Securing the Server

Well, this week I'm going to get the hosting server properly secured. I'll be posting everything I've been doing. For now I have a few things in place, but as always paranoia gets the better of me and it doesn't seem secure enough to me ;P

Things installed:

  1. Portsentry

  2. Snort

  3. Firewall

  4. /tmp and /home mounted with noexec,nosuid

    /dev/hda7  /tmp   ext3  defaults,noexec,nosuid  0  2
    /dev/hda8  /home  ext3  defaults,noexec,nosuid  0  2
  5. PHP in safe mode and with a few dangerous functions disabled

    ; Safe Mode
    ;
    safe_mode = On
    ; By default, Safe Mode does a UID compare check when
    ; opening files. If you want to relax this to a GID compare,
    ; then turn on safe_mode_gid.
    safe_mode_gid = Off

    ; This directive allows you to disable certain functions for security reasons.
    ; It receives a comma-delimited list of function names. This directive is
    ; *NOT* affected by whether Safe Mode is turned On or Off.
    disable_functions = phpinfo, system, shell_exec, proc_terminate, proc_open, proc_nice, proc_get_status, proc_close, passthru, exec, escapeshellcmd, escapeshellarg

    ; Whether or not to register the EGPCS variables as global variables.  You may
    ; want to turn this off if you don't want to clutter your scripts' global scope
    ; with user data.  This makes most sense when coupled with track_vars - in which
    ; case you can access all of the GPC variables through the $HTTP_*_VARS[],
    ; variables.
    ;
    ; You should do your best to write your scripts so that they do not require
    ; register_globals to be on;  Using form variables as globals can easily lead
    ; to possible security problems, if the code is not very well thought of.
    ;
    ; The default in PHP upstream is now "register_globals = Off".  The Debian package
    ; is patched for backward compatibility to default to "On", however this will NOT
    ; last forever.  You have been warned.
    register_globals = Off
  6. chmod 750 on some important files

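    #!/bin/sh
    # Script to change permissions on sensitive directories and programs

    # Space-separated list; it is left unquoted in the loop so the globs expand
    BINARY="/usr/bin/wget /usr/bin/lynx /usr/bin/lynx.stable /usr/bin/links /usr/bin/links.main /usr/bin/scp /usr/bin/ftp /etc/alternatives/ /root/ /usr/bin/gcc* /usr/bin/cc*"
    MODE=0750
    # Named OWNER rather than USER so the login environment variable is not overwritten
    OWNER="root"

    for BIN in $BINARY; do
        # Skip entries that do not exist (including globs that matched nothing)
        [ -e "$BIN" ] || continue
        chown "$OWNER:$OWNER" "$BIN"
        chmod "$MODE" "$BIN"
    done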
  7. Tripwire
  8. … (I'm sure I'm forgetting something)

Well, I'll be posting how I have configured what I had before. Surely many things aren't that good or aren't done the way they should be, but it will keep getting improved ;o)
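
As an added example (not part of the original post or the author's setup), this script checks two of the settings listed above: that a mount point really carries noexec and nosuid, and that a php.ini really disables a given set of functions. The function names `missing_mount_opts` and `not_disabled` and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Sample files are constructed;
# on a real host pass /proc/mounts and the live php.ini instead.

# Print which of noexec,nosuid are missing for mount point $2 in mounts file $1
# (fstab or /proc/mounts layout). Prints "not-mounted" if $2 has no entry.
missing_mount_opts() {
    awk -v mp="$2" '
        $2 == mp { found = 1; opts = "," $4 "," }   # last entry wins
        END {
            if (!found) { print "not-mounted"; exit }
            n = split("noexec nosuid", need, " ")
            for (i = 1; i <= n; i++)
                if (index(opts, "," need[i] ",") == 0) { out = out sep need[i]; sep = " " }
            print out
        }' "$1"
}

# Print the functions from list $2 that php.ini $1 does not disable.
# Whole-name match: "shell_exec" in the list must not count as "exec".
not_disabled() {
    disabled=$(sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=//p' "$1" |
        tail -n 1 | tr -d ' \t"')
    out=""
    for fn in $2; do
        case ",$disabled," in
            *",$fn,"*) ;;
            *) out="${out:+$out }$fn" ;;
        esac
    done
    echo "$out"
}

SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
cat > "$SAMPLE/mounts" <<'EOF'
/dev/hda7 /tmp ext3 rw,noexec,nosuid 0 0
/dev/hda8 /home ext3 rw,nosuid 0 0
EOF
cat > "$SAMPLE/php.ini" <<'EOF'
; disable_functions = commented out, ignored
disable_functions = phpinfo, system, shell_exec, passthru
EOF

for mp in /tmp /home; do
    echo "$mp missing: $(missing_mount_opts "$SAMPLE/mounts" "$mp")"
done
echo "still enabled: $(not_disabled "$SAMPLE/php.ini" "system exec passthru proc_open")"
```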

