On Fri, Apr 15, 2011 at 10:53 AM, Stephen <cryptworks@gmail.com> wrote:
As this is a home server I'm not expecting that many logs :-)

and root cannot be accessed via ssh or console at the moment, it's at
the default Ubuntu setup. I just haven't decided on the exact changes
I wanted to make yet.

On Fri, Apr 15, 2011 at 9:02 AM, Matt Graham <danceswithcrows@usa.net> wrote:
> From: JD Austin <jd@twingeckos.com>
>> 1. Disable root login via ssh (usually in /etc/ssh/sshd_config ->
>> PermitRootLogin no)
>
> If you've got to get in there as root non-interactively (which could happen),
> then "PermitRootLogin without-password" is a better idea.  That means you have
> to keep root's private SSH key extremely private, though.
>
>> 4. Disable any services you don't need/use
>
> This should probably be point 1, considering how important it is.
>
>> https://help.ubuntu.com/community/SELinux
>
> If you decide to do this, put it in "permissive" mode first and then run
> through a bunch of normal tests.  Then look at the logs, figure out where all
> your normal tests would've failed, change the security contexts and/or the
> applications you're using so that the operations would be permitted.  Rerun
> tests.  Keep doing this.  Allow several days.  If you have to run things that
> you don't maintain (like MySQL, or WordPress) or don't have time to fix
> extensively, you may realize you don't have enough time and energy to deal
> with selinux.  (In general, security is directly proportional to how much of a
> pain in the ass it is to get anything done.)
>
>> 7. Check all of your logs daily :)
>
> This gets difficult if you have multiple G of logs every day....
>
> --
> Matt G / Dances With Crows
> The Crow202 Blog:  http://crow202.org/wordpress/
> There is no Darkness in Eternity/But only Light too dim for us to see
>
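The PermitRootLogin discussion above is easy to get wrong when checking a config by eye, because sshd keeps the first value it sees for a keyword and ignores later duplicates, and settings inside a Match block apply only conditionally. The following is an added example, not from anyone in the thread: a small POSIX shell parser that reports the value sshd will actually use, with a constructed sshd_config excerpt as input. The function names, the sample config and its comments are all made up for this illustration.

```sh
#!/bin/sh
# Added example (not from the thread): report the PermitRootLogin value that
# sshd will actually use, read from an sshd_config file or from stdin.
# Two things trip people up when checking this by eye:
#   * sshd keeps the FIRST value it sees for a keyword; later duplicates are ignored.
#   * settings inside a "Match" block apply only to that block's condition.
# So the parser stops at the first PermitRootLogin, or at the first Match block.

effective_permit_root_login() {
    # $1: sshd_config path; omit it (or pass "-") to read stdin
    awk '
        { sub(/#.*/, ""); gsub(/=/, " ") }        # strip comments, allow "key=value"
        NF == 0 { next }                          # skip blank lines
        tolower($1) == "match" { exit }           # global section ends here
        tolower($1) == "permitrootlogin" { print tolower($2); exit }
    ' "${1:--}"
}

# Turn the raw value into a verdict about root logins over SSH.
root_login_verdict() {
    case "$(effective_permit_root_login "$1")" in
        no)                                 echo "disabled" ;;
        without-password|prohibit-password) echo "key-only" ;;
        forced-commands-only)               echo "forced-commands-only" ;;
        yes)                                echo "ENABLED (password logins allowed)" ;;
        "")                                 echo "unset (sshd default: yes before OpenSSH 7.0, prohibit-password since)" ;;
        *)                                  echo "unrecognised value" ;;
    esac
}

# Constructed config excerpt for the demonstration; not a real host's file.
sample_cfg='
Port 22
PermitRootLogin without-password
PermitRootLogin yes        # ignored: the first value wins
Match User backup
    PermitRootLogin no
'
printf '%s\n' "$sample_cfg" | root_login_verdict
# Against the running daemon, "sshd -T | grep -i permitrootlogin" is authoritative.
```

The parser does not follow Include directives (added in newer OpenSSH releases), so on a host that uses them, or to settle any doubt, run `sshd -T` and read the effective value from the daemon itself.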
Hi Stephen,

How are you?

The full analysis of any TCP/IP application solution follows each of the OSI layers.

0) You would need to evaluate every port opening from your router/firewall to the application layer.
1) You would need to check your software versions against the known database of exploits.  For instance, if you have enabled some of the mods in Apache that have known exploits (mod_proxy) you could be at risk.
2) You could have failed to configure or protect your server and have a known issue. (For instance, running any SSH without a fully random 89 character password can be exploited if you allow repeated requests to your ssh daemon; once they get a user account, it's trivial to get a root shell).

Therefore you really need to run a scanner or security test suite against your LAMP server AS CONFIGURED.

I have a Rapid7 installation that I can use to test your server if you would like? 
Just email me off-list.

--
(503) 754-4452 iPhone
(623) 239-3392 Skype
(623) 688-3392 Google Voice

 http://www.obnosis.com
 http://www.it-clowns.com

"It took me many years but I have gained access to the root account and have removed the user God."   -Saros