DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 19th November 2012
frcc frcc is offline
Don't Worry Be Happy!
 
Join Date: Jul 2011
Location: hot,dry,dusty,rainy,windy,straight winds, tornado,puts the fear of God in you-Texas
Posts: 335
Default system monitoring advice

Hi folks,
After running linux for about three years and now OpenBSD for about two i am about ready to set up my small business webserver office lan.

I will be running a small OpenBSD box with several nics, providing (routing/firewall) connection from the internet via a "Static" ip address to my small business web server and an internal lan.

This is a home/office system not an Enterprise one.

I have read here, and many man pages as applicable, plus the book of PF, SSH mastery and Absolute OpenBSD. I am a "NOVICE". The webserver will be a simple one consisting of just a few static pages running on a commercial OpenBSD server. The "Apache" webserver will be running from a default install chrooted in /www. There will be no e-commerce, email, or database functions.

Since the web server info, and related .conf's may be backup'd and replaced easily i am not worried about proprietary data loss, e-commerce corruption and or financial/personal data loss.
I think at this time i can set-up a basic firewall/router that meets my business needs
and simply works. Later as my knowledge grows i can refine it.

I am "however" concerned with detecting and neutralizing mal-ware pests from the outside infecting my system which sends pesky traffic to you.......and our internet neighbors.
I am fairly familiar and use pfstat, and systat etc.

QUESTION:
What do you folks use/employ to try to stay on top of potential malware traffic
that may originate from your systems.?????
Remember this is not an Enterprise system here!!!!!

Please suggest subjects/program reading and i can take it from here.


thanks in advance
FRCC

Last edited by frcc; 20th November 2012 at 01:45 PM.
Reply With Quote
  #2   (View Single Post)  
Old 19th November 2012
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

On my personal network, I manage a limited amount of outbound traffic. Other than just traffic shaping outbound traffic by bandwidth, the only outbound traffic I govern is Email. I don't prevent malware transmission outbound, I merely eliminate spambots:
I block outbound SMTP traffic except for known, permitted MTAs, operated by my ISP or by other contracted Email service providers, such as DynDNS's mailhop.org. I route outbound traffic through a local MTA. Initially I did so with the intent of filtering outbound Emails with SpamAssassin, but later dropped that idea without implementing it. I did not want to deal with the delays and management complexities of false positives. Now I merely monitor /var/log/maillog for outbound traffic loads. The monitoring tool I use is grep(1) | less(1).

The only time I had a problem with excessive traffic it was due to repetitive Emails caused by a full partition, not any sort of comprised system.

Last edited by jggimi; 19th November 2012 at 08:42 PM. Reason: typo, clarity
Reply With Quote
  #3   (View Single Post)  
Old 19th November 2012
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,128
Default

I would place the webserver in a DMZ
For the most simple DMZ setup you would need a single box with 3 network cards.

With a proper DMZ pf.conf, a static website, and with all unnecessary services like mail, ftp, ssh disabled, there is not much opportunity for somebody to use your www server for serving malware or attacking others.

If you are really paranoia, you even could use a pf.conf for the server allowing only incoming traffic on tcp port 80, outgoing DNS traffic on tcp & udp port 53 and outgoing ntp (udp port 123).
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #4   (View Single Post)  
Old 19th November 2012
frcc frcc is offline
Don't Worry Be Happy!
 
Join Date: Jul 2011
Location: hot,dry,dusty,rainy,windy,straight winds, tornado,puts the fear of God in you-Texas
Posts: 335
Default traffic monitoring advice

Do any of you use any kind of malware scanning software such as
"clamscan" is it a valuable/viable tool?

Is there a need for something like rootkit hunter in OpenBSD?

Is/does software that tracks changes to file attributes a useful tool?
lf so what do you use?

Do any of you use a more strict run level from default install?

Do most of you use PF exclusively for all your traffic routing/firewall needs?
ie do you use any addiltional tools to augment PF ?

thanks for the replies so far
FRCC
Reply With Quote
  #5   (View Single Post)  
Old 20th November 2012
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,128
Default

Instead of clamscan or a rootkit detector you could use aide to check the integrity of your server. This would rather be easy to use because you have physical access to the server.

I administer a FreeBSD server in a data center. One of the first things I did was creating a suitable pf.conf to protect the server itself for malicious incoming traffic and to prevent unauthorized outgoing traffic.

Other measures that I took
  • moved ssh to another port than 22
  • disabled ssh root logins
  • disabled ftpd
  • disabled inetd

I check the pflog logs on a regular basis. I see a lot of attempts to connect to MS SQL server, MS Remote Desktop Protocol, MS NetBios and whatever the current exploit of the week is
Also bots that try the telnet , mysql , DNS, imap, smtp, and 8080 ports.

