Posts Tagged secure

Safe rm – stops you accidentally wiping the system!

Posted by on Monday, 21 September, 2009

I found this today: http://www.safe-rm.org.nz/, and having had the odd accident, I'm most definitely going to be installing this on my own server!

What is safe-rm?

Safe-rm is a safety tool intended to prevent the accidental deletion of important files by replacing /bin/rm with a wrapper, which checks the given arguments against a configurable blacklist of files and directories that should never be removed.

Users who attempt to delete one of these protected files or directories will not be able to do so and will be shown a warning message instead:

    $ rm -rf /usr
    Skipping /usr

(Protected paths can be set both at the site and user levels.)

Recovering important files you deleted by mistake can be quite hard.

So, why not install this on your server and save yourself some hassles in case you accidentally have that shell-script-gone-wrong problem. Now if somebody could do the same to fdisk I would be totally happy; there was this time when I accidentally repartitioned my own server HDD after putting a new one in, and got the wrong drive :/

For a manual install it's as simple as:

    # download and unpack the release
    wget http://safe-rm.googlecode.com/files/safe-rm-0.6.tar.gz
    tar zvxf safe-rm-0.6.tar.gz
    cd safe-rm-0.6
    # keep the real rm as old-rm, then put the wrapper in its place
    mv /bin/rm /bin/old-rm
    mv safe-rm /bin/rm

For those running Debian variants you can:

    apt-get install safe-rm

Points to note in the README:

Once you have installed safe-rm on your system (see INSTALL), you will need to
fill the system-wide or user-specific blacklists with the paths that you’d like
to protect against accidental deletion.

The system-wide blacklist lives in /etc/safe-rm.conf and you should probably add
paths like these:

    /
    /etc
    /usr
    /usr/lib
    /var

The user-specific blacklist lives in ~/.safe-rm and could include things like:

    /home/username/documents
    /home/username/documents/*
    /home/username/.mozilla

Here are two projects which allow you to recover recently deleted files by trapping
all unlink(), rename() and open() system calls through the LD_PRELOAD facility:

delsafe (link in the README is dead but I googled and updated it here)
http://unix.freshmeat.net/projects/delsafe

libtrashcan
http://hpux.connect.org.uk/hppd/hpux/Development/Libraries/libtrash-0.2/readme.html

There are also projects which implement the FreeDesktop.org trashcan spec. For example:

trash-cli
http://code.google.com/p/trash-cli
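
The blacklist check described in this post, sketched as shell functions. This is an added illustration, not safe-rm's own code: the function names and the sample blacklist are constructed, entries are matched as shell patterns against the normalised argument, and symlinks or `..` components are not resolved.

```shell
#!/bin/sh
# Added illustration, not safe-rm's own code: filter rm arguments
# against a blacklist. All function names here are hypothetical.

# Constructed sample in the /etc/safe-rm.conf format (one path per line).
make_sample_blacklist() {
    cat > "$1" <<'EOF'
/
/etc
/usr
/home/username/documents/*
EOF
}

# Make a path absolute and strip trailing slashes, so "/usr/" and "usr"
# (typed from /) compare equal to "/usr". Symlinks and ".." are NOT resolved.
normalise() {
    p=$1
    case $p in /*) ;; *) p=${PWD%/}/$p ;; esac
    while [ "$p" != "/" ] && [ "${p%/}" != "$p" ]; do p=${p%/}; done
    printf '%s\n' "$p"
}

# is_protected BLACKLIST PATH: exit status 0 if PATH matches an entry.
is_protected() {
    target=$(normalise "$2")
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        # $entry is unquoted so that "*" in an entry acts as a wildcard.
        case $target in $entry) return 0 ;; esac
    done < "$1"
    return 1
}

# filter_args BLACKLIST ARG...: print the arguments that would be handed
# to the real rm, one per line; protected paths are reported and dropped.
filter_args() {
    bl=$1; shift
    for a in "$@"; do
        case $a in
            -*) printf '%s\n' "$a" ;;
            *)  if is_protected "$bl" "$a"; then
                    echo "Skipping $a" >&2
                else
                    printf '%s\n' "$a"
                fi ;;
        esac
    done
}
```

In this sketch an entry such as `/usr` matches only that exact path, so `/usr/local` is not covered unless it has its own entry or a wildcard entry.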


PHP and Apache, some safer defaults

Posted by on Tuesday, 7 April, 2009

Okay, so every monkey and his dog can do PHP these days; hey, that's what it was written for.

So if I was looking to perhaps hack a server, one of the first things I would look for is the version of PHP running on the server. This is very easy to find out if the version is being added to the server string. You can hide this with the config option:

    expose_php = Off

Here are a few quick, handy PHP config defaults:

    ; Who needs to download off remote sites seriously?
    allow_url_fopen = Off

    ; This can help stop a few SQL injection methods
    ; (magic_quotes_gpc was deprecated in PHP 5.3.0 and removed in 5.4.0)
    magic_quotes_gpc = On

    ; By not allowing these few functions we can stop a fair bit of nasty stuff
    ; going on, not just from end users but by the users writing the code.
    ; You may wish to add mail() into this also
    disable_functions = proc_open, popen, disk_free_space, diskfreespace, set_time_limit, leak, tmpfile, exec, system, shell_exec, passthru

    ; (safe_mode and its related settings were deprecated in PHP 5.3.0 and removed in 5.4.0)
    safe_mode = On

    ; By default, Safe Mode does a UID compare check when
    ; opening files. If you want to relax this to a GID compare,
    ; then turn on safe_mode_gid. This stops users messing with others' stuff
    safe_mode_gid = Off

    ; This is handy if you want to be able to execute SOME binaries but not others from PHP
    safe_mode_exec_dir = /some/safe/binary/folder
Okay, that covers most of the basics, now for the Apache end of PHP.
For each website that has a VirtualHost you should add in lines similar to this:

    php_admin_value open_basedir /var/www/debian.co.nz:/var/www/debian.co.nz/tmp
    php_admin_value doc_root /var/www/debian.co.nz:/var/www/debian.co.nz/tmp

What this does is limit users to opening files inside their own directories (you really don't want them being able to open stuff in /etc, etc.).

Last-Modified: 2007-04-05 22:00:08


Make sure your SSH server is secure

Posted by on Tuesday, 7 April, 2009

First and foremost, ask yourself if you really need to run SSH on an external IP. If not, then in the SSH config you can bind it to your internal LAN easily enough 🙂
You can do this in the sshd_config file using something like:

ListenAddress 192.168.1.1

Another thing you probably want is to not allow root logins.

PermitRootLogin no

If you happen to want external access and have DNS or something set up, it sometimes pays to run it on a different port to stop a lot of bots that go around trying default user/password combos. This can be annoying when connecting in, particularly if you have multiple users, but it's worth its weight in gold in stopping automated attacks.

Port 2200

There are many more options in the SSH config that you may wish to try out; I'm not going to go into each and every one of them.
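
A quick way to check an existing sshd_config against the three settings above (ListenAddress, PermitRootLogin, Port). This is an added example, not from the original post; the function names are hypothetical, and it reads only the global section of a single file.

```shell
#!/bin/sh
# Added illustration, not from the original post: check an sshd_config
# against the three settings above. Function names are hypothetical.

# global_values FILE KEYWORD: print each value KEYWORD is given outside
# Match blocks. Keywords are case-insensitive, "#" starts a comment line,
# and keyword and value are separated by whitespace or a single "=".
global_values() {
    awk -v want="$2" '
        /^[ \t]*(#|$)/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
            if (!match(line, /[ \t]+=?[ \t]*|=[ \t]*/)) next
            key = tolower(substr(line, 1, RSTART - 1))
            if (key == "match") exit      # conditional overrides follow
            if (key == tolower(want)) print substr(line, RSTART + RLENGTH)
        }' "$1"
}

# audit_sshd FILE: print one finding per line; exit status 1 if any.
audit_sshd() {
    rc=0
    # sshd uses the first value it reads; unset falls back to the default.
    root=$(global_values "$1" PermitRootLogin | head -n 1)
    if [ "$root" != "no" ]; then
        echo "PermitRootLogin: ${root:-unset}"; rc=1
    fi
    # ListenAddress may repeat; none, 0.0.0.0 or :: means every interface.
    addrs=$(global_values "$1" ListenAddress)
    if [ -z "$addrs" ] || printf '%s\n' "$addrs" | grep -qxE '0\.0\.0\.0|::'; then
        echo "ListenAddress: all interfaces"; rc=1
    fi
    # Port may repeat; unset means the default port 22.
    ports=$(global_values "$1" Port)
    if [ -z "$ports" ] || printf '%s\n' "$ports" | grep -qx '22'; then
        echo "Port: 22 in use"; rc=1
    fi
    return $rc
}
```

On a live host, `sshd -T` prints the effective configuration with defaults applied; this sketch does not follow `Include` directives or evaluate `Match` blocks.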

Here are some other ideas which may be fun to test/try

Firewall rules can help limit the number of times they connect within a set time with something like this.

 iptables -A INPUT -i eth0 -p tcp --dport ssh -m state --state NEW \
 -m recent --set --name recentssh
 iptables -A INPUT -i eth0 -p tcp --dport ssh -m state --state NEW \
 -m recent --name recentssh --update --seconds 120 --hitcount 4 -j DROP
 iptables -A INPUT -j ACCEPT -i eth0 -p tcp --destination-port ssh

This allows them 4 counts within 120 seconds.

Ed: Some people have had issues with this due to a bug in Debian/kernel/ip_recent and sent in this change:

 iptables -A INPUT  -i eth0 -p tcp --dport 22 -m state --state NEW \
                    -m limit --limit 3/min --limit-burst 3 -j ACCEPT
 iptables -A INPUT  -i eth0 -p tcp --dport 22 -m state \
                    --state ESTABLISHED -j ACCEPT
 iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state \
                    --state ESTABLISHED -j ACCEPT

Last-Modified: 2007-04-05 21:41:24