UnderGround Forums
 

ITGround >> Ubuntu Server - Security Question...


6/22/10 2:30 PM
bartos

Member Since: 1/1/01
Posts: 5850
 
I'm new to Ubuntu and to Linux administration altogether. I am coming from a pretty solid BSD background.

I just installed Ubuntu Server and I have it directly connected to the internet with a public IP, no separate firewall or anything. Is this a terrible idea, or not really? If not really, what sort of hardening do I need to do?

If it matters, it will be a LAMP server (apache2, mysql, php) and will also have sshd installed.
6/22/10 7:12 PM
big_slacker

Member Since: 1/1/01
Posts: 14612
First of all, it's a bad idea to have any host attached directly to the internet.

With that said, here is a decent checklist to get started. The basics are patching always up to date and shutting down any listening services not actively needed. Set permissions tight. After that think about iptables/snort.

http://security.utexas.edu/admin/redhat-linux.html
6/23/10 2:19 PM
gsx_r

Member Since: 9/17/09
Posts: 467
You should probably look into what a firewall does. It blocks people from connecting, nothing more.

So unless you only want a certain IP(s) to connect a firewall isn't going to do you any good.
6/23/10 4:26 PM
JOB

Member Since: 1/22/05
Posts: 17850
Who needs access to your server? Public, or private network? If it's a private network, it should be disconnected from the internet.

I have LAMP installed on my laptop with Ubuntu for some dev work with PHP, and I have iptables configured to only allow the subnet of my private network to access it. I also have the root of the server secured with a .htaccess file just in case anyone compromised my network.

If you let me know who needs access to what, I could write you up some quick iptables rules.
6/23/10 4:47 PM
JOB

Member Since: 1/22/05
Posts: 17853
gsx_r - You should probably look into what a firewall does. It blocks people from connecting, nothing more.

So unless you only want a certain IP(s) to connect a firewall isn't going to do you any good.


That is not the functionality of a firewall I'm afraid. Firewalls are highly configurable beyond just IP address access lists. You can have smart-firewalls like stateful inspection, or packet filtering firewalls like iptables which are very powerful means of deciding what traffic can come in and out of the network.

For example - one rule might allow a user to attempt only 3 connections to an SSH server, and if they fail on the third attempt - they could be blocked for X amount of time.

Most people just think of firewalls as "that annoying little popup asking me to grant access or deny", when firewalls are far more complex, and are obviously only as good as the person configuring them.
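The kind of rule set JOB describes above, written out as an added example that is not part of any post in this thread. It generates an `iptables-restore` file combining stateful filtering with the `recent` match; note that iptables counts new connections per source address, not failed logins. The function name, the `SSH` list name, ports 22 and 80 and the 600-second window are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Emits an iptables-restore ruleset:
# stateful filtering, public HTTP, SSH limited to ATTEMPTS new connections
# per source address within WINDOW seconds, everything else dropped.
# Assumed names: ssh_ratelimit_rules, the "SSH" recent list, ports 22 and 80.

ssh_ratelimit_rules() {
    attempts="$1"; window="$2"
    for v in "$attempts" "$window"; do
        case "$v" in
            ''|0*|*[!0-9]*) echo "usage: ssh_ratelimit_rules ATTEMPTS WINDOW_SECONDS" >&2
                            return 2 ;;
        esac
    done
    # The recent match's ip_pkt_list_tot parameter defaults to 20 and some
    # kernels reject a larger hitcount, so cap attempts + 1 at 20.
    [ "$attempts" -lt 20 ] || { echo "ATTEMPTS must be below 20" >&2; return 2; }
    hit=$((attempts + 1))
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name SSH --set
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name SSH --update --seconds $window --hitcount $hit -j DROP
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Three attempts, then that address is dropped until its recent attempts
# age out of the 600 s window.
ssh_ratelimit_rules 3 600
```

Pipe the output through `iptables-restore --test` to validate it before loading, and keep a console session open when applying SSH rules remotely.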
6/23/10 4:54 PM
bartos

Member Since: 1/1/01
Posts: 5859
There will only be two services running on my server: SSHD (openssh) and HTTPD (apache). I will lock down the SSH access to only trusted IPs via hosts.allow. HTTPD will be available for everyone. If I want to monitor for abuse on httpd, there is both simple and complex software to assist me. I just don't see the need for a firewall...
6/23/10 5:07 PM
JOB

Member Since: 1/22/05
Posts: 17854
If the server is public - then I don't see any need to inspect traffic. Provided you have SSH covered from a security standpoint, I think you'll be ok.

If it's LAMP you have installed, I'm assuming that it's for development purposes? As I'm not sure how up to date their packages are in reference to the latest apache/mysql/php releases. They may be a few days behind in some instances which could be a security concern. I only use LAMP on an internal network.

You might want to monitor your HTTPD with snort perhaps.
6/23/10 8:05 PM
big_slacker

Member Since: 1/1/01
Posts: 14615
Even baby FWs these days do stateful inspection, randomize sequence numbers, DoS protection and have the capability to do layer 7 inspection of common protocols like http. Many do anti-x, e-mail filtering, IPS, policy based routing, scanning detect/shun and on and on.

Simple packet filtering is only the beginning and assuming you know what you're doing even hardened internet facing servers benefit from being behind one.
6/24/10 8:34 AM
JOB

Member Since: 1/22/05
Posts: 17856
A fair point - RE: DoS protection / Packet Inspection. But depending on the purpose of the server, it may not require such rigorous protection. I am only saying this because the server package he is using (LAMP) is traditionally used for development, rather than long-term hosting which would require such precautionary measures.
6/25/10 9:16 AM
gsx_r

Member Since: 9/17/09
Posts: 469
bartos - There will only be two services running on my server: SSHD (openssh) and HTTPD (apache). I will lock down the SSH access to only trusted IPs via hosts.allow. HTTPD will be available for everyone. If I want to monitor for abuse on httpd, there is both simple and complex software to assist me. I just don't see the need for a firewall...


You're more than fine running without a firewall. Just make sure your mysql connections happen through a socket.

A firewall will never protect you from a php/apache hole. Maybe an sshd hole, but only because you've limited the traffic to trusted IPs.

Firewalls block packets based on IP(s). Anything else (not including stateful inspection because that's just a way to track packets) is an application gateway.
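Whichever side of the firewall argument you take, the setup bartos describes (only sshd and Apache public) and the advice to keep MySQL on a local socket can be checked on the host itself. This is an added example, not from any poster: it parses `ss -H -tln` output and flags listeners reachable from other hosts that are not on the intended port list. The function names and the sample output are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `ss -H -tln` output on stdin and
# reports TCP listeners that are reachable from other hosts but are not on the
# list of ports meant to be public. Assumed names: audit_listeners, sample_ss.

audit_listeners() {
    allowed="$1"    # space-separated public ports, e.g. "22 80"
    awk -v allowed="$allowed" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            la = $4                                   # local address:port column
            port = la; sub(/.*:/, "", port)           # text after the last colon
            addr = substr(la, 1, length(la) - length(port) - 1)
            gsub(/\[|\]/, "", addr)                   # drop IPv6 brackets
            sub(/%.*/, "", addr)                      # drop %interface scope
            if (addr ~ /^127\./ || addr == "::1") next    # loopback only
            if (!(port in ok)) { print "UNEXPECTED " addr ":" port; bad = 1 }
        }
        END { exit bad }
    '
}

# Constructed sample: MySQL was left listening on every interface.
sample_ss() {
    cat <<'EOF'
LISTEN 0 128        0.0.0.0:22        0.0.0.0:*
LISTEN 0 128              *:80              *:*
LISTEN 0 128           [::]:22           [::]:*
LISTEN 0 80         0.0.0.0:3306      0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53        0.0.0.0:*
EOF
}

# On a live host: ss -H -tln | audit_listeners "22 80"
sample_ss | audit_listeners "22 80" || echo "close or rebind the listeners above"
```

The function exits non-zero when it finds an unexpected listener, so it can run from cron or a deployment check.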
6/27/10 2:31 PM
big_slacker

Member Since: 1/1/01
Posts: 14620
Yes, companies now sell "multi-function security appliances" and "integrated security gateways" but we still call an ASA or ISG a firewall to avoid confusion and to denote their basic purpose in the network.

We don't call routers with ACLs firewalls for the same reason even though by a narrow definition they qualify.

Regardless of semantics, to keep on target you can harden a server and stick it directly on the internet, but I'd never have one out there involving any kind of sensitive data. If it's just for play there is no reason why a firewall would be required.
