Hardening a server

General questions regarding Linux.

Moderators: Terry, FWLUG Administrator

Hardening a server

Postby stack » Thu Jan 17, 2008 12:51 pm

I am currently building up a new server for my home (as I type, the hardware is running its burn-in tests). I am building this box to take over the roles of many network services that I have running on various systems throughout the house. I realized not too long ago that MySQL runs on one box, Apache and my music streaming runs off my primary desktop system, my wifes computer runs the print server, my laptop actually has my CVS (I honestly don't know what I was thinking on that one... :oops: probably like most of my projects "hey look! a shiny new project to play with!" followed by "I don't want to move it now...I'll do it later"), and my RAID backup system sits in the corner turned off except for that one Saturday a month in which I run backups. I still have several other tasks running on various systems as well. This brought 2 things to mind.
1) thats a lot of wasted computing and energy.
2) no wonder why I have issues when an update on one system makes another go nuts!

So I have decided to make things simpler (if thats possible). I built up one system for all these tasks and hopefully I can shut down the other systems and save money on the electricity bill. The problem is that when I have hardened a server before, I have done so with just a few things in mind (large business / school training mentality of setting up one system for one purpose). Example, if its a MySQL system and thats all it runs then I can turn off everything but SSH and MySQL and toss the box to the back of the closet with a power cable and network cable knowing that I don't need to worry about much else. Since I am now running so many services on one box, I don't want a ton of holes but I am not sure how locked down I can make this system and keep it usable. I have a pretty hardened Smoothwall Firewall running and I will not be forwarding anything to this box from the outside world so I can be at least a bit more flexible then if this box was seen by the outside universe but thats not an excuse to do nothing at all either.

The services that I want to run on this system are:
MySQL - Database
Apache - Web server Internal use only ( I do not have plans on having this exposed passed my firewall and if I ever do I will build a box specifically for that purpose. This is for my coding projects as well as things like the next two items)
Zabbix - Monitors all my boxes, does all my reporting, creates a nice pretty layout in Apache, ect.
Jinzora - Music streaming though Apache
Share Printer
Samba - Sharing files with XBMC as well as a few other things.
CVS - Code repository (though I am debating on switching to subversion or something else like it...but thats another conversation)
FTP - internal use only (not exposed through firewall).
SSH - internal use only (not exposed through firewall).
Apt-proxy - Considering I run almost exclusively Debian and Ubuntu theres no need to pull a package a dozen times off the net. So I have my own apt repository that only updates files that have been requested (eg it takes up about 6GB space versus a full mirror which I think was 50+ GB last time I checked).

Considering that I have been taught for so long that "if a box has power and a net connection, it can be hacked" and "Its better to be paranoid and prepared then unaware and sorry" its probably no surprise that the only thing going through my head right now is "with that many services running, there is going to be a vulnerability". So I thought I would ask the group what your thoughts / opinons were. Besides doing the basics (making sure root can't log in via SSH, Samaba shares are read only, ect) what else should I do? Is it worth the hassle to setup and maintain an IDS like Snort or Tripwire? Or should I just run nmap against it every once in a while and take care of the basics? I guess another question would be, am I overloading a single server with too many tasks (the physical box can take the abuse but can the security) or should I just do the basics and leave the paranoia and tin foil hats for the firewall?

~Stack~
User avatar
stack
 
Posts: 268
Joined: Sat Jul 14, 2007 2:11 pm
Location: Fort Worth, Texas

Re: Hardening a server

Postby Davemon » Thu Jan 17, 2008 1:59 pm

I like to add extra layers of computer case shells onto the computer. That makes it much harder. :D

Sounds like you have all your bases covered. One thing I think many fail to consider, is system maintenance ie, cleaning the dust out of the system. OR adding extra power. Considering what you had going, a rack system with 1 or 2 extra PSU's wouldn't hurt and you'd still be saving on the ole electric bill.


Question, what kind o processing power do you have?

For absolute security, a passive network sniffer/monitor is a must.

How long do you plan on having this system going? Til it dies? Having started out in the industry blowing out dust in servers. You need to clean it once a year at least. Or have spare fans/PSU's to swap out. Will the CPU fry if the CPU fan seizes?

