Jaime Frutos Morales's blog

12/03/2010

How to specify the listening ports of a NFS server on Red Hat 5

Filed under: Security, SysAdmin — acidborg @ 14:39

Description: by default, some NFS (version 2 and 3) daemons on Red Hat 5 (statd, lockd, mountd and rquotad) listen on random ports. To write firewall rules for these daemons, their ports must be fixed rather than random. I’m going to use the following ports in this example: 4000 for statd, 4001 for lockd, 4002 for mountd and 4003 for rquotad.

Steps:

  1. Edit /etc/sysconfig/nfs with this configuration:
    • STATD_PORT=4000
    • LOCKD_TCPPORT=4001
    • LOCKD_UDPPORT=4001
    • MOUNTD_PORT=4002
    • RQUOTAD_PORT=4003
  2. Restart your NFS server: service nfs restart ; service nfslock restart
  3. Configure your firewall rules to allow NFS traffic to these ports.
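For step 3, the following added example (not part of the original post) derives the iptables rules from the same /etc/sysconfig/nfs file written in step 1, so the firewall can never drift from the pinned ports. Ports 111 (portmap) and 2049 (nfsd) are always fixed on Red Hat 5 and are included as well; the client network 192.168.1.0/24 and the sample file contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: generate iptables ACCEPT rules for an NFS
# server from an /etc/sysconfig/nfs style file, so firewall and daemon ports stay in sync.
# 111 (portmap) and 2049 (nfsd) are the fixed standard ports and are always added.

# nfs_firewall_rules CONFIG_FILE CLIENT_NET
# Prints one "iptables -A INPUT ..." line per port and protocol; returns 1 with an error
# on stderr if any of the five variables is missing or not numeric.
nfs_firewall_rules() {
  cfg="$1"; net="$2"
  get_var() { sed -n "s/^$1=//p" "$cfg" | tail -n 1; }   # last assignment wins, as in the shell
  statd=$(get_var STATD_PORT)
  lockd_tcp=$(get_var LOCKD_TCPPORT)
  lockd_udp=$(get_var LOCKD_UDPPORT)
  mountd=$(get_var MOUNTD_PORT)
  rquotad=$(get_var RQUOTAD_PORT)
  for name in statd lockd_tcp lockd_udp mountd rquotad; do
    eval "val=\$$name"
    case "$val" in
      ''|*[!0-9]*) echo "error: $name is missing or not numeric in $cfg" >&2; return 1 ;;
    esac
  done
  for p in 111 2049 "$statd" "$lockd_tcp" "$mountd" "$rquotad"; do
    echo "iptables -A INPUT -s $net -p tcp --dport $p -j ACCEPT"
  done
  for p in 111 2049 "$statd" "$lockd_udp" "$mountd" "$rquotad"; do
    echo "iptables -A INPUT -s $net -p udp --dport $p -j ACCEPT"
  done
}

# Constructed sample with the values from the post; on a real server pass /etc/sysconfig/nfs.
sample_cfg=$(mktemp)
cat > "$sample_cfg" <<'EOF'
STATD_PORT=4000
LOCKD_TCPPORT=4001
LOCKD_UDPPORT=4001
MOUNTD_PORT=4002
RQUOTAD_PORT=4003
EOF

# Print the rules for a sample client network (constructed); pipe the output to sh to
# apply them, then persist with "service iptables save".
nfs_firewall_rules "$sample_cfg" 192.168.1.0/24
```

Restricting the source network matters as much as the ports: NFS v2/v3 has no authentication beyond the client IP, so an ACCEPT rule without `-s` exposes the exports to every host that can reach the server.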

16/01/2010

Book review: ModSecurity 2.5 by Magnus Mischel

Filed under: Books, Security, SysAdmin — acidborg @ 14:41

ModSecurity 2.5 by Magnus Mischel

As a GNU/Linux systems administrator, I manage Apache servers and their configurations on a daily basis, so being capable of getting the best from them is essential in my daily work. That’s why any additional knowledge on the subject helps to make my work easier and more efficient. That is where ModSecurity 2.5 by Magnus Mischel comes on the scene. Although I have already installed and configured mod_security on several Apache servers, I have learned a lot from this book and I strongly recommend reading it if you are a web server admin or you are interested in web-based attacks and how to protect your servers from them.

ModSecurity 2.5 by Magnus Mischel introduces one of Apache’s most powerful modules: mod_security. It is a web application firewall designed as an Apache module. It provides protection from a lot of web-based attacks and it monitors and logs your HTTP traffic. This book explains how to secure your Apache installation and web applications using mod_security. It is targeted at web server admins, mainly in GNU/Linux environments, with some experience with SQL. Although programming knowledge is not required, knowing shell scripting, Perl and/or PHP will make following the book easier. Web security knowledge is not required as all security concepts and attacks are explained in depth throughout the book. No prior regular expressions knowledge is required as they are widely explained in many chapters and there is an appendix dedicated to them.

Before reading this book, I was thinking “A book on such a specialized topic must be hard to follow and understand”. How wrong I was. In fact, it is one of the best written technical books I have ever read. The author explains each topic step-by-step but in-depth, so you can learn new things easily throughout the book both from the explanations and from the real-life examples it shows. After reading it, you will be able to create your own customized mod_security rules, understand a lot of web-based attacks, know how to protect from them using mod_security and, last but not least, improve your regular expressions skills.

My favourite part of the book is Chapter 6 (“Blocking common attacks”) because it introduces many web-based attacks, how to prevent them and how to protect your servers from them in just a few minutes with real-life examples and screenshots. Chapter 2 (“Writing rules”) is very nice and well explained too, but I prefer real examples over theory (you can’t blame me, I’m a Sysadmin). On the other hand, the only chapter I don’t like as much as the others is the last one (“Protecting a web application”) because it picks a web application (YaBB) and explains in-depth how to generate the proper rules to protect it. I understand that this has to be read as a real world example, but I think it’s very focused on the application and it’s hard to follow this example if you have never used YaBB before.

In conclusion, I think this is a “must-have” book if you usually deal with web servers. I enjoyed reading it a lot and I have learned many things that mod_security can do that I wasn’t aware of. I strongly recommend it to all web server admins out there. You can download a sample chapter (Chapter 3 – Performance) here. Check the book’s table of contents to find out what the rest of the chapters are about.

You can also buy the book from Packt Publishing if you want.

NOTE: I was contacted by Packt Publishing to review this book and they sent me a free copy to do it. I would like to thank them for giving me this opportunity.

09/12/2009

How to install and configure GreenSQL in Ubuntu 9.10

Filed under: Databases, Security, SysAdmin — acidborg @ 13:12

Description: “GreenSQL is an Open Source database firewall used to protect databases from SQL injection attacks. GreenSQL works as a proxy for SQL commands and has built-in support for MySQL & PostgreSQL. The logic is based on evaluation of SQL commands using a risk scoring matrix as well as blocking known db administrative commands (DROP, CREATE, etc). GreenSQL is distributed under the GPL license”.

Installation:

  • Download its source code from its web site.
  • Install the needed packages: apt-get install libevent-1.4-2 libpcre3 libmysqlclient15off libpq5 libmysqlclient15-dev libevent-dev libpcre3-dev libpcre3 libpq-dev flex g++ bison build-essential
  • Uncompress it: tar xvfz greensql-fw_*.tar.gz
  • Enter its directory: cd greensql-fw_*
  • Build the deb package: ./build.sh
  • Install the deb package (as root): cd .. && dpkg -i greensql-fw*.deb
  • Answer the questions to connect GreenSQL to your database

Configuration (using Apache):

  • Enter GreenSQL directory: cd /usr/share/greensql-fw
  • Set the right permissions to templates_c : chgrp -R www-data templates_c && chmod -R 770 templates_c
  • Create the file /etc/apache2/conf.d/greensql with the following content (the Directory block must name the filesystem path the alias points to, not the URL path, otherwise the access restriction would not apply to the console):
    Alias /greensql /usr/share/greensql-fw
    <Directory /usr/share/greensql-fw>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    </Directory>
  • Restart Apache: apache2ctl restart
  • Access GreenSQL using your web browser (default user is admin and default password is pwd): http://localhost/greensql
  • Change the default admin’s password.
  • Edit GreenSQL configuration to fit your needs (reading this might help).

Use:

To use GreenSQL, you have to change the configuration of the applications that connect to your database so they point to the computer where GreenSQL is installed (localhost in this case) and the port where GreenSQL is listening (3305 in my case, proxying my MySQL database). You can test whether it is working by connecting to your database through the proxy and creating a table (it should appear in GreenSQL as an alert named “Detected attempt to create database/table/index” and it should be blocked if you didn’t change the IPS option). Example:

mysql -u root -h 127.0.0.1 -P 3305 -p
CREATE TABLE greensql_test (id INT);

Remember: even if you use a database firewall like GreenSQL, you must still prevent SQL injection and other database-related attacks by securing and auditing your application’s code.

04/12/2009

Introducing Rootkit Hunter

Filed under: Security, SysAdmin — acidborg @ 14:28

Description: “Rootkit scanner is scanning tool to ensure you for about 99.9%* you’re clean of nasty tools. This tool scans for rootkits, backdoors and local exploits by running tests like:

  • MD5 hash compare
  • Look for default files used by rootkits
  • Wrong file permissions for binaries
  • Look for suspected strings in LKM and KLD modules
  • Look for hidden files
  • Optional scan within plaintext and binary files

Rootkit Hunter is released as GPL licensed project and free for everyone to use”.

Installation:

  • Download the latest version from its web site.
  • Uncompress it: tar xvfz rkhunter-*.tar.gz
  • Enter its directory: cd rkhunter-*
  • Install it (as root): ./installer.sh --layout /usr/local --install

Use:

  • To run it (as root): rkhunter --sk -c
  • To check its results: less /var/log/rkhunter.log

To obtain valid results, be aware of false positives (check warnings twice) and keep it updated. Remember: security is a process, not a state.

08/10/2009

How to install and configure OSSEC in Ubuntu Server 9.04

Filed under: Security, SysAdmin, Ubuntu — acidborg @ 15:54

Description: “OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. It runs on most operating systems, including Linux, MacOS, Solaris, HP-UX, AIX and Windows.”

Installation:

  • Install the needed packages with the following command: apt-get install gcc g++ make
  • Download the latest version from its web site.
  • Uncompress it: tar xvfz ossec-hids-latest.tar.gz
  • Run the installation script: cd ossec-hids-* && ./install.sh

Here are the installation steps (with my answers in boldface):

** Para instalação em português, escolha [br].
** 要使用中文进行安装, 请选择 [cn].
** Fur eine deutsche Installation wohlen Sie [de].
** Για εγκατάσταση στα Ελληνικά, επιλέξτε [el].
** For installation in English, choose [en].
** Para instalar en Español , eliga [es].
** Pour une installation en français, choisissez [fr]
** Per l’installazione in Italiano, scegli [it].
** 日本語でインストールします.選択して下さい.[jp].
** Voor installatie in het Nederlands, kies [nl].
** Aby instalować w języku Polskim, wybierz [pl].
** Для инструкций по установке на русском ,введите [ru].
** Za instalaciju na srpskom, izaberi [sr].
** Türkçe kurulum için seçin [tr].
(en/br/cn/de/el/es/fr/it/jp/nl/pl/ru/sr/tr) [en]: en

OSSEC HIDS v2.2 Installation Script – http://www.ossec.net

You are about to start the installation process of the OSSEC HIDS.
You must have a C compiler pre-installed in your system.
If you have any questions or comments, please send an e-mail
to dcid@ossec.net (or daniel.cid@gmail.com).

– System: Linux
– User: root
– Host: server

— Press ENTER to continue or Ctrl-C to abort. —

1- What kind of installation do you want (server, agent, local or help)? local

2- Setting up the installation environment.

– Choose where to install the OSSEC HIDS [/var/ossec]: /opt/ossec

– Installation will be made at /opt/ossec .

3- Configuring the OSSEC HIDS.

3.1- Do you want e-mail notification? (y/n) [y]: y
– What’s your e-mail address? myemail@mydomain.com

– We found your SMTP server as: mail.mydomain.com.
– Do you want to use it? (y/n) [y]: y

— Using SMTP server: mail.mydomain.com.

3.2- Do you want to run the integrity check daemon? (y/n) [y]: y

– Running syscheck (integrity check daemon).

3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y

– Running rootcheck (rootkit detection).

3.4- Active response allows you to execute a specific
command based on the events received. For example,
you can block an IP address or disable access for
a specific user.
More information at:
http://www.ossec.net/en/manual.html#active-response

– Do you want to enable active response? (y/n) [y]: y

– Active response enabled.

– By default, we can enable the host-deny and the
firewall-drop responses. The first one will add
a host to the /etc/hosts.deny and the second one
will block the host on iptables (if linux) or on
ipfilter (if Solaris, FreeBSD or NetBSD).
– They can be used to stop SSHD brute force scans,
portscans and some other forms of attacks. You can
also add them to block on snort events, for example.

– Do you want to enable the firewall-drop response? (y/n) [y]: y

– firewall-drop enabled (local) for levels >= 6

– Default white list for the active response:
– 10.0.0.1
– 10.0.0.2

– Do you want to add more IPs to the white list? (y/n)? [n]: n

3.6- Setting the configuration to analyze the following logs:
— /var/log/messages
— /var/log/auth.log
— /var/log/syslog
— /var/log/mail.info
— /var/log/dpkg.log

– If you want to monitor any other file, just change
the ossec.conf and add a new localfile entry.
Any questions about the configuration can be answered
by visiting us online at http://www.ossec.net .

— Press ENTER to continue —

5- Installing the system
– Running the Makefile
INFO: Little endian set.

(COMPILATION CODE GOES HERE)

– System is Debian (Ubuntu or derivative).
– Init script modified to start OSSEC HIDS during boot.

– Configuration finished properly.

– To start OSSEC HIDS:
/opt/ossec/bin/ossec-control start

– To stop OSSEC HIDS:
/opt/ossec/bin/ossec-control stop

– The configuration can be viewed or modified at /opt/ossec/etc/ossec.conf

Thanks for using the OSSEC HIDS.
If you have any question, suggestion or if you find any bug,
contact us at contact@ossec.net or using our public maillist at
ossec-list@ossec.net
( http://www.ossec.net/main/support/ ).

More information can be found at http://www.ossec.net

— Press ENTER to finish (maybe more information below). —


I chose to perform a local installation because it’s the simplest one and it’s enough for the purpose of this article. I set /opt/ossec as the installation directory according to the Filesystem Hierarchy Standard.

Configuration: you can configure your OSSEC installation by editing /opt/ossec/etc/ossec.conf . I recommend adding the email_maxperhour option to limit the number of mails received from OSSEC.

After editing /opt/ossec/etc/ossec.conf , don’t forget to restart OSSEC with this command: /opt/ossec/bin/ossec-control restart .
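As an added example (not from the post and not the configuration OSSEC ships), this is how the email_maxperhour option fits into the global section of /opt/ossec/etc/ossec.conf, together with a localfile entry of the kind the installer mentions for monitoring an extra log. The e-mail address and SMTP server are the ones answered during the installation above; the sender address, the limit of 12 mails per hour and the Apache access log path (the Ubuntu default) are assumptions. The real file contains further sections (syscheck, rootcheck, rules, active response), so merge these elements into the existing file rather than replacing it.

```xml
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>myemail@mydomain.com</email_to>
    <smtp_server>mail.mydomain.com</smtp_server>
    <!-- sender address: an assumption, the installer normally fills this in -->
    <email_from>ossecm@server</email_from>
    <!-- cap alert mail at 12 per hour (assumed value); alerts above the cap are
         still written to /opt/ossec/logs/alerts/alerts.log, only the mail is held back -->
    <email_maxperhour>12</email_maxperhour>
  </global>

  <!-- extra log to monitor; the path is the Ubuntu default for Apache -->
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/access.log</location>
  </localfile>
</ossec_config>
```

After changing the file, restart OSSEC with /opt/ossec/bin/ossec-control restart as described above.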

03/07/2009

Introducing Lynis

Filed under: Security, SysAdmin — acidborg @ 11:39

From its web: “Lynis is an auditing tool for Unix (specialists). It scans the system and available software, to detect security issues. Beside security related information it will also scan for general system information, installed packages and configuration mistakes”.

Lynis is a very useful tool to find “big” security issues on a computer easily and quickly. Its tests are harmless and they take little time to run. Besides pointing out security issues, it also shows suggestions on how to improve your computer’s security.

It needs no installation. You just need to download the latest version from its web site and uncompress it:

tar xvf lynis-*.tar.gz

To run it, enter the directory where it was extracted and run (as root):

./lynis -c -Q

When the tests are finished, the results are shown divided into warnings and suggestions. This information is a good guide to start hardening your computer. If you want to learn more about the tests performed and their results, you can read the report file /var/log/lynis.log .

Although Lynis is a great tool, hardening isn’t over after fixing all its warnings and suggestions. It is just the first step in hardening a computer, so getting good results doesn’t mean that your computer is secure. Remember: security is a process, not a state.
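Both this post and the Rootkit Hunter post above leave the reader with a log file to read and the advice to watch out for false positives. The following added example (not part of either post, and not code from the Lynis or rkhunter projects) is a small triage helper for that step: it extracts the distinct Warning lines from /var/log/rkhunter.log or /var/log/lynis.log, drops the ones you have already reviewed and recorded as accepted, and gives a cron-friendly exit status. It assumes the “[HH:MM:SS] Warning: …” line shape both tools use; the log lines and the accepted-findings file below are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original posts: triage the Warning lines written by
# rkhunter and Lynis so a nightly job only reports warnings not yet reviewed.
# Log lines are assumed to look like "[HH:MM:SS] Warning: ..." (constructed samples below).

# new_warnings LOG_FILE [ACCEPTED_FILE]
# Prints each distinct warning from LOG_FILE (timestamp removed, duplicates collapsed)
# that does not contain any substring listed in ACCEPTED_FILE (one per line, no blank
# lines: an empty pattern would match everything).
new_warnings() {
  log="$1"; accepted="${2:-/dev/null}"
  sed -n 's/^\[[0-9:]*\] *Warning: //p' "$log" | sort -u |
  while IFS= read -r w; do
    [ -s "$accepted" ] && printf '%s\n' "$w" | grep -qF -f "$accepted" && continue
    printf '%s\n' "$w"
  done
}

# warnings_found LOG_FILE [ACCEPTED_FILE]
# Returns 0 if any unreviewed warning remains, 1 otherwise, so that
# "warnings_found /var/log/rkhunter.log ~/accepted.txt && mail ..." fits in a cron line.
warnings_found() {
  new_warnings "$1" "$2" | grep -q .
}

# Constructed sample log in the rkhunter style and a reviewed-findings file.
sample_log=$(mktemp); reviewed=$(mktemp)
cat > "$sample_log" <<'EOF'
[14:28:01] Info: Starting hidden file and directory checks
[14:28:02] Warning: Hidden directory found: /dev/.udev
[14:28:02] Warning: Hidden directory found: /dev/.udev
[14:28:03] Warning: The file '/usr/bin/unhide.rb' exists on the system, but it is not present in the rkhunter.dat file
[14:28:04] Info: Checking for hidden files and directories [ Warning ]
EOF
# /dev/.udev is udev's own state directory on Ubuntu of this era, a classic rkhunter
# false positive; once checked by hand, record it so it is not reported again.
printf '%s\n' 'Hidden directory found: /dev/.udev' > "$reviewed"

new_warnings "$sample_log" "$reviewed"   # prints only the unhide.rb warning
```

Keep the accepted-findings file under version control or at least readable only by root: whoever can edit it can silence a real finding, and a growing list of blanket substrings is exactly the habit the “check warnings twice” advice above warns against.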
