Techy: Handy Security Tips

August 9th, 2003 by Richy B.

If you have a new box you want to use for web hosting etc., here are a few of the things you can do to help make it secure. This list is not comprehensive, nor do I take any responsibility for any harm that may come to your server if you use any of these commands. These are mainly “quick reference” commands in case I need them in a rush (for example: we’ve put a box online and need it at least “semi-secured”. We’ll spend a bit more time securing a box than just running these commands, but they’re a good starting point).

Run commands as root/su:

Disable telnet
Modify /etc/xinetd.d/telnet (the file name may differ on your installation) and change disable=no to disable=yes.

Disable code compilation
Add a compiler group: /usr/sbin/groupadd compiler
Move to the correct directory: cd /usr/bin
Make the most common compilers (plus the linker and assembler) part of the compiler group:
chgrp compiler *cc*
chgrp compiler *++*
chgrp compiler ld
chgrp compiler as

The *cc* pattern also matches mysqlaccess, so set its group back: chgrp root mysqlaccess
Set permissions so that only root and members of the compiler group can run them:
chmod 750 *cc*
chmod 750 *++*
chmod 750 ld
chmod 750 as
chmod 755 mysqlaccess

To add users to the group, modify /etc/group and change compiler:x:123: to compiler:x:123:username1,username2 (‘123’ will be different on your installation)
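An added audit helper (not part of the original post) to confirm the lockdown above took effect: it lists binaries matching the same patterns (*cc*, *++*, ld, as) that are still world-executable or not owned by the expected group. It assumes bash and GNU stat (Linux), and skips mysqlaccess because the post deliberately returns it to group root, mode 755.

```bash
#!/bin/bash
# Added audit helper, not from the original post. Assumes bash and GNU stat.
# Run as: unlocked_compilers /usr/bin compiler

# compiler_candidates DIR -> prints matching file names, one per line
compiler_candidates() {
  local f
  for f in "$1"/*cc* "$1"/*++* "$1"/ld "$1"/as; do
    [ -f "$f" ] || continue                  # an unmatched glob stays literal; skip it
    case "${f##*/}" in mysqlaccess) continue ;; esac   # deliberately left 755/root
    printf '%s\n' "${f##*/}"
  done | sort -u
}

# world_executable MODE -> 0 if the octal MODE (e.g. 755 or 4755) has the "other" x bit
world_executable() {
  [ $(( 8#$1 & 1 )) -ne 0 ]
}

# unlocked_compilers DIR GROUP -> prints "name mode group" for every candidate
# that is still world-executable or not owned by GROUP; returns 1 if any found
unlocked_compilers() {
  local dir=$1 grp=$2 name mode group rc=0
  while read -r name; do
    [ -n "$name" ] || continue
    mode=$(stat -c %a "$dir/$name")          # GNU stat: permissions in octal
    group=$(stat -c %G "$dir/$name")         # owning group name
    if world_executable "$mode" || [ "$group" != "$grp" ]; then
      printf '%s %s %s\n' "$name" "$mode" "$group"; rc=1
    fi
  done <<<"$(compiler_candidates "$dir")"
  return $rc
}
```

A clean run prints nothing and exits 0, which makes it suitable for a cron job that mails only on failure.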

Disable direct root login: SSH
Modify /etc/ssh/sshd_config.
Ensure the Protocol line is not commented out and reads Protocol 2 (SSH protocol version 1 has known cryptographic weaknesses, so this allows only the stronger version 2).
Change PermitRootLogin yes to PermitRootLogin no
Restart SSHD: /etc/rc.d/init.d/sshd restart

Disable direct root login: ProFTP
Modify /etc/proftpd.conf
Add RootLogin off
Restart ProFTP /sbin/service proftpd stop
/sbin/service proftpd start

Restrict access to Inet services
Modify /etc/hosts.allow
Suggested format:
# Approved IP addresses
ALL: 192.168.0.1
ALL: 192.168.5.2
# CSV uploader machine
proftpd: 10.0.0.5
# pop3 from anywhere
ipop3: ALL

Modify /etc/hosts.deny
ALL:ALL EXCEPT localhost:DENY
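An added example (not from the original post) that evaluates the hosts.allow and hosts.deny samples above for a given daemon and client, so a rule set can be checked before relying on it. It implements only the subset of hosts_access(5) the samples use (ALL, exact host/IP, dot-terminated prefix, "list EXCEPT list", an optional ": DENY"/": ALLOW" field) and assumes bash.

```bash
#!/bin/bash
# Added example, not from the original post. Subset of hosts_access(5): hosts.allow is
# checked first and its first matching rule grants access (refuses it if the rule ends
# in ": DENY"); then hosts.deny, whose first match refuses; no match at all = allow.

# Constructed copies of the sample files shown above.
HOSTS_ALLOW='# Approved IP addresses
ALL: 192.168.0.1
ALL: 192.168.5.2
# CSV uploader machine
proftpd: 10.0.0.5
# pop3 from anywhere
ipop3: ALL'
HOSTS_DENY='ALL:ALL EXCEPT localhost:DENY'

# list_matches LIST VALUE -> 0 if VALUE matches "a, b" or "a EXCEPT b"
list_matches() {
  local item
  case "$1" in *" EXCEPT "*)
    list_matches "${1%% EXCEPT *}" "$2" && ! list_matches "${1#* EXCEPT }" "$2"; return ;;
  esac
  for item in ${1//,/ }; do      # word splitting also trims stray whitespace
    case "$item" in ALL) return 0 ;; *.) case "$2" in "$item"*) return 0 ;; esac ;; "$2") return 0 ;; esac
  done
  return 1
}

# first_match RULES DAEMON CLIENT -> prints the option field of the first matching rule
first_match() {
  local line dlist clist opt
  while IFS= read -r line; do
    IFS=: read -r dlist clist opt <<<"${line%%#*}"    # comment stripped
    [ -n "${dlist//[[:space:]]/}" ] || continue       # blank line
    if list_matches "$dlist" "$2" && list_matches "$clist" "$3"; then
      echo "${opt//[[:space:]]/}"; return 0
    fi
  done <<<"$1"
  return 1
}

# hosts_access DAEMON CLIENT -> prints allow or deny
hosts_access() {
  local opt
  if opt=$(first_match "$HOSTS_ALLOW" "$1" "$2"); then
    [ "$opt" = DENY ] && echo deny || echo allow
  elif opt=$(first_match "$HOSTS_DENY" "$1" "$2"); then
    [ "$opt" = ALLOW ] && echo allow || echo deny
  else echo allow
  fi
}
```

With the sample files, hosts_access sshd 10.0.0.5 prints deny while hosts_access proftpd 10.0.0.5 prints allow, which is exactly the split the CSV uploader rule is meant to produce.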

Mount /tmp as being not executable
(not recommended for Cpanel servers)
cd /dev
Create a 100MB storage file (the “count” is the number of 1KB blocks): dd if=/dev/zero of=tmpMnt bs=1024 count=100000
Make an ext2 filesystem on it: /sbin/mke2fs /dev/tmpMnt (answer yes to “…is not a block special device. Continue?”)
Back up the existing temp files: cp -R /tmp/ /tmp_backup
Mount the new file system with noexec: mount -o loop,rw,nosuid,noexec /dev/tmpMnt /tmp
chmod 0777 /tmp (a standard /tmp is 1777, i.e. world-writable with the sticky bit set so users can only remove their own files)

Copy the backup files back: cp -R /tmp_backup/* /tmp/
Remove the backups: rm -rf /tmp_backup
Modify /etc/fstab and add the following line so the mount point is recreated on boot (the spaces are tabs):
/dev/tmpMnt /tmp ext2 loop,rw,nosuid,noexec 0 0
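An added audit helper (not part of the original post) for the /tmp procedure above: it checks that a mount point carries nosuid and noexec in /etc/fstab or /proc/mounts text, and includes a live probe because a wrong fstab line leaves /tmp back on the root filesystem after a reboot with no error. It assumes bash and a Linux mount table format.

```bash
#!/bin/bash
# Added audit helper, not from the original post. Reads "device mountpoint fstype
# options ..." lines as found in /etc/fstab and /proc/mounts.

# mount_opts MOUNTS_TEXT MOUNTPOINT -> prints the options of the last matching
# entry (a later mount shadows an earlier one); returns 1 if there is none
mount_opts() {
  local dev mnt fs opts rest last=
  while read -r dev mnt fs opts rest; do
    case "$dev" in ''|'#'*) continue ;; esac      # blank or comment line
    [ "$mnt" = "$2" ] && last=$opts
  done <<<"$1"
  [ -n "$last" ] || return 1
  printf '%s\n' "$last"
}

# has_opt OPTS NAME -> 0 if NAME is present as a whole comma-separated option
has_opt() {
  case ",$1," in *",$2,"*) return 0 ;; esac
  return 1
}

# missing_opts MOUNTS_TEXT MOUNTPOINT -> prints the hardening options that are
# absent (or "not-a-mount-point"); returns 1 in either case, 0 when all present
missing_opts() {
  local opts missing= o
  opts=$(mount_opts "$1" "$2") || { echo not-a-mount-point; return 1; }
  for o in nosuid noexec; do
    has_opt "$opts" "$o" || missing="$missing $o"
  done
  [ -z "$missing" ] || { echo "${missing# }"; return 1; }
}

# probe_exec DIR -> 0 if a script written into DIR can be run directly, 1 if the
# kernel refuses (noexec), 2 if DIR is not writable. Note that "sh script" still
# works on a noexec mount: the option only stops direct execution of dropped files.
probe_exec() {
  local f rc
  f=$(mktemp "$1/noexec-probe.XXXXXX") || return 2
  printf '#!/bin/sh\nexit 0\n' >"$f" && chmod 700 "$f"
  "$f" 2>/dev/null; rc=$?
  rm -f "$f"
  [ "$rc" -eq 0 ]
}

# Live checks (results depend on the machine this runs on):
# missing_opts "$(cat /proc/mounts)" /tmp && echo "/tmp options OK"
# probe_exec /tmp && echo "/tmp allows execution" || echo "/tmp blocks execution"
```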

Remove unused RPMs
Create a file called “cleardown” with the following contents:
#!/bin/bash
# Remove unneeded RPMs
# by jd_waverly
# Please read this script completely before executing to verify that you are
# not using any of these rpms

# Remove # from following line to display every command as it executes
#set -x
# Add # in front of any you don't want removed
# Several removals are commented out by default including:
#
# ipchains
# squid
# grub
# mutt
# mouseconfig
# rdate
# kernel source code
# ash shell

echo Rebuilding rpm database
echo Please wait
# Make sure rpm database is clean before beginning
rpm --rebuilddb

echo Removing Ghostscript and Japanese vector fonts

# Description of these modules
# VFlib2 Japanese vectorfont library
# VFlib2-devel Japanese vectorfont development support
# ghostscript Postscript interpreter and renderer
# ghostscript-fonts Ghostscript postscript fonts
rpm -e VFlib2 VFlib2-devel ghostscript ghostscript-fonts

echo Removing unused Print Utilities

rpm -e LPRng printconf #print spooler
rpm -e pnm2ppa #HP printer drivers
rpm -e mpage #Page print utility
rpm -e Omni Omni-foomatic #Omni print driver management
rpm -e foomatic #Printer driver database

echo Removing typically unused network services
# Descriptions of modules see below for the rest
# portmap manage RPC connections
# ypbind NIS client binding
# rusers-server rusers command server
# rwall-server rwall message server
# nfs-utils NFS server
# ypserv NIS server
# yp-tools NIS client programs

rpm -e portmap ypbind rusers-server rwall-server nfs-utils ypserv yp-tools

rpm -e dhcpcd #DHCP support
rpm -e finger #finger client
rpm -e finger-server #finger server
#rpm -e ipchains lokkit #ipchains not needed if using iptables

#SNMP support is a security risk
# rpm -e php-snmp-4.2.2-2ensim5 #php snmp support under ensim
rpm -e ucd-snmp ucd-snmp-utils ucd-snmp-devel

#rpm -e squid #squid proxy server
rpm -e talk #Talk client program
rpm -e talk-server #Talk server
rpm -e radvd #IPV6 router advertisement
rpm -e inews #For posting usenet articles
rpm -e inn #News server

echo Removing rsh, rlogin, rcp, rwho, rusers, rdate support
rpm -e rsh #rsh, rlogin, rcp command
#rpm -e rdate #rdate program
rpm -e rsh-server #rsh server
rpm -e rwho #rwho command

echo Removing utilities
rpm -e a2ps #postscript converter
rpm -e aspell #spell checker
#rpm -e ash #alternative to bourne shell

echo Removing various font support
#Description of modules see below for the rest
# chkfontpath Font path for X server
# urw-fonts Postscript fonts
# ttfonts-ja Japanese TrueType fonts
rpm -e chkfontpath urw-fonts ttfonts-ja
rpm -e nkf #Kanji code converter
rpm -e watanabe-vf #Watanabe font

echo Removing mouse support utilities and links browser
#rpm -e mouseconfig #mouse setup
#rpm -e mc #midnight commander
rpm -e gpm gpm-devel links #console mouse support and links www browser

echo Removing Docbook support
rpm -e docbook-utils docbook-utils-pdf
rpm -e docbook-style-dsssl #docbook style sheets
rpm -e docbook-dtd30-sgml docbook-dtd31-sgml #docbook style sheets
rpm -e docbook-dtd40-sgml docbook-dtd41-sgml #docbook style sheets

echo Removing useless hardware support
rpm -e bcm5820 #Broadcom crypto processor support
rpm -e efax #fax program
rpm -e hotplug #hotplug USB support
rpm -e eject #software media eject support
rpm -e apmd #laptop power management is dangerous on a server
rpm -e hwcrypto #hardware crypto support
rpm -e pciutils #tweak tool for pci hardware
rpm -e kudzu-devel pciutils-devel #hardware development tools

echo Removing file management tools
rpm -e cvs #CVS software development management (package name is lower case)
rpm -e rcs #file management tool

echo Removing Tex text formatting
rpm -e tetex tetex-dvilj tetex-latex tetex-afm tetex-dvips tetex-fonts jadetex

echo Removing various mail utilities
#rpm -e mutt #text mode mail agent
rpm -e fetchmail #remote mail (POP3/IMAP) retrieval client

echo Removing various development packages
#Carnegie Mellon Cyrus mail system development package
rpm -e cyrus-sasl-devel

echo Removing SGML utilities
rpm -e psgml #Emacs SGML support
rpm -e sgml-tools #text formatting suite

echo Removing grub
#rpm -e grub #grub not used by RS

echo Removing DOS utilities
rpm -e mkbootdisk dosfstools #Make dos boot disk and FAT filesystem support

echo Removing Redhat logos
rpm -e redhat-logos

echo Removing kernel development tools and source
rpm -e ksymoops #kernel error message devel tool
#rpm -e kernel-source-2.4.18-18.7.x #kernel source code for devel
#rpm -e kernel-source-2.4.18-17.7.x #kernel source code

echo Removals complete
exit

Run it using: /bin/bash cleardown

Firewall ports
A firewall is necessary and I quite like Cheetaweb’s “APF”, an iptables-based one.
This can be downloaded from http://download.cheetaweb.com/apf-0.8.7-1.i386.rpm and installed using rpm -Uvh apf-0.8.7-1.i386.rpm.
You’ll need to modify /etc/apf/conf.apf to use the correct ports for the web server software you are using:
Cpanel servers:
TCP_CPORTS="21,22,53,80,110,443,2082,2083,2086,2087,2095,2096"
Ensim/Ensim Pro servers:
TCP_CPORTS="21,22,25,53,80,110,143,443,19638"
# Common UDP Ports
UDP_CPORTS="53"
Enable it on reboot: /sbin/chkconfig --level 2345 apf on

Hide Apache Information
Show only that you are running Apache: no details of any of the modules or version numbers.
Modify /etc/httpd/conf/httpd.conf
Change the ServerSignature line to:
ServerSignature Off
and add/amend:
ServerTokens ProductOnly
Restart Apache: /sbin/service httpd restart
Cpanel users: This may break the “Needs upgrade” display on WHM.

Hide PHP information
Modify php.ini (locations vary) from:
expose_php=On
to:
expose_php=Off
You may need to restart Apache.

Install ChkRootKit
Download ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
Unpack it: tar xvzf chkrootkit.tar.gz
Compile it: cd chkrootkit* then make sense
Remove the install file: rm ../chkrootkit.tar.gz
Find out the “full path”: pwd
Add a cron job to run it daily by creating a file called “chkrootkit” in /etc/cron.daily containing:
#!/bin/bash
/"full path"/./chkrootkit -q | mail -s "[servername] chkrootkit Output" youremailaddress@example.com

Make it executable: chmod 755 /etc/cron.daily/chkrootkit

Install System Integrity Monitor
See http://www.r-fx.net/sim.php for full information.


6 comments

  1. Neil T. says:

    One for the bookmarks :). Thanks Richy.

  2. Richy C. says:

    The latest version of APF Firewall can be found at http://www.rfxnetworks.net/downloads/apf-current.rpm .

    Logwatch ( http://www.logwatch.org/ ) is also worth installing.

  3. Mike says:

    Careful when removing rpm -e aspell #spell checker

    This is used by Horde for spell checking if you wish to enable it.

  5. rackaid says:

    Great info on the compiler details… We also suggest a host based IDS like Tripwire, AIDE or similar products.

  6. varghese says:

    While configuring firewall for Cpanel servers, you need to leave port 2089 open for cpanel license to work correctly. Cpanel uses 2089 to communicate with the license server.
