  1. #1

    How can I "harden" my server?

    And what exactly does harden mean?

  2. #2
    Firewall Installation/Configuration and Login Failure Daemon:

    Code:
    mkdir /usr/local/src
    cd /usr/local/src
    wget http://www.configserver.com/free/csf.tgz
    tar xfz csf.tgz
    cd csf
    ./install.sh

    If it is a cPanel server then proceed to configuring the firewall further via WHM.
    If it is a non-cPanel server then edit /etc/csf/csf.conf and set up TCP_IN, TCP_OUT, UDP_IN, UDP_OUT with the required ports.

    After you are happy with the firewall config set TESTING to "0" and restart the firewall
    Code:
    /etc/init.d/csf restart
    Remove unused processes:

    Just remove the: cups samba portmap packages

    Install Logwatch:

    Code:
    cd /usr/local/src
    wget ftp://ftp.kaybee.org/pub/linux/logwatch-7.3.6.tar.gz
    tar xfz logwatch-7.3.6.tar.gz
    cd logwatch-7.3.6
    ./install_logwatch.sh
    The default answers are fine.

    Code:
    cp /usr/share/logwatch/default.conf/logwatch.conf /etc/logwatch/conf/
    Edit /etc/logwatch/conf/logwatch.conf and change:
    MailTo = [email protected]
    Print = No

    OpenSSH configuration check:

    Edit /etc/ssh/sshd_config and change:
    Protocol 2
    PermitRootLogin no (if needed)

    Rootkit Hunter, Chkrootkit:

    Code:
    cd /usr/local/src
    wget http://puzzle.dl.sourceforge.net/sourceforge/rkhunter/rkhunter-1.3.2.tar.gz
    tar xfz rkhunter-1.3.2.tar.gz
    cd rkhunter-1.3.2
    ./installer.sh --layout default --install
    rkhunter --update
    rkhunter -c
    
    cd /usr/local/src
    wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
    tar xfz chkrootkit.tar.gz
    cd chkrootkit-0.48
    make sense
    ./chkrootkit
    Full OS Patching/Updating:

    Code:
    yum update
    
    up2date -p
    up2date -u
    
    aptitude update
    aptitude upgrade
    Depending on the OS.

    Name server configuration check:

    Edit /etc/named.conf and add:
    Code:
    allow-recursion {$IP; $IP; ...;};
    to the "options" section and restart BIND

    Secure /tmp /var/tmp /dev/shm:

    Code:
    cp -a /tmp /tmp_backup
    mount -t tmpfs tmpfs /tmp
    cp -a /tmp_backup/* /tmp/
    rm -rf /tmp_backup        # the backup is a directory, so rm -f alone would fail
    rm -rf /var/tmp
    ln -s /tmp /var/tmp

    Edit /etc/fstab and change to match:
    tmpfs /dev/shm tmpfs defaults,nosuid,noexec 0 0
    tmpfs /tmp tmpfs defaults,nosuid,noexec 0 0

    (the spaces are TABS)

    Run:
    Code:
    mount -o remount /dev/shm
    mount -o remount /tmp

    Delete unnecessary OS users:

    Investigate /etc/passwd and, depending on each server, remove users that are not used (usually users left behind by applications that were installed).

    Remove SUID/GUID from binaries:

    This is done by LES when management is set up

    mod_security:

    http://www.gotroot.com/tiki-index.ph...20mod_security

    LSM Installation:

    Code:
    cd /usr/local/src
    wget http://download.serversurgeon.com/pub/source/lsm-current.tar.gz
    tar xvfz lsm-current.tar.gz
    cd lsm-0.6
    ./install.sh
    Server Surgeon George
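An added check for the /tmp and /dev/shm step above (my own example, not the poster's; function names and the sample fstab contents are made up for the demo). It parses an fstab-style file and reports whether each tmpfs entry carries both nosuid and noexec, so the result of the edit can be verified before the remount:

```shell
# Added example, not from the thread: check an fstab-style file for the tmpfs
# hardening quoted above. For /tmp and /dev/shm (the post makes /var/tmp a
# symlink to /tmp) it reports whether an entry exists and whether its options
# include both nosuid and noexec. Returns 0 only if both are hardened.
check_tmp_mounts() {
    fstab="$1"; status=0
    for mnt in /tmp /dev/shm; do
        # column 2 = mount point, column 4 = options; awk splits on tabs or spaces
        opts=$(awk -v m="$mnt" '$1 !~ /^#/ && $2 == m { print $4 }' "$fstab" | tail -n 1)
        if [ -z "$opts" ]; then
            echo "$mnt: no fstab entry"; status=1; continue
        fi
        missing=""
        for want in nosuid noexec; do
            case ",$opts," in
                *",$want,"*) ;;
                *) missing="$missing $want" ;;
            esac
        done
        if [ -n "$missing" ]; then
            echo "$mnt: missing$missing"; status=1
        else
            echo "$mnt: ok ($opts)"
        fi
    done
    return $status
}

# Constructed sample fstabs for the demo: "weak" has /dev/shm without the
# options and no /tmp line; "hardened" matches the lines quoted above.
write_sample_fstab() {
    if [ "$1" = weak ]; then
        printf '%s\n' '# constructed sample, not a real fstab' \
            '/dev/sda1 / ext3 defaults 1 1' \
            'tmpfs /dev/shm tmpfs defaults 0 0' >"$2"
    else
        printf '%s\n' '/dev/sda1 / ext3 defaults 1 1' \
            'tmpfs /dev/shm tmpfs defaults,nosuid,noexec 0 0' \
            'tmpfs /tmp tmpfs defaults,nosuid,noexec 0 0' >"$2"
    fi
}

f=$(mktemp)
write_sample_fstab weak "$f";     check_tmp_mounts "$f" || :   # two findings
write_sample_fstab hardened "$f"; check_tmp_mounts "$f"        # two ok lines
rm -f "$f"
```

Run it against the real /etc/fstab with `check_tmp_mounts /etc/fstab` once the edit is in place.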

  3. #3
    Quote Originally Posted by izghitu:
    Remove SUID/GUID from binaries:

    This is done by LES when management is set up
    Thanks! I don't understand that one though.

    What are the suid/guid binaries?

    And what is LES?

  4. #4


    sorry for that

    Here's how you set up LES:
    Code:
    wget http://www.r-fx.ca/downloads/les-current.tar.gz
    tar xfz les-current.tar.gz
    cd les-*
    ./install.sh
    les -sb on
    It secures all the binaries that hackers often use to download stuff onto the server via vulnerable PHP scripts.
    Server Surgeon George
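To make the "what are the SUID/GUID binaries?" question concrete, an added audit script (mine, not part of this thread or of LES; function names, the file tree and the baseline list are constructed for the demo). It lists setuid/setgid files under a root and flags any that are not in a known-good baseline:

```shell
# Added example, not from the thread: puts "what are the SUID/GUID binaries?"
# into code. A setuid (4000) or setgid (2000) file runs with its owner's or
# group's privileges, so any unexpected one deserves a look. The audit lists
# such files under ROOT and compares them with a baseline of known ones
# (paths relative to ROOT, one per line). Tree and baseline are constructed.
list_setid_files() {
    root="$1"
    # -xdev stays on one filesystem; -perm -4000 / -2000 test the two bits
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
        sed "s|^$root/||" | sort
}

audit_setid_files() {
    root="$1"; baseline="$2"
    list_setid_files "$root" | while IFS= read -r f; do
        if grep -qxF -- "$f" "$baseline"; then
            echo "known $f"
        else
            echo "UNEXPECTED $f"
        fi
    done
}

# Throwaway tree: passwd (setuid, in the baseline), wget (setuid, not in
# the baseline) and ls (no special bits). The real /usr/bin is untouched.
make_sample_tree() {
    mkdir -p "$1/root/bin"
    for b in passwd wget ls; do : >"$1/root/bin/$b"; done
    chmod 4755 "$1/root/bin/passwd" "$1/root/bin/wget"
    chmod 0755 "$1/root/bin/ls"
    echo bin/passwd >"$1/baseline"
}

d=$(mktemp -d)
make_sample_tree "$d"
audit_setid_files "$d/root" "$d/baseline"   # known bin/passwd, UNEXPECTED bin/wget
rm -rf "$d"
```

On a real box, save `list_setid_files /` right after installation as the baseline and re-run the audit periodically; a new entry is what LES's secure-bin option and a rootkit scanner are both trying to catch.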

  5. #5
    so useful, can the admin move this to how-to's and pin it?

  6. #6
    LES (Linux Environment Security) Installation

    Code:
    wget http://rfxnetworks.com/downloads/les-current.tar.gz
    tar -zxvf les-current.tar.gz
    cd les-*/
    ./install.sh
    LES Run

    Code:
    /usr/local/sbin/les --secure-bin on
    /usr/local/sbin/les --secure-path on

    Disable SSH root access

    Create a user if needed

    Code:
    # useradd -p expects an already-hashed password, not plain text, so set it with passwd
    /usr/sbin/useradd user
    passwd user

    Add user to the wheel group and make sure users in the wheel group can sudo.

    Deny root ssh

    Code:
    vi /etc/ssh/sshd_config
    PermitRootLogin no
    /etc/rc.d/init.d/sshd restart

    Change the SSH port 22 to 2099 for example

    Code:
    vi /etc/ssh/sshd_config
    Uncomment Port and change 22 to 2099

    Code:
    /etc/rc.d/init.d/sshd restart
    /etc/init.d/firewall start

  7. #7
    Quote Originally Posted by spal911:
    Remove unused processes:

    Just remove the: cups samba portmap packages
    How do I do that?

    yum remove cups
    ?

  8. #8
    izghitu, holy !!! nice post. I saved this to my EverNote. Thanks.
    BestVPSReviews.com - KnownHost VPS? Liquid Web VPS? See my personal experience with these hosts.
    Best Web Hosting - The Best Web Hosting Deals and News

  9. #9
    Quote Originally Posted by jalapeno55:
    How do I do that?

    yum remove cups
    ?
    Anything that "fails" to stop was not installed. Please make sure you do not need any of these services before disabling them:

    Code:
    service cups stop
    chkconfig cups off
    service nfslock stop
    chkconfig nfslock off
    service rpcidmapd stop
    chkconfig rpcidmapd off
    service anacron stop
    chkconfig anacron off
    service xfs stop
    chkconfig xfs off
    service atd stop
    chkconfig atd off
    service canna stop
    chkconfig canna off
    service FreeWnn stop
    chkconfig FreeWnn off
    service cups-config-daemon stop
    chkconfig cups-config-daemon off
    service iiim stop
    chkconfig iiim off
    service mDNSResponder stop
    chkconfig mDNSResponder off
    service nifd stop
    chkconfig nifd off
    service rpcidmapd stop
    chkconfig rpcidmapd off
    service bluetooth stop
    chkconfig bluetooth off
    service anacron stop
    chkconfig anacron off
    service gpm stop
    chkconfig gpm off
    service saslauthd stop
    chkconfig saslauthd off
    service avahi-daemon stop
    chkconfig avahi-daemon off
    service avahi-dnsconfd stop
    chkconfig avahi-dnsconfd off
    service hidd stop
    chkconfig hidd off
    service pcscd stop
    chkconfig pcscd off
    service sbadm stop
    chkconfig sbadm off
    service webmin stop
    chkconfig webmin off
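An added wrapper for the stop/off list above (my own example, not the poster's; the function names, the fake init.d directory and the log path are assumptions). It checks for the init script before touching a service instead of relying on "service ... stop" failing, skips the duplicates in the list, and has a dry-run mode so the list can be reviewed first:

```shell
# Added example, not from the thread: run the stop/off list above, but look
# for the init script first instead of letting "service ... stop" fail, and
# ignore duplicates (rpcidmapd and anacron appear twice in the list). The
# first argument is the init.d directory (/etc/init.d on the systems this
# thread is about); "-n" before it only prints what would be done, which is
# how the constructed demo at the bottom runs.
disable_services() {
    dryrun=0
    if [ "$1" = "-n" ]; then dryrun=1; shift; fi
    initdir="$1"; shift
    seen=" "
    for svc in "$@"; do
        case "$seen" in *" $svc "*) continue ;; esac   # already handled
        seen="$seen$svc "
        if [ ! -x "$initdir/$svc" ]; then
            echo "skip $svc (not installed)"
            continue
        fi
        if [ "$dryrun" = 1 ]; then
            echo "would disable $svc"
        elif service "$svc" stop && chkconfig "$svc" off; then
            # assumed log path: keep a record so the change can be reverted
            echo "disabled $svc" | tee -a /var/log/disabled-services.log
        else
            echo "FAILED $svc (still enabled)"
        fi
    done
}

# Fake init.d with only cups and webmin "installed"; nothing on the real
# system is touched.
make_fake_initdir() {
    mkdir -p "$1"
    for svc in cups webmin; do : >"$1/$svc"; chmod 755 "$1/$svc"; done
}

d=$(mktemp -d)
make_fake_initdir "$d"
disable_services -n "$d" cups nfslock rpcidmapd anacron rpcidmapd webmin
rm -rf "$d"
```

Drop the `-n` and pass /etc/init.d to apply it for real, after checking the "would disable" lines against what the server actually needs.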

  10. #10
    Is anything above 1024 slow for SSH?

    Sorry, I'm new to this. The example port 2099, is this just completely arbitrary? I tried a port close to this number and I couldn't even type it was so slow. I thought also maybe such a high # was suggested because #'s above 1024 were also somehow safer.

    I re-edited the conf file, and put the port # somewhere between 22 and 1024 and now it is fine.

    *shrug*

  11. #11
    Quote Originally Posted by jw0ollard:
    Is anything above 1024 slow for SSH?

    Sorry, I'm new to this. The example port 2099, is this just completely arbitrary? I tried a port close to this number and I couldn't even type it was so slow. I thought also maybe such a high # was suggested because #'s above 1024 were also somehow safer.

    I re-edited the conf file, and put the port # somewhere between 22 and 1024 and now it is fine.

    *shrug*
    You can use any port for the SSH connection and any port above 1024 shouldn't be slow for SSH.

  12. #12
    I sometimes see that SSH is slow when accessed from a slow dialup connection.
    You can check your internet connection speed.

    Although SSH doesn't need much bandwidth, it does need a constant, stable connection.

  13. #13
    Disable password authentication in ssh and only allow key-based authentication.

  14. #14
    Quote Originally Posted by domainworldaccess:
    Anything that "fails" to stop was not installed. Please make sure you do not need any of these services before disabling them:

    Code:
    service cups stop
    chkconfig cups off
    service nfslock stop
    chkconfig nfslock off
    service rpcidmapd stop
    chkconfig rpcidmapd off
    service anacron stop
    ...
    chkconfig webmin off
    What do these do pcscd, avahi-daemon, cups?

  15. #15
    There is another way of looking at root SSH access. If you are routinely going to ssh onto a box and then "su -" you have just created another attack vector. Now someone can get root just by compromising your non-root account and setting up a malicious su.

    Root is (hopefully) the most protected account on the system, the same can't be said for your normal user account so this new attack vector really weakens your security.

    The reason people recommend against going in as root is simply that if you have to login as another user then the attacker has to guess two things - the username and the password. But depending on how much an attacker can find out about the owner of a system the username might be quite easy to guess (often seen on emails etc.) so you would be better off using a longer password.

    Having said that I think it is better not to use a password at all, then it can't be guessed. Setting sshd to only accept public keys and using strong identities (and with strong pass phrases) is much more secure.

    Changing the port is rather pointless too. Yes it might stop the bots from taking pot shots at you (but they won't if you only allow public key authentication anyway), but anyone interested in finding out what port your sshd is running on only has to run nmap.

    If you notice poor performance on high port numbers this can be due to packet shaping somewhere along the line. I know my ISP considers ssh connections to be interactive and thus prioritizes the packets. I would probably lose this benefit if it were running on another port.

    Remember that security starts right in front of you, your username, password, pass phrase and random port are all useless if the machine you are logging in from is compromised. One key logger is all that is required. If you are truly paranoid you might want to set up a secure terminal that runs nothing but the OS and is used for nothing but ssh connections to your server.

    Jim
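An added audit that ties together the sshd advice from posts #2, #6, #13 and #15 (my own example, not from any poster; function names and the sample configs are constructed). It checks Protocol, PermitRootLogin, PasswordAuthentication and PubkeyAuthentication the way sshd itself reads them, where the first uncommented value of a keyword wins, and reports the Port for information only:

```shell
# Added example, not from the thread: audit an sshd_config against the advice
# in this thread (Protocol 2, PermitRootLogin no, key-only logins). sshd uses
# the FIRST uncommented value of each keyword, so a hardened line appended at
# the end of the file does nothing if an earlier line already sets it; the
# audit reads the file the same way. Match blocks are not handled, and on
# newer OpenSSH builds, which speak protocol 2 only, an unset Protocol is harmless.
sshd_opt() {   # sshd_opt FILE KEYWORD -> first uncommented value, or nothing
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

audit_sshd_config() {
    cfg="$1"; bad=0
    for rule in Protocol=2 PermitRootLogin=no \
                PasswordAuthentication=no PubkeyAuthentication=yes; do
        key=${rule%%=*}; want=${rule#*=}
        have=$(sshd_opt "$cfg" "$key" | tr 'A-Z' 'a-z')
        if [ "$have" = "$want" ]; then
            echo "ok   $key $have"
        else
            echo "FAIL $key is '${have:-unset}', want $want"; bad=1
        fi
    done
    # Port is informational only; post #15 explains why moving it buys little.
    port=$(sshd_opt "$cfg" Port)
    echo "info Port ${port:-22 (default)}"
    return $bad
}

# Constructed samples: "weak" leaves PermitRootLogin commented out and allows
# passwords; "hardened" ends with a duplicate PermitRootLogin yes to show that
# the first value is the one that counts.
write_sample_sshd_config() {
    if [ "$1" = weak ]; then
        printf '%s\n' 'Port 22' '#PermitRootLogin no' \
            'PasswordAuthentication yes' >"$2"
    else
        printf '%s\n' 'Port 2099' 'Protocol 2' 'PermitRootLogin no' \
            'PasswordAuthentication no' 'PubkeyAuthentication yes' \
            '# duplicate below is ignored by sshd: the first value wins' \
            'PermitRootLogin yes' >"$2"
    fi
}

f=$(mktemp)
write_sample_sshd_config weak "$f";     audit_sshd_config "$f" || :   # 4 FAIL lines
write_sample_sshd_config hardened "$f"; audit_sshd_config "$f"        # all ok
rm -f "$f"
```

Run `audit_sshd_config /etc/ssh/sshd_config` after editing, and only restart sshd once it reports no FAIL lines and you have confirmed a key-based login works from a second session.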
