Techy: Handy Security Tips

If you have a new box that you want to use for web hosting etc., here are just a few of the things you can do to help make it secure. This list is not comprehensive, nor do I take any responsibility for any harm that may come to your server if you use any of these commands. These are mainly “quick reference” commands in case I need them in a rush (for example: we’ve put a box online and need it at least “semi-secured”; we’ll spend more time securing a box than just running these commands, but they’re a good starting point).

Run commands as root/su:

Disable telnet
Modify /etc/xinetd.d/telnet (the file may be named differently on your installation) and change disable=no to disable=yes.

Disable code compilation
Add a compiler group: /usr/sbin/groupadd compiler
Move to the correct directory: cd /usr/bin
Make the most common compilers and the linker/assembler part of the compiler group:
chgrp compiler *cc*
chgrp compiler *++*
chgrp compiler ld
chgrp compiler as

Set the group on mysqlaccess back to root (it matches *cc* but is not a compiler): chgrp root mysqlaccess
Set permissions so only root and the compiler group can run them:
chmod 750 *cc*
chmod 750 *++*
chmod 750 ld
chmod 750 as
chmod 755 mysqlaccess

To add users to the group, modify /etc/group and change compiler:x:123: to compiler:x:123:username1,username2 (‘123’ will be different on your installation)
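A quick audit of the lockdown above, added here as an example (it is not from the original post): it lists the compiler and linker binaries in a directory that are still executable by "other". The sample tree it builds under mktemp is constructed; on a real host you would point find_open_compilers at /usr/bin.

```shell
#!/bin/sh
# Added example, not from the original post: audit the compiler lockdown above.
# Lists the compiler and linker binaries in a bin directory that are still
# executable by "other", i.e. where the chmod 750 step did not take effect.
# Only the mode is checked; the chgrp half needs the compiler group to exist.
# On a live host run:  find_open_compilers /usr/bin

find_open_compilers() {
    dir="$1"
    for f in "$dir"/*cc* "$dir"/*++* "$dir"/ld "$dir"/as; do
        [ -e "$f" ] || continue            # glob matched nothing: skip the pattern
        case "$f" in
            */mysqlaccess) continue ;;     # matches *cc* but is deliberately 755
        esac
        # column 10 of "ls -l" is the execute bit for "other" (x, or t if sticky)
        case "$(ls -ld "$f" | cut -c10)" in
            x|t) basename "$f" ;;
        esac
    done
}

# Constructed sample tree standing in for /usr/bin: the recipe was applied but
# "cc" itself was missed. Prints the directory path so callers can inspect it.
build_demo_tree() {
    d=$(mktemp -d)
    for b in cc gcc g++ ld as mysqlaccess; do
        : > "$d/$b"
        chmod 755 "$d/$b"
    done
    chmod 750 "$d/gcc" "$d/g++" "$d/ld" "$d/as"
    printf '%s\n' "$d"
}

demo=$(build_demo_tree)
echo "Still world-executable in $demo:"
find_open_compilers "$demo"               # prints: cc
rm -rf "$demo"
```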

Disable direct root login: SSH
Modify /etc/ssh/sshd_config.
Ensure the Protocol line is not commented out and reads Protocol 2 (only the stronger protocol version 2 is then accepted)
Modify PermitRootLogin yes to PermitRootLogin no
Restart SSHD: /etc/rc.d/init.d/sshd restart

Disable direct root login: ProFTP
Modify /etc/proftpd.conf
Add RootLogin off
Restart ProFTP:
/sbin/service proftpd stop
/sbin/service proftpd start

Restrict access to Inet services
Modify /etc/hosts.allow
Suggested format:
# Approved IP addresses
ALL: 192.168.0.1
ALL: 192.168.5.2
# CSV uploader machine
proftpd: 10.0.0.5
# pop3 from anywhere
ipop3: ALL

Modify /etc/hosts.deny
ALL:ALL EXCEPT localhost:DENY

Mount /tmp as non-executable
(not recommended for Cpanel servers)
cd /dev
Create a 100Mb storage file (the “count” sets the size): dd if=/dev/zero of=tmpMnt bs=1024 count=100000
Make an extended filesystem on it: /sbin/mke2fs /dev/tmpMnt (answer yes to “…is not a block special device. Continue?”)
Back up the existing temp files: cp -R /tmp/ /tmp_backup
Mount the new file system with noexec: mount -o loop,rw,nosuid,noexec /dev/tmpMnt /tmp
chmod 0777 /tmp (note that the usual mode for /tmp is 1777; the sticky bit stops users deleting each other’s files)

Copy the backup files back: cp -R /tmp_backup/* /tmp/
Remove the backups: rm -rf /tmp_backup
Modify /etc/fstab and add the following line to ensure the mount point is recreated on boot (the spaces are tabs):
/dev/tmpMnt /tmp ext2 loop,rw,nosuid,noexec 0 0
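To confirm the mount actually came up with the options above (after the manual mount and again after a reboot), here is an added check that is not part of the original post. It parses /proc/mounts-format text; the snapshot below is constructed, and on a live host you would pass "$(cat /proc/mounts)" instead.

```shell
#!/bin/sh
# Added example, not from the original post: confirm that a mount point really
# carries the options the recipe sets. Works on /proc/mounts-format text so it
# can be exercised on the constructed snapshot below; on a live host call
#   mount_missing_opts /tmp "nosuid noexec" "$(cat /proc/mounts)"

# Usage: mount_missing_opts MOUNTPOINT "opt1 opt2 ..." MOUNTS_TEXT
# Prints each required option that is absent from MOUNTPOINT (nothing when all
# are present). Returns 2 when MOUNTPOINT does not appear in MOUNTS_TEXT at all.
mount_missing_opts() {
    mp="$1"; want="$2"; mounts="$3"
    # /proc/mounts fields: device mountpoint fstype options dump pass.
    # The last matching line wins, as a later mount shadows an earlier one.
    opts=$(printf '%s\n' "$mounts" | awk -v mp="$mp" '$2 == mp { print $4 }' | tail -n 1)
    [ -n "$opts" ] || return 2
    for o in $want; do
        case ",$opts," in
            *,"$o",*) ;;                 # option present
            *) printf '%s\n' "$o" ;;     # option missing
        esac
    done
}

# Constructed snapshot: the loop file is mounted on /tmp, but noexec was left off.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/loop0 /tmp ext2 rw,nosuid 0 0
proc /proc proc rw 0 0'

if missing=$(mount_missing_opts /tmp "nosuid noexec" "$SAMPLE_MOUNTS"); then
    if [ -z "$missing" ]; then
        echo "/tmp is mounted with nosuid and noexec"
    else
        echo "/tmp is missing: $missing"      # prints: /tmp is missing: noexec
    fi
else
    echo "/tmp is not a separate mount point"
fi
```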

Remove unused RPMs
Create a file called “cleardown” with the following contents:
#!/bin/bash
# Remove unneeded RPMs
# by jd_waverly
# Please read this script completely before executing to verify that you are
# not using any of these rpms

# Remove # from following line to display every command as it executes
#set -x
# Add # in front of any you don't want removed
# Several removals are commented out by default including:
#
# ipchains
# squid
# grub
# mutt
# mouseconfig
# rdate
# kernel source code
# ash shell

echo Rebuilding rpm database
echo Please wait
# Make sure rpm database is clean before beginning
rpm --rebuilddb

echo Removing Ghostscript and Japanese vector fonts

# Description of these modules
# VFlib2 Japanese vectorfont library
# VFlib2-devel Japanese vectorfont development support
# ghostscript Postscript interpreter and renderer
# ghostscript-fonts Ghostscript postscript fonts
rpm -e VFlib2 VFlib2-devel ghostscript ghostscript-fonts

echo Removing unused Print Utilities

rpm -e LPRng printconf #print spooler
rpm -e pnm2ppa #HP printer drivers
rpm -e mpage #Page print utility
rpm -e Omni Omni-foomatic #Omni print driver management
rpm -e foomatic #Printer driver database

echo Removing typically unused network services
# Descriptions of modules see below for the rest
# portmap manage RPC connections
# ypbind NIS client binding
# rusers-server rusers command server
# rwall-server rwall message server
# nfs-utils NFS server
# ypserv NIS server
# yp-tools NIS client programs

rpm -e portmap ypbind rusers-server rwall-server nfs-utils ypserv yp-tools

rpm -e dhcpcd #DHCP support
rpm -e finger #finger client
rpm -e finger-server #finger server
#rpm -e ipchains lokkit #ipchains not needed if using iptables

#SNMP support is a security risk
# rpm -e php-snmp-4.2.2-2ensim5 #php snmp support under ensim
rpm -e ucd-snmp ucd-snmp-utils ucd-snmp-devel

#rpm -e squid #squid proxy server
rpm -e talk #Talk client program
rpm -e talk-server #Talk server
rpm -e radvd #IPV6 router advertisement
rpm -e inews #For posting usenet articles
rpm -e inn #News server

echo Removing rsh, rlogin, rcp, rwho, rusers, rdate support
rpm -e rsh #rsh, rlogin, rcp command
#rpm -e rdate #rdate program
rpm -e rsh-server #rsh server
rpm -e rwho #rwho command

echo Removing utilities
rpm -e a2ps #postscript converter
rpm -e aspell #spell checker
#rpm -e ash #alternative to bourne shell

echo Removing various font support
#Description of modules see below for the rest
# chkfontpath Font path for X server
# urw-fonts Postscript fonts
# ttfonts-ja Japanese TrueType fonts
rpm -e chkfontpath urw-fonts ttfonts-ja
rpm -e nkf #Kanji code converter
rpm -e watanabe-vf #Watanabe font

echo Removing mouse support utilities and links browser
#rpm -e mouseconfig #mouse setup
#rpm -e mc #midnight commander
rpm -e gpm gpm-devel links #console mouse support and links www browser

echo Removing Docbook support
rpm -e docbook-utils docbook-utils-pdf
rpm -e docbook-style-dsssl #docbook style sheets
rpm -e docbook-dtd30-sgml docbook-dtd31-sgml #docbook style sheets
rpm -e docbook-dtd40-sgml docbook-dtd41-sgml #docbook style sheets

echo Removing useless hardware support
rpm -e bcm5820 #broadcomm comm processor support
rpm -e efax #fax program
rpm -e hotplug #hotplug USB support
rpm -e eject #software media eject support
rpm -e apmd #laptop power management is dangerous on a server
rpm -e hwcrypto #hardware crypto support
rpm -e pciutils #tweak tool for pci hardware
rpm -e kudzu-devel pciutils-devel #hardware development tools

echo Removing file management tools
rpm -e CVS #CVS software development management
rpm -e rcs #file management tool

echo Removing Tex text formatting
rpm -e tetex tetex-dvilj tetex-latex tetex-afm tetex-dvips tetex-fonts jadetex

echo Removing various mail utilities
#rpm -e mutt #text mode mail agent
rpm -e fetchmail #PPP mail client

echo Removing various development packages
#Carnegie Mellon Cyrus mail system development package
rpm -e cyrus-sasl-devel

echo Removing SGML utilities
rpm -e psgml #Emacs SGML support
rpm -e sgml-tools #text formatting suite

echo Removing grub
#rpm -e grub #grub not used by RS

echo Removing DOS utilities
rpm -e mkbootdisk dosfstools #Make dos boot disk and FAT filesystem support

echo Removing Redhat logos
rpm -e redhat-logos

echo Removing kernel development tools and source
rpm -e ksymoops #kernel error message devel tool
#rpm -e kernel-source-2.4.18-18.7.x #kernel source code for devel
#rpm -e kernel-source-2.4.18-17.7.x #kernel source code

echo Removals complete
exit

Run it using: /bin/bash cleardown

Firewall ports
A firewall is necessary and I quite like Cheetaweb’s “APF”/iptables based one.
This can be downloaded from http://download.cheetaweb.com/apf-0.8.7-1.i386.rpm and installed using rpm -Uvh apf-0.8.7-1.i386.rpm.
You’ll need to modify /etc/apf/conf.apf to use the correct ports for the web server software you are using:
Cpanel servers:
TCP_CPORTS="21,22,53,80,110,443,2082,2083,2086,2087,2095,2096"
Ensim/Ensim Pro servers:
TCP_CPORTS="21,22,25,53,80,110,143,443,19638"
# Common UDP Ports
UDP_CPORTS="53"
Run on reboot: /sbin/chkconfig --level 2345 apf on
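Before starting APF it is worth checking that the TCP_CPORTS line really contains every port the panel needs; the check below is an added example, not part of the original post or of APF. The conf.apf excerpt it reads is constructed, and on a live host you would pass "$(cat /etc/apf/conf.apf)".

```shell
#!/bin/sh
# Added example, not from the original post: check a conf.apf-style file for
# the panel ports before starting APF. It reads the TCP_CPORTS assignment and
# prints every port from a required list that is not in it. The config text
# below is constructed; on a live host pass "$(cat /etc/apf/conf.apf)".
# Port ranges written as LOW_HIGH are not expanded; only exact entries match.

# Usage: missing_tcp_ports "port port ..." CONF_TEXT
missing_tcp_ports() {
    want="$1"; conf="$2"
    # Last uncommented TCP_CPORTS line wins; strip quotes and stray spaces so
    # that "21, 22" is treated the same as "21,22".
    have=$(printf '%s\n' "$conf" \
        | sed -n 's/^[[:space:]]*TCP_CPORTS=["'\'']*\([^"'\'']*\).*/\1/p' \
        | tail -n 1 | tr -d ' ')
    for p in $want; do
        case ",$have," in
            *,"$p",*) ;;                 # port is open
            *) printf '%s\n' "$p" ;;     # port is missing
        esac
    done
}

# Ports the post lists for a Cpanel server.
CPANEL_PORTS="21 22 53 80 110 443 2082 2083 2086 2087 2095 2096"

# Constructed conf.apf excerpt in which 443 (https) was forgotten.
SAMPLE_CONF='# Common inbound (ingress) TCP ports
TCP_CPORTS="21,22,53,80,110,2082,2083,2086,2087,2095,2096"
# Common UDP Ports
UDP_CPORTS="53"'

missing=$(missing_tcp_ports "$CPANEL_PORTS" "$SAMPLE_CONF")
if [ -n "$missing" ]; then
    echo "conf.apf does not open: $missing"   # prints: conf.apf does not open: 443
else
    echo "conf.apf opens every required port"
fi
```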

Hide Apache Information
Show only that you are running Apache: no details of any of the modules or version numbers.
Modify /etc/httpd/conf/httpd.conf
Change the ServerSignature line to:
ServerSignature Off
and add/amend:
ServerTokens ProductOnly
Restart Apache: /sbin/service httpd restart
Cpanel users: This may break the “Needs upgrade” display on WHM.

Hide PHP information
Modify php.ini (locations vary) from:
expose_php=On
to:
expose_php=Off
You may need to restart Apache.
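To verify both of the header changes above from the outside, here is an added check that is not part of the original post: it reads a captured HTTP response and reports whether the Server header still carries a version and whether X-Powered-By is still present. The two responses below are constructed; on a live host you would feed it the output of curl -sI http://localhost/.

```shell
#!/bin/sh
# Added example, not from the original post: check a captured HTTP response
# header block for what the two steps above are meant to hide. The responses
# below are constructed; on a live host feed it the output of
#   curl -sI http://localhost/

# Prints "server-version" when the Server header says more than a bare product
# name (anything with a "/" or a space, e.g. "Apache/1.3.27 (Unix)"), and
# "x-powered-by" when PHP still announces itself. Prints nothing when clean.
header_leaks() {
    headers=$(printf '%s\n' "$1" | tr -d '\r')      # drop CRLF line endings
    server=$(printf '%s\n' "$headers" \
        | awk 'tolower($1) == "server:" { sub(/^[^:]*:[ \t]*/, ""); print; exit }')
    case "$server" in
        "")          ;;                 # no Server header: nothing to leak
        */*|*" "*)   echo server-version ;;
    esac
    if printf '%s\n' "$headers" | grep -qi '^x-powered-by:'; then
        echo x-powered-by
    fi
}

# Constructed response from a default install, before the changes above.
LEAKY_RESPONSE='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2007 00:00:00 GMT
Server: Apache/1.3.27 (Unix) PHP/4.2.2 mod_ssl/2.8.12
X-Powered-By: PHP/4.2.2
Content-Type: text/html'

# Constructed response after ServerTokens ProductOnly and expose_php=Off.
CLEAN_RESPONSE='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2007 00:00:00 GMT
Server: Apache
Content-Type: text/html'

echo "before:"; header_leaks "$LEAKY_RESPONSE"   # prints server-version and x-powered-by
echo "after:";  header_leaks "$CLEAN_RESPONSE"   # prints nothing
```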

Install ChkRootKit
Download ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
Unpack it: tar xvzf chkrootkit.tar.gz
Compile it:
cd chkrootkit*
make sense

Remove the install file: rm ../chkrootkit.tar.gz
Find out the “full path”: pwd
Add a cronjob to run daily by creating a file called “chkrootkit” in /etc/cron.daily containing the following (substitute the directory printed by pwd for “full path”):
#!/bin/bash
/"full path"/chkrootkit -q | mail -s "[servername] chkrootkit Output" youremailaddress@example.com

Chmod it: chmod 755 /etc/cron.daily/chkrootkit

Install System Integrity Monitor
See http://www.r-fx.net/sim.php for full information.

6 Comments

  1. One for the bookmarks :). Thanks Richy.

  2. Mike

    Careful when removing rpm -e aspell #spell checker

    This is used by Horde for spell checking if you wish to enable it.

  4. Great info on the compiler details… We also suggest a host based IDS like Tripwire, AIDE or similar products.

  5. varghese

    While configuring firewall for Cpanel servers, you need to leave port 2089 open for cpanel license to work correctly. Cpanel uses 2089 to communicate with the license server.
