Security on hosting/servers (ids, ips)

Just some things i started to wonder / looking for. What systems are you guys using to monitor en protect attacks from the inside? Lets say somehow someone breaks into the server, how do you notice and or prevent this form happening? I’m more thinking about elastic auditbeat, wazuh and snort then just the simple answers like ssh key only login and stuff like that! Let met know what you use.

It really depends on who you’re protecting against and what you are protecting.

If we’re talking a normal personal server, chances are, adopting basic security practices will save you against all common attacks. SSH key-only auth is a good start.

If we were to discuss servers containing sensitive data (e.g. company servers with intellectual property on them), auditing, monitoring (proactive!) and alerting are essential.

Some stuff I would do/use:

  • SELinux (preventing unauthorized access)
  • AIDE (auditing system changes)
  • Disable prelinking
  • Audit installed packages (e.g. rpm can check integrity against hashes)
  • User auth changes - lockout time, enforce password quality, disable login of passwordless accounts
  • Auditd - make sure you’re logging all the good stuff (access denied on files and processes, filesystem getting (dis)mounted…), make it kill the system if the log drive is full…
  • Keep packages up to date
  • Set up centralized logging on a separate server with alerting on certain events (e.g. Graylog)
  • Disable any unnecessary running services
  • Uninstall any unnecessary packages. Mainly talking about stuff like Xorg
  • FIREWALL! Allow only necessary ports, reject/drop all
  • You can use an IDS/IPS, although it probably won’t help you much with securing the server per se… it can be a very powerful tool if you’re protecting stuff like web applications though - but that’s a job for application level IPS like Naxsi or mod_security. (prevents SQLi, XSS if configured correctly)
  • If you have an option of sending traffic over a private network, do it instead of exposing it to the internet
  • Disable DHCP client and IPv6 autoconf

This is not an exhaustive list by any means, however not everything I mention is applicable to every environment… in fact, I would argue most stuff is not relevant to common environments :smiley: Tools like Openscap can help you audit and make recommendations.

This is for RHEL/CentOS btw, should apply to other OSes as well, although the toolset will be different.

6 Likes

I like a simplistic approach that focuses on limiting the scope of events and alerting for common signs of trouble. Realistically if you keep your systems up to date, use keys and not passwords, keep your personal computers secure, and have public facing applications running under privileged users then you get to sleep at night without having to review everything. You really don’t want to be reviewing logs for every perceived event of a WAF or IDS, it’s an unsustainable path to anxiety. Some people think the wealth of information keeps them secure and informed, but eventually it just fills up an inbox that no one reads.

There are all kinds of security levels that have to be considered with context as well. Example: Grandma’s cookie recipe blog is exploitable for an XSS attack? Who cares.

If an app under a privileged user gets compromised and the underlying server is up to date, it’s easily one in a million shot that anything happens other than that privileged user being used to preform outgoing attacks rather than someone obsessively trying to exploit your kernel to root the box. So that means you’ll see increased outbound traffic, large mail queues, increased CPU usage by weird procs, blacklisted IPs, something will reveal itself somewhere. If you’re watching for outliers in all outputs, you’ll generally be alerted to something strange.

3 Likes

non-privileged users?

Thanks for the tips guys! Now I have some more reading and trying out todo! This was mainly related to webhosting servers with other people’s ip.