posted by martyb on Saturday June 03 2017, @02:32PM
from the cat-and-mouse-and-dogged-determination dept.

A couple years ago I set up a simple brochure-ware site for the School Board in the district here in Brooklyn, hosted on a VPS instance on Linode, to publicize the dates of public meetings, meeting minutes, etc. The VPS doesn't contain any sensitive information so I locked down the ports to 80, 443, and 22, hardened the SSH with measures like fail2ban, kept the system updated every week or so, and called it a day.

Last week, though, the site was compromised. Blowing the instance away and re-creating it from physical backups is not a problem, but in poring through the system to figure out how it was breached I realized both that my own security chops aren't deep enough and that standard best security practices might not be good enough anymore, anyway, given the many vulnerabilities exposed in the last year and realities like the NSA trove that Shadow Brokers leaked.

So the question for the more experienced security professionals in the Soylent community is, can they recommend a good guide and/or site to hone Linux security chops and forensic skills that's current?

  • (Score: 4, Insightful) by Anonymous Coward on Saturday June 03 2017, @03:09PM (13 children)

    by Anonymous Coward on Saturday June 03 2017, @03:09PM (#519873)

    You just don't need all this overly fancy software. Make a clean, well-styled static web page for announcements; update these pages by hand (e.g., generate them offline, and then post them on the server).

    Software is trash, because people are trash; you'll never have something secure in the age of the get-girls-coding Script Monkey.

  • (Score: 0) by Anonymous Coward on Saturday June 03 2017, @03:29PM

    by Anonymous Coward on Saturday June 03 2017, @03:29PM (#519879)

    Curious George resembles that remark!

  • (Score: 0) by Anonymous Coward on Saturday June 03 2017, @03:51PM (3 children)

    by Anonymous Coward on Saturday June 03 2017, @03:51PM (#519885)

    you'll never have something secure in the age of the get-girls-coding Script Monkey.

    Name one age when computers were secure.

    • (Score: 0) by Anonymous Coward on Saturday June 03 2017, @05:41PM

      by Anonymous Coward on Saturday June 03 2017, @05:41PM (#519923)

      The late second century BC [wikipedia.org] maybe?

    • (Score: 2) by kaszz on Sunday June 04 2017, @01:13AM (1 child)

      by kaszz (4211) on Sunday June 04 2017, @01:13AM (#520044) Journal

      When programmers knew their shit because no hand holding was available and the "servers" were simple enough to really be able to look through and personally audit the code. Modern server software contains a gazillion options and features that most people will not use but just wait to be exploited.

      • (Score: 0) by Anonymous Coward on Sunday June 04 2017, @09:00AM

        by Anonymous Coward on Sunday June 04 2017, @09:00AM (#520149)

        When programmers knew their shit because no hand holding was available and the "servers" were simple enough to really be able to look through and personally audit the code.

        Yes, but when was this wonderful mythical era? 90s? 80s? 70s? 60s?

        The whole "security" side of the Internet is bolted on after the fact, as the original computer networks were developed by academics for academics with no security considerations whatsoever. All users were trusted. A secure Internet would require a complete bottom-up redesign.

        Modern server software contains a gazillion options and features that most people will not use but just wait to be exploited.

        Most software contains gazillions of options and features that most people will never use. But that one time when I really need one of those features, if it's not there, I will switch to software that has it.

  • (Score: 2) by bzipitidoo on Saturday June 03 2017, @04:03PM (6 children)

    by bzipitidoo (4388) on Saturday June 03 2017, @04:03PM (#519892) Journal

    Yes, the KISS principle.

    That's how I run my web site. Not even a full LAMP stack, just the L and A parts. No CMS either; I wrote all the HTML myself, in a text editor. I put a little JavaScript in one of the pages, but the site is quite viewable without it, you just won't see the pretty chess boards I made. I have never had a problem with my website being defaced or compromised, and I've had it up for 13 years now.

    I can get by without the M and P parts because I am not running a forum or taking payments or donations, or anything that needs a registration process for users. There just isn't much surface for the black hats to work with.

    • (Score: 3, Interesting) by N3Roaster on Saturday June 03 2017, @04:46PM (1 child)

      by N3Roaster (3860) <roaster@wilsonscoffee.com> on Saturday June 03 2017, @04:46PM (#519901) Homepage Journal

      Also worth noting is that a lot of what simple sites use the P for are things that static site generators (jekyll, nanoc) do well now. Using any of those you can keep the nice template features, feed generation, &c. Let the generator update the site from a git hook. All of that is still locked up behind port 22 (hopefully no root login allowed, key-based) so you're not increasing the attack surface. That's pretty easy to set up on Linode.

      • (Score: 2) by TheRaven on Sunday June 04 2017, @12:52PM

        by TheRaven (270) on Sunday June 04 2017, @12:52PM (#520191) Journal

        I'd second the recommendation of Jekyll (it's also supported by GitHub, so you can host pages using it in source form and have them generate the HTML). There are a bunch of useful packages (e.g. one for linking FreeBSD man pages, one for parsing BibTeX and generating references and so on), and it's trivial to do local generation for testing and use a git post-push hook for deployment. The web server can then run without the rights to modify any files on the disk.
        --
        sudo mod me up
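The deployment path N3Roaster and TheRaven describe, as an added example that is not code from either poster, from Jekyll or from Linode: a server-side git post-receive hook that unpacks the pushed revision into a scratch directory, builds it, copies the result into a fresh release directory with every write bit for group and other removed, and then switches a `current` symlink with a rename so the swap is atomic. The repository and site-root paths, the branch name, and the plain-copy fallback used when Jekyll is not installed are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): a git post-receive hook that builds a
# static site and publishes it so the web server only ever reads the result.
# Assumed (hypothetical) layout: a bare repo at $REPO that the deploy user
# pushes to over SSH, and a site root at $SITE_ROOT holding releases/ and a
# 'current' symlink that the web server's DocumentRoot points at.
set -e

REPO=${REPO:-/home/deploy/site.git}
SITE_ROOT=${SITE_ROOT:-/srv/www/schoolboard}
BRANCH=${BRANCH:-master}

# Build the checked-out source tree $1 into the output directory $2.
# Uses Jekyll's real `jekyll build --source/--destination` when it is
# installed (and SITE_BUILDER is not overridden); otherwise copies the tree
# verbatim so the rest of the pipeline can be exercised without Jekyll.
build_site() {
    src=$1; out=$2
    mkdir -p "$out"
    if [ "${SITE_BUILDER:-jekyll}" = jekyll ] && command -v jekyll >/dev/null 2>&1; then
        jekyll build --source "$src" --destination "$out"
    else
        cp -R "$src"/. "$out"/
    fi
}

# Publish a built tree ($1) under the site root ($2): copy it into a fresh,
# uniquely named release directory, strip the write bits for group and other
# (the web server's user gets read-only access), then replace the 'current'
# symlink with a rename so visitors never see a half-copied site.
# Prints the path of the new release directory.
publish_release() {
    built=$1; root=$2
    mkdir -p "$root/releases"
    rel=$(mktemp -d "$root/releases/$(date +%Y%m%d%H%M%S).XXXXXX")
    cp -R "$built"/. "$rel"/
    chmod -R u=rwX,go=rX "$rel"
    ln -sfn "$rel" "$root/current.tmp"
    mv -T "$root/current.tmp" "$root/current"   # rename(2): atomic swap (GNU mv)
    echo "$rel"
}

# Hook body. git runs hooks/post-receive with "oldrev newrev refname" lines
# on stdin; only a push to $BRANCH triggers a build, and the build happens in
# a throwaway directory outside the web root, never in the bare repo itself.
post_receive() {
    while read -r oldrev newrev refname; do
        [ "$refname" = "refs/heads/$BRANCH" ] || continue
        work=$(mktemp -d)
        git --git-dir="$REPO" archive "$newrev" | tar -x -C "$work"
        build_site "$work" "$work.out"
        rel=$(publish_release "$work.out" "$SITE_ROOT")
        rm -rf "$work" "$work.out"
        echo "deployed $newrev to $rel"
    done
}

# When installed as $REPO/hooks/post-receive (chmod +x), run the hook; when
# sourced or run under another name, only define the functions above.
if [ "$(basename "$0")" = "post-receive" ]; then
    post_receive
fi
```

Install the script as `$REPO/hooks/post-receive` owned by the deploy user, point the web server's DocumentRoot at `$SITE_ROOT/current`, and run the web server as a separate account (www-data on Debian) that owns nothing under `$SITE_ROOT`. The hook then runs with the deploy user's rights over SSH, and a compromised web server process has nothing it can write to. `mv -T` is a GNU coreutils option, which is what a Debian VPS has.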
    • (Score: 2) by Phoenix666 on Saturday June 03 2017, @10:47PM (3 children)

      by Phoenix666 (552) on Saturday June 03 2017, @10:47PM (#520004) Journal

      That's exactly what I did, for the same reasons. Other than that, I did set up a mail server using the Perfect Server for Debian guide on HowtoForge. That's the only other service and set of ports left open in the firewall. The SSH I set up to bounce everything coming from China, because fail2ban's logs were showing IP addresses in that range trying to brute force it; in fact I can still see the fail2ban logs bouncing attempts from those IPs the way it's supposed to. And yet, somewhere in the system there's a process that keeps recreating reverse SSH connections to that range of IP addresses. Looked in all the usual places for said process, ran lsof on the open connections, and still haven't found it yet.

      It's really a bare-bones implementation that I kept current with package updates on a fairly regular basis, so that's why I'm mystified. I've always trusted the KISS principle and the strength of FLOSS and guides on best practices to do the heavy lifting on security, but this episode has me re-examining that.

      --
      Washington DC delenda est.
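One way to narrow down the hunt Phoenix666 describes, as an added example that is not code from the poster: fail2ban only watches inbound logins, so outbound SSH sessions need their own check. The script parses `ss -tnp` for established connections whose remote port is 22, attributes each to a pid, and walks that pid's ancestry through /proc so a helper spawned by cron, a systemd unit or the web server shows its parent. The `ss` sample lines are constructed for the example; the /proc layout is Linux's.

```shell
#!/bin/sh
# Added example (not from the thread): triage helpers for an unexplained
# process opening outbound SSH sessions. Nothing here is a complete answer;
# it narrows the search to a pid, its ancestry and where its binary came from.
set -e

# Constructed sample of `ss -tnp` output, used to exercise the parser offline.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port   Process
ESTAB  0      0      203.0.113.10:44122   198.51.100.7:22     users:(("ssh",pid=4242,fd=3))
ESTAB  0      0      203.0.113.10:443     192.0.2.55:51820    users:(("apache2",pid=1300,fd=12))
ESTAB  0      0      203.0.113.10:22      192.0.2.9:50100     users:(("sshd",pid=900,fd=4))
ESTAB  0      0      203.0.113.10:39008   198.51.100.8:22     users:(("sh",pid=5151,fd=7))'

# Read `ss -tnp` lines on stdin and print "peer pid" for every established
# connection whose REMOTE port is 22, i.e. SSH sessions this host initiated.
# Inbound sshd sessions (local port 22) are ignored. pid is "unknown" when ss
# could not attribute the socket; if that happens with -p run as root, the
# owning process is hiding from /proc and the box should be treated as rooted.
outbound_ssh() {
    awk '$1 == "ESTAB" && $5 ~ /:22$/ {
        pid = "unknown"
        if (match($6, /pid=[0-9]+/)) pid = substr($6, RSTART + 4, RLENGTH - 4)
        print $5, pid
    }'
}

# Walk a pid back towards init, printing "pid comm exe" at each step. An exe
# ending in "(deleted)" means the binary was removed after it started, which
# is common for dropped malware; a parent of cron, a systemd service or
# apache2 says where to look for the persistence (crontabs, unit files and
# timers, rc.local, ~/.ssh/rc, anything writable by the web server).
ancestry() {
    pid=$1
    while [ -n "$pid" ] && [ "$pid" -gt 1 ] && [ -r "/proc/$pid/status" ]; do
        comm=$(tr -d '\n' < "/proc/$pid/comm")
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')
        echo "$pid $comm $exe"
        pid=$(awk '/^PPid:/ { print $2 }' "/proc/$pid/status")
    done
}

# Live run (root is needed for -p to show other users' processes): list the
# outbound SSH sessions, then the ancestry of each owning process.
triage_outbound_ssh() {
    ss -tnp | outbound_ssh | while read -r peer pid; do
        echo "== $peer (pid $pid)"
        if [ "$pid" != unknown ]; then
            ancestry "$pid"
        fi
    done
}
```

Run `triage_outbound_ssh` as root on the suspect box, ideally from a statically linked toolset on read-only media, since a compromised host's own `ss`, `awk` and `readlink` may lie. A pid that `ss` reports but `/proc` does not show, or a connection with no pid at all, is the signal to stop investigating in place and rebuild from the backups, exactly as the submitter did.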
      • (Score: 0) by Anonymous Coward on Sunday June 04 2017, @01:02AM

        by Anonymous Coward on Sunday June 04 2017, @01:02AM (#520037)

        And yet, somewhere in the system there's a process that keeps recreating reverse SSH connections to that range of IP addresses. Looked in all the usual places for said process, ran lsof on the open connections, and still haven't found it yet.

        SystemD.

      • (Score: 0) by Anonymous Coward on Sunday June 04 2017, @01:18AM

        by Anonymous Coward on Sunday June 04 2017, @01:18AM (#520045)

        I don't know which Perfect Server guide on HowtoForge you're talking about, but the ones I'm seeing are talking about bind and apache? That's not how to set up any "perfect" mail server. bind shouldn't be used on any server if possible. Sounds like you're not doing enough research nor being paranoid enough.

      • (Score: 0) by Anonymous Coward on Sunday June 04 2017, @06:15AM

        by Anonymous Coward on Sunday June 04 2017, @06:15AM (#520121)

        a. Your hosting provider may have been compromised. Your site was attacked via a hole in Xen, VMWare, or Linux containers.

        b. Your client, used for ssh, was compromised.

        c. Intel's management firmware bug got you. That chip on the motherboard either attacked your kernel or it is itself doing the outbound ssh.

        d. The outbound ssh is running in SMM (system management mode) and was possibly installed by the PC vendor. It could even be that, or just crummy anti-theft stuff calling home.

        e. Debian is compromised. They may have a bad developer or ftp maintainer.

        f. Maybe you got a bad install disk, and thus you aren't actually using Debian. It looks like Debian, being based off of Debian, but it has different package sources.

  • (Score: -1, Troll) by Ethanol-fueled on Saturday June 03 2017, @04:56PM

    by Ethanol-fueled (2792) on Saturday June 03 2017, @04:56PM (#519903) Homepage

    When you're dealing with Brooklyn, you're dealing with Jews, and Jews have money. The challenge is to convince them to spend that money.