Linux security for newbies
Posted: Wed Aug 22, 2012 11:21 am
Let's face it, many of us want an internet presence but have almost no clue about how to keep their internet "real-estate" secure.
We all heard of hackers and they seem something inevitable, only luck can keep them away etc. Trusting your luck is not a good policy in any area, being informed and proactive is a generally good strategy.
It has been said that if you don't know linux or how to secure your server you should stay with Windows and shared hosting...
Staying with Windows is WORSE than with Linux securitywise. Windows is hacked even at home behind firewalls and hordes of zombies (captured windows machines controlled by hackers without the owner's knowledge) are proving this every day sending DDoS, probing for security holes, being spam machines and proxies that criminals use to hide their identity, etc.
As with shared hosting, one careless user can expose the database and the whole server in cases.
Nothing is certain, of course, but the chances to be hit by a truck if you are looking when you cross the street are much smaller than if you are not looking and listening music at full volume or talking on the phone.
This article is gonna be long, this is the first part with basic explanations, and at the end there will be the steps anyone can take to secure their Linux VPS even if they are not experienced sysadmins.
Services and ports
Once you have a machine on the net with a public IP all it's ports are visible from the internet. Think of ports like the apartments in a block, from 1-65535 are available for any IP address which is like your street address. That is a huge number, agreed, but very few are actually used, meaning the vast majority of the apartments have a locked door from day one and it is highly unlikely anyone will move there.
There are, on the other hand, some that have to be used, otherwise it is meaningless to have an internet presence, what is the use for a large building if the main door is locked and nobody lives there ? Only to pay taxes and rent ?
So, at least one port must be open, the one you connect from the internet, the ssh port. When you open putty and connect, you are connecting to a port, usually port 22. This is like the administration for the building, you must have access to the administration if you want to do anything with it. You can also use it for other purposes, such as proxy/vpn, but the main use is to control the machine.
Depending on what we want to do with our machine/building, there must be other ports/doors accessible from the internet.
For example, this board is hosted on a VPS that uses a webserver to deliver the contents to your browser. This is running on port/apartment 80.
When you type board.prometeus.net, your browser (internet explorer, mozilla, chrome, safari, etc) assumes you are going to the port/apartment number 80, because that is the location of a webserver and this is what browsers are used for, to connect to webservers, mainly. If port 80 on this machine will be blocked, the browser will knock on the door and if nobody answers will tell you the tenant at that address cannot be found. Whether it is so all the time or just gone in a vacation, your browser doesn't know.
So, in order for this board to work, there must be a webserver at port 80 and the port 80 must not be blocked (door locked).
We already have 2 ports and 2 services listening to external connections. Like the tenant is there and hears the doorbell and goes opening no matter who is out there (browser for port 80) or asks for the password before opening (ssh on port 22).
Once they opened the door, the dialog starts. Like the visitor says to the webserver (notice the word server) give me the page about security and as long as it knows the link (from other boards or wherever it got it from) the webserver will not ask any questions, just hand out the data. If, on the other hand, the visitor wants to write something here (post something) the webserver will give the authentication page instead, because this is how it's reactions are scripted in the code of the page. Visitors cannot post if not authenticated.
Ssh, on the other hand, will only ask for password (or key) if someone knocks on the door, as long as the password is not correct, will not do anything else, even more, depending on the configuration file it has, after a number of bad passwords will kick the visitor in the street so they will have to come back and start over. Even more, if the configuration says so, the ssh in flat 22 will call the concierge and demand that visitor such and such will not be allowed on the main door under any circumstances (IP banned).
Now, lets take the 2 cases of an automated hacker attack. Drones looking like humans, knock on doors and try various passwords (ssh) or try to obtain from the webserver on port 80 the keys of all flats in the building, instead of just the regular pages it should give them.
In the case of SSH, there is not much else to do, just try passwords over and over again. If we told ssh to call the police and lock the door after a number of failed attempts, there has to be another drone to try them and it is not practical as the hacker must have many drones and a script to keep track of which drone visited already and send another all the time. Also, if our ssh is, instead, in another flat, our drone won't start knocking on all doors till someone asks for the password, will simply give up most of the time.
