Wednesday, August 10, 2011

Server Hardening Steps

Steps for security hardening 

The steps usually I follow:


1. Firewall installation (APF/CSF).

2. Firewall configuration: CSF installation steps
rm -fv csf.tgz
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
Next, test whether you have the required iptables modules:
perl /etc/csf/csftest.pl
sh install.sh
 
In /etc/csf/csf.conf, find MONOLITHIC_KERNEL = "0" and change it to MONOLITHIC_KERNEL = "1".
Specify which ports you want to allow:
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,953,993,995,2077,2078,2082,2083,2087"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873,953,2087,2089,2703"
# Allow incoming UDP ports
UDP_IN = "20,21,53,953"
# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,123,873,953,6277"
Common ports for reference:
21 => FTP
22 => SSH
23 => Telnet
25 => SMTP mail transfer
43 => WHOIS
53 => name server (DNS)
80 => HTTP (web server)
110 => POP protocol (for email)
443 => HTTP Secure (SSL for https://)
995 => POP over SSL/TLS
9999 => Urchin
3306 => MySQL server
2082 => cPanel default
2083 => cPanel - secure/SSL
2086 => cPanel WHM
2087 => cPanel WHM - secure/SSL
2095 => cPanel webmail
2096 => cPanel webmail - secure/SSL
8443 => Plesk control panel
2222 => DirectAdmin control panel
10000 => Webmin control panel
 
Disable the testing mode and start the firewall
nano /etc/csf/csf.conf
# Look for the TESTING line at the top of the file and set it to "0"
TESTING = "0"
# Now restart the firewall
csf -r
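Added example (my own code, not part of the original post): once the port lists above are in place, it is worth comparing what CSF allows with what the box is actually listening on. Rules for ports nobody listens on are dead weight that will silently expose any service added later, and listeners that are not in TCP_IN are only reachable while TESTING is still "1". The csf.conf text and the listening-port list below are constructed samples; on a live server feed it /etc/csf/csf.conf and the port column of ss -ltn.

```shell
#!/bin/sh
# Added example, not from the original post: audit a CSF TCP_IN list against
# the ports the server actually listens on.  Both inputs are CONSTRUCTED
# sample data so this runs offline.

SAMPLE_CSF_CONF='# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,953,993,995,2077,2078,2082,2083,2087"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873,953,2087,2089,2703"
TESTING = "1"'

# Constructed listening-port list, one port per line (what `ss -ltn` shows
# once reduced to port numbers).
SAMPLE_LISTENING='22
25
80
443
2087
3306'

# csf_get KEY CONF: print the quoted value of KEY from the csf.conf text.
csf_get() {
    printf '%s\n' "$2" |
        sed -n 's/^[[:space:]]*'"$1"'[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' |
        head -n 1
}

# csf_expand_ports LIST: turn "22,80,1000:1005" into one port per line,
# expanding CSF's lo:hi range syntax.
csf_expand_ports() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r item; do
        case $item in
            '')  ;;
            *:*) seq "${item%%:*}" "${item##*:}" ;;
            *)   printf '%s\n' "$item" ;;
        esac
    done
}

# ports_in_a_not_b A B: entries of A (newline separated) absent from B,
# printed on one space-separated line.
ports_in_a_not_b() {
    b=$(mktemp)
    printf '%s\n' "$2" > "$b"
    printf '%s\n' "$1" | grep -Fxv -f "$b" | tr '\n' ' ' | sed 's/ $//'
    rm -f "$b"
}

# Rules that admit traffic to ports where nothing listens: harmless today,
# but each one silently exposes any service that later binds that port.
allowed_not_listening() {
    ports_in_a_not_b "$(csf_expand_ports "$(csf_get TCP_IN "$1")")" "$2"
}

# Listeners that are only reachable because the firewall is not enforcing.
listening_not_allowed() {
    ports_in_a_not_b "$2" "$(csf_expand_ports "$(csf_get TCP_IN "$1")")"
}

# Returns 0 while csf.conf still has TESTING = "1": in that mode a cron job
# flushes the rules every few minutes, so nothing is really being blocked.
csf_in_testing_mode() {
    [ "$(csf_get TESTING "$1")" = "1" ]
}

if csf_in_testing_mode "$SAMPLE_CSF_CONF"; then
    echo "WARNING: TESTING = \"1\", the firewall is not enforcing its rules"
fi
echo "Allowed but nothing listening: $(allowed_not_listening "$SAMPLE_CSF_CONF" "$SAMPLE_LISTENING")"
echo "Listening but not allowed:     $(listening_not_allowed "$SAMPLE_CSF_CONF" "$SAMPLE_LISTENING")"
```

With the sample data the first report line lists 20, 21, 53, 110, 143 and so on (ports in TCP_IN with no listener), and the second lists 3306, which is exactly the kind of thing you want to notice before flipping TESTING to "0".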
 
 
SSHD hardening
/etc/ssh/sshd_config

1. Edit /etc/ssh/sshd_config
2. Look for the following line: #Port 22
3. Change the line so it looks like this: Port <number>
4. Save and close the file
5. Load the new configuration: service sshd reload
 
 
Disable direct root logins over SSH
Run SSH on a non-standard port. Moving SSH to a non-standard port avoids basic SSH port scans. Edit /etc/ssh/sshd_config and set: Port nnnn, where nnnn is a port of your choosing. Don't forget to open the port in the firewall first!
Before doing this, create the user admin with a password and add the user to the wheel group.
1. Edit /etc/ssh/sshd_config
2. Replace "Protocol 2,1" with "Protocol 2" and uncomment the line
3. Replace "PermitRootLogin yes" with "PermitRootLogin no"
Restart SSH
1. /etc/rc.d/init.d/sshd restart
This prevents the "root" user from logging in directly through SSH, and because every login is now tied to a named user we can easily trace the log file to find out who is doing what. Check SSH PasswordAuthentication. For ultimate SSH security, you might want to consider disabling PasswordAuthentication and only allowing access using PubkeyAuthentication.
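Added example (my own code, not part of the original post): a quick audit of an sshd_config for the directives this section touches. The point it demonstrates is that sshd uses the first occurrence of a directive, so appending "PermitRootLogin no" to the bottom of a file that already says "PermitRootLogin yes" changes nothing. Both config texts are constructed samples; on a live host pass "$(cat /etc/ssh/sshd_config)". The defaults assumed for absent directives (root login and password auth allowed, port 22, protocol 2) are the historical OpenSSH defaults, stated here as an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: audit sshd_config for the
# settings changed in this section.  Samples below are CONSTRUCTED.

SAMPLE_WEAK='#PermitRootLogin no
Protocol 2,1
PermitRootLogin yes
PermitRootLogin no
# Port and PasswordAuthentication left at their defaults'

SAMPLE_HARDENED='Port 2222
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes'

# sshd_effective KEY CONF: the value sshd will use for KEY.  Directive names
# are case-insensitive and the FIRST occurrence wins.  Lines inside Match
# blocks are conditional, so parsing stops at the first Match line.
sshd_effective() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    printf '%s\n' "$2" | awk -v k="$key" '
        /^[ \t]*#/ { next }                  # comment lines are inert
        tolower($1) == "match" { exit }      # conditional section begins
        tolower($1) == k { print $2; exit }  # first occurrence wins
    '
}

# sshd_findings CONF: one line per weak setting, nothing when all is well.
# Absent directives fall back to the assumed historical OpenSSH defaults.
sshd_findings() {
    conf=$1
    v=$(sshd_effective PermitRootLogin "$conf"); [ -n "$v" ] || v=yes
    if [ "$v" != no ]; then
        echo "PermitRootLogin=$v: set to no; log in as an unprivileged user, then su/sudo"
    fi
    v=$(sshd_effective PasswordAuthentication "$conf"); [ -n "$v" ] || v=yes
    if [ "$v" != no ]; then
        echo "PasswordAuthentication=$v: set to no once PubkeyAuthentication is working"
    fi
    v=$(sshd_effective Protocol "$conf"); [ -n "$v" ] || v=2
    if [ "$v" != 2 ]; then
        echo "Protocol=$v: allow only 2"
    fi
    v=$(sshd_effective Port "$conf"); [ -n "$v" ] || v=22
    if [ "$v" = 22 ]; then
        echo "Port=22: still on the default port (open the new port in CSF before moving)"
    fi
    return 0
}

echo "== weak sample =="; sshd_findings "$SAMPLE_WEAK"
echo "== hardened sample =="; sshd_findings "$SAMPLE_HARDENED"
```

The weak sample produces four findings, including PermitRootLogin=yes even though a later line says no; the hardened sample produces none, and the PasswordAuthentication inside its Match block is correctly ignored.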
 
Temporary space hardening
On a cPanel server this can be done with the script /scripts/securetmp
Check /tmp permissions. /tmp should be chmod 1777
Check /tmp ownership. /tmp should be owned by root:root
Check /var/tmp permissions. /var/tmp should be chmod 1777
Check /var/tmp ownership. /var/tmp should be owned by root:root
Check that /var/tmp is mounted as a filesystem. /var/tmp should either be symlinked to /tmp or mounted as a filesystem
Tmp hardening in a VPS
OpenVZ does not support the 'BINDMOUNT' option, so I created mount and umount scripts which automatically mount /tmp and /var/tmp on VE start and umount them on stop.
Here are the scripts:
$VEID.mount (in the /etc/vz/conf/ dir)
============================================================================
#!/bin/bash
# OpenVZ exports VEID to these hook scripts. The backing directories live in
# the container's private area; the bind mounts go onto its running root.
[ -d /vz/private/$VEID/var/rtmp ] || mkdir /vz/private/$VEID/var/rtmp
[ -d /vz/private/$VEID/var/rvtmp ] || mkdir /vz/private/$VEID/var/rvtmp
mount --bind /vz/root/$VEID/var/rtmp /vz/root/$VEID/tmp -o nosuid,noexec,nodev
mount --bind /vz/root/$VEID/var/rvtmp /vz/root/$VEID/var/tmp -o nosuid,noexec,nodev
# Older util-linux silently drops nosuid/noexec/nodev on the initial bind;
# a remount applies them for real. Verify with: mount | grep "/vz/root/$VEID"
mount -o remount,bind,nosuid,noexec,nodev /vz/root/$VEID/tmp
mount -o remount,bind,nosuid,noexec,nodev /vz/root/$VEID/var/tmp
=============================================================================
$VEID.umount (in the /etc/vz/conf/ dir)
=============================================================================
#!/bin/bash
# Unmount each bind mount only if it is actually present.
mount | grep -q "/vz/root/$VEID/tmp" && umount /vz/root/$VEID/tmp
mount | grep -q "/vz/root/$VEID/var/tmp" && umount /vz/root/$VEID/var/tmp
exit 0
==============================================================================
They should be placed as $VEID.mount and $VEID.umount in the /etc/vz/conf/ dir.
It will take effect after a VE restart.
Inside the VE, chmod the tmp directories to 777 with the sticky bit set (1777, as in the checks above).
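Added example (my own code, not part of the original post): the checks in this section as a script, so they can be repeated after every /scripts/securetmp run or VE restart. Mode and owner are read with GNU stat from a real directory; the mount-option check takes the text of a mounts table as an argument, so it runs here against the constructed /proc/mounts sample below instead of the live one.

```shell
#!/bin/sh
# Added example, not from the original post: check a temp directory for mode
# 1777, owner root:root and the nosuid,noexec,nodev mount options.  Assumes
# GNU stat.  SAMPLE_MOUNTS is CONSTRUCTED /proc/mounts content in which /tmp
# is a separate mount that lacks noexec and /var/tmp is not a mount at all.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev 0 0'

# dir_mode DIR: octal mode including the sticky bit, e.g. 1777.
dir_mode() { stat -c '%a' "$1"; }

# dir_owner DIR: owner:group, e.g. root:root.
dir_owner() { stat -c '%U:%G' "$1"; }

# mount_opts_missing MOUNTPOINT MOUNTS_TEXT: the hardening options absent
# from that mount, or "not-a-mount" when the path is not a mount point of
# its own (it then inherits whatever the parent filesystem allows).
mount_opts_missing() {
    mp=$1
    opts=$(printf '%s\n' "$2" | awk -v m="$mp" '$2 == m { print $4; exit }')
    if [ -z "$opts" ]; then
        echo "not-a-mount"
        return 0
    fi
    missing=""
    for want in nosuid noexec nodev; do
        case ",$opts," in
            *,"$want",*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    echo "${missing# }"
}

# check_tmp_dir DIR MOUNTS_TEXT: one finding per line, nothing when the
# directory matches the expectations above.
check_tmp_dir() {
    d=$1; mounts=$2
    [ "$(dir_mode "$d")" = 1777 ] || echo "$d: mode $(dir_mode "$d"), expected 1777 (world-writable with sticky bit)"
    [ "$(dir_owner "$d")" = root:root ] || echo "$d: owned by $(dir_owner "$d"), expected root:root"
    m=$(mount_opts_missing "$d" "$mounts")
    [ -z "$m" ] || echo "$d: mount options missing: $m"
    return 0
}

# Demo on a scratch directory so it runs without root; owner will differ.
demo=$(mktemp -d); chmod 1777 "$demo"
echo "mode of $demo: $(dir_mode "$demo")"
echo "/tmp is missing: $(mount_opts_missing /tmp "$SAMPLE_MOUNTS")"
echo "/var/tmp is missing: $(mount_opts_missing /var/tmp "$SAMPLE_MOUNTS")"
check_tmp_dir "$demo" "$SAMPLE_MOUNTS"
rmdir "$demo"
```

On the real box call check_tmp_dir /tmp "$(cat /proc/mounts)" and the same for /var/tmp; a "not-a-mount" finding for /var/tmp is exactly the "should be symlinked to /tmp or mounted as a filesystem" check from the list above.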
 

Installing mod_evasive
cd /usr/local/src
wget http://www.zdziarski.com/blog/wp-content/uploads/2010/02/mod_evasive_1.10.1.tar.gz
tar xfz mod_evasive_1.10.1.tar.gz
cd mod_evasive

For a cPanel server with Apache 2.x
/usr/local/apache/bin/apxs -cia mod_evasive20.c
nano /usr/local/apache/conf/httpd.conf
Add the following to httpd.conf:
==========================================
<IfModule mod_evasive20.c>
    # size of the per-child hash table of recent requests
    DOSHashTableSize 3097
    # block a client after 2 requests for the same page within 1 second
    DOSPageCount 2
    DOSPageInterval 1
    # or after 50 requests to the site within 1 second
    DOSSiteCount 50
    DOSSiteInterval 1
    # seconds a blocked client keeps getting 403
    DOSBlockingPeriod 300
</IfModule>
===========================================
/usr/local/cpanel/bin/apache_conf_distiller --update
 
 
host.conf hardening
To "harden" your /etc/host.conf file, just put the following into the file:
order bind,hosts
multi on
nospoof on
 
Hide Apache software version
To hide the information, add the following two Apache directives to the Apache configuration file.
ServerTokens ProductOnly
ServerSignature Off
/usr/local/cpanel/bin/apache_conf_distiller --update
 
Hide BIND DNS server version
Open your named.conf file, find the options { ... }; section and add inside it:
version "YOUR Message";
Save and close the file.
Restart named: # service named restart


cPanel/WHM tweaks

Disable all instances of IRC – BitchX, bnc, eggdrop, generic-sniffers, guardservices, ircd, psyBNC, ptlink. If you are using WHM you can do this in the Background Process Killer.
 
cPanel/WHM: set Shell Fork Bomb Protection.
Server Setup =>> Tweak Settings
Check the following items:
Under Domains: Prevent users from parking/adding on common internet domains (i.e. hotmail.com, aol.com)
Under Mail: Attempt to prevent pop3 connection floods
Default catch-all/default address behavior for new accounts - blackhole
Under System: Use jailshell as the default shell for all new accounts and modified accounts
Go to Server Setup =>> Tweak Security
Enable php open_basedir Protection
Enable mod_userdir Protection
Go to Server Setup =>> Manage Wheel Group Users
When setting up Feature Limits for resellers in Resellers =>> Reseller Center, under Privileges always disable "Allow Creation of Packages with Shell Access" and enable "Never allow creation of accounts with shell access"; under Root Access disable All Features.
Go to Service Configuration =>> FTP Configuration
Disable Anonymous FTP
Go to Account Functions =>> Manage Shell Access
Disable Shell Access for all users (except yourself)
Reject nobody from sending mails.
 
Compact Hardening Steps 
SSHD hardening ( Change root password, Disable direct root login, ssh port changing. etc )
Software upgrade
Installing and configuring firewall ( CSF and LFD )
MySQL optimization
Installing and scanning with rkhunter
Installing and scanning with clamav
Installing and scanning with Lynis ( Fixing security issues reported by it )
Installing mod evasive
Hardening sysctl.conf
Hide Apache Version
Hide Bind Version
 
 
 

Things to take care of during hardening

Check for web applications which use proc_open, popen, disk_free_space, diskfreespace, set_time_limit, leak, tmpfile, exec, system, shell_exec, passthru. If no application uses these functions, disable them in php.ini (the disable_functions directive).

Checking for programs with suid
find / -perm -4000 2>/dev/null

Checking for programs with sgid
find / -perm -2000 2>/dev/null
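Added example (my own code, not part of the original post): the two find commands above are most useful when you keep their output as a baseline and re-run the comparison from cron, because a setuid binary that was not there last week is one of the classic things to look for after a compromise. The script adds -xdev (stay on one filesystem) and -type f (directories use the setgid bit only to mean "inherit group"). The files it tests on are constructed in a temp directory; on a real host run it against /.

```shell
#!/bin/sh
# Added example, not from the original post: list setuid/setgid programs and
# diff them against a saved baseline so newly appeared ones stand out.
# -perm -4000 is the setuid bit, -perm -2000 the setgid bit.

# list_privileged ROOT: "setuid PATH" / "setgid PATH" lines under ROOT.
list_privileged() {
    root=$1
    find "$root" -xdev -type f -perm -4000 2>/dev/null | sed 's/^/setuid /'
    find "$root" -xdev -type f -perm -2000 2>/dev/null | sed 's/^/setgid /'
}

# baseline_save ROOT FILE: record the current set, sorted, in FILE.
baseline_save() {
    list_privileged "$1" | sort > "$2"
}

# baseline_new ROOT FILE: entries present now that were not in the baseline.
# Run from cron and mail the output; empty output is the healthy state.
baseline_new() {
    list_privileged "$1" | sort | comm -13 "$2" -
}

# Demo on CONSTRUCTED files: setting the bits on your own files in a scratch
# directory is harmless, it only marks them for the listing.
demo=$(mktemp -d)
touch "$demo/a" "$demo/b"
chmod 4755 "$demo/a"      # setuid
chmod 2755 "$demo/b"      # setgid
baseline_save "$demo" "$demo/.baseline"
touch "$demo/c"; chmod 4755 "$demo/c"   # appears after the baseline was taken
echo "current set:"; list_privileged "$demo"
echo "new since baseline:"; baseline_new "$demo" "$demo/.baseline"
rm -rf "$demo"
```

For production use, keep the baseline file somewhere the web and shell users cannot write (and ideally off the box), otherwise whoever plants the new binary can also edit it into the baseline.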
 
 
For further reference:

http://kevin.hatfieldfamilysite.com/?p=147
http://www.puschitz.com/SecuringLinux.shtml#SecuringSSH