  1. #16
    Member
    Join Date
    May 2004
    Posts
    14

    Wink

    best idea ever, if you donno how to do it, hire a security consultant to do it for you.

    why?

    'cause you just wasted 3000 dollars on repairs. my advice? next time spend that 3000 dollars to get a rock solid network (btw the guy on your aim list who failed his rhse exam is NOT a security consultant, neither is the script kiddie next door) go to google and find yourself a respectable security consulting agency and end the annoyance
    http://www.ambienthost.com
    http://www.knightsofchaos.org
    http://www.analogwar.net

  2. #17
    Member
    Join Date
    Mar 2002
    Posts
    442

    Default

    1. Perhaps there are reputable web hosting companies out there who are security experts, and for a premium (which we'd expect to pay) will take care of all these security concerns for us as part of the package? If so, make yourself known to us!

    2. Does anyone have any recommendations for security experts or companies who DO offer this sort of service for existing dedicated web servers? I mean, sure, I can and have gone to Google and every man and his dog claims to be a security expert. So how about some solid referrals from someone who is employing such services and is happy to recommend them?
    • Web Design Perth .:. Itomic Business Website Solutions of Perth, Western Australia

  3. #18
    Member
    Join Date
    May 2004
    Posts
    26

    Default

    Wow - I came into this thread as I'm fairly new to having my own server, and was curious about how to secure it properly. Sadly, a seemingly useful thread quickly turned into a bitching argument between members...

    I'll point out that there's generally two approaches to software design / management / security - open source, and closed source. I'll use two examples: Linux for OpenSource, Windows for closed. Do I really need to point out which is most secure?

    If people don't share information about potential problems with security setups, and the best ways to sort out these problems, then hackers have their own playground full of people's unprotected servers. If, however, people do share...

  4. #19
    Member
    Join Date
    Jul 2002
    Location
    Canada
    Posts
    675

    Default

    Ahem. http://www.crucialparadigm.com/resou...-detection.php

    And all the other tutorials at www.crucialparadigm.com have been ripped from my site without my permission. An email has been sent to the author requesting they remove my tutorials immediately.

    http://www.webhostgear.com/60.html is the BFD link

    Thank you

    Steve
    Upload Guardian 2.0 - Sign up for our early beta
    ServerProgress - Server security, consulting and assistance

  5. #20
    Member
    Join Date
    Oct 2003
    Posts
    1,020

    Default

    I have to agree with 0000000 here. This is a support forum, and there is nothing wrong (except in the instance I mention below) with someone coming by and requesting detailed tips on how to secure their server.

    If you have developed some proprietary technique that you do not wish to share, then by all means feel free not to share it. The act of not sharing however is going to add little value to this forum which so many people (myself included) value.

    My only problem with this thread is that it is redundant. There have to be at least 2 or 3 other threads that attack this same issue (which lends credibility to some of haze's remarks). If the original poster had something to add, they should have posted to one of the existing threads.

    dgb, I am surprised to see you make comments like that. It seems out of character for someone who maintains an open support forum and has been very helpful in these forums. I am going to chalk it up to lack of coffee/sleep/etc.

    Most of the people here are competitors, but do not forget that they are also colleagues and I think for the most part everyone has done a commendable job of respecting each other's business interests. I have learned a tremendous amount about cPanel from this and other forums and would be much worse for wear if no such resources existed.

  6. #21
    Lyi
    Registered User
    Join Date
    Sep 2004
    Posts
    3

    Default

    While I agree with points from both sides, I feel knowledge such as this is needed and that if nobody posted how-to's then there would be no letting the fisher learn because there would be no pool to learn from.


    Here is a thread from servermatrix's forums that is pretty informative on how to do a few things to touch up the security on your server.

    How to increase security on a Cpanel Server

    Now there are a few others on that board, I'd recommend looking at the Redhat security forum on that board.

    And if you need to keep your advantage by keeping the competition hacked then you're riding a train waiting to be derailed in the end, because of a lot of helpful folks the knowledge is out there, some just need to be pointed the way.
    I'd prefer to point and save them 4-10 hours of fruitless searching to find what they want, because learning the ins and outs of searching is only worth the knowledge that is available to be searched anyways.



    Lyi

  7. #22
    Member
    Join Date
    Sep 2004
    Posts
    21

    Default

    I posted a thread with the basics here: http://forums.cpanel.net/showthread.php?t=30159.

  8. #23
    BANNED
    Join Date
    Feb 2004
    Posts
    349

    Default

    Quote Originally Posted by dgbaker
    There a few issues with doing this.

    1. Why should anyone give away their secrets on how they do security?
    2. Posting such info in public forums is also giving the hackers extra info on how the server is secured.
    3. As I've stated on the forum before, we are all in this industry to make money, end of story. So why would I want to help my competition with things like this? If they have issues all the better for everyone else who may get their business.
    4. Handing people tutorials on every little thing is not the answer, each must learn to fish instead of asking for the fish to be given.
    5. Just because you can follow a tutorial does not mean you are any safer. Tutorials are and should be used as guidelines only and baselines, each system still needs to be looked at and handled individually to ensure proper/better security.

    I know that sounds harsh and self-centered etc... but hey! business is business and in this industry one must do whatever they can to maintain an edge (no matter how small) on it's competition.

    Ummm, a while ago you were announcing to the whole world that you were GETTING OUT OF THE BUSINESS, then you mysteriously came back. Interesting. The above sounds a bit selfish to me!

  9. #24
    Member
    Join Date
    Sep 2004
    Posts
    21

    Default

    See what I mean?

  10. #25
    Member
    Join Date
    Mar 2002
    Posts
    442

    Default

    Quote Originally Posted by ramprage
    Ahem. http://www.crucialparadigm.com/resou...-detection.php

    And all the other tutorials at www.crucialparadigm.com have been ripped from my site without my permission. An email has been sent to the author requesting they remove my tutorials immediately.

    http://www.webhostgear.com/60.html is the BFD link

    Thank you

    Steve

    Hi Steve - thanks very much for pointing that out. I've taken your word for it and edited my original post accordingly.
    • Web Design Perth .:. Itomic Business Website Solutions of Perth, Western Australia

  11. #26
    Member
    Join Date
    Mar 2002
    Posts
    442

    Default SANS: The Twenty Most Critical Internet Security Vulnerabilities

    Top Vulnerabilities to UNIX Systems
    # U1 BIND Domain Name System
    # U2 Web Server
    # U3 Authentication
    # U4 Version Control Systems
    # U5 Mail Transport Service
    # U6 Simple Network Management Protocol (SNMP)
    # U7 Open Secure Sockets Layer (SSL)
    # U8 Misconfiguration of Enterprise Services NIS/NFS
    # U9 Databases
    # U10 Kernel

    Full details, including (for each vulnerability) description, OSes affected, how to determine if you are vulnerable, how to protect against it:

    http://www.sans.org/top20/
    • Web Design Perth .:. Itomic Business Website Solutions of Perth, Western Australia

  12. #27
    Ben
    Member
    Join Date
    Aug 2002
    Posts
    77

    Default

    I'm not sure if anyone actually answered this or not, I stopped reading when the flaming started.

    Turning off compilers

    Code:
    chmod 700 /usr/bin/*cc*

    Mounting /tmp noexec

    Code:
    # Move to a directory with 500MB free
    cd /home

    # Stop everything
    service chkservd stop
    service httpd stop
    service mysql stop

    # Use dd to write 500MB of zeroed-out data to a file
    dd if=/dev/zero of=tmpfs bs=1k count=512000

    # Then force mke2fs to format it (-F because it is a regular file, -j for ext3)
    mke2fs -j -F tmpfs

    # Okay, so now we have a formatted filesystem inside this file.
    # Mount it someplace temporarily
    mkdir /newtmp
    mount -t ext3 -o loop /home/tmpfs /newtmp

    # Copy over the files (dotfiles included) and empty the old /tmp
    cp -a /tmp/. /newtmp/
    cd /tmp && rm -rf ./*

    # Unmount the new tmp
    umount /newtmp

    # Add the following line to /etc/fstab (vi /etc/fstab):
    #   /home/tmpfs /tmp ext3 loop,noexec 0 0

    # Remount
    mount -a

    # Change permissions on the directory (world-writable with the sticky bit)
    chmod 1777 /tmp

    # Start everything
    service chkservd start
    service httpd start
    service mysql start

    # Note: I had to re-add the mysql.sock symlink after I did this
    ln -s /var/lib/mysql/mysql.sock /tmp/mysql.sock

    # If /var/tmp isn't symlinked to /tmp, do
    cd /var
    rm -rf tmp/
    ln -s /tmp tmp

    # DONE

    As for a firewall, we used iptables; here's what our iptables policy script looks like:
    Code:
    IPTABLES="/sbin/iptables"
    
    #Flush everything, start from scratch
    $IPTABLES -F
    
    #Set default policies to DROP
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    
    #Allow all lo traffic
    $IPTABLES -A INPUT -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
    
    #Allow all connections related and established connections
    $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    
    #Drop new traffic from this address (the rule above still accepts established connections)
    $IPTABLES -A INPUT -s 24.155.39.207 -j DROP
    
    #Set default OUTPUT policy to ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    
    # Open ports for server/services
    $IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 25 -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 37 -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 43 -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
    $IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 110 -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 113 -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 143 -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 465 -j ACCEPT
    $IPTABLES -A INPUT -p udp --dport 465 -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 873 -j ACCEPT
    $IPTABLES -A INPUT -p udp --dport 873 -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 993 -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 995 -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 2082 -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 2083 -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 2086 -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 2087 -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 2089 -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 2095 -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 3306 -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 6666 -j ACCEPT
    
    #Enable Blogger support (non-standards compliant piece of dogshit that it is)
    $IPTABLES -A INPUT -s 66.102.15.83 -j ACCEPT
    $IPTABLES -A INPUT -s 216.34.7.186 -j ACCEPT
    
    #Add passive-mode people here
    $IPTABLES -A INPUT -s 24.1.79.131 -j ACCEPT
    
    #Logging
    $IPTABLES -A INPUT -j LOG --log-prefix "INPUTDEFAULT: "
    
    #Save rules
    iptables-save > /etc/sysconfig/iptables
    
    #Restart for rules to take effect
    service iptables restart

    I'd also recommend installing and using phpSuExec, which, if you use cPanel, can be turned on using /scripts/easyapache

    Hope this helps and good luck in fighting off the hackers.
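
A check for the /tmp procedure in the post above, as an added example that is not part of the original post or of cPanel: it reads mount entries in /proc/mounts format and reports which required options a mount point lacks. The function names and sample lines are constructed for illustration, and nosuid is an assumption here, since the post's fstab line sets only loop,noexec.

```shell
#!/bin/sh
# Added example: confirm a mount point carries the options the hardening needs.
# Both functions read mount entries in /proc/mounts format on stdin.

# mount_opts MOUNTPOINT: print the option field of the LAST matching entry;
# mounts stack, so the last line for a mount point is the one in effect.
mount_opts() {
    awk -v mp="$1" '$2 == mp { opts = $4 } END { if (opts != "") print opts }'
}

# missing_opts MOUNTPOINT OPT...: print the required options that are absent.
# Empty output means every option is set. Options are matched as whole
# comma-separated fields, so "suid" cannot match inside "nosuid".
missing_opts() {
    mp=$1; shift
    opts=$(mount_opts "$mp")
    missing=""
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing${missing:+ }$want" ;;
        esac
    done
    printf '%s\n' "$missing"
}

# tmp_alias_ok PATH: succeed if PATH is a symlink to /tmp (what the post sets
# up for /var/tmp) or is itself mounted noexec; otherwise it is a writable,
# executable directory that sidesteps the /tmp restriction.
tmp_alias_ok() {
    if [ -L "$1" ] && [ "$(readlink "$1")" = "/tmp" ]; then return 0; fi
    [ -z "$(missing_opts "$1" noexec)" ]
}

# Constructed sample: the post's loopback file mounted noexec over an older /tmp.
sample_mounts() {
    cat <<'EOF'
/dev/sda3 / ext3 rw 0 0
/dev/sda5 /tmp ext3 rw 0 0
/dev/loop0 /tmp ext3 rw,noexec 0 0
EOF
}

# Demo on the sample; on a live host use: missing_opts /tmp noexec < /proc/mounts
echo "/tmp options: $(sample_mounts | mount_opts /tmp)"
echo "/tmp missing: $(sample_mounts | missing_opts /tmp noexec nosuid)"
```

Run after `mount -a` and again after a reboot, since a typo in /etc/fstab only shows up when the entry is next mounted.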

  13. #28
    Member
    Join Date
    Aug 2004
    Posts
    5

    Thumbs up Posting Useful Information

    Ben,

    You have a lot of nerve interrupting this thread to post a bunch of useful information (JK)

    But seriously, thank you for posting, excellent info to have !!

  14. #29
    Member
    Join Date
    Apr 2005
    Posts
    15

    Default Aide?

    Can someone post a HOW-TO to install AIDE?

    Thanks!

  15. #30
    DWHS.net
    cPanel Partner NOC
    Join Date
    Jul 2002
    Location
    LA, Costa RIca
    Posts
    1,342

    Default

    Quote Originally Posted by craig1972
    Can someone post a HOW-TO to install AIDE?

    Thanks!

    Watch out for server loads on these step followers, they seem to soak up CPU.

    Log watch seems fine for me. And sorry never installed it.
