[TuT] Linux how to harden install


Mavrick4283
Veteran Member
Join Date: Apr 2010
Location: 127.0.0.1@root
08-30-2011, 02:32   [TuT] Linux how to harden install   #1

As I said before in my iptables tut, I am making a tut on how to help keep hackers and script kiddies out of your server. First off I want to say that I am in no way an expert on everything security, tho I like to think I have advanced knowledge. I am in school for network security, so the information here is not being pulled out my ass; I am doing my research.

Any talk about exploits // hacks that includes download links or tells the players how to use them will be removed.

Also, any talk about illegal actions such as DDoS/DoS attacks will also be removed.

Also, I do not want this turning into a thread about how to hack into other people's servers; anything along those lines will be removed....


That being said, if you have a way you use to help protect your servers, feel free to post it, or PM me if you do not want to let people know which communities are using what.


There is not one way to protect your servers; it is a combo of things that will help you keep your data safe. For example, just because you are running a firewall that does not allow any traffic but your server's does not mean that your server can not be compromised. But if you are running that firewall and the server in a jail, it will be much harder for a person to damage your server, but once again not impossible. What I am trying to do is give an intro into security and some concepts that people use to get into your servers.

Basics:

Updates: this one is just common sense: keep your server and the running software up to date. Not only does this add new features to them, but it fixes bugs and exploits.
Code:
Red Hat, Fedora, CentOS, and other Red Hat derivatives:
yum upgrade

Debian, Ubuntu, Knoppix, and other Debian derivatives:
apt-get update
apt-get upgrade
apt-get dist-upgrade
Unneeded accounts: As with most OSes, Linux has extra accounts that do not need to be able to log in interactively, such as www or mysql. This can be done many ways, but here are some of the most common.

Forcing the default shell to nologin

Code:
nano /etc/passwd

Change the default shell from /bin/bash, or whatever shell you are using, to:

/sbin/nologin
Lock the account
Code:
passwd -l <account name>
Disable ssh access

Code:
nano /etc/ssh/sshd_config

AllowUsers  <Accountname1> <Accountname2>
SSH: As with updates, you want to change this to use a different port and the best authentication // encryption it can.

Because ssh is a service, it simply has a config file to change it around.

Quit being lazy and read the man pages so you know everything it can do...
Code:
http://linux.die.net/man/5/ssh_config
Here are some of the things you should be looking at, tho.
Code:
Protocol 2 

AllowUsers user1 user2

Ciphers blowfish-cbc,aes256-cbc,aes256-ctr

PasswordAuthentication no

PermitRootLogin no 

Subsystem sftp /usr/libexec/sftp-server

Unneeded services: As with all OSes, when you install the system there are things that run that you probably do not need or want, such as a web server on your gaming box.

To see what ports are being used and what is using them type:
Code:
lsof -i
You should get a printout like this.


To turn off any services that I do not want to run:
Code:
/etc/init.d/<service name> stop

#to stop it from starting with the systems
chkconfig --del <service>
Harden the file system: this is often overlooked, but you want to make sure that your file swaps are not dynamic and nothing can be exec'd on it, to prevent exploits.

For this we have to make sure there is no X server running. (If you have any problems with the file systems being in use, also do this.)
Code:
init 1
Now to start editing the file system. It is a REALLY good idea to have a full backup before you try this.
Code:
#Clean out /tmp....
rm -r /tmp/.[a-zA-Z]*

#Open / edit /etc/fstab
nano /etc/fstab

#Add this to the file
none /tmp tmpfs rw,noexec,nosuid,nodev,size=100000000 0 0

#Do the same for var,home,usr but use the following flags.
/var	nosuid,nodev,noexec

/home	nosuid,nodev

/usr	nodev
Harden root authentication: OK, even tho you can not log in as root directly with ssh, you can still use su to become root; this is bad. You only want 1 or 2 accounts MAX to have rights to become root.

Code:
#Make certain that the file /etc/pam.d/login contains the line:
auth required /lib/security/pam_securetty.so


#Specify that no device is trusted for root login:
cp /etc/securetty /etc/securetty-BACKUP
echo "null" > /etc/securetty
#Now we have to make the wheel account
Code:
#Create a group wheel (and if you already have one, don't worry about any error message at the groupadd command):

groupadd -r wheel

#Add the desired users to the group wheel (and you must add at least one!):
#-a keeps the user's existing supplementary groups; -G on its own would replace them

usermod -a -G wheel <account>


#Change the group affiliation of the su command, and make it remain setuid as root and executable only by group wheel members:

chgrp wheel /bin/su
chmod 4750 /bin/su

#Test to verify that group wheel members can use su to become root BEFORE you close your root session.
Just because only your user can become root does not mean you can use a simple password for it....

I will be adding more as requested
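The "lsof -i" step in the post above, as an added example that is not part of the original post: a small POSIX sh script that reduces "lsof -i -P -n" output to a list of listening sockets and flags any that are not on an allow list of expected ports. The lsof output embedded in it is constructed for the example (the process names, PIDs and ports are made up), and the function names and the "port/proto" allow-list format are my own, not anything lsof provides.

```shell
#!/bin/sh
# Added example, not code from the post above: turn 'lsof -i -P -n' output into
# a short list of listening sockets and flag any port that is not on an allow
# list. The lsof output below is constructed for the example; on a real box
# replace the file with:  lsof -i -P -n > /tmp/lsof.txt

SAMPLE_LSOF=$(mktemp)
trap 'rm -f "$SAMPLE_LSOF"' EXIT
cat > "$SAMPLE_LSOF" <<'EOF'
COMMAND       PID       USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd          812       root    3u  IPv4  11823      0t0  TCP *:22 (LISTEN)
apache2      1501       root    4u  IPv6  14201      0t0  TCP *:80 (LISTEN)
mysqld       1320      mysql   10u  IPv4  13977      0t0  TCP 127.0.0.1:3306 (LISTEN)
srcds_linux  2210 gameserver    6u  IPv4  20110      0t0  UDP *:27015
sshd         2400       root    3u  IPv4  22001      0t0  TCP 10.0.0.5:22->10.0.0.9:51234 (ESTABLISHED)
EOF

# Print one "port/proto command user (pid N)" line per listening TCP socket or
# bound UDP socket, lowest port first. Established connections are skipped.
# lsof columns: 1 COMMAND, 2 PID, 3 USER, 8 NODE (TCP/UDP), 9 NAME, 10 state.
listening_sockets() {
    awk 'NR > 1 && (($8 == "TCP" && $10 == "(LISTEN)") || $8 == "UDP") {
            port = $9; sub(/.*:/, "", port)          # keep text after the last ":"
            printf "%s/%s %s %s (pid %s)\n", port, tolower($8), $1, $3, $2
         }' "$1" | sort -n
}

# Print every listener whose port/proto is not in the space-separated allow
# list given as $2, e.g. "22/tcp 27015/udp" for an SSH-managed game server.
unexpected_listeners() {
    listening_sockets "$1" | while read -r sock rest; do
        case " $2 " in
            *" $sock "*) ;;                          # expected, say nothing
            *) echo "$sock $rest" ;;
        esac
    done
}

echo "== listening sockets =="
listening_sockets "$SAMPLE_LSOF"
echo "== not on the allow list (candidates for /etc/init.d/<service> stop) =="
unexpected_listeners "$SAMPLE_LSOF" "22/tcp 27015/udp"
```

With the constructed input the allow list "22/tcp 27015/udp" leaves apache2 on 80/tcp and mysqld on 3306/tcp flagged, which is exactly the "web server on your gaming box" case the post describes. The parser keys on lsof's NODE and state columns rather than on column positions of the NAME field, so it also copes with IPv6 listeners whose bind address contains colons.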
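The unneeded-accounts, SSH and file-system steps of the post above, as one added example that is not part of the original post: a read-only POSIX sh audit that checks a passwd file for accounts that still have an interactive shell, reads the sshd_config settings the post singles out, and verifies that the fstab mount options match the noexec/nosuid/nodev list the post gives. The three input files are constructed for the example (the account names, UUIDs and the two weak settings are made up); the function names are my own. Pointing the functions at /etc/passwd, /etc/ssh/sshd_config and /etc/fstab audits a real server without changing anything.

```shell
#!/bin/sh
# Added example, not code from the post above: audit the account, sshd and
# fstab settings the checklist asks for. The three input files are constructed
# for the example; point the functions at /etc/passwd, /etc/ssh/sshd_config
# and /etc/fstab to audit a real server (read-only, nothing is changed).

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/sh
mysql:x:106:110:MySQL Server:/nonexistent:/bin/false
admin:x:1000:1000:admin:/home/admin:/bin/bash
gameserver:x:1001:1001:srcds:/home/gameserver:/bin/bash
EOF
cat > "$SAMPLE_DIR/sshd_config" <<'EOF'
# constructed sshd_config with two weak settings left in on purpose
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
AllowUsers admin
EOF
cat > "$SAMPLE_DIR/fstab" <<'EOF'
UUID=root-fs   /     ext4  defaults                                  0 1
none           /tmp  tmpfs rw,noexec,nosuid,nodev,size=100000000     0 0
UUID=var-fs    /var  ext4  defaults,nosuid,nodev                     0 2
UUID=home-fs   /home ext4  defaults,nosuid,nodev                     0 2
EOF

# Accounts whose login shell is neither nologin nor false: each one can log
# in interactively if it has a password or key. Anything that is not root or
# an admin belongs on the 'passwd -l' / nologin list from the post.
interactive_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Effective value of one sshd_config keyword, matched case-insensitively.
# sshd uses the first occurrence, so that is what we report; prints "unset"
# when the keyword is absent (the compiled-in default then applies).
sshd_value() {
    awk -v key="$2" '
        $1 ~ /^#/ { next }
        tolower($1) == tolower(key) && !found { v = $2; found = 1 }
        END { print (found ? v : "unset") }' "$1"
}

# One line per weak SSH setting, judged against the values the post recommends.
sshd_findings() {
    [ "$(sshd_value "$1" PermitRootLogin)" = "no" ] || echo "PermitRootLogin is not 'no'"
    [ "$(sshd_value "$1" PasswordAuthentication)" = "no" ] || echo "PasswordAuthentication is not 'no' (keys only is the goal)"
    case "$(sshd_value "$1" Protocol)" in *1*) echo "Protocol allows SSH-1" ;; esac
    [ "$(sshd_value "$1" AllowUsers)" != "unset" ] || echo "AllowUsers is not set, every account may try to log in"
}

# Mount options from $3 (comma list) that the fstab entry for mount point $2
# lacks; empty output means compliant, "not-in-fstab" means no entry at all.
missing_mount_opts() {
    have=$(awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $4 }' "$1")
    [ -n "$have" ] || { echo "not-in-fstab"; return 0; }
    echo "$3" | tr ',' '\n' | while read -r opt; do
        case ",$have," in *",$opt,"*) ;; *) echo "$opt" ;; esac
    done
}

echo "== accounts with an interactive shell =="
interactive_accounts "$SAMPLE_DIR/passwd"
echo "== sshd findings =="
sshd_findings "$SAMPLE_DIR/sshd_config"
echo "== missing mount options =="
for spec in /tmp:noexec,nosuid,nodev /var:noexec,nosuid,nodev /home:nosuid,nodev /usr:nodev; do
    mp=${spec%%:*}; want=${spec#*:}
    missing=$(missing_mount_opts "$SAMPLE_DIR/fstab" "$mp" "$want" | tr '\n' ' ')
    [ -z "$missing" ] || echo "$mp: $missing"
done
```

On the constructed input the audit reports www-data and gameserver as accounts that still have a shell, the two sshd lines left weak on purpose, /var missing noexec and /usr not being a separate mount at all. The sshd check deliberately mirrors sshd's own first-match rule, so a hardened line appended below an earlier weak one is still reported as weak.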
Mavrick4283
Veteran Member
Join Date: Apr 2010
Location: 127.0.0.1@root
08-30-2011, 02:33   Re: [TuT] Linux how to harden install   #2

reserved