Solutions for a secure webserver

Support for security such as firewalls and securing Linux
deajan
Posts: 53
Joined: 2009/08/01 12:49:42
Location: South France

Solutions for a secure webserver

Post by deajan » 2012/09/25 20:59:22

Hello,

I'm used to making Linux LDAP / Samba / ZFS servers, but I'm kinda new to the web hosting area.

I've set up a machine on which I use LAMP to serve a couple of sites.

So far, I've installed:

- OSSEC HIDS
- rkhunter
- Apache mod_spamhaus
- Apache mod_security
- fail2ban
- PHP Suhosin extension

And I might add:
- Apache mod_evasive

What I could not add, because of a lack of processing power (it's my personal virtual server that I rent), is Snort.
Also, running a Xen kernel from my hosting company, I cannot get SELinux to work (no selinuxfs support), and I've asked them to get SELinux working.

Is there any (not memory-hungry) tool I can use to secure my server?

Thanks.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Solutions for a secure webserver

Post by TrevorH » 2012/09/26 01:01:29

Could you post the output from the getinfo.sh script that you can find by reading [url=https://www.centos.org/modules/newbb/viewtopic.php?topic_id=28723&forum=54]this[/url].

deajan
Posts: 53
Joined: 2009/08/01 12:49:42
Location: South France

Re: Solutions for a secure webserver

Post by deajan » 2012/09/27 21:09:24

Hello,

Although I don't really understand the reason you ask for it (except for knowing if my system is up to date), here is the output of getinfo.sh:

[code]
Information for general problems.
== BEGIN uname -rmi ==
3.2.26-xenU-6909-x86_64 x86_64 x86_64
== END uname -rmi ==

== BEGIN rpm -qa \*-release\* ==
epel-release-6-7.noarch
centos-release-6-2.el6.centos.7.x86_64
== END rpm -qa \*-release\* ==

== BEGIN cat /etc/redhat-release ==
CentOS release 6.2 (Final)
== END cat /etc/redhat-release ==

== BEGIN getenforce ==
Permissive
== END getenforce ==

== BEGIN free -m ==
             total       used       free     shared    buffers     cached
Mem:           467        436         31          0         12        162
-/+ buffers/cache:        261        206
Swap:          361          0        361
== END free -m ==

== BEGIN rpm -qa yum\* rpm-\* python | sort ==
python-2.6.6-29.el6_2.2.x86_64
rpm-build-4.8.0-19.el6_2.1.x86_64
rpm-libs-4.8.0-19.el6_2.1.x86_64
rpm-python-4.8.0-19.el6_2.1.x86_64
yum-3.2.29-22.el6.centos.2.noarch
yum-metadata-parser-1.1.2-16.el6.x86_64
yum-plugin-fastestmirror-1.1.30-10.el6.noarch
== END rpm -qa yum\* rpm-\* python | sort ==

== BEGIN ls /etc/yum.repos.d ==
CentOS-Base.repo
CentOS-Debuginfo.repo
CentOS-Gandi.repo
CentOS-Media.repo
epel.repo
epel-testing.repo
== END ls /etc/yum.repos.d ==

== BEGIN cat /etc/yum.conf ==
[main]
cachedir=/var/cache/yum/$basearch/$releasever
keepcache=0
debuglevel=2
logfile=/var/log/yum.log
exactarch=1
obsoletes=1
gpgcheck=1
plugins=1
installonly_limit=5
bugtracker_url=http://bugs.centos.org/set_project.php?project_id=16&ref=http://bugs.centos.org/bug_report_page.php?category=yum
distroverpkg=centos-release

# This is the default, if you make this bigger yum won't see if the metadata
# is newer on the remote and so you'll "gain" the bandwidth of not having to
# download the new metadata and "pay" for it by yum not having correct
# information.
# It is esp. important, to have correct metadata, for distributions like
# Fedora which don't keep old packages around. If you don't like this checking
# interupting your command line usage, it's much better to have something
# manually check the metadata once an hour (yum-updatesd will do this).
# metadata_expire=90m

# PUT YOUR REPOS HERE OR IN separate files named file.repo
# in /etc/yum.repos.d
== END cat /etc/yum.conf ==

== BEGIN yum repolist all ==
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* epel: mirrors.ircam.fr
repo id repo name status
base CentOS-6 - Base enabled: 6,294
c6-media CentOS-6 - Media disabled
centosplus CentOS-6 - Plus disabled
contrib CentOS-6 - Contrib disabled
debug CentOS-6 - Debuginfo disabled
epel Extra Packages for Enterprise Linux 6 - x8 enabled: 7,829
epel-debuginfo Extra Packages for Enterprise Linux 6 - x8 disabled
epel-source Extra Packages for Enterprise Linux 6 - x8 disabled
epel-testing Extra Packages for Enterprise Linux 6 - Te disabled
epel-testing-debuginfo Extra Packages for Enterprise Linux 6 - Te disabled
epel-testing-source Extra Packages for Enterprise Linux 6 - Te disabled
extras CentOS-6 - Extras enabled: 6
gandi Gandi enabled: 47
updates CentOS-6 - Updates enabled: 1,147
repolist: 15,323
== END yum repolist all ==

== BEGIN egrep 'include|exclude' /etc/yum.repos.d/*.repo ==
== END egrep 'include|exclude' /etc/yum.repos.d/*.repo ==

== BEGIN sed -n -e "/^\[/h; /priority *=/{ G; s/\n/ /; s/ity=/ity = /; p }" /etc/yum.repos.d/*.repo | sort -k3n ==
priority = 2 [gandi]
== END sed -n -e "/^\[/h; /priority *=/{ G; s/\n/ /; s/ity=/ity = /; p }" /etc/yum.repos.d/*.repo | sort -k3n ==

== BEGIN cat /etc/fstab ==
/dev/xvda1 / ext3 rw,noatime,errors=remount-ro 0 1
devpts /dev/pts devpts defaults 0 0
none /proc proc rw,nosuid,noexec 0 0
none /selinux selinuxfs defaults 0 0
== END cat /etc/fstab ==

== BEGIN df -h ==
Filesystem      Size  Used Avail Use% Mounted on
/dev/xvda1      3.0G  1.8G  1.1G  64% /
/dev/xvdd       6.0G  1.3G  4.4G  23% /srv/DONNEES
== END df -h ==

== BEGIN fdisk -lu ==
Disk /dev/xvda1 doesn't contain a valid partition table
Disk /dev/xvdd doesn't contain a valid partition table
Disk /dev/xvda2 doesn't contain a valid partition table

Disk /dev/xvda1: 3221 MB, 3221225472 bytes
255 heads, 63 sectors/track, 391 cylinders, total 6291456 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000


Disk /dev/xvdd: 6442 MB, 6442450944 bytes
255 heads, 63 sectors/track, 783 cylinders, total 12582912 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000


Disk /dev/xvda2: 379 MB, 379584512 bytes
255 heads, 63 sectors/track, 46 cylinders, total 741376 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000

== END fdisk -lu ==

== BEGIN blkid ==
/dev/xvda1: LABEL="CENTOS6_64" UUID="8ee876b5-52c1-4b70-9d55-c700771a2b6f" TYPE="ext4"
/dev/xvda2: LABEL="swap" UUID="c5330ac0-85d5-430f-bc7f-087cca5e197b" TYPE="swap"
/dev/xvdd: LABEL="DONNEES" UUID="8342ee8e-1bd3-6f0c-c404-ec9536530ca8" TYPE="ext3"
== END blkid ==

== BEGIN cat /proc/mdstat ==
cat: /proc/mdstat: No such file or directory
== END cat /proc/mdstat ==

== Warning: pvs is not installed ==

== Warning: vgs is not installed ==

== Warning: lvs is not installed ==

== BEGIN rpm -qa kernel\* | sort ==
kernel-2.6.32-220.23.1.el6.x86_64
kernel-devel-2.6.32-220.23.1.el6.x86_64
kernel-firmware-2.6.32-220.23.1.el6.noarch
kernel-headers-2.6.32-220.23.1.el6.x86_64
== END rpm -qa kernel\* | sort ==

== Warning: lspci is not installed ==

== Warning: lsusb is not installed ==

== BEGIN rpm -qa kmod\* kmdl\* ==
== END rpm -qa kmod\* kmdl\* ==

== BEGIN ifconfig -a ==
eth0 Link encap:Ethernet HWaddr 00:16:3E:GG:GG:GG
inet addr:95.142.xxx.xxx Bcast:95.142.xxx.xxx Mask:255.255.252.0
inet6 addr: 2001:4b98:dc0:51:216:xxxx:xxxx:xxxx/64 Scope:Global
inet6 addr: fe80::216:xxxx:xxxx:xxxx/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1400 errors:0 dropped:1 overruns:0 frame:0
TX packets:1249 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:178175 (173.9 KiB) TX bytes:294184 (287.2 KiB)
Interrupt:26

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:129 errors:0 dropped:0 overruns:0 frame:0
TX packets:129 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:15274 (14.9 KiB) TX bytes:15274 (14.9 KiB)

== END ifconfig -a ==

== Warning: brctl is not installed ==

== BEGIN route -n ==
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         95.142.xxx.xxx  0.0.0.0         UG    0      0        0 eth0
95.142.xxx.xxx  0.0.0.0         255.255.252.0   U     0      0        0 eth0
== END route -n ==

== BEGIN sysctl -a | grep .rp_filter ==
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.arp_filter = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.lo.arp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth0.arp_filter = 0
== END sysctl -a | grep .rp_filter ==

== BEGIN ip rule show ==
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
== END ip rule show ==

== BEGIN ip route show ==
default via 95.142.xxx.xxx dev eth0
95.142.xxx.xxx/22 dev eth0 proto kernel scope link src 95.142.xxx.xxx
== END ip route show ==

== BEGIN cat /etc/resolv.conf ==
nameserver 127.0.0.1
nameserver 217.70.184.225
nameserver 217.70.184.226
OPTIONS timeout:1 attempts:3 rotate
== END cat /etc/resolv.conf ==

== BEGIN egrep 'net|hosts' /etc/nsswitch.conf ==
#hosts: db files nisplus nis dns
hosts: files dns
#networks: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
netmasks: files
networks: files
netgroup: nisplus
== END egrep 'net|hosts' /etc/nsswitch.conf ==

== BEGIN chkconfig --list | grep -Ei 'network|wpa' ==
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
== END chkconfig --list | grep -Ei 'network|wpa' ==

[/code]

I was actually able to get SELinux to work... yet it's permissive because it's not configured right for now.
Any security advice is appreciated :)

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Solutions for a secure webserver

Post by TrevorH » 2012/09/27 21:44:43

I wanted to see it so I could see why a Xen kernel wouldn't work with SELinux. The reason is that you are not running a CentOS kernel - it's something hacked up by your vendor. The fact that you're running what purports to be CentOS 6.2 also means that the rest of your packages are probably not up to date either.

You probably want to run `yum update` to pull down 6.3 and all its subsequent patches and security fixes if you are concerned about security - and do this on a regular basis. Perhaps also subscribe to the CentOS-announce mailing list so that you get mailed notifications of security patches as they are released.

I'd also be concerned about your vendor-provided kernel - 3.2.26 is not [u]that[/u] old, but it dates from August 5th and there have been 3.2.27 - 29 releases since then, though I haven't checked to see if there were any security fixes in those versions. This is a good reason for sticking with the CentOS-supplied kernel and running `yum update` regularly - you'll get newer security vulnerabilities patched as they are released. This may be something that you have to talk to your hoster about, as Xen can either use pygrub to boot a VM - in which case the guest's kernel and grub are used - or the kernel can be specified in the Xen config file for the VM, and then the hoster has control over what kernel you run and it's pulled from the host machine, not the guest.

I see that you have yum-priorities installed and you have set your gandi repo to be priority 2, but the others are not assigned priorities manually, which means that everything else is 99 - including CentOS base and updates. That means that gandi packages will overwrite core CentOS packages from base and updates if there are any duplicates. That's possibly not what you intended - base and updates should be priority=1 so that they take precedence.

I also didn't realise that you were running on a Xen guest - when I saw "xen kernel" I assumed that you were on the host.
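
Two checks that follow from the reply above, written as an added example for this thread (not code from the thread, from CentOS or from the hoster): whether the running kernel is one the RPM database knows about (if not, `yum update` cannot patch it, which is the pygrub-versus-host-kernel point), and whether any enabled repo out-ranks base/updates under yum-priorities. The kernel and repo values in the samples are taken from the getinfo.sh output pasted earlier; the gandi baseurl, the epel-testing entry and the `report` wording are placeholders of mine.

```python
"""Added example: offline checks for the two problems pointed out in the
thread.  Inputs are passed in as strings; the constructed samples below are
modelled on the getinfo.sh output."""
import configparser
import glob
import re
import subprocess

YUM_PRIORITIES_DEFAULT = 99          # what the plugin assumes when a repo sets no priority
CORE_REPOS = ("base", "updates")


def kernel_is_rpm_managed(uname_r, kernel_rpms):
    """True if `uname -r` equals the version-release of an installed 'kernel' RPM
    (kernel-2.6.32-220.23.1.el6.x86_64 boots as 2.6.32-220.23.1.el6.x86_64).
    kernel-devel/-headers/-firmware are skipped because '\\d' must follow 'kernel-'."""
    for pkg in kernel_rpms:
        m = re.match(r"kernel-(\d\S*)$", pkg.strip())
        if m and m.group(1) == uname_r:
            return True
    return False


def repo_priorities(repo_texts):
    """Map each enabled repo id to its priority, given the text of the *.repo files.
    Missing 'priority' means 99; missing 'enabled' means the repo is enabled."""
    prios = {}
    for text in repo_texts:
        # '=' only, so the ':' inside URLs is never taken as a delimiter; no $var interpolation
        cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
        cp.read_string(text)
        for repo in cp.sections():
            if cp.get(repo, "enabled", fallback="1").strip() != "1":
                continue
            prios[repo] = int(cp.get(repo, "priority", fallback=YUM_PRIORITIES_DEFAULT))
    return prios


def shadowing_repos(prios):
    """Enabled non-core repos whose priority (lower number wins) beats at least one
    of base/updates, so the plugin lets their packages replace CentOS ones."""
    core = [prios[r] for r in CORE_REPOS if r in prios]
    if not core:
        return []
    weakest_core = max(core)
    return sorted(r for r, p in prios.items() if r not in CORE_REPOS and p < weakest_core)


def report(uname_r, kernel_rpms, repo_texts):
    """Human-readable findings; empty list means both checks passed."""
    out = []
    if not kernel_is_rpm_managed(uname_r, kernel_rpms):
        out.append(f"running kernel {uname_r} is not an installed kernel RPM; yum update will not patch it")
    bad = shadowing_repos(repo_priorities(repo_texts))
    if bad:
        out.append("repos that can shadow base/updates: " + ", ".join(bad))
    return out


def live_inputs():
    """Same inputs from the running host (needs rpm); not used by the samples."""
    run = lambda *a: subprocess.run(a, capture_output=True, text=True, check=True).stdout
    uname_r = run("uname", "-r").strip()
    rpms = run("rpm", "-qa", "kernel*").split()
    texts = [open(p).read() for p in sorted(glob.glob("/etc/yum.repos.d/*.repo"))]
    return uname_r, rpms, texts


# ---- constructed samples (no indentation inside the repo text: indented lines are continuations) ----
SAMPLE_UNAME_R = "3.2.26-xenU-6909-x86_64"
SAMPLE_KERNEL_RPMS = ["kernel-2.6.32-220.23.1.el6.x86_64", "kernel-devel-2.6.32-220.23.1.el6.x86_64",
                      "kernel-firmware-2.6.32-220.23.1.el6.noarch", "kernel-headers-2.6.32-220.23.1.el6.x86_64"]
REPOS_AS_POSTED = [
"""[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
gpgcheck=1

[updates]
name=CentOS-$releasever - Updates
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
gpgcheck=1
""",
"""[gandi]
name=Gandi
baseurl=http://repo.example.invalid/centos/6/$basearch
enabled=1
gpgcheck=1
priority=2
""",
"""[epel-testing]
name=EPEL testing (disabled, must be ignored)
baseurl=http://repo.example.invalid/epel-testing/6/$basearch
enabled=0
"""]
# The fix from the reply: give base and updates priority=1 so they win over the hoster's repo.
REPOS_FIXED = [REPOS_AS_POSTED[0].replace("gpgcheck=1\n", "gpgcheck=1\npriority=1\n")] + REPOS_AS_POSTED[1:]

if __name__ == "__main__":
    print("as posted:", report(SAMPLE_UNAME_R, SAMPLE_KERNEL_RPMS, REPOS_AS_POSTED))
    print("after fix:", report(SAMPLE_UNAME_R, SAMPLE_KERNEL_RPMS, REPOS_FIXED))
```

Run as-is it evaluates the samples; call `report(*live_inputs())` on a CentOS box to check the real host. The priority check deliberately flags a repo that beats either core repo, since a repo sitting between base and updates would still shadow updates.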

deajan
Posts: 53
Joined: 2009/08/01 12:49:42
Location: South France

Re: Solutions for a secure webserver

Post by deajan » 2012/09/28 19:07:07

Hello,

Yes, I do run CentOS 6.2 instead of 6.3; I think it's a choice of my hosting company.
Running yum update won't update more than what it is now. I think it's, like you said, a yum-priorities concern.
The gandi repo is the one from my hosting company. I'll have to ask them if there's any special reason for not upgrading to 6.3... or if they just forgot to sync their repo with the 6.3 tree.
Thanks for that.

On the other point, I actually asked if there are any web-hosting-related security tasks I could do, as I'm not used to hosting internet sites.
I did secure my httpd.conf file, I guess: allowing no overrides, no directory listing, no .htaccess files.
I made PHP run in safe mode and enabled open_basedir.

I'm actually searching for any super nice great tools like OSSEC / mod_security that I don't know yet :)

Cheers.
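
The three httpd.conf settings listed in the post (no overrides, no directory listing, no .htaccess files), as an added audit script that is not part of the thread: it parses Apache 2.2 style `<Directory>` and `<Files>` blocks and reports where a setting is not in effect. The sample configs are constructed; STOCK_CONF is modelled on the relevant defaults of the CentOS 6 httpd.conf (which already sets `AllowOverride None` and denies `.ht*`, but enables `Indexes` on /var/www/html). It reports each block on its own and does not model Apache's merging of Options across nested directories.

```python
"""Added example: check an httpd.conf for AllowOverride, directory listing
and .htaccess protection, block by block."""
import re

OPEN_TAG = re.compile(r"^<(\w+)\s*(.*?)>$")     # <Directory "/var/www/html">, <Files ~ "^\.ht">
CLOSE_TAG = re.compile(r"^</(\w+)>$")


def parse_httpd_conf(text):
    """Flatten the config into (tag, argument, [(directive, args), ...]) per
    container; top-level directives land in a pseudo-container ('global', '')."""
    root = ("global", "", [])
    containers, stack = [root], [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN_TAG.match(line)
        if m:
            c = (m.group(1), m.group(2), [])
            containers.append(c)
            stack.append(c)
        elif CLOSE_TAG.match(line):
            if len(stack) > 1:
                stack.pop()
        else:
            parts = line.split(None, 1)
            stack[-1][2].append((parts[0], parts[1] if len(parts) > 1 else ""))
    return containers


def indexes_enabled(options_args):
    """Interpret one Options line.  The absolute form ('Indexes FollowSymLinks')
    replaces the whole set; the relative form ('-Indexes +FollowSymLinks') only
    changes the named options.  True/False, or None if Indexes is inherited."""
    toks = [t.lower() for t in options_args.split()]
    if any(t[0] in "+-" for t in toks):
        if "+indexes" in toks:
            return True
        return False if "-indexes" in toks else None
    if "none" in toks:
        return False
    return "indexes" in toks


def _denies_all(directives):
    """Apache 2.2 'Deny from all' or 2.4 'Require all denied'."""
    for name, args in directives:
        n, a = name.lower(), " ".join(args.lower().split())
        if (n == "deny" and a == "from all") or (n == "require" and a == "all denied"):
            return True
    return False


def audit_httpd_conf(text):
    """Findings as strings; an empty list means all three settings hold."""
    findings, ht_protected = [], False
    for tag, arg, directives in parse_httpd_conf(text):
        t = tag.lower()
        if t in ("files", "filesmatch") and "^\\.ht" in arg:
            ht_protected = ht_protected or _denies_all(directives)
        elif t == "directory":
            path = arg.strip('"')
            for name, args in directives:
                n = name.lower()
                if n == "allowoverride" and args.strip().lower() != "none":
                    findings.append(f"{path}: AllowOverride {args} lets .htaccess files change policy")
                elif n == "options" and indexes_enabled(args):
                    findings.append(f"{path}: directory listing enabled (Options {args})")
    if not ht_protected:
        findings.append('no <Files ~ "^\\.ht"> block denying access to .htaccess/.htpasswd')
    return findings


# Constructed samples: the CentOS 6 defaults, and the same blocks hardened.
STOCK_CONF = r"""
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>
"""
HARDENED_CONF = STOCK_CONF.replace("Options Indexes FollowSymLinks", "Options -Indexes +FollowSymLinks")

if __name__ == "__main__":
    print("stock:   ", audit_httpd_conf(STOCK_CONF) or "ok")
    print("hardened:", audit_httpd_conf(HARDENED_CONF) or "ok")
```

To run it against a real server, read /etc/httpd/conf/httpd.conf and the files under conf.d/ and pass their concatenated text to `audit_httpd_conf`; anything it reports is a block where one of the three settings from the post is not actually applied.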

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Solutions for a secure webserver

Post by TrevorH » 2012/09/28 21:37:49

[quote]
On the other point, I actually asked if there are any web-hosting-related security tasks I could do, as I'm not used to hosting internet sites.
[/quote]

And I tried to point out that the number one thing you can do is to keep up to date with the vendor supplied updates. They patch security vulnerabilities and without them, all else is a sticking plaster over the top of a gaping wound.

deajan
Posts: 53
Joined: 2009/08/01 12:49:42
Location: South France

Re: Solutions for a secure webserver

Post by deajan » 2012/09/28 21:53:40

Sorry, didn't realize my answer could be read as rude :)

I cannot simply change the repo order and 'yum update' without asking my hosting company why they've made it this way, as I don't really want to end up with a non-rebooting server.
I'll have to wait and see what their reason is.

Meanwhile, I am still configuring the rest of the server and seeking security tools.
Thanks.
