hello, I found something that may interest some of you, good luck, flavius Security (Beginner): Secure Installation of Apache Web Server Posted by hakimkt Tuesday, September 02, 2003 - 08:11 PM CEST The webserver is one of the favourite targets on the internet today. Webservers must be accessible from any location on the internet inorder to allow computers/users to view the websites. One of the most common dangers is defacements of sites, which is mostly done by so called script kiddies or crackers. Defacements can lead to serious company damage as in downtime, and confidence towards its customers and the net in general. Even worse is if the webserver holds sensitive information like credit card details, that on some defacements are published openly on the defaced site. Hi all, i was about to setup a new webserver for some of my private sites that i wanna host, and since i love security i wanted to set it up as secure as possible, and share with you how to setup a secure webserver using SuSE linux 7.3 (since its the distro i use). I hope that it will help you in setting up a secure web server. Each service must be tightend as well as possible for security reasons, meaning that the services should be launched as standalone only and not launched as root. That secures the point that if a service is compromised, the attacker has only as much access as the service is running on (eg for webserver, let user www be the one to start that service instead of root). To setup the webserver securely, create 7 partitions on the HD. / /var /tmp /home /usr /usr/local /etc You then install the MINIMUM installation only (no gui, gpms, inetd, rpc, pico, compilers etc...). Just the minimum OS installation, and add the following packets to it. compat sudo apache bindutil SuSEfirewall II harden_suse mod_ssl scanlogd seccheck Aide proftpD ftpdir (instead of sendmail, install postfix) plus anything else you need (e.g. data bases, modules for the Apache) Before installing any of the above mentioned packages, check to make sure if any updates are available for them, and update them if necessary. Before starting with the actual work, all "standard" Linux configurations such as entering the name server, configuration of the network interface, setting up users, etc. should be executed. Initially all unnecessary services should be inactivated and authorizations withdrawn from privileged programs not absolutely needed. This can easily be done with the harden_suse tool. server# harden_suse This causes extensive changes to the system, which are all recorded in /etc/harden_suse.log and which can be undone with the /etc/undo_harden_suse script. Users of other Linux distributions like Red Hat can possibly use the Bastille script or something similar, although these represent a slightly different approach. All services with net access except SSH are deactivated and only the following privileged suid and sgid programs remain: server# find / -perm -04000 -type f -exec ls -ld {} ; -rwsr-x--- 1 root trusted 23840 Mar 11 11:26 /bin/ping -rwsr-x--- 1 root trusted 30750 Mar 11 11:37 /bin/su -rwsr-x--- 1 root trusted 21268 Mar 11 11:10 /usr/bin/crontab -rwsr-xr-x 1 man root 85460 Mar 11 11:24 /usr/bin/man -rwsr-xr-x 1 root root 15308 Mar 11 11:26 /usr/bin/rcp -rwsr-xr-x 1 root root 11052 Mar 11 11:26 /usr/bin/rlogin -rwsr-xr-x 1 root root 8104 Mar 11 11:26 /usr/bin/rsh -rwsr-x--- 1 root shadow 38340 Mar 11 11:50 /usr/bin/gpasswd -rwsr-x--- 1 root trusted 22184 Mar 11 11:50 /usr/bin/newgrp -rwsr-xr-x 1 root shadow 27920 Mar 11 11:50 /usr/bin/passwd -rwsr-x--- 1 root trusted 56600 Mar 11 18:41 /usr/bin/sudo -rwsr-xr-x 1 root root 20300 Mar 11 11:26 /usr/sbin/traceroute -rwsr-xr-x 1 root root 6132 Mar 11 09:36 /usr/lib/pt_chown server# find / -perm -02000 -type f -exec ls -ld {} ; -rwxr-sr-x 1 root tty 9452 Mar 11 11:26 /usr/bin/write Next, vi into /etc/rc.config and edit the following: START_HTTPD="yes" START_FW2="yes" START_SCANLOGD="yes" That makes sure that the webserver, the firewall and the scanlog daemon are started upon system boot. Now we continue with the configuration of the local firewall and change the following lines in the file /etc/rc.config.d/firewall2.rc.config (a detailed description of the individual variables is included in the file): (I usually setup my own firewall rules via iptables, but since this is not a firewall tutorial i'll just copy paste my webservers firewall here that comes along with my suse distro I will only paste the options that i have edited or need, depending on my network setup. There are many more options, but i will only paste the ones related to the webserver as a standalone computer (not any lans, DMZ etc....) ) : # 1.) # Should the Firewall be started? # # This setting is done in /etc/rc.config (START_FW2="yes") ######################################## # # 2.) # Which is the interface that points to the internet/untrusted networks? # # Enter all the network devices here which are untrusted. # # Choice: any number of devices, seperated by a space # e.g. "eth0", "ippp0 ippp1 eth0:1" # FW_DEV_EXT="eth0" #This is what connect with to my router. ######################################## # 8.) # Do you want to autoprotect all running network services on the firewall? # # If set to "yes", all network access to services TCP and UDP on this machine # will be prevented (except to those which you explicitly allow, see below: # FW_SERVICES_{EXT,DMZ,INT}_{TCP,UDP}) # # Choice: "yes" or "no", defaults to "yes" # FW_AUTOPROTECT_SERVICES="yes" ######################################## # 9.) # Which services ON THE FIREWALL should be accessible from either the internet # (or other untrusted networks), the dmz or internal (trusted networks)? # (see no.13 & 14 if you want to route traffic through the firewall) XXX # # Enter all ports or known portnames below, seperated by a space. # Common: smtp domain FW_SERVICES_EXT_TCP="80 443 22 21" #http, https, ssh, 21 for ftp uploads # Common: domain