Selasa, 14 Desember 2010

Securing an Ubuntu Server

Security is relative. Will these steps make your server “secure”? It will be more secure than it was before. And more secure than most servers. Your server will not be “low hanging fruit”. Security is an on-going process. It includes settings, practices and procedures. Make it your business to regularly read about security and to understand the concepts and our system. Paranoia is useful with regard to server security.
I’ve tested what is presented here in Ubuntu Server 8.04 (Hardy). If you want to harden your new Ubuntu server, this is a good start.
Ubuntu server is well designed, regularly updated and relatively secure. The Ubuntu Security Team manifests an onging effort to keep Ubuntu secure. Regular security updates are available and easy to implement.
  • No open ports
  • Role-based administration
  • No X server
  • Security updates
  • Kernel and compiler hardening
In this post, we are going to meet the security challenge in with multi-pronged effort that will include: system analysis, changing settings for additional hardening against attack, installing a firewall maintenance system, scanning for rootkits, and offering a regular maintenance regimen.
  • Change settings for increased security
  • Implement UFW, the uncomplicated firewall
  • Use denyhosts to automatically blacklist attackers
  • Scan the system for vulnerabilities with Tiger
  • Detect attempted intrusions with psad
  • Install nmap and scan the system for open ports
  • Check the system for rootkits with chkrootkit
  • Monitor logs

Change settings for increased security

see also: https://help.ubuntu.com/community/StricterDefaults

Secure shared memory

/dev/shm can be used in an attack against a running service, such as httpd. Modify /etc/fstab to make it more secure.
1.sudo vi /etc/fstab
Add this line:
1.tmpfs     /dev/shm     tmpfs     defaults,noexec,nosuid     0     0

Disable root SSH login

The root account is disabled by default in Ubuntu. If you installed Ubuntu on Slicehost or Linode, root is enabled. In any case, it is a good idea to disable root SSH access. Edit /etc/ssh/sshd_config and set PermitRootLogin to no.
1.sudo vi /etc/ssh/sshd_config
Change PermitRootLogin to no:
1.PermitRootLogin no
Of course, if you access your server via SSH, you should make sure you have sudo working for your user before disabling SSH root access.

Only allow admin users to use su

This helps prevent privilege escalation.
By default, Ubuntu does not have an admin group. Create an admin group:
1.sudo groupadd admin
Add yourself to the admin group:
1.sudo usermod -a -G admin andrew
Restrict access to /bin/su to admin group members:
1.sudo dpkg-statoverride --update --add root admin 4750 /bin/su
Check permissions for /bin/su with:
1.ls -lh /bin/su
…and see the following:
1.-rwsr-x--- 1 root admin 31K 2010-01-26 17:09 /bin/su

Do not permit source routing of incoming packets

see also: http://www.cromwell-intl.com/security/security-stack-hardening.html
1.sudo sysctl -w net.ipv4.conf.all.accept_source_route=0
2.sudo sysctl ­-w net.ipv4.conf.default.accept_source_route=0

Don’t allow system users to access an FTP server

This is only needed is ftpd is installed and running. Only if you’ve installed ftpd. However, it is Ok to do this anyway and it will remove a FAIL from the tiger report.
SFTP is probably better than FTP, if it is usable for your files transfer needs.
see ftpusers manual: http://manpages.ubuntu.com/manpages/lucid/man5/ftpusers.5.html
Edit /etc/ftpusers:
1.sudo vi /etc/ftpusers
Add system users to deny use of ftpd:
01.backup
02.bin
03.daemon
04.games
05.gnats
06.irc
07.libuuid
08.list
09.lp
10.mail
11.man
12.mysql
13.news
14.ntp
15.postfix
16.proxy
17.sshd
18.sync
19.sys
20.syslog
21.uucp
22.www-data

UFW: basic firewall

previous post: Ubuntu UFW Uncomplicated Firewall Examples
community documentation: https://help.ubuntu.com/community/UFW
server guide: https://help.ubuntu.com/10.04/serverguide/C/firewall.html
ufw manual: http://manpages.ubuntu.com/manpages/lucid/en/man8/ufw.8.html
project wiki: https://wiki.ubuntu.com/UncomplicatedFirewall
nice article: http://savvyadmin.com/ubuntus-ufw/
UFW (Uncomplicated Firewall) provides an easy to understand interface to control iptables (iptables conteol Netfilter, which is built into the kernel). Will just a few commands, your server can control access. Checking status is also easy.
UFW (uncomplicated firewall) is a simple interface used to configure iptables.
Install and enable Uncomplicated Firewall:
1.sudo aptitude install -y ufw
2.sudo ufw enable
Display available UFW commands:
1.sudo ufw show
Display UFW configuration:
1.sudo ufw status
Allow SSH and HTTP access to the Apache server:
1.sudo ufw allow ssh
2.sudo ufw allow http
In the above example, ports for OpenSSH and Apache were opened by service name (“ssh” and “http”). You can use a port number instead of the service name (like “80″ instead of “http”).
See services running and which names to use:
The practice here is to open only ports that you use – ports that use a service that have a service running. To see a list of services that you have running for which you might want to open ports for:
1.sudo ufw app list
To see a list of services that UFW uses (like in the “sudo ufw allow ssh” example, above):
1.less /etc/services

