I am a total newbie and have probably done a silly thing. A couple of weeks ago I got my new dedicated server - planning to learn as I go. However I timed out before doing all the things I should have done - then went on holiday.

So, I would much appreciate it if someone could show me step by step how to make my server as secure as possible while I gradually learn about it and install a firewall, etc.

In particular I think I need to shutdown all external services (except ssh) just to make it secure for the time being, how do I do this?

Also, is there some way I can check that my machine has not been compromised whilst I left it in its insecure state?

It has Red Hat 9 and Plesk 6.

Thanks for your help, Jack.

Here is a tutorial on hardening a linux computer. It is probably not the best, it has poor grammar, but it does take you from the ground up.
>> http://linux.box.sk/newsread.php?newsid=775 <<

You may want to check out a book entitled "Linux System Administration" published by New Riders. I found a copy at my local library

And for the last question; look through the logs!

First, I might recommend using ntsysv. This utility can be run from the command line. Uncheck or 'unstar' the services you do not want to run. Definitely turn off sendmail and telnet. Telnet may be called telnetd. Ntsysv is located in:

/usr/sbin/ntsysv

You need to be root to run it.

Also, you can use lokkit to help set up a decent firewall until you feel ready to tackle iptables. Lokkit is in /usr/sbin/lokkit and you need to be root to run it. For very basic services like ssh and telnet, you can just check or uncheck the boxes. You can add other ports on the text line below the checkboxes in the format of port:service. For example to allow Samba, you need to let the following ports through:

137:udp
138:udp
139:tcp

You would put these on the 'other ports' line in lokkit with a space between each. Strangely enough, when installing RH9, you can also set up these 'extra ports' during one of the setup screeens in the same mannor but must separate each value with a comma.

You will want to make sure the internet server configuration does not start up programs by checking the configuration file of each service in "/etc/xinetd.d" . The internet server listens for connections on the ports of these services in this file. To disable an individual service, you can open the file in pico or nano or vi and add or edit the "disable = " line to say "disable = yes".

For example here is a copy of my /etc/xinetd.d/rshd file. I want it turned off for good. I added the line disable = yes as the first configuration line inside the brackets.

# default: on
# description: The rshd server is the server for the rcmd(3) routine and, \
# consequently, for the rsh(1) program. The server provides \
# remote execution facilities with authentication based on \
# privileged port numbers from trusted hosts.
service shell
{
disable = yes
socket_type = stream
wait = no
user = root
log_on_success += USERID
log_on_failure += USERID
server = /usr/sbin/in.rshd
}


Use ntsysv to kill:

telnet (for sure!)
rlogin
finger
ntalk
rexec
rsh
rhnsd (maybe - check with someone else to conform this)
rtalk
rstald
rwhod
talk
tftp
ypbind
wu-ftpd

Use an editor to change those /etc/xinetd.d configurations then
you can restart the xinetd with:

/etc/rc.d/init.d/xinetd restart

This is only a small start. I reccomend 'Maximum Linux Security' as a readable primer for newbies (like me).

Thanks guys, this has helped.

JD - I have killed telnet, but none of the other services in your list appear to be present when I do chkconfig --list - though there are many other ones - how would I go about working out which ones I need and at what level?

Also, when I ran lokkit it appeared to be already set at high - so I assume I am reasonably safe for the time being while I gradually work out what I need to run my site.

I've got RedHat 9, and I assume my provider (Rackshack) has defaulted to a reasonably safe default installation (or am I now being unduly optimistic?).

Is there a checklist of logs I should check now and periodically to ensure my machine is not compromised?

Thanks, Jack.

>>>>how would I go about working out which ones I need and at what level?

unfortunately, you have to go to the web and research (Google) what each service does and make that determination yourself. In general, the services in /etc/xinetd.d that start with the letter 'r' are used to provide 'r'emote services but not all. For example:

I pulled this off Google about rhnsd:

rhnsd is a daemon process that runs in the background and periodically polls the Red Hat Network to see if there are any queued actions available. If any are queued, it runs them.

Based on this, you may want to run this to keep your OS up to date, but I dont think you need it because I think you can run Up2Date from the main console to do the same thing. So you must research each daemon/service.

