Server Hardening

  • Keep patching up to date (# apt-get update; # apt-get upgrade; # apt-get dist-upgrade)
  • Minimize software to minimize vulnerability (remove any packages the server does not need)
  • Disable root login in “/etc/ssh/sshd_config” [PermitRootLogin no]
  • Disable IPv6 in “/etc/sysctl.conf” if the host does not use it, then apply with # sysctl -p (the keys live under net.ipv6, not ipv6):
    • net.ipv6.conf.all.disable_ipv6 = 1
    • net.ipv6.conf.default.disable_ipv6 = 1
    • net.ipv6.conf.lo.disable_ipv6 = 1
  • Disable Ctrl+Alt+Delete in “/etc/init/control-alt-delete.conf” by commenting out the [exec shutdown] line (Upstart); on systemd hosts use # systemctl mask ctrl-alt-del.target instead.
  • Disable X11 forwarding in “/etc/ssh/sshd_config” [X11Forwarding no]
  • Restrict SSH access with AllowGroups: create a group called “sshlogin”, set it as the value of the AllowGroups directive in /etc/ssh/sshd_config, and add only the users who need SSH to that group.
  • Grant sudo rights to a particular group, e.g. [%sudo ALL=(ALL:ALL) ALL] in the “/etc/sudoers” file (edit it with visudo so a syntax error cannot lock you out), and add the required users to that group.
  • Configure the timezone with [# dpkg-reconfigure tzdata]
  • Shared memory can be used in an attack against a running service, apache2 or httpd for example. Add the following line to “/etc/fstab” for Ubuntu 12.10 or later and activate it with # mount -o remount /run/shm (nodev is commonly added to the option list as well):
    • # secure shared memory
    • tmpfs /run/shm    tmpfs           defaults,noexec,nosuid                0              0
  • Scan for open ports {# nmap -v -sT localhost, # netstat -tulpn (or # ss -tulpn on newer systems)}
  • Version 1 of the SSH protocol contains security vulnerabilities. Make sure you only use protocol 2 in “/etc/ssh/sshd_config” [Protocol 2]. OpenSSH 7.4 and later no longer support protocol 1 on the server side, so the directive is obsolete there.

==== Useful tips for securing Linux :-

Disable direct root logins over SSH in /etc/ssh/sshd_config (administrators log in as themselves and use sudo):

PermitRootLogin no

Since SSH protocol version 1 is not secure, limit the protocol to version 2 only (OpenSSH 7.4 and later dropped server-side protocol 1 support, so on those versions the directive is obsolete):

Protocol 2

You may also want to prevent SSH from setting up TCP port forwarding and X11 forwarding if you don’t need them; both let any client with a valid login reach services that are otherwise not exposed:

AllowTcpForwarding no

X11Forwarding no

Ensure that all host-based authentication methods are disabled. They trust the client host (via rhosts-style files) rather than the user and should not be used as primary authentication.

IgnoreRhosts yes

HostbasedAuthentication no

RhostsRSAAuthentication no

(RhostsRSAAuthentication applies to protocol 1 only and is not recognised by OpenSSH 7.4 and later; sshd will reject the configuration if it is present there.)

To disable ICMP redirect acceptance (a host on the local network could otherwise use redirects to alter this machine's routing table), edit the /etc/sysctl.conf file and add the following line, then apply it with # sysctl -p. Set the same key under net.ipv4.conf.default as well so that interfaces created later inherit it:

net.ipv4.conf.all.accept_redirects = 0

IP spoofing is a technique where an intruder sends out packets which claim to be from another host by manipulating the source address.

To enable IP spoofing protection, turn on source address verification (reverse path filtering). Edit the /etc/sysctl.conf file and add the following line. The value 1 is strict mode; on hosts with asymmetric routing use 2 (loose mode), otherwise legitimate replies arriving on a different interface are dropped:

net.ipv4.conf.all.rp_filter = 1
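Checking that the sshd_config directives above (PermitRootLogin, Protocol, X11Forwarding, AllowTcpForwarding, IgnoreRhosts, HostbasedAuthentication, AllowGroups) and the sysctl keys are actually in effect is easy to get wrong, because the two files resolve duplicate keys differently: sshd takes the first occurrence of a keyword, sysctl the last assignment. The script below is an added example and not part of the original page; it builds two constructed sample files and audits them with a small awk parser. It does not understand sshd Match blocks, so on a live host compare its output against # sshd -T, which prints the effective configuration.

```sh
#!/bin/sh
# Added example (not from the page): audit an sshd_config and a sysctl
# file against the directives recommended above. The sample files are
# constructed here so the script runs offline; point it at
# /etc/ssh/sshd_config and /etc/sysctl.conf on a real host.

# effective_value FILE KEY MODE
#   MODE=first : sshd_config semantics, first occurrence of a keyword wins,
#                keywords are case-insensitive
#   MODE=last  : sysctl.conf semantics, the last assignment wins
# Prints the value, or nothing if the key is not set.
effective_value() {
    awk -v key="$2" -v mode="$3" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blank lines
        {
            sub(/^[[:space:]]+/, "")
            # split "key value" (sshd) or "key = value" (sysctl)
            n = split($0, f, /[[:space:]]*=[[:space:]]*|[[:space:]]+/)
            if (n < 2 || tolower(f[1]) != tolower(key)) next
            if (mode == "first") { print f[2]; exit }
            last = f[2]; found = 1
        }
        END { if (mode != "first" && found) print last }
    ' "$1"
}

# audit FILE MODE KEY=EXPECTED ...
# Prints one OK/FAIL line per key; returns 1 if any key failed.
audit() {
    file=$1; mode=$2; shift 2
    rc=0
    for pair in "$@"; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(effective_value "$file" "$key" "$mode")
        if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$want" | tr 'A-Z' 'a-z')" ]; then
            printf 'OK   %-36s %s\n' "$key" "$got"
        else
            printf 'FAIL %-36s got "%s", want "%s"\n' "$key" "${got:-<unset>}" "$want"
            rc=1
        fi
    done
    return $rc
}

# Constructed samples (not real host files) showing both duplicate-key rules.
tmp=$(mktemp -d)
cat > "$tmp/sshd_config" <<'EOF'
# constructed sample sshd_config
Port 22
PermitRootLogin yes
Protocol 2
X11Forwarding no
AllowTcpForwarding no
IgnoreRhosts yes
HostbasedAuthentication no
# sshd ignores this second PermitRootLogin: the first one wins
PermitRootLogin no
EOF
cat > "$tmp/sysctl.conf" <<'EOF'
# constructed sample sysctl.conf: the last assignment of a key wins
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv4.conf.all.accept_redirects = 0
EOF

audit "$tmp/sshd_config" first PermitRootLogin=no Protocol=2 X11Forwarding=no \
      AllowTcpForwarding=no IgnoreRhosts=yes HostbasedAuthentication=no \
      AllowGroups=sshlogin || echo "sshd_config: fix the FAIL lines, then reload sshd"
audit "$tmp/sysctl.conf" last net.ipv4.conf.all.accept_redirects=0 \
      net.ipv4.conf.all.rp_filter=1 net.ipv6.conf.all.disable_ipv6=1 \
      net.ipv6.conf.default.disable_ipv6=1 || echo "sysctl.conf: fix the FAIL lines, then run sysctl -p"
rm -rf "$tmp"
```

On the constructed samples the sshd audit fails PermitRootLogin (the first, permissive, occurrence is the one sshd honours) and AllowGroups (unset), and the sysctl audit fails only the missing net.ipv6.conf.default key; everything else reports OK. A non-zero exit from audit makes the script usable as a CI or configuration-management check.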

World-Writable Files

World-writable files are a security risk, since anyone can modify them. Additionally, world-writable directories allow anyone to add or delete files in them (unless the sticky bit is set, as on /tmp, in which case users can only delete their own files).

To locate world-writable files and directories, you can use the following command:

find / -path /proc -prune -o -perm -2 ! -type l -ls

The “! -type l” parameter skips all symbolic links, since symbolic links are always world-writable. This is not a problem as long as the target of the link is not world-writable, and the target itself is still checked (and listed) by the above find command.
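The same find logic as a reusable function, as an added example that is not part of the page: it prunes /proc, /sys and /dev (device nodes such as /dev/null are world-writable by design), skips symbolic links, and also skips sticky directories such as /tmp, which the one-liner above would list on every host. The directory tree it scans is constructed in a temporary directory so the script runs offline; call ww_scan / as root on a real host.

```sh
#!/bin/sh
# Added example (not from the page): find world-writable files and
# directories under a root, with the noise the plain one-liner produces
# filtered out.

# ww_scan ROOT
#   -perm -0002 : "others" have write permission (same test as -perm -2)
#   ! -type l   : skip symbolic links, whose mode is always 0777; a link is
#                 only a problem if its target is, and a world-writable
#                 target is listed on its own
#   sticky directories (mode 1777, e.g. /tmp) are world-writable by design
#   and are excluded with ! ( -type d -perm -1000 )
ww_scan() {
    root=${1%/}          # "/" becomes "", so "$root/proc" is "/proc"
    find "${root:-/}" -path "$root/proc" -prune -o -path "$root/sys" -prune -o \
         -path "$root/dev" -prune -o \
         -perm -0002 ! -type l ! \( -type d -perm -1000 \) -print
}

# Constructed sample tree (not a real host): one bad file, one bad
# directory, one sticky directory, one symlink and one private file.
tmp=$(mktemp -d)
touch "$tmp/world.txt" "$tmp/private.txt"
chmod 666 "$tmp/world.txt"; chmod 644 "$tmp/private.txt"
mkdir "$tmp/dropbox" "$tmp/tmp-like"
chmod 777 "$tmp/dropbox"; chmod 1777 "$tmp/tmp-like"
ln -s "$tmp/world.txt" "$tmp/link-to-world"

echo "world-writable objects under $tmp:"
ww_scan "$tmp"       # lists world.txt and dropbox only
rm -rf "$tmp"
```

Fix what it reports with chmod o-w; for directories that genuinely need to be shared, chmod 1777 (sticky) is the usual answer.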

Single User Mode Password for root

Some admins suggest adding the following line to the /etc/inittab file (SysV init) to ensure that a root password is required for single-user mode logins; systemd-based distributions already run sulogin for rescue and emergency mode:

~~:S:wait:/sbin/sulogin

Password Aging

File                   Parameter       Value   Description
/etc/login.defs        PASS_MAX_DAYS   60      Maximum number of days a password is valid.
/etc/login.defs        PASS_MIN_DAYS   7       Minimum number of days before a user can change the password again after the last change.
/etc/login.defs        PASS_MIN_LEN    n/a     This parameter does not work. It is superseded by the PAM module “pam_cracklib”. See Enforcing Stronger Passwords for more information.
/etc/login.defs        PASS_WARN_AGE   7       Number of days before expiry on which the password change reminder starts.
/etc/default/useradd   INACTIVE        14      Number of days after password expiration that the account is disabled.
/etc/default/useradd   EXPIRE                  Account expiration date in the format YYYY-MM-DD.

These settings only apply to accounts created after they are set; existing accounts keep the ageing fields already recorded in /etc/shadow and have to be updated with chage (for example # chage -M 60 -m 7 -W 7 <user>).
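Because /etc/login.defs does not touch existing accounts, a hardening pass needs to check the ageing fields that are actually recorded in /etc/shadow. The script below is an added example and not part of the original page: it reads shadow(5)-format lines (a constructed sample here; /etc/shadow on a real host) and reports accounts whose password never expires, whose maximum age exceeds the policy, or whose password is already past its maximum age. The policy maximum (60, matching PASS_MAX_DAYS above) and the "today" day count are arguments.

```sh
#!/bin/sh
# Added example (not from the page): report password-ageing problems from
# a shadow(5) file. On a real host run, as root:
#   aging_report /etc/shadow $(( $(date +%s) / 86400 )) 60

# aging_report SHADOW_FILE TODAY_DAYS POLICY_MAX_DAYS
# shadow(5) fields: name:hash:lastchange:min:max:warn:inactive:expire:reserved
# lastchange and TODAY_DAYS are counted in days since 1970-01-01.
aging_report() {
    awk -F: -v today="$2" -v policy="$3" '
        $2 == "" || $2 ~ /^[!*]/ { next }      # locked or passwordless: skip
        {
            user = $1; last = $3 + 0; max = $5
            if (max == "" || max + 0 >= 99999) {
                print user ": password never expires (max=" max ")"; next
            }
            if (max + 0 > policy + 0)
                print user ": max=" max " exceeds policy of " policy " days"
            if (last == 0) { print user ": must change password at next login"; next }
            if (today - last > max + 0)
                print user ": password expired " (today - last - max) " days ago"
        }
    ' "$1"
}

# Constructed sample shadow lines (fake hashes, not from a real system).
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
root:$6$fake$hash:18500:0:99999:7:::
alice:$6$fake$hash:18980:7:60:7:14::
bob:$6$fake$hash:18800:7:60:7:14::
carol:$6$fake$hash:18950:7:180:7:14::
dave:$6$fake$hash:0:7:60:7:14::
svc:!:18000:0:99999:7:::
nobody:*:18000:0:99999:7:::
EOF
aging_report "$tmp" 19000 60
rm -f "$tmp"
```

With "today" set to day 19000 the sample reports root (never expires), bob (expired 140 days ago), carol (max=180 exceeds the 60-day policy) and dave (must change at next login); alice is within policy and the locked svc and nobody accounts are skipped. Each finding maps to a chage invocation on the account concerned.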

Enforcing Stronger Passwords

Edit the /etc/pam.d/system-auth file (Red Hat layout; on Debian and Ubuntu the file is /etc/pam.d/common-password, and the $ISA path component, a Red Hat placeholder, is simply omitted) and add/change the following pam_cracklib arguments:

password requisite /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1

pam_cracklib.so retry=3      Prompt up to 3 times before returning an error

pam_cracklib.so minlen=8     Minimum score of 8; with every credit negative this is simply a minimum length of 8 characters

pam_cracklib.so lcredit=-1   At least 1 lower-case letter is required

pam_cracklib.so ucredit=-1   At least 1 upper-case letter is required

pam_cracklib.so dcredit=-1   At least 1 digit is required

pam_cracklib.so ocredit=-1   At least 1 other (non-alphanumeric) character is required

The sign matters: a negative value is a hard minimum for that character class, while a positive value N means that up to N characters of the class each add one point towards minlen, which makes the effective minimum length shorter, not longer. On current distributions pam_cracklib has been superseded by pam_pwquality, which accepts the same minlen and credit options.
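To see why the sign of the credit values matters, here is the length-plus-credits scoring that the options above describe, as an added example written for this page and not pam_cracklib's own code (the real module also runs dictionary, palindrome and similarity checks and Cracklib's own minimum length). It assumes the simple rule score >= minlen, where score is the password length plus up to N points per character class for a positive credit N, and where a negative credit is a hard minimum for that class.

```sh
#!/bin/sh
# Added example (not from the page): pam_cracklib-style length scoring,
# to show the difference between lcredit=1 and lcredit=-1.

# count_class PASSWORD TR_CLASS : number of characters of that class
count_class() { printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '; }

# cracklib_score PASSWORD LCREDIT UCREDIT DCREDIT OCREDIT
# Prints the score (length plus credits), or "fail" when a negative credit,
# i.e. a hard minimum for that class, is not met.
cracklib_score() {
    pw=$1; shift
    len=$(printf '%s' "$pw" | wc -c | tr -d ' ')
    lower=$(count_class "$pw" '[:lower:]')
    upper=$(count_class "$pw" '[:upper:]')
    digit=$(count_class "$pw" '[:digit:]')
    other=$((len - lower - upper - digit))     # anything not alphanumeric
    score=$len
    for pair in "lower:$lower:$1" "upper:$upper:$2" "digit:$digit:$3" "other:$other:$4"; do
        n=${pair#*:}; n=${n%%:*}                # characters of this class present
        credit=${pair##*:}
        if [ "$credit" -lt 0 ]; then
            [ "$n" -ge $(( -credit )) ] || { echo fail; return 0; }
        else
            score=$(( score + (n < credit ? n : credit) ))   # at most N points
        fi
    done
    echo "$score"
}

# cracklib_check PASSWORD MINLEN LCREDIT UCREDIT DCREDIT OCREDIT -> pass|fail
cracklib_check() {
    pw=$1; minlen=$2; shift 2
    s=$(cracklib_score "$pw" "$@")
    if [ "$s" = fail ] || [ "$s" -lt "$minlen" ]; then echo fail; else echo pass; fi
}

# Constructed candidate passwords. Positive credits let a 7-character
# all-lower-case password reach minlen=8; negative credits reject it.
for pw in abcdefg Passw0rd 'Tr0ub4dor&3'; do
    printf '%-12s credits=1  -> %s (score %s)\n' "$pw" \
        "$(cracklib_check "$pw" 8 1 1 1 1)"     "$(cracklib_score "$pw" 1 1 1 1)"
    printf '%-12s credits=-1 -> %s (score %s)\n' "$pw" \
        "$(cracklib_check "$pw" 8 -1 -1 -1 -1)" "$(cracklib_score "$pw" -1 -1 -1 -1)"
done
```

With credits of 1, "abcdefg" scores 7 + 1 = 8 and passes minlen=8, and "Passw0rd" scores 11; with credits of -1, both fail (no upper-case letter, and no non-alphanumeric character respectively) while "Tr0ub4dor&3" passes with a score equal to its length. That is the behaviour the negative values in the pam_cracklib line above are chosen for.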


Edit the /etc/pam.d/system-auth file (on Debian and Ubuntu the equivalent files are /etc/pam.d/common-password and /etc/pam.d/common-account) and add/change the following pam_unix and pam_tally arguments:

password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=6

account required /lib/security/$ISA/pam_tally.so per_user deny=5 no_magic_root reset

The pam_unix line stores hashes in /etc/shadow and remembers the last 6 passwords so they cannot be reused. Two of its options deserve attention on a hardened host: md5 is the hash this old configuration used and should be sha512 on current systems, and nullok allows logins with an empty password and should be removed. The pam_tally line locks an account after 5 failed login attempts (pam_tally has since been replaced by pam_tally2 and then pam_faillock, which take a similar deny= argument).

To unlock an account after too many login failures, run:

# faillog -u <user> -r

With pam_tally2 the equivalent is # pam_tally2 --user <user> --reset, and with pam_faillock it is # faillock --user <user> --reset.