[Solved] Antivirus and jails

Hello,

Could someone please tell me if it is necessary to have an antivirus on my FreeBSD server?

I have a FreeBSD host and 3 jails
jail 1 - web server
jail 2 - database server
jail 3 - mail server

If I need to install an antivirus, do I install it on the FreeBSD host so it can also scan all the jails?

If installed on the host, can it be used on the mail server, or does the mail server need to have its own as well?
 
No, you do not. You should be more concerned about locking down your server against hackers.

You can use Postfix/Dovecot/Amavisd-new with ClamAV to scan all emails transiting through your mail server. Most email viruses are targeted against Windows.

I don't use anti-virus on any of my FreeBSD production servers.
 
If I need to install an antivirus, do I install it on the FreeBSD host so it can also scan all the jails?
I would. Otherwise, there will be parts of the system that are not protected. (Note that this is a different question from "is a virus scanner needed on FreeBSD?")
 
I second gkontos about using OSSEC-HIDS to detect changes in the system.

Malware is more common and gets into the server easily via backdoors and compromised websites. That's why you should not run any software as root, especially web servers. Lock down your PHP using open_basedir or suphp to limit each website to its own public_html directory, so infected website PHP code cannot read or write outside of its own directory.

Anti-virus is not needed, but it's probably a good idea to install it anyway to have peace of mind. Most viruses are written for Windows, so it's difficult for a virus to infect Linux or BSD systems without root access, as long as you only use ports or packages directly from FreeBSD or the developer's website. Often, when installing software on Linux or FreeBSD, it'll ask you for a password to install it. Windows generally doesn't ask for a password, so that's why Windows is easily infected. Viruses do happen on Linux/BSD; however, it's rare if you lock down your server with sufficient security measures in place and only use approved software. None of my FreeBSD machines have been infected in the last 8 years, so that's why I said it's unnecessary in my situation, and I don't take any unnecessary risks.

I'd be more concerned about malware than viruses, though.
 
It's still a very good idea to install an antivirus. Scanning email traffic for viruses is a must-do to protect your users. And scanning hosted documents for viruses prevents your users from sharing infected documents with the entire world through your web server.

@work I'm running a FreeBSD web server hosting about 200 web sites and 13 jails, and I'm scanning every night with ClamAV from the host, so one script can scan every jail. Don't expect to catch many things. I've found 2 in years (infected .doc).
I'm also running 3 FreeBSD email servers (2 MX and a postfix-multi running 3 different SMTP), and I scan all email traffic for viruses. It's about 1 million emails per month just for MX. I block about 40 virus/phishing per month. Not so much, as current threats like cryptolocker don't ship as a virus: the email only contains a script that will download the real payload when the user opens the attachment. I'm using the Phishtank ClamAV definitions to add phishing detection, and it's about 95% of what I catch (port security/clamav-unofficial-sigs).

If your web server provides PHP hosting, an IDS is paramount. I've seen so many malware infections starting with a vulnerability in a PHP app and ending with the hacker gaining a shell on the server... I've a nice malware collection now; ClamAV won't detect any of them.

I also use the pf firewall to prevent certain users from opening outgoing connections. It can help sometimes (www, mysql…), but it's not a smart move if you expect this WordPress to update itself automatically ;)
 
If your web server provides PHP hosting, an IDS is paramount. I've seen so many malware infections starting with a vulnerability in a PHP app and ending with the hacker gaining a shell on the server... I've a nice malware collection now; ClamAV won't detect any of them.

This is very true. I've seen many users run their web servers (nginx, apache, php) as 'root' to avoid dealing with permission issues. PHP code is not hackproof; it might be poorly coded, and some of it has backdoors, especially plugins for Joomla or WordPress. Always run nginx or apache as 'www' or the user's name, so that the websites in public_html might get compromised but not the jail, and that will be easy to fix. If nginx or apache is run as 'root' or 'wheel', the website or jail gets compromised, and that will be a nightmare to fix.

As I said, the easy way to fix a compromised website is to compare the files from the backups to see which file was changed or added by malware. I usually keep a month's worth of backups. I've been running a web server for 2 years and none of my clients' websites were compromised or hijacked. Locking down PHP to the user's public_html directory and disabling some PHP high-level privileges are important.
 
It's also a good move to not install any compilation software in your web server jail. Many vulnerabilities in CMS (Drupal, WordPress, Joomla, you-name-it…) involve the hacker being able to execute his own code with server privileges. If he's able to upload his own C/C++ file and compile it, he might exploit a local-only vulnerability giving him privilege escalation, and then gain root access.
Unfortunately, running each daemon with a restricted user is not a strong protection, but you can be sure that running them as root is calling for trouble.

pkg audit is fine, but can be late by weeks on listing vuln. So be sure to follow a CERT mailing list. Keep PHP applications current, limit plugins. Web hosting is a savage world :)

Remington: I'm using ZFS snapshots for that purpose (I do have proper backups elsewhere, of course). zfs diff makes it very easy to compare the state of a website at different dates. Any file that has changed in content but not in timestamp should trigger an alert in the admin's head (happens when the hacker is not too dumb).
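The "changed in content but not in timestamp" check described above, as an added example that is not patpro's own script: it compares a live tree against a snapshot tree (for ZFS, the hidden .zfs/snapshot/NAME directory; the paths in the comments are assumptions) and reports files whose content differs while the modification time is identical, using only POSIX find and cmp.

```shell
#!/bin/sh
# Added example, not from the thread. Given a snapshot tree and the live tree
# of a website, list files whose content changed but whose mtime did not.
# An attacker who resets a modified file's mtime to its old value hides from a
# timestamp-based review; a content comparison against the snapshot does not.
# Example paths (assumptions for this example):
#   /tank/www/.zfs/snapshot/daily-2024-01-01   (snapshot tree, read-only)
#   /tank/www                                  (live tree)

# find_stealth_changes SNAPDIR LIVEDIR
# Prints the relative path of every regular file under LIVEDIR that differs
# in content from its counterpart under SNAPDIR but has the same mtime.
find_stealth_changes() {
    snap=$1
    live=$2
    ( cd "$live" && find . -type f ) | sed 's|^\./||' | while IFS= read -r rel; do
        old="$snap/$rel"
        new="$live/$rel"
        [ -f "$old" ] || continue          # new file: zfs diff already lists it
        cmp -s "$old" "$new" && continue   # identical content: nothing to report
        # find -newer is true only when the mtime is strictly greater, so if
        # neither file is newer than the other, their timestamps are equal.
        if [ -z "$(find "$new" -newer "$old")" ] &&
           [ -z "$(find "$old" -newer "$new")" ]; then
            printf '%s\n' "$rel"
        fi
    done
}

# Stand-alone use: ./stealth.sh SNAPDIR LIVEDIR
if [ $# -eq 2 ]; then
    find_stealth_changes "$1" "$2"
fi
```

Run it after zfs diff has shown that the snapshot and the live dataset differ; an empty result means every modified file also carries a newer timestamp.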
 
If installed on the host, can it be used on the mail server, or does the mail server need to have its own as well?

You don't want to do a jail-to-host data pipeline for virus checking incoming emails. If someone exploits a vulnerability in the AV scanner, your host can be compromised, instead of the jail.
 
Scanning emails needs to be done by Amavisd or SpamAssassin with ClamAV, which must be inside the mail server jail.

Keep software installed in the host to an absolute minimum. The more you add, the higher the risk that your host will be compromised. Use a jail for everything else if you can. If the host gets compromised, all jails go down. If a jail gets compromised, the host and other jails are still protected. Keep the host and jails separate from each other as much as you can. I don't use pipelines between jails or the host.
 
Thank you all for your input. As I am starting to host our own website and mail, I really value all of your advice.

Thank you

I also use the pf firewall to prevent certain users from opening outgoing connections. It can help sometimes (www, mysql…), but it's not a smart move if you expect this WordPress to update itself automatically ;)
patpro, could you please tell me how you do that, as I was told that it was not possible to restrict a user account via pf.
See my post here https://forums.freebsd.org/threads/restrict-user-account-via-pf.51203/#post-287091
 
...
pkg audit is fine, but can be late by weeks on listing vuln. So be sure to follow a CERT mailing list...

The "given enough eyeballs, all bugs are shallow" saying absolutely applies here too. pkg audit shouldn't be behind, but we are all only human and not infallible. Whether it's a kernel panic, a vulnerability that hasn't been fixed/documented yet, or even a spelling error, it's all a bug and should be reported at https://bugs.FreeBSD.org/bugzilla/.
 
fred974, in fact the thread you're pointing at says the same as I do.

What I suggest in a previous post is to filter OUTGOING connections, according to LOCAL user. The firewall (pf) can know a local userID of a process opening a connection, and it can take actions based upon that knowledge.

I use as a last rule in my pf.conf:
Code:
block out log proto { tcp, udp } user { 80, 88 } label "www-mysql output deny"
which basically prevents user www and user mysql from opening outgoing connections (unless it has been allowed with quick earlier in the ruleset).

You must not try to do this until you're familiar with pf and confident in your firewalling skills. Read a lot (OpenBSD's pf documentation is a good start), and practice in a virtual machine or a physically accessible machine if you can. Don't lock yourself out of a remote box.
 
It's a good practice to test the PF rules on a test machine or in VirtualBox before putting them on a production server, so you won't get yourself or your clients locked out of the server with bad PF rules.

OpenBSD's PF is a little bit different from FreeBSD's, but there is plenty of documentation on the web for FreeBSD's PF. Start off with a basic rule allowing yourself into the server with SSH, then you can add more rules for your clients.

Here is the basic rule to start off with and you can expand to meet your needs.

/etc/rc.conf
Code:
pf_enable="YES"
pf_rules="/etc/pf.conf"

/etc/pf.conf
Code:
ext_if = "em0"             # external interface card
ext_addr = "192.168.1.10"  # host (server) IP address
int_net = "10.0.0.0/24"    # internal IP subnet for jails
int_web = "10.0.0.1"       # web server jail IP address

# NAT internal IP addresses
nat on $ext_if from $int_net to any -> ($ext_if)

# SSH to Host (use non-standard SSH port to minimize attacks)
rdr on $ext_if proto tcp from any to $ext_if port 22222 -> $ext_addr port 22

# Jail - web
rdr on $ext_if proto tcp from any to $ext_addr port { 22, 80, 443 } -> $int_web

# block all incoming ports
block in

# allow all traffic out from server
pass out all keep state
pass quick on lo

# allow traffic into server
# Filter rules see the packet after rdr translation, so the SSH rule must
# match the translated destination port 22, not the external port 22222.
pass in on $ext_if proto tcp to $ext_addr port 22 keep state              # Host - SSH
pass in on $ext_if proto tcp to $int_web port { 22, 80, 443 } keep state  # Jail - Web
 
The firewall (pf) can know a local userID of a process opening a connection, and it can take actions based upon that knowledge.
Could you please confirm whether pf knows the local user ID if that user is inside a jail?

Can I do
Code:
block out log proto { tcp, udp } user { 80, 88 } label "www-mysql output deny"
when my www user is in my web jail and my mysql user is in my database jail?
 
Could you please confirm whether pf knows the local user ID if that user is inside a jail?

Can I do
Code:
block out log proto { tcp, udp } user { 80, 88 } label "www-mysql output deny"
when my www user is in my web jail and my mysql user is in my database jail?

It only works if the user IDs match exactly between the host and the jail. Unix-like systems use the numerical user IDs behind the scenes for the actual operations, not the plain text names.
 
80 is the www user ID
88 is the mysql user ID
1001 is the johndoe user ID (you have to create it)

You will need to have johndoe with user ID 1001 in both the host and the jail for this to work.

so you will do this...

Code:
block out log proto { tcp, udp } user { 80, 88, 1001 } label "www-mysql output deny"

You can use vipw to add this line in the host and the jail, and there is no need to create a user directory (master.passwd format: name:password:uid:gid:class:change:expire:gecos:home:shell).
Code:
johndoe:*:1001:1001::0:0:John Doe:/nonexistent:/usr/sbin/nologin

IMHO it'll be too much work if you've got 200 users, so it's better to use 80 and 88, as most web and MySQL servers use these UIDs to run.

I don't use the above for my servers, and it could be a problem for Joomla, WordPress or plugins fetching updates over port 80.
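Since the pf "user" match works on numeric UIDs shared by host and jails, the rule above only covers a jail's www, mysql or johndoe processes if those names resolve to the same UIDs inside the jail. The following is an added example (not Remington's or patpro's code) that checks host and jail passwd files for exactly that mismatch; the jail root paths in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. pf's "user { 80, 88, 1001 }" matches the
# numeric UID owning the socket, inside a jail as well as on the host, so a
# name that maps to a different UID in a jail (or is missing there) is not
# covered by the host-side block rule. Compare the passwd files to find out.

# uid_of PASSWD_FILE NAME -> prints NAME's UID, or nothing if NAME is absent.
uid_of() {
    awk -F: -v n="$2" '$1 == n { print $3; exit }' "$1"
}

# check_uid_match HOST_PASSWD JAIL_PASSWD NAME...
# Prints "NAME host=UID jail=UID" for every name whose UID differs or is
# missing on one side ("-"). Returns 0 when all names match, 1 otherwise.
check_uid_match() {
    host_pw=$1
    jail_pw=$2
    shift 2
    rc=0
    for name in "$@"; do
        h=$(uid_of "$host_pw" "$name")
        j=$(uid_of "$jail_pw" "$name")
        if [ -z "$h" ] || [ -z "$j" ] || [ "$h" != "$j" ]; then
            printf '%s host=%s jail=%s\n' "$name" "${h:--}" "${j:--}"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use against every running jail (jls -h prints a header line;
# the jail roots come from jls, the user list is whatever your pf rule names):
#   for root in $(jls -h path | sed 1d); do
#       echo "== $root"
#       check_uid_match /etc/passwd "$root/etc/passwd" www mysql johndoe
#   done
if [ $# -ge 3 ]; then
    check_uid_match "$@"
fi
```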
 