What security do you use in your server

[freebuser]

Hello All,

I am using FreeBSD-9.0-RELEASE as a web and media server for personal use - exposed to internet.

I use pf as the firewall and the server is also behind an ADSL router/modem.

Very recently I found out about Snort.

So I thought of starting this thread for you to share your security setup so if someone doesn't know about a particular software then they can atleast find out more about them and use it if they wish.

So what are your experiences in securing your server and the softwares you are using to achieve that.

Thanks,

 

[Lorem-Ipsum]

I used to have ssh on port 22 with standard password authentication but after coming home one day to find out my auth.log was a few bazillion lines long I moved ssh to a non-standard port, started using key based auth only, and installed fail2ban. I also use pf with a fairly simple ruleset.

 

[throAU]

I have an edge router with fairly strict ACLs in front of my FreeBSD boxes, and block SSH on that (along with virtually everything else) from anywhere but trusted internal hosts.

To get ssh on one of my boxes, you need to VPN in via a Cisco ASA first.

 

[kpa]

I have a home system so my security settings are less strict. I haven't bothered to change the ssh(1) port from the default but I do use security/sshguard-pf to ban potential hackers. I use the Spamhaus DROP and EDROP IP blocklists on my PF firewall to avoid any connections from/to potentially dangerous addresses. I have my own domain with my own system as the mail handler for the domain, I've setup greylisting using mail/milter-greylist with sendmail(8).

 

[alie]

SSH with non-standard port.

 

[wblock@]

kpa: how often do you update the EDROP list? Do you have an automatic update process, or just import it into a file-backed table manually?

 

[kpa]

I have a cronjob that fetches the lists once a week and reloads the pf tables.

 

[mamalos]

I usually run all my servers behind jails with securelevel 3. Jails are mounted read-only, except for /var and /tmp which are mounted rw/noexec. I use some custom scripts to enforce acls and extended attributes on sensitive files and folders of my jails (eg /lib, /bin, /sbin, etc). The same script usually unsets the setuid bit from most binaries, except /usr/bin/login and a few others -depending on the services running-. My jails run each on a separate interface and reach the rest of the world via PF rules of my host system. On few of my servers I use subsystems of the TrustedBSD project. Last, I allow only incoming ssh connections on one of my servers (usually running OpenBSD) listening on a different port, allowing key authentication only, from which I reach the rest of my servers using SSH via Kerberos or key authentication (depending on the case).

 

[Orum]

SSH with non-standard port.

I have to disagree with this; it's merely security through obscurity. If you really want to prevent brute force & DoS against ssh, but still allow external access, I'd recommend setting up a VPN such as OpenVPN. With it, you can use UDP and tls-auth, which has several advantages

• UDP port does not show up in port scans
• Even if an attacker does know what port you're running it on, tls-auth prevents both replay and brute-force attacks
• More resistant to (D)DoS attacks, as the hashing is much faster than TCP handshake/tear-down

In addition, to prevent DDoS or spoofed UDP packet DoS, I'd recommend against using a "stateful UDP" rule, as if an attacker does know the port, they could try and exhaust the state table with garbage, similar to what can happen with a half-open SYN flood.

 

[mamalos]

... I'd recommend setting up a VPN such as OpenVPN...

This is not always "more" secure. If I am not mistaken, OpenSSH has a relatively good history of vulnerabilities compared to most daemons around. I am not sure about OpenVPN, but I wouldn't trust it out of the box without looking at its history.

• UDP port does not show up in port scans...

This is not the general case. If someone wants to, they can definitely issue a UDP port-scan. On the other hand, what OpenVPN allows that can make a portscan practically useless, is that it can be easily configured to permit connections only through a specific client UDP/TCP port.

 

[kpa]

This is not the general case. If someone wants to, they can definitely issue a UDP port-scan.

What gets sent in an UDP packet is completely user definable. If you don't know the details of the service you are going to probe you can not be sure if you ever get anything back. With OpenVPN you can turn on what is called HMAC filtering that signs all packets with cryptographic key. The server silently drops any packets without the signature. So even if the attacker knows that there is an OpenVPN service listening on UDP port 1194 he will get zero replies no matter what he tries.

OpenVPN is pretty damn secure if you configure it right. Especially in point-to-point mode where a potential listener will not be able to make heads to tails from the traffic because there's no initial negotiation with an identifiable initial packet or anything other recognizable.

I'd like to see a report of a case where a properly configure OpenVPN tunnel was compromised (operator PEBKACs excluded). I'm bold enough to claim that you can't find one. Prove me wrong

 

[mamalos]

kpa,

I don't understand why you're getting upset. I posted my personal opinion with respect to OpenSSH and OpenVPN, and started by saying "If I am not mistaken". In case I am mistaken, then sorry.

As far as your "challenge" on finding a properly configured compromised OpenVPN server, I can't answer this, the same way I can't answer for a properly configured OpenSSH server that has been compromised. This doesn't mean that none of them exists. From a quick search on OpenVPN CVE's I found out that they are indeed very few (fewer than OpenSSH's) instances for the same period of time, but you can see here and here that there have existed some vulnerabilities in the past that allowed for remote command execution, which means that there might have been some time where a properly configured OpenVPN server has been compromised.

Excuse me if I have insulted you in some way, because from the tone of your post it seems that I have. I have just expressed my opinion AND -as I said before- I started expressing it by saying "If I am not mistaken" only to prevent someone from feeling offended (most probably I haven't).

 

[kpa]

I'm not upset in any way and I'm glad that you took the time to dig up some potential vulnerabilities in OpenVPN. I guess I sometimes have a funny way of writing that people mistake as offensive or upset in tone, apologies.

 

[gkontos]

@freebuser

For a webserver you might want to have a look at www/mod_security.

No matter how many firewalls you put behind the most danger will come from layer 7.

 

[freebuser]

Thanks gkontos,

That is something new I learned today :stud.

Much appreciated for sharing this.

Cheers,

 

[freebuser]

When I read through some articles about mod_security, I found out that it was created for Apache and available for other web servers very recently.

I also found out that NAXSI is a Web Application Firewall for Nginx (which is the webserver in my case).

So for people with Nginx web server please refer May 2012 BSD Magazine.

Cheers,

 

[wblock@]

www/mod_security is great. My only difficulty with it is the documentation, which lacks useful examples in almost every case. But I have managed to use it successfully to detect webserver attacks and add those IP addresses to firewall block lists.