FW_SERVICES_EXT_UDP="" # Common: domain ######################################## # # 11.) # How is access allowed to high (unpriviliged [above 1023]) ports? # # You may either allow everyone from anyport access to your highports ("yes"), # disallow anyone ("no"), anyone who comes from a defined port (portnumber or # known portname) [note that this is easy to circumvent!], or just your # defined nameservers ("DNS"). # Note that if you want to use normal (active) ftp, you have to set the TCP # option to ftp-data. If you use passive ftp, you don't need that. # Note that you can't use rpc requests (e.g. rpcinfo, showmount) as root # from a firewall using this script (well, you can if you include range # 600:1023 in FW_SERVICES_EXT_UDP ...). # # Choice: "yes", "no", "DNS", portnumber or known portname, defaults to "no" # if not set # # Common: "ftp-data", better is "yes" to be sure that everything else works :-( FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes" # Common: "DNS" or "domain ntp", better is "yes" to be sure ... FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes" ############################################# # # 12.) # Are you running some of the services below? # They need special attention - otherwise they won?t work! # # Set services you are running to "yes", all others to "no", defaults to "no" # FW_SERVICE_AUTODETECT="yes" # Autodetect the services below when starting # # If you are running bind/named set to yes. Remember that you have to open # port 53 (or "domain") as udp/tcp to allow incoming queries. # Also FW_ALLOW_INCOMING_HIGHPORTS_UDP needs to be "yes" FW_SERVICE_DNS="no" # # if you use dhclient to get an ip address you have to set this to "yes" ! FW_SERVICE_DHCLIENT="no" # # set to "yes" if this server is a DHCP server FW_SERVICE_DHCPD="no" # # set to "yes" if this server is running squid. You still have to open the # tcp port 3128 to allow remote access to the squid proxy service. FW_SERVICE_SQUID="no" # # set to "yes" if this server is running a samba server. You still have to open # the tcp port 139 to allow remote access to SAMBA. FW_SERVICE_SAMBA="no" ########################################### # # 16.) # Which logging level should be enforced? # You can define to log packets which were accepted or denied. # You can also the set log level, the critical stuff or everything. # Note that logging *_ALL is only for debugging purpose ... # # Choice: "yes" or "no", FW_LOG_*_CRIT defaults to "yes", # FW_LOG_*_ALL defaults to "no" # FW_LOG_DROP_CRIT="yes" # FW_LOG_DROP_ALL="no" # FW_LOG_ACCEPT_CRIT="yes" # FW_LOG_ACCEPT_ALL="no" # # only change/activate this if you know what you are doing! FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW" ################################################## ## # # 17.) # Do you want to enable additional kernel TCP/IP security features? # If set to yes, some obscure kernel options are set. # (icmp_ignore_bogus_error_responses, icmp_echoreply_rate, # icmp_destunreach_rate, icmp_paramprob_rate, icmp_timeexeed_rate, # ip_local_port_range, log_martians, mc_forwarding, mc_forwarding, # rp_filter, routing flush) # Tip: Set this to "no" until you have verified that you have got a # configuration which works for you. Then set this to "yes" and keep it # if everything still works. (It should!) ;-) # # Choice: "yes" or "no", defaults to "yes" # FW_KERNEL_SECURITY="yes" ################################################## ### # # 19.) # Allow (or don't) ICMP echo pings on either the firewall or the dmz from # the internet? The internet option is for allowing the DMZ and the internal # network to ping the internet. # REQUIRES: FW_ROUTE for FW_ALLOW_PING_DMZ and FW_ALLOW_PING_INTERNET # # Choice: "yes" or "no", defaults to "no" if not set # FW_ALLOW_PING_FW="no" #Drops all icmp packets to or from the firewall # FW_ALLOW_PING_EXT="no" #Drops all icmp packets to or from the firewall # # 20.) # Allow (or don't) ICMP time-to-live-exceeded to be send from your firewall. # This is used for traceroutes to your firewall (or traceroute like tools). # # Please note that the unix traceroute only works if you say "yes" to # FW_ALLOW_INCOMING_HIGHPORTS_UDP, and windows traceroutes only if you say # additionally "yes" to FW_ALLOW_PING_FW # # Choice: "yes" or "no", defaults to "no" # FW_ALLOW_FW_TRACEROUTE="yes" # # 21.) # Allow ICMP sourcequench from your ISP? # # If set to yes, the firewall will notice when connection is choking, however # this opens yourself to a denial of service attack. Choose your poison. # # Choice: "yes" or "no", defaults to "yes" # FW_ALLOW_FW_SOURCEQUENCH="yes" # # 22.) # Allow/Ignore IP Broadcasts? # # If set to yes, the firewall will not filter broadcasts by default. # This is needed e.g. for Netbios/Samba, RIP, OSPF where the broadcast # option is used. # If you do not want to allow them however ignore the annoying log entries, # set FW_IGNORE_FW_BROADCAST to yes. # # Choice: "yes" or "no", defaults to "no" # FW_ALLOW_FW_BROADCAST="no" # FW_IGNORE_FW_BROADCAST="yes" ## # END of rc.firewall2 ## That covers the local firewall on the webserver (please keep in mind that this entire tutorial is based on SUSE LINUX 7.3) Now we integrate the special SuSE security module in the following manner: server# cat >> /sbin/init.d/boot.local insmod secumod hardlink=1 symlink=1 pipe=1 trace=1 systable=1 logging=1 ^D When booting, this module will be loaded with a configuration preventing Symlink, Hardlink, Pipe, and a number of other UNIX-specific attacks. Now to the config of the apache itself. We need to make sure nobody gains unauthorized access to data or even changes the pages. For this purpose the pages are equipped with a special protection and then the Apache is furnished with a secure configuration. All pages must be supervised by the site administrator and should be locally write-protected for everybody except him. It is important that the web server is run under a different user than the one supervising the pages. In this way an attacker who manages to leak through the web will not be able to change the pages. Therefore a user is set up and a cron job is generated which makes sure every day that all pages belong to the site supervisor and have the correct authorizations. server# useradd -m wwwdocs server# cat > /etc/cron.daily/wwwdocs #!