
Tuesday, September 16, 2014

Linux Server Hardening

Securing a production system against attackers is a challenging task for a system administrator.
Server hardening is the process of raising a server's security through a variety of measures, resulting in a much more secure operating environment. The improvement comes from the additional security controls put in place during the hardening process.

Server Hardening Tips & Tricks:

Some common server hardening tips & tricks include:

- Use Data Encryption for your Communications.
- Avoid using insecure protocols that send your information or passwords in plain text.
- Minimize unnecessary software on your servers.
- Disable Unwanted SUID and SGID Binaries.
- Keep your operating system up to date, especially security patches.
- Using security extensions is a plus.
- When using Linux, SELinux should be considered. Linux server hardening is a primary focus for the web hosting industry; however, in web hosting SELinux is probably not a good option, as it often causes issues when the server is used for web hosting purposes.
- User Accounts should have very strong passwords.
- Change passwords on a regular basis and do not reuse them.
- Lock accounts after too many login failures. Often these login failures are illegitimate attempts to gain access to your system.
- Do not permit empty passwords.
- SSH hardening:
  - Change the port from the default to a non-standard one.
  - Disable direct root logins. Switch to root from a lower-privileged account only when necessary.
- Secure /tmp, /var/tmp and /dev/shm.
- Hide the BIND DNS server version and the Apache version.
- Harden sysctl.conf.
- Install Rootkit Hunter (rkhunter) and chkrootkit.
- Minimize open network ports to be only what is needed for your specific circumstances.
- Configure the system firewall (iptables) or install a firewall front-end such as CSF or APF. A properly set up firewall by itself can prevent many attacks.
- Consider also using a hardware firewall.
- Separate partitions in ways that make your system more secure.
- Disable unwanted binaries
- Maintain server logs; mirror logs to a separate log server
- Install Logwatch and review logwatch emails daily. Investigate any suspicious activity on your server.
- Use brute-force and intrusion detection systems.
- Install Linux Socket Monitor, which detects and alerts when new sockets are created on your system, often revealing attacker activity.
- Install ModSecurity to harden the web server.
- Harden the PHP installation.
- Limit user accounts to accessing only what they need. Increased access should only be on an as-needed basis.
- Maintain proper backups
- Don't forget about physical server security.
Now proceed with the steps of server hardening:
1. Operating System Installation:
Make sure that production servers use a minimal installation of the Linux OS, so that software which is not required never gets installed in the first place.
2. Removing Software Packages:
# rpm -qa
The above command lists every package installed on the server. Review the list and remove the packages that are not needed.
3. Disabling Services per Runlevel (chkconfig):
# chkconfig --list | grep on
The above command lists the services that are enabled in each runlevel. Review the output and turn off the unwanted ones.
4. Disable Root Login:
Stop using root at all times. When you need super-user permissions, use sudo instead of su. sudo is more secure than su: when a user runs root-level commands through sudo, every command is logged by default in /var/log/secure. Furthermore, users have to authenticate themselves to run sudo, and that authentication is only cached for a short period of time.
The configuration file for SSH is /etc/ssh/sshd_config.
Replace the line #PermitRootLogin yes with the line below. A line beginning with # is a comment, so make sure the new line does not start with one:
PermitRootLogin no
To restrict which users can log in to the server over SSH, add the line below at the end of the configuration file. (With PermitRootLogin no in force, root is still refused even though it appears in the list.)
AllowUsers root test1 linuxadmin dbadmin networkadmin
# service sshd restart
5. Access Restrictions with TCP Wrappers:
TCP Wrappers is a security framework used to enforce IP-address-based access controls on services such as sshd and vsftpd. It is installed by default on Red Hat.
It can be used in two ways: we can deny specified IP addresses, or we can restrict access to only the allowed IP addresses.
Two configuration files control the access: /etc/hosts.allow and /etc/hosts.deny. As the names imply, hosts.allow lists the IP addresses that are allowed and hosts.deny lists the IP addresses that are not. hosts.allow is consulted first, then hosts.deny, and a client that matches neither file is allowed, so a restrictive setup needs a catch-all entry at the end of hosts.deny.
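As an added illustration of the lookup order just described (an example script written for this post, not part of the original page and not libwrap itself), the shell functions below model how tcpd decides: hosts.allow is checked first, then hosts.deny, and no match means allow. Only the ALL wildcard, exact IPv4 addresses and dotted network prefixes such as 192.168.1. are modelled; the daemon names, client addresses and rule files are constructed in a temporary directory, so nothing under /etc is touched.

```sh
#!/bin/sh
# Added example: a simplified model of the tcp_wrappers lookup order.
# It is not libwrap; only ALL, exact IPv4 addresses and "a.b.c." prefixes are
# understood (no EXCEPT, KNOWN, hostnames or shell-command options).

# wrap_client_match PATTERN CLIENT -> 0 if PATTERN covers CLIENT
wrap_client_match() {
    pattern=$1; client=$2
    case "$pattern" in
        ALL) return 0 ;;
        *.)  case "$client" in "$pattern"*) return 0 ;; esac; return 1 ;;
        *)   [ "$pattern" = "$client" ] ;;
    esac
}

# wrap_file_match FILE DAEMON CLIENT -> 0 if some "daemons : clients" line
# in FILE names DAEMON (or ALL) and covers CLIENT. Comments are ignored.
wrap_file_match() {
    file=$1; daemon=$2; client=$3
    [ -r "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                      # drop comments
        case "$line" in *:*) ;; *) continue ;; esac
        daemons=${line%%:*}
        rest=${line#*:}
        clients=${rest%%:*}                   # ignore a trailing option field
        dmatch=1
        for d in $(printf '%s' "$daemons" | tr ',' ' '); do
            if [ "$d" = ALL ] || [ "$d" = "$daemon" ]; then dmatch=0; break; fi
        done
        [ "$dmatch" -eq 0 ] || continue
        for c in $(printf '%s' "$clients" | tr ',' ' '); do
            if wrap_client_match "$c" "$client"; then return 0; fi
        done
    done < "$file"
    return 1
}

# wrap_decision DAEMON CLIENT ALLOWFILE DENYFILE -> prints allow|deny
wrap_decision() {
    if wrap_file_match "$3" "$1" "$2"; then echo allow      # hosts.allow wins
    elif wrap_file_match "$4" "$1" "$2"; then echo deny     # then hosts.deny
    else echo allow                                          # no match: allowed
    fi
}

# Constructed rule files in a scratch directory (never touches /etc).
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
ALLOW=$TMPD/hosts.allow
DENY=$TMPD/hosts.deny
cat > "$ALLOW" <<'EOF'
# constructed: only the admin network may reach sshd
sshd: 192.168.1.
EOF
cat > "$DENY" <<'EOF'
# constructed: sshd and vsftpd are refused from everywhere else
sshd, vsftpd: ALL
EOF

for probe in "sshd 192.168.1.7" "sshd 203.0.113.9" "vsftpd 192.168.1.7" "httpd 203.0.113.9"; do
    set -- $probe
    printf '%-7s from %-13s -> %s\n' "$1" "$2" "$(wrap_decision "$1" "$2" "$ALLOW" "$DENY")"
done
```

The last probe is the caveat to keep in mind: httpd is not named in either file, so it is allowed from anywhere. If you want "deny everything not explicitly allowed", the final entry in hosts.deny has to be ALL: ALL rather than a list of daemons.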

6. Update Kernel and Software

Ensure your kernel and software patches are up to date. I like to make sure my Linux kernel and software are always up to date, because patches are constantly being released to correct security flaws and close off exploits. Remember that you have access to SoftLayer's private network for updates and patches, so you don't have to expose your server to the public network to get updates. Run this with sudo to get updates on Red Hat or CentOS:

# yum update

7. Add a Welcome/Warning Banner

Add a welcome or warning message for users who remote into your system. The message can be created using the MOTD (message of the day), whose sole purpose is to display a message on console or SSH session logins. I like my MOTDs to read:

# vi /etc/motd
"Welcome to . All connections are being monitored and recorded."

Note that /etc/motd is only shown after a successful login; to display the warning before authentication, point the Banner directive in /etc/ssh/sshd_config at a file containing the text.

8. System Logging and Audit Files

System logging is an important piece of system hardening and security. Proper configuration and auditing of log files is recommended. Linux distributions ship with several different logging daemons; syslog, syslog-ng and rsyslog are the ones commonly included.
Permissions on log files should be set so that root is the owner and standard users cannot read them. System logs should also be sent or copied to a trusted, centralized location so that they are tamper resistant.
The configuration files for these logging daemons are located in /etc and the default log repository is /var/log.

/etc/syslog.conf
/etc/rsyslog.conf

The psacct package provides utilities for monitoring process activity, including ac, lastcomm, accton and sa:

# ac        (displays statistics about how long users have been logged on)
# lastcomm  (displays information about previously executed commands)
# accton    (turns process accounting on or off)
# sa        (summarizes information about previously executed commands)

To start the psacct service:

# service psacct start

9. Kernel Tuning:

Add the following parameters to /etc/sysctl.conf:

# Disable IP source routing
net.ipv4.conf.all.accept_source_route = 0
# Disable ICMP redirect acceptance
net.ipv4.conf.all.accept_redirects = 0
# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Enable bad error message protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Log spoofed, source-routed and redirect packets (martians)
net.ipv4.conf.all.log_martians = 1

To activate the configured kernel parameters immediately at runtime, use:

# sysctl -p
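Both the sshd_config edit in step 4 and the sysctl.conf edit above share a trap: the file may contain the directive more than once, and which copy wins differs between the two. sshd honours the first uncommented occurrence of a keyword, while sysctl -p applies the file top to bottom so the last assignment wins. The script below is an added example (not the post's own code) that reads the effective value from a config file and compares it with the hardened value; the two sample files are constructed in a temporary directory, and the effective_value and check_setting names are this example's own. Match blocks in sshd_config are not modelled.

```sh
#!/bin/sh
# Added example: read the EFFECTIVE value of a directive from a config file,
# which is what you should verify after a hardening edit.
#  - sshd honours the FIRST uncommented occurrence of a keyword, so an old
#    "PermitRootLogin yes" above your edit silently wins.
#  - sysctl -p writes /etc/sysctl.conf top to bottom, so the LAST assignment
#    of a key wins.
# Match blocks in sshd_config are not modelled. Sample files are constructed.

# effective_value FILE KEY MODE   (MODE = first | last); prints the value,
# prints nothing if KEY is never set. Keys compare case-insensitively, which
# matches sshd; sysctl keys are all lower-case anyway.
effective_value() {
    awk -v key="$2" -v mode="$3" '
        { sub(/#.*/, "") }                       # strip comments
        NF == 0 { next }                         # skip blank lines
        {
            line = $0
            gsub(/^[ \t]+|[ \t]+$/, "", line)
            # separator is "=" with optional blanks (sysctl) or blanks (sshd)
            if (!match(line, /[ \t]*=[ \t]*|[ \t]+/)) next
            k = substr(line, 1, RSTART - 1)
            v = substr(line, RSTART + RLENGTH)
            if (tolower(k) != tolower(key)) next
            if (mode == "first") { print v; exit }
            last = v; seen = 1
        }
        END { if (mode == "last" && seen) print last }
    ' "$1"
}

# check_setting FILE KEY MODE EXPECTED -> 0 when the effective value matches
check_setting() {
    actual=$(effective_value "$1" "$2" "$3")
    if [ "$actual" = "$4" ]; then
        printf 'OK   %s = %s\n' "$2" "$actual"
        return 0
    fi
    printf 'FAIL %s = %s (expected %s)\n' "$2" "${actual:-<unset>}" "$4"
    return 1
}

TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
SSHD_CFG=$TMPD/sshd_config
SYSCTL_CFG=$TMPD/sysctl.conf

cat > "$SSHD_CFG" <<'EOF'
# constructed sshd_config: the hardening edit was made, and a later
# duplicate is ignored by sshd because the first occurrence wins
Port 2222
#PermitRootLogin yes
PermitRootLogin no
AllowUsers linuxadmin dbadmin
PermitRootLogin yes
EOF

cat > "$SYSCTL_CFG" <<'EOF'
# constructed sysctl.conf: a later duplicate overrides the earlier value
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_redirects = 0
EOF

# Each spec is "FILE KEY MODE EXPECTED"; log_martians is deliberately absent
# from the sample so that the report shows what an unset key looks like.
failures=0
for spec in "$SSHD_CFG PermitRootLogin first no" \
            "$SSHD_CFG Port first 2222" \
            "$SYSCTL_CFG net.ipv4.conf.all.accept_redirects last 0" \
            "$SYSCTL_CFG net.ipv4.conf.all.log_martians last 1"; do
    set -- $spec
    check_setting "$1" "$2" "$3" "$4" || failures=$((failures + 1))
done
echo "$failures setting(s) not at the hardened value"
```

Run it against the real files as root, and remember that sysctl -p only loads the file; the value actually in force is what sysctl -a reports, so on a live server compare against that as well.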

10. Monitor Your Logs
  • System boot log: /var/log/boot.log
  • Authentication log (RHEL/CentOS): /var/log/secure
  • Login records: /var/log/utmp or /var/log/wtmp
  • General system messages and current activity: /var/log/messages
  • Authentication log (Debian/Ubuntu): /var/log/auth.log
  • Kernel log: /var/log/kern.log
  • Cron job log: /var/log/cron.log
  • Mail server log: /var/log/maillog
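Knowing where the logs are is half of the step; the other half is a check you actually run. The script below is an added example (not the post's own code) of the kind of review that the "lock accounts after too many login failures" and sudo-logging advice above implies: it counts failed SSH password attempts per source address, flags sources over a threshold, counts direct root attempts, and lists every command run through sudo. The log lines are constructed in the format that sshd and sudo write to /var/log/secure on RHEL; the function names are this example's own.

```sh
#!/bin/sh
# Added example: what "monitor your logs" looks like as a check you can run.
# The log lines below are constructed in the /var/log/secure format that
# sshd and sudo produce on RHEL; point LOG at the real file on a server.

LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Sep 16 10:01:12 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Sep 16 10:01:15 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Sep 16 10:01:19 web01 sshd[2213]: Failed password for root from 203.0.113.5 port 51030 ssh2
Sep 16 10:02:01 web01 sshd[2220]: Accepted publickey for linuxadmin from 192.168.1.20 port 40112 ssh2
Sep 16 10:02:40 web01 sshd[2231]: Failed password for dbadmin from 192.168.1.33 port 40200 ssh2
Sep 16 10:03:02 web01 sshd[2240]: Accepted password for dbadmin from 192.168.1.33 port 40204 ssh2
Sep 16 10:03:30 web01 sudo:  dbadmin : TTY=pts/0 ; PWD=/home/dbadmin ; USER=root ; COMMAND=/sbin/service httpd restart
EOF

# failed_logins_by_source FILE -> "count ip" lines, busiest source first
failed_logins_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# suspicious_sources FILE THRESHOLD -> sources with THRESHOLD or more failures
suspicious_sources() {
    failed_logins_by_source "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# failed_count_for FILE IP -> number of failures from IP (0 if none)
failed_count_for() {
    failed_logins_by_source "$1" |
        awk -v ip="$2" '$2 == ip { print $1; found = 1 } END { if (!found) print 0 }'
}

# root_password_failures FILE -> direct root password attempts; any non-zero
# value on a host configured with PermitRootLogin no deserves a look
root_password_failures() {
    awk '/sshd\[[0-9]+\]: Failed password for root from/ { c++ } END { print c + 0 }' "$1"
}

# sudo_commands FILE -> "user command" for every command run through sudo
sudo_commands() {
    awk '$5 == "sudo:" && match($0, /COMMAND=.*/) { print $6, substr($0, RSTART + 8) }' "$1"
}

echo "Failed SSH logins by source:";     failed_logins_by_source "$LOG"
echo "Sources with 3 or more failures:"; suspicious_sources "$LOG" 3
echo "Root password failures: $(root_password_failures "$LOG")"
echo "Commands run via sudo:";           sudo_commands "$LOG"
```

The single failure from 192.168.1.33 followed by an accepted login is the normal typo pattern and stays below the threshold; the repeated failures from one outside address, including a root attempt, are what a threshold-based alert or an automatic block should catch.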
11. Check Listening Network Ports

#netstat -tulpn

12. Restrict Users from Reusing Old Passwords

# vi /etc/pam.d/system-auth  (for RHEL/CentOS/Fedora)

# vi /etc/pam.d/common-password  (for Ubuntu/Debian/Linux Mint)

Add the following line to the 'auth' section and save the file.

auth    sufficient       pam_unix.so likeauth nullok

Add the following line to the 'password' section to disallow a user from re-using any of his or her last 5 passwords.

password   sufficient       pam_unix.so nullok use_authtok md5 shadow remember=5

Only the last 5 passwords are remembered by the server. If you try to reuse any of them, you get an error like:

Password has been already used. Choose another

Two caveats on these lines: nullok permits accounts with an empty password, which contradicts the earlier advice not to allow empty passwords, so drop it unless you specifically need it; and md5 selects MD5 password hashes, where current systems support the stronger sha512 option of pam_unix.

13. Disable Ctrl+Alt+Delete in inittab

In most Linux distributions, pressing Ctrl+Alt+Delete on the console reboots the system. It is not a good idea to leave this enabled, at least on production servers, in case someone does it by mistake.
This is defined in the /etc/inittab file. If you look closely in that file you will see a section similar to the one below; by default the ctrlaltdel action line that follows this comment is not commented out, and it is that line (the one that invokes shutdown) which has to be commented out. On systems that use Upstart instead (RHEL/CentOS 6), the same behaviour is configured in /etc/init/control-alt-delete.conf.
# Trap CTRL-ALT-DELETE
14. Check for Password Expiration
15. Strong Password Complexity
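Password expiration and the "do not permit empty passwords" rule from the tips list can both be checked from the /etc/shadow fields. The script below is an added example (not the post's own code) that audits a file in shadow format for accounts with an empty password field, active accounts whose password never expires (max age unset or the 99999-day default), and the max age of a given user. The sample file is constructed with placeholder hashes; on a server, run it as root against /etc/shadow itself. The function names are this example's own.

```sh
#!/bin/sh
# Added example: audit password ageing and empty passwords from a file in
# /etc/shadow format (fields: name:hash:lastchange:min:max:warn:inactive:expire).
# The sample below is constructed; on a server run it as root against
# /etc/shadow itself. Hashes here are placeholders, not real digests.

SHADOW=$(mktemp)
trap 'rm -f "$SHADOW"' EXIT
cat > "$SHADOW" <<'EOF'
root:$6$placeholder$notarealhash:16300:0:99999:7:::
linuxadmin:$6$placeholder$notarealhash2:16300:1:90:14:::
dbadmin::16300:0:99999:7:::
backup:!!:16300:0:99999:7:::
svc:*:16300::::::
EOF

# empty_password_accounts FILE -> accounts whose password field is empty
# (they can log in with no password at all when pam_unix is given nullok)
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# non_expiring_accounts FILE -> active accounts (hash not locked with ! or *)
# whose max age is unset or the 99999-day default, i.e. never forced to change
non_expiring_accounts() {
    awk -F: '$2 !~ /^[!*]/ && ($5 == "" || $5 + 0 >= 99999) { print $1 }' "$1"
}

# max_days_for FILE USER -> the max password age of USER (empty if unset)
max_days_for() {
    awk -F: -v u="$2" '$1 == u { print $5 }' "$1"
}

echo "Accounts with an empty password:";              empty_password_accounts "$SHADOW"
echo "Active accounts whose password never expires:"; non_expiring_accounts "$SHADOW"
echo "linuxadmin must change password every $(max_days_for "$SHADOW" linuxadmin) days"
```

Locked accounts (backup and svc in the sample) are skipped on purpose: a locked hash cannot be used for a password login, so its ageing fields do not matter. Ageing for a live account is changed with chage, and the defaults for new accounts come from /etc/login.defs.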
16. Add a sudo log entry in the sudoers file, so that sudo activity can be monitored.
# visudo (preferred, as it checks the syntax before saving) or vi /etc/sudoers
Add the line below and save the file:
Defaults logfile=/var/log/sudolog