The Apache error logs show a lot of probes for phpMyAdmin and Wordpress admin

Code:
[Sun Sep 02 14:47:40 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/_admin
[Sun Sep 02 14:47:40 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/_myadmin
[Sun Sep 02 14:47:40 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/_admin
[Sun Sep 02 14:47:40 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/_admin
[Sun Sep 02 14:47:40 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/admin
[Sun Sep 02 14:47:40 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/admin
[Sun Sep 02 14:47:40 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/admin
[Sun Sep 02 14:47:40 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/dbadmin
[Sun Sep 02 14:47:40 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/myadmin
[Sun Sep 02 14:47:41 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/mysqladmin
[Sun Sep 02 14:47:42 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/phpadmin
[Sun Sep 02 14:47:42 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/phpmyadmin.old
[Sun Sep 02 14:47:42 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/phpMyAdmin
[Sun Sep 02 14:47:42 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/phpmyadmin
[Sun Sep 02 14:47:42 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/phpmyadmin1
[Sun Sep 02 14:47:42 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/phpmyadmin2
[Sun Sep 02 14:47:43 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/php-my-admin
[Sun Sep 02 14:47:43 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/phpmyadmin
[Sun Sep 02 14:47:43 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/phpMyAdmin
[Sun Sep 02 14:47:43 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/php-myadmin
[Sun Sep 02 14:47:43 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/phpmy-admin
[Sun Sep 02 14:47:43 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/webadmin
[Sun Sep 02 14:47:44 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/mysqladmin
[Sun Sep 02 14:47:44 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/mysql-admin
[Sun Sep 02 14:47:44 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/wbsadmin
[Sun Sep 02 14:47:44 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/phpadmin
[Sun Sep 02 14:47:44 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/phpMyAdmin-2.11.4
[Sun Sep 02 14:47:45 2012] [error] [client 72.51.35.239] File does not exist: /usr/local/www/data/xyz.com/phpmyadmino-ld
By only running a static web server you already eliminate most of these attack possibilities.

I never bothered with securelevel.

At this moment I am looking into mod_security, an web application firewall. Rules for mod_security inspect the payload of the HTTP traffic and depending on the contents can block, log or deny such requests.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #6   (View Single Post)  
Old 20th November 2012
frcc frcc is offline
Don't Worry Be Happy!
 
Join Date: Jul 2011
Location: hot,dry,dusty,rainy,windy,straight winds, tornado,puts the fear of God in you-Texas
Posts: 335
Default

thankyou!
Reply With Quote
  #7   (View Single Post)  
Old 20th November 2012
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

Quote:
Originally Posted by frcc View Post
Do any of you use any kind of malware scanning software such as
"clamscan" is it a valuable/viable tool?
ClamAV's clamscan is a valuable tool for scanning Windows filesystems from a central server. It has no value for OpenBSD.
Quote:
Is there a need for something like rootkit hunter in OpenBSD?
I have no idea if such a tool is available for OpenBSD. If there was such a tool available, my guess is it would have limited value.
Quote:
Is/does software that tracks changes to file attributes a useful tool? lf so what do you use?
I have found OpenBSD's automated security(8) script usually sufficient. For manual inspections I have used mtree(1) once in a while.
Quote:
Do any of you use a more strict run level from default install?
Not me.
Quote:
Do most of you use PF exclusively for all your traffic routing/firewall needs?
PF only, here.
Reply With Quote
  #8   (View Single Post)  
Old 14th December 2012
denta denta is offline
Shell Scout
 
Join Date: Nov 2009
Location: Sweden
Posts: 95
Default

Quote:
Originally Posted by J65nko View Post
Instead of clamscan or a rootkit detector you could use aide to check the integrity of your server. This would rather be easy to use because you have physical access to the server.
Like Jggimi mentioned, one could also use mtree to verify file integrity, thus not needing any additional software (which I like). A short quote from the man page:
Quote:
To detect system binaries that have been ``trojan horsed'', it is recommended that mtree -cK sha1digest be run on the file systems, and a copy of the results stored on a different machine, or, at least, in encrypted form.
Reply With Quote
  #9   (View Single Post)  
Old 23rd January 2013
scrummie02 scrummie02 is offline
Port Guard
 
Join Date: Nov 2011
Posts: 27
Default

what are you looking to accomplish with clam? I use it in conjunction with havp/squid for a proxy/virus scanner solution.

All outbound HTTP traffic from my internal lan is filtered through squid and havp for to scan downloads. It works great.

For inbound you can do the same, set up a squid box for reverse proxy to provide some security. But if you're running and OpenBSD server with nginx chrooted you'll be fine - as long as your application's code is solid.

As someone noted, your publicly accessible boxes should be on your DMZ, if there is an internal service or app that needs to be reached from the outside set up either an ipsec vpn or OpenVPN.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
ZFS Performance monitoring replaysMike FreeBSD General 1 14th November 2009 09:32 AM
System Monitoring Tools IronForge OpenBSD Packages and Ports 4 29th October 2009 03:18 AM
How to: DMESG Monitoring damien-NF FreeBSD Installation and Upgrading 2 4th August 2009 11:30 PM
pf NAT monitoring cerulean FreeBSD General 1 20th October 2008 12:27 PM


All times are GMT. The time now is 05:52 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick