Securing TPS Fedora 4

Discussion in 'HOWTO-Related Questions' started by Hagforce, Mar 19, 2006.

  1. Hagforce

    Hagforce New Member

    Hello again :)

    I used your ISP setup on Fedora 4.

    This is my first Linux web server, so new questions come up all the time :rolleyes:

    I've now been running this setup on one server for two months, and installed another one about a week ago.

    The setup is basically unchanged from the tutorial; how secure is this?

    The question now is how I secure the server from attacks.
    -I would like to get logs on attacks etc. from the server daily.
    -I would like to protect SSH etc. from brute force.
    -Suggestions on modifications to the default setup to make it more secure.
    -And anything else to make it Fort Knox....

    What is the max e-mail size in Postfix by default, and how do I change this?

    Well, quite a lot of questions....
    It sums up to: how do I secure my server so it doesn't get hacked (I know it can't be 100% secure)?
     
    Last edited: Mar 19, 2006
  2. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    Have a look at portsentry and logcheck.

    http://www.howtoforge.com/preventing_ssh_dictionary_attacks_with_denyhosts

    What's the output of
    Code:
    postconf -n | grep message_size_limit
    and
    Code:
    postconf -d | grep message_size_limit
    ?
     
  3. Hagforce

    Hagforce New Member

    The output of postconf -n | grep message_size_limit is nothing....
    The output of postconf -d | grep message_size_limit is:
    Code:
    message_size_limit = 10240000
    Thanks for the tips on securing the server...

    Is this a guide that will work for me on Fedora with portsentry and logcheck (keep in mind that I'm a noob)... http://www.falkotimme.com/howtos/chkrootkit_portsentry/
    Should I also install chkrootkit as "antivirus", or is there something else....


    A few additional questions...

    -I see the server gives output on telnet...
    Should I just shut down telnet....
    I can't think of anything I need it for?
    It just gives away information on the software I'm running on my server, and gives the hacker a head start?
    -Are there any online scanners for testing my server?
    -Is there a limit on how many e-mail addresses one can have under one domain?

    Thanks again for helping me out :D
     
    Last edited: Mar 20, 2006
  4. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    If you want a different message_size_limit, run
    Code:
    postconf -e 'message_size_limit = 20480000'
    , for example, and restart Postfix afterwards.

    It should work for you, but the version numbers have increased; this tutorial is a little bit old.

    Have a look here: http://www.howtoforge.com/faq/1_38_en.html


    I think you mean the telnet client, not the server. The telnet client is ok.

    No.
     
  5. Hagforce

    Hagforce New Member

    Yeah, I messed up :p


    I mean the fact that when I use a machine on the internet with a telnet client and write "telnet myip 80", I get output on my web server version "apache 2.0.54 (fedora)".

    Same with mail and other stuff.

    Doesn't this kind of feedback give hackers an advantage in knowing versions and system?
     
  6. Hagforce

    Hagforce New Member

    I didn't explain what I meant well....

    When I use a telnet client against port 80 on my server it replies
    Code:
    <address>Apache/2.0.54 (Fedora) Server at localhost Port 80</address>
    And on port 25 it replies
    Code:
    www.domain.com ESMTP Postfix
    Port 110
    Code:
    +OK AVG POP3 Proxy Server 7.1.371/7.1.385 [268.2.6/287]
    Isn't this useful information for hackers?
    Is it possible to make my server not reply with this....

    Or am I making no sense now :confused:
     
  7. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    You can configure these services to not show version numbers, but I don't have the exact configuration directives at hand.

    You may find this information in the documentation and the man pages of the programs.
     
  8. Hagforce

    Hagforce New Member

    Ok...

    Found it...

    If anyone else would like to do this:

    SSH to your Fedora box.
    Code:
    nano /etc/httpd/conf/httpd.conf
    Type "ctrl+w" and search for "ServerSignature"
    Edit this to ServerSignature off

    You can also add "ServerTokens ProductOnly" on the line below to show only Apache, not the version.

    Type "ctrl+x" and save your settings.
    Restart Apache
    Code:
    /etc/init.d/httpd restart
    Telnet etc. to your box and check :)
    This should mask server version and services.

    Didn't find anything yet on Postfix, Dovecot, MySQL, ProFTPD and POP3....
    Doesn't seem like port 81 gives out any info
     
    Last edited: Mar 23, 2006
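The version-disclosure check the thread does by hand with telnet, as an added example that is not code from the original posts or from Apache, Postfix or Dovecot. It reads a service greeting (or the Apache error-page footer) and pulls out product and version, so the same script can be run before and after the ServerTokens/ServerSignature change. The sample banners are the strings quoted in this thread plus two constructed ones: the header a hardened Apache returns and Dovecot's default POP3 greeting. Hostnames and ports in the live `grab_banner` helper are whatever you pass in.

```python
"""Which service banners give away product and version?

Added example for this thread; not code from the original posts or from
Apache, Postfix or Dovecot. It does by script what Hagforce did with telnet:
read a greeting (or the Apache error-page footer) and pull out the product and
version. SAMPLE_BANNERS are the strings quoted in the thread plus two
constructed ones (the hardened Apache header and Dovecot's default greeting).
"""
import re
import socket

# Order matters: the first pattern that matches wins. Version groups are
# optional so a hardened banner still yields the product with version None.
BANNER_PATTERNS = [
    # Apache: "Server: Apache/2.0.54 (Fedora)" header or the ServerSignature footer
    re.compile(r"(?P<product>Apache)(?:/(?P<version>[\d.]+))?"),
    # Postfix greeting: "220 host ESMTP Postfix" (version only if smtpd_banner adds it)
    re.compile(r"ESMTP (?P<product>Postfix)(?: \((?P<version>[^)]+)\))?"),
    # Dovecot POP3/IMAP greetings: "+OK Dovecot ready." / "* OK Dovecot ready."
    re.compile(r"(?:\+OK|\* OK) (?P<product>Dovecot)"),
    # Generic "... Server <ver>[/<ver>]" form, e.g. the AVG POP3 proxy seen in the thread
    re.compile(r"\+OK (?P<product>.+?Server) (?P<version>[\d.]+(?:/[\d.]+)?)"),
]

SAMPLE_BANNERS = {
    "http, before": "<address>Apache/2.0.54 (Fedora) Server at localhost Port 80</address>",
    "http, after": "Server: Apache",  # constructed: ServerTokens Prod + ServerSignature Off
    "smtp": "220 www.domain.com ESMTP Postfix",
    "pop3, seen in thread": "+OK AVG POP3 Proxy Server 7.1.371/7.1.385 [268.2.6/287]",
    "pop3, dovecot": "+OK Dovecot ready.",  # constructed: Dovecot's default greeting
}

def classify_banner(text):
    """Return (product, version) for the first matching pattern; version is None
    when the banner names the product only, and (None, None) when unrecognised."""
    for pattern in BANNER_PATTERNS:
        m = pattern.search(text)
        if m:
            return m.group("product"), m.groupdict().get("version")
    return None, None

def disclosure_level(text):
    product, version = classify_banner(text)
    if product is None:
        return "unrecognised"
    return "version disclosed" if version else "product only"

def report(banners):
    """Map each banner name to its disclosure level."""
    return {name: disclosure_level(text) for name, text in banners.items()}

def grab_banner(host, port, probe=b"", timeout=5.0):
    """Live check (needs network): connect, send an optional probe such as
    b"HEAD / HTTP/1.0\\r\\n\\r\\n", and return what the service sends back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if probe:
            sock.sendall(probe)
        data = b""
        try:
            while len(data) < 4096:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass
    return data.decode("latin-1", "replace")

if __name__ == "__main__":
    for name, level in report(SAMPLE_BANNERS).items():
        print(f"{name:<22} {level}")
```

Two notes on what the banners in this thread actually show. Postfix's default smtpd_banner is `$myhostname ESMTP $mail_name`, which is why the port-25 greeting already names the product but no version (`postconf -d smtpd_banner` prints that default). The port-110 banner is from AVG's POP3 proxy, a client-side product that intercepts port 110 on the PC running the mail scanner, so that reply almost certainly came from the workstation running telnet rather than from Dovecot on the server; repeat the check from a machine without AVG. For Apache, `ServerTokens Prod` (the `ProductOnly` spelling in the post is accepted as well) and `ServerSignature Off` are the two directives; `curl -sI http://yourserver/ | grep -i '^Server:'` confirms the result.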
  9. Hagforce

    Hagforce New Member

    After running postconf -e 'message_size_limit = 20480000'
    I get:

    Code:
    [root@www ~]# postconf -d | grep message_size_limit
    message_size_limit = 10240000
    [root@www ~]# postconf -n | grep message_size_limit
    message_size_limit = 20480000
    Which is outgoing/incoming :confused:
     
  10. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    Code:
    postconf -d | grep message_size_limit
    prints the default value,

    Code:
    postconf -n | grep message_size_limit
    your current setting. So the latter prints what is currently effective.
     
  11. Hagforce

    Hagforce New Member

    After getting the logs from logcheck I'm wondering what these attacks are...
    Code:
    Mar 23 00:31:06 www sshd[2320]: Failed password for invalid user soul from 67.104.249.10 port 51704 ssh2
    I haven't got SSH on port 51704, so why does it say failed password?
     
  12. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    Please post the output of
    Code:
    netstat -tap
    Do you have portsentry installed? In that case portsentry detected that login attempt and logged it.
     
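What the sshd line in the question actually says, and how DenyHosts-style tooling turns such lines into a decision, as an added example that is not code from the thread, logcheck or DenyHosts. The "port 51704" in the message is the remote client's source port, which changes on every connection; sshd itself was listening on 22. Grouping failures by source address over a short window is what separates a dictionary attack from a user mistyping a password. The log is constructed: the first line is the one quoted above, the others are modelled on it, and 10.0.0.5 is a made-up address standing in for a legitimate user.

```python
"""Spot SSH password-guessing in sshd log lines (added example; not from the
thread, logcheck or DenyHosts).

The thread's log line has two ports in play: sshd was listening on 22, while
"port 51704" is the attacker's source port, which changes on every connection.
Grouping failures by source IP, as DenyHosts does, is what turns single log
lines into a brute-force signal. SAMPLE_LOG is constructed: the first line is
the one quoted in the thread, the rest are modelled on it, and 10.0.0.5 is a
made-up address for a legitimate user.
"""
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Mar 23 00:31:06 www sshd[2320]: Failed password for invalid user soul from 67.104.249.10 port 51704 ssh2
Mar 23 00:31:09 www sshd[2322]: Failed password for invalid user admin from 67.104.249.10 port 51722 ssh2
Mar 23 00:31:12 www sshd[2324]: Failed password for invalid user test from 67.104.249.10 port 51740 ssh2
Mar 23 00:31:15 www sshd[2326]: Failed password for root from 67.104.249.10 port 51761 ssh2
Mar 23 00:31:18 www sshd[2328]: Failed password for invalid user oracle from 67.104.249.10 port 51783 ssh2
Mar 23 07:12:40 www sshd[2901]: Failed password for hagforce from 10.0.0.5 port 40210 ssh2
Mar 23 07:12:55 www sshd[2903]: Accepted password for hagforce from 10.0.0.5 port 40211 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")

FailedLogin = namedtuple("FailedLogin", "when user ip port invalid_user")

def parse_failed_logins(lines, year=2006):
    """Syslog lines carry no year; 2006 (the thread's date) is assumed."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append(FailedLogin(when, m.group("user"), m.group("ip"),
                                  int(m.group("port")), m.group("invalid") is not None))
    return events

def brute_force_sources(events, threshold=5, window=timedelta(minutes=10)):
    """IPs with at least `threshold` failures inside any `window`; returns ip -> total failures."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e.when)
    hits = {}
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                hits[ip] = len(times)
                break
    return hits

def source_ports(events, ip):
    """Distinct client-side ports one address used: the port in the log is theirs, not sshd's."""
    return sorted({e.port for e in events if e.ip == ip})

def hosts_deny_lines(ips):
    """TCP-wrappers entries in the form DenyHosts writes to /etc/hosts.deny."""
    return [f"sshd: {ip}" for ip in sorted(ips)]

if __name__ == "__main__":
    events = parse_failed_logins(SAMPLE_LOG.splitlines())
    attackers = brute_force_sources(events)
    for ip, n in attackers.items():
        print(f"{ip}: {n} failures from source ports {source_ports(events, ip)}")
    print("\n".join(hosts_deny_lines(attackers)))
```

On the dynamic-address concern raised later in the thread: a permanent entry in /etc/hosts.deny does eventually block an innocent dial-up user who inherits the address, which is why DenyHosts has a PURGE_DENY setting that expires entries after a configured time, and why the window-based threshold above only reacts to bursts rather than to a single failed login.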
  13. Hagforce

    Hagforce New Member

    netstat -tap output:
    Code:
    Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
    tcp        0      0 *:41318                     *:*                         LISTEN      2220/rpc.statd
    tcp        0      0 *:mysql                     *:*                         LISTEN      2572/mysqld
    tcp        0      0 www.xxx.xxx:783              *:*                         LISTEN      2672/spamd.pid
    tcp        0      0 *:sunrpc                    *:*                         LISTEN      2203/portmap
    tcp        0      0 *:81                        *:*                         LISTEN      2898/ispconfig_http
    tcp        0      0 *:ftp                       *:*                         LISTEN      4527/proftpd: (acce
    tcp        0      0 static47.xxx.xx:domain *:*                         LISTEN      26203/named
    tcp        0      0 static49.xxx.xx:domain *:*                         LISTEN      26203/named
    tcp        0      0 static48.xxx.xx:domain *:*                         LISTEN      26203/named
    tcp        0      0 www.xxx.xx:domain           *:*                         LISTEN      26203/named
    tcp        0      0 www.xxx.xx:ipp              *:*                         LISTEN      10121/cupsd
    tcp        0      0 www.xxx.xx:5335             *:*                         LISTEN      2412/mDNSResponder
    tcp        0      0 *:smtp                      *:*                         LISTEN      4706/master
    tcp        0      0 www.xxx.xx:rndc             *:*                         LISTEN      26203/named
    tcp        0      0 static48.xxx.xx:41390 host196.101.vtm-net.ev:http ESTABLISHED 3044/freshclam
    tcp        0      0 *:23314                     *:*                         LISTEN      20893/sshd
    tcp        0      0 *:imaps                     *:*                         LISTEN      2592/dovecot
    tcp        0      0 *:pop3s                     *:*                         LISTEN      2592/dovecot
    tcp        0      0 *:pop3                      *:*                         LISTEN      2592/dovecot
    tcp        0      0 *:imap                      *:*                         LISTEN      2592/dovecot
    tcp        0      0 *:http                      *:*                         LISTEN      13136/httpd
    tcp        0      0 localhost:rndc              *:*                         LISTEN      26203/named
    tcp        0      0 *:https                     *:*                         LISTEN      13136/httpd
    tcp        0    888 static48.xxx.xx:23314 static67.xxx.xxx:63425 ESTABLISHED 25776/0
    
    What's this one?:
    Code:
    tcp        0      0 static48.xxx.xx:41390 host196.101.vtm-net.ev:http ESTABLISHED 3044/freshclam
    Some other info in the logs that got me worried is that this happens every 30 minutes (from logcheck):
    Code:
    Mar 26 00:30:02 www proftpd[5430]: www.xxx.xxx (127.0.0.1[127.0.0.1]) - FTP session opened. 
    Mar 26 00:30:02 www proftpd[5430]: www.xxx.xxx (127.0.0.1[127.0.0.1]) - FTP session closed
    And lots of these (from logcheck):
    Code:
    Mar 25 05:57:45 www named[26203]: unexpected RCODE (REFUSED) resolving '55.165.161.72.in-addr.arpa/PTR/IN': 209.142.136.142#53
    Mar 25 05:57:47 www named[26203]: unexpected RCODE (REFUSED) resolving '55.165.161.72.in-addr.arpa/PTR/IN': 207.230.192.252#53
    Mar 25 09:51:15 www named[26203]: unexpected RCODE (REFUSED) resolving 'rose.man.poznan.pl/A/IN': 150.254.65.7#53
    Mar 25 09:51:15 www named[26203]: unexpected RCODE (REFUSED) resolving 'sunflower.man.poznan.pl/A/IN': 150.254.65.7#53
    Mar 25 09:51:15 www named[26203]: unexpected RCODE (REFUSED) resolving 'sunflower.man.poznan.pl/AAAA/IN': 150.254.65.7#53
    Mar 25 09:51:15 www named[26203]: unexpected RCODE (REFUSED) resolving 'sol.put.poznan.pl/A/IN': 150.254.65.7#53

    Am I hacked, or what is going on here? :confused:

    I installed logcheck and chkrootkit, and set them up with cron to run every night.

    I also changed the SSH port to a non-standard one.

    I haven't installed portsentry yet....
    I'm a bit unsure if it's the right thing for me.
    With dial-up users and DHCP I can't just put addresses in hosts.deny; wouldn't this cause problems?

    Should I install a firewall too, in addition to the one in ISPConfig?
     
    Last edited: Mar 26, 2006
  14. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    That's freshclam. It belongs to ClamAV and updates your virus signatures. Nothing to worry about.

    That's the ISPConfig monitoring script that checks if the important services like web, ftp, etc. are still running. If it finds they aren't, the monitoring script sends you an email.

    It might cause problems if someone gets an IP address that's in /etc/hosts.deny.

    No. You can use one firewall at a time, but not mix several ones.
     
  15. Hagforce

    Hagforce New Member

    Thanks again for your help, falko!

    I can't even begin to describe how much easier your help and howtos have made the change from Windows servers to Linux.

    What about the messages from named... nothing abnormal?
     
  16. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    I haven't seen anything like this before, so I can't say. If your system is able to resolve domains, it should be ok.
     
  17. Hagforce

    Hagforce New Member

    I did a port scan from ISPConfig

    Code:
        Port 21 (tcp) is open (ftp)!
        Port 25 (tcp) is open (smtp)!
        Port 53 (tcp) is open (domain)!
        Port 80 (tcp) is open (http)!
        Port 81 (tcp) is open (unknown)!
        Port 110 (tcp) is open (pop3)!
        Port 111 (tcp) is open (sunrpc)!
        Port 143 (tcp) is open (imap)!
        Port 443 (tcp) is open (https)!
        Port 631 (tcp) is open (ipp)!
        Port 783 (tcp) is open (unknown)!
        Port 953 (tcp) is open (rndc)!
        Port 993 (tcp) is open (imaps)!
        Port 995 (tcp) is open (pop3s)!
        Port 3306 (tcp) is open (mysql)!
        Port 5335 (tcp) is open (unknown)!
        Port 41318 (tcp) is open (unknown)!
        Port 42141 (tcp) is open (unknown)!
        Port 43025 (tcp) is open (unknown)!
    The setup in ISPConfig firewall is:

    Code:
      Name  	  Port  	  Type  	  Active 
      FTP  	  21  	  tcp  	  yes 
      SSH  	  22  	  tcp  	  yes 
      SMTP  	  25  	  tcp  	  yes 
      DNS  	  53  	  tcp  	  yes 
      DNS  	  53  	  udp  	  yes 
      WWW  	  80  	  tcp  	  yes 
      ISPConfig  	  81  	  tcp  	  yes 
      POP3  	  110  	  tcp  	  yes 
      SSL (www)  	  443  	  tcp  	  yes 
    
    Why are all these other ports (that are not configured in the firewall) open :eek:
     
  18. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    You cannot test your firewall with the ISPConfig portscan :) The ISPConfig script that scans the ports is on your server, (inside) the firewall.

    Try to find a port scanner that you can run on your workstation and scan your server from there.
     
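What can be learned from the inside before running that external scan, as an added example that is not ISPConfig's own code. It parses the `netstat -tap` output and the ISPConfig port-scan output posted above, together with the tcp ports marked active in the ISPConfig firewall table, and reports for every listening socket whether it is bound to loopback only, covered by an allow rule, or listening on a port the firewall table never mentions. The service-name table is a small subset of /etc/services embedded so the script runs offline; the hostnames are the masked ones from the post.

```python
"""Listeners vs. firewall allow-list (added example for this thread; not ISPConfig code).
Parses the `netstat -tap` and ISPConfig port-scan output posted in the thread and the
tcp ports from the ISPConfig firewall table; SERVICES is a subset of /etc/services
embedded so this runs offline. Hostnames are the page's masked ones.
"""
import re
from collections import namedtuple

SERVICES = {"ftp": 21, "ssh": 22, "smtp": 25, "domain": 53, "http": 80, "pop3": 110, "sunrpc": 111,
            "imap": 143, "https": 443, "ipp": 631, "rndc": 953, "imaps": 993, "pop3s": 995, "mysql": 3306}
# tcp ports marked active in the ISPConfig firewall table quoted in the thread
ISPCONFIG_ALLOWED = {21, 22, 25, 53, 80, 81, 110, 443}

NETSTAT_SAMPLE = """\
tcp 0 0 *:41318 *:* LISTEN 2220/rpc.statd
tcp 0 0 *:mysql *:* LISTEN 2572/mysqld
tcp 0 0 www.xxx.xxx:783 *:* LISTEN 2672/spamd.pid
tcp 0 0 *:sunrpc *:* LISTEN 2203/portmap
tcp 0 0 *:81 *:* LISTEN 2898/ispconfig_http
tcp 0 0 *:ftp *:* LISTEN 4527/proftpd: (acce
tcp 0 0 static47.xxx.xx:domain *:* LISTEN 26203/named
tcp 0 0 static49.xxx.xx:domain *:* LISTEN 26203/named
tcp 0 0 static48.xxx.xx:domain *:* LISTEN 26203/named
tcp 0 0 www.xxx.xx:domain *:* LISTEN 26203/named
tcp 0 0 www.xxx.xx:ipp *:* LISTEN 10121/cupsd
tcp 0 0 www.xxx.xx:5335 *:* LISTEN 2412/mDNSResponder
tcp 0 0 *:smtp *:* LISTEN 4706/master
tcp 0 0 www.xxx.xx:rndc *:* LISTEN 26203/named
tcp 0 0 static48.xxx.xx:41390 host196.101.vtm-net.ev:http ESTABLISHED 3044/freshclam
tcp 0 0 *:23314 *:* LISTEN 20893/sshd
tcp 0 0 *:imaps *:* LISTEN 2592/dovecot
tcp 0 0 *:pop3s *:* LISTEN 2592/dovecot
tcp 0 0 *:pop3 *:* LISTEN 2592/dovecot
tcp 0 0 *:imap *:* LISTEN 2592/dovecot
tcp 0 0 *:http *:* LISTEN 13136/httpd
tcp 0 0 localhost:rndc *:* LISTEN 26203/named
tcp 0 0 *:https *:* LISTEN 13136/httpd
"""

SCAN_SAMPLE = """\
Port 21 (tcp) is open (ftp)!
Port 25 (tcp) is open (smtp)!
Port 53 (tcp) is open (domain)!
Port 80 (tcp) is open (http)!
Port 81 (tcp) is open (unknown)!
Port 110 (tcp) is open (pop3)!
Port 111 (tcp) is open (sunrpc)!
Port 143 (tcp) is open (imap)!
Port 443 (tcp) is open (https)!
Port 631 (tcp) is open (ipp)!
Port 783 (tcp) is open (unknown)!
Port 953 (tcp) is open (rndc)!
Port 993 (tcp) is open (imaps)!
Port 995 (tcp) is open (pop3s)!
Port 3306 (tcp) is open (mysql)!
Port 5335 (tcp) is open (unknown)!
Port 41318 (tcp) is open (unknown)!
Port 42141 (tcp) is open (unknown)!
Port 43025 (tcp) is open (unknown)!
"""

Listener = namedtuple("Listener", "port bind program status")

def port_number(token):
    """'mysql' -> 3306, '41318' -> 41318."""
    return int(token) if token.isdigit() else SERVICES[token]

def parse_listeners(netstat_text):
    """(port, bind address, program) for every tcp socket in LISTEN state."""
    out = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 7 or f[0] != "tcp" or f[5] != "LISTEN":
            continue
        host, port = f[3].rsplit(":", 1)
        out.append((port_number(port), host, f[6].split("/", 1)[-1].rstrip(":")))
    return out

def exposure_report(netstat_text, allowed):
    """Tag each listener: loopback only, allowed by firewall, or no allow rule."""
    report = []
    for port, host, program in parse_listeners(netstat_text):
        if host in ("localhost", "127.0.0.1"):
            status = "loopback only"
        elif port in allowed:
            status = "allowed by firewall"
        else:
            status = "listening, no allow rule"
        report.append(Listener(port, host, program, status))
    return report

def unexpected_listeners(netstat_text, allowed):
    return sorted({l.port for l in exposure_report(netstat_text, allowed)
                   if l.status == "listening, no allow rule"})

def scan_not_in_allowlist(scan_text, allowed):
    """Open ports from the (inside-the-firewall) ISPConfig scan that have no allow rule."""
    found = {int(m.group(1)) for m in re.finditer(r"Port (\d+) \(tcp\) is open", scan_text)}
    return sorted(found - allowed)
```

Run `exposure_report(NETSTAT_SAMPLE, ISPCONFIG_ALLOWED)` and two things stand out in the thread's own data. sshd listens on 23314 (the non-standard port chosen in post 13) while the firewall table still allows 22, so either the rule needs updating or, if SSH on 23314 works from outside anyway, the firewall is not filtering at all. And rpc.statd, portmap, mysqld, cupsd, mDNSResponder, dovecot's IMAP/POP3s and named's rndc socket on the public address are all listening without an allow rule; if they are not needed remotely, stop the service or bind it to 127.0.0.1 (MySQL's `bind-address`, for instance) rather than rely on the firewall alone. None of this replaces till's advice: only a scan from another host, such as `nmap -p 1-65535 yourserver` from the workstation, shows what the firewall really lets through.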
