Add a couple more things to my list of security measures  :Cool: 

1. Locked down PHP some (there is a php.ini-recommended config file with tons of tips) and disabled File Uploading.

2. Through HTTPS I only allow SSLv2. No Medium Ciphers are available, although some Export Ciphers are. Still trying to disable them (if possible).

3. Outgoing Firewall ruleset (previously posted above).

4. Snort is now implemented, and its log is emailed to me hourly.

5. Syslog is emailed to me hourly

----------

## Crg

 *ixion wrote:*   

> 
> 
> I am currently using it as a service outputting to Syslog... Is there a better/more secure/more thorough way of implementing Snort?
> 
> 

 

http://www.snort.org/dl/contrib/patches/inline/

I use it quite a bit on the firewalls I look after.  All packets going through your firewall get put through snort and dodgy packets dropped.

I also set snort up to send a (forged) TCP RST packet to the destination when dropping packets - this means for the common case, say, an HTTP-based attack, the TCP session open to your webserver is closed straight away instead of timing out (the attacking IP keeps on resending the packet till its TCP session times out, so it wastes a bit of time).

Inline-snort is particularly effective in one (IIS based) webhosting firm whose firewall I look after.

I'm forever telling them to update them but they never do, but with the inline-snort rules regularly updated it protects them from their laziness/silliness.

 *ixion wrote:*   

> 
> 
> Speaking of logs, how would I get my Syslog emailed to me hourly? I would like to monitor what's going on instead of blindly trusting that my setup is secure.. 
> 
> 

 

Would you read it if it's sent every hour?  :Smile: 

Too much information can tend to hide the stuff you need to be concerned about, or make you bored and not read all of it properly, which then makes it pointless.

You might want to check out www.logwatch.com, it looks like it might be good at sorting out the information in logs and sending a better summary so what's important isn't lost in the mass of information, or you could write your own customised monitoring scripts.

For example one that sorts through your snort logs/firewall logs and mails you a summary of all the information sorted by active ip and/or most unusual activity.

 *ixion wrote:*   

> 
> 
> WEB-IIS cmd.exe access
> 
> 

 

It's an exploit aimed at IIS servers.

Last edited by Crg on Sun Sep 21, 2003 10:36 pm; edited 2 times in total

----------

## Crg

 *ixion wrote:*   

> 
> 
> stop() {
> 
>   ebegin "Stopping firewall"
> ...

 

Personally I would change this to be equal to what's in "panic"  :Smile: 

```
  $IPTABLES -A INPUT -j allow-www-traffic-in
```

Are you running a webserver on the firewall machine itself?

What's the setup here?

----------

## think4urs11

Hi!

just for my curiosity...

why do you run the snort IIS-sensors while you're only on Apache?

Would be a good idea to tune your snort setup in a way that you only activate sensors for services you have. Activating each and every sensor is unneeded overkill.

Also AIDE might be something to look at.

HTH

T.

----------

## ixion

all excellent information.. I will post back as I implement each suggestion.... thanks!!

Crg, I am running a Freesco firewall, but the Webserver also has a firewall (overkill, I know). Soon I will be placing the Webserver in a DMZ where, if compromised, it won't be able to touch my LAN. I'm waiting on a plugin for Freesco that's being written specifically for this. This is why I have an IPTABLES firewall on it. I didn't want to have to wait until the plugin for freesco is written before I tighten down the hatches with a firewall.  :Wink: 

Thanks again guys for all your suggestions... I will be implementing them soon!

----------

## Crg

 *Think4UrS11 wrote:*   

> 
> 
> why do you run the snort IIS-sensors while you're only on Apache?
> 
> 

 

IMHO you should, because it's an attempt against your servers.

Most of the time it is just silly scanning that goes on, occasionally it is some script kiddie running a whole range of attacks without checking your webserver type/version (in my case I edit the apache source so that it doesn't give out what type of webserver it is).

Which is another thing you can do, change your services so they don't give out that they are sendmail/apache/exim/version/whatever.

(With my notification script I'm only notified on IIS attacks if the same IP has attempted other attacks).
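Crg suggests, a few posts up, a custom script that sorts snort and firewall logs by active IP and mails a summary, and here describes the filter he uses: IIS-only alerts are not reported unless the same IP has tried something else. The following is an added example of that logic, not Crg's script (which is not on the page); it parses the "full" alert layout quoted earlier in the thread, groups alerts by source address, and applies the IIS suppression rule. The sample log is constructed, using RFC 5737 documentation addresses, and the signature names in it are illustrative.

```python
"""Summarise Snort 'full' alert logs per source IP, suppressing IIS-only noise.

Added example (not the poster's script).  Input format: the alert layout
quoted earlier in the thread.  Sample data below is constructed.
"""
import re
from collections import defaultdict

# Constructed sample: one IIS-only scanner, one IP mixing IIS probes with
# attacks that do apply to an Apache box, and one single-shot probe.
SAMPLE_ALERT_LOG = """\
[**] WEB-IIS ISAPI .ida attempt [**]
09/21-12:44:45.503337 192.0.2.10:1442 -> 10.0.0.5:80
TCP TTL:122 TOS:0x0 ID:53027 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x3DAB9F7A  Ack: 0xF7ABDD2F  Win: 0x4470  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] WEB-IIS cmd.exe access [**]
09/21-12:44:45.536471 192.0.2.10:1442 -> 10.0.0.5:80
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] WEB-IIS cmd.exe access [**]
09/21-13:02:11.000001 198.51.100.7:3301 -> 10.0.0.5:80
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] WEB-MISC /etc/passwd [**]
09/21-13:02:12.000002 198.51.100.7:3302 -> 10.0.0.5:80
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] SCAN nmap XMAS [**]
09/21-13:02:13.000003 198.51.100.7:3303 -> 10.0.0.5:80
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] WEB-MISC /etc/passwd [**]
09/21-14:10:00.000004 203.0.113.5:4000 -> 10.0.0.5:80
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

# "[**] name [**]" with an optional "[gid:sid:rev]" tag that newer rule sets add.
HEADER_RE = re.compile(r"^\[\*\*\]\s+(?:\[[\d:]+\]\s+)?(.*?)\s+\[\*\*\]$")
# "MM/DD-hh:mm:ss.usec src[:port] -> dst[:port]"; port is absent for ICMP.
FLOW_RE = re.compile(r"^\S+\s+(\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->\s+"
                     r"(\d+\.\d+\.\d+\.\d+)(?::\d+)?")


def parse_alerts(text):
    """Return a list of (signature, src_ip, dst_ip) tuples from an alert file."""
    alerts, signature = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            signature = m.group(1)          # header line starts a record
            continue
        if signature is not None:
            m = FLOW_RE.match(line)
            if m:                           # the flow line right after it
                alerts.append((signature, m.group(1), m.group(2)))
                signature = None
    return alerts


def summarize(alerts, ignore_prefix="WEB-IIS"):
    """Group alerts by source IP and rank sources by alert count.

    A source whose alerts all start with ignore_prefix is dropped from the
    report (pure IIS scanning against a non-IIS host).  Any other signature
    from the same source brings the whole record back, IIS probes included,
    so the reader sees everything that IP tried.
    """
    by_ip = defaultdict(list)
    for signature, src, _dst in alerts:
        by_ip[src].append(signature)
    report = []
    for ip, signatures in by_ip.items():
        if all(s.startswith(ignore_prefix) for s in signatures):
            continue
        report.append((ip, len(signatures), sorted(set(signatures))))
    report.sort(key=lambda row: (-row[1], row[0]))   # busiest sources first
    return report


def format_report(report):
    """Render the summary as plain text suitable for a cron mail."""
    return "\n".join(f"{ip:16} {count:4} alerts: {'; '.join(sigs)}"
                     for ip, count, sigs in report)


if __name__ == "__main__":
    print(format_report(summarize(parse_alerts(SAMPLE_ALERT_LOG))))
```

Run against the sample, 192.0.2.10 is silenced (two IIS probes, nothing else), while 198.51.100.7 is listed first with all three of its signatures because the `/etc/passwd` and XMAS alerts mark it as more than a drive-by scanner. The same grouping can be extended to the firewall's `--log-prefix` lines by adding a second parser that feeds the same `summarize()`.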

----------

## Crg

 *ixion wrote:*   

> 
> 
> Crg, I am running a Freesco firewall, but the Webserver also has a firewall (overkill, I know).
> 
> 

 

Not really an overkill as it only takes a little while to implement, also the firewalling of your webserver is more advanced than freesco.

----------

## ixion

 *Crg wrote:*   

>  *Think4UrS11 wrote:*   
> 
> why do you run the snort IIS-sensors while you're only on Apache?
> 
>  
> ...

 

I have this very same philosophy. Any attack is a threat, whether it's attacking something you have or something you don't have.

 *Quote:*   

> Which is another thing you can do, change your services so they don't give out that they are sendmail/apache/exim/version/whatever.

 

I edited Apache's (1.3) source to prevent the server/version from being obtainable, but then I couldn't get it to compile. I didn't look much more into it. Maybe that will be one of my next steps. Currently, an attacker is unable to obtain the version number. Just that it's Apache.

 *Quote:*   

> (With my notification script I'm only notified on IIS attacks if the same IP has attempted other attacks).

 

How do you do this? I am having some trouble with Logwatch. It's great with default setup, but once I start adding my own logs to watch (snort), it doesn't work. I'm not a scripting veteran by any means, so writing my own script would turn out to be a tragedy.  :Wink: 

btw, is there a tutorial on the Inline Snort? I haven't gotten that to work as of yet.  :Sad:  It'd sure be nice to have that in Portage..  :Twisted Evil: 

----------

## Crg

 *ixion wrote:*   

> 
> 
> I edited Apache's (1.3) source to prevent the server/version from being obtainable, but then I couldn't get it to compile. I didn't look much more into it. Maybe that will be one of my next steps. Currently, an attacker is unable to obtain the version number. Just that it's Apache.
> 
> 

 

Just edit line 458-461ish of src/include/httpd.h

```
#define SERVER_BASEVENDOR   "SomeRandomVendor"
#define SERVER_BASEPRODUCT  "My Web Server"
#define SERVER_BASEREVISION "x.xxxx"
```

 *ixion wrote:*   

> 
> 
> How do you do this?
> 
> 

 

Some messy Perl code which I wrote one day when I realised I wasn't really paying attention to the logs and figured it needed to be delivered in a more crg-friendly format for me to pay attention  :Smile: 

 *ixion wrote:*   

> 
> 
> btw, is there a tutorial on the Inline Snort? I haven't gotten that to work as of yet.  It'd sure be nice to have that in Portage.. 
> 
> 

 

There is some stuff written about it here http://project.honeynet.org/tools/index.html

----------

## ixion

I've found an awesome utility (in portage, nonetheless  :Twisted Evil:  ) called SnortSnarf. It takes your Snort logs and puts them into a web page. Works terrifically organizing things to where I (n00b) can read them. I'm still using logwatch for system logs, though. Works like a champ.

This brings me to a couple questions, though.

First of all, currently I have the snort snarf directory bzipped up, and emailed to me daily. This is turning into one LARGE file. Would it be safe to just host this on my web server somewhere with password access? If so, how can I really lock it down so only I (w/ username and password) will be able to access the area? I've heard of .htaccess.. is that what I need to utilize?

Secondly, the number one thing seen by Snort is the Cross-site Scripting Attempt (about 450 in just one day). What can I do to protect myself against this? I googled for a solution, but the Rewrite scripts don't work (Nessus picks up the vulnerability every time). Do I possibly not have mod_rewrite installed? Should I even be worried about this vulnerability since it's targeted at cross-domain hosting?

I'm still having trouble grasping snort inline.. the documentation for this thing is scarce... I know it'll be worth it once I finally do get it going, though... would anyone happen to have some advice/experience on setting it up?

----------

## Bones McCracker

I wonder how it worked out?

----------

## ixion

hello there... interesting that you ask..  :Smile: 

Snort has matured quite a bit over the past few years with inline ability now built in (-Q I believe). I haven't been observing the snort logs as I should as of late, mainly with the security that such attacks are being dropped. When I was observing them, however, I logged snort to a mysql database (be careful doing this as if mysql crashes or is restarted, snort crashes and if you are using snort inline you lose access to your box;)) and there was a nice front-end that gave me graphs and all kinds of pretty things. That was quite some time ago so I don't remember what it was called.

Cross-site scripting is a danger and the best defenses against it are running snort inline, keeping all your web apps up to date, and using as minimal web apps as possible (if you do have to use them, try to password-protect that area with Apache's Auth modules). Also, if you must use php, use the hardened version (USE="hardened hardenedphp" I believe), and google for security tips in php.ini (safe_mode, safe_mode_exec_dir, open_basedir, etc).

There are many things you can do, some of which are touched on nicely in the Gentoo Security Handbook: http://www.gentoo.org/doc/en/security/security-handbook.xml

Edit: Using hardened-sources as a monolithic kernel (no module support) is a great start to securing a system. Be sure to enable all the grsecurity/PaX options (except Emulate Trampolines, SysCtl support, or Soft Mode). Also make sure to mount /tmp and /var/tmp with (noexec,nosuid,nodev) options.
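The mount-option advice at the end of the post above is easy to get half right (a `/tmp` with `nosuid,nodev` but no `noexec`, or a `/var/tmp` that is just a directory on the root filesystem). The following checker, an added example rather than anything from the thread or the Gentoo handbook, parses fstab text and reports which scratch mounts lack `noexec`, `nosuid` or `nodev`. The sample fstab is constructed; the function names are mine.

```python
"""Audit fstab for noexec,nosuid,nodev on /tmp and /var/tmp.

Added example (not from the thread).  Sample fstab below is constructed and
deliberately has one gap per scratch mount.
"""

REQUIRED = {"noexec", "nosuid", "nodev"}
SCRATCH_MOUNTS = ("/tmp", "/var/tmp")

SAMPLE_FSTAB = """\
# <fs>       <mountpoint>  <type>  <opts>                  <dump> <pass>
/dev/hda1    /boot         ext2    noauto,noatime          1 2
/dev/hda3    /             ext3    noatime                 0 1
/dev/hda5    /tmp          ext3    noatime,nosuid,nodev    0 2
none         /dev/shm      tmpfs   defaults                0 0
/dev/hda2    none          swap    sw                      0 0
"""


def parse_fstab(text):
    """Return (fs, mountpoint, fstype, set_of_options) per non-comment line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:                   # dump/pass are optional, opts are not
            continue
        fs, mountpoint, fstype, opts = fields[:4]
        entries.append((fs, mountpoint, fstype, set(opts.split(","))))
    return entries


def audit_scratch_mounts(text, mounts=SCRATCH_MOUNTS):
    """Map each scratch mountpoint to what is wrong with it; empty dict means OK.

    Missing options are listed by name; a mountpoint with no fstab entry at
    all is reported as 'not a separate mount', since the options can only be
    applied to a filesystem (or bind mount) of its own.
    """
    by_mount = {mp: opts for _fs, mp, _type, opts in parse_fstab(text)}
    findings = {}
    for mp in mounts:
        if mp not in by_mount:
            findings[mp] = ["not a separate mount"]
            continue
        missing = sorted(REQUIRED - by_mount[mp])
        if missing:
            findings[mp] = missing
    return findings


if __name__ == "__main__":
    import sys
    # Audit the live file when run on a box, the constructed sample otherwise.
    try:
        with open("/etc/fstab") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_FSTAB
    result = audit_scratch_mounts(text)
    for mp, problems in result.items():
        print(f"{mp}: {', '.join(problems)}")
    sys.exit(1 if result else 0)
```

Two caveats a practitioner should keep in mind: `noexec` stops `/tmp/x` from being executed directly but not `perl /tmp/x.pl` or `sh /tmp/x.sh`, so it raises the bar rather than closing the door; and when `/var/tmp` is a bind mount of `/tmp`, older `mount(8)` versions ignore the option list on the initial bind and need an explicit `mount -o remount,noexec,nosuid,nodev /var/tmp` afterwards, so confirm the result with `mount` or `/proc/mounts` rather than trusting fstab alone.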

----------

## Bones McCracker

Thanks for the update.  I've implemented just about everything recommended in the Gentoo Security Handbook (or some equivalent of those suggestions).  I was looking at snort and trying to decide if it is worth it.  Snort-inline in particular seems it would be valuable.

I'm wondering what the overhead is on the machine and also if it slows down traffic?  And what's your verdict on snortsam?

----------

## ixion

Ah, I have not tried SnortSAM. Looks like a nice little plugin.

I don't think snort_inline uses much overhead as far as system horsepower. As far as network slowdowns, I really don't think it'd be noticeable (especially for internet sites).

Be sure to use oinkmaster (I can attach a sample config) to update/modify your rules. I have all my rules drop, not just alert.

If I come across the web frontend software I used to use I'll post it back here. It's just been so very long since I've used it..  :Wink: 

Just remember no matter how many security layers you implement now, they will all require maintenance or else they are rendered useless or even an exploitable weakness. Take for instance snort or mod_security for Apache.. if there is a vuln. in one of those then your system could be at higher risk than it would be without running either of them. Not saying this to scare you, just something I've learned over the years. Another example, I used to chroot every service I could get my hands on.. but it got to be such a hassle I was falling behind when security fixes were released.. I came to the conclusion I'd rather be running up to date sfw outside of a chroot than an older version inside a chroot.

Just some food for thought..  :Smile: 

----------

## ixion

FYI, the web frontend I used was ACID: http://acidlab.sourceforge.net/

Am thinking of implementing that again.. quite a nice little program..

----------

