34 replies to this topic

[JimmyRidge]

just got finished dicking with some neato stuff myself mostly centered around my openwrt router (it is my gateway to the world afterall) heres some of the things i did

WPA wireless

my ssh/http server are hosted on a gentoo server with hardened kernel

iptables TARPIT module i tarpitted a few common windows ports lol netbios etc

snort ids alert mode (really want to setup some sort of temporary ipblocking for those that trip the alarm) *UPDATE* using snort inline! iptables queue's pkts snort inspects and accept/drops based on the rules only been running a short while but unbelievable the amount of attacks so far on my "nothing special servers"

<-- sixxs.net user!! i have a tunnel and a subnet workin on reverse delegation

i started increasing ssh password security and setup ssh keys so i dont have to type 20+ characters everytime i logon

so far i think its all locked down pretty good i can sleep tonight and continue fucking with it all and improving *UPDATE> also fired up fail2ban that checks the auth log for failed atempts and blocks the ip for a significant amount of time

hey its a work in progress and a home lab so... bite me

been thinking of messing with honeyd agian just wet my tongue with tinyhoneypot but that was too weak oh yea labrea tarpit for my ipv6 subnet hide my real machines

damn i still need to fart with dns bind

all in a days work

Edited by JimmyRidge, 11 May 2008 - 11:26 PM.

[Alk3]

You should recompile SSH with the versions spoofed on your router. It makes it harder for attackers to figure out what exploit to run against your gateway. So like this:

# ssh -v
OpenSSH_4.7p1 Debian-2, OpenSSL 0.9.8g 19 Oct 2007

I would spoof the stable release of Debian. I'm running Debian Lenny, not Etch, so it would in turn say OpenSSH_4.3p2. Its a good idea to do that for any service commonly known to drop to root if exploited. Sure there are thing that can be done to get passed this while attacking, but it should hopefully make your IDS easier to set up.

Edited by Alk3, 13 March 2008 - 02:32 PM.

[Alk3]

Also...

http://www.nagios.org/

https://www.linuxsecuritycentral.com/

[Coder(365)]

When setting up my router for OpenWRT, I used Shorewall as the front-end for iptables. It makes things so much easier to configure.

[mungewell]

In terms of firewall config I have recently been playing with Pyroman (http://pyroman.alioth.debian.org/).

It has a config file arrangement with rules in clearer english/text. It can pre-parse the rule for correctness and backups the current state of IPtables before applying new rules - useful if you get something wrong as you can 'undo'.

Cheers,
Mungewell.

[.solo]

I had a lot of fun implementing perfect-paper-passwords - another Steve Gibson project.

I used the pam module so I can use paper passwords with my ssh server. In addition to your user password you will have a one-time-use 4 character passcode.








http://code.google.com/p/ppp-pam/

https://www.grc.com/ppp.htm

It works great and because I often want to login to my ssh server on a friends computer or at school I don't always have my public key.

[Zapperlink]

When setting up my router for OpenWRT, I used Shorewall as the front-end for iptables. It makes things so much easier to configure.

try dd-wrt or if u want real lightweight tomato

[Beave]

I think things like firewalls, turn off services, etc...etc.. have been covered. I haven't seen these yet (but I didn't read everything in the threat).

- AIDE - Advanced Intrusion Detection Environment - http://sourceforge.net/projects/aide - This works a lot like tripwire (but is GNU/GPL). Basically, it takes a snap shot of the files on the system (using SHA1, MD5, etc..etc). On any system that I'm "worried" about, I'll use AIDE to take a snapshot of the system and I _store that on CD_. This way, if the system every gets compromised, you can pull the machine offline and run AIDE against the CD and determine what has been changed. If you leave the AIDE DB on the machines, the attacker can simply "update" the DB. Anyways, useful for checking the integrity of the the system. I've used this utility on "real system" and "honeypots".

- Snort - http://www.snort.org - This might be overkill. I run snort at a lot of sites. Even if it's overkill for your network, it's still sometimes interesting to see what it catches.

- PAX/GRSEC - extra security layers in the kernel. These are basically kernel patches that prevent (or try to) buffer overflows, heap overflows, various race conditions. They add several security features that the default kernel doesn't have.

- IBM Pro-Police - As a Gentoo user (No, I'm not a ricer) - I use the IBM Pro-Police GCC patches to build up most of my system(s). This adds things like "canary-on-the-stack" type protection amongst over things. Basically, again, It "helps" prevent things like buffer overflows, etc....

- Don't ignore syslog data. On critical sites, we have syslog stored locally and remotely. A typically attacker will attempt to "cover up" the intrusion by modifying the system logs (syslog) data. If the data is sorted off site (via syslog UDP over a VPN tunnel, or whatever), the attacker won't have access to those logs to "cover up". Sure, they can edit the local logs - but who cares.

- Speaking of syslog, utilities like "swatch" will allow for "real time" syslog monitoring. It seem to work pretty well, but I've always found it a bit "kludgy". I've been working on another project (code named "sagan") that's written in C. The idea is that it's "snort" for "syslog". The idea is that it uses the same rule set structure as "snort" and will even output to a Snort database (SQL). This enabled you to use tools that work with snort (oinkmaster, BASE/ACID, etc) to work with "sagan". Sagan can/will be able to output to ASCII flat files, Snort DB's, MySQL, Postgresql and various other formats. The rule sets allow you to "look" for events and be notified in "real time". I'll post here when I have the release version done.

