    Basic Steps to make Linux server secure Part I

    These are the basic steps that can be followed to secure a Linux server.

    A) chkrootkit – Detects rootkits and notifies via email

    B) CSF – A policy-based iptables firewall system used for the easy configuration of iptables rules.

    C) SSH Securing – For better security of SSH connections.

    D) Host.conf Hardening – Prevents IP spoofing and DNS poisoning

    E) Sysctl.conf Hardening – Prevents SYN-flood attacks and other network abuses.

    F) FTP Hardening – Secure FTP software by upgrading to the latest version




    A) chkrootkit – Detects rootkits and notifies via email

    Chkrootkit’s installation is very easy. I am describing the steps below.

    1. SSH to the server as ‘root’, then fetch chkrootkit with wget from its FTP location.

    wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz


    2. Unpack the tarball in the current directory.

    tar xvzf chkrootkit.tar.gz


    3. Change into the newly created directory and build it.

    cd chkrootkit*
    make sense


    4. Once the build is complete, run chkrootkit with the command below.

    ./chkrootkit


    NOTE: Make sure that gcc and make are installed on the server, or else the build will fail.

    At this point, I would suggest that you set a crontab to execute this chkrootkit daily. You can even have the results sent to you via email.

    For that, create a file /etc/cron.daily/chkrootkit.sh

    Insert the following to the new file and save it:

    #!/bin/bash
    cd /yourinstallpath/chkrootkit-0.42b/
    ./chkrootkit | mail -s "Daily chkrootkit from Servername" admin@youremail.com


    1. Replace ‘yourinstallpath’ with the actual path to where you unpacked chkrootkit.
    2. Change ‘Servername’ to the name of the server you’re running it on, so you know where the report is coming from.
    3. Change ‘admin@youremail.com’ to the actual email address the script should mail the report to.

    Make the file executable:

    chmod 755 /etc/cron.daily/chkrootkit.sh


    You will receive daily chkrootkit reports on your email address from now on.



    B) CSF – A policy-based iptables firewall system used for the easy configuration of iptables rules.

    Installation:

    # cd /usr/src/
    # rm -fv csf.tgz
    # wget http://www.configserver.com/free/csf.tgz
    # tar -xzf csf.tgz
    # cd csf*
    # sh install.sh


    Next, test whether you have the required iptables modules:

    # perl /etc/csf/csftest.pl



    C) SSH Securing – For better security of SSH connections.


    Disable SSH protocol 1

    To disable protocol 1 for SSH, make sure your “/etc/ssh/sshd_config” has the following line uncommented:

    # Protocol 2,1
    Protocol 2


    Restart sshd.

    Change the SSH Port on the server

    This step is more security by obscurity: changing the default SSH port 22 to a port of your choice (normally a high one) will reduce the number of bots trying to brute-force your SSH server.

    To change SSH server port add the following entry in your “/etc/ssh/sshd_config”:

    # Run ssh on a non-standard port:
    Port 2233


    NOTE **** DON’T FORGET TO OPEN THE FIREWALL PORT IN CSF AND RESTART CSF BEFORE RESTARTING SSHD ****

    (Don’t use the port number listed above and don’t use 2222; everyone uses that port and it gets scanned almost as much as 22.)

    You will need to specify the new port you have chosen in PuTTY or on the command line when connecting. In PuTTY this is pretty obvious; on Unix you would do so by:

    ssh -p 2233 user@server

    Disable root Login

    Add the following to your sshd_config file:

    PermitRootLogin no


    Allow specific Users on SSH

    If it’s only you and a bunch of other admins accessing the server over SSH, I would recommend the use of AllowUsers in sshd_config; this is an ACL for SSH, allowing only the users listed in the config file. The example below would allow keith & bart to access the server over SSH:

    AllowUsers keith bart


    Change SSH login grace time

    This is the period of unauthenticated time the connection is left open, i.e. the time you have to log in. By default it’s normally 2 minutes, which is far too long in my opinion… I change mine to 30 seconds.

    LoginGraceTime 30


    Limit the amount of unauthenticated SSH connections

    When attackers brute-force an SSH server they open up as many SSH connections to it as possible; the more connections they can open, the more simultaneous parallel cracking attempts they can run.

    Adding the following to your sshd_config file allows 2 unauthenticated connections to your server at the same time; beyond that, new connection attempts are randomly dropped with a probability that starts at 50% and rises to 100% at the maximum of 10 (that is what 2:50:10 means). If you have a lot of valid SSH users authenticating on your servers at the same time, this should be increased.

    #MaxStartups 10
    MaxStartups 2:50:10
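    As an added example (not from the original post), here is a small POSIX sh checker for the section C settings. It relies on sshd’s real rule that the first uncommented occurrence of a keyword wins, so simply appending a line does nothing when the same keyword is already set earlier in the file; the sample configs are constructed.

```sh
#!/bin/sh
# Added example (not part of the original post): audit an sshd_config for the
# section C settings. sshd applies the FIRST uncommented occurrence of each
# keyword, so a line appended at the end is ignored if the keyword is already
# set above it; the checker mirrors that rule. Sample configs are constructed.

# sshd_get CONFIG_TEXT KEYWORD -> first effective value, empty if unset
sshd_get() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*(#|$)/ { next }            # skip comments and blank lines
        tolower($1) == tolower(key) {            # keywords are case-insensitive
            $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }'
}

# sshd_check CONFIG_TEXT -> one line per deviation; exit status = number found
sshd_check() {
    c=$1; n=0
    v=$(sshd_get "$c" Protocol)
    [ "$v" = 2 ] || { echo "Protocol: want 2, got '${v:-unset}'"; n=$((n+1)); }
    v=$(sshd_get "$c" Port)
    [ -n "$v" ] && [ "$v" != 22 ] && [ "$v" != 2222 ] ||
        { echo "Port: pick a non-default port (not 22/2222), got '${v:-unset}'"; n=$((n+1)); }
    v=$(sshd_get "$c" PermitRootLogin)
    [ "$v" = no ] || { echo "PermitRootLogin: want no, got '${v:-unset}'"; n=$((n+1)); }
    v=$(sshd_get "$c" AllowUsers)
    [ -n "$v" ] || { echo "AllowUsers: no allow-list of users set"; n=$((n+1)); }
    v=$(sshd_get "$c" LoginGraceTime)   # a non-numeric value such as 1m fails too
    [ -n "$v" ] && [ "${v%s}" -le 30 ] 2>/dev/null ||
        { echo "LoginGraceTime: want <= 30, got '${v:-unset}'"; n=$((n+1)); }
    v=$(sshd_get "$c" MaxStartups)
    [ -n "$v" ] || { echo "MaxStartups: not set (sshd default is 10)"; n=$((n+1)); }
    return $n
}

# BEFORE has PermitRootLogin yes early and "PermitRootLogin no" appended later,
# as a naive edit would do: the first line wins, so root login stays enabled.
SSHD_BEFORE='Protocol 2,1
PermitRootLogin yes
#Port 22
#MaxStartups 10
PermitRootLogin no'
SSHD_AFTER='Protocol 2
Port 2233
PermitRootLogin no
AllowUsers keith bart
LoginGraceTime 30
MaxStartups 2:50:10'

echo "== before =="; sshd_check "$SSHD_BEFORE" || echo "$? deviation(s)"
echo "== after ==";  sshd_check "$SSHD_AFTER"  && echo "no deviations"
```

    Run it against a real file with `sshd_check "$(cat /etc/ssh/sshd_config)"`; it reports deviations only and does not change anything.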

    D) Host.conf Hardening – Prevents IP spoofing and DNS poisoning


    The host.conf file resides in /etc/host.conf. This is it before hardening:

    order hosts,bind


    After hardening:

    order bind,hosts
    multi on
    nospoof on


    E) Sysctl.conf Hardening – Prevents SYN-flood attacks and other network abuses.


    # mv /etc/sysctl.conf /etc/sysctl.conf.orig


    # vi /etc/sysctl.conf


    # Kernel sysctl configuration file for Red Hat Linux
    #
    # For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
    # sysctl.conf(5) for more details.
    # Replace eth0 below with your interface name if it differs.

    # Disables packet forwarding
    net.ipv4.ip_forward = 0

    # Disables IP source routing
    net.ipv4.conf.all.accept_source_route = 0
    net.ipv4.conf.lo.accept_source_route = 0
    net.ipv4.conf.eth0.accept_source_route = 0
    net.ipv4.conf.default.accept_source_route = 0

    # Enable IP spoofing protection, turn on source route verification
    net.ipv4.conf.all.rp_filter = 1
    net.ipv4.conf.lo.rp_filter = 1
    net.ipv4.conf.eth0.rp_filter = 1
    net.ipv4.conf.default.rp_filter = 1

    # Disable ICMP Redirect Acceptance
    net.ipv4.conf.all.accept_redirects = 0
    net.ipv4.conf.lo.accept_redirects = 0
    net.ipv4.conf.eth0.accept_redirects = 0
    net.ipv4.conf.default.accept_redirects = 0

    # Log spoofed packets, source-routed packets and redirect packets
    # (1 enables logging of "martian" packets to the kernel log)
    net.ipv4.conf.all.log_martians = 1
    net.ipv4.conf.lo.log_martians = 1
    net.ipv4.conf.eth0.log_martians = 1

    # Disables the magic-sysrq key
    kernel.sysrq = 0

    # Decrease the default value for the tcp_fin_timeout connection timer
    net.ipv4.tcp_fin_timeout = 15

    # Decrease the default value for the tcp_keepalive_time timer
    net.ipv4.tcp_keepalive_time = 1800

    # Turn off TCP window scaling, SACK and timestamps
    # (note: disabling these reduces throughput on high-latency links)
    net.ipv4.tcp_window_scaling = 0
    net.ipv4.tcp_sack = 0
    net.ipv4.tcp_timestamps = 0

    # Enable TCP SYN Cookie Protection
    net.ipv4.tcp_syncookies = 1

    # Ignore ICMP echo requests sent to broadcast addresses
    net.ipv4.icmp_echo_ignore_broadcasts = 1

    # Enable bad error message protection
    net.ipv4.icmp_ignore_bogus_error_responses = 1

    # Increases the size of the SYN backlog queue (effectively, q0).
    net.ipv4.tcp_max_syn_backlog = 1024

    # Increase the tcp-time-wait buckets pool size
    net.ipv4.tcp_max_tw_buckets = 1440000

    # Allowed local port range (the upper bound must not exceed 65535,
    # otherwise the kernel rejects the setting)
    net.ipv4.ip_local_port_range = 16384 65535


    After you make the changes to the file you need to run


    # /sbin/sysctl -p

    and


    # sysctl -w net.ipv4.route.flush=1

    to enable the changes without a reboot.


    F) FTP Hardening – Secure FTP software by upgrading to the latest version


    cPanel:

    # /scripts/ftpup --force


    WHM – Service Configuration – FTP Configuration:

    Disable anonymous FTP access


