Perfect RootServer: Difference between revisions
Revision as of 19 August 2012, 20:21
The server is intended to serve mainly as a web and mail server.
Basic configuration
Create users
useradd -m -G root,staff -c "Adminuser" -s /bin/bash adminuser
useradd -m -G staff -c "User XYZ" -s /bin/bash user
Hardening
- http://www.thefanclub.co.za/how-to/how-secure-ubuntu-1204-lts-server-part-1-basics
- http://www.debian.org/doc/manuals/securing-debian-howto/ch4.de.html
Default umask
/etc/login.defs
# UMASK is the default umask value for pam_umask and is used by
# useradd and newusers to set the mode of the new home directories.
# 022 is the "historical" value in Debian for UMASK
# 027, or even 077, could be considered better for privacy
# There is no One True Answer here : each sysadmin must make up his/her
# mind.
UMASK 077
http://www.cyberciti.biz/tips/understanding-linux-unix-umask-value-usage.html
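The following is an added example, not part of the wiki page: it shows concretely what the UMASK 077 chosen above does to newly created files and directories compared with Debian's historical default of 022. It assumes GNU coreutils (stat -c), as on Debian/Ubuntu, with a BSD stat fallback.

```shell
# created_mode <umask> <file|dir>
# Creates a temporary file or directory under the given umask and prints
# its resulting octal permission bits.
created_mode() {
    local mask="$1" kind="$2" dir path
    dir="$(mktemp -d)" || return 1
    path="$dir/probe"
    # umask is per-process, so apply it in a subshell and leave the caller's untouched
    (
        umask "$mask"
        if [ "$kind" = dir ]; then
            mkdir "$path"
        else
            : > "$path"
        fi
    )
    # GNU stat first, BSD stat as a fallback
    stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path"
    rm -rf "$dir"
}

# The value the page puts into /etc/login.defs
hardened_umask=077
# Debian's historical default, as noted in the login.defs comment
legacy_umask=022

main() {
    local m
    for m in "$legacy_umask" "$hardened_umask"; do
        printf 'umask %s: new file %s, new directory %s\n' \
            "$m" "$(created_mode "$m" file)" "$(created_mode "$m" dir)"
    done
}

main
```

With 022 a new file is world-readable (644) and a new directory world-traversable (755); with 077 the same operations yield 600 and 700, so other local users cannot read a file the admin accidentally drops into a shared location. Note that the UMASK in login.defs applies to login sessions (pam_umask) and to home directories created by useradd; daemons started by init keep whatever umask their init script sets.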
Secure shared memory / partition security
/etc/fstab
tmpfs /dev/shm tmpfs defaults,noexec,nosuid 0 0
/dev/vg0/tmp /tmp ext4 defaults,nodev,nosuid,noexec 0 0
/dev/vg0/var /var ext4 defaults,nodev 0 0
/dev/vg0/mysql /xxx/mysql ext4 defaults,nodev,nosuid,noexec 0 0
/dev/vg0/mail /xxx/mail ext4 defaults,nodev,nosuid,noexec 0 0
/dev/vg0/home /home ext4 defaults,nosuid,nodev 0 0
/dev/vg0/www /xxx/www ext4 defaults,nodev,nosuid,noexec 0 0
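Mount options like these are only useful if they actually stay in place; a later edit or a fresh install silently loses them. The following audit script is an added example and not part of the wiki page: it reads an fstab-format file and reports, for each mount point the page hardens, which of the expected options (nodev, nosuid, noexec) are missing. The expected list mirrors the page's fstab (including its placeholder path /xxx/www); the sample fstab it checks is constructed for the demonstration and deliberately weakened.

```shell
# fstab_missing_opts <fstab-file> <mountpoint> <required-opts>
# Prints the comma-separated subset of <required-opts> that the entry for
# <mountpoint> lacks (nothing if all are present). Returns 1 if there is
# no entry for that mount point at all.
fstab_missing_opts() {
    local fstab="$1" mnt="$2" required="$3" opts missing="" req
    # field 2 is the mount point, field 4 the option list; skip comments and blank lines
    opts="$(awk -v m="$mnt" '$0 !~ /^[[:space:]]*(#|$)/ && $2 == m { print $4; exit }' "$fstab")"
    [ -n "$opts" ] || return 1
    for req in $(printf '%s' "$required" | tr ',' ' '); do
        case ",$opts," in
            *",$req,"*) ;;
            *) missing="${missing:+$missing,}$req" ;;
        esac
    done
    printf '%s\n' "$missing"
}

# fstab_audit <fstab-file>
# Checks the mount points the page hardens against the options it expects
# and prints one line per finding.
fstab_audit() {
    local fstab="$1" line mnt want got
    # mountpoint:required-options, taken from the page's /etc/fstab
    for line in \
        /dev/shm:noexec,nosuid \
        /tmp:nodev,nosuid,noexec \
        /var:nodev \
        /home:nosuid,nodev \
        /xxx/www:nodev,nosuid,noexec
    do
        mnt="${line%%:*}"; want="${line#*:}"
        if ! got="$(fstab_missing_opts "$fstab" "$mnt" "$want")"; then
            printf '%s: no fstab entry\n' "$mnt"
        elif [ -n "$got" ]; then
            printf '%s: missing %s\n' "$mnt" "$got"
        fi
    done
}

# Constructed sample (not the page's fstab): /tmp lacks noexec and /home is absent
sample_fstab() {
    cat <<'EOF'
# <file system> <mount point> <type> <options> <dump> <pass>
tmpfs /dev/shm tmpfs defaults,noexec,nosuid 0 0
/dev/vg0/tmp /tmp ext4 defaults,nodev,nosuid 0 0
/dev/vg0/var /var ext4 defaults,nodev 0 0
/dev/vg0/www /xxx/www ext4 defaults,nodev,nosuid,noexec 0 0
EOF
}

main() {
    local f
    f="$(mktemp)"
    sample_fstab > "$f"
    fstab_audit "$f"
    rm -f "$f"
}

main
```

On a live system run fstab_audit against /etc/fstab, or against the output of `mount` reformatted into the same columns to confirm the options are in effect rather than merely configured. Remember that noexec on /tmp breaks installers and package postinst scripts that unpack and execute there; the page's layout puts such work on /var instead, which is why /var only gets nodev.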
SSH Hardening - disable root login and change port.
#/etc/ssh/sshd_config
Port 563
AllowGroups staff
PermitRootLogin no
Harden network with sysctl settings
#/etc/sysctl.conf
# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Ignore send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Block SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
# Log Martians
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
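Values written to /etc/sysctl.conf take effect only after `sysctl -p` or a reboot, and can be overridden later by other files or by a daemon. The script below is an added example, not from the wiki page: it compares the keys in a sysctl.conf-style file against a snapshot in the `key = value` format that `sysctl -a` prints, and reports every key whose running value differs or is absent. The expected file reproduces a subset of the page's settings; the snapshot is constructed for the demonstration and deliberately deviates in two places.

```shell
# sysctl_audit <expected-conf> <snapshot>
# <expected-conf> uses /etc/sysctl.conf syntax (key = value, # comments).
# <snapshot> is "key = value" lines as printed by `sysctl -a`.
# Prints one line per key whose running value differs or is missing.
sysctl_audit() {
    local expected="$1" snapshot="$2"
    awk '
        # Strip comments and whitespace, split on the first "=";
        # leaves the result in the globals KEY and VAL, returns 1 on success.
        function parse(line,   k, v, eq) {
            sub(/#.*/, "", line)
            eq = index(line, "=")
            if (eq == 0) return 0
            k = substr(line, 1, eq - 1); v = substr(line, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == "") return 0
            KEY = k; VAL = v; return 1
        }
        # first file: the running snapshot
        NR == FNR { if (parse($0)) running[KEY] = VAL; next }
        # second file: the expected configuration
        {
            if (!parse($0)) next
            if (!(KEY in running))
                printf "%s: expected %s, not present\n", KEY, VAL
            else if (running[KEY] != VAL)
                printf "%s: expected %s, running %s\n", KEY, VAL, running[KEY]
        }
    ' "$snapshot" "$expected"
}

# Subset of the page's /etc/sysctl.conf
sample_expected() {
    cat <<'EOF'
#/etc/sysctl.conf
# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
# Block SYN attacks
net.ipv4.tcp_syncookies = 1
# Log Martians
net.ipv4.conf.all.log_martians = 1
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
EOF
}

# Constructed `sysctl -a` excerpt (not real output): accept_redirects was
# left at 1 and log_martians is missing entirely
sample_snapshot() {
    cat <<'EOF'
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_redirects = 1
EOF
}

main() {
    local e s
    e="$(mktemp)"; s="$(mktemp)"
    sample_expected > "$e"
    sample_snapshot > "$s"
    sysctl_audit "$e" "$s"
    rm -f "$e" "$s"
}

main
```

On a real host the snapshot is simply `sysctl -a > /tmp/sysctl.snapshot` (run as root so that no keys are hidden by permissions), followed by `sysctl_audit /etc/sysctl.conf /tmp/sysctl.snapshot`. An empty result means every hardening value is actually live, which is the state you want to verify after each reboot and kernel update rather than assume.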
Security
Chkrootkit
Checksecurity
Logcheck
Firewall
Shorewall
HDParm
HDDTemp
NTP-Date
smartmontools
Current hard disks support SMART, which lets you query their 'health status':
/etc/smartd.conf
...
#DEVICESCAN
# First two SCSI disks. This will monitor everything that smartd can
# monitor. Do extended self-tests Wednesdays at 6pm and Sundays at 1 am
/dev/sda -d ata -s L/../../3/18
/dev/sdb -d ata -s L/../../7/01
...
cron-apt
The package lists are updated via cron, and a syslog entry is written whenever new updates are available.
Services
Cron
root's crontab:
30 07 * * * /home/www/_server/bin/webtraffic.pl
30 05 * * * /home/www/_server/bin/webalizer.sh
01 08 * * * /usr/bin/graphdefang.pl -quiet
4 06 * * * /home/backup/bin/packagelist.sh
Webserver
PHP4
Mod-Security
Web statistics
Mod-PAM
Mailserver
Webmail
Horde
Virus scanner
ClamAV
Spam protection
SpamAssassin
DCC-Distributed Checksum Clearinghouse
Blacklists
Pyzor
Razor
Statistics
Mysql-Server
PHPMyAdmin
mysqldumper
File access
PureFTP
Monitoring
Cacti
Munin
SNMP
/etc/snmp/snmpd.conf
...
smuxsocket 127.0.0.1
# Check the / partition and make sure it contains at least 10 megs.
disk / 10000
# Check for loads:
load 12 14 14
...
Cacti provides an integration of Qmail stats
IP-Accounting
Backup
Backups are of course necessary too. Even if the system sits on a mirrored RAID, that only protects against hardware failure, not against data loss. The following items therefore have to be backed up. The backup directory is /srv/backup; the (cron) scripts live under /srv/backup/bin/.
Server configuration
Files with rsnapshot
The config is /etc/rsnapshot.conf with all default values except for the following changes. The snapshot root then holds the backups of the past week.
# All snapshots will be stored under this root directory.
snapshot_root /srv/backup/rsnapshot/
#retain hourly 6
retain daily 7
#retain weekly 4
logfile /var/log/rsnapshot.log
backup /home/ localhost/
backup /etc/ localhost/
backup /srv/vmail/ localhost/
backup /srv/www/ localhost/
and the corresponding cron script /etc/cron.d/rsnapshot:
30 3 * * * root /usr/bin/rsnapshot daily
Partition table
stored under /srv/backup/server (created manually with parted)
parted -l|tee /srv/backup/server/partitions
List of installed packages
/srv/backup/server/package.list (cron, /srv/backup/bin/packagelist.sh):
#!/bin/sh
/usr/bin/dpkg -l>/srv/backup/server/package.list
SQL export
The export is run daily via cron using MySQLDumper (in the admin area under "Verwaltung"). Each database gets its own file. The files are stored under .../msd/work/backup/ and are each kept for 10 days.
Filesystem off-site via Duply
Backups to untrusted (FTP) servers
Anyone who backs up their data to an unknown server must encrypt and sign it to protect it reliably against prying eyes and tampering. duplicity is the right tool for that, and the c't script ftplicity (now duply) makes working with it child's play.
/etc/duply/<profile>/exclude
/dev
/proc
/sys
/tmp
/home
/srv/mysql
/var/cache
/var/tmp
/var/spool/postfix/private
/run
/build
/mnt
/srv/backup
/srv/backupserver
/root/.cache/
Restore
Individual files are restored from the backup with duply fetch. The command needs three arguments: the file or directory name, the destination, and the age:
duply <profile> fetch etc/passwd /root/pw 4D
for example restores /etc/passwd as it was 4 days ago to /root/pw; "now" yields the current state. Details on the time format used are in the duplicity man page, section TIME FORMATS.
Cron jobs
27 7 1 * * /usr/bin/duply <profile> backup_verify_purge --force
23 6 * * * /usr/bin/duply <profile> bkp 2>/dev/null
0 7 * * 5 /usr/bin/duply <profile> status 2>/dev/null
Links
- http://www.heise.de/security/artikel/Hinter-Schloss-und-Siegel-270834.html
- duply (extended ftplicity)
- Ubuntu packages
Tools
- rsnapshot http://www.rsnapshot.org/: creates incremental backups using rsync
- mySQLDumper http://www.mysqldumper.de/: MySQL database backups