/bin/sh /bin/chown -R -h wwwdocs /usr/local/httpd/htdocs/* /bin/chmod -R go-w /usr/local/httpd/htdocs/* /bin/chmod -R a+r /usr/local/httpd/htdocs/* ^D server# chmod 700 /etc/cron.daily/wwwdocs Since the Apache probably has already been pre-configured, few changes will be necessary in the configuration. Of course, in the beginning the right value should be set for MinSpareServers, MaxSpareServers and StartServers in the file /etc/httpd/httpd.conf. The option MaxClients helps to ward off connect-denial-of-service attacks. A word of caution: if this option is set to low, regular visitors will be denied access, if too high, the administrator will have difficulties logging on and taking countermeasures in the event of an attack. In order to find the correct value there is no other way than just trying. The option ServerSignature can be switched "off" so that the software and version number is not displayed when a non-existing page is accessed, but this does not bring much since the HTTP header contains this and a lot more information. The aliases for /hilfe/, /doc/, /cgi-bin-sdb/, /sdb/, and /manual/ should be disabled. Here an example for what changes to the standard configuration could possibly look like: ("diff -u0") --- httpd.conf.orig Sun Jan 19 14:35:43 2003 +++ httpd.conf Sun Jan 9 14:35:42 2003 @@ -141,2 +141,2 @@ -MinSpareServers 1 -MaxSpareServers 1 +MinSpareServers 3 +MaxSpareServers 10 @@ -148 +148 @@ -StartServers 1 +StartServers 5 @@ -157 +157 @@ -MaxClients 150 +MaxClients 100 @@ -401 +401 @@ -ServerAdmin root@localhost +ServerAdmin webdocs@echte-domain.gr @@ -415 +415 @@ -#ServerName server@instronics.gr +ServerName www.echte-domain.gr @@ -485 +485 @@ -UserDir public_html +#UserDir public_html @@ -646 +646 @@ -ServerSignature On +ServerSignature Off @@ -665,11 +664,0 @@ -Alias /hilfe/ /usr/doc/susehilf/ -Alias /doc/ /usr/doc/ -Alias /cgi-bin-sdb/ /usr/local/httpd/cgi-bin/ -Alias /sdb/ /usr/doc/sdb/ -Alias /manual/ /usr/doc/packages/apache/manual/ - - - Options FollowSymLinks - AllowOverride None - - @@ -697,9 +685,0 @@ -# cgi-bin for SuSE help system -# using SetHandler - - -AllowOverride None -Options +ExecCGI -Includes -SetHandler cgi-script - - @@ -981,4 +961,4 @@ -# -# Deny from all -# ErrorDocument 403 http://phf.apache.org/phf_abuse_log.cgi -# + + Deny from all + ErrorDocument 403 http://phf.apache.org/phf_abuse_log.cgi + The activation of SSL and the generation of the certificate is described in the file /usr/doc/packages/apache/README.SuSE. Each of the administrators should have an own user account, since it would be impossible to know who did what when working under the root identity. Besides, the incorrect entry of a command under root can effect the whole system. Therefore, operations with high levels of authority should only be done when really necessary. A direct root login over the net has already been made impossible as a result of the modifications in the configuration made with the harden_suse script, and the administration itself can only be performed in an encrypted manner with SSH. The next thing that needs to be done is to configure sudo - a program which helps the administrators to do their job while at the same time keeping a record of the commands. This program also enables a detailed authorization structure, e.g. as user oracle, user A is entitled to restart the data base and view the system log files under root, but nothing else. A user is set up for each administrator with the help of the following line: erde# adduser -m -g trusted username Inclusion in the group "trusted" is essential, since due to security criteria determined by harden_suse, sudo may only be used by a trusted group. Subsequently the administrator is admitted to sudo by means of the visudo program. The following line which allows the administrator to do whatever he wishes is added in the editor username ALL=(ALL) ALL "man 5 sudoers" defines a host of settings with which the authorizations can be restricted. Of course it is important that the administrators use sudo and do not shift to the root identity with "su root"; for this reason, the root password should be disclosed to as few people as possible. Log data are very important. All important log messages from the web server and the router should be sent to a central log host from where the status of the computers can be monitored. In this way it will be difficult for an attacker to hide his trail. Additionally, it is a good idea to integrate the secure linux kernel patch by Solar Designer [13]. This makes it difficult for the attacker to exploit buffer overflows in programs. The system can be stripped of further privileged suid and sgid programs. This is simply done by entering programs which are not supposed to have these privileges any longer in /etc/permissions.local and subsequently removing the authorizations manually or starting SuSEconfig. This can be done until no more sgid programs and only the following suid programs are left: -rwsr-xr-x 1 root shadow 27920 Mar 11 11:50 /usr/bin/passwd -rwsr-x--- 1 root trusted 56600 Mar 11 18:41 /usr/bin/sudo -rwsr-xr-x 1 root root 6132 Mar 11 09:36 /usr/lib/pt_chown If the system has several partitions, the security level can be increased considerably by using the mount options ro (read only), nodev (no devices), nosuid (no privileged suid files) and noexec (no executable files). Besides, the ext2 file system flags "append-only" and "imutable" (by means of the chattr command) can be used for defining the kernel capabilities in order to protect log or boot files etc. from changes. If the server also needs to be protected from