!!
links: http://www.itsecurity.com/features/ubuntu-secure-install-resource/ | see: http://wiki.centos.org/HowTos/OS_Protection
System Hardening Checklist
1. Disk Partitions and Mounting
1. Separate /home, /tmp, /var/tmp from /root partitions (If only if the server has frequent access from general user except administrator). 2. Change mount options in /etc/fstab to limit user access on appropriate filesystems. · Using noexec instead prevents execution of binaries on a file system (though it will not prevent scripts from running). · Using nosuid will prevent the setuid bit from having effect. · The nodev option prevents use of device files on the filesystem.
2. Physical Security
1. Configure BIOS. · Disable booting from CDs/DVDs, floppies, and external devices. · Set BIOS password to protect the settings. 2. Set a password for the GRUB bootloader. · Generate a password hash using the command / /usr/sbin/grub-md5-crypt. Add the hash to the first line of /boot/grub/menu.lst as follows: password --md5 passwordhash · Remove rescue-mode boot section from /boot/grub/menu.lst
3. Keep Software Up to Date Upgrade through the Ubuntu Repository Network to apply upgrade automatically. Security updates should be applied as soon as possible. Create the file apt.cron, make it executable, place it in /etc/cron.daily or /etc/cron.weekly, and ensure that it reads as follows:
#!/bin/sh /usr/bin/apt-get update
4. Detecting listening network ports & Closing open ports and services Detecting listening network ports For a list of network ports that are open you can use the following commands:
# netstat -tulp or lsof -i -n | egrep 'COMMAND|LISTEN|UDP' or just a port scanner (nmap) 9
Closing open ports and services To get a list of running services you can execute the following command: sysv-rc-conf –list | grep on To disable a running service you can execute the command: sysv-rc-conf service name off and then you should stop this service from running by executing: /etc/init.d/service stop.
5. Disable SUID and SGID Binaries To find SUID and SGID files on the system, use the following command:
# find / \( -perm -4000 -o -perm -2000 \) –print
SUID or SGID bits safely disabled (using chmod -s filename) unless required for other program.
6. Configure and Use TCP Wrapper Configure the TCP Wrapper library to protect network daemons that support its use by adding appropriate rules to /etc/hosts.allow and /etc/hosts.deny.
7. Configure and Use AppArmor AppArmor is installed and loaded by default in Hardy. Some packages will install their own enforcing profiles. Active profiles for LAM Server: · usr.sbin.mysqld · usr.sbin.apache2 All activity will be logged by auditd and saved to /var/log/audit/audit.log
8. Rdate or NTP (To keep your server date up to date) Create the file /etc/cron.d/rdate with the following line: 15 * * * * root /usr/sbin/rdate -s content
for NTP Create the file /etc/cron.d/ntp with the following line: 15 * * * * root /usr/sbin/ntpdate server
9. Configure or Disable SSH - Disable it when not required. - If SSH is required, ensure the SSH configuration includes the following lines:
· PermitRootLogin no · Protocol 2
- If possible, limit SSH access to a subset of users. Create a group called sshusers and only add the users that need remote access. Then, add the following line to /etc/ssh/sshd_config:
· AllowGroups sshusers
Edit /etc/group find sshusers and add allowed users.
10. Disable IPv6 - Disable it when not required. Edit the following line from /etc/modprobe.d/aliases:
· Find the line: alias net-pf-10 ipv6 · Edit this to: alias net-pf-10 off ipv6 · Save the file and reboot
11. Disable Compile ·
Add compiler group: /usr/sbin/groupadd compiler · Move to correct directory: cd /usr/bin · Make most common compilers part of the compiler group
chgrp compiler *cc* chgrp compiler *++* chgrp compiler ld chgrp compiler as
· Set access on mysqlaccess
chgrp root mysqlaccess
· Set permissions
chmod 750 *cc* chmod 750 *++* chmod 750 ld chmod 750 as chmod 755 mysqlaccess
· To add users to the group, modify /etc/group and change compiler:x:123: to compiler:x:123:username1,username2 ('123' will be different on your installation)
12. Root Notification Edit .bashrc under /root to get notified by email when someone logs in as root and add the following: echo 'ALERT - Root Shell Access (Server Name) on:' `date` `who` | mail -s “Alert: Root Access from `who | cut -d”(“ -f2 | cut -d”)“ -f1`” admin@myhost.com
13. Securing History chattr +a .bash_history (append) chattr +I .bash_history Get your users know that their history is being locked and they will have to agree before they use your services.
14. Using Welcome Message Edit /etc/motd and put the following banner to be displayed:
WARNING !!! This computer system including all related equipment, network devices (specifically including Internet access), are provided only for authorized use. Unauthorized use may subject you to criminal prosecution. By accessing this system, you have agreed to the term and condition of use and your actions will be monitored and recorded. □
15. Chmod dangerous file
chmod 700 /bin/ping chmod 700 /usr/bin/who chmod 700 /usr/bin/w chmod 700 /usr/bin/locate chmod 700 /usr/bin/whereis chmod 700 /sbin/ifconfig chmod 700 /bin/nano chmod 700 /usr/bin/vi chmod 700 /usr/bin/which chmod 700 /usr/bin/gcc chmod 700 /usr/bin/make chmod 700 /usr/bin/apt-get chmod 700 /usr/bin/aptitude
16. Specify TTY Devices Root is allowed vi /etc/securetty Leave only two connections:
tty1 tty2
17. Choose a secure password
vi /etc/pam.d/common-password change the detail from this:
password requisite pam_unix.so nullok obscure md5
to
password requisite pam_unix.so nullok obscure md5 min=6
Change min=6 with your company password policy length.
