Ecrit par:  DAVID
Date création:  16-04-2012
Tutoriel N° 254 - Sécuriser serveur OVH Kimsufi Gentoo Release 2 : informatique > gestion > ovh

Sécurité serveur OVH Kimsufi Gentoo Release 2


# Sécuriser phpMyAdmin

# Work from the web root: park the old 2.11.5 tree under a "2" suffix and give
# the 3.3.5.1 tree the short name ppm.
# NOTE(review): the 2.11.5 copy stays inside the web root and is still served
# under its new name; move it outside the document root or delete it.
cd /home/ovh/www
mv -- phpMyAdmin-2.11.5-all-languages-utf-8-only phpMyAdmin-2.11.5-all-languages-utf-8-only2
mv -- phpMyAdmin-3.3.5.1-all-languages ppm

On crée un lien symbolique
# NOTE(review): the target /home/ovh/www/phpmy is not a directory created by the
# steps above (the renamed tree is ppm). Because ppm already exists, ln will
# presumably create ppm/phpmy pointing at a missing path — confirm the intended layout.
ln -s /home/ovh/www/phpmy ppm



# Installation chkrootkit gentoo

# Build directory; the chkrootkit tarball from the attachment goes here.
cd /usr/local/src

Récupérer chkrootkit.tar.gz dans la pièce jointe

# Unpack into /usr/local (creates /usr/local/chkrootkit-0.49) and build.
# NOTE(review): the tarball comes from the page attachment; compare its checksum
# with the one published by the chkrootkit project before unpacking.
tar -zxvf chkrootkit.tar.gz -C /usr/local
cd /usr/local/
cd chkrootkit-0.49/
# "sense" is chkrootkit's build target.
make sense

# chkrootkit is run from its own build directory.
cd /usr/local/chkrootkit-0.49

On l'exécute
# Run the scan; any INFECTED / warning line needs manual review.
./chkrootkit



# Installation rkhunter gentoo

# Build directory for rkhunter.
cd /usr/local/src

Récupérer rkhunter-1.3.8.tar.gz dans la pièce jointe

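# Download over plain http, so verify the archive before unpacking. The 32-hex
# path component of this Fedora lookaside URL is the md5 of the tarball itself.
wget http://pkgs.fedoraproject.org/repo/pkgs/rkhunter/rkhunter-1.3.8.tar.gz/0c34eb2a2d0caa384f442c11fcbb0c46/rkhunter-1.3.8.tar.gz
printf '%s  %s\n' 0c34eb2a2d0caa384f442c11fcbb0c46 rkhunter-1.3.8.tar.gz | md5sum -c -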

# Unpack into /usr/local and install with the bundled installer.
tar -zxvf rkhunter-1.3.8.tar.gz -C /usr/local
cd /usr/local/
cd rkhunter-1.3.8/
./installer.sh --install
# First pass prints only warnings, second pass the full report.
rkhunter --checkall --report-warnings-only
rkhunter --checkall
# Stores the current file properties as the baseline for later checks: only do
# this on a system believed clean, otherwise a tampered binary becomes the reference.
rkhunter --propupd



#Utiliser PHP ver 5

avant:
# NOTE(review): "php ver" asks php to run a script called "ver" rather than
# print its version; the X-Powered-By header shown below looks like what the
# CGI build emits in that case. "php -v" reports the version directly.
php ver

X-Powered-By: PHP/4.4.8_pre20070816-pl1-gentoo

# Point the default "php" at the 5.x build and keep the 4.x build reachable as php4.
rm -f -- /usr/local/bin/php
ln -s -- /usr/local/php5/bin/php /usr/local/bin/php
ln -s -- /usr/local/php4/bin/php /usr/local/bin/php4
php ver



# Recevoir un mail si connexion en root

# Append the line below to root's interactive-shell startup file.
nano /root/.bashrc

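# Mails a notice every time root gets an interactive bash shell. .bashrc is not
# SSH-specific: su -, console logins and any other interactive bash count too,
# and "who" lists every current session, not just the new one.
# The original wrapped `hostname` in single quotes, which stops command
# substitution, so the mail body carried the literal text; $(...) inside double
# quotes is expanded. Replace votre_email@domaine.com with the real recipient.
echo "NOTIFICATION - Acces SSH en ROOT sur $(hostname) le: $(date) $(who)" \
  | mail -s "NOTIFICATION - Connexion en ROOT via SSH depuis: $(who | cut -d'(' -f2 | cut -d')' -f1)" votre_email@domaine.com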



# Installation firewall

Activer log proftpd

# Add the two log directives below at the end of the file.
nano /etc/proftpd/proftpd.conf

Ajouter à la fin

# Write transfer and daemon logs under /home/log.
# NOTE(review): the fail2ban [proftpd-iptables] jail further down reads
# /var/log/proftpd.log, not /home/log/proftpd.log — align one of the two paths,
# otherwise the jail has nothing to read.
TransferLog /home/log/xferlog
SystemLog /home/log/proftpd.log

# Reload proftpd so the new log paths take effect.
/etc/init.d/proftpd restart




# Installation firewall

# Create the init script with the contents below.
nano /etc/init.d/firewall

Remplacer xx.xx.xx.xx par votre adresse IP locale (celle de Free par exemple).
Elle sera la seule à pouvoir se connecter en FTP (et, avec les hôtes OVH listés, en SSH).

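#!/bin/sh
# chkconfig: 3 21 91
# description: Firewall
#
# Stateful INPUT filter for the public interface eth0.
# Usage: /etc/init.d/firewall {start|stop}
# "start" flushes INPUT and reloads the rules; "stop" only flushes, and the
# INPUT policy stays ACCEPT, so every port is reachable until the next start.
# Only eth0 traffic is filtered; lo is untouched.
#
# Replace xx.xx.xx.xx below with the admin address allowed to reach ftp/ssh.

IPT=/sbin/iptables
ADMIN_IP=xx.xx.xx.xx

# Append one INPUT rule; report a rule iptables rejects instead of skipping it
# silently (a --source hostname that does not resolve at boot, or a
# placeholder left in place, are the usual causes).
rule() {
  "$IPT" -A INPUT "$@" || echo "firewall: rule not loaded: $*" >&2
}

case "$1" in
start)
  "$IPT" -F INPUT
  rule -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Public services.
  rule -i eth0 -p tcp --dport 25 -j ACCEPT
  rule -i eth0 -p tcp --dport 53 -j ACCEPT
  rule -i eth0 -p udp --dport 53 -j ACCEPT
  rule -i eth0 -p tcp --dport 80 -j ACCEPT
  rule -i eth0 -p tcp --dport 110 -j ACCEPT
  rule -i eth0 -p tcp --dport 443 -j ACCEPT
  # NOTE(review): 3306 (MySQL) and 10000 (Webmin) are open to every source;
  # restrict them with --source as done for ftp/ssh unless remote access is required.
  rule -i eth0 -p tcp --dport 3306 -j ACCEPT
  rule -i eth0 -p tcp --dport 10000 -j ACCEPT
  # ftp and ssh only from the admin address and OVH's hosts.
  rule -i eth0 -p tcp --dport 21 --source "$ADMIN_IP" -j ACCEPT
  rule -i eth0 -p tcp --dport 22 --source cache.ovh.net -j ACCEPT
  rule -i eth0 -p tcp --dport 22 --source "$ADMIN_IP" -j ACCEPT
  # ICMP from OVH monitoring; hostnames are resolved once, when the rule loads.
  rule -p icmp --source proxy.ovh.net -j ACCEPT
  rule -p icmp --source proxy.p19.ovh.net -j ACCEPT

  rule -i eth0 -p tcp --dport 22 --source 213.186.33.13 -j ACCEPT

  rule -p icmp --source proxy.rbx.ovh.net -j ACCEPT
  rule -p icmp --source proxy.rbx2.ovh.net -j ACCEPT
  rule -p icmp --source ping.ovh.net -j ACCEPT
  # NOTE(review): xx.xx.xx.250/.251 are not covered by the "replace xx.xx.xx.xx"
  # instruction; fill them in or remove the two rules, otherwise they fail to load.
  rule -i eth0 -p icmp --source xx.xx.xx.250 -j ACCEPT
  rule -i eth0 -p icmp --source xx.xx.xx.251 -j ACCEPT

  rule -i eth0 -p icmp --source 213.186.33.250 -j ACCEPT
  rule -i eth0 -p icmp --source 213.186.33.251 -j ACCEPT

  # NOTE(review): a private source range accepted on the public interface is
  # easily spoofed; keep these two rules only if eth0 really carries an
  # internal network.
  rule -i eth0 -p tcp --source 192.168.0.0/16 -j ACCEPT
  rule -i eth0 -p udp --source 192.168.0.0/16 -j ACCEPT
  # NOTE(review): tcp/79 (finger) is open to everyone; remove unless intended.
  rule -i eth0 -p tcp --dport 79 -j ACCEPT
  # Everything else on eth0 is refused.
  rule -i eth0 -j REJECT
  exit 0
  ;;

stop)
  "$IPT" -F INPUT
  exit 0
  ;;
*)
  echo "Usage: /etc/init.d/firewall {start|stop}"
  exit 1
  ;;
esac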




Créer un script pour réinitialiser (flush) iptables
# Create the flush script next to the firewall script.
cd /etc/init.d
nano /etc/init.d/iptables_flush.sh

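#!/bin/sh
# Remove every rule and user-defined chain in the filter, nat and mangle tables
# and reset the built-in policies to ACCEPT.
# After this script the host accepts all traffic: run
# /etc/init.d/firewall start immediately afterwards.

# Same absolute path as the firewall script; PATH may be minimal at boot.
IPT=/sbin/iptables

echo "Flushing iptables rules..."
sleep 1
for table in filter nat mangle; do
  "$IPT" -t "$table" -F
  "$IPT" -t "$table" -X
done
for chain in INPUT FORWARD OUTPUT; do
  "$IPT" -P "$chain" ACCEPT
done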



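# 0755, not 0777: both scripts are executed as root, so a world-writable copy
# lets any local user put commands into them. Run from /etc/init.d.
chmod 0755 -- iptables_flush.sh firewall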
http://guides.ovh.com/FireWall


# Configuration fail2ban


# Keep a copy of the stock jail.conf, then edit jail.conf in place.
# NOTE(review): fail2ban never reads jail.conf.local; the override file it
# loads after jail.conf is jail.local, so this copy only serves as a backup.
cp -- /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.local
nano /etc/fail2ban/jail.conf

- On passe à true les modules nécessaires et on ajoute les manquants
- On change les chemins des logs

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 617 $
#
# Excerpt of the jails enabled in this tutorial; "..." stands for the stock
# options left untouched.

# The DEFAULT allows a global definition of the options. They can be override
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
# Replace xx.xx.xx.xx with the admin address (the same one used in the firewall script).
ignoreip = 127.0.0.1 xx.xx.xx.xx

# "bantime" is the number of seconds that a host is banned.
bantime = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

[ssh-iptables]
enabled = true
...
# NOTE(review): where sshd logs on Gentoo depends on the syslog setup; confirm
# that /var/log/auth.log is actually written on this host.
logpath = /var/log/auth.log

[proftpd-iptables]
enabled = true
...
# NOTE(review): proftpd.conf above sets SystemLog /home/log/proftpd.log; the two
# paths must match for this jail to see anything.
logpath = /var/log/proftpd.log


# This jail forces the backend to "polling".


[ssh-tcpwrapper]
enabled = true
...
logpath = /var/log/auth.log

# This jail demonstrates the use of wildcards in "logpath".
# Moreover, it is possible to give other files on a new line.

# NOTE(review): the apache jails below read /var/log/httpd/*, while the log
# truncated at the end of the tutorial is /var/log/access_log; confirm which
# directory apache writes to on this host.
[apache-tcpwrapper]
enabled = true
...
logpath = /var/log/httpd/error_log


[apache-badbots]
enabled = true
...
logpath = /var/log/httpd/access_log


# NOTE(review): [apache-badbots] is defined a second time here; depending on
# the INI parser duplicate sections are merged or rejected — keep one block.
[apache-badbots]
enabled = true

# NOTE(review): a multi-line "action" value needs its continuation line
# indented; if the leading whitespace was lost when this page was copied, the
# sendmail line is parsed as a malformed key. Replace votre_email.
action = iptables-multiport[name=BadBots, port="http,https"]
sendmail-buffered[name=BadBots, lines=5, dest=votre_email]
logpath = /var/log/httpd/access_log

maxretry = 1


# Filter file given further down (apache-w00tw00t.conf).
[apache-w00tw00t]
enabled = true
filter = apache-w00tw00t
action = iptables[name=Apache-w00tw00t,port=80,protocol=tcp]
logpath = /var/log/httpd/access_log
maxretry = 1


# Jail for dictionary attacks aimed at phpMyAdmin (filter file apache-admin.conf below).
[apache-admin]

enabled = true
port = http
filter = apache-admin
# Same continuation-line caveat as in [apache-badbots]; replace votre_email.
action = iptables[name=HTTP-Admin, port=http, protocol=tcp]
sendmail-whois[name=HTTP-Admin, dest=votre_email, sender=votre_email]
logpath = /var/log/httpd/error_log
maxretry = 6
bantime = 600




On ajoute les filtres manquants de fail2ban

# Filter definitions live here; the three files below are created in this directory.
cd /etc/fail2ban/filter.d/

# Filter referenced by the [apache-admin] jail.
nano apache-admin.conf

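# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 471 $
#
# Filter for the [apache-admin] jail: matches apache error_log lines from
# clients requesting admin / phpMyAdmin paths that do not exist on this host.
[Definition]
# Option: failregex
# Notes.: regex to match the password failure messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching.
# Values: TEXT
# [client x.x.x.x] File does not exist: /home/www/admin/admin,
#
# Two repairs against the copy printed on this page: the <HOST> tag (stripped
# when the page was rendered) is restored — without it fail2ban has no host
# group to ban — and the alternatives are grouped, otherwise "PMA", "mysql"
# and "loginrc" stand alone as whole-line alternatives that carry no client address.
failregex = [[]client <HOST>[]] File does not exist: .*(?:admin|PMA|mysql|loginrc)
#
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =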

-----------

# Filter referenced by the [apache-w00tw00t] jail.
nano apache-w00tw00t.conf

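# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 471 $
#
# NOTE(review): this block is the apache-admin filter again (same regex minus
# "loginrc") saved under the w00tw00t file name; the real w00tw00t definition
# is the one shown by the "cat apache-w00tw00t.conf" output that follows.
# The regex is still repaired here (<HOST> restored, alternatives grouped) so
# that it loads if kept.
[Definition]
# Option: failregex
# Notes.: regex to match the password failure messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching.
# Values: TEXT
# [client x.x.x.x] File does not exist: /home/www/admin/admin,
failregex = [[]client <HOST>[]] File does not exist: .*(?:admin|PMA|mysql)
#
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =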
root@ks367082:/etc/fail2ban/filter.d# cat apache-w00tw00t.conf
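[Definition]
# Matches the w00tw00t scanner probe in the apache access_log. The <HOST> tag
# (stripped in the copy printed on this page) is restored: without it the
# regex has no host group and fail2ban cannot ban anything.
failregex = ^<HOST> -.*"GET /w00tw00t.at.ISC.SANS.DFind:).*".*
ignoreregex =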

-----------

# Filter for remote-file-inclusion probes (=http:// in the query string).
nano php-url-fopen.conf

# Fail2Ban configuration file
#
# Author: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
# Version 2
# fixes the failregex so REFERERS that contain =http:// don't get blocked
# (mentioned by "fasuto" (no real email provided... blog comment) in this entry:
# http://blogs.buanzo.com.ar/2009/04/fail2ban-filter-for-php-injection-attacks.html#comment-1489
#
# NOTE(review): the jail.conf excerpt above defines no jail that references this
# filter, so as written it is never used; add a jail with filter = php-url-fopen
# and logpath pointing at the apache access_log to activate it.

[Definition]

# Option: failregex
# Notes.: regex to match this kind of request:
#
# 66.185.212.172 - - [26/Mar/2009:08:44:20 -0500] "GET /index.php?n=http://eatmyfood.hostinginfive.com/pizza$
#
# Only "=http://" in the request line is matched; "=https://" or "=ftp://" are not.
failregex = ^<HOST> -.*"(GET|POST).*?.*=http://.* HTTP/.*$

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =


-----------
# Empty the apache access log so the new jails start from a clean file.
# NOTE(review): this discards the existing record of earlier probes; prefer
# rotating the file (logrotate) over truncating it if that history may be needed.
cd /var/log
: > access_log

On exécute à chaque démarrage de ssh (mêmes commandes pour redémarrer)

# Full reload of the packet filter and fail2ban; the order matters.
/etc/init.d/firewall stop
fail2ban-client stop

# Between the flush and "firewall start" every port is open (policies ACCEPT),
# so keep the two lines together. fail2ban is started last because its actions
# insert their own chains and jump rules into INPUT, which the -F INPUT in
# "firewall start" would otherwise wipe.
sh /etc/init.d/iptables_flush.sh
/etc/init.d/firewall start
# -x: start the server even if a stale socket file is left behind.
fail2ban-client -x start

fail2ban-client status

