Cyber Security in a New Digital Age

This is the keynote by Dan Geer at the SourceBoston 2008 Security Conference.
Disclosure: I am on the board of advisors for this conference.

Streaming Flash Video
MP4 File

Files hosted courtesy of blip.tv

Basic Ubuntu Server Hardening

This is a basic level of hardening for Ubuntu servers and should be considered a baseline. This tutorial will cover two topics: SSH and Firewall. This tutorial was prepared using Ubuntu Server 8.04 beta.

SSH
Edit the ssh daemon configuration file to move the ssh port away from 22. Most worms and bots are programmed to look at port 22 and brute-force whatever answers there. Moving to a non-standard port is the easiest way to reduce the volume of log noise from these scans.


zeroday> sudo vi /etc/ssh/sshd_config

Look for “Port 22” and change it to a different value. Anything above 1024 is fine.

# What ports, IPs and protocols we listen for
Port 65522

Now restart sshd

zeroday> sudo invoke-rc.d ssh restart

Firewall

Shorewall is an easy-to-configure front end to Netfilter that provides a basic perimeter for your server's Internet-facing interfaces.

zeroday> sudo apt-get install shorewall

Once the package is installed it will display an error message stating that it cannot start until it has been configured. This is a "dummy proof" feature so that new users will not deploy Shorewall without making the critical changes to the rules. Simply put, it will lock out all inbound connections if deployed as is. This is a great way to stay secure, but it would prevent even ssh from working.

The first step is to copy the example configuration files.

zeroday> sudo cp /usr/share/doc/shorewall-common/examples/one-interface/* /etc/shorewall

To allow the most basic of services we will add rules to allow inbound connections for the web server and ssh server.


zeroday> sudo vi /etc/shorewall/rules

Look for "Permit all ICMP traffic FROM the firewall TO the net zone" and add the following lines after the icmp rule:

ACCEPT net fw tcp 65522
ACCEPT net fw tcp 80

Your rules file should now look like this:

# Permit all ICMP traffic FROM the firewall TO the net zone

ACCEPT $FW net icmp
ACCEPT net fw tcp 65522
ACCEPT net fw tcp 80

The last two steps enable Shorewall to start at boot. The first setting is in the shorewall.conf file.


zeroday> sudo vi /etc/shorewall/shorewall.conf

Look for the STARTUP_ENABLED variable and change it from "No" to "Yes". This is not case sensitive.

The file should end up looking like this:

#######################################
# S T A R T U P E N A B L E D
#######################################

STARTUP_ENABLED=YES

Lastly we need to change the shorewall file in /etc/default.


zeroday> sudo vi /etc/default/shorewall

Look for the "startup" parameter and change it from 0 to 1.

It should look like this when you are done:

# prevent startup with default configuration
# set the following varible to 1 in order to allow Shorewall to start

startup=1

Now you are ready to start your firewall. It is a good idea to double check your work. I like to compare my edited configuration files to the originals using diff.


zeroday> for i in /etc/shorewall/*;
do
diff "$i" /usr/share/doc/shorewall-common/examples/one-interface/"$(basename "$i")";
done

Once you have confirmed the changes start up the firewall.


zeroday> sudo invoke-rc.d shorewall start
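The steps above are easy to get slightly wrong by hand, and the one mistake that matters is starting the firewall before the new ssh port is accepted in the rules, which locks you out of the box. The script below is an added example and is not from the original post or from the Shorewall project: it performs the same edits (sshd port, the two ACCEPT rules, the two startup switches) on whatever file paths you hand it, so you can run it against copies in a scratch directory and diff them before touching /etc, and it adds a lockout check that refuses to pass until the port sshd will listen on appears in the rules file. Function names, the port range check and the check itself are this example's own; it assumes POSIX sh, awk and sed as shipped on Ubuntu.

```shell
#!/bin/sh
# Added example, not code from the original post. Each function takes file
# paths as arguments so it can be tried on copies of the real files first.

# The post says anything above 1024 is fine; reject non-numeric and out-of-range values.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 1024 ] && [ "$1" -le 65535 ]
}

# Rewrite the (possibly commented-out) Port line in an sshd_config copy,
# or append one if the file has none.
set_ssh_port() {
    cfg="$1"; port="$2"
    valid_port "$port" || return 1
    if grep -q '^#\{0,1\}Port ' "$cfg"; then
        sed "s/^#\{0,1\}Port .*/Port $port/" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    else
        printf 'Port %s\n' "$port" >> "$cfg"
    fi
}

# Insert the two inbound ACCEPT rules right after the ICMP rule,
# exactly where the post tells you to add them.
add_shorewall_rules() {
    rules="$1"; port="$2"
    valid_port "$port" || return 1
    awk -v p="$port" '
        { print }
        /^ACCEPT[ \t]+\$FW[ \t]+net[ \t]+icmp/ {
            print "ACCEPT net fw tcp " p
            print "ACCEPT net fw tcp 80"
        }' "$rules" > "$rules.tmp" && mv "$rules.tmp" "$rules"
}

# Flip STARTUP_ENABLED in shorewall.conf and startup in /etc/default/shorewall.
enable_shorewall_startup() {
    conf="$1"; dflt="$2"
    sed 's/^STARTUP_ENABLED=.*/STARTUP_ENABLED=Yes/' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    sed 's/^startup=.*/startup=1/' "$dflt" > "$dflt.tmp" && mv "$dflt.tmp" "$dflt"
}

# Lockout check (this example's own): the port sshd will listen on must be
# accepted from net to fw in the rules file before the firewall is started.
# An sshd_config with no active Port line means the default, 22.
ssh_port_allowed() {
    cfg="$1"; rules="$2"
    port=$(awk '/^Port /{ if (!p) p=$2 } END { print (p+0 ? p : 22) }' "$cfg")
    grep -Eq '^ACCEPT[[:space:]]+net[[:space:]]+(fw|\$FW)[[:space:]]+tcp[[:space:]]+'"$port"'([[:space:]]|$)' "$rules"
}

# Typical use on copies (paths are placeholders):
#   cp /etc/ssh/sshd_config /etc/shorewall/rules /etc/shorewall/shorewall.conf /tmp/work/
#   cp /etc/default/shorewall /tmp/work/default
#   set_ssh_port /tmp/work/sshd_config 65522
#   add_shorewall_rules /tmp/work/rules 65522
#   enable_shorewall_startup /tmp/work/shorewall.conf /tmp/work/default
#   ssh_port_allowed /tmp/work/sshd_config /tmp/work/rules && echo "safe to start shorewall"
```

Run the functions on the copies, diff each copy against its original (as the post does against the example files), and only copy the results into place once `ssh_port_allowed` succeeds; if it fails, the rules file and sshd_config disagree about the port and starting Shorewall would cut off your session.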

mouseHole: A ruby web proxy

I have been thinking about writing a web proxy for a while. There are several projects that all involve web proxy technology. So tonight, while searching for a simple one, I found exactly what I was looking for: mouseHole.

There are a lot of dependencies so be sure to run the following script.

echo "installing ruby and dev libraries"
sudo apt-get install ruby --assume-yes
sudo apt-get install ruby1.8-dev --assume-yes
echo "installing ruby gems"
sudo apt-get install rubygems --assume-yes
echo "installing hpricot gem"
sudo gem install hpricot --include-dependencies
echo "installing camping gem"
sudo gem install camping --include-dependencies
echo "installing activerecord gem"
sudo gem install activerecord --include-dependencies
echo "installing json gem"
sudo gem install json --include-dependencies
echo "installing mongrel gem"
sudo gem install mongrel --include-dependencies
echo "installing sqlite3 and libraries"
sudo apt-get install sqlite3 swig libsqlite3-ruby libsqlite3-dev --assume-yes
echo "installing sqlite3 gem"
sudo gem install sqlite3-ruby --include-dependencies

This is nearly automated; however, you will need to pick the versions of several of the gems (ruby, win32, jruby, etc). If there were a single piece of functionality I'd like from gem installs, it would be the ability to automate this last bit. I'd like to have an option that says "assume the highest version of ruby" for each of those choices. --assume-highest-ruby-version?