From the moment a server goes live it is exposed to attacks by crackers (hackers), so as a system administrator you need to secure your Linux server to protect your data, intellectual property and time; this is where server hardening comes in. Securing a server is quite different from securing a desktop computer, for several reasons. By default, a desktop operating system is installed to provide the user with an environment that runs out of the box. Desktop operating systems are sold on the premise that they require minimal configuration and come loaded with as many applications as possible to get the user up and running. Conversely, a server's operating system should abide by the Principle of Least Privilege, which states that it should have only the services, software, and permissions necessary to perform the tasks it is responsible for.
We already covered some of these topics in earlier articles; some of them are linked here.
Here are some tips for server hardening (some already mentioned in my previous posts).
1) Removing Unnecessary Software Packages (RPMs)
An administrator should be crystal clear about the primary function or role of the Linux server, and should know what is installed on it. Therefore, it is critical to review the default list of software packages and remove the unneeded ones.
To get a list of all installed RPMs you can use the following command:
Remove the unneeded packages from the list.
On Linux servers, some services are enabled to start at boot by default.
It is safe to disable all services that are not needed, as they are a security risk and a waste of hardware resources. Read more.
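An added example (not from the original post) of how to review what is enabled at boot before switching services off: it parses the output format of `chkconfig --list` (SysV entries plus the "xinetd based services" section) and reports anything that starts in runlevel 3 but is absent from an allow-list. The sample output, the allow-list and the function names are constructed for illustration; on a real host you would pipe `chkconfig --list` into `unexpected_services`. The same diff-against-a-baseline approach applies to the installed package list from section 1.

```sh
#!/bin/sh
# Added example, not the post's script. Constructed sample of what
# `chkconfig --list` prints on a RHEL/CentOS 5 host.
SAMPLE_CHKCONFIG='acpid           0:off   1:off   2:on    3:on    4:on    5:on    6:off
bluetooth       0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd based services:
        rsync:  off
        telnet: on'

# Services a production server in this role is expected to run (constructed).
ALLOWED="acpid iptables sshd syslog"

# Read `chkconfig --list` output on stdin and print, one per line, every
# SysV service switched on in runlevel 3 and every xinetd-managed service
# that is on (prefixed "xinetd:").
services_on() {
    awk '
        /^xinetd based services:/ { xinetd = 1; next }
        xinetd && $2 == "on"      { sub(/:$/, "", $1); print "xinetd:" $1; next }
        !xinetd && $5 == "3:on"   { print $1 }
    '
}

# Print the services from services_on that the allow-list ($1, space
# separated) does not mention; these are the candidates for "chkconfig off".
unexpected_services() {
    allow=" $1 "
    services_on | while read -r svc; do
        case "$allow" in
            *" $svc "*) ;;          # expected, say nothing
            *) echo "$svc" ;;       # not on the allow-list: review it
        esac
    done
}

echo "Services enabled at boot but not on the allow-list:"
printf '%s\n' "$SAMPLE_CHKCONFIG" | unexpected_services "$ALLOWED"
```

Keeping the allow-list in version control per server role turns this into a repeatable audit rather than a one-off review.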
3) Reviewing Inittab and Boot Scripts
The inittab file /etc/inittab also describes which processes are started at boot and during normal operation. For example, Oracle uses it to start cluster services at boot. Therefore, make sure that every entry in /etc/inittab is legitimate in your environment.
I would at least remove the CTRL-ALT-DELETE trap entry to prevent accidental reboots:
The default runlevel should be set to 3 since in my opinion X11 (X Windows System) should not be running on a production server. In fact, it shouldn’t even be installed.
# grep ':initdefault' /etc/inittab
id:3:initdefault:
To have changes in /etc/inittab become effective immediately, you can run:
# init q
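An added example, not part of the original post, that audits and hardens a SysV-style inittab the way this section describes: it reports the default runlevel, whether the CTRL-ALT-DELETE trap is still active, and which commands will actually be spawned at the default runlevel so they can be reviewed, then sets initdefault to 3 and comments out the trap. The sample inittab and the function names are constructed; the file format assumed is the RHEL/CentOS 5 one (`id:runlevels:action:process`).

```sh
#!/bin/sh
# Added example, not the post's script. Constructed inittab sample in the
# RHEL/CentOS 5 format.
INITTAB_SAMPLE='# Default runlevel.
id:5:initdefault:

# System initialization.
si::sysinit:/etc/rc.d/rc.sysinit

l3:3:wait:/etc/rc.d/rc 3
l5:5:wait:/etc/rc.d/rc 5

# Trap CTRL-ALT-DELETE
ca::ctrlaltdel:/sbin/shutdown -t3 -r now

1:2345:respawn:/sbin/mingetty tty1

# Run xdm in runlevel 5
x:5:respawn:/etc/X11/prefdm -nodaemon'

# Print the default runlevel: field 2 of the active initdefault entry.
default_runlevel() {
    awk -F: '!/^[ \t]*#/ && $3 == "initdefault" { print $2; exit }' "$1"
}

# Succeed (exit 0) when an uncommented ctrlaltdel entry is present.
ctrlaltdel_active() {
    awk -F: '!/^[ \t]*#/ && $3 == "ctrlaltdel" { found = 1 } END { exit !found }' "$1"
}

# List the commands init will run at runlevel $2: wait/once/respawn entries
# whose runlevel field names it or is empty. These are the lines to review.
entries_for_runlevel() {
    awk -F: -v rl="$2" '
        /^[ \t]*#/ { next }
        ($3 == "wait" || $3 == "once" || $3 == "respawn") && ($2 == "" || index($2, rl)) { print $4 }
    ' "$1"
}

# Human-readable summary of the checks above.
audit_inittab() {
    rl=$(default_runlevel "$1")
    if [ "$rl" = 3 ]; then echo "initdefault: $rl (ok)"; else echo "initdefault: $rl (expected 3)"; fi
    if ctrlaltdel_active "$1"; then echo "ctrlaltdel: active (should be disabled)"; else echo "ctrlaltdel: disabled (ok)"; fi
    echo "commands spawned at runlevel ${rl:-?}:"
    entries_for_runlevel "$1" "$rl" | sed 's/^/  /'
}

# Set initdefault to 3 and comment out every active ctrlaltdel entry.
# Unlike sed "s/ca::ctrlaltdel:/#ca::ctrlaltdel:/", rerunning this never
# adds a second "#", and it matches the entry whatever its id field is.
harden_inittab() {
    tmp="$1.tmp.$$"
    awk -F: 'BEGIN { OFS = ":" }
        /^[ \t]*#/ { print; next }
        $3 == "initdefault" { $2 = "3" }
        $3 == "ctrlaltdel"  { $0 = "#" $0 }
        { print }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

demo_inittab="${TMPDIR:-/tmp}/inittab.example.$$"
printf '%s\n' "$INITTAB_SAMPLE" > "$demo_inittab"
echo "--- before"; audit_inittab "$demo_inittab"
harden_inittab "$demo_inittab"
harden_inittab "$demo_inittab"      # second run must be a no-op
echo "--- after";  audit_inittab "$demo_inittab"
```

After hardening, the `x:5:respawn` line no longer matters because runlevel 5 is never entered, which is the point the text makes about X11 on a production server; run `init q` afterwards for the change to take effect.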
4) Securing SSH
SSH is a great protocol and, as its name (Secure SHell) says, it is secure, but with the basic configuration it is still prone to attacks. There are ways to make SSH even more secure than it is by default. Read more
Automated authentication to the server using the RSA key authentication mechanism. Read more
6) Kernel Tuning
The following are some tunable kernel parameters you can use to secure your Linux server against attacks. Add these entries to the /etc/sysctl.conf configuration file to make the change permanent across reboots. To activate the configured kernel parameters immediately at runtime, use:
# sysctl -p
Disable IP Source Routing
net.ipv4.conf.all.accept_source_route = 0
Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
Enable Ignoring of Broadcast Requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
Enable Bad Error Message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
Enable Logging of Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1
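The hardening script later in this post applies the SSH and sysctl settings with `echo ... >> file`. For sshd_config that has a catch: sshd honours the first active occurrence of a keyword, so an appended `PermitRootLogin no` is silently ignored if a `PermitRootLogin yes` already exists higher up. The following added example (my code, not the post's script) sets a directive idempotently: an existing active or commented line for the key is replaced in place, and the line is only appended when the key is absent. It serves both section 4 (sshd_config, `Key value`) and this section (sysctl.conf, `key = value`). The sample files, paths under $TMPDIR and function names are constructed; it assumes the sshd_config contains no `Match` blocks.

```sh
#!/bin/sh
# Added example, not the post's script.
# set_directive FILE KEY VALUE [SEP]: rewrite FILE so that exactly one
# active "KEY<SEP>VALUE" line exists, at the position of the first existing
# (active or commented) line for KEY, or at the end if there was none.
# SEP defaults to a space (sshd_config); pass ' = ' for sysctl.conf.
set_directive() {
    file=$1 key=$2 value=$3 sep=${4:- }
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" -v sep="$sep" '
        {
            line = $0
            sub(/^[ \t]*#*[ \t]*/, "", line)    # drop leading blanks and "#"
            split(line, f, /[ \t=]+/)           # f[1] is the directive name
            if (tolower(f[1]) == tolower(key)) {
                if (!done) { print key sep value; done = 1 }  # first hit: rewrite
                next                                          # later hits: drop
            }
            print
        }
        END { if (!done) print key sep value }  # key was absent: append
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# first_active_value FILE KEY: the value sshd would use, i.e. the first
# non-comment occurrence. Handles both "Key value" and "key = value".
first_active_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { print ($2 == "=" ? $3 : $2); exit }
    ' "$1"
}

# Constructed sshd_config: root login is already allowed near the top, so
# appending "PermitRootLogin no" with >> would change nothing.
demo_sshd="${TMPDIR:-/tmp}/sshd_config.example.$$"
printf '%s\n' \
    'Port 22' \
    'PermitRootLogin yes' \
    '#X11Forwarding no' \
    'Subsystem sftp /usr/libexec/openssh/sftp-server' > "$demo_sshd"

set_directive "$demo_sshd" PermitRootLogin no      # replaces line 2
set_directive "$demo_sshd" X11Forwarding no        # uncomments line 3
set_directive "$demo_sshd" AllowTcpForwarding no   # absent: appended
echo "PermitRootLogin in effect: $(first_active_value "$demo_sshd" PermitRootLogin)"

# Constructed sysctl.conf with a weak setting that gets corrected in place.
demo_sysctl="${TMPDIR:-/tmp}/sysctl.conf.example.$$"
printf '%s\n' 'net.ipv4.ip_forward = 0' 'net.ipv4.conf.all.accept_redirects = 1' > "$demo_sysctl"
set_directive "$demo_sysctl" net.ipv4.conf.all.accept_redirects 0 ' = '
cat "$demo_sysctl"
```

Before restarting sshd with a rewritten file, `sshd -t` checks the syntax so a typo cannot lock you out of the box.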
The above are only a few hardening steps. There are many more, such as enforcing strong passwords, locking user accounts after too many login failures, restricting reuse of previous passwords, setting banners, etc.
Hardening five or six servers can be done quite easily in one go, but as the number of servers grows it becomes tiresome and time consuming. So why not run a script that does all the hardening jobs, with no time wasted? The script presented below can be customized according to your requirements.
#!/bin/bash
# Hardening script for a RHEL/CentOS 5 style host (SysV init, chkconfig).
# Run as root. The service lists reflect the author's Oracle database
# server and should be adjusted to the role of the server being hardened.

# Services that must not start at boot. Note that iptables and ip6tables
# are switched off here, so a host firewall has to come from elsewhere.
chkconfig autofs off
chkconfig avahi-daemon off
chkconfig avahi-dnsconfd off
chkconfig bluetooth off
chkconfig conman off
chkconfig cups off
chkconfig dhcdbd off
chkconfig firstboot off
chkconfig gpm off
chkconfig haldaemon off
chkconfig isdn off
chkconfig iptables off
chkconfig ip6tables off
chkconfig irda off
chkconfig irqbalance off
chkconfig kdump off
chkconfig kudzu off
chkconfig mcstrans off
chkconfig microcode_ctl off
chkconfig multipathd off
chkconfig netconsole off
chkconfig netfs off
chkconfig netplugd off
chkconfig nfs off
chkconfig nfslock off
chkconfig nscd off
chkconfig pcscd off
chkconfig portmap off
chkconfig rdisc off
chkconfig rhnsd off
chkconfig restorecond off
chkconfig rpcgssd off
chkconfig rpcidmapd off
chkconfig rpcsvcgssd off
chkconfig sendmail off
chkconfig smartd off
chkconfig winbind off
chkconfig wpa_supplicant off
chkconfig xfs off
chkconfig ypbind off
chkconfig yum-updatesd off

# Services this server role needs at boot.
chkconfig acpid on
chkconfig anacron on
chkconfig atd on
chkconfig cpuspeed on
chkconfig lvm2-monitor on
chkconfig messagebus on
chkconfig ntpd on
chkconfig network on
chkconfig oracle on
chkconfig oracleasm on
chkconfig readahead_early on
chkconfig readahead_later on
chkconfig syslog on
chkconfig sshd on

# Login banner, later referenced from sshd_config.
cat > /root/banner << EOF
|-----------------------------------------------------------------|
| This system is for the use of authorized users only.            |
| Individuals using this computer system without authority, or in |
| excess of their authority, are subject to having all of their   |
| activities on this system monitored and recorded by system      |
| personnel.                                                      |
|                                                                 |
| In the course of monitoring individuals improperly using this   |
| system, or in the course of system maintenance, the activities  |
| of authorized users may also be monitored.                      |
|                                                                 |
| Anyone using this system expressly consents to such monitoring  |
| and is advised that if such monitoring reveals possible         |
| evidence of criminal activity, system personnel may provide the |
| evidence of such monitoring to law enforcement officials.       |
|-----------------------------------------------------------------|
EOF
cat /root/banner

# inittab: default runlevel 3 (no X11) and no CTRL-ALT-DELETE reboot trap.
sed -i 's/id:5:initdefault:/id:3:initdefault:/g' /etc/inittab
sed -i 's/ca::ctrlaltdel:/#ca::ctrlaltdel:/g' /etc/inittab

# sshd: no root login, banner, no forwarding, no rhosts/host-based auth.
# The two echo lines append; sshd uses the first active occurrence of a
# keyword, so make sure no earlier PermitRootLogin/Banner line exists.
echo PermitRootLogin no >> /etc/ssh/sshd_config
echo Banner /root/banner >> /etc/ssh/sshd_config
sed -i 's/#AllowTcpForwarding yes/AllowTcpForwarding no/g' /etc/ssh/sshd_config
sed -i 's/#X11Forwarding no/X11Forwarding no/g' /etc/ssh/sshd_config
sed -i 's/X11Forwarding yes/#X11Forwarding yes/g' /etc/ssh/sshd_config
sed -i 's/#StrictModes yes/StrictModes yes/g' /etc/ssh/sshd_config
sed -i 's/#IgnoreRhosts yes/IgnoreRhosts yes/g' /etc/ssh/sshd_config
sed -i 's/#HostbasedAuthentication no/HostbasedAuthentication no/g' /etc/ssh/sshd_config
sed -i 's/#RhostsRSAAuthentication no/RhostsRSAAuthentication no/g' /etc/ssh/sshd_config
# Consider running "sshd -t" first so a broken config cannot lock you out.
service sshd restart

# Kernel network parameters from section 6, made persistent and applied now.
echo net.ipv4.conf.all.accept_source_route = 0 >> /etc/sysctl.conf
echo net.ipv4.conf.all.accept_redirects = 0 >> /etc/sysctl.conf
echo net.ipv4.icmp_echo_ignore_broadcasts = 1 >> /etc/sysctl.conf
echo net.ipv4.icmp_ignore_bogus_error_responses = 1 >> /etc/sysctl.conf
echo net.ipv4.conf.all.log_martians = 1 >> /etc/sysctl.conf
sysctl -p

# Create an administrative user (root only).
if [ $(id -u) -eq 0 ]; then
    read -p "Enter username : " username
    read -s -p "Enter password : " password
    echo
    # Anchor on "name:" so that "bob" does not match an existing "bobby".
    egrep "^$username:" /etc/passwd >/dev/null
    if [ $? -eq 0 ]; then
        echo "$username exists!"
        exit 1
    else
        # crypt() takes only the first two characters of the salt ("pa"),
        # so every account created this way shares one DES salt; a random
        # salt per account would be stronger.
        pass=$(perl -e 'print crypt($ARGV[0], "password")' "$password")
        useradd -m -p "$pass" "$username"
        [ $? -eq 0 ] && echo "User has been added to system!" || echo "Failed to add a user!"
    fi
else
    echo "Only root may add a user to the system"
    exit 2
fi