LinuxQuestions.org > Linux - Security
Want to secure your linux box..then read this? (https://www.linuxquestions.org/questions/linux-security-4/want-to-secure-your-linux-box-then-read-this-157775/)

blessen 03-14-2004 10:26 PM

Want to secure your linux box..then read this
 
Please keep these steps in mind while working on security

1) Create a security policy (a security policy is created from business requirements and risk analysis). This is the first step one should follow while working on security.

2) Based on the security policy, create a checklist

The checklist is created according to the security policy
================ check list ================================
Check List
#######################
Software vulnerabilities
Kernel upgrades and vulnerabilities
Check for any Trojans
Run chkrootkit
Check ports
Check for any hidden processes
Use audit tools to check the system
Check logs
Check binaries
Check binaries and RPMs
Check the email relays
Check the cron entries
Check /dev, /tmp and /var files and folders
Check whether backup is maintained
Check for unwanted users, groups etc. in the system
Check and disable unwanted services
Locate malicious scripts
Querylog in DNS
Check whether backup is maintained
Check for suid scripts and nouser scripts
Check valid scripts in /tmp
Use intrusion detection tools
Check the system performance
Check memory performance (conduct memtest)

Note: Please feel free to add the steps which I have missed
================end ===========================

3) With this checklist, conduct a security audit

The format of the security audit will be like this
===================== Format ==========================================
Issues or software # Current version (version used on the server) # Stable version # Notes:
===============================================================

In this step we will not do any upgrades or security related work on the box, just find the vulnerabilities.
Find the current versions of the software and check whether they have any vulnerabilities. If so, note them down and add them to the notes section of the audit report.


Use tools like Nessus, Nikto (audit tool for web servers), chkrootkit, dsa (DNS security audit tool) and memtest to find the vulnerabilities.

Note: The section below is called the security implementation stage.

4) According to this audit report, we should first correct all software vulnerabilities (we can use software patches, which eliminate the bugs in the software).

(a) Upgrade the kernel if it is old and vulnerable. While compiling, remove all unwanted options and reduce the size of the kernel.

(b) Upgrade Apache and its related software if it is vulnerable.

(c) Upgrade php, mysql, proftpd, pure-ftpd and named if they are vulnerable.

(d) Upgrade mod_ssl, openssh, openssl etc. (can be done manually or through up2date).

(e) If the control panel has any bugs, the software vendors should be contacted and informed about the bug, so that they will provide a fast fix for it.

5) Now the proper security work comes.
Security is divided into two sections, host security and network security, and each of these sections has 3 parts in common:

(a) Protection

(b) Detection

(c) Recovery

5.1) Host Security
==================
(a) Please protect your system with a password

(b) Check file systems (set correct permissions and ownership on files)
eg: chmod -R 700 /etc/rc.d/init.d/*
eg: Use rpm -Va to find out whether an rpm's files have been modified

(c) Apply security patches to vulnerable software (eg: patch -p1 < patchfile)

(d) Remove all unwanted ttys and console logins by removing the entries from /etc/securetty

(e) Check system logs (eg: /var/log/messages, /var/log/secure etc.)

(f) Set a password for the boot loader (lilo and grub support it)

(g) Monitor the system (nagios or Big Brother)

5.2) Network Security
=====================
(1) Remove all unwanted users and groups

(2) Use the script below to mail the sysadmin when another user with uid 0 is created
=========================================
The script below will mail the user when another user with uid 0 is added
-------------------------script----------------------------------
#!/bin/sh
#
# Mail the admin when any account other than root has uid 0.
# /etc/passwd is world-readable, so this does not need to run as root
# (a setuid shell script would be a risk in itself); run it from cron.

for id in `awk -F: '$3 == 0 && $1 != "root" { print $1 }' /etc/passwd`
do
    echo "ALERT Login ID ${id} has uid 0 !! `date "+Detected On Date :%D Time :%r"`" \
        | mail -s "ALERT: User ${id} has UID 0" blessen@blessen.com
done
-----------------------------------------------------------------
========================================================

(3) Only allow passwords with 16 characters (can be done by making changes in login.defs)

(4) Disable unwanted services, use tcp wrappers (unwanted services can be disabled through xinetd.d or xinetd.conf).

(5) Set a timeout, so that idle users will be logged out after a certain amount of time

(6) Disable all console program access
(eg: rm -rf /etc/security/console.apps/<service name>)

(7) Enable the nospoof option in /etc/host.conf

(8) Specify the order in which domain names should be resolved (eg: order bind hosts)

(9) Lock the /etc/services file so that no one modifies it

(10) Restrict direct root login (comment out the PermitRootLogin option in sshd_config)

(11) Restrict su, so that only wheel group members are able to su.
(can use pam or remove the permission of others on the su binary)

(12) Limit user resources (can use pam; specify the limits for each user in /etc/security/limits.conf)

(13) Secure /tmp (mount /tmp with noexec, nodev, nosuid)

(14) Hide the server details. For that, remove /etc/issue and /etc/issue.net

(15) Disable unwanted suid and sgid files
find / -type f \( -perm -4000 -o -perm -2000 \)

eg: gpasswd, wall, traceroute etc....

(16) Allow ping only from a specified location (for monitoring systems to work). Use iptables for that

(17) Take preventive measures against DoS, ping of death etc. Use the script below for that
eg: webhostingtalk.com/showthread.php?s=&threadid=236954&highlight=blessen

(18) Install a firewall (eg apf and iptables)

(policy --> allow the ports which the box needs and block all other ports)
eg: rfxnetworks.com/
eg: yolinux.com/TUTORIALS/LinuxTutorialIptablesNetworkGateway.html

(19) Install intrusion detection (eg: install tripwire or aide)

eg: cs.tut.fi/~rammer/aide.html
eg: redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/ch-tripwire.html

(20) Install sxid to keep an eye on suid and sgid scripts.
Link: linux.cudeso.be/linuxdoc/sxid.php

(21) Restrict ssh to specific IPs and users (I suggest going for key authentication using a passphrase)

(22) Install logcheck to check the logs

(23) Install tmpwatch to delete unused files from the /tmp directory

(24) Install and set up portsentry and configure it to use iptables to block IPs

(25) Install mod_security and mod_dosevasive to safeguard apache

(26) Delete files with nouser and nogroup

(27) Delete unwanted files/folders in htdocs, disable directory indexing

(28) Check for unwanted scripts in /root

(29) Disable open relay

6) Submit a status report
Note: It will contain everything you have done on the server to secure it as per the audit

7) Testing and optimization phase

Use tools like nessus, nikto, nmap etc. to do a penetration test and see how well your server holds up. Also do a stress test etc.

################################################
Optimization
==========
1) Hard disk --> enable DMA for faster disk reads

2) Limit user processes

3) For mysql use these settings for good performance
======================= mysql settings in my.cnf ======================
port = 3306 -- I would always suggest changing the port
skip-locking
set-variable = max_connections=100
set-variable = max_user_connections=20
set-variable = key_buffer=16M
set-variable = join_buffer=4M
set-variable = record_buffer=4M
set-variable = sort_buffer=6M
set-variable = table_cache=1024
set-variable = myisam_sort_buffer_size=32M
set-variable = interactive_timeout=100
set-variable = wait_timeout=100
set-variable = connect_timeout=10
set-variable = thread_cache_size=128
==============================================

4) For proftpd use these settings
==========================ftp settings in proftpd.conf=======================

TimeoutIdle 600
TimeoutNoTransfer 600
TimeoutLogin 300
MaxInstances 30
MaxClientsPerHost 2
==================================================================

5) Disabling the logging of access time on partitions where the access time always changes (eg /var) will improve performance.
For that, just mount that partition with noatime.

6) Do not create large firewall policies; they will delay packets.

7) Setting file system parameters to correct values will often provide good performance.

8) While compiling, always use these options
For i686
CFLAGS=-O9 - for best optimization
-funroll-loops
-ffast-math
-mcpu=< your processor type >
-march=< your processor type >
-fomit-frame-pointer

For i586
======
CFLAGS=-O3
-funroll-loops
-ffast-math
-mcpu=< your processor type >
-march=< your processor type >
-fomit-frame-pointer
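
Several of the host checks in the list above (the uid 0 scan, the /tmp mount options in item 13, the suid/sgid search in item 15 and the root-login setting in item 10) can be scripted so they run from cron instead of by hand. The block below is an added example, not code from the original post: the sample passwd, mounts and sshd_config contents are constructed, and the function names are mine. Two caveats it encodes: the `find` one-liner needs parentheses around the -perm tests, otherwise `-type f` binds to the first test only and setgid directories are listed too; and sshd takes the first uncommented PermitRootLogin line, so a commented-out line leaves the compiled-in default in force rather than disabling root login, which is why the check reports "default" in that case instead of guessing.

```shell
#!/bin/sh
# Added example, not from the original post: checks for several host items
# above (extra UID-0 accounts, /tmp mount options, setuid/setgid files and
# the sshd root-login setting). The passwd, mounts and sshd_config data at
# the bottom are constructed samples; on a real host pass /etc/passwd,
# /proc/mounts, /etc/ssh/sshd_config and / instead.
set -u

# Accounts whose UID is 0 but whose name is not "root".
# $1 = passwd-format file
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print the required mount options that a mount point lacks; exit status 0
# only when none are missing. Prints "not-mounted" if the path is not a
# mount point (a /tmp that is just a directory on / has no options at all).
# $1 = mounts file, $2 = mount point, remaining args = required options
missing_mount_opts() {
    mounts=$1; mp=$2; shift 2
    opts=$(awk -v mp="$mp" '$2 == mp { print $4 }' "$mounts")
    if [ -z "$opts" ]; then echo "not-mounted"; return 1; fi
    missing=""
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    echo "${missing# }"
    [ -z "$missing" ]
}

# Regular files with the setuid or setgid bit under a directory tree.
# The parentheses matter: without them "-type f" binds only to the setuid
# test and setgid directories would be listed as well.
# $1 = directory to scan
suid_sgid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Effective PermitRootLogin value: sshd honours the FIRST uncommented
# occurrence, and a commented-out line leaves the built-in default in
# force, so this prints "default" in that case rather than guessing.
# $1 = sshd_config file
sshd_permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" && !seen { v = tolower($2); seen = 1 }
         END { print (seen ? v : "default") }' "$1"
}

# ---- constructed sample data (not from any real host) -----------------
WORK=$(mktemp -d)
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:second superuser:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
cat > "$WORK/mounts" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
EOF
cat > "$WORK/sshd_config" <<'EOF'
#PermitRootLogin yes
PermitRootLogin no
Port 22
EOF
mkdir -p "$WORK/bin"
: > "$WORK/bin/normal"
: > "$WORK/bin/setuid";  chmod 4755 "$WORK/bin/setuid"
: > "$WORK/bin/setgid";  chmod 2755 "$WORK/bin/setgid"

# ---- report -----------------------------------------------------------
echo "extra UID-0 accounts:  $(extra_uid0 "$WORK/passwd")"
echo "/tmp is missing:       $(missing_mount_opts "$WORK/mounts" /tmp noexec nodev nosuid || true)"
echo "setuid/setgid files:   $(suid_sgid_files "$WORK/bin" | tr '\n' ' ')"
echo "PermitRootLogin:       $(sshd_permit_root_login "$WORK/sshd_config")"
```

On the sample data the report shows toor as an extra uid 0 account, /tmp lacking noexec, the two setuid/setgid files and PermitRootLogin no. To audit a live host, replace the sample paths with /etc/passwd, /proc/mounts, /etc/ssh/sshd_config and /; piping the report through mail gives the same alert style as the uid 0 script in item 2.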

mardanian 03-15-2004 12:42 AM

very informative dude :)

Guru3 03-15-2004 01:26 AM

Yeah, that is some very cool information, which doubtless will come in handy to many people.

unSpawn 03-15-2004 04:18 PM

1)Create a security policy ( Security policy is created from business requirements and risk analysis ).This is the first step one should follow while working on security.
Cool. This is one of the issues I'll never push here, knowing a lot of ppl only have a single box.
For "larger" outfits it should be mandatory, I would agree to that. Maybe you could outline what is considered secpol stuff, just for those interested?


The check list is created according to the security policy (...) Note: Please feel free to add the steps which i had missed
I think it isn't much in the missing of notes (or dups) as it is in the order: there's stuff there that's basically system hardening, there's upgrade mgmnt and there's regular system auditing. Fortunately there's a lot of tools out there to help, like Tiger, Chkrootkit, LSAT to make life easier. One thing you forgot to mention explicitly is using separate means for verifying system integrity, and backing up any package managers' db's to untaintable media. One thing got me baffled is I really don't know what a memtest would help...


3) With this check list .Please Conduct a security audit

Format of security audit will be like this
===================== Format ==========================================
Issues or software # Current version (version used on the server) # Stable version # Notes:
===============================================================

(...)if so please note it down and add it in the notes section of audit report.

To me this looks like the default log any admin should keep per system...



5) Now the proper security work comes .
Security is divided into two sections host security and network security.And each these sections has 3 parts common
(a )Protection
(b) Detection
(c) Recovery




5.1 )Host Security (...)

(b)Check file systems ( set correct permission and ownerships to files )
eg: chmod -R 700 /etc/rc.d/init.d/*
eg: Use rpm -Va to find out whether an rpm's files have been modified

This won't find files that are changed outside the package management scope. Aide, Samhain, tripwire and even md5sum (-c) could.


(c) Apply security patches to vulnerable software (eg: patch -p1 < patchfile)
I thought you already did that under step 3 or 4?

(d)Remove all unwanted ttys and console logins by removing the entry from /etc/securetty
...and add pam_listfile if you use PAM. Another easy way to help deny some accounts access.


(e)Check system logs ( eg : /var/log/messages , /var/log/secure etc )
...and don't forget logs in unusual places, like when you're running chrooted services. If you use logrotate, also use something like Logwatch to parse for errors and have them delivered regularly.


5.2) Network Security
=====================
(1)Remove all unwanted users,groups

That's host security.


(3) Only allow passwords with 16 characters (can be done by making changes in login.defs)
Wasn't /etc/login.defs deprecated on systems using PAM?


(4) Disable unwanted services, use tcp wrappers (unwanted services can be disabled through xinetd.d or xinetd.conf).
TCP wrappers will only work for services that are compiled --with-libwrap. (X)inetd is not the only place to disable unwanted services, and IMHO the best way is to simply *not* install those services...


(7) Enable nospoof option in /etc/host.conf
I wonder how much this helps?


(8) Specify the order in which domain names should be resolved (eg: order bind hosts)
...and set static ARP addy's for next-hop routers?


(10) Restrict direct root login (comment out the PermitRootLogin option in sshd_config)
Basically no network services should have root logins enabled.


(12) Limit user resources (can use pam; specify the limits for each user in /etc/security/limits.conf)
...to really be able to enforce this load a Grsecurity or LIDS reinforced kernel.

(13) Secure /tmp ( mount /tmp with noexec,nodev,nosuid )
... and /var too. Mind /lib/ld-linux.so. Running a Grsecurity reinforced kernel gives you more strict ways to both deny and log violators.

(14) Hide the server details. For that, remove /etc/issue and /etc/issue.net
..and your per-server configs, like for example Apache, but mucking with OpenSSH code is a no no. Also remember this is in the "security through obscurity" area and not a qualitatively good way to help harden the system. False sense of security and all that.


(17) Take preventive measures against DoS, ping of death etc.
POD only works against w32 and old Linux kernels AFAIK. You can't stop a DoS. Work with your upstream ISP to temporarily block it and do investigations.

(18) Install a firewall (eg apf and iptables)
...and know how to log and limit traffic.


(19) Install intrusion detection (eg: install tripwire or aide)
...ah. Finally :-] Really this should be done after installing the OS.


(24) Install and set up portsentry and configure it to use iptables to block IPs
...even better, DITCH portsentry and install Snort.

(25) Install mod_security and mod_dosevasive to safeguard apache
..anyone got this tested?

(26) Delete files with nouser and nogroup
Why not investigate where this is coming from and chown to an inert user?

(27) Delete unwanted files/folders in htdocs, disable directory indexing
...I guess if you're talking Apache there's more than this?

(28)Check for unwanted scripts in /root
Like?


6) Do not create large firewall policies; they will delay packets.
Can you post some figures for this showing degradation, say a router on a fat pipe?

8) While compiling always use these options
...and remind yourself servers should NOT have development tools installed. Use an isolated staging box for that.


Good work. Leaves me to say please check out the LQ FAQ: Security references.
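
Item 18 of the first post gives the policy ("allow the ports the box needs and block all other ports") and unSpawn adds that you should know how to log and limit traffic. The script below is an added example, not from the thread or from apf: it prints an iptables rule set with a DROP policy on INPUT, a SYN rate limit in its own chain, ping allowed only from a monitoring host (item 16) and rate-limited logging of what the policy discards. The monitoring address 192.0.2.10 and the port list are assumptions. It only prints the commands; review the output and run it as root from the console rather than over ssh, because the flush and policy change briefly drop everything.

```shell
#!/bin/sh
# Added example, not from the thread: print a default-deny iptables rule set
# that opens only the listed TCP ports, lets one monitoring host ping,
# rate-limits new TCP connections and logs drops at a bounded rate. Nothing
# is applied; pipe the output into sh as root once you have read it.
# The monitoring address and port list below are assumptions.

# $1 = monitoring host allowed to ping, remaining args = TCP ports to open
gen_firewall_rules() {
    monitor=$1; shift
    for port in "$@"; do               # validate before printing anything
        case $port in
            ''|*[!0-9]*) echo "gen_firewall_rules: bad port '$port'" >&2; return 1 ;;
        esac
    done
    cat <<EOF
iptables -F INPUT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# loopback and replies to connections this host already has
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
# new TCP connections go through SYNLIMIT: under the rate they RETURN and
# still have to match a port rule below, above the rate they are dropped
iptables -N SYNLIMIT 2>/dev/null || iptables -F SYNLIMIT
iptables -A SYNLIMIT -m limit --limit 25/second --limit-burst 50 -j RETURN
iptables -A SYNLIMIT -j DROP
iptables -A INPUT -p tcp --syn -j SYNLIMIT
# only the monitoring host may ping; everyone else's echo-request is dropped
iptables -A INPUT -p icmp --icmp-type echo-request -s $monitor -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
EOF
    for port in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    cat <<'EOF'
# log what the DROP policy will discard, limited so a flood cannot fill /var/log
iptables -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "FW-DROP: "
EOF
}

# Example: ssh, http and https open; 192.0.2.10 (assumed monitoring box) may ping
gen_firewall_rules 192.0.2.10 22 80 443
```

The rate limit lives in a separate chain on purpose: packets under the limit RETURN to INPUT and still have to match a port rule. A single `-p tcp --syn -m limit -j ACCEPT` on INPUT, which is what many copied scripts do, would accept new connections on every port while under the limit and silently undo the port policy.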

Skunk_Face 03-15-2004 09:52 PM

very thorough indeed. Just an opinion here... I don't really like portsentry coz it blocks IPs which are detected when alerts are triggered on selected ports... not very clever when the intruder is spoofing his/her IP with one like, say, google's

in that sense I find that snort coupled with guardian works better

and what do you mean by large firewall policies?? I had my box running on a few lines to allow specific ports and drop the rest, and then on an iptables script with a couple hundred lines to drop specific IPs and perform specific string matches on packets... and I can't say there was a significant performance degradation between the two

anyone have any more hardening tips for apache???

blessen 03-15-2004 11:48 PM

thanks for the suggestions :-D.. I appreciate it

blessen 03-15-2004 11:50 PM

Yes, what I have mentioned are the general steps a user or system owner should follow in order to make a system 50% secure.. ...

(A sysadmin will have more powerful and different ways of securing a box)

thanks for the suggestions :-D.. I really appreciate it ...

