Techy: Handy Security Tips
If you have a new box you want to use for web hosting etc., then here are just a few of the things you can do to help make the box secure. This list is not comprehensive, nor do I take any responsibility for any harm that may come to your server if you use any of these commands. These are mainly "quick reference" commands in case I need them in a rush (for example: we've put a box online and need it at least "semi-secured"; we'll spend more time securing a box than just running these commands, but they're a good starting point).
Run all commands as root (or via su):
Disable telnet
Modify /etc/xinetd.d/telnet (the file name may differ on your installation) and change disable=no to disable=yes.
Disable code compilation
Add a compiler group: /usr/sbin/groupadd compiler
Move to the directory holding the toolchain: cd /usr/bin
Make the most common compilers part of the compiler group:
chgrp compiler *cc*
chgrp compiler *++*
chgrp compiler ld
chgrp compiler as
mysqlaccess matches *cc* but is a MySQL helper script, not a compiler, so give it back to root: chgrp root mysqlaccess
Set permissions so that only root and members of the compiler group can run the toolchain:
chmod 750 *cc*
chmod 750 *++*
chmod 750 ld
chmod 750 as
chmod 755 mysqlaccess
To add users to the group, modify /etc/group and change compiler:x:123: to compiler:x:123:username1,username2 ('123' will be different on your installation).
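An added check, not from the original post: after the chgrp/chmod steps, this lists toolchain binaries in a bin directory (same name patterns as above) that are still executable by everyone. It assumes GNU or BusyBox find and a directory argument; the directory defaults to /usr/bin.

```shell
#!/bin/sh
# Added check (not from the original post): report toolchain binaries that
# are still executable by "other", i.e. not yet locked down with chmod 750.
# Uses the same name patterns as the chgrp/chmod commands above and skips
# mysqlaccess, which matches *cc* but is a MySQL helper script, not a compiler.
# Usage: audit_compilers [DIR]   (DIR defaults to /usr/bin)
# Prints each offending path; returns 1 if any were found, 0 if none.
audit_compilers() {
    dir=${1:-/usr/bin}
    # -perm -001: the other-execute bit is set (octal form works in GNU and BusyBox find)
    hits=$(find "$dir" -maxdepth 1 -type f \
             \( -name '*cc*' -o -name '*++*' -o -name ld -o -name as \) \
             ! -name mysqlaccess -perm -001)
    [ -z "$hits" ] && return 0
    printf 'world-executable toolchain binary: %s\n' $hits
    return 1
}
```

Run audit_compilers /usr/bin after the chmod step; an empty report (exit status 0) means every binary matching the patterns is now restricted to the compiler group.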
Disable direct root login: SSH
Modify /etc/ssh/sshd_config:
Ensure the Protocol line is not commented out and reads Protocol 2 (this disables the older, weaker SSH protocol version 1).
Change PermitRootLogin yes to PermitRootLogin no (make sure you have a non-root account you can log in with, and su from, before restarting, or you will lock yourself out).
Restart SSHD: /etc/rc.d/init.d/sshd restart
Disable direct root login: ProFTP
Modify /etc/proftpd.conf and add:
RootLogin off
Restart ProFTP:
/sbin/service proftpd stop
/sbin/service proftpd start
Restrict access to inet services
Modify /etc/hosts.allow. Suggested format:
# Approved IP addresses
ALL: 192.168.0.1
ALL: 192.168.5.2
# CSV uploader machine
proftpd: 10.0.0.5
# pop3 from anywhere
ipop3: ALL
Modify /etc/hosts.deny so that anything not listed in hosts.allow is refused:
ALL:ALL EXCEPT localhost:DENY
Note that these files are only consulted by services with tcp_wrappers support (those started through xinetd/tcpd, or daemons such as sshd and ProFTPD built with libwrap); they complement the firewall below rather than replace it.
Mount /tmp as non-executable
(not recommended for Cpanel servers)
cd /dev
Create a 100 MB storage file (the "count" sets the size): dd if=/dev/zero of=tmpMnt bs=1024 count=100000
Make an ext2 filesystem on it: /sbin/mke2fs /dev/tmpMnt (answer yes to "...is not a block special device. continue?")
Back up the existing temp files: cp -R /tmp/ /tmp_backup
Mount the new file system with noexec: mount -o loop,rw,nosuid,noexec /dev/tmpMnt /tmp
chmod 0777 /tmp (the stock /tmp uses mode 1777, i.e. world-writable with the sticky bit so users cannot remove each other's files; chmod 1777 /tmp keeps that behaviour)
Copy the backup files back: cp -R /tmp_backup/* /tmp/
Remove the backup: rm -rf /tmp_backup
Modify /etc/fstab and add the following line so the mount point is recreated on boot (the fields are separated by tabs):
/dev/tmpMnt /tmp ext2 loop,rw,nosuid,noexec 0 0
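An added check (my own script, not part of the original post) that verifies /tmp really is a separate mount carrying the noexec and nosuid options after the steps above. It reads /proc/mounts unless given a file in the same format; the sample run at the bottom uses constructed mount lines.

```shell
#!/bin/sh
# Added check (not from the original post): confirm that /tmp is mounted
# with the noexec and nosuid options set above. Reads /proc/mounts by
# default; a file in the same format may be passed as $1.
# Returns 0 when /tmp is a separate mount with both options, 1 otherwise.
check_tmp_mount() {
    mounts=${1:-/proc/mounts}
    # /proc/mounts fields: device mountpoint fstype options dump pass;
    # the last matching line is the mount currently on top of /tmp
    opts=$(awk '$2 == "/tmp" { print $4 }' "$mounts" | tail -n 1)
    if [ -z "$opts" ]; then
        echo "/tmp is not a separate mount: files there can still be executed"
        return 1
    fi
    missing=""
    for want in noexec nosuid; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "/tmp is mounted without:$missing (options: $opts)"
        return 1
    fi
    echo "/tmp is mounted with $opts"
}

# Sample run on constructed /proc/mounts contents (not a real system)
sample=$(mktemp)
printf '%s\n' '/dev/hda1 / ext3 rw 0 0' \
              '/dev/loop0 /tmp ext2 rw,nosuid,noexec 0 0' > "$sample"
check_tmp_mount "$sample"
rm -f "$sample"
```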
Remove unused RPMs
Create a file called "cleardown" with the following contents:
#!/bin/bash
# Remove unneeded RPMs
# by jd_waverly
# Please read this script completely before executing to verify that you are
# not using any of these rpms
# Remove # from following line to display every command as it executes
#set -x
# Add # in front of any you don't want removed
# Several removals are commented out by default including:
#
# ipchains
# squid
# grub
# mutt
# mouseconfig
# rdate
# kernel source code
# ash shell
echo Rebuilding rpm database
echo Please wait
# Make sure rpm database is clean before beginning
rpm --rebuilddb
echo Removing Ghostscript and Japanese vector fonts
# Description of these modules
# VFlib2 Japanese vectorfont library
# VFlib2-devel Japanese vectorfont development support
# ghostscript Postscript interpreter and renderer
# ghostscript-fonts Ghostscript postscript fonts
rpm -e VFlib2 VFlib2-devel ghostscript ghostscript-fonts
echo Removing unused Print Utilities
rpm -e LPRng printconf #print spooler
rpm -e pnm2ppa #HP printer drivers
rpm -e mpage #Page print utility
rpm -e Omni Omni-foomatic #Omni print driver management
rpm -e foomatic #Printer driver database
echo Removing typically unused network services
# Descriptions of modules see below for the rest
# portmap manage RPC connections
# ypbind NIS client binding
# rusers-server rusers command server
# rwall-server rwall message server
# nfs-utils NFS server
# ypserv NIS server
# yp-tools NIS client programs
rpm -e portmap ypbind rusers-server rwall-server nfs-utils ypserv yp-tools
rpm -e dhcpcd #DHCP support
rpm -e finger #finger client
rpm -e finger-server #finger server
#rpm -e ipchains lokkit #ipchains not needed if using iptables
#SNMP support is a security risk
# rpm -e php-snmp-4.2.2-2ensim5 #php snmp support under ensim
rpm -e ucd-snmp ucd-snmp-utils ucd-snmp-devel
#rpm -e squid #squid proxy server
rpm -e talk #Talk client program
rpm -e talk-server #Talk server
rpm -e radvd #IPV6 router advertisement
rpm -e inews #For posting usenet articles
rpm -e inn #News server
echo Removing rsh, rlogin, rcp, rwho, rusers, rdate support
rpm -e rsh #rsh, rlogin, rcp command
#rpm -e rdate #rdate program
rpm -e rsh-server #rsh server
rpm -e rwho #rwho command
echo Removing utilities
rpm -e a2ps #postscript converter
rpm -e aspell #spell checker
#rpm -e ash #alternative to bourne shell
echo Removing various font support
#Description of modules see below for the rest
# chkfontpath Font path for X server
# urw-fonts Postscript fonts
# ttfonts-ja Japanese TrueType fonts
rpm -e chkfontpath urw-fonts ttfonts-ja
rpm -e nkf #Kanji code converter
rpm -e watanabe-vf #Watanabe font
echo Removing mouse support utilities and links browser
#rpm -e mouseconfig #mouse setup
#rpm -e mc #midnight commander
rpm -e gpm gpm-devel links #console mouse support and links www browser
echo Removing Docbook support
rpm -e docbook-utils docbook-utils-pdf
rpm -e docbook-style-dsssl #docbook style sheets
rpm -e docbook-dtd30-sgml docbook-dtd31-sgml #docbook style sheets
rpm -e docbook-dtd40-sgml docbook-dtd41-sgml #docbook style sheets
echo Removing useless hardware support
rpm -e bcm5820 #broadcomm comm processor support
rpm -e efax #fax program
rpm -e hotplug #hotplug USB support
rpm -e eject #software media eject support
rpm -e apmd #laptop power management is dangerous on a server
rpm -e hwcrypto #hardware crypto support
rpm -e pciutils #tweak tool for pci hardware
rpm -e kudzu-devel pciutils-devel #hardware development tools
echo Removing file management tools
rpm -e cvs #CVS software development management
rpm -e rcs #file management tool
echo Removing Tex text formatting
rpm -e tetex tetex-dvilj tetex-latex tetex-afm tetex-dvips tetex-fonts jadetex
echo Removing various mail utilities
#rpm -e mutt #text mode mail agent
rpm -e fetchmail #PPP mail client
echo Removing various development packages
#Carnegie Mellon Cyrus mail system development package
rpm -e cyrus-sasl-devel
echo Removing SGML utilities
rpm -e psgml #Emacs SGML support
rpm -e sgml-tools #text formatting suite
echo Removing grub
#rpm -e grub #grub not used by RS
echo Removing DOS utilities
rpm -e mkbootdisk dosfstools #Make dos boot disk and FAT filesystem support
echo Removing Redhat logos
rpm -e redhat-logos
echo Removing kernel development tools and source
rpm -e ksymoops #kernel error message devel tool
#rpm -e kernel-source-2.4.18-18.7.x #kernel source code for devel
#rpm -e kernel-source-2.4.18-17.7.x #kernel source code
echo Removals complete
exit
Run using /bin/bash cleardown
Firewall ports
A firewall is necessary and I quite like Cheetaweb's "APF" iptables-based one.
This can be downloaded from http://download.cheetaweb.com/apf-0.8.7-1.i386.rpm and installed using rpm -Uvh apf-0.8.7-1.i386.rpm.
You'll need to modify /etc/apf/conf.apf to use the correct ports for the web server software you are using:
Cpanel servers:
TCP_CPORTS="21,22,53,80,110,443,2082,2083,2086,2087,2095,2096"
Ensim/Ensim Pro servers:
TCP_CPORTS="21,22,25,53,80,110,143,443,19638"
# Common UDP Ports
UDP_CPORTS="53"
Run on reboot: /sbin/chkconfig --level 2345 apf on
Hide Apache Information
Show only that you are running Apache: no details of any of the modules or version numbers.
Modify /etc/httpd/conf/httpd.conf
Change the ServerSignature line to:
ServerSignature Off
and add/amend:
ServerTokens ProductOnly
Restart Apache: /sbin/service httpd restart
Cpanel users: This may break the “Needs upgrade” display on WHM.
Hide PHP information
Modify php.ini (locations vary) from:
expose_php=On
to:
expose_php=Off
You may need to restart Apache.
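An added audit helper (not from the original post) that covers the sshd_config, proftpd.conf, httpd.conf and php.ini changes above: it prints the active, uncommented value of a directive and compares it with the recommended one. The files and paths in the sample run at the bottom are constructed, not a real install.

```shell
#!/bin/sh
# Added check (not from the original post): does a config directive carry the
# value recommended above? Commented-out lines are ignored. Handles the
# "Key value" style of sshd_config, proftpd.conf and httpd.conf and the
# "key = value" style of php.ini; keys compare case-insensitively.
# A directive passes only if every active occurrence matches, because sshd
# honours the first occurrence while Apache and PHP honour the last.

# Print every active (uncommented) value of KEY in FILE, one per line.
active_values() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        { line = $0; sub(/^[[:space:]]+/, "", line) }
        line == "" || line ~ /^[#;]/ { next }
        {
            split(line, parts, "[[:space:]=]+")
            if (tolower(parts[1]) != key) next
            sub(/^[^[:space:]=]+[[:space:]]*=?[[:space:]]*/, "", line)  # drop key and "="
            sub(/[[:space:]]*[#;].*$/, "", line)                       # trailing comment
            sub(/[[:space:]]+$/, "", line)
            print line
        }' "$1"
}

# check_directive FILE KEY WANT -> prints OK/FAIL, returns 0/1
check_directive() {
    vals=$(active_values "$1" "$2")
    if [ -z "$vals" ]; then
        echo "FAIL $1: $2 is not set (want $3)"; return 1
    fi
    want=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    for v in $vals; do   # the values on this page are single tokens
        if [ "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" != "$want" ]; then
            echo "FAIL $1: $2 = $v (want $3)"; return 1
        fi
    done
    echo "OK   $1: $2 = $3"
}

# Sample run against constructed files (assumed paths, not a real install)
d=$(mktemp -d)
printf '%s\n' '#PermitRootLogin yes' 'Protocol 2' 'PermitRootLogin no' > "$d/sshd_config"
printf '%s\n' '; production' 'expose_php = On' > "$d/php.ini"
check_directive "$d/sshd_config" PermitRootLogin no
check_directive "$d/sshd_config" Protocol 2
check_directive "$d/php.ini" expose_php Off || true   # reported as FAIL
rm -rf "$d"
```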
Install ChkRootKit
Download ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
Unpack it: tar xvzf chkrootkit.tar.gz
Compile it: cd chkrootkit*
make sense
Remove the downloaded archive: rm ../chkrootkit.tar.gz
Find out the full path of the chkrootkit directory: pwd
Add a cron job to run it daily by creating a file called "chkrootkit" in /etc/cron.daily with the following contents (replace /full/path/to/chkrootkit with the directory pwd printed, and the address with your own):
#!/bin/bash
/full/path/to/chkrootkit/chkrootkit -q | mail -s "[servername] chkrootkit Output" youremailaddress@example.com
Make it executable: chmod 755 /etc/cron.daily/chkrootkit
Install System Integrity Monitor
See http://www.r-fx.net/sim.php for full information.

August 9th, 2003 at 8:33 am
One for the bookmarks :). Thanks Richy.
December 3rd, 2003 at 3:08 pm
The latest version of APF Firewall can be found at http://www.rfxnetworks.net/downloads/apf-current.rpm.
Logwatch ( http://www.logwatch.org/ ) is also worth installing.
December 15th, 2003 at 7:41 pm
Careful when removing rpm -e aspell #spell checker
This is used by Horde for spell checking if you wish to enable it.
December 31st, 2003 at 3:47 pm
Great info on the compiler details… We also suggest a host based IDS like Tripwire, AIDE or similar products.
January 24th, 2005 at 6:41 pm
While configuring the firewall for Cpanel servers, you need to leave port 2089 open for the cpanel license to work correctly. Cpanel uses 2089 to communicate with the license server.