How-to-Secure-Linux-Server
How to Secure a Linux Server.

1. Kernel recompile with grsecurity
2. Firewall: CSF
3. Stop unnecessary processes
4. Install Logcheck
5. Install Logwatch
    Optimizing host.conf and sysctl.conf: http://www.eth0.us/node/104
    To modify Logwatch, SSH into the server and log in as root. At the command prompt type:
        pico -w /etc/log.d/conf/logwatch.conf
    Scroll down to "MailTo = root" and change it to "MailTo = [email protected]".
    Note: set the e-mail address to an offsite account in case you get hacked.
    Now scroll down to "Detail = Low" and change it to Medium or High (Detail = 5 or Detail = 10).
    Note: High gives you more detailed logs with all actions. Save and exit.
6. If it is a cPanel server, check the WHM configuration
7. OpenSSH configuration check
8. Switch from proftpd to pure-ftpd
9. Rootkit Hunter (rkhunter):
    1. Log in to your server via SSH as root, then type: cd /usr/local/src/
    2. Download rkhunter version 1.1.4: wget http://downloads.rootkit.nl/rkhunter-1.1.4.tar.gz
    3. Extract the files: tar -xzvf rkhunter-1.1.4.tar.gz
    4. Type: cd rkhunter
    5. Type: ./installer.sh
    6. Set up rkhunter to e-mail you the daily scan reports. Type: pico -w /etc/cron.daily/rkhunter.sh and add the following:
        #!/bin/sh
        # daily rkhunter scan, report mailed off-site
        (/usr/local/bin/rkhunter -c --cronjob 2>&1 | mail -s "RKhunter Scan Details" [email protected])
       Replace the e-mail above with your own. It is best to send the report to an off-site mailbox so that if the box IS compromised the attacker cannot erase the scan report unless he compromises another server too.
       Make the script executable: chmod +x /etc/cron.daily/rkhunter.sh
10. Chkrootkit. Installing chkrootkit:
        [root@server ~]# wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
        [root@server ~]# tar xvfz chkrootkit.tar.gz
        [root@server ~]# ./chkrootkit*/chkrootkit
11. mod_security
12. mod_evasive
13. Host spoof protection
14. Operating system check
15. Name server configuration check
16. Disk check
17. Kernel check
18. Apache tune and check
19. MySQL tune and check
20. Enhanced log rotation
21. Day-of-the-week backup rotations
22. Secure /tmp, /var/tmp and /dev/shm
23. Libsafe for 2.4 kernels
24. Exploit check
25. Delete unnecessary OS users
26. Disable open DNS recursion
27. Enhanced path protection
28. Remove SUID/GUID from binaries
29. PHP hardening
30. phpsuexec
31. Disable vulnerable phpBB installs
32. Initial cPanel configuration
33. Check that iptables is configured
34. Check the incoming MySQL port
35. Check /etc/cron.daily/logrotate
36. Check /etc/resolv.conf for a localhost entry
37. Check /etc/named.conf for recursion restrictions
38. Check the server runlevel
39. Check the nobody cron
40. Check operating system support
41. Check that SSHv1 is disabled
42. Check that SSH is on a non-standard port
43. Check SSH PasswordAuthentication
44. Check that telnet port 23 is not in use
45. Check shell limits
46. Check Background Process Killer
47. Check the root forwarder
48. Check exim for extended logging
49. Check php for enable_dl: enable_dl = Off
50. Check php for disable_functions: disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, allow_url_fopen
51. Check php for register_globals: register_globals = Off
52. Check php open_basedir protection
53. Check phpsuexec
54. Check that the cPanel login is SSL only
55. Check that BoxTrapper is disabled
56. Check that max emails per hour is set
57. Check whether users can reset passwords via email
58. Check whether native cPanel SSL is enabled
59. Check compilers
60. Check anonymous FTP access
61. Check allow remote domains
62. Check block common domains
63. Check allow park domains
64. Check package updates
65. Check security updates
66. Check melange chat server
67. service cups stop; chkconfig cups off
68. service xfs stop; chkconfig xfs off
69. service atd stop; chkconfig atd off
70. service nfslock stop; chkconfig nfslock off
71. service canna stop; chkconfig canna off
72. service FreeWnn stop; chkconfig FreeWnn off
73. service cups-config-daemon stop; chkconfig cups-config-daemon off
74. service iiim stop; chkconfig iiim off
75. service mDNSResponder stop; chkconfig mDNSResponder off
76. service nifd stop; chkconfig nifd off
77. service rpcidmapd stop; chkconfig rpcidmapd off
78. service bluetooth stop; chkconfig bluetooth off
79. service anacron stop; chkconfig anacron off
80. service gpm stop; chkconfig gpm off
81. service saslauthd stop; chkconfig saslauthd off
82. service avahi-daemon stop; chkconfig avahi-daemon off
83. service avahi-dnsconfd stop; chkconfig avahi-dnsconfd off
84. service hidd stop; chkconfig hidd off
85. service pcscd stop; chkconfig pcscd off
86. service sbadm stop; chkconfig sbadm off
87. service webmin stop; chkconfig webmin off
88. Add a load alert script run from a 1-minute cron:
        #!/bin/bash
        # uptime alert script: mail the uptime line when the 1-minute load exceeds 4
        UP=$(uptime | awk '{print $(NF-2)}' | cut -d. -f1)
        if test "$UP" -gt 4
        then
            uptime | mail -s "**SERVER LOAD is $UP" [email protected]
        fi
89. Ignore ping:
        echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    Then vi /etc/sysctl.conf and append the following line so it survives a reboot:
        net.ipv4.icmp_echo_ignore_all = 1
90. Find directories with 777 permissions: find . -type d -perm 777
91. Check for open ports using the nmap command.
92. Disable identification output for Apache. To disable the version output, SSH into the server and log in as root. At the command prompt type: pico /etc/httpd/conf/httpd.conf. Scroll (way) down and change the following line to: ServerSignature Off. Restart Apache; at the command prompt type: /etc/rc.d/init.d/httpd restart
93. Change the ssh ListenAddress in /etc/ssh/sshd_config
94. PermitRootLogin no
95. Add a root login alert: vi .bash_profile and add:
        echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" [email protected]
96. Set an SSH legal message in /etc/motd
97. locate: locate shell.php; locate irc; locate eggdrop; locate bnc; locate BNC; locate ptlink; locate BitchX; locate guardservices; locate psyBNC; locate .rhosts
98. Perform some UDP and TCP scans here: http://www.hackerwatch.org/probe/ This site is not bad either: https://grc.com/x/ne.dll?bh0bkyd2
99. Check /var/log/secure, /var/log/messages and the other log files of the services you run to see whether there are any issues.
100. Check your box to see whether performance has degraded or the machine is being overused. For that, use these commands:
    vmstat: displays information about memory, CPU and disk. Ex: bash# vmstat 1 4 (where 1 is the delay and 4 is the count)
    mpstat: displays statistics about CPU utilization; this helps you see whether your CPU is overworked. Ex: bash# mpstat 1 4 (where 1 is the delay and 4 is the count)
    iostat: displays statistics about the disk system. Useful options: -d gives the device utilization report; -k displays statistics in kilobytes per second. Ex: bash# iostat -dk 1 4 (where 1 is the delay and 4 is the count)
    sar: displays overall system performance.
    Check to see whether your server has any hidden processes running. ps displays the status of all known processes.
101. lsof: lists all open files. In Linux everything is considered a file, so with this command you will be able to see almost all of the activity on your system.
    chmod -R 700 /etc/rc.d/init.d/*
    Use rpm -Va to find out whether an rpm has been modified.
    * Apply security patches to vulnerable software (i.e. patch -p1 < patchfile)
    * Remove all unneeded ttys and console logins by removing the entry from /etc/securetty
    * Check system logs (e.g. /var/log/messages, /var/log/secure, etc.)
    * Set a password on the boot loader (lilo and grub both support this)
    * Monitor the system (nagios or Big Brother)
102. Install AIDE (Advanced Intrusion Detection Environment), a free replacement for Tripwire: http://www.cs.tut.fi/~rammer/aide.html
103. Testing phase when in production. Use tools like nessus, nikto and nmap to do a penetration test and see how well your server is secured. Also do a stress test. To look for command execution attempts in the Apache domain logs:
        find /usr/local/apache/domlogs -exec egrep -iH '(wget|curl|lynx|gcc|perl|sh|cd|mkdir|touch)' {} \;
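As an added example (not part of the original checklist), a POSIX shell audit helper that reads several of the files the list above tells you to check (sshd_config, sysctl.conf, httpd.conf, php.ini) and prints PASS or FAIL per setting, so the "Check ..." items can be re-run after every change. It assumes the configs live under a ROOT prefix you pass as the argument (so it also works on copied files) and that php.ini is at $ROOT/etc/php.ini; adjust that path for your build.

```shell
#!/bin/sh
# Added audit helper, not from the original checklist: reads the config files the
# page says to inspect and prints PASS/FAIL per item. Usage: sh audit.sh /
# get_directive FILE KEY: value of the last uncommented KEY line; accepts both
# "KEY VALUE" (sshd/httpd style) and "KEY = VALUE" (php.ini/sysctl style).
get_directive() {
    awk -v key="$2" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line ~ /^[#;]/ { next }
        tolower(substr(line, 1, length(key))) == tolower(key) {
            rest = substr(line, length(key) + 1)
            if (rest ~ /^[ \t=]/) {                   # whole-token match only
                sub(/^[ \t]*=?[ \t]*/, "", rest)
                sub(/[ \t]+$/, "", rest); val = rest
            }
        }
        END { print val }' "$1" 2>/dev/null
}
# check_directive FILE KEY WANT: PASS when the value equals WANT (case-insensitive).
check_directive() {
    got=$(get_directive "$1" "$2" | tr '[:upper:]' '[:lower:]')
    if [ "$got" = "$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')" ]; then
        echo "PASS $2 = $got"; return 0
    fi
    echo "FAIL $2 is '${got:-unset}', expected '$3'"; return 1
}
# check_contains FILE KEY TOKEN: PASS when TOKEN is one of the comma-separated values.
check_contains() {
    if get_directive "$1" "$2" | tr ',' '\n' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' |
            grep -qx "$3"; then echo "PASS $2 lists $3"; return 0; fi
    echo "FAIL $2 does not list $3"; return 1
}
# run_audit ROOT: the checklist items covered here; returns 1 if anything FAILs.
# The php.ini location varies by build; $ROOT/etc/php.ini is an assumption.
run_audit() {
    rc=0; sshcfg="$1/etc/ssh/sshd_config"; ini="$1/etc/php.ini"
    check_directive "$sshcfg" PermitRootLogin no || rc=1
    check_directive "$sshcfg" PasswordAuthentication no || rc=1
    check_directive "$sshcfg" Protocol 2 || rc=1             # SSHv1 disabled
    check_directive "$1/etc/sysctl.conf" net.ipv4.icmp_echo_ignore_all 1 || rc=1
    check_directive "$1/etc/httpd/conf/httpd.conf" ServerSignature Off || rc=1
    check_directive "$ini" register_globals Off || rc=1
    check_directive "$ini" enable_dl Off || rc=1
    for f in show_source system shell_exec passthru exec phpinfo popen proc_open; do
        check_contains "$ini" disable_functions "$f" || rc=1
    done
    return $rc
}
if [ -n "${1:-}" ]; then run_audit "$1"; fi
```

Commented-out lines and later duplicates are handled the way the daemons read them (the last uncommented directive wins), so a leftover "# PermitRootLogin yes" does not mask a real setting.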