[howto] harden your *nix server

[kyro]

I give u some tips to harden/secure/disable services for your linux servers.( i found this on some free webhosters site).

this steps will not make your server hack-proof/fort knox ( for that info u gotta pay me.... but here is a tip for making it fort knox... "selinux" :p ).... the following steps just make your server protected from THE RUN OF MILL hacks and your server wont be a "sitting duck" for a avg. hacker.

Mask Apache Server Information

Server headers and directory defaults usually show Apache server information. This information can be used by hackers to learn about vulnerabilities on your server if the system is not updated. You can mask server information as follows:

1. Log into server as root.

2. Open /etc/httpd/conf/httpd.conf with an editor.

3. Change the line ServerSignature on to

ServerSignature Off

4. Find the line "HostnameLookups off"

After that line, add "ServerTokens Prod"

5. Save and exit.

6. Restart Apache with /etc/rc.d/init.d/httpd restart

Install System Integrity Monitor

System Integrity Monitor (SIM) monitors system services and provides a clean and information representation of system status. It is an essential tool for server admins to monitor servers. SIM has several modules that can be installed to help admin with common system processes. SIM will verify that system and services are online, check load averages, and maintain log files.

1. Login to server and su to root.

2. go to /usr/local 3. Get source file wget http://www.r-fx.org/downloads/sim-current.tar.gz

4. Untar file with tar -xzvf sim-current.tar.gz

5. cd sim-2.5-3 (or latest version of SIM)

6. Type ./setup -i

7. Enter and spacebar to continue.

8. Finally, get to auto-configuration script for SIM. Select options you want to install.

Security: Use SSH protocol 2

The old SSH Protocol 1 has several security leaks and faces many automated "root kits". Protocol 2 is an improvement to plug the holes. All servers with SSH 1 should use SSH 2.

1. Open /etc/ssh/sshd_config with an editor.

2. Find the line "#Protocol 2, 1".

3. Uncomment (remove #).

4. Save and exit.

5. Restart SSH with /etc/rc.d/init.d/sshd restart

: Disable direct root login

Root user is the most important account on a server. The root user has access to any file/program/application running on a server. By default, terminal services would allow the root user to login. This is a major threat to security as hackers can try to guess at the root password to gain access.

Disabling direct root login will create an extra user account before changing to root user. This will force a hacker to have try and guess 2 seperate passwords to become root user.

cPanel users/servers must add the user to 'wheel' group so that the user is allowed to su to root. Failure to do so would cause a lock out of the root account.

* A user with SSH access must already be created.

1. SSH into server as user and gain root access by 'su -'

2. Open /etc/ssh/sshd_config with an editor.

3. Find line PermitRootLogin yes

4. Uncomment it. Put no so thatPermitRootLogin no

5. Save the file and exit.

6. Restart SSH with "/etc/rc.d/init.d/sshd restart"

Security: Disabling Telnet

Telnet is a threat to server security. The protocol communicates on port 23 for both incoming and outgoing messages. Passwords and usernames are sent as clear text during logins, giving hackers the chance to tap the traffic between client and server and then gaining access. Telnet should always be disabled on web servers and replaced with a more secure platform like SSH.

To disable telnet on your server, follow these steps:

1. Login as root.

2. Open the file /etc/xinetd.d/telnet with your editor (pico/vi).

3. Find the line "disable = no" ,

replace with "disable = yes".

4. Restart the inetd service with command /etc/rc.d/init.d/xinetd restart

5. Do a quick scan to make sure port 23 telnet is closed.

nmap -sT -O localhost

warning :- DO this when u u.stand wht this means... do not blame me if ur dog eats ur cow or ur server crashes and burns.

[jkrupa128]

Are there alot of Linux servers on the net?

[The_Decryptor Veteran]

Yeah, there are lot of Linux/*nix servers on the net.

Also, good guide, thanks for posting.

[Joseph Zollo]

Excellent guide, I am going to apply them right now!

[kyro]

what?... no i am not a paranoid sys admin :hmmm: :rolleyes: :ninja: :shifty: :whistle:

[kyro]

Are there alot of Linux servers on the net?

585296885[/snapback]

looki looki .... http://news.netcraft.com/archives/web_server_survey.html

[dotRoot]

Are there alot of Linux servers on the net?

585296885[/snapback]

Most webservers are linux or BSD

what?... no i am not a paranoid sys admin  :hmmm:  :rolleyes:  :ninja:  :shifty:  :whistle:

585296920[/snapback]

You should be.

looki looki .... http://news.netcraft.com/archives/web_server_survey.html

585296931[/snapback]

That includes Apache for windows.

[kyro]

You should be.

585297184[/snapback]

well ......... actually i am the most paranoid admin around .. :ninja: ... i

[dotRoot]

well  ......... actually i am the most paranoid admin around ..  :ninja:  ... i

585297196[/snapback]

Hehe yeah, I noticed.

[markwolfe Veteran]

Moved to HOWTO & FAQ section. :p

[kyro]

Moved to HOWTO & FAQ section. :p

585297676[/snapback]

:pinch: thanx for moving it . . :)

[crazihouse]

Excellent guide! Works great on Debian!

[kyro]

glad to see everyone liked this.

[cooldude7273]

Hate to bump an old topic, but I just really wanted to say thanks for the guide!

[phoe*nix]

heh, the second graph on that netcraft site is interesting. notice how, about 3/5 of the way along the graph, the apache and microsoft graphs do the almost exact opposite of each other. The bit where the apache and microsoft graphs go pointy.

just thought that was interesting... :happy:

Thanks for the thread, i will return when i get round to building my linux server... :)

Edited August 12, 2005 by phoe*nix