
How to (somewhat) secure a Linux Server
linux-tech 01-17-2004, 10:33 PM While the only way to secure a server 100% is to unplug it from the network, there are quite a few things that I do to enhance security. A few of them (the non client exclusive stuff) can be found right here. Questions, as always, can be asked and I'll try to explain it as easily as humanly possible.
Anything added like this should be added to the file right above it, using whatever shell editor you choose (vi, pico, etc).
in /etc/sysctl.conf, add
# disable packet forwarding
net.ipv4.ip_forward = 0
# enable source route verification (IP spoofing protection)
net.ipv4.conf.all.rp_filter = 1
# ignore broadcast pings
net.ipv4.icmp_echo_ignore_broadcasts = 1
# enable TCP SYN cookie protection
net.ipv4.tcp_syncookies = 1
# size of syn backlog
net.ipv4.tcp_max_syn_backlog = 512
# disable automatic defragmentation
# set max files
fs.file-max = 32768
# ignore all ping requests
net.ipv4.icmp_echo_ignore_all = 1
What does this do?
This sets a variety of code for the Linux OS to use itself. It tells the system to ignore pings, ICMP, enable SYN protection, disable network forwarding and more.
Please note
After doing this, you will need to restart your network (generally rebooting the server works fine).
in /etc/rc.local, add
# turn on source address verification on every interface
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > "$f"
done
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# refuse source-routed packets on every interface
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > "$f"
done
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
This does much the same thing as the above; it's more repetitive, but it's another layer of 'security', as it were. ICMP is denied, broadcasts denied, tcp syn is denied.
in /etc/host.conf, the following is added (if it doesn't exist already)
# Lookup names via DNS first then fall back to /etc/hosts.
order bind,hosts
# We have machines with multiple IP addresses.
multi on
# Check for IP address spoofing.
nospoof on
The comments are quite clear on this one. The first uses bind, then hosts, to look up domain names. The second says we have machines with multiple ip addresses (in many cases it's important). The third (somewhat) prevents individuals from "spoofing" an ip address and hitting up your server.
In /etc/hosts.deny, the following line is added:
ALL: PARANOID
More "spoof" protection there.
From there, it's time for the firewall. The firewall is the most important thing to a linux server. Without it, you can be literally killed. With it, you are somewhat defended and protected. While no good firewall will fully protect a Linux server, it's an extra layer of security, which is a very good thing.
Personally, I use APF (http://www.rfxnetworks.com/apf.php) which maintains a decent balance between blocking ports you don't want accessed and limiting traffic. There's also a wonderful attempt at a ddos protection system in place there. While (again) no ddos protection can work on a TRUE ddos, it'll stop a number of attacks.
From there, it's time for the kernel. Look around for a tutorial on kernels. You can either custom compile the kernel (not recommended unless you're highly familiar with Linux) or use an RPM (or whatever package system you're using).
Compiling a kernel is NOT recommended on non local machines. Why? Because if you screw something up, you have no chance at hitting that power down button, starting up in single user mode and recompiling it. You have to wait for the datacenter to respond to the ticket, which (usually) is slow and very costly.
There are a variety of other (personal) configuration changes that I make to applications, to prevent them from overloading, such as:
proftpd:
in /etc/proftpd.conf, I add:
TimeoutIdle 600
TimeoutNoTransfer 600
TimeoutLogin 300
MaxInstances 30
MaxClientsPerHost 2
at the top. This is pretty much self-explanatory.
for mysql:
in /etc/my.cnf (or wherever my.cnf is located)
[mysqld]
port = 3306
skip-locking
set-variable = max_connections=100
set-variable = max_user_connections=20
set-variable = key_buffer=16M
set-variable = join_buffer=4M
set-variable = record_buffer=4M
set-variable = sort_buffer=6M
set-variable = table_cache=1024
set-variable = myisam_sort_buffer_size=32M
set-variable = interactive_timeout=100
set-variable = wait_timeout=100
set-variable = connect_timeout=10
set-variable = thread_cache_size=128
And finally, in /etc/rc.local, I add:
TMOUT=180
export TMOUT
at the bottom. This logs everyone off if they're idle for more than 3 minutes. Adjust that at will, it goes by seconds, so say 300 seconds would be 5 minutes, 600 would be 10 minutes idle, etc.
There's a number of other security tricks that I use , such as:
limiting ssh access
in /etc/hosts.deny
sshd: ALL
in /etc/hosts.allow
sshd: host.ip.number.1,host.ip.number.2,etc
Some would eliminate root login, but I wouldn't take it that far. If your server is properly monitored, you won't need to eliminate it.
Some would suggest using tripwire (http://prdownloads.sourceforge.net/tripwire/tripwire-2.3.1-2.tar.gz?download), and at the beginning, I did, as well, until I started working with hosts who had real data on their server, and it (literally) crippled the servers. Tripwire is something that will check everything on your server to ensure that it's running smoothly, and that it hasn't been modified. The downside to that is if you've got a ton of files on the server, it loads the server down until it just can't be accessed any longer. The same goes with updatedb, which is why I actually remove the cron entry for that as well.
Unfortunately, there's no real "automation" for security and systems administration. The best key in the game is knowing your logs, reading them, understanding what they say, and how to react based on it. As well, tools such as chkrootkit (ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz) and FAF (http://www.rfxnetworks.com/downloads/faf-current.tar.gz) will help, and knowing as well as working with Linux for years helps. A lot of the security job is knowing when to react, and just exactly how to react, as well as being informed. If you don't know something, ask, especially if it looks suspicious ;)
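As an added example (not code from this thread or from any of its posters): a small Python audit that parses a sysctl.conf-style file, flags keys that are set more than once (the block in the post above sets rp_filter and tcp_syncookies twice, and sysctl applies the last occurrence), checks the values against the baseline the post recommends, and maps each key to the /proc/sys path that the rc.local loop writes to by hand. The sample file, the BASELINE table and all function names are constructed for this example.

```python
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Baseline = the values the post above recommends (constructed table for the example).
BASELINE: Dict[str, str] = {
    "net.ipv4.ip_forward": "0",
    "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.tcp_max_syn_backlog": "512",
    "fs.file-max": "32768",
    "net.ipv4.icmp_echo_ignore_all": "1",
}


def parse_sysctl_conf(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Parse sysctl.conf text. Returns (key -> effective value, duplicated keys).
    sysctl applies settings top to bottom, so the last occurrence of a key wins."""
    values: Dict[str, str] = {}
    count: Dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.strip()
        # sysctl.conf treats lines starting with '#' or ';' as comments
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, _, val = line.partition("=")
        key, val = key.strip(), val.strip()
        count[key] = count.get(key, 0) + 1
        values[key] = val
    duplicates = sorted(k for k, n in count.items() if n > 1)
    return values, duplicates


def audit(values: Dict[str, str], baseline: Dict[str, str] = BASELINE) -> Dict[str, List[str]]:
    """Classify each baseline key as ok, missing, or mismatch against the parsed file."""
    report: Dict[str, List[str]] = {"ok": [], "missing": [], "mismatch": []}
    for key, want in baseline.items():
        if key not in values:
            report["missing"].append(key)
        elif values[key] != want:
            report["mismatch"].append(key)
        else:
            report["ok"].append(key)
    return report


def proc_path(key: str) -> Path:
    """net.ipv4.conf.all.rp_filter -> /proc/sys/net/ipv4/conf/all/rp_filter"""
    return Path("/proc/sys") / key.replace(".", "/")


def read_running(key: str) -> Optional[str]:
    """Current kernel value, or None when the key does not exist on this host."""
    try:
        return proc_path(key).read_text().strip()
    except OSError:
        return None


def check_running(baseline: Dict[str, str] = BASELINE) -> Dict[str, Optional[str]]:
    """Live value of every baseline key that differs from, or is absent in, the kernel."""
    drift: Dict[str, Optional[str]] = {}
    for key, want in baseline.items():
        have = read_running(key)
        if have != want:
            drift[key] = have
    return drift


# Constructed sample: the post's block, with ip_forward deliberately set wrong
# so the audit has something to report.
SAMPLE_CONF = """\
# constructed sample sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 512
fs.file-max = 32768
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_all = 1
"""

if __name__ == "__main__":
    vals, dups = parse_sysctl_conf(SAMPLE_CONF)
    print("duplicated keys:", dups)
    print("file audit:", audit(vals))
    print("kernel drift (None = key absent here):", check_running())
```

Run it on a real box by reading /etc/sysctl.conf into parse_sysctl_conf; check_running() then shows which recommended values the running kernel does not actually have.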
Steven 01-17-2004, 11:48 PM Aide is also good in replacement for tripwire
linux-tech 01-17-2004, 11:55 PM got a link? I'm always looking for new toys (errm utilities) to play with ;)
Steven 01-17-2004, 11:57 PM http://www.cs.tut.fi/~rammer/aide.html
TheVoice 01-18-2004, 02:48 AM Compiling a kernel is NOT recommended on non local machines
You might want to change that to remote instead of local.
choon 01-18-2004, 02:55 AM Originally posted by TheVoice
You might want to change that to remote instead of local.
Doesn't this same meaning?
non local and remote?
Or you mean:
Compiling a kernel is NOT recommended on non remote machines
instead of:
Compiling a kernel is NOT recommended on non local machines
TheVoice 01-18-2004, 05:00 PM I really should stop posting at 3 in the morning :)
Promethyl 01-20-2004, 05:55 PM This post was helpful. Thank you.
RobTheGolfer 01-25-2004, 10:54 PM Nice post and information. Very appreciated. :)
I see no reason for disabling ICMP - can anyone explain?
regards,
M.
interactive 01-26-2004, 11:55 AM Originally posted by Miha
I see no reason for disabling ICMP - can anyone explain?
regards,
M.
Prevents pinging. I guess in a DDoS attack that's a good thing.
choon 01-26-2004, 12:16 PM Quoted from Security-HOWTO (http://tldp.org/HOWTO/Security-HOWTO/network-security.html):
Ping flooding is a simple brute-force denial of service attack. The attacker sends a "flood" of ICMP packets to your machine. If they are doing this from a host with better bandwidth than yours, your machine will be unable to send anything on the network. A variation on this attack, called "smurfing", sends ICMP packets to a host with your machine's return IP, allowing them to flood you less detectably. You can find more information about the "smurf" attack here (http://www.cert.org/advisories/CA-1998-01.html).
actually ICMP packets are being "cut" at the router (your closest router, to be correct). Try doing "ping -f -s 40000 somehost.com" for example - you will see a lot (more than 50%; probably close to 90%) of packets getting lost. Your provider won't allow such action most likely, unless, of course, there is some very old router that allows you to pass such amount of ICMP packets per second.
I remember when one could knock Win98 with "ping -f" (ping of death), but this is not an issue anymore.
ICMP pings are useless these days, and I can't remember any host/network suffering from ICMP flood for the past "N" years.
regards,
M.
linux-tech 01-26-2004, 05:12 PM Actually, you're wrong
Just because the -f option to ping is limited doesn't mean ping can't be used to launch any sort of attack against a server. The best response is to nullroute icmp altogether.
It's entirely possible to flood a server, not with packets but with data, which customer has to pay for, and (usually) ends up crippling a server until whoever is doing it has decided they are done.
If ping flooding were disabled, or weren't such a common thing, then datacenters wouldn't have a single problem, but, it is, unfortunately. ICMP is a very dangerous protocol to leave open on your server.
Originally posted by wolfstream
Actually, you're wrong
Just because the -f option to ping is limited doesn't mean ping can't be used to launch any sort of attack against a server. The best response is to nullroute icmp alltogether.
hm, I think I've covered that in my last post - most (if not all) providers have decent routers. This problem with ICMP flood is not a problem anymore - nearly all routers limit the ICMP packet rate and size of ICMP packet. I don't think you will be able to send a packet larger than 67k of data - router simply won't accept it.
It's entirely possible to flood a server, not with packets but with data, which customer has to pay for, and (usually) ends up crippling a server until whoever is doing it has decided they are done.
again, if you sent 10.000 echo requests, it does not mean destination will take all of them because routers will cut more than 3/4th of it, unless you send 1 packet per second, as suggested, which isn't going to cause you flood with terabytes of bandwidth.
If ping flooding were disabled, or weren't such a common thing, then datacenters wouldn't have a single problem, but, it is, unfortunately. ICMP is a very dangerous protocol to leave open on your server.
however, statistics show that targeted attack on specific service is more common and more dangerous than simple ICMP flood, which isn't a flood, eventually.
regards,
M.
hivehost 01-29-2004, 01:55 AM Post has been helpful...Thanks!
damainman 01-30-2004, 12:59 AM Is this safe to do on a RHE server with Cpanel?
linux-tech 01-30-2004, 01:12 AM Originally posted by damainman
Is this safe to do on a RHE server with Cpanel?
I (personally) haven't tried this on RHE, but I don't see how it'd be much different. The core is the same.
damainman 01-30-2004, 02:19 AM thanks,
Now it's that I know some code, not much, but something has changed for RHE, then RH9... For example disabling recursive lookups.
Any known conflicts with cpanel?
damainman 01-31-2004, 02:18 AM Thanks for the tutorial, very easy to follow.
mtk-tech 01-31-2004, 06:33 AM Just the info I was looking for. :)
blackmoont 02-07-2004, 03:01 AM :(( i can't ssh to my server after i do what u said :(( . What now ??
linux-tech 02-07-2004, 03:03 AM Have your DC login and move hosts.deny and hosts.allow to hosts.deny.bak and hosts.allow.bak.
Make sure your ip is in the exclusion line that I mentioned above.
blackmoont 02-07-2004, 03:11 AM but i did not do anything in those files !!!! .
linux-tech 02-07-2004, 03:13 AM then you didn't do what I suggested ;) I've had servers running on the same scripts and setup for over 2 years without a problem. The only time you'd get denied ssh access is if:
A> you've blocked ssh without allowing your own ip
OR
B> you've got an ip that doesn't resolve correctly.
blackmoont 02-07-2004, 04:01 AM yes , i can login now . may be my network suck :)
viGeek 02-09-2004, 05:47 PM Great tutorial
BaddaBing 02-23-2004, 09:27 PM How do I keep myself unblocked from SSH if my ISP assigns me a new Dynamic Ip every 36 hours ?
There's a number of other security tricks that I use , such as:
limiting ssh access
in /etc/hosts.deny
sshd: ALL
in /etc/hosts.allow
sshd: host.ip.number.1,host.ip.number.2,etc
Some would eliminate root login, but I wouldn't take it that far. If your server is properly monitored, you won't need to eliminate it.
choon 02-23-2004, 09:31 PM If your ISP issuing IP range is 123.456.789.x
Then just use 123.456.789.
Just my thoughts ;)
BaddaBing 02-23-2004, 09:33 PM I wish they were issuing Ip Ranges, my isp is cox and I'm pretty sure they don't just change ip ranges but entire blocks, Ie my last ip was 67.110.47.64 and my new one well is way different than the old one
choon 02-23-2004, 09:36 PM Then no choice allow ALL?
P.S. Please turn off your signature as signatures are not allowed in all HOWTO forums.
BaddaBing 02-23-2004, 09:43 PM Sorry for the sig, I did not know sigs were not allowed in the how-to forum. I'm gonna go ask cox business side to see if I can talk them into giving me a static ip, if all else fails I'll undo that edit thanks for your help
Maquiavelo 03-09-2004, 09:57 AM I posted this on another Security thread in the How To forum, maybe you guys might find it useful too
1)Conduct a Security Audit on the box and create a report for it.
(a)Check intrusion Detection.Use chkrootkit for this purpose.Update the report with these details.
chkrootkit is very straightforward, installation is pretty simple.
Once chkrootkit is installed, run it from the command line, it should return lines like this:
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not infected
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not infected
Checking `inetdconf'... not infected
Checking `identd'... not found
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not found
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while... nothing found
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... eth0 is not promisc
Checking `wted'... nothing deleted
Checking `z2'...
nothing deleted
This is a normal chkrootkit output; if by any chance you find an INFECTED!, I suggest checking thoroughly the binary of the said program.
EXCEPTION: bindshell is known to say it's infected when running software like Portsentry, this is normal.
(b)Check for bugs in software which is currently installed on the box.
Very simple, start with checking your kernel version:
uname -r
2.4.25
Then check for your services version, start with the mailserver, ftp, apache, mysql and others:
Use, telnet to read this, or read the documentation about the software, an example should be:
'telnet localhost 21' (FTP)
telnet localhost 21
Trying 127.0.0.1...
Connected to yourserver
Escape character is '^]'.
220 yourserver Proftpd xxxxx FTP server ready.
Where xxx is your server version, next you go to a security related website (www.securityfocus.com) and run a search for any security vulnerability for that version of FTP server.
If none is found, go to the ftp server website, and see if your version is current.
Repeat with all the other processes and upgrade when necessary
(c)Scan all ports and find out which all are the unwanted ports open.Update the report with these details.
Get NMAP from www.insecure.org
Run a vanilla scan,
'nmap localhost'
A normal return should be
Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Interesting ports on yourserver (127.0.0.1):
(The 1547 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop-3
443/tcp open https
A really bad return should be
Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Interesting ports on yourserver (127.0.0.1):
(The 1525 ports scanned but not shown below are in state: closed)
Port State Service
1/tcp open tcpmux
11/tcp open systat
15/tcp open netstat
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
79/tcp open finger
80/tcp open http
110/tcp open pop-3
111/tcp open sunrpc
119/tcp open nntp
143/tcp open imap2
443/tcp open https
540/tcp open uucp
635/tcp open unknown
1080/tcp open socks
1524/tcp open ingreslock
2000/tcp open callbook
6667/tcp open irc
12345/tcp open NetBus
12346/tcp open NetBus
27665/tcp open Trinoo_Master
31337/tcp open Elite
32771/tcp open sometimes-rpc5
32772/tcp open sometimes-rpc7
32773/tcp open sometimes-rpc9
32774/tcp open sometimes-rpc11
54320/tcp open bo2k
As you can see this server is running a bunch of services we don't actually need, not to mention some trojans too :P, check where they come from, most of them run from inet.d (/etc/inetd.conf), some are run stand alone, find out the ones you need and the ones you don't need and kill them.
(d)Check if /tmp is secured.Update the report with these details.
chmod +t directory
That will prevent non-owners of objects in directory (excepting
superuser) from unlinking (removing, moving, etc.) objects in that
directory. In general any world writable directory should always be
protected this way (such as /tmp, /var/tmp, /var/spool/uucppublic (or
substitute usr for var if appropriate on your system)).
(e)Check for hidden processes.Update the report with these details.
ps aux should show all of the processes, remember that in order to trust this information you need to trust that the ps binary hasn't been corrupted (that's why you should run chkrootkit first)
IF you find any strange process that you don't know about, google it !
(f)Check for bad blocks in all particular partition.(this is just to make sure
that the system is ok).Update the report with these details.
e2fsck -f -p -c /dev/hdxx should scan for bad blocks, however it needs to be done with the drive unmounted.
(g)Check for file permissions.Update the report with these details.
I have used a program called sherpa: http://oregonstate.edu/~creliar/sherpa/ that checks file systems permissions and other things
(h)Check if kernel has ptrace vulnerability.Update the report with these details.
All kernels up to 2.4.20 are vulnerable, a simple uname -r should tell you which version are you running. If you are running a vulnerable version, upgrade ASAP (www.kernel.org)
Maquiavelo 03-09-2004, 09:58 AM (i)Check memory(This is to make sure that the memory is ok).Update the
report with these details.
You can use software like memtest86 to check the status of your memory, issuing a
cat /proc/meminfo should return all the information available about your memory
(j)Check for open relay .Update the report with these details.
Open relays let spammers send email through your mail system without having to login to a known user.
For detailed instructions, check http://mail-abuse.org/tsi/ar-fix.html
(k)Check if the partitions have enough space.Update the report with these details.
The linux command 'df' should tell you how much space you have available.
My small webserver is partitioned like this:
Filesystem 1k-blocks Used Available Use% Mounted on
/dev/sda7 9614116 19256 9106488 1% /
/dev/sda2 124443 1642 116375 2% /boot
/dev/sda5 24027628 78572 22728520 1% /var
/dev/sda6 9614116 701716 8424028 8% /usr
/dev/sda9 166888792 812360 157598936 1% /home
With /home and /var being the biggest partitions (home for the users and var for all the users logs)
(l)Check for the size of logs.Its better that the log size remains in MBs.
For this you can use programs like logrotate to rotate logs, also, a good way to keep logs in place is to burn them into a CDR/W-DVDR/W for storage
(m) Do stress test on the box .Update the report with this details.
I have heard good reviews about stresslinux, which is a bootable linux distro on a CD whose sole purpose is to run stress tests on your system (You don't have to install it, just put the cd in the cdrom, boot from it and let it run the tests)
joesmoh 03-14-2004, 01:50 AM Hey, at that host.deny and host.allow. with the recent torn root kit scare from the cpanel exploit, if you were to deny ALL from ssh but your ip address, would they be able to SSH in?
Originally posted by joesmoh
Hey, at that host.deny and host.allow. with the recent torn root kit scare from the cpanel exploit, if you were to deny ALL from ssh but your ip address, would they be able to SSH in?
i think they can because they will have a different port or another service running that ignores your hosts.deny
Steven 03-14-2004, 03:53 AM they don't ssh in to plant it anyways. remove their backdoor and you're all good
blessen 03-14-2004, 06:37 AM Please keep these steps in mind while working on security
1)Create a security policy ( Security policy is created from business requirements and risk analysis ).This is the first step one should follow while working on security.
2) Based on the security policy create a checklist
The check list is created according to the security policy
================check list ================================
Check List
#######################
Software Vulnerabilities
Kernel Upgrades and vulnerabilities
Check For any Trojans
Run chkrootkits
Checks Ports
Check for any hidden process
Use audittools to check system
Check logs
Check Binaries
Check Binaries and RPMS
Check the email relays
Check the cron entries
Check /dev /tmp /var filefolders
Checked whether Backup is maintained
Check for unwanted users,groups etc in the system
Check and Disable unwanted services
Locate malicious scripts
Querylog in DNS
Check whether Backup is maintained
Check for the suid scripts and nouser scripts
Check valid scripts in /tmp
Use intrusion detection tools
Check the system performance
Check memory performance ( conduct memtest)
Note: Please feel free to add the steps which i had missed
================end ===========================
3) With this check list .Please Conduct a security audit
Format of security audit will be like this
=====================Format ==========================================
Issues or softwares # Current version ( version used in the server) # Stable Version # Notes :
===============================================================
In this step we will not do any upgrades or security related work on the box.Just find out the vulnerabilities
Find out the current versions of the software and check if it has any vulnerability .if so please note it down and add it in the notes section of audit report.
Use tools like Nessus, nikto (Audit tool for web server ) , Chkrootkit ,dsa ( dns security audit tool ) ,memtest and find out the vulnerability
Notes: The below section is called Security Implementation stage
4) According to this audit report.We should first correct all software vulnerability ( can use software patches which and eliminate the bugs in the software )
(a)Upgrade kernel if its old and vulnerable.While compiling,please remove all unwanted options and reduce the size of the kernel
(b)Upgrade apache and its related software if its vulnerable
(c)Upgrade php,mysql,proftpd,pure-ftpd,named if its vulnerable.
(d)upgrade mod_ssl,openssh,openssl etc ( can be done manually or through up2date )
(e)If the control panel has any bugs .The software vendors should be contacted and they should be informed about this bug.So that they will provide a fast fix to it.
5) Now the proper security work comes :-D.
Security is divided into two sections host security and network security.And each these sections has 3 parts common
(a )Protection
(b) Detection
(c) Recovery
5.1 )Host Security
==================
(a)Please protect your system with password
(b)Check file systems ( set correct permission and ownerships to files )
eg: chmod -R 700 /etc/rc.d/init.d/*
eg: Use rpm -Va to find out the if the rpm is modified or effect
(c)Apply security patches to vulnerable softwares (eg : patch -p1 < patch file )
(d)Remove all unwanted ttys and console logins by removing the entry from /etc/securetty
(e)Check system logs ( eg : /var/log/messages , /var/log/secure etc )
(f) Set password for boot loaded ( lilo an grub supports it )
(g)Monitor the system ( nagios or Big Brother )
5.2) Network Security
=====================
(1)Remove all unwanted users,groups
(2)use the below script to mail the sysadmin to when another user with uid 0 is created
=========================================
The below script will mail user when another user with uid 0 is added
-------------------------script----------------------------------
#!/bin/sh
#
# This script must be owned by root or at least setuid 0
# It will scan /etc/passwd and mail the admin when another user gains uid 0.
# -F: sets the field separator before the first line is read; passwd fields
# are name:password:uid:gid:... so $3 is the uid.
for id in `awk -F: '$3 == 0 && $1 != "root" { print $1 }' /etc/passwd`
do
echo "ALERT Login ID ${id} has uid 0 !! `date "+Detected On Date :%D Time :%r"`" | mail -s "ALERT: User ${id} has UID 0" blessen@blessen.com
done
-----------------------------------------------------------------
========================================================
(3) Only allow password with 16 characters ( can be done by making changes in login.def )
(4)Disable unwanted services,use tcp wrappers( unwanted services can be disabled through xinetd or xinetd.conf ).
(5)Set timeout ,so that the idle users will be logged out after a certain amount of time
(6)Disable all console program access
(eg : rm -rf /etc/security/console.app/<service name > )
(7) Enable nospoof option in /etc/host.conf
(8) Specify the order in which the domain name should be resolved ( eg : order bind hosts )
(9) Lock the /etc/service files so that no one modifies it
(10)Restrict direct root login ( comment the PermitRootLogin login option in sshd_config )
(11)Restrict su ,so that only wheel group members are able to su.
(can use pam or disable the permission of other for the su binary )
(12)Limits users resources ( can use pam,specify the limits for each user in /etc/security/limit.conf )
(13) Secure /tmp ( mount /tmp with noexec,nodev,nosuid )
(14) Hide the server details.For that removes /etc/issues and /etc/issues.net
(15) Disable unwanted suid and sgid files
find / -type f \( -perm -04000 -o -perm -02000 \)
eg : gpasswd,wall,traceroute etc....
(16)Allow only ping from a specified location( for monitoring systems to work ).Use iptables for that
(17) Take preventive measures against DOS,ping to death etc..Use the below script for that
http://www.webhostingtalk.com/showthread.php?s=&threadid=236954&highlight=blessen
(18)Install firewall ( eg apf and iptables )
(policy-->allow the ports which the box needs and block all other ports )
Eg: http://www.rfxnetworks.com/
Eg: http://www.yolinux.com/TUTORIALS/LinuxTutorialIptablesNetworkGateway.html
(19) Install intrusion detection ( eg install tripwire or aide )
eg: http://www.cs.tut.fi/~rammer/aide.html
eg:http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/ch-tripwire.html
(20) Install sxid to keep an eye on suid and sgid script.
Link: http://linux.cudeso.be/linuxdoc/sxid.php
(21) Restrict ssh to specific ips and and user ( i suggest go for key authentication using passphrase)
(22)Install logcheck to check the logs
(23) Install tmpwatch to delete the unused files from /tmp directory
(24) Install and setup portsentry and configure it to use iptables to block ips
(25)Install mod_security and mod_dosevasive to safeguard apache
6) Submit a Status report
========================
Notes: It will contain what all you have done on the server to secure it as per audit
7) Testing and Optimization phase
==========================
Use the tools likes nessus ,nikto,nmap etc to do a penetration test and see how well your server is .Also do a stress test etc.
Optimization
==========
1) Harddisk -->enable DMA for faster disk read
2) Limit user process
3) For mysql use these settings for good performance
=======================mysql settings in my.cnf======================
# i would always suggest changing the port
port = 3306
skip-locking
set-variable = max_connections=100
set-variable = max_user_connections=20
set-variable = key_buffer=16M
set-variable = join_buffer=4M
set-variable = record_buffer=4M
set-variable = sort_buffer=6M
set-variable = table_cache=1024
set-variable = myisam_sort_buffer_size=32M
set-variable = interactive_timeout=100
set-variable = wait_timeout=100
set-variable = connect_timeout=10
set-variable = thread_cache_size=128
==============================================
4) For proftpd use this settings
==========================ftp settings in proftpd.conf=======================
TimeoutIdle 600
TimeoutNoTransfer 600
TimeoutLogin 300
MaxInstances 30
MaxClientsPerHost 2
==================================================================
5) Disabling the logging of access time in partition where access time always changes ( eg /var) will improve performance
for that just mount that partition with noatime )
6) Do not create large firewall policies ,it will delay packets.
7)Setting file system parameters to correct values will often provide good performance.
8) While compiling always use these options
for i686
CFLAGS=-O9 (for best optimization)
-funroll-loops
-ffast-math
-mcpu=< your processor type >
-march=< your processor type >
-fomit-frame-pointer
For i586
======
CFLAGS=-O3
-funroll-loops
-ffast-math
-mcpu=< your processor type >
-march=< your processor type >
-fomit-frame-pointer
Hope this helps you....
<edit>signature removed</edit>
blessen 03-14-2004, 11:51 AM I have made the above post just because of my "PASSION FOR SECURITY"
its driven by passion.....
<edit>signature removed</edit>
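Item (21) above says to restrict ssh to specific IPs and users and to prefer key authentication. The following is an added example, not code from the post or from OpenSSH: a small bash audit of an sshd_config. It exists because of one caveat that bites people who append hardening lines to an existing file: sshd_config(5) uses the FIRST value found for each keyword, so a `PasswordAuthentication no` added at the bottom under an earlier `PasswordAuthentication yes` changes nothing. Both configs below are constructed for the example, the client addresses are documentation ranges, and the defaults assumed for missing keywords (PermitRootLogin yes, PasswordAuthentication yes, PubkeyAuthentication yes) are those of the OpenSSH releases current when this thread was written.

```bash
#!/bin/bash
# Added example, not from the original post: audit an sshd_config for the
# restrictions item (21) asks for. sshd_config(5): for each keyword the FIRST
# value found is used, so a hardened line appended under an earlier permissive
# one changes nothing. Both configs are constructed for this example.

WEAK_CONFIG='
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# added later at the bottom of the file, silently ignored: first value wins
PasswordAuthentication no
'

HARDENED_CONFIG='
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
# only these accounts, and only from these client addresses (assumed addresses)
AllowUsers admin@203.0.113.10 admin@203.0.113.11
# per-source override: passwords allowed from the office LAN only
Match Address 192.0.2.0/24
    PasswordAuthentication yes
'

# sshd_effective KEYWORD CONFIG_TEXT
# Print the value sshd uses in the global section: first match, keyword
# compared case-insensitively, comments stripped, everything after the first
# Match line skipped (Match blocks run to end of file). Returns 1 if unset.
# Limitation: the rarely used "Keyword=value" spelling is not parsed.
sshd_effective() {
  local want=${1,,} cfg=$2 line key val in_match=0
  while IFS= read -r line; do
    read -r key val <<< "${line%%#*}"
    [ -n "$key" ] || continue
    key=${key,,}
    if [ "$key" = match ]; then in_match=1; continue; fi
    [ $in_match -eq 0 ] || continue
    if [ "$key" = "$want" ]; then printf '%s\n' "$val"; return 0; fi
  done <<< "$cfg"
  return 1
}

# sshd_audit CONFIG_TEXT
# One finding per line, "OK" if none; exit status = number of findings.
# Defaults assumed for missing keywords are those of OpenSSH at the time of
# this thread: PermitRootLogin yes, PasswordAuthentication yes,
# PubkeyAuthentication yes.
sshd_audit() {
  local cfg=$1 v n=0
  v=$(sshd_effective PermitRootLogin "$cfg") || v=yes
  [ "${v,,}" = no ] || { echo "PermitRootLogin is '$v' (want no)"; n=$((n+1)); }
  v=$(sshd_effective PasswordAuthentication "$cfg") || v=yes
  [ "${v,,}" = no ] || { echo "PasswordAuthentication is '$v' (want no: keys with a passphrase)"; n=$((n+1)); }
  v=$(sshd_effective PubkeyAuthentication "$cfg") || v=yes
  [ "${v,,}" = yes ] || { echo "PubkeyAuthentication is '$v' (want yes)"; n=$((n+1)); }
  sshd_effective AllowUsers "$cfg" >/dev/null || { echo "no AllowUsers line: every account may attempt a login"; n=$((n+1)); }
  [ $n -eq 0 ] && echo OK
  return $n
}

echo "== weak config =="
sshd_audit "$WEAK_CONFIG" || echo "$? finding(s)"
echo "== hardened config =="
sshd_audit "$HARDENED_CONFIG"
```

To run it against a real file, pass `"$(cat /etc/ssh/sshd_config)"` to `sshd_audit`, and keep an existing session open while you restart sshd, as the later posts in this thread show why. The Match block in the hardened config is the legitimate way to allow passwords from one trusted network only; its `yes` is correctly ignored by the global lookup.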
Promethyl 03-30-2004, 12:28 PM When you mention hosts.allow and you say:
sshd: host.ip.number.1,host.ip.number.2,etc
Do you mean
sshd: 204.1.2.1,204.1.2.3,204.1.2.3
I entered the IPs for my box, and then it wouldn't let me login. Luckily I just restarted the net svc and stayed SSH'd in. If I had rebooted, I would have been furious.
Can you show me an example on this one?
linux-tech 03-30-2004, 12:41 PM skip the commas, use spaces
i.e.:
123.456.789.0 098.765.432.1
note: there are no commas at all.
Promethyl 03-30-2004, 01:00 PM Ah... that was what was wrong...
Promethyl 03-30-2004, 01:23 PM Still, it does not allow me to connect (SSH Telnet) when that's in.
What am I doing wrong?
linux-tech 03-30-2004, 01:31 PM Make sure you've got the right ip address.
if you're trying to connect from localhost, you'll need at least 127.0.0.1 and the base ip of the machine. if you're trying to connect from your own machine, then you'll need to figure out what ip you need to use.
If you set it up as suggested, it will work. It's yet to fail me, and I've done it on numerous servers.
Promethyl 03-30-2004, 01:43 PM Wait a tick, these are supposed to be the addresses of the foreign machines connecting, eh? Whoops. I was entering the addresses of my servers.
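The exchange above is the classic hosts.allow lock-out: the client list must hold the addresses of the machines connecting in, never the address of the server itself. The following is an added example written for this page, not code from any poster and not tcp_wrappers itself: a small bash emulation of hosts_access(5) matching, so a rule set can be tried against a client address before it is installed. The rule sets are constructed inline in HOSTS_ALLOW and HOSTS_DENY rather than read from /etc, the addresses are documentation ranges, and only a subset of the pattern syntax is handled (ALL, an exact IPv4 address, a leading-components prefix such as 192.0.2., and net/mask; hostnames, EXCEPT and the optional shell-command field are left out). hosts_access(5) lets list items be separated by blanks and/or commas, and the emulation accepts both.

```bash
#!/bin/bash
# Added example, not from any poster and not tcp_wrappers itself: a small
# emulation of hosts_access(5) matching so a hosts.allow line can be checked
# before it locks you out. Rule sets are constructed inline (HOSTS_ALLOW,
# HOSTS_DENY), not read from /etc; addresses are documentation ranges.
# Supported client patterns: ALL, exact IPv4, leading-components prefix
# such as 192.0.2., and net/mask. Hostnames, EXCEPT and the optional
# shell-command field are not handled.

HOSTS_ALLOW='
# daemon_list : client_list
# client_list holds the addresses of the machines CONNECTING IN, never the
# address of the server itself. Items may be separated by blanks and/or commas.
sshd: 203.0.113.10, 203.0.113.11 192.0.2.
sshd: 198.51.100.0/255.255.255.0
ALL: 127.0.0.1
'

HOSTS_DENY='
sshd: ALL
'

# ip4_to_int A.B.C.D -> 32-bit integer (10# stops leading zeros reading as octal)
ip4_to_int() {
  local IFS=.
  set -- $1
  echo $(( (10#$1 << 24) | (10#$2 << 16) | (10#$3 << 8) | 10#$4 ))
}

# pattern_matches PATTERN CLIENT_IP -> 0 if the client matches the pattern
pattern_matches() {
  local pat=$1 ip=$2 net mask
  case $pat in
    ALL) return 0 ;;
    */*) net=${pat%/*}; mask=${pat#*/}
         [ $(( $(ip4_to_int "$ip") & $(ip4_to_int "$mask") )) -eq \
           $(( $(ip4_to_int "$net") & $(ip4_to_int "$mask") )) ] ;;
    *.)  case $ip in "$pat"*) return 0 ;; *) return 1 ;; esac ;;
    *)   [ "$pat" = "$ip" ] ;;
  esac
}

# file_matches RULES SERVICE CLIENT_IP -> 0 if any line in RULES matches
file_matches() {
  local rules=$1 svc=$2 ip=$3 line daemons clients d c
  while IFS= read -r line; do
    line=${line%%#*}                       # strip comments
    case $line in *:*) ;; *) continue ;; esac
    daemons=${line%%:*}
    clients=${line#*:}
    for d in ${daemons//,/ }; do           # commas and blanks both separate
      [ "$d" = ALL ] || [ "$d" = "$svc" ] || continue
      for c in ${clients//,/ }; do
        pattern_matches "$c" "$ip" && return 0
      done
    done
  done <<< "$rules"
  return 1
}

# wrapper_allows SERVICE CLIENT_IP -> prints allow or deny, in hosts_access
# order: hosts.allow first, then hosts.deny, otherwise access is granted.
wrapper_allows() {
  if   file_matches "$HOSTS_ALLOW" "$1" "$2"; then echo allow
  elif file_matches "$HOSTS_DENY"  "$1" "$2"; then echo deny
  else echo allow
  fi
}

for client in 203.0.113.10 192.0.2.77 198.51.100.200 203.0.113.12; do
  echo "sshd from $client: $(wrapper_allows sshd "$client")"
done
```

Two checks worth doing before trusting any of this on a real box: confirm that your sshd actually honours the wrappers (it must be built with libwrap or run via tcpd from inetd, otherwise hosts.allow is never consulted), and keep the session you are working from open until a second login from the intended client address succeeds.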
Vpower 03-30-2004, 05:10 PM Can anyone explain to me how I allow only specified IPs to ping my box?
Jeremy 04-15-2004, 03:54 AM # disable packet forwarding
net.ipv4.ip_forward = 0
# enable source route verification
net.ipv4.conf.all.rp_filter = 1
# ignore broadcast pings
net.ipv4.icmp_echo_ignore_broadcasts = 1
# enable syn cookies
net.ipv4.tcp_syncookies = 1
# size of syn backlog
net.ipv4.tcp_max_syn_backlog = 512
# disable automatic defragmentation
# set max files
fs.file-max = 32768
# Enable IP spoofing protection, turn on Source Address Verification
net.ipv4.conf.all.rp_filter = 1
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
# Enable ignoring ping request
net.ipv4.icmp_echo_ignore_all = 1
When you do that, is there a way to allow one port to be seen, i.e. 80? Because when I take a server to a LAN party I don't know what the IP address is, and it takes a long time to find it again.
So is there a way to do that, or should I just install a firewall?
after configuration, I noticed that user "nobody" is running unusual process:
5528 nobody 0 0.0 0.0 ps aux
5185 nobody 0 0.0 0.0 lpd
5665 nobody 0 0.0 0.0 2 pckt
5689 nobody 0 0.0 0.0 1 pckt
Is it normal?
Thanks
Steven 04-19-2004, 03:12 AM # Enable ignoring ping request
net.ipv4.icmp_echo_ignore_all = 0
that will allow you to ping your boxes
linux-tech 04-19-2004, 11:01 AM Originally posted by ymfm
after configuration, I noticed that user "nobody" is running unusual process:
5528 nobody 0 0.0 0.0 ps aux
5185 nobody 0 0.0 0.0 lpd
5665 nobody 0 0.0 0.0 2 pckt
5689 nobody 0 0.0 0.0 1 pckt
Is it normal?
Thanks
No, not at all
lpd is your line printer daemon, which is normal
nobody shouldn't even be logging into your server, yet it's doing a ps? 10:1 you've been hacked. Check for a rootkit and see what's going from there.
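The listing quoted above, with `ps aux` and two unknown `pckt` processes running as nobody, is the kind of thing worth checking for routinely rather than noticing by accident. The following is an added example, not code from any poster: a bash check that flags processes owned by service accounts when the command is not on a short per-account allow list. SAMPLE_PS is constructed to resemble the quoted listing (the root, apache and `sh -c id` lines are invented for the example); on a live host feed the function the output of `ps -eo pid,user,comm,args --no-headers`. The account and allow lists are assumptions to adjust per server.

```bash
#!/bin/bash
# Added example, not from any poster: flag processes owned by service accounts
# that should never be running interactive tools. SAMPLE_PS is constructed to
# resemble the listing quoted above; on a live host feed it the output of
#   ps -eo pid,user,comm,args --no-headers
# Caveat: a rootkit that trojans ps hides from this; compare with
# ls /proc and a clean statically linked ps if the box is suspect.
SAMPLE_PS='
  812 root     sshd     /usr/sbin/sshd
 5185 nobody   lpd      lpd
 5528 nobody   ps       ps aux
 5665 nobody   pckt     ./pckt 2
 5689 nobody   pckt     ./pckt 1
 6001 apache   httpd    /usr/sbin/httpd -DSSL
 6010 apache   sh       sh -c id
'

# Service accounts nobody should be driving interactively (assumed list).
SERVICE_ACCOUNTS='nobody apache www-data mysql ftp daemon'
# Commands that are normal for a given service account (assumed allow lists).
declare -A ALLOWED_CMDS=( [nobody]='lpd' [apache]='httpd' [mysql]='mysqld' )

# suspicious_procs PS_TEXT
# Print "pid user comm args" for every process whose owner is a service
# account and whose command is not on that account's allow list.
suspicious_procs() {
  local ps=$1 pid user comm args allowed
  while read -r pid user comm args; do
    [ -n "$pid" ] || continue
    case " $SERVICE_ACCOUNTS " in *" $user "*) ;; *) continue ;; esac
    allowed=${ALLOWED_CMDS[$user]-}
    case " $allowed " in *" $comm "*) continue ;; esac
    printf '%s %s %s %s\n' "$pid" "$user" "$comm" "$args"
  done <<< "$ps"
}

# suspicious_count PS_TEXT: number of flagged processes, 0 when clean.
suspicious_count() {
  suspicious_procs "$1" | grep -c . || true
}

suspicious_procs "$SAMPLE_PS"
```

Run from cron it gives the same early warning the uid-0 script later in this thread gives for /etc/passwd; the hits for the quoted listing are the `ps aux` and both `pckt` processes, while `lpd` under nobody is allowed through, which matches the reply above.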
reddog64 04-22-2004, 06:44 AM OK I did this...
all of the code from the first page...
but the blocking certain IPs from ssh... didn't want to go that far...
BUT when it rebooted... I couldn't connect via ssh...
could ping all day but I had to have the host disable iptables so I could get in...
What can I show you to get some help...
PhilG 06-11-2004, 01:52 AM It's also a good idea to lock down the compilers:
Disable Compilers:
chmod 000 /usr/bin/*cc*
Enable:
chmod 700 /usr/bin/*cc*
Hope that helps too!
xathras 06-13-2004, 08:11 AM (2) Use the below script to mail the sysadmin when another user with uid 0 is created
=========================================
The below script will mail the user when another user with uid 0 is added
-------------------------script----------------------------------
#!/bin/sh
#
# This script must be owned by root or at least setuid 0
# It will scan the system and mail the root user when another user gains uid 0.
# The field separator is set with -F: so that the very first record (root's
# own line) is split on colons too. Assigning FS inside the awk pattern only
# takes effect from the second record, so the root line was parsed as one
# field, its empty $3 compared equal to 0, and the script fired on every run.
for id in `awk -F: '$3 == 0 && $1 != "root" {print $1}' /etc/passwd`
do
echo "ALERT Login ID ${id} has uid 0 !! `date "+Detected On Date :%D Time :%r"`" | mail -s "ALERT: User ${id} has UID 0" blessen@blessen.com
done
-----------------------------------------------------------------
========================================================
What shall you call this file and where should it be stored
linux-tech 06-18-2004, 10:50 PM Originally posted by xathras
What shall you call this file and where should it be stored
What you call it isn't that important. Be creative though, as that will be most often looked for by hackers. Make it something that is checked every day, at minimum through cron.
AnnihiLizard 06-30-2004, 02:56 AM I followed your tutorial, except for the denying SSH access part (I never know what IP or DNS I'll be logging in from), proceeded to reboot my server, and now it appears to be down permanently, no access is able to get in from the outside... any ideas? It has been down for 20 minutes now...
linux-tech 06-30-2004, 03:38 AM This is something that I use on all servers I manage (I wouldn't recommend, or write something that I don't ;)) and I've never had it cause any problems except for the complaints about not being able to ping it.
As far as why it is down and not returning, have the DC hook a console up to it, more information can always be obtained that way.
Steven 06-30-2004, 03:55 AM It might be doing an fsck.
AnnihiLizard 06-30-2004, 04:40 AM well - I called the datacenter, they said the server was hung on a process - reboot, and it's running fine... c'est la vie, hopefully that problem won't come up again.
2uantuM 07-01-2004, 10:05 PM Gecko been screwing the TAU server? Too much lizard porn ;)
AnnihiLizard 07-01-2004, 11:56 PM lol, no 2uantum, I don't really work at TAU anymore.. although I still keep my stash of lizard porn on there.
Sevoma973 08-28-2004, 04:15 PM Thank you. All of these tips worked on my server without flaws.