• Sign in to Neowin Faster!

    Create an account on Neowin to contribute and support the site.

Sign in to follow this  

[howto] harden your *nix server

Recommended Posts

kyro    2

I give u some tips to harden/secure/disable services for your linux servers.( i found this on some free webhosters site).

this steps will not make your server hack-proof/fort knox ( for that info u gotta pay me.... but here is a tip for making it fort knox... "selinux" :p ).... the following steps just make your server protected from THE RUN OF MILL hacks and your server wont be a "sitting duck" for a avg. hacker.

Mask Apache Server Information

Server headers and directory defaults usually show Apache server information. This information can be used by hackers to learn about vulnerabilities on your server if the system is not updated. You can mask server information as follows:

1. Log into server as root.

2. Open /etc/httpd/conf/httpd.conf with an editor.

3. Change the line ServerSignature on to

ServerSignature Off

4. Find the line "HostnameLookups off"

After that line, add "ServerTokens Prod"

5. Save and exit.

6. Restart Apache with /etc/rc.d/init.d/httpd restart

Install System Integrity Monitor

System Integrity Monitor (SIM) monitors system services and provides a clean and information representation of system status. It is an essential tool for server admins to monitor servers. SIM has several modules that can be installed to help admin with common system processes. SIM will verify that system and services are online, check load averages, and maintain log files.

1. Login to server and su to root.

2. go to /usr/local 3. Get source file wget http://www.r-fx.org/downloads/sim-current.tar.gz

4. Untar file with tar -xzvf sim-current.tar.gz

5. cd sim-2.5-3 (or latest version of SIM)

6. Type ./setup -i

7. Enter and spacebar to continue.

8. Finally, get to auto-configuration script for SIM. Select options you want to install.

Security: Use SSH protocol 2

The old SSH Protocol 1 has several security leaks and faces many automated "root kits". Protocol 2 is an improvement to plug the holes. All servers with SSH 1 should use SSH 2.

1. Open /etc/ssh/sshd_config with an editor.

2. Find the line "#Protocol 2, 1".

3. Uncomment (remove #).

4. Save and exit.

5. Restart SSH with /etc/rc.d/init.d/sshd restart

: Disable direct root login

Root user is the most important account on a server. The root user has access to any file/program/application running on a server. By default, terminal services would allow the root user to login. This is a major threat to security as hackers can try to guess at the root password to gain access.

Disabling direct root login will create an extra user account before changing to root user. This will force a hacker to have try and guess 2 seperate passwords to become root user.

cPanel users/servers must add the user to 'wheel' group so that the user is allowed to su to root. Failure to do so would cause a lock out of the root account.

* A user with SSH access must already be created.

1. SSH into server as user and gain root access by 'su -'

2. Open /etc/ssh/sshd_config with an editor.

3. Find line PermitRootLogin yes

4. Uncomment it. Put no so thatPermitRootLogin no

5. Save the file and exit.

6. Restart SSH with "/etc/rc.d/init.d/sshd restart"

Security: Disabling Telnet

Telnet is a threat to server security. The protocol communicates on port 23 for both incoming and outgoing messages. Passwords and usernames are sent as clear text during logins, giving hackers the chance to tap the traffic between client and server and then gaining access. Telnet should always be disabled on web servers and replaced with a more secure platform like SSH.

To disable telnet on your server, follow these steps:

1. Login as root.

2. Open the file /etc/xinetd.d/telnet with your editor (pico/vi).

3. Find the line "disable = no" ,

replace with "disable = yes".

4. Restart the inetd service with command /etc/rc.d/init.d/xinetd restart

5. Do a quick scan to make sure port 23 telnet is closed.

nmap -sT -O localhost

warning :- DO this when u u.stand wht this means... do not blame me if ur dog eats ur cow or ur server crashes and burns.

Share this post


Link to post
Share on other sites
jkrupa128    3

Are there alot of Linux servers on the net?

Share this post


Link to post
Share on other sites
The_Decryptor    1,105

Yeah, there are lot of Linux/*nix servers on the net.

Also, good guide, thanks for posting.

Share this post


Link to post
Share on other sites
Joseph Zollo    6

Excellent guide, I am going to apply them right now!

Share this post


Link to post
Share on other sites
kyro    2

what?... no i am not a paranoid sys admin :hmmm: :rolleyes: :ninja: :shifty: :whistle:

Share this post


Link to post
Share on other sites
dotRoot    1
Are there alot of Linux servers on the net?

585296885[/snapback]

Most webservers are linux or BSD

what?... no i am not a paranoid sys admin  :hmmm:  :rolleyes:  :ninja:  :shifty:  :whistle:

585296920[/snapback]

You should be.

looki looki .... http://news.netcraft.com/archives/web_server_survey.html

585296931[/snapback]

That includes Apache for windows.

Share this post


Link to post
Share on other sites
kyro    2
You should be.

585297184[/snapback]

well ......... actually i am the most paranoid admin around .. :ninja: ... i

Share this post


Link to post
Share on other sites
dotRoot    1
well  ......... actually i am the most paranoid admin around ..  :ninja:  ... i

585297196[/snapback]

Hehe yeah, I noticed.

Share this post


Link to post
Share on other sites
markjensen    98

Moved to HOWTO & FAQ section. :p

Share this post


Link to post
Share on other sites
kyro    2
Moved to HOWTO & FAQ section. :p

585297676[/snapback]

:pinch: thanx for moving it . . :)

Share this post


Link to post
Share on other sites
crazihouse    0

Excellent guide! Works great on Debian!

Share this post


Link to post
Share on other sites
kyro    2

glad to see everyone liked this.

Share this post


Link to post
Share on other sites
cooldude7273    0

Hate to bump an old topic, but I just really wanted to say thanks for the guide!

Share this post


Link to post
Share on other sites
phoe*nix    0

heh, the second graph on that netcraft site is interesting. notice how, about 3/5 of the way along the graph, the apache and microsoft graphs do the almost exact opposite of each other. The bit where the apache and microsoft graphs go pointy.

just thought that was interesting... :happy:

Thanks for the thread, i will return when i get round to building my linux server... :)

Edited by phoe*nix

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

  • Recently Browsing   0 members

    No registered users viewing this page.