Choosing a correct password, and both informing users about password security and enforcing it, is an important task for the administrator. Security is built upon passwords, so close attention should be paid to making passwords an effective security tool.
Aspects of a Good Password
1. 8 characters or more
2. use numbers in the password
3. use letters in the password
4. use mixed case (upper and lower) in the password
5. avoid dictionary words
These five aspects are critical because software programs can employ “brute force” tactics to try to guess passwords on your network. Following the five aspects above will make it more difficult to crack your passwords. On most systems security begins at the user level, and one of the most important aspects of user security is the user password. A lot of security can go down the drain with poor passwords that are easily cracked. The important elements of a user password are its length, its randomness, and the forced creation of new passwords at regular intervals. Most users resist all of these elements.
The longer a password is, the harder it is to crack, so all passwords should be at least 8 characters long. In addition, passwords should not be based on dictionary words; they should be random. One way to make secure passwords is to build them from phrases that are familiar to you. For example, the phrase “I live at 101 Maple Street in Phoenix Arizona” could be turned into the password
This is a password built from the first letter of each word of the phrase. Remember that Linux passwords are case sensitive.
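The five aspects listed above can be checked mechanically before a password is accepted. The following is an added example written for this page, not code from the original post; it uses a tiny constructed word list in place of a real dictionary file (loading /usr/share/dict/words or a cracking wordlist instead is an assumption about your setup) and strips digits and punctuation before the dictionary lookup so that a word with a number bolted on is still caught.

```python
"""Check a candidate password against the five aspects of a good password.

Added example for this page, not code from the original post.  DICTIONARY is
a constructed stand-in; in practice load /usr/share/dict/words or a cracking
wordlist (assumption about where a real word list would come from).
"""
import string

# Constructed sample of dictionary words for the demonstration.
DICTIONARY = {"password", "maple", "phoenix", "arizona", "street", "welcome"}

MIN_LENGTH = 8


def check_password(candidate, dictionary=DICTIONARY):
    """Return the list of aspects the candidate fails; empty means all five pass."""
    failures = []
    # 1. length
    if len(candidate) < MIN_LENGTH:
        failures.append("shorter than %d characters" % MIN_LENGTH)
    # 2. numbers
    if not any(c in string.digits for c in candidate):
        failures.append("no digits")
    # 3. letters
    if not any(c in string.ascii_letters for c in candidate):
        failures.append("no letters")
    # 4. mixed case (Linux passwords are case sensitive, so this adds real strength)
    has_lower = any(c.islower() for c in candidate)
    has_upper = any(c.isupper() for c in candidate)
    if not (has_lower and has_upper):
        failures.append("not mixed case")
    # 5. not a dictionary word: compare the alphabetic core so "Maple123" is
    #    still recognised as "maple"
    core = "".join(c for c in candidate if c.isalpha()).lower()
    if core in dictionary or candidate.lower() in dictionary:
        failures.append("based on a dictionary word")
    return failures


def is_acceptable(candidate, dictionary=DICTIONARY):
    """True when the candidate satisfies every aspect."""
    return not check_password(candidate, dictionary)


if __name__ == "__main__":
    for pw in ("maple", "Maple123", "12345678", "Tq7!rz9Lm"):
        print("%-12s %s" % (pw, check_password(pw) or "ok"))
```

The list of failures, rather than a bare yes/no, is what you would feed back to the user so they understand which rule they missed; a PAM module such as pam_cracklib applies the same kind of rules at login time.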
Password management lets you force password changes, or have the account automatically disabled, after a set period of time. It is a good idea to force users to change their passwords at regular intervals; of course this is even more important for administrators. The downside is that users who are forced to change passwords often tend to forget them, which can create a worse situation.
Ubuntu is trying to break into the server market. Indeed, as I talk with companies moving to Linux on a weekly basis, over 50% of them want to move to Ubuntu as the server of choice. If Ubuntu 8.04 is the server of choice of so many, and if Ubuntu wants so desperately to move into the server market, then you would expect Ubuntu to have server quality options easily available on the Ubuntu install. What I cannot understand then is why RAID tools are not available, why Logical Volume Management version 2 (LVM2) is not installed, and why Access Control Lists for the file system are also not installed on the server. All of these can easily be installed and upgraded, but my question is…why not by default?
Note: With 8.04.1 some of these issues like LVM2 have been updated, the original install DID NOT have LVM2.
If you want to create RAID on Ubuntu you will need to install the RAID tools before you can do so; I am talking about software RAID here. You do have access to tools to set up RAID during installation, but the mdadm program is not installed by default. So if you want to set up RAID after the installation, you need to add it first so you have the tools:
sudo apt-get install mdadm
Install LVM2 on Ubuntu
Ubuntu does not have LVM2 installed by default…why? If Ubuntu wants to move into the server market, why not have lvm2 installed by default like RHEL 5 or CentOS 5? It can easily be added with this command:
sudo apt-get install lvm2
Access Control Lists
Access Control Lists (ACLs) allow you to give different users different levels of access to files and folders. Red Hat Enterprise Linux 5 and CentOS 5 enable ACLs on the file system by default. This feature allows you to set up a file that one user can read, other users cannot read, and yet other users can both read and write. This was not possible with standard permissions.
sudo apt-get install acl
If Ubuntu really wants to break into the server market, they will need to install by default the features that the server market really wants to use, specifically RAID tools, LVM2 and ACLs. Until they make this transition, many will not take them seriously in the server arena.
Joomla is a very popular content management system that uses PHP and MySQL. It has a history of security issues, so this series of articles will focus on how to protect Joomla from many of these attacks. The first article is about using a reverse proxy server to stop attempts to inject SQL strings into the database and compromise the site.
Joomla 1.5.1 added support for running behind a reverse proxy: it has an optional livesite parameter so that all features work properly when requests arrive through the proxy.
“Squid can be placed in front of an insecure web server to protect it from the outside world: not merely to stop unwanted clients from accessing the machine, but also to stop people from exploiting bugs in the server code” (Squid-cache.org)
Using a Simple Reverse Proxy
There are many things you can do with Squid to provide additional security for your Joomla install, but this first article will just provide the basics which actually do a great deal to protect your web server with Joomla content. The Reverse Proxy with Squid is a separate box placed in front of your Joomla server. The Reverse Proxy will have a cache that will store the static content from your Joomla site and provide that cache for those who make requests. The advantage is a speed enhancement as the content is delivered from the cache not your Joomla server. The other real security advantage is that the SQL attacks will often be done on the cache content on the reverse proxy, not on the actual Joomla server. This one factor provides a real advantage to stopping many, not all, attacks on your server. The Reverse Proxy will basically minimize cross-site scripting exploits that are common.
Examples of Security Issues
SANS Consensus Security Vulnerability Alerts
Here are a few that are mentioned in the Vulnerability Alerts:
08.08.28 – Joomla! MCQuiz Component “tid” Parameter SQL Injection
08.08.29 – Joomla! PAXXGallery Component “userid” Parameter SQL Injection
08.08.30 – Joomla! and Mambo “com_quiz” Component “tid” Parameter SQL Injection
08.08.32 – Joomla! and Mambo “com_smslist” Component “listid” Parameter SQL Injection
08.08.33 – Joomla! and Mambo “com_activities” Component “id” Parameter SQL Injection
08.08.34 – Joomla! and Mambo “com_sg” Component “pid” Parameter SQL Injection
08.08.35 – Joomla! and Mambo “faq” Component “catid” Parameter SQL Injection
08.08.39 – Joomla! and Mambo “com_salesrep” Component “rid” Parameter SQL Injection
08.08.40 – Joomla! and Mambo “com_lexikon” Component “id” Parameter SQL Injection
08.08.41 – Joomla! and Mambo “com_filebase” Component “filecatid” Parameter SQL Injection
08.08.42 – Joomla! and Mambo “com_scheduling” Component “id” Parameter SQL Injection
08.08.44 – Joomla! and Mambo “com_galeria” Component “id” Parameter SQL Injection
08.08.45 – Joomla! and Mambo “com_jooget” Component “id” Parameter SQL Injection
08.08.47 – Joomla! and Mambo Quran Component SQL Injection
08.08.49 – Joomla! and Mambo Portfolio Manager Component “categoryId” Parameter SQL Injection
08.08.50 – astatsPRO com_astatspro Component “id” Parameter SQL Injection
08.08.51 – Joomla! and Mambo com_profile Component “oid” Parameter SQL Injection
08.08.52 – Joomla! and Mambo com_detail Component “id” Parameter SQL Injection
08.08.56 – Joomla! and Mambo com_downloads Component “cat” Parameter SQL Injection
08.08.59 – Joomla! and Mambo “com_pccookbook” Component “user_id” Parameter SQL Injection
08.08.63 – Joomla! and Mambo “com_team” Component SQL Injection
08.08.64 – Joomla! and Mambo com_iigcatalog Component “cat” Parameter SQL Injection
08.08.65 – Joomla! and Mambo com_formtool Component “catid” Parameter SQL Injection
08.08.67 – Joomla! and Mambo com_genealogy Component “id” Parameter SQL Injection
08.08.68 – iJoomla com_magazine Component “pageid” Parameter SQL Injection
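Nearly every alert in that list has the same root cause: a numeric request parameter (“id”, “catid”, “tid”, …) pasted straight into a SQL statement. A reverse proxy can only screen the requests it recognises, so the durable fix belongs in the component code. The following is an added example written for this page, not code from Joomla or from any component named above; it uses an in-memory SQLite table with constructed rows standing in for a component's table, and places the vulnerable query pattern beside the hardened one so the difference in behaviour can be observed.

```python
"""Vulnerable versus hardened lookup of an "id" request parameter.

Added example for this page, not code from Joomla or any listed component.
The table and rows are constructed; the web layer is simplified away and
raw_id stands for whatever arrived in the query string.
"""
import sqlite3

# Constructed sample data: two published articles and one unpublished draft.
ROWS = [
    (1, "Welcome", 1),
    (2, "Second post", 1),
    (3, "Draft, not public", 0),
]


def make_db():
    """Build the in-memory table that stands in for a component's table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE content (id INTEGER, title TEXT, published INTEGER)")
    con.executemany("INSERT INTO content VALUES (?, ?, ?)", ROWS)
    return con


def fetch_vulnerable(con, raw_id):
    """The pattern behind the alerts above: the request parameter becomes
    part of the SQL text, so whatever it contains is parsed as SQL.  The
    'published = 1' restriction can therefore be bypassed by the caller."""
    sql = "SELECT id, title FROM content WHERE published = 1 AND id = " + raw_id
    return con.execute(sql).fetchall()


def fetch_hardened(con, raw_id):
    """Two independent defences: reject anything that is not an integer, and
    bind the value as a parameter so it is never interpreted as SQL."""
    try:
        article_id = int(raw_id)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer")
    sql = "SELECT id, title FROM content WHERE published = 1 AND id = ?"
    return con.execute(sql, (article_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(fetch_hardened(db, "1"))      # [(1, 'Welcome')]
    print(fetch_hardened(db, "3"))      # [] because the draft is unpublished
```

Either defence alone closes the hole; using both means a later refactor that drops one of them does not silently reopen it. When reviewing a component, the audit question is simply whether any request value reaches a query through string concatenation rather than a bound parameter.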
Apache 2.2.8 is the version that ships with Ubuntu 8.04. There are several meaningful changes. One of them is a much smaller apache2.conf configuration file: when you look at apache2.conf you will see that it now contains only the global configuration options. The config file is only 298 lines, as you can see in the example.
291 # Include of directories ignores editors' and dpkg's backup files,
292 # see README.Debian for details.
294 # Include generic snippets of statements
295 Include /etc/apache2/conf.d/
297 # Include the virtual host configurations:
298 Include /etc/apache2/sites-enabled/
Note the modular support, which was available in the past as well but is now more important to understand. The Include statements fill out the configuration with the options in /etc/apache2/conf.d/, so applications can add features to Apache without directly modifying apache2.conf. Also note that the configuration for virtual servers is found in /etc/apache2/sites-enabled. The entries there are symbolic links to the files you actually edit in /etc/apache2/sites-available.
The apache2.conf file also contains Include statements that control the ports the web server listens on and the modules it loads. The mods-enabled directory contains the modules that have been made available to the web server. The httpd.conf file is kept for compatibility with configurations you may have carried over from Red Hat or CentOS based distros.
184 # Include module configuration:
185 Include /etc/apache2/mods-enabled/*.load
186 Include /etc/apache2/mods-enabled/*.conf
188 # Include all the user configurations:
189 Include /etc/apache2/httpd.conf
191 # Include ports listing
192 Include /etc/apache2/ports.conf
The other Include line you see pulls in ports.conf, which sets the ports available to the web server. Looking at that file you can see the default is port 80, with 443 as the SSL option.
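Because the effective configuration is spread over several Include chains, it helps to trace what Apache will actually see. The following is an added example written for this page, not part of Debian's or Apache's own tooling; it resolves the Include directives from the excerpts above against a constructed in-memory copy of the /etc/apache2 layout. The list of backup-file suffixes it skips is an assumption modelled on the “ignores editors' and dpkg's backup files” comment in apache2.conf, and the sample file contents are constructed.

```python
"""Trace how apache2.conf is assembled from its Include directives.

Added example for this page, not part of Apache or Debian.  FILES is a
constructed stand-in for /etc/apache2 on Ubuntu 8.04; BACKUP_SUFFIXES is an
assumption about which names count as editors' and dpkg's backup files.
"""
import fnmatch
import posixpath

FILES = {
    "/etc/apache2/apache2.conf": """\
ServerRoot "/etc/apache2"
# Include module configuration:
Include /etc/apache2/mods-enabled/*.load
Include /etc/apache2/mods-enabled/*.conf
# Include ports listing
Include /etc/apache2/ports.conf
# Include generic snippets of statements
Include /etc/apache2/conf.d/
# Include the virtual host configurations:
Include /etc/apache2/sites-enabled/
""",
    "/etc/apache2/mods-enabled/alias.load": "LoadModule alias_module /usr/lib/apache2/modules/mod_alias.so\n",
    "/etc/apache2/mods-enabled/alias.conf": 'Alias /icons/ "/usr/share/apache2/icons/"\n',
    "/etc/apache2/mods-enabled/status.load": "LoadModule status_module /usr/lib/apache2/modules/mod_status.so\n",
    "/etc/apache2/ports.conf": "Listen 80\nListen 443\n",
    "/etc/apache2/conf.d/charset": "AddDefaultCharset UTF-8\n",
    "/etc/apache2/conf.d/charset~": "AddDefaultCharset ISO-8859-1\n",   # editor backup, must be skipped
    "/etc/apache2/sites-enabled/000-default": "NameVirtualHost *\n",
}

# Assumed backup-name conventions (editor '~', dpkg conffile leftovers).
BACKUP_SUFFIXES = ("~", ".bak", ".dpkg-old", ".dpkg-dist", ".dpkg-new")


def _is_backup(name):
    return name.endswith(BACKUP_SUFFIXES) or name.startswith((".", "#"))


def _listdir(directory, files=FILES):
    """Sorted names of the entries directly inside a directory of the fake tree."""
    prefix = directory.rstrip("/") + "/"
    names = {p[len(prefix):] for p in files
             if p.startswith(prefix) and "/" not in p[len(prefix):]}
    return sorted(names)


def expand_include(target, files=FILES):
    """Turn one Include argument into the ordered list of files it pulls in."""
    is_dir = target.endswith("/") or (
        target not in files and any(p.startswith(target + "/") for p in files))
    if is_dir:
        directory = target.rstrip("/")
        return [posixpath.join(directory, n) for n in _listdir(directory, files)
                if not _is_backup(n)]
    directory, pattern = posixpath.split(target)
    if any(ch in pattern for ch in "*?["):
        return [posixpath.join(directory, n) for n in _listdir(directory, files)
                if fnmatch.fnmatch(n, pattern)]
    return [target] if target in files else []


def resolve(path, files=FILES, _stack=()):
    """Return (source_file, directive) pairs in the order Apache would read them."""
    if path in _stack:
        raise ValueError("Include loop via %s" % path)
    result = []
    for line in files[path].splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "include" and len(parts) == 2:
            for inc in expand_include(parts[1].strip(), files):
                result.extend(resolve(inc, files, _stack + (path,)))
        else:
            result.append((path, line))
    return result


def enabled_modules(path="/etc/apache2/apache2.conf", files=FILES):
    """Module names pulled in through the mods-enabled chain, handy for an audit."""
    return [d.split()[1] for _, d in resolve(path, files) if d.startswith("LoadModule ")]


if __name__ == "__main__":
    for source, directive in resolve("/etc/apache2/apache2.conf"):
        print("%-45s %s" % (source, directive))
```

The same walk against the real tree (replace the dictionary with file reads and os.listdir) tells you which file a surprising directive came from, and enabled_modules is a quick way to confirm that only the modules you expect are loaded.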
The MPMs (multi-processing modules) are an additional feature of Apache's modular design that makes it more flexible across operating systems and more scalable for servers. The prefork MPM is the default for Ubuntu 8.04 and provides basic settings that can be modified to help your server scale to whatever load you need to handle. Your Apache web server starts with 5 server processes running by default. Each user who comes to your server needs an instance of Apache to be able to view your site. That is why 5 are started immediately: when users arrive there are servers already in memory, which speeds up the process of serving your site. If 10 people came at the same time, five new servers would have to be started, which takes time and is noticeable to those trying to view your site. Part of the scalability question is deciding how many people will be on your site at one time. Just remember that each instance of Apache takes resources from your hardware, especially RAM, so make sure the machine has sufficient RAM. If your site is not very busy you could reduce the “StartServers” number to 3 and save on resources. If it is very busy you may need to increase it to 20, etc. You will need to modify the minimum and maximum numbers as well for your server. The whole idea is to provide excellent scalability for your particular needs.
# prefork MPM
# StartServers: number of server processes to start
# MinSpareServers: minimum number of server processes which are kept spare
# MaxSpareServers: maximum number of server processes which are kept spare
# MaxClients: maximum number of server processes allowed to start
# MaxRequestsPerChild: maximum number of requests a server process serves
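The settings above interact: the spare-server window bounds StartServers, and MaxClients multiplied by the size of one child must fit in RAM, otherwise a burst of visitors pushes the box into swap and the site stalls for everyone. The following is an added example written for this page, not part of Apache; it parses a constructed copy of the prefork block and checks it against a RAM budget. The per-child memory figure and the reserve left for the kernel and other services are assumptions you would replace with numbers measured on your own server (for example the RSS column of ps for an apache2 child).

```python
"""Sanity-check a prefork MPM block against the RAM the server actually has.

Added example for this page, not part of Apache.  PREFORK_SAMPLE is a
constructed copy of the default block; per_child_mb and reserve_mb are
assumptions to be replaced with measured values.
"""
import re

PREFORK_SAMPLE = """
<IfModule mpm_prefork_module>
    StartServers          5
    MinSpareServers       5
    MaxSpareServers      10
    MaxClients          150
    MaxRequestsPerChild   0
</IfModule>
"""

DIRECTIVES = ("StartServers", "MinSpareServers", "MaxSpareServers",
              "MaxClients", "MaxRequestsPerChild")


def parse_prefork(text):
    """Extract the numeric prefork directives from a configuration fragment."""
    values = {}
    for name in DIRECTIVES:
        m = re.search(r"^\s*%s\s+(\d+)\s*$" % name, text, re.MULTILINE | re.IGNORECASE)
        if m:
            values[name] = int(m.group(1))
    missing = [n for n in DIRECTIVES if n not in values]
    if missing:
        raise ValueError("missing directives: %s" % ", ".join(missing))
    return values


def recommended_max_clients(ram_mb, per_child_mb, reserve_mb=256):
    """Largest MaxClients that keeps every child resident in RAM."""
    return max(1, (ram_mb - reserve_mb) // per_child_mb)


def check_prefork(values, ram_mb, per_child_mb, reserve_mb=256):
    """Return a list of warnings; an empty list means the block looks sane.

    ram_mb: physical memory; per_child_mb: measured size of one Apache child;
    reserve_mb: memory kept back for the kernel, MySQL, etc. (assumed default).
    """
    warnings = []
    start = values["StartServers"]
    lo, hi = values["MinSpareServers"], values["MaxSpareServers"]
    max_clients = values["MaxClients"]
    if lo > hi:
        # Apache silently corrects this to MinSpareServers + 1.
        warnings.append("MinSpareServers > MaxSpareServers; Apache will raise "
                        "MaxSpareServers to %d" % (lo + 1))
    if start < lo or start > hi:
        warnings.append("StartServers is outside the spare window, so children "
                        "are spawned or killed immediately after startup")
    if max_clients < start:
        warnings.append("MaxClients is below StartServers")
    affordable = recommended_max_clients(ram_mb, per_child_mb, reserve_mb)
    if max_clients > affordable:
        warnings.append("MaxClients %d exceeds the %d children that fit in RAM; "
                        "under load the server will swap" % (max_clients, affordable))
    if values["MaxRequestsPerChild"] == 0:
        warnings.append("MaxRequestsPerChild 0 never recycles children, so a "
                        "leaking module grows without bound")
    return warnings


if __name__ == "__main__":
    cfg = parse_prefork(PREFORK_SAMPLE)
    # Assumed box: 1 GB RAM, 20 MB per child.
    for w in check_prefork(cfg, ram_mb=1024, per_child_mb=20):
        print("warning:", w)
    print("recommended MaxClients:", recommended_max_clients(1024, 20))
```

On the assumed 1 GB machine the shipped MaxClients of 150 is roughly four times what fits in memory, which is exactly the configuration that turns a traffic spike into an outage; sizing MaxClients from RAM first and then tuning the spare window around it is the safer order.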
The interest in the Ubuntu Server is directly related to the interest in the Ubuntu Desktop.
As a Linux Trainer, I have access to as many as 75 different students each week. These students are typically IT people from small organizations who have a Windows administration background and now since their company sees the cost savings of Linux are moving to Linux Servers. A typical pattern that I see is people who have a GUI preference, little understanding of the Linux OS in general and want a fast easy path to managing a Linux Server. The other typical aspect of these users is that they have a Linux laptop loaded with, yep you guessed it, Ubuntu. Easily 75% use Ubuntu as a Desktop experiment.
No one argues too much that Ubuntu dominates the Linux Desktop. That is clearly seen in all of my contact with people that I train. So how does the experience with the Ubuntu Desktop impact a choice for a Server OS and should it?
The impact that the Desktop has on the Server choice is in the following:
1. Easy Administration
Sure everyone likes easy, and no one but an idiot wants hard. But can you label a text-only server as easy? Yes, installation is fast and slick, with one-click options for things like the LAMP install, but is that easy administration? No; it may be an easy install, but in reality CentOS is just as easy to install. I don’t know how many people have told me that they selected Ubuntu because the LAMP install was so easy. Well, with CentOS it is simply:
yum install php mysql-server
One command, but the perception is that CentOS is more difficult. It is just not so. My point is, there is no such thing as “Easy Administration”; Linux servers, especially from the command line, will take Windows based administrators some time to come up to speed on.
2. Community Based Support
Now this is a really interesting aspect. Red Hat probably has the largest and most fully developed paid support available for any Linux distro. Ubuntu’s paid support is not well known; in fact many users had no idea that it was an option. But paid support is not what Ubuntu Server admins are looking for. They are looking for FREE community based support. This is where Ubuntu shines. Their community based support, both at the Ubuntu site and across the Internet, is much better known than any other distro’s. This is the support that Ubuntu users are used to and what they think will be the answer for the server as well.
3. Cutting Edge Technology
Here is one of the major differences of philosophy between Red Hat/CentOS based servers and Ubuntu Servers. Red Hat/CentOS focus on very thorough testing of drivers and applications. Ubuntu, because they pride themselves on being on the cutting edge, focus on driver and application versions that, well…have not been as completely tested. Again, much of this acceptance is driven by Ubuntu Desktop users who chose Ubuntu because it better detects the wireless drivers for their laptop, and this cutting edge thinking has carried over to the server choice. Cutting edge is great, but you will certainly be exposing your server to greater risk of bugs and security issues with this type of focus.
4. Simple Security
Here again, Ubuntu’s lack of security focus is what draws users and what will eventually create serious issues for Ubuntu users. The “Uncomplicated Firewall” from Ubuntu is a good example. The attempt to create a firewall that is easy to manage is a misnomer. You just cannot do it…simple firewalls on a server are bad firewalls. What I mean is, you cannot just boil security for an Ubuntu server down into a few basic commands. One of the reasons administrators look at Ubuntu as an option is that it does not use the dreaded SELinux that Red Hat/CentOS uses by default. The fact that 90% of all Red Hat/CentOS servers have turned off SELinux seems to be lost on Red Hat people. The point is, users came to the Ubuntu Desktop because of its simple security, and now that carries over to the server.
So what’s my point?
I believe there is trouble on the horizon for Ubuntu administrators in general. Organizations that choose a server OS based on Simple Administration, Community Based Support, Cutting Edge Technology and Simple Security are likely to regret it. That is not to say that the Ubuntu Server is a bad choice. Organizations need to choose Ubuntu Server with a focus on training their administrators in the difficult aspects of server administration. They need to evaluate fee based support and reject the temptation to just “google” all of their solutions. Organizations must carefully evaluate whether they need cutting edge drivers and, if not, carefully eliminate applications that could be potential risks. And finally, businesses must get serious, very serious, about security. Security is not simple…it is hard work. If an organization will carefully evaluate these issues, their Ubuntu Server experience will be much more rewarding.