scott_m_ruby
Security Audit on Linux Server
It has been recommended to me to have a security audit performed on a Linux server that is being hosted by an outside hosting company. This server is running Apache, Tomcat, and Oracle. Can you please provide me with a checklist of things to look for? Is it worth hiring an outside company to perform this security audit for me? If so, do you have any recommendations?
While nessus is a good tool, you will also want to investigate other tools as well, such as NMAP. You may wish to also check the file permissions in the trees, and other issues, which some distros have great tools for. For example, Mandriva has "MSEC", etc.
If you can provide more information I can better direct you. Please provide the output of these commands:
uname -a
If you are using RedHat, then
cat /etc/redhat-release
If you are using another version of Linux, say SuSe or whatever, you can find your distro with
ls /etc/*yourosname*
(Usually)
Then cat that file and send over the version information. In many cases we can just set you up with a find statement that looks at the permissions.
Mostly you will have to look at versions of software such as Apache, Oracle, SSH, and other system daemons. If it's too far behind the times you might be in trouble.
If you have nmap installed please post the output of 'nmap localhost' as well.
Bear in mind that if the hosting is done by an outside hosting company, typically they are responsible for security on the host, and should data be compromised then you would have legal recourse against the provider for not protecting your data.
For what purpose was the audit recommended? Is there some suggestion that security was lax? Do you have any evidence to compel you to audit?
Regards,
~K Black~
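The "find statement that looks at the permissions" mentioned in the answer above, written out as an added example (it is not code from the thread). It assumes GNU findutils, as shipped with Red Hat and Fedora, and the function names audit_perms and audit_count are my own:

```shell
#!/bin/sh
# Added example, not from the thread. Walks ROOT (default /) and reports
# the permission findings a Linux audit checklist usually starts with.
# Assumes GNU find (for -printf and -xdev), as on Red Hat / Fedora.

# Print one line per finding: <class> <octal-mode> <owner> <path>
audit_perms() {
    root=${1:-/}
    # Files anyone can modify: a config file or binary here is a red flag
    find "$root" -xdev -type f -perm -0002 \
        -printf 'world-writable-file %m %u %p\n'
    # World-writable directories without the sticky bit: any user can
    # delete or rename other users' files (a 1777 /tmp is deliberately
    # excluded by the ! -perm -1000 test)
    find "$root" -xdev -type d -perm -0002 ! -perm -1000 \
        -printf 'world-writable-dir %m %u %p\n'
    # setuid / setgid programs: each one is a privilege boundary to review
    # against the vendor's package list
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -printf 'setuid-setgid %m %u %p\n'
    # Files owned by no known user or group: leftovers of removed accounts
    find "$root" -xdev \( -nouser -o -nogroup \) \
        -printf 'unowned %m %u %p\n'
}

# Number of findings of one class, e.g.: audit_count /usr setuid-setgid
audit_count() {
    audit_perms "$1" | grep -c "^$2 " || true
}

# Run directly with a root directory as the first argument
if [ -n "${1:-}" ]; then
    audit_perms "$1"
fi
```

Run it as root so every directory is readable, and diff the setuid list against the package manager's idea of what should be setuid (rpm -qlV on Red Hat) rather than judging each path by eye.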
ASKER
I have 2 servers with different versions of Linux:
uname -a: "Linux 2.4.20-18.8smp #1 SMP Thu May 29 07:20:32 EDT 2003 i686 i686 i386 GNU/Linux"
"Linux 2.6.11-1.1369_FC4smp #1 SMP Thu Jun 2 23:08:39 EDT 2005 i686 i686 i386 GNU/Linux"
cat /etc/redhat-release: "Red Hat Linux release 8.0 (Psyche)"
"Fedora Core release 4 (Stentz)"
nmap localhost:
"Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1593 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
111/tcp open sunrpc
443/tcp open https
1521/tcp open oracle
8009/tcp open ajp13
8080/tcp open http-proxy
Nmap run completed -- 1 IP address (1 host up) scanned in 1 second"
--------------------------
"Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2006-06-02 11:50 CDT
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1663 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
111/tcp open rpcbind
199/tcp open smux
443/tcp open https
1521/tcp open oracle
8000/tcp open http-alt
8009/tcp open ajp13
8080/tcp open http-proxy
32771/tcp open sometimes-rpc5
Nmap finished: 1 IP address (1 host up) scanned in 0.359 seconds"
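A way to turn the nmap listings above into a review list, as an added example that is not part of the thread: it compares the open ports with those this Apache/Tomcat/Oracle host is expected to serve and prints the rest. The allowlist in EXPECTED_PORTS and the function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Reads nmap output (3.x and 4.x
# listings both look like "21/tcp open ftp") and prints every open port
# that is not on the expected list, so each one gets a justification.

# Assumed design: clients only need ssh, https and the Tomcat connector.
# ftp, rpcbind, oracle and ajp13 are the usual candidates to bind to
# localhost or to firewall off; adjust the list to the real design.
EXPECTED_PORTS="22/tcp 443/tcp 8080/tcp"

# Usage: unexpected_open_ports < nmap-output
# Prints "<port> <service>" for each open port absent from EXPECTED_PORTS
unexpected_open_ports() {
    awk -v allow="$EXPECTED_PORTS" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" && !($1 in ok) { print $1, $3 }
    '
}

# Second scan from the post above, embedded so the example runs offline
SAMPLE_SCAN='Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2006-06-02 11:50 CDT
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1663 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
111/tcp open rpcbind
199/tcp open smux
443/tcp open https
1521/tcp open oracle
8000/tcp open http-alt
8009/tcp open ajp13
8080/tcp open http-proxy
32771/tcp open sometimes-rpc5
Nmap finished: 1 IP address (1 host up) scanned in 0.359 seconds'

# Number of unexpected open ports in the embedded scan (8 for this sample)
unexpected_count() {
    printf '%s\n' "$SAMPLE_SCAN" | unexpected_open_ports | wc -l | tr -d ' '
}
```

Because both scans were run against localhost, a flagged port may be bound only to 127.0.0.1 and unreachable from outside; confirm with netstat -ltn on the host or a scan from another machine before deciding what to close.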
ASKER CERTIFIED SOLUTION
I would strongly recommend nessus:
http://www.nessus.org/
Nessus scans machines for vulnerabilities and will report its findings to you in a report.