local attacks, the LILO boot loader must be equipped with a password. This is achieved by entering the following at the top of the file /etc/lilo.conf: password=something_difficult_to_guess restricted Updates A system which is not updated with the latest security patches will quickly become a target for attackers. Having done everything that is necessary to set up a secure system, the CGI scripts pose the greatest danger. The majority of successful attacks take place by means of these scripts. A word of advice: Limit your use of CGI scripts to those which have already been publicly available and in use for some time. In case the administrators themselves write scripts, they should have these checked regularly by someone for security issues. A web server which is both very secure and usable - something generally regarded to be contradictive - can be set up within less than 45 minutes. Much could be done to increase the level of security even more, but this system should be sufficient for most purposes. For the sudo, AIDE, and proftpd packages please rtfm on how to use and configure them. I know that my english is not very good, so forgive any typos, and any lines that make no sense, as this is my first tutorial ever. I want to point out special thanks to MR. Marc Heuse for his help on the information provided here. Without him, i would not have learned as much about linux security as i do now. Also special thanks goto the entire SuSE team ( www.suse.de ) I hope this tutorial gives you a brief introduction on how to setup a secure webserver using SuSE Linux 7.3 kernel 2.4.19 Good luck on setting up your own apache By HakimKT Kuwait
-----Original Message----- From: Flavius Porumb [mailto:flavius.porumb@gtstelecom.ro] Sent: 13 July 2004 08:39 To: suse-security@suse.com Subject: [suse-security] SuSE webserver
hello,
I found something that may interest some of you,
good luck,
flavius
Security (Beginner): Secure Installation of Apache Web Server Posted by hakimkt Tuesday, September 02, 2003 - 08:11 PM CEST
Fantastic HOWTO, well done HakimKT (whoever you are), and thanks to Flavius for posting it. So, what are the problems with this approach? I haven't seen anything absolutely terrible, but I'm no guru... * I wouldn't install any ftp server at all, as I just don't go for ftp and I'm lucky in that my users don't generally need it... * Portmap is installed by default (on SLES), so I remove it. Tom.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I don't see the need for 7 partitions, if you use journaling. For /tmp, use a tmpfs: none on /tmp type tmpfs (rw,size=2G,nr_inodes=200k,mode=01777) I use a 2G tmpfs with a 2G swap and 768M physical ram. I'm a gentoo user, and even compile stuff on this (it helps by anywhere from 0-10%), so it should be appropriate for your uses :) This leaves: / /var /home /usr /usr/local /etc I've never seen the /sbin/init.d thing, but I'm wary of separate /etc. /usr and /usr/local I'd think could be the same; if you break the system, you have to do a full reinstall anyway to rewrite the binaries, even though you could keep your configuration. I'm just being skeptic above, of course. :) Tom Knight wrote: |>-----Original Message----- |>From: Flavius Porumb [mailto:flavius.porumb@gtstelecom.ro] |>Sent: 13 July 2004 08:39 |>To: suse-security@suse.com |>Subject: [suse-security] SuSE webserver |> |>hello, |> |>I found something that may interest some of you, |> |>good luck, |> |>flavius |> |> Security (Beginner): Secure Installation of Apache Web Server |> Posted by hakimkt Tuesday, September 02, 2003 - 08:11 PM CEST | | | Fantastic HOWTO, well done HakimKT (whoever you are), and thanks to Flavius | for posting it. | | So, what are the problems with this approach? | I haven't seen anything absolutely terrible, but I'm no guru... | | * I wouldn't install any ftp server at all, as I just don't go for ftp and | I'm lucky in that my users don't generally need it... | * Portmap is installed by default (on SLES), so I remove it. | | Tom. | | -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFA9D0xhDd4aOud5P8RAr4OAKCM2doyJC3+GpLOEpbiwNZGAPCnugCfUWmx DPxG5mHJL2DyW9omvd2Hy6g= =y9SW -----END PGP SIGNATURE-----
John Richard Moser wrote: > I don't see the need for 7 partitions, if you use journaling. The reason for using several partitions is not that they can be checked faster. This is done for increased security through special mount options and to prevent local DoS attacks. But read on. > For /tmp, use a tmpfs: [...] > I use a 2G tmpfs with a 2G swap and 768M physical ram. Which will make it easy to overload your machine if you don't use quotas + a specifically hardened kernel. A local attacker can fill up your 2GB of /tmp, which means your RAM is full and 1.5GB of swap in use. This is going to be _really_ bad for your perfomance (=DoS). This is no concern for your dev-box at home, but for a webserver this is can be a serious issue. > /usr and /usr/local I'd think could be the same; if you break the > system, you have to do a full reinstall anyway to rewrite the binaries > even though you could keep your configuration. I think the point behind putting /usr/local/ on a seperate partition is that you can mount /usr as read only (maybe even mount it from a remote host if you have many boxes!). As most files are located there, yet they hardly ever need to be changed, this is a good idea. Stuff that is specific for this box can then be placed in /usr/local. In addition to using several partitions, /etc, /var, /home and /tmp should be mounted with "nodev" and "nosuid" options. /usr/local should at least have the "nodev" option set nordi
