2014-09-30 21:46:19 +02:00
|
|
|
Server Hardening
|
|
|
|
----------------
|
2014-09-19 15:02:49 +02:00
|
|
|
|
|
|
|
While the defaults should be secure, there are some simple
|
|
|
|
administrative actions that will increase your overall security. None
|
|
|
|
of these steps are required, but we encourage you to read this
|
|
|
|
document to see if the enhancements are relevant for your environment.
|
|
|
|
|
2014-09-30 21:46:19 +02:00
|
|
|
Tighten PHP configuration
|
|
|
|
-------------------------
|
2014-09-19 15:02:49 +02:00
|
|
|
|
|
|
|
Tighten the security of the PHP installation by creating a file
|
|
|
|
/etc/php5/conf.d/harden.ini with the following content:
|
|
|
|
|
|
|
|
user@host:~$ sudo sh -c 'cat > /etc/php5/conf.d/harden.ini'
|
|
|
|
display_errors = Off
|
|
|
|
log_errors = On
|
|
|
|
user@host:~$
|
|
|
|
|
2014-09-30 21:46:19 +02:00
|
|
|
Tighten Apache configuration
|
|
|
|
----------------------------
|
2014-09-19 15:02:49 +02:00
|
|
|
|
|
|
|
Tighten the security of the Apache installation by making sure
|
|
|
|
directory listings are disabled globally. Edit
|
|
|
|
/etc/apache2/conf.d/security and make sure the following is
|
|
|
|
uncommented:
|
|
|
|
|
|
|
|
<Directory />
|
|
|
|
AllowOverride None
|
|
|
|
Order Deny,Allow
|
|
|
|
Deny from all
|
|
|
|
</Directory>
|
|
|
|
|
2014-09-30 21:46:19 +02:00
|
|
|
Time Synchronization
|
|
|
|
--------------------
|
2014-09-19 15:02:49 +02:00
|
|
|
|
|
|
|
For logging and (on the validation server) time-stamping it is
|
|
|
|
important to have synchronized clocks. Install ntp.
|
|
|
|
|
|
|
|
user@host:~$ sudo apt-get install ntp
|
|
|
|
...
|
|
|
|
|
2014-09-30 21:46:19 +02:00
|
|
|
Firewall
|
|
|
|
--------
|
2014-09-19 15:02:49 +02:00
|
|
|
|
|
|
|
There is no reason why the KSM needs to listen to incoming requests
|
|
|
|
from the entire Internet, and restricting access to the intended
|
|
|
|
YK-VAL servers are recommended.
|
|
|
|
|
|
|
|
user@ksm:~$ sudo sh -c 'cat > /etc/network/if-pre-up.d/iptables'
|
|
|
|
#!/bin/sh
|
|
|
|
# IPv4 firewall:
|
|
|
|
iptables -F
|
|
|
|
iptables -P INPUT DROP
|
|
|
|
iptables -P FORWARD DROP
|
|
|
|
iptables -P OUTPUT ACCEPT
|
|
|
|
iptables -A INPUT -i lo -p all -j ACCEPT
|
|
|
|
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
|
|
iptables -A INPUT -p tcp -i eth0 -s 1.2.3.4 --dport 22 -j ACCEPT
|
|
|
|
iptables -A INPUT -p tcp -i eth0 -s 2.3.4.5 --dport 80 -j ACCEPT
|
|
|
|
iptables -A INPUT -p tcp -i eth0 -s 2.3.4.5 --dport 443 -j ACCEPT
|
|
|
|
# IPv6 firewall:
|
|
|
|
ip6tables -F
|
|
|
|
ip6tables -P INPUT DROP
|
|
|
|
ip6tables -P FORWARD DROP
|
|
|
|
ip6tables -P OUTPUT ACCEPT
|
|
|
|
ip6tables -A INPUT -i lo -p all -j ACCEPT
|
|
|
|
ip6tables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
|
|
ip6tables -A INPUT -p icmpv6 -j ACCEPT
|
|
|
|
ip6tables -A INPUT -p tcp -i eth0 -s 2000:1:2::3 --dport 22 -j ACCEPT
|
|
|
|
ip6tables -A INPUT -p tcp -i eth0 -s 2000:2:3::4 --dport 80 -j ACCEPT
|
|
|
|
ip6tables -A INPUT -p tcp -i eth0 -s 2000:2:3::4 --dport 443 -j ACCEPT
|
|
|
|
user@ksm:~$ chmod +x /etc/network/if-pre-up.d/iptables
|
|
|
|
user@ksm:~$
|
|
|
|
|
|
|
|
Replace 1.2.3.4 (for IPv4) and 2000:1:2::3 (for IPv6) with the address
|
|
|
|
of the host you want to be able to login from via SSH, and replace
|
|
|
|
2.3.4.5 (for IPv4) and 2000:2:3::4 (for IPv6) with the address of the
|
|
|
|
YK-VAL that will be accessing this YK-KSM. Add more lines for each
|
|
|
|
validation server and SSH host.
