11 Feb
2022
11 Feb
'22
7:12 p.m.
Hi,
I'm 'hardening' up a server, and Tom has done some Pen-Testing for me.
If you have time, please attack:
informatics.plus.com
This is a server I've configured for "noVNC" and "SSH" on
obfuscated
ports to keep script-kiddies at bay, but easily discoverable by port
scan. I'm running "fail2ban" on "sshd" and "apache2"
services.
I know a bit about defending "SSH", but SFA about defending "Apache".
I'd appreciate any help/advice and will buy beer and/or Club Mate for
anyone who gets in and leaves me a note how to block the attack in:
/root/you_left_the_back_door_open
Thanks,
Tony.
--
Minke Informatics Limited, Registered in Scotland - Company No. SC419028
Registered Office: 3 Donview, Bridge of Alford, AB33 8QJ, Scotland (UK)
tel. +44(0)19755 63548 http://minke-informatics.co.uk
mob. +44(0)7985 078324 mailto:tony.travis@minke-informatics.co.uk
11 Feb
11 Feb
10:48 p.m.
Tony
Some thoughts.
My current choice of setup for Apache is to use nginx in front for HTTPS
termination and use letsencrypt for certificates. One thing I like about
nginx is that you can use a special error response of 444 which does not
send an http response it just drops the connection, which slows down
attackers.
I am using the Apache/nginx pair for a number of uses, some API servers
and an user web interface server. (Named virtual hosts)
On the API servers I explicitly list the calls that can be made and just
drop any others (444).
If you can use nginx this is a usefull snippet to drop in, matches any
url that starts with a full stop, e.g. .git, .env and just drops the
connection. I am also seeing attempts to aws credentials.
location ~ /\..* {
return 444;
}
Also api servers do not necessarily get accessed at / (root) so that URL
can also be dropped.
There are rules for fail2ban that can monitor nginx/apache logs as well.
Depending what you use Apache for these ideas may or may not be useful.
Script kiddies will also try accessing admin pages for wordpress and
similar.
Lawrence
On 11/02/2022 19:12, Tony Travis wrote:
Hi,
I'm 'hardening' up a server, and Tom has done some Pen-Testing for me.
If you have time, please attack:
informatics.plus.com
This is a server I've configured for "noVNC" and "SSH" on
obfuscated
ports to keep script-kiddies at bay, but easily discoverable by port
scan. I'm running "fail2ban" on "sshd" and "apache2"
services.
I know a bit about defending "SSH", but SFA about defending
"Apache".
I'd appreciate any help/advice and will buy beer and/or Club Mate for
anyone who gets in and leaves me a note how to block the attack in:
/root/you_left_the_back_door_open
Thanks,
Tony.
12 Feb
12 Feb
11:57 a.m.
Hi Tony,
Our standard toolkit for server hardening at work is:
https://dev-sec.io/
You can find the Apache hardening spec at:
https://dev-sec.io/baselines/apache/
They also have Linux and SSH hardening specs there that you can check your setup against.
In practice we are using Ansible to provide compliance assurance, but going through it
manually can help to understand which things the Ansible role is locking down. (The
Ansible role for Apache is broken right now though so you could only do that manually, we
primarily use nginx, and even then it's usually behind either AWS CloudFront or
CloudFlare Access.)
These are guidelines more than rules, and don't work in all cases. For example the
Linux baseline disables some sysctls that we require for Docker. The Ansible roles give a
way to override that though, and we've documented the decision to deviate from the
baseline.
If you try these out I'd be interested to hear how you get on.
Thanks,
Iain.
On Fri, Feb 11, 2022, at 10:48 PM, Lawrence wrote:
Tony
Some thoughts.
My current choice of setup for Apache is to use nginx in front for HTTPS
termination and use letsencrypt for certificates. One thing I like about
nginx is that you can use a special error response of 444 which does not
send an http response it just drops the connection, which slows down
attackers.
I am using the Apache/nginx pair for a number of uses, some API servers
and an user web interface server. (Named virtual hosts)
On the API servers I explicitly list the calls that can be made and just
drop any others (444).
If you can use nginx this is a usefull snippet to drop in, matches any
url that starts with a full stop, e.g. .git, .env and just drops the
connection. I am also seeing attempts to aws credentials.
location ~ /\..* {
return 444;
}
Also api servers do not necessarily get accessed at / (root) so that URL
can also be dropped.
There are rules for fail2ban that can monitor nginx/apache logs as well.
Depending what you use Apache for these ideas may or may not be useful.
Script kiddies will also try accessing admin pages for wordpress and
similar.
Lawrence
On 11/02/2022 19:12, Tony Travis wrote:
Hi,
I'm 'hardening' up a server, and Tom has done some Pen-Testing for me.
If you have time, please attack:
informatics.plus.com
This is a server I've configured for "noVNC" and "SSH" on
obfuscated
ports to keep script-kiddies at bay, but easily discoverable by port
scan. I'm running "fail2ban" on "sshd" and "apache2"
services.
I know a bit about defending "SSH", but SFA about defending
"Apache".
I'd appreciate any help/advice and will buy beer and/or Club Mate for
anyone who gets in and leaves me a note how to block the attack in:
/root/you_left_the_back_door_open
Thanks,
Tony.
_______________________________________________
57north-discuss mailing list -- 57north-discuss(a)lists.57north.org.uk
To unsubscribe send an email to 57north-discuss-leave(a)lists.57north.org.uk
3:06 p.m.