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 nordi wrote: | John Richard Moser wrote: | > I don't see the need for 7 partitions, if you use journaling. | The reason for using several partitions is not that they can be checked | faster. This is done for increased security through special mount | options and to prevent local DoS attacks. But read on. | | > For /tmp, use a tmpfs: | [...] | > I use a 2G tmpfs with a 2G swap and 768M physical ram. | Which will make it easy to overload your machine if you don't use quotas | + a specifically hardened kernel. A local attacker can fill up your 2GB Ok local attacker loses his account and gets fired. Still no chance of lamers coming in from the web server. | of /tmp, which means your RAM is full and 1.5GB of swap in use. This is | going to be _really_ bad for your perfomance (=DoS). This is no concern | for your dev-box at home, but for a webserver this is can be a serious | issue. | | > /usr and /usr/local I'd think could be the same; if you break the | > system, you have to do a full reinstall anyway to rewrite the binaries | > even though you could keep your configuration. | | I think the point behind putting /usr/local/ on a seperate partition is | that you can mount /usr as read only (maybe even mount it from a remote | host if you have many boxes!). As most files are located there, yet they | hardly ever need to be changed, this is a good idea. Stuff that is | specific for this box can then be placed in /usr/local. Ahh, neat. | | In addition to using several partitions, /etc, /var, /home and /tmp | should be mounted with "nodev" and "nosuid" options. /usr/local should | at least have the "nodev" option set | Yeah, nice. | nordi | | Thanks for the clarification. I'm mostly into things like PaX and stack smash protection, proper coding, and a little access control. The whole nosuid-nodev thing I tend to overlook, as I'd expect SELinux or RSBAC to be used for that, or for mknod() or chmod()+s to just be denied to non-root users. I also use journaled filesystems (reiserfs), and think that a filesystem should be seen as 'clean' if it came down when there was nothing to be flushed to it and no files open. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFA9FazhDd4aOud5P8RAmUNAJ44/FLjqNQo/x8oyZqPHXYdZPMVCgCfY9cO 5wXKHrQapnWB6Rs/qYCF7SU= =lsOO -----END PGP SIGNATURE-----
John Richard Moser wrote:
| > For /tmp, use a tmpfs: | [...] | > I use a 2G tmpfs with a 2G swap and 768M physical ram. | Which will make it easy to overload your machine if you don't use quotas | + a specifically hardened kernel. A local attacker can fill up your 2GB
Ok local attacker loses his account and gets fired. Still no chance of lamers coming in from the web server.
Assume you have a file owned by root called /tmp/foo. Now user bob comes and does "ln /tmp/foo /tmp/bar". Then the hardlink /tmp/bar will be owned by root and you will _never_ know who did it unless you do syscall loggin (which I doubt). Keep creating hardlinks until /tmp runs out of space or out of inodes. Ext2/3 allow ~65000 hardlinks per file, ReiserFS allows ~2billion, so flooding /tmp isn't a problem. Quotas don't help either since the attacker doesn't own the file. The only thing that helps are special hardening patches (OpenWall, GRSec) or special permission patches (SELinux, RSBAC), but not everybody uses them. This attack can be truly annoying since it fills up /tmp and may keep Apache from working. But with your setup (/tmp on tmpfs) it will bring the server to a grinding halt where you can't even login remotely to fix the server (assuming you don't have physical access). nordi
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 nordi wrote: | John Richard Moser wrote: | |> | > For /tmp, use a tmpfs: |> | [...] |> | > I use a 2G tmpfs with a 2G swap and 768M physical ram. |> | Which will make it easy to overload your machine if you don't use |> quotas |> | + a specifically hardened kernel. A local attacker can fill up your 2GB |> |> Ok local attacker loses his account and gets fired. Still no chance of |> lamers coming in from the web server. | | | Assume you have a file owned by root called /tmp/foo. Now user bob comes | and does "ln /tmp/foo /tmp/bar". Then the hardlink /tmp/bar will be | owned by root and you will _never_ know who did it unless you do syscall | loggin (which I doubt). | So what are you doing running a server where local users are allowed to create hardlinks to root-owned files in /tmp anyway? ;) | Keep creating hardlinks until /tmp runs out of space or out of inodes. nr_inodes= is your friend. | Ext2/3 allow ~65000 hardlinks per file, ReiserFS allows ~2billion, so | flooding /tmp isn't a problem. Quotas don't help either since the | attacker doesn't own the file. The only thing that helps are special | hardening patches (OpenWall, GRSec) or special permission patches | (SELinux, RSBAC), but not everybody uses them. | | This attack can be truly annoying since it fills up /tmp and may keep | Apache from working. But with your setup (/tmp on tmpfs) it will bring | the server to a grinding halt where you can't even login remotely to fix | the server (assuming you don't have physical access). | | nordi | you raise interesting points. We should clip these issues off at the source. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFA9G6bhDd4aOud5P8RAqgyAJ9HCyIdzqUHIy4t9IQvjR3g5enz8gCfefZW UaiUha6ezKXWVBFIGwkK/p4= =LxXK -----END PGP SIGNATURE-----
Quoting John Richard Moser <nigelenki@comcast.net>:
| Keep creating hardlinks until /tmp runs out of space or out of inodes.
nr_inodes= is your friend.
| Ext2/3 allow ~65000 hardlinks per file, ReiserFS allows ~2billion, so | flooding /tmp isn't a problem. Quotas don't help either since the | attacker doesn't own the file. The only thing that helps are special | hardening patches (OpenWall, GRSec) or special permission patches | (SELinux, RSBAC), but not everybody uses them. | | This attack can be truly annoying since it fills up /tmp and may keep | Apache from working. But with your setup (/tmp on tmpfs) it will bring | the server to a grinding halt where you can't even login remotely to fix | the server (assuming you don't have physical access). | | nordi |
you raise interesting points. We should clip these issues off at the source.