That is the normal cases when we took some security countermeasures. If, instead, we put password for root user such as root or toor or bob or 12345678, then chances are the drones will tell the correct password from their list of mostly used passwords by people which do not care about security or have no clue about how a password should look like. In this case, the drone will report home they managed to pass as the rightful owner and SSH gave them the keys from all the building, including the ones from the control panel of utilities and they practically control the whole building. The drone owner (hacker) will then proceed to make a drone factory in our building and send them around to find more poorly protected buildings and also use this one for other malicious purposes, such as selling it's bandwidth for DDoS, hosting child porn or phishing sites to steal passwords and money, or sending spam, anything to make a buck while police will look for the owner and the host will shut you down because you are too irresponsible to own some real estate on the internet. If, however, our password is something like MyPa$$_Vvord/Excel/2012, there is no chance in hell any drone will have that on their list, so won't be able to enter in the first place. If, also, we use a tool called fail2ban (the red line to the concierge to tell it to keep out such and such visitor after a failed number of passwords) then the drone has even less chances because his tries are limited to a handful before is kicked. If, also, the ssh port is not the usual 22, but something else, like 22022, 12322, 64133, or any other combination, the drone will usually give up when nobody will answer the number 22 door. We can also allow only someone coming from a certain address to enter the building, like only your IP at home or from another VPS will have even the chance to knock on the door, all the others will be stopped in the hall.
See ? It is not so hard to defend against brute force attempts (trying passwords at random).
Let's see how to defend against other attacks, such as those on certain services, like the webserver on port 80.
Suppose a browser or someone pretending to be a browser comes to our number 80 door and asks something unintelligible, like give me SELECT FROM TABLE row,column INSERT X VALUE or something along those lines. A very old and partially deaf tenant will probably try his best to do his job and do what the visitor asked and this might be changing the password from the forum's database to allow the hacker to read/modify it, so visitors to this forum will be redirected to his malicious sites to infect them with some virus and take over their computer. Or simply ask for the file containing the password directly.
A young and trained webserver will know better than comply with such requests and will simply give the standard answer 404-not found, or 302-forbidden sending them on their way and also keep a diary (log) about that malicious visitor so the owner will know and contact their host/isp or send police on their tracks. Unfortunately, that is another poor victim of bad password/old software used by the hacker and not the hacker address itself.
How does this translate in our case ? It means we need to keep our services (in this case the webserver) which are exposed to the internet up to date so the hackers will not be able to use known methods of social engineering or simply the force to knock down the service and do what they please with the site and, at times, with the whole server.
Firewalls
A firewall is nothing more than a special lock that verifies the visitor to comply with some criteria before allowing access. For example, it can limit the number of connections to some ports (so a spammer won't be able to send more than x mails a minute/hour, etc, for instance), can verify if the visitor comes from a few selected addresses and only then allow them in, can verify if the visitor comes from another number of addresses and deny their access and let everyone else in (for example block a known list of spammers/abusers/hacked computers), can block certain IPs after the services they tried to access told it so. It is the equivalent of the concierge or doorman at the main gate. it can also have complex rules like: If the visitor is not from x address, is looking for port(door) xxxxx and has not been connecting for more than x times before, let it in. Failing any of the checks blocks the access.
When is a firewall needed ?
Whenever we need special and complex access rules. Each service can be configured to block certain IPs, interfaces, only listen to certain type of packets, but if we want really complex things which our services configuration files do not support, we need a firewall.
We DO NOT need a firewall in most cases. For example, we only have ssh and HTTP (webserver) active (doors 22 and 80). These can be configured to deny/allow easy from their internal configuration files, but if we have tens of services and ALL must deny access to certain ranges of IPs (for example block a whole country) then it is easier to do this in the firewall, at the main door.
If we have just a few services, we keep them updated regularly from the official repositories of our Linux maker, we don't have to put up a firewall, it inserts another SPOF (single point of failure), if you misconfigure it you can block everyone out, including yourself, inserts more lag (tho minimal) and uses some resources (tho, also minimal).
