GNHLUG> Org Web>InternetServer>ServerSecurity (revision r1.18)EditAttach
Our InternetServer will need to be protected against all the Internet nasties (which are legion).

Don't forget to sign your comments!

Goals

  • Availability - Keep the services up and running.
  • Integrity - Prevent our Internet presence from being vandalized or subverted.
  • Traceability - Track who did what, when. Needed for change control and as a best practice.
  • Authenticity - Making sure admins really are who they say they are is important. Otherwise, this is a lower priority for us; most stuff is cleartext and public.
  • Privacy - Generally not a priority for us. Most of what we do is public by nature and intent. Still, some things (e.g., root password) will need to be protected.

sudo

  • All people have their own user account on the system.
  • No direct root logins. Login to user account first, then sudo. This gives us both enhanced security and traceability.

sudo to shell

It is proposed that we strictly avoid sudo'ing to a shell (e..g., "sudo /bin/sh"), or wrap such things in an automatic invocation of script(1) to log the entire shell session. Traceability again. -- BruceDawson and BenScott

I much prefer autostarting script if 'sudo shell' is run - flexible and easy. Creating time/original user named logfile in standard location would be ideal. (e.g. 2006_02_10_11_53_billm.log) -- DrewVanZandt - 10 Feb 2006

Some things that require shell redirection don't work without this [the ability to sudo to a shell] - however those can be put into a script and run 'sudo script'. But then the script is fungable after the run, so what's been gained is worth debating. -- BillMcGonigle - 08 Feb 2006

I agree with Bruce that we need to be very diligent in keeping track of what we do and keeping strict access and audit controls in place. With the planned environment of multiple admins from diverse backgrounds who have never worked together before, this will be critical. So I favor the idea of capturing any root shell sessions in log files. Flat out disabling sudo to a shell is less appealing. It certainly doesn't get us any security (aside from Bill's obvervation on changing files, sudo can generally be used to disable itself, unless you lock everyone down to the point where we wouldn't be able to admin the box with it anymore). So our use of sudo will be more about keeping honest people honest then protecting from arbitrary attacks. -- BenScott - 16 Feb 2006

OTP for sudo

OTP (OPIE or some other S/Key) for sudo access. -- MikeLedoux - 13 Feb 2006

Are there any links for those who aren't familar with these? -- BruceDawson - 13 Feb 2006

Both implement your standard challenge/response one time password, and plug in to sudo fairly easily. A quick search didn't find any information that doesn't presume familiarity, I'll see if I can come up with something better tonight. -- MikeLedoux - 13 Feb 2006

I'm a little unsure about how this fits into the risk management equation. What threat are we defending against here? Compromised SSH keys? Won't the overhead of OTP (I assume that's One Time Password; I've never used OPIE or S/Key before) be a large burden for us? -- BenScott - 16 Feb 2006

I think OTP for sudo would be a royal p.i.t.a. I use OTP a lot at work and home, and while it's very secure, and not too painful for basic ssh authentication, it could become seriously cumbersome for sudo access. Additionally, the risk OTP is engineered to protect against might actually be subverted if people were to accidently generate the OTPs on the remote server. -- PaulLussier - 24 Feb 2006

The only thing OTP for sudo would save us from in this case is attacks to extract passwords typed during ssh sessions. Given the decisions we've made regarding that, there's no point in pursuing OTP for sudo any further. -- MikeLedoux - 27 Feb 2006

Firewall

  • Use a local firewall (iptables/netfilter) to lock out most things
  • Deny inbound by default
  • Allow outbound by default (?)
  • Allowed inbound from anywhere:
    • 25/tcp
    • 80/tcp
    • 443/tcp
    • 53/udp
    • ICMP echo request (ping)
  • SSH -- for specifics, see discussion in "Remote Access"
  • Allow 53/tcp from DNS slaves
    • Currently allowed from everywhere because we're lazy :)

Remote Access (SSH)

Public keys

It has been suggested by several that we require public key authentication and disallow password authentication entirely.

