Basic Security

From SysadminWiki

Table of contents

File Systems and Partitions

Firewalls

Host-based Intrusion Detection System - HIDS

OSSEC (http://www.ossec.net/). Client/server over a secure channel, very simple to set up; it understands SSH and GridFTP attacks, web scanning, MySQL errors, Snort alerts, iptables messages, etc. It also offers a web interface (http://www.ossec.net/wiki/index.php/OSSECWUI).

For instance, OSSEC easily recognises, and automatically stops, SSH brute-force attacks like:

OSSEC HIDS Notification.
2008 Aug 31 13:39:46
Received From: (pcgrid01) 193.204.231.243->/var/log/messages
Rule: 5712 fired (level 10) -> "SSHD brute force trying to get access to the system."
Portion of the log(s):
Aug 31 13:46:46 pcgrid01 sshd[3864]: Invalid user test4 from 201.116.169.43
Aug 31 13:46:40 pcgrid01 sshd[3856]: Invalid user test from 201.116.169.43
Aug 31 13:46:38 pcgrid01 sshd[3854]: Failed password for invalid user test from 201.116.169.43 port 11147 ssh2
Aug 31 13:46:38 pcgrid01 sshd[3854]: Invalid user test from 201.116.169.43
Aug 31 13:46:34 pcgrid01 sshd[3848]: Invalid user test from 201.116.169.43
Aug 31 13:46:32 pcgrid01 sshd[3846]: Failed password for invalid user test from 201.116.169.43 port 10871 ssh2
Aug 31 13:46:32 pcgrid01 sshd[3846]: Invalid user test from 201.116.169.43

with an iptables DROP rule for that specific source IP, applied on the attacked host alone or on all the hosts of your subnet. The DROP rule is removed after a tunable amount of time (I set it to one day).

On pcgrid01, OSSEC records the DROP action in its active-response log:

[root@pcgrid01 /]# grep 201.116.169.43 /var/ossec/logs/active-responses.log
Sun Aug 31 13:48:34 CEST 2008 /var/ossec/active-response/bin/firewall-drop.sh add - 201.116.169.43 1220182874.1828379 5712
[root@pcgrid01 /]#
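The logic behind an alert like rule 5712 is a counter over a sliding time window, keyed by source IP. The following is an added example, not OSSEC's own code: it runs that logic over the sshd lines from the excerpt above (plus two constructed lines) and builds the time-limited firewall DROP that the active response would apply. The threshold (5 failures in 120 seconds), the one-day block, the year 2008 (syslog timestamps carry none) and the iptables command string are assumptions; the command is only built, never executed.

```python
"""Added example, not OSSEC's own code: the detection logic behind an
alert like rule 5712 (SSHD brute force) as a sliding-window counter over
sshd log lines, plus the resulting time-limited firewall DROP.

Assumptions (not from the page): 5 failures from one source IP within 120 s
fire the rule, the block lasts one day, the year is 2008 because syslog
timestamps carry none, and the firewall command is only built, not run.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                      # failures from one IP ...
WINDOW = timedelta(seconds=120)    # ... within this window fire the rule
BLOCK_FOR = timedelta(days=1)      # how long the DROP stays in place
YEAR = 2008

# sshd lines that count as an authentication failure attributed to a source IP
FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Invalid user \S+ from|Failed password for (?:invalid user )?\S+ from) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_failure(line):
    """(timestamp, source_ip) for a failure line, None for anything else."""
    m = FAILURE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip")


def firewall_drop_cmd(ip):
    """Hypothetical stand-in for what firewall-drop.sh 'add' does with iptables."""
    return f"iptables -I INPUT -s {ip} -j DROP"


def detect(lines):
    """Return {ip: (fired_at, expires_at, command)} for IPs that crossed the threshold.

    Events are sorted by timestamp first: the OSSEC notification lists them
    newest first, while the window logic needs chronological order.
    """
    events = sorted(e for e in map(parse_failure, lines) if e is not None)
    recent = defaultdict(deque)    # ip -> timestamps still inside the window
    blocked = {}
    for ts, ip in events:
        if ip in blocked:
            continue               # already dropped; do not fire again
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > WINDOW:  # slide the window forward
            q.popleft()
        if len(q) >= THRESHOLD:
            blocked[ip] = (ts, ts + BLOCK_FOR, firewall_drop_cmd(ip))
    return blocked


SAMPLE_LINES = [  # constructed: the excerpt from the page plus two extra lines
    "Aug 31 13:46:46 pcgrid01 sshd[3864]: Invalid user test4 from 201.116.169.43",
    "Aug 31 13:46:40 pcgrid01 sshd[3856]: Invalid user test from 201.116.169.43",
    "Aug 31 13:46:38 pcgrid01 sshd[3854]: Failed password for invalid user test from 201.116.169.43 port 11147 ssh2",
    "Aug 31 13:46:38 pcgrid01 sshd[3854]: Invalid user test from 201.116.169.43",
    "Aug 31 13:46:34 pcgrid01 sshd[3848]: Invalid user test from 201.116.169.43",
    "Aug 31 13:46:32 pcgrid01 sshd[3846]: Failed password for invalid user test from 201.116.169.43 port 10871 ssh2",
    "Aug 31 13:46:32 pcgrid01 sshd[3846]: Invalid user test from 201.116.169.43",
    "Aug 31 13:46:20 pcgrid01 sshd[3830]: Failed password for root from 10.0.0.7 port 40022 ssh2",
    "Aug 31 13:50:00 pcgrid01 sshd[3900]: Accepted publickey for oper from 10.0.0.5 port 2222 ssh2",
]

if __name__ == "__main__":
    for ip, (fired, expires, cmd) in detect(SAMPLE_LINES).items():
        print(f"{fired} block {ip} until {expires}: {cmd}")
```

With these inputs the rule fires on the fifth failure from 201.116.169.43 (13:46:38) and nothing fires for 10.0.0.7, which failed only once. A real active response also has to remember the expiry and run the matching delete, which is what the timestamp in OSSEC's active-responses.log is for.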

Centralized logging system on MySQL with PHP frontend

Understanding what is happening on a cluster of Linux boxes is a complex task without some kind of centralized repository where all the information is stored, ordered by time and host. You can set up a central syslog server by editing /etc/sysconfig/syslog on the server and configuring your syslog clients to send their logs to that host. But I'm lazy and I hate browsing tons of information in black/white text files :-). Also, with flat files you lose the tags bound to each message, basically the syslog Facility/Priority (http://doc.novsu.ac.ru/oreilly/tcpip/puis/ch10_05.htm) info, and you can't use them as parameters in your queries.

So if you like web tools, I suggest replacing the standard syslog RPM with Rsyslog (http://www.rsyslog.com/) + Phplogcon (http://www.phplogcon.com/). Your logs will be stored both locally and in the remote MySQL DB. Use an XFS filesystem for the MySQL files and powerful hardware to host the DB, because the queries must run quickly. After one month you can safely drop old rows from the DB. Keep in mind that plain syslog forwarding (UDP port 514) is neither encrypted nor authenticated, so the collector should accept messages only from your own subnet.

You should also protect the Phplogcon web access with X.509 client logins and allow only HTTPS connections, to avoid network sniffing. On my site the iptables firewall allows web access only from well-known IPs or subnets, but you could open it to the Internet by integrating the security features described under Host-based Intrusion Detection System - HIDS.
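The point about losing Facility/Priority becomes concrete when you look at what actually travels to the central server: an RFC 3164 message starts with a numeric PRI that encodes both, and a flat file drops it on write. The following is an added example, not code from rsyslog or phplogcon: it parses such messages, keeps facility and severity as queryable columns, and purges rows past a retention window. SQLite stands in for the MySQL server, the table is a cut-down version shaped like the SystemEvents table rsyslog's ommysql writes to, the year is 2008, and all sample messages are constructed; none of this is taken from the page.

```python
"""Added example, not code from rsyslog or phplogcon: a small syslog
store that keeps the Facility and Priority a plain text file throws away,
so they can be used as query parameters, and purges rows older than a
retention period.

Assumptions (not from the page): SQLite stands in for MySQL, the table is a
cut-down version shaped like rsyslog's SystemEvents table, the year is 2008
(RFC 3164 timestamps carry none), and the sample messages are constructed.
"""
import re
import sqlite3
from datetime import datetime, timedelta

# RFC 3164 numeric codes: PRI = Facility * 8 + Severity
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"
              ] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG, as sent to a central syslog server on port 514
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")

SCHEMA = """
CREATE TABLE IF NOT EXISTS SystemEvents (
    ID INTEGER PRIMARY KEY,
    ReceivedAt TEXT NOT NULL,      -- ISO 8601, sorts correctly as text
    Facility INTEGER NOT NULL,     -- 0..23
    Priority INTEGER NOT NULL,     -- 0 (emerg) .. 7 (debug)
    FromHost TEXT NOT NULL,
    SysLogTag TEXT NOT NULL,
    Message TEXT NOT NULL
);
CREATE INDEX IF NOT EXISTS SystemEvents_time_host ON SystemEvents (ReceivedAt, FromHost);
CREATE INDEX IF NOT EXISTS SystemEvents_fac_pri ON SystemEvents (Facility, Priority);
"""


def decode_pri(pri):
    """Split a PRI value into (facility_code, severity_code); rejects out-of-range values."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)


def parse_syslog(raw, year=2008):
    """Parse one RFC 3164 message into a row dict; raises ValueError if malformed."""
    m = SYSLOG_RE.match(raw)
    if m is None:
        raise ValueError(f"not an RFC 3164 message: {raw!r}")
    facility, severity = decode_pri(int(m.group("pri")))
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    tag, sep, text = m.group("msg").partition(": ")
    if not sep:                    # no TAG present: keep the whole text as the message
        tag, text = "", m.group("msg")
    return {"ReceivedAt": ts.isoformat(), "Facility": facility, "Priority": severity,
            "FromHost": m.group("host"), "SysLogTag": tag, "Message": text}


class LogStore:
    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.executescript(SCHEMA)

    def ingest(self, raw_messages):
        """Store every parseable message; returns (stored, rejected) counts."""
        stored = rejected = 0
        for raw in raw_messages:
            try:
                row = parse_syslog(raw)
            except ValueError:
                rejected += 1
                continue
            self.db.execute(
                "INSERT INTO SystemEvents (ReceivedAt, Facility, Priority, FromHost, SysLogTag, Message)"
                " VALUES (:ReceivedAt, :Facility, :Priority, :FromHost, :SysLogTag, :Message)", row)
            stored += 1
        self.db.commit()
        return stored, rejected

    def query(self, facility=None, max_priority=7, host=None):
        """Events at least as severe as max_priority, optionally filtered by facility name and host."""
        sql = "SELECT FromHost, Facility, Priority, SysLogTag, Message FROM SystemEvents WHERE Priority <= ?"
        params = [max_priority]
        if facility is not None:
            sql += " AND Facility = ?"
            params.append(FACILITIES.index(facility))
        if host is not None:
            sql += " AND FromHost = ?"
            params.append(host)
        sql += " ORDER BY ReceivedAt"
        return [(h, FACILITIES[f], SEVERITIES[p], tag, msg)
                for h, f, p, tag, msg in self.db.execute(sql, params)]

    def purge(self, now, keep_days=30):
        """Drop rows older than the retention window; returns the number deleted."""
        if isinstance(now, str):
            now = datetime.fromisoformat(now)
        cutoff = (now - timedelta(days=keep_days)).isoformat()
        cur = self.db.execute("DELETE FROM SystemEvents WHERE ReceivedAt < ?", (cutoff,))
        self.db.commit()
        return cur.rowcount


SAMPLE_MESSAGES = [  # constructed; PRI 38 = auth.info, 86 = authpriv.info, 3 = kern.err, 78 = cron.info
    "<38>Aug 31 13:46:46 pcgrid01 sshd[3864]: Invalid user test4 from 201.116.169.43",
    "<86>Aug 31 13:47:02 pcgrid01 sudo: oper : TTY=pts/0 ; PWD=/home/oper ; USER=root ; COMMAND=/bin/bash",
    "<3>Aug 31 13:47:10 pcgrid02 kernel: EXT3-fs error (device sda3): ext3_find_entry: reading directory #1234",
    "<78>Jul 20 04:02:01 pcgrid01 crond[1234]: (root) CMD (run-parts /etc/cron.daily)",
    "garbage without a PRI header",
]

if __name__ == "__main__":
    store = LogStore()
    print("stored/rejected:", store.ingest(SAMPLE_MESSAGES))
    print("err or worse:", store.query(max_priority=3))
    print("auth facility:", store.query(facility="auth"))
    print("purged:", store.purge("2008-08-31T14:00:00", keep_days=30))
```

The two indexes mirror the two ways the page wants to browse the data (by time and host, and by facility/priority); on a large MySQL table both matter far more than the hardware. The purge is the "drop rows after one month" step expressed as a single DELETE, suitable for a nightly cron job.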

Services

Forensic