I'm setting up my first LAMP server on Debian Linux (Lenny). I'm a complete newb, so please forgive my ignorance.
I'm trying to secure the server and have just removed all unneeded open ports using the netstat output. I've got it down to just 2 open ports, which are the http and mysql ports.
If I only have these two ports open, does that mean they're the only two through which someone/something can launch an attack on my machine? Do I need to set a firewall up if these are the only two open ports? Obviously in the future I will be needing to open other ports for stuff like ssh etc.
Thanks
-
do you really need remote mysql access? maybe you can limit it a bit, or maybe mysql access over localhost/loopback is enough?
did you limit OUTGOING connections? even if you end up with some vulnerable software, limiting outgoing connections will help you hinder the downloading of a potentially harmful payload.
suggested rules:
    # run as root, from the console rather than over ssh: the DROP policies
    # are set before any ACCEPT rule exists, so a remote session is cut off
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -F
    # keep replies to connections the box already has, and everything on loopback
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    # http from anywhere, ssh only from a single trusted address
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 -s your.trusted.ip.address -j ACCEPT
    # outgoing: only replies to existing connections and loopback
    iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

when you need to run system updates:

    # inserted at the top of OUTPUT, so it wins over the DROP policy
    iptables -I OUTPUT -j ACCEPT

when it's done:

    iptables -D OUTPUT -j ACCEPT

elduderino : I was unaware that the mysql one was for remote access. No, I don't need that either in that case. I'm not sure how to make netstat output outgoing connections. I'm currently using netstat -plunt to show me the ports and the app using the port. Do I need a different command to show outgoing?
pQd : well - you should know exactly what outgoing connections you allow. so - probably you want to allow those going to your dns server [for some dns/rev dns lookups], you probably would like to allow ftp/http connections to your debian update servers, maybe something to your smtp relay host... and not much more. obviously you want to allow established,related connections.
elduderino : Ok great. So how do I get netstat to show outgoing connections? I can't seem to find details of what command I need to add to get it to show outgoing connections.
pQd : netstat -an should show them, alternatively just run tcpdump and analyze the output.
elduderino : Ok I did that. It shows 2 active internet connections (httpd and mysql) and then about 100 entries under active UNIX domain sockets. On googling this I've found out that these are 'sockets' between applications on the same machine. So I need not worry about these as they're not outgoing connections? Does this mean I only have 2 outgoing connections?
pQd : paste whatever you have there..
elduderino : Do you mean paste the output of netstat -an? I can't, as the character limit on this textarea won't let me!
pQd : oh man, use http://pastebin.com/ or something similar.
elduderino : OK. Sorry to be a pain: http://pastebin.com/kZyfnHsk
pQd : ok.. refuse all incoming connections except http. allow all traffic via lo [loopback]. probably you also want to allow limited ssh connectivity; drop all outgoing connections except established, related.
elduderino : Great, thanks pQd!
From pQd -
It's something to consider.
Having a firewall in place either on that box or before it can be useful down the line. What if you want to ban an abusive user from your service? Instead of worrying about implementing that in your app, you can just do it with iptables. Same with SYN flood prevention.
What about bandwidth rate limiting? That could also come in handy down the road.
Finally, don't forget about some of the redirect tricks that you can pull off if you decide to put a proxy in between your users and your web server.
From Michael Gorsuch
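A complete ruleset covering both answers above, as an added example that is not part of the original thread: pQd's default-deny policy on INPUT and OUTPUT with a hole that is only opened while Debian updates run, plus the per-IP ban and the SYN rate limit Michael mentions. It writes the rules in iptables-restore format and loads them in one atomic step, so the box never sits with the DROP policies in force and no ACCEPT rules yet. The trusted ssh address, the resolver and the mirror address are placeholders from the documentation ranges and are assumptions; the mirror has to be given as an IP because, with OUTPUT otherwise closed, apt cannot reach a mirror the firewall does not already know about.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates an iptables ruleset
# in iptables-restore format and loads it atomically, instead of running one
# "iptables -A" at a time with the DROP policies already in force.
# All addresses below are placeholders from the RFC 5737 documentation ranges.

TRUSTED_SSH_IP="${TRUSTED_SSH_IP:-203.0.113.10}"  # assumption: the one address ssh is allowed from
DNS_SERVER="${DNS_SERVER:-192.0.2.53}"            # assumption: the resolver from /etc/resolv.conf
MIRROR_IP="${MIRROR_IP:-198.51.100.7}"            # assumption: your Debian mirror, resolved once
BANNED_IPS="${BANNED_IPS:-}"                      # space-separated abusive hosts to drop; may be empty

# gen_ruleset [updates]
# Prints the ruleset on stdout. With "updates" as the first argument it also
# opens outgoing ftp/http to the mirror so apt can fetch packages.
gen_ruleset() {
    allow_updates="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:BANNED - [0:0]
EOF
    # Banned hosts get their own chain, consulted before the ESTABLISHED rule,
    # so an abuser's already-open connections are cut as well as new ones.
    for ip in $BANNED_IPS; do
        echo "-A BANNED -s $ip -j DROP"
    done
    cat <<EOF
-A INPUT -j BANNED
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    # Only a SYN can open a new http connection; beyond ~25 new connections/s
    # the surplus SYNs fall through to the DROP policy, which blunts a SYN flood.
    cat <<EOF
-A INPUT -p tcp --dport 80 --syn -m limit --limit 25/second --limit-burst 100 -j ACCEPT
-A INPUT -p tcp --dport 22 -s $TRUSTED_SSH_IP -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp -d $DNS_SERVER --dport 53 -j ACCEPT
-A OUTPUT -p tcp -d $DNS_SERVER --dport 53 -j ACCEPT
EOF
    if [ "$allow_updates" = "updates" ]; then
        echo "-A OUTPUT -p tcp -d $MIRROR_IP -m multiport --dports 21,80 -j ACCEPT"
    fi
    echo "COMMIT"
}

# apply_ruleset [updates]: loads the generated ruleset in one shot; needs root.
apply_ruleset() {
    gen_ruleset "$1" | iptables-restore
}

# Usage (as root):
#   sh firewall.sh show            print the ruleset without touching anything
#   sh firewall.sh apply           base policy
#   sh firewall.sh apply updates   then apt-get update && apt-get upgrade, then "apply" again
#   BANNED_IPS="192.0.2.99" sh firewall.sh apply
case "${1:-}" in
    show)  gen_ruleset "${2:-}" ;;
    apply) apply_ruleset "${2:-}" ;;
esac
```

Two caveats before using this on a real box. The ssh rule is the only thing that keeps a remote session alive after "apply", so run it from the console the first time and confirm you can still log in from the trusted address. The per-port SYN limit is a blunt instrument: it is one counter for everyone, so a flood also throttles legitimate visitors; it buys time rather than solving the problem, and the kernel's own SYN cookies are the first line of defence.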