State of the Server — Baseline

Server release V1. Meta-Lassi is at a functioning baseline. Probably from a security perspective, this post would be a no-no, but that’s not what this is about. So the server is:

Ubuntu 11.04 with ssh, apache, and mysql running on it. Pretty standard stuff.

Logwatch emails every day, as well as aide.

Webalizer is running for some server statistics, although google analytics probably makes that a little redundant. Monit is running to let me know when things go off the rails and will restart the apps.

I spent a good amount of time investigating security, so to that end, iptables are functioning fairly well. PSAD reads the iptables logs and bans many incoming probes each day. Those are logged, and added to the logwatch email. Also in the Logwatch email are failed ssh and http requests.

SSH is validated using certificates, so while I still have fail2ban running it’s probably moot (although it does seem to ban a couple of people each night; that’s still a bit of a mystery). The Aide file integrity checker sweeps through each night and checks checksums, and so far the changes it reports seem to make sense.

So far this backend serves up WordPress, ie, this blog, as well as standard pages. That’s what I’m using it for anyway, but really it should be a fully functioning LAMP server.

Going forward I’m interested in JSON based databases like MongoDB and end-to-end Javascript, ie, Node.

ssl part 2

I have ssl working, using it for my monit instance. I’ll be honest I did it a little while ago and I didn’t document it well. I want to put the links that I used to make it happen here:

http://www.crazysquirrel.com/computing/debian/apache-mod_ssl.jspx
http://catdevblog.nickbair.net/2011/04/02/apache-and-ssl-the-easy-way/

My previous post on ssl wasn’t used, ie that whole snakeoil thing. Overall I now have a “ssl” folder in “/etc/apache2/” and it contains the certificate “apache.pem.” I have, in “/etc/apache2/sites-enabled,” “default-ssl” which defines:

SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.pem

for my ip address at port :443.

And finally I have, in “/etc/apache2/sites-enabled,” “secure.meta-lassi.com” (my choice of name) which defines for that virtual host name a port :443 instance.

So that’s me looking at it after the fact and seeing more just for form. The elements are all here, but if I had to recreate it I’d dig back into those links.

more on mysql logging

following up on the last post…

“By default, no logs are enabled (except the error log on Windows).”

from mysql official documentation:
http://dev.mysql.com/doc/refman/5.1/en/server-logs.html

so I created a file at /var/log/mysql/mysql.log and I’ll see if mysql can write to it. I’m betting it won’t. The more digging I do it seems more and more unnecessary to get mysql logging. Hate to give up and all, but it DOES come defaulted to not logging and I’m also thinking there might be a bug here. Anyway. I’ll leave the changes I’ve made and see if it starts writing to the log magically.

last bug

trying to address the last bug happening in my initial set-up. I’m getting this error each day from cron:

/etc/cron.daily/logrotate:
/usr/bin/mysqladmin: refresh failed; error: 'Unknown error'
error: error running shared postrotate script for '/var/log/mysql.log /var/log/mysql/mysql.log /var/log/mysql/mysql-slow.log '
run-parts: /etc/cron.daily/logrotate exited with return code 1

I checked all the supposed log files and they’re empty.

I believe I’m realizing that mysql just isn’t logging. So perhaps that’s the problem. In /etc/mysql/my.cnf I uncommented the 2 lines defining the “general log file.” It warns that’s the old way of doing things and that log files can be defined at runtime, but I certainly wasn’t doing that.

ALSO, I added .my.cnf to root folder a la:
http://lists.opensuse.org/opensuse/2012-05/msg00699.html

also when I was looking at that article I realized my permissions were funky on /var/log/mysql. I needed 750, but had 660. Not sure why that happened but that was obviously a problem as the logs need to be written in that folder.

That’s a lot of changes, 3, so I’ll have to decipher what’s going on on the flipside.
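An added example, not the post’s own code: a small POSIX shell pre-flight that checks the three things changed above (directory mode, the general_log lines in my.cnf, root’s .my.cnf) so the next logrotate run can be predicted rather than waited for. It assumes GNU stat as on Ubuntu; the paths are arguments, defaulting to the ones the post names.

```shell
#!/bin/sh
# Added example, not the post's own code: pre-flight for the three changes made
# above, so the next logrotate run can be predicted rather than waited for.
# Assumes GNU stat (Ubuntu). Paths are arguments; defaults are the post's paths.

# Last three octal digits of a path's mode (drops a leading setgid digit).
mode_of() {
    m=$(stat -c %a "$1") || return 1
    printf '%s' "${m#${m%???}}"
}

# /var/log/mysql: mysqld needs rwx on the directory to create and reopen logs
# after a rotate. The post found 660 here; 750 is the packaged layout.
check_log_dir() {
    [ -d "$1" ] || { echo "missing directory: $1"; return 1; }
    m=$(mode_of "$1") || return 1
    case "$m" in
        7??) return 0 ;;
        *) echo "$1 is mode $m; owner needs rwx (wanted 750)"; return 1 ;;
    esac
}

# my.cnf: both general_log lines must be uncommented, otherwise nothing is
# written and every file logrotate touches stays empty.
check_general_log() {
    grep -Eq '^[[:space:]]*general_log[[:space:]]*=[[:space:]]*1' "$1" &&
    grep -Eq '^[[:space:]]*general_log_file[[:space:]]*=' "$1"
}

# root's ~/.my.cnf, added so mysqladmin can authenticate from cron: it holds a
# password, so it must exist, carry a [client] section and be mode 600.
check_client_cnf() {
    [ -f "$1" ] || { echo "missing $1"; return 1; }
    grep -q '^\[client\]' "$1" || { echo "$1 has no [client] section"; return 1; }
    m=$(mode_of "$1") || return 1
    [ "$m" = 600 ] || { echo "$1 is mode $m; must be 600"; return 1; }
}

# Run all three; non-zero if any fails.
check_all() {
    rc=0
    check_log_dir "${1:-/var/log/mysql}" || rc=1
    check_general_log "${2:-/etc/mysql/my.cnf}" || rc=1
    check_client_cnf "${3:-/root/.my.cnf}" || rc=1
    return $rc
}
```

Run `check_all` with no arguments on the server itself; any non-zero exit prints which of the three preconditions is still wrong.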

aide config

Finally wrapped my brain around how the aide configuration is strewn around ubuntu 11.04. I thought I had the right line to get it to stop reporting daily changes to the /var/log/psad folder, but I couldn’t figure out where to put it; I finally did today.

so,

/etc/aide/aide.conf calls all the files in the directory /etc/aide/aide.conf.d, and one of those files is “70_aide_var”. In there it gives directions to treat /var as VarDir, which is a variable defined back in /etc/aide/aide.conf that actually has an aide comparison strategy attached to it. That’s actually what all (or a lot) of the files in /etc/aide/aide.conf.d seem to be: links back to the definitions set up in the config file.

So anyway, I just added “!/var/log/psad/” to the “70_aide_var” file and bingo. That only took me about 2 months to figure out.

oh, and of course the two lines I referred to having edited in the last post, in the file “/etc/aide/conf.settings.d/31_aide_apt_settings”, refer to how aide looks at APT. It clearly says it. Duh.

updates on the syslog-ng error and aide config

the syslog-ng fix from the previous post worked. Enabling the no-caps option worked. Very obscure. so huge thanks to pyro.eu.org.

As far as aide goes, I dug a touch further and at /etc/aide/conf.settings.d/31_aide_apt_settings there are two lines:

IGNORE_ARCHIVES="yes"
IGNORE_FRQCHG="yes"

I added the yes’s so we’ll see if I have to figure out where to add the log file I want it to ignore (psad) or if it can figure it out.

syslog-ng and aide tweaks. Close to a summary post of initial set-up and on to phase 2

SYSLOG-NG:

per http://pyro.eu.org/how-to/micro/syslog-ng-error-setting-capabilities-openvz.txt

(and love this guy’s style)

PROBLEM

In OpenVZ container:

/etc/cron.daily/logrotate:
syslog-ng: Error setting capabilities, capability management disabled; error='Operation not permitted'

SOLUTION

syslog-ng --no-caps

Debian:
/etc/default/syslog-ng:SYSLOGNG_OPTS="--no-caps"

And I have been having exactly that error message since forever ago, so if this works, fantastic.

AIDE:

I’ll leverage this writeup: http://www.snekul.com/wordpress/blog/2012/09/27/using-aide-on-ubuntu-12-04-lts-precise-pangolin-and-debian-7-wheezy/ in that it’s time to get aide to a reasonable place. It’s currently doing a daily cron test against the original database, which of course is crazy huge. I’ve been diligently reading it to get a feel for the normal course of things but it’s time to put that to rest a bit. I’ll go ahead and set it to overwrite its database daily. Other than that, I’ll naturally get periodic snapshots when I backup the server.

wordpress level (mostly) set-up

• had to a2enmod rewrite to get rewrites working, and with them pretty permalinks

• wp level security plugins, better wp security and sucuri. Also a plugin called core services that seems quite useful. Core services to be explored

wordpress hardening

a motley compilation of web advice, as usual, paired up with some wordpress.com specific stuff and also wordpress plugins that handle it for you.

These 2 sites were my jumping off point:
http://wp.smashingmagazine.com/2010/07/01/10-useful-wordpress-security-tweaks/
http://codex.wordpress.org/Hardening_WordPress

I picked and chose:

• chmod 440 wp-config.php

• protect wp-config (via files directive in .htaccess)

• disabled file editing

• implemented apache level authentication for wp-admin.

I worked with ssl, but only partially got it going. I intend to make wp-admin through ssl. Here seems to be the next resource to make that happen:
http://codex.wordpress.org/Administration_Over_SSL

I shied away from the scripts-in-.htaccess solutions to protection from script injections/content scrapers etc. But the first plugin I’ve enabled, sucuri, has auto hardening that sounded similar. Will investigate.
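An added audit script, not from the post or from either linked guide: it checks the four picks above (wp-config.php mode, DISALLOW_FILE_EDIT, the Files block in .htaccess, Basic auth on wp-admin) against files passed as arguments. It assumes GNU stat and the Apache 2.2 deny syntax that Ubuntu 11.04 ships; the /var/www path in the comments is an assumption.

```shell
#!/bin/sh
# Added example, not the post's own code: audits the hardening picks above
# against the files passed as arguments. Assumes GNU stat (Ubuntu) and Apache
# 2.2 syntax ("deny from all"); 2.4's "Require all denied" is accepted too.

# Last three octal digits of a path's mode.
mode_of() {
    m=$(stat -c %a "$1") || return 1
    printf '%s' "${m#${m%???}}"
}

# True if FILE has a <Files>/<Directory> block whose opening tag matches OPEN_RE
# and which contains a line matching BODY_RE (both compared lower-cased).
block_has() {
    awk -v open="$2" -v body="$3" '
        { line = tolower($0) }
        line ~ open { inblk = 1 }
        inblk && line ~ body { found = 1 }
        line ~ /^[ \t]*<\// { inblk = 0 }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# chmod 440 wp-config.php: owner and web-server group read only (400 also fine).
check_wp_config_mode() {
    m=$(mode_of "$1") || return 1
    [ "$m" = 440 ] || [ "$m" = 400 ]
}

# "disabled file editing": only an active define(..., true) counts; a
# commented-out or false one leaves the theme/plugin editor on.
check_file_edit_disabled() {
    grep -Eiq "^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true" "$1"
}

# "protect wp-config via Files directive": the block must actually deny.
check_wp_config_protected() {
    block_has "$1" '<files +"?wp-config.php"?' 'deny from all|require all denied'
}

# "apache level authentication for wp-admin": Basic auth and a Require line
# inside the wp-admin Directory block of the vhost (e.g. /var/www/wp-admin).
check_wp_admin_auth() {
    block_has "$1" '<directory .*wp-admin' 'authtype +basic' &&
    block_has "$1" '<directory .*wp-admin' 'require +valid-user'
}
```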

directory listing in apache

ok, so here’s a good one to document. I just spent way too much time trying to get apache’s indexing function to stop, failing at trying to get

options -Indexes

within directory tags in /etc/apache2/sites-available/default

but it was a module called autoindex

ran a2dismod autoindex and it put an end to my misery