
posted by martyb on Saturday June 03 2017, @02:32PM
from the cat-and-mouse-and-dogged-determination dept.

A couple years ago I set up a simple brochure-ware site for the School Board in the district here in Brooklyn, hosted on a VPS instance on Linode, to publicize the dates of public meetings, meeting minutes, etc. The VPS doesn't contain any sensitive information so I locked down the ports to 80, 443, and 22, hardened the SSH with measures like fail2ban, kept the system updated every week or so, and called it a day.

Last week, though, the site was compromised. Blowing the instance away and re-creating it from physical backups is not a problem, but in poring through the system to figure out how it was breached I realized both that my own security chops aren't deep enough and that standard best security practices might not be good enough anymore, anyway, given the many vulnerabilities exposed in the last year and realities like the NSA trove that Shadow Brokers leaked.

So the question for the more experienced security professionals in the Soylent community is: can they recommend a good, current guide and/or site to hone Linux security chops and forensic skills?

  • (Score: 3, Informative) by barrahome (3580) on Saturday June 03 2017, @06:14PM (#519927) (3 children)

    I've been using cPanel for 12 years, lots of issues and lessons; the basic list to me is this:

    • Disable shell functions in PHP & anything related to executing commands; users are lame, they download nulled stuff & shit. This will prevent crap like this, including remote URL includes.
    • Disable compilers.
    • Mount /tmp and /home with no exec permissions so people can't compile or run binary files, unless you know what the user does.
    • Install mod_ruid2 if you use Apache.
    • Rate limit the number of emails an account can send per hour so your queue doesn't fill up with spam if someone gets hacked. We hate to be in an RBL, right?
    • Then you can jump on advanced stuff; I'm not talking about Perl & Python stuff because most "hackers" are script kiddies, they only do basic shit & copy-paste stuff.
    • Change all default ports, install a good honeypot. Read your stats, learn your traffic.
    • Fail2ban is a good friend, use it.
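Two of the items in the list above (noexec on /tmp and /home, and PHP's disable_functions) are easy to audit from a shell. The script below is an added example, not barrahome's code or cPanel's: the check functions take file text as an argument, so they run here on a constructed /proc/mounts and php.ini sample and can be pointed at the live files; the php.ini path is an assumed placeholder.

```shell
#!/bin/sh
# Hardening audit for two items: noexec mounts and PHP disable_functions.
# Checks read the text they are given, so they run on constructed samples
# (below) or on live files: audit "$(cat /proc/mounts)" "$(cat "$PHP_INI")".

# mount_has_opt MOUNTS MOUNTPOINT OPTION
# MOUNTS is text in /proc/mounts format; succeeds if MOUNTPOINT has OPTION.
mount_has_opt() {
  printf '%s\n' "$1" | awk -v mp="$2" -v opt="$3" '
    $2 == mp { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == opt) found = 1 }
    END { exit found ? 0 : 1 }'
}

# php_disables PHPINI FUNC
# PHPINI is php.ini text; succeeds if the disable_functions line lists FUNC.
# Lines commented out with ";" do not match because the pattern is anchored.
php_disables() {
  printf '%s\n' "$1" | awk -v f="$2" -F '=' '
    /^[ \t]*disable_functions[ \t]*=/ { gsub(/[ \t]/, "", $2); n = split($2, d, ",")
      for (i = 1; i <= n; i++) if (d[i] == f) found = 1 }
    END { exit found ? 0 : 1 }'
}

# audit MOUNTS PHPINI: prints one FAIL line per missing item, then the count.
audit() {
  fails=0
  for mp in /tmp /home; do
    mount_has_opt "$1" "$mp" noexec || { echo "FAIL: $mp is not mounted noexec"; fails=$((fails + 1)); }
  done
  for fn in exec shell_exec system passthru popen proc_open; do
    php_disables "$2" "$fn" || { echo "FAIL: PHP function $fn is not disabled"; fails=$((fails + 1)); }
  done
  echo "$fails"
}

# Constructed samples: /tmp is noexec, /home is not; popen and proc_open are
# still enabled, so the audit reports 3 failures.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda2 /home ext4 rw,relatime 0 0'
SAMPLE_INI='; constructed php.ini fragment
;disable_functions = popen
disable_functions = exec, shell_exec, system, passthru'

PHP_INI="${PHP_INI:-/etc/php.ini}"   # assumed path; override for your distro
audit "$SAMPLE_MOUNTS" "$SAMPLE_INI"
```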
  • (Score: 0) by Anonymous Coward on Saturday June 03 2017, @08:02PM (#519960)

    Also, to add to this: if your instance does not need it, remove it. You do not need to have every tool there, just the ones to get things done. That is why people are moving to containers. The containers have exactly what is needed and no more. Use something like AppArmor.

    Move some of the tools to non-standard locations and lock them to particular users if you must have them there.

  • (Score: 2) by Phoenix666 (552) on Saturday June 03 2017, @11:00PM (#520006) (1 child)

    Yeah the site didn't require PHP, so I didn't use it. There's no interactivity on the site. It's all simple HTML/CSS.

    I didn't change the default ports for the HTTP/S or SSH because it doesn't do much.

    I did set up a mail server, but used the Perfect Mail Server for Debian on HowtoForge and kept the packages updated.

    Fail2ban is set up, and the funny thing is it's still there bouncing everything from China the way it's supposed to. But still there are reverse SSH connections to that same IP range being spawned by a process on the system I haven't found yet.

    Nuking the instance and recreating it from backups is trivial, and no sensitive data was lost or compromised, but I'd rather use the occasion to deepen my knowledge of the subject matter area of security since it's been a bit of a wake-up call.

    Do you have any recommendations for more advanced (or, hell, even intermediate-to-advanced) sources to help me on the way there?

    --
    Washington DC delenda est.
    • (Score: 0) by Anonymous Coward on Sunday June 04 2017, @02:48AM (#520067)

      Maybe it has to do with how fail2ban handles the blocklist? Maybe fail2ban is the "hacker"?