
Re: [cobalt-security] It's nice



> Can you or someone post some of the info again for how to install SSH,
> Port Sentry and the like. I'm collecting some info on "unsupported"
> installations of these software packages. It's for future reference or
> possibly to add to knowledgebase when updated.

Bill,
Here's something that I posted a while back on the user's list.
Zeffie had a number of problems with it, but when I asked him for more
specifics he didn't respond (he gets swamped with emails).
However, it works for me on RaQ4's.  I'd say just use this as a basis,
and not an end-all be-all definitive guide. Your mileage may vary, and
all of that good stuff. ;)

Also, I had given up on configuring IPChains until the Rev. steered me
towards PMFirewall. That got things running and now I've got time to
sit back and dissect it at my leisure.
Here goes...

Carrie Bartkowiak
April 2001
This document gives instructions for installing:
SSH2, Tripwire, IPChains, Portsentry, Logcheck, Lcap, Chkrootkit,
LionFind
Plus little tweaks such as:
Changing root password, changing default cobalt-mysql password, some
simple unix commands, turning off IMAP, some tweaks to srm.conf,
access.conf, httpd.conf, webalizer.conf
USE AT YOUR OWN RISK - I don't guarantee a single thing on here. This
was done on a RaQ4i; your mileage may vary.

Note: Always check for newer versions of software than the downloads
listed here.

___________________

Change Root Password:
login as admin
su to root
# passwd
enter new password twice - finished. (Be sure to write down the new
password!)

--------------------------
SSH2 Installation:

login through telnet as admin
su to root

Get SSH2:
# wget ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/rpm/RH62/openssh-2.5.2p2-1.i386.rpm
# mv openssh* openssh2.rpm
# rpm -i openssh2.rpm

Get the Server:
# wget ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/rpm/RH62/openssh-server-2.5.2p2-1.i386.rpm
# mv openssh-server* openssh2-server.rpm
# rpm -i openssh2-server.rpm

Get the Client:
# wget ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/rpm/RH62/openssh-clients-2.5.2p2-1.i386.rpm
# mv openssh-clients* openssh2-clients.rpm
# rpm -i openssh2-clients.rpm

Start the SSH server:
# /etc/rc.d/init.d/sshd start
Test the install by logging in with an SSH2 client as admin (free
client: putty)

If it works, add the SSH to the startup files:
# pico /etc/rc.d/rc.local
At the end put:
***from line below****
#Start the SSH2 Server:
/etc/rc.d/init.d/sshd start
fi
***to line above***
Save changes and exit.

Go to your GUI and disable Telnet.

Test it again by connecting through an SSH2 client as admin (in a
second window).

Making it more secure:
Now that you've got it working, make it more secure. As per Adam from
the cobalt-security list:
Locate the config file sshd_config, which usually resides in /etc/ssh.
You will see in the first few lines something like:

Port 22
Protocol 1,2

change it to something like :

Port 52
Protocol 2

This will change the standard port of 22 into 52 and force protocol 2 to
be used.
Locate the start script in /etc/rc.d/rc3.d and type something like
./S55sshd restart

Make sure you can login using the new port and protocol (don't forget to
configure client) and, assuming everything is fine, logout of your old
session, that's it. If in doubt leave it alone.

----------------------------
Change MySQL default cobalt-mysql password:
# mysqladmin -uroot -pcobalt-mysql password newpassword

Test it:
# mysql -uroot -pnewpassword
You should be at a mysql prompt.
mysql> quit
Gets you out of the mysql system.

------------------------------
SRM.CONF changes
# cd /etc/httpd/conf
# cp srm.conf srm.conf.bak
# pico srm.conf

For Directory Index (index.php is already there) add:
 index.pl index.cgi index.php3

For IndexIgnore add INSTALL* to the end:
IndexIgnore .??* *~ *# HEADER* README* RCS INSTALL*

For PHP under AddType application:
# PHP4 (backwards compatible with php3)
AddType application/x-httpd-php .php .php3 .php4 .phtml
#AddType application/x-httpd-php4 .php3
AddType application/x-httpd-php4 .php4
AddType application/x-httpd-php4 .php
#AddType application/x-httpd-php4-source .php4s
#AddType application/x-httpd-php4-source .php3s
#AddType application/x-httpd-php4-source .phps

(Yes, I know there is redundancy there. However, I have
found that on 3 different RaQ4 machines, it will only work
with the redundancy in place.)

For ErrorDocument:
ErrorDocument 401 /401.html
ErrorDocument 403 /403.html
ErrorDocument 404 /404.html
#ErrorDocument 401 /cobalt_error/authorizationRequired.html
#ErrorDocument 403 /cobalt_error/forbidden.html
#ErrorDocument 404 /cobalt_error/fileNotFound.html
ErrorDocument 500 /cobalt_error/internalServerError.html
#We leave 500 as it is for easier debugging.

Restart the httpd server:
# /etc/rc.d/init.d/httpd restart

Do checks to see if this is all working okay. Don't forget to
enable PHP in the site that you're testing - this one will cause
you much head-on-desk-banging.

------------------------------------
Little How-Tos
To see who's connected to your machine (through telnet and ssh):
# w

To see how long the server has been up and running:
# uptime

Update the 'locate' database:
# /etc/cron.daily/slocate.cron
(The first time you do this, it will take a while.)

To test if PHP is working okay:
1. Make sure you have PHP enabled in site settings.
2. Make a file named test.php and in it put this:
<? phpinfo(); ?>
3. Go to www.yourdomain.com/test.php
(If you haven't done the changes to the srm.conf your file will need
to be test.php3)

To change the FTP timeout:
# pico /etc/proftpd.conf
Add these lines:
#Edited Timeout for longer ftp sessions
TimeoutNoTransfer               1200
TimeoutIdle                     1200

To get Webalizer to run before logrotate, rename it:
# mv /etc/cron.daily/webalizer.pl /etc/cron.daily/awebalizer.pl
To get it to leave statistics on heavy-traffic sites, go into
/etc/webalizer.conf and set Incremental to 'yes'.
Remember to also set the name for the current file on the line below
that.

To get directories to stop giving a list of contents:
# pico /etc/httpd/conf/access.conf
Edit this line so that it has the -Indexes at the end:
# be more restrictive within a site
<Directory /home/sites/*/>
Options -FollowSymLinks +SymLinksIfOwnerMatch -Indexes
</Directory>
Save, exit, restart the web server.
# /etc/rc.d/init.d/httpd restart

Alternatively, set AllowOverride options to ALL and drop an
.htaccess file into the /web directory with this line:
Options -Indexes

Restarting inetd after dropping some new entries into hosts.deny (inetd
takes no 'restart' argument; a HUP makes it re-read its configuration):
# killall -HUP inetd

Restart the server from the command line:
# /sbin/shutdown -r now

--------------------------------------
IPChains Install:
# wget ftp://rpmfind.net/linux/redhat/6.2/en/os/i386/RedHat/RPMS/ipchains-1.3.9-5.i386.rpm
# mv ipchains-1.3* ipchains-1.3.rpm
# rpm -i ipchains-1.3.rpm
IPChains is now installed. The startup script is in /etc/rc.d/init.d
as ipchains.

Get the helper scripts:
# wget http://netfilter.filewatcher.org/ipchains/ipchains-scripts-1.1.2.tar.gz
# gunzip ipchains-scripts-1.1.2.tar.gz
# tar -xvf ipchains-scripts-1.1.2.tar
(cd into the directory tar just created, then:)
# make clean (my raq grumbled at me with this)
# make (some notes, more grumbling)
# make install

At this point you will need to configure IPChains.

ALTERNATIVE FOR IPCHAINS NEWBIES:
Get PMFirewall, install it, run the script and answer some questions
about your setup:
http://www.pointman.org/PMFirewall/

--------------------------------------
PortSentry:
# wget http://www.psionic.com/tools/portsentry-1.0.tar.gz
# gunzip portsentry-1.0.tar.gz
# tar -xvf portsentry-1.0.tar
# mv portsentry-1.0 portsentry
# cd portsentry
#make
# make install

Configure PortSentry by carefully reading the portsentry.conf file and
commenting/uncommenting certain lines and removing/adding certain ports.
I recommend the "anal" setting. You'll get more messages as "Attack
Alerts" but it's a more - anal - setting.

Turn on portsentry at bootup:
add to /etc/rc.d/rc.local:
/usr/local/psionic/portsentry/portsentry -tcp
/usr/local/psionic/portsentry/portsentry -udp

To turn it on right now, just run those lines as root. You'll see
portsentry firing up and binding if you look in
/var/log/messages. There will be some lines where it cannot bind to
certain ports, check

------------------------------------------
LogCheck:
# wget http://www.psionic.com/tools/logcheck-1.1.1.tar.gz
# gunzip logcheck-1.1.1.tar.gz
# tar -xvf logcheck-1.1.1.tar
# mv logcheck-1.1.1 logcheck
# cd logcheck
# make clean
# make linux
# pico /usr/local/etc/logcheck.sh
change the sysadmin address to whatever user you've set up to get the
messages; save and exit

# pico /root/crontab
add this line:
01,16,31,45 * * * * /usr/local/etc/logcheck.sh
That fires it off every 15 minutes. Adjust to your tastes.
This line runs it once a night, at 1:01am:
1 1 * * *       /usr/local/etc/logcheck.sh
If you don't have a file there yet, pico will make a new one. Tell
crontab to pay attention to it like so:
# crontab -u root /root/crontab

-----------------------------------------
TripWire (following instructions at
http://www.linuxsecurity.com/feature_stories/feature_story-81.html)
!!!!BE SURE TO WRITE DOWN YOUR PASSPHRASES!!!!
# wget http://www.tripwire.org/files/rpm3/tripwire-2.3-47.i386.tar.gz
# tar xvzf tripwire-2.3-47.i386.tar.gz
# rpm -ivh tripwire-2.3-47.i386.rpm
# /etc/tripwire/twinstall.sh
Enter key passwords - the first one is the 'site passphrase' that you
will need to enter again at the end of installation.
Write policy file:
# /usr/sbin/twadmin -m P /etc/tripwire/twpol.txt (you'll need to enter
passphrase again)
Generate initial database: (will need to enter *local* passphrase)
# /usr/sbin/tripwire -m i
Find out which files aren't on your system that are in the default
tripwire configuration: (this take a while)
# /usr/sbin/tripwire -m c | grep Filename >> twtest.txt
My RaQ4i came up with 140 lines of files that weren't in the
configuration.
Edit /etc/tripwire/twpol.txt and comment out all of the lines that are
in twtest.txt. Easiest way to do this is to have two windows open, one
with each file in it.
# pico /etc/tripwire/twpol.txt
If you can't find a file line, use CTRL-W to find it. This takes a
*really* long time, and there are some files you may not want to
comment out even if they don't exist now, like /root/.bash_history.
*****from install file***
Additionally, there are other files in the default policy that may not
make sense to monitor on the local system. These include lock files
(which identify that some process is in use) and pid files (which
identify the process ID of some daemons). Since the files are likely
to change often, if not at every system boot, they can cause Tripwire
to generate false positives. To avoid such problems, comment out all
of the /var/lock/subsys entries as well as the entry for /var/run.
******************
Reset the configuration file:
# /usr/sbin/twadmin -m P /etc/tripwire/twpol.txt
Generate the database again:
# /usr/sbin/tripwire -m i
Remove the text versions of the policy:
# rm /etc/tripwire/twcfg.txt /etc/tripwire/twpol.txt
****from install file***
If they need to be restored cleartext versions of these files can be
created from the encrypted versions by issuing the command (and
providing the appropriate passphrases):
#  /usr/sbin/twadmin -m p > /etc/tripwire/twpol.txt
****************************
Cron that baby:
# cd /usr/local/bin
# pico runtw.sh
Paste this in (change HOST to your machine's name):
***from line below***
#!/bin/sh
/usr/sbin/tripwire -m c | mail -s "Tripwire Report from HOST" root@localhost
***to line above***
# chmod 755 runtw.sh
Now either...
1. Drop this file into your nightly folder:
# cp /usr/local/bin/runtw.sh /etc/cron.daily
2. Or drop this line into /root/crontab (this runs runtw.sh, not the
logcheck script from the earlier section):
1 1 * * *       /usr/local/bin/runtw.sh
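The twpol.txt editing above (find every file listed in twtest.txt and comment out its policy line by hand in pico) can be scripted. This is an added example, not part of the original guide or of Tripwire itself; it assumes the "### Filename: /path" lines that tripwire -m c prints for missing files, and the policy entries used in the dry run are made up.

```shell
#!/bin/sh
# Added example (not from the original post): comment out the twpol.txt
# entry for every file that "tripwire -m c | grep Filename" reported as
# missing, instead of hunting each one down in pico.
#
# comment_missing TWPOL TWTEST [KEEPFILE]
#   TWPOL    plain-text policy, e.g. /etc/tripwire/twpol.txt
#   TWTEST   saved output of: tripwire -m c | grep Filename
#   KEEPFILE optional list of paths to keep monitored although they are
#            missing today (the /root/.bash_history case from the text)
# Prints the number of policy lines it commented out.
comment_missing() {
    twpol=$1; twtest=$2; keep=${3:-/dev/null}
    cp "$twpol" "$twpol.orig"                    # original kept for diffing
    # Tripwire reports missing files as "### Filename: /some/path".
    sed -n 's/^.*Filename:[[:space:]]*//p' "$twtest" | while read -r path; do
        [ -n "$path" ] || continue
        grep -qxF "$path" "$keep" && continue    # on the keep list: skip it
        # Escape regex metacharacters in the path ('|' is the sed delimiter).
        esc=$(printf '%s' "$path" | sed 's/[][\.*^$]/\\&/g')
        # Match the exact path followed by whitespace, so commenting out
        # /var/run does not also hit /var/run/utmp.
        sed "s|^\([[:space:]]*\)\(${esc}[[:space:]]\)|\1#\2|" "$twpol" \
            > "$twpol.tmp" && mv "$twpol.tmp" "$twpol"
    done
    changed=$(diff "$twpol.orig" "$twpol" | grep -c '^>') || true
    echo "$changed"
}

# build_sample DIR: constructed twpol.txt, twtest.txt and keep.txt for a
# dry run (the entries are made up, not a real RaQ4 policy).
build_sample() {
    printf '%s\n' '{' \
        '    /root/.bash_history     -> $(SEC_CONFIG) ;' \
        '    /root/.ssh              -> $(SEC_CONFIG) ;' \
        '    /var/run                -> $(SEC_CONFIG) ;' \
        '    /var/run/utmp           -> $(SEC_CONFIG) ;' \
        '    /var/lock/subsys/httpd  -> $(SEC_CONFIG) ;' \
        '}' > "$1/twpol.txt"
    printf '### Filename: %s\n' /root/.bash_history /var/run \
        /var/lock/subsys/httpd > "$1/twtest.txt"
    printf '/root/.bash_history\n' > "$1/keep.txt"
}

# Dry run: /var/run and /var/lock/subsys/httpd get commented out,
# /root/.bash_history is kept, /var/run/utmp is untouched -> prints 2.
work=$(mktemp -d) && build_sample "$work"
comment_missing "$work/twpol.txt" "$work/twtest.txt" "$work/keep.txt"
```

Run it against a copy of /etc/tripwire/twpol.txt first and read the diff against the .orig file before running twadmin -m P on the result.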

__________________
Turn off IMAP:
http://www.cobaltdiscussions.com/board/viewthread.php?FID=16&TID=5
# pico /etc/inetd.conf
disable imap (do a search for imap and comment out this line:)
#imap    stream  tcp     nowait  root    /usr/sbin/tcpd imapd
Restart the inet server:
# killall -HUP inetd
#pico /usr/admserv/cgi-bin/.cobalt/services/services.cgi
Change this line:
$ret=Cobalt::swatch::swatch_set_service_on("imap");
To this:
$ret=Cobalt::swatch::swatch_set_service_off("imap");
Now go into the GUI's Control Panel and just hit the 'Save Changes'
button.
This keeps Active Monitor from grumbling about IMAP being turned off.

______________________
Installing LCAP (keeps kernel modules from being loaded):
# wget http://owned.lab6.com/~gossi/RaQ-security/files/lcap-0.0.3-2.i386.rpm
# rpm -iv lcap-0.0.3-2.i386.rpm
Check to see that everything is okay:
# /sbin/lcap CAP_SYS_MODULE
If you get no errors, add it to the /etc/rc.d/rc.local file.
Reboot the server.
***From Gossi on the security list***
Basically, that stops loadable kernel modules from being inserted into the
kernel once the command is run (ie at boot).  So if somebody breaks in and
tries to load up something like adore, knark (or one of the other various
Linux Kernel Module rootkits) they won't be able to, without forcefully
removing lcap (which requires removing the line from rc.local and
rebooting the RaQ, which is easily noticeable).
***************************
Note: this may set off an email mailed to you every ten minutes. Seems to
be either fixed or disabled with more current RaQ4 patches.

-----------------------------------
Install Chkrootkit:
# wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
# gunzip chkrootkit.tar.gz
# tar -xvf chkrootkit.tar
# cd chkrootkit-0.31
# make clean
# make
# ./chkrootkit
If you've got Portsentry installed you'll probably get a false
positive on bindshell, tcp port 31337. Also the 'z2' will report that
the last log entry may be corrupted. See www.chkrootkit.org for more
info, or for more in-depth commands.

____________________
Install LionFind:
# wget http://www.ists.dartmouth.edu/IRIA/knowledge_base/tools/lionfind-0.1.9.tar.gz
# tar -xzvf lionfind-0.1.9.tar.gz
# cd lionfind-0.1.9
# ./lionfind

_____________________
Install Whois:
# wget http://bw.org/whois/dist/whois-current.tar
# tar -xvf whatever-version-you-have
Read the README and INSTALL file. It's very simple to do by hand, or
just run install.sh.

Test it by typing in a domain name that you know:
# whois yahoo.com