
Secure the server

1. Process Resource Monitor (PRM)

PRM (from RFX Networks) monitors the process table and matches process IDs against the resource limits set in its configuration file or in per-process rules. Processes that match or exceed a limit are logged and killed; it also supports e-mail alerts and logging through the kernel log. Fetch the current release with the command below and install it the same way as LSM in the next section (untar, cd into the folder, run install.sh):

wget http://www.rfxn.com/downloads/prm-current.tar.gz
 
 

2. Linux Socket Monitor (LSM)

LSM is a bash-scripted network socket monitor. It records a baseline of the open network sockets and Unix domain sockets and reports every change against it, which is how a new bindshell or backdoor listener gets noticed.

Installation

Download the tarball:
wget http://rfxnetworks.com/downloads/lsm-current.tar.gz
Untar it:
tar -zxvf lsm-current.tar.gz
Go into the extracted folder:
cd lsm-0.*
Run the installer:
./install.sh
LSM testing
Generate the baseline socket list first (-g), then run a comparison against it (-c). LSM's cron job repeats the comparison and mails the differences, so regenerate the baseline after you deliberately add or remove a service:
/usr/local/sbin/lsm -g
/usr/local/sbin/lsm -c
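The RFX installs on this page (PRM, LSM, and BFD and LES further down) all follow the same fetch, untar, run-the-installer pattern over plain HTTP with no integrity check, which is exactly the place a tampered archive would slip in. As an added example that is not part of the original post nor of RFX Networks' own tooling, the shell below fetches over HTTPS only, verifies the archive against a SHA-256 digest you obtained out of band, and only then unpacks it and runs whichever installer the unpacked directory carries (install.sh for PRM/LSM/LES, install for BFD, as the steps on this page show). The https URL and the digest are placeholders you must supply; the page lists no checksums. verify_and_extract is the reusable part and runs as any user; rfx_install needs root.

```shell
# verify_and_extract TARBALL EXPECTED_SHA256 DESTDIR
# Extracts into DESTDIR only if the digest matches; otherwise returns 1 and
# leaves DESTDIR untouched (it is not even created).
verify_and_extract() {
    tarball=$1; expected=$2; dest=$3
    actual=$(sha256sum "$tarball" | awk '{print $1}')
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $tarball: got $actual, want $expected" >&2
        return 1
    fi
    mkdir -p "$dest" && tar -xzf "$tarball" -C "$dest"
}

# rfx_install URL EXPECTED_SHA256
# Downloads with TLS only (--proto '=https' refuses a downgrade), verifies,
# unpacks into a fresh directory under /usr/local/src and runs the installer.
rfx_install() {
    url=$1; expected=$2
    work=$(mktemp -d /usr/local/src/rfx.XXXXXX) || return 1
    file="$work/$(basename "$url")"
    curl -fsSL --proto '=https' -o "$file" "$url" || return 1
    verify_and_extract "$file" "$expected" "$work" || return 1
    # Each RFX archive unpacks to one top-level directory holding the installer.
    dir=$(find "$work" -mindepth 1 -maxdepth 1 -type d | head -n 1)
    if [ -x "$dir/install.sh" ]; then
        (cd "$dir" && ./install.sh)
    elif [ -x "$dir/install" ]; then
        (cd "$dir" && ./install)
    else
        echo "no installer found in $dir" >&2
        return 1
    fi
}

# Usage (placeholder URL scheme and digest; substitute the real values):
# rfx_install https://www.rfxn.com/downloads/lsm-current.tar.gz \
#     0000000000000000000000000000000000000000000000000000000000000000
```

Keep the expected digests in a file under version control on a machine other than the one being built; a digest copied from the same download page as the archive proves nothing if that page is what was tampered with.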

3. Install ConfigServer Firewall (CSF)

Install csf on the server:
cd /usr/src
wget http://www.configserver.com/free/csf.tgz
tar -zvxf csf.tgz
cd csf
sh install.sh
Open any custom ports your services listen on in /etc/csf/csf.conf by adding them to TCP_IN (and to TCP_OUT or UDP_IN where the service needs them).
Leave TESTING = "1" in /etc/csf/csf.conf for the first start. In testing mode csf installs a cron job that flushes its rules every few minutes, so a mistake in the port lists cannot lock you out, but lfd (the login failure daemon that does the blocking) will not run. Start csf, then from a second terminal confirm that you can still SSH in and that every public service is reachable from outside. Only then set TESTING = "0" and restart csf; from that point the rules are permanent and lfd starts.
Start csf
csf -s
Restart csf
csf -r
Flush/stop csf (removes all rules; the server is open until you start it again)
csf -f
Disable csf and lfd
csf -x
Enable csf and lfd
csf -e
Run "Check Server Security" from the csf page in WHM. None of the following checks should show a warning; where one does, apply the fix the check describes.
Check SSH UseDNS
Check Background Process Killer
Check exim for extended logging (log_selector)
Check apache for mod_security
Check Apache weak SSL/TLS Ciphers (SSLCipherSuite)
Check apache for TraceEnable
Check apache for ServerSignature
Check apache for ServerTokens
Check apache for FileETag
Check mod_userdir protection
Check php for disable_functions
Check php for ini_set disabled
Check php for register_globals
Check php open_basedir protection
Check Anonymous FTP Logins
Check Anonymous FTP Uploads
Check block common domains
Check package updates --> if there is a custom AMP (Apache, MySQL, PHP) build on the server, set the update configuration to manual updates so an automatic update does not overwrite it.
Check server startup for xfs
Check server startup for atd
Check server startup for nfslock
Check server startup for rpcidmapd
Check server startup for bluetooth
Check server startup for canna
Check server startup for FreeWnn
Check server startup for cups-config-daemon
Check server startup for iiim
Check server startup for mDNSResponder
Check server startup for nifd
Check server startup for anacron
Check server startup for gpm
Check server startup for saslauthd
Check server startup for avahi-daemon
Check server startup for avahi-dnsconfd
Check server startup for hidd
Check server startup for pcscd
Check server startup for sbadm
  • CSF variables that control mail server abuse detection (excerpt from /etc/csf/csf.conf with the recommended values):
################################################################################
# Relay Tracking. This allows you to track email that is relayed through the
# server. There are also options to send alerts and block external IP addresses
# if the number of emails relayed per hour exceeds configured limits. The
# blocks can be either permanent or temporary.
# The following information applies to each of the following types of relay
# check:
# RT_[relay type]_ALERT: 0 = disable, 1 = enable
# RT_[relay type]_LIMIT: the limit/hour afterwhich an email alert will be sent
# RT_[relay type]_BLOCK: 0 = no block;1 = perm block;nn=temp block for nn secs


# This option triggers for external email
RT_RELAY_ALERT = "1"
RT_RELAY_LIMIT = "100"
RT_RELAY_BLOCK = "0"

# This option triggers for email authenticated by SMTP AUTH
RT_AUTHRELAY_ALERT = "1"
RT_AUTHRELAY_LIMIT = "100"
RT_AUTHRELAY_BLOCK = "0"

# This option triggers for email authenticated by POP before SMTP
RT_POPRELAY_ALERT = "1"
RT_POPRELAY_LIMIT = "100"
RT_POPRELAY_BLOCK = "0"

# This option triggers for email sent via /usr/sbin/sendmail or /usr/sbin/exim
RT_LOCALRELAY_ALERT = "1"
RT_LOCALRELAY_LIMIT = "100"

# This option triggers for email sent via a local IP addresses
RT_LOCALHOSTRELAY_ALERT = "1"
RT_LOCALHOSTRELAY_LIMIT = "100"


# Block POP3 logins if greater than LT_POP3D times per hour per account per IP
# address (0=disabled)
#
# This is a temporary block for the rest of the hour, afterwhich the IP is
# unblocked
LT_POP3D = "60"

# Block IMAP logins if greater than LT_IMAPD times per hour per account per IP
# address (0=disabled) - not recommended for IMAP logins due to the ethos
# within which IMAP works. If you want to use this, setting it quite high is
# probably a good idea
#
# This is a temporary block for the rest of the hour, afterwhich the IP is
# unblocked
LT_IMAPD = "60"

# Send an email alert if an account exceeds LT_POP3D/LT_IMAPD logins per hour
# per IP
LT_EMAIL_ALERT = "1"

# If LF_PERMBLOCK is enabled but you do not want this to apply to
# LT_POP3D/LT_IMAPD, then enable this option
LT_SKIPPERMBLOCK = "0"

# Block outgoing SMTP except for root, exim and mailman, so that web scripts
# and local users have to go through the exim binary (where relay tracking and
# LF_SCRIPT_ALERT can see them) instead of opening sockets to port 25 directly
SMTP_BLOCK = "1"

# If SMTP_BLOCK is enabled but you want to allow local connections to port 25
# on the server (e.g. for webmail or web scripts) then enable this option to
# allow outgoing SMTP connections to the loopback device
SMTP_ALLOWLOCAL = "1"

# This is a comma separated list of the ports to block. You should list all
# ports that exim is configured to listen on
SMTP_PORTS = "25,26"

# Always allow the following comma separated users and groups to bypass
# SMTP_BLOCK
#
# Note: root (UID:0) is always allowed
SMTP_ALLOWUSER = "cpanel"
SMTP_ALLOWGROUP = "mail,mailman"


# [*]Enable login failure detection of pop3 connections
LF_POP3D = "10"
LF_POP3D_PERM = "1"

# [*]Enable login failure detection of imap connections
LF_IMAPD = "10"
LF_IMAPD_PERM = "1"

# This option will notify you when a large amount of email is sent from a
# particular script on the server, helping track down spam scripts
LF_SCRIPT_ALERT = "1"

# The limit afterwhich the email alert for email scripts is sent. Care should
# be taken with this value if you allow clients to use web scripts to maintain
# pseudo-mailing lists which have large recipients

LF_SCRIPT_LIMIT = "100"

# Checks the length of the exim queue and sends an alert email if the value of
# settings is exceeded.

LF_QUEUE_ALERT = "2000"

# The interval between mail queue checks in seconds.

LF_QUEUE_INTERVAL = "300"
################################################################################
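The two mistakes this section is most often tripped by are leaving TESTING on after the SSH check (lfd never starts and csf keeps flushing itself) and leaving the mail-abuse controls above at their disabled values. As an added example, not from the original post or the csf project, the shell below audits a csf.conf for those settings: csf_get reads the KEY = "value" syntax csf.conf uses, csf_audit prints one line per deviation and returns the count, and csf_demo runs it over a constructed sample file that shows the state you are in right after the first start.

```shell
# csf_get KEY FILE: print the value of a   KEY = "value"   line (last one wins).
# KEY must match exactly, so LF_POP3D does not pick up LF_POP3D_PERM.
csf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | tail -n 1
}

# csf_audit FILE: one line per deviation on stdout; returns the count (0 = clean)
csf_audit() {
    f=$1; n=0
    [ "$(csf_get TESTING "$f")" = "0" ] || { echo "TESTING is not 0: csf is in test mode and lfd will not run"; n=$((n + 1)); }
    [ "$(csf_get SMTP_BLOCK "$f")" = "1" ] || { echo "SMTP_BLOCK is not 1: scripts can reach remote port 25 directly"; n=$((n + 1)); }
    for key in RT_RELAY_ALERT RT_AUTHRELAY_ALERT RT_POPRELAY_ALERT LF_SCRIPT_ALERT; do
        [ "$(csf_get "$key" "$f")" = "1" ] || { echo "$key is not 1: no alert for this relay type"; n=$((n + 1)); }
    done
    for key in LF_POP3D LF_IMAPD; do
        v=$(csf_get "$key" "$f")
        [ -n "$v" ] && [ "$v" -gt 0 ] 2>/dev/null || { echo "$key is unset or 0: no login-failure blocking"; n=$((n + 1)); }
    done
    return "$n"
}

# csf_demo: constructed csf.conf fragment, the state right after the first
# start described above (TESTING still 1, SMTP_BLOCK still off). Returns 2.
csf_demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
TESTING = "1"
TCP_IN = "20,21,22,25,53,80,110,143,443"
SMTP_BLOCK = "0"
RT_RELAY_ALERT = "1"
RT_AUTHRELAY_ALERT = "1"
RT_POPRELAY_ALERT = "1"
LF_SCRIPT_ALERT = "1"
LF_POP3D = "10"
LF_IMAPD = "10"
EOF
    rc=0; csf_audit "$tmp" || rc=$?
    rm -f "$tmp"
    return "$rc"
}

# On a real server:  csf_audit /etc/csf/csf.conf
```

Run the audit after every csf upgrade as well: csf.conf is merged on upgrade, and a value you changed by hand is easy to lose without noticing.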
 
 
 

Install RkHunter (Rootkit Hunter)

rkhunter scans the system for known rootkits, backdoors, suspicious files and insecure settings and reports what it finds so you can harden further. Installation is a single package (on CentOS it comes from the EPEL repository):
yum install rkhunter
Update its data files and record a baseline of file properties before the first scan, otherwise every later run reports the packaged binaries as changed:
rkhunter --update
rkhunter --propupd
To run all checks:
rkhunter --checkall
OR
rkhunter -c
For unattended runs, rkhunter --cronjob --report-warnings-only prints only the warnings, which is what you want mailed from cron.
The available options are listed with:
rkhunter --help

Install Portsentry

Portsentry detects port scans and logs them (and can block the scanning host). Download the source package of portsentry from sourceforge.net, unpack it, change into the extracted directory and build:
wget http://path/to/portsentry-1.2.tar.gz
tar zxf portsentry-1.2.tar.gz
make linux
make install
If the build fails like this:
make linux
SYSTYPE=linux
Making
gcc -O -Wall -DLINUX -DSUPPORT_STEALTH -o ./portsentry ./portsentry.c \
./portsentry_io.c ./portsentry_util.c
./portsentry.c: In function ‘PortSentryModeTCP':
./portsentry.c:1187: warning: pointer targets in passing argument 3 of ‘accept’ differ in signedness
./portsentry.c: In function ‘PortSentryModeUDP':
./portsentry.c:1384: warning: pointer targets in passing argument 6 of ‘recvfrom’ differ in signedness
./portsentry.c: In function ‘Usage':
./portsentry.c:1584: error: missing terminating " character
./portsentry.c:1585: error: ‘sourceforget’ undeclared (first use in this function)
./portsentry.c:1585: error: (Each undeclared identifier is reported only once
./portsentry.c:1585: error: for each function it appears in.)
./portsentry.c:1585: error: expected ‘)’ before ‘dot’
./portsentry.c:1585: error: stray ‘\’ in program
./portsentry.c:1585: error: missing terminating " character
./portsentry.c:1595: error: expected ‘;’ before ‘}’ token
make: *** [linux] Error 1
To fix:
Open portsentry.c and find the printf in Usage(). A stray line break splits its string literal across two lines (hence the "missing terminating" error); join it back onto one line so it reads:
printf ("Copyright 1997-2003 Craig H. Rowland <craigrowland at users dot sourceforget dot net>\n");
Then run make linux and make install again.
To launch portsentry in stealth TCP and UDP mode:
/usr/local/psionic/portsentry/portsentry -stcp
/usr/local/psionic/portsentry/portsentry -sudp
Portsentry logs through syslog; check /var/log/messages (or /var/log/secure, depending on the syslog configuration) to confirm it is running and to see what it has caught.

Prevent IP spoofing (resolver check)

With nospoof on in /etc/host.conf the resolver cross-checks every reverse lookup: after an address is turned into a name, the name is resolved forward again and the answer is rejected if the original address is not among the results. This stops a forged PTR record from making an attacker's host appear under a trusted name in logs and in hostname-based access control; it does nothing against spoofed packets themselves, which is what the rp_filter setting in the sysctl section below is for. Edit /etc/host.conf and add the following lines; if you run a BIND resolver locally, list bind first as shown:
order bind,hosts
nospoof on
Two caveats: on glibc the lookup order is taken from the hosts line of /etc/nsswitch.conf, so the order line above is honoured only by older C libraries, and current glibc releases accept the nospoof keyword without acting on it. Check host.conf(5) on your system, and never treat a reverse DNS name as proof of identity.

Install ClamAV

Antivirus scanning is the last layer: it catches worms and trojans that arrive in mail and in uploaded files. Install clamav, a free open-source antivirus engine for Linux (more information on the clamav website); on CentOS the packages come from EPEL:
yum install clamav
Once installed, the basic commands are:
1. Update the signature database (do this before the first scan and keep it on a schedule, otherwise the scanner is useless)
freshclam
2. Run a scan. The scanner binary is clamscan, not clamav; -r recurses into directories and -i lists only infected files
clamscan -r -i /home
3. Run it daily from cron
Run crontab -e and add the following line. A user crontab has no user field; the extra "root" column belongs only in /etc/crontab or /etc/cron.d.
02 1 * * * clamscan -r -i --log=/var/log/clamscan.log /var/www
This scans the web root daily at 01:02. Change the folder to whatever you need (mail spools, /home and so on).


Linux Kernel /etc/sysctl.conf Hardening

Add the following to /etc/sysctl.conf and load it with sysctl -p. Every line is a key = value pair; sysctl -w commands do not belong in this file (sysctl -p reports them as unknown keys and skips them).

# Turn on ExecShield (only exists on RHEL/CentOS 5 and 6 kernels; newer
# kernels enforce NX on their own and report this key as unknown)
kernel.exec-shield = 1
# Full address space layout randomisation (2 = stack, mmap base and brk;
# 1 leaves the brk area unrandomised)
kernel.randomize_va_space = 2

# Enable IP spoofing protection (reverse path filtering)
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Disable IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Ignore ICMP echo requests sent to broadcast addresses (smurf amplification)
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Make sure spoofed (martian) packets get logged
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# Disable ICMP routing redirects: neither accept nor send them
# (IPv6 has no send_redirects key)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Disable the magic SysRq key
kernel.sysrq = 0

# Turn off TCP selective acknowledgement. This costs throughput on lossy
# links; keep it only if you have a reason beyond this checklist.
net.ipv4.tcp_sack = 0

# Turn off TCP timestamps. This hides the uptime estimate a remote host can
# derive from them, but also disables PAWS and RTT measurement; same caveat.
net.ipv4.tcp_timestamps = 0

# Enable TCP SYN cookie protection against SYN floods
net.ipv4.tcp_syncookies = 1

# Ignore bogus ICMP error responses
net.ipv4.icmp_ignore_bogus_error_responses = 1
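sysctl -p only prints an error for a key it cannot set and carries on, so a misspelled key (an earlier draft of this list had icmp_ignore_bogus_error_messages, which does not exist) or a key missing from the running kernel leaves that protection silently off. The only proof that a line took effect is the value in /proc/sys. As an added example, not from the original post, the shell below reads each key = value line of a sysctl.conf-style file, maps the key to its /proc/sys path and compares the running value, reporting keys that are missing or hold a different value. The PROCROOT argument (default /proc/sys) exists so the check can run against a constructed tree, which sysctl_demo does; on a real server call sysctl_verify /etc/sysctl.conf after sysctl -p.

```shell
# key_to_path KEY [PROCROOT]
#   net.ipv4.conf.all.rp_filter -> /proc/sys/net/ipv4/conf/all/rp_filter
key_to_path() {
    printf '%s/%s\n' "${2:-/proc/sys}" "$(printf '%s' "$1" | tr . /)"
}

# sysctl_verify WANTFILE [PROCROOT]
# WANTFILE uses sysctl.conf syntax (key = value or key=value, '#' comments).
# Prints one line per missing key or differing value; returns the count.
# Multi-value keys whose running value contains tabs (e.g. port ranges)
# would need whitespace normalisation; none of the keys above are like that.
sysctl_verify() {
    want=$1; root=${2:-/proc/sys}; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                        # strip comments
        case $line in *=*) ;; *) continue ;; esac
        key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
        val=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -n "$key" ] || continue
        path=$(key_to_path "$key" "$root")
        if [ ! -r "$path" ]; then
            echo "MISSING  $key: no $path (typo, or not supported by this kernel)"
            bad=$((bad + 1))
        elif [ "$(cat "$path")" != "$val" ]; then
            echo "MISMATCH $key: running=$(cat "$path") wanted=$val"
            bad=$((bad + 1))
        fi
    done < "$want"
    return "$bad"
}

# sysctl_demo: constructed stand-in for /proc/sys in which rp_filter and
# syncookies are set, accept_redirects is still 1, and the misspelled key has
# no file at all. Returns 2 (one MISMATCH, one MISSING).
sysctl_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/proc/net/ipv4/conf/all"
    echo 1 > "$d/proc/net/ipv4/conf/all/rp_filter"
    echo 1 > "$d/proc/net/ipv4/conf/all/accept_redirects"
    echo 1 > "$d/proc/net/ipv4/tcp_syncookies"
    cat > "$d/want.conf" <<'EOF'
# Enable IP spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_ignore_bogus_error_messages = 1
EOF
    rc=0; sysctl_verify "$d/want.conf" "$d/proc" || rc=$?
    rm -rf "$d"
    return "$rc"
}
```

Schedule the real check from cron alongside the other scanners: a kernel upgrade can drop a key (ExecShield is the obvious one) and a later sysctl.conf edit can break a line, and neither produces a visible failure on its own.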
 
 
 
chkrootkit

----------

cd /usr/local/src

wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

or, from the mirror:

wget http://www.net-security.org/dl/software/chkrootkit.tar.gz

tar xvzf chkrootkit.tar.gz

cd chkrootkit*

make sense

To run it weekly from cron, create the file:

vi /etc/cron.weekly/chkrootkit.sh

and insert the following (the directory name must match the version you unpacked; 0.49 below is the version current when this was written):

#!/bin/bash

(cd /usr/local/src/chkrootkit-0.49; ./chkrootkit 2>&1 | mail -s "chkrootkit scan details" mgtalrt@futurehosting.com)

or, mailing root instead:

#!/bin/bash

(cd /usr/local/src/chkrootkit-0.49; ./chkrootkit 2>&1 | mail -s "chkrootkit scan details" root)

Make it executable:

chmod +x /etc/cron.weekly/chkrootkit.sh
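Both the chkrootkit cron script above and the clamscan cron line in the ClamAV section mail the whole scanner transcript every run, and a mailbox that fills with identical "not infected" reports is one nobody reads when the one real hit arrives. As an added example, not from the original post, the shell below is a cron wrapper that mails only the flagged lines and only when there are any: chkrootkit_hits and clamscan_hits keep the lines each tool uses to flag a detection, and report_if_findings delivers them and returns their count. The sample scanner output in the usage comments is constructed; the recipient is a placeholder, and delivery goes through mail(1) unless REPORT_SENDER names another function.

```shell
# chkrootkit_hits: the lines chkrootkit uses to flag something
chkrootkit_hits() { grep -E 'INFECTED|Warning'; }

# clamscan_hits: clamscan prints "path: Signature FOUND" for each detection
clamscan_hits() { grep -E ' FOUND$'; }

# send_report BODY SUBJECT RECIPIENT: default delivery via mail(1)
send_report() { printf '%s\n' "$1" | mail -s "$2" "$3"; }

# report_if_findings FILTER SUBJECT RECIPIENT  < scanner-output
# Mails the flagged lines only when there are any and returns their count
# (capped at 255 because it is an exit status). Set REPORT_SENDER to a
# function taking BODY SUBJECT RECIPIENT to replace mail(1).
report_if_findings() {
    filter=$1; subject=$2; to=$3
    hits=$("$filter")
    [ -n "$hits" ] || return 0
    count=$(printf '%s\n' "$hits" | wc -l | tr -d ' ')
    "${REPORT_SENDER:-send_report}" "$hits" "$subject ($count findings)" "$to"
    if [ "$count" -gt 255 ]; then count=255; fi
    return "$count"
}

# Cron versions of the two jobs on this page (save this file as, say,
# /usr/local/sbin/scan-report.sh, source it from the cron script, then):
#   (cd /usr/local/src/chkrootkit-0.49 && ./chkrootkit 2>&1) \
#       | report_if_findings chkrootkit_hits "chkrootkit weekly" root
#   clamscan -r -i /var/www 2>&1 \
#       | report_if_findings clamscan_hits "clamscan /var/www" root
#
# Constructed chkrootkit output the filter sees, two of these lines are kept:
#   Checking `basename'... not infected
#   Checking `bindshell'... INFECTED (PORTS:  465)
#   Checking `lkm'... chkproc: Warning: Possible LKM Trojan installed
```

Keep the unfiltered transcript somewhere as well (append it to a log file before the pipe) so that when a report does arrive you can read the full context, and remember that chkrootkit and rkhunter run on a possibly compromised host: a rootkit that hides from ps and ls also hides from them, which is why the socket baseline from LSM and an off-host log copy still matter.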
 
 
bfd

---

BFD (Brute Force Detection, also from RFX) parses the authentication logs and hands repeat offenders to the firewall (it integrates with csf/apf or plain iptables).

cd /usr/local/src

wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz

tar -xvzf bfd-current.tar.gz

cd bfd-1.4/

./install

Enable e-mail alerts in the configuration file:

vi /usr/local/bfd/conf.bfd

alert=1

Run a scan of the logs:

bfd -s



les

===

LES (Linux Environment Security, also from RFX) sets immutable attributes and restrictive permissions on system binaries and paths so that a compromised account cannot replace them.

cd /usr/local/src

wget http://www.r-fx.ca/downloads/les-current.tar.gz

tar -zxvf les-current.tar.gz

cd les-0.*

./install.sh

Enable its hardening groups (secure binaries, secure paths, and the remaining options; see les --help for what each covers):

les -sb 1

les -sp 1

les -so 1

 



