Friday 22 May 2009

Hardening a RHEL5 Box and the NSA

Hardening a server takes two general activities: reducing the number of services that can be attacked, and protecting any services that are still required.

There are a lot of discussions on how to do this for various operating systems, including RedHat Linux. RedHat's Deployment Guide is a good resource.

The NSA also has documents on securing your operating system. However, they're a little hard to get. I tried searching for RHEL5 on their site and had some difficulty accessing the documents in the search results:

NSA Site Search for RHEL5

Now it's a little hard to access the documents on the NSA's E drive, but I was able to eventually find them by getting in another way ;) ;) ... Okay, I didn't break in to the NSA to get on their E drive, I found the page that actually has good links: NSA/CSS Operating Systems.

There's a longer document (about 170 pages) and also a short reference (2 pages) which gives lots of good things to secure.

There are a lot of other good resources online as well, so I won't ramble further. Just turn off anything you don't need, update what you do need frequently, and secure your system with a firewall and other security tools (PortSentry, fail2ban, DenyHosts, anti-virus software, rootkit detection, etc, etc, etc).

- Arch

Wednesday 20 May 2009

Virtual Host Debugging

I just came across this obscure feature of apache2ctl / httpd:


# apache2ctl -S
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:443 webmail.nibble.bz (/etc/apache2/sites-enabled/webmail.nibble.bz:3)
*:80 is a NameVirtualHost
default server alia.dl.nibble.bz (/etc/apache2/sites-enabled/000-default:2)
port 80 namevhost alia.dl.nibble.bz (/etc/apache2/sites-enabled/000-default:2)
port 80 namevhost blog.nibble.bz (/etc/apache2/sites-enabled/blog.nibble.bz:3)
port 80 namevhost www.nibble.bz (/etc/apache2/sites-enabled/blog.nibble.bz:17)
port 80 namevhost forums.thenibble.org (/etc/apache2/sites-enabled/forums.thenibble.org:2)
port 80 namevhost lists.thenibble.org (/etc/apache2/sites-enabled/lists.thenibble.org:10)
port 80 namevhost siona.nibble.bz (/etc/apache2/sites-enabled/siona.nibble.bz:1)
port 80 namevhost uro.mine.nu (/etc/apache2/sites-enabled/uro.mine.nu:2)
port 80 namevhost webmail.nibble.bz (/etc/apache2/sites-enabled/webmail.nibble.bz:51)
port 80 namevhost www.thenibble.org (/etc/apache2/sites-enabled/www.thenibble.org:3)
port 80 namevhost thenibble.org (/etc/apache2/sites-enabled/www.thenibble.org:15)
Syntax OK


"man apache2ctl" doesn't give the switch parameters but merely alludes to the presence of them:


SYNOPSIS
When acting in pass-through mode, apachectl can take all the arguments available for the httpd binary.

apachectl [ httpd-argument ]


And on my system (Ubuntu 8.04), "man httpd" doesn't report diddly. It is in a manpage *somewhere*, so I found it online:

http://www.manpagez.com/man/8/httpd/

And what it says is:


-S Show the settings as parsed from the config file (currently only
shows the virtualhost settings).


So there you go. Hidden away in the documentation "somewhere" is possibly the most useful virtual host diagnostic tool.

- Arch
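Parsing that listing instead of eyeballing it: an added example, not from the post, that reads apache2ctl -S output in the shape shown above and reports, per port, which vhost answers a request whose Host header matches no ServerName or ServerAlias (the "default server" line) and which hostnames are declared more than once (Apache honours the first one). The sample input is constructed from the post's listing with one duplicate www.nibble.bz entry added; the old-site file path is made up.

```python
import re
from collections import defaultdict
# Constructed sample: part of the post's listing plus a second www.nibble.bz declaration.
SAMPLE = """\
*:443 webmail.nibble.bz (/etc/apache2/sites-enabled/webmail.nibble.bz:3)
*:80 is a NameVirtualHost
default server alia.dl.nibble.bz (/etc/apache2/sites-enabled/000-default:2)
port 80 namevhost alia.dl.nibble.bz (/etc/apache2/sites-enabled/000-default:2)
port 80 namevhost www.nibble.bz (/etc/apache2/sites-enabled/blog.nibble.bz:17)
port 80 namevhost www.nibble.bz (/etc/apache2/sites-enabled/old-site:4)
"""
SINGLE = re.compile(r"^\s*\*:(\d+)\s+(\S+)\s+\((\S+):(\d+)\)")  # lone vhost on a port (2.2-era -S shape)
NVH_START = re.compile(r"^\s*\*:(\d+)\s+is a NameVirtualHost")
DEFAULT = re.compile(r"^\s*default server (\S+)\s+\((\S+):(\d+)\)")
NAMEVHOST = re.compile(r"^\s*port (\d+) namevhost (\S+)\s+\((\S+):(\d+)\)")

def parse_vhost_report(text):
    """Map port -> {'default': (host, file, line), 'names': [(host, file, line), ...]}."""
    ports = defaultdict(lambda: {"default": None, "names": []})
    current = None  # port of the NameVirtualHost block being read
    for line in text.splitlines():
        if m := NVH_START.match(line):
            current = int(m.group(1))
        elif m := SINGLE.match(line):  # only vhost on that port, so it is the default too
            port, host, path, ln = m.groups()
            ports[int(port)]["names"].append((host, path, int(ln)))
            ports[int(port)]["default"] = ports[int(port)]["names"][-1]
        elif (m := DEFAULT.match(line)) and current is not None:
            host, path, ln = m.groups()
            ports[current]["default"] = (host, path, int(ln))
        elif m := NAMEVHOST.match(line):
            port, host, path, ln = m.groups()
            ports[int(port)]["names"].append((host, path, int(ln)))
    return dict(ports)

def audit(ports):
    """Per port: which vhost answers a Host header that matches nothing, and names declared twice."""
    findings = []
    for port in sorted(ports):
        if d := ports[port]["default"]:
            findings.append(f"port {port}: unmatched Host headers are served by {d[0]} ({d[1]}:{d[2]})")
        first_seen = {}
        for host, path, ln in ports[port]["names"]:
            if host in first_seen:  # Apache keeps the first declaration; the later one is dead config
                findings.append(f"port {port}: {host} declared again at {path}:{ln}; "
                                f"first declaration at {first_seen[host]} wins")
            else:
                first_seen[host] = f"{path}:{ln}"
    return findings
```

Feed it the real listing with `audit(parse_vhost_report(subprocess.check_output(["apache2ctl", "-S"], stderr=subprocess.STDOUT, text=True)))`; the default-server line is the one to check after every vhost change, since it decides what strangers hitting the IP by address or with a bogus Host header will see.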
