Firewalls are the core components of a network security implementation.
Firewalls can be standalone hardware solutions, such as firewall appliances by Cisco, Nokia, and Sonicwall.
There are also proprietary software firewall solutions developed for home and business markets by vendors such as Checkpoint, McAfee, and Symantec.
Firewall functions:
NAT
Network Address Translation (NAT) places private IP subnetworks behind one public IP address or a small pool of them, masquerading all outbound requests as coming from one source rather than several.
Packet Filter [iptables]
A packet filtering firewall reads each data packet that passes into and out of a LAN. It inspects the packet's header information and accepts or drops the packet based on sets of programmable rules implemented by the firewall administrator.
The Linux kernel has built-in packet filtering functionality through the Netfilter kernel subsystem.
Proxy
A proxy machine acts as a buffer between malicious remote users and the internal network client machines.
Netfilter and iptables
The Linux kernel features a powerful networking subsystem called Netfilter. The Netfilter subsystem provides stateful or stateless packet filtering as well as NAT and IP masquerading services. Netfilter also has the ability to mangle IP header information for advanced routing and connection state management. Netfilter is controlled through the iptables utility.
Examples:
iptables - administration tools for packet filtering and NAT
shorewall - Shoreline Firewall, netfilter configurator - transitional package
SSH Key generation for Security
We need to generate a pair of keys: a public key, which the server uses to encrypt the data, and a private key, which is the only key that can decipher the encrypted data and which, by definition, must be kept private. There are many secure encryption algorithms with different degrees of strength.
There are DSA and RSA. DSA is the standard encryption for the USA government; DSA keys have a 1024-bit size limit, whereas RSA is unlimited.
To generate an RSA key of 2048 bits, here are the steps.
$ ssh-keygen -v -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/buddies/.ssh/id_rsa): /home/buddies/.ssh/buddies_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/buddies/.ssh/buddies_rsa.
Your public key has been saved in /home/buddies/.ssh/buddies_rsa.pub.
The key fingerprint is:
66:d2:cc:7b:6a:62:f9:f5:c6:ef:69:fc:7b:87:0d:46 buddies@buddies
and then
$ chmod 600 /home/buddies/.ssh/buddies_rsa
$ scp /home/buddies/.ssh/buddies_rsa.pub buddies@myremote.server.com:/home/buddies/.ssh
You will be asked for the login password on the remote host before the copying commences.
The file will be copied to the login user's home directory on the remote host (/home/buddies in this case).
On the remote server we should then do the following (>> appends to authorized_keys rather than overwriting any keys that are already there):
$ cat /home/buddies/.ssh/buddies_rsa.pub >> /home/buddies/.ssh/authorized_keys
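As an added example (not part of the original notes), here is a hardened version of the last step: a small shell function that appends a public key to authorized_keys only if that key is not already present, refuses input that is not a single OpenSSH public key line, and sets the permissions sshd requires on ~/.ssh and authorized_keys. The optional second argument (the .ssh directory) and the constructed sample keys in the test are assumptions of this script.

```shell
#!/bin/sh
# Added example: idempotent installation of a public key into authorized_keys.
# install_pubkey PUBKEY_FILE [SSH_DIR]
#   SSH_DIR defaults to ~/.ssh; the parameter exists so the function can be
#   exercised against a scratch directory.

install_pubkey() {
    pubkey_file="$1"
    ssh_dir="${2:-$HOME/.ssh}"
    auth_keys="$ssh_dir/authorized_keys"

    # Refuse anything that is not exactly one OpenSSH public key line.
    if [ "$(wc -l < "$pubkey_file" | tr -d ' ')" -gt 1 ]; then
        echo "install_pubkey: $pubkey_file holds more than one line" >&2
        return 1
    fi
    case "$(cut -d' ' -f1 "$pubkey_file")" in
        ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-*) ;;
        *) echo "install_pubkey: $pubkey_file is not an OpenSSH public key" >&2; return 1 ;;
    esac

    # sshd ignores the file if the directory or file is group/world accessible.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_keys"
    chmod 600 "$auth_keys"

    # Compare on key type and key material only (fields 1 and 2); the comment
    # field may differ between copies of the same key.
    key_id="$(cut -d' ' -f1,2 "$pubkey_file")"
    if cut -d' ' -f1,2 "$auth_keys" | grep -qxF -- "$key_id"; then
        echo "install_pubkey: key already authorized" >&2
        return 0
    fi
    # printf guarantees a trailing newline even if the .pub file lacks one.
    printf '%s\n' "$(cat "$pubkey_file")" >> "$auth_keys"
}

# count_keys [SSH_DIR]: number of key lines in authorized_keys, for verification.
count_keys() {
    grep -c -E '^(ssh-|ecdsa-)' "${1:-$HOME/.ssh}/authorized_keys"
}

# Usage: sh install_pubkey.sh /home/buddies/.ssh/buddies_rsa.pub
if [ $# -gt 0 ]; then
    install_pubkey "$@"
fi
```

Run it on the remote host after the scp step in place of the cat command. Repeating it is harmless, and an accidental second copy of the same key (for instance a renamed .pub file with a different comment) is detected rather than appended.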
Security - Install And Configure Advanced Policy Firewall (APF) On CentOS
From Advanced Policy Firewall’s website:
“Advanced Policy Firewall (APF) is an IPTables(Netfilter) based firewall system designed around the essential needs of today’s Linux servers. The configuration is designed to be very informative and easy to follow. The management on a day-to-day basis is conducted from the command line with the ‘apf’ command, which includes detailed usage information on all the features.”
Installation
Downloading and extracting:
wget http://www.rfxn.com/downloads/apf-current.tar.gz
tar -zxvf apf-current.tar.gz
cd apf-9.7-1
and run the installer:
APF will display the locations of its executable and configuration files as well as the ports detected as being in use.
Configuration
APF's basic configuration file is /etc/apf/conf.apf
By default everything is locked and you have to configure APF to open the ports you need to use.
DEVEL_MODE="1" - be sure to leave this option at 1 until you are satisfied with the settings.
SET_MONOKERN="0" - APF supports monolithic kernels.
IFACE_IN="eth0" and IFACE_OUT="eth0" - the untrusted interfaces connected to the network, usually the Internet.
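The helper below is an added example; it is not part of the page or of APF. It sets KEY="VALUE" lines in an APF-style configuration file such as /etc/apf/conf.apf without duplicating keys, so the options above can be scripted (and put under version control) instead of edited by hand. IG_TCP_CPORTS, the conf.apf key listing inbound TCP ports to open, is not mentioned in the notes above; the sample configuration file the test writes is constructed for this example.

```shell
#!/bin/sh
# Added example: scripted edits to an APF-style KEY="VALUE" config file.

# apf_set FILE KEY VALUE: replace the existing KEY=... line, or append one.
apf_set() {
    file="$1"; key="$2"; value="$3"
    if grep -q "^${key}=" "$file"; then
        # sed -i is not portable, so write a temp file and move it into place.
        sed "s|^${key}=.*|${key}=\"${value}\"|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s="%s"\n' "$key" "$value" >> "$file"
    fi
}

# apf_get FILE KEY: print the value of KEY with its surrounding quotes removed.
apf_get() {
    sed -n "s|^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*|\1|p" "$1"
}

# harden_conf FILE: the settings from the notes above once testing is finished,
# plus SSH, HTTP and HTTPS opened inbound (an assumed service set).
harden_conf() {
    apf_set "$1" DEVEL_MODE 0          # keep at 1 only while still testing
    apf_set "$1" IFACE_IN eth0
    apf_set "$1" IFACE_OUT eth0
    apf_set "$1" IG_TCP_CPORTS "22,80,443"
}

# write_sample_conf FILE: a constructed stand-in for conf.apf, not the real file.
write_sample_conf() {
    cat > "$1" <<'EOF'
# sample conf.apf (constructed for this example)
DEVEL_MODE="1"
SET_MONOKERN="0"
IFACE_IN="eth0"
IFACE_OUT="eth0"
EOF
}
```

Point harden_conf at /etc/apf/conf.apf and restart APF with apf -r only after the DEVEL_MODE="1" trial period has shown the rules do not lock you out; the apf_get helper is a convenient way to confirm the live file before restarting.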
Testing
Start APF with apf -s.
The apf command accepts the following parameters:
-s - start APF
-r - restart APF
-f - stop APF
-l - list statistics
-st - status of APF
-a host - allow connections from “host”
-d host - deny connections from “host”
Advanced Policy Firewall - http://www.rfxn.com/projects/advanced-policy-firewall
Linux Security Audit Tools
Chkrootkit - Scan system for trojans, worms and exploits.
Root kit detection tools:
checkps - detect rootkits by detecting falsified output and similar anomalies. The ps check should work on anything with /proc. Also uses netstat.
Rootkit hunter - scans for rootkits, back doors and local exploits
Rkdet - rootkit detector daemon, intended to catch someone installing a rootkit or running a packet sniffer.
fsaudit - Perl script to scan filesystems and search for suspicious looking directories.
Hardening PHP
Run as the user instead of "nobody". You can run PHP as the VirtualHost's own user (like CGI scripts do with Apache's suexec).
Enable suPHP
PHP scripts are executed by the user who owns the VirtualHost serving the request.
Use hardening tools like Suhosin
Remove Insecure Scripts
Apache directives like php_value are not valid for mod_suphp. It is possible to place a php.ini file in the directory containing the PHP script and specify these types of values in it.
For PHP scripts to execute, permissions of 0400 are sufficient. Scripts are run as the user who owns the VirtualHost, so as long as this user has permission to write to a file or directory, PHP scripts will also be able to write to it. Mod_SuPHP performs various security checks before executing PHP scripts. Most can be disabled in the Mod_SuPHP configuration file located at /opt/suphp/etc/suphp.conf
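As an added example (not from the page or from mod_suphp), the two shell functions below audit and enforce the permission model just described: find_risky_php lists PHP scripts under a document root that would run with more access than they need because they are group- or world-writable or not owned by the VirtualHost user, and lock_php tightens every script to the 0400 the text says is sufficient. The document root and file names in the test are constructed.

```shell
#!/bin/sh
# Added example: audit and enforce script ownership/permissions for a
# mod_suphp VirtualHost, where every script runs as the VirtualHost's owner.

# find_risky_php DOCROOT USER: print PHP scripts that fail the audit, i.e.
# are writable by group or others, or are not owned by USER.
find_risky_php() {
    docroot="$1"; owner="$2"
    find "$docroot" -type f -name '*.php' \
        \( ! -user "$owner" -o -perm -g+w -o -perm -o+w \) -print
}

# lock_php DOCROOT: set every PHP script to 0400 (owner read only).
# That is enough for mod_suphp to execute it and blocks edits by anyone else.
lock_php() {
    find "$1" -type f -name '*.php' -exec chmod 0400 {} +
}

# count_risky DOCROOT USER: number of scripts failing the audit, for reporting.
count_risky() {
    find_risky_php "$1" "$2" | wc -l | tr -d ' '
}

# Usage: sh php_perms.sh /var/www/example/htdocs example_user
if [ $# -eq 2 ]; then
    echo "Scripts needing attention before lockdown: $(count_risky "$1" "$2")"
    lock_php "$1"
    echo "Scripts needing attention after lockdown:  $(count_risky "$1" "$2")"
fi
```

Ownership problems are reported but not changed, since chown to the VirtualHost user is something to decide per file; a script still listed after lock_php is one owned by a different account.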