Denyhosts: avoid SSH attacks

project: http://denyhosts.sourceforge.net/
Looking at /var/log/auth.log on servers that I manage shows a steady streams of attacks on SSH. I am countering these attacks in a number of ways, starting with denyhosts.
Denyhosts periodically scans /var/log/auth.log for repeated failures to access the system via SSH. It then adds these offenders to /etc/hosts.deny. See the project page for details.
1.sudo aptitude -y install denyhosts
That does it – the rest is automatic. You can see the IP addresses added to /etc/hosts.deny with:
1.sudo less /etc/hosts.deny

Tiger: security system scanner

project: http://www.nongnu.org/tiger/
Tiger creates an automated security audit by analyzing files and settings on the system and creating a report listing what has been analyzed and listing warning, alerts and failures.
The tiger command creates a report of potential security problems in /var/log/tiger. The use the tigexp command to look up the resulting codes generated for a detailed explanation and what to do to make the system more secure. The problems tiger considers most serious are marked with FAIL.
Install tiger:
1.sudo aptitude -y install tiger
Run tiger to create a report of security issues.
1.sudo tiger
Use less to view the most recent tiger report:
1.sudo -i
2.less /var/log/tiger/`ls -t1 /var/log/tiger | head -1`
3.exit
Use tigexp to list explanations for FAIL codes:
1.tigexp dev002f
Google is also helpful, naturally.
Ignore these:
1.--FAIL-- [dev002f] /dev/fuse has world permissions
2.--FAIL-- [logf005f] Log file /var/log/btmp permission should be 660
Changing permissions for these could cause problems.

Detect attempted intrusions with psad

project: http://www.cipherdyne.org/psad/
Psad is a collection of lightweight daemons that log attempted intrusions, in particular monitoring iptables.
Installation:
1.sudo aptitude -y install psad
The daemons will run automatically.
To check current status:
1.sudo psad -S
You can modify psad settings to e-mail the admin in the event of intrusion detection.

Nmap: port scanning

project: http://nmap.org/
This allows you to see which ports are open, verifying that UFW/iptables is working correctly.
Installing nmap:
1.sudo aptitude install -y nmap
Port scanning:
1.nmap -v -sT localhost
SYN Scanning:
1.sudo nmap -v -sS localhost
scan type explanations: http://nmap.org/book/man-port-scanning-techniques.html

Chkrootkit: check for rootkit presence

project: http://www.chkrootkit.org/
Chkrootkit scans the system for evidence that a rootkit has been installed.
This is a confidence test to be used to test whether your system has been compromised. In a perfect world you would not need this…but in this world, it is good to run periodically.
Installing chkrootkit:
1.sudo aptitude install -y chkrootkit
Running chkrootkit:
1.sudo chkrootkit

LogWatch

Ubuntu community documentation: https://help.ubuntu.com/community/Logwatch
The most detailed and informative logs in the world are useless if no one looks at them. Logwatch winnows the deluge to a succinct report…which you will look at. Even so, familiarize yourself with your system’s logs and review them on a regular basis. A daily logwatch habit would be a good start.
Installation:
1.sudo aptitude -y install logwatch
Usage:
1.sudo logwatch | less

Ongoing maintenance

Your server is now more secure. Once a week, perform on-going maintenance.
Updating software:
1.sudo aptitude update
2.sudo aptitude safe-upgrade
The safe-upgrade action is preferred by me because it does not upgrade packages that rely on dependencies that have not been upgraded to required levels.
see: http://wiki.debian.org/Aptitude
Or, you could set-up automatic security updates, if you cannot do the weekly maintenance. This is not a perfect solution because an administrator is not monitoring what is being updated and testing after updates. see: https://help.ubuntu.com/10.04/serverguide/C/automatic-updates.html
Check for attempted instrusions:
1.sudo psad -S
UPDATED: Analyze system with tiger. Because the tiger reports in /var/log/tiger/are owned by root, run these commands one at a time. (This solves a problem some people were having with permissions.)
1.sudo -i
2.tiger
3.grep FAIL /var/log/tiger/`ls -t1 /var/log/tiger | head -1`
4.exit
In the above, FAILs are pulled from the newest report file with grep. The ls clause in backticks gives grep the newest file in the directory. The sudo -i command allows you to run multiple commands as root, ending with exit.
Use tigexp to list explanations for FAIL codes:
1.tigexp dev002f
Scan ports with nmap:
1.sudo nmap -v -sS localhost
Check for rootkits
1.sudo chkrootkit
Look at logs:
1.sudo logwatch | less
Keep up with trends
visit: http://www.linuxsecurity.com/

Elsewhere

http://www.itsecurity.com/features/ubuntu-secure-install-resource/
http://www.cyberciti.biz/tips/linux-security.html

Senin, 13 Desember 2010

Install ulang router Giganet

Ringkasan ini tidak tersedia. Harap klik di sini untuk melihat postingan.