While this discussion of how to flood /tmp is interesting, it's also rather silly. Does anyone really allow any critical services to get anywhere near /tmp these days? The idea of a single area where everything writes to probably sounded great twenty years ago, but these days, each critical service gets own sandbox to play in and never the twain shall meet. If someone were to somehow overflow /tmp on any of my servers, the only impact would be a note in the syslog... Using /tmp for anything that matters is just asking for trouble... PS: Mounting /usr read-only would be fine if you only managed one or two servers. When you manage two dozen, it quickly becomes too much of a pain in the ass when you have security patches for those read-only files. Mount /usr remotely on all of them from a single source and patching that is a great theory until you realize that a single problem can wipe out your whole machine room...
On Tuesday 13 July 2004 08:23 pm, suse@rio.vg wrote:
PS: Mounting /usr read-only would be fine if you only managed one or two servers. When you manage two dozen, it quickly becomes too much of a pain in the ass when you have security patches for those read-only files. Mount /usr remotely on all of them from a single source and patching that is a great theory until you realize that a single problem can wipe out your whole machine room...
Not if you mount your remote /use directly on top of an existing /usr. If you lose your remote, the worst that happens is you fall back to a slightly older local copy. -- _____________________________________ John Andersen
Quoting John Andersen <jsa@pen.homeip.net>:
On Tuesday 13 July 2004 08:23 pm, suse@rio.vg wrote:
PS: Mounting /usr read-only would be fine if you only managed one or two servers. When you manage two dozen, it quickly becomes too much of a pain in the ass when you have security patches for those read-only files. Mount /usr remotely on all of them from a single source and patching that is a great theory until you realize that a single problem can wipe out your whole machine room...
Not if you mount your remote /use directly on top of an existing /usr. If you lose your remote, the worst that happens is you fall back to a slightly older local copy.
Unless there has been some significant changes to NFS since last I looked at this, the machine in question will lock up on I/O when it can no longer access the server...
suse@rio.vg wrote:
Quoting John Richard Moser <nigelenki@comcast.net>:
| Keep creating hardlinks until /tmp runs out of space or out of inodes.
nr_inodes= is your friend.
| Ext2/3 allow ~65000 hardlinks per file, ReiserFS allows ~2billion, so | flooding /tmp isn't a problem. Quotas don't help either since the | attacker doesn't own the file. The only thing that helps are special | hardening patches (OpenWall, GRSec) or special permission patches | (SELinux, RSBAC), but not everybody uses them. | | This attack can be truly annoying since it fills up /tmp and may keep | Apache from working. But with your setup (/tmp on tmpfs) it will bring | the server to a grinding halt where you can't even login remotely to fix | the server (assuming you don't have physical access). | | nordi |
you raise interesting points. We should clip these issues off at the source.
While this discussion of how to flood /tmp is interesting, it's also rather silly. Does anyone really allow any critical services to get anywhere near /tmp these days? The idea of a single area where everything writes to probably sounded great twenty years ago, but these days, each critical service gets own sandbox to play in and never the twain shall meet. If someone were to somehow overflow /tmp on any of my servers, the only impact would be a note in the syslog...
Using /tmp for anything that matters is just asking for trouble...
PS: Mounting /usr read-only would be fine if you only managed one or two servers. When you manage two dozen, it quickly becomes too much of a pain in the ass when you have security patches for those read-only files. Mount /usr remotely on all of them from a single source and patching that is a great theory until you realize that a single problem can wipe out your whole machine room...
How to prevent flushing /tmp? What can be done to secure a system and prevent unwanted actions to be done? 1) Secure /tmp in /etc/fstab, e.g. /tmp = hda6: /dev/hda6 /tmp ext2 rw,nosuid,nodev,noexec 1 2 other sources: http://www.webhostgear.com/34.html This doesn't prevent /tmp from beeing flushed, but secures it a littlebit. 2) Limit users rights: man limits.conf This even doesn't prevent /tmp beeing flushed, but limits users right, if shellaccess is needed. 3) Set shell to /bin/false for FTP only users /etc/passwd userxy [...] /bin/false This prevents from logging in and doing funny tings. Normally a webserver account only needs ftp access or secure with ssl enhanced ftp. FTP-Server with ssl enhancement: http://sourceforge.net/projects/wzdftpd/ http://sourceforge.net/projects/indiftpd/ Or install secure bash without shell, e.g.: http://www.air.rzeszow.pl/bash-2.05b-secure/ 4) Use secumod to prevent creation of sym- and hardlinks. There are other kernelpatches/-modules out there doing the same. This prevents /tmp to be flushed with symlinks. 5) Further protection: set quota for tmp (this is no symlink protection, but limits user's space on tmp) 6) Run daily scripts as cron-job for /tmp or run logout-scripts. Examples should be found with google: http://www.cs.arizona.edu/computer.help/policy/DIGITAL_unix/AA-PS2HD-TET1_ht... Maybe you change attributes of the fs (chattr/capbits ...) so the unwanted action cannot be done. This attribute you don't see with ls command. lsattr lists the attributes set. Example for chattr: http://www.theparallax.org/security/linux/chattr.html (only in german - damn) Be careful with this, because this settings even are set for root (e.g. to disallow root to do things). It is even possible to lockout root and give rights compareable to "root" to different users. This makes problems administrating systems and running services, depending on how far you go. 7) If you program your own php-scripts for your webserver look for secure programmingstyle and secure your php.ini. 8) On the webserverside disable "follow symlinks" option (this may lead to other security-issues). No system can be made 100% secure, but this helps making it a little bit more difficult for malicious people to alter your system. Philippe
Philippe Vogel wrote:
/dev/hda6 /tmp ext2 rw,nosuid,nodev,noexec 1 2
Mounting /tmp as "noexec" could break stuff. Although I agree that nobody should run _any_ programs from /tmp, I have seen 2 programs that do expect stuff in /tmp to be executable.
