Thread: Steps to Secure the server
-
01-26-2004, 12:16 AM #1 Web Hosting Master (Join Date: Aug 2003, Location: Gods Own Country, Posts: 892)
Steps to Secure the server
Please add your suggestions to make this article a success.
I have written this doc from what I know. I know it's not complete; I need to get more data from experts.
Experts, please add your comments so that everyone can make use of this doc.
=========================================
Security Audit and Securing the System
====================================
Security Audit
############
1) Conduct a security audit on the box and create a report for it.
(a) Check intrusion detection. Use chkrootkit for this purpose. Update the report with these details.
(b) Check for bugs in software which is currently installed on the box (i.e. kernel, openssl, openssh etc.). Update the report with these details.
(c) Scan all ports and find out which unwanted ports are open. Update the report with these details.
(d) Check if /tmp is secured. Update the report with these details.
(e) Check for hidden processes. Update the report with these details.
(f) Check for bad blocks in each partition (this is just to make sure that the system is OK). Update the report with these details.
(g) Check file permissions. Update the report with these details.
(h) Check if the kernel has the ptrace vulnerability. Update the report with these details.
(i) Check memory (this is to make sure that the memory is OK). Update the report with these details.
(j) Check for open relay. Update the report with these details.
(k) Check if the partitions have enough space. Update the report with these details.
(l) Check the size of the logs. It's better that the log size remains in MBs.
(m) Do a stress test on the box. Update the report with these details.
Steps to be followed for Securing a Server
==============================
1) Correct the file permissions if anything was found wrong in the security audit.
2) Close all unwanted ports as per the security audit report.
3) Disable direct root login. (Configure your server such that no direct root login will be allowed. To login as root we should login as admin4u and then su as root.)
4) Configure iptables to accept all ports used (i.e. control panel and other software) and disable all other ports.
5) Install and set up apf.
6) Install mod_security. Add this module as a DSO to Apache.
7) Secure /tmp. Make /tmp noexec and nosuid.
8) Upgrade all software which is buggy according to the security audit report (i.e. upgrade software like openssl, openssh etc.).
9) Add a script which will mail the owner of the box when someone adds a user with uid 0.
10) Take preventive measures against DoS attacks, IP spoofing etc.
11) If the client permits installation of Tripwire, then go with it. It's one of the best intrusion detection software.
========================================
Reference:
http://Linuxsecurity.com
http://www.rfxnetworks.com/apf.php
http://www.modsecurity.org/
http://www.tripwire.com/
============================================
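As an added example, not part of the original post, here is a POSIX shell script that implements three of the checklist items above as functions: item 1(c) (unwanted open ports), item 1(d) (/tmp mounted noexec and nosuid), and step 9 (alert when a new uid-0 account appears). Each function reads a file, so the same code runs unchanged against /etc/passwd, /proc/mounts and saved `ss -Hltn` output on a live box, or against the constructed samples embedded below. The account name admin4u comes from the post; the port allow list, the baseline file, the cron line and the sample data are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): audit helpers for checklist items 1(c), 1(d)
# and step 9. Each function reads a file so it runs on a live box and on constructed samples.

# Login names with UID 0 in a passwd-format file ($1).
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# UID-0 accounts not listed in the baseline file ($2, one name per line, normally just "root").
# Prints the offenders and returns 1, so a cron wrapper can mail only when something changed.
uid0_extra() {
    extra=$(uid0_accounts "$1" | grep -v -x -F -f "$2" || :)
    [ -z "$extra" ] && return 0
    printf '%s\n' "$extra"
    return 1
}

# Is mount point $2 a separate filesystem mounted noexec AND nosuid, according to a
# /proc/mounts-format file ($1)? Returns 0 yes, 1 mounted without both flags, 2 not a mount at all.
tmp_secured() {
    opts=$(awk -v mp="$2" '$2 == mp { print $4 }' "$1" | tail -n 1)
    [ -n "$opts" ] || return 2
    case ",$opts," in
        *,noexec,*) case ",$opts," in *,nosuid,*) return 0 ;; esac ;;
    esac
    return 1
}

# Listening TCP ports from saved `ss -Hltn` (or header-less `netstat -ltn`) output ($1):
# column 4 is local address:port and the port is whatever follows the last colon,
# which also handles "*:80" and "[::]:22".
listening_ports() {
    awk '{ n = split($4, a, ":"); print a[n] }' "$1" | sort -un
}

# Listening ports not in the space-separated allow list ($2). Prints them, returns 1 if any.
unexpected_ports() {
    rc=0
    for p in $(listening_ports "$1"); do
        case " $2 " in
            *" $p "*) ;;
            *) echo "$p"; rc=1 ;;
        esac
    done
    return $rc
}

# --live reads the real system; a hypothetical cron entry for the "mail the owner" step would be
#   */15 * * * * /usr/local/sbin/audit.sh --live | mail -s "audit $(hostname)" owner@example.com
# Without --live the script runs on constructed samples (marked as such below).
if [ "$1" = "--live" ]; then
    b=$(mktemp); s=$(mktemp)
    printf 'root\n' > "$b"                    # assumed baseline: root is the only legitimate uid 0
    uid0_extra /etc/passwd "$b" || echo "ALERT: unexpected uid-0 account(s) listed above"
    tmp_secured /proc/mounts /tmp || echo "WARN: /tmp is not a separate noexec,nosuid mount"
    ss -Hltn > "$s" && { unexpected_ports "$s" "22 80 443" || echo "WARN: listeners above are not in the allow list"; }
    rm -f "$b" "$s"
else
    d=$(mktemp -d)
    # constructed sample data
    printf 'root:x:0:0:root:/root:/bin/sh\nadmin4u:x:1000:1000::/home/admin4u:/bin/sh\ntoor:x:0:0::/:/bin/sh\n' > "$d/passwd"
    printf 'root\n' > "$d/baseline"
    printf '/dev/sda1 / ext4 rw,relatime 0 0\n/dev/sda3 /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0\n' > "$d/mounts"
    printf 'LISTEN 0 128 0.0.0.0:22 0.0.0.0:*\nLISTEN 0 511 *:80 *:*\nLISTEN 0 128 [::]:3306 [::]:*\n' > "$d/ss"
    uid0_extra "$d/passwd" "$d/baseline" || echo "^ would be mailed to the owner"   # prints toor
    tmp_secured "$d/mounts" /tmp && echo "/tmp OK"
    unexpected_ports "$d/ss" "22 80 443" || echo "^ unexpected listeners"             # prints 3306
    rm -rf "$d"
fi
```

The uid-0 check deliberately compares against a baseline rather than just counting: a box with a second legitimate uid-0 account (some control panels create one) would otherwise page the owner every run. The /tmp check returns a distinct code when /tmp is not a mount at all, because "noexec" on a directory that is part of / is not something you can set, and that case needs a different fix (a separate partition or a loopback file) than a mount missing a flag.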
-
01-26-2004, 08:40 AM #2 Web Hosting Master (Join Date: Oct 2003, Location: Georgetown, Ontario, Posts: 1,771)
Nice howto, although you should provide links to articles explaining how to do each step.
-
01-26-2004, 10:20 PM #3 Web Hosting Master (Join Date: Aug 2003, Location: Gods Own Country, Posts: 892)
I wanted more input from experts for my post. That's why I posted it in WHT, so that I can make an article on security.
Experts, please find some time and add your comments to this post.
-
01-31-2004, 07:12 PM #4 Newbie (Join Date: Oct 2003, Posts: 8)
Use PHP's security features.. open_basedir restrictions, safe mode.
-
02-03-2004, 02:14 AM #5 Web Hosting Master (Join Date: Aug 2003, Location: Gods Own Country, Posts: 892)
OK, thanks for the advice.
-
02-03-2004, 11:30 PM #6 Newbie (Join Date: Feb 2004, Posts: 6)
A good firewall is essential, APF is an excellent choice IMHO
John
-
02-18-2004, 02:09 PM #7 Web Hosting Master (Join Date: Jan 2001, Location: Illinois, USA, Posts: 7,175)
This is a good how to - however I don't think it has quite enough detail/instructions for a newbie to follow. The article lists what you need to do - but doesn't tell you how to do it. It would be great if someone were willing to create separate how-to articles for each of the steps you outlined above, then we can link to those articles in this one.
-
03-08-2004, 05:49 PM #8 Junior Guru Wannabe (Join Date: Mar 2004, Location: Venezuela, Posts: 83)
I'm attaching some really good answers to all those steps in a txt file, because I couldn't post them due to the fact that I can't post URLs with less than 5 posts (some of the URLs are links to where to get new kernels and things like that, no spam).
I'll try to keep working on it whenever I have more time.
-
03-08-2004, 10:50 PM #9 Junior Guru Wannabe (Join Date: Mar 2004, Location: Venezuela, Posts: 83)
Any feedback ?
-
07-12-2004, 01:48 PM #10 WHT Addict (Join Date: Jun 2002, Location: Houston, TX, Posts: 121)
I'll respond...
Good simple notes, although my one complaint is that the stress test would be better if it mentioned a test that an admin can set up and run remotely, as I would suspect that 80% or more of WHT admins don't have physical access to their servers to run a CD.
Tony Kammerer - Admin, United Communications Limited
-
07-13-2004, 07:40 AM #11 Junior Guru Wannabe (Join Date: May 2004, Posts: 66)
Even if a newbie doesn't know exactly how to do all that, he will at least put in his mind that one day he will have to do all that.
-
07-29-2004, 04:53 AM #12 Newbie (Join Date: Jul 2004, Posts: 10)
Block every port that's not used from the outside..
-
12-15-2004, 01:14 AM #13 Newbie (Join Date: Nov 2004, Posts: 20)
Good advice :)
9) Add a script which will mail the owner of the box when someone adds a user with uid 0.
How to do this?
-
12-15-2004, 06:01 AM #14 Web Hosting Master (Join Date: Apr 2003, Location: UK, Posts: 2,569)
Bit basic, all of this?
I won't take the whole thing apart, but...
ps aux should show all of the processes; remember that in order to trust this information you need to trust that the ps binary hasn't been corrupted (that's why you should run chkrootkit first).
IF you find any strange process that you don't know about, google it!
If you're a run-of-the-mill sysadmin, or even a good one, chances are you aren't going to be able to adequately audit many/most of your system binaries either.
My usual process on getting a new box:
shut down unneeded services.
chmod 750 /bin/su; chgrp wheel /bin/su; add only 1 user to the wheel group.
shut down external root logins, disallow ssh passwords (make people use keys).
chmod -s 95% of the suid binaries on the system (find / -perm +4000 -uid 0). I don't usually bother with gid root binaries, but for the ultra paranoid you could do.
update to the latest kernel, add grsecurity with higher logging.
where possible make syslog log to a remote host.
add a firewall.
perhaps disallow access to key binaries - wget/gcc/make(?) for example.
secure php! Don't allow popen and the like. Turn on open_basedir, don't allow customers to run phpnuke/phpbb etc.
A stress test isn't really part of a security audit, is it?
If you've got the latest kernel, you aren't going to have a problem with the ptrace vuln.
(i) Check memory (this is to make sure that the memory is OK). Update the report with these details.
You can use software like memtest86 to check the status of your memory; issuing
cat /proc/meminfo
should return all the information available about your memory.
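An added example, not from the post above: the setuid audit and the su restriction from that list, written as shell functions that run against a scratch directory so the find/strip logic can be exercised before pointing it at /. The allow-list path and file names are hypothetical. One caveat worth knowing before copying the post's command: chmod 750 /bin/su also clears the setuid bit, and su cannot switch users without it; mode 4750 keeps the bit while still limiting who may execute su to the wheel group.

```sh
#!/bin/sh
# Added example (not from the original post): setuid audit and su restriction on a scratch tree.

# Setuid files under directory $1, without crossing into other filesystems. -perm -4000
# ("setuid bit set") is portable; GNU find has deprecated the -perm +4000 spelling.
setuid_files() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Setuid files that are not in the allow-list file $2 (one absolute path per line, e.g.
# /bin/su, /usr/bin/passwd, /usr/bin/sudo). Prints them and returns 1 if any exist.
setuid_extra() {
    extra=$(setuid_files "$1" | grep -v -x -F -f "$2" || :)
    [ -z "$extra" ] && return 0
    printf '%s\n' "$extra"
    return 1
}

# The post's "chmod -s 95% of the suid binaries": strip the bit from everything unlisted.
setuid_strip_extra() {
    setuid_extra "$1" "$2" | while IFS= read -r f; do
        chmod u-s "$f" && echo "stripped setuid: $f"
    done
}

# Restrict su ($1) to one admin group ($2). 4750, not 750: su needs its setuid bit to work at all.
su_wheel_only() {
    chgrp "$2" "$1" && chmod 4750 "$1"
}

# Verify su's mode and group via ls -ld (portable: field 1 is the mode, field 4 the group).
su_check() {
    line=$(ls -ld "$1") || return 2
    mode=$(printf '%s\n' "$line" | awk '{ print $1 }')
    grp=$(printf '%s\n' "$line" | awk '{ print $4 }')
    case "$mode" in
        -rwsr-x---*) ;;                      # a trailing . or + is only an SELinux/ACL marker
        *) echo "$1: mode is $mode, want -rwsr-x---"; return 1 ;;
    esac
    [ "$grp" = "$2" ] && return 0
    echo "$1: group is $grp, want $2"
    return 1
}

# Demo on a constructed scratch tree; nothing under / is touched. On a real box you would run
#   setuid_extra / /etc/setuid.allow        (hypothetical allow-list path)
# and review the list before calling setuid_strip_extra with the same arguments.
d=$(mktemp -d)
mkdir "$d/bin"
for f in su passwd ping; do printf '#!/bin/sh\n' > "$d/bin/$f"; chmod 4755 "$d/bin/$f"; done
printf '%s\n' "$d/bin/su" "$d/bin/passwd" > "$d/allow"
setuid_extra "$d" "$d/allow" || echo "^ unlisted setuid files"        # prints .../bin/ping
setuid_strip_extra "$d" "$d/allow"
chmod 4750 "$d/bin/su"                        # stand-in for su_wheel_only, which needs chgrp rights
su_check "$d/bin/su" "$(id -gn)" && echo "su restricted to group $(id -gn)"
rm -rf "$d"
```

Run the audit with -xdev per filesystem (/, /usr, /var if separate) rather than once from / without it, or network mounts and /proc will slow it down or produce noise. The allow list should be short and reviewed, not generated from the current state of the box, since the point of the exercise is to catch a setuid binary that an intruder or a sloppy package left behind.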
-
07-23-2005, 10:33 AM #15 Web Hosting Master (Join Date: Aug 2003, Location: Gods Own Country, Posts: 892)
I have written an article about security which will help server owners and system admins to secure their machines:
http://linuxgazette.net/111/cherian.html
Please provide me with your comments on this.
Blessen Cherian
-
08-01-2005, 10:55 PM #16 WHT Addict (Join Date: Jul 2002, Location: ... in my mind ..., Posts: 159)
How reliable are rkhunter and chkrootkit?
... some newer rootkits are able to intercept queries or "system calls" that are passed to the kernel and filter out queries generated by the rootkit software. The result is that typical signs that a program is running, such as an executable file name, a named process that uses some of the computer's memory, or configuration settings in the operating system's registry, are invisible to administrators and to detection tools...
Hence, my question: how reliable are rkhunter and chkrootkit?
-
08-01-2005, 11:02 PM #17 Web Hosting Master (Join Date: Jul 2002, Posts: 3,734)
Those 'rootkits' detailed in that article are Windows-only, while chkrootkit and rkhunter are Linux programs.
Neither is 100% reliable. There are always determined people that can get root and keep it if they want it. Unless there's a determined admin that is one step ahead...
Welcome back, the-muse. It's been an awfully long time since we've seen you around here.
-
08-02-2005, 12:13 AM #18 Web Hosting Master (Join Date: Jun 2003, Location: United States of America, Posts: 1,847)
Originally posted by Andrew
Unless there's a determined admin that is one step ahead...
-
08-03-2005, 06:46 PM #19 WHT Addict (Join Date: Jul 2002, Location: ... in my mind ..., Posts: 159)
Sorry I didn't get back sooner. I was anticipating an email response if there was a reply to my post, but one never came. I'll have to adjust my personal forum settings.
Originally posted by andrew
Those 'rootkits' detailed in that article are Windows-only, while chkrootkit and rkhunter are Linux programs. Neither is 100% reliable. There are always determined people that can get root and keep it if they want it. Unless there's a determined admin that is one step ahead...
tcp 0 253 www.carhopper.netmtp 222.108.6.220:gdp-port ESTABLISHED
tcp 0 0 www.carhopper.netmtp 59.34.169.56:2240 TIME_WAIT
udp 0 0 www.carhopper.ne:domain *:*
Any thoughts about this mystery? carhopper.net appears faithfully whenever I run netstat, with or without any flag. It never "goes away". I asked the tech at the NOC if there may be some offbeat chance that carhopper.net was somehow still in some file on his network, but I haven't had a response from him.
Originally posted by andrew
Welcome back, the-muse. It's been an awfully long time since we've seen you around here.
Even before I started making this very post, I found something in another forum that caught my eye, and had to jump in to make a comment. I'm already becoming subconsciously aware of old patterns of the WHT addiction "waking up", with reminders of just how valuable spending some time here can be, even if there isn't a problem that needs addressing. It's a pleasant diversion. I'm now of the mindset that I should set aside an hour or so a day just to immerse myself in the community. There's no other community quite like WHT. Just an hour. Or two.
Best wishes,
The-Muse
-
08-04-2005, 07:52 AM #20 New Member (Join Date: Aug 2005, Posts: 3)
Personally I can't stand apf. iptables will forever be in my heart :p
A little warning if you've got apf installed: don't use iptables directly. I once did, while administering a box of a friend of mine. 5 minutes after the rule was inserted into iptables the box closed all IPv4 connections. I had to log in through IPv6, remove the rule, and restart apf.
-
08-16-2005, 01:38 PM #21 Newbie (Join Date: Aug 2005, Posts: 22)
disallow ssh passwords and make people use keys ?
What exactly do you mean by that?
-
08-22-2005, 02:12 PM #22 Newbie (Join Date: Aug 2005, Posts: 12)
Originally posted by omes
Personally I can't stand apf. iptables will forever be in my heart :p
A little warning if you've got apf installed: don't use iptables directly. I once did, while administering a box of a friend of mine. 5 minutes after the rule was inserted into iptables the box closed all IPv4 connections. I had to log in through IPv6, remove the rule, and restart apf.
-
08-27-2005, 01:37 PM #23 Junior Guru Wannabe (Join Date: Jul 2005, Location: Manchester, UK, Posts: 32)
Originally posted by ChinaHost123
Disallow ssh passwords and make people use keys?
What exactly do you mean by that?
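For the question above, and for the "disallow ssh passwords (make people use keys)" step in post #14, an added example that is not from any poster in this thread: the sshd_config directives that enforce key-only logins and no remote root, a checker that resolves them the way sshd does, and the order of operations for switching over without locking yourself out. Two details trip people up in practice: sshd keeps the FIRST value it sees for a keyword, so appending "PasswordAuthentication no" to a file that already says "yes" higher up changes nothing, and directives after the first "Match" line apply only to that block. The admin4u user name is taken from post #1; the paths and the sample config are constructed.

```sh
#!/bin/sh
# Added example (not from the original posts): key-only sshd policy, checked the way sshd reads it.

# Effective global value of keyword $2 in sshd_config $1, lower-cased; empty when unset (default applies).
# Comments and blank lines are skipped, the first hit wins, and reading stops at the first Match block.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match"               { exit }
        tolower($1) == key                   { print tolower($2); exit }
    ' "$1"
}

# The policy from the thread: no password logins, no remote root. Prints each problem, returns 1.
sshd_check() {
    rc=0
    [ "$(sshd_effective "$1" PasswordAuthentication)" = no ] ||
        { echo "PasswordAuthentication is not no (sshd default is yes)"; rc=1; }
    [ "$(sshd_effective "$1" PermitRootLogin)" = no ] ||
        { echo "PermitRootLogin is not no (the default prohibit-password still lets root in with a key)"; rc=1; }
    pk=$(sshd_effective "$1" PubkeyAuthentication)
    [ -z "$pk" ] || [ "$pk" = yes ] || { echo "PubkeyAuthentication is $pk"; rc=1; }
    ki=$(sshd_effective "$1" KbdInteractiveAuthentication)
    [ -n "$ki" ] || ki=$(sshd_effective "$1" ChallengeResponseAuthentication)   # older name, same switch
    [ "$ki" = no ] || { echo "KbdInteractiveAuthentication is ${ki:-unset}; PAM can still prompt for a password"; rc=1; }
    return $rc
}

# Write a hardened copy of $1 to $2. Our directives go first (so they win) and existing copies are
# commented out rather than deleted, so the change stays reviewable with diff.
sshd_harden() {
    {
        echo "# key-only logins, no remote root; placed first because sshd keeps the first value it sees"
        echo "PermitRootLogin no"
        echo "PubkeyAuthentication yes"
        echo "PasswordAuthentication no"
        echo "KbdInteractiveAuthentication no"
        echo "ChallengeResponseAuthentication no"
        awk 'tolower($1) ~ /^(permitrootlogin|pubkeyauthentication|passwordauthentication|kbdinteractiveauthentication|challengeresponseauthentication)$/ { print "#" $0; next } { print }' "$1"
    } > "$2"
}

# Order of operations on a real server (shown as comments, not run here):
#   ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519                # on the admin's own workstation
#   ssh-copy-id -i ~/.ssh/id_ed25519.pub admin4u@server       # appends to ~admin4u/.ssh/authorized_keys (mode 600)
#   ssh admin4u@server                                         # confirm key login works in a SECOND session
#   sshd_harden /etc/ssh/sshd_config /etc/ssh/sshd_config.new
#   sshd -t -f /etc/ssh/sshd_config.new && mv /etc/ssh/sshd_config.new /etc/ssh/sshd_config   # -t validates first
#   then reload sshd, and keep the first session open until a fresh key login has been verified.

# Demo on a constructed sshd_config.
d=$(mktemp -d)
cat > "$d/sshd_config" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
Match User admin4u
    PasswordAuthentication no
EOF
sshd_check "$d/sshd_config" || echo "^ before hardening"
sshd_harden "$d/sshd_config" "$d/sshd_config.new"
sshd_check "$d/sshd_config.new" && echo "hardened config passes"
rm -rf "$d"
```

Combined with the admin4u-then-su arrangement from post #1, this gives the chain the thread is after: a remote attacker has to hold a private key to get a shell at all, and then still needs to get through su (restricted to the wheel group) to reach root. On distributions that drop extra files into /etc/ssh/sshd_config.d/, check those too, since an Include at the top of the main file makes their values the "first" ones.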