LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 05-30-2001, 06:28 PM   #1
mkgyl
LQ Newbie
I wish to make a secure Linux box which allows only HTTP and FTP services. What can I do to make my system isolated from the outside world except for these two services?

I'm thinking of closing down all the ports EXCEPT the HTTP and FTP ports (21 and 80). Does it help to improve the security? What else should I do to improve the security? I'm doing this as a project, please provide your help if you have any idea to improve it. Every single contribution is greatly appreciated.

Thanks!
 
Old 05-30-2001, 08:48 PM   #2
unSpawn
Moderator
Yes. Access restrictions will make it more secure.

You'll need to:
- Edit startup behaviour to stop all daemons you don't need to run, or better, if you don't need them, remove them.
- Edit /etc/inetd.conf and prepend a hash (#) to all the services that are not needed (all except ftp, http); if you find you need a service, just uncomment it.
- Look for services that are not started from inetd, or are not wrapped through tcpd (tcpwrappers).
- Edit the tcpwrapper config files: set /etc/hosts.deny to default deny from all, and add services and allowed hosts to hosts.allow.
- Install iptables (kernel 2.4.x) or ipchains (2.2.x) and configure it to deny all traffic except for 21 and 80.

Next to this you'll also want to check your ftp and http daemons' compile options, config, patchlevel and/or version for vulnerabilities (including .cgi files, SSIs etc).
If your ftpd hasn't got a built-in chroot, consider running it chrooted.
Consider running a more restricted and separate dev server off another port if you're trying/developing experimental stuff.
Don't place symlinks into the system in public space, restrict uploads to one upload directory and set the immutable bit on everything a user can wink at.

Ok. Check. We've covered
- disabling unneeded services (inetd)
- restricting access to used services (inetd, wrappers)
- restricting access to host & services (tables/chains)

Now look for the Linux Administrators Security Guide (LASG) somewhere over at linuxdoc.org, go to the SANS Top Ten and keep up on security bulletins from your ftpd & httpd makers.

There are lots of tools to make a start with checking your system's security and doing some intrusion detection; I'll just throw in a few terms you can look up for yourself: portsentry, snort, aide, tripwire, cops, ippl, logcheck, secfocus.com, cert.org. There's also local security like users, restrictions, PAM and undeletable/immutable/sgid/suid bits.

If you're interested, just ask, and we'll set up a thread on that later on.

 
Old 05-30-2001, 10:15 PM   #3
doodah
Member
Shouldn't you also comment out unwanted ports in /etc/services...
 
Old 05-31-2001, 04:55 AM   #4
raz
Member
You'll also want to improve the IPv4 stack to stop spoofing and DoS attacks etc etc etc.

All the files in /proc/sys/net/ipv4 set up your default IP options on packets and other TCP handlers.
Put these in your /etc/rc.d/rc.local file:

# stops SYN flood attacks
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# stops fragment port-rewriting attacks: reassemble fragments before the firewall sees them
echo 1 > /proc/sys/net/ipv4/ip_always_defrag
# ignores smurf (ICMP broadcast) attacks
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# the RFCs forbid sending ICMP error replies to a broadcast frame, so ignore such bogus responses
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# drops packets whose source address is not routable back through the interface they arrived on (reverse path filtering)
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# stops ICMP redirects from modifying the routing table; the network should be set up correctly in the first place
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# same as above: stops your system sending redirects to other hosts' routing tables
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
# stops anyone doing an OS fingerprint scan on your IP stack: 64 will show as Linux, 61 will screw them up
# (the knob lives directly under /proc/sys/net/ipv4, not under conf/all)
echo 61 > /proc/sys/net/ipv4/ip_default_ttl

These are just some extra examples of how you need to improve the Linux OS security.

/Raz
 
Old 05-31-2001, 08:44 AM   #5
unSpawn
Moderator
Good one Razbot, I always forget to mention these..

Doodah, /etc/services is essentially a lookup table; it doesn't have any effect on running/starting/stopping scripts.
If you want to show only "normal" ports, use /etc/services; if you want to show almost "all" ports, use the services file from nmap...
 
Old 05-31-2001, 12:40 PM   #6
mongrel
LQ Newbie
I could be mistaken but FTP needs two ports, 20 and 21. If you are going to have a GUI, then X needs port 6xxx open, usually 6000.
 
Old 05-31-2001, 12:56 PM   #7
unSpawn
Moderator
TCP/20 is the ftp data port; it'll be taken care of through iptables/ipchains, it doesn't initiate the connection to ftpd.

Access to the X Window TCP/600x ports can be shut out by starting X like "startx -- -nolisten tcp". It can also be taken care of through iptables/ipchains.
 
Old 05-31-2001, 06:21 PM   #8
mkgyl
LQ Newbie
Thanks unSpawn, razbot, doodah, mongrel, you guys are really helpful.

I'm new to Linux, so I'm not really familiar with all the stuff that all of you mentioned above, but I'll try it out one by one later, thanks again!

By the way, what are the patches that I should apply for the system and for the Apache server? Especially the Apache server, there are really a damn lot of modules, I'm getting confused already.

Please keep on posting anything that you have in mind. With the help I'm getting here, I should be confident with my project, he he...
 
Old 06-12-2001, 07:31 PM   #9
domascus
LQ Newbie
Why not just use SSH for your FTP? It is on port 22 also...
 
Old 07-06-2001, 12:28 AM   #10
aimstr8
Member
If I could add:

Why not just disable what you don't want in /etc/inetd.conf?

Here's a snippet of the format it's in:

#:STANDARD: These are standard services.
ftp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.ftpd
#telnet stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.telnetd
ssh stream tcp nowait root /usr/sbin/tcpd /usr/local/sbin/sshd1 -i


You should always close down unnecessary services. A good way to find out what's going on is to run the command netstat -vat. The output will look something like the following:

root$ netstat -vat
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 dsl081-050-241.dsl-:ftp grce.speakeasy.or:3045 ESTABLISHED
tcp 0 0 dsl081-050-241.d:telnet dsl081-00-04-sfo:4169 ESTABLISHED
tcp 0 0 *:1004 *:* LISTEN
tcp 0 0 dsl081-050-241.dsl:1624 cs6.ms.yahoo.com:5050 ESTABLISHED
tcp 0 0 dsl081-050-241.d:telnet dsl81-050-1-sfo:2103 ESTABLISHED
tcp 0 0 *:6000 *:* LISTEN
tcp 0 138 dsl081-050-241.d:telnet dsl081-00-1-sfo:1697 ESTABLISHED
tcp 0 0 dsl081-050-241.d:telnet dsl081-00-14-sfo:1026 ESTABLISHED
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 *:smtp *:* LISTEN
tcp 0 0 *:www *:* LISTEN
tcp 0 0 *:linuxconf *:* LISTEN
tcp 0 0 *:amidxtape *:* LISTEN
tcp 0 0 *:amandaidx *:* LISTEN
tcp 0 0 *:ftp *:* LISTEN
 
Old 07-06-2001, 04:18 AM   #11
raz
Member
Quote:
Originally posted by aimstr8
If I could add:

Why not just disable what u don't want in /etc/inetd.conf ?

This is fine for Redhat 6.x but won't work on 7.x

7.x uses a modular approach with the /etc/xinetd.conf starting up the scripts in /etc/xinetd.d/

/Raz
 
Old 10-21-2001, 11:48 PM   #12
JustinHoMi
Member
Quote:
Originally posted by raz
You'll also want to improve the IPv4 stack to stop spoofing and DoS attacks etc etc etc.

All the files in /proc/sys/net/ipv4 set up your default IP options on packets and other TCP handlers.
Put these in your /etc/rc.d/rc.local file:

# stops SYN flood attacks
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# stops fragment port-rewriting attacks: reassemble fragments before the firewall sees them
echo 1 > /proc/sys/net/ipv4/ip_always_defrag
# ignores smurf (ICMP broadcast) attacks
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# the RFCs forbid sending ICMP error replies to a broadcast frame, so ignore such bogus responses
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# drops packets whose source address is not routable back through the interface they arrived on (reverse path filtering)
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# stops ICMP redirects from modifying the routing table; the network should be set up correctly in the first place
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# same as above: stops your system sending redirects to other hosts' routing tables
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
# stops anyone doing an OS fingerprint scan on your IP stack: 64 will show as Linux, 61 will screw them up
# (the knob lives directly under /proc/sys/net/ipv4, not under conf/all)
echo 61 > /proc/sys/net/ipv4/ip_default_ttl

These are just some extra examples of how you need to improve the Linux OS security.

/Raz
For all of these... do you still want to set the bit to 1 even if the file (such as icmp_ignore_bogus_error_responses) doesn't exist? I'm running Redhat 7.1.

Thx.
 
Old 10-22-2001, 02:58 AM   #13
unSpawn
Moderator
If it doesn't exist in /proc/sys/net/ipv4 (and the path is correctly entered), no. Proc is the virtual representation of stuff running in the kernel, so if it ain't there, it ain't used in the kernel. If you're switching between kernels where it is/isn't available, and you want some extra signalling, you could add it like this to your scripts:

if [ ! -f /proc/sys/net/ipv4/conf/all/send_redirects ]; then
    echo "/proc/sys/net/ipv4/conf/all/send_redirects ain't there"
else
    echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
fi

or silence it like

if [ -f /proc/sys/net/ipv4/conf/all/send_redirects ]; then
    echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
fi
 
Old 10-22-2001, 04:45 AM   #14
raz
Member
JustinHoMi,

Yeah it doesn't matter if you add them as the kernel won't use them.

For RH 7.1, change these lines to:

sysctl -w net.ipv4.tcp_max_syn_backlog=256
sysctl -w net.ipv4.tcp_syn_retries=5
sysctl -w net.ipv4.route.mtu_expires=512
sysctl -w net.ipv4.tcp_keepalive_time=7600
sysctl -w net.ipv4.icmp_echoreply_rate=10
sysctl -w net.ipv4.tcp_fin_timeout=360
sysctl -w net.ipv4.tcp_rfc1337=1
echo 0 > /proc/sys/net/ipv4/ip_no_pmtu_disc
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 61 > /proc/sys/net/ipv4/ip_default_ttl
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects


/raz
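Added example, not from raz's or unSpawn's posts: a POSIX shell script that applies the /proc/sys/net/ipv4 settings from the posts above only where the running kernel exposes the file (the existence check from post #13), and reads each value back to confirm the write took. SYSCTL_ROOT is an assumed variable so the functions can be pointed at a scratch directory instead of /proc/sys.

```shell
# Added example (not the thread's own script). SYSCTL_ROOT defaults to the
# real /proc/sys; override it to exercise the functions against a test tree.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# set_knob <dotted.key> <value>
# Returns 0 when the value is set and verified, 1 when the knob is absent
# (this kernel does not have it), 2 when the write did not take.
set_knob() {
    key=$1; value=$2
    path="$SYSCTL_ROOT/$(printf '%s' "$key" | tr . /)"
    if [ ! -f "$path" ]; then
        echo "skip: $key not present in this kernel"
        return 1
    fi
    echo "$value" > "$path" 2>/dev/null || true
    if [ "$(cat "$path")" != "$value" ]; then
        echo "fail: $key still $(cat "$path"), wanted $value"
        return 2
    fi
    echo "ok:   $key = $value"
    return 0
}

# harden_ipv4: the anti-spoofing and anti-flood settings from the thread.
# Returns the number of knobs that could not be applied (absent or failed).
harden_ipv4() {
    failed=0
    while read -r key value; do
        [ -z "$key" ] && continue
        set_knob "$key" "$value" || failed=$((failed + 1))
    done <<EOF
net.ipv4.tcp_syncookies 1
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.icmp_ignore_bogus_error_responses 1
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.tcp_rfc1337 1
EOF
    return $failed
}
```

Run harden_ipv4 from rc.local as root; its exit status tells you how many settings the kernel silently lacks, which is the signalling unSpawn suggests.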
 
Old 10-27-2001, 11:42 PM   #15
johnlee
Member
Allowing Ftp and Web

You can use this script for allowing only FTP and Web.

Let's suppose your machine's IP address is 200.200.200.1

#Accept Web Traffic
/sbin/ipchains -A input -p tcp -s 0/0 -d 200.200.200.1 80 -j ACCEPT
#Accept Ftp Traffic
/sbin/ipchains -A input -p tcp -s 0/0 -d 200.200.200.1 21 -j ACCEPT
#Now deny other Traffic
/sbin/ipchains -A input -s 0/0 -d 200.200.200.1 -j DENY

I think this will help


Regards,

John Lee
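An added example that is not part of John Lee's post: a fuller ipchains input policy for the same box. A plain accept-21, accept-80, deny-everything chain also drops loopback traffic, the replies to connections the server itself opens, and the active-mode FTP data connection from port 20 that unSpawn mentions, because ipchains keeps no connection state. The DRY_RUN variable, the ipc wrapper and the install_input_policy function name are assumptions made for this example.

```shell
# Added example (not the thread's own script): ipchains input policy for a box
# that should accept new connections only on TCP/21 and TCP/80.
# DRY_RUN=1 prints the rules instead of running them; IPCHAINS is the binary.
IPCHAINS="${IPCHAINS:-/sbin/ipchains}"

ipc() {
    if [ -n "$DRY_RUN" ]; then echo "ipchains $*"; else "$IPCHAINS" "$@"; fi
}

# install_input_policy <server-ip>: returns 1 when the address is missing
install_input_policy() {
    ip=$1
    [ -n "$ip" ] || { echo "usage: install_input_policy <server-ip>" >&2; return 1; }
    ipc -F input
    ipc -P input DENY                          # default: drop whatever is not listed
    ipc -A input -i lo -j ACCEPT               # loopback, so local clients keep working
    ipc -A input -s 127.0.0.0/8 -j DENY -l     # 127/8 on any other interface is spoofed: log and drop
    # New connections (SYN set, ACK clear) only to the two public services
    ipc -A input -p tcp -y -s 0/0 -d "$ip" 80 -j ACCEPT
    ipc -A input -p tcp -y -s 0/0 -d "$ip" 21 -j ACCEPT
    # ipchains has no state table, so let in non-SYN TCP: the replies to
    # connections the server opened, including active-mode FTP data from port 20
    ipc -A input -p tcp ! -y -d "$ip" -j ACCEPT
    # UDP answers from the resolvers in /etc/resolv.conf, so name lookups still work
    for ns in $(awk '/^nameserver/ {print $2}' /etc/resolv.conf 2>/dev/null); do
        ipc -A input -p udp -s "$ns" 53 -d "$ip" -j ACCEPT
    done
    # Passive-mode FTP arrives as new SYNs to high ports; either pin ftpd to a
    # passive port range and accept that range here, or serve active mode only.
    # Everything else (X on 6000, new SYNs to any other port) is logged and dropped.
    ipc -A input -s 0/0 -d "$ip" -j DENY -l
}
```

The final logged DENY is redundant with the chain policy but makes the dropped packets visible in syslog, which is where tools like logcheck from unSpawn's list pick them up.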
 