
#1 2008-06-11 18:49:06

arew264
Member
From: Friendswood, Texas, US
Registered: 2006-07-01
Posts: 394
Website

What Sort of Security Should I Try to Use?

I've been running an Arch server at my house for quite some time now. Its duties include being a workstation for me, providing Samba shares of ISOs for the Windows gaming boxen on my home network to use, hosting any web projects I work on, running a repo mirror for the other Arch boxen I have at home and at school (I'm a high school student and I'm working on an experimental arch setup in a lab), and, occasionally, running a MUD server when my host has to go down (if you don't know, a MUD amounts to a simple telnet-compliant game server that allows no system access).
Recently when I tried to type my root password, I got it wrong. I wasn't locked out of my system and after I had reset it, I thought about it for a bit and became fairly sure that I had reversed the case in part of it. (I use secure passwords)
I have experienced no problems since, and I'm 90% sure I was right, but all the same, I've started thinking about security.

For the longest time, the only apps I had visible to the internet were SSH and HTTP. Since I was running only a test page on HTTP, that was pretty much safe, but the SSH server was protected by sshdfilter, a program that watches the SSH logs and blocks IPs (using IPTables) of people that try to log in as a user that doesn't exist or that miss the password three times. I've actually blocked myself a few times that way, but since I have on-site access to the server, it's all good.
I also had a full IPTables firewall that stealthed everything but SSH, HTTP, and two game servers (which I actually added in the last week).

With all that in place and emails hitting my gmail account about three times a week about IPs my server had blocked, I felt fairly secure. I even got a good laugh out of looking up the blocked IPs at www.ip-adress.com (adress is correct, not misspelled) and finding out where the script kiddies were.

Now, I want to take all the ISOs and personal documents off the server, wipe it, reinstall Arch, and get some real security measures installed. I know I want tripwire, sshdfilter will be back, and I'm looking into rootkit detection, but is there anything else that other Archers could recommend?

Last edited by arew264 (2008-06-11 18:50:46)

Offline
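
The log-watching approach described in the first post (block a source after it tries a nonexistent user or misses the password three times) can be shown in a few lines. The following is an added example written for this page, not sshdfilter's own code: it parses a constructed set of OpenSSH auth-log lines, applies those two rules, and renders the iptables DROP rules as text rather than executing them. The trusted LAN prefix, the user names and the addresses are all assumptions; the one thing worth noticing is that a home-network source is exempted, which is what prevents the self-lockout the post mentions.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/auth.log-style lines (assumed hosts and addresses, not real traffic).
SAMPLE_AUTH_LOG = """\
Jun 11 18:40:01 arch sshd[2101]: Failed password for invalid user oracle from 203.0.113.7 port 41022 ssh2
Jun 11 18:40:05 arch sshd[2103]: Failed password for arew from 198.51.100.9 port 50210 ssh2
Jun 11 18:40:09 arch sshd[2105]: Failed password for arew from 198.51.100.9 port 50211 ssh2
Jun 11 18:40:14 arch sshd[2107]: Failed password for arew from 198.51.100.9 port 50212 ssh2
Jun 11 18:41:00 arch sshd[2110]: Accepted publickey for arew from 192.168.1.20 port 33000 ssh2
Jun 11 18:41:30 arch sshd[2112]: Failed password for arew from 192.168.1.20 port 33001 ssh2
Jun 11 18:41:33 arch sshd[2112]: Failed password for arew from 192.168.1.20 port 33001 ssh2
Jun 11 18:41:36 arch sshd[2112]: Failed password for arew from 192.168.1.20 port 33001 ssh2
Jun 11 18:42:00 arch sshd[2115]: Failed password for root from 203.0.113.7 port 41030 ssh2
"""

# OpenSSH logs "Failed password for invalid user NAME from IP" when NAME does not exist,
# and "Failed password for NAME from IP" when it does.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

MAX_FAILURES = 3                    # the "miss the password three times" rule
TRUSTED_PREFIXES = ("192.168.1.",)  # assumed home LAN: never block it, so on-site access survives


def analyze(log_text, max_failures=MAX_FAILURES, trusted_prefixes=TRUSTED_PREFIXES):
    """Return {ip: reason} for source IPs that should be blocked."""
    failures = defaultdict(int)
    invalid_user_seen = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ip = m.group("ip")
        failures[ip] += 1
        if m.group("invalid") and ip not in invalid_user_seen:
            invalid_user_seen[ip] = m.group("user")

    verdict = {}
    for ip, count in failures.items():
        if ip.startswith(trusted_prefixes):
            continue  # trusted network: skip even if the threshold is exceeded
        if ip in invalid_user_seen:
            verdict[ip] = f"attempted nonexistent user '{invalid_user_seen[ip]}'"
        elif count >= max_failures:
            verdict[ip] = f"{count} failed passwords"
    return verdict


def iptables_rules(verdict, chain="INPUT"):
    """Render the DROP rules an admin would apply; returned as text, deliberately not executed."""
    return [f"iptables -I {chain} -s {ip} -j DROP  # {reason}"
            for ip, reason in sorted(verdict.items())]


if __name__ == "__main__":
    for rule in iptables_rules(analyze(SAMPLE_AUTH_LOG)):
        print(rule)
```

Run against the sample, the tool flags 203.0.113.7 after a single attempt on the nonexistent user and 198.51.100.9 after three misses, while the three misses from the LAN host are left alone. A real deployment would also expire the blocks after some hours, otherwise a laptop on a dynamic address that once mistyped a password stays blocked for good.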

#2 2008-06-17 17:39:55

zouzou85
Member
From: hopefully some where peaceful
Registered: 2007-12-25
Posts: 29

Re: What Sort of Security Should I Try to Use?

hi arew264,
Did you find anything interesting that you could share?


It's nice to be in a peaceful place like this. smile

Offline

#3 2008-06-17 18:50:52

arew264
Member
From: Friendswood, Texas, US
Registered: 2006-07-01
Posts: 394
Website

Re: What Sort of Security Should I Try to Use?

Well, a few hours after posting that, I left on a church trip and I just got back. Researching starts.... now!

Offline

#4 2008-06-17 20:20:33

tam1138
Member
Registered: 2007-09-10
Posts: 238

Re: What Sort of Security Should I Try to Use?

First step I'd take is turning off password authentication via ssh and using keys instead.  Check out ssh-keygen and the PasswordAuthentication directive for sshd_config.

Offline

#5 2008-06-17 22:55:53

Redroar
Member
Registered: 2008-03-17
Posts: 200

Re: What Sort of Security Should I Try to Use?

It took a while for me to figure out, but you have to disable both PasswordAuthentication and ChallengeResponseAuthentication to remove the password prompt completely. PublicKey authentication should pretty much remove any possibility of someone cracking into it, though. That and changing the port should help the most.

As you stated, having it block multiple attempts from an IP can occasionally backfire, but so long as you hold onto your private key it's all good.


Stop looking at my signature. It betrays your nature.

Offline
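
The two posts above (tam1138's and Redroar's) together describe the sshd_config changes: keys via ssh-keygen, PasswordAuthentication and ChallengeResponseAuthentication both set to no, and optionally a different port. One detail that bites people is that sshd takes the first value it reads for a keyword, so appending "PasswordAuthentication no" below an earlier "yes" changes nothing. The block below is an added example for this page, not code from either poster: it reads a constructed sshd_config the way sshd does (comments ignored, keywords case-insensitive, first value wins, stopping at the first Match block) and audits the result. The defaults table holds OpenSSH's documented defaults for the three authentication keywords; the sample configs are constructed.

```python
import re

# Constructed sshd_config showing the trap: the trailing "no" never takes effect,
# because sshd uses the FIRST value it obtains for each keyword.
SAMPLE_SSHD_CONFIG = """\
# example sshd_config (constructed for this page)
Port 22
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes

# appended later in the belief that it would override the line above:
PasswordAuthentication no
"""

# What the posts recommend, as a constructed reference config.
HARDENED_SSHD_CONFIG = """\
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
"""

# sshd_config accepts "Keyword value" and "Keyword=value"; keywords are case-insensitive.
DIRECTIVE_RE = re.compile(r"^\s*(?P<key>[A-Za-z0-9]+)\s*(?:=|\s)\s*(?P<value>.+?)\s*$")

# OpenSSH documented defaults for the keywords audited here.
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
    "port": "22",
}


def effective_settings(config_text):
    """Return {keyword.lower(): value} using sshd's first-value-wins rule.
    Directives below a Match block are conditional, so parsing stops there."""
    settings = {}
    for line in config_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        key = m.group("key").lower()
        if key == "match":
            break
        settings.setdefault(key, m.group("value"))  # keep the first value only
    return settings


def audit(config_text):
    """Return a list of findings; an empty list means the recommended settings are in effect."""
    s = effective_settings(config_text)

    def get(key):
        return s.get(key, DEFAULTS[key]).lower()

    findings = []
    if get("passwordauthentication") != "no":
        findings.append(f"PasswordAuthentication is effectively '{get('passwordauthentication')}'; "
                        "set it to 'no' before any earlier occurrence, not after")
    if get("challengeresponseauthentication") != "no":
        findings.append("ChallengeResponseAuthentication is still enabled, so a password prompt remains")
    if get("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is disabled; key logins would fail")
    if get("port") == "22":
        findings.append("sshd listens on port 22; moving it mainly cuts log noise from scanners")
    return findings


if __name__ == "__main__":
    for config in (SAMPLE_SSHD_CONFIG, HARDENED_SSHD_CONFIG):
        print(audit(config) or ["ok"])
```

On the real box the equivalent check is `sshd -T`, which prints the configuration as sshd actually resolved it. Whichever way you verify, keep the existing session open, restart sshd, and confirm a fresh key-based login succeeds and a password attempt is refused before closing the old session; with password login gone, the private key is the only way back in, as Redroar notes.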

#6 2008-06-18 06:27:14

my0pic
Member
From: Melbourne, Australia
Registered: 2008-05-23
Posts: 206

Re: What Sort of Security Should I Try to Use?

tam1138 wrote:

First step I'd take is turning off password authentication via ssh and using keys instead.  Check out ssh-keygen and the PasswordAuthentication directive for sshd_config.

Redroar wrote:

It took a while for me to figure out, but you have to disable both PasswordAuthentication and ChallengeResponseAuthentication to remove the password prompt completely. PublicKey authentication should pretty much remove any possibility of someone cracking into it, though. That and changing the port should help the most.

As you stated, having it block multiple attempts from an IP can occasionally backfire, but so long as you hold onto your private key it's all good.

To tam1138 & Redroar:
Thank you ever so much and may good fortune follow you everywhere!!
I set up ssh to my remote server a week ago and the one thing I didn't do was to disable PasswordAuthentication. I read your post today and logged in to my server to alter sshd_config and guess what? I noticed my last login was from an ip address in Taiwan. After giving myself a kick in the butt I set about ensuring everything was locked down tight and no damage was done, not to mention any keys being sneakily put into authorized_keys!!
Thanks once again smile

Last edited by my0pic (2008-06-18 06:31:47)

Offline

#7 2008-06-18 23:53:49

arew264
Member
From: Friendswood, Texas, US
Registered: 2006-07-01
Posts: 394
Website

Re: What Sort of Security Should I Try to Use?

Quite frankly, if I found someone had logged in from an IP from a foreign country, I wouldn't trust the box and would wipe it, no matter what I saw.
Anyway, here's what I've found so far:
Nessus - security scanner for... everything
Tripwire to make sure system files don't get overwritten
chkrootkit for rootkit detection
good old IPTables
SSHDfilter or key-only authentication
portsentry to block port scans
Snort - Intrusion Detection System
LogSentry - I'm told it's out of date but it could be handy to check for irregularities in logs

I also discovered a list of IP addresses/subnets that administrators are blocking, most notably everyone in China. It feels wrong and unethical to block people on foreign countries just because there are unregulated hackers there, but then again, I and a few trusted others have access to this box, and we're never going to be logging in from China.

Offline

#8 2008-06-19 01:26:11

Daenyth
Forum Fellow
From: Boston, MA
Registered: 2008-02-24
Posts: 1,244

Re: What Sort of Security Should I Try to Use?

Perhaps you could detail your setup somewhere -- make the Archwiki greater!

Last edited by Daenyth (2008-06-19 01:30:56)

Offline

#9 2008-06-19 01:54:10

tam1138
Member
Registered: 2007-09-10
Posts: 238

Re: What Sort of Security Should I Try to Use?

arew264 wrote:

Quite frankly, if I found someone had logged in from an IP from a foreign country, I wouldn't trust the box and would wipe it, no matter what I saw.

I agree.

Offline

#10 2008-06-19 01:54:24

slackhack
Member
Registered: 2004-06-30
Posts: 738

Re: What Sort of Security Should I Try to Use?

arew264 wrote:

I also discovered a list of IP addresses/subnets that administrators are blocking, most notably everyone in China. It feels wrong and unethical to block people on foreign countries just because there are unregulated hackers there, but then again, I and a few trusted others have access to this box, and we're never going to be logging in from China.

That's what I do on my iptables box, block everything from China. It seems extreme until you see massive hacking attempts almost on a daily basis trying to crack your ftp server, ssh, portscanning, etc.

Aside from what everyone else has suggested (snort, chkrootkit/rkhunter, tripwire, etc.), logwatch is also pretty useful to get a daily report of your apache logs, ftp, ssh attempts, disk usage, etc.

Offline

#11 2008-06-19 03:40:35

arew264
Member
From: Friendswood, Texas, US
Registered: 2006-07-01
Posts: 394
Website

Re: What Sort of Security Should I Try to Use?

I'll detail my setup once I get it set up. I'm still planning what to do after the wipe.

Offline

#12 2008-06-19 18:01:27

Daenyth
Forum Fellow
From: Boston, MA
Registered: 2008-02-24
Posts: 1,244

Re: What Sort of Security Should I Try to Use?

Thanks so much, I'll be very interested to hear how it all goes.

Offline

#13 2008-06-20 00:33:59

my0pic
Member
From: Melbourne, Australia
Registered: 2008-05-23
Posts: 206

Re: What Sort of Security Should I Try to Use?

arew264 wrote:

Quite frankly, if I found someone had logged in from an IP from a foreign country, I wouldn't trust the box and would wipe it, no matter what I saw.

Advice taken. Up and running again within a couple of hours from backup taken before the system was exposed. Added rkhunter and blocks in my iptables. Thanks.

Offline

#14 2008-06-20 17:08:54

arew264
Member
From: Friendswood, Texas, US
Registered: 2006-07-01
Posts: 394
Website

Re: What Sort of Security Should I Try to Use?

Thanks? What did I do?
Anyway, the trick is that when someone gets logged in to your box, the first thing they generally try and do is a root privilege exploit, and seemingly there always is one that works. (Arch may be above that, I don't know the details of how such things work)
Once they get root privileges, they can do everything, they can literally fill your system with back doors and put in a hacked kernel (or hacked replacement kernel modules) that hides them from you. Once they're in, there's no limit.
This is why I'm paranoid smile

Offline

#15 2008-08-10 19:39:40

arew264
Member
From: Friendswood, Texas, US
Registered: 2006-07-01
Posts: 394
Website

Re: What Sort of Security Should I Try to Use?

Okay, I just reinstalled with 64 bit Arch (got a new mobo and processor since I started this thread).
I'm going to start setting everything up and making a detailed log.
I chuckled a bit when I typed `yaourt snort`...

Last edited by arew264 (2008-08-10 19:41:33)

Offline

#16 2008-08-10 20:12:30

pheon
Member
From: Berlin, Germany
Registered: 2008-05-14
Posts: 91

Re: What Sort of Security Should I Try to Use?

Hi,
I've got some links dealing with unix/linux hardening. Maybe you find something useful.

http://linuxwiki.de/LinuxSecurity
http://en.tldp.org/HOWTO/Security-HOWTO/
http://www.linuxsecurity.com/docs/harde … ian-howto/
http://linuxgazette.net/105/odonovan.html
http://seifried.org/lasg/
http://www.linuxsecurity.com/content/bl … y/108/177/
http://www.cromwell-intl.com/security/l … ening.html
http://www.linux-sec.net/Harden/howto.gwif.html  (even moaaar links and howtos)


Another basic approach would be MAC (Mandatory Access Controls).
http://www.linux.com/articles/113941
I've never setup a MAC-System, so I can't tell you how much effort really is needed...

Best regards


watching someone else use your computer is like watching a drunk orangutan solve a Rubik's cube

Offline
