LINUX: Guide to Secure your Web Server

Author:

mario

CATEGORIES: Linux

DATE: Friday, April 1st, 2011 at 7:01 pm

For most people Linux security is a nightmare and, to be honest, it is. More to the point, hardening a server is not a set-it-and-forget-it proposition: a good server admin checks security and improves it as needed. Because environments differ, I recommend hiring a professional, and this guide will not necessarily work for your specific setup. There are no absolutes, so constant monitoring is essential. Running a web server makes things a bit harder, since several services have to stay enabled and each one needs attention so you do not break anything while locking it down. In this short guide we will touch on a few of the most important security issues a Linux web server administrator has to address.

Important: This guide assumes you run Linux (most distros), the Apache web server (a current release) and have working knowledge of SSH. In my case I use Fedora 6.

So let's get to work!

Disable anonymous FTP: Some FTP daemons permit anonymous access, which means anyone in the world can read certain files. If anonymous access is set up correctly only a restricted set of files is reachable, but some FTP daemons switch on anonymous FTP merely because a user named ftp exists on the system, so you may be running anonymous FTP without realising it. If you do not need FTP at all, the safest option is to stop and remove the daemon; otherwise disable anonymous logins as follows.

To disable it, SSH to the server and find the file vsftpd.conf; it lives in /etc or /etc/vsftpd depending on your distribution. Scroll down in the file and look for the following lines:
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES

This looks straightforward, but do not simply comment the line out: as the comment above it warns, vsftpd of this era treats a missing or commented-out anonymous_enable as YES. Change the value so the line reads anonymous_enable=NO, save (^O in pico or nano) and exit (^X), then restart the vsftpd service so the new setting takes effect.
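To make the commented-out case concrete, here is a small shell check and fix added for this section; it is not code from the original post or from vsftpd. It reads a vsftpd.conf on standard input, reports whether anonymous logins would be allowed, and can rewrite the file with anonymous_enable=NO. It assumes the default the config comment above describes (commented out means allowed), and the sample configuration is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post or from vsftpd): check and fix
# the anonymous_enable setting of a vsftpd.conf read on standard input.

# Constructed sample: the two lines quoted in the post, plus one more option.
SAMPLE_VSFTPD_CONF='# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES
local_enable=YES'

# Print YES, NO or UNKNOWN for the effective anonymous_enable value.
# Assumption taken from the config comment above: a commented-out or missing
# line means the daemon default, which in this vsftpd generation is YES.
anon_ftp_enabled() {
    anon_value=$(grep -E '^[[:space:]]*anonymous_enable[[:space:]]*=' \
        | tail -n 1 | sed 's/.*=[[:space:]]*//' | tr -d '[:space:]')
    case "$anon_value" in
        '')          echo YES ;;      # absent or commented out: default applies
        YES|TRUE|1)  echo YES ;;      # boolean spellings vsftpd's parser accepts
        NO|FALSE|0)  echo NO ;;
        *)           echo UNKNOWN ;;  # vsftpd refuses to start on a bad boolean
    esac
}

# Rewrite the config so every anonymous_enable line (commented or not) reads NO;
# if no such line exists, append one so the default can no longer apply.
disable_anon_ftp() {
    conf=$(cat)
    if printf '%s\n' "$conf" | grep -qE '^[[:space:]]*#?[[:space:]]*anonymous_enable[[:space:]]*='; then
        printf '%s\n' "$conf" \
            | sed -E 's/^[[:space:]]*#?[[:space:]]*anonymous_enable[[:space:]]*=.*/anonymous_enable=NO/'
    else
        printf '%s\n' "$conf"
        echo 'anonymous_enable=NO'
    fi
}

# Demo: report the sample, then show that the rewritten version checks as NO.
printf '%s\n' "$SAMPLE_VSFTPD_CONF" | anon_ftp_enabled
printf '%s\n' "$SAMPLE_VSFTPD_CONF" | disable_anon_ftp | anon_ftp_enabled
```

On a real server run `anon_ftp_enabled < /etc/vsftpd/vsftpd.conf` (or the /etc path) before and after editing; a result of UNKNOWN means a typo vsftpd will refuse at start-up, which you want to catch before restarting the service.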

OS and Apache updates: Since this step depends on your distribution I am not going to list every option here; go to your vendor's website and search the forums, FAQs or documentation to see how it applies to you. On Debian and Ubuntu this mostly means sudo apt-get update followed by sudo apt-get upgrade; on Fedora and Red Hat derivatives the equivalent is yum update.

Restrict SSH Access: (Credit 000000000 at cPanel Forums)

To restrict and secure SSH access, bind sshd to a single IP that is different from the server's main IP, and move it off port 22. Keep in mind that a non-standard port only cuts down the automated noise in your logs; the settings that actually keep attackers out are Protocol 2, PermitRootLogin no and, ideally, key-based authentication in place of passwords.

SSH into server and login as root.

Note: From Windows you can use PuTTY, a single executable that runs without installation.

At command prompt type:
pico /etc/ssh/sshd_config
Scroll down to the section of the file that looks like this:
#Port 22
#Protocol 2, 1
#ListenAddress 0.0.0.0
#ListenAddress ::

Uncomment and change
#Port 22
to look like
Port 5678 (choose your own unused port; anything from 1024 up to 65535, the highest possible port number, keeps you out of the privileged range)
Uncomment and change
#Protocol 2, 1
to look like
Protocol 2
Uncomment and change
#ListenAddress 0.0.0.0
to look like
ListenAddress 123.123.123.15 (this has to be an IP address assigned to your server)
Note: If you would like to disable direct Root Login, scroll down until you find
#PermitRootLogin yes
and uncomment it and make it look like
PermitRootLogin no
Save by pressing ^O on your keyboard, and then exit by pressing ^X on your keyboard.

Note: You can also create a DNS hostname specifically for your new SSH IP address, something like ssh.xyz.com: add an A record for it to your zone file pointing at that IP.

Now restart SSH

At command prompt type:
/etc/rc.d/init.d/sshd restart
Before restarting, run sshd with its -t flag (test mode), which checks the edited configuration for syntax errors and prints nothing when it is clean. Then restart, keep this session open, and from a second window log in using the new IP (or hostname) and the new port.

Note: Should the new login fail, fix the problem from the session you left open and try again. Do not fall back to Telnet as a rescue path: it sends the root password across the network in clear text, and you will be disabling it later in this guide. If you have no session left at all, you will need console access from your hosting provider.
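The steps above, as an added shell example that is not part of the original post or of OpenSSH: it takes an sshd_config on standard input and emits a hardened copy with the port, protocol, listen address and root-login settings, validates the port, and includes a helper that reads back the effective value of a keyword. Rather than uncommenting lines in place it removes every existing copy of those keywords and writes its own at the top, because sshd honours the first occurrence of most keywords and a stray later line would otherwise win. The sample config, the port and the address are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenSSH): produce a hardened
# sshd_config from the one read on standard input.
# Usage: harden_sshd_config PORT LISTEN_IP < sshd_config > sshd_config.new

# Constructed sample: the commented defaults quoted in the post plus two options.
SAMPLE_SSHD_CONF='#Port 22
#Protocol 2, 1
#ListenAddress 0.0.0.0
#ListenAddress ::
#PermitRootLogin yes
X11Forwarding no
UsePAM yes'

harden_sshd_config() {
    new_port=$1
    listen_ip=$2
    case "$new_port" in
        ''|*[!0-9]*) echo "harden_sshd_config: port must be a number" >&2; return 1 ;;
    esac
    # Stay above the privileged range and within the 16-bit port space.
    if [ "$new_port" -lt 1024 ] || [ "$new_port" -gt 65535 ]; then
        echo "harden_sshd_config: port must be between 1024 and 65535" >&2
        return 1
    fi
    if [ -z "$listen_ip" ]; then
        echo "harden_sshd_config: listen address required" >&2
        return 1
    fi
    # sshd uses the FIRST occurrence of most keywords, so instead of uncommenting
    # lines in place we emit our settings first and drop every other copy of
    # them, commented or not. Port and ListenAddress may legitimately repeat;
    # dropping the extra ListenAddress lines is what binds sshd to a single IP.
    printf 'Port %s\nProtocol 2\nListenAddress %s\nPermitRootLogin no\n' "$new_port" "$listen_ip"
    grep -vE '^[[:space:]]*#?[[:space:]]*(Port|Protocol|ListenAddress|PermitRootLogin)([[:space:]]|$)' || true
}

# Effective value of a keyword in the config on standard input: the first
# uncommented occurrence, as sshd resolves it (keywords are case-insensitive).
sshd_setting() {
    awk -v key="$1" 'tolower($1) == tolower(key) { print $2; exit }'
}

# Demo: harden the sample and show the result.
printf '%s\n' "$SAMPLE_SSHD_CONF" | harden_sshd_config 5678 123.123.123.15
```

On a real box write the output to a scratch file, check it with `sshd -t -f /tmp/sshd_config.new`, and only then copy it over /etc/ssh/sshd_config and restart; the scratch file is the safety net that keeps a typo from locking you out.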

*** Optional | Set an SSH Legal Message ***

To create an SSH legal message, SSH into server and login as root.

At command prompt type:
pico /etc/motd
Enter your message, save and exit.

Note: I use the following message…
ALERT! You are entering a secured area! Your IP and login information
have been recorded. This system is restricted to authorized access only.
All activities on this system are recorded and logged. Unauthorized access will be fully
investigated and reported to the appropriate law enforcement agencies.

Now every time someone logs in (any user, not only root) they will see this message after authenticating; go ahead and try it. If you want the notice shown before the password prompt, where it has the most legal weight, point the Banner directive in sshd_config at a file containing the same text.

Disable Telnet connections: The Telnet daemon, which usually listens on port 23, needs to be removed, as SSH is a far better way to log in remotely. The big difference between Telnet and SSH is that SSH provides an encrypted communications path between two hosts over a potentially insecure network, so users' passwords and other sensitive data never cross the network in clear text.

SSH into server and login as root.

At the shell prompt type the following command and press Enter. This example uses pico to edit the file; you can use vi or any other text editor.
pico -w /etc/xinetd.d/telnet
Locate the following line:
disable = no
Change it to look like
disable = yes
Save (^O) and exit (^X).

Now restart the xinetd service, which manages Telnet, with the following command:
/etc/rc.d/init.d/xinetd restart
Turn off Telnet through chkconfig as well because it can still start through that:
/sbin/chkconfig telnet off

Create an automatic notification every time someone logs in as root: It is very useful to know when someone logs in to your server, so I recommend this as well. The following generates an email (or a text message, via an email-to-SMS gateway) to the administrator whenever root gets an interactive login shell.

At command prompt type:
pico /root/.bash_profile
Scroll down to the end of the file and add the following line:
echo "ALERT - Root Shell Access on: $(date) $(who am i)" | mail -s "Alert: Root Access from $(who am i | awk '{print $NF}' | tr -d '()')" your@email.com
Save (^O) and exit (^X). Two caveats: this only fires for login shells (an SSH login or su -), not for a single command run over SSH, and an intruder who already has root can simply delete the line, so send the alert to a mailbox off the server and do not treat silence as proof that nobody logged in.

Disable identification output for Apache: You might be thinking, why hide what Apache is? The answer is simple: an attacker collects every piece of information available before developing the actual attack, and knowing your Apache version tells them exactly which known bugs to try, since every release has bugs that get fixed in the next one, which in turn has its own.

At command prompt type:
pico /etc/httpd/conf/httpd.conf
Scroll (way) down and change the following line to
ServerSignature Off
This removes the version footer from server-generated pages such as error messages. The Server: response header is controlled separately by the ServerTokens directive, whose default (Full) still announces the exact version and operating system on every response, so set ServerTokens to Prod as well; otherwise the banner keeps leaking.
Restart Apache
At command prompt type:
/etc/rc.d/init.d/httpd restart
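An added check for this step (example code, not from the original post or from the Apache project): it reads an httpd.conf on standard input and reports the effective ServerTokens and ServerSignature values, falling back to Apache's documented defaults (Full and Off) when a directive is absent or commented out. The sample configuration is constructed; it mirrors a file where only ServerSignature was changed, which is exactly the case the text above warns about.

```shell
#!/bin/sh
# Added example (not from the original post or from Apache): report what the
# httpd.conf read on standard input lets Apache reveal about itself.

# Constructed sample: a config where only the page footer was switched off.
SAMPLE_HTTPD_CONF='ServerRoot "/etc/httpd"
# ServerTokens Prod
ServerSignature Off'

# Print the effective ServerTokens and ServerSignature values. Comment lines are
# skipped, directive names are case-insensitive, the last occurrence wins, and
# Apache's documented defaults (Full and Off) apply when a directive is absent.
apache_banner_settings() {
    awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "servertokens"    { tokens = $2 }
        tolower($1) == "serversignature" { sig = $2 }
        END {
            if (tokens == "") tokens = "Full"
            if (sig == "") sig = "Off"
            printf "ServerTokens=%s\nServerSignature=%s\n", tokens, sig
        }'
}

# Succeed only when both the Server: header and the page footer are minimal.
# ServerSignature Off on its own is the trap: the header still carries the
# version unless ServerTokens is Prod (long form ProductOnly).
apache_banner_hardened() {
    settings=$(apache_banner_settings)
    case "$settings" in
        *ServerTokens=[Pp]rod*) ;;
        *) return 1 ;;
    esac
    case "$settings" in
        *ServerSignature=Off*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo: the sample only turned the footer off, so the version still leaks.
printf '%s\n' "$SAMPLE_HTTPD_CONF" | apache_banner_settings
if printf '%s\n' "$SAMPLE_HTTPD_CONF" | apache_banner_hardened; then
    echo "banner: hardened"
else
    echo "banner: still leaking the version"
fi
```

Run `apache_banner_hardened < /etc/httpd/conf/httpd.conf` after editing; once it succeeds, confirm from outside with a request and look at the Server: header, which should read just "Apache".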
Install APF Firewall and configure it: There is a lot of information on APF firewall (Advanced Policy Firewall) on their user forums, for that reason I recommend you to check their site at www.rfxnetworks.com. I believe APF deserves its own post so I will eventually publish a guide on this specific subject including configuration and other options.

Install chkrootkit: This tool locally checks for signs of a rootkit, the set of modified binaries, kernel modules and hidden files an intruder leaves behind to keep access and hide their presence. Bear in mind that it runs on the possibly compromised system using that system's own tools, so a clean result is reassuring but not proof of a clean box.

Download the chkrootkit program to /usr/src, and then untar.

In shell, type in the following commands:
cd /usr/src
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar zxvf chkrootkit.tar.gz
cd chkrootkit-0.43
make sense

Thats it! To run the chkrootkit, in shell type:
./chkrootkit
If you wish to run chkrootkit on a daily basis, and allow it to send out a report via email, follow these steps:
cd /etc/cron.daily
touch chkrootkit.cron

Next, use your favorite text editor and add the following text to the chkrootkit.cron file:
#!/bin/bash
cd /usr/src/chkrootkit-0.43/
./chkrootkit 2>&1 | mail -s "chkrootkit daily report" username@yourdomain.com

Note: Replace username@yourdomain.com with your email. Make the script executable (chmod 700) or cron will skip it, and on Debian-based systems name it chkrootkit rather than chkrootkit.cron, because their run-parts ignores files whose names contain a dot.

Install BFD (Brute Force Detection):

At command prompt type:
cd /root/
wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz
tar -xvzf bfd-current.tar.gz
cd bfd-0.4
./install.sh
After BFD has been installed, you need to edit the configuration file.

At command prompt type:
pico /usr/local/bfd/conf.bfd
Under Enable brute force hack attempt alerts:

Find
ALERT_USR=0
and change it to
ALERT_USR=1
Find
EMAIL_USR=root
and change it to
EMAIL_USR=your@email.com
Save (^O) the changes then exit (^X).

To start BFD

At command prompt type:
/usr/local/sbin/bfd -s
Install and learn to use Webmin: Webmin is a web-based system administration interface for Unix. It simplifies daily administration tasks like no other tool around, and there are several third-party modules that extend its functionality. Download the latest build at www.webmin.com. Remember that Webmin is itself a network-facing service running as root (it listens on port 10000 by default), so restrict access to your own addresses in the firewall, use it over HTTPS, and keep it updated like everything else.

Enforce a password policy: My Linux boxes log hundreds of brute force attempts every day, and I cannot stress enough the importance of strong passwords. Attackers use wordlists and rainbow tables, which are precomputed tables of hashes that let them look up a password from its unsalted hash instead of guessing it, and these can even be purchased online. Against plain guessing, what matters is the size of the search space. Upper- and lowercase letters plus digits give 62 possibilities for each position; watch how quickly the count grows with each extra character:

1 character = 62^1 = 62

2 characters = 62^2 = 3844

3 characters = 62^3 = 238,328

4 characters = 62^4 = 14,776,336

5 characters = 62^5 = 916,132,832

6 characters = 62^6 = 56,800,235,584

7 characters = 62^7 = 3,521,614,606,208

8 characters = 62^8 = 218,340,105,584,896

9 characters = 62^9 = 13,537,086,546,263,552

10 characters = 62^10 = 839,299,365,868,340,224

A cracking rig of this era that produces 900 million SHA-1 guesses in 7 hours (about 36,000 per second) would need around 745,000 years to exhaust the 10-character space above, so a long random password is out of reach of brute force; what falls in days or minutes is a short password, a dictionary word, a pattern such as a name plus a year, or an unsalted hash that a rainbow table already covers. Enough said: make your passwords long, mix uppercase, lowercase, digits and symbols, and make sure the system stores them salted (current Linux distributions do in /etc/shadow), so an intruder has real trouble recovering them.
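An added example of the arithmetic and of a policy check, written for this section and not part of the original post. The policy itself (at least 10 characters and at least three of the four classes upper, lower, digit, symbol) is my assumption, as is the 33-symbol count for printable ASCII punctuation and space; the keyspace routine refuses to overflow 64-bit arithmetic rather than silently wrapping, and the guess rate used in the demo is the 900 million in 7 hours quoted above.

```shell
#!/bin/sh
# Added example (not from the original post): keyspace arithmetic and a simple
# password-policy check. The policy thresholds and the 33-symbol count for
# printable ASCII punctuation and space are assumptions made for this example.

# Print "<classes> <charset>": how many of the four character classes the
# password uses, and the alphabet size an attacker must then assume
# (26 upper + 26 lower + 10 digits + 33 other printable ASCII characters).
password_profile() {
    classes=0; charset=0
    printf '%s' "$1" | LC_ALL=C grep -q '[[:upper:]]'  && classes=$((classes + 1)) && charset=$((charset + 26))
    printf '%s' "$1" | LC_ALL=C grep -q '[[:lower:]]'  && classes=$((classes + 1)) && charset=$((charset + 26))
    printf '%s' "$1" | LC_ALL=C grep -q '[[:digit:]]'  && classes=$((classes + 1)) && charset=$((charset + 10))
    printf '%s' "$1" | LC_ALL=C grep -q '[^[:alnum:]]' && classes=$((classes + 1)) && charset=$((charset + 33))
    echo "$classes $charset"
}

# Policy (assumed): at least 10 characters and at least three of the four classes.
password_ok() {
    [ "${#1}" -ge 10 ] || return 1
    set -- $(password_profile "$1")
    [ "$1" -ge 3 ]
}

# charset^length, as in the table above, refusing to overflow 64-bit arithmetic.
keyspace() {
    size=$1; len=$2; acc=1; i=0
    max=9223372036854775807
    while [ "$i" -lt "$len" ]; do
        if [ "$acc" -gt $((max / size)) ]; then
            echo "more than $max"; return 0
        fi
        acc=$((acc * size)); i=$((i + 1))
    done
    echo "$acc"
}

# Whole years needed to try every candidate at $3 guesses per second.
years_to_exhaust() {
    space=$(keyspace "$1" "$2")
    case "$space" in more*) echo "$space"; return 0 ;; esac
    echo $(( space / $3 / 31536000 ))
}

# Demo with the post's own numbers: 62 symbols, 10 characters,
# 900 million guesses in 7 hours (about 35714 per second).
echo "keyspace 62^10 = $(keyspace 62 10)"
echo "years at 35714 guesses/s: $(years_to_exhaust 62 10 35714)"
for pw in 'password123' 'Tr0ub4dor&3'; do
    if password_ok "$pw"; then echo "$pw: meets policy"; else echo "$pw: rejected"; fi
done
```

The check is deliberately the same shape as the rules pam_cracklib enforces (minimum length plus a class count); wire a policy like it into PAM rather than relying on users to remember the advice.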

Learn how to check the server logs: You should check the logs on your system periodically; everything vital about its current state can be seen there. Manually reading every file takes time, and time is precious, so there are tools that automate checking your system logs. I use cPanel products (and others), but if you are looking for a freebie, try LogSentry.
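The detection logic behind a brute-force monitor like the BFD section above, and the kind of log check this section recommends, as one added shell example (not from the original post, BFD or LogSentry): it reads syslog-style sshd lines on standard input, counts failed logins per source address, lists the sources over a threshold, and flags any address that succeeded after failing, which is the event worth paging on. The log lines are constructed for the demo and use documentation addresses.

```shell
#!/bin/sh
# Added example (not from the original post, BFD or LogSentry): brute-force
# detection over sshd log lines read on standard input.

# Constructed sample in syslog format, using RFC 5737 documentation addresses.
SAMPLE_AUTH_LOG='Apr  1 19:01:02 web1 sshd[2143]: Failed password for root from 203.0.113.7 port 51022 ssh2
Apr  1 19:01:04 web1 sshd[2145]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Apr  1 19:01:05 web1 sshd[2147]: Failed password for root from 203.0.113.7 port 51041 ssh2
Apr  1 19:01:09 web1 sshd[2150]: Accepted publickey for mario from 198.51.100.20 port 40100 ssh2
Apr  1 19:02:11 web1 sshd[2160]: Failed password for invalid user oracle from 192.0.2.55 port 60001 ssh2
Apr  1 19:05:00 web1 sshd[2170]: Accepted password for root from 203.0.113.7 port 51100 ssh2'

# Print "<failures> <ip>" per source address, busiest first. "invalid user"
# lines shift the columns, so the address is taken as the word after "from"
# rather than from a fixed field number.
failed_logins_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i < NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
         }
         END { for (ip in fails) print fails[ip], ip }' | sort -rn
}

# Addresses with at least $1 failures: the trigger a tool like BFD acts on.
brute_force_sources() {
    failed_logins_by_ip | awk -v min="$1" '$1 >= min { print $2 }'
}

# Addresses that got an Accepted login after failing: a guess that worked, the
# one event that should page you rather than wait for the daily report.
successes_after_failures() {
    awk '/sshd\[[0-9]+\]: (Failed|Accepted) (password|publickey) for / {
            for (i = 1; i < NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if ($0 ~ /: Failed /) failed[ip] = 1; else accepted[ip] = 1
         }
         END { for (ip in accepted) if (ip in failed) print ip }'
}

# Demo: tally the sample, list sources over a threshold of 3, flag successes.
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_by_ip
printf '%s\n' "$SAMPLE_AUTH_LOG" | brute_force_sources 3
printf '%s\n' "$SAMPLE_AUTH_LOG" | successes_after_failures
```

On a Fedora box of this era the input is /var/log/secure (Debian uses /var/log/auth.log); `successes_after_failures < /var/log/secure` is the one-liner worth adding to the daily cron report next to chkrootkit.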

You MUST check the vendor websites regularly for updates: This applies to the Distro, Apache and other software you use like SSH, Webmin, Firewall, etc.

Please submit your comments. If you want something added to this guide, let me know as well; if it is good enough I will post it and credit your collaboration.