|
|
|
|
|
|
|
|
For a validation server, you may want to allow HTTP(S) requests from
|
|
|
|
anyone, but not anything else.
|
|
|
|
|
|
|
|
user@val:~$ sudo sh -c 'cat > /etc/network/if-pre-up.d/iptables'
|
|
|
|
#!/bin/sh
|
|
|
|
# IPv4 firewall
|
|
|
|
iptables -F
|
|
|
|
iptables -P INPUT DROP
|
|
|
|
iptables -P FORWARD DROP
|
|
|
|
iptables -P OUTPUT ACCEPT
|
|
|
|
iptables -A INPUT -i lo -p all -j ACCEPT
|
|
|
|
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
|
|
iptables -A INPUT -p tcp -i eth0 -s 1.2.3.4 --dport 22 -j ACCEPT
|
|
|
|
iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
|
|
|
|
iptables -A INPUT -p tcp -i eth0 --dport 443 -j ACCEPT
|
|
|
|
# IPv6 firewall:
|
|
|
|
ip6tables -F
|
|
|
|
ip6tables -P INPUT DROP
|
|
|
|
ip6tables -P FORWARD DROP
|
|
|
|
ip6tables -P OUTPUT ACCEPT
|
|
|
|
ip6tables -A INPUT -i lo -p all -j ACCEPT
|
|
|
|
ip6tables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
|
|
ip6tables -A INPUT -p icmpv6 -j ACCEPT
|
|
|
|
ip6tables -A INPUT -p tcp -i eth0 -s 2000:1:2::3 --dport 22 -j ACCEPT
|
|
|
|
ip6tables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
|
|
|
|
ip6tables -A INPUT -p tcp -i eth0 --dport 443 -j ACCEPT
|
|
|
|
user@ksm:~$ chmod +x /etc/network/if-pre-up.d/iptables
|
|
|
|
user@ksm:~$
|
|
|
|
|
|
|
|
Again, replace 1.2.3.4 (for IPv4) and 2000:1:2::3 (for IPv6) with the
|
|
|
|
address of the host you want to be able to login from via SSH.
