I apologize for the html, but it is a copy from a web post I did.
I wanted to share this with list members and hope it helps others.
I tried not to be redundant and add things I have not seen posted before.
Always interested in constructive thoughts, better ideas, etc.
*Security thoughts for server admins/webmasters*
------------------------------------------------------------------------
I would like to add some security measures I like to use. These are not
listed on security sites, and I feel it is time someone posted this stuff.
They concern programs and services that webmasters and server admins use
only rarely.
This list assumes you have either an IPMI card with its own Ethernet port
or an onboard IPMI interface, both with video (console) access; or, if
you have no IPMI, that you can reach the shell of a virtual host and
from there the virtual servers located on it.
*PHPMYADMIN* - This is a wonderful tool for web programmers. Most
security advice for this program lists just two protections:
a) Use .htaccess to password-protect it and force SSL
b) Alias the folder from /phpmyadmin to something like /examp
This is where the security measures, aside from keeping it updated, seem
to end. This is bad. There is more you can do to protect that access to
your database.
PhpMyAdmin is a program you will use at times, but 99% of the time you
will never touch it at all. So why would you leave it open to hackers
all the time?
Simply disable the alias in httpd so the folder cannot be accessed.
For example, in CentOS 6 the file /etc/httpd/conf.d/phpmyadmin.conf
contains a directory block like this one (or something like it).
I have added 'Deny from All' and commented out 'Allow from All', then
restarted httpd. (The AllowOverride line keeps .htaccess protection
working for the folder.) You could comment out everything except the
AllowOverride and the Deny from All...
<Directory /usr/share/phpMyAdmin/>
Order Deny,Allow
Deny from All
Allow from 127.0.0.1
Allow from ::1
#Allow from All
AllowOverride All
</Directory>
Once httpd is restarted, no one can access the phpMyAdmin folder,
provided it is not inside the html document root. (In CentOS 6 the
program is usually located in /usr/share/phpmyadmin.)
This prevents your phpMyAdmin installation from being attacked.
If you think about it, outside of a small fix or initial programming you
will almost never use the program.
So why leave it open to everyone 24 hours a day?
*IPMI*
IPMI is great, but if you are a webmaster you are probably leaving it
open to the internet.
If you are local to the datacenter, or the datacenter is really cool,
you can remove the Ethernet cable from the IPMI port and ask them to
plug it in when there is an issue.
This only works if you have a separate IPMI card with its own Ethernet
port. (It helps if you tag the cable and the port for the datacenter staff.)
I think most of us seldom, if ever, use our IPMI during the course of a
year once the system is set up.
This prevents root access through the card and the IPMI card itself
from being compromised, while still allowing emergency access with a
quick visit or a phone call.
*IPMI, Virtual Host, Virtual Machines*
*Your Virtual Host server*
I seldom need to go into my virtual host. It is set up correctly and I
get my logwatch reports every day. I have no ports open on it.
If I never use it, why would I leave a shell port open 24 hours a day?
If I have an IPMI card I can log in and open that port. Then I can do
what I need to do.
The safest option, if IPMI with video is available, is to comment out or
disable the ssh port. On a virtual host you most likely use a physical
bridge, which means nothing on the network needs to touch the host
itself. Great security tip.
*Virtual Machines- DNS*
Are your DNS servers virtual machines on a server (or on a dedicated box
with an IPMI card in it)? I bet you never access the shell except to
make that very rare DNS change, and if you use rndc you never use the
shell at all.
If you have IPMI with video, disable the ssh port and enable it via IPMI
on those very rare occasions you need to access the machine.
Logwatch can still send its reports out.
Only port 53 should be open 24 hours a day (plus the rndc port if you
use rndc, and 5353 if you are doing that).
There is no reason to leave this system open to the net at all. Enable
the shell when you need it and disable it when done.
You do not need to open port 25 (or any port) to send emails out of the
system.
So why do you leave port 22 (or another shell port) open 24 hours a day
if you never ever use it?
*MYSQL servers*
Again, whether on a virtual host or on its own dedicated box, disable
port 22 (the ssh port) and only enable it via IPMI on those rare times
you need to use it.
*Your website/webserver*
The same issue remains. Outside of the times you are using shell or
FTP, these ports should be disabled. Enable them using IPMI.
This simple act prevents a lot of hack attempts, stops your logs filling
up, and gives massive peace of mind.
Yes, you use shell and FTP, but not that much. Think about it.
You might use FTP and shell a lot, but you are leaving those ports open
24 hours a day, 7 days a week. I guarantee that outside of heavy
programming days you use those ports less than 5% of that time.
So why open your server to being hacked? Close the ports.
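The DNS, MySQL and webserver sections above all come down to the same procedure: keep the ssh port closed at the firewall and open it only while you are working, from the IPMI console. The script below is an added example (not code from the original post) showing one way to do that on a CentOS 6 style iptables host. The script name, the INPUT chain, the DRY_RUN switch and the use of a DROP rule inserted at position 1 are assumptions of this example.

```shell
#!/bin/sh
# sshgate.sh: open or close the ssh port on the host firewall (iptables).
# Run "sshgate.sh open" from the IPMI console when you need a shell and
# "sshgate.sh close" when you are done. Port, chain and DRY_RUN are
# assumptions of this example, not settings from the original post.

SSH_PORT="${SSH_PORT:-22}"
CHAIN="${CHAIN:-INPUT}"

# With DRY_RUN=1 the iptables commands are printed instead of executed,
# so the script can be reviewed on a box without iptables.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Close the port: a DROP rule at position 1 shadows any ACCEPT for the
# ssh port that the distribution's default ruleset already carries, so
# the default rules do not have to be touched. A stale copy of the DROP
# is removed first so repeated "close" runs do not stack rules. This
# also cuts sessions already in progress, which is why it is meant to be
# run from the IPMI console rather than over ssh.
ssh_close() {
    run iptables -D "$CHAIN" -p tcp --dport "$SSH_PORT" -j DROP 2>/dev/null || true
    run iptables -I "$CHAIN" 1 -p tcp --dport "$SSH_PORT" -j DROP
}

# Open the port: simply remove the DROP rule again.
ssh_open() {
    run iptables -D "$CHAIN" -p tcp --dport "$SSH_PORT" -j DROP
}

# Show the chain with rule numbers so you can confirm the DROP is in place.
ssh_status() {
    run iptables -L "$CHAIN" -n --line-numbers
}

# Command-line entry point; with no argument the script only defines
# the functions above.
case "${1:-}" in
    open)   ssh_open ;;
    close)  ssh_close ;;
    status) ssh_status ;;
    "")     ;;
    *)      echo "usage: $0 open|close|status" >&2; exit 2 ;;
esac
```

Stopping the daemon (`service sshd stop`) is the simpler alternative on CentOS 6; the firewall approach above leaves sshd running and only blocks the port, so nothing else in the service configuration changes. The iptables rule is not persisted, so if you want the closed state to survive a reboot, save it with `service iptables save` while the DROP is in place.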
*Your open source or commercial web application*
Use .htaccess to protect any folder that does not need to be accessed by
a user via HTTP. Most files are pulled in by an index file, and they
still work even with .htaccess protection, because the include happens
server-side rather than through an HTTP request. Try it.
Definitely do this with your administrative folders. There is no reason
not to.
But how many times do you really access that admin folder?
I would say put a fake .htaccess protection file in all the folders you
can. Fake meaning the required user does not exist and there is no
password for it, so the check can never be passed.
The admin folder can be done this way too, but add commented-out lines
with the real user/password info.
Then when you need to go to the admin section, you shell/FTP in, edit
the .htaccess file, do what you need to do, and then comment out the
real access info again.
This prevents any access from an external user to these folders for the
99% of the time you are not using your admin, and 100% of the time for
the folders they should never be visiting.
Outside of a programming/fix/update you will seldom be doing admin work
or program work, and your system/web apps will be running without your
input. So why leave all this open to hackers 24 hours a day?
These simple things can block 100% of brute-force shell attacks across
your system... if you can unplug the IPMI card (with an easy way to plug
it back in) then none of your systems can be reached via shell. Sleep
in peace.
A majority of hacks on open source applications revolve around getting
to that admin folder, or some other folder of a plugin. The hacker will
have a heck of a time brute-forcing an .htaccess-protected folder where
no user/password combination will ever work.
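The "fake .htaccess with the real lines commented out" routine described above can be scripted so that locking the admin folder again after a session is one command instead of a hand edit. The script below is an added example, not code from the original post. The file layout it writes (the AuthUserFile path, the "nobody-ever" user, and the "# real:" / "# fake:" markers it uses to swap lines) is an assumption of this example; the empty password file it points at is one you create yourself with `touch`.

```shell
#!/bin/sh
# admingate.sh: lock or unlock an admin folder whose .htaccess carries a
# "fake" requirement (a user that exists nowhere) plus the real
# requirement commented out. "unlock" swaps the real lines in; "lock"
# swaps them back out. Paths and the "# real:" marker are assumptions
# of this example, not something from the original post.

HTACCESS="${HTACCESS:-/var/www/html/admin/.htaccess}"

# Write the locked form of the file. AuthUserFile points at a password
# file you keep empty (touch it once), and the required user is not in
# any file, so no credential can ever succeed. The genuine settings sit
# behind the "# real:" marker and are inert until unlocked.
write_locked_htaccess() {
    cat > "$1" <<'EOF'
AuthType Basic
AuthName "Restricted"
AuthUserFile /etc/httpd/nobody.htpasswd
Require user nobody-ever
# real: AuthUserFile /etc/httpd/admin.htpasswd
# real: Require user admin
EOF
}

# Rewrite a file in place with sed, keeping the original inode and
# permissions (so ownership seen by httpd does not change).
_rewrite() {
    f="$1"; shift
    sed "$@" "$f" > "$f.tmp" && cat "$f.tmp" > "$f" && rm -f "$f.tmp"
}

# unlock: park the fake AuthUserFile/Require lines behind "# fake:" and
# bring the "# real:" lines into effect.
admin_unlock() {
    _rewrite "${1:-$HTACCESS}" \
        -e 's/^AuthUserFile /# fake: &/' \
        -e 's/^Require /# fake: &/' \
        -e 's/^# real: //'
}

# lock: the exact reverse, restoring the never-satisfiable requirement.
admin_lock() {
    _rewrite "${1:-$HTACCESS}" \
        -e 's/^AuthUserFile /# real: &/' \
        -e 's/^Require /# real: &/' \
        -e 's/^# fake: //'
}

# Report which state the file is in.
admin_state() {
    if grep -q '^# real: ' "${1:-$HTACCESS}"; then echo locked; else echo unlocked; fi
}

# Command-line entry point; with no argument only the functions are defined.
case "${1:-}" in
    lock)   admin_lock ;;
    unlock) admin_unlock ;;
    status) admin_state ;;
    init)   write_locked_htaccess "$HTACCESS" ;;
    "")     ;;
    *)      echo "usage: $0 init|lock|unlock|status" >&2; exit 2 ;;
esac
```

Apache re-reads .htaccess on every request, so no restart is needed after lock or unlock. Keep the real htpasswd file outside the document root, as the example path does, so it cannot be fetched over HTTP even if the folder were ever exposed.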
*On a final note....*
If you are building a web application you should use a MySQL user that
is only allowed to update and select...
With proper programming you can set up items to be deleted via a cron
job, using a MySQL user that has a bit more access.
This prevents a hacker from actually deleting or altering any data, and
anything that does get changed is easily rolled back.
This is how I program and I think it should be standard. As far as I
know not one single program does this...and that is a shame.
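The two-account layout described in the final note, as an added example (not code from the original post): one application account without DELETE, DROP or ALTER, and a separate maintenance account that a cron job uses to purge rows the application has only flagged. The database and account names, the "deleted_at" soft-delete column, the seven-day retention and the `items` table are assumptions of this example; INSERT is granted to the application user here because most applications must create rows, whereas the post lists only SELECT and UPDATE.

```shell
#!/bin/sh
# dbusers.sh: generate (and optionally apply) the GRANTs for a
# least-privilege application account plus a cron purge account.
# Names, the items table and the deleted_at column are assumptions of
# this example, not from the original post.

DB="${DB:-appdb}"
APP_USER="${APP_USER:-webapp}"
CRON_USER="${CRON_USER:-webapp_cron}"

# SQL for the web-facing account. It can read and change rows but holds
# nothing that removes data or changes structure (no DELETE, DROP,
# ALTER, TRUNCATE), so a compromised web app cannot destroy the data.
# Passwords containing a single quote would need escaping; keep them
# to printable characters without quotes for this simple generator.
app_user_sql() {
    app_pw="$1"
    printf "CREATE USER '%s'@'localhost' IDENTIFIED BY '%s';\n" "$APP_USER" "$app_pw"
    printf "GRANT SELECT, INSERT, UPDATE ON %s.* TO '%s'@'localhost';\n" "$DB" "$APP_USER"
}

# SQL for the cron account. It is the only account that may DELETE, and
# it is never used by the web application itself.
cron_user_sql() {
    cron_pw="$1"
    printf "CREATE USER '%s'@'localhost' IDENTIFIED BY '%s';\n" "$CRON_USER" "$cron_pw"
    printf "GRANT SELECT, DELETE ON %s.* TO '%s'@'localhost';\n" "$DB" "$CRON_USER"
}

# The purge the cron account runs (e.g. nightly). The application only
# sets deleted_at; rows stay for seven days, so a mistaken or malicious
# "delete" is rolled back by clearing deleted_at before the purge.
purge_sql() {
    printf "DELETE FROM %s.items WHERE deleted_at IS NOT NULL AND deleted_at < NOW() - INTERVAL 7 DAY;\n" "$DB"
}

# Apply to a live server as the MySQL root account. Passwords come from
# the environment so they do not land in shell history; mysql -p prompts
# for the root password on the terminal, separately from the piped SQL.
apply_grants() {
    {
        app_user_sql "$APP_PASSWORD"
        cron_user_sql "$CRON_PASSWORD"
        printf "FLUSH PRIVILEGES;\n"
    } | mysql -u root -p
}
```

A matching crontab line would call `mysql -u webapp_cron` with the purge statement from `purge_sql`, reading the cron account's password from a `~/.my.cnf` owned by the cron user rather than from the command line.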