4) Use secumod to prevent creation of sym- and hardlinks. There are other kernelpatches/-modules out there doing the same.
You should definitely NOT use secumod for that. I once tried it out and it crashed as soon as I got some heavy disk I/O. When I reported this to SuSE they said "Hm, we do not support this module anymore... the code is totally broken." which says everything. nordi
Am Mittwoch, 14. Juli 2004 14:39 schrieb nordi:
> /dev/hda6 /tmp ext2 rw,nosuid,nodev,noexec 1 2
Mounting /tmp as "noexec" could break stuff. Although I agree that nobody should run _any_ programs from /tmp, I have seen 2 programs that do expect stuff in /tmp to be executable.
Note that "noexec" does _not_ increase security as it can be easily circumvented with /lib/ld-linux.so /tmp/foo . Cheers, Stefan --
Okay, FTP server of choice - Hakim's document mentions using proftpD. Is this really more secure than all the mainstrain alternatives? I've gone (where possible) for RPMs maintained by SuSE, and proftp isn't one of them. On SLES, the choice appears to be: ?pure-ftpd?1.0.12 ?Lightweight, fast and secure FTP server ?vsftpd ?1.1.0 ?A Very Secure FTP Daemon - written from scratch. Despite my earlier insistance that I never install an FTP daemon, I'm now finding that I have to in order to support one piece of software. It's either that or samba.... :-( Tom.
----- Original Message ----- From: "Tom Knight" <thomas.knight@ahds.ac.uk> To: <suse-security@suse.com> Sent: Wednesday, July 14, 2004 1:12 PM Subject: RE: [suse-security] SuSE webserver
Okay, FTP server of choice - Hakim's document mentions using proftpD. Is this really more secure than all the mainstrain alternatives? I've gone (where possible) for RPMs maintained by SuSE, and proftp isn't one of them. On SLES, the choice appears to be: ?pure-ftpd?1.0.12 ?Lightweight, fast and secure FTP server ?vsftpd ?1.1.0 ?A Very Secure FTP Daemon - written from scratch.
Despite my earlier insistance that I never install an FTP daemon, I'm now finding that I have to in order to support one piece of software. It's either that or samba.... :-(
Tom.
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
Another alternative is vsftp which is presented below: http://www.zdnet.co.uk/print/?TYPE=story&AT=2129119-39020445t-20000012c Use VSFTP for a secure FTP server Scott Lowe MCSE TechRepublic January 22, 2003, 10:37 BST Use VSFTP for a secure FTP server File Transfer Protocol (FTP) servers can be useful for providing files to customers and for exchanging files with partners and business associates. However, FTP can become the bane of existence for the admins who must keep these services secure and operational. Poorly secured FTP services can often result in a successful attack on a server. That's where VSFTP comes in. VSFTP is a secure, stable, and fast FTP server. It can greatly decrease the chances of an attacker gaining access to a server via FTP exploits. Want evidence? The Red Hat, OpenBSD, and SuSE FTP sites all have one thing in common: They all run on VSFTP. Even SANS recommends VSFTP as the preferred FTP daemon because of its tight security. VSFTP basics VSFTP is an FTP server daemon that runs on Linux/UNIX operating systems. Its primary features are security, performance, and stability. VSFTP includes a number of additional attractive features, including: a small system footprint, the ability to handle virtual users, the choice of operating in a standalone configuration or via the inetd daemon, and bandwidth throttling for more site control. As of this writing, the current version is 1.13, although version 1.2 is a release candidate and may very well be available by the time this article is published. Version 1.13 is a 117-KB archived download. For this demonstration, I am using VSFTP 1.13 on a Red Hat 8.0 server with version 2.4.18-14 of the kernel. Installation Installing VSFTP is much like installing any other application under Linux. To expand the downloaded archive, switch to the directory in which you saved it and type: gunzip -dc vsftpd-1.1.3.tar.gz | tar xvf - This will create a directory named vsftpd-1.1.3 and put all of the files into it. Switch to that directory by typing cd vsftpd-1.1.3 at the prompt. In this example, I am using a standard configuration, which begins by typing make at the command prompt. If you want to make changes to the configuration, you can edit the builddefs.h file in the distribution before compiling with the make command. If the compilation process is successful, a binary file named vasftpd will be placed into this directory. In my testing, the compilation went quickly and was free of errors. Adding users VSFTP uses the Linux/UNIX "nobody" user as a part of the default configuration. On most Linux/UNIX operating systems, this user exists by default, but if it doesn't exist on your system(s), you'll need to add it. On my system, I get the following results when I try to add it (which indicates that the user already exists): [root@rh8lab VSFTP d-1.1.3]# /usr/sbin/useradd nobody useradd: user nobody exists In addition, you need to create an FTP user if you want to support anonymous FTP. If you plan to always authenticate the incoming user, you don't have to do this. However, to preserve the security of VSFTP, the anonymous user's home directory must not be owned by the FTP user, and the user should not have any permissions for it. You can use the commands in Table A to accomplish this. Table A mkdir /var/ftp/ Creates a directory named /var/ftp. /usr/sbin/useradd -d /var/ftp ftp Creates a user named "ftp" with the home directory /var/ftp. On many systems, this user will already exist. chown root.root /var/ftp Changes ownership of the /var/ftp directory to the root user. chmod og-w /var/ftp Removes the write permission from others and groups. Creating the FTP user and setting appropriate permissions Next, make sure that the directory /usr/share/empty exists. If not, create it with the mkdir command. Finally, you need to install the executable file, help pages, and so forth, that were previously created during the build process. To do this, change to the directory in which you built vsftpd and type make install. This installs