[svlug] Configuring Server - SSH Trouble + Security Considerations
Lord Sauron
lordsauronthegreat at gmail.com
Mon Oct 23 15:24:40 PDT 2006
On 10/23/06, Rick Moen <rick at linuxmafia.com> wrote:
> Quoting Lord Sauron (lordsauronthegreat at gmail.com):
> > Apache (beta portions of sites protected by username/password)
> > MySQL (listening to localhost ONLY)
>
> Please note that MySQL may still be open to network-based attack via Web
> apps. That is, Prof. Moriarty send devilishly clever malformed URLs
> that get through swiss-cheese PHP-app input validation routines and
> execute dangerous SQL queries. These are called SQL-injection attacks.
I know that - I have a how-to somewhere about attacking sites using
SQL injection attacks.
If I'm careful and build my PHP correctly I don't think anything
should get through. If the only thing that can access the database is
my website, then I have exclusive control over what can happen. Then
it's all a matter of how good my PHP is.
> > PHP
>
> Well, the real question is: PHP configured how? PHP used with what
> apps? "PHP" on http://linuxmafia.com/kb/Security has some thoughts on
> that. And, to add to that:
>
> o Many distros default to installing a php.ini that's explicitly
> intended for development-use only. Some of those prototype php.ini
> files have prominent comment lines saying "For Ghu's sake, don't
> even _think_ of deploying this on public networks. It's not safe."
> But that doesn't do a lot of good if you, the admin, blithely
> go with the default and never look at the config files.
I'll make extra sure to look for that then.
> o Terrible, unsafe coding habits became so ingrained in the PHP
> community for such a long time that many developed PHP Web apps
> are themselves Typhoid Marys of security problems. Read the
> development history of some of the bigger ones, attentively, and it
> comes across like this:
> Feb. 3: Oops! Input validation bug. Upgrade to 3.51b.
> Feb. 21: Oops! Another input validation bug. 3.51c.
> Mar. 18: Dammit, real input validation this time for sure!
> It gets pretty ignominious, after a while. I mean, c'mon, guys,
> even Perl eventually got serious and started using "taint" mode.
>
> o Accordingly, don't be surprised if some/many developed PHP Web apps
> break after you tighten PHP security.
I expect something to break whenever I change a setting. It's rather
disconcerting when something doesn't break.
> > CVS
>
> Unless you're running pserver, this isn't a separate risk; access
> is either local or ssh-mediated.
What's the issue with pserver?
> > NO FTP (all site-uploads and stuff handled over CVS)
>
> I have a stubborn liking for ftp daemons -- appropriately selected and
> used for anonymous-only service. I do that with vs-ftpd, myself.
> See: "FTP Daemons" and "FTP Justification" on
> http://linuxmafia.com/kb/Network_Other/
I did decide that if I was going to use ftp, it would be sftp or
something more secure.
> > SSH (trying to find a way to restrict it to my machines only, so if
> > you're not my laptop or desktop, it should just categorically deny
> > you.)
>
> A lot of people do that; I don't. I simply don't think the "Eek! OMG,
> I've been portscanned. Eek! OMG, someone's dictionary-attacking my
> sshd" stuff is even significant at all (given precautions to keep local
> users from doing dumb things with password-selection).
>
> If you want something to worry about, here:
> "Break-in without Remote Exploit" on http://linuxmafia.com/kb/Security
> (Any resemblance to screw-ups involving shells.sourceforge.net and VA
> $WHATEVER is strictly intentional^Wcoincidental.)
>
> > My home network has some networked printers, tons of windows machines,
> > and other insecure things that would be very easily hacked.
>
> Sure, good point.
>
> > I have nmap on my laptop. I've basically tried installing everything
> > networking on it so I can plug in and diagnose any network (or rape
> > it, if I want to, but I'm horrible at that...) Any other good network
> > apps I should know about?
>
> Off the top of my head, gee, dunno. Nessus? Tiger? Maybe you should
> start out with just one or two basic tools and learn to use those
> _well_. (Beware the Gadget Freak Side, Luke.)
It's a desktop machine, not a server - it's not going anywhere.
> > So know what ports are open, what services use them, and how those
> > services are configured. Using Gentoo's rc-update tool, I have a
> > pretty good idea of what's starting and when, though there could be
> > other daemonized things that I'm not seeing.
>
> Again, don't _just_ study the host from within itself. Study it from
> the outside using nmap. For one thing, that's what the bad guys would
> do. Sort of like this: "Attacking Linux" on
> http://linuxmafia.com/kb/Security
Well, I'm learning. Desktop security measures and server security
measures share no common ground, so I'm coming into this almost
completely blind. I think I can make this work though.
--
========== GCv3.12 ==========
GCS d-(++) s+: a? C++ UL+>++++ P+
L++ E--- W+(+++) N++ o? K? w--- O? M+
V? PS- PE+ Y-(--) PGP- t+++ 5? X R tv-- b+
DI+++ D+ G e* h- !r !y
========= END GCv3.12 ========
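An added example (not code from this thread or from either poster) of the point Rick makes about SQL injection reaching a localhost-only MySQL through the Web app itself: the same request value is passed to a string-spliced query and to a prepared-statement version. SQLite in memory stands in for MySQL so it runs without a server; the table, column and account names are assumptions.

```php
<?php
// Added example, not code from the thread: why "MySQL listens on localhost
// only" does not stop SQL injection, since the injected query travels through
// the PHP app, which can reach the local database. SQLite in memory stands in
// for MySQL so this runs stand-alone; table and column names are assumptions.

function openDemoDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pass_hash TEXT)');
    $stmt = $db->prepare('INSERT INTO users (name, pass_hash) VALUES (?, ?)');
    // Constructed sample account.
    $stmt->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// Vulnerable pattern: request values spliced into the SQL text. With no input
// validation, a quote character ends the string literal and the rest of the
// value is parsed as SQL, so the WHERE clause can be rewritten by the client.
function loginUnsafe(PDO $db, string $user, string $pass): bool {
    $sql = "SELECT id FROM users WHERE name = '$user' AND pass_hash = '$pass'";
    return (bool) $db->query($sql)->fetch();
}

// Hardened pattern: allow-list the user name, bind the value with a prepared
// statement so the database never parses input as SQL, and verify the password
// in PHP against a stored hash instead of comparing it inside the query.
function loginSafe(PDO $db, string $user, string $pass): bool {
    if (!preg_match('/^[A-Za-z0-9_.-]{1,32}$/', $user)) {
        return false;
    }
    $stmt = $db->prepare('SELECT pass_hash FROM users WHERE name = :name');
    $stmt->execute([':name' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($pass, $row['pass_hash']);
}

$db = openDemoDb();
// Constructed request value of the kind the quoted message describes.
$injected = "' OR '1'='1";
var_dump(loginUnsafe($db, 'alice', $injected));
var_dump(loginSafe($db, 'alice', $injected));
```

Run it with a PHP build that has pdo_sqlite; the unsafe function accepts the login because the spliced value turns the condition into one that is always true, while the safe function treats the same bytes as an ordinary (wrong) password.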