linux – Page 4 – Ryan Schulze

Basic Server Hardening

October 26, 2008Ryanaide, chkrootkit, grsecurity, hackers, linux, logcheck, rkhunter, security, Server, tiger, tripwire

Ok, here is a list of a few programs I’d advise anyone to use who is running a server on the internet (or thinking of doing so).

aide or tripwire (they can check and report if files on your system get changed, configurable levels). If you use tripwire, don’t forget a “tripwire –check -I” after you do any updates.
logcheck will check your system logs, and report anything out of the ordinary (“ordinary” is defined by a list of ‘normal’ rules, and anything you add)
tiger goes farther than logcheck, it actively checks your system and reports anything strange (files not belonging to packages, users or groups that got added, …)
grsecurity adds more security features to your kernel (at least use the basic features and the possibility to turn off module loading after boot)
rkhunter, chkrootkit scan the system for signs of rootkits or other malware. just install, make sure they are executed daily by cron, possibly tweak rkhunters config a bit (I had problems with unhide and current kernel versions)

I’m not saying that setting up and tweaking all this software and actually reading the emails they generate will make your server super-duper secure, but they will reduce the risk of running a server open to the internet and alarm you if somthing strange is happening. It is important to read and understand what theese programs mail you. Yes, you will get false positives from time to time. And yes, you will have to adjust the config now and then due to package updates; but I get about 3-4 mails a week, and that is definatly ok considering the amount of data that gets checked.

Bash Scripting

October 13, 2008Ryanbash, linux, scripting, shell, vim

I’ve been doing a bit of bash scripting lately. Anyone who is interrested in bash scripting should also have a look at the “bash support” vim script http://www.vim.org/scripts/script.php?script_id=365. A fair amount of the addons are aimed at a gui usage (like gvim), but even if you are a console user like me, it adds enough features to be worth while. After using it for a few days you get addicted to the neat features, scripting in a vim without it is like typing with your nose. It’s not impossible, but you aren’t having much fun either.

MSI Wind U100

October 11, 2008Ryan1 CommentDebian, Laptop, linux, MSI, Windows

I bought myself a laptop this week. To be more precise I bought a MSI Wind U100 “Luxury” version in white with 2GB Ram. It arrived today, and I have been spending most of the afternoon setting up Windows. I must say, I’m positively surprised about how good it works and the default setup. It came with 3 partitions, the first (about 3GB) is a rescue system, the second (about 50GB) has windows installed, and the rest (100GB) was an empty partition. I reduced the last partition to 50GB and will be installing Linux in the other half later on (Dual-Boot). It seems most of the community is only interested in installing ubuntu on the msi wind, so let’s see how far I get with a “normal” debian install. Not that ubuntu is bad, I use it often enough as a desktop installation, but this laptop isn’t really your standard hardware or usage here. So debian it will be, and minimized/customized to to what I want efficiently and good looking ;-).

Since there are plenty of reviews floating around the ‘net, I’ll spare you all a rant about how cool the notebook is.

Hackit Server downtime

October 7, 2008Ryanbroken, hackit, linux, ssh

Sorry for the downtime, wasn’t planned. It was late last night when I set up the knock daemon, I somehow managed to accidently copy and past my terminal which resulted in about a quarter of my /etc/init.d/* scripts getting broken. Unfortunatly I didn’t notice it right away. I did notice it when I rebooted the server (kernel change) and lot’s of daemons didn’t come up (oh unimportant stuff like SSH 🙁 ) Well, that’s what backups are for.

knock daemon with INPUT chain set to default ACCEPT

October 6, 2008March 12, 2011Ryanbasg, iptables, knock, linux, Server, ssh

I know there are plenty of pages floating around the Internet about knock daemons that open ports in a firewall after a predefined series of ports are “knocked”. For some reason ALL the pages I found assumed that a) you want the filter in your INPUT chain, and that the INPUT chain defaulted to DROP or REJECT.
In my case, I’m defiantly not going to have a iptables firewall with a default that drops packets. Every few weeks I try out some new software and can’t be bothered with adjusting my firewall every time. All I need it to do is keep pesky people off my ssh, that’s all.

So here is a short tutorial how to set up s knock daemon with a ACCEPT default for INPUT:

/etc/knockd.conf

[options]
UseSyslog

[opencloseSSH]
sequence      = 76:udp,123:tcp,7630:tcp,1921:udp
seq_timeout   = 25
tcpflags      = syn,ack
start_command = /sbin/iptables -I SSH-Knock 2 -s %IP% -p tcp --dport 22 --syn -j ACCEPT
cmd_timeout   = 20
stop_command  = /sbin/iptables -D SSH-Knock -s %IP% -p tcp --dport 22 --syn -j ACCEPT

[options]

UseSyslog

[opencloseSSH]

sequence = 76:udp,123:tcp,7630:tcp,1921:udp

seq_timeout = 25

tcpflags = syn,ack

start_command = /sbin/iptables -I SSH-Knock 2 -s %IP% -p tcp --dport 22 --syn -j ACCEPT

cmd_timeout = 20

stop_command = /sbin/iptables -D SSH-Knock -s %IP% -p tcp --dport 22 --syn -j ACCEPT

iptables:

iptables -N SSH-Knock
iptables -A INPUT -p tcp --dport 22 -j SSH-Knock
iptables -A SSH-Knock -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A SSH-Knock -j REJECT --reject-with icmp-port-unreachable
/etc/init.d/iptables save active

iptables -N SSH-Knock

iptables -A INPUT -p tcp --dport 22 -j SSH-Knock

iptables -A SSH-Knock -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A SSH-Knock -j REJECT --reject-with icmp-port-unreachable

/etc/init.d/iptables save active