Check your system for current intruders and backdoors
Before you start securing your system, first check whether the box has already been compromised. If it has, back up your important data and reinstall from scratch on a freshly formatted disk; do not try to clean it in place. The first thing an intruder typically installs is a "rootkit". Its main purpose is to keep the intruder hidden, so you never know he is in your system, and it usually also provides a "backdoor", another way back into your box. Once a rootkit is installed, nothing on the box can be trusted to give accurate feedback, including the very tools you use to look for it, so the most reliable check is to boot from trusted media (a rescue CD) and examine the disk from there. A quick first look is to run Check Root Kit (chkrootkit). More information about chkrootkit and download mirrors can be found on its website.
1. wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
2. tar -xvzf chkrootkit.tar.gz
3. cd chkrootkit*
4. make sense
5. Lastly, run ./chkrootkit (as root, since it needs to read everything). Every check should report "not found" or "not infected". If anything reports INFECTED or a warning, run it again, look the finding up (chkrootkit has a few well-known false positives, such as a legitimate daemon listening on a port its bindshell check considers suspicious) and investigate before trusting the box.
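The "everything should say not found or not infected" rule from step 5, as a filter. This is an added example and not part of the original guide or of chkrootkit itself; the sample output below is constructed in chkrootkit's format, and the two flagged lines are fabricated for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original guide: filter chkrootkit output so
# that only checks which did NOT come back clean are shown.

# Constructed sample in chkrootkit's output format. The two flagged lines are
# fabricated for the demonstration (they are also the two best-known false
# positives: a legitimate daemon on a "suspicious" port, and a busy box
# confusing the LKM check).
sample_output() {
    cat <<'EOF'
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `bindshell'... INFECTED (PORTS:  465)
Checking `chfn'... not infected
Checking `ifconfig'... not infected
Checking `login'... not infected
Checking `lkm'... chkproc: Warning: Possible LKM Trojan installed
Checking `sniffer'... eth0: not promisc and no packet sniffer sockets
Checking `z2'... nothing deleted
Checking `chkutmp'... chkutmp: nothing deleted
Searching for suspicious files and dirs, it may take a while... nothing found
EOF
}

# chkrootkit_hits: read chkrootkit output on stdin, print every line that
# does not end in one of the known-clean verdicts, and exit 1 if there were
# any such lines (0 when everything was clean). Unknown wording is shown
# rather than hidden, so a new check or a new message is never missed.
chkrootkit_hits() {
    awk '
        /^ROOTDIR is/                                                  { next }
        /not infected$|not found$|nothing found$|nothing deleted$/     { next }
        /nothing detected$|not tested$|no suspect files$|not promisc/  { next }
        /^[ \t]*$/                                                     { next }
        { print; hits++ }
        END { exit hits > 0 }
    '
}

# hit_count: same input, prints the number of lines needing attention.
hit_count() {
    chkrootkit_hits | awk 'END { print NR }'
}

# Usage on a real box (run as root):
#   ./chkrootkit | chkrootkit_hits && echo "chkrootkit: all clean"
# Since a rootkit may have replaced ls, ps and netstat, better still point
# chkrootkit at binaries on trusted media with its -p option:
#   ./chkrootkit -p /mnt/cdrom/bin | chkrootkit_hits
```

The filter is a whitelist on purpose: a message it has not seen before is printed, not swallowed, which is the right bias for a tool whose whole point is to notice the unexpected.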
Use STRONG Passwords
You would not believe how many people use weak passwords that fall to a dictionary attack in minutes. Your password should NOT be anything found in a dictionary, it should be at least 11 characters long, and it should contain non-alphanumeric characters such as @!$%^&*. Mix letters with digits as well, but do not rely on simple substitutions (3 for E, 1 for i, 7 for T, etc.) on their own: password crackers apply exactly those substitution rules to their word lists, so "p@55w0rd" is still a dictionary word to them.
Update your system
Run the command up2date (Red Hat's updater; on other distributions use the equivalent, such as apt-get update && apt-get upgrade or yum update) and let it update your system. This might take a while, especially on dialup. A new kernel only takes effect after a reboot. Of everything in this guide, updating is the one step that actually closes known holes, so repeat it regularly.
Turn Services off that you don't use.
If you have no reason to run a daemon or service, turn it off: every listening service is another way into your box. See what is listening with netstat -lntup (or ss -lntup), and on Red Hat use chkconfig --list to see what starts at boot and chkconfig <service> off to stop it from starting. Disable anything you do not recognise or need.
If you use FTP to transfer files on your box, then use Secure FTP
FTP is a plain-text protocol: your username and password go to the server in readable form. Someone with very little knowledge could set up a packet sniffer on your network (or on the remote network, if your Linux box isn't on your network) and grab your FTP username and password. Never use plain FTP; use SFTP (file transfer over SSH) instead. It needs no extra server, since the SSH daemon provides it.
1. First, you need an SFTP-capable client. JFTP, WS_FTP Pro, FileZilla or the sftp command that ships with OpenSSH will do.
2. When setting up your SFTP client, select SFTP over SSH2 (SSH1 is weaker, and "FTP over SSL" is a different protocol). You should be able to connect to your server with your normal SSH login.
3. Now turn off the FTP server on your Linux box, since it is no longer needed: disable it in xinetd or with chkconfig, stop it, and uninstall the package if you can.
If you require remote access to your Linux box, ONLY use SSH. NEVER use Telnet: it is a plain-text protocol, and a cracker sniffing the wire could easily grab your username and password. If you do not require remote access, disable the SSH daemon (but not if you use SFTP, which runs over it).
1. Open up your sshd_config file (Usually: /etc/ssh/sshd_config)
2. Find the line "#Port 22", uncomment it and change the port to a high number such as 54000. This keeps automated scripts and worms that only probe port 22 from finding your SSH daemon, and adds a little difficulty for the below-average cracker. A full port scan still finds it, so do not count on it for more than that. Remember to allow the new port through your firewall.
3. Find "#Protocol 2,1", uncomment it and change it to "Protocol 2". This forces sshd to accept only SSH version 2, which is much more secure than version 1 (SSH-1 has known integrity weaknesses). Current OpenSSH releases no longer contain SSH-1 at all and treat this directive as deprecated.
4. Find "#PermitRootLogin yes", uncomment it and change it to "PermitRootLogin no". This stops anyone from logging in remotely as root. You log in as an ordinary (lower-privileged) user first, then su to root. To gain root over SSH a cracker now needs your username and password and also the root password, which makes the box considerably harder to crack. Better still, once you are comfortable with SSH keys, set "PasswordAuthentication no" so there is no password to guess at all.
5. Save the file. Check it with sshd -t, then restart sshd (usually /etc/rc.d/init.d/sshd restart, or service sshd restart). Your current session survives the restart, so keep it open until a second login on the new port has succeeded.
6. Run netstat -lntp | grep sshd (as root, so the process names show) and you should see sshd listening on the high port you specified.
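Steps 2 to 4 as a script, for admins who do this on more than one box. This is an added example and not from the original guide or from OpenSSH; it shows the general edit of which the three steps are instances (replace a directive whether it is commented out, set to another value or missing), so it can be reused for any other sshd_config directive. File path and port are parameters, so it can be tried on a copy first.

```shell
#!/bin/sh
# Added example, not part of the original guide: apply the sshd_config
# changes from steps 2-4 idempotently, whether each directive is currently
# commented out, set to another value, or missing altogether.

# set_sshd_option FILE KEY VALUE
# Replace every "KEY ..." or "#KEY ..." line with "KEY VALUE" (keeping only
# the first), or append "KEY VALUE" if the file has no such line.  The
# append is naive: it would land inside a "Match" block if the file had one
# at the end, which the config files this guide is written for do not.
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        BEGIN { re = "^[# \t]*" key "([ \t]|$)"; found = 0 }
        $0 ~ re { if (!found) print key " " value; found = 1; next }
        { print }
        END { if (!found) print key " " value }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Overwrite in place so ownership and mode of the file are preserved.
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# harden_sshd_config FILE PORT: steps 2, 3 and 4 of the guide.
harden_sshd_config() {
    set_sshd_option "$1" Port "$2"
    set_sshd_option "$1" Protocol 2
    set_sshd_option "$1" PermitRootLogin no
}

# sshd_config_check FILE: have sshd validate the file before you restart it.
sshd_config_check() {
    sshd -t -f "$1"
}

# Usage on a real box, keeping your current session open until a second
# login on the new port has been confirmed:
#   cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
#   harden_sshd_config /etc/ssh/sshd_config 54000
#   sshd_config_check /etc/ssh/sshd_config && /etc/rc.d/init.d/sshd restart
```

Running the function twice leaves the file unchanged, and lines that do not concern it (comments, other directives) pass through untouched; the test below checks both.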
If your Linux box is on the Internet, you access it over SSH, and your own IP address is static, set the box up to allow SSH only from your IP. This is done with the TCP wrappers hosts files. It only works if your sshd was built with libwrap support (check with ldd $(which sshd) | grep libwrap); current OpenSSH releases have dropped that support, in which case use a firewall rule instead.
1. Open /etc/hosts.allow
2. Add: sshd: yourip (replace yourip with your static IP address; several addresses can be listed, separated by commas)
3. Save that file. Then open /etc/hosts.deny
4. Add: sshd: ALL. Save it. Then test a fresh SSH connection from your IP before you log out of the current one.
Hide Version Information
If you must run web services such as a web server (Apache), disable or change the version string it advertises. This throws off amateur crackers and stops some automated scripts from "picking" on you. Turning off the version number in Apache is very easy. Edit httpd.conf (usually /etc/httpd/conf/httpd.conf), search for "ServerSignature" and set it, adding the ServerTokens line underneath if it is not already there:

ServerSignature Off
ServerTokens ProductOnly

Save the file and restart Apache. This only hides the version number: instead of "Apache/1.3.27" the Server header will simply say "Apache". Check it from outside with curl -sI http://yourhost/ and look at the Server: line. You can remove or change the word "Apache" itself by editing the httpd.h header file and recompiling Apache. You can also change it without recompiling, but I'm not going to cover that. (Hint: the string lives in the httpd binary.)

If you have PHP installed, hide its version too. Edit php.ini (usually /etc/php.ini), search for "expose_php = On" and change it to:

expose_php = Off

Save the file and restart Apache for the change to take effect; the X-Powered-By: PHP/x.y.z header disappears.

If you run Sendmail, set it up to hide the product name and version from its SMTP greeting. The default greeting is $j Sendmail $v/$Z; $b (hostname, product, version, date). Edit /etc/mail/sendmail.mc and add:

define(`confSMTP_LOGIN_MSG', `$j')dnl

which keeps only the hostname (the SMTP RFCs require the 220 greeting to start with your domain, so do not make it completely empty). Then rebuild the live config and restart sendmail:

m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
/sbin/service sendmail restart

(Older Red Hat releases keep the generated file at /etc/sendmail.cf; write it wherever your running sendmail reads it, and back the old file up first.) Check the result with telnet yourhost 25 and look at the first line.

There are many other network services whose version or product name you can hide the same way; you just have to do it. However, be warned: changing or hiding version information does NOT protect your Linux box from exploits. Scanners will throw their exploits at you whatever your banner says. The only real protection is keeping your box updated with the latest versions.
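A check for the three banners above, run against captured output so the result of the changes can be verified from the outside. This is an added example, not part of the original guide; the HTTP headers and SMTP greetings are constructed samples of what Apache 1.3 with PHP and Sendmail return before and after the changes, and the leak patterns (a slash in Server:, any X-Powered-By, an MTA name or dotted version in a 220 greeting) are this example's own heuristics.

```shell
#!/bin/sh
# Added example, not part of the original guide: scan captured service
# banners for the product/version leaks that the changes above are meant
# to remove, so the result can be verified from the outside.

# Constructed sample: what a default Apache 1.3 + PHP install might return
# to "curl -sI http://host/" before the changes.
BEFORE_HEADERS='HTTP/1.1 200 OK
Date: Mon, 06 Jan 2003 12:00:00 GMT
Server: Apache/1.3.27 (Unix) PHP/4.3.0
X-Powered-By: PHP/4.3.0
Content-Type: text/html'

# Constructed sample: the same server after ServerTokens ProductOnly,
# ServerSignature Off and expose_php = Off.
AFTER_HEADERS='HTTP/1.1 200 OK
Date: Mon, 06 Jan 2003 12:00:00 GMT
Server: Apache
Content-Type: text/html'

# Constructed SMTP greetings: sendmail default, then with only $j kept.
BEFORE_SMTP='220 mail.example.com ESMTP Sendmail 8.12.8/8.12.8; Mon, 6 Jan 2003 12:00:00 -0500'
AFTER_SMTP='220 mail.example.com ESMTP'

# banner_leaks: read header/banner lines on stdin, print one line per leak,
# exit 0 if clean and 1 if anything leaked.
banner_leaks() {
    awk '
        # "Server: Apache" is fine; "Server: Apache/1.3.27 ..." is not.
        tolower($1) == "server:" && $0 ~ /\//  { print "version in Server header: " $0; n++ }
        # PHP adds this header unless expose_php is off.
        tolower($1) == "x-powered-by:"         { print "X-Powered-By header present: " $0; n++ }
        # SMTP greeting naming the MTA or carrying a dotted version number.
        $1 == "220" && $0 ~ /Sendmail|Postfix|Exim|qmail|[0-9]+\.[0-9]+\.[0-9]+/ {
            print "MTA named or versioned in SMTP banner: " $0; n++
        }
        END { exit n > 0 }
    '
}

# leak_count: same input, prints the number of leaks found.
leak_count() {
    banner_leaks | awk 'END { print NR }'
}

# Usage against a live host (replace host with yours):
#   curl -sI http://host/ | banner_leaks && echo "web banner clean"
#   printf 'QUIT\r\n' | nc host 25 | banner_leaks && echo "smtp banner clean"
```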
Libsafe is a middleware defence against buffer overflows and format string attacks. It is a shared library loaded into every dynamically linked program through LD_PRELOAD (system-wide via /etc/ld.so.preload) that wraps the libc functions most often involved in these bugs (strcpy, strcat, sprintf, gets, the printf family and others) and bounds-checks their arguments against the current stack frame before calling the real function. It is an ideal way to contain many issues in simple, basic software: the Linux x86 traceroute utility, for example, has a history of format string bugs, and libsafe puts a lid on most such past, present and future issues. Two limits to keep in mind: it does nothing for statically linked programs or for functions it does not wrap, and it stops only the overflow patterns it knows about, so it is no substitute for patching.
To install Libsafe:
1. wget http://www.research....2.0-16.i386.rpm
2. rpm -ivh libsafe-2.0-16.i386.rpm
3. To make sure it is installed, run cat /etc/ld.so.preload and look for a line like /lib/libsafe.so.2. You can also confirm it is actually being loaded with ldd /bin/ls | grep libsafe.
Install GRSecurity Kernel Patch
This is for the brave-at-heart Linux administrator, but I highly recommend it. GRSecurity is a kernel patch that hardens your Linux box against buffer overflows (through PaX: non-executable memory and address space randomisation) and many other weaknesses in the stock kernel. For the entire list of what GRSecurity protects you against, surf over to their features page. You will need to recompile your kernel to install this patch, and each patch matches specific kernel versions, so get the matching kernel source and be ready for that. Keep your old kernel in the boot loader so you can fall back if the new one does not boot. You can download the patch from the main GRSecurity site; they have installation instructions and a great forum if you run into problems or would like to ask questions.
Mount /tmp with noexec
By default the /tmp directory on your Linux box allows files inside it to be executed. Mounting it noexec (and nosuid) protects against many remote and local exploits that drop a payload into /tmp and run it; this is especially true on a web server. Two caveats: noexec is not a complete barrier (a script can still be run with sh /tmp/script, and on older glibc even a binary could be run via /lib/ld-linux.so.2 /tmp/binary), so treat it as one layer among several; and do this from the console with as few services running as possible, since processes with files open in the old /tmp keep using them. Also, if /dev on your system is a tmpfs (udev), a file created there is gone at the next boot, so use a persistent location such as /var/securetmp instead of /dev/securetmp throughout. Here's how to do it:
1. cd /dev
2. dd if=/dev/zero of=securetmp bs=1024 count=100000 (a 100 MB image; raise count if your /tmp needs more)
3. mke2fs /dev/securetmp (answer yes when it warns that this is not a block device, or pass -F)
4. cp -a /tmp /tmp_backup
5. mount -o loop,noexec,nosuid,rw /dev/securetmp /tmp
6. chmod 1777 /tmp (world-writable with the sticky bit, so users can only delete their own files; plain 0777 would drop the sticky bit)
7. cp -a /tmp_backup/. /tmp/
8. rm -rf /tmp_backup
9. edit /etc/fstab
10. At the bottom of the fstab file, add (the device name must match the file created in step 2):
/dev/securetmp /tmp ext2 loop,noexec,nosuid,rw 0 0 (Each space is a TAB)
11. Save the file.
12. Test your new, more secure tmp partition: drop a script into /tmp, chmod +x it and try to run it. It should fail with "Permission denied". Remember that sh /tmp/script still runs it; noexec only stops direct execution. Check after the next reboot (mount | grep /tmp) that the options came back from fstab.
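Step 12 and the "did it survive the reboot" check as functions, so they can be run on every box and after every reboot. This is an added example and not part of the original guide; the /proc/mounts excerpt is constructed, and nodev, /var/tmp and /dev/shm are this example's additions beyond the noexec,nosuid /tmp that the steps above set up.

```shell
#!/bin/sh
# Added example, not part of the original guide: check from /proc/mounts
# that the world-writable temp directories really carry the hardening
# options, and run the step 12 smoke test from a script.  nodev, /var/tmp
# and /dev/shm are this example's additions, not from the guide.

# Constructed /proc/mounts excerpt: /tmp done as described above, /var/tmp
# still on the root filesystem, /dev/shm with default options.
SAMPLE_MOUNTS='/dev/hda1 / ext3 rw 0 0
/dev/loop0 /tmp ext2 rw,noexec,nosuid 0 0
none /dev/shm tmpfs rw 0 0
none /proc proc rw 0 0'

# check_mount_options MOUNTS_TEXT DIR OPT [OPT...]
# Print "DIR: missing OPT" for each wanted option absent from DIR's entry
# (or a note if DIR is not a mount point at all); return 1 on any finding.
check_mount_options() {
    mounts=$1 dir=$2; shift 2
    entry=$(printf '%s\n' "$mounts" | awk -v d="$dir" '$2 == d { print; exit }')
    if [ -z "$entry" ]; then
        echo "$dir: not a separate mount (inherits its parent's options)"
        return 1
    fi
    opts=$(printf '%s\n' "$entry" | awk '{ print $4 }')
    missing=0
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;
            *) echo "$dir: missing $want"; missing=1 ;;
        esac
    done
    return $missing
}

# check_tmp_dirs MOUNTS_TEXT: the usual world-writable dirs, all three options.
check_tmp_dirs() {
    bad=0
    for d in /tmp /var/tmp /dev/shm; do
        check_mount_options "$1" "$d" noexec nosuid nodev || bad=1
    done
    return $bad
}

# noexec_smoke_test DIR: step 12 as a function.  Drops an executable script
# into DIR and tries to run it directly; returns 0 if the kernel refused
# (noexec is working), 1 if it ran.
noexec_smoke_test() {
    f=$(mktemp "$1/noexec-test.XXXXXX") || return 1
    printf '#!/bin/sh\nexit 0\n' > "$f"
    chmod 700 "$f"
    if "$f" 2>/dev/null; then
        rm -f "$f"; return 1
    fi
    rm -f "$f"
    return 0
}

# Usage on a live system:
#   check_tmp_dirs "$(cat /proc/mounts)" && echo "temp dirs hardened"
#   noexec_smoke_test /tmp && echo "/tmp: direct execution blocked"
```

On the sample above the check reports /tmp missing nodev, /var/tmp not being a separate mount at all, and /dev/shm missing all three, which is exactly the state a box is in after following only the steps in this section.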
Install a Firewall
I recommend the APF (Advanced Policy Firewall) script, which uses iptables. It's very easy to install and manage for new Linux users.
1. wget http://www.rfxnetwor...-current.tar.gz
2. tar -xzvf apf-*
3. cd apf-*
4. sh install.sh
5. cat README
6. Your firewall is now installed. Don't forget to read the README file: it explains how to turn your new firewall on and where its configuration lives. Before enabling it on a remote box, make sure the SSH port you chose earlier is in the list of allowed inbound TCP ports. APF installs with DEVEL_MODE switched on, which flushes the rules every five minutes so a mistake cannot lock you out for good; turn that off only once you have confirmed you can still log in.
Mask your fingerprint
Four TCP/IP settings let crackers fingerprint (determine) your operating system from the packets it sends: the initial Time To Live, the TCP window size, the Don't Fragment bit and the Type of Service field. Two of them, the default TTL and the window size, can be changed from userland, and changing them is enough to throw off a casual observer. Remember, the less crackers know about your operating system, the better. Honeynet's passive fingerprinting paper has an interesting list of the default values for each OS. Changing the default window size and TTL can make your network connection slower or faster, so note your current values first (cat each of the files below) in case you have problems afterwards. Do not expect this to beat a real scanner: nmap's OS detection uses many more probes (initial sequence numbers, TCP options, responses to odd flag combinations) and will usually still identify Linux.
1. echo 60 > /proc/sys/net/ipv4/ip_default_ttl
2. echo 32768 > /proc/sys/net/core/rmem_max
3. echo 32768 > /proc/sys/net/core/rmem_default
4. Values written to /proc are lost at reboot. To make them permanent, add to /etc/sysctl.conf:
net.ipv4.ip_default_ttl = 60
net.core.rmem_max = 32768
net.core.rmem_default = 32768
(On 2.4 and later kernels TCP takes its receive buffer, and therefore the advertised window, from net.ipv4.tcp_rmem rather than rmem_default; if the window does not change, adjust that instead.)
That's more or less the bare bones of Linux security. Security on Linux (especially in a server environment) goes WAY beyond what has been discussed here.
If you can think of anything else that should be added, then let me know.
I'll be posting a full How-To guide on the main site soon. This guide will show you how to accomplish each task, step-by-step. From updating your kernel, installing kernel patches, to protecting your box against DoS attacks. So, stay tuned!