Recent Changes - Search:

Softwares

.

How-to-Secure-Linux-Server


How to Secure a Linux Server.

1. Kernel recompile with GR security

2. firewall = CSF

3. Stop unnecessary processes

4. Install Logcheck

5. Install Logwatch

   Optimizing host.conf and sysctl.conf
   http://www.eth0.us/node/104

To modify LogWatch, SSH into server and login as root. At command prompt type: pico -w /etc/log.d/conf/logwatch.conf

Scroll down to

MailTo = root

and change to

Mailto = [email protected]

Note: Set the e-mail address to an offsite account incase you get hacked.

Now scroll down to

Detail = Low

Change that to Medium, or High...

Detail = 5 or Detail = 10

Note: High will give you more detailed logs with all actions. Save and exit.

6. If cpanel server then WHM configuration check

7. OpenSSH configuration check

8. Switch from proftpd to pure-ftpd

9. Rootkit Hunter

rkhunter:


1. Login to your server via SSH as root. Then Type: cd /usr/local/src/

2. Download RKHunter Version 1.1.4

Type: wget http://downloads.rootkit.nl/rkhunter-1.1.4.tar.gz

3. Extract files

Type: tar -xzvf rkhunter-1.1.4.tar.gz

4. Type: cd rkhunter

5. Type: ./installer.sh

6. Lets setup RKHunter to e-mail you you daily scan reports.

Type: pico -w /etc/cron.daily/rkhunter.sh

Add The Following:

  1. !/bin/bash

(/usr/local/bin/rkhunter -c --cronjob 2>&1 | mail -s "RKhunter Scan Details" [email protected])

Replace the e-mail above with your e-mail!!

It is best to send the e-mail to an e-mail off-site so that

if the box IS compromised the hacker can't erase the scan report unless he hacks another server too.

Type: chmod +x /etc/cron.daily/rkhunter.sh

10. Chkrootkit

Installing chkrootkit


   [root@server ~]# wget >>ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
   [root@server ~]# tar xvfz chkrootkit.tar.gz
   [root@server ~]# ./chkrootkit*/chkrootkit

