Saturday, March 13, 2010
iptables
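#icmp-type 8 echo-request
# Stateful ICMP echo (ping) policy.  iptables evaluates a chain in order and
# every rule here is appended (-A), so an echo-request that already matched
# one of the ACCEPT rules below is accepted before either DROP rule is
# consulted; append the DROPs first (or insert them with -I) if they must win.
#incoming ping packets: echo-request in, echo-reply out
SERVER_IP="192.168.154.7"
iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -d "$SERVER_IP" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -s "$SERVER_IP" -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#outgoing ping packets: echo-request out, echo-reply in
# NOTE(review): SERVER_IP is reassigned to a different address here than for
# the incoming rules -- confirm which one is this host's own address.
SERVER_IP="192.168.154.4"
iptables -A OUTPUT -p icmp --icmp-type 8 -s "$SERVER_IP" -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -s 0/0 -d "$SERVER_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT
#disable outgoing ICMP request (echo-request addressed to HOST_TO_BLOCK is dropped)
HOST_TO_BLOCK="192.168.154.4"
iptables -A OUTPUT -p icmp --icmp-type 8 -s 0/0 -d "$HOST_TO_BLOCK" -j DROP
#disable incoming ICMP request (echo-request coming from HOST_TO_BLOCK is dropped)
# Inbound packets traverse INPUT, not OUTPUT: the original rule was appended to
# OUTPUT (and had the space after -s missing), so it could never match an
# incoming echo-request.
HOST_TO_BLOCK="192.168.154.7"
iptables -A INPUT -p icmp --icmp-type 8 -s "$HOST_TO_BLOCK" -d 0/0 -j DROP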
SQL HARDENING
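# Dedicated unprivileged account for the MySQL daemon: no usable home directory
# (/dev/null) and no login shell, so it cannot be used interactively.
groupadd mysql
# POSIX option parsing expects options before the operand, so the login name
# goes last (the original put it first).
useradd -c "MySQL Server" -d /dev/null -g mysql -s /sbin/nologin mysql
#compiling and installing MySQL in the /usr/local/mysql directory:
#  --prefix                 install tree
#  --with-mysqld-user       account the daemon runs as (created above)
#  --with-unix-socket-path  where the client socket is created
#  --with-mysqld-ldflags    static link, which eases the chroot step later on
./configure --prefix=/usr/local/mysql --with-mysqld-user=mysql --with-unix-socket-path=/tmp/mysql.sock --with-mysqld-ldflags=-all-static
make
# `su` opens an interactive root shell; the steps from here on are typed into
# that shell -- when this is saved as a script they will NOT run as root
# automatically.
su
make install
# drop the symbol table from the daemon binary
strip /usr/local/mysql/libexec/mysqld
# create the initial grant tables (run from the source tree, hence the relative path)
scripts/mysql_install_db
# whole tree owned by root and group mysql; only the data directory (var) is
# owned by the mysql account, so the daemon can write nothing else
chown -R root /usr/local/mysql
chown -R mysql /usr/local/mysql/var
chgrp -R mysql /usr/local/mysql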
#The --with-mysqld-ldflags=-all-static parameter causes the MySQL server to be linked statically, which will simplify the process of chrooting the server.
#The remaining parameters install the software in the /usr/local/mysql directory, run the MySQL daemon with the privileges of the mysql account, and create the mysql.sock socket in the /tmp directory.
#size of the database =medium: my-medium.cnf is the sample configuration used
# install(1) copies the template and sets owner root:sys and mode 644 in one
# step, the same result as cp followed by chown and chmod.
install -o root -g sys -m 644 support-files/my-medium.cnf /etc/my.cnf
#start the MySQL server in the background
/usr/local/mysql/bin/mysqld_safe &
#establishing a connection with the database: /usr/local/mysql/bin/mysql -u root mysql
#Once the connection is successfully established, we can shut the database down again
/usr/local/mysql/bin/mysqladmin -u root shutdown
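#securing MySQL is to prepare the chrooted environment, in which the MySQL server will run
#preparing the chrooted environment
# Jail root and the install prefix it mirrors; every path below is built from
# these two so the layout can be moved without editing each line.
CHROOT="/chroot/mysql"
MYSQL_HOME="/usr/local/mysql"
# directory skeleton the statically linked mysqld needs inside the jail
mkdir -p "$CHROOT/dev"
mkdir -p "$CHROOT/etc"
mkdir -p "$CHROOT/tmp"
mkdir -p "$CHROOT/var/tmp"
mkdir -p "$CHROOT$MYSQL_HOME/libexec"
mkdir -p "$CHROOT$MYSQL_HOME/share/mysql/english"
#access rights to the above directories: root-owned and world-readable, with a
#sticky world-writable tmp (the socket is created there)
chown -R root:sys "$CHROOT"
chmod -R 755 "$CHROOT"
chmod 1777 "$CHROOT/tmp"
#Next, the following files have to be copied into the new directory structure:
cp "$MYSQL_HOME/libexec/mysqld" "$CHROOT$MYSQL_HOME/libexec/"
cp "$MYSQL_HOME/share/mysql/english/errmsg.sys" "$CHROOT$MYSQL_HOME/share/mysql/english/"
cp /etc/hosts "$CHROOT/etc/"
cp /etc/host.conf "$CHROOT/etc/"
cp /etc/resolv.conf "$CHROOT/etc/"
cp /etc/group "$CHROOT/etc/"
# this copy carries every account's password hash until it is trimmed (next step)
cp /etc/master.passwd "$CHROOT/etc/passwords"
cp /etc/my.cnf "$CHROOT/etc/"
#From the files: $CHROOT/etc/passwords and $CHROOT/etc/group we must remove all the lines except the mysql account and group
#Next, we have to build the password database as follows
# pwd_mkdb resolves its file operand against the cwd, so the cd must succeed
cd "$CHROOT/etc" || exit 1
pwd_mkdb -d "$CHROOT/etc" passwords
# remove the clear-text master.passwd that pwd_mkdb installs next to the .db
# files (a single file, so -f is enough; -r is not needed)
rm -f "$CHROOT/etc/master.passwd"
#creating a special device file /dev/null:
# The original fused these two commands on one line.  ls shows the device's
# major/minor numbers on this host; the pair given to mknod (2 2 here) must
# match what ls prints.
ls -al /dev/null
mknod "$CHROOT/dev/null" c 2 2
chown root:sys "$CHROOT/dev/null"
chmod 666 "$CHROOT/dev/null"
#We must also copy the mysql database, which contains grant tables created during MySQL installation:
cp -R "$MYSQL_HOME/var/" "$CHROOT$MYSQL_HOME/var"
chown -R mysql:mysql "$CHROOT$MYSQL_HOME/var"
#test if it runs correctly by executing the following command
chrootuid "$CHROOT" mysql "$MYSQL_HOME/libexec/mysqld" &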
#Two copies of my.cnf now exist: /chroot/mysql/etc/my.cnf is read by the MySQL server and /etc/my.cnf by the MySQL tools (mysqladmin, mysql, mysqldump)
#To disable listening on the 3306/tcp port, the following parameter should be added to the [mysqld] section of /chroot/mysql/etc/my.cnf:
skip-networking
#disable the use of LOAD DATA LOCAL INFILE command
#To limit what SQL injection vulnerabilities in PHP applications can reach, the following parameter should be added in the [mysqld] section of /chroot/mysql/etc/my.cnf:
set-variable=local-infile=0
#in the [client] section of /etc/my.cnf
socket = /chroot/mysql/tmp/mysql.sock
#changing the database administrator's password
MYSQL_BIN="/usr/local/mysql/bin"
# bring the jailed server up again in the background so a client can connect
chrootuid /chroot/mysql mysql /usr/local/mysql/libexec/mysqld &
#and change the administrator's password as follows (interactive client
#session; no -p is given because root has no password yet at this point):
"$MYSQL_BIN/mysql" -u root
mysql> SET PASSWORD FOR root@localhost=PASSWORD('new_password');
#Remove default users/db ,sample database (test) and all accounts except the local root account
mysql> drop database test;
mysql> use mysql;
mysql> delete from db;
mysql> delete from user where not (host="localhost" and user="root");
mysql> flush privileges;
mysql> update user set user="mydbadmin" where user="root";
mysql> flush privileges;
#remove the content of the MySQL history file (~/.mysql_history)
# The SET PASSWORD statement typed above is recorded there in clear text, so
# the file is truncated; ':' with a redirect empties it without spawning cat.
: > ~/.mysql_history
#It should be emphasized that these accounts should have access rights only to the databases which are used by the PHP applications
#They should not have any access rights to the mysql database, nor any administrative privileges (FILE, GRANT, ALTER, SHOW DATABASE, RELOAD, SHUTDOWN, PROCESS, SUPER)