|
|
|
|
|
|
|
|
If you want to allow SSH and HTTP(S) from everywhere, but nothing
|
|
|
|
else, try this:
|
|
|
|
|
|
|
|
user@val:~$ sudo sh -c 'cat > /etc/network/if-pre-up.d/iptables'
|
|
|
|
#!/bin/sh
|
|
|
|
# IPv4 firewall
|
|
|
|
iptables -F
|
|
|
|
iptables -P INPUT DROP
|
|
|
|
iptables -P FORWARD DROP
|
|
|
|
iptables -P OUTPUT ACCEPT
|
|
|
|
iptables -A INPUT -i lo -p all -j ACCEPT
|
|
|
|
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
|
|
iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
|
|
|
|
iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
|
|
|
|
iptables -A INPUT -p tcp -i eth0 --dport 443 -j ACCEPT
|
|
|
|
# IPv6 firewall:
|
|
|
|
ip6tables -F
|
|
|
|
ip6tables -P INPUT DROP
|
|
|
|
ip6tables -P FORWARD DROP
|
|
|
|
ip6tables -P OUTPUT ACCEPT
|
|
|
|
ip6tables -A INPUT -i lo -p all -j ACCEPT
|
|
|
|
ip6tables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
|
|
ip6tables -A INPUT -p icmpv6 -j ACCEPT
|
|
|
|
ip6tables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
|
|
|
|
ip6tables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
|
|
|
|
ip6tables -A INPUT -p tcp -i eth0 --dport 443 -j ACCEPT
|
|
|
|
user@ksm:~$ chmod +x /etc/network/if-pre-up.d/iptables
|
|
|
|
user@val:~$
|
|
|
|
|
2014-09-30 21:46:19 +02:00
|
|
|
Database Encryption
|
|
|
|
-------------------
|
2014-09-19 15:02:49 +02:00
|
|
|
|
|
|
|
The database contains sensitive information. If someone is able to
|
|
|
|
access your machine physically, they may shut it off and steal it with
|
|
|
|
the goal of reading out the sensitive information. By encrypting the
|
|
|
|
disk, you can prevent this. Note that this does not protect against
|
|
|
|
an attacker who has physical access to your server and sufficient time
|
|
|
|
to read out the data from the already running system.
|
|
|
|
|
|
|
|
Full disk encryption will give you the highest protection, but
|
|
|
|
requires that you can enter the disk encryption password on each
|
|
|
|
power-up. This can be unpractical when your hosting environment is
|
|
|
|
remote.
|
|
|
|
|
|
|
|
Partial disk encryption allows the operating system to start up, and
|
|
|
|
enable you to login to the machine remotely to enter the disk
|
|
|
|
encryption password. This is less secure than full disk encryption,
|
|
|
|
because an attacker could physically disconnect your machine, modify
|
|
|
|
the operating system to send a copy of the password to the attacker,
|
|
|
|
but may be sufficient if you keep good track of when your machine is
|
|
|
|
not working properly.
|
|
|
|
|
|
|
|
To use partial disk encryption for the database content, we suggest
|
|
|
|
you install the operating system as normal but create another file
|
|
|
|
system on an encrypted volume.
|
|
|
|
|
|
|
|
If you need swap space, be sure to only put the swap on the encrypted
|
|
|
|
volume too. Make sure that the database does not start up
|
|
|
|
automatically on boot, and also make sure that the system does not
|
|
|
|
attempt to mount your encrypted partition automatically.
|
|
|
|
|
|
|
|
Setup:
|
|
|
|
|
|
|
|
user@ksm:~$ sudo apt-get install loop-aes-utils loop-aes-modules-2.6-amd64
|
|
|
|
...
|
|
|
|
user@ksm:~$ sudo rmmod loop && sudo modprobe loop
|
|
|
|
user@ksm:~$ sudo dd if=/dev/zero of=/root/ksm.img bs=1k count=1M
|
|
|
|
...
|
|
|
|
user@ksm:~$ sudo losetup -e AES128 /dev/loop0 /root/ksm.img
|
|
|
|
Password:
|
|
|
|
user@ksm:~$ sudo mkfs.ext2 -q /dev/loop0
|
|
|
|
user@ksm:~$ sudo mkdir /ksm
|
|
|
|
user@ksm:~$ sudo mount /dev/loop0 /ksm
|
|
|
|
user@ksm:~$ sudo /etc/init.d/postgresql-8.3 stop
|
|
|
|
...
