
IP tables or SELinux

Status
Not open for further replies.

kzn

MIS
Jan 28, 2005
209
GB
Hi, I am new to Linux. I would like to set up my own LAMP server for my little site, which runs PHP and a MySQL database. I have purchased a few books on LAMP; one is good (by Eric Rosebrock) but old material, the other not so good. I need to tie down my security policy and I am not sure what I should be using, iptables or SELinux. I have also seen a product called Squid proxy which seems to cater for websites. Any advice or build docs appreciated. Thank you
 
Welcome to the world of Linux Security, one that is about as twisted and complex as a fun house full of mirrors.

The first question you need to ask yourself is what are you trying to protect against? The second thing you need to do is recognize that security is a process and a set of actions, and while there are tools, such as iptables and SELinux, that can help, these tools don't make you inherently more secure. The third thing to consider is that you need to apply a layered approach to your security.

Starting with the first question, what are you trying to protect against? You mention wanting to run a LAMP server, which implies Apache, PHP, and MySQL. At the most basic level, you will want to address the users and permissions structure for your web site files. For example, Apache will run as a non-privileged user that can't do much beyond read these files. You can then have the files owned by root, which means that a cracker would need to gain root access to be able to modify them. You also need to be careful about how you configure the SQL user for the web pages and set the permissions appropriately. For example, allow that user to do SELECT statements only. PHP by itself is rather secure, but it can be used to great detriment, especially when coupled with a SQL backend. You need to make sure the code is written in such a way as to not allow things like cross-site scripting and SQL injection.

Squid Proxy is usually used on a gateway box to control access on outbound web sites. Unless you have multiple users that you want to govern behind such a proxy, I am not certain how much benefit it would provide you.

iptables is the firewall application that is built into Linux. By default, Linux does not have any open ports. Of course this changes the moment you add server functions, such as Apache or SQL. The primary use of iptables should be thought of as a security blanket wrapping around your system that keeps you from performing unintended actions. For example, if you use iptables to only open port 80 for your website, and then experiment with BIND, you won't inadvertently open port 53 to the world as it will be blocked by iptables. You can also perform some really advanced functions with it, such as rate limiting connections, only allowing connections from specified hosts, etc.

SELinux and its cousin AppArmor work a little differently. These programs extend the file permissions scheme built into Linux and are used primarily on sensitive and configuration directories. You can specify, for example, that the BIND application has permission to write to the /var/lib/bind folder where the journal databases are updated.

Each application that you install will have its own vulnerabilities and methods to secure it. Are you planning on running SSH for remote access? If so, you will want to take steps like turning off root login and only allowing key-based authentication (no passwords). You can then use an application like fail2ban to watch for erroneous connection attempts and cut them off.

One of the most important things you can do is monitor your log files and keep aware of the system performance. Normally, if you become compromised there will be an indication, typically in the logs. Crackers usually try to delete these logs, so if possible it is best to log to a remote location where they can't be deleted. There are tools to help with this such as logwatch, which will analyze the logs.

You can also look into network-based (sniffing) and host-based intrusion detection systems. Network-based intrusion detection, like Snort, will analyze the traffic on your network and generate alerts regarding suspicious activity. Host-based intrusion detection systems, like OSSEC, AIDE, and Samhain, help by monitoring the configuration files and watching for other system anomalies, and will alert you to their presence.

The above is by no means a guide to how to secure your system, but it does present some of the things you should think about. If anything, the takeaway items should be that security is a continuous process of you monitoring your system and that using tools is something that is applied in layers.

Here is a link to one of the most comprehensive lists of Linux security material that I am aware of. It would be a good place to research and contains enough information to keep you busy for quite a while.
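The "security blanket" idea from the reply above, written out as an added example (this is not code from the original post): a default-deny iptables policy for a LAMP host in iptables-restore format. It admits only the services the thread talks about running (HTTP, HTTPS, mail), restricts SSH to an administrative network with a simple brute-force brake, and logs what it drops. Anything you later experiment with, such as BIND on port 53, stays closed until you deliberately add a rule. The admin network 203.0.113.0/24 is a documentation-range placeholder I chose for the example; replace it with your own address. The rule generator is kept separate from the apply step so the policy can be reviewed or checked before it is loaded.

```shell
#!/bin/sh
# Added example, not from the original thread: default-deny iptables policy for a
# LAMP host. Generated in iptables-restore format so it can be reviewed first.
#
# Assumption (constructed for the example): ADMIN_NET is a placeholder network
# from the documentation range; set it to the address you administer from.
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"

# Print the ruleset. Lines starting with '#' are ignored by iptables-restore.
lamp_firewall_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and traffic belonging to connections we already accepted
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ping, rate limited
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
# services this host actually offers (web and mail, per the thread)
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
# SSH only from the admin network; more than 3 new connections/minute get dropped
-A INPUT -p tcp --dport 22 -s ${ADMIN_NET} -m conntrack --ctstate NEW -m recent --name ssh --set
-A INPUT -p tcp --dport 22 -s ${ADMIN_NET} -m conntrack --ctstate NEW -m recent --name ssh --update --seconds 60 --hitcount 4 -j DROP
-A INPUT -p tcp --dport 22 -s ${ADMIN_NET} -m conntrack --ctstate NEW -j ACCEPT
# log what is about to hit the DROP policy (rate limited so logs cannot be flooded)
-A INPUT -m limit --limit 10/minute -j LOG --log-prefix "iptables-drop: " --log-level 4
COMMIT
EOF
}

# Self-check: does the generated policy accept new TCP connections on a port?
# Use it to confirm an experiment (e.g. BIND on 53) has not been exposed.
lamp_firewall_opens_tcp() {
    lamp_firewall_rules | grep -q -- "-p tcp --dport $1 .*-j ACCEPT"
}

# Load the policy atomically; replaces the whole filter table. Needs root.
apply_lamp_firewall() {
    lamp_firewall_rules | iptables-restore
}

# Usage: review with 'sh lamp-fw.sh', load with 'APPLY=1 sh lamp-fw.sh'.
if [ "${APPLY:-0}" = 1 ]; then
    apply_lamp_firewall
else
    lamp_firewall_rules
fi
```

Run it without `APPLY=1` first and read the output; once loaded, `iptables -L -n -v` shows the same rules with packet counters, and on CentOS `service iptables save` persists them across reboots.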
 
Hi Noway2

Thanks very much for the reply. I plan to allow mail, HTTP and HTTPS traffic. DNS I think can be handled by the hosting company, unless someone can tell me it's better to run my own DNS/BIND server. By the way, I am setting this up on a VMware server so I could make a few more hosts on it.

I am using the latest version of CentOS and have installed it with the basics ... no X Window etc. I am aware of SQL injection and hopefully should have this covered; it's mainly the server side I am worried about .. I just don't want to get hacked. I fully understand it is a continuous process and I aim to make it as hard as possible for someone to hack in. Due to the fact I don't know much about it, I feel like a kindergarten kid up against Mike Tyson.

So from what you have mentioned, I will use SELinux and iptables. As for Squid, not sure about that, and due to the fact I am making a dynamic site I can't really see a benefit.

Thanks very much for your posting. :)
 
It sounds to me like you are already on the right track and you have the right ideas. Believe it or not, you are already way ahead in the game compared to many. Using iptables and SELinux are good moves. Personally, based upon experience, I would recommend using OSSEC (it is very easy to install and use), which will help alert you to changes in your system. BTW, I think if you were to become compromised, there is a good possibility that you would get alerted that something changed.

If you do use SSH, be sure to protect it with key-based authentication. This is one of the areas that will be targeted. Using your ISP's, or another public DNS, is fine. There is really no reason to run your own DNS, unless you want to (I do for the geek factor). Believe it or not, using the latest versions and keeping up to date on the security patches is one of the number one things that you can do to help prevent intrusion.

Running under VMware is a good move, especially if you are starting out with the process. It makes it easy to try new things. Mail servers are a whole other matter. They are not easy to set up, but are a very rewarding experience to run. The big thing with them is to not operate as an open relay, which doesn't typically happen unless you do something really stupid.

I also think running without X and without a GUI is a good way to go for several reasons: 1 - it consumes fewer resources, leaving more performance to your system; 2 - it leaves fewer possible avenues of exploit; 3 - it forces you to learn the command line interface, which is by far the most efficient and powerful means of working with the system. I would even go as far as to say mastering the command line is a form of Zen.

Personally, I think you will be fine. Your knowledge will increase over time, as will your security requirements. Unfortunately, there are no shortcuts, but as your needs increase, so will your understanding. Keep reading and keep learning. If you have any questions, by all means post them. Both Tek-Tips and the forum from which I posted the security questions are excellent sites.
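Both replies come back to the same two SSH rules: no root login and key-only authentication. The script below is an added example (not from either poster) that audits an sshd_config against those rules and exits non-zero if anything is off, so it can run from cron or after every edit. It reads the effective value the way sshd does (first matching directive wins, names are case-insensitive) and treats an unset directive as a finding, because the compiled-in defaults have changed between OpenSSH releases and an explicit setting is what you can review. The two sample configs it ships with are constructed for the example; the file path is a parameter.

```shell
#!/bin/sh
# Added example, not from the original thread: check sshd_config for the two
# settings recommended above (root login off, key-only authentication).

# Effective value of a directive: sshd takes the first match and ignores case.
# Commented-out lines ('#PermitRootLogin no') do not count, which is a common
# mistake when hardening a stock config.
sshd_get() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print tolower($2); exit }' "$1"
}

# Compare one directive with the required value; print a finding if it differs.
sshd_expect() {
    file=$1; key=$2; want=$3
    have=$(sshd_get "$file" "$key")
    if [ "$have" != "$want" ]; then
        printf '%s: %s is "%s", expected "%s"\n' \
            "$file" "$key" "${have:-unset (default)}" "$want"
        return 1
    fi
}

# Run every check, findings to stderr, and print the number of findings.
sshd_audit_count() {
    file=$1; findings=0
    for pair in PermitRootLogin=no PasswordAuthentication=no \
                PubkeyAuthentication=yes ChallengeResponseAuthentication=no; do
        sshd_expect "$file" "${pair%=*}" "${pair#*=}" >&2 || findings=$((findings+1))
    done
    echo "$findings"
}

# Constructed sample: looks hardened at a glance, but the root-login line is
# still commented out and passwords are still accepted.
write_sample_weak() {
    cat > "$1" <<'EOF'
# sshd_config (constructed sample)
Port 22
#PermitRootLogin no
PasswordAuthentication yes
PubkeyAuthentication yes
EOF
}

# Constructed sample: what the audit expects to see.
write_sample_hardened() {
    cat > "$1" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
EOF
}

# Usage: SSHD_CONFIG=/etc/ssh/sshd_config sh sshd-audit.sh ; exit 1 if findings.
if [ -n "${SSHD_CONFIG:-}" ]; then
    n=$(sshd_audit_count "$SSHD_CONFIG")
    [ "$n" -eq 0 ]
fi
```

After fixing any finding, reload sshd and confirm from a second terminal before closing the one you are in; with password authentication off, a missing public key in `~/.ssh/authorized_keys` locks you out rather than falling back. Pair this with fail2ban, as the first reply suggests, so that the attempts you still see in the logs are cut off automatically.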
 