system monitoring advice
Hi folks,
After running Linux for about three years and now OpenBSD for about two, I am about ready to set up my small business webserver / office LAN. I will be running a small OpenBSD box with several NICs, providing (routing/firewall) connection from the internet via a "static" IP address to my small business web server and an internal LAN. This is a home/office system, not an Enterprise one. I have read here, and many man pages as applicable, plus The Book of PF, SSH Mastery and Absolute OpenBSD. I am a "NOVICE". The webserver will be a simple one consisting of just a few static pages running on a commercial OpenBSD server. The "Apache" webserver will be running from a default install chrooted in /www. There will be no e-commerce, email, or database functions. Since the web server info and related .conf's may be backed up and replaced easily, I am not worried about proprietary data loss, e-commerce corruption and/or financial/personal data loss. I think at this time I can set up a basic firewall/router that meets my business needs and simply works. Later, as my knowledge grows, I can refine it. I am "however" concerned with detecting and neutralizing malware pests from the outside infecting my system which sends pesky traffic to you... and our internet neighbors. I am fairly familiar with and use pfstat, systat etc. QUESTION: What do you folks use/employ to try to stay on top of potential malware traffic that may originate from your systems????? Remember this is not an Enterprise system here!!!!! Please suggest subjects/program reading and I can take it from here. Thanks in advance, FRCC
Last edited by frcc; 20th November 2012 at 01:45 PM.
Thank you!
I would place the webserver in a DMZ
For the simplest DMZ setup you would need a single box with 3 network cards. With a proper DMZ pf.conf, a static website, and with all unnecessary services like mail, ftp, ssh disabled, there is not much opportunity for somebody to use your www server for serving malware or attacking others. If you are really paranoid, you could even use a pf.conf for the server allowing only incoming traffic on tcp port 80, outgoing DNS traffic on tcp & udp port 53 and outgoing ntp (udp port 123).
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
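The three-NIC DMZ ruleset described in the reply above, written out as an added example (this is not the poster's own pf.conf). It uses OpenBSD's match/rdr-to/nat-to syntax, and the interface names (em0/em1/em2) and the addresses, which are taken from the RFC 5737 documentation ranges, are assumptions to be replaced with the real ones. Forwarding must also be enabled with net.inet.ip.forwarding=1 in /etc/sysctl.conf, which the ruleset cannot do for you.

```pf
# /etc/pf.conf on the router/firewall box (constructed example)
ext_if = "em0"              # internet side, the static address lives here
dmz_if = "em1"              # the web server hangs off this card
int_if = "em2"              # office LAN

dmz_net = "192.0.2.0/24"    # assumed addressing
web_srv = "192.0.2.80"
lan_net = "192.168.1.0/24"

set skip on lo
set block-policy drop

# Everything not explicitly allowed is dropped AND logged, so a look at
# pflog0 (tcpdump -n -e -ttt -i pflog0) shows exactly what was refused.
block log all

# Hide the LAN and the DMZ behind the static address on the way out.
match out on $ext_if inet from { $lan_net $dmz_net } nat-to ($ext_if)

# The only thing the internet may reach: tcp/80, forwarded to the DMZ host.
pass in on $ext_if inet proto tcp from any to ($ext_if) port 80 rdr-to $web_srv

# What the web server itself may start: DNS (tcp+udp) and NTP, and never
# anything towards the office LAN. Since the default is "block all", a
# compromised web server cannot reach the LAN or send mail/scan the internet.
pass in on $dmz_if inet proto { tcp udp } from $web_srv to ! $lan_net port 53
pass in on $dmz_if inet proto udp from $web_srv to ! $lan_net port 123

# Office LAN may go anywhere (which includes tcp/80 on the web server).
pass in on $int_if inet from $lan_net

# pf evaluates the ruleset again on the outbound interface; only traffic that
# already passed one of the "pass in" rules above (or the router's own) gets here.
pass out quick inet
```

Check the syntax before loading it with `pfctl -nf /etc/pf.conf`, then load it with `pfctl -f /etc/pf.conf`; `pfctl -sr` shows the rules as pf actually parsed them, and `pfctl -ss` shows the two state entries (one per interface) a forwarded connection creates.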
traffic monitoring advice
Do any of you use any kind of malware scanning software such as
"clamscan"? Is it a valuable/viable tool? Is there a need for something like rootkit hunter in OpenBSD? Is software that tracks changes to file attributes a useful tool? If so, what do you use? Do any of you use a more strict run level than the default install? Do most of you use PF exclusively for all your traffic routing/firewall needs? I.e. do you use any additional tools to augment PF? Thanks for the replies so far, FRCC
Instead of clamscan or a rootkit detector you could use aide to check the integrity of your server. This would be rather easy to use because you have physical access to the server.
I administer a FreeBSD server in a data center. One of the first things I did was creating a suitable pf.conf to protect the server itself from malicious incoming traffic and to prevent unauthorized outgoing traffic. Other measures that I took:
I check the pflog logs on a regular basis. I see a lot of attempts to connect to MS SQL server, MS Remote Desktop Protocol, MS NetBios and whatever the current exploit of the week is. Also bots that try the telnet, mysql, DNS, imap, smtp, and 8080 ports. The Apache error logs show a lot of probes for phpMyAdmin and Wordpress admin:
Code:
[Sun Sep 02 14:47:40 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/_admin
[Sun Sep 02 14:47:40 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/_myadmin
[Sun Sep 02 14:47:40 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/_admin
[Sun Sep 02 14:47:40 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/_admin
[Sun Sep 02 14:47:40 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/admin
[Sun Sep 02 14:47:40 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/admin
[Sun Sep 02 14:47:40 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/admin
[Sun Sep 02 14:47:40 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/dbadmin
[Sun Sep 02 14:47:40 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/myadmin
[Sun Sep 02 14:47:41 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/mysqladmin
[Sun Sep 02 14:47:42 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/phpadmin
[Sun Sep 02 14:47:42 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/phpmyadmin.old
[Sun Sep 02 14:47:42 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/phpMyAdmin
[Sun Sep 02 14:47:42 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/phpmyadmin
[Sun Sep 02 14:47:42 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/phpmyadmin1
[Sun Sep 02 14:47:42 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/phpmyadmin2
[Sun Sep 02 14:47:43 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/php-my-admin
[Sun Sep 02 14:47:43 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/phpmyadmin
[Sun Sep 02 14:47:43 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/phpMyAdmin
[Sun Sep 02 14:47:43 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/php-myadmin
[Sun Sep 02 14:47:43 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/phpmy-admin
[Sun Sep 02 14:47:43 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/webadmin
[Sun Sep 02 14:47:44 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/mysqladmin
[Sun Sep 02 14:47:44 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/mysql-admin
[Sun Sep 02 14:47:44 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/wbsadmin
[Sun Sep 02 14:47:44 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/phpadmin
[Sun Sep 02 14:47:44 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/phpMyAdmin-2.11.4
[Sun Sep 02 14:47:45 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/phpmyadmino-ld
I never bothered with securelevel. At this moment I am looking into mod_security, a web application firewall. Rules for mod_security inspect the payload of the HTTP traffic and depending on the contents can block, log or deny such requests.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
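The log excerpt in the reply above is the kind of thing that is worth noticing automatically rather than by reading error_log by hand: one client walking through a wordlist of admin-panel names produces dozens of distinct "File does not exist" entries within a few seconds, whereas a stale bookmark or a missing favicon produces one or two spread over a long time. The script below is an added example (not the poster's, and not part of Apache) that parses the Apache 2.2 error_log format shown in the thread and reports clients that hit many distinct missing paths inside a short window. The sample lines are constructed, use RFC 5737 documentation addresses, and the thresholds are assumptions to tune to your own traffic.

```python
import re
import sys
from collections import defaultdict
from datetime import datetime, timedelta

# Apache 2.2-style error_log entry, e.g.
# [Sun Sep 02 14:47:40 2012] [error] [client 192.0.2.1] File does not exist: /path
LINE_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \d{4})\] "
    r"\[(?P<level>\w+)\] \[client (?P<client>[0-9a-fA-F.:]+)\] "
    r"File does not exist: (?P<path>\S+)$"
)
TS_FMT = "%a %b %d %H:%M:%S %Y"

# Constructed sample: one client walking admin-panel names, one client with a
# single stray 404, and one unrelated notice line that must be ignored.
SAMPLE_LOG = """\
[Sun Sep 02 14:47:40 2012] [error] [client 203.0.113.5] File does not exist: /var/www/htdocs/_admin
[Sun Sep 02 14:47:40 2012] [error] [client 203.0.113.5] File does not exist: /var/www/htdocs/admin
[Sun Sep 02 14:47:41 2012] [error] [client 203.0.113.5] File does not exist: /var/www/htdocs/dbadmin
[Sun Sep 02 14:47:42 2012] [error] [client 203.0.113.5] File does not exist: /var/www/htdocs/phpmyadmin
[Sun Sep 02 14:47:42 2012] [error] [client 203.0.113.5] File does not exist: /var/www/htdocs/phpMyAdmin
[Sun Sep 02 14:47:43 2012] [error] [client 203.0.113.5] File does not exist: /var/www/htdocs/webadmin
[Sun Sep 02 14:52:10 2012] [error] [client 198.51.100.7] File does not exist: /var/www/htdocs/favicon.ico
[Sun Sep 02 14:53:01 2012] [notice] caught SIGTERM, shutting down
""".splitlines()


def parse_line(line):
    """Return {'ts', 'client', 'path'} for a 'File does not exist' entry, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "client": m.group("client"),
        "path": m.group("path"),
    }


def find_probers(lines, min_distinct=5, window=timedelta(minutes=1)):
    """Clients that requested at least min_distinct distinct missing paths within one window.

    Thresholds are assumptions: a scanner exhausts a wordlist in seconds, a
    human or a broken link produces a couple of misses over a long time.
    """
    by_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_client[rec["client"]].append((rec["ts"], rec["path"]))

    hits = {}
    for client, events in by_client.items():
        events.sort()
        start = 0
        # Sliding window over the time-ordered events of this client.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {path for _, path in events[start:end + 1]}
            if len(distinct) >= min_distinct:
                hits[client] = {
                    "distinct_paths": len(distinct),
                    "first": events[start][0],
                    "last": events[end][0],
                    "sample": sorted(distinct)[:5],
                }
                break  # first window that crosses the threshold is enough
    return hits


if __name__ == "__main__":
    # Usage: python3 probes.py /var/www/logs/error_log   (no argument: built-in sample)
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    for client, info in sorted(find_probers(lines).items()):
        print(f"{client}: {info['distinct_paths']} missing paths between "
              f"{info['first']:%H:%M:%S} and {info['last']:%H:%M:%S}, "
              f"e.g. {', '.join(info['sample'])}")
```

Run it against the chroot's error_log from cron and mail yourself the output; addresses it reports are candidates for a pf table that you feed with `pfctl -t probers -T add`, but the more useful lesson is that the probes in the thread are all against paths a static site does not have, so they are noise to count, not something to answer.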
What are you looking to accomplish with clam? I use it in conjunction with havp/squid for a proxy/virus scanner solution.
All outbound HTTP traffic from my internal LAN is filtered through squid and havp to scan downloads. It works great. For inbound you can do the same: set up a squid box as a reverse proxy to provide some security. But if you're running an OpenBSD server with nginx chrooted you'll be fine, as long as your application's code is solid. As someone noted, your publicly accessible boxes should be on your DMZ; if there is an internal service or app that needs to be reached from the outside, set up either an IPsec VPN or OpenVPN.