Hello,
I'm using CentOS 8. I checked my server with Lynis and it showed me the information below:
Code:
-[ Lynis 3.0.0 Results ]-
Warnings (3):
----------------------------
! Couldn't find 2 responsive nameservers [NETW-2705]
https://cisofy.com/lynis/controls/NETW-2705/
! Found promiscuous interface [NETW-3015]
- Details : ens192
- Solution : Determine if this mode is required or whitelist interface in profile
https://cisofy.com/lynis/controls/NETW-3015/
! iptables module(s) loaded, but no rules active [FIRE-4512]
https://cisofy.com/lynis/controls/FIRE-4512/
Suggestions (42):
----------------------------
* If not required, consider explicit disabling of core dump in /etc/security/limits.conf file [KRNL-5820]
https://cisofy.com/lynis/controls/KRNL-5820/
* Check PAM configuration, add rounds if applicable and expire passwords to encrypt with new values [AUTH-9229]
https://cisofy.com/lynis/controls/AUTH-9229/
* Configure minimum encryption algorithm rounds in /etc/login.defs [AUTH-9230]
https://cisofy.com/lynis/controls/AUTH-9230/
* Configure maximum encryption algorithm rounds in /etc/login.defs [AUTH-9230]
https://cisofy.com/lynis/controls/AUTH-9230/
* When possible set expire dates for all password protected accounts [AUTH-9282]
https://cisofy.com/lynis/controls/AUTH-9282/
* Configure minimum password age in /etc/login.defs [AUTH-9286]
https://cisofy.com/lynis/controls/AUTH-9286/
* Configure maximum password age in /etc/login.defs [AUTH-9286]
https://cisofy.com/lynis/controls/AUTH-9286/
* Default umask in /etc/profile or /etc/profile.d/custom.sh could be more strict (e.g. 027) [AUTH-9328]
https://cisofy.com/lynis/controls/AUTH-9328/
* To decrease the impact of a full /tmp file system, place /tmp on a separate partition [FILE-6310]
https://cisofy.com/lynis/controls/FILE-6310/
* To decrease the impact of a full /var file system, place /var on a separate partition [FILE-6310]
https://cisofy.com/lynis/controls/FILE-6310/
* Consider disabling unused kernel modules [FILE-6430]
- Details : /etc/modprobe.d/blacklist.conf
- Solution : Add 'install MODULENAME /bin/true' (without quotes)
https://cisofy.com/lynis/controls/FILE-6430/
* Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [USB-1000]
https://cisofy.com/lynis/controls/USB-1000/
* Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [STRG-1846]
https://cisofy.com/lynis/controls/STRG-1846/
* Split resolving between localhost and the hostname of the system [NAME-4406]
https://cisofy.com/lynis/controls/NAME-4406/
* Check your resolv.conf file and fill in a backup nameserver if possible [NETW-2705]
https://cisofy.com/lynis/controls/NETW-2705/
* Determine if protocol 'dccp' is really needed on this system [NETW-3200]
https://cisofy.com/lynis/controls/NETW-3200/
* Determine if protocol 'sctp' is really needed on this system [NETW-3200]
https://cisofy.com/lynis/controls/NETW-3200/
* Determine if protocol 'rds' is really needed on this system [NETW-3200]
https://cisofy.com/lynis/controls/NETW-3200/
* Determine if protocol 'tipc' is really needed on this system [NETW-3200]
https://cisofy.com/lynis/controls/NETW-3200/
* Install Apache mod_evasive to guard webserver against DoS/brute force attempts [HTTP-6640]
https://cisofy.com/lynis/controls/HTTP-6640/
* Consider hardening SSH configuration [SSH-7408]
- Details : AllowTcpForwarding (set YES to NO)
https://cisofy.com/lynis/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408]
- Details : ClientAliveCountMax (set 3 to 2)
https://cisofy.com/lynis/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408]
- Details : Compression (set YES to NO)
https://cisofy.com/lynis/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408]
- Details : LogLevel (set INFO to VERBOSE)
https://cisofy.com/lynis/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408]
- Details : MaxSessions (set 5 to 2)
https://cisofy.com/lynis/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408]
- Details : Port (set 22 to )
https://cisofy.com/lynis/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408]
- Details : TCPKeepAlive (set YES to NO)
https://cisofy.com/lynis/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408]
- Details : X11Forwarding (set YES to NO)
https://cisofy.com/lynis/controls/SSH-7408/
* Consider hardening SSH configuration [SSH-7408]
- Details : AllowAgentForwarding (set YES to NO)
https://cisofy.com/lynis/controls/SSH-7408/
* Enable logging to an external logging host for archiving purposes and additional protection [LOGG-2154]
https://cisofy.com/lynis/controls/LOGG-2154/
* Check what deleted files are still in use and why. [LOGG-2190]
https://cisofy.com/lynis/controls/LOGG-2190/
* Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126]
https://cisofy.com/lynis/controls/BANN-7126/
* Add legal banner to /etc/issue.net, to warn unauthorized users [BANN-7130]
https://cisofy.com/lynis/controls/BANN-7130/
* Enable sysstat to collect accounting (no results) [ACCT-9626]
https://cisofy.com/lynis/controls/ACCT-9626/
* Audit daemon is enabled with an empty ruleset. Disable the daemon or define rules [ACCT-9630]
https://cisofy.com/lynis/controls/ACCT-9630/
* Utilize software pseudo random number generators [CRYP-8005]
https://cisofy.com/lynis/controls/CRYP-8005/
* Determine if automation tools are present for system management [TOOL-5002]
https://cisofy.com/lynis/controls/TOOL-5002/
* Consider restricting file permissions [FILE-7524]
- Details : See screen output or log file
- Solution : Use chmod to change file permissions
https://cisofy.com/lynis/controls/FILE-7524/
* Double check the permissions of home directories as some might be not strict enough. [HOME-9304]
https://cisofy.com/lynis/controls/HOME-9304/
* One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000]
- Solution : Change sysctl value or disable test (skip-test=KRNL-6000:<sysctl-key>)
https://cisofy.com/lynis/controls/KRNL-6000/
* Harden compilers like restricting access to root user only [HRDN-7222]
https://cisofy.com/lynis/controls/HRDN-7222/
* Harden the system by installing at least one malware scanner, to perform periodic file system scans [HRDN-7230]
- Solution : Install a tool like rkhunter, chkrootkit, OSSEC
https://cisofy.com/lynis/controls/HRDN-7230/
Follow-up:
----------------------------
- Show details of a test (lynis show details TEST-ID)
- Check the logfile for all details (less /var/log/lynis.log)
- Read security controls texts (https://cisofy.com)
- Use --upload to upload data to central system (Lynis Enterprise users)
Which of these warnings are serious for a web server?
Have you looked at the pages they link to?
Do that, then ask questions if you still have them.
The first one says your domain doesn’t have the required two authoritative name servers.
There are only three “warnings”. The rest are suggestions...all of which seem valid to me
I did the SSH hardening recommendation, but most of these links don't show any help. For example, I don't know how I can solve these problems:
Code:
* Consider disabling unused kernel modules [FILE-6430]
- Details : /etc/modprobe.d/blacklist.conf
- Solution : Add 'install MODULENAME /bin/true' (without quotes)
https://cisofy.com/lynis/controls/FILE-6430/
* Split resolving between localhost and the hostname of the system [NAME-4406]
https://cisofy.com/lynis/controls/NAME-4406/
* Determine if protocol 'dccp' is really needed on this system [NETW-3200]
https://cisofy.com/lynis/controls/NETW-3200/
* Determine if protocol 'sctp' is really needed on this system [NETW-3200]
https://cisofy.com/lynis/controls/NETW-3200/
* Determine if protocol 'rds' is really needed on this system [NETW-3200]
https://cisofy.com/lynis/controls/NETW-3200/
* Determine if protocol 'tipc' is really needed on this system [NETW-3200]
https://cisofy.com/lynis/controls/NETW-3200/
* Check what deleted files are still in use and why. [LOGG-2190]
https://cisofy.com/lynis/controls/LOGG-2190/
* Enable sysstat to collect accounting (no results) [ACCT-9626]
https://cisofy.com/lynis/controls/ACCT-9626/
* Audit daemon is enabled with an empty ruleset. Disable the daemon or define rules [ACCT-9630]
https://cisofy.com/lynis/controls/ACCT-9630/
* Consider restricting file permissions [FILE-7524]
- Details : See screen output or log file
- Solution : Use chmod to change file permissions
https://cisofy.com/lynis/controls/FILE-7524/
* One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000]
- Solution : Change sysctl value or disable test (skip-test=KRNL-6000:<sysctl-key>)
https://cisofy.com/lynis/controls/KRNL-6000/
* Harden compilers like restricting access to root user only [HRDN-7222]
https://cisofy.com/lynis/controls/HRDN-7222/
I'd be thankful if anyone could help me with them.
About an Antivirus, is ClamAV good?
Lynis appears to be an audit tool - i.e. the entire point of the software is to generate those messages.
A lot of them seem to be self-explanatory (e.g. "Determine if protocol 'dccp' is really needed on this system" - nobody here can tell you that; or "Audit daemon is enabled with an empty ruleset. Disable the daemon or define rules" - so pick one and do it), and every message has a link giving more details for someone who knows the system (i.e. you) to decide whether it's important or not.
If any of the links do not work or don't give enough details, that's a matter to be solved by raising an issue with the people who make the software / run the website.
Likewise, if you want to address the most important ones first, you need to talk to CISOfy about providing a severity ranking (after checking the docs because maybe there's already an option to output/filter on one).
How can I be sure whether my server needs the dccp, sctp, rds and tipc protocols or not? It's just a web server.
If it's just a web server, then it needs HTTP, TLS, and a secure means for you to update config/data. Everything that a web server doesn't need can be switched off.
If there's any doubt, test everything you need to have working (to confirm it currently works), then turn off one service/protocol, and test everything again - if something has broken, turn it back on again. Rinse and repeat.
Thank you for your advice.
How can I turn off dccp, sctp, rds and tipc protocols?
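The FILE-6430 hint quoted earlier in the thread (add `install MODULENAME /bin/true` under /etc/modprobe.d) is the standard way to switch off the four protocol modules from NETW-3200. As an added example that is not from this thread, here is a POSIX sh script that writes such a drop-in and reports which of those modules are still loaded; the file name lynis-netw-3200.conf and the directory argument are my choices, and it only needs root when pointed at the real /etc/modprobe.d.

```shell
#!/bin/sh
# Added example (not from the thread): disable the protocol modules Lynis
# flagged under NETW-3200 using the FILE-6430 recipe, one "install MODULE
# /bin/true" line per module in a modprobe.d drop-in.
set -eu

# Modules named in the Lynis report; prune this list after testing the server.
LYNIS_NETW_3200_MODULES="dccp sctp rds tipc"

# Write the drop-in.  $1: directory to write into (normally /etc/modprobe.d;
# pass a scratch directory to dry-run).  Prints the path of the file written.
write_blacklist() {
    dir="$1"
    conf="$dir/lynis-netw-3200.conf"   # constructed file name
    : > "$conf"
    for mod in $LYNIS_NETW_3200_MODULES; do
        # "install X /bin/true" makes modprobe run /bin/true instead of loading
        # X, even when requested explicitly; "blacklist X" (my addition to the
        # Lynis hint) additionally stops automatic loading via module aliases.
        printf 'install %s /bin/true\n' "$mod" >> "$conf"
        printf 'blacklist %s\n' "$mod" >> "$conf"
    done
    printf '%s\n' "$conf"
}

# Report which of the modules are currently loaded.  The drop-in only affects
# future loads, so anything listed here stays active until rmmod or a reboot.
# $1: a file in /proc/modules format (pass /proc/modules on a live system).
loaded_modules() {
    proc_modules="$1"
    for mod in $LYNIS_NETW_3200_MODULES; do
        if awk -v m="$mod" '$1 == m { found = 1 } END { exit !found }' "$proc_modules"; then
            printf '%s\n' "$mod"
        fi
    done
}

# Usage on the server (as root):
#   write_blacklist /etc/modprobe.d
#   loaded_modules /proc/modules      # rmmod anything still listed, then retest
```

After writing the drop-in, re-run the web server tests the earlier reply describes before removing the loaded modules; re-running Lynis should then drop the four NETW-3200 suggestions.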
ClamAV, like most, if not all, anti-virus software, is only as good as the virus definitions/signatures it is using are good, accurate and recent.
That said, ClamAV comes with a mechanism to regularly update its database.
I think every 3 hours.
I think ClamAV uses a lot of memory and CPU and makes the system slow!
It surely, as all processes, consumes memory and CPU resources.
I really do not know if it would then qualify as a "heavy" consumer.
The final call will be yours to make.
That will depend on the hardware resources available on your server, the main services the server provides (the purpose for which you put that server in place in the first place; I see you mentioned in your initial post that it is a web server), and the other processes (such as ClamAV) sustaining or assisting those main services.
Deploy, and do aggressive monitoring and baby-sitting at the beginning.
And be ready to react quickly.
The reality is that without any real world load, it is very difficult to act proactively.
But, rethinking about it while "clicking the send button" on my previous post: why would you need an anti-virus on a web server?
I think it will be easier if the web content administrator checks the content from his work station, and only puts in the web server what he knows is virus free.
Unless your web server receives files from its visitors (or clients), I do not see the need to have a running ClamAV daemon on it, or even to perform sporadic virus scans.
Sometimes hackers find security holes for uploading files and...