I apologize for the html, but it is a copy from a web post I did. I wanted to share this with list members and hope it helps others. I tried not to be redundant and add things I have not seen posted before. Always interested in constructive thoughts, better ideas, etc.
*Security thoughts for server admins/webmasters*
------------------------------------------------------------------------

I would like to add some security measures I like to use. These are not listed on security sites and I feel it is time someone posted this stuff.
This concerns programs/items used by webmasters/server admins on a very irregular basis. (not very often).
This list assumes you have an IPMI card with its own eth port or an onboard IPMI interface, both having video access. Or accessing the shell of a virtual host to access virtual servers located on it. (if no IPMI)
*PHPMYADMIN* - This is a wonderful tool for use by web programmers. Most security with this program lists just two protections:

a) Use htaccess to password protect, force SSL
b) Alias the folder from /phpmyadmin to something like /examp
This is where security measures, aside from keeping updated, seem to end. This is bad. There is more you can do to protect that access to your database.
PhpMyAdmin is a program you will use at times, but 99% of the time you will never touch it at all. So why would you leave it open to hackers all the time? Simply disable the 'alias' in httpd to prevent it from being accessed. For example in CentOS 6 the file /etc/httpd/conf.d/phpmyadmin.conf contains this directory information. (or something like it.)
I have added 'Deny from ALL' and commented out 'Allow from ALL' and restarted httpd. (The allowoverride is allowing htaccess protection for the folder.) You could comment out everything except the allowoverride and deny from all...
```apache
<Directory /usr/share/phpMyAdmin/>
    Order Deny,Allow
    Deny from All
    Allow from 127.0.0.1
    Allow from ::1
    #Allow from All
    AllowOverride All
</Directory>
```
Once httpd is restarted no one can access the phpmyadmin folder if it is not in the html folder. (In CentOS 6 the program is usually located in /usr/share/phpMyAdmin.)
This prevents the hacking of your phpmyadmin program. If you think about it, outside of a small fix or initial programming you will almost never use the program.
So why do you leave it open to everyone 24 hours a day?
*IPMI* - IPMI is great but if you are a webmaster you are probably leaving this open to the internet.
If you are local to the datacenter, or the datacenter is really cool, you can remove the eth cable from the ipmi port. And ask them to plug it in when there is an issue.
This only works if you have a separate ipmi card with its own eth port. (and helps if you tag the cable and port for the center)
I think most of us seldom, if ever, use our IPMI during the course of a year once the system is set up.
This prevents root access, IPMI card getting hacked, and still allows emergency access with a quick visit or a phone call.
*IPMI, Virtual Host, Virtual Machines*
*Your Virtual Host server* - I seldom ever need to go into my virtual host. It is set up correctly and I get my logwatches every day. I have no ports open on it.
If I never use it, why would I leave a shell port open 24 hours a day? If I have an IPMI card I can log in and open that port. Then I can do what I need to do.
Safest, if IPMI is available (with video), is to comment out/disable the ssh port. On a virtual host you most likely use a physical bridge. This means nothing is touching the host. Great security tip.
*Virtual Machines - DNS* - Are your DNS servers virtual machines on a server (or on a dedicated with an IPMI card in it)? I bet you never access shell except to make that very rare DNS change. And if you use rndc you never use shell. If you have IPMI with video, disable the ssh port. Enable it via IPMI on those very rare instances you need to access it. Logwatch can still send out. Only port 53 should be open 24 hours a day (and if rndc, that port too...and 5353 if you are doing that).
There is no reason to leave this system open to the net at all. Enable shell when you need it and then disable when done. You do not need to open port 25 (or any port) to send emails out of the system.
So why do you leave port 22 (or other shell port) on 24 hours a day if you never ever use it?
*MYSQL servers* - Again, if on a virtual host or even its own dedicated, disable port 22 (ssh port) and only enable via IPMI on those rare times you need to use it.
*Your website/webserver* - The same issue remains. Outside of the times you are using shell OR FTP...these ports should be disabled. Enable using IPMI.
This simple act prevents a lot of hack attempts, log filling, and gives massive peace of mind.
Yes, you use shell and ftp...but not that much. Think about it. You might use ftp and shell a lot, but you are leaving those ports open 24 hours a day, 7 days a week. I guarantee outside of massive program days you use less than 5% of that time on those ports.
So why open your server to being hacked? Close the ports.
*Your open source or commercial web application* - .htaccess protect any folder that does not need to be accessed by a user via http. Most files are grabbed by an index file and are still able to be used even with htaccess protection. Try it.
Definitely do this with your administrative folders. There is no reason not to do this.
But how many times do you really access that admin folder?
I would say put a fake htaccess protection file in all the folders you can. Fake meaning the user required does not exist and there is no password for it. Then it will not be passed. The admin folder can also be done this way, but add commented out sections with real user/pass info.
Then when you need to go to the admin section, you shell/ftp in, change the htaccess file, then do what you need to do. Then comment out the real access info.
This prevents any access from an external user to these folders for the 99% of the time you are not using your admin...and 100% of the time for the folders they should never be visiting.
Outside of a programming/fix/update you will seldom be doing admin work, program work, and your system/web apps will be running without your input. So why leave all this open to hackers 24 hours a day?
These simple things can block 100% of brute force shell attacks across your system...if you can unplug the IPMI card (with an easy way to replug it) then you cannot be accessed via shell across all your systems. Sleep in peace.
A majority of hacks on open source revolve around getting to that admin folder...or some other folder of a plug-in. The hacker will have a heck of a time brute forcing an htaccess protected folder where no user/pass combo will ever work.
*On a final note....*
If you are building a web application you should use a mysql user that is only allowed to update and select... With proper programming you can set up items to be deleted via a cron job using a mysql user that has a bit more access.
This prevents a hacker from actually deleting or altering any data....and easily rolled back.
This is how I program and I think it should be standard. As far as I know not one single program does this...and that is a shame.
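The phpMyAdmin <Directory> lockdown and the "fake" .htaccess idea for admin folders above both come down to one switch: closed by default, opened only for the maintenance window, then closed again. The script below is an added example, not code from the original post. It assumes Apache 2.2 on CentOS 6 (Order/Allow/Deny syntax); every path in it (the phpMyAdmin conf, the admin folder, the two htpasswd files) is a placeholder to override in the environment. The closed state of the admin folder keeps a real Basic-auth challenge but points AuthUserFile at a deliberately empty file, so the challenge is always presented and no user/pass can ever match.

```shell
#!/bin/sh
# Added example (not from the original post): one "maintenance window" switch
# for the two things the post says to keep closed 99% of the time, the
# phpMyAdmin <Directory> block and an admin folder's .htaccess.
# Assumes Apache 2.2 on CentOS 6. All paths are placeholders.
PMA_CONF="${PMA_CONF:-/etc/httpd/conf.d/phpmyadmin.conf}"
PMA_DIR="${PMA_DIR:-/usr/share/phpMyAdmin}"
ADMIN_HTACCESS="${ADMIN_HTACCESS:-/var/www/html/myapp/admin/.htaccess}"
HTPASSWD_REAL="${HTPASSWD_REAL:-/etc/httpd/admin.htpasswd}"    # real users, kept outside DocumentRoot
HTPASSWD_EMPTY="${HTPASSWD_EMPTY:-/etc/httpd/nobody.htpasswd}"  # always empty: no login can ever match

# write_pma_conf MODE FILE
#   closed: Deny from All (localhost still allowed), "Allow from All" commented out
#   open:   Allow from All, so the folder's own .htaccess password is the gate
write_pma_conf() {
    case "$1" in
        closed) allow_all="    #Allow from All" ;;
        open)   allow_all="    Allow from All" ;;
        *) echo "write_pma_conf: mode must be open|closed" >&2; return 2 ;;
    esac
    cat > "$2" <<EOF
<Directory $PMA_DIR/>
    Order Deny,Allow
    Deny from All
    Allow from 127.0.0.1
    Allow from ::1
$allow_all
    AllowOverride All
</Directory>
EOF
}

# write_admin_htaccess MODE FILE
#   closed: Basic auth against an always-empty password file (the post's "fake"
#           protection: the challenge is real, but no user/pass can ever match)
#   open:   Basic auth against the real password file
write_admin_htaccess() {
    case "$1" in
        closed) userfile=$HTPASSWD_EMPTY ;;
        open)   userfile=$HTPASSWD_REAL ;;
        *) echo "write_admin_htaccess: mode must be open|closed" >&2; return 2 ;;
    esac
    cat > "$2" <<EOF
AuthType Basic
AuthName "Admin"
AuthUserFile $userfile
Require valid-user
EOF
}

# access_window MODE: rewrite both files, then reload Apache only if the config parses
access_window() {
    : > "$HTPASSWD_EMPTY"   # the empty file must exist; a missing AuthUserFile is an error, not a 401
    write_pma_conf "$1" "$PMA_CONF" || return $?
    write_admin_htaccess "$1" "$ADMIN_HTACCESS" || return $?
    apachectl configtest && service httpd reload
}

# usage: sh access_window.sh open   (do the work)   ...   sh access_window.sh closed
case "${1:-}" in
    open|closed) access_window "$1" ;;
esac
```

Running it with no argument does nothing, so the functions can be sourced and exercised against scratch files before touching the live configuration.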
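For the "close port 22, open it from the IPMI console when needed" routine described for the virtual host, DNS, MySQL and web servers, the one thing that goes wrong in practice is forgetting to close it again. The script below is an added example, not code from the original post: it inserts the iptables accept rule for the ssh port and immediately queues its own removal with `at`, so the window closes even if the console session is abandoned. It assumes CentOS 6 style iptables (no firewalld), a running atd, and that the saved rule set in /etc/sysconfig/iptables has no ssh accept rule (the closed state is therefore what survives a reboot). `DRY_RUN=1` prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original post). Opens the ssh port for a bounded
# window and queues its own closing, so a session started from the IPMI console
# cannot leave port 22 open by accident. Assumes CentOS 6 style iptables and atd.
SSH_PORT="${SSH_PORT:-22}"
WINDOW_MIN="${WINDOW_MIN:-60}"   # minutes the port stays open
DRY_RUN="${DRY_RUN:-0}"          # 1 = print commands instead of running them
SELF=$(readlink -f -- "$0" 2>/dev/null || printf '%s' "$0")   # absolute path for the at job

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# ssh_rule ACTION: -I inserts the accept rule at the top of INPUT, -D deletes one copy.
# Inserted rather than appended so it lands before the stock ruleset's final REJECT.
ssh_rule() {
    run iptables "$1" INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
}

# ssh_open: allow new ssh connections now, and schedule the close for later.
# The rule is never saved with 'service iptables save', so a reboot also closes it.
ssh_open() {
    ssh_rule -I
    if [ "$DRY_RUN" = 1 ]; then
        echo "echo '$SELF close' | at now + $WINDOW_MIN minutes"
    else
        echo "$SELF close" | at now + "$WINDOW_MIN" minutes
    fi
}

# ssh_close: remove every copy of the accept rule (repeated opens stack copies);
# iptables -D fails once no copy is left, which ends the loop.
ssh_close() {
    if [ "$DRY_RUN" = 1 ]; then ssh_rule -D; return; fi
    while ssh_rule -D 2>/dev/null; do :; done
}

# usage: sh ssh_window.sh open   (work from ssh)   ...   sh ssh_window.sh close
case "${1:-}" in
    open)  ssh_open ;;
    close) ssh_close ;;
esac
```

Only NEW connections are matched, so with the stock CentOS 6 ruleset (whose first rule accepts ESTABLISHED,RELATED traffic) a session that is already logged in survives the close; only fresh connection attempts are refused after the window.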
On 6/7/2012 7:42 PM, Bob Hoffman wrote:
> *On a final note....*
> If you are building a web application you should use a mysql user that is only allowed to update and select... With proper programming you can set up items to be deleted via a cron job using a mysql user that has a bit more access.
> This prevents a hacker from actually deleting or altering any data....and easily rolled back.
> This is how I program and I think it should be standard. As far as I know not one single program does this...and that is a shame.
Sorry, I meant select and insert only.
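The two-account setup from the final note, with the corrected privilege set (SELECT and INSERT only for the web application's account), as an added example that is not the post's own code. The database, account and table names (myapp, myapp_web, myapp_cron, deletion_queue, posts) are made up for the example, and the cron account's password is assumed to live in a root-only option file rather than in web code. Since the web account cannot UPDATE or DELETE, a "delete" from the web side is an INSERT into a queue table; the cron job, running as the only account with DELETE, applies queued requests after a grace period unless a later cancel request was queued for the same row, which is where the "easily rolled back" part comes from.

```shell
#!/bin/sh
# Added example (not from the original post). Two MySQL accounts for one web
# application: the web account gets SELECT and INSERT only; a separate cron
# account gets DELETE. "Deleting" from the web side means inserting a request
# into deletion_queue; the cron job applies it after GRACE_DAYS.
# All names are made up for this example.
DB="${DB:-myapp}"
WEB_USER="${WEB_USER:-myapp_web}"
CRON_USER="${CRON_USER:-myapp_cron}"
GRACE_DAYS="${GRACE_DAYS:-7}"                          # window in which a queued deletion can still be cancelled
CRON_CNF="${CRON_CNF:-/etc/myapp/cron.cnf}"            # root-only [client] file holding the cron account's password

# grant_sql: prints the queue table and the grants; run once as root,
# e.g.  grant_sql | mysql -u root -p
grant_sql() {
    cat <<EOF
CREATE TABLE IF NOT EXISTS $DB.deletion_queue (
    id        INT AUTO_INCREMENT PRIMARY KEY,
    tbl       VARCHAR(64) NOT NULL,
    row_id    INT NOT NULL,
    action    ENUM('delete','cancel') NOT NULL,
    requested DATETIME NOT NULL
);
CREATE USER '$WEB_USER'@'localhost' IDENTIFIED BY 'WEB-PASSWORD-PLACEHOLDER';
CREATE USER '$CRON_USER'@'localhost' IDENTIFIED BY 'CRON-PASSWORD-PLACEHOLDER';
-- web account: read and append only; it cannot change or remove existing rows
GRANT SELECT, INSERT ON $DB.* TO '$WEB_USER'@'localhost';
-- cron account: the only one allowed to delete
GRANT SELECT, DELETE ON $DB.* TO '$CRON_USER'@'localhost';
FLUSH PRIVILEGES;
EOF
}

# purge_sql: the statement the cron job runs as the cron account. Deletes posts
# whose 'delete' request is older than GRACE_DAYS and has no later 'cancel'.
purge_sql() {
    cat <<EOF
DELETE p FROM $DB.posts AS p
JOIN $DB.deletion_queue AS q
  ON q.tbl = 'posts' AND q.row_id = p.id AND q.action = 'delete'
WHERE q.requested < NOW() - INTERVAL $GRACE_DAYS DAY
  AND NOT EXISTS (SELECT 1 FROM $DB.deletion_queue AS c
                  WHERE c.tbl = q.tbl AND c.row_id = q.row_id
                    AND c.action = 'cancel' AND c.requested > q.requested);
EOF
}

# run_purge: what the crontab line calls, e.g.
#   15 3 * * * /usr/local/sbin/purge_queue.sh purge
run_purge() {
    purge_sql | mysql --defaults-extra-file="$CRON_CNF" "$DB"
}

case "${1:-}" in
    grants) grant_sql ;;
    purge)  run_purge ;;
esac
```

The web code itself only ever runs `INSERT INTO deletion_queue (tbl, row_id, action, requested) VALUES ('posts', ?, 'delete', NOW())` (or the same with 'cancel'); a compromised web account can add requests but cannot remove or alter any existing row, and anything it queues stays reversible for the whole grace period.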