
RE: [cobalt-security] It's nice



Can these all be run on the Qube2? I have a Qube2 and really need some
security. I have no idea how to use Linux and all that kernel stuff.

Anyone out there with a Qube, please help.

Thomas Ashcraft
thomasa@xxxxxxxxx
Pedco, Inc.



-----Original Message-----
From: cobalt-security-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-security-admin@xxxxxxxxxxxxxxx]On Behalf Of Zeffie
Sent: Friday, June 29, 2001 2:59 AM
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-security] It's nice


> Here's something that I posted a while back on the user's list.
> Zeffie had a number of problems with it, but when I asked him for more
> specifics he didn't respond (he gets swamped with emails).

Actually I did....  I wrote this big long "carrie style" response in outlook
and at the bottom when I was finishing....  it crashed and I lost
everything...  so I started again... this time it was shorter... and that
one did make it to the list...  well so a couple "customers" reported...
anyway this stuff is always changing so here is an update with more
explanations

> Get SSH2:
> #wget
> ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/rpm/RH62/

lots of good files yes... however the package on http://pkg.nl.cobalt.com
is the best way I feel to get the "general" security level higher...  and
it's a package... so it's easy

> Locate the config file sshd_config which usually resides in /etc/ssh
> you will see in the
> first few lines something like :
>
> Port 22
> Protocol 1,2
>
> change it to something like :
>
> Port 52

it's important to point out that this is picking the port number it will run
on and that they will need to adjust their "local computer software
settings" to go to port 52 in this example....  I would also recommend they
use a port below 1024 and look at /etc/services and pick a number that is
not currently in use (either no service is assigned or the assigned one is
not running)

> Protocol 2

yep I like it....

> Locate the start script in /etc/rc.d/rc3.d
> and type something like ./S55sshd restart

yuck....  /etc/rc.d/init.d/sshd2 restart
This can suck when you're logged in via ssh so have fun... I like to start a
second instance and kill the old one after I have "re-logged in" using the
new port... then I usually "kill" the original process...

> Make sure you can login using the new port and protocol (don't forget to
> configure the client) and assuming everything is fine logout of your old
> session, that's it. If in doubt leave it alone.
>
> ----------------------------
> Change MySQL default cobalt-mysql password:
> # mysqladmin -uroot -pcobalt-mysql password newpassword

this is so bad.....  ok this is the way it works....  you go and run this
from the command line and all is well so you think...  but wait...  guess
what... depending on the length of your bash_history you just recorded the
password there... and depending on bash history sizes (varies between
cobalts) your password is right there for the hac*er to get right in without
a problem.....

I recommend you set the password using the "SET PASSWORD root newpasswd"  (I
think off the top of my head....  ohhh.....) anyway it works out to
something like.....

From the command line.......
mysql -u root -p
(enter cobalt-mysql when prompted for a passwd)
SET PASSWORD FOR root=PASSWORD('yournewpassword');
and you're done... except for exiting mysql.... (quit)


>
> Test it:
> # mysql -uroot -pnewpassword
> You should be at a mysql prompt.
> # quit
> Gets you out of the mysql system.

again... if you use your passwd on the command line then you may be giving
it away faster than you want.....
mysql -uroot -p

> ------------------------------
> SRM.CONF changes

looks like personal prefs.....

> ------------------------------------
> Little How-Tos
> To see who's connected to your machine (through telnet and ssh):
> # w

err "w" is what they are doing...
who or pinky will tell you "who" is logged in....

> To change the FTP timeout:
> # pico /etc/proftpd.conf
> Add these lines:
> #Edited Timeout for longer ftp sessions
> TimeoutNoTransfer               1200
> TimeoutIdle                     1200

just prefs....

> To get Webalizer to run before logrotate, rename it:
> # mv /etc/cron.daily/webalizer.pl /etc/cron.daily/awebalizer.pl
> To get it to leave statistics on heavy-traffic sites, go into
> /etc/webalizer.conf and set Incremental to 'yes'.
> Remember to also set the name for the current file on the line below
> that.

just did a big post on this on the user list... bottom line.... rename the
logrotate/apache files zapache....


> To get directories to stop giving a list of contents:
> # pico /etc/httpd/conf/access.conf
> Edit this line so that it has the -Indexes at the end:
> # be more restrictive within a site
> <Directory /home/sites/*/>
> Options -FollowSymLinks +SymLinksIfOwnerMatch -Indexes
> </Directory>
> Save, exit, restart the web server.
> # /etc/rc.d/init.d/httpd restart
>

personal prefs...


> Alternatively, set AllowOverride options to ALL and drop an
> .htaccess file into the /web directory with this line:
> Options -Indexes

this is really bad and opens some security holes up depending on your
business...  if you are hosting for strangers don't do this... just add
what you want to work and it will without giving extra stuff to your
users....

> Restarting inetd after dropping some new entries into hosts.deny:
> # /usr/sbin/inetd restart

as far as I know you don't need to do this...

> IPChains Install:
> #wget
> ftp://rpmfind.net/linux/redhat/6.2/en/os/i386/RedHat/RPMS/ipchains-1.3.9-5.i386.rpm
> # mv ipchains-1.3* ipchains-1.3.rpm
> # rpm -i ipchains-1.3.rpm
> IPChains is now installed. The startup script is in /etc/rc.d/init.d
> as ipchains.

well you can rpm -Uvh ftp://rpmfind.net/linux/redhat/6dHatblablabla/bla

but I don't like that package... myself I took the latest redhat 7.1 source
rpm and made a few changes then built it.   works great... as I recall it
was just a matter of getting rid of the need for xinetd.... it's also a
newer version which is important too...

> ALTERNATIVE FOR IPCHAINS NEWBIES:
> Get PMFirewall, install it, run the script and answer some questions
> about your setup:
> http://www.pointman.org/PMFirewall/

great stuff if you're making a firewall....  I guess... never used it...

> PortSentry:
> # wget http://www.psionic.com/tools/portsentry-1.0.tar.gz
> # gunzip portsentry-1.0.tar.gz
> # tar -xvf portsentry-1.0.tar
> # mv portsentry-1.0 portsentry
> # cd portsentry
> #make

should be "make linux"

> # make install
>
> Configure PortSentry by carefully reading the portsentry.conf file and
> commenting/uncommenting
> certain lines and removing/adding certain ports.
> I recommend the "anal" setting. You'll get more messages as "Attack
> Alerts" but it's a more - anal - setting.

yes but there are other modes that work better than using these settings....
also they need to setup the -"KILL_ROUTE" ... using ipchains in this
example...

> Turn on portsentry at bootup:
> add to /etc/rc.d/rc.local:
> /usr/local/psionic/portsentry/portsentry -tcp
> /usr/local/psionic/portsentry/portsentry -udp

yep... see note below

> To turn it on right now, just run those lines as root. You'll see
> portsentry firing up and binding if you look in
> /var/log/messages. There will be some lines where it cannot bind to
> certain ports, check

yep that's one way but it misses a few things that are nice to change.
Things like the compiler used, and an init file...and setting up the ignore
file with local IPs....  you might want to add that...

What I did is I took the latest srpm from redhat 7.1 and modified it with my
own patch (with input from the redhat patches that I didn't like all of) and
rebuilt it into a nice rpm that does it all....

> LogCheck:
> # pico /usr/local/etc/logcheck.sh
> change the sysadmin address to whatever user you've set up to get the
> messages; save and exit

again the fast compile and install is a little rough and logcheck wants to
use some directories that most people don't want them to use for temp
directories... any way...  the latest rh7.1 srpm, added changes, and made a
new rpm of it....

> # pico /root/crontab
> add this line:
> 01,16,31,45 * * * * /usr/local/etc/logcheck.sh
> That fires it off every 15 minutes. Adjust to your tastes.
> This line runs it once a night, at 1:01am:
> 1 1 * * *       /usr/local/etc/logcheck.sh
> If you don't have a file there yet, pico will make a new one. Tell
> crontab to pay attention to it like so:
> # crontab -u root /root/crontab

personal preference

I like to link it....
ln -s /location/of/logcheck.sh /etc/cron.quaterhourly/Logcheck

With that I'm going to bed.... it's 3:48 now and I still have to reread this
...

Zeffie
http://www.zeffie.com/
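The bash_history leak Zeffie describes above (a MySQL password typed inline as `-pSECRET` or `--password=SECRET`) is easy to audit for. The following POSIX sh script is an added example, not from Zeffie's post or the list: it scans a history file, reports the line numbers of mysql/mysqladmin invocations that carry the password on the command line, and leaves prompting `-p` alone. The history file here is a constructed sample; point `inline_password_lines` at a real `~/.bash_history` to use it.

```shell
#!/bin/sh
# Added example (not from the original post). Audits a shell history
# file for MySQL client commands that pass the password inline.
# Assumes only POSIX sh plus grep and cut, which the Cobalt's Red Hat
# base already has. Note that such arguments are also visible in
# process listings (ps) while the command runs, so the history file
# is only one of the places the value ends up.

# Constructed sample standing in for ~/.bash_history.
SAMPLE_HISTORY=$(mktemp)
cat > "$SAMPLE_HISTORY" <<'EOF'
ls -la
mysqladmin -uroot -pcobalt-mysql password newpassword
mysql -u root -p
mysql -uroot -pnewpassword
mysql --user=root --password=s3cret mydb
EOF

# Print the line number of every mysql/mysqladmin command whose
# password is given inline: "-p" glued to a value, or "--password=".
# A bare "-p" (which makes the client prompt) is not reported.
inline_password_lines() {
    grep -n -E \
      '^(.*[[:space:]])?(mysql|mysqladmin)([[:space:]].*)?[[:space:]](-p[^[:space:]]+|--password=[^[:space:]]*)' \
      "$1" | cut -d: -f1
}

# Number of offending lines, handy as a yes/no check in a cron job.
leak_count() {
    inline_password_lines "$1" | wc -l | tr -d ' '
}

echo "history lines with an inline MySQL password:"
inline_password_lines "$SAMPLE_HISTORY"
echo "total: $(leak_count "$SAMPLE_HISTORY")"
```

The two lines the script does not flag are the ones that prompt for the password, which is the form Zeffie recommends.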



_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-security