-
01-17-2004, 10:33 PM #1
How to (somewhat) secure a Linux Server
While the only way to secure a server 100% is to unplug it from the network, there are quite a few things that I do to enhance security. A few of them (the non client exclusive stuff) can be found right here. Questions, as always can be asked and I'll try to explain it as easily as humanly possible.
Anything added is shown
Code:
like this
in /etc/sysctl.conf, add
Code:
# disable packet forwarding
net.ipv4.ip_forward = 0
# enable source route verification
net.ipv4.conf.all.rp_filter = 1
# ignore broadcast pings
net.ipv4.icmp_echo_ignore_broadcasts = 1
# enable syn cookies
net.ipv4.tcp_syncookies = 1
# size of syn backlog
net.ipv4.tcp_max_syn_backlog = 512
# disable automatic defragmentation
# set max files
fs.file-max = 32768
# Enable IP spoofing protection, turn on Source Address Verification
net.ipv4.conf.all.rp_filter = 1
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
# Enable ignoring ping request
net.ipv4.icmp_echo_ignore_all = 1
This sets a variety of code for the linux OS to use itself. It tells the system to ignore pings, icmp, enable SYN protection, disable network forwarding and more.
Please note
After doing this, you will need to restart your network (generally rebooting the server works fine).
in /etc/rc.local, add
Code:
# write 1 into every interface's rp_filter (the loop variable was missing)
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$f"
done
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# refuse source-routed packets on every interface
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > "$f"
done
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
in /etc/host.conf, the following is added (if it doesn't exist already)
Code:
# Lookup names via DNS first then fall back to /etc/hosts.
order bind,hosts
# We have machines with multiple IP addresses.
multi on
# Check for IP address spoofing.
nospoof on
In /etc/hosts.deny, the following line is added:
Code:
ALL: PARANOID
From there, it's time for the firewall. The firewall is the most important thing to a linux server. Without it, you can be literally killed. With it, you are somewhat defended and protected. While no good firewall will fully protect a Linux server, it's an extra layer of security, which is a very good thing.
Personally, I use APF which maintains a decent balance between blocking ports you don't want accessed and limiting traffic. There's also a wonderful attempt at a ddos protection system in place there. While (again) no ddos protection can work on a TRUE ddos, it'll stop a number of attacks.
From there, it's time for the kernel. Look around for a tutorial on kernels. You can either custom compile the kernel (not recommended unless you're highly familiar with Linux) or use an RPM (or whatever package system you're using).
Compiling a kernel is NOT recommended on non local machines. Why? Because if you screw something up, you have no chance at hitting that power down button, starting up in single user mode and recompiling it. You have to wait for the datacenter to respond to the ticket, which (usually) is slow and very costly.
There are a variety of other (personal) configuration changes that I make to applications, to prevent them from overloading, such as:
proftpd:
in /etc/proftpd.conf, I add:
Code:
TimeoutIdle 600
TimeoutNoTransfer 600
TimeoutLogin 300
MaxInstances 30
MaxClientsPerHost 2
for mysql:
in /etc/my.cnf (or wherever my.cnf is located)
Code:
[mysqld]
port = 3306
skip-locking
set-variable = max_connections=100
set-variable = max_user_connections=20
set-variable = key_buffer=16M
set-variable = join_buffer=4M
set-variable = record_buffer=4M
set-variable = sort_buffer=6M
set-variable = table_cache=1024
set-variable = myisam_sort_buffer_size=32M
set-variable = interactive_timeout=100
set-variable = wait_timeout=100
set-variable = connect_timeout=10
set-variable = thread_cache_size=128
Code:
TMOUT=180
export TMOUT
There's a number of other security tricks that I use , such as:
limiting ssh access
in /etc/hosts.deny
Code:
sshd: ALL
Code:
sshd: host.ip.number.1,host.ip.number.2,etc
Some would suggest using tripwire, and at the beginning, I did, as well, until I started working with hosts who had real data on their server, and it (literally) crippled the servers. Tripwire is something that will check everything on your server to ensure that it's running smoothly, and that it hasn't been modified. The downside to that is if you've got a ton of files on the server, it loads the server down until it just can't be accessed any longer. The same goes with updatedb, which is why I actually remove the cron entry for that as well.
Unfortunately, there's no real "automation" for security and systems administration. The best key in the game is knowing your logs, reading them, understanding what they say, and how to react based on it. As well, tools such as chkrootkit and FAF will help, and knowing as well as working with Linux for years helps. A lot of the security job is knowing when to react, and just exactly how to react, as well as being informed. If you don't know something, ask, especially if it looks suspicious.
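A small audit script for the sysctl part of the post, added here as an example (it is not code from the post or from any tool the post mentions). It parses a sysctl.conf-style file, compares the effective settings with the baseline from the post, and flags keys that are missing, set to a different value, or defined twice (sysctl -p applies the file top to bottom, so the last definition silently wins, which is worth knowing because the post's own snippet repeats rp_filter and tcp_syncookies). It also prints the /proc/sys path each key maps to, which is what the rc.local echo loop writes. The sample file is constructed for the demo; BASELINE, audit and proc_path are names chosen for this example.

```python
"""Audit a sysctl.conf-style file against a hardening baseline.

Added example, not code from the original post. The sample file below is
constructed for the demo.
"""
import re

# Baseline copied from the post's /etc/sysctl.conf snippet.
BASELINE = {
    "net.ipv4.ip_forward": "0",
    "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.tcp_max_syn_backlog": "512",
    "fs.file-max": "32768",
    "net.ipv4.icmp_echo_ignore_all": "1",
}

# "key = value"; sysctl.conf accepts '/' as well as '.' between components
ENTRY_RE = re.compile(r"^\s*([A-Za-z0-9_./-]+)\s*=\s*(.*?)\s*$")


def proc_path(key):
    """Map a sysctl key to the /proc/sys file that holds the same value."""
    return "/proc/sys/" + key.replace(".", "/")


def parse_sysctl_conf(text):
    """Return [(key, value, lineno)], skipping blank and comment lines.

    Lines that do not parse come back with key None so the caller can
    report them instead of silently ignoring them.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped[0] in "#;":
            continue
        m = ENTRY_RE.match(stripped)
        if not m:
            entries.append((None, raw, lineno))
            continue
        entries.append((m.group(1).replace("/", "."), m.group(2), lineno))
    return entries


def audit(text, baseline=BASELINE):
    """Compare a config file's effective settings with the baseline."""
    effective = {}      # key -> (value, lineno); the last definition wins
    duplicates = []     # (key, first_lineno, later_lineno)
    unparsed = []       # (lineno, raw line)
    for key, value, lineno in parse_sysctl_conf(text):
        if key is None:
            unparsed.append((lineno, value))
            continue
        if key in effective:
            duplicates.append((key, effective[key][1], lineno))
        effective[key] = (value, lineno)
    missing = sorted(k for k in baseline if k not in effective)
    wrong = sorted(
        (k, effective[k][0], want)
        for k, want in baseline.items()
        if k in effective and effective[k][0] != want
    )
    return {"missing": missing, "wrong": wrong,
            "duplicates": duplicates, "unparsed": unparsed}


# Constructed sample: the post's settings with one key repeated and one
# value mistyped, the way a hand-edited file tends to drift.
SAMPLE_CONF = """\
# disable packet forwarding
net.ipv4.ip_forward = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 512
fs.file-max = 32768
# second copy of rp_filter, as in the original snippet
net.ipv4.conf.all.rp_filter = 1
# mistyped: this leaves echo replies enabled
net.ipv4.icmp_echo_ignore_all = 0
"""

if __name__ == "__main__":
    for kind, items in audit(SAMPLE_CONF).items():
        print(kind, items)
    for key in BASELINE:
        print(key, "->", proc_path(key))
```

Run it against your real file with `audit(open("/etc/sysctl.conf").read())` before the reboot the post mentions; an empty `missing`, `wrong` and `unparsed` list means the file says what you think it says.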
-
01-17-2004, 11:48 PM #2 Problem Solver
AIDE is also a good replacement for tripwire.
-
01-17-2004, 11:55 PM #3
got a link? I'm always looking for new toys (errm utilities) to play with
-
01-17-2004, 11:57 PM #4 Problem Solver
-
01-18-2004, 02:48 AM #5 Web Hosting Master
Compiling a kernel is NOT recommended on non local machines
-
01-18-2004, 02:55 AM #6 Retired Moderator
Originally posted by TheVoice
You might want to change that to remote instead of local.
non local and remote?
Or you mean:
Compiling a kernel is NOT recommended on non remote machines
instead of:
Compiling a kernel is NOT recommended on non local machines
-
01-18-2004, 05:00 PM #7 Web Hosting Master
I really should stop posting at 3 in the morning.
-
01-20-2004, 05:55 PM #8 Junior Guru Wannabe
This post was helpful. Thank you.
-
01-25-2004, 10:54 PM #9 Web Hosting Master
Nice post and information. Very appreciated.
-
01-26-2004, 09:40 AM #10 Web Hosting Master
I see no reason for disabling ICMP. Can anyone explain?
regards,
M.
-
01-26-2004, 11:55 AM #11 Web Hosting Master
Originally posted by Miha
I see no reason for disabling ICMP. Can anyone explain?
regards,
M.
-
01-26-2004, 12:16 PM #12 Retired Moderator
Quoted from Security-HOWTO:
Ping flooding is a simple brute-force denial of service attack. The attacker sends a "flood" of ICMP packets to your machine. If they are doing this from a host with better bandwidth than yours, your machine will be unable to send anything on the network. A variation on this attack, called "smurfing", sends ICMP packets to a host with your machine's return IP, allowing them to flood you less detectably. You can find more information about the "smurf" attack here.
-
01-26-2004, 04:49 PM #13 Web Hosting Master
Actually, ICMP packets are being "cut" at the router (your closest router, to be correct). Try doing "ping -f -s 40000 somehost.com", for example; you will see a lot (more than 50%, probably close to 90%) of packets getting lost. Your provider most likely won't allow such action, unless, of course, there is some very old router that allows you to pass such an amount of ICMP packets per second.
I remember when one could knock over Win98 with "ping -f" (ping of death), but this is not an issue anymore.
ICMP pings are useless these days, and I can't remember any host/network suffering from an ICMP flood for the past "N" years.
regards,
M.
-
01-26-2004, 05:12 PM #14
Actually, you're wrong.
Just because the -f option to ping is limited doesn't mean ping can't be used to launch any sort of attack against a server. The best response is to nullroute ICMP altogether.
It's entirely possible to flood a server, not with packets but with data, which the customer has to pay for, and which (usually) ends up crippling a server until whoever is doing it has decided they are done.
If ping flooding were disabled, or weren't such a common thing, then datacenters wouldn't have a single problem, but it is, unfortunately. ICMP is a very dangerous protocol to leave open on your server.
-
01-26-2004, 06:32 PM #15 Web Hosting Master
Originally posted by wolfstream
Actually, you're wrong.
Just because the -f option to ping is limited doesn't mean ping can't be used to launch any sort of attack against a server. The best response is to nullroute ICMP altogether.
It's entirely possible to flood a server, not with packets but with data, which the customer has to pay for, and which (usually) ends up crippling a server until whoever is doing it has decided they are done.
If ping flooding were disabled, or weren't such a common thing, then datacenters wouldn't have a single problem, but it is, unfortunately. ICMP is a very dangerous protocol to leave open on your server.
regards,
M.
-
01-29-2004, 01:55 AM #16 Disabled
Post has been helpful...Thanks!
-
01-30-2004, 12:59 AM #17 Web Hosting Guru
Is this safe to do on an RHE server with cPanel?
-
01-30-2004, 01:12 AM #18
Originally posted by damainman
Is this safe to do on an RHE server with cPanel?
-
01-30-2004, 02:19 AM #19 Web Hosting Guru
Thanks,
Now it's that I know some code, not much, but something has changed for RHE, then RH9... For example, disabling recursive lookups.
Any known conflicts with cPanel?
-
01-31-2004, 02:18 AM #20 Web Hosting Guru
Thanks for the tutorial, very easy to follow.
-
01-31-2004, 06:33 AM #21 Junior Guru Wannabe
Just the info I was looking for.
-
02-07-2004, 03:01 AM #22 Web Hosting Guru
I can't SSH to my server after I did what you said. What now??
-
02-07-2004, 03:03 AM #23
Have your DC log in and move hosts.deny and hosts.allow to hosts.deny.bak and hosts.allow.bak.
Make sure your IP is in the exclusion line that I mentioned above.
-
02-07-2004, 03:11 AM #24 Web Hosting Guru
But I did not do anything in those files!!!!
-
02-07-2004, 03:13 AM #25
Then you didn't do what I suggested. I've had servers running on the same scripts and setup for over 2 years without a problem. The only time you'd get denied SSH access is if:
A> you've blocked SSH without allowing your own IP
OR
B> you've got an IP that doesn't resolve correctly.
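The two lockout cases in the reply above, and the "ALL: PARANOID" / "sshd: ALL" / "sshd: ip,ip" entries from the first post, are easiest to reason about with a small simulator of the hosts.allow and hosts.deny evaluation rules from hosts_access(5). The code below is an added example, not code from the thread or from tcp_wrappers itself: it replaces DNS with an in-memory table so it runs offline, handles only the daemon and client fields of a rule (no EXCEPT, no shell commands, IPv4 only), and uses constructed documentation-range addresses and names. The FakeResolver, decide and demo names are mine.

```python
"""Simulate TCP wrappers (hosts.allow / hosts.deny) decisions.

Added example, not code from the thread. Addresses, names and tables
below are constructed for the demo.
"""
import ipaddress


class FakeResolver:
    """Stand-in for reverse (PTR) and forward (A) DNS lookups."""

    def __init__(self, ptr, a):
        self.ptr = ptr  # ip -> hostname
        self.a = a      # hostname -> set of ips

    def reverse(self, ip):
        return self.ptr.get(ip)

    def forward(self, name):
        return self.a.get(name, set())


def is_paranoid(ip, resolver):
    """PARANOID: the client has a name, but that name does not map back
    to its address. A client with no PTR record is UNKNOWN, not PARANOID."""
    name = resolver.reverse(ip)
    return name is not None and ip not in resolver.forward(name)


def parse_table(text):
    """Return [(daemon_patterns, client_patterns)] from a wrappers file."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError("malformed rule: %r" % raw)
        rules.append((fields[0].replace(",", " ").split(),
                      fields[1].replace(",", " ").split()))
    return rules


def client_matches(pattern, ip, resolver):
    """Match one client_list token against the connecting address."""
    name = resolver.reverse(ip)
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":
        return is_paranoid(ip, resolver)
    if pattern == "UNKNOWN":
        return name is None
    if pattern.startswith("."):       # .example.net: host name suffix
        return name is not None and name.lower().endswith(pattern.lower())
    if pattern.endswith("."):         # 192.0.2.: address prefix
        return ip.startswith(pattern)
    if "/" in pattern:                # net/mask or CIDR
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == ip or (name is not None and pattern.lower() == name.lower())


def table_matches(rules, daemon, ip, resolver):
    for daemons, clients in rules:
        if daemon in daemons or "ALL" in daemons:
            if any(client_matches(c, ip, resolver) for c in clients):
                return True
    return False


def decide(daemon, ip, allow_text, deny_text, resolver, drop_paranoid_first=True):
    """Return "allow" or "deny": hosts.allow first (match grants), then
    hosts.deny (match refuses), otherwise access is granted.
    drop_paranoid_first models tcpd built with -DPARANOID, which refuses a
    name/address mismatch before the tables are read; a daemon that links
    libwrap directly only sees the tables, hence "ALL: PARANOID" in deny."""
    if drop_paranoid_first and is_paranoid(ip, resolver):
        return "deny"
    if table_matches(parse_table(allow_text), daemon, ip, resolver):
        return "allow"
    if table_matches(parse_table(deny_text), daemon, ip, resolver):
        return "deny"
    return "allow"


# Constructed tables and DNS data; 192.0.2.12 has no PTR record at all.
HOSTS_DENY = "ALL: PARANOID\nsshd: ALL\n"
HOSTS_ALLOW = "sshd: 192.0.2.10, 192.0.2.11, 192.0.2.12\n"
RESOLVER = FakeResolver(
    ptr={"192.0.2.10": "admin.example.net",
         "192.0.2.11": "gw.example.net",          # stale PTR, see below
         "198.51.100.5": "scanner.example.org"},
    a={"admin.example.net": {"192.0.2.10"},
       "gw.example.net": {"203.0.113.9"},         # forward record moved
       "scanner.example.org": {"198.51.100.5"}},
)


def demo(daemon="sshd"):
    """Verdict for each sample client connecting to the given daemon."""
    return {ip: decide(daemon, ip, HOSTS_ALLOW, HOSTS_DENY, RESOLVER)
            for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12", "198.51.100.5")}


if __name__ == "__main__":
    for ip, verdict in demo().items():
        print(ip, verdict)
```

192.0.2.11 is the "IP that doesn't resolve correctly" case: it is in hosts.allow, yet it is refused because its PTR name forward-resolves elsewhere. 198.51.100.5 is the "blocked SSH without allowing your own IP" case. 192.0.2.12 shows that a missing PTR record on its own is not PARANOID, so an allow-by-address entry still works for it.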