  1. #1

    Steps to Secure the Server

    Please add your suggestions to make this article a success.

    I have written this doc from what I know. I know it's not complete; I need to get more data from experts.

    Experts, please add your comments so that everyone can make use of this doc.

    =========================================
    Security Audit and Securing the System
    ====================================

    Security Audit
    ############

    1) Conduct a security audit on the box and create a report for it.

    (a) Check intrusion detection. Use chkrootkit for this purpose. Update the report with these details.

    (b) Check for bugs in software which is currently installed on the box (i.e. kernel, openssl, openssh etc). Update the report with these details.

    (c) Scan all ports and find out which unwanted ports are open. Update the report with these details.

    (d) Check if /tmp is secured. Update the report with these details.

    (e) Check for hidden processes. Update the report with these details.

    (f) Check for bad blocks in every partition (this is just to make sure that the system is OK). Update the report with these details.

    (g) Check file permissions. Update the report with these details.

    (h) Check if the kernel has the ptrace vulnerability. Update the report with these details.

    (i) Check memory (this is to make sure that the memory is OK). Update the report with these details.

    (j) Check for open relay. Update the report with these details.

    (k) Check if the partitions have enough space. Update the report with these details.

    (l) Check the size of logs. It's better that the log size remains in MBs.

    (m) Do a stress test on the box. Update the report with these details.

    Steps to be followed for Securing a Server
    ==============================

    1) Correct the file permissions if anything was found wrong in the security audit.

    2) Close all unwanted ports as per the security audit report.

    3) Disable direct root login. (Configure your server such that no direct root login will be allowed. To log in as root we should log in as admin4u and then su to root.)

    4) Configure iptables to accept all ports used (i.e. control panel and other software) and disable all other ports.

    5) Install and set up apf.

    6) Install mod_security. Add this module as a DSO to Apache.

    7) Secure /tmp. Make /tmp noexec and nosuid.

    8) Upgrade all software which is buggy according to the security audit report (i.e. upgrade software like openssl, openssh etc).

    9) Add a script which will mail the owner of the box when someone adds a user with UID 0.

    10) Take preventive measures for DoS attacks, IP spoofing etc.

    11) If the client permits installation of Tripwire, then go with it. It's one of the best intrusion detection software packages.

    ========================================
    Reference:

    http://Linuxsecurity.com
    http://www.rfxnetworks.com/apf.php
    http://www.modsecurity.org/
    http://www.tripwire.com/
    ============================================


  2. #2
    Nice howto, although you should provide links to articles explaining how to do each step.

  3. #3
    I wanted more input from experts for my post. That's why I posted in WHT, so that I can make an article on security.

    Experts, please find some time and add your comments in this post.

  4. #4
    Use PHP's security features: open_basedir restrictions, safe mode.

  5. #5
    OK, thanks for the advice.

  6. #6
    A good firewall is essential, APF is an excellent choice IMHO

    John

  7. #7
    This is a good how to - however I don't think it has quite enough detail/instructions for a newbie to follow. The article lists what you need to do - but doesn't tell you how to do it. It would be great if someone were willing to create separate how-to articles for each of the steps you outlined above, then we can link to those articles in this one.

  8. #8
    I'm attaching some really good answers to all those steps in a txt file because I couldn't post them, due to the fact that I can't post URLs with less than 5 posts (some of the URLs are URLs to where to get new kernels and things like that, no spam).

    I'll try to keep working on it whenever I have more time.

  9. #9
    Any feedback ?

  10. #10
    I'll respond...
    Good simple notes, although my one complaint is that the stress test would be better if it mentioned a test that an admin can set up and run remotely, as I would suspect that 80% or more of WHT admins don't have physical access to their servers to run a CD.

  11. #11
    Even if a newbie doesn't know exactly how to do all that, he will at least put in his mind that one day he will have to do all that.

  12. #12
    Block every port that's not used from the outside..

  13. #13

    Good advice :)

    9) Add a script which will mail the owner of the box when someone adds a user with UID 0.

    How to do this?
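The two recurring checks behind steps (d)/7 and 9 of the first post, and the question just above, as an added example that is not part of the thread: a POSIX sh script that reports any UID 0 account other than root and verifies that /tmp is a separate mount carrying noexec and nosuid. The functions take file contents as arguments so they run here against constructed sample data and, when called with `live`, against the real /etc/passwd and /proc/mounts. The alert address, the script path and the cron schedule in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): recurring audit checks for a second
# UID 0 account and for /tmp mount options. ALERT_TO, the install path and the
# cron line are assumptions; adjust them for the box.

ALERT_TO="${ALERT_TO:-root}"   # assumed; point it at the box owner's mailbox

# Print every login with UID 0 other than root. A second UID-0 account
# (often given a harmless-looking name) is the classic backdoor after a break-in.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Print the mount options in effect for mountpoint $1, reading /proc/mounts
# from stdin. If a path is over-mounted the last entry wins, so keep the last.
mount_opts() {
    awk -v mp="$1" '$2 == mp { o = $4 } END { if (o != "") print o }'
}

# Succeed only if the option list in $1 carries both noexec and nosuid.
has_noexec_nosuid() {
    case ",$1," in *,noexec,*) ;; *) return 1 ;; esac
    case ",$1," in *,nosuid,*) return 0 ;; esac
    return 1
}

# audit_report PASSWD_CONTENT MOUNTS_CONTENT: print findings; exit 1 when
# anything needs attention so a cron wrapper can decide whether to send mail.
audit_report() {
    passwd="$1"; mounts="$2"; rc=0
    extra=$(printf '%s\n' "$passwd" | uid0_accounts)
    if [ -n "$extra" ]; then
        echo "ALERT: extra UID 0 accounts: $(printf '%s' "$extra" | tr '\n' ' ')"
        rc=1
    else
        echo "ok: root is the only UID 0 account"
    fi
    opts=$(printf '%s\n' "$mounts" | mount_opts /tmp)
    if [ -z "$opts" ]; then
        echo "ALERT: /tmp is not a separate mount, noexec/nosuid cannot apply"
        rc=1
    elif has_noexec_nosuid "$opts"; then
        echo "ok: /tmp mounted $opts"
    else
        echo "ALERT: /tmp mounted $opts (missing noexec and/or nosuid)"
        rc=1
    fi
    return $rc
}

# Constructed sample data, not taken from any real host.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin4u:x:1000:1000:admin:/home/admin4u:/bin/bash
toor:x:0:0:backdoor:/root:/bin/bash'

SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda3 /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0'

# Live mode, for cron (assumed path and schedule); mails only when something is wrong:
#   */10 * * * * /usr/local/sbin/audit.sh live
if [ "${1:-demo}" = live ]; then
    report=$(audit_report "$(cat /etc/passwd)" "$(cat /proc/mounts)") \
        || printf '%s\n' "$report" | mail -s "audit alert: $(hostname)" "$ALERT_TO"
else
    audit_report "$SAMPLE_PASSWD" "$SAMPLE_MOUNTS" || echo "result: attention needed"
fi
```

Run without arguments it audits the constructed samples and flags the `toor` account; the /tmp check also fails on purpose when /tmp is not its own mount, because `noexec`/`nosuid` on the root filesystem is not an option.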

  14. #14
    A bit basic, all of this..?

    I won't take the whole thing apart, but..

    ps aux should show all of the processes; remember that in order to trust this information you need to trust that the ps binary hasn't been corrupted (that's why you should run chkrootkit first).
    IF you find any strange process that you don't know about, google it!
    What happens if there's a kernel trojan that's affecting the proc output, or a library has been trojaned, and the ps binary hasn't been touched?

    If you're a run-of-the-mill sysadmin, or even a good one, chances are you aren't going to be able to adequately audit many/most of your system binaries either.

    My usual process on getting a new box:

    shut down unneeded services.

    chmod 750 /bin/su; chgrp wheel /bin/su; add only 1 user to the wheel group

    shut down external root logins, disallow ssh passwords (make people use keys)

    chmod -s 95% of the suid binaries on the system (find / -perm +4000 -uid 0). I don't usually bother with gid root binaries, but for the ultra paranoid you could do.

    update to the latest kernel, add grsecurity with higher logging

    where possible make syslog log to a remote host

    add a firewall

    perhaps disallow access to key binaries - wget/gcc/make(?) for example

    secure php! don't allow popen and the like. turn on open_basedir, don't allow customers to run phpnuke/phpbb etc etc

    Stress test isn't really part of a security audit, is it?

    If you've got the latest kernel, you aren't going to have a problem with the ptrace vuln.

    (i) Check memory (this is to make sure that the memory is OK). Update the report with these details.

    You can use software like memtest86 to check the status of your memory; issuing a
    cat /proc/meminfo should return all the information available about your memory
    haha. is this a security audit or a stress test or...?

  15. #15
    I have writen an article about security which will help server owners and system admins to secure their machines

    http://linuxgazette.net/111/cherian.html

    Please provide me with your comments on this
    Blessen Cherian

  16. #16

    How reliable are rkhunter and chkrootkit?

    ... some newer rootkits are able to intercept queries or "system calls" that are passed to the kernel and filter out queries generated by the rootkit software. The result is that typical signs that a program is running, such as an executable file name, a named process that uses some of the computer's memory, or configuration settings in the operating system's registry, are invisible to administrators and to detection tools...
    The above quote was taken from: http://www.computerworld.com/securit...,99843,00.html After spending several hours over the weekend googling "rootkit detection", "intrusion detection systems", etc., I've found the above "concept" widely distributed at many security-oriented sites.

    Hence, my question: How reliable are rkhunter and chkrootkit?

  17. #17
    Those 'rootkits' detailed in that article are Windows only, while Chkrootkit and RKhunter are Linux programs.

    Neither are 100% reliable. There are always determined people that can get root and keep it if they want it. Unless there's a determined admin that is one step ahead...

    Welcome back, the-muse. It's been an awfully long time since we've seen you around here.

  18. #18
    Originally posted by Andrew
    Unless there's a determined admin that is one step ahead...
    lol

  19. #19
    Sorry I didn't get back sooner. I was anticipating an Email response if there was a reply to my post, but one never came. I'll have to adjust my personal forum settings.

    andrew: Those 'rootkits' detailed in that article are Windows only, while Chkrootkit and RKhunter are linux programs.
    Ooops. I understand. I believe I knew I was reading an article referring to Windows (not sure though, I read so many that day), but should have selected a different one with the same concept as an example in this thread.
    Neither are 100% reliable. There are always determined people that can get root and keep it if they want it. Unless there's a determined admin that is one step ahead...
    My fear, exactly, and the reason I came scampering back to WHT after a long hiatus. I run both RKhunter and Chkrootkit at least once daily on all my servers. But I was just "goofing around" with Netstat the other day and noticed something very odd, and very disturbing.
    tcp 0 253 www.carhopper.netmtp 222.108.6.220:gdp-port ESTABLISHED

    tcp 0 0 www.carhopper.netmtp 59.34.169.56:2240 TIME_WAIT

    udp 0 0 www.carhopper.ne:domain *:*
    carhopper.net is a domain I owned a few years ago, and had hosted on a server which was hacked. The domain expired quite a while ago. When I tried two days ago to research for any traces of the domain, I found nothing. It's listed in the whois as "available". The IPs I've found associated with it from the Netstat readout I've traced to Korea and China. I'm concerned about a backdoor trojan - the type that "cloaks" itself successfully from detection by RKhunter, Chkrootkit, LogWatch, etc. When I see my former domain appear in the results of a Netstat call, then can't find any trace of who, if anyone, might be using that domain, I get very nervous. I checked /var/named and grepped /var/log for clues. Nothing with carhopper.net.


    Any thoughts about this mystery? carhopper.net appears faithfully whenever I run Netstat with or without any flag. It never "goes away". I asked the tech at the NOC if there may be some offbeat chance that carhopper.net was somehow still in some file on his network, but haven't had a response from him.
    Welcome back, the-muse. It's been an awfully long time since we've seen you around here.
    Thank you Andrew. It's true. I discovered WHT when I was scampering around as a reseller with a ton of questions (e.g. "what am I getting myself into?"). Then became somewhat fascinated by the idea of trying to help others here who were perhaps a couple of steps behind me, and finally just started "scanning" the forums for anything that looked like it might be of interest, or even "fun". As I migrated to dedicated (asking the same question again), I got so busy I could only drop by here long enough to see if I could find an answer to something that was stumping me (usually could find the answers). I see some old friends now community leaders and liaison, and I think to myself, "Gee, I knew them when they only had 10,000 posts under their belts."

    Even before I started making this very post, I found something in another forum that caught my eye, and had to jump in to make a comment. I'm already becoming sub-consciously aware of old patterns of the WHT addiction "waking up", with reminders of just how valuable spending some time here can be, even if there isn't a problem that needs addressing. It's a pleasant diversion. I'm now of the mindset that I should set aside an hour or so a day just to immerse myself in the community. There's no other community quite like WHT. Just an hour. Or two.

    Best wishes,
    The-Muse

  20. #20
    Personally I can't stand apf. Iptables will forever be in my heart :p
    A little warning if you've got apf installed: don't use iptables. I once did, while administering a box of a friend of mine. 5 minutes after the rule was inserted into iptables the box closed all IPv4 connections. I had to log in through IPv6, remove the rule, and restart apf.

  21. #21
    disallow ssh passwords and make people use keys ?

    What exactly do you mean by that?

  22. #22
    Originally posted by omes
    Personally I can't stand apf. Iptables will forever be in my heart :p
    A little warning if you've got apf installed: don't use iptables. I once did, while administering a box of a friend of mine. 5 minutes after the rule was inserted into iptables the box closed all IPv4 connections. I had to log in through IPv6, remove the rule, and restart apf.
    APF is just a front end for iptables.
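Since APF is a front end for iptables, it helps to see the kind of rule set it manages. The following is an added example, not APF's own rules and not from the thread: the default-deny INPUT chain that step 4 of the first post and post #12 describe, plus the kernel settings for the spoofing and flood protection of step 10. It prints the commands unless DRY_RUN=0 so the rule set can be reviewed before it is applied; the port list is an assumption and must include the ssh port you are connected on, or the final DROP policy locks you out.

```shell
#!/bin/sh
# Added example (not from the thread, not APF's rule set): a reviewable
# default-deny INPUT chain. DRY_RUN=1 prints the commands; DRY_RUN=0 (as root)
# executes them. IPT and the port list at the bottom are assumptions.

DRY_RUN="${DRY_RUN:-1}"
IPT="${IPT:-/sbin/iptables}"

# run CMD...: print the command in dry-run mode, execute it otherwise
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# fw_rules TCP_PORT...: build the INPUT chain. Rules are added while the
# policy is still ACCEPT and the DROP policy is set last, so an existing ssh
# session never sits between a DROP policy and the ESTABLISHED rule.
fw_rules() {
    # reverse-path filter: drop packets whose source address is not routable
    # back out the interface they arrived on (cheap anti-spoofing)
    run sysctl -w net.ipv4.conf.all.rp_filter=1
    # SYN cookies keep the listen backlog usable during a SYN flood
    run sysctl -w net.ipv4.tcp_syncookies=1
    # do not answer broadcast pings (smurf amplification)
    run sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1

    run "$IPT" -F INPUT
    run "$IPT" -A INPUT -i lo -j ACCEPT
    run "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -A INPUT -m state --state INVALID -j DROP
    for p in "$@"; do
        run "$IPT" -A INPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    run "$IPT" -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
    # log (rate-limited) what is about to be dropped, then drop everything else
    run "$IPT" -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
    run "$IPT" -P INPUT DROP
}

# Assumed port list: ssh, http, https. Run with DRY_RUN=0 as root to apply.
fw_rules 22 80 443
```

The order matters more than the individual rules: flush, loopback, state tracking, the explicit port list, and only then the DROP policy. Applying a rule by hand on a box where APF is also rewriting the chains, as the post above describes, means two managers editing the same table; keep one of them.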

  23. #23
    Originally posted by ChinaHost123
    disallow ssh passwords and make people use keys ?

    What exactly do you mean by that?
    SSH supports public/private key authentication. Your public key is stored on the server and your private key is stored on your own machine, so when you log in the server knows it's you because nobody else has the private key. This is better than password-based authentication because it is totally impossible (to all intents and purposes) for someone to guess your private key. The problem is that if you're away from your computer and suddenly need to ssh into your server, you won't be able to.
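Post #14 ("shut down external root logins, disallow ssh passwords") and the key explanation above both come down to a few sshd_config directives, and the usual mistake is appending them without noticing that sshd honours the first occurrence of a directive, not the last. Below is an added example, not from the thread, that checks an sshd_config the way sshd reads it: directives are case-insensitive, `#` starts a comment, `key value` and `key=value` are both accepted, and the first occurrence wins. Match blocks end the global section and are not inspected, and Include (newer OpenSSH) is not followed. The two configs are constructed; `AllowGroups wheel` mirrors the wheel group from post #14.

```shell
#!/bin/sh
# Added example (not from the thread): audit sshd_config for root login,
# password and key settings, reading the file with sshd's first-match rule.
# Sample configs below are constructed.

# effective_value DIRECTIVE < sshd_config : print the value sshd would use in
# the global section, or nothing if the directive is not set there.
effective_value() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, ""); gsub(/=/, " ") }              # strip comments, allow key=value
        NF < 2 { next }
        tolower($1) == "match" { exit }                 # global section ends here
        tolower($1) == want { print tolower($2); exit } # first occurrence wins
    '
}

# check_sshd_config CONTENT : one line per directive; exit 1 if any is missing
# or wrong. Unset directives count as failures on purpose: the compiled-in
# default differs between OpenSSH versions, so the hardened value must be
# explicit. ChallengeResponseAuthentication is included because PAM
# keyboard-interactive is a password prompt by another name.
check_sshd_config() {
    cfg="$1"; rc=0
    for pair in PermitRootLogin:no PasswordAuthentication:no \
                ChallengeResponseAuthentication:no PubkeyAuthentication:yes; do
        key=${pair%%:*}; want=${pair#*:}
        got=$(printf '%s\n' "$cfg" | effective_value "$key")
        if [ "$got" = "$want" ]; then
            echo "ok:   $key $got"
        elif [ -z "$got" ]; then
            echo "FAIL: $key not set (sshd default applies); add '$key $want'"
            rc=1
        else
            echo "FAIL: $key $got (want $want)"
            rc=1
        fi
    done
    return $rc
}

# Constructed configs. The weak one shows the first-occurrence trap: the
# hardened lines were appended, but sshd uses the earlier ones.
SAMPLE_WEAK='Port 22
PermitRootLogin yes
PasswordAuthentication yes
# added later after reading this thread, but ignored by sshd:
PermitRootLogin no
PasswordAuthentication no'

SAMPLE_HARDENED='Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowGroups wheel
Match User backup
    PasswordAuthentication yes'

echo "== weak";     check_sshd_config "$SAMPLE_WEAK"     || echo "result: fix before trusting this box"
echo "== hardened"; check_sshd_config "$SAMPLE_HARDENED" && echo "result: ok"
```

On a real host run `check_sshd_config "$(cat /etc/ssh/sshd_config)"`, and confirm the verdict with `sshd -T` (available in OpenSSH 5.1 and later), which prints the effective configuration after all parsing rules, Match and Include included. Note that the hardened sample's `Match User backup` re-enables passwords for one account; the checker deliberately stops before it, which is why the global verdict alone is not the whole story.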
