Tightening Server Security

Anything reachable from the Internet has to be secured, whether it is a simple website, an e-commerce site or the server itself. There is no such thing as ultimate security; what you can do is keep tightening the security of your servers, websites and any data you publish online. This post outlines some basic steps to strengthen the security of a Linux server. The commands below are for Red Hat-style systems with SysV init and GRUB Legacy (RHEL/CentOS 5 and 6); systemd and GRUB 2 systems keep the same settings in different files.

We start with the server itself. The first thing to do once the server is set up is to set a BIOS password and make the hard disk the only boot medium. You don't need an optical drive in a server once the OS is installed; even the installation doesn't need one, since the BIOS can boot from the LAN if a DHCP server hands out the address and a TFTP server serves the kernel and installer images to the booting machine. Once the installation is complete, change the BIOS boot order back so that only the hard disk is bootable.

With the hard disk as the only boot medium, the next step is to lock down the GRUB (GRand Unified Boot loader) menu so that a person with physical access to the server cannot edit a boot entry, append "single" to the kernel line and come up as root in single-user mode without a password. GRUB security is one of the most important aspects of securing a Linux server. GRUB Legacy supports a password line in its configuration, and the password is stored as an MD5-crypt hash rather than in clear text (this is hashing, not encryption). GRUB ships the utility that produces the hash in the system binary (/sbin) folder:

/sbin/grub-md5crypt

The above command prompts for a password and prints the hashed form (a string starting with $1$). This hash goes into /boot/grub/grub.conf, underneath the timeout parameter, as follows:

password --md5 paste_the_hash_here

With this line in place, GRUB refuses to edit entries or open its command line until 'p' is pressed and the password is entered, so nobody can reach single-user mode by altering the kernel line. Three caveats: an unmodified entry can still be booted unless you also put lock under its title; keep /boot/grub/grub.conf readable by root only (chmod 600), otherwise local users can copy the hash and crack it offline; and a GRUB password only holds as long as the BIOS password and boot order do, so for someone who can open the case and pull the disk, only full-disk encryption protects the data.

Now that physical attempts to break into the server are covered, we have to think about remote attempts. For this, define a system baseline: which services should run on the server, and what else should be locked down. Also, if there are multiple Ethernet cards or IP aliases that are not needed, stop and disable them; no interface should carry traffic unless it is required. You can disable IP aliases and extra network cards as follows:

Check the network cards and the IP addresses associated with each eth* interface with 'ifconfig -a'. Document the ones that are required and lock down all the others. The following commands (ifcfg is the helper script shipped with the iproute package) stop and remove an IP alias:

ifdown eth0:1
ifcfg eth0:1 del 192.168.2.135
ifcfg eth0:1 stop

Also make sure that after a reboot the IP aliases or extra cards do not come back up or grab an address from a DHCP server. This is done by setting the ONBOOT parameter in the interface's configuration file to "no":

vi /etc/sysconfig/network-scripts/ifcfg-eth0:1

change to: ONBOOT="no"

This makes sure that the interface is disabled even after rebooting the server.

#################################

Two boot-time logs tell you what the kernel found (physical memory, CPUs, network interfaces) and which kernel is running: dmesg (the kernel ring buffer, saved to /var/log/dmesg at boot) and /var/log/boot.log.

Grep for the kernel version and document it so you can check it later; it should match the installed or patched kernel package. Compare the version reported by dmesg with 'uname -r' and with 'rpm -q kernel' and investigate any mismatch; a running kernel older than the newest installed one usually means a reboot is still pending after a patch. Documenting all of this is very important in a production environment.

You can also grep for mem, cpu, network interfaces etc from dmesg and document it.

eg: grep -i cpu /var/log/dmesg

You should also check whether IPv4 forwarding is enabled and whether source-routed packets are accepted. The running values come from the kernel: 'sysctl net.ipv4.ip_forward' and 'sysctl net.ipv4.conf.default.accept_source_route' print them (or read the files under /proc/sys). Forwarding should be off unless the system is meant to act as a router, and source routing should never be accepted. If either is set to 1 and is not required, disable it in /etc/sysctl.conf as follows and then run 'sysctl -p' to apply the file, which is otherwise read only at boot:

vi /etc/sysctl.conf

net.ipv4.ip_forward = 0
net.ipv4.conf.default.accept_source_route = 0
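The audit below is an added example, not part of the original post: it reads the live values straight from /proc/sys and reports every key that deviates from a hardening baseline. It goes a little beyond the two keys in the text by also covering the "all" variant of accept_source_route, ICMP redirects and reverse-path filtering, which belong in the same policy; treat that baseline as an assumption and edit it to match your own. The make_fake_root helper builds a constructed /proc/sys tree so the check can be exercised without touching the running kernel.

```sh
#!/bin/sh
# Added example (not from the original post): audit the running kernel's
# network sysctls against a hardening baseline. The baseline holds the two
# keys from the text plus three companions found in the same policies
# (assumption: your policy wants these too; edit to match it).

# One "key value" pair per line.
baseline_sysctls() {
    cat <<'EOF'
net.ipv4.ip_forward 0
net.ipv4.conf.default.accept_source_route 0
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.rp_filter 1
EOF
}

# sysctl_value KEY [ROOT]
# Read a key straight from ROOT/proc/sys (ROOT defaults to the real /),
# mapping dots to slashes exactly as the kernel does. Prints nothing when the
# key does not exist, so the caller sees "missing" rather than a stale value.
sysctl_value() {
    key=$1
    root=${2:-}
    path="$root/proc/sys/$(printf '%s' "$key" | tr . /)"
    if [ -r "$path" ]; then
        cat "$path"
    fi
}

# audit_sysctls [ROOT]
# Print one "KEY expected=X actual=Y" line per baseline key whose live value
# deviates. Returns 0 when everything matches, 1 otherwise.
audit_sysctls() {
    root=${1:-}
    deviations=$(baseline_sysctls | while read -r key want; do
        have=$(sysctl_value "$key" "$root")
        if [ "$have" != "$want" ]; then
            printf '%s expected=%s actual=%s\n' "$key" "$want" "${have:-missing}"
        fi
    done)
    if [ -n "$deviations" ]; then
        printf '%s\n' "$deviations"
        return 1
    fi
    return 0
}

# make_fake_root DIR KEY VALUE [KEY VALUE ...]
# Build a constructed /proc/sys tree under DIR for demonstration and testing.
make_fake_root() {
    dir=$1; shift
    while [ $# -ge 2 ]; do
        p="$dir/proc/sys/$(printf '%s' "$1" | tr . /)"
        mkdir -p "$(dirname "$p")"
        printf '%s\n' "$2" > "$p"
        shift 2
    done
}

# Demo: a constructed tree where forwarding was left on, then the live host.
demo=${TMPDIR:-/tmp}/sysctl-demo.$$
make_fake_root "$demo" net.ipv4.ip_forward 1 \
    net.ipv4.conf.default.accept_source_route 0 \
    net.ipv4.conf.all.accept_source_route 0 \
    net.ipv4.conf.all.accept_redirects 0 \
    net.ipv4.conf.all.rp_filter 1
audit_sysctls "$demo" && echo "constructed tree: OK" || echo "constructed tree: deviations listed above"
rm -rf "$demo"
audit_sysctls && echo "live kernel: OK" || echo "live kernel: deviations listed above"
```

Reading /proc/sys directly rather than parsing /etc/sysctl.conf is deliberate: the file only says what will be applied at the next boot or 'sysctl -p', while the kernel holds what is in force now, and a key that is correct in the file but wrong in the kernel is exactly the drift this check is meant to catch.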

#################################

Now, as per your drafted baseline, install ONLY the services the server needs to serve its purpose. Once the services are installed and configured, document the list of RPMs installed and their count. This gives you a baseline to cross-check later in case of discrepancies:

rpm -qa > `date +%F`.installed_package_list

Document the number of packages installed by piping the output to 'wc -l'.

At a later stage, dump the RPM list to a new file, check the count and compare the two lists with 'diff'. Sort both lists first, because rpm -qa does not print packages in a stable order and diff would otherwise report differences that are only reordering. The package list only says what is installed, not whether installed files have been altered; 'rpm -Va' verifies each package's files against the RPM database and is worth running alongside it.

>> diff "original_dump_file" "new_dump_file"
>> echo $? (check the exit status: 0 means no difference)
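The snippet below is an added example and not the post's own commands: it turns the diff step into a function that sorts both snapshots and prints exactly which packages were added or removed, instead of a raw diff that also flags reordering. The package names in the demo are constructed samples, and snapshot_packages assumes rpm is present on the host.

```sh
#!/bin/sh
# Added example (not from the original post): take and compare package
# snapshots so baseline drift shows up as an explicit list of what was added
# or removed. rpm -qa does not print in a stable order, so every list is
# sorted before comparison. The sample lists at the bottom are constructed.

# snapshot_packages FILE: sorted list of installed packages (name-version-release.arch).
snapshot_packages() {
    rpm -qa | sort > "$1"
}

# package_changes BASELINE CURRENT
# Print "-pkg" for packages only in BASELINE (removed) and "+pkg" for packages
# only in CURRENT (added). Returns 0 when identical, 1 when anything changed.
package_changes() {
    tmp=${TMPDIR:-/tmp}/pkgdiff.$$
    sort "$1" > "$tmp.base"
    sort "$2" > "$tmp.cur"
    # comm -3 drops lines common to both; column 1 is base-only, column 2
    # (tab-indented) is current-only.
    changes=$(comm -3 "$tmp.base" "$tmp.cur" | awk -F'\t' '
        $1 != "" { print "-" $1 }
        $2 != "" { print "+" $2 }')
    rm -f "$tmp.base" "$tmp.cur"
    if [ -n "$changes" ]; then
        printf '%s\n' "$changes"
        return 1
    fi
    return 0
}

# Constructed snapshots: telnet-server was removed and nc was installed since
# the baseline, and the lines are in a different order, which a raw diff of
# the two files would also flag.
base=${TMPDIR:-/tmp}/pkg-base.$$
cur=${TMPDIR:-/tmp}/pkg-cur.$$
printf '%s\n' telnet-server-0.17-47.el6.x86_64 bash-4.1.2-15.el6.x86_64 \
    openssh-server-5.3p1-84.1.el6.x86_64 > "$base"
printf '%s\n' openssh-server-5.3p1-84.1.el6.x86_64 bash-4.1.2-15.el6.x86_64 \
    nc-1.84-22.el6.x86_64 > "$cur"
package_changes "$base" "$cur" && echo "no package drift" || echo "package drift detected"
rm -f "$base" "$cur"
# On a real server: snapshot_packages "$(date +%F).installed_package_list"
# at baseline time, then package_changes <baseline list> <today's list>.
```

Keep the baseline snapshot somewhere the server cannot overwrite it (a management host or a write-once store); a baseline that lives on the box it describes can be edited by whoever got in.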

#################################

Now lock down the GUI; in fact, a server should NOT have X11 or GUI packages installed at all. In /etc/inittab, make sure the server boots into runlevel 3 (full multi-user mode without GUI):

id:3:initdefault:

Also, disable rebooting via Ctrl+Alt+Del. On older servers this is a 'ca::ctrlaltdel:' line in /etc/inittab, which you comment out; newer Red Hat distros (RHEL 6 with Upstart) have it in /etc/init/control-alt-delete.conf, where you comment out or change the exec line.

You can check your runlevel by issuing the command ‘runlevel’ or ‘/sbin/runlevel’

You should also reduce the number of TTYs. In /etc/inittab (RHEL 5), comment out all the gettys except the first; on RHEL 6 the gettys are spawned by Upstart instead, and the list to trim is ACTIVE_CONSOLES in /etc/sysconfig/init.

# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
#2:2345:respawn:/sbin/mingetty tty2
#3:2345:respawn:/sbin/mingetty tty3
#4:2345:respawn:/sbin/mingetty tty4
#5:2345:respawn:/sbin/mingetty tty5
#6:2345:respawn:/sbin/mingetty tty6

/etc/securetty is of prime importance. It lists the terminals on which the root user is allowed to log in directly. Root is the all-powerful account on a Linux system, with rights to every file, and must be guarded heavily. If root cannot log in remotely via telnet, that is because the pseudo-terminal telnet provides is not listed in securetty (the check is done by pam_securetty in /etc/pam.d/login).

Having said this, SSH does not consult securetty at all: sshd's PAM stack does not include pam_securetty, so direct root logins over SSH are governed by PermitRootLogin in /etc/ssh/sshd_config instead (see the SSH section below).

You can check which terminal you are logged in on with the command 'tty'.
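The checks below are an added example, not part of the original post: they audit the local-console hardening covered in this section and in the GRUB section above (password line in grub.conf, default runlevel, number of gettys, Ctrl+Alt+Del action, securetty contents) from the RHEL 5-style files the text describes. The default paths are the live ones, every function also accepts a copy of the file, and write_demo_console writes constructed "before hardening" samples (with a placeholder hash) so the audit can be seen to fire.

```sh
#!/bin/sh
# Added example (not from the original post): audit local-console hardening
# on RHEL 5-style files. Each check takes a file path so it also runs against
# copies pulled off a server; defaults are the live paths.

# active_lines FILE: drop comments and blank lines, trim leading whitespace.
active_lines() {
    sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^$/d' "$1"
}

# grub_password_set [GRUB_CONF]: 0 if a "password --md5 $1$..." line exists.
# A cleartext "password word" line is valid GRUB Legacy but rejected here.
grub_password_set() {
    active_lines "${1:-/boot/grub/grub.conf}" |
        grep -q -E '^password[[:space:]]+--md5[[:space:]]+\$1\$'
}

# default_runlevel [INITTAB]: print the initdefault runlevel (empty if none).
default_runlevel() {
    active_lines "${1:-/etc/inittab}" | awk -F: '$3 == "initdefault" { print $2; exit }'
}

# getty_count [INITTAB]: number of uncommented getty entries.
getty_count() {
    active_lines "${1:-/etc/inittab}" | grep -c getty || true
}

# ctrlaltdel_active [INITTAB]: 0 if an uncommented ctrlaltdel action remains.
ctrlaltdel_active() {
    active_lines "${1:-/etc/inittab}" | awk -F: '$3 == "ctrlaltdel"' | grep -q .
}

# securetty_extra [SECURETTY]: print entries other than the console and the
# virtual consoles; a serial line or pts/* here lets root log in on it directly.
securetty_extra() {
    active_lines "${1:-/etc/securetty}" | grep -v -E '^(console|vc/[0-9]+|tty[0-9]+)$' || true
}

# audit_console GRUB_CONF INITTAB SECURETTY
# One FAIL line per finding; the return value is the number of findings.
audit_console() {
    n=0
    grub_password_set "$1" || { echo "FAIL: $1 has no password --md5 line"; n=$((n + 1)); }
    rl=$(default_runlevel "$2")
    [ "$rl" = 3 ] || { echo "FAIL: initdefault is '${rl:-unset}', want 3"; n=$((n + 1)); }
    g=$(getty_count "$2")
    [ "$g" -le 1 ] || { echo "FAIL: $g gettys enabled, want 1"; n=$((n + 1)); }
    ! ctrlaltdel_active "$2" || { echo "FAIL: Ctrl-Alt-Del still reboots the box"; n=$((n + 1)); }
    x=$(securetty_extra "$3")
    [ -z "$x" ] || { echo "FAIL: $3 allows root on: $(printf '%s' "$x" | tr '\n' ' ')"; n=$((n + 1)); }
    return $n
}

# write_demo_console DIR: constructed pre-hardening samples for demo/testing.
# The GRUB hash below is a placeholder, not a real grub-md5crypt output.
write_demo_console() {
    mkdir -p "$1"
    printf '%s\n' 'default=0' 'timeout=5' \
        'password --md5 $1$xxxxxxxx$yyyyyyyyyyyyyyyyyyyyyy' > "$1/grub.conf"
    printf '%s\n' 'id:5:initdefault:' 'ca::ctrlaltdel:/sbin/shutdown -t3 -r now' \
        '# Run gettys in standard runlevels' \
        '1:2345:respawn:/sbin/mingetty tty1' '2:2345:respawn:/sbin/mingetty tty2' \
        '3:2345:respawn:/sbin/mingetty tty3' 'x:5:respawn:/etc/X11/prefdm -nodaemon' > "$1/inittab"
    printf '%s\n' console tty1 tty2 tty3 ttyS0 > "$1/securetty"
}

demo=${TMPDIR:-/tmp}/console-demo.$$
write_demo_console "$demo"
audit_console "$demo/grub.conf" "$demo/inittab" "$demo/securetty" && echo "clean" || echo "findings: $?"
rm -rf "$demo"
# Live host: audit_console /boot/grub/grub.conf /etc/inittab /etc/securetty
```

On the constructed files the audit reports four findings (runlevel 5, three gettys, the Ctrl+Alt+Del line, and ttyS0 in securetty); the GRUB check passes because the password line is present.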

#################################

Perform a reconnaissance scan of your own server with nmap as follows (the SYN and UDP scans both need root):

nmap -v -sS -sU localhost

This lists the OPEN ports with the protocol and the service usually associated with each. Lock down any port that is unnecessary or unused. Note that a scan of localhost also shows services bound only to 127.0.0.1, so to see what is actually exposed, scan the server's public address from another host, and expect the UDP scan to take a long time.

You can also list the TCP and UDP listeners with netstat (-n numeric, -t TCP, -u UDP, -l listening sockets, -p owning process; 'ss -ntulp' does the same on newer systems):

netstat -ntulp
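The script below is an added example rather than the post's own command: it feeds the output of netstat -ntulp through an allowlist built from the baseline and prints every listener that is neither sanctioned nor bound to loopback, together with the process that owns it. The allowlist (sshd on 22, ntpd on 123) is an assumption to replace with your baseline, and the netstat output in the block is constructed, not captured from a real host.

```sh
#!/bin/sh
# Added example (not from the original post): flag listeners that the
# baseline does not permit. Input is the output of "netstat -ntulp"; the
# bind address matters because a daemon on 127.0.0.1 is not network-reachable.

# Allowlist of "proto:port" entries the baseline permits on any address.
# Assumption for the demo: only sshd and ntpd are sanctioned.
ALLOWED="tcp:22 udp:123"

# listeners < NETSTAT_OUTPUT
# Normalise netstat lines to "proto port bind_addr program", skipping the
# header. tcp6/udp6 are folded into tcp/udp; udp lines lack the State column.
listeners() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ {
            proto = substr($1, 1, 3)
            n = split($4, a, ":")                       # port is the last ":" field
            port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            prog = ($1 ~ /^tcp/) ? $7 : $6
            print proto, port, addr, prog
        }'
}

# unexpected_listeners < NETSTAT_OUTPUT
# Print listeners that are neither allowlisted nor bound to loopback only.
# Returns 1 if any are found, 0 otherwise.
unexpected_listeners() {
    found=$(listeners | while read -r proto port addr prog; do
        case " $ALLOWED " in *" $proto:$port "*) continue ;; esac
        case "$addr" in 127.0.0.1|::1) continue ;; esac
        printf '%s/%s on %s (%s)\n' "$proto" "$port" "$addr" "$prog"
    done)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Constructed netstat -ntulp output: sshd and ntpd are expected, mysqld is
# loopback-only, but rpcbind and xinetd's tftp are reachable from the network.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1201/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1340/mysqld
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1102/rpcbind
tcp6       0      0 :::22                   :::*                    LISTEN      1201/sshd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           1250/ntpd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           1102/rpcbind
udp        0      0 0.0.0.0:69              0.0.0.0:*                           1099/xinetd'

printf '%s\n' "$SAMPLE" | unexpected_listeners && echo "only baseline listeners" || echo "review the listeners above"
# Live host: netstat -ntulp | unexpected_listeners
```

Run it from cron and mail the output: an unexpected listener appearing after the baseline was taken is one of the cheapest early-warning signs that something was installed or re-enabled on the box.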

Bind MySQL to the loopback interface only, unless remote clients genuinely need to reach it. The directive is bind-address (not bind) and it belongs in the [mysqld] section of /etc/my.cnf:

vi /etc/my.cnf
[mysqld]
bind-address=127.0.0.1 ##This line has to be added manually
:wq!
service mysqld restart

Confirm with 'netstat -ntlp | grep 3306' that mysqld now listens on 127.0.0.1 only.

If NFS or other RPC-based services are not configured, disable rpcbind and the services that depend on it, NFS included.

service rpcbind stop && chkconfig rpcbind off && chkconfig --list rpcbind
You can confirm if rpcbind is locked down by using netstat command as follows:
netstat -ntlp | grep 111

Lockdown NFS daemons:

service nfs stop && chkconfig nfs off && chkconfig --list nfs && netstat -ntlp | grep 2049

Disable Samba if not used:

service smb stop && chkconfig smb off && netstat -ntlp | grep 445
service nmb stop && chkconfig nmb off && netstat -nulp | grep 137
service winbind stop && chkconfig winbind off

Disable DHCPD if not used:

service dhcpd stop && chkconfig dhcpd off && chkconfig --list dhcpd

xinetd-based services such as TFTP and Telnet should be stopped and disabled on the server as well. chkconfig manages xinetd services too:

chkconfig tftp off (the equivalent by hand is disable = yes in /etc/xinetd.d/tftp, followed by service xinetd reload; do the same for telnet)

################################

Configure VSFTPD to use Only SSL/TLS

vi /etc/vsftpd/vsftpd.conf
(Go to the last two lines and update them as follows; they only take effect when ssl_enable=YES and a certificate is configured)
force_local_logins_ssl=yes
force_local_data_ssl=yes
Now search for the string "anonymous_enable" and update it as follows:
anonymous_enable=no
:wq!
service vsftpd restart

This forces local users to log in and transfer data over SSL/TLS, so FTP credentials no longer cross the network in clear text, and it turns anonymous access off.
There is more configuration to it (ssl_enable=YES, the certificate and key paths, and which SSL/TLS versions to permit). You can check for more details @ SSL_VSFTPD
################################

SSH Security:

vi /etc/ssh/sshd_config
AllowUsers soj joe
PermitRootLogin no
:wq!

Add the AllowUsers line (it does not exist by default) and change the existing PermitRootLogin line to no. Type the directives exactly as shown, without trailing notes: sshd only treats whole lines starting with # as comments, and it rejects a single-value keyword followed by extra words. It also uses the first occurrence of each keyword, so edit the existing PermitRootLogin line rather than appending a second one at the end of the file. The above disables direct root login via SSH; only 'soj' and 'joe' can log in, and once in they can su to root if they have the root password. Run 'sshd -t' to validate the file, then 'service sshd restart', keeping your current session open until a fresh login has been confirmed to work.
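The helper below is an added example, not the post's own code: it resolves a keyword the way sshd does (first active occurrence, before any Match block, case-insensitive) and checks that PermitRootLogin and AllowUsers are actually in force. The demo file is constructed to show the common mistake of appending the new lines below an existing "PermitRootLogin yes"; the default path is /etc/ssh/sshd_config.

```sh
#!/bin/sh
# Added example (not from the original post): read sshd_config the way sshd
# does and confirm the settings above are really in force. sshd uses the
# FIRST occurrence of a keyword and treats only lines starting with # as
# comments, so a "PermitRootLogin no" appended at the end of a file that
# already says "yes" changes nothing. The sample file is constructed.

# sshd_effective KEYWORD [FILE]
# Print the value sshd will use for KEYWORD (case-insensitive): the first
# active occurrence before any Match block. Prints nothing if it is unset,
# in which case sshd's compiled-in default applies.
sshd_effective() {
    kw=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v kw="$kw" '
        NF == 0 || $1 ~ /^#/ { next }       # blank or comment line
        tolower($1) == "match" { exit }      # values below are conditional
        tolower($1) == kw {
            $1 = ""                          # keep multi-word values (AllowUsers soj joe)
            sub(/^[[:space:]]+/, ""); sub(/[[:space:]]+$/, "")
            print; exit
        }' "${2:-/etc/ssh/sshd_config}"
}

# audit_sshd [FILE]
# One FAIL line per problem; the return value is the number of failures.
audit_sshd() {
    f=${1:-/etc/ssh/sshd_config}
    fails=0
    prl=$(sshd_effective PermitRootLogin "$f" | tr 'A-Z' 'a-z')
    if [ "$prl" != no ]; then
        echo "FAIL: PermitRootLogin is '${prl:-unset}' (older sshd defaults to yes)"
        fails=$((fails + 1))
    fi
    if [ -z "$(sshd_effective AllowUsers "$f")" ]; then
        echo "FAIL: no AllowUsers line, so every account with a shell may log in"
        fails=$((fails + 1))
    fi
    return $fails
}

# write_demo_sshd FILE: constructed sshd_config where the new lines were
# appended below an existing "PermitRootLogin yes", the common mistake.
write_demo_sshd() {
    printf '%s\n' '# constructed sample, not a real server file' \
        'Protocol 2' 'PermitRootLogin yes' 'PasswordAuthentication yes' \
        'Subsystem sftp /usr/libexec/openssh/sftp-server' \
        'AllowUsers soj joe' 'PermitRootLogin no' > "$1"
}

demo=${TMPDIR:-/tmp}/sshd-demo.$$
write_demo_sshd "$demo"
echo "effective PermitRootLogin: $(sshd_effective PermitRootLogin "$demo")"   # yes, not no
audit_sshd "$demo" && echo "sshd_config OK" || echo "fix the lines above, then: sshd -t && service sshd restart"
rm -f "$demo"
# Live host: audit_sshd /etc/ssh/sshd_config
```

A second check worth adding once keys are rolled out is PasswordAuthentication no, but only after every allowed user has a working key; the point of reading the file as sshd does is that you find out before the restart, not after you are locked out.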

There are so many other security related tasks to lock down your servers which will be discussed in a different post.
