kyro Posted January 15, 2005

I give u some tips to harden/secure/disable services for your linux servers. (i found this on some free webhosters site). these steps will not make your server hack-proof/fort knox ( for that info u gotta pay me.... but here is a tip for making it fort knox... "selinux" :p ).... the following steps just make your server protected from THE RUN OF MILL hacks and your server won't be a "sitting duck" for an avg. hacker.

Mask Apache Server Information

Server headers and directory defaults usually show Apache server information. This information can be used by hackers to learn about vulnerabilities on your server if the system is not updated. You can mask server information as follows:

1. Log into server as root.
2. Open /etc/httpd/conf/httpd.conf with an editor.
3. Change the line "ServerSignature on" to "ServerSignature Off"
4. Find the line "HostnameLookups off". After that line, add "ServerTokens Prod"
5. Save and exit.
6. Restart Apache with /etc/rc.d/init.d/httpd restart

Install System Integrity Monitor

System Integrity Monitor (SIM) monitors system services and provides a clean and informative representation of system status. It is an essential tool for server admins to monitor servers. SIM has several modules that can be installed to help admins with common system processes. SIM will verify that system and services are online, check load averages, and maintain log files.

1. Login to server and su to root.
2. Go to /usr/local
3. Get source file: wget http://www.r-fx.org/downloads/sim-current.tar.gz
4. Untar file with tar -xzvf sim-current.tar.gz
5. cd sim-2.5-3 (or latest version of SIM)
6. Type ./setup -i
7. Enter and spacebar to continue.
8. Finally, get to auto-configuration script for SIM. Select options you want to install.

Security: Use SSH protocol 2

The old SSH Protocol 1 has several security leaks and faces many automated "root kits". Protocol 2 is an improvement to plug the holes. All servers with SSH 1 should use SSH 2.

1. Open /etc/ssh/sshd_config with an editor.
2. Find the line "#Protocol 2, 1".
3. Uncomment (remove #).
4. Save and exit.
5. Restart SSH with /etc/rc.d/init.d/sshd restart

Disable direct root login

Root user is the most important account on a server. The root user has access to any file/program/application running on a server. By default, terminal services would allow the root user to login. This is a major threat to security as hackers can try to guess at the root password to gain access. Disabling direct root login will create an extra user account before changing to root user. This will force a hacker to have to try and guess 2 separate passwords to become root user. cPanel users/servers must add the user to 'wheel' group so that the user is allowed to su to root. Failure to do so would cause a lock out of the root account.

* A user with SSH access must already be created.

1. SSH into server as user and gain root access by 'su -'
2. Open /etc/ssh/sshd_config with an editor.
3. Find line PermitRootLogin yes
4. Uncomment it. Put no so that PermitRootLogin no
5. Save the file and exit.
6. Restart SSH with "/etc/rc.d/init.d/sshd restart"

Security: Disabling Telnet

Telnet is a threat to server security. The protocol communicates on port 23 for both incoming and outgoing messages. Passwords and usernames are sent as clear text during logins, giving hackers the chance to tap the traffic between client and server and then gain access. Telnet should always be disabled on web servers and replaced with a more secure platform like SSH. To disable telnet on your server, follow these steps:

1. Login as root.
2. Open the file /etc/xinetd.d/telnet with your editor (pico/vi).
3. Find the line "disable = no", replace with "disable = yes".
4. Restart the inetd service with command /etc/rc.d/init.d/xinetd restart
5. Do a quick scan to make sure port 23 telnet is closed.

nmap -sT -O localhost

warning :- DO this when u u.stand wht this means... do not blame me if ur dog eats ur cow or ur server crashes and burns.
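An audit of the settings changed in the guide above, as an added example that is not part of the original post. The function names and the constructed sample files are assumptions; the check expects Protocol to be exactly 2, because a value of 2,1 still leaves protocol 1 enabled in sshd.

```shell
#!/bin/sh
# directive_value FILE NAME MODE: print the active (uncommented) value of a
# directive, lower-cased with spaces removed. MODE is "first" (sshd keeps the
# first value it reads) or "last" (simplification: a later Apache line wins).
directive_value() {
    awk -v name="$2" -v mode="$3" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line == "" || line ~ /^#/ { next }
        { key = line; sub(/[ \t=].*$/, "", key) }
        tolower(key) == tolower(name) {
            val = line; sub(/^[^ \t=]+[ \t=]*/, "", val); gsub(/[ \t]/, "", val)
            if (mode == "first") { print tolower(val); done = 1; exit }
            last = tolower(val)
        }
        END { if (!done && last != "") print last }' "$1"
}

# check LABEL ACTUAL EXPECTED: report one setting, return 1 on mismatch.
check() {
    if [ "$2" = "$3" ]; then echo "PASS $1 = $2"; return 0; fi
    echo "FAIL $1 = ${2:-<unset>} (expected $3)"; return 1
}

# audit HTTPD_CONF SSHD_CONFIG XINETD_TELNET: return the number of findings.
audit() {
    n=0
    check ServerSignature "$(directive_value "$1" ServerSignature last)" off || n=$((n + 1))
    check ServerTokens "$(directive_value "$1" ServerTokens last)" prod || n=$((n + 1))
    check Protocol "$(directive_value "$2" Protocol first)" 2 || n=$((n + 1))
    check PermitRootLogin "$(directive_value "$2" PermitRootLogin first)" no || n=$((n + 1))
    check "telnet disable" "$(directive_value "$3" disable last)" yes || n=$((n + 1))
    return "$n"
}

# demo: run the audit over constructed sample files (not from a real server).
demo() {
    d=$(mktemp -d) || return 99
    printf 'HostnameLookups off\nServerTokens Prod\nServerSignature Off\n' > "$d/httpd.conf"
    printf '#Port 22\nProtocol 2, 1\nPermitRootLogin no\n' > "$d/sshd_config"
    printf 'service telnet\n{\n\tdisable = yes\n}\n' > "$d/telnet"
    audit "$d/httpd.conf" "$d/sshd_config" "$d/telnet"; rc=$?
    rm -rf "$d"
    return "$rc"
}

# With three paths audit those files, otherwise run the constructed demo.
if [ "$#" -eq 3 ]; then audit "$@"; else demo || echo "findings: $?"; fi
```

Run it with the three config paths from the guide as arguments to audit a real host; the exit status is the number of settings that differ.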
jkrupa128 Posted January 15, 2005

Are there a lot of Linux servers on the net?
The_Decryptor (Veteran) Posted January 15, 2005

Yeah, there are a lot of Linux/*nix servers on the net. Also, good guide, thanks for posting.
Joseph Zollo Posted January 15, 2005

Excellent guide, I am going to apply them right now!
kyro Posted January 15, 2005

what?... no i am not a paranoid sys admin :hmmm: :rolleyes: :ninja: :shifty: :whistle:
kyro Posted January 15, 2005

> Are there a lot of Linux servers on the net?

looki looki .... http://news.netcraft.com/archives/web_server_survey.html
dotRoot Posted January 15, 2005

> Are there a lot of Linux servers on the net?

Most webservers are linux or BSD

> what?... no i am not a paranoid sys admin :hmmm: :rolleyes: :ninja: :shifty: :whistle:

You should be.

> looki looki .... http://news.netcraft.com/archives/web_server_survey.html

That includes Apache for windows.
kyro Posted January 15, 2005

> You should be.

well ......... actually i am the most paranoid admin around .. :ninja: ... i
dotRoot Posted January 15, 2005

> well ......... actually i am the most paranoid admin around .. :ninja: ... i

Hehe yeah, I noticed.
markwolfe (Veteran) Posted January 15, 2005

Moved to HOWTO & FAQ section. :p
kyro Posted January 15, 2005

> Moved to HOWTO & FAQ section. :p

:pinch: thanx for moving it . . :)
crazihouse Posted March 8, 2005

Excellent guide! Works great on Debian!
kyro Posted March 24, 2005

glad to see everyone liked this.
cooldude7273 Posted May 23, 2005

Hate to bump an old topic, but I just really wanted to say thanks for the guide!
phoe*nix Posted August 12, 2005

heh, the second graph on that netcraft site is interesting. notice how, about 3/5 of the way along the graph, the apache and microsoft graphs do the almost exact opposite of each other. The bit where the apache and microsoft graphs go pointy. just thought that was interesting... :happy: Thanks for the thread, i will return when i get round to building my linux server... :)

Edited August 12, 2005 by phoe*nix