Here are some helpful instructions from Carrie as of April 2001. She tested the work on a RaQ4. She also states her thanks to Zeffie and the Rev for help in steering her the right way. Please be aware this is all posted from an email and there may be carriage returns in the wrong places. Please read carefully. Proceed at your own risk. Carrie uses Pico as her editor of choice.
Carrie’s disclaimer 1: I'd say just use this as a basis, and not an end-all be-all definitive guide. Your mileage may vary, and all of that good stuff. ;)
Carrie’s quote: “Been there, done that... used the t-shirt to wipe the blood off of my desk and bandage my flat forehead.” --Carrie Bartkowiak
This document gives instructions for installing: SSH2, Tripwire, IPChains, Portsentry, Logcheck, Lcap, Chkrootkit, LionFind
Plus little tweaks such as: changing the root password, changing the default cobalt-mysql password, some simple unix commands, turning off IMAP, some tweaks to srm.conf, access.conf, httpd.conf, webalizer.conf
USE AT YOUR OWN RISK - I don't guarantee a single thing on here. This was done on a RaQ4i; your mileage may vary.
Note: Always check for newer versions of software than the downloads listed here.
___________________
Change Root Password:
login as admin
su to root
# passwd
enter new password twice - finished. (Be sure to write down the new password!)
--------------------------
SSH2 Installation:
login through telnet as admin, then su to root:
# su -
Get SSH2:
# wget ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/rpm/RH62/openssh-2.5.2p2-1.i386.rpm
# mv openssh* openssh2.rpm
# rpm -i openssh2.rpm
Get the Server:
# wget ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/rpm/RH62/openssh-server-2.5.2p2-1.i386.rpm
# mv openssh-server* openssh2-server.rpm
# rpm -i openssh2-server.rpm
Get the Client:
# wget ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/rpm/RH62/openssh-clients-2.5.2p2-1.i386.rpm
# mv openssh-clients* openssh2-clients.rpm
# rpm -i openssh2-clients.rpm
Start the SSH server:
# /etc/rc.d/init.d/sshd start
Test the install by logging in with an SSH2 client as admin (free client: PuTTY).
If it works, add SSH to the startup files:
# pico /etc/rc.d/rc.local
At the end put:
***from line below***
#Start the SSH2 Server:
/etc/rc.d/init.d/sshd start
fi
***to line above***
Save changes and exit.
Go to your GUI and disable Telnet.
Test it again by connecting through an SSH2 client as admin (in a second window).
Making it more secure:
Now that you've got it working, make it more secure. As per Adam from the cobalt-security list:
Locate the config file sshd_config which usually resides in /etc/ssh. You will see in the first few lines something like:
Port 22
Protocol 1,2
change it to something like:
Port 52
Protocol 2
This will change the standard port of 22 into 52 and force protocol 2 to be used. Locate the start script in /etc/rc.d/rc3.d and type something like:
./S55sshd restart
Make sure you can log in using the new port and protocol (don't forget to configure the client) and, assuming everything is fine, log out of your old session. That's it. If in doubt, leave it alone.
----------------------------
Change MySQL default cobalt-mysql password:
# mysqladmin -uroot -pcobalt-mysql password newpassword
Test it:
# mysql -uroot -pnewpassword
You should be at a mysql prompt. Typing quit at that prompt gets you out of the mysql system.
------------------------------
SRM.CONF changes
# cd /etc/httpd/conf
# cp srm.conf srm.conf.bak
# pico srm.conf
For DirectoryIndex (index.php is already there) add:
index.pl index.cgi index.php3
For IndexIgnore add INSTALL* to the end:
IndexIgnore .??* *~ *# HEADER* README* RCS INSTALL*
For PHP under AddType application:
# PHP4 (backwards compatible with php3)
AddType application/x-httpd-php .php .php3 .php4 .phtml
#AddType application/x-httpd-php4 .php3
AddType application/x-httpd-php4 .php4
AddType application/x-httpd-php4 .php
#AddType application/x-httpd-php4-source .php4s
#AddType application/x-httpd-php4-source .php3s
#AddType application/x-httpd-php4-source .phps
(Yes, I know there is redundancy there. However, I have found that on 3 different RaQ4 machines, it will only work with the redundancy in place.)
For ErrorDocument:
ErrorDocument 401 /401.html
ErrorDocument 403 /403.html
ErrorDocument 404 /404.html
#ErrorDocument 401 /cobalt_error/authorizationRequired.html
#ErrorDocument 403 /cobalt_error/forbidden.html
#ErrorDocument 404 /cobalt_error/fileNotFound.html
ErrorDocument 500 /cobalt_error/internalServerError.html
#We leave 500 as it is for easier debugging.
Restart the httpd server:
# /etc/rc.d/init.d/httpd restart
Do checks to see if this is all working okay. Don't forget to enable PHP in the site that you're testing - this one will cause you much head-on-desk-banging.
------------------------------------
Little How-Tos
To see who's connected to your machine (through telnet and ssh):
# w
To see how long the server has been up and running:
# uptime
Update the 'locate' database:
# /etc/cron.daily/slocate.cron
(The first time you do this, it will take a while.)
To test if PHP is working okay:
1. Make sure you have PHP enabled in site settings.
2. Make a file named test.php and in it put this:
<? phpinfo(); ?>
3. Go to www.yourdomain.com/test.php
(If you haven't done the changes to srm.conf, your file will need to be named test.php3.)
To change the FTP timeout:
# pico /etc/proftpd.conf
Add these lines:
#Edited Timeout for longer ftp sessions
TimeoutNoTransfer 1200
TimeoutIdle 1200
To get Webalizer to run before logrotate, rename it:
# mv /etc/cron.daily/webalizer.pl /etc/cron.daily/awebalizer.pl
To get it to leave statistics on heavy-traffic sites, go into /etc/webalizer.conf and set Incremental to 'yes'. Remember to also set the name for the current file on the line below that.
To get directories to stop giving a list of contents:
# pico /etc/httpd/conf/access.conf
Edit this line so that it has -Indexes at the end:
# be more restrictive within a site
<Directory /home/sites/*/>
Options -FollowSymLinks +SymLinksIfOwnerMatch -Indexes
</Directory>
Save, exit, restart the web server.
# /etc/rc.d/init.d/httpd restart
Alternatively, set AllowOverride Options to ALL and drop an .htaccess file into the /web directory with this line:
Options -Indexes
Restarting inetd after dropping some new entries into hosts.deny:
# /usr/sbin/inetd restart
Restart the server from the command line:
# /sbin/shutdown -r now
--------------------------------------
IPChains Install:
# wget ftp://rpmfind.net/linux/redhat/6.2/en/os/i386/RedHat/RPMS/ipchains-1.3.9-5.i386.rpm
# mv ipchains-1.3* ipchains-1.3.rpm
# rpm -i ipchains-1.3.rpm
IPChains is now installed. The startup script is in /etc/rc.d/init.d as ipchains.
Get the helper scripts:
# wget http://netfilter.filewatcher.org/ipchains/ipchains-scripts-1.1.2.tar.gz
# gunzip ipchains-scripts-1.1.2.tar.gz
# tar -xvf ipchains-scripts-1.1.2.tar
# make clean (my raq grumbled at me with this)
# make (some notes, more grumbling)
# make install
At this point you will need to configure IPChains.
ALTERNATIVE FOR IPCHAINS NEWBIES: Get PMFirewall, install it, run the script and answer some questions about your setup: http://www.pointman.org/PMFirewall/
--------------------------------------
PortSentry:
# wget http://www.psionic.com/tools/portsentry-1.0.tar.gz
# gunzip portsentry-1.0.tar.gz
# tar -xvf portsentry-1.0.tar
# mv portsentry-1.0 portsentry
# cd portsentry
# make
# make install
Configure PortSentry by carefully reading the portsentry.conf file and commenting/uncommenting certain lines and removing/adding certain ports. I recommend the "anal" setting. You'll get more messages as "Attack Alerts" but it's a more - anal - setting.
Turn on portsentry at bootup: add to /etc/rc.d/rc.local:
/usr/local/psionic/portsentry/portsentry -tcp
/usr/local/psionic/portsentry/portsentry -udp
To turn it on right now, just run those lines as root. You'll see portsentry firing up and binding if you look in /var/log/messages. There will be some lines where it cannot bind to certain ports, check
------------------------------------------
LogCheck:
# wget http://www.psionic.com/tools/logcheck-1.1.1.tar.gz
# gunzip logcheck-1.1.1.tar.gz
# tar -xvf logcheck-1.1.1.tar
# mv logcheck-1.1.1 logcheck
# cd logcheck
# make clean
# make linux
# pico /usr/local/etc/logcheck.sh
change the sysadmin address to whatever user you've set up to get the messages; save and exit
# pico /root/crontab
add this line:
01,16,31,45 * * * * /usr/local/etc/logcheck.sh
That fires it off every 15 minutes. Adjust to your tastes. This line runs it once a night, at 1:01am:
1 1 * * * /usr/local/etc/logcheck.sh
If you don't have a file there yet, pico will make a new one. Tell crontab to pay attention to it like so:
# crontab -u root /root/crontab
-----------------------------------------
TripWire (following instructions at http://www.linuxsecurity.com/feature_stories/feature_story-81.html)
!!!!BE SURE TO WRITE DOWN YOUR PASSPHRASES!!!!
# wget http://www.tripwire.org/files/rpm3/tripwire-2.3-47.i386.tar.gz
# tar xvzf tripwire-2.3-47.i386.tar.gz
# rpm -ivh tripwire-2.3-47.i386.rpm
# /etc/tripwire/twinstall.sh
Enter key passwords - the first one is the 'site passphrase' that you will need to enter again at the end of installation.
Write policy file (you'll need to enter the passphrase again):
# /usr/sbin/twadmin -m P /etc/tripwire/twpol.txt
Generate initial database (will need to enter *local* passphrase):
# /usr/sbin/tripwire -m i
Find out which files aren't on your system that are in the default tripwire configuration (this takes a while):
# /usr/sbin/tripwire -m c | grep Filename >> twtest.txt
My RaQ4i came up with 140 lines of files that weren't in the configuration.
Edit /etc/tripwire/twpol.txt and comment out all of the lines that are in twtest.txt. Easiest way to do this is to have two windows open, one with each file in it.
# pico /etc/tripwire/twpol.txt
If you can't find a file line, use CTRL-W to find it. This takes a *really* long time, and there are some files you may not want to comment out even if they don't exist now, like /root/.bash_history.
*****from install file***
Additionally, there are other files in the default policy that may not make sense to monitor on the local system. These include lock files (which identify that some process is in use) and pid files (which identify the process ID of some daemons). Since the files are likely to change often, if not at every system boot, they can cause Tripwire to generate false positives. To avoid such problems, comment out all of the /var/lock/subsys entries as well as the entry for /var/run.
******************
Reset the configuration file:
# /usr/sbin/twadmin -m P /etc/tripwire/twpol.txt
Generate the database again:
# /usr/sbin/tripwire -m i
Remove the text versions of the policy:
# rm /etc/tripwire/twcfg.txt /etc/tripwire/twpol.txt
****from install file***
If they need to be restored, cleartext versions of these files can be created from the encrypted versions by issuing the command (and providing the appropriate passphrases):
# /usr/sbin/twadmin -m p > /etc/tripwire/twpol.txt
****************************
Cron that baby:
# cd /usr/local/bin
# pico runtw.sh
Paste this in (change HOST to your machine's name):
***from line below***
#!/bin/sh
/usr/sbin/tripwire -m c | mail -s "Tripwire Report from HOST" root@localhost
***to line above***
# chmod 755 runtw.sh
Now either...
1. Drop this file into your nightly folder:
# cp /usr/local/bin/runtw.sh /etc/cron.daily
2. Or drop this line into /root/crontab:
1 1 * * * /usr/local/bin/runtw.sh
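The twpol.txt editing step above (commenting out every entry listed in twtest.txt, while keeping the ones you still want watched such as /root/.bash_history) can be scripted instead of done by hand in two Pico windows. This is an added example, not part of Carrie's notes; it assumes the Tripwire check output names each missing file as "Filename: /path" and that each policy entry begins with its path. The sample twtest.txt, policy lines and keep list are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from Carrie's notes: automate the "comment out every twpol.txt
# entry listed in twtest.txt" step, keeping paths you still want watched.
# Assumes the check output names each missing file as "Filename: /path" and that a
# policy entry begins with its path, e.g. "/root/.bash_history -> $(SEC_CONFIG) ;".

# comment_missing TWTEST POLICY OUT [KEEP]
#   TWTEST : the "tripwire -m c | grep Filename" capture
#   POLICY : /etc/tripwire/twpol.txt (read only; the edited copy goes to OUT)
#   KEEP   : optional list of paths to leave active even if missing right now
# Prints the number of entries it commented out.
comment_missing() {
    awk -v out="$3" -v keepf="${4:-/dev/null}" '
        BEGIN { while ((getline p < keepf) > 0) keep[p] = 1 }
        # first input: collect the missing paths, minus the keep list
        FILENAME == ARGV[1] { if (sub(/^Filename:[ \t]*/, "") && !($0 in keep)) missing[$0] = 1; next }
        # second input: prefix "#" to an active entry whose first token is a missing path
        {
            line = $0; sub(/^[ \t]+/, "", line)
            split(line, tok, /[ \t]+/)
            if (line !~ /^#/ && (tok[1] in missing)) { print "#" $0 > out; n++ }
            else print $0 > out
        }
        END { print n + 0 }
    ' "$1" "$2"
}

# Constructed sample files (not real tripwire output) so this runs stand-alone.
demo_dir=$(mktemp -d)
cat > "$demo_dir/twtest.txt" <<'EOF'
Filename: /root/.bash_history
Filename: /var/lock/subsys/sendmail
Filename: /usr/sbin/fixrmtab
EOF
cat > "$demo_dir/twpol.txt" <<'EOF'
{
  /usr/sbin/fixrmtab         -> $(SEC_CRIT) ;
  /usr/sbin/tripwire         -> $(SEC_CRIT) ;
  /var/lock/subsys/sendmail  -> $(SEC_CONFIG) ;
  /root/.bash_history        -> $(SEC_CONFIG) ;
}
EOF
printf '/root/.bash_history\n' > "$demo_dir/keep.txt"

# Runs the demo: 2 entries get commented (fixrmtab, sendmail lock); bash_history stays active.
demo_count() {
    comment_missing "$demo_dir/twtest.txt" "$demo_dir/twpol.txt" \
        "$demo_dir/twpol.new" "$demo_dir/keep.txt"
}
```

Review the written twpol.new before copying it over /etc/tripwire/twpol.txt and rerunning twadmin -m P.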
__________________
Turn off IMAP: http://www.cobaltdiscussions.com/board/viewthread.php?FID=16&TID=5
# pico /etc/inetd.conf
Disable imap (do a search for imap and comment out this line):
#imap stream tcp nowait root /usr/sbin/tcpd imapd
Restart the inet server:
# killall -HUP inetd
# pico /usr/admserv/cgi-bin/.cobalt/services/services.cgi
Change this line:
$ret=Cobalt::swatch::swatch_set_service_on("imap");
To this:
$ret=Cobalt::swatch::swatch_set_service_off("imap");
Now go into the GUI's Control Panel and just hit the 'Save Changes' button. This keeps Active Monitor from grumbling about IMAP being turned off.
______________________
Installing LCAP (keeps kernel modules from being loaded):
# wget http://owned.lab6.com/~gossi/RaQ-security/files/lcap-0.0.3-2.i386.rpm
# rpm -iv lcap-0.0.3-2.i386.rpm
Check to see that everything is okay:
# /sbin/lcap CAP_SYS_MODULE
If you get no errors, add it to the /etc/rc.d/rc.local file. Reboot the server.
***From Gossi on the security list***
Basically, that stops loadable kernel modules from being inserted into the kernel once the command is run (ie at boot). So if somebody breaks in and tries to load up something like adore, knark (or one of the other various Linux Kernel Module rootkits) they won't be able to, without forcefully removing lcap (which requires removing the line from rc.local and rebooting the RaQ, which is easily noticeable).
***************************
Note: this may set off an email mailed to you every ten minutes. Seems to be either fixed or disabled with more current RaQ4 patches.
-----------------------------------
Install Chkrootkit:
# wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
# gunzip chkrootkit.tar.gz
# tar -xvf chkrootkit.tar
# cd chkrootkit-0.31
# make clean
# make
# ./chkrootkit
If you've got Portsentry installed you'll probably get a false positive on bindshell, tcp port 31337. Also the 'z2' test will report that the last log entry may be corrupted. See www.chkrootkit.org for more info, or for more in-depth commands.
____________________
Install LionFind:
# wget http://www.ists.dartmouth.edu/IRIA/knowledge_base/tools/lionfind-0.1.9.tar.gz
# tar -xzvf lionfind-0.1.9.tar.gz
# cd lionfind-0.1.9
# ./lionfind
_____________________
Install Whois:
# wget http://bw.org/whois/dist/whois-current.tar
# tar -xvf whatever-version-you-have
Read the README and INSTALL file. It's very simple to do by hand, or just run install.sh.
Test it by typing in a domain name that you know: # whois yahoo.com