Re: Feedback solicited - best way to harden a mail/web server?
From: Jim Levie (jim@entrophy-free.net)
Date: 12/27/02
- Next message: Erik Ljungström: "Re: version"
- Previous message: those who know me have no need of my name: "Re: Feedback solicited - best way to harden a mail/web server?"
- In reply to: Jared H.: "Feedback solicited - best way to harden a mail/web server?"
- Next in thread: Jared: "Re: Feedback solicited - best way to harden a mail/web server?"
- Reply: Jared: "Re: Feedback solicited - best way to harden a mail/web server?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Jim Levie" <jim@entrophy-free.net>
Date: Thu, 26 Dec 2002 21:37:22 -0600
On Thu, 26 Dec 2002 23:51:29 +0000, Jared H. wrote:
> I've been rootkitted again; third time in the last six months. Advice
> sought. Here is my current setup:
>
> RH 8.0
> ports 53 (TCP/UDP), 25, 443 open
> - this is a mail server primarily, running imap, Apache, PHP
> (Squirrelmail),
> Bastille firewall (I have my and my wife's workstations behind it). I hate
> to leave privileged ports open, but a server is no use if it can't
> communicate.
>
None of the services listed above are known to be vulnerable to a root exploit
according to what I see on the 8.0 Security Advisories. So if you were rooted
it had to be through some other means. As a start I'd suggest that you review
what you had installed on the system and compare that to the advisories listed
at https://rhn.redhat.com/errata/rh8-errata-security.html. Then check to see
if you had the current versions of the affected packages installed. Also
consider what non-RedHat packages or applications you might have added to the
system.
> Periodic netstat -a 's in addition to running chkrootkit daily confirm that
> Bastille was running as I had it configured.
>
Bastille is fine, but it doesn't take the place of a properly configured
firewall. Was the system protected by a properly configured firewall? Did you
have Tripwire installed and configured?
> I found an LKM trojan by upgrading chkrootkit from .37 to .38 - or was this
> a coincidence of timing? I also installed Arkeia's freeware on my machine
> that day (should've stuck to BRU :-( ).
>
> I have an old laptop that I can stick in front of the cable modem as a
> dedicated firewall/gateway. While it's only a 233MHz Pentium MMX, it has
> 144 MB of RAM and a 6GB disk, so I figure I can run Mandrake MNF or Trustix
> or Embedix or whatever else I need to.
>
> I am reasonably technical (a DBA who has been an SA in small shops), so I
> can set up whatever I need to (well, with some help from the good people of
> usenet), but I would like to minimize maintenance time - this is for home
> use, after all. I had thought Red Carpet would allow me to keep the
> installed packages current with a daily inspection of a few minutes, but
> obviously that was insufficient; so goodbye pure Red Hat.
>
Were you using Red Carpet or RedHat's up2date? The latter will ensure that all
security advisories are fixed. Dunno if Red Carpet is quite as good.
And what about the other nodes on the network? How secure are those and do
they have expanded access to the server? It could well be that you weren't
hacked from the outside, but rather via one of your other machines. If your
local network wasn't firewalled and you used any of the insecure protocols
that expose user names and passwords in plain text someone might have gotten
in by sniffing a password. And there are other ways that an insecure system
can be tricked into launching an attack from the inside.
> My questions/issues:
>
> What distro to use next? Surveying what was out there, Mandrake's MNF
> appears to be the most current of the free distros (and I have used Mandrake
> desktop distros in the past to good result). Embedix and Immunix are both
> 2001 releases (at least on linuxiso.org). Trustix I am still looking at.
>
Before considering a different distribution you really need to figure out how
they got in. Any properly maintained and secured RedHat system is highly
resistant to a root attack. The probability is that something about the way
your system was configured or maintained is the root cause of the break in.
Simply changing to a different distribution may not do anything to close the
vulnerability if it is related to your configuration.
> Should I dedicate the old laptop to be a pure fw/gateway? - bearing in mind
> that with two NICS maximum, I can't set up a DMZ.
>
A dedicated firewall is slightly more secure in that it doesn't have to
provide any services to Internet or internal systems. But if there are
vulnerable practices in use (with Internet exposure) or vulnerable systems
inside of the firewall any of the interior systems can be at risk.
> Even if I scratch up the bucks for a desktop to make a three-NIC gateway
> (putting mail/web on a DMZ), how is that more secure? Break into the
> firewall machine and one can see everything the firewall can.
>
Pretty much ditto as above... Any node that can be reached via the firewall or
via an interior node is only as secure as your least secure system.
> Would a dedicated fw/router appliance be more secure (I can't afford Cisco
> grade here - we're talking something like a Netgear or SMC or Linksys)?
>
Likewise...
> Opinions most definitely sought - I gotta get my environment stable rather
> than piss away weekends reinstalling all the time.
>
It really isn't that hard to set up a secure home LAN. It might not protect
you against a professional, but you aren't likely to be that target of one of
those types unless you are doing things on your home LAN much more interesting
than what's been mentioned.
The way I'd do it (which has so far proved to be resistant to even
professional security scans) is:
1) Install a custom RedHat 7.3 or 8.0 only loading those applications that are
absolutely required. Then immediately apply all applicable RedHat updates,
preferably before exposing the system to the Internet. When installing the
system use the RedHat packages wherever possible. Non-RedHat packages or
things built from source are suspect and you want to think long and hard
before adding one of them.
2) As soon as the system is installed and updated configure Tripwire. At the
same time install a good set of firewall rules and make sure that those rules
will catch illegal packet types. The default stance of the firewall must be to
disallow everything and then permit only those inbound services that are
essential (25/tcp, 53/tcp/udp, 443/tcp apparently). Also carefully check any
web apps for possible security vulnerabilities. If you only have HTML pages,
you are safe, but any cgi's need to be carefully examined, especially if they
read/write files, do DB accesses or invoke any system commands.
3) Make sure that no insecure protocols (plaintext passwords) are enabled.
Note that POP and IMAP might use plaintext passwords, depending on what
servers/clients are used.
4) Go over every interior system very carefully and make sure that everything
installed on those boxes is safe and that all security fixes are in place.
5) Now you can connect the server/firewall to the Internet and be reasonably
sure that script kiddies (the most plausible threat) are locked out. Finish
the configuration by attaching your other systems to a second NIC on the box
and modifying the firewall rule sets to allow those systems access to whatever
services that the gateway/web/mail/dns server provides to the local LAN.
6) Have someone run an nmap scan over TCP and UDP ports from the outside to
verify that only those ports that you've opened in the firewall are
accessible.
Make sure that you religiously keep the box up to date w/respect to RedHat
errata. And of course there's the standard stuff like making sure that all
passwords are GOOD passwords, and not routinely logging into the box (or any
other system) as root. And never, never, build anything as root. You should
only be root for the specific commands that demand it (sudo is a wonderful
tool). To be even safer, don't use the server/firewall as a workstation.
That's where a dedicated firewall and/or firewall/server is nice.
--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
The instructions said to use Windows 98 or better, so I installed RedHat
Jim Levie                                   email: jim@entrophy-free.net
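The default-deny stance of steps 2, 5 and 6 above, worked through as an added example that is not part of the original thread and not anyone's posted configuration: a shell script that emits an iptables-restore ruleset for a two-NIC gateway (drop-by-default INPUT and FORWARD, a chain for illegal packet types, only 25/tcp, 53/tcp+udp and 443/tcp reachable from the Internet, LAN-side access on the second NIC) and a checker that reads nmap's grepable (-oG) output and reports any open port outside the intended set. The interface names eth0/eth1, the LAN range 192.168.1.0/24, the assumption that the LAN may also use imap on 143/tcp, the log prefixes and the sample scan lines are all my assumptions, not facts from the post.

```shell
#!/bin/sh
# Added example, not from the thread: build an iptables-restore ruleset for a
# two-NIC gateway with a default-deny stance, then check an nmap -oG scan
# against the ports that are supposed to be reachable from outside.
# Assumptions (not stated in the post): external NIC eth0, internal NIC eth1,
# LAN 192.168.1.0/24, and that LAN hosts may also reach imap on 143/tcp.
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
INBOUND_TCP="25 53 443"   # the services the post leaves open to the Internet
INBOUND_UDP="53"
LAN_TCP="25 53 143 443"   # what the LAN may use on the gateway (143 assumed)

# gen_rules: print a complete ruleset in iptables-restore format
gen_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:BADPKT - [0:0]
# illegal packet types first: invalid conntrack state and bogus TCP flag sets
-A INPUT -m state --state INVALID -j BADPKT
-A INPUT -p tcp --tcp-flags ALL NONE -j BADPKT
-A INPUT -p tcp --tcp-flags ALL ALL -j BADPKT
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j BADPKT
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j BADPKT
-A BADPKT -m limit --limit 5/min -j LOG --log-prefix "FW-BADPKT: "
-A BADPKT -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
  # only the essential inbound services are opened on the external NIC
  for p in $INBOUND_TCP; do
    echo "-A INPUT -i $EXT_IF -p tcp --dport $p -m state --state NEW -j ACCEPT"
  done
  for p in $INBOUND_UDP; do
    echo "-A INPUT -i $EXT_IF -p udp --dport $p -j ACCEPT"
  done
  # interior systems get the LAN-side services, matched on the internal NIC
  for p in $LAN_TCP; do
    echo "-A INPUT -i $INT_IF -s $LAN_NET -p tcp --dport $p -m state --state NEW -j ACCEPT"
  done
  echo "-A INPUT -i $INT_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT"
  echo "-A INPUT -i $INT_IF -s $LAN_NET -p icmp --icmp-type echo-request -j ACCEPT"
  # LAN hosts may go out; only replies to their own connections come back in
  echo "-A FORWARD -i $INT_IF -o $EXT_IF -s $LAN_NET -j ACCEPT"
  echo "-A FORWARD -i $EXT_IF -o $INT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
  # everything else is logged (rate limited) and falls through to the DROP policy
  echo "-A INPUT -m limit --limit 5/min -j LOG --log-prefix \"FW-DROP: \""
  echo "COMMIT"
  cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $EXT_IF -j MASQUERADE
COMMIT
EOF
}

# Step 6: what an outside nmap scan should report as open
EXPECTED_OPEN="25/tcp 53/tcp 53/udp 443/tcp"

# check_scan: read nmap -oG output on stdin, list every open port that is not
# in EXPECTED_OPEN; returns 0 when the scan matches the stance, 1 otherwise
check_scan() {
  open_ports=$(awk -F'\t' '/^Host:/ {
      for (i = 1; i <= NF; i++) if ($i ~ /^Ports: /) {
        sub(/^Ports: /, "", $i)
        n = split($i, entry, ", ")
        for (j = 1; j <= n; j++) {
          split(entry[j], f, "/")          # port/state/proto/...
          if (f[2] == "open") print f[1] "/" f[3]
        }
      }
    }')
  unexpected=""
  for op in $open_ports; do
    found=0
    for ex in $EXPECTED_OPEN; do
      [ "$op" = "$ex" ] && found=1
    done
    [ "$found" -eq 0 ] && unexpected="$unexpected $op"
  done
  if [ -n "$unexpected" ]; then
    echo "UNEXPECTED OPEN:$unexpected"
    return 1
  fi
  echo "scan matches the intended stance"
  return 0
}

# Constructed sample -oG lines (not real scan results) for trying check_scan
sample_scan_good() {
  printf 'Host: 192.0.2.10 ()\tPorts: 25/open/tcp//smtp///, 53/open/tcp//domain///, 443/open/tcp//https///, 53/open/udp//domain///\tIgnored State: filtered (996)\n'
}
sample_scan_bad() {
  printf 'Host: 192.0.2.10 ()\tPorts: 25/open/tcp//smtp///, 80/open/tcp//http///, 143/open/tcp//imap///\tIgnored State: filtered (997)\n'
}
```

On a RedHat 7.3/8.0 box the generated text is what would go into /etc/sysconfig/iptables (`gen_rules > /etc/sysconfig/iptables`, then `service iptables restart` or `iptables-restore < /etc/sysconfig/iptables`); the scan check is run as `nmap -oG scan.txt ... ; check_scan < scan.txt` from the outside host. Two design points match the post: rules are ordered so that malformed packets are dropped before any ACCEPT is considered, and the LAN-side services are matched on the internal interface and source range rather than opened globally, so adding a service for the interior systems never widens what the Internet can reach.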