■ Installing Snort on the Sakura VPS
# apt-get install -y snort
# tail /var/log/snort/alert
[**] [1:527:8] BAD-TRAFFIC same SRC/DST [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
08/28-15:20:31.722756 0.0.0.0 -> 224.0.0.1
IGMP TTL:1 TOS:0xC0 ID:0 IpLen:24 DgmLen:32 DF
IP Options (1) => RTRALT
[Xref => http://www.cert.org/advisories/CA-1997-28.html][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0016][Xref => http://www.securityfocus.com/bid/2666]

The packet that tripped sid 527 is an IGMP query sent from 0.0.0.0 to the all-hosts multicast group 224.0.0.1 with the Router Alert option, i.e. the kind of membership query a router or hypervisor emits on the link. It is the same 224.0.0.1 traffic the firewall script further down drops explicitly.

■ Installing apache2
nginx would probably do as well, but since I plan to put authentication in front of it I'll go with the one that is easier to follow.
# apt-get install -y apache2
# a2ensite default-ssl
Enabling site default-ssl.
To activate the new configuration, you need to run:
  service apache2 reload
# a2enmod ssl
Enabling module ssl.
See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
  service apache2 restart
# /etc/init.d/apache2 restart
[ ok ] Reloading web server config: apache2.
# netstat -an | grep "\:80 \|\:443"
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN

The default-ssl site uses the self-signed certificate Debian generates at install time, which is why the HTTPS check from the client later in this post warns about the certificate identity.

■ Changing the Postfix port
Since I was still in the trial period, I set things up for OB25 (outbound port 25 blocking).
"Cannot send mail from Sakura VPS"
http://sakura.custhelp.com/app/answers/detail/a_id/1378
"Is the submission port (port 587) supported?"
http://sakura.custhelp.com/app/answers/detail/a_id/1196/related/1/session/L2F2LzEvdGltZS8xNDA5MjEzOTY1L3NpZC9Na240RFkqbA%3D%3D

■ The stanza's options can impose various restrictions, but this time I only enable it.
# grep "submission\|^smtp.*smtpd\$" /etc/postfix/master.cf
smtp      inet  n       -       -       -       -       smtpd
#submission inet n       -       -       -       -       smtpd
#  -o syslog_name=postfix/submission
# sed -i s/"^smtp.*smtpd\$"/"#&"/ /etc/postfix/master.cf; \
sed -i s/"#\(submission.*\)"/"\1"/ /etc/postfix/master.cf; \
postfix check && /etc/init.d/postfix reload
[ ok ] Reloading Postfix configuration...done.

Two things to keep in mind with this edit. First, commenting out the smtp listener stops Postfix from accepting on port 25 at all, so other MTAs, which deliver on 25, can no longer hand mail to this server; that is fine for a box that only needs to take submissions from its owner. Second, the pattern in the second sed is not anchored to the start of the line, so it strips the "#" from any line containing "#submission"; check that only the listener line matches before running it on a customised master.cf. Since none of the -o options are enabled, port 587 behaves exactly like port 25 did: no STARTTLS or authentication is required.
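The hardened form of the same change, as an added example that is not from the original post: it performs the edit on a constructed copy of the Debian master.cf lines, but also uncomments the TLS and SASL options that Debian ships in the stanza, so that port 587 only accepts mail over STARTTLS from authenticated clients, and it verifies the result instead of trusting the sed. The two-space indentation of the "-o" lines and the sample file contents are assumptions based on the Debian layout.

```shell
#!/bin/sh
# Added example, not from the original post: move Postfix from the port-25
# listener to a submission listener that requires TLS and SASL auth, then
# check the result. Runs on a constructed copy of the Debian master.cf stanza.
set -eu

# Constructed copy of the relevant lines as Debian ships them in master.cf.
make_sample_master_cf() {
    cat > "$1" <<'EOF'
smtp      inet  n       -       -       -       -       smtpd
#submission inet n       -       -       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
EOF
}

# Comment out the plain "smtp" listener (anchored, so only the listener line
# matches), uncomment the submission stanza and its TLS/SASL options.
# The result goes to a temp file first so a failed sed never leaves a
# half-edited master.cf behind.
enable_submission() {
    f="$1"
    sed -e 's/^smtp[[:space:]].*smtpd$/#&/' \
        -e 's/^#\(submission[[:space:]]\)/\1/' \
        -e 's/^#\(  -o syslog_name=postfix\/submission\)/\1/' \
        -e 's/^#\(  -o smtpd_tls_security_level=encrypt\)/\1/' \
        -e 's/^#\(  -o smtpd_sasl_auth_enable=yes\)/\1/' \
        -e 's/^#\(  -o smtpd_client_restrictions=permit_sasl_authenticated,reject\)/\1/' \
        "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Succeeds only when 25 is off, 587 is on, and 587 demands TLS plus auth.
check_submission() {
    f="$1"
    grep -q '^#smtp[[:space:]]' "$f" || return 1
    grep -q '^submission[[:space:]]' "$f" || return 1
    grep -q '^  -o smtpd_tls_security_level=encrypt' "$f" || return 1
    grep -q '^  -o smtpd_sasl_auth_enable=yes' "$f" || return 1
    grep -q '^  -o smtpd_client_restrictions=permit_sasl_authenticated,reject' "$f" || return 1
}

# Stand-alone run on a scratch copy; on a real server point enable_submission
# at /etc/postfix/master.cf and follow it with "postfix check" and a reload.
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    make_sample_master_cf "$f"
    enable_submission "$f"
    check_submission "$f" && echo "submission enabled with TLS+SASL" || echo "check failed"
    cat "$f"
    rm -f "$f"
fi
```

smtpd_sasl_auth_enable=yes only works once a SASL backend is configured in main.cf (smtpd_sasl_type and smtpd_sasl_path), and smtpd_tls_security_level=encrypt needs a certificate; Debian's packaged main.cf already points at the self-signed snakeoil certificate. Until the backend is in place clients cannot submit at all, so do this before relying on 587 for real mail. With these options the unauthenticated telnet test later in this post would be rejected, which is exactly the point.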
# netstat -an | grep "\:.*25\|587"
tcp        0      0 127.0.0.1:10025         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN

■ Disabling IPv6
# echo "options ipv6 disable=1" > /etc/modprobe.d/disable-ipv6.conf
# modprobe -c | grep "^options ipv6"
options ipv6 disable=1
# grep "^net.ipv6" /etc/sysctl.conf
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
# sysctl -p
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
# shutdown -r now && exit
# netstat -an | grep ^[tu][cd]p6
udp6       0      0 :::123                  :::*

Note that ntpd still opens a udp6 socket on 123 after the reboot. The sysctl settings remove the IPv6 addresses from the interfaces, so nothing can reach it, but it shows that "IPv6 disabled" is something to confirm with netstat rather than assume.

■ Disabling root login over sshd
# sed -i s/"\(PermitRootLogin \)yes"/"\1no"/ /etc/ssh/sshd_config
# /etc/init.d/ssh restart
[ ok ] Restarting OpenBSD Secure Shell server: sshd.

The sed only rewrites a line that reads exactly "PermitRootLogin yes"; confirm that the line now reads "PermitRootLogin no" and that a fresh login as a non-root user works before closing the current root session.

■ On configuring iptables
How to configure iptables (Sakura's manual)
http://support.sakura.ad.jp/manual/vps/security/iptables.html

■ Controlling only INPUT with iptables
Allow only web, mail and ssh traffic, plus UDP addressed to the host's own IP.
The NTP rule turned out to be unnecessary, so it is commented out.

The UDP rule accepts every UDP port on the host's own address, which is why no separate NTP rule is needed; it also means any other UDP listener is reachable from anywhere, so keep an eye on the udp sockets netstat reports. The script sets the INPUT policy to ACCEPT before flushing, so rebuilding the rules cannot cut off the session that runs it, and only flips the policy to DROP once the ssh rule is in place. One fix over the version I first ran: if sshd_config has no uncommented Port line (the stock file ships with it commented out), the loop over "Port" lines added no ssh rule at all and the DROP policy would have locked me out, so the script now falls back to 22.
# cat myvpsinput.sh
#!/bin/bash
if [ `id -u` -ne "0" ];then
  echo "Sorry Not Permit User!" >&2
  exit 1
fi

export PATH=/sbin:/usr/sbin:/bin:/usr/bin
IPTABLES=/sbin/iptables
FAIL2BAN=/etc/init.d/fail2ban
SSHDCONFIG=/etc/ssh/sshd_config
NTPDCONFIG=/etc/ntp.conf
SMTPPORT=587

# at 1st: stop fail2ban so its chains are not in the way while rebuilding
if [ -x $FAIL2BAN ];then
  $FAIL2BAN stop
else
  FAIL2BAN="x"
fi

# open the policy before flushing so the rebuild itself cannot lock us out
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F -t filter
$IPTABLES -F -t nat
$IPTABLES -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
# malformed / scan packets: null scan, new-but-not-SYN, xmas scan
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# for ssh: every "Port" line in sshd_config, falling back to 22 when there
# is none, otherwise ssh would be blocked once the policy becomes DROP
SSHPORTS=""
if [ -f $SSHDCONFIG ];then
  SSHPORTS=`grep ^Port $SSHDCONFIG | awk '{print $2}'`
fi
[ -z "$SSHPORTS" ] && SSHPORTS=22
for SSHPORT in $SSHPORTS;do
  $IPTABLES -A INPUT -p tcp -m tcp --dport $SSHPORT -j ACCEPT
done

# for web services
$IPTABLES -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

# for mail services (submission only; 25 is not opened)
$IPTABLES -A INPUT -p tcp -m tcp --dport $SMTPPORT -j ACCEPT

# for ntp (not needed: the UDP rule for the host address below covers it)
#grep ^server $NTPDCONFIG | awk '{print $2}' | \
#  for list in `xargs`;do
#    $IPTABLES -A INPUT -p udp -m udp -s ${list} --dport 123 -j ACCEPT
#  done

# for lo
$IPTABLES -A INPUT -i lo -j ACCEPT

# eth0: accept all UDP to our own address(es); drop the 224.0.0.1 multicast
# queries Snort alerted on
FLAG=`ip a list eth0 | grep "state UP" > /dev/null 2>&1;echo $?`
if [ "$FLAG" -eq "0" ];then
  MYIP=$(ip a list eth0 | grep "inet " | awk '{print $2}' | sed s%/[0-9]*%%)
  for IP in $MYIP;do
    $IPTABLES -A INPUT -p udp -m udp -d $IP -j ACCEPT
  done
  $IPTABLES -A INPUT -d 224.0.0.1 -j DROP
fi

if [ -x $FAIL2BAN ];then
  $FAIL2BAN start
fi

# default policy
$IPTABLES -P INPUT DROP

if [ -x $FAIL2BAN ];then
  # for save
  $FAIL2BAN restart
fi

$IPTABLES -L -v -n
unset IPTABLES MYIP IP FLAG FAIL2BAN SSHDCONFIG NTPDCONFIG SSHPORT SSHPORTS SMTPPORT PATH
exit 0
# /etc/rc.local > /dev/null

■ Script for testing connectivity from outside
$ cat vpscheck.sh
#!/bin/bash
MYVPSIP=XXX.XXX.XXX.XXX
SSHPORT=XX022
SMTPPORT=587
HTTPPORT=80
HTTPSPORT=443

# submission port: hand an SMTP session to telnet, one command per second
(sleep 1;echo "EHLO localhost";
 sleep 1;echo "mail from:root";
 sleep 1;echo "rcpt to:root";
 sleep 1;echo "data";
 sleep 1;echo "Subject: Test";
 sleep 1;echo "";
 sleep 1;echo "test body";
 sleep 1;echo ".";
 sleep 1;echo "quit";) | telnet $MYVPSIP $SMTPPORT

# http and https: fetch the default page
w3m -dump http://$MYVPSIP:$HTTPPORT
w3m -dump https://$MYVPSIP:$HTTPSPORT

# ssh on the non-default port
ssh -p $SSHPORT $MYVPSIP

■ Checking from the client
$ ./vpscheck.sh
Trying XXX.XXX.XXX.XXX...
Connected to XXX.XXX.XXX.XXX.
Escape character is '^]'.
220 XXXXX.sakura.ne.jp ESMTP Postfix (Debian/GNU)
250-XXXXX.sakura.ne.jp
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
250 2.1.0 Ok
250 2.1.5 Ok
354 End data with <CR><LF>.<CR><LF>
250 2.0.0 Ok: queued as 91DC63C06E0
Connection closed by foreign host.
It works!
This is the default web page for this server.
The web server software is running but no content has been added, yet.
self signed certificate: accept? (y/n)y
Bad cert ident XXXXX.sakura.ne.jp from XXX.XXX.XXX.XXX: accept? (y/n)y
Accept unsecure SSL session:Bad cert ident XXXXX.sakura.ne.jp from XXX.XXX.XXX.XXX
It works!
This is the default web page for this server.
The web server software is running but no content has been added, yet.
labunix@XXX.XXX.XXX.XXX's password:
X11 forwarding request failed on channel 0
Linux XXXXX 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u3 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
No mail.
Last login: Thu Aug 28 18:13:37 2014 from [external IP]

Everything the script tried got through. Two details in the SMTP exchange are worth noting: the EHLO response advertises STARTTLS but no AUTH, and the listener accepted MAIL FROM/RCPT TO without any authentication (the message was a local delivery, root to root, so it did not need relaying). That is the behaviour of the submission stanza with its options still commented out; with smtpd_tls_security_level=encrypt and smtpd_sasl_auth_enable=yes in place this plain-text test would be refused.

■ Confirm the test traffic gets through without being DROPped
# watch -d -n 1 'iptables -L INPUT -v -n'
Every 1.0s: iptables -L INPUT -v -n                     Thu Aug 28 18:18:42 2014

Chain INPUT (policy DROP 177 packets, 8904 bytes)
 pkts bytes target             prot opt in  out source     destination
    2   120 fail2ban-postfix   tcp  --  *   *   0.0.0.0/0  0.0.0.0/0        multiport dports 25,465
 5853  396K fail2ban-ssh-ddos  tcp  --  *   *   0.0.0.0/0  0.0.0.0/0        multiport dports 22,XX022
 5853  396K fail2ban-ssh       tcp  --  *   *   0.0.0.0/0  0.0.0.0/0        multiport dports 22,XX022
 8497 2433K ACCEPT             tcp  --  *   *   0.0.0.0/0  0.0.0.0/0        state RELATED,ESTABLISHED
  218 22791 ACCEPT             udp  --  *   *   0.0.0.0/0  0.0.0.0/0        state RELATED,ESTABLISHED
    0     0 DROP               tcp  --  *   *   0.0.0.0/0  0.0.0.0/0        tcpflags: 0x3F/0x00
    0     0 DROP               tcp  --  *   *   0.0.0.0/0  0.0.0.0/0        tcpflags:! 0x17/0x02 state NEW
    0     0 DROP               tcp  --  *   *   0.0.0.0/0  0.0.0.0/0        tcpflags: 0x3F/0x3F
   10   600 ACCEPT             tcp  --  *   *   0.0.0.0/0  0.0.0.0/0        tcp dpt:XX022
   11   620 ACCEPT             tcp  --  *   *   0.0.0.0/0  0.0.0.0/0        tcp dpt:80
   14   820 ACCEPT             tcp  --  *   *   0.0.0.0/0  0.0.0.0/0        tcp dpt:443
   14   720 ACCEPT             tcp  --  *   *   0.0.0.0/0  0.0.0.0/0        tcp dpt:587
 3002  145K ACCEPT             all  --  lo  *   0.0.0.0/0  0.0.0.0/0
    0     0 ACCEPT             udp  --  *   *   0.0.0.0/0  XXX.XXX.XXX.XXX  udp
    1    32 DROP               all  --  *   *   0.0.0.0/0  224.0.0.1

The four ACCEPT rules for XX022, 80, 443 and 587 counted the test connections, while the 177 packets on the DROP policy are unsolicited traffic that matched nothing. The fail2ban chains sit at the top because fail2ban inserts them when it restarts, which is why the script restarts it after the rules are in place. One gap to close: the fail2ban-postfix chain is keyed to ports 25,465, so it would never see a connection to 587; the postfix jail's port setting needs "submission" added for the ban to have any effect on the listener that is actually open.

■ Cleaning up
# a2dismod ssl
Module ssl disabled.
To activate the new configuration, you need to run:
  service apache2 restart
# a2dissite default-ssl
Site default-ssl disabled.
To activate the new configuration, you need to run:
  service apache2 reload
# /etc/init.d/apache2 stop
[ ok ] Stopping web server: apache2 ... waiting .
# chkconfig --list apache2
apache2   0:off  1:off  2:on   3:on   4:on   5:on   6:off
# chkconfig apache2 off
# chkconfig --list apache2
apache2   0:off  1:off  2:off  3:off  4:off  5:off  6:off
# shutdown -r now && exit
$ exit

■ Processes with CPU usage above 0.0% or memory usage above 1%
snort and fail2ban-server have joined the list.
# ps axo pid,cmd,%cpu,%mem | awk '($NF>1)||($(NF-1)>0.0){print}'
 2602 /usr/sbin/spamd --create-pr  0.2  3.0
 2644 /usr/sbin/amavisd-new (mast  0.2  4.7
 2646 spamd child                  0.0  2.9
 2647 spamd child                  0.0  2.9
 2648 /usr/sbin/snort -m 027 -D -  0.1  5.5
 2668 /usr/sbin/amavisd-new (virg  0.0  4.7
 2669 /usr/sbin/amavisd-new (virg  0.0  4.7
 2712 /usr/sbin/clamd -c /etc/cla  0.0 13.4
 2888 /usr/bin/freshclam -d --qui  0.5  0.1
 3583 /usr/bin/python /usr/bin/fa  0.1  0.4

■ Overall the load is negligible.
# top -b -n 1 | head -5 | sed s/"\([a-z]\),"/"\1\n"/g
top - 18:36:55 up 13 min
 1 user
 load average: 0.00, 0.01, 0.05
Tasks: 84 total
 1 running
 83 sleeping
 0 stopped
 0 zombie
%Cpu(s): 0.9 us
 0.2 sy
 0.0 ni
 98.5 id
 0.3 wa
 0.0 hi
 0.0 si
 0.1 st
KiB Mem: 2061060 total
 798972 used
 1262088 free
 12064 buffers
KiB Swap: 13671420 total
 0 used
 13671420 free
 167192 cached
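Going back to the iptables -L INPUT -v -n listing above: as an added example that is not from the original post, the shell functions below read such a listing and report the chain policy, the TCP ports opened to any source, and any ACCEPT rule that opens a whole protocol with no port or state match, which is how the "-p udp -d $MYIP" rule from the firewall script shows up. A further function does the sshd_config port lookup with a fallback to 22, the check the firewall script needs so that a stock sshd_config (Port commented out) cannot lead to a lock-out, and ssh_reachable ties the two together. The listing and config files are constructed samples with placeholder values (port 2222, address 203.0.113.10), not the real ones from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Audits an "iptables -L INPUT -v -n"
# listing and looks up sshd ports safely. All inputs are constructed samples.
set -eu

# Constructed listing in the iptables -L -v -n layout; 2222 and 203.0.113.10
# are placeholders, not the post's real values.
SAMPLE_INPUT_CHAIN='Chain INPUT (policy DROP 177 packets, 8904 bytes)
 pkts bytes target     prot opt in     out     source               destination
 8497 2433K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  218 22791 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x3F/0x00
   10   600 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2222
   11   620 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
   14   820 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
   14   720 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587
 3002  145K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            203.0.113.10         udp
    1    32 DROP       all  --  *      *       0.0.0.0/0            224.0.0.1'

# Default policy of the INPUT chain ("DROP" or "ACCEPT"), read from stdin.
input_policy() {
    awk '/^Chain INPUT/ { print $4; exit }'
}

# "proto port" for each ACCEPT rule that matches a single --dport from any
# source. Columns: 1 pkts, 2 bytes, 3 target, 4 prot, 5 opt, 6 in, 7 out,
# 8 source, 9 destination, 10.. match text.
world_open_ports() {
    awk '$3 == "ACCEPT" && $8 == "0.0.0.0/0" {
            for (i = 10; i <= NF; i++)
                if ($i ~ /^dpt:/) { sub(/^dpt:/, "", $i); print $4, $i }
         }'
}

# Protocols accepted from any source on a non-loopback interface with no
# port or connection-state match, i.e. every port of that protocol is open.
protocol_wide_accepts() {
    awk '$3 == "ACCEPT" && $8 == "0.0.0.0/0" && $6 == "*" {
            wide = 1
            for (i = 10; i <= NF; i++)
                if ($i ~ /^dpts?:/ || $i == "dports" || $i == "state" || $i == "ctstate")
                    wide = 0
            if (wide) print $4
         }'
}

# Ports sshd listens on per sshd_config, falling back to 22 when there is no
# uncommented Port line (the stock Debian file has it commented out).
ssh_ports_from_config() {
    ports=$(awk 'tolower($1) == "port" { print $2 }' "$1")
    if [ -n "$ports" ]; then printf '%s\n' "$ports"; else echo 22; fi
}

# Succeeds only when every sshd port appears as a world-open TCP port in the
# listing; a check to run before switching the INPUT policy to DROP.
ssh_reachable() {
    listing="$1"; sshd_config="$2"
    for p in $(ssh_ports_from_config "$sshd_config"); do
        world_open_ports < "$listing" | grep -qx "tcp $p" || return 1
    done
}

# Stand-alone run against the constructed listing.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_INPUT_CHAIN" > "$tmp"
    echo "policy: $(input_policy < "$tmp")"
    echo "ports open to the world:"; world_open_ports < "$tmp"
    echo "protocols open on every port: $(protocol_wide_accepts < "$tmp")"
    rm -f "$tmp"
fi
```

On the live server pipe "iptables -L INPUT -v -n" into these functions instead of the sample; protocol_wide_accepts printing "udp" is the reminder that the host-address UDP rule exposes every UDP listener, not just NTP.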