Tuesday, April 21, 2009

Housecleaning Linux Style

It’s been quite a busy few days here at the Firm. We’ve gone live with a new website (hosted on Linux, of course), exchanged a ton of electronic files with one of our vendors via TrueCrypt, and finished off our monthly reboots (thanks, Microsoft). The web server was probably the most fun. During the process I enabled Google Analytics, awstats, logwatch, SELinux and iptables. Google Analytics is great for getting quick and dirty stats on your web server. This is the first time I’ve enabled it site wide and it has really been eye opening. Do yourself a favor and use it on your site to track where people are going. I even enabled it on my blog, and it seems my posts on Equallogic and HP ProCurve are my top hits.

Awstats is a Perl script that parses your Apache access_log and reports back on your web site statistics in a meaningful way. (It can do other apps like FTP as well, but I’m only using it for httpd.) Lots of great info here, but it takes a bit more tuning to get it running the way you want. I’m still tweaking the output but I hope to get it all done soon.

Logwatch is a tool shipped with most distros that parses your log files and rolls up some really basic, but important, statistics, which it then optionally emails to you. You are probably running this tool already and don’t even know it. Do yourself a favor and edit your logwatch.conf file (mine is under /usr/share/logwatch/default.conf) and add your email address to the “MailTo =” line. One caveat: the copy under /usr/share/logwatch/default.conf is the packaged default and a package update can overwrite it; the same setting placed in /etc/logwatch/conf/logwatch.conf overrides the default and survives upgrades. As this is a web server I’m interested in who is logging in remotely, and logwatch details out the SSHD login info:

sshd:
   Authentication Failures:
      root (192.168.31.111): 216 Time(s)
      unknown (192.168.51.11): 48 Time(s)
   Invalid Users:
      Unknown Account: 48 Time(s)
   Sessions Opened:
      root: 27 Time(s)

Failed logins from:
    xx.xxxx.xx.xxx: 216 times
       root/password: 216 times

Illegal users from:
    xx.xxx.xx.xxx: 48 times
       oracle/password: 48 times

Users logging in through sshd:
    root:
       xx.xxx.xx.xx(aserver.onthenet.com): 21 times
       xx.xx.xx.xxx(anotherserver.onthenet.com): 3 times
       xx.xx.xx.xx(ahost.outtheresomewhere.com): 2 times
       xx.xx.xxx.xxx(anotherhost.outtheresomewhere.com): 1 time

Received disconnect:
    11: Bye Bye
       xx.xxx.xx.xxx : 264 Time(s)

SFTP subsystem requests: 21 Time(s)

Logwatch will summarize much more than just the sshd logs, but I wanted to give you a sample of its power. Even this small sample is worth reading closely: 216 password failures against root from a single address, 48 guesses at an oracle account that doesn’t exist, and 27 sessions opened as root over SSH. The failures are the usual background noise of the Internet, but the root sessions are the thing to fix: set PermitRootLogin no in sshd_config, log in as an unprivileged user with an SSH key and use sudo, so that one guessed password can never hand out root directly.
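As an added example (not logwatch’s own code, which is Perl), here is a small Python script that does the same roll-up over sshd lines in the syslog format found in /var/log/secure or /var/log/auth.log, renders it in the layout above, and then applies the two checks worth acting on: a source past a failure threshold and any session opened as root. The log lines, host name, addresses and user names in it are constructed for the example.

```python
"""Roll up OpenSSH log lines into a logwatch-style sshd summary.

Added example, not logwatch's code.  The sample log below is constructed;
the message formats are the ones OpenSSH writes via syslog.
"""
import re
from collections import Counter

# Only the sshd[pid]: ... part of each syslog line matters to the parser.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)
INVALID = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>\S+)")
DISCONNECT = re.compile(r"sshd\[\d+\]: Received disconnect from (?P<ip>\S+?): (?P<code>\d+):")

# Constructed sample: one address guessing root's password, one probing for
# an 'oracle' account, a key-based admin login and a password login as root.
SAMPLE_LOG = """\
Apr 20 03:12:01 web1 sshd[4321]: Failed password for root from 192.168.31.111 port 51234 ssh2
Apr 20 03:12:03 web1 sshd[4321]: Failed password for root from 192.168.31.111 port 51234 ssh2
Apr 20 03:12:05 web1 sshd[4321]: Failed password for root from 192.168.31.111 port 51234 ssh2
Apr 20 03:12:05 web1 sshd[4321]: Received disconnect from 192.168.31.111: 11: Bye Bye
Apr 20 03:12:09 web1 sshd[4330]: Invalid user oracle from 192.168.51.11
Apr 20 03:12:11 web1 sshd[4330]: Failed password for invalid user oracle from 192.168.51.11 port 40112 ssh2
Apr 20 03:12:12 web1 sshd[4330]: Received disconnect from 192.168.51.11: 11: Bye Bye
Apr 20 03:13:10 web1 sshd[4399]: Accepted publickey for admin from 10.0.0.5 port 55555 ssh2
Apr 20 03:15:42 web1 sshd[4410]: Accepted password for root from 10.0.0.9 port 50001 ssh2
"""


def summarize(lines):
    """Count failures, invalid users, opened sessions and disconnects per source."""
    s = {"failed": Counter(), "invalid": Counter(), "sessions": Counter(), "disconnects": Counter()}
    for line in lines:
        if m := FAILED.search(line):
            s["failed"][(m["ip"], m["user"], m["method"])] += 1
        elif m := ACCEPTED.search(line):
            s["sessions"][(m["user"], m["ip"], m["method"])] += 1
        elif m := INVALID.search(line):
            s["invalid"][(m["ip"], m["user"])] += 1
        elif m := DISCONNECT.search(line):
            s["disconnects"][(m["ip"], m["code"])] += 1
    return s


def findings(summary, threshold=5):
    """The items to act on: noisy sources, and any root session (PermitRootLogin no)."""
    per_ip = Counter()
    for (ip, _user, _method), n in summary["failed"].items():
        per_ip[ip] += n
    out = [f"{ip}: {n} failed logins, candidate for blocking"
           for ip, n in per_ip.items() if n >= threshold]
    for (user, ip, method), n in summary["sessions"].items():
        if user == "root":
            out.append(f"root logged in {n} time(s) from {ip} via {method}; "
                       "set PermitRootLogin no and use sudo")
    return out


def report(summary):
    """Render the counts in the layout logwatch uses."""
    out = ["sshd:", "   Authentication Failures:"]
    for (ip, user, method), n in sorted(summary["failed"].items()):
        out.append(f"      {user} ({ip}) via {method}: {n} Time(s)")
    out.append("   Invalid Users:")
    for (ip, user), n in sorted(summary["invalid"].items()):
        out.append(f"      {user} ({ip}): {n} Time(s)")
    out.append("   Sessions Opened:")
    for (user, ip, method), n in sorted(summary["sessions"].items()):
        out.append(f"      {user} from {ip} ({method}): {n} Time(s)")
    out.append("   Received disconnect:")
    for (ip, code), n in sorted(summary["disconnects"].items()):
        out.append(f"      {code} from {ip}: {n} Time(s)")
    return "\n".join(out)


if __name__ == "__main__":
    summ = summarize(SAMPLE_LOG.splitlines())
    print(report(summ))
    for item in findings(summ, threshold=3):
        print("!!", item)
```

Point it at a real file with `summarize(open("/var/log/secure"))` and raise the threshold to something that separates scanners from your own typos; the regexes deliberately ignore lines they don’t recognise rather than guessing at them.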

SELinux is not a firewall in the network sense; it is mandatory access control built into the kernel. Each service/daemon runs confined in its own labelled domain and can only touch the files, ports and other resources its policy allows, so the services all get along without stepping on each other. Should something get hacked, SELinux keeps the attacker from reaching data beyond what the compromised service has rights to: an exploit in the web server can’t read /etc/shadow or write outside httpd’s content directories just because it runs as the apache user. It’s a little hard to get your arms around, but it’s well worth the time invested learning how it works. Keep it in enforcing mode, and when an application misbehaves check /var/log/audit/audit.log (or run ausearch -m avc) for the denial before concluding the policy needs to be switched off.

iptables is a very flexible and useful firewall. One thing I learned how to do was to rate-limit new SSH connections, so that an address which keeps hammering the login prompt gets dropped for a while. (What hits an SSH server is an online brute-force or dictionary attack; rainbow tables are for cracking password hashes an attacker has already captured, not for guessing at a live login.) Here’s the quick and dirty:

iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH

iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP

If those lines wrap on your screen, each rule is a single command; use them as a head start. Order matters: the first rule records every new connection to port 22 in the list named SSH and has no target, so the packet falls through to the second, which drops it once the source has 8 or more hits in the last 60 seconds. Because --update also refreshes the entry, an attacker who keeps hammering stays blocked until they pause for a full minute. Neither rule accepts anything, so the rule that actually allows new SSH connections has to come after these two, and the limit applies to you as well: fumble your own password eight times and you wait sixty seconds. Lots and lots of buttons and knobs to turn, that’s for sure.
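To see exactly what those two rules do to a stream of connections, here is an added Python simulation of the kernel’s recent-match logic as documented (my illustration, not code from the post or from netfilter): the --set rule appends the current time to the source address’s timestamp list and falls through, and the --update rule counts that address’s timestamps within the last --seconds and, once there are --hitcount of them, appends another timestamp and matches, so the packet is dropped. It assumes the per-address list holds 20 stamps (the ip_pkt_list_tot default), does not model --rttl, uses seconds as the clock, and treats a packet that passes both rules as accepted by a later rule the post doesn’t show. The addresses and timings are constructed.

```python
"""Simulate the two iptables '-m recent' rules (--set, then --update
--seconds 60 --hitcount 8 -j DROP) against a stream of NEW SSH connections.

Added illustration, not netfilter code.  Assumptions: 20 stamps per address
(ip_pkt_list_tot default), --rttl ignored, whole seconds as the clock, and a
packet that passes both rules is accepted by a rule further down.
"""
from collections import defaultdict, deque

LIST_SIZE = 20  # ip_pkt_list_tot default; oldest stamps are overwritten beyond this


class RecentTable:
    """One named list (--name SSH), keyed by source address."""

    def __init__(self, seconds=60, hitcount=8):
        self.seconds = seconds
        self.hitcount = hitcount
        self.stamps = defaultdict(lambda: deque(maxlen=LIST_SIZE))

    def new_connection(self, ip, now):
        """Verdict for a NEW SYN to port 22 from `ip` at time `now`."""
        stamps = self.stamps[ip]
        stamps.append(now)  # rule 1: --set records the hit and falls through (no -j)
        window_start = now - self.seconds
        hits = sum(1 for t in stamps if t >= window_start)
        if hits >= self.hitcount:  # rule 2: --update --seconds --hitcount matched
            stamps.append(now)  # --update refreshes the entry: hammering keeps you blocked
            return "DROP"
        return "PASS"  # fell through to the (assumed) ACCEPT rule


def simulate(attempts, seconds=60, hitcount=8):
    """Run (ip, time) pairs through the rules in time order; return (ip, time, verdict)."""
    table = RecentTable(seconds, hitcount)
    ordered = sorted(attempts, key=lambda a: a[1])
    return [(ip, t, table.new_connection(ip, t)) for ip, t in ordered]


# Constructed traffic: a scanner opening a new connection every 2 s for 24 s,
# an administrator opening two sessions in the middle of it, and the scanner
# coming back after more than a minute of silence.
ATTACKER, ADMIN = "203.0.113.5", "198.51.100.7"
ATTEMPTS = (
    [(ATTACKER, t) for t in range(0, 24, 2)]
    + [(ADMIN, 5), (ADMIN, 9)]
    + [(ATTACKER, 90), (ATTACKER, 91)]
)


def verdicts_for(ip, attempts=ATTEMPTS, seconds=60, hitcount=8):
    """Verdicts for one source address, in time order."""
    return [v for src, _t, v in simulate(attempts, seconds, hitcount) if src == ip]


if __name__ == "__main__":
    for ip, t, verdict in simulate(ATTEMPTS):
        print(f"t={t:3d}s  {ip:<14} {verdict}")
```

The scanner’s first seven connections pass, the eighth and everything after it within the minute is dropped, the administrator is never touched because the list is per source address, and after a 60-second gap the scanner’s stamps have aged out and it gets a fresh seven tries. Two things the simulation makes visible: several users behind one NAT address share a single counter, and an attacker who spreads attempts across many addresses never trips the rule, so this is a nuisance filter, not a substitute for keys and PermitRootLogin no.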

Enjoy.
