Hi,

I admit I never gave security that much thought, that is, except the most basic security rules like choosing good passwords, or reasonable file and directory permissions. But now I have to change that, since I'll soon have to set up a dedicated production server for our public libraries.

I wonder where to begin. I would say the first thing is to get a series of "auditing" tools such as, for example, the port scanner nmap, to test the firewall on the server. Any other ideas for that?

The firewall: CentOS includes a default firewall, where ports can be chosen using a simple graphical (or ncurses) tool. Is that solid enough for a web server? Or do you recommend diving into the innards of iptables? Or maybe, as another solution, can you recommend some good "reasonable" set of rules for a web server, for example?

Last but not least: SELinux. For the moment I don't use it. I read the chapter on SELinux in "Red Hat Enterprise Linux 5 Unleashed" by Tammy Fox, and I simply wonder if it's worth the pain. I'm curious about your opinions on this subject.

Maybe some good reads on security? That is, articles that don't require you to be a doctor in computer science to get a grasp of the subject? And also documentation that doesn't require me to have a life expectancy of 500+ years :oD

Any suggestions?

Niki
Niki Kovacs <contact at kikinovak.net> wrote:

>>I wonder where to begin. <<

Policy. It's a drag, writing policies, but without policies, you're in the "Ready! Fire! Aim!" school of security. The top tier of policy is the "Enterprise Security Policy", which establishes the security function, roles, responsibilities, budget, etc. It also gives the power to enforce penalties for breaches of policies. At the next tier, you have system- and issue-specific policies, such as the "Use of corporate email" policy, the "Inappropriate content in the workplace" policy. You may then move down to standards (platforms, SOE, etc.) and procedures (e.g. for provisioning user accounts, resetting passwords, etc.).

Everything then flows from a Threats and Risk Assessment. Identify the information assets of the enterprise, value them. Then identify the possible threats, essentially giving them a likelihood of occurring. This is then plugged into a risk matrix: high value asset with almost certain likelihood of compromise = extreme risk; insignificant value asset with rare likelihood of compromise = low risk. Obviously, you focus on the high risk stuff first.

You then put in place controls to mitigate the risk. For some things, you can't mitigate (e.g. data centre hit by asteroid and now a smoking hole in the ground); those you push over into Disaster Recovery Planning and deal with through relocation, equipment replacement, off-site backups, etc. Your controls could be technical (firewalls, proxies, authentication and authorization/access control, etc.), physical (locked doors, fences, alarms) and administrative (policies/procedures/standards, pre-employment screening, job rotation, segregation of duties, etc.).

ISO 27001/27002 are a good guide in this area, or if you're US Gummint, check out the NIST SP800-series publications.

>>I would say first thing is get a series of "auditing" tools such as, for example, the port scanner nmap, to test the firewall on the server. Any other ideas for that? <<

Actually, tools like nmap, Nessus, etc. come in quite late in the day, for assurance that things are configured correctly. You can usually get much better bang from the buck from an internal audit first (it's amazing how often things are documented as being one way, when actually they're configured a completely different way).

>>Maybe some good reads on security? That is, articles that don't require you to be a doctor in computer science to get a grasp of the subject? <<

If you want a rapid overview of Linux security, I recommend the book "Real World Linux Security" by Bob Toxen. If you want a rapid overview of the business aspects of security, I'd recommend you investigate Security+, which is an entry-level security certification - a course or even just a study guide would help you.

I'll let others comment on SELinux - I've worked with it, but my experience is definitely atypical.

A closing quote, which I think comes from the old edition of the "Official (ISC)² Guide to the CISSP CBK", but is probably the key point:

"Technical specialists are not the right people to decide how the organization approaches security and what security measures should be implemented. Companies which deal with security at the administrator level do not view security in broad enough terms. Senior management is not sufficiently involved and aware, proper risk management is not performed, security is under-funded and there is no planning and procedures to deal with unanticipated events."

In other words, your top priority in security should be to obtain senior management backing. Without that, you'll just be spinning your wheels. And always remember: you can secure the technology fairly easily - it's the *people* that are the weakest link.

Best,

---
Les Bell, RHCE, CISSP [http://www.lesbell.com.au]
Tel: +61 2 9451 1144
FreeWorldDialup: 800909
On Feb 1, 2008 9:14 AM, Niki Kovacs <contact at kikinovak.net> wrote:
> Hi,
>
> I admit I never gave security that much thought, that is, except the
> most basic security rules like choosing good passwords, or reasonable
> file and directory permissions. But now I have to change that, since
> I'll soon have to setup a dedicated production server for our public
> libraries.

Usually the default Linux setup already has good security rules enabled. The problems will come from you: what you will change, how you will reduce the security!

> I wonder where to begin. I would say first thing is get a series of
> "auditing" tools such as, for example, the port scanner nmap, to test
> the firewall on the server. Any other ideas for that?

nmap is the first step; nessus is overkill if you have to learn it to only protect one server.

> The firewall: CentOS includes a default firewall, where ports can be
> chosen using a simple graphical (or ncurses) tool. Is that solid enough
> for a web server? Or do you recommend diving into the innards of
> iptables? Or maybe, other solution, can you recommend some good
> "reasonable" set of rules for a web server, for example?

You will certainly have dynamic content, use PHP, ... You must first worry about the security of your web application! Use the good settings in your php.ini, be careful about checking the validity of your user input ...

> Last but not least: SELinux. For the moment I don't use it. I read the
> chapter on SELinux in "Red Hat Enterprise Linux 5 Unleashed" by Tammy
> Fox, and I simply wonder if it's worth the pain. I'm curious about your
> opinions about this subject.

You have 3 modes for SELinux: disabled, permissive, enforcing. Set it to permissive, and then try to solve the few errors. When your server is stable (no more changes) and you have no new errors, switch to enforcing.

> Maybe some good reads on security? That is, articles that don't require
> you to be a doctor in computer science to get a grasp of the subject?
> And also documentation that doesn't require me to have a life expectance
> of 500+ years
> :oD
>
> Any suggestions?
>
> Niki
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

--
Alain Spineux
aspineux gmail com
May the sources be with you
Niki Kovacs <contact at kikinovak.net> wrote:

>>Thanks for your very detailed response. <<

Trust me when I say: that wasn't detailed. Nowhere near it.

>>- Is it worth the hassle to bother with SELinux?
- Is the standard firewall configuration enough <<

You can go light on all that policy stuff, especially in a small business environment, but you need to give it at least superficial consideration. Until you do, you can't answer those questions, and we certainly can't. Would, say, a web site defacement cause your organization significant embarrassment? Would it cost you your job? Could borrowers' personal information be compromised? Are you storing information like SSN's? At what point does the benefit exceed the costs? The hassle is worth it for defense/government applications involving classified data, obviously. Probably not worth it for a web-surfing home desktop. You're somewhere - where? - in between. Only you can know, and it depends on business considerations. Remember: "Ready! Fire! Aim!".

One easy out: the "due diligence" approach. Find out what other libraries are doing, and do the same or better. The Koha, OpenBiblio and other mailing lists could be a help here.

I'll let others clue you in on various web vulnerabilities - SQL injection, command injection, cross-site scripting, overflows, etc. - as well as tools like Nessus, Nikto, etc. for vuln scanning. However, your top priority here should be proactive patch management and intrusion detection techniques such as log file monitoring/analysis.

Best,

---
Les Bell, RHCE, CISSP [http://www.lesbell.com.au]
Tel: +61 2 9451 1144
FreeWorldDialup: 800909
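Les names log file monitoring as a top priority. As an added example (not from the thread), the Python script below scans sshd lines in the syslog format CentOS 5 writes to /var/log/secure and reports source addresses with repeated failed logins; the sample lines, hostname, addresses and the threshold of 3 are all constructed for the example.

```python
import re
from collections import Counter, defaultdict
# Constructed sshd lines in the syslog format found in /var/log/secure on
# CentOS 5 (made up for this example, not taken from any real server).
SAMPLE_SECURE_LOG = """\
Feb  1 06:47:01 library sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Feb  1 06:47:03 library sshd[2103]: Failed password for invalid user oracle from 203.0.113.7 port 40114 ssh2
Feb  1 06:47:05 library sshd[2105]: Failed password for root from 203.0.113.7 port 40116 ssh2
Feb  1 06:47:08 library sshd[2107]: Failed password for root from 203.0.113.7 port 40118 ssh2
Feb  1 06:47:10 library sshd[2109]: Failed password for root from 203.0.113.7 port 40120 ssh2
Feb  1 06:48:30 library sshd[2111]: Accepted publickey for niki from 192.0.2.15 port 51022 ssh2
Feb  1 06:49:02 library sshd[2113]: Failed password for niki from 192.0.2.15 port 51024 ssh2
Feb  1 06:49:09 library sshd[2115]: Accepted password for niki from 192.0.2.15 port 51026 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")

def summarize_sshd(log_text):
    """Return (failures per source, usernames tried per source, accepted logins)."""
    failures, users, accepted = Counter(), defaultdict(set), []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, src = m.groups()
            failures[src] += 1
            users[src].add(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, src = m.groups()
            accepted.append((src, user, method))
    return failures, users, accepted

def alerts(log_text, threshold=3):
    """One alert per source at or above `threshold` failures; a source that also
    has a successful login gets flagged, since that is the case to check first."""
    failures, users, accepted = summarize_sshd(log_text)
    succeeded = {src for src, _, _ in accepted}
    out = []
    for src, n in failures.most_common():
        if n >= threshold:
            note = " (also has a successful login!)" if src in succeeded else ""
            out.append(f"{src}: {n} failed logins, users tried: {sorted(users[src])}{note}")
    return out

if __name__ == "__main__":
    for line in alerts(SAMPLE_SECURE_LOG):
        print(line)
```

On a live server the same functions would be fed the rotated file or a tail of it from cron, with the alert lines mailed to the admin.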
Check to see if the town/county has any policies in place for computer systems and networks for public services and follow those guidelines.

Otherwise look at surrounding public library systems to see if they have any you can adopt.

For a LAMP setup you're definitely going to want to use selinux to limit what each application can read and write to, and you should use audit too to set auditing on sensitive directories like /etc, /bin, /lib, /sbin, /usr/bin, /usr/lib, /usr/sbin.

You will probably want to use smartmon to monitor drive health and something else to monitor resource usage (drive space, memory, cpu, mysql db space) with email/sms alerts.

-Ross

----- Original Message -----
From: centos-bounces at centos.org <centos-bounces at centos.org>
To: CentOS mailing list <centos at centos.org>
Sent: Fri Feb 01 06:47:36 2008
Subject: Re: [CentOS] General questions about security

Les Bell a écrit :
> Policy. It's a drag, writing policies, but without policies, you're in the
> "Ready! Fire! Aim!" school of security.
<snip>

Thanks for your very detailed response. Though I can't help feeling a bit like having asked for an identity photo... and getting a 10-foot oil painting :oD

Basically, all I'm concerned about security-wise is a modest Apache/PHP/MySQL server running a single public library management software, and interconnecting eleven (small) public libraries, with a total of 60.000 database entries. No (very) big deal.

The configuration is supposed to run on a dedicated server, so my question will be more practical:

- Is it worth the hassle to bother with SELinux?
- Is the standard firewall configuration enough, or do I really have to fine-tune the thing?
- Basically, what auditing tools besides NMap can you recommend for such a thing?

cheers,

Niki

______________________________________________________________________
This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution or copying of this e-mail, and any attachments thereto, is strictly prohibited. If you have received this e-mail in error, please immediately notify the sender and permanently delete the original and any copy or printout thereof.
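Alain's advice to run SELinux in permissive mode and work through the denials, and Ross's to put auditd watches on the system directories, both end up in /var/log/audit/audit.log. This added Python example (not from the thread) groups constructed records of both kinds so that the handful of distinct problems behind many repeated lines stands out; the sample records, the watch key names etc_watch and bin_watch, and the paths are all assumptions made for the example.

```python
import re
from collections import Counter
# Constructed audit.log records (not from any real host), in the format the Linux
# audit daemon writes: SELinux AVC denials (as logged in permissive mode) and
# SYSCALL records tagged by auditd watch rules such as "-w /etc -p wa -k etc_watch".
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1201855620.101:3401): avc:  denied  { write } for  pid=2210 comm="httpd" name="sessions" dev=sda3 ino=65811 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1201855621.330:3402): avc:  denied  { write add_name } for  pid=2210 comm="httpd" name="sessions" dev=sda3 ino=65811 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1201855640.010:3405): avc:  denied  { name_connect } for  pid=2211 comm="httpd" dest=3306 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1201855700.500:3410): arch=c000003e syscall=2 success=yes exit=3 items=2 ppid=3001 pid=3010 auid=500 uid=0 gid=0 euid=0 comm="vim" exe="/usr/bin/vim" subj=root:system_r:unconfined_t:s0 key="etc_watch"
type=SYSCALL msg=audit(1201855800.700:3420): arch=c000003e syscall=2 success=no exit=-13 items=1 ppid=2210 pid=2212 auid=4294967295 uid=48 gid=48 euid=48 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key="bin_watch"
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value tokens, quoted or bare
PERMS = re.compile(r"\{ ([^}]*) \}")         # the "{ write add_name }" part of an AVC

def parse_record(line):
    """Turn one audit record into a dict of its key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def avc_summary(log_text):
    """Count AVC denials by (source type, target type, class, permissions).
    A context is user:role:type:level; only the type component is kept."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue
        rec = parse_record(line)
        perms = PERMS.search(line).group(1)
        src_type = rec["scontext"].split(":")[2]
        tgt_type = rec["tcontext"].split(":")[2]
        counts[(src_type, tgt_type, rec["tclass"], perms)] += 1
    return counts

def watch_summary(log_text):
    """Count SYSCALL records that carry a watch key by (key, auid, exe, success).
    auid is the login uid, so it survives su/sudo; 4294967295 means it was never set."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") == "SYSCALL" and "key" in rec:
            counts[(rec["key"], rec["auid"], rec["exe"], rec["success"])] += 1
    return counts

if __name__ == "__main__":
    for k, n in avc_summary(SAMPLE_AUDIT_LOG).items():
        print(n, "x AVC denied", k)
    for k, n in watch_summary(SAMPLE_AUDIT_LOG).items():
        print(n, "x watch hit", k)
```

The grouped AVC tuples are what you would then resolve by relabelling (restorecon) or with a policy module built by audit2allow before switching to enforcing; this script only reads the log and changes nothing on the system.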
Ross S. W. Walker a écrit :
> Check to see if the town/county has any policies in place for computer
> systems and networks for public services and follow those guidelines.
>
> Otherwise look at surrounding public library systems to see if they have
> any you can adopt.

The surrounding places here (town halls, police stations) mostly run Windows (98, Me, 2000, XP). So I'd better follow my nose than their security standards :oD

Cheers,

Niki
CI Security has some good hardening guidelines for Linux based servers. Any public facing server should be hardened before deploying it online.

www.cisecurity.org

Paul

-------------- Original message ----------------------
From: Niki Kovacs <contact at kikinovak.net>
Yes, but be aware of any requirements that, if revealed afterwards, can put a project in jeopardy both in terms of budget and schedule. There may be policies governing encryption or firewall setup or monitoring that are general and need to be covered in all environments. Or another type of requirement that might exist is to have low-vision access for the vision impaired for all public terminals. Not security related, but it can definitely pose a problem if it isn't covered in the build spec.

-Ross

----- Original Message -----
From: centos-bounces at centos.org <centos-bounces at centos.org>
To: CentOS mailing list <centos at centos.org>
Sent: Fri Feb 01 14:24:29 2008
Subject: Re: [CentOS] General questions about security