Setting up a Debian Log Server

1. Purpose Of This Document
2. Some Notes On This Document
3. Installation Of Debian
4. AIDE
5. System Hardening
5.1. Disable Inetd
5.2. Install SSH
5.3. Debian Harden-*
5.4. Sticky Bits
5.5. Log Permissions
5.6. Directory Permissions
6. System Time
7. Remote Logging
1. Purpose of this document

This document will demonstrate the steps necessary to deploy a remote logging server. The author has written this document in order to provide a “guide” for others to follow and a reference for himself. No prior knowledge of logging or security is required; this paper has been written with beginners in mind.

This document also goes into more detail than some may deem necessary, but from the author’s point of view this is justified for a secure logging machine, one that can be trusted in the event that a network breach does take place.

The target audience for this document is newcomers to the Linux world, although experienced users will probably find it to be a good reference; the author does.
2. Some notes on this document

Anything in this document that is written in italic is actually a command, or text that you will type at your shell prompt. I assume that you are using the Bourne-again shell (bash), since it is the default shell in every distribution I have used. If you’re not running bash, then I assume that you have enough knowledge to convert the bash-specific items. In short, if you are new to the Linux world, don’t change your shell, at least not for this document.

You can find the most recent version of this document at http://vince.lansystems.ca
3. Installation of Debian

This section is going to be very brief, as it is not in the scope of this document. In order to be sure your system is secure and free of any hostile code, you should start with a clean system. That means starting over from scratch: ensure you have made proper backups of any data and information that you wish to retain, then reinstall Debian. I recommend just installing the base distribution, which is very minimal but gets your system started.

The next step after installation of the base system is to perform an upgrade. You should recall from the installation screens when you set up your apt sources; if you did not do this and wish to do so now, execute the following command:

apt-setup

Now that you have set up apt and its sources, we can move on to actually upgrading the system. To do so, execute the following commands:

apt-get update
apt-get upgrade

And if you want to be on the bleeding edge, you can upgrade to the unstable branch of Debian, which really is quite stable despite its name, but there are glitches sometimes. So if you’re new to Linux you should not do this; if you feel you are comfortable with Linux and familiar with Debian, then edit /etc/apt/sources.list and replace every occurrence of “stable” with “unstable”, save the file, then run the following commands:

apt-get update
apt-get dist-upgrade
4. AIDE

We are now going to set up file integrity checking. What this does is check whether a file has been modified at all. This is done by checking the md5sums of system binaries, to make sure they have not been changed by crackers. There is a commercial solution available at www.tripwire.com, but we’re going to use AIDE (Advanced Intrusion Detection Environment).

It is important to do this step now, as the system is still fresh and uncompromised. It is crucial for all future security measures that these signatures be accurate. You need to be able to trust your system; this is especially true for a logging server.

We install AIDE by issuing the following command:

apt-get install aide

That will install AIDE and generate the file containing the signatures; we now need to copy that file to a floppy and make it read only. If you renamed the DB file during the apt configuration of AIDE, you need to use the following commands:

mount /floppy
cp /var/lib/aide/aide.db /floppy/
umount /floppy

If you chose not to rename the file, you have to issue the following (the copy is named aide.db so that it matches the database path set in the configuration below):

mount /floppy
cp /var/lib/aide/aide.db.new /floppy/aide.db
umount /floppy

Then make that floppy disk read only.

Now we have to edit the AIDE configuration file, which is located in /etc/aide/ and called aide.conf. The first thing we need to change is the location of the database file. It’s the third line in the file. Make it:

database=file:/floppy/aide.db

/floppy/ is the path to the mounted floppy; if you mount your disk at another location, replace /floppy accordingly.

We have to mount the read-only disk now:

mount /floppy

By default AIDE runs daily; we want it to run hourly, so we schedule it to run every hour by running the following:

crontab -e

When the editor opens, insert the following:

01 * * * * aide -C
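To make concrete what the AIDE check above is doing, here is an added example (not from the original document, and not AIDE's own code) that takes an md5sum baseline of a directory tree while it is still trusted and later reports files that were modified, removed or added. The directory and file names are constructed, and paths are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example, not part of the original document: a small imitation of what
# AIDE does in section 4. A baseline of md5sums is taken while the tree is still
# trusted; later checks re-hash the tree and report any file that was modified,
# removed or added. Paths are assumed to contain no whitespace.
set -eu

# Write one "md5sum  ./path" line per regular file under $1 into the file $2.
make_baseline() {
    dir=$1; out=$2
    (cd "$dir" && find . -type f -exec md5sum {} + | sort -k2) > "$out"
}

# Compare the tree under $1 with the baseline file $2 (an absolute path).
# Returns 0 when nothing differs and 1 otherwise, the way "aide -C" signals
# changes through its exit status.
integrity_check() {
    dir=$1; baseline=$2; rc=0
    # Modified or removed: md5sum -c re-hashes every baseline entry and prints
    # "./path: FAILED" when the sum differs or the file can no longer be read.
    if ! (cd "$dir" && md5sum -c --quiet "$baseline" 2>/dev/null); then
        rc=1
    fi
    # Added: paths present now that the baseline never recorded.
    now=$(mktemp); known=$(mktemp)
    (cd "$dir" && find . -type f | sort) > "$now"
    awk '{print $2}' "$baseline" | sort > "$known"
    added=$(comm -23 "$now" "$known")
    rm -f "$now" "$known"
    if [ -n "$added" ]; then
        printf '%s: ADDED\n' $added
        rc=1
    fi
    return $rc
}

# Demonstration on a constructed tree standing in for system binaries.
tree=$(mktemp -d); db=$(mktemp)
printf 'ls binary\n' > "$tree/ls"
printf 'su binary\n' > "$tree/su"
make_baseline "$tree" "$db"            # taken while the tree is trusted
integrity_check "$tree" "$db" && echo "baseline clean"
printf 'trojaned\n' > "$tree/ls"       # simulate a replaced binary
printf 'dropper\n' > "$tree/backdoor"  # simulate a new, unknown file
integrity_check "$tree" "$db" || echo "changes detected"
rm -rf "$tree" "$db"
```

Like AIDE's database on the write-protected floppy, the baseline file only has value if it cannot be rewritten by whoever modifies the binaries.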
5. System Hardening

In this section we will discuss methods of hardening your system(s). When I say system(s) I mean that most of this applies to almost every system that you wish to harden; we’re still setting up one log server. We are going to be doing quite a bit in this section: disabling services and programs, installing programs, etc.
5.1. Disable INETD

The first thing we’re going to do is disable inetd, the “internet super server”. Inetd listens on ports and runs services when connections are made to those ports; some examples of these services are smtp, identd, time, telnet, etc. We won’t be needing any of those services on our log server, so we disable it by issuing the following commands:

update-rc.d -f inetd remove
kill -9 `pidof inetd`
5.2. Install SSH

The next thing we’re going to do is install SSH. This, in my opinion, should be mandatory for everyone who has remote access needs. We use SSH to encrypt the communication between our management consoles and the remote servers we connect to. Traditional remote management services, like telnet, rsh etc., send everything you type in plain text. Yes, that includes your username and password. What good is locking down your server if people can sniff your username and password?

We install SSH by issuing the following command:

apt-get install ssh

Okay, now that it is installed we’re going to have to edit the configuration file. To edit the configuration file we run the following command:

nano /etc/ssh2/sshd2_config

You now have the file open in nano, and you have to set your desired options. I will cover a few basic ones here.

Below are a couple of options and my settings; you are free to change them, but these are a basic guideline for newcomers.

PermitRootLogin no
ServerKeyBits 1024
RSAAuthentication no
PubkeyAuthentication no

Now that we have edited the configuration file, we can run the SSH server:

sshd
5.3. Debian Harden-*

In this section we’re going to install some Debian packages that will ensure we don’t actually install any insecure programs. We do this through the Debian Harden packages; these packages are basically rules that apt-get follows. The harden packages we are going to install are harden-clients, harden-servers, harden-localflaws, and harden-tools. For a full list go to http://www.debian.org/distrib/packages and type harden in the Search Package Directories section.

apt-get install harden-clients harden-servers harden-localflaws harden-tools
5.4. Sticky Bits

In this section we’re going to run a suid and sgid audit. The executables with these attributes set are quite dangerous, because they run as the root user or group no matter who executes them. That means if there is a problem with the program and it is exploitable, it’s 40 times easier to get escalated privileges. So we want to remove as many as we can; if we can’t remove one, we want to restrict access to only specified users.

Change to your home directory:

cd ~/

Search for files with the S(U/G)ID bit set:

find / -perm -4000 > suids && find / -perm -2000 > sgids

List the files that are SUID:

ls -ld `cat suids`

List the files that are SGID:

ls -ld `cat sgids`

We don’t need any files SUID on the box except su. So we run:

chown root.staff `cat suids`
chmod 750 `cat suids`

That removes the suid bit from all the files that have it; now we need to enable the suid bit on su, and restrict access to it so that only authorized users can execute it.

groupadd su
chown root.su /bin/su
chmod 4750 /bin/su

And now we add ourselves to the “su” group that we created:

adduser vince su
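The audit above, written as a reusable function and run against a constructed directory tree instead of / so it can be tried safely; this is an added example, not part of the original document. The file layout is made up, the allow list (only su keeps its bit) follows the text, and the chown to root.su is left out because it needs root.

```shell
#!/bin/sh
# Added example, not from the original document: the SUID/SGID audit of
# section 5.4 as a function, run against a constructed tree instead of /.
# Only files named in the allow list keep their set-user-ID bit (and become
# 4750, as the text does for /bin/su); everything else drops to 750.
set -eu

# List every regular file under $1 with the set-user-ID or set-group-ID bit.
list_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort
}

# Strip the set-id bits from everything under $1 except the files named in $2
# (a space-separated list of paths relative to $1). Kept files become 4750 so
# only the owner and the owning group may execute them.
audit_setid() {
    root=$1; keep=$2
    list_setid "$root" | while read -r f; do
        rel=${f#"$root"/}
        case " $keep " in
            *" $rel "*) chmod 4750 "$f" ;;   # trusted: keep setuid, restrict access
            *)          chmod 750 "$f" ;;    # everything else loses its set-id bits
        esac
    done
}

# Demonstration on a constructed tree (the files are empty stand-ins).
tree=$(mktemp -d)
mkdir -p "$tree/bin" "$tree/usr/bin"
for f in bin/su bin/ping usr/bin/passwd; do : > "$tree/$f"; done
chmod 4755 "$tree/bin/su" "$tree/bin/ping"
chmod 2755 "$tree/usr/bin/passwd"
echo "before:"; list_setid "$tree"
audit_setid "$tree" "bin/su"
echo "after:";  list_setid "$tree"     # only bin/su remains
rm -rf "$tree"
```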
5.5. Log Permissions

The default permissions on log files are really slack; we’re going to tighten them up a little bit so that ordinary users cannot view them.

cd /var/log
chmod -R 640 *
chmod 660 wtmp lastlog
5.6. Directory Permissions

We are going to restrict users from running “ls” in directories. This is just a very small deterrent put in place to confuse some script kids. It will not fool any experienced crackers, or script kids with any knowledge, because they will know exactly what files they are looking for. This does not prevent access to any files; it just prevents someone from listing them.

chmod 751 / /home /lib /boot /etc /log /var
6. System Time

A log server is not very good if the time is ever wrong, so to ensure that our time is always correct we’ll install ntpdate. This is a time synchronization program that we’ll run hourly.

apt-get install ntpdate

Now that we have the program installed, we need to run it. Before we do that we’ll have to decide what NTP server we’re going to use. For folks in Toronto, Ontario, we can use chime.utoronto.ca; for folks not in Toronto, search http://www.google.com for “Public NTP servers YourCity”, and that should yield a list for you.

ntpdate -s chime.utoronto.ca

We now have our time set, but we want to ensure that it stays that way, so we schedule ntpdate to run hourly:

crontab -e

When the editor opens we add:

01 * * * * /usr/sbin/ntpdate -s chime.utoronto.ca

Then save that and your time will be corrected hourly, if need be.
7. Remote Logging

Now we’re going to set up remote logging; this involves two steps. First we need to set up the machines that are going to be sending log information to our server; we do this by setting the following in every “client” machine’s /etc/syslogd.conf:

*.* @logserverip

Of course, change “logserverip” to your log server’s IP address. If necessary, allow UDP traffic on port 514 (we didn’t cover client-side firewalls).

Now we have to configure our server to accept those connections on port 514. We do that by editing /etc/rc2.d/S10syslogd and changing the SYSLOGD="" line to the following:

SYSLOGD="-rm 0"

In the above line, the -r tells syslogd there will be clients connecting to it and that it should accept them; the -m 0 signifies we don’t want to see -- MARK -- entries in the logs that our server records.
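The two edits of this section as idempotent shell functions, applied to constructed copies of the files so they can be tried without touching a live system; this is an added example, not part of the original document. The directives follow the text; the file contents are made up, and 192.0.2.10 is a documentation address standing in for the log server's real IP.

```shell
#!/bin/sh
# Added example, not part of the original document: the client and server
# configuration changes of section 7 as idempotent shell functions, applied
# to constructed copies of the files so they can be tried without touching a
# live system. The directives follow the text; the file contents are made up.
set -eu

# Client side: forward every facility and priority to the log server by
# appending "*.* @<ip>" to the syslog configuration file, only if no such
# line exists yet. Returns 1 when <ip> is not a dotted-quad IPv4 address
# (a loose check: four non-empty all-digit octets, ranges not verified).
enable_syslog_forwarding() {
    conf=$1; ip=$2
    case $ip in
        *[!0-9.]*|.*|*.|*..*|*.*.*.*.*) return 1 ;;
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    grep -qx "\*\.\*[[:space:]]*@$ip" "$conf" || printf '*.*\t@%s\n' "$ip" >> "$conf"
}

# Server side: set SYSLOGD="-rm 0" in the init script so syslogd accepts
# remote messages (-r) and stops writing "-- MARK --" lines (-m 0).
enable_syslog_server() {
    script=$1
    sed 's/^SYSLOGD=.*/SYSLOGD="-rm 0"/' "$script" > "$script.tmp"
    mv "$script.tmp" "$script"
}

# Print the options currently assigned to SYSLOGD in the init script.
syslogd_options() {
    sed -n 's/^SYSLOGD="\(.*\)"$/\1/p' "$1"
}

# Demonstration on constructed files.
conf=$(mktemp); init=$(mktemp)
printf '*.*\t\t/var/log/syslog\n' > "$conf"
printf '#!/bin/sh\nSYSLOGD=""\n' > "$init"
enable_syslog_forwarding "$conf" 192.0.2.10
enable_syslog_forwarding "$conf" 192.0.2.10      # second run adds nothing
echo "forwarding lines: $(grep -c '@192.0.2.10' "$conf")"
enable_syslog_server "$init"
echo "server options: $(syslogd_options "$init")"
rm -f "$conf" "$init"
```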