Securing FC 4

AragonX aragonx at dcsnow.com
Mon Aug 22 21:55:08 UTC 2005


<quote who="cromworshipper-fedorastuff at yahoo.com">
>
>
> --- AragonX <aragonx at dcsnow.com> wrote:
> [...]
>> I've gotten some very good information off of the security lists though.
>> Perhaps I should copy it here so that others could benefit?
>
> Yes, please.
>
> What was the weak point that allowed an intrusion on your machine?  I'd
> like to know what I should watch out for...

<copy from Tom Walsh's email to focus-linux at securityfocus.com>

Something that LIDS might not catch is a binary uploaded via a remote
file include in a poorly coded PHP script (phpBB comes to mind). We have
had several servers exploited using a combination of this method and an
out of date kernel. Typically the attacker will upload a binary that
exploits the kernel to get local root privs.

To stop most of this behavior, we have been using a combination of PHP
directives (open_basedir restrictions for web space: php_admin_value
open_basedir "/path/to/web/space/html:/tmp:/usr/share/php" in the
httpd.conf) and then mounting /tmp set with noexec and nosuid. As an
additional measure we have also made wget, fetch and a few other
binaries chmod 700 to prevent access by the web server user.

As an aside, I have pretty good results with the linux vserver
(http://www.linux-vserver.org) patch set to provide virtual server
instances of any linux distro I want. I will run a Debian root server
with RedHat instances as vservers. It allows me to segment the server
and limit exposure between the different services I run. I actually had
a root exploit on a vserver a while back, and I was able to recover the
server in about 30 minutes. I just took the vserver offline... ran an rpm
checksum comparison against checksums saved in the root server... and I
determined which binaries were compromised. I replaced them, and then
brought the server back online. I was quite pleased with the results. As an
added benefit the vservers are portable between physical machines so
long as the root server has the patch set applied. However, I have not
used the patch set with LIDS so I do not know if they are compatible or
not. We generally use vservers for resellers who want to use control
panel software on the server (Plesk works almost flawlessly in this
particular instance).

I hope that helps you.

Take care,

Tom Walsh
http://www.expresswebsystems.com/

This is exactly what happened to me.  A flaw in, I believe, SquirrelMail
enabled a program to be uploaded to the /tmp directory and executed.

I've adjusted my LIDS policy to prevent execution from that directory.  I'm
going to see if I can remove root's access to it without breaking
anything.  lol
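The following is an added example, not code from the thread or from Tom Walsh's setup: a few POSIX shell helpers that check the measures described above (a /tmp mount carrying both noexec and nosuid, binaries such as wget made mode 700, and a checksum baseline kept outside the instance and compared after an incident). The mount table text, the instance directory and its "binaries" are all constructed inside the script, so it runs offline without root; on a real host the same functions would be fed `cat /proc/mounts`, the real binary paths and a baseline file stored on the root server.

```sh
#!/bin/sh
# Added example (not from the thread). Audit helpers for the hardening steps
# discussed above. All sample data is constructed here; file names and paths
# are assumptions, and the temp directory stands in for a vserver root.

# 1. Given /proc/mounts-style text ($1), require noexec AND nosuid on mount
#    point $2. Fields: device mountpoint fstype options dump pass.
tmp_mount_hardened() {
    opts=$(printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4 }')
    [ -n "$opts" ] || return 1          # not a separate mount at all
    case ",$opts," in *,noexec,*) ;; *) return 1 ;; esac
    case ",$opts," in *,nosuid,*) ;; *) return 1 ;; esac
    return 0
}

# 2. Is $1 mode 700 (no group/other bits), as done for wget and fetch?
#    Reads the ls permission string, so it needs no GNU stat.
owner_only() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# 3. Checksum baseline of every file under $1, written to $2. Keep $2 on the
#    root server, never inside the instance it describes.
make_baseline() {
    (cd "$1" && find . -type f | sort |
        while IFS= read -r f; do sha256sum "$f"; done) > "$2"
}

# Files under $1 whose hash no longer matches baseline $2, or that are gone.
# The baseline is fed on stdin so the path stays relative to the caller.
changed_files() {
    (cd "$1" && sha256sum -c 2>/dev/null) < "$2" |
        awk -F': ' '$2 != "OK" { print $1 }'
}

# Files under $1 that are absent from baseline $2 (e.g. an uploaded dropper);
# a plain "sha256sum -c" would never report these.
new_files() {
    known=$(mktemp)
    sed 's/^[^ ]*  //' "$2" | sort > "$known"
    (cd "$1" && find . -type f | sort) | comm -23 - "$known"
    rm -f "$known"
}

# Demo on constructed data: a fake instance with two binaries, one of which
# gets replaced, plus a file dropped into tmp that was never in the baseline.
demo() {
    mounts='/dev/sda1 / ext3 rw 0 0
/dev/sda3 /tmp ext3 rw,noexec,nosuid 0 0'
    tmp_mount_hardened "$mounts" /tmp && echo "/tmp is noexec,nosuid"
    inst=$(mktemp -d) && mkdir -p "$inst/bin" "$inst/tmp"
    printf 'orig-wget\n' > "$inst/bin/wget"; printf 'orig-ls\n' > "$inst/bin/ls"
    chmod 700 "$inst/bin/wget"; chmod 755 "$inst/bin/ls"
    make_baseline "$inst" "$inst.sha256"
    printf 'trojaned\n' > "$inst/bin/wget"; printf 'dropper\n' > "$inst/tmp/.x"
    echo "changed: $(changed_files "$inst" "$inst.sha256")"
    echo "new:     $(new_files "$inst" "$inst.sha256")"
    owner_only "$inst/bin/wget" && echo "wget is mode 700"
    rm -rf "$inst" "$inst.sha256"
}
demo
```

The baseline step is the part that matters before an incident: the hash file has to be written while the instance is known-good and stored somewhere the instance cannot write, otherwise an intruder with root inside it can simply regenerate it.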





More information about the fedora-list mailing list