The next part of this tutorial will present you the practical means to achieve security, with command examples and software usage.
Admin
We all heard of hackers and they seem something inevitable, only luck can keep them away etc. Trusting your luck is not a good policy in any area, being informed and proactive is a generally good strategy.
It has been said that if you don't know linux or how to secure your server you should stay with Windows and shared hosting...
Staying with Windows is WORSE than with Linux securitywise. Windows is hacked even at home behind firewalls and hordes of zombies (captured windows machines controlled by hackers without the owner's knowledge) are proving this every day sending DDoS, probing for security holes, being spam machines and proxies that criminals use to hide their identity, etc.
As with shared hosting, one careless user can expose the database and the whole server in cases.
Nothing is certain, of course, but the chances to be hit by a truck if you are looking when you cross the street are much smaller than if you are not looking and listening music at full volume or talking on the phone.
This article is gonna be long, this is the first part with basic explanations, and at the end there will be the steps anyone can take to secure their Linux VPS even if they are not experienced sysadmins.
Services and ports
Once you have a machine on the net with a public IP all it's ports are visible from the internet. Think of ports like the apartments in a block, from 1-65535 are available for any IP address which is like your street address. That is a huge number, agreed, but very few are actually used, meaning the vast majority of the apartments have a locked door from day one and it is highly unlikely anyone will move there.
There are, on the other hand, some that have to be used, otherwise it is meaningless to have an internet presence, what is the use for a large building if the main door is locked and nobody lives there ? Only to pay taxes and rent ?
So, at least one port must be open, the one you connect from the internet, the ssh port. When you open putty and connect, you are connecting to a port, usually port 22. This is like the administration for the building, you must have access to the administration if you want to do anything with it. You can also use it for other purposes, such as proxy/vpn, but the main use is to control the machine.
Depending on what we want to do with our machine/building, there must be other ports/doors accessible from the internet.
For example, this board is hosted on a VPS that uses a webserver to deliver the contents to your browser. This is running on port/apartment 80.
When you type board.prometeus.net, your browser (internet explorer, mozilla, chrome, safari, etc) assumes you are going to the port/apartment number 80, because that is the location of a webserver and this is what browsers are used for, to connect to webservers, mainly. If port 80 on this machine will be blocked, the browser will knock on the door and if nobody answers will tell you the tenant at that address cannot be found. Whether it is so all the time or just gone in a vacation, your browser doesn't know.
So, in order for this board to work, there must be a webserver at port 80 and the port 80 must not be blocked (door locked).
We already have 2 ports and 2 services listening to external connections. Like the tenant is there and hears the doorbell and goes opening no matter who is out there (browser for port 80) or asks for the password before opening (ssh on port 22).
Once they opened the door, the dialog starts. Like the visitor says to the webserver (notice the word server) give me the page about security and as long as it knows the link (from other boards or wherever it got it from) the webserver will not ask any questions, just hand out the data. If, on the other hand, the visitor wants to write something here (post something) the webserver will give the authentication page instead, because this is how it's reactions are scripted in the code of the page. Visitors cannot post if not authenticated.
Ssh, on the other hand, will only ask for password (or key) if someone knocks on the door, as long as the password is not correct, will not do anything else, even more, depending on the configuration file it has, after a number of bad passwords will kick the visitor in the street so they will have to come back and start over. Even more, if the configuration says so, the ssh in flat 22 will call the concierge and demand that visitor such and such will not be allowed on the main door under any circumstances (IP banned).
Now, lets take the 2 cases of an automated hacker attack. Drones looking like humans, knock on doors and try various passwords (ssh) or try to obtain from the webserver on port 80 the keys of all flats in the building, instead of just the regular pages it should give them.
In the case of SSH, there is not much else to do, just try passwords over and over again. If we told ssh to call the police and lock the door after a number of failed attempts, there has to be another drone to try them and it is not practical as the hacker must have many drones and a script to keep track of which drone visited already and send another all the time. Also, if our ssh is, instead, in another flat, our drone won't start knocking on all doors till someone asks for the password, will simply give up most of the time.
