How can I "harden" my server?

Posted by jalapeno55, 04-15-2008, 01:21 PM
How can I "harden" my server? And what exactly does harden mean?

Posted by ServerSurgeon George, 04-15-2008, 01:26 PM
Firewall Installation/Configuration and Login Failure Daemon:
If it is a cPanel server then proceed to configuring the firewall further via WHM.
If it is a non-cPanel server then edit /etc/csf/csf.conf and set up TCP_IN, TCP_OUT, UDP_IN, UDP_OUT with the required ports.
After you are happy with the firewall config set TESTING to "0" and restart the firewall.

Remove unused processes:
Just remove the cups, samba and portmap packages.

Install Logwatch:
The default answers are fine. Edit /etc/logwatch/conf/logwatch.conf and change:
MailTo = your@email.com
Print = No

OpenSSH configuration check:
Edit /etc/ssh/sshd_config and change:
Protocol 2
PermitRootLogin no (if needed)

Rootkit Hunter, Chkrootkit:

Full OS Patching/Updating:
Depending on the OS.

Name server configuration check:
edit /etc/named.conf and add: to the "options" section and restart BIND

Secure /tmp /var/tmp /dev/shm:
Edit /etc/fstab and change to match:
tmpfs /dev/shm tmpfs defaults,nosuid,noexec 0 0
tmpfs /tmp tmpfs defaults,nosuid,noexec 0 0
(the spaces are TABS)
Run:

Delete unnecessary OS users:
Investigate /etc/passwd and depending on each server remove users that are not used (usually users left behind by applications that were installed).

Remove SUID/GUID from binaries:
This is done by LES when management is set up.

mod_security:
http://www.gotroot.com/tiki-index.ph...20mod_security

LSM Installation:
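The /tmp, /var/tmp and /dev/shm step above is easy to get half right (one mount point fixed, another forgotten, or noexec dropped on a later edit). The following is an added audit script, not code from the thread; it reads an fstab-format file and reports whether each of those three mount points carries nosuid and noexec. The sample fstab is constructed.

```shell
#!/bin/sh
# Added example: audits an fstab-style file for the nosuid,noexec options
# recommended on /tmp, /var/tmp and /dev/shm. The sample fstab below is
# constructed; point audit_fstab at /etc/fstab on a real host.

# audit_fstab FILE -> prints one line per mount point, returns 1 if any fails
audit_fstab() {
    file="$1"
    rc=0
    for mp in /tmp /var/tmp /dev/shm; do
        # 2nd field is the mount point, 4th is the option list; skip comments
        opts=$(awk -v mp="$mp" '$1 !~ /^#/ && NF >= 4 && $2 == mp { print $4 }' "$file" | tail -n 1)
        if [ -z "$opts" ]; then
            echo "$mp: no fstab entry (inherits the parent filesystem's options)"
            rc=1
            continue
        fi
        missing=""
        for want in nosuid noexec; do
            case ",$opts," in
                *,"$want",*) ;;
                *) missing="$missing $want" ;;
            esac
        done
        if [ -z "$missing" ]; then
            echo "$mp: ok ($opts)"
        else
            echo "$mp: MISSING$missing (has: $opts)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: /dev/shm is hardened, /tmp lacks noexec, /var/tmp absent
SAMPLE_FSTAB=$(mktemp)
printf '%s\n' \
  '# /etc/fstab (constructed sample)' \
  '/dev/sda1  /         ext3   defaults                1 1' \
  'tmpfs      /dev/shm  tmpfs  defaults,nosuid,noexec  0 0' \
  'tmpfs      /tmp      tmpfs  defaults,nosuid         0 0' > "$SAMPLE_FSTAB"

audit_fstab "$SAMPLE_FSTAB" || echo "fstab hardening incomplete"
```

A passing fstab is only half the story: compare against `mount` output as well, since an edited fstab changes nothing until the filesystem is remounted.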

Posted by jalapeno55, 04-15-2008, 01:46 PM
Thanks! I don't understand that one though. What are the suid/guid binaries? And what is LES?

Posted by ServerSurgeon George, 04-15-2008, 01:52 PM
Sorry for that. Here's how you set up LES: It secures all the binaries that hackers often use to download stuff onto the server via vulnerable php scripts.

Posted by hbhb, 04-15-2008, 11:19 PM
so useful, can the admin move this to how-to's and pin it?

Posted by spal911, 04-15-2008, 11:58 PM
LES (Linux Environment Security) Installation
LES Run

Disable SSH root access
Create a user if needed.
Add user to the wheel group and make sure users in the wheel group can sudo.
Deny root ssh.
Change the SSH port 22 to 2099 for example: uncomment Port and change 22 to 2099.

Posted by jalapeno55, 04-22-2008, 11:29 PM
How do I do that? yum remove cups?

Posted by HostingDeals, 04-22-2008, 11:34 PM
izghitu, holy!!! Nice post. I saved this to my EverNote. Thanks.

Posted by domainworldaccess, 04-23-2008, 01:04 AM
Anything that "fails" to stop was not installed. Please make sure you do not need any of these services before disabling them:

Posted by jw0ollard, 04-23-2008, 12:41 PM
Is anything above 1024 slow for SSH? Sorry, I'm new to this. The example port 2099, is this just completely arbitrary? I tried a port close to this number and I couldn't even type it was so slow. I thought also maybe such a high # was suggested because #'s above 1024 were also somehow safer. I re-edited the conf file, and put the port # somewhere between 22 and 1024 and now it is fine. *shrug*

Posted by spal911, 04-28-2008, 06:00 PM
You can use any port for the SSH connection and any port above 1024 shouldn't be slow for SSH.

Posted by xeonfan, 04-28-2008, 06:43 PM
I sometimes see SSH is slow when accessed from slow dialup connections. You can check your internet connection speed. Although SSH doesn't need much bandwidth, it does need a constant, stable connection.

Posted by ub3r, 04-28-2008, 06:54 PM
Disable password authentication in ssh and only allow key-based authentication.

Posted by jalapeno55, 05-01-2008, 06:02 PM
What do these do: pcscd, avahi-daemon, cups?

Posted by blueroomhosting, 05-01-2008, 08:07 PM
There is another way of looking at root SSH access. If you are routinely going to ssh onto a box and then "su -" you have just created another attack vector. Now someone can get root just by compromising your non-root account and setting up a malicious su. Root is (hopefully) the most protected account on the system; the same can't be said for your normal user account, so this new attack vector really weakens your security.

The reason people recommend against going in as root is simply that if you have to login as another user then the attacker has to guess two things: the username and the password. But depending on how much an attacker can find out about the owner of a system the username might be quite easy to guess (often seen on emails etc.), so you would be better off using a longer password. Having said that, I think it is better not to use a password at all, then it can't be guessed. Setting sshd to only accept public keys and using strong identities (and with strong pass phrases) is much more secure.

Changing the port is rather pointless too. Yes it might stop the bots from taking pot shots at you (but they won't if you only allow public key authentication anyway), but anyone interested in finding out what port your sshd is running on only has to run nmap.

If you notice poor performance on high port numbers this can be due to packet shaping somewhere along the line. I know my ISP considers ssh connections to be interactive and thus prioritizes the packets. I would probably lose this benefit if it were running on another port.

Remember that security starts right in front of you: your username, password, pass phrase and random port are all useless if the machine you are logging in from is compromised. One key logger is all that is required. If you are truly paranoid you might want to set up a secure terminal that runs nothing but the OS and is used for nothing but ssh connections to your server.

Jim
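George's sshd_config lines, ub3r's "key-based authentication only" and Jim's reply all come down to a handful of sshd_config keywords. The script below is an added example, not from any poster, that checks a config file for those settings. It mirrors sshd's rule that the first occurrence of a keyword wins, so a "PermitRootLogin no" appended after an earlier "yes" is silently ignored; the defaults assumed for absent keywords (PermitRootLogin yes, PasswordAuthentication yes, PubkeyAuthentication yes, Protocol 2,1) are those of OpenSSH releases of the thread's era and are an assumption. The sample config is constructed.

```shell
#!/bin/sh
# Added example: audits an sshd_config for the thread's recommendations
# (Protocol 2, PermitRootLogin no, key-only auth). Like sshd, it honours the
# FIRST uncommented occurrence of each keyword. Defaults for absent keywords
# are assumed (OpenSSH of the time); sample config is constructed.

# sshd_opt FILE KEYWORD -> value of the first uncommented occurrence, or ""
sshd_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        $1 !~ /^#/ && tolower($1) == key { print $2; exit }' "$1"
}

# audit_sshd FILE -> one line per check; returns 1 if any check fails
audit_sshd() {
    rc=0
    # keyword : required value : assumed default when the keyword is absent
    for spec in "Protocol:2:2,1" "PermitRootLogin:no:yes" \
                "PasswordAuthentication:no:yes" "PubkeyAuthentication:yes:yes"; do
        key=${spec%%:*}; rest=${spec#*:}; want=${rest%%:*}; dflt=${rest#*:}
        val=$(sshd_opt "$1" "$key"); note=""
        [ -n "$val" ] || { val=$dflt; note=" (assumed default, keyword absent)"; }
        if [ "$val" = "$want" ]; then
            echo "ok    $key $val$note"
        else
            echo "FAIL  $key is '$val'$note, want '$want'"
            rc=1
        fi
    done
    port=$(sshd_opt "$1" Port)
    echo "info  Port ${port:-22 (default)}"   # reported only; not a control
    return $rc
}

# Constructed sample: root login is "no" only in a later, ignored duplicate,
# and password auth is disabled only in a commented-out line
SAMPLE_SSHD=$(mktemp)
printf '%s\n' \
  '# sshd_config (constructed sample)' \
  'Port 2099' \
  'Protocol 2' \
  'PermitRootLogin yes' \
  '#PasswordAuthentication no' \
  'PermitRootLogin no' > "$SAMPLE_SSHD"

audit_sshd "$SAMPLE_SSHD" || echo "sshd_config needs attention"
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check; this script is useful for reviewing a file before it is deployed.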