everything you need to begin using VSFTPD except a configuration file. You can copy a sample configuration file to the /etc directory by typing cp vsftpd.conf /etc. Page 2 Standalone If you want to run VSFTP in standalone mode, all you need to do is add a single line to the end of the /etc/vsftpd.conf file that reads "listen=YES" and then execute /usr/local/sbin/vsftpd &. The & tells the program to continue to run but bring you back to a command prompt. Assuming you get no error messages, you can now connect to the FTP server as an anonymous user and get directory listings, transfer files, etc. Using xinetd Since I'm doing my testing and demonstration on a Red Hat 8 system (which uses xinetd), I will be focusing on the xinetd installation process. inetd If you are running an inetd machine, you can use the installation instructions included with VSFTP for details on how to set up your server. Everything should work if you add the lineftp stream tcp nowait root /usr/local/sbin/vsftpd to /etc/inetd.d and then restart the inetd daemon either via a reboot or kill -SIGHUP {pid of inetd}.Be sure that this is the only "ftp" line in the file. If you are running on an xinetd machine, a configuration file resides in /etc/xinetd.d named vsftpd. If you can't find this file at that location, you can copy it from the vsftpd.conf example that comes with the VSFTP distribution. When editing this file, you'll see a number of parameters underneath "service ftp" that dictate how the VSFTP server will function. Table B lists these parameters, their defaults, and what they mean. Table B socket_type stream This is the type of TCP socket to use for this protocol. FTP is a TCP stream. wait no This is associated with the ability for the socket to accept messages. user root What user should be used to launch this service? Note that VSFTP reduces privileges as soon as possible after starting. server /usr/local/sbin/vsftpd This is the location of the server program associated with this configuration file. If you have vsftpd in a different location, you should change this value. nice 10 This option modifies the default scheduling priority for the process. 10 is the default with the range being 20 (highest) to 19 (lowest). disable no The service is not disabled. In other words, it should be started when xinetd starts up. per_source No default This specifies the number of concurrent connections allowed from the same IP address. It's useful for limiting the number of connections from a single site. instances No default This limits the maximum number of concurrent FTP connections to the server. It's useful for limiting server load. no_access No default This is a list of IP addresses that are not allowed to access this service. I will be using the default configuration file and restart xinetd on my Red Hat server by typing /etc/rc.d/init.d/xinetd restart at the command prompt. Note that if you previously configured VSFTP in standalone mode, you need to remove the line "listen=YES" from /etc/vsftpd.conf. If you don't, xinetd will restart, but the vsftpd service will not work. I made that mistake the first time I configured VSFTP. Once this is done, you should be able to connect to the VSFTP server as an anonymous user and get directory listings, download files, etc. Enabling controlled access Setting up an FTP server to distribute software to anyone who connects can be useful in many cases, but you may want to control access to the FTP resources. For example, suppose you want to set up a site just for your customers. You can do this with VSFTP by making use of PAM. My Red Hat server uses PAM for authentication, as do most Red Hat machines. To determine whether your distribution uses PAM, look for a filename pam.conf or for a directory named pam.d. Since my Red Hat server uses the pam.d directory for its PAM information, I will be demonstrating that installation method only. VSFTP comes with a sample PAM configuration located in the Red Hat subdirectory of the distribution. This file needs to be renamed and copied to the pam.d directory, which you can do with the command: cp vsftpd.pam /etc/pam.d/ftp Next, you need to change the VSFTP configuration to allow local user logins. To do this, edit the file /etc/vsftpd.conf and uncomment the line "local_enable=YES". Now, when you attempt to connect to the server as a Linux/UNIX user, you will be placed in that user's home directory. Listing A shows the results of my demonstration. As you can see, a directory listing was provided after I logged into the VSFTP server. Summary VSFTP powers many of the largest sites in the open source world, including the security-conscious Open BSD project and Red Hat Linux. With its small footprint, ability to handle large loads, security, and flexibility, it makes an ideal FTP server for any organisation that wants file transfer capability but not the major security headaches that typically come with it.
On Wednesday 14 July 2004 02:12 am, Tom Knight wrote:
Okay, FTP server of choice - Hakim's document mentions using proftpD. Is this really more secure than all the mainstrain alternatives? I've gone (where possible) for RPMs maintained by SuSE, and proftp isn't one of them. On SLES, the choice appears to be: ?pure-ftpd?1.0.12 ?Lightweight, fast and secure FTP server ?vsftpd ?1.1.0 ?A Very Secure FTP Daemon - written from scratch.
You'd be better off with Samba, IMHO. But as far as ProFTPD there were a couple of security flaw in a row and that was enough to freak SuSE, and it stopped being offered after 8.2. Pure-FPTd is offered, (and it just had a security flaw, so no doubt SuSE will bolt from that one too ;-) Profptd's big advantage is flexibility of configurations, with a syntax for setting directories and permissions similar to a web server, it makes offering disjoint portions of the file system easier. I like it, I use it, but on my 9.x machines I'm going with what SuSE offers, just because security issues are taken care of in one place. -- _____________________________________ John Andersen
participants (8)
-
Flavius Porumb -
John Andersen -
John Richard Moser -
nordi -
Philippe Vogel -
Stefan Fritsch -
suse@rio.vg -
Tom Knight