Ask Slashdot: Security Digests For the Home Network Admin?
New submitter halcyon1234 writes "I'm currently cutting the webhost cord, and setting up a simple webserver at home to host a couple hobby websites and a blog. The usual LAMP stuff. I have just enough knowledge to be dangerous; I know how to get everything set up and get it up to date, but not enough to be sure I'm not overlooking common, simple security configurations. And then there's the issue of new vulnerabilities being found that I'm not even aware of. The last thing I want is to contribute to someone's botnet or spam relay. What readings/subscriptions would you recommend for security discussions/heads up? Obviously I already read (too much) Slashdot daily, which I credit for hearing about some major security issues. Are there any RSS feeds or mailing lists you rely on for keeping up to date on security issues?"
When you're done with your setup, post a story on Slashdot linking to your website; that's a fairly good stress test.
Bonus points if you add something like "My awesomely new bulletproof website!". That should kick off the reliability test engines from /.
http://www.securityfocus.com/
The same sources as those you use when you do this professionally. Not much of a choice there really.
Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
Most ISPs do NOT allow this kind of stuff. While it might fly under the radar, there is always the possibility they will shut off your access. Besides, with a dynamic IP any change to it will take your website offline until DNS catches up. Hosting is cheap, I don't see why you'd want to cancel it unless it's hurting the bank.
You may (or may not) know to do these things:
Only allow SSH pubkey access for maintenance. Turn off remote passwords altogether in sshd_config.
Move SSH to some non-standard port (away from 22). Just makes it harder for outsiders to find the port.
Run something like denyhosts to kick off people trying to brute-force passwords on your server and to log their activity.
Consider only allowing SSL (port 443) access to the webserver and close down all other ports in iptables.
Just a few things (which may be obvious) to get you started.
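An added check (not from the thread) that audits an sshd_config for the settings the list above recommends: key-only access, no remote root, and a non-default port. It reads a file rather than a live host, so it can be tried on the constructed samples embedded below; it does not evaluate Match blocks.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the SSH items in the list above.
# Only top-level directives are considered (Match blocks are not parsed).

# Effective value of a keyword: first non-comment match wins, as in sshd.
sshd_value() {
    # $1 = config file, $2 = keyword (case-insensitive, like sshd)
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { print $2; exit }' "$1"
}

# Print one line per finding; the return value is the number of findings.
audit_sshd_config() {
    cfg=$1; findings=0
    [ "$(sshd_value "$cfg" PasswordAuthentication)" = "no" ] \
        || { echo "FAIL: PasswordAuthentication is not no"; findings=$((findings + 1)); }
    # keyboard-interactive (PAM) can still prompt for a password unless this is off
    [ "$(sshd_value "$cfg" ChallengeResponseAuthentication)" = "no" ] \
        || { echo "FAIL: ChallengeResponseAuthentication is not no"; findings=$((findings + 1)); }
    [ "$(sshd_value "$cfg" PubkeyAuthentication)" != "no" ] \
        || { echo "FAIL: PubkeyAuthentication is disabled"; findings=$((findings + 1)); }
    [ "$(sshd_value "$cfg" PermitRootLogin)" = "no" ] \
        || { echo "FAIL: PermitRootLogin is not no"; findings=$((findings + 1)); }
    port=$(sshd_value "$cfg" Port)
    [ -n "$port" ] && [ "$port" != "22" ] \
        || { echo "WARN: sshd on port 22 (obscurity only, but it cuts log noise)"; findings=$((findings + 1)); }
    return "$findings"
}

# Constructed sample configs so the audit can be run offline.
weak_cfg=$(mktemp); hard_cfg=$(mktemp)
cat > "$weak_cfg" <<'EOF'
# constructed: looks like a stock sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$hard_cfg" <<'EOF'
# constructed: hardened as the list above suggests
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF
n=0; audit_sshd_config "$weak_cfg" || n=$?; echo "weak config: $n finding(s)"
n=0; audit_sshd_config "$hard_cfg" || n=$?; echo "hardened config: $n finding(s)"
```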
You said LAMP--well, most L distros have a security list you can subscribe to to keep up-to-date on this sort of thing. Also, Linux Weekly News (lwn.net) regularly posts security announcements from most major distros.
I am running a LAMP server (only the LA part active) with a few Web pages on my obsolete home desktop, with a slow ADSL connection. I don't have anything of serious value on the machine, so presumably an attacker would only benefit by using me as a bot. The system logs show regular access by the indexing services: Google, Yahoo, ... and lots of what looks like simple-minded dictionary attacks, and some probes for SQL/PHP features that are not available. None of the login attacks appears to have found my user name, much less hit the password. I use a long password, generated by a random generator. That seems to be enough.
There is some chance that I am owned by someone I can't detect. But I never notice much activity on the CPU nor on the network, and my ISP doesn't complain that any bad behavior comes from my connection. If I suspected a problem, I would power off while considering my response.
I have tripwire installed, but every time I try to check it I get confused by the pass-phrase management and put it off.
Mike O'Donnell http://people.cs.uchicago.edu/~odonnell/
I used to do this and stopped because there are so many attempts on a domain it seemed to slow down my internet connection. This was a long time ago, and it is possible there were some strategies I could have used with my router, but generally, it was pretty disruptive even though no actual breach occurred.
Of course, that doesn't mean you shouldn't try. Good luck!
Where's the MyCleanPC guy when you need him?
CERT?
Can check http://www.us-cert.gov/current/ daily or get it in an RSS feed.
There is also a mailing list.
Forget running it at home, get an Amazon AWS Micro site; it's free and the default config is as secure as possible. IPTABLES is easy to configure via the AWS web gui or you can manually create better rules once on the system. AMZN keeps track of updates, you just have to remember to ssh in every once in a while.
some sites:
http://www.securitywizardry.com/radar.htm
(a little heavy on the java)
https://isc.sans.edu/
You could subscribe to the CERT messages, but they kinda lag. There are some good security-related mail lists which I can't remember at the moment...
Check available updates for packages and kernel...
Look at mod_security for apache
If you're running wordpress or some other CRM app, be careful on how much you rely on third party packages
If you have phpadmin or webadmin installed, you may want to limit what IPs have access to it.
If you're running sshd, you may want to block brute-force attempts after a certain number of bad tries. You should probably just use certificate-based authentication instead of passwords.
The best place to start is here
http://www.us-cert.gov/cas/signup.html
then onto the security announce list of whatever distro you use.
Those two alone will probably give you enough information to keep your system safe
Normal people worry me!
First: The only way to connect to your system is over a logical port. So, learn netfilter / IPtables and shut down all ports you don't need. The book "Running Linux" by Dalheimer and Welsh has a pretty good section on netfilter / IPtables. My recommendation - just leave port 22 and 80 (maybe 443 if you're having people log into your web application remotely). Default policy is drop packets unless it matches one of those ports.
Second: Turn off remote root login, typically found in sshd_config. This'll stop much of the probing.
Third: You don't want to allow someone to relentlessly try passwords. Get a program like Fail2ban. This will allow a certain number of login attempts before it bans the IP, just dropping the packets and not letting the password authentication module test them.
Fourth: Strong username/password combinations. The attacker has to guess the correct combination. Get jiggy with it. Unusual username and unusual passphrase password. Especially for the root user.
Fifth: Stop having Apache broadcast all of its version information. When someone is looking at response headers, they should see just that it's Apache and not Apache version XYZ. Apache loads several config files and reads them as one long config file (they're broken up for easier management). There's a setting in Apache to do that.
Sixth: In Apache's config files, turn off directory listings. Again, a simple configuration text file setting which eludes me at the moment. Apache The Definitive Guide by Laurie and Laurie is a good book to have. This info is also available on the web.
Seventh: Read your log files regularly. auth.log, error.log are very informative ones. Doing a lastlog command on a regular basis helps.
Finally - What is security?
1) You don't want people writing to where they shouldn't be writing.
2) You don't want people reading what they shouldn't be reading.
3) You don't want people executing what they shouldn't be executing.
Set up permissions well. Don't change them willy-nilly but if reading/writing most stuff on your box requires being part of the root group, that's pretty good security.
Finally, finally - keep reading various technical sites on the web for new security problems. Address as necessary.
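The "First" step above, as an added example that is not the poster's own: a script that emits a default-drop INPUT ruleset in iptables-restore(8) format for whichever TCP ports you pass it. It also adds the loopback and conntrack rules a default-drop policy needs (without the ESTABLISHED,RELATED rule, replies to the box's own outbound connections, such as package updates, are dropped). IPv4 only; ip6tables needs its own ruleset.

```shell
#!/bin/sh
# Added example: generate a default-drop IPv4 INPUT chain for the ports
# given as arguments, in iptables-restore format. Review the output, then
# load it with: iptables-restore < rules.v4

gen_input_rules() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'          # default policy: drop anything not listed
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'   # loopback: PHP talking to MySQL on the same box
    # Replies to connections this host started (apt, DNS, NTP, ...) would
    # otherwise be dropped by the INPUT policy.
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    echo '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT'
    for port in "$@"; do
        case $port in
            *[!0-9]*|'') echo "gen_input_rules: bad port '$port'" >&2; return 1 ;;
        esac
        echo "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

# The recommendation above: SSH, HTTP and HTTPS only.
gen_input_rules 22 80 443
```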
On a publicly visible web server, set the directive for the default web site (the first one in the virtual host list) to default deny to everyone. Then put your web site on a different virtual host. 99.9% of the scans I see come in by IP address, which gets them the default site. Any legitimate traffic will come in by domain name. This setup not only denies the script kiddies access to any PHP forms you've got, it convinces their 'bots to give up very quickly, which means less of a toll on your bandwidth.
(As someone noted, the standard consumer highspeed account prohibits running servers. Many commercial accounts do, too, unless you told them you're running a server of some kind. You may also have to get them to unblock port 25 if you want to run your own mail server - be very careful if you do that, though. You don't want to be a spamfest rathole without knowing it.)
Your distro will have a regular patch channel that will address most vendor-introduced vulnerabilities. Patch religiously, and often. At least once per week. It's not like you're responsible for SLA's or regression testing. If you somehow uncover a bug when you patch, muscle through it, and keep going.
Use a firewall and only expose necessary ports. Protect the ports with strong authentication, encryption where applicable, and possibly a reactive blocker such as fail2ban to keep the script kiddies at bay. If you must run an external SSH server, run it as a separate process, and only allow key auth, and only for a single user.
Get on whatever mailing lists or errata lists support your distro and apps, and try and keep up with them. If your apps are maintained as source, try and use the repos to update your apps instead of just relying on standard stable packages. You'll get bug fixes faster (probably bugs as well. See above)
Use something like logwatch and read the daily mails.
Also use something like rkhunter to alert you in case something changes.
-- lk t lv ll th vwls t f wrds. T svs lts f tm t wrt bt ts pn n th ss t rd nd mks m lk lk cmplt dpsht.
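An added example (not from any of the posters) tying together the Apache points raised above: the "Fifth" and "Sixth" steps (hide the version string, disable directory listings) and the default-deny first virtual host for scans that arrive by bare IP. It emits an Apache 2.4 fragment (`Require all denied` is 2.4 syntax) and audits a config file for those settings; the paths and example.com are placeholders.

```shell
#!/bin/sh
# Added example: Apache 2.4 hardening fragment plus a small audit of a config file.

apache_hardening_conf() {
    cat <<'EOF'
ServerTokens Prod
ServerSignature Off
<Directory /var/www>
    Options -Indexes
</Directory>
# The first vhost answers requests that match no ServerName: scans by bare IP
# land here and get a 403, the real site is only reachable by name.
<VirtualHost *:80>
    ServerName catchall.invalid
    DocumentRoot /var/www/empty
    <Location />
        Require all denied
    </Location>
</VirtualHost>
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/example.com
</VirtualHost>
EOF
}

# Report missing hardening settings; the return value is how many are missing.
audit_apache_conf() {
    f=$1; missing=0
    grep -Eqi '^[[:space:]]*ServerTokens[[:space:]]+Prod' "$f" \
        || { echo "missing: ServerTokens Prod"; missing=$((missing + 1)); }
    grep -Eqi '^[[:space:]]*ServerSignature[[:space:]]+Off' "$f" \
        || { echo "missing: ServerSignature Off"; missing=$((missing + 1)); }
    grep -Eqi '^[[:space:]]*Options[[:space:]].*-Indexes' "$f" \
        || { echo "missing: Options -Indexes"; missing=$((missing + 1)); }
    # The first <VirtualHost> block must deny everything.
    awk '/<VirtualHost/ { n++ } n == 1 && /Require all denied/ { ok = 1 } END { exit !ok }' "$f" \
        || { echo "missing: default-deny first VirtualHost"; missing=$((missing + 1)); }
    return "$missing"
}

# Constructed sample: a typical default-looking config, for comparison.
weak_cfg=$(mktemp)
cat > "$weak_cfg" <<'EOF'
ServerTokens Full
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/example.com
</VirtualHost>
EOF
hard_cfg=$(mktemp); apache_hardening_conf > "$hard_cfg"
n=0; audit_apache_conf "$weak_cfg" || n=$?; echo "weak config: $n missing"
n=0; audit_apache_conf "$hard_cfg" || n=$?; echo "hardened config: $n missing"
```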
Don't forget to be sure your ISP does not block port 80, as mine does. So nice of them. There are ways around it, however.
I know Tenable has a free version of their Nessus scanner for home/research use, probably others do too. Download them and test them out and see what holes they find.
Slashdot was created to tell the world about the fabulous world of super efficient solar cells that never make it to market, not security silly bunny.
You should check a hacking/security book that covers your installed OS. In terms of knowing about any security issues, that is a little more complicated. Most Linux distributions are tied to a version freeze where they do not include new versions of packages; they only back-port security patches. For example, in Debian 6 (Squeeze) the latest (as of today) version of php5 is 5.3.3-7+squeeze13, which may give the impression that it is outdated (the latest in the 5.3 branch is php 5.3.14), but it has been patched with all known released security patches. The problem with that approach (which RedHat Enterprise and clones also do, btw) is that some security apps that check for vulnerabilities in packages may report false positives.
In short, you should trust the distribution you use, keep updated, and read both distribution site, and lwn.net for new vulnerabilities on a daily basis.
Also, the server is more about maintenance than installation. You need to keep an eye on resources, logged sessions, logs, the list of running processes, and updates.
It's called "staging".
F*ck comments. F*ck all the other interactive "web 2.0" sh*t. Do your Wordpress or whatever, then suck it out of the DB, convert to static HTML, and put it on the external webserver.
Problem (pretty much, well 99%) solved.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
My company supports about 700 Debian servers that are running at customer sites; as far as I can tell, not a single one of these has been compromised due to an unpatched security vulnerability in one of the Debian packages. Configure some kind of auto-update (e.g. cron-apt); Debian is by default configured to only install security updates and these are usually released within one or two days.
We did have a few servers that were compromised due to customer mistakes (unsafe root passwords especially) though. From what I've learned in these incidents, you can spot an infected machine by these symptoms:
In theory, a rootkit could be hidden really well, but in practice, the attackers just don't seem to care to adapt their rootkits specifically to the distros. An experienced Linux admin should have no problem detecting them.
Most ISPs offer business accounts that let you do whatever you want (to a degree).
SmallNetBuilder has some good articles: http://www.smallnetbuilder.com/security/security-howto For example, consider installing pfsense firewall in front of your DMZ. Also, if you run your OS on Ubuntu I recommend installing apticron, which will alert you to new patches. Stay fully patched.
Bugtraq and Full Disclosure mailing lists are a good read. Almost all new vulnerabilities are posted to one of these lists. In addition, many Linux distros post their security notices here (Ubuntu used to, but now only posts on their own list). The CERT list mentioned by previous commenters is also good, even if it can be a little slow at getting the news out. Microsoft, Apple and others report their security notices through this list.
"Every man has a right to his own opinion, but no man has a right to be wrong in his facts." - Bernard Baruch
Not if you already have a 50Tb file server cluster sitting at home. A bit of network traffic is nothing for electrical costs.
apt-get upgrade
Kept me running secure for 10 years +
also logwatch, tripwire for the paranoid...
Build a FNPP. I understand that the acronym is inferior, but I assure you that the actual end product is far far superior:
FreeBSD
Nginx
Postgresql
PHP
You are then going to want to get the box configured properly with the following:
geli encrypted root partition
ZFS Filesystem
geli encrypted swap
Nginx in its own jail
Postgresql in a separate jail and only listening on localhost
the only network access to the main system (outside the jail) is through openssh
have ssh use three factor authentication: 1. Password. 2. Google Authenticator. 3. Crypto Stick.
Enable ipfilter, and read the FreeBSD handbook for how to set it up properly
make sure that Openssh restricts itself to AES/SHA
raise the kernel securelevel to 3
make sure that openssh has a 4096 bit key and is restricted to only the authentication methods that you are using
set portsnap and freebsd-update to run nightly in cron
install ports-mgmt/portaudit
install OSSEC from ports/security/ossec*
Follow these instructions and you will have a battle-ready hardened server.
I've been using a VPS for $3/month from 123systems.net. I haven't done much with it yet, and I don't know how consistent it is, but so far I have no complaints. buyvm.net was another I was looking at that I believe has an even cheaper option ($15/yr!). Like someone else said, check out http://www.lowendbox.com/ to become informed about the options. Of course, you get only a pittance of ram/cpu for these bargain basement prices (and often limited availability -- buyvm sounds like a bit of a lottery), but it is still nice to have full control over a linux system that I can pack up and deploy to another linux server with more resources/consistency if/when I need to, while playing around with it for cheap now. It's also nice to have a far away offsite backup in case my city gets EMP'ed / destroyed by aliens / etc.
Also, like someone else mentioned, I have run ssh/www for about 15 years on my home ISP since whenever I got broadband with no complaints from my ISP.
Many distributions have their own list that will post security warnings for software they distribute. FreeBSD (technically not Linux), does a GREAT job of that with not only a mailing list, but a special utility (portaudit) that just checks for warnings about the software you have installed. Many FreeBSD people have portaudit run in cron and e-mail them any problems (so you don't have to sift through all the warnings for software you don't use).
Install fail2ban, especially if you're going to leave SSH open. You can configure some stuff to catch common web exploit attempts as well. You can probably get it configured on any service you want. It plugs into iptables and bans IPs for set time periods for too many bad logins in a short period of time, hitting certain URLs, etc. It's highly configurable for just about any service you could want to run, and you can whitelist IPs and subnets. If you're running any admin control panels, cpanel, phpmyadmin, webmin, or whatever, set it up with an htaccess file so those pages are only accessible from your lan. Also, do not allow root login over ssh. So long as you don't have too common of a username, it can make it very difficult to match up a nonstandard username with a password. Combine that with fail2ban, and that'll keep a lot of the baddies out.
I've been getting this since 2004.
There's an archive here to see if it helps you:
http://www.qualys.com/research/sans-at-risk/
Subscribing is here:
http://www.qualys.com/company/compref/
although I've been getting it since all you had to do was send an email.
I would start out by choosing a very minimal linux distribution. Install the minimal build of CentOS, Ubuntu Server, etc. Don't install a GUI or any unneeded packages. Install only the base, and SSH. You can install what you need after that. You could visit CIS (http://www.cisecurity.org/) and download a benchmark to use for hardening your Linux system. They have benchmarks that can be used for basic Linux hardening (most distributions are covered, and even if not, the same practices apply across the board). Then you can also run through the CIS benchmark for the Web server/DNS/etc. itself. Hardening doesn't solve your problems, but it does reduce your attack footprint, and then it is up to you to be vigilant on patching what you do have facing the internet. Use iptables or another host based firewall to block off everything that should not be receiving traffic from the outside. Then I would use OSSEC (http://www.ossec.net/) to monitor for system changes, and monitor your logs. OSSEC is an excellent program and extremely useful. At the end of the day, you'll learn a lot while applying the benchmarks (I advise creating a script to automate for future servers), but it comes down to hardening, patching (OS, Server(s), and CMS), and monitoring.
http://ipduh.com/search -- upon a search, click on the Security tag. It is just a search of the major security mailing lists, security advisories, etc.
However, to someone like you I would recommend to set up automatic security updates instead of reading about security issues every day.
Lots of good advice above.
What kind of websites do you have and how complicated are they? Do you really need a LAMP stack? I'd consider running a webserver on OpenBSD if you can tolerate it and actually need security. Otherwise, look at one of the better commercial like Linux distros, like CentOS. Patch regularly and follow tips from above regarding the networking config.
Second, are you in the US and do you already itemize your taxes? This could become 100% business write off. Write off your DSL as a business expense, write off power for the servers, the space in your house they take up, and any other costs. You may have to offer some services behind your hobby websites where people could contract you for advice. There's different business structures and you could get by with a sole proprietor type, but LLC's are really good too. The records you need to keep are simple and a basic P&L spreadsheet can be used to fill out your taxes.
I set up /tmp on a separate partition and added the noexec and nosuid tags.
Join the free bit of the site (community), sign up for the vulnerability list in the profile page.
Example:
http://secunia.com/advisories/49457/
They send 10-20 emails a day approx, easy enough to filter them to delete the irrelevant ones etc.
Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
sans.org - there are a number of digests they have and their security training is excellent.