Hardening a debian wheezy linux apache server

So, I’ve been making a couple of servers publicly accessible so as to allow some services outside the firewall. The main things I’m aiming to have available are git and mediawiki, which in turn means making SSH and Apache services available.

I have a virtual server that is my main gateway, and I have a smoothwall that sits at the perimeter. I’ve been through a bunch of different sites and looked at lots of documentation; this post just points to a few of them in case someone else is following the same path.

Firstly, I’m on debian, so the authoritative manual is the debian security manual.  This is reasonably old and looks clunky, but the advice in it remains good.  From this I got the following things:

  • harden – a debian package that conflicts with known risky packages (so makes it hard to accidentally install something that compromises security), and installs a bunch of tools
  • tiger – an auditing service that tells you what’s running on your machine and what vulnerabilities you have – run it with tiger -E
  • tripwire – a tool that creates a checksum of key configuration files, and checks daily whether any of them have changed.  It’s better if you have some write-protected media to prevent someone just changing the tripwire signatures, but even without that it will probably give you an alert for most script kiddie type attacks
  • checksecurity – runs some sort of security check daily.  Waiting to see what that does as yet
  • chkrootkit – looks for root kits
  • debsums – I think this checks that your packages in dpkg haven’t been corrupted or compromised.  Not sure how it works as yet

Next, from demongin I found the following tips:

  • install mod-evasive for apache: this looks to have some handling of DoS attacks, blocking excessive traffic and some attempted compromises
      aptitude install libapache2-mod-evasive
      a2enmod evasive

A few sites recommended mounting a separate /tmp and preventing anyone from running executables from there; I ended up making my own instructions:

  • create a new partition for /tmp (I split the swap space in half to do this, too lazy to reformat the whole virtual machine)
  • mount /tmp using the following line in /etc/fstab
      UUID=79c5069a-cc90-420c-ad40-abed9ae520ec     /tmp            ext4    noexec,nosuid,rw  0       1
  • change permissions to have sticky bit
      chmod 1777 /tmp
  • link /var/tmp to /tmp
      rmdir /var/tmp
      cd /var
      ln -s /tmp

From yosti I found some really good information. I haven’t finished working through this set yet (I haven’t configured iptables), but I really like the ideas:

  • Apache hardening: turn on mod_headers
      a2enmod headers
  • in /etc/apache2/conf.d/security we set
      ServerTokens Prod
      ServerSignature Off
      Header set X-Content-Type-Options "nosniff"
      Header set X-XSS-Protection "1; mode=block"
      Header set X-Frame-Options "sameorigin"
  • IPTables.  I have a firewall on the front end (smoothwall), so I don’t need inbound iptables so much.  And as yosti has said, I’m only running a handful of services, so any other ports aren’t open anyway.  But I like the idea of limiting outbound internet access to only those users that I specifically enable it for.  In short, it would stop any compromised users from downloading stuff (such as a rootkit) and therefore make it hard to take over a machine other than using the software already on the machine – which is hard work.  So this is still on my list to do
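As an added check that is not part of the original post: the two shell functions below verify, from /proc/mounts-style input and raw HTTP response headers, that the /tmp mount options and the mod_headers settings from the lists above actually took effect. MOUNTS and HEADERS are constructed samples; on a live host feed them /proc/mounts and the output of curl -sI instead.

```shell
# Added example (not from the original post): MOUNTS and HEADERS are constructed
# samples; on a live host use /proc/mounts and "curl -sI http://localhost/".
MOUNTS='/dev/vda3 /tmp ext4 rw,nosuid,noexec,relatime 0 0
/dev/vda1 / ext4 rw,relatime,errors=remount-ro 0 0'
HEADERS='HTTP/1.1 200 OK
Server: Apache
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: sameorigin
Content-Type: text/html'
# mount_has_opts MOUNTPOINT OPT...: reads /proc/mounts-format lines on stdin;
# succeeds only if MOUNTPOINT is mounted with every OPT in its option list.
mount_has_opts() {
    mp=$1; shift
    opts=$(awk -v mp="$mp" '$2 == mp { print $4; exit }')
    [ -n "$opts" ] || return 1
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;
            *) return 1 ;;   # option absent (or mis-spelled in fstab)
        esac
    done
}

# header_is NAME VALUE: reads raw response headers on stdin; succeeds if header
# NAME (case-insensitive) is present with exactly VALUE (CRLF tolerated).
header_is() {
    awk -v name="$1" -v want="$2" '
        { i = index($0, ":") }
        i > 0 && tolower(substr($0, 1, i - 1)) == tolower(name) {
            v = substr($0, i + 1)
            sub(/^[ \t]+/, "", v); sub(/[ \t\r]+$/, "", v)
            if (v == want) ok = 1
        }
        END { if (!ok) exit 1 }'
}
# run_checks: every check against the samples; returns 1 if any failed.
run_checks() {
    rc=0
    printf '%s\n' "$MOUNTS" | mount_has_opts /tmp noexec nosuid ||
        { echo "FAIL: /tmp not mounted noexec,nosuid"; rc=1; }
    for pair in 'X-Content-Type-Options=nosniff' \
                'X-XSS-Protection=1; mode=block' 'X-Frame-Options=sameorigin'; do
        printf '%s\n' "$HEADERS" | header_is "${pair%%=*}" "${pair#*=}" ||
            { echo "FAIL: header ${pair%%=*} missing or wrong"; rc=1; }
    done
    return "$rc"
}
run_checks
```

On the real server the same functions run as `mount_has_opts /tmp noexec nosuid < /proc/mounts` and `curl -sI http://localhost/ | header_is X-Frame-Options sameorigin`, which is a quick way to confirm the settings survived the next reboot or package upgrade.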
