5 Great security tools for Ubuntu

Ubuntu usually comes out of the box with a pretty good set of security features. However, there are some really great tools out there that can help to save some hassle…

1 – backup-manager
2 – fail2ban
3 – chkrootkit, tiger, john
4 – KVM
5 – Nessus

1 – Backup – backup-manager

Security is about backups. If your server gets attacked, it is always good to have a backup of your data somewhere. The tricky part comes when the attacker finds out how to access your backup and gets rid of it… Let’s focus only on hardware problems, mistakes or malicious scripts. (Did you ever get any??)

One great tool available on Ubuntu is backup-manager.
To install it, simply type:

apt-get install backup-manager

In its configuration file (/etc/backup-manager.conf), backup-manager will allow you to back up:

  • your files (using tar.gz),
  • your mysql database,
  • a subversion repository,
  • or actually anything else you want using the wonderful "pipe" method.

The tar.gz method allows you to do incremental backups, which is great for saving space on your backup device.
You can also specify the directories to back up in the BM_TARBALL_DIRECTORIES configuration variable:

export BM_TARBALL_DIRECTORIES="/etc /var/lib/ /var/www /root /home/"

With the mysql method you can set up an export of a selection of your databases, or of all of them:

export BM_MYSQL_DATABASES="__ALL__"

The pipe method works this way:

# Archive a remote MySQL database through SSH:
# BM_PIPE_COMMAND[0]="ssh host -c \"mysqldump -ufoo -pbar base\""
# BM_PIPE_NAME[0]="base"
# BM_PIPE_FILETYPE[0]="sql"
# BM_PIPE_COMPRESS[0]="gzip"
# This will make something like: localhost-base.20050421.sql.gz

# Archive a specific directory, on a remote server through SSH:
# BM_PIPE_COMMAND[0]="ssh host -c \"tar -c -z /home/user\""
# BM_PIPE_NAME[0]="host.home.user"
# BM_PIPE_FILETYPE[0]="tar.gz"
# BM_PIPE_COMPRESS[0]=""
# This will make something like: localhost-host.home.user.20050421.tar.gz

Once we know what to collect, we can select the way to backup the data.
Several methods are available:

  • scp
  • ssh-gpg
  • ftp
  • rsync
  • s3 (Amazon bucket)

The configuration is easy: just follow the instructions in the comments of the configuration file.
You can also decide to use the DVD burning option.

2 – Access control – fail2ban

Fail2ban helps you lower the load on your server if you get a lot of dictionary attacks from script kiddies. After a given number of unsuccessful attempts to connect to the server, the IP of the requester gets blacklisted for some minutes or hours.

Installation:

apt-get install fail2ban

Configuration files:

/etc/fail2ban/

Wikipedia article
Official website

3 – Checking Scripts – chkrootkit, tiger, john

These 3 scripts will make different checks on your system in order to find security breaches.

apt-get install chkrootkit tiger john

chkrootkit

chkrootkit will make a quick check of the main binaries of the filesystem and look for well-known signatures of rootkits. These rootkits typically come with script kiddies trying dictionary attacks on ssh. (See fail2ban.)

john

John the Ripper is a great tool to evaluate the strength of your passwords. The longer it takes to break your password, the better you chose it 🙂
You can execute John the Ripper this way:

john -user:root /etc/shadow

tiger

tiger is an excellent tool that checks hundreds of sources of security breaches. Tiger will use John the Ripper and chkrootkit.
You can run tiger directly or call it with the -H option, which will give you a neat HTML output that is easier to browse. The output is usually extremely detailed and contains a lot of information on how to harden the security of your server.
To get more information about a given section you can use:

tigexp fsys006a

The listed files are device files that are located in non-standard
locations. These should be checked. The variable FS_DEVDIRS can be
set in the 'tigerrc' file to specify other directories which can contain
device files.

4 – Virtualization – KVM

One great way to protect your server is to run a set of virtual machines.
Imagine you need to run a webserver with some specific experimental parameters and you want to make sure it’s not going to interfere with your production environment. Or you are making a script demo server with an administration interface available to anyone, with very high privileges on the system. Say a webmin server, for example.
Some funny guy decides to delete the whole system. Smart. But too bad, you managed to set up that system on a virtual machine. The machine was monitored by a little script on the host machine. If the machine becomes inaccessible, the script shuts down the virtual machine and restores a backup of it. The backup is a simple file of about 2Gb which contains everything needed. About 2 minutes after the smart guy tried to screw up everything, the machine is back online. Too bad…

KVM is now available with Ubuntu 8.10 Intrepid.

The first thing you need to do is to check if the CPU of your server supports virtualization:

egrep '(vmx|svm)' --color=always /proc/cpuinfo

Then you can install the needed packages:

apt-get install kvm libvirt-bin ubuntu-vm-builder qemu bridge-utils

More information

5 – Nessus

Nessus is ranked the world’s best security tool by the website insecure.org.
Nessus is what we call a vulnerability assessment tool. It’s not free for commercial use, but it’s OK for home use. It is very well supported and developed. More than 20,000 plugins are available…

More information

References:

http://ubuntuforums.org/showthread.php?t=510812
http://sectools.org/
http://www.nessus.org/nessus/
http://help.ubuntu.com/community/KVM
http://www.webmin.com/
http://en.wikipedia.org/wiki/Fail2ban
http://www.fail2ban.org
http://www.backup-manager.org

Closing a Thickbox

Thickbox is this great JavaScript framework that helps you show pictures or have an iframe clearly visible on your website.

For example it can be used to create a disclaimer to be displayed when entering a website.

In order to redirect your visitor to an external website if he doesn’t comply with the disclaimer requirement, or to just give access to your website, you need to close the Thickbox.

Easy:

<h2><a href="#" onclick="self.parent.tb_remove();self.parent.location='http://www.google.com'">I do <u>not</u> agree</a></h2>

<h2><a href="#" onclick="self.parent.tb_remove();self.parent.location='/'">I agree</a></h2>

Random String Function

A simple function to create a random string.

<?php
// Builds a string of $length characters drawn from digits and consonants
// (no vowels, so accidental words are unlikely).
function generateString ($length = 8)
{
  $string = "";
  $possible = "0123456789bcdfghjkmnpqrstvwxyz";
  $i = 0;
  while ($i < $length) {
    // mt_rand() is a Mersenne Twister: fast, but its output is predictable,
    // so strings made this way must not be used as secrets or session tokens.
    $char = substr($possible, mt_rand(0, strlen($possible)-1), 1);
    $string .= $char;
    $i++;
  }
  return $string;
}
?>

A bit more elegant:

<?php
// Returns an md5 hex digest of a uniqid() value, truncated to $length characters
// (the full 32-character digest when $length is empty). uniqid() is clock-based
// and rand() is a weak PRNG, so the result is unique but not unguessable.
function getUniqueCode($length = 8)
{
  $code = md5(uniqid(rand(), true));
  if ($length != "") return substr($code, 0, $length);
  else return $code;
}
?>
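Both functions above rely on mt_rand(), rand() and uniqid(), whose output can be predicted, so they are fine for file names but not for session ids, password-reset links or coupon codes. As an added example (not the original post's code), here are CSPRNG-based replacements for generateString() and getUniqueCode(), assuming PHP 7.0 or later for random_int() and random_bytes():

```php
<?php
// Added example: CSPRNG-based replacements for generateString() and getUniqueCode().
// Assumes PHP >= 7.0 (random_int / random_bytes). Not the original post's code.

// Same alphabet as the post (digits plus consonants), but every character is
// picked with random_int(), which reads the OS CSPRNG and is uniform over the
// range, so the result is neither predictable nor biased towards some characters.
function generateSecureString(int $length = 8): string
{
    $possible = "0123456789bcdfghjkmnpqrstvwxyz";
    $max = strlen($possible) - 1;
    $string = "";
    for ($i = 0; $i < $length; $i++) {
        $string .= $possible[random_int(0, $max)];
    }
    return $string;
}

// Replacement for getUniqueCode(): md5(uniqid(rand(), true)) is derived from the
// clock and a weak PRNG and can be guessed; random_bytes() cannot.
// $length is the number of hex characters wanted (32 matches an md5 hex digest).
function getSecureCode(int $length = 32): string
{
    if ($length <= 0) {
        throw new InvalidArgumentException("length must be positive");
    }
    // Each byte yields two hex characters: round up, then trim to the exact length.
    $hex = bin2hex(random_bytes(intdiv($length + 1, 2)));
    return substr($hex, 0, $length);
}

// When the code is later checked against the stored one, compare in constant
// time so the response time does not reveal how many leading characters matched.
function codeMatches(string $stored, string $supplied): bool
{
    return hash_equals($stored, $supplied);
}

// Quick self-check (run with: php secure_random.php)
$s = generateSecureString(12);
$c = getSecureCode(16);
assert(strlen($s) === 12 && preg_match('/^[0-9bcdfghjkmnpqrstvwxyz]{12}$/', $s) === 1);
assert(strlen($c) === 16 && ctype_xdigit($c));
assert(codeMatches($c, $c) && !codeMatches($c, getSecureCode(16)));
echo "$s $c\n";
```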

php imagerotate function on ubuntu hardy

It looks like many people are having problems with the imagerotate function from the gd library in PHP.
It also looks like the PHP guys have made a fork of the gd library and included a heavily customised version of it in PHP. Our problem is that the Ubuntu guys decided to get rid of imagerotate and some other functions for security reasons. Fair enough, but how do I make it work now??

Here is how I do it on my server.

apt-get install build-essential

will install what you need to compile the original version of the php-gd library.

Get the sources of the version of php that you have on your server from the php.net website.

wget blabla

Install some extra libraries needed during the compilation:

apt-get install libxml2 libxml2-dev libjpeg libjpeg62 libjpeg62-dev

Uncompress the php tar.bz2 archive:

tar xjvf php-5.2.4.tar.bz2
cd php-5.2.4

Run the configure script and make sure you enable gd as a shared library:

./configure --enable-shared=gd --with-jpeg-dir

Then compile:

make

Wait some time…
Once this is done, you should be able to go to the ./modules directory and find your gd.so file.
Then type:

locate gd.so

If you don’t get any answer, try refreshing your locate database with updatedb.
Once you know where gd.so is supposed to be, make a backup of the existing gd.so and copy the one you just created in its place.
Then you can restart your apache server.

To check whether the new functions are working, you can type this:

php -r "var_dump(function_exists('imagerotate'));"
php -r "var_dump(function_exists('imagecreatefromjpeg'));"

You can try with several other functions.