
Re: [cobalt-security] It's nice



Simon Wilson wrote:
> 
> Bill and Carrie
> If you are going to do this please can you let us (the list) know where we
> can get this info. I and many others would appreciate your experience of
> installing these packages. I have read many walk throughs on how to install
> these packages but they are not specific to Raq and as a consequence I have
> failed to install them. "not using SSH and Portsentry?" you must be mad! I
> know, but I'm a designer not an admin and I've just been left with the job
> of looking after the server. I'm sure I'm not the only one in this
> situation - Aware of all the risks but unqualified to deal with them.
> 
> Simon

Digging through my files, I finally found the how-to for this
information. (woohoo!).

Please make a note. I did not make this how-to nor will I support it if
you come to us in the Email tech support. I'm merely sharing this
information for those who are as security minded as I am.

*********************************************
THIS IS NOT SUPPORTED BY MY EMPLOYER!!!!!!!!
*********************************************

Begin cut & paste
-------------------------------------------------------------

This document gives instructions for installing:
SSH2, Tripwire, IPChains, Portsentry, Logcheck, Lcap, Chkrootkit,
LionFind, Whois, etc. etc.
Plus little tweaks such as:
Changing root password, changing default cobalt-mysql password, some
simple unix commands, turning off IMAP, some tweaks to srm.conf,
access.conf, httpd.conf, webalizer.conf
USE AT YOUR OWN RISK - I don't guarantee a single thing on here. This
was done on a RaQ4i; your mileage may vary.

___________________

Change Root Password:
login as admin
su to root :
# su -
enter your admin password, then type:
# passwd
enter new password twice - finished. (Be sure to write down the new
password!)

--------------------------
SSH2 Installation:

login through telnet as admin
su to root

Get SSH2:
# wget ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/rpm/RH62/openssh-2.5.2p2-1.i386.rpm
#mv openssh* openssh2.rpm
#rpm -i openssh2.rpm

Get the Server:
# wget ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/rpm/RH62/openssh-server-2.5.2p2-1.i386.rpm
# mv openssh-server* openssh2-server.rpm
#rpm -i openssh2-server.rpm

Get the Client:
# wget ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/rpm/RH62/openssh-clients-2.5.2p2-1.i386.rpm
# mv openssh-clients* openssh2-clients.rpm
# rpm -i openssh2-clients.rpm

Start the SSH server:
# /etc/rc.d/init.d/sshd start
Test the install by logging in with an SSH2 client as admin (free
client: putty)

If it works, add the SSH to the startup files:
# pico /etc/rc.d/rc.local
At the end put:
***from line below****
#Start the SSH2 Server:
/etc/rc.d/init.d/sshd start
fi
***to line above***
Save changes and exit.

Exit as root, exit as admin.
Go to your GUI and disable Telnet.

Test it again by connecting through an SSH2 client as admin.

Making it more secure:
Now that you've got it working, make it more secure. As per Adam from
the cobalt-security list-
Locate the config file sshd_config which usually resides in /etc/ssh
you will see in the
first few lines something like :

Port 22
Protocol 1,2

change it to something like :

Port 52
Protocol 2

This will change the standard port of 22 into 52 and force protocol 2 to
be used.
Locate the start script in /etc/rc.d/rc3.d
and type something like ./S55sshd restart

Make sure you can login using the new port and protocol (don't forget to
configure client) and assuming everything is fine logout of your old
session, that's it. If in doubt leave it alone.
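Added example, not from the how-to or from the cobalt-security list: a small
sh function that makes the Port/Protocol edit described above on a copy of
sshd_config, keeps a .bak, and refuses to report success unless both
directives actually came out as expected. The sample file is constructed for
a sandbox run; on the RaQ the real file is /etc/ssh/sshd_config, and the
restart and the test from a second client session are still done by hand.

```shell
#!/bin/sh
# Added example (not part of the original how-to): apply the Port/Protocol
# change to an sshd_config and verify the result before anyone logs out.
# Assumption: the file has plain "Port 22" / "Protocol 1,2" lines as shown
# in the how-to; anything else is left untouched.

harden_sshd_config() {
    # $1 = path to sshd_config, $2 = new port number
    cfg="$1"; port="$2"
    cp "$cfg" "$cfg.bak" || return 1
    # Rewrite only the two directives; every other line passes through as-is.
    sed -e "s/^Port .*/Port $port/" \
        -e 's/^Protocol .*/Protocol 2/' "$cfg.bak" > "$cfg" || return 1
    # Do not call it done unless exactly the expected lines are present.
    grep -q "^Port $port\$" "$cfg" || return 1
    grep -q '^Protocol 2$' "$cfg" || return 1
    return 0
}

# Demo on a constructed sample file (not the live config).
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
Protocol 1,2
ListenAddress 0.0.0.0
EOF
if harden_sshd_config "$sample" 52; then
    echo "updated $sample; now restart sshd (./S55sshd restart) and test from a NEW session before closing the old one"
else
    echo "edit failed; original left in $sample.bak" >&2
fi
```

The verification step is the point: on a remote box the old telnet or SSH
session is the only safety net, so the script only says "updated" after
re-reading the file, and the author's advice to test from a fresh session
before logging out still applies.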

----------------------------
Change MySQL default cobalt-mysql password:
# mysqladmin -uroot -pcobalt-mysql password newpassword

Test it:
# mysql -uroot -pnewpassword
You should be at a mysql prompt.
# quit
Gets you out of the mysql system.

------------------------------
SRM.CONF changes
# cd /etc/httpd/conf
#cp srm.conf srm.conf.bak
#pico srm.conf

For Directory Index (index.php is already there) add pages that you
want to load by default, like:
 index.pl index.cgi index.php3

For IndexIgnore add INSTALL* to the end:
IndexIgnore .??* *~ *# HEADER* README* RCS INSTALL*

For PHP under AddType application:
# PHP4 (backwards compatible with php3)
AddType application/x-httpd-php .php .php3 .php4 .phtml
#AddType application/x-httpd-php4 .php3
AddType application/x-httpd-php4 .php4
AddType application/x-httpd-php4 .php
#AddType application/x-httpd-php4-source .php4s
#AddType application/x-httpd-php4-source .php3s
#AddType application/x-httpd-php4-source .phps

For ErrorDocument:
ErrorDocument 401 /401.html
ErrorDocument 403 /403.html
ErrorDocument 404 /404.html
#ErrorDocument 401 /cobalt_error/authorizationRequired.html
#ErrorDocument 403 /cobalt_error/forbidden.html
#ErrorDocument 404 /cobalt_error/fileNotFound.html
ErrorDocument 500 /cobalt_error/internalServerError.html
#We leave 500 as it is for easier debugging.

Restart the httpd server:
# /etc/rc.d/init.d/httpd restart

Do checks to see if this is all working okay. Don't forget to enable
PHP on the site you're checking things with before spending 3 hours
banging your head on the desk wondering why you've done everything
right and a .php file still gives you a download prompt.

------------------------------------
Little How-Tos:
Some helpful commands to let you know what's going on:
# w
# netstat
# ps -aux
# top

To see how long the server has been up and running:
# uptime

Update the 'locate' database:
# /etc/cron.daily/slocate.cron

(The first time you do this, it will take a while.)
To test if PHP is working okay:
1. Make sure you have PHP enabled in site settings.
2. Make a file named test.php and in it put this:
<? phpinfo(); ?>
3. Go to www.yourdomain.com/test.php
(If you haven't done the changes to the srm.conf your file will need
to be test.php3)

To change the FTP timeout:
# pico /etc/proftpd.conf
Add these lines:
#Edited Timeout for longer ftp sessions
TimeoutNoTransfer               1200
TimeoutIdle                     1200

To get Webalizer to run before logrotate, rename it:
# mv /etc/cron.daily/webalizer.pl /etc/cron.daily/awebalizer.pl
To get it to leave statistics on heavy-traffic sites, go into
/etc/webalizer.conf and set Incremental to 'yes'.
Remember to also set the name for the current file on the line below
that.

To get directories to stop giving a list of contents:
# pico /etc/httpd/conf/access.conf
Edit this line so that it has the -Indexes at the end:
# be more restrictive within a site
<Directory /home/sites/*/>
Options -FollowSymLinks +SymLinksIfOwnerMatch -Indexes
</Directory>
Save, exit, restart the web server.
# /etc/rc.d/init.d/httpd restart

Restarting inetd after dropping some new entries into hosts.deny:
# /usr/sbin/inetd restart

Restart the server from the command line:
# /sbin/shutdown -r now

--------------------------------------
IPChains Install:
# wget ftp://rpmfind.net/linux/redhat/6.2/en/os/i386/RedHat/RPMS/ipchains-1.3.9-5.i386.rpm
# mv ipchains-1.3* ipchains-1.3.rpm
# rpm -i ipchains-1.3.rpm
IPChains is now installed. The startup script is in /etc/rc.d/init.d
as ipchains
or
# service ipchains start
Don't do this until you've tested your script a few times to see how
it's working and you have the helper scripts installed.

Get the helper scripts:
# wget http://netfilter.filewatcher.org/ipchains/ipchains-scripts-1.1.2.tar.gz
# gunzip ipchains-scripts-1.1.2.tar.gz
# tar -xvf ipchains-scripts-1.1.2.tar
# make clean (my raq grumbled at me with this)
# make (some notes, more grumbling)
# make install

Still working on this, will post a more detailed IPChains how-to once
I get done.
This page might help:
http://plug.skylab.org/199907/msg00138.html

--------------------------------------
PortSentry:
# wget http://www.psionic.com/tools/portsentry-1.0.tar.gz
# gunzip portsentry-1.0.tar.gz
# tar -xvf portsentry-1.0.tar
# mv portsentry-1.0 portsentry
# cd portsentry
# make install
(Dunno why, but I had to get the 'portsentry' file from old machine
via ftp and drop it in this directory for install to work)

Turn on portsentry at bootup: (haven't done this yet)
add to /etc/rc.d/rc.local:
/usr/local/psionic/portsentry/portsentry -tcp
/usr/local/psionic/portsentry/portsentry -udp

To turn it on right now, just run those lines as root. You'll see
portsentry firing up and binding if you look in
/var/log/messages.

------------------------------------------
LogCheck:
#wget http://www.psionic.com/tools/logcheck-1.1.1.tar.gz
# gunzip logcheck-1.1.1.tar.gz
# tar -xvf logcheck-1.1.1.tar
# mv logcheck-1.1.1 logcheck
# make clean
# make linux
# pico /usr/local/etc/logcheck.sh
change the sysadmin address to whatever user you've set up to get the
messages; save and exit

# pico /root/crontab
add this line:
01,16,31,45 * * * * /usr/local/etc/logcheck.sh
That fires it off every 15 minutes. Adjust to your tastes.
This line runs it once a night, at 1:01am:
1 1 * * *       /usr/local/etc/logcheck.sh
If you don't have a file there yet, pico will make a new one. Tell
crontab to pay attention to it like so:
# crontab -u root /root/crontab

-----------------------------------------
TripWire (following instructions at
http://www.linuxsecurity.com/feature_stories/feature_story-81.html)
# wget http://www.tripwire.org/files/rpm3/tripwire-2.3-47.i386.tar.gz
# tar xvzf tripwire-2.3-47.i386.tar.gz
# rpm -ivh tripwire-2.3-47.i386.rpm
# /etc/tripwire/twinstall.sh
Enter key passwords - the first one is the 'site passphrase' that you
will need to enter again at the end of installation. The second is the
'local passphrase' that you'll need now and again. Make sure to write
these down!
Write policy file:
# /usr/sbin/twadmin -m P /etc/tripwire/twpol.txt (you'll need to enter
passphrase again)
Generate initial database: (will need to enter *local* passphrase)
# /usr/sbin/tripwire -m i
Find out which files aren't on your system that are in the default
tripwire configuration: (this takes a while)
# /usr/sbin/tripwire -m c | grep Filename >> twtest.txt
My RaQ4i came up with 140 lines of files that weren't in the
configuration.
Edit /etc/tripwire/twpol.txt and comment out all of the lines that are
in twtest.txt. Easiest way to do this is to have two windows open, one
with each file in it.
# pico /etc/tripwire/twpol.txt
If you can't find a file line, use CTRL-W to find it. This takes a
*really* long time, and there are some files you may not want to
comment out even if they don't exist now, like /root/.bash_history.
*****from install file***
Additionally, there are other files in the default policy that may not
make sense to monitor on the local system. These include lock files
(which identify that some process is in use) and pid files (which
identify the process ID of some daemons). Since the files are likely
to change often, if not at every system boot, they can cause Tripwire
to generate false positives. To avoid such problems, comment out all
of the /var/lock/subsys entries as well as the entry for /var/run.
******************
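Added example, not from the how-to or the Tripwire install notes: the
comment-out step above is described as a two-window pico session, which is
where the "*really* long time" goes. This sh function does the same edit
mechanically on a copy of twpol.txt: every rule whose path appears in the
Filename lines collected in twtest.txt is commented out, the /var/lock/subsys
and /var/run entries from the install notes are dropped as well, and an
optional keep list protects paths such as /root/.bash_history that you want
monitored even though they do not exist yet. It assumes the check output has
the path as the last field of each "Filename:" line and that policy rules
begin with the path, as they do in twpol.txt; all sample files are constructed.

```shell
#!/bin/sh
# Added example (not part of the original how-to): automate the
# "comment out every twpol.txt line that is in twtest.txt" step.
# Assumptions: twtest.txt lines end in the missing path ("### Filename: /path"),
# and each policy rule starts with its path ("/path -> $(SEC_CONFIG) ;").

prune_twpol() {
    # $1 = twtest.txt, $2 = twpol.txt (rewritten; original saved as .orig)
    # $3 = optional file of paths to keep even if missing (one per line)
    twtest="$1"; twpol="$2"; keepfile="${3:-}"
    cp "$twpol" "$twpol.orig" || return 1
    awk -v listfile="$twtest" -v keepfile="$keepfile" '
        BEGIN {
            while ((getline line < listfile) > 0) {
                n = split(line, f, " ")          # last field is the path
                if (n > 0) missing[f[n]] = 1
            }
            close(listfile)
            if (keepfile != "") {
                while ((getline line < keepfile) > 0) keep[line] = 1
                close(keepfile)
            }
        }
        {
            path = $1                             # first token of a rule line
            if (path == "" || path ~ /^#/ || (path in keep)) { print; next }
            if ((path in missing) || index(path, "/var/lock/subsys") == 1 || path == "/var/run") {
                print "#" $0                      # comment the rule out
            } else {
                print
            }
        }' "$twpol.orig" > "$twpol" || return 1
}

# How many rules prune_twpol commented out (comment lines now minus before),
# so the edit can be eyeballed against the line count tripwire reported.
count_commented() {
    before=$(grep -c '^#' "$1.orig"); after=$(grep -c '^#' "$1")
    echo $((after - before))
}

# Demo on constructed sample input.
twtest=$(mktemp); twpol=$(mktemp); keep=$(mktemp)
printf '### Filename: /usr/sbin/fixrmtab\n### Filename: /root/.bash_history\n' > "$twtest"
printf '/root/.bash_history\n' > "$keep"
cat > "$twpol" <<'EOF'
# Rules constructed for this demo; real twpol.txt rules have the same shape
  /var/lock/subsys              -> $(SEC_CONFIG) ;
  /var/run                      -> $(SEC_CONFIG) ;
  /usr/sbin/fixrmtab            -> $(SEC_CRIT) ;
  /usr/sbin/tripwire            -> $(SEC_CRIT) ;
  /root/.bash_history           -> $(SEC_CONFIG) ;
EOF
prune_twpol "$twtest" "$twpol" "$keep"
echo "commented out $(count_commented "$twpol") rule(s); review $twpol before running twadmin -m P"
```

Review the result (diff it against the .orig copy) before feeding it back to
twadmin; a rule commented out here is a file Tripwire will never report on.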
Reset the configuration file:
# /usr/sbin/twadmin -m P /etc/tripwire/twpol.txt
Generate the database again:
# /usr/sbin/tripwire -m i
Remove the text versions of the policy:
# rm /etc/tripwire/twcfg.txt /etc/tripwire/twpol.txt
****from install file***
If they need to be restored cleartext versions of these files can be
created from the encrypted versions by issuing the command (and
providing the appropriate passphrases):
#  /usr/sbin/twadmin -m p > /etc/tripwire/twpol.txt
****************************
Cron that baby:
# cd /usr/local/bin
# pico runtw.sh
Paste this in (change HOST to your machine's name):
***from line below***
#!/bin/sh
/usr/sbin/tripwire -m c | mail -s "Tripwire Report from HOST" root@localhost
***to line above***
# chmod 755 runtw.sh
Now either...
1. Drop this file into your nightly folder:
# cp /usr/local/bin/runtw.sh /etc/cron.daily
2. Or drop this line into /root/crontab:
1 1 * * *       /usr/local/bin/runtw.sh

__________________
Turn off IMAP: (thanks to shimi on the cobalt-security list)
http://www.cobaltdiscussions.com/board/viewthread.php?FID=16&TID=5
# pico /etc/inetd.conf
disable imap (do a search for imap and comment out this line:)
#imap    stream  tcp     nowait  root    /usr/sbin/tcpd imapd
Restart the inet server:
# killall -HUP inetd
#pico /usr/admserv/cgi-bin/.cobalt/services/services.cgi
Change this line:
$ret=Cobalt::swatch::swatch_set_service_on("imap");
To this:
$ret=Cobalt::swatch::swatch_set_service_off("imap");
Now go into the GUI's Control Panel and just hit the 'Save Changes'
button.
This keeps Active Monitor from grumbling about IMAP being turned off.

______________________
Installing LCAP (keeps kernels from being loaded):
# wget
http://owned.lab6.com/~gossi/RaQ-security/files/lcap-0.0.3-2.i386.rpm
# rpm -iv lcap-0.0.3-2.i386.rpm
Check to see that everything is okay:
# /sbin/lcap CAP_SYS_MODULE
If you get no errors, add it to the /etc/rc.d/rc.local file.
Reboot the server.
***From Gossi on the security list***
Basically, that stops loadable kernel modules from being inserted into the
kernel once the command is run (ie at boot).  So if somebody breaks in and
tries to load up something like adore, knark (or one of the other various
Linux Kernel Module rootkits) they won't be able to, without forcefully
removing lcap (which requires removing the line from rc.local and
rebooting the RaQ, which is easily noticeable).
***************************

-----------------------------------
Install Chkrootkit:
# wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
# gunzip chkrootkit.tar.gz
# tar -xvf chkrootkit.tar
# cd chkrootkit-0.31
# make clean
# make
# ./chkrootkit
If you've got Portsentry installed you'll probably get a false
positive on bindshell, tcp port 31337. Also the 'z2' will report that
the last log entry may be corrupted. See www.chkrootkit.org for more
info, or for more in-depth commands.

____________________
Install LionFind:
# wget http://www.ists.dartmouth.edu/IRIA/knowledge_base/tools/lionfind-0.1.9.tar.gz
# tar -xzvf lionfind-0.1.9.tar.gz
# cd lionfind-0.1.9
# ./lionfind

_____________________
Install Whois:
# wget ftp://rpmfind.net/linux/redhat/7.0/en/os/i386/RedHat/RPMS/whois-1.0.3-2.i386.rpm
# rpm -iv whois-1.0.3-2.i386.rpm

Test it by typing in a domain name that you know:
# whois yahoo.com


-------------------
cut & paste


-- 
Bill Irwin
Technical Support Engineer
Sun Microsystems, Inc.