>>>>Also, when I ran lokkit it appeared to be already set at high - so I assume I am reasonably safe for the time being while I gradually work out what I need to run my site.

Here is the official explanation of the settings (Google again):

High Security — This option disables almost all network connects except DNS replies and DHCP so that network interfaces can be activated. IRC, ICQ, and other instant messaging services as well as RealAudioTM will not work without a proxy.

Low Security — This option will not allow remote connections to the system, including NFS connections and remote X Window System sessions. Services that run below port 1023 will not accept connections, including FTP, SSH, Telnet, and HTTP.

Disable Firewall — This option does not create any security rules. It is recommended that this option only be chosen if the system is on a trusted network (not on the Internet), if the system is behind a larger firewall, or if you write your own custom firewall rules. If you choose this option and click Next, proceed to the Section called Activating the iptables Service. The security of your system will not be changed.

As you can see, high prevents ssh from running. Click high in lokkit, then go to customize, and reallow ssh port (22:tcp).

>>>>I've got RedHat 9, and I assume my provider (Rackshack) has defaulted to a reasonably safe default installation (or am I now being unduly optimistic?).

If your not in charge, assume the worst

>>>>Is there a checklist of logs I should check now and periodically to ensure my machine is not compromised?

Yes. But I do not know what they are. I would love to have a complete list of logs, what they mean, what to look for, etc. I asked for this in a previous post, but recieved the less than 'thourough' answers you get sometimes.

Could someone point us to this? There must be a website somewhere?

Ok, thanks again - I think I'm on the right path now - I have used lokkit on high just to keep me safe for the time being while I work out how to get a bit more sphisticated.

As a matter of interest, after looking at other posts I realise that a number of people have had problems with lokkit in the same way that I have (I am talking about the non-GUI version). Every time you go into it it displays 'high', and you assume this is what your settings are, whereas I don't think it is showing you what your current settings are at all - the display just defaults to this. If you then OK rather than cancel you will change your setting to high (with no 'customisation'). The result for me was that this then locked me out of the machine.

I have seen some posts where obviously experienced people have said that it is broken - I doubt it is broken, this is just the way it works. When you know this it works fine. I have set mine to high for the time being and 'customised' SSH and HTTP to work, which suits me until I get a firewall properly sorted.

Hope this may help others (but if I've got it wrong someone please let me know).

Jack.

By the way, I am thinking of going for APF firewall - any views?

This might help. Lokkit is a tool used to write the iptables files for you. When you start up lokkit, you are preparing to write a new file, you are not viewing the contents of the current iptables file. The current file is just sitting at:

/etc/sysconfig/iptables

When you are done setting up lokkit (ie. putting in the ports you want to 'pinhole', checking off the default offerings,etc), and click the final 'OK', then and only then does lokkit "rewrite" the

/etc/sysconfig/iptables

file overtop the old file. I think you are comparing it to a "real-time" utility that would list the current setup while you are making changes, but that is not how it works. lokkit is basically a script generator.

Iptables is a well accepted (must be, it comes with the kernal) and popular firewall that is a nice supplement to your hardware firewall (ie. Linksys Router, 3COM appliance, whatever). Iptables are well documented and "relatively" easy to configure. For these reasons I would learn as much as you can about it before moving on to another firewall system. Ofcourse if you have sensitive or mission critical information on this computer, I have no opinion whatsoever. In my case, my computer is just a toy/distraction/learning experience, and if I were hacked, the information on the computer would not be damaging. By the way, the last time my Linux box got hit, it was through the windows boxes on the network! Apparently even having a windows box is dangerous [lol].

jack101

I found some information on logs in 'Maximum Linux Security' Second Edition. Good book.

Anyway Chapter 21 talks about log files. Looks like a very brief summary of the files you may want to look at/learn about are:

lastlog - a command line utility for reporting the last loggin of each account

last- another command line utility, more thorough

xferlog - for ftp

access_log - httpd logons

error_log - httpd errors and login failures

/var/log/samba - samba login, set up level in smb.conf, contains:

log.nmb - netbios name server log
log.smb - samba stuff
log.[hostname] - individual connections to samba

/var/log/messages - from syslogd and klogd (system logs and kernal logs)