I imagine that I'll be scavenging quad processors from the junk yard in 3 years. I mention this only as an afterthought. 3 years from now 16 core systems might be the norm and all the power you'll need. By then, you might have security video recorded and maybe available to you via the web.



Davemon
User avatar
Davemon
 
Posts: 247
Joined: Sat Feb 10, 2007 2:42 pm

Re: Hardening a server

Postby stack » Thu Jan 17, 2008 2:19 pm

Davemon wrote:I like to add extra layers of computer case shells onto the computer. That makes it much harder. :D

Yeah, I only have an aluminum case so I will probably need to do that for sure. :-D

The box itself is a p4 2.4 with 1.5GB ram. I have 6 hard drives and 1 CDrom drive and a 450 Watt PSU. I think thats fine for now as I can't really upgrade anything without replacing something else. The P4 doesn't actually have a fan on the processor as is; just a really freakin huge heat sink and so far its been running smoothly and cool. There are something like 8 fans in the case and they are all standard fans. Part of the monitoring that I have going on with Zabbix is that whenever a drive or the processor gets too hot, it starts sending me emails and IM's and at the critical peak it shuts the system down. So I am not too worried about over heating.

Depending on how hard I push this box will determine when I upgrade next. Considering I ran my old file server (SSH, FTP, IRC) box into the ground after 7 years of use and my second real computer (p3 700mhz with 256MB ram) is still running as my firewall (replacement after my 15 year old Digital p1 300mhz box died....RIP :cry: ), I will probably have this box for a long while. I tend to keep my primary systems around for a while :-D

Davemon wrote:By then, you might have security video recorded and maybe available to you via the web.

I have looked into doing something like MCE Linux which does just that. However, for the time being I would rather wait till I get a house that I am pretty confident that I will be in for more then a year or so. Plus I do not want to undertake that kind of a project right now.

As for the Passive network sniffer/monitor, what do you suggest? Its been forever since I messed around with Tripwire (think it was 3 years ago when I messed with it) and the closest I have come to messing with Snort is installing the basics for Smoothwall. Also, should it run on the server itself or on a separate box (the guy who runs the corporate paid-for version here at work runs it on a separate box) ?

~Stack~
User avatar
stack
 
Posts: 268
Joined: Sat Jul 14, 2007 2:11 pm
Location: Fort Worth, Texas

Re: Hardening a server

Postby David Miller » Tue May 06, 2008 1:59 pm

Consider paritioning your server with some kind of virtualizaztion. Then you can seperate the services you don't trust into their own secure compartments. As a bonus you get flexible storage management, assuming you use something like LVM on the host. I also think its really neat to use ebtables to filter net traffic outside of the virtual machine instances, it is also neat to do block device encryption on the host instead of in the virtual machine.

I use usermode linux, with lvm, loop-aes, ebtables, and chroot jails to run several servers on one box.

Xen is very popular, and much more effecient than uml. Linux-Vserver looks cool too, it seems similar to solaris-style zones. If I were to rebuild my always-on server today I would use linux-vserver and/or xen instead of uml.

edit: I suppose I should have looked at the date, I didn't realize I was bumping such an old post, oh well...
David Miller
 

Re: Hardening a server

Postby stack » Tue May 06, 2008 2:23 pm

I have considered the VM stuff before. I have been using VMware at home and work for a number of years and am debating on if I want it on my server or not (currently it is only on my primary desktop). I have also looked into xen and vritual box but I don't know enough about them yet to mess around with my server.

I am afraid my system is not the most secure but I did take steps to ensure that not just anyone can get to it. I try to keep my network pretty tight and since everything I have is internal to me, access is restricted to the server through the network.

One of these days I am going to sit down and run all of the cool VM software and figure out which one I really like...
User avatar
stack
 
Posts: 268
Joined: Sat Jul 14, 2007 2:11 pm
Location: Fort Worth, Texas


Return to FWLUG General Discussions

Who is online

Users browsing this forum: No registered users and 36 guests

cron