[howto] harden your *nix server


Recommended Posts

kyro

I give u some tips to harden/secure/disable services for your linux servers.( i found this on some free webhosters site).

this steps will not make your server hack-proof/fort knox ( for that info u gotta pay me.... but here is a tip for making it fort knox... "selinux" :p ).... the following steps just make your server protected from THE RUN OF MILL hacks and your server wont be a "sitting duck" for a avg. hacker.

Mask Apache Server Information

Server headers and directory defaults usually show Apache server information. This information can be used by hackers to learn about vulnerabilities on your server if the system is not updated. You can mask server information as follows:

1. Log into server as root.

2. Open /etc/httpd/conf/httpd.conf with an editor.

3. Change the line ServerSignature on to

ServerSignature Off

4. Find the line "HostnameLookups off"

After that line, add "ServerTokens Prod"

5. Save and exit.

6. Restart Apache with /etc/rc.d/init.d/httpd restart

Install System Integrity Monitor

System Integrity Monitor (SIM) monitors system services and provides a clean and information representation of system status. It is an essential tool for server admins to monitor servers. SIM has several modules that can be installed to help admin with common system processes. SIM will verify that system and services are online, check load averages, and maintain log files.

1. Login to server and su to root.

2. go to /usr/local 3. Get source file wget http://www.r-fx.org/downloads/sim-current.tar.gz

4. Untar file with tar -xzvf sim-current.tar.gz

5. cd sim-2.5-3 (or latest version of SIM)

6. Type ./setup -i

7. Enter and spacebar to continue.

8. Finally, get to auto-configuration script for SIM. Select options you want to install.

Security: Use SSH protocol 2

The old SSH Protocol 1 has several security leaks and faces many automated "root kits". Protocol 2 is an improvement to plug the holes. All servers with SSH 1 should use SSH 2.

1. Open /etc/ssh/sshd_config with an editor.

2. Find the line "#Protocol 2, 1".

3. Uncomment (remove #).

4. Save and exit.

5. Restart SSH with /etc/rc.d/init.d/sshd restart

: Disable direct root login

Root user is the most important account on a server. The root user has access to any file/program/application running on a server. By default, terminal services would allow the root user to login. This is a major threat to security as hackers can try to guess at the root password to gain access.

Disabling direct root login will create an extra user account before changing to root user. This will force a hacker to have try and guess 2 seperate passwords to become root user.

cPanel users/servers must add the user to 'wheel' group so that the user is allowed to su to root. Failure to do so would cause a lock out of the root account.

* A user with SSH access must already be created.

1. SSH into server as user and gain root access by 'su -'

2. Open /etc/ssh/sshd_config with an editor.

3. Find line PermitRootLogin yes

4. Uncomment it. Put no so thatPermitRootLogin no

5. Save the file and exit.

6. Restart SSH with "/etc/rc.d/init.d/sshd restart"

Security: Disabling Telnet

Telnet is a threat to server security. The protocol communicates on port 23 for both incoming and outgoing messages. Passwords and usernames are sent as clear text during logins, giving hackers the chance to tap the traffic between client and server and then gaining access. Telnet should always be disabled on web servers and replaced with a more secure platform like SSH.

To disable telnet on your server, follow these steps:

1. Login as root.

2. Open the file /etc/xinetd.d/telnet with your editor (pico/vi).

3. Find the line "disable = no" ,

replace with "disable = yes".

4. Restart the inetd service with command /etc/rc.d/init.d/xinetd restart

5. Do a quick scan to make sure port 23 telnet is closed.

nmap -sT -O localhost

warning :- DO this when u u.stand wht this means... do not blame me if ur dog eats ur cow or ur server crashes and burns.

Link to post
Share on other sites
jkrupa128

Are there alot of Linux servers on the net?

Link to post
Share on other sites
The_Decryptor

Yeah, there are lot of Linux/*nix servers on the net.

Also, good guide, thanks for posting.

Link to post
Share on other sites
Joseph Zollo

Excellent guide, I am going to apply them right now!

Link to post
Share on other sites
kyro

what?... no i am not a paranoid sys admin :hmmm: :rolleyes: :ninja: :shifty: :whistle:

Link to post
Share on other sites
dotRoot
Are there alot of Linux servers on the net?

585296885[/snapback]

Most webservers are linux or BSD

what?... no i am not a paranoid sys admin  :hmmm:  :rolleyes:  :ninja:  :shifty:  :whistle:

585296920[/snapback]

You should be.

looki looki .... http://news.netcraft.com/archives/web_server_survey.html

585296931[/snapback]

That includes Apache for windows.

Link to post
Share on other sites
kyro
You should be.

585297184[/snapback]

well ......... actually i am the most paranoid admin around .. :ninja: ... i

Link to post
Share on other sites
dotRoot
well  ......... actually i am the most paranoid admin around ..  :ninja:  ... i

585297196[/snapback]

Hehe yeah, I noticed.

Link to post
Share on other sites
markjensen

Moved to HOWTO & FAQ section. :p

Link to post
Share on other sites
kyro
Moved to HOWTO & FAQ section. :p

585297676[/snapback]

:pinch: thanx for moving it . . :)

Link to post
Share on other sites
  • 1 month later...
crazihouse

Excellent guide! Works great on Debian!

Link to post
Share on other sites
  • 3 weeks later...
kyro

glad to see everyone liked this.

Link to post
Share on other sites
  • 1 month later...
cooldude7273

Hate to bump an old topic, but I just really wanted to say thanks for the guide!

Link to post
Share on other sites
  • 2 months later...
phoe*nix

heh, the second graph on that netcraft site is interesting. notice how, about 3/5 of the way along the graph, the apache and microsoft graphs do the almost exact opposite of each other. The bit where the apache and microsoft graphs go pointy.

just thought that was interesting... :happy:

Thanks for the thread, i will return when i get round to building my linux server... :)

Edited by phoe*nix
Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    No registered users viewing this page.