Wednesday, September 7, 2011

18 STEPS FOR SERVER HARDENING - LINUX


1. sysctl.conf hardening has been done to help prevent spoofing and DoS attacks.

sysctl.conf Hardening - Ref: http://www.eth0.us/sysctl

NOTICE: Make sure that eth0 is your primary interface, if it is not
replace eth0 with eth1 in the code below.

-----command-----
vi /etc/sysctl.conf
-----command-----

Basic:
------
# Turn on execshield
kernel.exec-shield=1
kernel.randomize_va_space=1
# Enable IP spoofing protection
net.ipv4.conf.all.rp_filter=1
# Disable IP source routing
net.ipv4.conf.all.accept_source_route=0
# Ignore broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
# Make sure spoofed packets get logged
net.ipv4.conf.all.log_martians = 1

Now paste the following into the file; you can overwrite the current
contents.


#Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.

# Disables packet forwarding
net.ipv4.ip_forward=0

# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.lo.log_martians = 1
net.ipv4.conf.eth0.log_martians = 1


# Disables the magic-sysrq key
kernel.sysrq = 0

# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15

# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1800

# Turn off the tcp_window_scaling
net.ipv4.tcp_window_scaling = 0

# Turn off the tcp_sack
net.ipv4.tcp_sack = 0

# Turn off the tcp_timestamps
net.ipv4.tcp_timestamps = 0

# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1

# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1

# Increases the size of the socket queue (effectively, q0).
net.ipv4.tcp_max_syn_backlog = 1024

# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 1440000

# Allowed local port range
net.ipv4.ip_local_port_range = 16384 65535

----------------------------------------------------------

After you make the changes to the file you need to run /sbin/sysctl -p and
sysctl -w net.ipv4.route.flush=1 to apply the changes without a reboot.

The rules were taken from:
http://ipsysctl-tutorial.frozentux.net/ipsysctl-tutorial.html
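
The block above assigns some keys more than once, and sysctl -p applies a file top to bottom, so the last assignment wins. The following added checker (not part of the original post; the SAMPLE_SYSCTL_CONF text and the expected-value table are constructed for illustration) reports duplicated keys and compares the effective values against the hardening settings from this step:

```shell
#!/bin/sh
# Constructed sysctl.conf fragment: it reproduces the conflict in the block
# above, where net.ipv4.conf.all.log_martians is set to 0 and later to 1.
SAMPLE_SYSCTL_CONF='
# Enable Log Spoofed Packets
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies=1
# Log Spoofed Packets (contradicts the earlier line)
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_redirects = 0
'

# Emit "key value" per assignment; comments, blanks and spacing around "=" go.
parse_sysctl() {
    printf '%s\n' "$1" | sed -e 's/#.*//' -e '/^[[:space:]]*$/d' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*=[[:space:]]*/ /'
}

# Keys assigned more than once. sysctl -p applies the file top to bottom, so
# the last assignment silently wins and the comment on the first one lies.
duplicate_keys() {
    parse_sysctl "$1" | awk '{ n[$1]++ } END { for (k in n) if (n[k] > 1) print k }' | sort
}

# Effective (last-wins) value of key $2 in the file text $1; empty if unset.
effective_value() {
    parse_sysctl "$1" | awk -v k="$2" '$1 == k { v = $2 } END { print v }'
}

# Compare effective values with the expectations from the step above and
# print one "key expected actual" line per mismatch (nothing when all match).
check_expected() {
    conf=$1
    printf '%s\n' \
        'net.ipv4.conf.all.log_martians 1' \
        'net.ipv4.conf.all.rp_filter 1' \
        'net.ipv4.conf.all.accept_source_route 0' \
        'net.ipv4.tcp_syncookies 1' |
    while read -r key want; do
        got=$(effective_value "$conf" "$key")
        [ "$got" = "$want" ] || printf '%s %s %s\n' "$key" "$want" "${got:-unset}"
    done
}

echo "duplicated keys:";  duplicate_keys "$SAMPLE_SYSCTL_CONF"
echo "mismatches:";       check_expected "$SAMPLE_SYSCTL_CONF"
```

On a live host, feed it the real file with `check_expected "$(cat /etc/sysctl.conf)"`; the running values can be compared the same way by reading /proc/sys.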

2. /tmp, /var/tmp, and /dev/shm are now mounted in a way that no program can
be directly run from these directories.

Ref:
http://sysadmingear.blogspot.com/2007/10/how-to-secure-tmp-and-devshm-partition.html

A. First you should secure /tmp:

Make a 1GB file for the /tmp partition and an ext3 filesystem on it:
# dd if=/dev/zero of=/dev/tmpMnt bs=1024 count=1000000
# /sbin/mkfs.ext3 /dev/tmpMnt

Create a backup copy of your current /tmp drive:
# cp -Rpf /tmp /tmpbackup
Mount our new tmp parition and change permissions:
# mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp
# chmod 1777 /tmp
Copy the old data:
# cp -Rpf /tmpbackup/* /tmp/
If you run the mount command you should see something like this:
/dev/tmpMnt on /tmp type ext3 (rw,noexec,nosuid,loop=/dev/loop0)
Edit /etc/fstab and add this:
/dev/tmpMnt /tmp ext3 loop,nosuid,noexec,rw 0 0
Test your fstab entry:
# mount -o remount /tmp

You can test it by running a script on the /tmp partition; if you get
"permission denied" it is fine :)


B. Secure /var/tmp:

This should be done because some applications use /var/tmp as their
temporary folder, and anything that is accessible by all needs to be secured.
Rename it and create a symbolic link to /tmp:
# mv /var/tmp /var/tmp1
# ln -s /tmp /var/tmp
Copy the old data back:
# cp /var/tmp1/* /tmp/
Note: you should restart any services that use the /tmp partition.

C. Securing /dev/shm:

To finish the job, you should secure /dev/shm to stop rootkits running from
there.

Edit your /etc/fstab:
# nano /etc/fstab
change:
"none /dev/shm tmpfs defaults,rw 0 0" to
"none /dev/shm tmpfs defaults,nosuid,noexec,rw 0 0"
Remount /dev/shm:
# mount -o remount /dev/shm
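
After steps A to C it is worth verifying the result rather than trusting the fstab edit. The following added audit (not from the original post) parses a /proc/mounts-style table and reports which of the three locations lack the noexec and nosuid options; the SAMPLE_MOUNTS table is constructed for illustration, with /dev/shm deliberately left unhardened:

```shell
#!/bin/sh
# Constructed /proc/mounts-style table (device mountpoint fstype options
# dump pass): /tmp is hardened as in step 2, /dev/shm still has the stock
# options, and /var/tmp is not a mount point (step 2 makes it a symlink).
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,relatime 0 0
/dev/loop0 /tmp ext3 rw,nosuid,noexec 0 0
none /dev/shm tmpfs rw 0 0
/dev/sda2 /home ext3 rw,relatime 0 0'

# Mount options of the filesystem mounted at $2 in table $1; empty if none.
mount_options() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4 }'
}

# Required options (comma-separated in $3) missing from the mount at $2,
# one per line; prints nothing when the mount already has them all.
missing_options() {
    opts=$(mount_options "$1" "$2")
    printf '%s\n' "$3" | tr ',' '\n' | while read -r want; do
        case ",$opts," in
            *,"$want",*) ;;
            *) echo "$want" ;;
        esac
    done
}

# Audit the three world-writable locations from step 2 against the options
# the step applies. One line per finding; silence means all three pass.
audit_tmp_mounts() {
    for mp in /tmp /var/tmp /dev/shm; do
        if [ -z "$(mount_options "$1" "$mp")" ]; then
            # A symlink to /tmp (step 2B) is invisible in the mount table,
            # so it cannot be confirmed here and is flagged for review.
            echo "$mp: not a mount point (check it resolves to a hardened fs)"
        else
            miss=$(missing_options "$1" "$mp" noexec,nosuid | tr '\n' ' ')
            [ -z "$miss" ] || echo "$mp: missing ${miss% }"
        fi
    done
}

# On a live host, replace the sample with: audit_tmp_mounts "$(cat /proc/mounts)"
audit_tmp_mounts "$SAMPLE_MOUNTS"
```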

3. Miscellaneous system tweaks have been done.
   a. tcp_syncookies enabled, which will help with a few different types
of DoS-style attacks.

   b. Hardened resolv.conf, because if improperly configured it can be
used to spoof or create a DoS attack.

   c. Verified and set up /etc/hosts, removed the additional entries.

   d. SSHD has been secured.

   e. Changed the permissions from 755 to 750 for a few binaries.

a. tcp_syncookies enabled, which will help with a few different types
of DoS-style attacks.

vi sysctl.conf
            # Enable TCP SYN Cookie Protection
            net.ipv4.tcp_syncookies = 1

b. Hardened resolv.conf, because if improperly configured it can be
used to spoof or create a DoS attack (nameservers only):

nameserver 10.0.80.11
nameserver 10.0.80.12

c. Verified and set up /etc/hosts, removed the additional entries:

127.0.0.1               localhost.localdomain localhost
75.126.147.142          newsj.sjservernew.com newsj

d. SSHD has been secured

Protocol 2
Port: change the port number to something other than 22
SyslogFacility AUTHPRIV

e. Changed the permissions from 755 to 750 for a few binaries:


chmod 750 /usr/bin/rcp
chmod 750 /usr/bin/wget
chmod 750 /usr/bin/lynx
chmod 750 /usr/bin/links
chmod 750 /usr/bin/scp

4. Hidden the versions of Apache, named and Exim, which will help prevent
many automated attacks that target a specific version number.

Ref: http://www.cyberciti.biz/faq/rhel-centos-hide-httpd-version/
       http://www.cyberciti.biz/faq/hide-bind9-dns-sever-version/
       http://forums.cpanel.net/f43/security-annoyance-hide-exim-version-119521.html

HTTPD.CONF:
-----------
Open your httpd.conf and set:
ServerSignature Off
ServerTokens Prod

/etc/init.d/httpd restart

NAMED.CONF:
-----------
Open your named.conf file and find the options { ... }; section:

options
{
        query-source    port 53;
        query-source-v6 port 53;
        listen-on { 174.ttt.xx.yy; };
        directory "/var/named"; // the default
        dump-file               "data/cache_dump.db";
        statistics-file         "data/named_stats.txt";
        memstatistics-file      "data/named_mem_stats.txt";
        dnssec-enable yes;
        recursion no;
        allow-notify { 174.zzz.yy.zz; 172.xx.yy.zz; };
        version "BIND";
};

To hide your bind version:
version "YOUR Message";

OR
version "use fpdns to get version number ;)";

Save and close the file. Restart named, enter:

# service bind9 restart

OR

# service named restart

How do I see bind version?

Use dig command, enter

$ dig @ns1.softlayer.com -c CH -t txt version.bind

EXIM.CONF:
----------
Open the file /etc/exim.conf and find for smtp_banner.

The line would look like

smtp_banner = "${primary_hostname} ESMTP Exim ${version_number} \
Remove the "Exim ${version_number}" from the line. The modified line would
look like

smtp_banner = "${primary_hostname} ESMTP \

5. PHP has been secured by disabling a few of its features (use find /
-name php.ini to locate the file).

vi /etc/php.ini

OR

vi /usr/bin/php/php.ini

expose_php = Off

6. Rkhunter has been installed, which is a very useful tool that is used to
check for trojans, rootkits, and other security problems.

Download:
http://downloads.sourceforge.net/project/rkhunter/rkhunter/1.3.8/rkhunter-1.3.8.tar.gz?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Frkhunter%2

1. Login to your server via SSH as root.
cd /usr/local/src/
2. Download latest RKHunter Version
wget
http://downloads.sourceforge.net/project/rkhunter/rkhunter/1.3.8/rkhunter-1.3.8.tar.gz?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Frkhunter%2
3. Extract files
tar -xzvf rkhunter-1.3.8.tar.gz
cd rkhunter-1.3.8
./installer.sh --install
4. Setup cron for RKHunter to e-mail you daily scan reports.
pico /etc/cron.daily/rkhunter.sh
Add The Following Lines:
#!/bin/bash
/usr/local/bin/rkhunter --update && /usr/local/bin/rkhunter -c --cronjob 2>&1 | mail -s "RKhunter Scan Details" support@domain.com
(Replace the e-mail address above with your own.)

Type: chmod 700 /etc/cron.daily/rkhunter.sh

7. CHKROOTKIT has been installed which is a powerful tool to scan Linux
server for trojans

Step 1: Downloading and Installing it:

1. Login to your server via SSH as root.
cd /usr/local/src
2. Download latest CHKROOTKIT Version
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.md5
md5sum -c chkrootkit.md5
3. Extract files
tar -zxvf chkrootkit.tar.gz
4. Make directory
mkdir /usr/local/chkrootkit
mv /usr/local/src/chkrootkit*/* /usr/local/chkrootkit
cd /usr/local/chkrootkit
5. Install CHKROOTKIT
make sense

8. System Integrity Monitor has been installed which is a 24x7 Internal
Monitor that checks all services and restarts them if they are down.

System Integrity Monitor

Current Release:

http://www.rfxn.com/downloads/sim-current.tar.gz
http://www.rfxn.com/appdocs/README.sim
http://www.rfxn.com/appdocs/CHANGELOG.sim

9. host.conf hardening has been done, which protects against DNS lookup
poisoning and spoofing.

vi /etc/host.conf

order bind,hosts
nospoof on

10. FTP hardening has been done.

11. Find Listening Network Ports

Ref: http://www.cyberciti.biz/tips/linux-security.html

a. Use the following command to list all open ports and associated programs:

netstat -tulpn

OR

nmap -sT -O localhost
nmap -sT -O server.example.com

Use iptables to close open ports, or stop all unwanted network services
using the service and chkconfig commands shown in step 13.

12. Disable Unwanted SUID and SGID Binaries

# See all set-user-id files:
find / -perm -4000
# See all set-group-id files:
find / -perm -2000
# Or combine both in a single command:
find / \( -perm -4000 -o -perm -2000 \) -print
# Regular files only, staying on the root filesystem, with ls-style detail:
find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -ls

You need to investigate each reported file. See the man page of each
reported program for further details.
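
Investigating the list once is not enough; the useful follow-up is to keep the reviewed list as a baseline and diff later scans against it. The following added example (not from the original post) does that with a single awk pass; the two inventories are constructed placeholders, and scan_suid_sgid is the live-host scanner, which the sample run does not call:

```shell
#!/bin/sh
# Constructed inventories: the SUID/SGID list reviewed right after hardening
# (baseline) and a later scan. Paths are illustrative placeholders.
SUID_BASELINE='/bin/ping
/bin/su
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/wall'
SUID_CURRENT='/bin/ping
/bin/su
/usr/bin/passwd
/usr/bin/sudo
/usr/local/bin/helper'

# Live inventory on a real host (not exercised by the sample run below):
# set-uid or set-gid regular files on the root filesystem, sorted.
scan_suid_sgid() {
    find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Lines of list $2 that are absent from list $1. A "---" separator lets a
# single awk pass load the first list into a set and filter the second.
lines_not_in() {
    printf '%s\n---\n%s\n' "$1" "$2" |
        awk '$0 == "---"   { second = 1; next }
             !second       { seen[$0]; next }
             !($0 in seen) { print }' | sort
}

# Privileged binaries that appeared since the baseline: each needs the same
# review the step above asks for, because nobody has vetted it yet.
new_suid_files()     { lines_not_in "$1" "$2"; }

# Baseline entries no longer set-id (or gone): usually a package update,
# but worth confirming so the baseline stays honest.
removed_suid_files() { lines_not_in "$2" "$1"; }

echo "new since baseline:";  new_suid_files "$SUID_BASELINE" "$SUID_CURRENT"
echo "gone from baseline:";  removed_suid_files "$SUID_BASELINE" "$SUID_CURRENT"
```

On a live host, store `scan_suid_sgid` output once after review and later run `new_suid_files "$(cat baseline.txt)" "$(scan_suid_sgid)"`.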

13. Disable Unwanted Services

Disable all unnecessary services and daemons (services that run in the
background). You need to remove all unwanted services from the system
start-up. Type the following command to list all services which are
started at boot time in run level 3:

# chkconfig --list | grep '3:on'

To disable service, enter:

# service serviceName stop
# chkconfig serviceName off

14. Make Sure No Non-Root Accounts Have UID Set To 0

Only the root account should have UID 0, with full permissions to access the
system. Type the following command to display all accounts with UID set to 0:
# awk -F: '($3 == "0") {print}' /etc/passwd

You should only see one line as follows:

root:x:0:0:root:/root:/bin/bash
If you see other lines, delete them or make sure other accounts are
authorized by you to use UID 0.

15. How Do I Verify No Accounts Have Empty Passwords?

Type the following command:
# awk -F: '($2 == "") {print}' /etc/shadow

Lock all empty password accounts:
# passwd -l accountName

16. LMD has been installed which is a malware detection tool.

Ref: http://www.rfxn.com/
Download: http://www.rfxn.com/downloads/maldetect-current.tar.gz

17. SSH has been secured and restricted the access.

hosts.allow

vi /etc/hosts.allow

sshd:122.165.59.183
sshd:122.183.241.126
sshd:58.68.29.210

hosts.deny

vi /etc/hosts.deny

sshd:ALL

18. Files With No Owner

Files not owned by any user or group can pose a security problem. Find
them with the following command, which reports files that do not belong to
a valid user or a valid group:
find /dir -xdev \( -nouser -o -nogroup \) -print

You need to investigate each reported file and either assign it to an
appropriate user and group or remove it.
