
Ubuntu and Debian Security Applications Review

By Bob Parkinsons

Securing servers against potential attacks is of utmost importance in today’s economic climate. This article is a personal review of some of the best applications I have evaluated recently to secure my own server as well as others. Not every application here will fit every situation for properly securing Internet-facing systems, but all of them are free, open source and host based, so they run without the need for expensive external hardware.

When reviewing existing security policies a few factors need to be accounted for first: performance, stability and overall use of system resources. Use these to decide which of the applications your own requirements actually call for, rather than pushing everything suggested here onto a single server, since some of the applications reviewed are not entirely interchangeable with the others mentioned.

That being said, we’ll start with Apache, the world’s most popular web server.

Mod Security

Without doubt one of my personal favorite Apache modules is Mod Security, although it does require registration to download and is not entirely free without restriction. Mod Security is an invaluable web application firewall that deters much of the scum and many of the random bots floating around the Internet today. According to the Mod Security website, over 70% of all attacks carried out on the web today are made at the web application level, which is highly relevant since a single compromised web site can leak thousands, if not hundreds of thousands, of passwords and user credentials in one go.

Pros

Mod Security has a very strict rule-set that is capable of blocking many types of web application attack, most of which appear in the guidelines set out by the OWASP Top 10.

Cons

The default rules can break the functionality of web applications at first, but this can be fixed by finding the offending rules in the log files and commenting them out. Common symptoms are that users are unable to log in, or that some other functionality, such as a custom search, breaks.
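Finding the offending rule means reading the denial lines Mod Security writes to the Apache error log. The following script is an added example for this article, not code from the article or from the ModSecurity project: it parses the bracketed fields of the ModSecurity 2.x error-log format, counts denials per rule id and request path, and prints a per-path `SecRuleRemoveById` stanza for the rules that keep firing on one path. The log lines, rule ids, file paths and client addresses are constructed samples; the decision that a rule really is a false positive still has to be confirmed against the actual request in the audit log.

```python
"""Find which ModSecurity rules are blocking legitimate requests.

Added example for this article; it is not code from the article or from the
ModSecurity project. It parses the bracketed fields ModSecurity 2.x writes
to the Apache error log, counts denials per rule id and request path, and
prints a per-path SecRuleRemoveById stanza for the rules you decide are
false positives. The log lines below are constructed samples.
"""
import re
import sys
from collections import Counter, defaultdict

# Constructed sample error_log lines (ModSecurity 2.x / CRS 2.x style);
# the rule ids, file names and addresses are illustrative, not a real capture.
SAMPLE_LOG = """\
[Mon Mar 04 10:12:01 2013] [error] [client 203.0.113.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "select" at ARGS:q. [file "/usr/share/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/search"] [unique_id "UTSAAX8AAAEAAArHG9wAAAAA"]
[Mon Mar 04 10:12:07 2013] [error] [client 203.0.113.11] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/share/modsecurity-crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [hostname "www.example.com"] [uri "/login"] [unique_id "UTSABn8AAAEAAArHG90AAAAB"]
[Mon Mar 04 10:13:30 2013] [error] [client 203.0.113.12] ModSecurity: Access denied with code 403 (phase 2). Pattern match "select" at ARGS:q. [file "/usr/share/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/search"] [unique_id "UTSAWn8AAAEAAArHG94AAAAC"]
[Mon Mar 04 10:14:02 2013] [error] [client 203.0.113.13] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/share/modsecurity-crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [hostname "www.example.com"] [uri "/login"] [unique_id "UTSAen8AAAEAAArHG98AAAAD"]
[Mon Mar 04 10:14:09 2013] [notice] Apache/2.2.22 (Debian) configured -- resuming normal operations
"""

# One bracketed, double-quoted field such as [id "950901"] or [uri "/search"].
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# The client field is bracketed but not quoted, so it gets its own pattern.
CLIENT_RE = re.compile(r'\[client ([^\]\s]+)\]')


def parse_line(line):
    """Return the fields of one ModSecurity denial as a dict, or None for other lines."""
    if "ModSecurity:" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    m = CLIENT_RE.search(line)
    if m:
        fields["client"] = m.group(1)
    return fields if "id" in fields else None


def summarize(log_text):
    """Count denials per (rule id, uri) and remember each rule's msg."""
    hits = Counter()
    messages = {}
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        hits[(fields["id"], fields.get("uri", "?"))] += 1
        messages[fields["id"]] = fields.get("msg", "")
    return hits, messages


def suggest_exclusions(hits, messages, min_hits=2):
    """Build a <Location> stanza per path that disables only the rules hit on that path.

    Scoping SecRuleRemoveById to the path keeps the rule active everywhere
    else; min_hits just filters one-off noise out of the suggestion list.
    """
    by_uri = defaultdict(list)
    for (rule_id, uri), count in hits.items():
        if count >= min_hits:
            by_uri[uri].append((rule_id, count, messages[rule_id]))
    stanzas = []
    for uri in sorted(by_uri):
        lines = [f'<Location "{uri}">']
        for rule_id, count, msg in sorted(by_uri[uri]):
            lines.append(f"    # {count} denials, msg: {msg}")
            lines.append(f"    SecRuleRemoveById {rule_id}")
        lines.append("</Location>")
        stanzas.append("\n".join(lines))
    return stanzas


if __name__ == "__main__":
    # Pass the real error log (on Debian /var/log/apache2/error.log) as argv[1];
    # without an argument the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    hits, messages = summarize(text)
    for (rule_id, uri), count in hits.most_common():
        print(f"{count:4d}  rule {rule_id:<8} {uri:<20} {messages[rule_id]}")
    print()
    print("\n\n".join(suggest_exclusions(hits, messages)))
```

The stanzas go into the site's Mod Security configuration rather than into the rule files themselves, so a rule update does not silently undo the exclusion; restricting each exclusion to one path is preferable to commenting the rule out globally, because the rule keeps protecting every other URL.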

Snort

The next very interesting application is Snort, the commonly known de facto standard in intrusion detection. Snort’s job is to monitor networks while being as lightweight as humanly possible, so as not to consume too many system resources and slow down the users of the systems it may be running on. What really makes Snort unique, however, is its heritage as a very stable and robust IDS with both open source rule-sets and more advanced commercial rule-sets available via subscription.

Pros

Lightweight and flexible; trusted and stable.

Cons

The free rules leave a lot to be desired when compared to the subscription rules.

AIDE

AIDE, the file integrity checker, creates hashes (SHA1 or other algorithms) of files or directories and is a generic replacement for the older Linux application Tripwire. If an application has been modified without consent, a simple cross-reference against a known-good disk image quickly reveals which files have changed in the process. It is therefore very useful for analyzing the exact cause of a vulnerability in the event of a possible intrusion, and in many respects can be considered a root-kit detector without all the fancy bells and whistles of our next application.

Pros

Supports custom algorithms and makes up for where Tripwire and others once failed.

Cons

Lack of documentation on how to properly implement and use it; for less experienced users it can be a concept you give up on quickly. (I don’t blame you, but it’s worth it.)
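Because the documentation is thin, it helps to see the whole idea AIDE implements in a few lines. This script is an added example for this article, not code from the article or from AIDE: it hashes every file under a tree into a baseline, stores that baseline outside the tree (in real use on read-only or off-host media, since an intruder with root can rewrite a database kept on the same disk), then compares the live tree against it and reports added, removed and changed files. The sample tree, file contents and modes are constructed in a temporary directory.

```python
"""Minimal AIDE-style file integrity check.

Added example for this article; it is not code from the article or from
AIDE. It shows the idea AIDE implements: hash every file under a tree into a
baseline database, keep that baseline somewhere the host cannot alter it,
and later compare the live tree against it to list files that were added,
removed or changed. The sample tree is constructed in a temporary directory.
"""
import hashlib
import json
import os
import tempfile


def hash_file(path, algorithm="sha256"):
    """Hex digest of a file's contents, read in chunks so large files are fine."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, algorithm="sha256"):
    """Map each regular file (path relative to root) to its digest, size and mode."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are out of scope here
            st = os.stat(full)
            baseline[os.path.relpath(full, root)] = {
                "hash": hash_file(full, algorithm),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return baseline


def save_baseline(baseline, path):
    """Write the baseline as JSON; in practice put it on read-only or off-host media."""
    with open(path, "w") as fh:
        json.dump(baseline, fh, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def compare(baseline, current):
    """Return (added, removed, changed) relative paths between two baselines."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current)
                     if baseline[p] != current[p])
    return added, removed, changed


def _write(root, rel, data, mode):
    """Helper for the constructed scenario: create a file with fixed content and mode."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)
    os.chmod(full, mode)


def demo():
    """Constructed scenario: take a baseline, alter the tree, re-check."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        _write(root, "bin/ls", b"original binary\n", 0o755)
        _write(root, "etc/hosts", b"127.0.0.1 localhost\n", 0o644)
        _write(root, "etc/motd", b"welcome\n", 0o644)
        db = os.path.join(store, "aide.db.json")  # kept outside the watched tree
        save_baseline(build_baseline(root), db)
        # Changes an intrusion might leave: a replaced binary, a new file,
        # a deleted file, and a permission change on otherwise identical content.
        _write(root, "bin/ls", b"replaced binary\n", 0o755)
        _write(root, "bin/extra", b"unexpected\n", 0o755)
        os.remove(os.path.join(root, "etc/motd"))
        os.chmod(os.path.join(root, "etc/hosts"), 0o666)
        return compare(load_baseline(db), build_baseline(root))


if __name__ == "__main__":
    added, removed, changed = demo()
    print("added:  ", added)
    print("removed:", removed)
    print("changed:", changed)
```

Recording size and mode alongside the digest is what lets the check catch a permission change on a file whose bytes did not move, which a hash alone would miss; AIDE records considerably more attributes per file, but the comparison works the same way.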

RKHUNTER

Another good root-kit detector is rkhunter. It works very much like AIDE but is more specifically a root-kit detector, in that it scans all the usual locations where root-kits would sensibly hide on a Linux system, or where they have historically been stored.

Pros

Very in-depth and has support for a wide range of common root-kits.

Cons

By default on Debian and Ubuntu it flags gawk, awk and a few other directories, but I believe this to be only a false positive.

FAIL2BAN

Fail2Ban helps block the automated, often brute-force login attempts over SSH made by bots or potential attackers that make too many incorrect login attempts.

Pros

By automatically banning bots you not only protect your system from compromise but also help keep the server’s performance at more optimal levels.

Cons

I’ve locked myself out temporarily before by not setting the threshold high enough and forgetting which password I used. As long as you don’t do that, you should be fine.
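The lock-out above comes down to three jail settings and one exemption list, and it is easier to reason about them by replaying them over a log. The script below is an added example for this article, not code from the article or from Fail2Ban: it approximates how a jail's `maxretry`, `findtime` and `bantime` decide on a ban, and how `ignoreip` exempts an address, using constructed auth.log lines in which one host hammers root while the administrator mistypes their own password three times. The exact counting rules are an approximation of Fail2Ban's, and the addresses and log lines are constructed.

```python
"""Replay a Fail2Ban-style ban decision over sample sshd log lines.

Added example for this article; it is not code from the article or from
Fail2Ban. It approximates how a jail's maxretry, findtime and bantime
settings decide on a ban and how ignoreip exempts an address, using
constructed auth.log lines. Run it to see why a low threshold plus a
forgotten password bans the administrator's own address, and what prevents it.
"""
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample lines in the shape OpenSSH writes to /var/log/auth.log.
# 198.51.100.7 is a bot hammering root; 192.0.2.25 is the admin mistyping.
SAMPLE_AUTH_LOG = """\
Mar  4 22:10:01 web1 sshd[2041]: Failed password for root from 198.51.100.7 port 51122 ssh2
Mar  4 22:10:03 web1 sshd[2043]: Failed password for root from 198.51.100.7 port 51130 ssh2
Mar  4 22:10:04 web1 sshd[2045]: Failed password for invalid user admin from 198.51.100.7 port 51140 ssh2
Mar  4 22:10:05 web1 sshd[2047]: Failed password for root from 198.51.100.7 port 51150 ssh2
Mar  4 22:10:06 web1 sshd[2049]: Failed password for root from 198.51.100.7 port 51160 ssh2
Mar  4 22:15:30 web1 sshd[2100]: Failed password for bob from 192.0.2.25 port 40011 ssh2
Mar  4 22:15:44 web1 sshd[2102]: Failed password for bob from 192.0.2.25 port 40012 ssh2
Mar  4 22:16:02 web1 sshd[2104]: Failed password for bob from 192.0.2.25 port 40013 ssh2
Mar  4 22:16:20 web1 sshd[2106]: Accepted password for bob from 192.0.2.25 port 40014 ssh2
"""

FAIL_RE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (\S+) port \d+"
)


def parse_failures(log_text, year=2013):
    """Return [(timestamp, source ip)] for each failed-password line.

    syslog lines carry no year, so one is supplied explicitly.
    """
    failures = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            failures.append((ts, m.group(2)))
    return failures


def simulate_bans(failures, maxretry=3, findtime=600, bantime=600, ignoreip=()):
    """Return {ip: time banned} for hosts with maxretry failures inside findtime.

    ignoreip takes addresses or CIDR networks that are never banned; that is
    the setting that keeps an admin from locking themselves out.
    """
    exempt = [ip_network(n, strict=False) for n in ignoreip]
    window = timedelta(seconds=findtime)
    recent = {}   # ip -> timestamps of failures still inside the window
    bans = {}     # ip -> when the ban started
    for ts, ip in sorted(failures):
        if any(ip_address(ip) in net for net in exempt):
            continue
        if ip in bans and ts < bans[ip] + timedelta(seconds=bantime):
            continue  # already banned; the firewall drops these attempts
        history = [t for t in recent.get(ip, []) if ts - t <= window]
        history.append(ts)
        recent[ip] = history
        if len(history) >= maxretry:
            bans[ip] = ts
            recent[ip] = []
    return bans


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_AUTH_LOG)
    print("maxretry=3, no ignoreip:  ", sorted(simulate_bans(failures, maxretry=3)))
    print("maxretry=3, admin exempt: ", sorted(simulate_bans(failures, maxretry=3, ignoreip=("192.0.2.0/24",))))
    print("maxretry=5:               ", sorted(simulate_bans(failures, maxretry=5)))
```

The three runs show the trade-off: with `maxretry=3` both the bot and the administrator are banned, raising the threshold to 5 spares the administrator only because they stopped after three tries, while listing the administrative network in `ignoreip` protects the admin regardless of the threshold. In Fail2Ban these are the `ignoreip`, `maxretry`, `findtime` and `bantime` options in jail.local.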

Choose the right Web host

While this is not an application, I believe that choosing the right web host and environment for your needs is just as important and a major factor in keeping your web server secure. While there are many cows, daddies, gators and other sharks trying to add 1 & 1 together in the $5-or-less discount hosting war, take some time to reconsider what you are paying for, and if you can afford it, pay that little bit extra to get the benefits of a well-known secure hosting provider whenever you can.
