Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
advice for little server
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Installing Gentoo
View previous topic :: View next topic  
Author Message
majoron
Apprentice
Apprentice


Joined: 12 Oct 2005
Posts: 216
Location: Frankfurt

PostPosted: Tue Apr 29, 2014 8:48 am    Post subject: advice for little server Reply with quote

Hello,
I'm going to install linux on a server, and I have decided to go for Gentoo, which is my favourite distro for many reasons.
But my experience with servers is limited, so I would like to ask for suggestions from more experienced people.
Some requirements:
  • X
  • MySQL
  • Apache
  • Django
  • Java
  • Security: It is NOT going to provide a critical service. Security will not be the most important thing, not at all. Still, of course, we want a reasonable level of security.

Things that I would like to get opinions about:
  • kernel options
  • Recommended profile. Hardened? I would say no, but I'm not really sure...
  • Other important components: logging system(?), bootloader(Grub?), filesystems (ext4?), ...
  • USE flags
  • Some simple security suggestions?

Another thing I would like to know (I'm sure there must be some documents around, but I don't find what I'm looking for) is: a recommended policy of system upgrades for servers. Do you know some kind of "official" link for that?

TIA.

Best regards
_________________
Computers are like air conditioners, they stop working properly if you open Windows
Back to top
View user's profile Send private message
schorsch_76
Guru
Guru


Joined: 19 Jun 2012
Posts: 450

PostPosted: Tue Apr 29, 2014 12:31 pm    Post subject: Reply with quote

My recommendation:
-X
-Java
+Security
+fail2ban
+shorewall
+hardened profile
+regular backup
+rkhunter
+chkrootkit
+wiretrap
+openvpn

If you design the server from the begin, not with respect to security, you will for sure get hacked (and deserve to get hacked) and the server be misused. In Germany you can get really trouble if _your_ server is used as a spam sending machine. [1]

Some points to consider:
* SSH not on default port
* long and secure passwrds
* SSH better use keyfile instead of password
* Disallow root to login, only by regular user and su
* Maybe allow ssh only via VPN

[1] http://serverzeit.de/tutorials/admins-haften
Back to top
View user's profile Send private message
majoron
Apprentice
Apprentice


Joined: 12 Oct 2005
Posts: 216
Location: Frankfurt

PostPosted: Mon May 05, 2014 2:33 pm    Post subject: Reply with quote

schorsch_76 wrote:
My recommendation:
-X
-Java
+Security
+fail2ban
+shorewall
+hardened profile
+regular backup
+rkhunter
+chkrootkit
+wiretrap
+openvpn

If you design the server from the begin, not with respect to security, you will for sure get hacked (and deserve to get hacked) and the server be misused. In Germany you can get really trouble if _your_ server is used as a spam sending machine. [1]

Some points to consider:
* SSH not on default port
* long and secure passwrds
* SSH better use keyfile instead of password
* Disallow root to login, only by regular user and su
* Maybe allow ssh only via VPN

[1] http://serverzeit.de/tutorials/admins-haften

Thanks a lot for the answer!
I think most of the suggestions are ok. Some of them are not viable. For the rest, I have some questions/comments:
  • I have convinced my folks here to avoid X, which makes me relatively happy.
  • Although I must say that I don't like Java, and I don't trust very much when a programming language is under the control of a big company, apparently Java is not optional in this project. Still, I'm curious about what is the argument in favour of banning Java for the sake of security, particularly given the ubiquity of Java.
  • What do you mean by "+Security"? Do you mean "@security" (the portage set)? Or are you talking about some specific program?
  • Why simultaneously rkhunter and chkrootkit? Aren't they both rootkits finders?
  • wiretrap? Do you mean "wiretap", or some other sniffer in general?
  • Does it really help to use a different port for ssh?

Thank you again, and best regards.
_________________
Computers are like air conditioners, they stop working properly if you open Windows
Back to top
View user's profile Send private message
frostschutz
Advocate
Advocate


Joined: 22 Feb 2005
Posts: 2970
Location: Germany

PostPosted: Mon May 05, 2014 7:25 pm    Post subject: Reply with quote

majoron wrote:
Does it really help to use a different port for ssh?


the logs are more readable :lol: I use another port myself just for that. No real security involved, though.

security? configure your services properly, don't run unnecessary services in the first place. if you want to do odd things not required for your application, like running an openvpn or irc bouncer on the side - do that on another server, any cheap vserver will do.

