Basic Server Hardening

Ok, here is a short list of programs I’d advise anyone running a server on the internet (or thinking of doing so) to use.

  • aide or tripwire (they check and report whether files on your system have changed, with configurable levels of detail). If you use tripwire, don’t forget a “tripwire --check -I” after you do any updates, so the database is refreshed with the legitimate changes.
  • logcheck checks your system logs and reports anything out of the ordinary (“ordinary” is defined by the shipped list of rules for normal messages, plus anything you add)
  • tiger goes further than logcheck: it actively checks the system itself and reports anything strange (files not belonging to any package, users or groups that have been added, …)
  • grsecurity adds more security features to your kernel (at least use the basic features and the option to turn off module loading after boot)
  • rkhunter and chkrootkit scan the system for signs of rootkits or other malware. Just install them, make sure they are executed daily by cron, and possibly tweak rkhunter’s config a bit (I had problems with unhide and current kernel versions)

I’m not saying that setting up and tweaking all this software and actually reading the emails it generates will make your server super-duper secure, but it will reduce the risk of running a server open to the internet and alert you if something strange is happening. It is important to read and understand what these programs mail you. Yes, you will get false positives from time to time. And yes, you will have to adjust the config now and then due to package updates; but I get about 3-4 mails a week, and that is definitely ok considering the amount of data that gets checked.
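To make concrete what aide and tripwire do at their core, here is an added example (not from the post, and not the code of aide or tripwire themselves): a minimal file-integrity checker in Python. It records mode, owner, size, mtime and a SHA-256 hash of every file under a directory into a baseline database, reports added, removed and changed files on later runs, and then refreshes the baseline the way the “tripwire --check -I” reminder above describes after a legitimate update. The directory layout, file names and the “tampering” in demo() are constructed for illustration; a real deployment would keep the database and the checker on read-only or offline media so an intruder cannot simply rewrite them.

```python
import hashlib
import json
import os
import stat
import tempfile


def fingerprint(path):
    """Collect the attributes a tripwire/AIDE-style database stores per file."""
    st = os.lstat(path)  # lstat: record symlinks themselves, do not follow them
    entry = {
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
        "mtime": int(st.st_mtime),
    }
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        entry["sha256"] = h.hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        entry["target"] = os.readlink(path)
    return entry


def build_baseline(root):
    """Fingerprint every file and symlink below root, keyed by path relative to root."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):  # os.walk does not follow symlinked dirs
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            baseline[os.path.relpath(path, root)] = fingerprint(path)
    return baseline


def save_baseline(baseline, db_path):
    """Persist the database; keep it (and this script) where an intruder cannot rewrite it."""
    with open(db_path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(db_path):
    with open(db_path) as f:
        return json.load(f)


def check(root, baseline):
    """Compare the live tree with the baseline; return added/removed paths and changed attributes."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(current) & set(baseline)):
        keys = set(current[rel]) | set(baseline[rel])
        diffs = sorted(k for k in keys if current[rel].get(k) != baseline[rel].get(k))
        if diffs:
            changed[rel] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, check, then re-baseline."""
    with tempfile.TemporaryDirectory() as root:
        tree = os.path.join(root, "tree")
        db = os.path.join(root, "baseline.json")  # outside the watched tree

        def write(rel, content):
            path = os.path.join(tree, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(content)

        # constructed sample files standing in for system binaries and configs
        write("sbin/sshd", b"binary-v1")
        write("etc/motd", b"hello")
        write("etc/passwd", b"root:x:0:0")
        save_baseline(build_baseline(tree), db)

        # simulated changes: a binary replaced, a file removed, a cron file added
        write("sbin/sshd", b"binary-v2")
        os.remove(os.path.join(tree, "etc/motd"))
        write("etc/cron.d/extra", b"@daily root /bin/true")
        first = check(tree, load_baseline(db))

        # after confirming the changes are legitimate (e.g. a package upgrade),
        # refresh the database; this is what "tripwire --check -I" does for you
        save_baseline(build_baseline(tree), db)
        second = check(tree, load_baseline(db))
        return first, second


if __name__ == "__main__":
    report, after_refresh = demo()
    print(json.dumps(report, indent=1))
    print("after re-baseline:", after_refresh)
```

The report from the first check names the replaced binary (with the attributes that differ, the hash among them), the removed file and the new cron entry; the second check, run against the refreshed database, is clean. That second step is also the risk: re-baselining without reading the report accepts whatever changed, legitimate or not.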

Fantastic Contraption

I just found an interesting flash game called “Fantastic Contraption”. It’s kind of like that old game “The Incredible Machine”, just with less exotic parts. Actually I like this flash game better, since there is no “right” solution; there are endless possibilities to solve the problems. Unfortunately that doesn’t make things easier 😉 Have a look for yourself:

http://fantasticcontraption.com/

Hackit Contest

Ok, the contest is ready. I’ll start off with the information everybody has been waiting for:

IP: 80.190.250.213

There is a webserver running with a brief description of the target and the rules of the contest: http://80.190.250.213/ The webserver is actually part of the contest, since people are supposed to deface this page. To make it a bit more interesting, the ssh sessions are recorded with the script utility and saved here for everyone to see (e.g. “less -r filename”).

Rules and Target of the contest:
As stated above, deface this page. To achieve this goal, everything is allowed. Do what you need/want to achieve the goal.
Unfortunately we still need a short list of actions that are not allowed:

  • (D)DoS against this box, or via this box against other hosts, is of course not allowed
  • Brute-force attacks against accounts are not prohibited … but trust me, you really don’t want to waste your time with that
  • Be nice, don’t try to make the accounts or the box unusable for others
  • If you are doing something that isn’t aimed at solving the contest, then it probably isn’t allowed

A few details to the box and the system:

  • It is a VMware box (so I can reset it and/or access the console without any problems)
  • Debian testing (Linux) is installed
  • Some basic hardening was done with normal Linux tools and grsecurity
  • Don’t worry, I left enough room for you all to poke around; I didn’t make it “too secure to have fun”
  • This time no holes were intentionally added to the system. On the other hand, there will also be no updates of software packages or changes to the RBAC system, no matter what security flaws arise (or I may have overlooked)
  • On a scale of 1 to 10: I’d say the security is around 7

Have fun 😉

btw. I’m also posting this in the buha forums for anyone who prefers a German description.