How to Secure Linux Servers

Basic Linux Server Security

  • Install Firewall (APF or CSF Firewall with BFD)
  • ModSecurity (Web application firewall)
  • ModEvasive (Prevent DDOS attacks)
  • Harden SSH server
  • Fix Open DNS Recursion
  • Install RKhunter
  • Install ClamAV (Antivirus)
  • XInet Servers Hardening (Disable Telnet/Finger or unwanted services)
  • Securing PHP
  • PortsEntry (tool to detect portscans)
  • Harden host.conf (against IP spoofing)
  • Check User Uploaded files
  • Secure /tmp Folders (noexec, nosuid)

This tutorial covers only basic Linux server security tips intended for Linux learners. I am writing this guide assuming that you are running CentOS 5 or a later version.

Install Firewall

The very first step in securing a server is installing a firewall (at least an iptables-based one) to close all unused or unwanted ports. Once the firewall is installed, it is often considered 50% of the work done. You can install the CSF firewall or the APF firewall. BFD (brute force detection) utilities often come bundled with the firewall.

We will install CSF (Config Security Firewall) as it is easy to install, has plenty of features and integrates easily with cPanel (if you are running it).

wget http://www.configserver.com/free/csf.tgz
tar zxf csf.tgz
cd csf
sh install.sh

Follow the installer and once installed, you can start the firewall.

csf -s    // start the firewall
csf -r    // restart the firewall
csf -f    // flush the rules (stop the firewall)

You can see the full installation tutorial here.

Harden SSH server

Very often you will see SSH attacks from bots trying to get access to your server by connecting to port 22 with an unlimited number of login attempts. Attacks coming from many different IPs can put a lot of load on your server. You can trace those failed attempts by checking your log files:

cat /var/log/secure
cat /var/log/messages
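As an added example (not part of the original tutorial), the following script turns those log lines into a per-address count of failed logins, which is the quickest way to see which hosts are hammering the server. The log lines inside it are constructed in the format sshd writes to /var/log/secure; point failed_ssh_logins at the real file to use it.

```shell
#!/bin/sh
# Added example, not from the original tutorial: summarise failed SSH logins per source
# address from /var/log/secure-style lines, so persistent bots stand out at a glance.
# Usage on a real server: failed_ssh_logins /var/log/secure

# Print "<failures> <ip>" for every address with at least one "Failed password" line,
# most frequent first. Only sshd lines are considered; "Accepted" logins are ignored.
failed_ssh_logins() {   # failed_ssh_logins LOGFILE
    grep 'sshd\[[0-9]*\]: Failed password' "$1" \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# The single address with the most failures (empty if there were none).
top_offender() {   # top_offender LOGFILE
    failed_ssh_logins "$1" | head -n 1 | awk '{ print $2 }'
}

# Constructed sample lines (not real traffic) in the format sshd writes to /var/log/secure.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:01:12 host sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:14 host sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:17 host sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar  3 10:02:01 host sshd[2110]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
Mar  3 10:02:30 host sshd[2115]: Failed password for invalid user test from 198.51.100.9 port 40100 ssh2
EOF

failed_ssh_logins "$SAMPLE_LOG"
echo "top offender: $(top_offender "$SAMPLE_LOG")"
```

On a live server the same counts are what a brute-force detector (such as the BFD bundled with CSF) reacts to automatically; run by hand they tell you which addresses to look at first.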

To harden your SSH server:

  • Run SSH on a port other than the default port 22
  • Disable root login
  • Use only protocol 2
  • Enable public key authentication
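One way to check a server against these four points and apply them, as an added example rather than code from the original tutorial. The sample sshd_config is constructed and port 2222 is an arbitrary choice. The script resolves directives the way sshd does (the first matching line wins), which is why the hardened lines are written at the top of the file instead of being appended.

```shell
#!/bin/sh
# Added example, not from the original tutorial: audit an sshd_config for the four
# hardening points above and apply them idempotently. The alternative port (2222) and
# the sample config are assumptions for illustration.

# Value of a directive as sshd resolves it: the first uncommented occurrence wins.
sshd_get() {   # sshd_get FILE DIRECTIVE
    awk -v d="$2" 'tolower($1) == tolower(d) && !f { print $2; f = 1 }' "$1"
}

# Print one line per hardening point that is not satisfied (nothing when all pass).
# A missing directive counts as not hardened, since it falls back to the build default.
sshd_audit() {   # sshd_audit FILE
    port=$(sshd_get "$1" Port)
    { [ -n "$port" ] && [ "$port" != "22" ]; } || echo "Port: still the default 22"
    [ "$(sshd_get "$1" PermitRootLogin)" = "no" ] || echo "PermitRootLogin: not set to no"
    [ "$(sshd_get "$1" Protocol)" = "2" ] || echo "Protocol: not pinned to 2"
    [ "$(sshd_get "$1" PubkeyAuthentication)" != "no" ] || echo "PubkeyAuthentication: disabled"
}

# Remove every existing (commented or live) copy of the four directives and put one
# authoritative copy of each at the TOP of the file. Top placement matters: sshd takes
# the first match, and lines appended at the end would fall inside any trailing
# "Match" block and apply only there.
sshd_harden() {   # sshd_harden FILE PORT
    f=$1; tmp="$1.tmp"
    {
        echo "# hardening applied by sshd_harden"
        echo "Port $2"
        echo "Protocol 2"
        echo "PermitRootLogin no"
        echo "PubkeyAuthentication yes"
        grep -Eiv '^[[:space:]]*#?[[:space:]]*(Port|Protocol|PermitRootLogin|PubkeyAuthentication)[[:space:]]' "$f" || true
    } > "$tmp" && mv "$tmp" "$f"
}

# Constructed sample of a stock sshd_config (not taken from any real server).
SSHD_SAMPLE=$(mktemp); SSHD_HARDENED=$(mktemp)
trap 'rm -f "$SSHD_SAMPLE" "$SSHD_HARDENED"' EXIT
cat > "$SSHD_SAMPLE" <<'EOF'
#Port 22
Protocol 2,1
PermitRootLogin yes
#PubkeyAuthentication yes
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
cp "$SSHD_SAMPLE" "$SSHD_HARDENED"
sshd_harden "$SSHD_HARDENED" 2222

echo "Findings before:"; sshd_audit "$SSHD_SAMPLE"
echo "Findings after:";  sshd_audit "$SSHD_HARDENED"
```

After changing the port, open the new port in the firewall installed above before restarting sshd, and keep your current session open until a fresh login on the new port has succeeded.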

You can see the full SSH hardening tutorial here

Disable Telnet & Other Unused Services

You may want to disable services like telnet, finger and other unwanted services running on your server under xinetd.

nano /etc/xinetd.d/telnet
// OR
nano /etc/xinetd.d/krb5-telnet

Look for the line disable=no and change it to disable=yes. Then turn the service off:

chkconfig telnet off

Hardening PHP for Security

PHP is the most popular scripting language for Apache and MySQL. You will need to disable system-level functions in the PHP configuration file.

nano /usr/local/lib/php.ini

Look for the following lines and make sure you have them set as below:

disable_functions = exec,system,shell_exec,passthru
register_globals = Off
expose_php = Off
magic_quotes_gpc = On

It is best to keep magic_quotes on, as otherwise your forms using POST may be used for SQL injection attacks.
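The following script, an added example and not code from the original tutorial, checks a php.ini against the settings listed above and applies the ones that are missing. The sample php.ini is constructed. magic_quotes_gpc is only reported, not required: it was deprecated in PHP 5.3 and removed in 5.4, and escaping input was never a substitute for parameterised queries, so on current PHP the line cannot be kept at all.

```shell
#!/bin/sh
# Added example, not from the original tutorial: check a php.ini against the settings
# listed above and apply any that are missing. The sample php.ini is constructed.
# magic_quotes_gpc is only reported, not required: it was deprecated in PHP 5.3 and
# removed in 5.4, and escaping input is not a substitute for parameterised queries.

# First uncommented "key = value" for KEY, with surrounding whitespace trimmed.
php_ini_get() {   # php_ini_get FILE KEY
    awk -F= -v k="$2" '
        /^[[:space:]]*[;#]/ { next }                       # comment line
        { key = $1; gsub(/[[:space:]]/, "", key) }
        key == k {
            v = substr($0, index($0, "=") + 1)
            sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
            print v; exit
        }
    ' "$1"
}

# Replace the live directive for KEY (or add it) so the file ends up with one copy.
# Appends at the end, which is fine for a single-section php.ini.
php_ini_set() {   # php_ini_set FILE KEY VALUE
    f=$1; tmp="$1.tmp"
    { grep -Ev "^[[:space:]]*$2[[:space:]]*=" "$f" || true; printf '%s = %s\n' "$2" "$3"; } > "$tmp" \
        && mv "$tmp" "$f"
}

# Print one finding per line for anything weaker than the settings above.
php_ini_audit() {   # php_ini_audit FILE
    disabled=$(php_ini_get "$1" disable_functions | tr -d ' ')
    for fn in exec system shell_exec passthru; do
        case ",$disabled," in
            *",$fn,"*) ;;
            *) echo "disable_functions: $fn is still callable" ;;
        esac
    done
    for key in register_globals expose_php; do
        case "$(php_ini_get "$1" "$key" | tr 'A-Z' 'a-z')" in
            off|0) ;;
            *) echo "$key: not Off" ;;
        esac
    done
}

# Constructed sample (not a real server's php.ini): two functions still enabled,
# register_globals on, expose_php already off, magic_quotes_gpc on as the text suggests.
PHP_SAMPLE=$(mktemp); PHP_FIXED=$(mktemp)
trap 'rm -f "$PHP_SAMPLE" "$PHP_FIXED"' EXIT
cat > "$PHP_SAMPLE" <<'EOF'
; constructed php.ini fragment
disable_functions = exec,system
register_globals = On
expose_php = off
magic_quotes_gpc = On
EOF
cp "$PHP_SAMPLE" "$PHP_FIXED"
php_ini_set "$PHP_FIXED" disable_functions "exec,system,shell_exec,passthru"
php_ini_set "$PHP_FIXED" register_globals Off
php_ini_set "$PHP_FIXED" expose_php Off

echo "Findings before:"; php_ini_audit "$PHP_SAMPLE"
echo "Findings after:";  php_ini_audit "$PHP_FIXED"
echo "magic_quotes_gpc = $(php_ini_get "$PHP_SAMPLE" magic_quotes_gpc) (informational only)"
```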

Disable Open DNS Recursion (DNS Server)

If you are running the BIND DNS server, you might want to check your DNS server statistics with dnstools.com. You don't want to allow recursive lookups to be performed on your server from anything other than local IPs; open recursion can also slow down your server.

nano /etc/named.conf

Under options { place the line:

options {
  recursion no;
  ...

Then restart BIND:

service named restart

You will also need to restrict zone transfers and notifications if you are running BIND 9. Refer to: DNS server hardening.
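As an added example (not code from the original tutorial), the script below reads the recursion settings out of the options block of a named.conf and classifies the server as open, restricted or recursion-off. The three sample configs are constructed. It also shows allow-recursion, a real BIND option, because recursion no stops the server recursing for your own local clients too; an ACL of localhost and localnets keeps those lookups working while still refusing recursion from the internet, which is the "other than local IP" case the text describes.

```shell
#!/bin/sh
# Added example, not from the original tutorial: read the recursion settings from the
# options block of a named.conf and classify the server. The three sample configs are
# constructed. allow-recursion is a real BIND option, shown here because "recursion no"
# also stops the server recursing for your own local clients; an ACL keeps that working
# while still refusing recursion from the internet.

# Print "recursion=<yes|no> allow-recursion=<acl|unset>" from the top level of the
# options block. // and # comments are stripped; per-view settings are not examined.
bind_recursion_settings() {   # bind_recursion_settings FILE
    awk '
        { line = $0; sub(/\/\/.*/, "", line); sub(/#.*/, "", line) }
        !inopt && line ~ /^[[:space:]]*options[[:space:]]*[{]/ { inopt = 1; depth = 0 }
        inopt {
            if (depth == 1 && line ~ /^[[:space:]]*recursion[[:space:]]/) {
                v = line
                sub(/^[[:space:]]*recursion[[:space:]]+/, "", v); sub(/[[:space:];].*/, "", v)
                rec = v
            }
            if (depth == 1 && line ~ /^[[:space:]]*allow-recursion[[:space:]]*[{]/) {
                v = line
                sub(/^[^{]*[{]/, "", v); sub(/[}].*/, "", v); gsub(/[[:space:]]/, "", v)
                acl = v
            }
            depth += gsub(/[{]/, "{", line)    # track nesting so inner "};" lines
            depth -= gsub(/[}]/, "}", line)    # do not end the options block early
            if (depth == 0) inopt = 0
        }
        END {
            if (rec == "") rec = "yes"         # BIND default when the directive is absent
            if (acl == "") acl = "unset"
            print "recursion=" rec " allow-recursion=" acl
        }
    ' "$1"
}

# off: no recursion at all; restricted: recursion limited by an ACL; open: recursion on
# with no ACL. "unset" is treated as open because the build default on older BIND
# releases (9.3, as shipped with CentOS 5) answers recursive queries from any address.
bind_recursion_status() {   # bind_recursion_status FILE
    case "$(bind_recursion_settings "$1")" in
        recursion=no*)          echo "off" ;;
        *allow-recursion=unset) echo "open" ;;
        *)                      echo "restricted" ;;
    esac
}

NAMED_OPEN=$(mktemp); NAMED_LOCAL=$(mktemp); NAMED_OFF=$(mktemp)
trap 'rm -f "$NAMED_OPEN" "$NAMED_LOCAL" "$NAMED_OFF"' EXIT

# Constructed: recursion left at its default and no ACL.
cat > "$NAMED_OPEN" <<'EOF'
options {
    directory "/var/named";
};
zone "example.com" { type master; file "example.com.zone"; };
EOF

# Constructed: recursion kept for local clients only, zone transfers refused.
cat > "$NAMED_LOCAL" <<'EOF'
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { localhost; localnets; };   # local clients only
    allow-transfer { none; };
};
EOF

# Constructed: the setting the text above recommends.
cat > "$NAMED_OFF" <<'EOF'
options {
    directory "/var/named";
    recursion no;
};
EOF

for f in "$NAMED_OPEN" "$NAMED_LOCAL" "$NAMED_OFF"; do
    echo "$(bind_recursion_status "$f"): $(bind_recursion_settings "$f")"
done
```

Run it against /etc/named.conf after editing; anything that classifies as open is still answering recursive queries for the whole internet.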

Install Mod_Security

ModSecurity is a free, open source web application firewall which can help you guard against LFI (local file inclusion) attacks and SQL injection vulnerabilities.

cPanel Installation:

Just go to cPanel WHM > Plugins > Enable Mod_Security > Save. That should install mod_security in your cPanel. Under Apache it should show under installed modules if you run a test.php with phpinfo() in it. Try adding some mod_security rules.

Source Installation:

Installing mod_security from source can sometimes be complicated. Don't use apxs for compiling mod_security, as it causes a number of problems.

Note: mod_security needs the libxml2 and httpd-devel libraries before it can be installed. It also requires mod_unique_id to be enabled in the Apache modules. To enable mod_unique_id, you have to place

LoadModule unique_id_module modules/mod_unique_id.so

in your httpd.conf file.

yum install libxml2 libxml2-devel httpd-devel

Download the latest version of mod_security for Apache 2 from http://www.modsecurity.org:

wget http://www.modsecurity.org/download/modsecurity-apache_2.5.4.tar.gz
tar zxf modsecurity-apache_2.5.4.tar.gz
cd modsecurity-apache_2.5.4
cd apache2

Then build it. If you cannot find ./configure, you will need to edit the Makefile and set top_dir = /usr/lib/httpd (for CentOS).

make
make install

Next, copy the rule files you want (you can also select the minimal rules file which comes with the source). Make a directory named modsecurity under /etc/httpd/conf and copy all the mod_security rules there. Finally, include those files in the httpd.conf file:

# /etc/httpd/conf/httpd.conf
LoadModule unique_id_module modules/mod_unique_id.so
LoadFile /usr/lib/libxml2.so
LoadModule security2_module modules/mod_security2.so
Include conf/modsecurity/*.conf

Then restart Apache:

/etc/init.d/httpd restart

Log Files

Watch the log files to detect any errors or intrusion activity:

/var/log/httpd/modsec_audit
/var/log/httpd/error_log

If you get any errors, I have compiled a list of errors seen while compiling; see here.

Install Mod_Evasive

The ModEvasive module for Apache offers protection against DDoS (denial of service) attacks on your server.

wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
tar zxf mod_evasive_1.10.1.tar.gz
cd mod_evasive

Then run the following command for Apache 2. This will compile, install and activate the module on your server:

/usr/sbin/apxs -cia mod_evasive20.c

Once mod_evasive is installed, place the following lines in your /etc/httpd/conf/httpd.conf:

<IfModule mod_evasive20.c>
  DOSHashTableSize 3097
  DOSPageCount 2
  DOSSiteCount 50
  DOSPageInterval 1
  DOSSiteInterval 1
  DOSBlockingPeriod 10
</IfModule>

Follow the instructions in the README for further tuning of mod_evasive.

Install RkHunter (Rootkit)

RkHunter is a rootkit scanner that scans for vulnerabilities, insecure files and backdoors on your system and reports them so that you can further harden the server. Installing RkHunter is very easy!

yum install rkhunter

To run checks on your system:

rkhunter --checkall
// OR
rkhunter -c

You can find what command options are available under rkhunter by issuing the help command:

rkhunter --help

Install PortsEntry

PortSentry is a tool to detect port scans and log them. Download the source package of PortSentry from sourceforge.net:

wget http://path/to/portsentry-1.2.tar.gz
tar zxf portsentry-1.2.tar.gz

Change into the extracted source directory, then:

make linux
make install

If you get errors like the following while compiling:

make linux
SYSTYPE=linux
Making
gcc -O -Wall -DLINUX -DSUPPORT_STEALTH -o ./portsentry ./portsentry.c \
./portsentry_io.c ./portsentry_util.c
./portsentry.c: In function ‘PortSentryModeTCP’:
./portsentry.c:1187: warning: pointer targets in passing argument 3 of ‘accept’ differ in signedness
./portsentry.c: In function ‘PortSentryModeUDP’:
./portsentry.c:1384: warning: pointer targets in passing argument 6 of ‘recvfrom’ differ in signedness
./portsentry.c: In function ‘Usage’:
./portsentry.c:1584: error: missing terminating " character
./portsentry.c:1585: error: ‘sourceforget’ undeclared (first use in this function)
./portsentry.c:1585: error: (Each undeclared identifier is reported only once
./portsentry.c:1585: error: for each function it appears in.)
./portsentry.c:1585: error: expected ‘)’ before ‘dot’
./portsentry.c:1585: error: stray ‘\’ in program
./portsentry.c:1585: error: missing terminating " character
./portsentry.c:1595: error: expected ‘;’ before ‘}’ token
make: *** [linux] Error 1

To fix:

Open portsentry.c and look for the following line. There will be an extra carriage return breaking the line; delete it so the statement is on a single line. It should look like below:

printf ("Copyright 1997-2003 Craig H. Rowland <craigrowland at users dot sourceforget dot net>\n");

Then run make and make install. That should fix it!
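The same repair done mechanically, as an added example that is not part of the original tutorial: the function joins the line ending in <craigrowland to the line that follows it, so the fix can be scripted instead of edited by hand. The source fragment it runs on is constructed to reproduce the break shown in the compiler output above.

```shell
#!/bin/sh
# Added example, not from the original tutorial: repair the broken printf() line in
# portsentry.c mechanically instead of by hand. The sample source fragment is
# constructed to reproduce the break described above.

# Join the line ending in "<craigrowland" with the next one, collapsing the leading
# whitespace of the continuation to a single space; stray CR characters are dropped
# first in case the file has Windows line endings.
fix_portsentry_copyright() {   # fix_portsentry_copyright portsentry.c
    tr -d '\r' < "$1" | sed '/<craigrowland$/{N;s/\n[[:space:]]*/ /;}' > "$1.fixed" \
        && mv "$1.fixed" "$1"
}

# Number of lines in a file (used to show the join removed exactly one line).
line_count() { wc -l < "$1" | tr -d ' '; }

SRC=$(mktemp)
trap 'rm -f "$SRC"' EXIT
cat > "$SRC" <<'EOF'
void Usage (void)
{
  printf ("Copyright 1997-2003 Craig H. Rowland <craigrowland
at users dot sourceforget dot net>\n");
}
EOF
echo "before: $(line_count "$SRC") lines"
fix_portsentry_copyright "$SRC"
echo "after:  $(line_count "$SRC") lines"
cat "$SRC"
```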

To launch portsentry

/usr/local/psionic/portsentry/portsentry -stcp

  /usr/local/psionic/portsentry/portsentry -sudp

Check the log file /var/log/secure to see whether PortSentry is active.

Prevent IP Spoofing

IP spoofing is a security exploit that can be prevented by placing nospoof on in the host.conf file. Edit the host.conf file and place the following lines. If you run BIND, give it preference:

order bind,hosts
nospoof on

Install ClamAV

Antivirus protection is the last thing you need for your security, to protect against worms and trojans invading your mailbox and files! Just install ClamAV (a free, open source antivirus for Linux). More information can be found on the ClamAV website.

yum install clamav

Once you have installed ClamAV on your CentOS box, here are some of the basic commands for using the software.

1. To update the antivirus database

freshclam

2. To run the antivirus

clamscan -r /home

3. Running as a daily cron job

To run the antivirus as a cron job (automatically scan daily), just run crontab -e from your command line. Then add the following line and save the file.

02 1 * * * clamscan -r /var/www

This will run the cron job daily at 1:02 AM, scanning the public HTML directory. You can change the folder to whatever you want, e.g. for mail.

That's it! Always keep an eye on the log files for any attacks or error messages!

Source: http://www.mysql-apache-php.com/basic-linux-security.htm