Proper configuration of the services you offer is so much more important than, say, hardened or watertight iptables... if your sshd allows plaintext passwords and your password is root123 then well, no one can help you really

don't give anyone access you don't trust intimately, and... oh well
Back to top
View user's profile Send private message
1clue
Advocate
Advocate


Joined: 05 Feb 2006
Posts: 2549

PostPosted: Mon May 05, 2014 7:45 pm    Post subject: Reply with quote

Speaking about ports, I'd say for sure go above 5000, and preferably above 10,000. I'd do that for every remote terminal connection, and/or a VPN.

It does nothing with respect to a serious attempt, but most of the generic port scanning of non-named sites happens port 1-5000, because that's where the common standard services are. The higher you go, the less likely that somebody will "accidentally" stumble on your port.

+1 on no root login by remote, and +1 on requiring a key for ssh.

With regards to Java, Oracle (and Sun before them) have a pretty bad track record for security problems. That said, I'd recommend using the oracle version above others. It seems that the Open Source community strongly dislikes Java and most don't take it seriously. I'm skeptical about their devotion to security fixes in that regard. As well, Oracle is the reference standard, so it's likely to be more universally compatible with apps.
Back to top
View user's profile Send private message
szatox
Veteran
Veteran


Joined: 27 Aug 2013
Posts: 1746

PostPosted: Mon May 05, 2014 9:46 pm    Post subject: Reply with quote

I would not change standard ports becouse standards were introduced to make things easier to manage, remember, use, etc. And it's a really poor design in terms of security as it's security by obscurity, and rather poor one. If someone can get your user's private key and root password changing port is not going to stop him. If he can't, changing port makes no difference anyway.
So:
* Disable login on root (at least password login)
* prefferably disable user login with password as well - but this might be hard to do in real life case. Well, at least it's reasonable as long as people know at least abit about passwords. Show them some easy way to get unbreakable password (4-5 words is a good password, first letters from 10 word-long sentence will do fine too). Oh, and if you make passwords expire, you may be sure they will either chose weak passwords or write them down.
* fail2ban
* block on firewall everything except ports you actually WANT to be visible from outside world. Policy drop, then whitelist ssh, vpn, http/https and you're probably done.
* separating weird stuff with virtual machines might be a good idea. Qemu allows you run several such machines with network interfaces bridged together with phisical NIC, so every single virtual server would have it's own IP (and MAC)

filesystem: ext is nice, well tested etc, but IMO lacks checksums which potentialy puts you at risk of silent data corruption. This is something that needs some more digging into before saing whether or not it is an issue enough. Yes, sure, disks are supposed to keep their content, but you know, shit happens. Question is "how often" and "what a downside would be"
I do use ext myself, however with server I'd expect more storage.
Back to top
View user's profile Send private message
1clue
Advocate
Advocate


Joined: 05 Feb 2006
Posts: 2549

PostPosted: Tue May 06, 2014 4:42 am    Post subject: Reply with quote

I've never really understood the reasoning behind that.

Yes, if all you're doing is changing ports then it's really a terrible security measure. But obscuring an outward facing port through which the public is not invited certainly can't hurt anything provided the other measures are taken as well.

EVERY ssh server I've ever had exposed on the standard port for any length of time has had brute force attacks. None of the high-numbered ports I've used have had them. While disabling root login and demanding a key definitely will make a huge difference, it also helps if the bad guys don't know the thing is there in the first place.

Whether or not the brute force attacks can be successful is important, but given the choice I'd rather not pay for the bandwidth being used by some joker trying to break in.

