Steps to Secure the server
blessen 01-26-2004, 12:16 AM Please add your suggestions to make this article a success.
I have written this doc from what I know... I know it's not complete... I need to get more data from experts...
Experts, please add in your comments so that everyone can make use of this doc.
=========================================
Security Audit and Securing the System
====================================
Security Audit
############
1) Conduct a Security Audit on the box and create a report for it.
(a) Check intrusion detection. Use chkrootkit for this purpose. Update the report with these details.
(b) Check for bugs in software which is currently installed on the box (i.e. kernel, openssl, openssh etc). Update the report with these details.
(c) Scan all ports and find out which unwanted ports are open. Update the report with these details.
(d) Check if /tmp is secured. Update the report with these details.
(e) Check for hidden processes. Update the report with these details.
(f) Check for bad blocks in each partition (this is just to make sure that the system is ok). Update the report with these details.
(g) Check for file permissions. Update the report with these details.
(h) Check if the kernel has the ptrace vulnerability. Update the report with these details.
(i) Check memory (this is to make sure that the memory is ok). Update the report with these details.
(j) Check for open relay. Update the report with these details.
(k) Check if the partitions have enough space. Update the report with these details.
(l) Check the size of logs. It's better that the log size remains in MBs.
(m) Do a stress test on the box. Update the report with these details.
Steps to be followed for Securing a Server
==============================
1) Correct the file permissions if anything was found wrong in the Security Audit.
2) Close all unwanted ports as per the Security Audit report.
3) Disable direct root login. (Configure your server such that no direct root login will be allowed. To log in as root we should log in as admin4u and then su to root.)
4) Configure iptables to accept all ports used (i.e. control panel and other software) and disable all other ports.
5) Install and set up apf.
6) Install mod_security. Add this module as a DSO to apache.
7) Secure /tmp. Make /tmp noexec and nosuid.
8) Upgrade all software which is buggy according to the security audit report (i.e. upgrade software like openssl, openssh etc).
9) Add a script which will mail the owner of the box when someone adds a user with uid 0.
10) Take preventive measures against DoS attacks, IP spoofing etc.
11) If the client permits installation of Tripwire, then go with it. It's one of the best intrusion detection software packages.
========================================
Reference:
http://Linuxsecurity.com
http://www.rfxnetworks.com/apf.php
http://www.modsecurity.org/
http://www.tripwire.com/
============================================
Pheaton 01-26-2004, 08:40 AM nice howto, although you should provide links to articles explaining how to do each step. :)
blessen 01-26-2004, 10:20 PM I wanted more input from experts for my post... that's why I posted in WHT... so that I can make an article on security...
Experts, please find some time and add your comments in this post....
Use PHP's security features.. open_basedir restrictions, safe mode.
blessen 02-03-2004, 02:14 AM ok..thanks for the advice....
johnrm 02-03-2004, 11:30 PM A good firewall is essential, APF is an excellent choice IMHO
John
Akash 02-18-2004, 02:09 PM This is a good how to - however I don't think it has quite enough detail/instructions for a newbie to follow. The article lists what you need to do - but doesn't tell you how to do it. It would be great if someone were willing to create separate how-to articles for each of the steps you outlined above, then we can link to those articles in this one.
Maquiavelo 03-08-2004, 05:49 PM I'm attaching some really good answers to all those steps in a txt file because I couldn't post them due to the fact that I can't post URLs with less than 5 posts (some of the URLs are URLs to where to get new kernels and things like that, no spam).
I'll try to keep working on it whenever I have more time.
Maquiavelo 03-08-2004, 10:50 PM Any feedback ?
DomineauX 07-12-2004, 01:48 PM I'll respond...
good simple notes, although my one complaint is that the stress test would be better if mentioning a test that an admin can set up and run remotely, as I would suspect that 80% or more of WHT admins don't have physical access to their servers to run a CD.
naguib2000 07-13-2004, 07:40 AM even if a newbie doesn't know exactly how to do all that, he will at least put in his mind that one day he will have to do all that ;)
flatbox 07-29-2004, 04:53 AM Block every port that's not used from the outside..
ReBoot 12-15-2004, 01:14 AM 9) Add a script which will mail the owner of the box when someone adds a user with uid 0.
How to do this?
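ReBoot asks how to do step 9. One way to do it, written as an added example for this thread (not code from the original post or from any tool named in it): a cron-able POSIX shell script that lists the uid-0 logins in /etc/passwd, compares them with a saved baseline, and mails the owner when a new one appears. The baseline path /var/lib/uid0-baseline and the use of mail(1) for the notification are assumptions.

```shell
#!/bin/sh
# Added example for step 9 (not from the original post): alert when an
# account with uid 0 appears. Assumptions: the baseline file path below is
# made up, and mail(1) from mailx is used to notify the owner.

# Print every login whose uid is 0 (root included), one per line.
# stdin: passwd-format lines (pipe /etc/passwd into it on a real box)
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }'
}

# Print the uid-0 logins that are NOT listed in the baseline file $1.
# A missing baseline means every uid-0 login is reported as new.
# stdin: passwd-format lines
new_uid0() {
    uid0_accounts | awk -v base="$1" '
        BEGIN { while ((getline l < base) > 0) known[l] = 1 }
        !($0 in known) { print }'
}

# Stand-alone use from cron, e.g. hourly. Seed the baseline once with:
#   uid0_accounts < /etc/passwd > /var/lib/uid0-baseline   (assumed path)
BASELINE=${UID0_BASELINE:-/var/lib/uid0-baseline}
if [ -r /etc/passwd ] && [ -r "$BASELINE" ]; then
    extra=$(new_uid0 "$BASELINE" < /etc/passwd)
    if [ -n "$extra" ]; then
        msg="New uid 0 account(s) on $(hostname 2>/dev/null || echo unknown): $extra"
        echo "$msg"
        # notify the box owner when a mailer is installed
        command -v mail >/dev/null 2>&1 && echo "$msg" | mail -s "uid 0 alert" root
    fi
fi
```

Because the baseline is a plain list, an attacker who can edit /etc/passwd can also edit it; keeping the file on the remote syslog host Slidey mentions, or under Tripwire, is what makes the check worth something.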
Slidey 12-15-2004, 06:01 AM bit basic all of this..?
I won't take the whole thing apart but..
ps aux should show all of the processes, remember that in order to trust this information you need to trust that the ps binary hasn't been corrupted (that's why you should run chkrootkit first)
IF you find any strange process that you don't know about, google it!
what happens if there's a kernel trojan that's affecting the proc output, or a library has been trojaned, and the ps binary hasn't been touched?
If you're a run of the mill sysadmin, or even a good one, chances are you aren't going to be able to adequately audit many/most of your system binaries either
my usual process on getting a new box:
shut down unneeded services.
chmod 750 /bin/su; chgrp wheel /bin/su; add only 1 user to the wheel group
shut down external root logins, disallow ssh passwords (make people use keys)
chmod -s 95% of the suid binaries on the system (find / -perm +4000 -uid 0). I don't usually bother with gid root binaries but for the ultra paranoid you could do
update to the latest kernel, add grsecurity with higher logging
where possible make syslog log to a remote host
add a firewall
perhaps disallow access to key binaries - wget/gcc/make(?) for example
secure php! don't allow popen and the like. turn on open_basedir, don't allow customers to run phpnuke/phpbb etc etc :D
stress test isn't really part of a security audit is it?
if you've got the latest kernel, you aren't going to have a problem with the ptrace vuln
(i) Check memory (this is to make sure that the memory is ok). Update the report with these details.
You can use software like memtest86 to check the status of your memory, issuing a
cat /proc/meminfo should return all the information available about your memory
haha. is this a security audit or a stress test or...?
blessen 07-23-2005, 10:33 AM I have written an article about security which will help server owners and system admins to secure their machines
http://linuxgazette.net/111/cherian.html
Please provide me with your comments on this
the-muse 08-01-2005, 10:55 PM ... some newer rootkits are able to intercept queries or "system calls" that are passed to the kernel and filter out queries generated by the rootkit software. The result is that typical signs that a program is running, such as an executable file name, a named process that uses some of the computer's memory, or configuration settings in the operating system's registry, are invisible to administrators and to detection tools... The above quote was taken from: http://www.computerworld.com/securitytopics/security/story/0,10801,99843,00.html After spending several hours over the weekend googling "rootkit detection", "intrusion detection systems", etc., I've found the above "concept" widely distributed at many security oriented sites.
Hence, my question: How reliable is rkhunter and chkrootkit?
Andrew 08-01-2005, 11:02 PM Those 'rootkits' detailed in that article are Windows only, while Chkrootkit and RKhunter are linux programs.
Neither are 100% reliable. There are always determined people that can get root and keep it if they want it. Unless there's a determined admin that is one step ahead...
Welcome back, the-muse. It's been an awfully long time since we've seen you around here.
gilbert 08-02-2005, 12:13 AM Originally posted by Andrew
Unless there's a determined admin that is one step ahead...
lol
the-muse 08-03-2005, 06:46 PM Sorry I didn't get back sooner. I was anticipating an Email response if there was a reply to my post, but one never came. I'll have to adjust my personal forum settings.
andrew: Those 'rootkits' detailed in that article are Windows only, while Chkrootkit and RKhunter are linux programs.
Ooops. I understand. I believe I knew I was reading an article referring to Windows (not sure though, I read so many that day), but should have selected a different one with the same concept as an example in this thread.
Neither are 100% reliable. There are always determined people that can get root and keep it if they want it. Unless there's a determined admin that is one step ahead...
My fear, exactly, and the reason I came scampering back to WHT after a long hiatus. I run both RKhunter and Chkrootkit at least once daily on all my servers. But I was just "goofing around" with Netstat the other day and noticed something very odd, and very disturbing.
tcp 0 253 www.carhopper.net:smtp 222.108.6.220:gdp-port ESTABLISHED
tcp 0 0 www.carhopper.net:smtp 59.34.169.56:2240 TIME_WAIT
udp 0 0 www.carhopper.ne:domain *:*
carhopper.net is a domain I owned a few years ago, and had hosted on a server which was hacked. The domain expired quite a while ago. When I tried two days ago to research for any traces of the domain, I found nothing. It's listed in the whois as "available". The IPs I've found associated with it from the Netstat readout I've traced to Korea and China. I'm concerned about a backdoor trojan - the type that "cloaks" itself successfully from detection by RKhunter, Chkrootkit, LogWatch, etc. When I see my former domain appear in the results of a Netstat call, then can't find any trace of who, if anyone, might be using that domain, I get very nervous. I checked /var/named and grepped /var/log for clues. Nothing with carhopper.net.
Any thoughts about this mystery? carhopper.net appears faithfully whenever I run Netstat with or without any flag. It never "goes away". I asked the tech at the NOC if there may be some offbeat chance that carhopper.net was somehow still in some file on his network, but haven't had a response from him.
Welcome back, the-muse. It's been an awfully long time since we've seen you around here.
Thank you Andrew. It's true. I discovered WHT when I was scampering around as a reseller with a ton of questions (e.g. "what am I getting myself into?"). Then became somewhat fascinated by the idea of trying to help others here who were perhaps a couple of steps behind me, and finally just started "scanning" the forums for anything that looked like it might be of interest, or even "fun". As I migrated to dedicated (asking the same question again), I got so busy I could only drop by here long enough to see if I could find an answer to something that was stumping me (usually could find the answers). I see some old friends now community leaders and liaison, and I think to myself, "Gee, I knew them when they only had 10,000 posts under their belts."
Even before I started making this very post, I found something in another forum that caught my eye, and had to jump in to make a comment. I'm already becoming sub-consciously aware of old patterns of the WHT addiction "waking up", with reminders of just how valuable spending some time here can be, even if there isn't a problem that needs addressing. It's a pleasant diversion. I'm now of the mindset that I should set aside an hour or so a day just to immerse myself in the community. There's no other community quite like WHT. Just an hour. Or two.
Best wishes,
The-Muse
Personally I can't stand apf. Iptables will forever be in my heart :p
A little warning if you've got apf installed: don't use iptables. I once did, while administering a box of a friend of mine. 5 minutes after the rule was inserted into iptables the box closed all ipv4 connections. I had to log in through ipv6, remove the rule, and restart apf.
ChinaHost123 08-16-2005, 01:38 PM disallow ssh passwords and make people use keys ?
What exactly do you mean by that?
shellcode 08-22-2005, 02:12 PM Originally posted by omes
Personally I can't stand apf. Iptables will forever be in my heart :p
A little warning if you've got apf installed: don't use iptables. I once did, while administering a box of a friend of mine. 5 minutes after the rule was inserted into iptables the box closed all ipv4 connections. I had to log in through ipv6, remove the rule, and restart apf.
APF is just a front end for iptables.
tamlyn 08-27-2005, 01:37 PM Originally posted by ChinaHost123
disallow ssh passwords and make people use keys ?
What exactly do you mean by that?
SSH supports public/private key authentication. Your public key is stored on the server and your private key is stored on your own machine, so when you log in the server knows it's you because nobody else has the private key. This is better than password based authentication because it is totally impossible (to all intents and purposes) for someone to guess your private key. The problem is that if you're away from your computer and suddenly need to ssh into your server you won't be able to.
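Slidey's "disallow ssh passwords (make people use keys)" and tamlyn's explanation above come down to one sshd_config keyword, and step 3 of the original list (no direct root login) to another. The script below is an added example for this thread, not code from the original post or from OpenSSH; it audits a config for both, allowing for the way sshd takes the first value it sees for a keyword, ignores commented lines, and treats anything after a Match line as conditional. The path /etc/ssh/sshd_config is the usual one; the sample configs in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit sshd_config for step 3 of the
# original list (no direct root login) and Slidey's "disallow ssh passwords".
# sshd takes the FIRST value it sees for a keyword, keywords are
# case-insensitive, "#" lines are only comments, and anything after a
# "Match" line is conditional, so a plain grep for the keyword misleads.

# Print the effective global value (lowercased) of keyword $1.
# stdin: sshd_config text. Prints nothing when the keyword is not set.
sshd_effective() {
    awk -v key="$1" '
        $1 ~ /^#/ || NF == 0        { next }   # comment or blank line
        tolower($1) == "match"      { exit }   # rest is conditional
        tolower($1) == tolower(key) { print tolower($2); exit }  # first wins
    '
}

# Return 0 when root login and password login are both off; otherwise
# print each failing keyword and return 1. Unset counts as failing
# because old OpenSSH (the thread's era) defaulted both to yes.
sshd_audit() {
    cfg=$(cat)
    rc=0
    for kw in PermitRootLogin PasswordAuthentication; do
        val=$(printf '%s\n' "$cfg" | sshd_effective "$kw")
        if [ "$val" != "no" ]; then
            echo "$kw is '${val:-unset}', want no"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use on the live file (path assumed to be the usual one).
# Constructed sample that passes: "PermitRootLogin no" then
# "PasswordAuthentication no"; one that fails: "PasswordAuthentication yes"
# followed by "PasswordAuthentication no" (the first line wins).
if [ -r /etc/ssh/sshd_config ]; then
    if sshd_audit < /etc/ssh/sshd_config; then
        echo "sshd_config: key-only, non-root logins enforced"
    fi
fi
```

Run it before restarting sshd, and keep the session you are already in open until a second key-based login succeeds, or tamlyn's locked-out scenario happens to you.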