Security questions

Hi,

After months of declining service from my current hoster, I finally decided to get a VPS. I did quite a bit of research and ended up with Linode. I have no previous experience with VPSs and only little experience with Linux (perfect combination ;-)).

I've installed Ubuntu LTS, Lighttpd, PHP5 and MySQL. I've also configured iptables (for now) using a configuration script on a website, but I'll be looking into iptables a bit later to do some tuning. Everything seems to be working fine so far. In the next few days I'll be installing phpmyadmin and I'll make it only accessible via tunneling. I'm giving myself a few months to get familiar with everything before I'll be moving my main site over to the VPS.

To cut a long story short, I'm looking into best practices on securing the different software packages I'm using and securing my VPS in general. I've read a few articles on chroot and other ways to increase security on a VPS, but I'd really value your tips and tricks. I'll only be hosting a few of my own websites, I won't be hosting for others.

How would you increase security in my situation? Do's and don'ts? Are there any good whitepapers I should read?

Your input is appreciated!

Cheers,

Lost

13 Replies

Get iptables up and running ASAP. For ease of use I use fwbuilder, nice little application to manage your firewall.

Here's what I do: other than port 80 http traffic, everything is blocked. I only allow ssh from specific IPs that I use. If you're going to open up other ports, take a close look at what access is needed and go from there. Only open up ports that you absolutely need.

Thanks mate, I'll look into fwbuilder and have a play with it. I've already got iptables running (I created a config with an online tool) and did a scan with nmap. Only port 80 is open and the non-standard port I use for ssh. Unfortunately, I don't have a static ip address. Is it possible to restrict access to my ssh port based on hostname?

I also had a look at the php configuration and what settings I should change. Pff… one article tells you to set Option X to 1 and the next article tells you to set it to 0. Anyway, I hope I've got the most important php settings sorted.

Thanks again!

@Lost:

> Thanks mate, I'll look into fwbuilder and have a play with it. I've already got iptables running (I created a config with an online tool) and did a scan with nmap. Only port 80 is open and the non-standard port I use for ssh. Unfortunately, I don't have a static ip address. Is it possible to restrict access to my ssh port based on hostname?
>
> I also had a look at the php configuration and what settings I should change. Pff… one article tells you to set Option X to 1 and the next article tells you to set it to 0. Anyway, I hope I've got the most important php settings sorted.
>
> Thanks again!

MMM not sure 'bout host but you can just restrict ssh via iptables via network range. This isn't as good as specific IP, but would be better than opening it up to the world.

ufw lets you specify a netblock to allow. Doesn't look like it supports making rules by hostname, though.

Thanks guys, I'm looking into both fwbuilder and ufw.

Just to toss another firewall into the mix, I personally prefer the APF firewall, which is basically a handy easy-as-freakin-pie wrapper for iptables. There are only one or two config files that you'll ever have to edit for it.

For security tips:

WWW

* Keep permissions to the most restrictive for whatever it is that you are doing. This really counts if you are using PHP/MySQL combo. However, it can also fall under files in htdocs root if you aren't careful.
* You might want to check out mod_security if you are really into it.

SSH

* Again, keep permissions to a minimum.
* Restrict users that have logon abilities (check out "AllowedUsers & AllowedGroups" settings)
* Please disable password auth and only run pub-key based auth. If an emergency happens, use the linode console to fix stuff until SSH can be repaired.
* Optional, but some people prefer, if you run SSH on a non-default port (!=22). Really this is just security by obscurity, but it can stop bot attacks from possibly taking up bandwidth.

GENERAL

* Some might say to never really use your root account and use sudo entirely instead.
* Google "%PACKAGE% +secur*" to find possible tutorials or tips on securing your favorite packages.

Other:

http://www.networkdictionary.com/Software/Unix-Linux-Security-Tips.php

http://forum.hitb.org/viewtopic.php?f=1&t=13658
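One way to check a server against the SSH tips in the post above, as an added example that is not part of the original post. It uses the OpenSSH keyword names `AllowUsers` and `AllowGroups`; the two sample configs, port 2222 and the `deploy` account are constructed for illustration.

```shell
#!/bin/sh
# Added example: check an sshd_config-style file against the SSH tips above.
# Handles whitespace-separated "Keyword value" lines in the global section only.

# first_value FILE KEYWORD -> first value set for KEYWORD, lower-cased.
# sshd keywords are case-insensitive and the first occurrence wins.
first_value() {
    awk -v key="$2" '
        /^[ \t]*#/             { next }  # comment line, not an active setting
        tolower($1) == "match" { exit }  # conditional blocks are not audited
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# audit_sshd_config FILE -> one FAIL line per finding; returns 1 if any.
audit_sshd_config() {
    file=$1; findings=0
    pw=$(first_value "$file" PasswordAuthentication)   # absent means "yes"
    [ "${pw:-yes}" = no ] || {
        echo "FAIL PasswordAuthentication=${pw:-yes}: password logins accepted"
        findings=1; }
    pk=$(first_value "$file" PubkeyAuthentication)     # absent means "yes"
    [ "${pk:-yes}" != no ] || {
        echo "FAIL PubkeyAuthentication=no: key logins disabled"
        findings=1; }
    au=$(first_value "$file" AllowUsers); ag=$(first_value "$file" AllowGroups)
    [ -n "$au$ag" ] || {
        echo "FAIL no AllowUsers/AllowGroups: logins not limited to named accounts"
        findings=1; }
    return "$findings"
}

# write_sample weak|hardened -> path of a constructed sample config.
write_sample() {
    f=$(mktemp)
    case $1 in
    weak)     printf '%s\n' 'Port 22' '#PasswordAuthentication no' >"$f" ;;
    hardened) printf '%s\n' 'Port 2222' 'passwordauthentication no' \
                  'PubkeyAuthentication yes' 'AllowUsers deploy' >"$f" ;;
    esac
    echo "$f"
}

for s in weak hardened; do
    cfg=$(write_sample "$s")
    echo "== $s"; audit_sshd_config "$cfg" && echo "OK"
    rm -f "$cfg"
done
```

On a live host the same function can read the output of `sshd -T`, which prints the effective settings in the same keyword-value form.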

Does anyone know about any security testers like a file based program like the one called Cops? I do not see it any more (Showing my age eh?) SATAN or the like out there. I have checked a few services. I could faint from the responses I got. Very few basic security scanners.

At first of course I would like to start with file system based scanner/reporter similar to cops which I recall gave a pretty good appraisal in its day.

Also for the Linode support people who may be listening are there any caveats I should know about like sending a polite announcement that a test on my server will be done in the next 48hrs or such?

I have some experience with ISS a per buy scanner/service. When I used it at first I paid a lot up front but kept it for the future. Now I realize the yearly subscription cost is where they got me. I imagine it's much like SATAN in how it scans a remote site for vulnerabilities to harmless exploits it attempts.

By the way a useful site for all those listening/viewing as it were is

http://whatismyipaddress.com

It always lets you know your real IP address especially given the odd things ISPs are doing now you can not always tell from a traceroute anymore. This becomes invaluable.

It also tells you if you are on block lists and does traceroutes as well

Hi,

I was reading this and was thinking if it is better to chmod a site root to www-data:www-data or using the regular user and chmod 777 the directories I need write access?

@nfn:

> I was reading this and was thinking if is better to chmod a site root to www-data:www-data or using the regular user and chmod 777 the directories I need write access?

I'm not sure I understand the question, but it seems to me that chmod 777 is never the right answer.

One way I've done it is to make the web root owned by www-data:www-data (make sure to set the setgid bit on the directory and any subdirectories). Then to give someuser access to the web space, do usermod -G www-data -a someuser. To make sure everything is group-writeable, a cron job periodically runs chmod -R g+w on the web root. Of course, if you have multiple sites on one server, this does nothing to separate out the permissions for each, so isn't suitable if you want to prevent users from messing with each others' stuff.

Personally I don't like the idea of owning the files by www-data.

What I do is set up a user to access the web space via SFTP anyways, so I set the ownership of the website root to clientuser:www-data with permissions 750 and the setgid bit set, and if the user needs to have a www-data writable directory (for example an upload directory) a chmod -R g+w /path/to/writable-dir will be sufficient, which can be easily set even from WinSCP and the like.

> clientuser:www-data with permissions 750 and setgid bit set. and if the user needs to have a www-data writable directory (for example an upload directory) a chmod -R g+w /path/to/writable-dir

Can you explain to a Linux noob how exactly that's different than 770. I'm reading this: http://en.wikipedia.org/wiki/Setuid and still don't quite get why that would be any different than 770.

If a directory is already set to 750 and you give group write access, then it's 770. So I'm not understanding the setgid bit and exactly what that does.

@waldo:

> Can you explain to a Linux noob how exactly that's different than 770. I'm reading this: http://en.wikipedia.org/wiki/Setuid and still don't quite get why that would be any different than 770.

When the client opens an sftp session and creates subdirectories and/or files, the newly created files inherit the group ownership settings from their parent, therefore setting any file to give world read/write is unnecessary this way.

The wikipedia article explains this nicely: see the 'setgid on directories' section.
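The permission layout discussed in the last few posts can be checked mechanically; the script below is an added example, not code from any poster in the thread. It flags world-writable entries and directories that lack the setgid bit, and runs against a constructed temporary tree whose directory names (`uploads`, `cache`, `legacy`) are hypothetical.

```shell
#!/bin/sh
# Added example: audit a web root for the permission problems discussed above.

# audit_webroot DIR -> one finding per line; no output means clean.
audit_webroot() {
    # Anything world-writable (what chmod 777 produces). Symlinks always
    # report mode 777, so they are skipped.
    find "$1" ! -type l -perm -0002 -exec printf 'WORLD-WRITABLE %s\n' {} \;
    # Directories without setgid: files created in them get the creator's
    # primary group rather than the directory's group.
    find "$1" -type d ! -perm -2000 -exec printf 'NO-SETGID %s\n' {} \;
}

# make_sample_tree -> path of a constructed tree (the body runs in a
# subshell so the umask change stays local).
make_sample_tree() (
    umask 022
    root=$(mktemp -d)
    mkdir "$root/uploads" "$root/cache" "$root/legacy"
    chmod 2750 "$root"           # 750 plus setgid, as in the thread
    chmod 2770 "$root/uploads"   # group-writable upload directory
    chmod 0777 "$root/cache"     # the shortcut the thread warns against
    chmod 0750 "$root/legacy"    # setgid forgotten
    mkdir "$root/uploads/new"    # created after setgid was set: on Linux it
                                 # inherits the bit and the group
    echo "$root"
)

tree=$(make_sample_tree)
audit_webroot "$tree"
rm -rf "$tree"
```

The leading 2 in 2750 and 2770 is the setgid bit; it grants no access of its own, which is why 2750 is not the same thing as 770.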

Between your explanation, Wikipedia and just trying it, I understand now. Thank you.
