GUIDE

Post by Hany E Morc » Thu, 18 Sep 1997 04:00:00



   How is it going everyone?

    I'm trying to secure my Linux box on the internet so I can run a web
server.  Any good security guides on the web that I can read? Thank you

Hany--;

 
 
 


Post by Chris Evan » Thu, 18 Sep 1997 04:00:00



>    How is it going everyone?

>     I'm trying to secure my Linux box on the internet so I can run a web
> server.  Any good security guides on the web that I can read? Thank you

You want a secure web server?

1) Right, ideally, the only service listening to the net would be the web
server itself, i.e., no ftp, sendmail, inetd, innd, etc.

2) The web server (apache is a good choice) should run as a user that
doesn't have permission to write ANY files or execute ANY binaries
(especially SUID ones). This is fairly easy to do with directory
permissions like:

ls -ld /bin

drwx---r-x    root    nopriv          bin

3) Make sure the UID the web server runs as has this group "nopriv" as one
of its supplementary groups.

4) Don't even start up the web server as root. Traditionally this is a
problem if you want to bind to port 80 (privileged!), however Linux can
neatly sidestep the issue by letting you run the server on port 8080, and
transparently redirect traffic to port 80, to local port 8080.

5) If you must run other services, such as maybe inetd for login purposes
then make sure you configure the box as a firewall, and only allow traffic
not on your local network to arrive on port 80.

6) If "users" have access to the machine for purposes of writing/modifying
web documents, make sure the apache config file disables things like
Symlinks, otherwise...

ln -s / foo   <---- bad news

In particular the default apache settings coming with RedHat 4.2 could be
a tiny bit tighter; I would recommend "Options Indexes" "AllowOverride
AuthConfig FileInfo Indexes Limit" for user owned dirs.

7) If at all possible, consider disabling all execution of CGI binaries by
the server as _Well_ as normal system binaries.

As you can see, it's possible to make a web server practically uncrackable
by design but it takes a little effort. A typical web server attack and
host compromise will occur in two steps:

1) Get shell running with privs of httpd user (possibly via bad CGI or
buffer overrun).

2) From shell, exploit some SUID binary to get root.

The steps above make 2) impossible to do, and 1) difficult.

Cheers
Chris
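
Added example (not part of the original post): a small Python model of the Unix permission check behind steps 2 and 3 above, showing why mode `drwx---r-x` with group `nopriv` locks only the web server user out of `/bin`. The user names `httpd` and `alice`, the group `users`, and the file entries are constructed sample data; uid 0 is not modelled.

```python
# Constructed sample data modelled on the `ls -ld /bin` line in the post.
PERM = {"r": 4, "w": 2, "x": 1, "s": 1, "t": 1}  # 'S'/'T'/'-' grant nothing

def class_bits(ls_mode, owner, group, user, groups):
    """rwx bits the kernel applies to `user`: owner class, else group, else other.
    Only the FIRST matching class is used, so group '---' beats other 'r-x'."""
    start = 1 if user == owner else 4 if group in groups else 7
    return sum(PERM.get(c, 0) for c in ls_mode[start:start + 3])

def can_exec(path, table, user, groups):
    """True if `user` may search every parent directory and execute the file."""
    parts = path.strip("/").split("/")
    for i in range(1, len(parts) + 1):
        ls_mode, owner, group = table["/" + "/".join(parts[:i])]
        if not class_bits(ls_mode, owner, group, user, groups) & 1:
            return False
    return True

def reachable_suid(table, user, groups):
    """SUID regular files that `user` can actually reach and execute."""
    return sorted(p for p, (m, _, _) in table.items()
                  if m[0] == "-" and m[3] in "sS"
                  and can_exec(p, table, user, groups))

# /bin as in the post: root-owned, group nopriv, no group access.
HARDENED = {
    "/bin":    ("drwx---r-x", "root", "nopriv"),
    "/bin/su": ("-rwsr-xr-x", "root", "root"),
    "/bin/ls": ("-rwxr-xr-x", "root", "root"),
}
# The same tree with an ordinary world-searchable /bin, for comparison.
DEFAULT = {**HARDENED, "/bin": ("drwxr-xr-x", "root", "root")}

if __name__ == "__main__":
    cases = [
        ("hardened, httpd in nopriv", HARDENED, "httpd", {"httpd", "nopriv"}),
        ("hardened, step 3 skipped",  HARDENED, "httpd", {"httpd"}),
        ("hardened, ordinary user",   HARDENED, "alice", {"users"}),
        ("default /bin, httpd",       DEFAULT,  "httpd", {"httpd", "nopriv"}),
    ]
    for label, table, user, groups in cases:
        print(f"{label:28} -> {reachable_suid(table, user, groups)}")
```

The second case shows that the directory mode alone does nothing unless the server's UID really carries `nopriv` as a supplementary group.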

 
 
 


Post by cybercla » Thu, 18 Sep 1997 04:00:00



>    How is it going everyone?
>     I'm trying to secure my Linux box on the internet so I can run a web
> server.  Any good security guides on the web that I can read? Thank you
> Hany--;

If you're using redhat 4.2 there are very few security bugs.  With the exception of a few buffer overflows, you don't have too much to worry about.

Regards,
  *clay

---
Perl/C/UNIX/Linux Hacker
http://www.veryComputer.com/

 
 
 


Post by Bob Tinsle » Fri, 19 Sep 1997 04:00:00



> If you're using redhat 4.2 there are very few security bugs.

... provided you install the elm, XFree, db, ld.so, and bind
security updates, available from any ftp.redhat.com mirror.
(Unfortunately, these are *far* from obscure packages, but
I've found Red Hat to be excellent at patching known security
problems remarkably quickly.)

> With the exception of a few buffer overflows, you don't have
> too much to worry about.

You WHAT?

Cheers,

--

This e-mail address will be disappearing *very* shortly...

 
 
 


Post by Thomas H. Ptac » Fri, 19 Sep 1997 04:00:00



>If you're using redhat 4.2 there are very few security bugs.

Good to know. When did you finish your audit?

> With the exception of a few buffer overflows, you don't have too much to
> worry about.

Ah, what's one or two of those, anyways?

--
----------------

----------------
"mmmm... sacrilicious..."

 
 
 


Post by Dan Strombe » Fri, 19 Sep 1997 04:00:00




<> If you're using redhat 4.2 there are very few security bugs.
<
<... provided you install the elm, XFree, db, ld.so, and bind
<security updates, available from any ftp.redhat.com mirror.
<(Unfortunately, these are *far* from obscure packages, but
<I've found Red Hat to be excellent at patching known security
<problems remarkably quickly.)

You also need the libc from contrib - for some reason this doesn't
appear to be listed on the redhat errata page, even tho it's needed
for decent security.

I just ran afoul of the (apparent) circumstance that the contrib libc
doesn't understand "passwd: compat" in nsswitch.conf.

<> With the exception of a few buffer overflows, you don't have
<> too much to worry about.
<
<You WHAT?

It is a little like saying "With the exception of a few bullets, you
don't have to worry about walking across a battlefield".  Ok, not
quite that bad, but you get the idea.

I don't mean to say that redhat is especially holey - only that buffer
overflows account for a significant fraction of any OS' known security
problems.

 
 
 


Post by Elliot L » Sat, 20 Sep 1997 04:00:00



>You also need the libc from contrib - for some reason this doesn't
>appear to be listed on the redhat errata page, even tho it's needed
>for decent security.

Well, that's not completely true... The libc shipped with RHL 4.2 has all
known security holes patched, and is also a good deal more stable than
libc 5.4.x.

><> With the exception of a few buffer overflows, you don't have
><> too much to worry about.

[It's funny how people will mention "a few buffer overflows" instead of
 E-mailing the people who will fix them :-]

Hope this helps,
-- Elliot - http://www.redhat.com/
What's nice about GUI is that you see what you manipulate.
What's bad about GUI is that you can only manipulate what you see.

| http://www.cauce.org/ | http://www.linuxnet.org/ |

 
 
 


Post by Dan Strombe » Sat, 20 Sep 1997 04:00:00



<

<>You also need the libc from contrib - for some reason this doesn't
<>appear to be listed on the redhat errata page, even tho it's needed
<>for decent security.
<
<Well, that's not completely true... The libc shipped with RHL 4.2 has all
<known security holes patched, and is also a good deal more stable than
<libc 5.4.x.

I see.  chkexploit led me to believe otherwise.

Not having source to chkexploit, I don't know if it tests for specific
vulnerabilities, or just looks at the libc version and says "you're
vulnerable."

 
 
 


Post by josm » Sun, 21 Sep 1997 04:00:00




> >    How is it going everyone?

> >     I'm trying to secure my Linux box on the internet so I can run a web
> > server.  Any good security guides on the web that I can read? Thank you

> > Hany--;

> If you're using redhat 4.2 there are very few security bugs.  With the exception of a few buffer overflows, you don't have too much to worry about.

> Regards,
>   *clay

> ---
> Perl/C/UNIX/Linux Hacker
> http://www.veryComputer.com/

read the CERT advisories
 
 
 


Post by s.. » Sun, 21 Sep 1997 04:00:00



[Redhat libc security:]

>>Well, that's not completely true... The libc shipped with RHL 4.2 has all
>>known security holes patched, and is also a good deal more stable than
>>libc 5.4.x.

>I see.  chkexploit led me to believe otherwise.

>Not having source to chkexploit, I don't know if it tests for specific
>vulnerabilities, or just looks at the libc version and says "you're
>vulnerable."

You don't have the source? Funny that, my copy of chkexploit is simply
a Bourne shell script. ;-)

CU, Sico.

 
 
 


Post by Dan Strombe » Tue, 23 Sep 1997 04:00:00



<
<[Redhat libc security:]
<
<>>Well, that's not completely true... The libc shipped with RHL 4.2 has all
<>>known security holes patched, and is also a good deal more stable than
<>>libc 5.4.x.
<>
<>I see.  chkexploit led me to believe otherwise.
<>
<>Not having source to chkexploit, I don't know if it tests for specific
<>vulnerabilities, or just looks at the libc version and says "you're
<>vulnerable."
<
<You don't have the source? Funny that, my copy of chkexploit is simply
<a Bourne shell script. ;-)
<
<CU, Sico.

AAAUUUGGGGHHHH.

Thank you.