On 12/02/2022 11:57, Iain R. Learmonth wrote:
Hi Tony,
Our standard toolkit for server hardening at work is:
https://dev-sec.io/
You can find the Apache hardening spec at:
https://dev-sec.io/baselines/apache/
[...]
Hi, Ian.
Thanks for your very useful advice!
I'm providing multiple remote Ubuntu-MATE graphical desktops on one of
my 'garage' servers for a "Bioinformatics in Schools" project run by the
University of Edinburgh. At present they use RPi's, which are great for
introducing kids to the principles, but not powerful enough to do 'real'
bioinformatics.
Tony.
--
Minke Informatics Limited, Registered in Scotland - Company No. SC419028
Registered Office: 3 Donview, Bridge of Alford, AB33 8QJ, Scotland (UK)
tel. +44(0)19755 63548 http://minke-informatics.co.uk
mob. +44(0)7985 078324 mailto:tony.travis@minke-informatics.co.uk
3:12 p.m.
Hi Tony,
If you're doing it more than once, and letting students loose on the systems,
orchestrating the setup with Ansible so you can reinstall them easily could be pretty
useful then. (Unless you're just copying the whole SD card image, which would be even
quicker.)
Thanks,
Iain.
On Sat, Feb 12, 2022, at 3:06 PM, Tony Travis wrote:
On 12/02/2022 11:57, Iain R. Learmonth wrote:
Hi Tony,
Our standard toolkit for server hardening at work is:
https://dev-sec.io/
You can find the Apache hardening spec at:
https://dev-sec.io/baselines/apache/
[...]
Hi, Ian.
Thanks for your very useful advice!
I'm providing multiple remote Ubuntu-MATE graphical desktops on one of
my 'garage' servers for a "Bioinformatics in Schools" project run by
the
University of Edinburgh. At present they use RPi's, which are great for
introducing kids to the principles, but not powerful enough to do 'real'
bioinformatics.
Tony.
--
Minke Informatics Limited, Registered in Scotland - Company No. SC419028
Registered Office: 3 Donview, Bridge of Alford, AB33 8QJ, Scotland (UK)
tel. +44(0)19755 63548 http://minke-informatics.co.uk
mob. +44(0)7985 078324 mailto:tony.travis@minke-informatics.co.uk
_______________________________________________
57north-discuss mailing list -- 57north-discuss(a)lists.57north.org.uk
To unsubscribe send an email to 57north-discuss-leave(a)lists.57north.org.uk
3:28 p.m.
On 12/02/2022 15:12, Iain R. Learmonth wrote:
Hi Tony,
If you're doing it more than once, and letting students loose on the systems,
orchestrating the setup with Ansible so you can reinstall them easily could be pretty
useful then. (Unless you're just copying the whole SD card image, which would be even
quicker.)
Hi, Iain.
I'm not giving them VM's, I'm going to show them how to run BIG jobs
using Slurm. We used 'Salt' to configure nodes in Milan but I hated it.
Probably time for me to bite the bullet and try Ansible instead ;-)
Thanks again for the Jungle tips,
Tony.
--
Minke Informatics Limited, Registered in Scotland - Company No. SC419028
Registered Office: 3 Donview, Bridge of Alford, AB33 8QJ, Scotland (UK)
tel. +44(0)19755 63548 http://minke-informatics.co.uk
mob. +44(0)7985 078324 mailto:tony.travis@minke-informatics.co.uk
1:46 p.m.
On 11/02/2022 22:48, Lawrence wrote:
Tony
Some thoughts.
My current choice of setup for Apache is to use nginx in front for HTTPS
termination and use letsencrypt for certificates. One thing I like about
nginx is that you can use a special error response of 444 which does not
send an http response it just drops the connection, which slows down
attackers.
Hi, Lawrence.
I'm familiar with setting up and running Apache, but I'm a total noob
about how to secure it properly. Back in the day when I did this before
the Internet was a _much_ less hostile place!
I am using the Apache/nginx pair for a number of uses,
some API servers
and an user web interface server. (Named virtual hosts)
OK, resistance is futile: I'm going to have to learn how to use Nginx.
[...]
Depending what you use Apache for these ideas may or may not be useful.
Script kiddies will also try accessing admin pages for wordpress and
similar.
This project requires multiple remote Ubuntu-MATE desktops on school
Windows PCs/Laptops without having to install e.g. an "x2go" client.
The minimal requirement I've recommended is an HTML5-compliant web
browser capable of running "noVNC". Everything is set up and working
using XDMCP and Websockify to connect noVNC. I want to 'harden' the
server a bit now.
I used JNLP to provide remote VNC desktops in the dark and distant past,
but the world has changed a lot since then...
Thanks for your thoughts and helpful advice,
Tony.
--
Minke Informatics Limited, Registered in Scotland - Company No. SC419028
Registered Office: 3 Donview, Bridge of Alford, AB33 8QJ, Scotland (UK)
tel. +44(0)19755 63548 http://minke-informatics.co.uk
mob. +44(0)7985 078324 mailto:tony.travis@minke-informatics.co.uk
1044
days inactive
1045
days old
57north-discuss@lists.57north.org.uk
6 comments
3 participants
participants (3)
-
Iain R. Learmonth -
Lawrence -
Tony Travis