That is the normal cases when we took some security countermeasures. If, instead, we put password for root user such as root or toor or bob or 12345678, then chances are the drones will tell the correct password from their list of mostly used passwords by people which do not care about security or have no clue about how a password should look like. In this case, the drone will report home they managed to pass as the rightful owner and SSH gave them the keys from all the building, including the ones from the control panel of utilities and they practically control the whole building. The drone owner (hacker) will then proceed to make a drone factory in our building and send them around to find more poorly protected buildings and also use this one for other malicious purposes, such as selling it's bandwidth for DDoS, hosting child porn or phishing sites to steal passwords and money, or sending spam, anything to make a buck while police will look for the owner and the host will shut you down because you are too irresponsible to own some real estate on the internet. If, however, our password is something like MyPa$$_Vvord/Excel/2012, there is no chance in hell any drone will have that on their list, so won't be able to enter in the first place. If, also, we use a tool called fail2ban (the red line to the concierge to tell it to keep out such and such visitor after a failed number of passwords) then the drone has even less chances because his tries are limited to a handful before is kicked. If, also, the ssh port is not the usual 22, but something else, like 22022, 12322, 64133, or any other combination, the drone will usually give up when nobody will answer the number 22 door. We can also allow only someone coming from a certain address to enter the building, like only your IP at home or from another VPS will have even the chance to knock on the door, all the others will be stopped in the hall.
See ? It is not so hard to defend against brute force attempts (trying passwords at random).
Let's see how to defend against other attacks, such as those on certain services, like the webserver on port 80.
Suppose a browser or someone pretending to be a browser comes to our number 80 door and asks something unintelligible, like give me SELECT FROM TABLE row,column INSERT X VALUE or something along those lines. A very old and partially deaf tenant will probably try his best to do his job and do what the visitor asked and this might be changing the password from the forum's database to allow the hacker to read/modify it, so visitors to this forum will be redirected to his malicious sites to infect them with some virus and take over their computer. Or simply ask for the file containing the password directly.
A young and trained webserver will know better than comply with such requests and will simply give the standard answer 404-not found, or 302-forbidden sending them on their way and also keep a diary (log) about that malicious visitor so the owner will know and contact their host/isp or send police on their tracks. Unfortunately, that is another poor victim of bad password/old software used by the hacker and not the hacker address itself.
How does this translate in our case ? It means we need to keep our services (in this case the webserver) which are exposed to the internet up to date so the hackers will not be able to use known methods of social engineering or simply the force to knock down the service and do what they please with the site and, at times, with the whole server.
Firewalls
A firewall is nothing more than a special lock that verifies the visitor to comply with some criteria before allowing access. For example, it can limit the number of connections to some ports (so a spammer won't be able to send more than x mails a minute/hour, etc, for instance), can verify if the visitor comes from a few selected addresses and only then allow them in, can verify if the visitor comes from another number of addresses and deny their access and let everyone else in (for example block a known list of spammers/abusers/hacked computers), can block certain IPs after the services they tried to access told it so. It is the equivalent of the concierge or doorman at the main gate. it can also have complex rules like: If the visitor is not from x address, is looking for port(door) xxxxx and has not been connecting for more than x times before, let it in. Failing any of the checks blocks the access.
When is a firewall needed ?
Whenever we need special and complex access rules. Each service can be configured to block certain IPs, interfaces, only listen to certain type of packets, but if we want really complex things which our services configuration files do not support, we need a firewall.
We DO NOT need a firewall in most cases. For example, we only have ssh and HTTP (webserver) active (doors 22 and 80). These can be configured to deny/allow easy from their internal configuration files, but if we have tens of services and ALL must deny access to certain ranges of IPs (for example block a whole country) then it is easier to do this in the firewall, at the main door.
If we have just a few services, we keep them updated regularly from the official repositories of our Linux maker, we don't have to put up a firewall, it inserts another SPOF (single point of failure), if you misconfigure it you can block everyone out, including yourself, inserts more lag (tho minimal) and uses some resources (tho, also minimal).
The next part of this tutorial will present you the practical means to achieve security, with command examples and software usage.
Admin