So, just to put things into perspective, let's say a strong password policy is worth a dollar, and requiring a key is worth a dollar fifty in security terms. The nonstandard port might only be worth a nickel, but 2.55 is more than 2.50, and it's one line of the file you're editing anyway. It takes an extra 20 seconds to change it.
Back to top
View user's profile Send private message
Anon-E-moose
Advocate
Advocate


Joined: 23 May 2008
Posts: 3914
Location: Dallas area

PostPosted: Tue May 06, 2014 9:52 am    Post subject: Reply with quote

If possible with things like ssh it would be better to simply block out IP addresses that you know won't be used.

If one is in the US, does one really expect to access their machine from Russia, Saudi Arabia, Mexico, Europe, etc.

For me, I keep it open for local machines, but closed to outside access.
And when I have traveled then I try and find out what provider they have where I'm traveling and only open those IP range(s)
_________________
Asus m5a99fx, FX 8320 - nouveau, oss4, rx550 for qemu passthrough
Acer laptop E5-575, i3-7100u - i965, alsa
---both---
5.0.13 zen kernel, profile 17.0 (no-pie) amd64-no-multilib
gcc 8.2.0, eudev, openrc, openbox, palemoon
Back to top
View user's profile Send private message
schorsch_76
Guru
Guru


Joined: 19 Jun 2012
Posts: 450

PostPosted: Tue May 06, 2014 11:00 am    Post subject: Reply with quote

majoron wrote:
Thanks a lot for the answer!
I think most of the suggestions are ok. Some of them are not viable. For the rest, I have some questions/comments:
  • I have convinced my folks here to avoid X, which makes me relatively happy.
  • Although I must say that I don't like Java, and I don't trust very much when a programming language is under the control of a big company, apparently Java is not optional in this project. Still, I'm curious about what is the argument in favour of banning Java for the sake of security, particularly given the ubiquity of Java.
  • What do you mean by "+Security"? Do you mean "@security" (the portage set)? Or are you talking about some specific program?
  • Why simultaneously rkhunter and chkrootkit? Aren't they both rootkits finders?
  • wiretrap? Do you mean "wiretap", or some other sniffer in general?
  • Does it really help to use a different port for ssh?

Thank you again, and best regards.


My point is, that +Security, you should put a strong focus on security, because your initial post did indicate, hat security is really unimportant for you.

Java as a laguage has a really bad security reputation regarding bugs and security holes. If you need them, try to insulate its potential impact. Maybe a simple chroot for your apache/lighttpd/whatever or a qemu VM. Keyword: "Barrier around it"

rkhunter and chkrootkit are both run by crond . Both have different sets of signatures. They dont interfere with each other (unlike virus scanner on windows).

I did mean wiretrap. The intrusion detection system.

About the ssh port, the others have already discusses about it.
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 43178
Location: 56N 3W

PostPosted: Tue May 06, 2014 1:02 pm    Post subject: Reply with quote

rkhunter and chkrootkit may find rootkits - your only option then is to reinstall.

Have a look at tripwire - you need to store the signatures on another system.
Hardend is good - it makes attackers find an easier box to break into, which is really the object of security.

Any suffciently determinded attacker will find a way in.

Security is in layers.
Stopping them getting in.
Limiting the damage when they get in
Stoppimg them phoning home once they are in.

Hardened, with more than the default partions, allows things to be mounted with -o ro,nodev,noexec ... and so on ... not all on the same partition.
e.g. /home and /tmp can both be -o noexec,nodev
There are other useful no options
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
majoron
Apprentice
Apprentice


Joined: 12 Oct 2005
Posts: 216
Location: Frankfurt

PostPosted: Tue May 06, 2014 3:08 pm    Post subject: Reply with quote

Thank you very much for the interesting discussion and suggestions.
Now, I'm digesting and deciding.

Best regards
_________________
Computers are like air conditioners, they stop working properly if you open Windows
Back to top
View user's profile Send private message
majoron
Apprentice
Apprentice


Joined: 12 Oct 2005
Posts: 216
Location: Frankfurt

PostPosted: Tue May 06, 2014 3:15 pm    Post subject: Reply with quote

Thank you, schorsch_76, for the reply.
schorsch_76 wrote:
I did mean wiretrap. The intrusion detection system.

Do you have a link or the name of the package in portage?

Best
_________________
Computers are like air conditioners, they stop working properly if you open Windows
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Installing Gentoo All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum