[CentOS] some security measures I would like to share

Thu Jun 7 23:42:15 UTC 2012
Bob Hoffman <bob at bobhoffman.com>

I apologize for the html, but it is a copy from a web post I did.
I wanted to share this with list members and hope it helps others.
I tried not to be redundant and add things I have not seen posted before.
Always interested in constructive thoughts, better ideas, etc.


  *Security thoughts for server admins/webmasters*

------------------------------------------------------------------------
I would like to add some security measures I like to use. These are not 
listed on security sites and I feel it is time someone posted this stuff.

This concerns programs/items used by webmasters/server admins on a very 
irregular basis. (not very often).

This list assumes you have an IPMI card with its own eth port or an 
onboard IPMI interface, both having video access.
Or, if there is no IPMI, that you can access the shell of a virtual host 
to reach the virtual servers located on it.

*PHPMYADMIN* - This is a wonderful tool for use by web programmers. Most 
security guides for this program list just two protections.
a) Use htaccess to password protect, force SSL
b) Alias the folder from /phpmyadmin to something like /examp

This is where security measures, aside from keeping updated, seem to 
end. This is bad. There is more you can do to protect that access to 
your database.

PhpMyAdmin is a program you will use at times, but 99% of the time you 
will never touch it at all. So why would you leave it open to hackers 
all the time?
Simply disable the 'alias' in httpd to prevent it from being accessed.
For example in CentOS 6 the file /etc/httpd/conf.d/phpmyadmin.conf 
contains this directory information. (or something like it.)

I have added 'Deny from All' and commented out 'Allow from All' and 
restarted httpd. (The AllowOverride is allowing htaccess protection for 
the folder.) You could comment out everything except the AllowOverride 
and Deny from All...

<Directory /usr/share/phpMyAdmin/>
Order Deny,Allow
Deny from All
Allow from 127.0.0.1
Allow from ::1
#Allow from All
AllowOverride All
</Directory>

Once httpd is restarted no one can access the phpmyadmin folder if it is 
not in the html folder. (in centos 6 the program is usually located in 
/usr/share/phpmyadmin).

This prevents the hacking of your phpmyadmin program.
If you think about it, outside of a small fix or initial programming you 
will almost never use the program.

So why do you leave it open to everyone 24 hours a day?


*IPMI*
IPMI is great but if you are a webmaster you are probably leaving this 
open to the internet.

If you are local to the datacenter, or the datacenter is really cool, 
you can remove the eth cable from the ipmi port. And ask them to plug it 
in when there is an issue.

This only works if you have a separate ipmi card with its own eth port. 
(and helps if you tag the cable and port for the center)

I think most of us seldom, if ever, use our IPMI during the course of a 
year once the system is set up.

This prevents root access, the IPMI card getting hacked, and still allows 
emergency access with a quick visit or a phone call.


*IPMI, Virtual Host, Virtual Machines*

*Your Virtual Host server*
I seldom ever need to go into my virtual host. It is set up correctly 
and I get my logwatches every day. I have no ports open on it.

If I never use it, why would I leave a shell port open 24 hours a day? 
If I have an IPMI card I can log in and open that port. Then I can do 
what I need to do.

Safest, if IPMI is available (with video) is to comment out/disable the 
ssh port. On a virtual host you most likely use a physical bridge. This 
means nothing is touching the host. Great Security tip.


*Virtual Machines- DNS*
Are your DNS servers virtual machines on a server (or on a dedicated 
with an IPMI card in it)? I bet you never access shell except to make 
that very rare dns change. And if you use rndc you never use shell.
If you have IPMI with video, disable the ssh port. Enable it via IPMI on 
those very rare instances you need to access it.
Logwatch can still send out.
Only port 53 should be open 24 hours a day (and if rndc, that port 
too...and 5353 if you are doing that).

There is no reason to leave this system open to the net at all. Enable 
shell when you need it and then disable when done.
You do not need to open port 25 (or any port) to send emails out of the 
system.

So why do you leave port 22 (or other shell port) on 24 hours a day if 
you never ever use it?

*MYSQL servers*
Again, if on a virtual host or even its own dedicated, disable port 22 
(the ssh port) and only enable it via IPMI on those rare times you need to use it.

*Your website/webserver*
The same issue remains. Outside of the times you are using shell OR 
FTP...these ports should be disabled. Enable using IPMI.

This simple act prevents a lot of hack attempts, log filling, and gives 
massive peace of mind.

Yes, you use shell and ftp....but not that much. Think about it.
You might use ftp and shell a lot, but you are leaving those ports open 
24 hours a day, 7 days a week. I guarantee outside of massive program 
days you use less than 5% of that time on those ports.

So why open your server to being hacked? Close the ports.
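The "enable the shell port from IPMI only when you need it" idea from the sections above, as an added example (not code from the original post): a small POSIX sh script to run from the IPMI or virtual-host console. It opens the ssh port to one admin address for a fixed number of minutes and then closes it again, so the port is never left open by mistake. It assumes a CentOS 6 style plain iptables setup (no firewalld), and the admin address 203.0.113.5 is a documentation placeholder.

```shell
#!/bin/sh
# Added example, not code from the original post. Opens the ssh port to one
# admin address for a fixed number of minutes and closes it again, so the
# port is never left open by accident. Meant to be run from the IPMI or
# virtual-host console on a CentOS 6 box with plain iptables (assumption).
# The rule is deliberately not saved with "service iptables save": a reboot
# brings the box back up closed.

IPTABLES="${IPTABLES:-/sbin/iptables}"   # set IPTABLES=echo to dry-run
SSH_PORT="${SSH_PORT:-22}"

# The match text is built in one place so that -D removes exactly what -I added.
ssh_rule() {
    [ -n "$1" ] || { echo "usage: ssh_rule <admin-ip>" >&2; return 1; }
    printf 'INPUT -p tcp -s %s --dport %s -j ACCEPT' "$1" "$SSH_PORT"
}

# -I puts the ACCEPT ahead of the chain's default REJECT/DROP rules.
ssh_open() {
    rule=$(ssh_rule "$1") || return 1
    $IPTABLES -I $rule
}

ssh_close() {
    rule=$(ssh_rule "$1") || return 1
    $IPTABLES -D $rule
}

# Open a window, wait, close. Start this from the console, do your work over
# ssh, and when the timer ends the port is closed even if you forgot.
ssh_window() {   # ssh_window <admin-ip> [minutes]
    admin_ip="$1"
    minutes="${2:-30}"
    ssh_open "$admin_ip" || return 1
    echo "port $SSH_PORT open to $admin_ip for $minutes minutes"
    sleep $((minutes * 60))
    ssh_close "$admin_ip"
}

# Example: ssh_window 203.0.113.5 20   (203.0.113.5 is a documentation address)
```

The ACCEPT rule is inserted at the top of INPUT and removed with the same match text, so nothing is saved to /etc/sysconfig/iptables and the closed state survives a reboot. The same pattern works for the FTP port by changing SSH_PORT.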


*Your open source or commercial web application*
.htaccess protect any folder that does not need to be accessed by a user 
via http. Most files are grabbed by an index file and are still able to 
be used even with htaccess protection. Try it.

Definitely do this with your administrative folders. There is no reason 
not to do this.

But how many times do you really access that admin folder?

I would say put a fake htaccess protection file in all the folders you 
can. Fake meaning the user required does not exist and there is no 
password for it. Then it will not be passed.
The admin folder can also be done this way, but add commented out 
sections with real user/pass info.

Then when you need to go to the admin section, you shell/ftp in, change 
the htaccess file, then do what you need to do. Then comment out the 
real access info.

This prevents any access from an external user to these folders for the 
99% of the time you are not using your admin...and 100% of the time for 
the folders they should never be visiting.
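The fake-htaccess idea above, as an added example (not code from the original post): a POSIX sh helper that writes the "closed" .htaccess (a required user that no password file contains, so every login attempt gets 401 and there is nothing to brute force) and switches the admin folder to the real password file for a timed window. Instead of hand-editing commented lines, it regenerates the file, which avoids leaving the real lines uncommented by accident. The file paths are placeholders I chose for this example; they must sit outside the document root, and the folder's Apache config needs AllowOverride AuthConfig (or All, as in the phpMyAdmin stanza above).

```shell
#!/bin/sh
# Added example, not code from the original post. Writes the "fake" .htaccess
# the post describes for folders nobody should reach over http, and the admin
# .htaccess that stays fake until you open it for a timed window. Paths are
# placeholders. The empty password file must exist (touch it once): Apache
# answers 500 rather than 401 if AuthUserFile cannot be opened.

HTPASSWD="${HTPASSWD:-/etc/httpd/conf/.htpasswd-admin}"     # real users: htpasswd -c FILE user
EMPTY_FILE="${EMPTY_FILE:-/etc/httpd/conf/.htpasswd-empty}" # zero-length, no login can match

# Render the .htaccess text for one folder. "closed" requires a user that no
# password file contains; "open" switches to the real file.
render_htaccess() {   # render_htaccess [open|closed]
    mode="${1:-closed}"
    if [ "$mode" = open ]; then
        userfile="$HTPASSWD"; require="valid-user"
    else
        userfile="$EMPTY_FILE"; require="user nobody-ever"
    fi
    printf 'AuthType Basic\nAuthName "restricted"\nAuthUserFile %s\nRequire %s\n' \
        "$userfile" "$require"
}

write_htaccess() {   # write_htaccess <dir> [open|closed]
    render_htaccess "${2:-closed}" > "$1/.htaccess"
}

# Report whether a folder currently accepts real logins.
htaccess_state() {   # htaccess_state <dir>
    if grep -q '^Require valid-user$' "$1/.htaccess"; then echo open; else echo closed; fi
}

# Open the admin folder for a timed window, then close it again so the real
# credentials are not left active when you walk away.
admin_window() {   # admin_window <admin-dir> [minutes]
    write_htaccess "$1" open
    echo "$1 open for ${2:-30} minutes"
    sleep $(( ${2:-30} * 60 ))
    write_htaccess "$1" closed
}

# Example: for d in /var/www/html/includes /var/www/html/uploads; do write_htaccess "$d"; done
#          admin_window /var/www/html/admin 20
```

Because the closed state requires a user that exists in no password file, a brute-force run against those folders can never succeed, which is the point of the original suggestion; the timer only makes sure the admin folder returns to that state.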




Outside of a programming/fix/update you will seldom be doing admin work, 
program work, and your system/web apps will be running without your 
input. So why leave all this open to hackers 24 hours a day?

These simple things can block 100% of brute force shell attacks across 
your system...if you can unplug the ipmi card (with an easy way to 
replug it) then you cannot be accessed via shell across all your 
systems. Sleep in peace.

A majority of hacks on open source revolve around getting to that admin 
folder....or some other folder of a plugin. The hacker will have a 
heck of a time brute forcing an htaccess protected folder where no 
user/pass combo will ever work.


*On a final note....*

If you are building a web application you should use a mysql user that 
is only allowed to update and select...
With proper programming you can set up items to be deleted via a cron 
job using a mysql user that has a bit more access.

This prevents a hacker from actually deleting or altering any 
data....and it is easily rolled back.
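The split-privilege MySQL setup described above, as an added example (not code from the original post): the web application account gets SELECT and UPDATE, and a separate account that may DELETE is used only by a cron job. The database name, account names, passwords, the items table and its deleted_at column are all placeholders I assume for this example; INSERT is added to the application grant because most applications must create rows (the post names only select and update).

```shell
#!/bin/sh
# Added example, not code from the original post. Sets up the split the post
# recommends: the web application account can read and change rows but never
# delete, and a second account that may DELETE is used by a cron job alone.
# Names, passwords and the items/deleted_at schema are placeholders. Passwords
# containing a single quote would break the SQL below; pick ones without.

DB="${DB:-appdb}"
PURGE_CNF="${PURGE_CNF:-/root/.my-purge.cnf}"   # [client] user/password, mode 0600

# SQL to create both accounts. Run once as root:
#   grants_sql 'app-pw' 'purge-pw' | mysql -u root -p
grants_sql() {   # grants_sql <app-password> <purge-password>
    app_pw="$1"; purge_pw="$2"
    cat <<EOF
CREATE USER 'webapp'@'localhost' IDENTIFIED BY '$app_pw';
GRANT SELECT, INSERT, UPDATE ON $DB.* TO 'webapp'@'localhost';
CREATE USER 'purge'@'localhost' IDENTIFIED BY '$purge_pw';
GRANT SELECT, DELETE ON $DB.* TO 'purge'@'localhost';
FLUSH PRIVILEGES;
EOF
}

# The application marks rows instead of deleting them
# (UPDATE items SET deleted_at = NOW()), which is what makes a mistaken or
# hostile "delete" reversible. Only rows flagged longer ago than the
# retention period are really removed, and only by the purge account.
purge_sql() {   # purge_sql [retention-days]
    days="${1:-30}"
    case "$days" in *[!0-9]*|'') echo "retention must be a number of days" >&2; return 1;; esac
    printf 'DELETE FROM items WHERE deleted_at IS NOT NULL AND deleted_at < NOW() - INTERVAL %s DAY;\n' "$days"
}

# Cron job body, e.g.  30 3 * * * /usr/local/sbin/purge.sh
# The option file keeps the purge password off the command line and out of ps.
run_purge() {   # run_purge [retention-days]
    purge_sql "${1:-30}" | mysql --defaults-extra-file="$PURGE_CNF" "$DB"
}
```

With this split, a compromise of the web application's database credentials cannot remove data: the worst it can do is flag rows, which the retention window leaves in place long enough to notice and undo with a single UPDATE.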

This is how I program and I think it should be standard. As far as I 
know not one single program does this...and that is a shame.