Minggu, 21 November 2010

Report Besaran File Hasil Caching Video

Ringkasan ini tidak tersedia. Harap klik di sini untuk melihat postingan.

Minggu, 07 November 2010

Ganti Domain Blog

Setelah beberapa kali gonta-ganti domain name, untuk ketiga kalinya blog ini ganti nama domain.
Pada awal terbentuknya blog ini beberapa bulan yang lalu masih menggunakan default domain, yaitu : rezagiganet.blogspot.com Selanjutnya diganti lagi dengan free domain lain menjadi www.rezagiganet.co.cc.
Sebenarnya kedua domain tersebut walau pun free *.blogspot.com (free selamanya) & *.co.cc (free 1tahun) sudah cukup bagus, tetapi manusia memang tidak ada puasnya termasuk saya yang 100% manusia dan demi sebuah kemajuan & perubahan ke arah yang lebih baik lalu meregister domain di situs register PANDI

PANDI (Pengelola Nama Domain Internet Indonesia) adalah badan hukum yang dibentuk oleh perwakilan dari komunitas teknologi informasi dan telah memenuhi syarat sebagai badan hukum di Indonesia.
PANDI memiliki maksud dan tujuan untuk mengembangkan dan menyediakan jasa layanan yang lain terkait dengan nama domain.

Domain yang baru adalah www.rezagiganet.web.id
Domain baru Semangat Baru!

Selasa, 02 November 2010

Why is English so difficult?


I don’t normally post these things, but I found this too good to give it a pass.
Some reasons to be grateful if you grew up speaking English:
1) The bandage was wound around the wound.
2) The farm was used to produce produce.
3) The dump was so full that it had to refuse more refuse.
4) We must polish the Polish furniture.
5) He could lead if he would get the lead out.
6) The soldier decided to desert his dessert in the desert.
7) Since there is no time like the present, he thought it was time to present the present.
8) A bass was painted on the head of the bass drum.
9) When shot at, the dove dove into the bushes.
10) I did not object to the object.
11) The insurance was invalid for the invalid.
12) There was a row among the oarsmen about how to row.
13) They were too close to the door to close it.
14) The buck does funny things when the does are present.
15) A seamstress and a sewer fell down into a sewer line.
16) To help with planting, the farmer taught his sow to sow.
17) The wind was too strong to wind the sail.
18) After a number of injections my jaw got number.
19) Upon seeing the tear in the painting I shed a tear.
20) I had to subject the subject to a series of tests.
21) How can I intimate this to my most intimate friend?
Let’s face it – English is a crazy language.
There is no egg in eggplant nor ham in hamburger; neither apple nor pine in pineapple.
English muffins weren’t invented in England or French fries in France.
Sweetmeats are candies while sweetbreads, which aren’t sweet, are meat.
We take English for granted. But if we explore its paradoxes, we find that quicksand can work slowly, boxing rings are square and a guinea pig is neither from Guinea nor is it a pig.
And why is it that writers write but fingers don’t fing, grocers don’t groce and hammers don’t ham?
If the plural of tooth is teeth, why isn’t the plural of booth beeth?
One goose, 2 geese. So one moose, 2 meese? One index, 2 indices?
Doesn’t it seem crazy that you can make amends but not one amend?
If you have a bunch of odds and ends and get rid of all but one of them, what do you call it?
If teachers taught, why didn’t preachers praught? If a vegetarian eats vegetables, what does a humanitarian eat?
Sometimes I think all the folks who grew up speaking English should be committed to an asylum for the verbally insane.
In what language do people recite at a play and play at a recital?
Ship by truck and send cargo by ship?
Have noses that run and feet that smell?
How can a slim chance and a fat chance be the same, while a wise man and a wise guy are opposites?
You have to marvel at the unique lunacy of a language in which your house can burn up as it burns down, in which you fill in a form by filling it out and in which an alarm goes off by going on.
English was invented by people, across the ages, and it reflects the creativity of the human race (which, of course, isn’t a race at all). That is why, when the stars are out, they are visible, but when the lights are out, they are invisible.

Web Hosting