|
|
|
|
user@ksm:~$ sudo update-rc.d -f postgresql-8.3 remove
|
|
|
|
user@ksm:~$ sudo mv /var/lib/postgresql /ksm
|
|
|
|
user@ksm:~$ sudo ln -s /ksm/postgresql /var/lib/postgresql
|
|
|
|
user@ksm:~$ sudo sh -c 'cat > /usr/local/sbin/ykksm-start'
|
|
|
|
#!/bin/sh
|
|
|
|
set -e
|
|
|
|
set -x
|
|
|
|
losetup -e AES128 /dev/loop0 /root/ksm.img
|
|
|
|
fsck /dev/loop0
|
|
|
|
mount /dev/loop0 /ksm/
|
|
|
|
/etc/init.d/postgresql-8.3 start
|
|
|
|
user@ksm:~$ sudo sh -c 'cat > /usr/local/sbin/ykksm-stop'
|
|
|
|
#!/bin/sh
|
|
|
|
set -e
|
|
|
|
set -x
|
|
|
|
/etc/init.d/postgresql-8.3 stop
|
|
|
|
umount /ksm
|
|
|
|
losetup -d /dev/loop0
|
|
|
|
user@ksm:~$ sudo chmod +x /usr/local/sbin/ykksm-{start,stop}
|
|
|
|
|
|
|
|
Slightly adapted for MySQL:
|
|
|
|
|
|
|
|
user@ksm:~$ sudo apt-get install loop-aes-utils loop-aes-modules-2.6-686
|
|
|
|
...
|
|
|
|
user@ksm:~$ sudo rmmod loop && sudo modprobe loop
|
|
|
|
user@ksm:~$ sudo dd if=/dev/zero of=/root/ksm.img bs=1k count=1M
|
|
|
|
...
|
|
|
|
user@ksm:~$ sudo losetup -e AES128 /dev/loop0 /root/ksm.img
|
|
|
|
Password:
|
|
|
|
user@ksm:~$ sudo mkfs.ext2 -q /dev/loop0
|
|
|
|
user@ksm:~$ sudo mkdir /ksm
|
|
|
|
user@ksm:~$ sudo mount /dev/loop0 /ksm
|
|
|
|
user@ksm:~$ sudo /etc/init.d/mysql stop
|
|
|
|
user@ksm:~$ sudo update-rc.d -f mysql remove
|
|
|
|
user@ksm:~$ sudo mv /var/lib/mysql /ksm
|
|
|
|
user@ksm:~$ sudo ln -s /ksm/mysql /var/lib/mysql
|
|
|
|
user@ksm:~$ sudo sh -c 'cat > /usr/local/sbin/ykksm-start'
|
|
|
|
#!/bin/sh
|
|
|
|
set -e
|
|
|
|
set -x
|
|
|
|
losetup -e AES128 /dev/loop0 /root/ksm.img
|
|
|
|
fsck /dev/loop0
|
|
|
|
mount /dev/loop0 /ksm/
|
|
|
|
/etc/init.d/mysql start
|
|
|
|
user@ksm:~$ sudo sh -c 'cat > /usr/local/sbin/ykksm-stop'
|
|
|
|
#!/bin/sh
|
|
|
|
set -e
|
|
|
|
set -x
|
|
|
|
/etc/init.d/mysql stop
|
|
|
|
umount /ksm
|
|
|
|
losetup -d /dev/loop0
|
|
|
|
user@ksm:~$ sudo chmod +x /usr/local/sbin/ykksm-{start,stop}
|
|
|
|
|
|
|
|
Then in the future, to start the YK-KSM, you will need to login to the
|
|
|
|
machine and issue the command 'sudo ykksm-start' and enter the disk
|
|
|
|
encryption password.
|
|
|
|
|
|
|
|
Again, make sure that you don't use any unencrypted swap.
|
|
|
|
|
2014-09-30 21:46:19 +02:00
|
|
|
Intrusion Detection
|
|
|
|
-------------------
|
2014-09-19 15:02:49 +02:00
|
|
|
|
|
|
|
To make some attacks discussed in the previous section harder, make
|
|
|
|
sure that your system has a hardware intrusion detection system and
|
|
|
|
that your software is notified when it is triggered. When the
|
|
|
|
intrusion detection is triggered, you should stop the database and
|
|
|
|
unmount the encrypted volume and send out a signal to your
|
|
|
|
administrators.
|