Tutoriel N° 254
Sécurité serveur OVH Kimsufi Gentoo Release 2
# Sécuriser phpMyAdmin
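# Rename the phpMyAdmin directories so they are no longer reachable under
# their stock names. The && chain stops at the first failure, so a failed cd
# no longer lets the renames run in whatever the current directory happens
# to be. This only hides the install from casual probing; it is not access
# control — the fail2ban apache-admin jail set up later in this tutorial is
# the part that actually reacts to repeated requests for admin/PMA paths.
cd /home/ovh/www &&
mv -- phpMyAdmin-2.11.5-all-languages-utf-8-only phpMyAdmin-2.11.5-all-languages-utf-8-only2 &&
mv -- phpMyAdmin-3.3.5.1-all-languages ppm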
On crée un lien symbolique
# NOTE(review): after the mv above, ppm already exists as a directory, so
# this creates the link *inside* it, at ppm/phpmy, pointing to
# /home/ovh/www/phpmy (which nothing in this tutorial creates) — it does not
# make "ppm" an alias of anything. Confirm the intended link name and target.
ln -s /home/ovh/www/phpmy ppm
# Move both phpMyAdmin trees out from under their stock names (run from
# /home/ovh/www). `--` ends option parsing, which is harmless for these
# names and keeps the commands safe if the directory names ever change.
mv -- phpMyAdmin-2.11.5-all-languages-utf-8-only phpMyAdmin-2.11.5-all-languages-utf-8-only2
mv -- phpMyAdmin-3.3.5.1-all-languages ppm
On crée un lien symbolique
# NOTE(review): ppm already exists as a directory at this point, so this
# creates the link *inside* it, at ppm/phpmy, pointing to /home/ovh/www/phpmy
# (which nothing in this tutorial creates) — it does not make "ppm" an alias
# of anything. Confirm the intended link name and target.
ln -s /home/ovh/www/phpmy ppm
# Installation chkrootkit gentoo
cd /usr/local/src
Récupérer chkrootkit.tar.gz dans la pièce jointe
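# Unpack the archive into /usr/local and build it; `sense` is chkrootkit's
# Makefile target. The two separate cd steps of the original collapsed into
# one, and && stops the sequence if any step fails.
# The archive comes from the tutorial attachment, so there is no checksum to
# verify here: compare it with the hash published by the chkrootkit project
# before building — a tampered scanner is worse than none.
tar -zxvf chkrootkit.tar.gz -C /usr/local &&
cd /usr/local/chkrootkit-0.49/ &&
make sense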
On l'exécute
# Runs the scanner from the build directory (nothing in this tutorial installs
# it elsewhere). Findings go to stdout; redirect to a file if they are to be
# kept for comparison with later runs.
./chkrootkit
Récupérer chkrootkit.tar.gz dans la pièce jointe
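# Unpack the archive into /usr/local and build it; `sense` is chkrootkit's
# Makefile target. The two separate cd steps of the original collapsed into
# one, and && stops the sequence if any step fails.
# The archive comes from the tutorial attachment, so there is no checksum to
# verify here: compare it with the hash published by the chkrootkit project
# before building — a tampered scanner is worse than none.
tar -zxvf chkrootkit.tar.gz -C /usr/local &&
cd /usr/local/chkrootkit-0.49/ &&
make sense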
On l'exécute
# Runs the scanner from the build directory (nothing in this tutorial installs
# it elsewhere). Findings go to stdout; redirect to a file if they are to be
# kept for comparison with later runs.
./chkrootkit
# Installation rkhunter gentoo
cd /usr/local/src
Récupérer rkhunter-1.3.8.tar.gz dans la pièce jointe
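# Download, verify and install rkhunter. The download URL embeds the file's
# MD5 (0c34eb2a2d0caa384f442c11fcbb0c46); it is checked before unpacking so a
# corrupted or altered tarball is never built. MD5 over plain http is not a
# signature: it proves the file is the one the URL names, nothing more, so
# compare with the checksum the rkhunter project publishes when possible.
wget http://pkgs.fedoraproject.org/repo/pkgs/rkhunter/rkhunter-1.3.8.tar.gz/0c34eb2a2d0caa384f442c11fcbb0c46/rkhunter-1.3.8.tar.gz &&
echo "0c34eb2a2d0caa384f442c11fcbb0c46  rkhunter-1.3.8.tar.gz" | md5sum -c - &&
tar -zxvf rkhunter-1.3.8.tar.gz -C /usr/local &&
cd /usr/local/rkhunter-1.3.8/ &&
./installer.sh --install
# First pass shows warnings only, second pass the full report.
rkhunter --checkall --report-warnings-only
rkhunter --checkall
# --propupd records the current file properties as the baseline for future
# checks, so run it only while the host is believed to be clean: anything
# already modified at this point would be accepted as normal from now on.
rkhunter --propupd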
Récupérer rkhunter-1.3.8.tar.gz dans la pièce jointe
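# Download, verify and install rkhunter. The download URL embeds the file's
# MD5 (0c34eb2a2d0caa384f442c11fcbb0c46); it is checked before unpacking so a
# corrupted or altered tarball is never built. MD5 over plain http is not a
# signature: it proves the file is the one the URL names, nothing more, so
# compare with the checksum the rkhunter project publishes when possible.
wget http://pkgs.fedoraproject.org/repo/pkgs/rkhunter/rkhunter-1.3.8.tar.gz/0c34eb2a2d0caa384f442c11fcbb0c46/rkhunter-1.3.8.tar.gz &&
echo "0c34eb2a2d0caa384f442c11fcbb0c46  rkhunter-1.3.8.tar.gz" | md5sum -c - &&
tar -zxvf rkhunter-1.3.8.tar.gz -C /usr/local &&
cd /usr/local/rkhunter-1.3.8/ &&
./installer.sh --install
# First pass shows warnings only, second pass the full report.
rkhunter --checkall --report-warnings-only
rkhunter --checkall
# --propupd records the current file properties as the baseline for future
# checks, so run it only while the host is believed to be clean: anything
# already modified at this point would be accepted as normal from now on.
rkhunter --propupd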
#Utiliser PHP ver 5
avant:
php ver
X-Powered-By: PHP/4.4.8_pre20070816-pl1-gentoo
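# Point the `php` command at the PHP 5 build and keep PHP 4 reachable as php4.
# -f on the php4 link so re-running this step does not fail when the link
# already exists (the php link is recreated after the rm above).
# NOTE(review): this only changes which binary the shell's `php` resolves to;
# the web server's PHP (mod_php or php-cgi) is selected elsewhere, so check a
# phpinfo() page — not just the `php ver` output — before concluding that the
# end-of-life 4.4.8 build is no longer serving requests.
rm -f /usr/local/bin/php
ln -s /usr/local/php5/bin/php /usr/local/bin/php
ln -sf /usr/local/php4/bin/php /usr/local/bin/php4
php ver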
php ver
X-Powered-By: PHP/4.4.8_pre20070816-pl1-gentoo
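# Point the `php` command at the PHP 5 build and keep PHP 4 reachable as php4.
# -f on the php4 link so re-running this step does not fail when the link
# already exists (the php link is recreated after the rm above).
# NOTE(review): this only changes which binary the shell's `php` resolves to;
# the web server's PHP (mod_php or php-cgi) is selected elsewhere, so check a
# phpinfo() page — not just the `php ver` output — before concluding that the
# end-of-life 4.4.8 build is no longer serving requests.
rm -f /usr/local/bin/php
ln -s /usr/local/php5/bin/php /usr/local/bin/php
ln -sf /usr/local/php4/bin/php /usr/local/bin/php4
php ver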
# Recevoir un mail si connection en root
nano /root/.bashrc
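# Appended to /root/.bashrc: every bash that root starts sources this and
# mails a notice. Besides interactive logins, bash may also read .bashrc for
# non-interactive shells started by sshd (scp, remote commands), so expect a
# mail for those as well.
# hostname/date/who are expanded inside double quotes (in the original the
# `hostname` sat inside single quotes and was sent as literal text).
# `who -m` limits the record to the current terminal, so a second open root
# session cannot push extra lines into the body or the Subject header.
printf '%s\n' "NOTIFICATION - Acces SSH en ROOT sur $(hostname) le: $(date) $(who -m)" \
  | mail -s "NOTIFICATION - Connexion en ROOT via SSH depuis: $(who -m | cut -d'(' -f2 | cut -d')' -f1)" votre_email@domaine.com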
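# Appended to /root/.bashrc: every bash that root starts sources this and
# mails a notice. Besides interactive logins, bash may also read .bashrc for
# non-interactive shells started by sshd (scp, remote commands), so expect a
# mail for those as well.
# hostname/date/who are expanded inside double quotes (in the original the
# `hostname` sat inside single quotes and was sent as literal text).
# `who -m` limits the record to the current terminal, so a second open root
# session cannot push extra lines into the body or the Subject header.
printf '%s\n' "NOTIFICATION - Acces SSH en ROOT sur $(hostname) le: $(date) $(who -m)" \
  | mail -s "NOTIFICATION - Connexion en ROOT via SSH depuis: $(who -m | cut -d'(' -f2 | cut -d')' -f1)" votre_email@domaine.com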
# Installation firewall
Activer log proftpd
nano /etc/proftpd/proftpd.conf
Ajouter à la fin
TransferLog /home/log/xferlog
SystemLog /home/log/proftpd.log
/etc/init.d/proftpd restart
Ajouter à la fin
TransferLog /home/log/xferlog
SystemLog /home/log/proftpd.log
/etc/init.d/proftpd restart
# Installation firewall
nano /etc/init.d/firewall
Remplacer xx.xx.xx.xx par votre adresse ip locale (celle de free par exemple)
Elle sera la seule à pouvoir se connecter en ftp
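#!/bin/sh
# chkconfig: 3 21 91
# description: Firewall
#
# Stateful INPUT filter for the public interface eth0.
# Usage: /etc/init.d/firewall {start|stop}
#   start  flushes INPUT, re-adds the accept rules below, then rejects
#          everything else arriving on eth0
#   stop   flushes INPUT only; the chain policy is never changed by this
#          script, so the host is open after stop
# Replace xx.xx.xx.xx with the one address allowed to reach ftp and ssh.
IPT=/sbin/iptables

# Append an ACCEPT rule to INPUT; the arguments are the iptables match.
allow() {
  "$IPT" -A INPUT "$@" -j ACCEPT
}

case "$1" in
start)
  "$IPT" -F INPUT
  # Replies to connections this host opened.
  allow -i eth0 -m state --state ESTABLISHED,RELATED
  # Services open to any address.
  # NOTE(review): 3306 (MySQL) and 10000 (webmin) are reachable from
  # anywhere with these rules; restrict them with --source like ssh/ftp
  # below unless remote access to them is really required.
  allow -i eth0 -p tcp --dport 25
  allow -i eth0 -p tcp --dport 53
  allow -i eth0 -p udp --dport 53
  allow -i eth0 -p tcp --dport 80
  allow -i eth0 -p tcp --dport 110
  allow -i eth0 -p tcp --dport 443
  allow -i eth0 -p tcp --dport 3306
  allow -i eth0 -p tcp --dport 10000
  # ftp and ssh only from the administrator's address and OVH hosts.
  # Hostname sources (cache.ovh.net, proxy*.ovh.net, ping.ovh.net) are
  # resolved once, when the rule is inserted: if DNS is unavailable at that
  # moment iptables reports an error and that rule is missing, while the
  # rest of the script (including the final REJECT) still runs.
  allow -i eth0 -p tcp --dport 21 --source xx.xx.xx.xx
  allow -i eth0 -p tcp --dport 22 --source cache.ovh.net
  allow -i eth0 -p tcp --dport 22 --source xx.xx.xx.xx
  allow -p icmp --source proxy.ovh.net
  allow -p icmp --source proxy.p19.ovh.net
  allow -i eth0 -p tcp --dport 22 --source 213.186.33.13
  allow -p icmp --source proxy.rbx.ovh.net
  allow -p icmp --source proxy.rbx2.ovh.net
  allow -p icmp --source ping.ovh.net
  allow -i eth0 -p icmp --source xx.xx.xx.250
  allow -i eth0 -p icmp --source xx.xx.xx.251
  allow -i eth0 -p icmp --source 213.186.33.250
  allow -i eth0 -p icmp --source 213.186.33.251
  # NOTE(review): 192.168.0.0/16 is private address space; on a public
  # interface a packet carrying such a source is either spoofed or comes
  # from the provider's local segment, and these two rules accept all of its
  # tcp and udp. Remove them unless an OVH service is known to need them.
  allow -i eth0 -p tcp --source 192.168.0.0/16
  allow -i eth0 -p udp --source 192.168.0.0/16
  allow -i eth0 -p tcp --dport 79
  # Everything else on eth0. Other interfaces (lo included) are not
  # filtered, and the INPUT policy is left at its current value.
  "$IPT" -A INPUT -i eth0 -j REJECT
  exit 0
  ;;
stop)
  "$IPT" -F INPUT
  exit 0
  ;;
*)
  echo "Usage: /etc/init.d/firewall {start|stop}" >&2
  exit 1
  ;;
esac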
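# chkconfig: 3 21 91
# description: Firewall
#
# Stateful INPUT filter for the public interface eth0.
# Usage: /etc/init.d/firewall {start|stop}
#   start  flushes INPUT, re-adds the accept rules below, then rejects
#          everything else arriving on eth0
#   stop   flushes INPUT only; the chain policy is never changed by this
#          script, so the host is open after stop
# Replace xx.xx.xx.xx with the one address allowed to reach ftp and ssh.
IPT=/sbin/iptables

# Append an ACCEPT rule to INPUT; the arguments are the iptables match.
allow() {
  "$IPT" -A INPUT "$@" -j ACCEPT
}

case "$1" in
start)
  "$IPT" -F INPUT
  # Replies to connections this host opened.
  allow -i eth0 -m state --state ESTABLISHED,RELATED
  # Services open to any address.
  # NOTE(review): 3306 (MySQL) and 10000 (webmin) are reachable from
  # anywhere with these rules; restrict them with --source like ssh/ftp
  # below unless remote access to them is really required.
  allow -i eth0 -p tcp --dport 25
  allow -i eth0 -p tcp --dport 53
  allow -i eth0 -p udp --dport 53
  allow -i eth0 -p tcp --dport 80
  allow -i eth0 -p tcp --dport 110
  allow -i eth0 -p tcp --dport 443
  allow -i eth0 -p tcp --dport 3306
  allow -i eth0 -p tcp --dport 10000
  # ftp and ssh only from the administrator's address and OVH hosts.
  # Hostname sources (cache.ovh.net, proxy*.ovh.net, ping.ovh.net) are
  # resolved once, when the rule is inserted: if DNS is unavailable at that
  # moment iptables reports an error and that rule is missing, while the
  # rest of the script (including the final REJECT) still runs.
  allow -i eth0 -p tcp --dport 21 --source xx.xx.xx.xx
  allow -i eth0 -p tcp --dport 22 --source cache.ovh.net
  allow -i eth0 -p tcp --dport 22 --source xx.xx.xx.xx
  allow -p icmp --source proxy.ovh.net
  allow -p icmp --source proxy.p19.ovh.net
  allow -i eth0 -p tcp --dport 22 --source 213.186.33.13
  allow -p icmp --source proxy.rbx.ovh.net
  allow -p icmp --source proxy.rbx2.ovh.net
  allow -p icmp --source ping.ovh.net
  allow -i eth0 -p icmp --source xx.xx.xx.250
  allow -i eth0 -p icmp --source xx.xx.xx.251
  allow -i eth0 -p icmp --source 213.186.33.250
  allow -i eth0 -p icmp --source 213.186.33.251
  # NOTE(review): 192.168.0.0/16 is private address space; on a public
  # interface a packet carrying such a source is either spoofed or comes
  # from the provider's local segment, and these two rules accept all of its
  # tcp and udp. Remove them unless an OVH service is known to need them.
  allow -i eth0 -p tcp --source 192.168.0.0/16
  allow -i eth0 -p udp --source 192.168.0.0/16
  allow -i eth0 -p tcp --dport 79
  # Everything else on eth0. Other interfaces (lo included) are not
  # filtered, and the INPUT policy is left at its current value.
  "$IPT" -A INPUT -i eth0 -j REJECT
  exit 0
  ;;
stop)
  "$IPT" -F INPUT
  exit 0
  ;;
*)
  echo "Usage: /etc/init.d/firewall {start|stop}" >&2
  exit 1
  ;;
esac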
Créer script pour initialiser iptables
cd /etc/init.d
nano /etc/init.d/iptables_flush.sh
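#!/bin/sh
# Delete every rule and user-defined chain in the filter, nat and mangle
# tables and reset the filter policies to ACCEPT. Once this has run the host
# accepts everything, so it is meant to be followed immediately by
# `/etc/init.d/firewall start`; do not run it on its own on a public server.
# Same absolute iptables path as the firewall script, so both scripts run the
# same binary regardless of PATH.
IPT=/sbin/iptables

echo "Flushing iptables rules..."
# One-second pause kept from the original script; it has no functional role.
sleep 1
for table in filter nat mangle; do
  "$IPT" -t "$table" -F   # all rules
  "$IPT" -t "$table" -X   # all user-defined chains
done
# Open default policies; the firewall script re-adds the REJECT afterwards.
for chain in INPUT FORWARD OUTPUT; do
  "$IPT" -P "$chain" ACCEPT
done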
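# Delete every rule and user-defined chain in the filter, nat and mangle
# tables and reset the filter policies to ACCEPT. Once this has run the host
# accepts everything, so it is meant to be followed immediately by
# `/etc/init.d/firewall start`; do not run it on its own on a public server.
# Same absolute iptables path as the firewall script, so both scripts run the
# same binary regardless of PATH.
IPT=/sbin/iptables

echo "Flushing iptables rules..."
# One-second pause kept from the original script; it has no functional role.
sleep 1
for table in filter nat mangle; do
  "$IPT" -t "$table" -F   # all rules
  "$IPT" -t "$table" -X   # all user-defined chains
done
# Open default policies; the firewall script re-adds the REJECT afterwards.
for chain in INPUT FORWARD OUTPUT; do
  "$IPT" -P "$chain" ACCEPT
done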
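# Executable and readable by everyone, writable only by the owner (root).
# 777 would let any local account rewrite two scripts that run as root at
# boot, which is a straightforward path to root for whoever gets a shell.
chmod 755 iptables_flush.sh &&
chmod 755 firewall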
http://guides.ovh.com/FireWall
# Configuration fail2ban
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.local   # backup of the shipped file
# NOTE(review): fail2ban reads local overrides from jail.local, not from
# jail.conf.local; the copy above is only a backup, and the edits below go
# straight into jail.conf, which a package upgrade may overwrite — confirm
# this is intended.
nano /etc/fail2ban/jail.conf
- On passe à true les modules nécessaires et on ajoute les manquants
- On change les chemins des logs
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 617 $
#
# The DEFAULT allows a global definition of the options. They can be override
# in each jail afterwards.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1 xx.xx.xx.xx
# "bantime" is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
# "maxretry" is the number of failures before a host get banned.
maxretry = 3
[ssh-iptables]
enabled = true
...
logpath = /var/log/auth.log
[proftpd-iptables]
enabled = true
...
logpath = /var/log/proftpd.log
# This jail forces the backend to "polling".
[ssh-tcpwrapper]
enabled = true
...
logpath = /var/log/auth.log
# This jail demonstrates the use of wildcards in "logpath".
# Moreover, it is possible to give other files on a new line.
[apache-tcpwrapper]
enabled = true
...
logpath = /var/log/httpd/error_log
[apache-badbots]
enabled = true
...
logpath = /var/log/httpd/access_log
[apache-badbots]
enabled = true
action = iptables-multiport[name=BadBots, port="http,https"]
sendmail-buffered[name=BadBots, lines=5, dest=votre_email]
logpath = /var/log/httpd/access_log
maxretry = 1
[apache-w00tw00t]
enabled = true
filter = apache-w00tw00t
action = iptables[name=Apache-w00tw00t,port=80,protocol=tcp]
logpath = /var/log/httpd/access_log
maxretry = 1
# Jail pour les attaques dictionnaire qui visent phpmyadmin
[apache-admin]
enabled = true
port = http
filter = apache-admin
action = iptables[name=HTTP-Admin, port=http, protocol=tcp]
sendmail-whois[name=HTTP-Admin, dest=votre_email, sender=votre_email]
logpath = /var/log/httpd/error_log
maxretry = 6
bantime = 600
#
# Author: Cyril Jaquier
#
# $Revision: 617 $
#
# The DEFAULT allows a global definition of the options. They can be override
# in each jail afterwards.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1 xx.xx.xx.xx
# "bantime" is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
# "maxretry" is the number of failures before a host get banned.
maxretry = 3
[ssh-iptables]
enabled = true
...
logpath = /var/log/auth.log
[proftpd-iptables]
enabled = true
...
logpath = /var/log/proftpd.log
# This jail forces the backend to "polling".
[ssh-tcpwrapper]
enabled = true
...
logpath = /var/log/auth.log
# This jail demonstrates the use of wildcards in "logpath".
# Moreover, it is possible to give other files on a new line.
[apache-tcpwrapper]
enabled = true
...
logpath = /var/log/httpd/error_log
[apache-badbots]
enabled = true
...
logpath = /var/log/httpd/access_log
[apache-badbots]
enabled = true
action = iptables-multiport[name=BadBots, port="http,https"]
sendmail-buffered[name=BadBots, lines=5, dest=votre_email]
logpath = /var/log/httpd/access_log
maxretry = 1
[apache-w00tw00t]
enabled = true
filter = apache-w00tw00t
action = iptables[name=Apache-w00tw00t,port=80,protocol=tcp]
logpath = /var/log/httpd/access_log
maxretry = 1
# Jail pour les attaques dictionnaire qui visent phpmyadmin
[apache-admin]
enabled = true
port = http
filter = apache-admin
action = iptables[name=HTTP-Admin, port=http, protocol=tcp]
sendmail-whois[name=HTTP-Admin, dest=votre_email, sender=votre_email]
logpath = /var/log/httpd/error_log
maxretry = 6
bantime = 600
On ajoute les filtres manquants de fail2ban
cd /etc/fail2ban/filter.d/
nano apache-admin.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 471 $
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failure messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching.
# Values: TEXT
# [client x.x.x.x] File does not exist: /home/www/admin/admin,
failregex = [[]client <HOST>[]] File does not exist: .*admin|PMA|mysql|loginrc
#
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
#
# Author: Cyril Jaquier
#
# $Revision: 471 $
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failure messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching.
# Values: TEXT
# [client x.x.x.x] File does not exist: /home/www/admin/admin,
failregex = [[]client <HOST>[]] File does not exist: .*admin|PMA|mysql|loginrc
#
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
-----------
nano apache-w00tw00t.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 471 $
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failure messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching.
# Values: TEXT
# [client x.x.x.x] File does not exist: /home/www/admin/admin,
failregex = [[]client <HOST>[]] File does not exist: .*admin|PMA|mysql
#
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
root@ks367082:/etc/fail2ban/filter.d# cat apache-w00tw00t.conf
[Definition]
failregex = ^<HOST> -.*"GET /w00tw00t.at.ISC.SANS.DFind:).*".*
ignoreregex =
#
# Author: Cyril Jaquier
#
# $Revision: 471 $
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failure messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching.
# Values: TEXT
# [client x.x.x.x] File does not exist: /home/www/admin/admin,
failregex = [[]client <HOST>[]] File does not exist: .*admin|PMA|mysql
#
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
root@ks367082:/etc/fail2ban/filter.d# cat apache-w00tw00t.conf
[Definition]
failregex = ^<HOST> -.*"GET /w00tw00t.at.ISC.SANS.DFind:).*".*
ignoreregex =
-----------
nano php-url-fopen.conf
# Fail2Ban configuration file
#
# Author: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
# Version 2
# fixes the failregex so REFERERS that contain =http:// don't get blocked
# (mentioned by "fasuto" (no real email provided... blog comment) in this entry:
# http://blogs.buanzo.com.ar/2009/04/fail2ban-filter-for-php-injection-attacks.html#comment-1489
#
[Definition]
# Option: failregex
# Notes.: regex to match this kind of request:
#
# 66.185.212.172 - - [26/Mar/2009:08:44:20 -0500] "GET /index.php?n=http://eatmyfood.hostinginfive.com/pizza$
#
failregex = ^<HOST> -.*"(GET|POST).*?.*=http://.* HTTP/.*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
#
# Author: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
# Version 2
# fixes the failregex so REFERERS that contain =http:// don't get blocked
# (mentioned by "fasuto" (no real email provided... blog comment) in this entry:
# http://blogs.buanzo.com.ar/2009/04/fail2ban-filter-for-php-injection-attacks.html#comment-1489
#
[Definition]
# Option: failregex
# Notes.: regex to match this kind of request:
#
# 66.185.212.172 - - [26/Mar/2009:08:44:20 -0500] "GET /index.php?n=http://eatmyfood.hostinginfive.com/pizza$
#
failregex = ^<HOST> -.*"(GET|POST).*?.*=http://.* HTTP/.*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
-----------
# Truncate the access log in place (`:` with a redirection empties the file
# without recreating it). This discards the history the file held, so copy
# it aside first if it may be needed for an investigation.
# NOTE(review): presumably this is the Apache log the fail2ban jails read,
# but jail.conf points at /var/log/httpd/access_log — confirm that
# /var/log/access_log is the same file.
cd /var/log
: > access_log
On execute à chaque démarrage de ssh (même commande pour redemarrer)
# Order matters: take the firewall down, stop fail2ban (the flush that
# follows deletes its chains anyway), wipe every table with policy ACCEPT,
# then rebuild the firewall and restart fail2ban on top of it.
/etc/init.d/firewall stop
fail2ban-client stop
# NOTE(review): between this flush and `firewall start` the host accepts all
# traffic; keep the two commands adjacent (or in one script) so the window
# stays as short as possible.
sh /etc/init.d/iptables_flush.sh
/etc/init.d/firewall start
# -x removes a stale server socket before starting, so a start after an
# unclean stop does not fail.
fail2ban-client -x start
fail2ban-client status
# Stop fail2ban (the flush that follows deletes its chains anyway), wipe
# every table with policy ACCEPT, then rebuild the firewall and restart
# fail2ban on top of it.
fail2ban-client stop
# NOTE(review): between this flush and `firewall start` the host accepts all
# traffic; keep the two commands adjacent (or in one script) so the window
# stays as short as possible.
sh /etc/init.d/iptables_flush.sh
/etc/init.d/firewall start
# -x removes a stale server socket before starting, so a start after an
# unclean stop does not fail.
fail2ban-client -x start
fail2ban-client status