11. mod_security

12. mod_evasive

13. Host spoof protection

14. Operating System check

15. Name server configuration check

16. Disk check

17. Kernel check

18. Apache tune and check

19. MySQL tune and check

20. Enhanced log rotation

21. Day of the week backup rotations

22. Secure /tmp /var/tmp /dev/shm

23. Libsafe for 2.4 kernels

24. Exploit check

25. Delete unnecessary OS users

26. Disable open DNS recursion

27. Enhanced path protection

28. Remove SUID/GUID from binaries

29. PHP hardening

30. phpsuexec

31. Disable vulnerable phpBB installs

32. Initial cPanel configuration

33. Check iptables is configured

34. Check incoming MySQL port

35. Check /etc/cron.daily/logrotate

36. Check /etc/resolv.conf for localhost entry

37. Check /etc/named.conf for recursion restrictions

38. Check server runlevel

39. Check nobody cron

40. Check Operating System support

41. Check SSHv1 is disabled

42. Check SSH on non-standard port

43. Check SSH PasswordAuthentication

44. Check telnet port 23 is not in use

45. Check shell limits

46. Check Background Process Killer

47. Check root forwarder

48. Check exim for extended logging

49. Check php for enable_dl = enable_dl = Off

50. Check php for disable_functions=

disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, allow_url_fopen

51. Check php for register_globals register_globals = Off

52. Check php open_basedir protection

53. Check phpsuexec

54. Check cPanel login is SSL only

55. Check boxtrapper is disabled

56. Check max emails per hour is set

57. Check whether users can reset passwords via email

58. Check whether native cPanel SSL is enabled

59. Check compilers

60. Check Anonymous FTP access

61. Check allow remote domains

62. Check block common domains

63. Check allow park domains

64. Check package updates

65. Check security updates

66. Check melange chat server


67. service cups stop; chkconfig cups off

68. service xfs stop; chkconfig xfs off

69. service atd stop; chkconfig atd off

70. service nfslock stop; chkconfig nfslock off

71. service canna stop; chkconfig canna off

72. service FreeWnn stop; chkconfig FreeWnn off

73. service cups-config-daemon stop; chkconfig cups-config-daemon off

74. service iiim stop; chkconfig iiim off

75. service mDNSResponder stop; chkconfig mDNSResponder off

76. service nifd stop; chkconfig nifd off

77. service rpcidmapd stop; chkconfig rpcidmapd off

78. service bluetooth stop; chkconfig bluetooth off

79. service anacron stop; chkconfig anacron off

80. service gpm stop; chkconfig gpm off

81. service saslauthd stop; chkconfig saslauthd off

82. service avahi-daemon stop; chkconfig avahi-daemon off

83. service avahi-dnsconfd stop; chkconfig avahi-dnsconfd off

84. service hidd stop; chkconfig hidd off

85. service pcscd stop; chkconfig pcscd off

86. service sbadm stop; chkconfig sbadm off

87. service webmin stop; chkconfig webmin off

88. Add Load Alert Scripts with 1 min cron

   #!/bin/bash
   #uptime alerti script ..
   UP=`uptime|awk '{print $(NF-2)}'|cut -d. -f1`
   if test $UP -gt 4
   then
   `uptime| mail -s "**SERVER LOAD is $UP" [email protected]`
   fi

89. ignore ping :

  1. iptables -A INPUT -p icmp -j DROP

echo 1>/proc/sys/net/ipv4/icmp_echo_ignore_all

vi /etc/sysctl.conf

Append following line:

net.ipv4.icmp_echo_ignore_all = 1

90. Find directory with 777 permission.

              find . -type d -perm 777

91.Check for open ports using nmap command.

92. Disable identification output for Apache

To disable the version output for proftp, SSH into server and login as root.

At command prompt type: pico /etc/httpd/conf/httpd.conf

Scroll (way) down and change the following line to

ServerSignature Off

Restart Apache

At command prompt type: /etc/rc.d/init.d/httpd restart

93.Change ssh ListenAddress /etc/ssh/sshd_config

94.PermitRootLogin no

95.Add root login alert

vi .bash_profile

   echo 'ALERT - Root Shell Access on:' `date` `who`
   | mail -s "Alert: Root Access from `who | awk '{print $6}'`" [email protected]

96.Set an SSH Legal Message in /etc/motd

97.Locate.

   locate shell.php
   locate irc
   locate eggdrop
   locate bnc
   locate BNC
   locate ptlink
   locate BitchX
   locate guardservices
   locate psyBNC
   locate .rhosts

98.Perform some udp and tcp scan here :

http://www.hackerwatch.org/probe/

This site is not bad too : https://grc.com/x/ne.dll?bh0bkyd2

99.Check /var/log/secure , /var/log/messages and other log files of services running to see if there are any issues.

100.Check your box to see if your performance has degraded or if your machine is being over used.

For that, use the commands

vmstat

    Displays information about memory, cpu and disk.
    Ex: bash# vmstat 1 4 (where 1 is delay and 4 is count)

mpstat

    Displays statistics about cpu utilization. This will help us to see if your cpu is over worked or not.
    Ex: bash# mpstat 1 4 (where 1 is delay and 4 is count)

iostat

    This command displays statistics about the disk system.
    Useful options:
    -d - Gives the device utilization report.
    -k - Display statistics in kilobytes per second.
    Ex: bash# iostat -dk 1 4 (where 1 is delay and 4 is count)

sar

    Displays overall system performance.

Check to see if your server has any hidden processes running.

ps

    Displays the status of all known processes.

lsof

101. List all open files. In Linux everything is considered a file, so you will be able to see almost all of the activity on your system with this command.

    chmod -R 700 /etc/rc.d/init.d/*
    Use rpm -Va to find out if an rpm is modified
    * Apply security patches to vulnerable software (ie. patch -p1 < patch file)
    * Remove all unneeded ttys and console logins by removing the entry from /etc/securetty
    * Check system logs (eg: /var/log/messages, /var/log/secure, etc.)
    * Set a password on the boot loader (lilo and grub both support this)
    * Monitor the system (nagios or big brother)

102. Install AIDE (Advanced Intrusion Detection Environment) is a free

replacement for Tripwire. = http://www.cs.tut.fi/~rammer/aide.html

103. Testing phase when in production.

Use tools like nessus, nikto, and nmap to do a penetration test and see how well your server is secured. Also do a stress test.

find /usr/local/apache/domlogs -exec egrep -iH '(wget|curl|lynx|gcc|perl|sh|cd|mkdir|touch)' {} \;

Reference


Edit - History - Print - Recent Changes - Search
Page last modified on July 12, 2009, at 10:52 AM