18. Checking for Rootkits Install it from Ubuntu Repository:
# apt-get install chkrootkit
You can run it with the following command: ./chkrootkit Now we are going to add it to contrab to schedule daily automatic scans in the system: vi /etc/cron.daily/chkrootkit.sh and type
#!/bin/bash # Enter the directory where the rootkit is installed cd /root/chkrootkit/ # Enter your email address where you want to receive the report ./chkrootkit | mail -s "Daily chkrootkit from Server Name" admin@myhost.com
Now change the file permissions so we can run it: chmod 755 /etc/cron.daily/chkrootkit.sh To give it a try you can run the chkrootkit.sh file manually from /etc/cron.daily directory and you should receive a report to the email account you provided.
19. Hardening your Kernel (sysctl.conf)
Sysctl.conf is used to harden your kernel. The purpose of hardening this is to avoid DOS and Spoofing attacks to your system. How To: To get a quick overview of the current configuration in the /proc/sys directory type: sysctl –a Now let’s harden our sysctl.conf file
vi /etc/sysctl.conf
and paste the hardened kernel variable (attached).
20. Disable unnecessary PHP variable Edit /etc/php5/apache2/php.ini and /etc/php5/cli/php.ini
Turn off some of this variable:
allow_call_time_pass_reference = Off magic_quotes_gpc = Off register_long_arrays = Off register_argc_argv = Off allow_url_fopen = Off expose_php = Off disable_functions = symlink,shell_exec,proc_close,proc_open,dl,passthru,escapeshellarg,escapeshellcmd,openlog,apache_child_terminate,apache_get_modules,apache_get_version,apache_getenv,apache_note,apache_setenv,virtual, phpinfo
21. Apache Hardening - Edit /etc/apache2/apache.conf
- Turn off some of this variable:
TraceEnable off
- (Disable apache root access)
[directory\]
Order deny,allow Deny from all [/directory]
- Enable Module ( /etc/apache2/mods-enable/ ):
alias, auth_basic, authn_file, authz_default, authz_groupfile, authz_host, authz_user, autoindex, dir, env, mime, mod-security2, negotiation, php5, rewrite, setenvif, ssl, unique_id
Hardened Kernel Variable ( /etc/sysctl.conf )
# Controls the System Request debugging functionality of the kernel kernel.sysrq = 0 # Controls whether core dumps will append the PID to the core filename. # Useful for debugging multi-threaded applications. kernel.core_uses_pid = 1 #Prevent SYN attack net.ipv4.tcp_syncookies = 1 net.ipv4.tcp_max_syn_backlog = 2048 net.ipv4.tcp_synack_retries = 2 # Disables IP source routing net.ipv4.conf.lo.accept_source_route = 0 net.ipv4.conf.eth0.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 # Enable IP spoofing protection, turn on source route verification net.ipv4.conf.eth0.rp_filter = 1 # Disable ICMP Redirect Acceptance net.ipv4.conf.lo.accept_redirects = 0 net.ipv4.conf.eth0.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 # Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets net.ipv4.conf.lo.log_martians = 1 net.ipv4.conf.eth0.log_martians = 1 # Disables IP source routing net.ipv4.conf.lo.accept_source_route = 0 net.ipv4.conf.eth0.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 # Enable IP spoofing protection, turn on source route verification net.ipv4.conf.eth0.rp_filter = 1 # Disable ICMP Redirect Acceptance net.ipv4.conf.lo.accept_redirects = 0 net.ipv4.conf.eth0.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 # Modify system limits for Ensim WEBppliance fs.file-max = 65000 # Decrease the time default value for tcp_fin_timeout connection net.ipv4.tcp_fin_timeout = 15 # Decrease the time default value for tcp_keepalive_time connection net.ipv4.tcp_keepalive_time = 1800 # Turn off the tcp_window_scaling net.ipv4.tcp_window_scaling = 0 # Turn off the tcp_sack ( Need to turn on for traffic to internet) #net.ipv4.tcp_sack = 0 # Turn off the tcp_timestamps net.ipv4.tcp_timestamps = 0 # Enable TCP SYN Cookie Protection net.ipv4.tcp_syncookies = 1 # Set maximum amount of memory allocated to shm to 256MB kernel.shmmax = 268435456 # Increase the maximum total TCP buffer-space allocatable net.ipv4.tcp_mem = 57344 57344 65536 # Increase the maximum TCP write-buffer-space allocatable net.ipv4.tcp_wmem = 32768 65536 524288 # Increase the maximum TCP read-buffer space allocatable net.ipv4.tcp_rmem = 98304 196608 1572864 # Increase the maximum and default receive socket buffer size net.core.rmem_max = 524280 net.core.rmem_default = 524280 # Increase the maximum and default send socket buffer size net.core.wmem_max = 524280 net.core.wmem_default = 524280 # Increase the tcp-time-wait buckets pool size net.ipv4.tcp_max_tw_buckets = 1440000 # Allowed local port range net.ipv4.ip_local_port_range = 16384 65536 # Increase the maximum memory used to reassemble IP fragments net.ipv4.ipfrag_high_thresh = 512000 net.ipv4.ipfrag_low_thresh = 446464 # Increase the maximum amount of option memory buffers net.core.optmem_max = 57344