On Aug 2, 2005, at 7:50 PM, Raphael Melo de Oliveira Bastos Sales wrote:

> Hi there,
>
> I was wondering what tools I should use to detect security flaws in
> my server, and a few tips on how to use them. What are the most common
> forms of attack and how do I avoid being attacked by one of them?
>
> The services available are only Apache (SSL) and SSH. I've
> installed a firewall, iptables and Firestarter to control it, and
> blocked all ports except 443 and 8080, where SSH is listening.
> Apache has PHP installed as a module.
>

Want to know how secure your server is? Try and hack it!

A good port scanner like nmap should be a basic check of your
firewall. I would also set nmap (if it can do this) to perform a SYN
flood as it scans, to see if your server can withstand that basic DoS
attack. (Adding --syn to your TCP rules in iptables can prevent SYN
flooding when used with SYN cookies.) When you break in, find out
why it worked and how it can be patched.

Some things I would advise (I'm currently working on a server at the
moment as well):
 - If the server is really important (or if you're paranoid), use
the hardened-sources with PIE/SSP to prevent badly-written programs
from arbitrarily executing code.
 - Enable SYN flood protection. There's a kernel option somewhere
about IPv4 SYN cookies; enable that, and couple it with --syn
attached to your TCP rules in iptables. It's a very popular
denial-of-service attack.
 - Whenever you need to log in or authenticate yourself, make the
system delay five seconds after a bad password is entered. This will
make a brute-force attack much, much slower (0.2 passwords/sec as
opposed to millions of passwords/sec without a delay, depending on your
server's speed).
 - Make sure iptables is set to deny all traffic that isn't
explicitly allowed.
 - Turn off any services you don't need.
 - Read through your logs every now and then. I highly advise
having the server burn them to a CD/floppy every now and then for an
instant backup. Get a log reader/parser, too.

Naturally, hide the server in the attic or basement. Chain it to
something, or if it has a security slot, use a security cable. Put a
lock on the case door. Unplug your floppy/CD drives if you're not
using them. As of this writing, there is no kernel option to keep
your computer or its innards from walking away. :-)
--
Colin
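The firewall side of Colin's advice (default-deny iptables, only 443 and 8080 open, SYN cookies in the kernel, --syn on the TCP rules), written out as an added example script. It is not part of Colin's message or of any Gentoo tool. The interface name eth0, the rate-limit figures, the hypothetical file name harden-fw.sh and the IPT/SYSCTL override variables are assumptions made for the example. The --syn match selects new-connection SYNs; pairing it with -m limit is what lets a flood of them be shed by the firewall, and sysctl turns on SYN cookies (the kernel must be built with CONFIG_SYN_COOKIES for that sysctl to exist).

```shell
#!/bin/sh
# Added example: default-deny iptables ruleset plus SYN-cookie setting for
# a host that exposes only HTTPS (443) and SSH (8080), as in the thread.
# The interface, the rate limits and the IPT/SYSCTL overrides are assumptions.
set -eu

IFACE="${IFACE:-eth0}"   # assumed external interface
HTTPS_PORT=443
SSH_PORT=8080            # sshd listens on 8080 in the thread

# Every rule goes through $IPT so the ruleset can be previewed with
# IPT=echo before it is applied as root.
ipt() { "${IPT:-iptables}" "$@"; }

# Kernel side of SYN-flood protection: with cookies on, the kernel keeps
# answering SYNs without allocating queue state once the backlog is full.
enable_syn_cookies() {
    "${SYSCTL:-sysctl}" -w net.ipv4.tcp_syncookies=1
}

fw_rules() {
    # Clean slate; default policy DROP for anything not explicitly allowed.
    ipt -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback and replies to connections we already track are always fine.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # --syn matches packets with SYN set and ACK/RST/FIN clear, i.e. new
    # connection attempts. Rate-limit them per service; whatever exceeds
    # the limit falls through to the DROP rule instead of the backlog.
    for port in "$HTTPS_PORT" "$SSH_PORT"; do
        ipt -A INPUT -i "$IFACE" -p tcp --dport "$port" --syn \
            -m limit --limit 25/second --limit-burst 50 -j ACCEPT
        ipt -A INPUT -i "$IFACE" -p tcp --dport "$port" --syn -j DROP
    done

    # Log (rate-limited, so the log itself cannot be flooded) and drop the
    # rest; the DROP policy catches anything that slips past.
    ipt -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "FW-DROP: "
    ipt -A INPUT -j DROP
}

# Sanity check: how many ACCEPT rules open a given port? Should be 1 for
# 443 and 8080 and 0 for anything else.
count_accept_rules_for_port() {
    port="$1"
    ( IPT=echo; fw_rules ) | grep -c -- "--dport $port .*-j ACCEPT" || true
}

case "${1:-}" in
    preview)
        # Print the commands instead of running them.
        IPT=echo; SYSCTL=echo
        enable_syn_cookies
        fw_rules
        ;;
    apply)
        [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
        enable_syn_cookies
        fw_rules
        ;;
esac
```

Run `sh harden-fw.sh preview` to see the exact iptables and sysctl commands, then `sh harden-fw.sh apply` as root. The sysctl line only survives a reboot if it is also put in /etc/sysctl.conf, and the ruleset needs to be saved with your init system's iptables service to come back after one.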
--
gentoo-user@g.o mailing list
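For the "read through your logs" and "get a log reader/parser" items, here is an added example (not from the thread or from any Gentoo tool) of the kind of small parser worth having: it counts sshd "Failed password" lines per source address, lists addresses over a threshold, and flags an address whose guessing run was followed by an accepted login. The log lines are constructed for the example; the host name srv, the addresses and the threshold of 3 are assumptions.

```shell
#!/bin/sh
# Added example: parse sshd authentication lines from the auth log and
# summarise password-guessing activity per source address.
# The sample log below is constructed for the example, not real data.
set -eu

SAMPLE_LOG='Aug  2 20:01:11 srv sshd[4242]: Failed password for root from 10.0.0.5 port 40001 ssh2
Aug  2 20:01:13 srv sshd[4243]: Failed password for invalid user admin from 10.0.0.5 port 40002 ssh2
Aug  2 20:01:15 srv sshd[4244]: Failed password for invalid user test from 10.0.0.5 port 40003 ssh2
Aug  2 20:02:40 srv sshd[4250]: Accepted password for colin from 192.168.1.10 port 51234 ssh2
Aug  2 20:03:02 srv sshd[4251]: Failed password for colin from 192.168.1.10 port 51240 ssh2
Aug  2 20:05:09 srv sshd[4260]: Failed password for invalid user oracle from 10.0.0.5 port 40010 ssh2
Aug  2 20:05:30 srv sshd[4261]: Accepted password for root from 10.0.0.5 port 40011 ssh2'

# Print "count ip" for every source address with failed logins, most
# failures first. Reads the log on stdin.
failed_logins_by_ip() {
    awk '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the address is the field right after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) printf "%d %s\n", fails[ip], ip }
    ' | sort -rn
}

# Addresses with at least $1 failures: candidates for a firewall block.
suspicious_ips() {
    threshold="$1"
    failed_logins_by_ip | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Print any address that had failures and then an accepted login, i.e. a
# guessing run that may have succeeded. Exit 0 if one was found, else 1.
success_after_failures() {
    awk '
        /Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") failed[$(i + 1)] = 1
        }
        /Accepted password for/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from" && failed[$(i + 1)]) { print $(i + 1); found = 1 }
        }
        END { exit found ? 0 : 1 }
    '
}

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | failed_logins_by_ip
    echo "--- over threshold ---"
    printf '%s\n' "$SAMPLE_LOG" | suspicious_ips 3
    echo "--- accepted after failures ---"
    printf '%s\n' "$SAMPLE_LOG" | success_after_failures || echo "none"
fi
```

On a real box, replace the sample with `cat /var/log/auth.log | failed_logins_by_ip` (or whichever file your syslog sends sshd to), and run it from cron so the summary lands in your mailbox rather than waiting for the "every now and then".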