Anyways, that's my 2 cents.

[iceni]

i can't remember all the things i've done, but i configured apparmor and disabled unneeded daemons and i configured Aide too.

this is how i setup Aide -

how to setup. install, then in a root shell run this -
# aide --init

that will create the databse.

then rename the new database to make it active -
cd /var/lib/aide/
mv aide.db.new aide.db

the rules are kept here -
/etc/aide.conf

to re-run and check it run this from a root shell -
# aide --check -V2>>SOME_NAME.txt

[mirrorshades]

I had a lot of fun implementing perfect-paper-passwords - another Steve Gibson project.

I used the pam module so I can use paper passwords with my ssh server. In addition to your user password you will have a one-time-use 4 character passcode.

It works great and because I often want to login to my ssh server on a friends computer or at school I don't always have my public key.

Hey, that's pretty cool. Almost makes me think Mr. Gibson is less of a wacko. :)

I just have all my SSH stuff public key only. I tend to have my USB drives with me, so it's not a huge deal. But that does look kind of neat. Could use with a blank password and basically have it be one-time use passwords only. (Of course, don't lose the paper it's printed on, or have the ink smudge.)

[iceni]

here are some links about securing linux -
http://www.linuxtopi...uide/index.html
http://www.linuxtopi...rity/index.html
http://www.linux-sec...arden.gwif.html
http://www.debian.or...n.html#contents
http://www.debianhel...uk/security.htm <--- this one is short and easy and good!
http://www.puschitz....ringLinux.shtml
http://www.linux-sxs...ity/scheck.html <-- this is another short and easy to follow one

i wish there were more linux security forums, i love windows security but know nothing about linux security compared to windows!

Edited by iceni, 23 April 2008 - 06:51 PM.

[army_of_one]

Another thing I'll add to the list is process isolation via virtualization. You can sandbox each of your main services, like web or email servers, into their own isolated segment. There are many ways to do this. Here's the one's holding the most promise:

1. OS-level virtualization with OpenVZ. This starts with a central, OpenVZ kernel and basically creates a bunch of kernel or OS instances for each VM. The VM must run the same OS, but the result is lightening-fast, provides moderate amount of security, and has a ton of useful features (like bandwidth limiting).

2. Host-level virtualization with VMWare Server or Xen. In this case, you have a host OS (e.g. Linux) running a "hypervisor" (VMWare or Xen) which runs a bunch of VM's. Each VM has a full operating system and services, like an actual computer. You would REALLY harden the host OS and carefully configure the virtualization layer. Then, you just create a VM for each software you want to run, removing all unnecessary components. I would use JeOS or DSL for the guest OS, possibly patched with SELinux or grsecurity. With addons like VMWare Tools, you can have better performance and integration with host, albeit potential security issues. This type of virtualization, is fairly easy to do and provides really good isolation. If sh1t happens, you just restore from snapshot.

3. Bare-metal virtualization. In this case, the hypervisor (virtualization software) runs directly on the hardware, with no host OS. VMWare ESX Server (ESXi is free) is the most popular of these. I like using these because it reduces the size of the "trusted computing base." In other words, there's a smaller amount of code for an attacker to try to exploit for kernel-level access. ESXi, with everything included, is under 50MB I think. Bare-metal's main drawback is hardware support, but if you get compatible hardware then you have a very fast, efficient, easily-managed, and very secure way to isolate your services.

Virtualization isn't a magic bullet. It has its own risks and problems. You definitely need to practice defense in depth and be careful like with anything else. However, used properly, it can be a valuable weapon in your security arsenal.

(Side note: don't try to use chroot for this. It wasn't really designed for it, and there are many attacks on it.)

Edited by army_of_one, 07 February 2009 - 06:10 PM.

[duper]

You can use a combination of SELinux RBAC and the latest in kernel hardening and anti-exploitation technologies, but still be safer on Windows Vista SP2 Beta.

[army_of_one]

Vista is the safest version of Windows, but from a server standpoint I totally disagree. The main Vista security features are listed here:

http://technet.micro...y/bb629420.aspx

I'm aware of Server 2003's security, which is primary MS server OS until 2008 see's wider adoption. Looking at it all, I think a basic server is much more secure on hardened Linux, Solaris 10 (w/ Containers), FreeBSD (w/ Jails), OpenBSD, or VMS. MS Vista and Server 2003/2008 can't touch those in security and stability. If I was doing any important servers, I'd probably run them on top of VMWare ESX server. I'd separate security appliances, management, DNS and web server into separate VM's. I might even use different OS's: OpenBSD for firewall appliance; LFS or DSL(trimmed) w/ djbdns for DNS; hardened RedHat/CentOS w/ SELinux for production server. The management VM would monitor the others, do failover if necessary, etc. It's a bit more complex, but still very manageable for secure home servers. Additionally, you only need one set of security/mgmt. related VM's. You can have as many application-specific server VM's as you want from there. Even enterprises could use this model, as they have access to management tools that removes burden of complexity.

[vulture]

Hmm,

I take the onion layered approach to security.

for a mere $300 one can easily pick up a Cisco asa 5505 and utilize ASDM to configure most traffic rules and ACLs,

even so I normally place a secondary security host right behind
mine .
Pfsense is a great router distro that runs on just about any x86 hardware and is pretty secure with snort and other packages available. IT also has a very clean and polished web administration interface

http://www.pfsense.org/