| 1 |
On Aug 2, 2005, at 7:50 PM, Raphael Melo de Oliveira Bastos Sales wrote: |
| 2 |
|
| 3 |
> Hi there, |
| 4 |
> |
| 5 |
> I was wondering what tools should I use to detect security flaws to |
| 6 |
> my server and a few tips on how to use them. What are the most common |
| 7 |
> forms of attack and how do I avoid being attacked by one of them? |
| 8 |
> |
| 9 |
> The services avaliable are only Apache - SSL and SSH. I've |
| 10 |
> installed an firewall, iptables and firestarter to control it, and |
| 11 |
> blocked all ports except 443 and 8080, where the SSH is listening. |
| 12 |
> Apache has PHP installed as a module. |
| 13 |
> |
| 14 |
|
| 15 |
Want to know how secure your server is? Try and hack it! |
| 16 |
|
| 17 |
A good port scanner like nmap should be a basic check of your |
| 18 |
firewall. I would also set nmap (if it can do this) to perform a SYN |
| 19 |
flood as it scans, to see if your server can withstand that basic DoS |
| 20 |
attack. (Adding --syn to your TCP rules in iptables can prevent SYN |
| 21 |
flooding when used with SYN cookies.) When you break in, find out |
| 22 |
why it worked and how it can be patched. |
| 23 |
|
| 24 |
Some things I would advise (I'm currently working on a server at the |
| 25 |
moment as well): |
| 26 |
- If the server is really important (or if you're paranoid), use |
| 27 |
the hardened-sources with PIE/SSP to prevent badly-written programs |
| 28 |
from arbitrarily executing code. |
| 29 |
- Enable SYN flood protection. There's a kernel option somewhere |
| 30 |
about IPv4 SYN cookies, enable that, and couple it with --syn |
| 31 |
attached to your TCP rules in iptables. It's a very popular denial- |
| 32 |
of-service attack. |
| 33 |
- Whenever you need to login or authenticate yourself, make the |
| 34 |
system delay five seconds after a bad password is entered. This will |
| 35 |
make a brute-force attack much much slower (0.2 passwords/sec as |
| 36 |
opposed to millions passwords/sec without a delay, depending on your |
| 37 |
server's speed). |
| 38 |
- Make sure iptables is set to deny all traffic that isn't |
| 39 |
explicitly allowed. |
| 40 |
- Turn off any services you don't need. |
| 41 |
- Read through your logs every now and then. I highly advise |
| 42 |
having the server burn them to a CD/floppy every now and then for an |
| 43 |
instant backup. Get a log reader/parser, too. |
| 44 |
|
| 45 |
Naturally, hide the server in the attic or basement. Chain it to |
| 46 |
something, or if it has a security slot, use a security cable. Put a |
| 47 |
lock on the case door. Unplug your floppy/CD drives if you're not |
| 48 |
using them. As of this writing, there is no kernel option to keep |
| 49 |
your computer or its innards from walking away. :-) |
| 50 |
-- |
| 51 |
Colin |
| 52 |
-- |
| 53 |
gentoo-user@g.o mailing list |
Archives