Securing an OVH Kimsufi Gentoo Release 2 server
Written by: Shareannonce
Created: 16-04-2012
Category: informatique > gestion > ovh
Tutorial No. 254


# Securing phpMyAdmin

cd /home/ovh/www
mv phpMyAdmin-2.11.5-all-languages-utf-8-only phpMyAdmin-2.11.5-all-languages-utf-8-only2
mv phpMyAdmin-3.3.5.1-all-languages ppm

Create a symbolic link:
ln -s /home/ovh/www/phpmy ppm

Two things to check. First, ln -s takes the target first and the link name second; since ppm already exists as a directory at this point, the command as written creates the link inside it, as ppm/phpmy. Run ls -l afterwards to see what you actually got. Second, renaming the directory only hides phpMyAdmin from scanners that probe the well-known paths. The old 2.11.5 copy, renamed with a "2" suffix, is still reachable from the web and should be deleted rather than kept around, and the remaining install should be protected by an IP restriction or HTTP authentication on top of the obscure name.



# Installing chkrootkit on Gentoo

cd /usr/local/src

Get chkrootkit.tar.gz from the attachment. An archive downloaded from a third-party tutorial site is itself an unverified step: prefer the current release from chkrootkit.org and check its published checksum.

tar -zxvf chkrootkit.tar.gz -C /usr/local
cd /usr/local/chkrootkit-0.49/
make sense

Run it:
./chkrootkit



# Installing rkhunter on Gentoo

cd /usr/local/src

Get rkhunter-1.3.8.tar.gz from the attachment, or download it:

wget http://pkgs.fedoraproject.org/repo/pkgs/rkhunter/rkhunter-1.3.8.tar.gz/0c34eb2a2d0caa384f442c11fcbb0c46/rkhunter-1.3.8.tar.gz

The hex string in that URL is the tarball's MD5 as stored by Fedora's lookaside cache; compare it with the md5sum of what you downloaded before unpacking.

tar -zxvf rkhunter-1.3.8.tar.gz -C /usr/local
cd /usr/local/rkhunter-1.3.8/
./installer.sh --install
rkhunter --checkall --report-warnings-only
rkhunter --checkall
rkhunter --propupd

--propupd records the current hashes and properties of the system binaries as the baseline for later checks. Run it only on a system you trust to be clean (right after installation, and again after each package update that changes those files); running it on a compromised host would whitelist the attacker's binaries. Both chkrootkit and rkhunter only help if they run regularly (from cron) and someone reads the report.



# Use PHP 5

Before:
php -v

The web server reports the old version too:

X-Powered-By: PHP/4.4.8_pre20070816-pl1-gentoo

rm -f /usr/local/bin/php
ln -s /usr/local/php5/bin/php /usr/local/bin/php
ln -s /usr/local/php4/bin/php /usr/local/bin/php4
php -v

This only changes the php binary found on the PATH. The X-Powered-By header comes from the PHP the web server runs, which the symlink does not touch: check the header again after the change and reconfigure the web server if it still answers with PHP 4. PHP 4 has been unsupported since 2008, so the goal is to stop running it everywhere, not just in the shell.



# Get an e-mail on every root login

nano /root/.bashrc

Add at the end (replace votre_email@domaine.com with your address):

echo 'NOTIFICATION - root SSH access on `hostname` at:' `date` `who` | mail -s "NOTIFICATION - root SSH login from: `who | cut -d"(" -f2 | cut -d")" -f1`" votre_email@domaine.com

Two limits to keep in mind: `who` lists every open session, so the subject carries one address per logged-in user rather than only the one that just connected, and /root/.bashrc is read only by interactive bash shells (a `ssh root@host some-command` run does not trigger it). An attacker who already has root can simply delete the line, so treat this as a notification, not a control.
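As an added example (not code from the tutorial), the following shell functions build the same notification from the session's own SSH_CONNECTION variable, which sshd sets to "client_ip client_port server_ip server_port" for the current session only, so the subject names the address that actually just logged in. The NOTIFY_TO address is a placeholder, and the interactive-shell and SSH_CONNECTION guards are this example's own additions; source the file from /root/.bashrc and call notify_root_login at the end.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: root-login notification
# built from SSH_CONNECTION instead of `who`. Assumes a working `mail` command.

NOTIFY_TO="votre_email@domaine.com"   # placeholder address (assumption)

# Print the client IP from an SSH_CONNECTION string
# ("client_ip client_port server_ip server_port"), or "unknown" if empty.
ssh_client_ip() {
    set -- $1
    printf '%s\n' "${1:-unknown}"
}

# Build the one-line notification body.
# $1: SSH_CONNECTION value, $2: host name, $3: date string.
login_notice() {
    printf 'NOTIFICATION - root SSH login on %s at %s from %s\n' \
        "$2" "$3" "$(ssh_client_ip "$1")"
}

# Call this from /root/.bashrc. It stays silent for non-interactive shells
# and for sessions that did not come in over SSH (console, su, cron).
notify_root_login() {
    case "$-" in *i*) ;; *) return 0 ;; esac
    [ -n "$SSH_CONNECTION" ] || return 0
    login_notice "$SSH_CONNECTION" "$(hostname)" "$(date)" \
        | mail -s "NOTIFICATION - root SSH login from: $(ssh_client_ip "$SSH_CONNECTION")" "$NOTIFY_TO"
}
```

SSH_CONNECTION is set by sshd itself and cannot be influenced by the client, unlike the tty/host columns of `who` when several people are logged in; the same caveat as before applies, a root attacker can remove the hook.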



# Enable ProFTPD logging (needed by the fail2ban jail below)

nano /etc/proftpd/proftpd.conf

Add at the end:

TransferLog /home/log/xferlog
SystemLog /home/log/proftpd.log

The /home/log directory must exist before the restart, otherwise proftpd cannot open its log. Then:

/etc/init.d/proftpd restart




# Installing the firewall

nano /etc/init.d/firewall

Replace xx.xx.xx.xx with your own public IP address (the one of your Free connection, for example). It will be the only address allowed to connect over FTP and, together with the OVH addresses, over SSH.

Rules written with a host name (cache.ovh.net, proxy.ovh.net, ...) are resolved by DNS once, when the script runs, so the firewall depends on DNS being reachable at boot and on those names not changing; prefer literal addresses where you can. Also note that, as written, MySQL (3306) and Webmin (10000) are open to the whole Internet: if MySQL is only used by the local web server, do not open 3306 at all, otherwise restrict both with --source as done for ports 21 and 22.

#!/bin/sh
# chkconfig: 3 21 91
# description: Firewall

IPT=/sbin/iptables

case "$1" in
start)
# Start from an empty INPUT chain. This also removes fail2ban's jump rules,
# hence the restart order given at the end of this tutorial.
$IPT -F INPUT
# Keep replies to connections the server initiated.
$IPT -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Public services: SMTP, DNS, HTTP, POP3, HTTPS.
$IPT -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --dport 53 -j ACCEPT
$IPT -A INPUT -i eth0 -p udp --dport 53 -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --dport 110 -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
# MySQL and Webmin: reachable from any source as written. Add --source
# restrictions, or drop the MySQL rule if only localhost uses it.
$IPT -A INPUT -i eth0 -p tcp --dport 3306 -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --dport 10000 -j ACCEPT
# FTP only from your own address.
$IPT -A INPUT -i eth0 -p tcp --dport 21 --source xx.xx.xx.xx -j ACCEPT
# SSH from OVH's cache host, from your own address and from 213.186.33.13.
$IPT -A INPUT -i eth0 -p tcp --dport 22 --source cache.ovh.net -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --dport 22 --source xx.xx.xx.xx -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --dport 22 --source 213.186.33.13 -j ACCEPT
# ICMP from OVH's monitoring hosts. The xx.xx.xx.250/.251 pair is a
# placeholder left by the tutorial; fill it in from OVH's firewall guide.
$IPT -A INPUT -p icmp --source proxy.ovh.net -j ACCEPT
$IPT -A INPUT -p icmp --source proxy.p19.ovh.net -j ACCEPT
$IPT -A INPUT -p icmp --source proxy.rbx.ovh.net -j ACCEPT
$IPT -A INPUT -p icmp --source proxy.rbx2.ovh.net -j ACCEPT
$IPT -A INPUT -p icmp --source ping.ovh.net -j ACCEPT
$IPT -A INPUT -i eth0 -p icmp --source xx.xx.xx.250 -j ACCEPT
$IPT -A INPUT -i eth0 -p icmp --source xx.xx.xx.251 -j ACCEPT
$IPT -A INPUT -i eth0 -p icmp --source 213.186.33.250 -j ACCEPT
$IPT -A INPUT -i eth0 -p icmp --source 213.186.33.251 -j ACCEPT
# Private range, accepted on every port. A packet arriving on the public
# interface with such a source is suspect; keep these only if you use them.
$IPT -A INPUT -i eth0 -p tcp --source 192.168.0.0/16 -j ACCEPT
$IPT -A INPUT -i eth0 -p udp --source 192.168.0.0/16 -j ACCEPT
# finger (79): remove if no finger daemon runs.
$IPT -A INPUT -i eth0 -p tcp --dport 79 -j ACCEPT
# Everything else arriving on eth0 is rejected.
$IPT -A INPUT -i eth0 -j REJECT
;;

stop)
# Flushing INPUT with the default ACCEPT policy leaves every port open.
$IPT -F INPUT
;;
*)
echo "Usage: /etc/init.d/firewall {start|stop}"
exit 1
;;
esac
exit 0




Create a script that resets iptables
cd /etc/init.d
nano /etc/init.d/iptables_flush.sh

#!/bin/sh
# Remove every rule and custom chain in all tables and reset the default
# policies to ACCEPT. After this the server is fully open until the
# firewall script runs again.
echo "Flushing iptables rules..."
sleep 1
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

Make both scripts executable. The original tutorial used chmod 777, which lets every local user (including the web server's account, should it ever be compromised) edit scripts that run as root; root-owned and 755 is what you want:

chmod 755 /etc/init.d/iptables_flush.sh /etc/init.d/firewall

OVH's own guide on the subject: http://guides.ovh.com/FireWall
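The firewall script above opens MySQL and Webmin to every source address. As an added example (not code from the tutorial or from OVH's guide), the following shell script audits a list of iptables INPUT rules and reports every port accepted without a --source restriction, then flags the ones that should never be world-reachable. The rule list is a constructed sample taken from the script above, with a documentation address in place of xx.xx.xx.xx; in practice feed it the script itself or iptables-save output. The RISKY_PORTS list is this example's own choice.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: audit iptables INPUT
# rules for services reachable from any source address.

# Constructed sample: ACCEPT rules taken from the tutorial's firewall script,
# with 203.0.113.7 standing in for the admin's own address.
sample_rules() {
    cat <<'EOF'
/sbin/iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p udp --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 3306 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 10000 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 21 --source 203.0.113.7 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 --source 203.0.113.7 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 79 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -j REJECT
EOF
}

# Print "proto/port" for every INPUT rule that ACCEPTs a destination port
# without a --source / -s restriction. Reads the rules from stdin.
world_open_ports() {
    awk '
        /-A INPUT/ && /-j ACCEPT/ && /--dport/ && !/--source/ && !/ -s / {
            proto = "?"; port = "?"
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            print proto "/" port
        }'
}

# Ports that should not face the whole Internet on a box like this one:
# MySQL (3306), Webmin (10000), finger (79). This list is the example's own.
RISKY_PORTS="3306 10000 79"

# Print each risky world-open port; return 1 if any was found, 0 otherwise.
risky_exposures() {
    found=0
    for entry in $(world_open_ports); do
        port=${entry#*/}
        for risky in $RISKY_PORTS; do
            if [ "$port" = "$risky" ]; then
                echo "WORLD-OPEN: $entry"
                found=1
            fi
        done
    done
    return $found
}

# Stand-alone run: audit the constructed sample.
sample_rules | risky_exposures \
    || echo "firewall audit: restrict the ports above with --source or close them"
```

Run it against the live ruleset with `iptables-save | ./audit.sh`-style piping once the functions are in a file; rules that match by interface or hostname only still count as world-open, which is the point.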


# Configuring fail2ban

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.local
nano /etc/fail2ban/jail.conf

The cp only keeps a backup. fail2ban itself reads /etc/fail2ban/jail.local as an override of jail.conf, and jail.conf is replaced on upgrade, so putting your changes in jail.local is the supported way; the edits below apply equally there.

- Set enabled = true for the jails you need and add the missing ones
- Fix the log paths to match where this server actually writes its logs (the "..." below stands for the lines of each jail left unchanged)

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 617 $
#

# The DEFAULT section allows a global definition of the options. They can be
# overridden in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1 xx.xx.xx.xx

# "bantime" is the number of seconds that a host is banned.
bantime = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

[ssh-iptables]
enabled = true
...
logpath = /var/log/auth.log

[proftpd-iptables]
enabled = true
...
# SystemLog was pointed at /home/log/proftpd.log above; the page's original
# /var/log/proftpd.log would never receive a line.
logpath = /home/log/proftpd.log

[ssh-tcpwrapper]
enabled = true
...
logpath = /var/log/auth.log

[apache-tcpwrapper]
enabled = true
...
logpath = /var/log/httpd/error_log


# The page listed this jail twice; a jail name may appear only once, so keep
# the complete version.
[apache-badbots]
enabled = true
action = iptables-multiport[name=BadBots, port="http,https"]
         sendmail-buffered[name=BadBots, lines=5, dest=votre_email]
logpath = /var/log/httpd/access_log
maxretry = 1


[apache-w00tw00t]
enabled = true
filter = apache-w00tw00t
action = iptables[name=Apache-w00tw00t,port=80,protocol=tcp]
logpath = /var/log/httpd/access_log
maxretry = 1


# Jail for dictionary attacks aimed at phpMyAdmin
[apache-admin]
enabled = true
port = http
filter = apache-admin
action = iptables[name=HTTP-Admin, port=http, protocol=tcp]
         sendmail-whois[name=HTTP-Admin, dest=votre_email, sender=votre_email]
logpath = /var/log/httpd/error_log
maxretry = 6
bantime = 600




Add the fail2ban filters that are missing

cd /etc/fail2ban/filter.d/

nano apache-admin.conf

The <HOST> tag was lost when this page was copied; without it fail2ban has no address to ban. The alternation also has to be grouped, otherwise "PMA" or "mysql" anywhere in a line matches on its own, with nothing captured as host.

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 471 $
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failure messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching.
# Values: TEXT
# [client x.x.x.x] File does not exist: /home/www/admin/admin,
failregex = [[]client <HOST>[]] File does not exist: .*(admin|PMA|mysql|loginrc)
#
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

-----------

nano apache-w00tw00t.conf

The page first pasted the apache-admin filter under this name, then showed the real file with cat; only the latter is correct. This filter reads the access_log (combined format, client address first), which is why the jail above points at access_log and not error_log. The <HOST> tag is restored here as in the previous filter.

[Definition]
failregex = ^<HOST> -.*"GET /w00tw00t.at.ISC.SANS.DFind:).*".*
ignoreregex =

-----------

nano php-url-fopen.conf

# Fail2Ban configuration file
#
# Author: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
# Version 2
# fixes the failregex so REFERERS that contain =http:// don't get blocked
# (mentioned by "fasuto" (no real email provided... blog comment) in this entry:
# http://blogs.buanzo.com.ar/2009/04/fail2ban-filter-for-php-injection-attacks.html#comment-1489
#

[Definition]

# Option: failregex
# Notes.: regex to match this kind of request:
#
# 66.185.212.172 - - [26/Mar/2009:08:44:20 -0500] "GET /index.php?n=http://eatmyfood.hostinginfive.com/pizza$
#
failregex = ^<HOST> -.*"(GET|POST).*?.*=http://.* HTTP/.*$

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
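fail2ban ships fail2ban-regex to test a filter against a real log (fail2ban-regex /var/log/httpd/error_log /etc/fail2ban/filter.d/apache-admin.conf). As an added, offline example that is not part of the tutorial, the script below does the same job for the apache-admin filter with sed and awk: it applies the corrected failregex to constructed error_log lines (documentation IPs), prints the host each matching line would yield, and counts which hosts reach maxretry. The <HOST> tag is spelled out as an explicit capture group since sed knows no fail2ban tags. One thing it makes visible: the regex is case-sensitive, so a probe for phpMyAdmin (capital A) passes unmatched; make the real filter case-insensitive or list the exact paths you want caught.

```shell
#!/bin/sh
# Added example, not part of the tutorial: exercise the apache-admin failregex
# against constructed Apache error_log lines, the offline equivalent of
# fail2ban-regex. IPs are documentation addresses.

# Constructed sample log: two admin-path probes from one host, one PMA probe
# from another, a harmless 404, and a phpMyAdmin probe the case-sensitive
# regex does not catch.
sample_error_log() {
    cat <<'EOF'
[Sat Apr 14 10:01:02 2012] [error] [client 198.51.100.23] File does not exist: /home/ovh/www/admin
[Sat Apr 14 10:01:03 2012] [error] [client 198.51.100.23] File does not exist: /home/ovh/www/mysql
[Sat Apr 14 10:02:15 2012] [error] [client 192.0.2.5] File does not exist: /home/ovh/www/favicon.ico
[Sat Apr 14 10:03:40 2012] [error] [client 203.0.113.9] File does not exist: /home/ovh/www/PMA/index.php
[Sat Apr 14 10:03:41 2012] [error] [client 203.0.113.9] File does not exist: /home/ovh/www/phpMyAdmin
EOF
}

# The corrected apache-admin failregex, with fail2ban's <HOST> tag written as
# a capture group. Prints the host of every matching line, one per line.
apache_admin_hosts() {
    sed -n -E 's/.*\[client ([^]]+)\] File does not exist: .*(admin|PMA|mysql|loginrc).*/\1/p'
}

# Hosts whose match count reaches maxretry ($1). fail2ban also bounds the
# count by findtime; the sample spans a few minutes, so the window is ignored.
ban_candidates() {
    apache_admin_hosts | sort | uniq -c | awk -v max="$1" '$1 >= max { print $2 }'
}

# Stand-alone run, with the tutorial's maxretry = 6 lowered to 2 for the sample.
sample_error_log | ban_candidates 2
```

Keep a copy of such sample lines next to the filter and rerun the check whenever Apache's log format or the filter changes; a regex that silently stops matching is indistinguishable from "no attacks" in fail2ban-client status.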


-----------
Empty the Apache access log before starting. The jails above read /var/log/httpd/access_log, so point this at the file they actually watch; and since truncating destroys the record of earlier probes, archive the file first if you might need it.

cd /var/log
cat /dev/null > access_log

Run this after each boot of the server (the same commands serve to restart everything). The order matters: the firewall script flushes INPUT, which removes the chains fail2ban inserted, so fail2ban must be started after the firewall.

/etc/init.d/firewall stop
fail2ban-client stop

sh /etc/init.d/iptables_flush.sh
/etc/init.d/firewall start
fail2ban-client -x start

fail2ban-client status



