Symfony security: useful methods for the view

31/01/2008

Check if user is logged in:

$sf_user->isAuthenticated()

Check if user belongs to a specific group:

$sf_user->hasCredential('admin')

Ruby: generate a random password

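24/11/2006

require 'securerandom'

def random_password(size=8)
  # Leave out look-alike characters (i, l, o, 0, 1)
  chars = (('a'..'z').to_a + ('0'..'9').to_a) - %w(i o 0 1 l)
  # Draw each character from the OS CSPRNG instead of Kernel#rand
  (1..size).collect{|a| chars[SecureRandom.random_number(chars.size)] }.join
end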

Search to see SSH attempted logins

20/11/2006

See who has been trying to log in using SSH:

cat /var/log/secure*|grep smtp|awk -F: '{print $5}'|sed 's/^.*from=//; s/\.[0-9]\{1,3\}$//;'|sort|uniq -c|sed 's/^ *//;'|sort -gnr|more

Linux web server hardening tips

13/02/2006

Set password minimum length to 8 characters

In /etc/pam.d/system-auth:

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8

Disallow direct root login

Specify that no device is trusted for root login:

cp /etc/securetty /etc/securetty_bak
cp /dev/null /etc/securetty

Limit the set of people able to attempt to become root

Add the desired users to the group wheel (and you must add at least one!). The -a flag appends, so the user's other supplementary groups are kept:

usermod -a -G wheel youruser

Change the group affiliation of the su command, and make it remain setuid as root and executable only by group wheel members:

chgrp wheel /bin/su
chmod 4750 /bin/su

Test to verify that members of the group ‘wheel’ can use su to become root.

Secure /tmp

Remove /var/tmp and symlink to /tmp instead

rm -fR /var/tmp
ln -s /tmp/ /var/

Create a 500 MB partition for /tmp

cd /dev; dd if=/dev/zero of=tmpMnt bs=1024 count=512000
/sbin/mke2fs /dev/tmpMnt

Backup the old tmp folder

cp -Rp /tmp /tmp_backup

Mount the new tmp filesystem

mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp
chmod 1777 /tmp

Move the files back into tmp

cp -Rp /tmp_backup/* /tmp/

Add this to /etc/fstab so /tmp is mounted on startup:

/dev/tmpMnt /tmp ext2 loop,noexec,nosuid,rw 0 0

And check that the shm line in /etc/fstab looks like this:

none /dev/shm tmpfs noexec,nosuid 0 0

Unmount and remount /dev/shm

umount /dev/shm; mount /dev/shm

Remove the /tmp backup if everything looks okay

rm -fR /tmp_backup
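
A check for the "everything looks okay" step above, as an added example that is not part of the original post: it reads an fstab-format file and reports which of noexec and nosuid are missing on /tmp and /dev/shm. The function names missing_opts and audit are assumptions of this example, and the sample entries are constructed.

```shell
#!/bin/sh
# Added example: report which required mount options are missing.
# Reads any fstab-format file (/etc/fstab or /proc/mounts), whose fields
# are: device, mount point, filesystem type, comma-separated options.

# missing_opts FILE MOUNTPOINT OPT...  (hypothetical helper name)
# Prints the absent options, or "unmounted" if MOUNTPOINT has no entry.
missing_opts() {
    file=$1; target=$2; shift 2
    # The last matching non-comment entry wins: a later mount shadows an earlier one.
    opts=$(awk -v mp="$target" '$1 !~ /^#/ && $2 == mp { o = $4 } END { print o }' "$file")
    if [ -z "$opts" ]; then
        echo "unmounted"
        return 0
    fi
    missing=""
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;   # exact match, so "suid" never satisfies "nosuid"
            *) missing="${missing:+$missing }$want" ;;
        esac
    done
    echo "$missing"
}

# audit FILE  (hypothetical helper name)
# Checks the two mount points hardened above; returns non-zero on any gap.
audit() {
    rc=0
    for point in /tmp /dev/shm; do
        gap=$(missing_opts "$1" "$point" noexec nosuid)
        if [ -n "$gap" ]; then
            echo "FAIL $point: $gap"
            rc=1
        else
            echo "ok   $point"
        fi
    done
    return $rc
}

# Constructed sample: /tmp as configured above, /dev/shm left at defaults.
sample=$(mktemp)
printf '%s\n' '/dev/tmpMnt /tmp ext2 loop,noexec,nosuid,rw 0 0' \
    'none /dev/shm tmpfs defaults 0 0' > "$sample"
# Audit the file given as the first argument, or the sample if none is given.
audit "${1:-$sample}" || echo "hardening incomplete"
rm -f "$sample"
```

Pass /proc/mounts as the argument to audit the live mount table rather than what /etc/fstab promises for the next boot.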

Restrict permissions on key executables

chmod 700 /usr/bin/rcp
chmod 700 /usr/bin/wget
chmod 700 /usr/bin/lynx
chmod 700 /usr/bin/scp
chmod 700 /usr/bin/GET
chmod 700 /usr/bin/gcc
chmod 700 /usr/bin/cc

Remove Samba

yum remove samba

Keep an eye out for root kits

Try RKHunter or chkrootkit.

Turn off Apache server signature

In httpd.conf:

ServerSignature Off
ServerTokens Prod

Stop named providing a version

In /etc/named.conf, search for:

query-source address * port 53

Add a line directly underneath with

version "Named";

Make sure display_errors = Off in /etc/php.ini

Echoing errors to the page on a production server is a bad idea™.
