Server Hardening


System Hardening

Strengthening the security of a server is really a job for an experienced system administrator. However, this tutorial will guide you through two basic demonstrations of what can be achieved in hardening a web server. Initially we will configure a Linux firewall to demonstrate simple per-user rules, before configuring a simple web server to reject invalid URLs.

Question 1: Firewall: Empty the Chains

In this tutorial we are going to work on the firewall configuration of your machine. Some care must be taken when doing this, or you will suddenly find you can no longer log in!

In all these cases the easiest way to do the experiment is to create an executable program in /root called "firewall". Start your editor, open "firewall", and paste the following into that file:

#!/bin/bash
#
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
#
# Make sure ssh and telnet stay working, and that users on
# other VMs cannot log in.
#
# --- Put a rule here if you want to be inserting at the start of INPUT
#
iptables -A INPUT -i eth0 -p tcp --dport ssh ! -s 10.0.0.0/16 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport telnet ! -s 10.0.0.0/16 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport http -j ACCEPT
#
# Sockets, once connected, continue to work
#
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Your changes go after here.
#

Do "chmod +x ./firewall" and then just "./firewall" to configure the firewall. Execute it once and then press the check button to make sure everything is set up OK.

After executing this file you can use "iptables -L" to show you what rules have been stored in the kernel. The provided script sets a default policy of ACCEPT on the OUTPUT chain. Later on we look at the default policy of DROP.

Tests - not attempted
iptable empty UNTESTED

Add two users to the system, "dave" and "jim".

adduser dave
adduser jim

As root, the administrator, you can become these users easily. Type "su - dave" and you will become the user "dave". The command is "su", then a space, then a hyphen, then a space, followed by the username. Forgetting the hyphen might appear to work, but it doesn't! When you want to return to being root just press CTRL D.

The "lwp-request" command fetches a URL from the web and downloads its contents. As dave, run

lwp-request http://linuxzoo.net/ncsi.txt > gotit

Press CTRL D then do the same for jim. Press CTRL D again to return to root. If you are not sure which user you currently are just look at the prompt, as this has the current username in it.

Tests - not attempted
Dave file exists UNTESTED
jim file exists UNTESTED

To secure a web server you could make sure server-side scripts run as different users, and then build firewall rules to police what each of those users is allowed to do. In this case user "jim" is the user whose identity is used to run scripts.

Now modify the firewall so that jim cannot initiate new connections to the internet. His existing connections must still work, otherwise when you become that user your ssh session will die.

Edit the firewall file, insert the following line at the end, and then execute the file again (or just run the command on its own):

iptables -A OUTPUT -o eth0 -m state --state NEW -m owner --uid-owner jim -j DROP

Once the change is made "su" to jim and try the lwp-request again. Do

cat gotit

If you see "Can't connect" then you are blocked. Recheck the access for the user "dave" and verify dave can still access the network.
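The two things that go wrong most often with this exercise are locking yourself out of ssh (a DROP that sits before the ssh ACCEPT in INPUT) and writing the per-user rule without "--state NEW", which kills jim's existing session as well. The following Python script is an added example, not part of the tutorial: it parses output in the format "iptables -S" produces and checks those invariants. The sample rule listing is constructed to approximate what the firewall script above would leave in the kernel (iptables -S prints ports as numbers), and the uid 1001 for jim is an assumption; on a real host you would pipe "iptables -S" into it and pass jim's uid from "id -u jim".

```python
import shlex
import sys

# Constructed sample in `iptables -S` format, approximating what the
# tutorial's firewall script plus the per-user OUTPUT rule would leave in
# the kernel. It is not output captured from a real host: iptables -S prints
# ports numerically, and the uid 1001 for "jim" is an assumption.
SAMPLE_RULES = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i eth0 ! -s 10.0.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 ! -s 10.0.0.0/16 -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -m state --state NEW -m owner --uid-owner 1001 -j DROP
"""


def parse_rules(text):
    """Parse `iptables -S` output into (policies, rules-per-chain).

    Each rule is a dict of option name -> value ("-m" is collected into a
    list because it may repeat); options preceded by "!" are recorded in
    the rule's "negated" set.
    """
    policies, chains = {}, {}
    for line in text.splitlines():
        tokens = shlex.split(line)
        if not tokens:
            continue
        if tokens[0] == "-P":
            policies[tokens[1]] = tokens[2]
            continue
        if tokens[0] != "-A":
            continue  # -N (user-defined chains) etc. are not needed here
        rule = {"negated": set()}
        negate = False
        i = 2
        while i < len(tokens):
            tok = tokens[i]
            i += 1
            if tok == "!":
                negate = True
                continue
            # Collect the option's values: everything up to the next "-x" or "!".
            vals = []
            while i < len(tokens) and not tokens[i].startswith("-") and tokens[i] != "!":
                vals.append(tokens[i])
                i += 1
            key = tok.lstrip("-")
            if key == "m":
                rule.setdefault("m", []).extend(vals)
            else:
                rule[key] = " ".join(vals)
            if negate:
                rule["negated"].add(key)
                negate = False
        chains.setdefault(tokens[1], []).append(rule)
    return policies, chains


def audit(text, uid):
    """Check the invariants the tutorial relies on; return a list of findings."""
    policies, chains = parse_rules(text)
    findings = []
    inp = chains.get("INPUT", [])
    if policies.get("INPUT") != "DROP":
        findings.append("INPUT policy is not DROP")
    # Lockout guard: an ACCEPT for tcp/22 must come before any DROP/REJECT,
    # otherwise reloading the script can cut off the ssh session editing it.
    ssh_ok = False
    for r in inp:
        if r.get("j") == "ACCEPT" and r.get("p") == "tcp" and r.get("dport") == "22":
            ssh_ok = True
            break
        if r.get("j") in ("DROP", "REJECT"):
            break
    if not ssh_ok:
        findings.append("no ACCEPT for tcp/22 reachable before a DROP/REJECT in INPUT")
    # Replies to outbound connections arrive on INPUT, so this rule is needed.
    if not any("ESTABLISHED" in r.get("state", "") and r.get("j") == "ACCEPT" for r in inp):
        findings.append("INPUT lacks an ESTABLISHED,RELATED ACCEPT rule")
    # The per-user block must live in OUTPUT (the owner match only works
    # there) and be limited to NEW, or it would also kill the user's
    # already established ssh session.
    owner_rules = [r for r in chains.get("OUTPUT", [])
                   if r.get("uid-owner") == str(uid) and r.get("j") == "DROP"]
    if not owner_rules:
        findings.append(f"no OUTPUT DROP rule for uid {uid}")
    for r in owner_rules:
        if r.get("state") != "NEW":
            findings.append(f"OUTPUT DROP for uid {uid} is not limited to --state NEW")
    return findings


if __name__ == "__main__":
    # Usage: iptables -S | python3 fw_audit.py 1001
    # (with no piped input the constructed sample above is audited instead).
    uid = sys.argv[1] if len(sys.argv) > 1 else "1001"
    text = SAMPLE_RULES if sys.stdin.isatty() else sys.stdin.read()
    for f in audit(text, uid) or ["ok: all checks passed"]:
        print(f)
```

Run it after every edit of the firewall script, before you "su - jim": an empty list of findings means the ssh ACCEPT is still reachable, replies to outgoing connections are still let back in, and jim's block only catches new connections.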

Tests - not attempted
Jim blocked UNTESTED

Question 2: Run the apache server

In this question we will set up a server-side script with a security problem.

Note that each time you make a configuration change to the Apache server you must restart (or at the very least reload) the httpd service. To start Apache for the first time do:

service httpd start

And to reload the configuration file do:

service httpd reload

Now get the web server running...

Tests - not attempted
Run apache UNTESTED

Now we will create a simple server-side script. With an editor and while you are user dave, edit /var/www/cgi-bin/hack.htm and insert the following code.

#!/usr/bin/perl
use strict;
use CGI qw(:standard);
import_names("Q");
print header('-X-XSS-Protection'=>0);
print '<body>';
print h1 "Welcome to hack";
print p "Glad to have you back $Q::user\n";
print '</body>';

You also need to "chmod o+x /var/www/cgi-bin/hack.htm".

You can access this via the browser using "http://YOURHOSTNAME/cgi-bin/hack.htm?user=Gordon", where YOURHOSTNAME is the string given when you type "hostname". The string "Gordon" can be replaced with any name you like. Try it.

Tests - not attempted
Can read http://../cgi-bin/hack.htm?user=me UNTESTED
Script is dynamic UNTESTED

This script has a cross-site scripting (XSS) issue. If "user=gordon" becomes something riskier, like

hack.htm?user=gordon<script>alert("YouAreHacked")</script>

then when you run this you get to run arbitrary JavaScript on the page. This can be adapted to ask for passwords on sites hosted by banks, or to make spoof pages look like they are genuine. Try it (you should get a popup alert if it works).

Note that in Chrome (and presumably others) it detected this as an XSS problem and protected the browser automatically. I had to disable this safety check using a flag in the script.

The right thing to do here is to sanitise the user input in the script. To do this edit the file and delete the last two lines:

print p "Glad to have you back $Q::user\n";
print '</body>';

and change them to:

my $u=$Q::user;
$u = "hacker" if $u !~ m/^[a-zA-Z0-9]+$/;
print p "Glad to have you back $u\n";
print '</body>';
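To see why the fix works, and what it costs, the following Python script is an added example (not code from the tutorial or from hack.htm) that models the three versions of the page: the original interpolation, the tutorial's allow-list fix, and the more general fix of HTML-encoding on output. It reuses the request from the tutorial, with YOURHOSTNAME left as the placeholder; the function names and the use of re.fullmatch are this example's own choices.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed request reusing the tutorial's payload; the host is a placeholder.
SAMPLE_URL = 'http://YOURHOSTNAME/cgi-bin/hack.htm?user=gordon<script>alert("YouAreHacked")</script>'

# Same allow-list as the tutorial's fix. re.fullmatch is used instead of
# ^...$ because in both Perl and Python "$" also matches just before a
# trailing newline, so "bob\n" would slip through m/^[a-zA-Z0-9]+$/.
NAME_RE = re.compile(r"[a-zA-Z0-9]+")


def user_from_query(url):
    """Pull the 'user' parameter out of the request URL, as import_names("Q") does."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("user", [""])[0]


def render_unsafe(user):
    """The original hack.htm behaviour: the parameter lands in the page untouched."""
    return f"<p>Glad to have you back {user}\n</p>"


def render_allowlist(user):
    """The tutorial's fix: anything outside the allow-list becomes 'hacker'."""
    if not NAME_RE.fullmatch(user):
        user = "hacker"
    return f"<p>Glad to have you back {user}\n</p>"


def render_escaped(user):
    """The general fix: HTML-encode on output so any input is shown literally."""
    return f"<p>Glad to have you back {html.escape(user, quote=True)}\n</p>"


def script_tag_present(page):
    """Crude check used below: did a <script> tag survive into the output?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    u = user_from_query(SAMPLE_URL)
    for name, render in (("unsafe", render_unsafe),
                         ("allow-list", render_allowlist),
                         ("escaped", render_escaped)):
        out = render(u)
        print(f"{name:10s} script tag present: {script_tag_present(out)}")
        print(out)
```

The allow-list is the right call for a field that really is a plain username, but it also turns legitimate values such as "O'Brien" into "hacker"; output encoding keeps every input displayable and is the fix that generalises to any field echoed into HTML, so in practice you validate on input and encode on output.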

Tests - not attempted
Can read http://../cgi-bin/hack.htm?user=me UNTESTED
Script is dynamic UNTESTED
Script validates illegal user UNTESTED



Copyright © 2004-2017 Gordon Russell. All rights reserved.