Opinion - I am aware this could cause flames, sorry. Cracking will probably not be from password guessing etc. (especially if on nonstandard port, and we stick to decent passwords e.g. gpw or whatever) - it will be a vulnerability in a service we run. Minimal exposure to the outside world would be good. :-) -- DrewVanZandt - 10 Feb 2006

While I agree that vulnerabilities present a bigger danger, password cracking is a threat. Further, blind, automatic, SSH password guessing attacks are currently active on the Internet. At work we were getting probed not infrequently. Changing the default port foils most of them, but it's still there. At the time time, public keys are pretty easy, generally considered very strong, and actually make things easier if you use ssh-agent. -- BenScott - 16 Feb 2006

Another thing which has not been discussed is the use of OTP for ssh access. This would be significantly more secure than the use of SSH keys. Consider the possibility of a trojaned sshd getting installed on the system. This sshd now has access to the secret passphrase to your key should you ssh from the remote system elsewhere. Using agent-based authentication forwarding and OTP, this risk is mitigated. Any OTP you type is instantly obsolete upon it's successful use. I would find this use of OTP far more palatable than for sudo. -- PaulLussier - 24 Feb 2006

I'm not convinced that OTP for SSH is more secure than SSH keys, provided a) you use a strong passphrase for your SSH key, and b) you only use your SSH key and passphrase directly on a trusted host under your immediate control. Since your passphrase is never sent over the wire to the remote sshd, I'm not sure how a trojaned sshd would ever get that passphrase. Perhaps I am missing something obvious here. -- MikeLedoux - 27 Feb 2006

Access list

Require entries in AllowedUsers in sshd_config. Inconvenient for adding new accounts, but the number of accounts will be very low and we don't have time to deal with getting cracked. -- BillMcGonigle - 11 Feb 2006

Or we could use a Unix group (e.g., "sshusers"). -- BenScott - 16 Feb 2006

Also, no root logins via SSH (public key or otherwise). sudo only. See above. -- BenScott - 16 Feb 2006

Addendum: root login via SSH allowed by public key with "forced-commands-only_ to enable backups via SSH. -- BenScott - 16 Nov 2006

Port number

It has been suggested by several that we use a non-standard port number for SSH (instead of IANA's assignment of 22).

I've been port-scanned for ssh running on non-standard ports. -- BillMcGonigle - 11 Feb 2006

While this won't stop any serious attack, it does stop a lot of the stupid ones, and that counts for something. It also cuts down on log noise, if nothing else. :) -- BenScott - 16 Feb 2006

IP address restrictions

It has been suggested that we restrict SSH to a small set of known IP addresses.

I postulate that restricting ssh access to a small set of IP's is more secure than having it open to the world. It avoids all the script-kiddie issues, for instance. So, there should be arguments here for why we'd want to accept a less-secure method in the face of known attacks. -- BillMcGonigle - 11 Feb 2006

Unfortunately, I do not have a personal static IP address, so this would mean I would not be able to help much (or at all). Active discussion of this issue is presently on the -sysadmin list. -- BenScott - 16 Feb 2006

Likewise, my personal 'net connection has a dynamic IP, so this would severly impair my ability to contribute. -- MikeLedoux - 27 Feb 2006

Other tools

  • logsentry/logwatch/etc - alert us to unusual messages (email, maybe SMS) -- BenScott - 16 Feb 2006
  • portsentry - identify probes and scans and auto-firewall the source addresses -- BenScott - 16 Feb 2006
    • One note - this would require us to open up any ports we want to sentry in the firewall. Is this something we want to do? -- ColeTuininga - 26 Feb 2006
  • System file integrity verification tools:
    • bsign - Corruption & intrusion detection using embedded hashes
    • systraq - monitor your system and warn when system files change
    • tripwire - file and directory integrity checker
      • I can only vouch for tripwire, it works, and it works well. But it require maintenance and produces rather verbose reports which need to be monitored and dealt with. -- PaulLussier - 24 Feb 2006
    • rkhunter/chkrootkit - Looks for known rootkits, and a few other things. -- ColeTuininga - 26 Feb 2006
Edit | Attach | Watch | Print version | History: r21 < r20 < r19 < r18 < r17 | Backlinks | Raw View | Raw edit | More topic actions...
Topic revision: r18 - 2006-11-15 - BenScott
 

All content is Copyright © 1999-2024 by, and the property of, the contributing authors.
Questions, comments, or concerns? Contact GNHLUG.
All use of this site subject to our Legal Notice (includes Terms of Service).