Silent Bob
11-10-2005, 12:34 PM
Server LockDown Checklist
In today’s world, computer and network security is vitally important. This article will cover many of the steps you can take towards securing your server against intrusion. While nothing short of unplugging it will guarantee 100% security, these tips will improve your defenses. Most of these tips are quoted from other sources and are part of the checklist I use when securing a new server. They should work with minimal modification on most systems. Those running control panel software may wish to also check their support forums for additional lock-down information or consult with a server management company.
0: Update to current versions
1: Restrict SSH access & Prevent direct Root logins
1a: Securing ROOT on CPANEL Servers
1b: Adding a Privileged User from SSH
2: Disable Telnet
3. Server e-mail every time someone logs in as root
4. Set an SSH Legal Message
5. Disable identification output for Apache
6. Install chkrootkit
7. Modify LogWatch
8. Secure Common Tools
9. Install RKHUNTER
10. Secure TMP Directory
0: Update to current versions
One of the key ways to ensure a safer server is to be certain you are running current, patched versions of your OS and of every installed package; most intrusions on hosting servers start from a known, already-fixed bug.
Yum and Up2Date are two of the distribution-specific tools available to you that will help keep you current. Follow the vendor's suggestions for configuring them to check for updates automatically and regularly. Some additional information is found at the sources listed at the end of this document.
------
1: Restrict SSH access & Prevent direct Root logins
One way to improve security is to prevent root from logging in directly. To reach root, one must first log in as another user and then use the "su -" command to switch to root. An attacker then needs two passwords instead of one, brute-force attempts against the root account over SSH fail outright, and the logs show which user became root.
To restrict and secure SSH access, bind sshd to a single IP that is different from the main IP of the server, and on a port other than 22.
SSH into server and login as root.
Note: If you are on Windows, you can download PuTTY from http://www.chiark.greenend.org.uk/%7Esgtatham/putty/download.html. It is a single executable that needs no installation.
At command prompt type: vi /etc/ssh/sshd_config
Scroll down to the section of the file that looks like this:
Code:
#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
Uncomment and change
#Port 22
to look like
Port 26845
(choose your own unused port; valid port numbers run up to 65535, and 49151 is the top of the registered range. Moving off port 22 only cuts down automated scanning noise; it is not a substitute for the settings below, and the new port must be allowed through your firewall before you restart sshd or you will lock yourself out.)
Uncomment and change
#Protocol 2,1
to look like
Protocol 2
(SSH protocol 1 has known cryptographic weaknesses and should not be offered at all.)
Uncomment and change
#ListenAddress 0.0.0.0
to look like
ListenAddress 123.123.123.15
(use one of the IP addresses assigned to your server; once this is set, sshd no longer answers on the main IP)
Note 1: If you would like to disable direct root login, first make sure you have a working non-root account in the wheel group (sections 1a/1b) and have tested that you can "su -" from it; otherwise this change locks you out of root. Then scroll down until you find
#PermitRootLogin yes
and uncomment it and make it look like
PermitRootLogin no
Save by pressing ESC then :wq ENTER on your keyboard.
Note 2: You can also give the SSH IP address its own DNS hostname, e.g. ssh.xyz.com, by adding an A record for it to your zone file. This is a convenience for you, not a security control.
Now check the configuration and restart SSH
At command prompt type: sshd -t
(no output means the file parsed cleanly; fix anything it reports before restarting)
At command prompt type: /etc/rc.d/init.d/sshd restart
Try opening a new SSH connection to the new IP and port and logging in. Don’t disconnect the first connection until you are certain you can get back in.
=====
1a: Securing ROOT on CPANEL Servers
Since I am most familiar with CPANEL based systems, here is the procedure to secure Root.
Login to WHM. Under the “Security” tab, look for “Manage Wheel Group Users” (the /scripts/modwheel page of WHM, served on port 2087) and click it.
Scroll down the list to find the account you wish to allow access to and select it.
Click “Add To Group”
=====
1b: Adding a Privileged User from SSH
Those without access to a control panel that allows easy modification can follow these steps.
Add a new user to the system and include it in the wheel group.
To do so, type the following command in shell:
"useradd -G wheel <username>"
Note: If you already have an active user whom you want to add to the wheel group, type the following command in shell:
"usermod -a -G wheel <username>"
(-a appends to the user's existing supplementary groups; "usermod -G wheel <username>" on its own replaces them all with wheel. If your usermod is too old to know -a, list every group the user should keep, e.g. "usermod -G wheel,users <username>".)
Make sure you know the password of the user you have just added to the wheel group. If you do not, set one in shell with:
"passwd <username>"
Our last step is to allow only members of the wheel group to run 'su' and switch to the superuser. Edit /etc/pam.d/su and remove the '#' before
'auth required /lib/security/pam_wheel.so use_uid'
With that line active, su is refused outright for every account outside wheel, so an attacker who gets a shell as an ordinary user or as the web server cannot even try root's password.
The PAM change takes effect for the next su; the sshd_config changes from section 1 need an sshd restart. Verify everything above (log in as the new user and "su -" in a second session) before you type:
"/etc/init.d/sshd restart"
=====
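As an added example (not from the original post), here is a pre-flight script that ties sections 1 and 1b together: before you set PermitRootLogin no and restart sshd, it confirms that a non-root user is in wheel, that pam_wheel is enforced in /etc/pam.d/su and that sshd is configured for protocol 2 only, and it shows how to edit sshd_config directives so that exactly one active line remains. File paths are parameters, and the demo runs against constructed copies of the three files, so nothing touches the live system unless you pass the real paths. The port, IP and user name in the demo are placeholders taken from the post, not values to copy.

```shell
#!/bin/sh
# Added example, not from the original post. Pre-flight for "PermitRootLogin no":
# confirms the conditions that keep you from locking yourself out of root, and
# edits sshd_config directives idempotently. All file paths are parameters so the
# functions can be exercised on constructed copies (see demo below); on a real
# server pass /etc/ssh/sshd_config, /etc/group and /etc/pam.d/su.

# Value sshd will use for KEY: the first uncommented occurrence wins.
sshd_opt() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Replace every line for KEY (active or commented out) with "KEY VALUE", or append
# it if absent, so the file ends up with exactly one unambiguous line for KEY.
# Keeps a .bak copy and writes through the original inode to preserve its mode.
set_sshd_opt() {
    file=$1 key=$2 value=$3
    cp -p "$file" "$file.bak"
    awk -v key="$key" -v val="$value" '
        { l = $0; sub(/^[# \t]*/, "", l); split(l, f, /[ \t]+/)
          if (tolower(f[1]) == tolower(key)) { if (!done) { print key " " val; done = 1 }; next }
          print }
        END { if (!done) print key " " val }' "$file" > "$file.tmp"
    cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# Users explicitly listed on the wheel line of a group(5) file.
wheel_members() {
    awk -F: '$1 == "wheel" { n = split($4, u, ","); for (i = 1; i <= n; i++) if (u[i] != "") print u[i] }' "$1"
}

# Add USER to wheel in a group(5) file (the edit "usermod -a -G wheel USER" makes).
add_wheel_member() {
    file=$1 user=$2
    awk -F: -v OFS=: -v u="$user" \
        '$1 == "wheel" && index("," $4 ",", "," u ",") == 0 { $4 = ($4 == "" ? u : $4 "," u) } { print }' \
        "$file" > "$file.tmp"
    cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# True when pam.d/su has an active "auth required ... pam_wheel.so" line.
pam_wheel_active() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+(/lib/security/)?pam_wheel\.so' "$1"
}

# Uncomment the "auth required .../pam_wheel.so use_uid" line in a copy of pam.d/su.
enable_pam_wheel() {
    sed 's|^#[[:space:]]*\(auth[[:space:]][[:space:]]*required[[:space:]][[:space:]]*.*pam_wheel\.so[[:space:]][[:space:]]*use_uid\)|\1|' "$1" > "$1.tmp"
    cat "$1.tmp" > "$1" && rm -f "$1.tmp"
}

# Exit 0 only when disabling direct root login is safe: a non-root wheel member
# exists, pam_wheel is enforced, and sshd offers protocol 2 only.
preflight_root_lockdown() {
    sshd=$1 group=$2 pamsu=$3 rc=0
    [ -n "$(wheel_members "$group" | grep -v '^root$')" ] || { echo "FAIL: no non-root user in wheel (section 1b)"; rc=1; }
    pam_wheel_active "$pamsu" || { echo "FAIL: pam_wheel not enforced in pam.d/su (section 1b)"; rc=1; }
    [ "$(sshd_opt "$sshd" Protocol)" = "2" ] || { echo "FAIL: Protocol is not 2"; rc=1; }
    case "$(sshd_opt "$sshd" ListenAddress)" in ""|0.0.0.0|::) echo "WARN: sshd still listens on every address" ;; esac
    [ "$(sshd_opt "$sshd" PermitRootLogin)" = "no" ] && echo "OK: PermitRootLogin no"
    return $rc
}

demo() {
    d=$(mktemp -d)
    # Constructed stand-ins for the three files in their stock state.
    printf '#Port 22\n#Protocol 2,1\n#ListenAddress 0.0.0.0\n#ListenAddress ::\n#PermitRootLogin yes\nX11Forwarding yes\n' > "$d/sshd_config"
    printf 'root:x:0:\nwheel:x:10:\nusers:x:100:\n' > "$d/group"
    printf '#%%PAM-1.0\nauth sufficient /lib/security/pam_rootok.so\n#auth required /lib/security/pam_wheel.so use_uid\nauth required /lib/security/pam_stack.so service=system-auth\n' > "$d/su"
    echo "== before hardening"
    if preflight_root_lockdown "$d/sshd_config" "$d/group" "$d/su"; then echo "unexpected: passed"; fi
    add_wheel_member "$d/group" admin            # section 1b
    enable_pam_wheel "$d/su"                     # section 1b
    set_sshd_opt "$d/sshd_config" Port 26845     # section 1 (placeholder values from the post)
    set_sshd_opt "$d/sshd_config" Protocol 2
    set_sshd_opt "$d/sshd_config" ListenAddress 123.123.123.15
    set_sshd_opt "$d/sshd_config" PermitRootLogin no
    echo "== after hardening"
    preflight_root_lockdown "$d/sshd_config" "$d/group" "$d/su" && echo "safe to run 'sshd -t' and restart sshd"
    rm -rf "$d"
}
demo
```

Run it as-is for the demo; on the server, call preflight_root_lockdown with /etc/ssh/sshd_config, /etc/group and /etc/pam.d/su, and only restart sshd when it exits 0 and "sshd -t" is silent. set_sshd_opt removes commented-out copies of the keyword as well, so that nobody later uncomments a stale "#PermitRootLogin yes" by mistake.
=====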
2. Disable Telnet
To disable telnet, SSH into server and login as root.
At command prompt type: vi /etc/xinetd.d/telnet
change disable = no to disable = yes
Save and exit
At command prompt type: /etc/init.d/xinetd restart
(On Red Hat-style systems "chkconfig telnet off" makes the same change. Better still, uninstall the telnet-server package so it cannot be switched back on. Telnet sends passwords in clear text, which is why it has to go once SSH is working.)
Confirm nothing is still listening: netstat -tln | grep ':23 '
=====
3. Server e-mail every time someone logs in as root
To have the server e-mail you every time someone gets a root shell, SSH into server and login as root.
At command prompt type: vi /root/.bash_profile
Scroll down to the end of the file and add the following line (all on one line; replace the address):
echo 'ALERT - Root Shell Access on:' "$(date)" "$(who -m)" | mail -s "Alert: Root Access from $(who -m | awk '{print $NF}')" your@email.com
"who -m" reports only the session attached to your terminal, so after "su -" it shows the original login (user, tty, time and, for remote logins, the source address in parentheses), which is what you want to know. The plain "who" in the widely copied version of this line lists every logged-in session, and its sixth column is not always the source address.
Save and exit.
Note: this fires only for interactive login shells (which "su -" and direct logins are) and lives in a file root can edit, so treat it as a tripwire, not a control.
=====
4. Set an SSH Legal Message
To set an SSH legal message, SSH into server and login as root.
At command prompt type: vi /etc/motd
Enter your message, save and exit.
Note: I use the following message...
Code:
ALERT! You are entering a secured area! Your IP and login information
have been recorded. System administration has been notified.
This system is restricted to authorized access only. All activities on
this system are recorded and logged. Unauthorized access will be fully
investigated and reported to the appropriate law enforcement agencies.
Now every user who logs in (root or not) will see this message after authenticating... go ahead and try it. If you want the notice shown before the password prompt, put it in /etc/issue.net and add "Banner /etc/issue.net" to /etc/ssh/sshd_config.
=====
5. Disable identification output for Apache
To disable Apache's version output, SSH into server and login as root.
At command prompt type: vi /etc/httpd/conf/httpd.conf
Scroll (way) down and change the following lines to
ServerSignature Off
ServerTokens Prod
ServerSignature Off removes the version footer from Apache-generated error pages; ServerTokens Prod cuts the Server response header down to "Apache" so module and OS versions are not advertised either. This hides information, it does not remove vulnerabilities, so it is no replacement for section 0.
Restart Apache
At command prompt type: /etc/rc.d/init.d/httpd restart
=====
6. Install chkrootkit
To install chkrootkit, SSH into server and login as root.
At command prompt type: cd /root/
At command prompt type: wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit-0.46.tar.gz
Compare the file's MD5 checksum (md5sum chkrootkit-0.46.tar.gz) with the one published on the chkrootkit site before unpacking; you are about to run this as root.
At command prompt type: tar xvzf chkrootkit-0.46.tar.gz
At command prompt type: cd chkrootkit-0.46
At command prompt type: make sense
To run chkrootkit
At command prompt type: /root/chkrootkit-0.46/chkrootkit
Run it once right after installing, while the server is known clean, so you learn what a normal report looks like; then run it on a regular basis, for example from a cron job. Like any checker that runs on the host it inspects, it can be blinded by a rootkit that is already installed: this is detection, not prevention.
7. Modify LogWatch
Logwatch is a customizable log analysis system. It parses through your system's logs for a given period of time and creates a report analyzing areas that you specify, in as much detail as you require. Logwatch is already installed on most CPanel servers.
To modify LogWatch, SSH into server and login as root.
At command prompt type: pico -w /etc/log.d/conf/logwatch.conf
Scroll down to
MailTo = root
and change to
MailTo = your@email.com
Note: Set the e-mail address to an offsite account so the reports survive, and cannot be quietly edited, if the server is compromised.
Now scroll down to
Detail = Low
Change that to Medium or High (Logwatch also accepts the numbers 5 and 10 for these):
Detail = Med or Detail = High
Note: High gives the most detailed report, listing all logged actions.
Save and exit.
=====
8. Secure Common Tools
Many PHP exploit scripts use common *nix tools to download rootkits or backdoors. By chmod'ing these binaries to 750, only root and members of each binary's group (root, or wheel if you chgrp them to it) can run them, which breaks that step of many automated attacks. The downside is that shell users lose these commands. Mod_security covers much of the same ground at the request level, so this is a second layer rather than a requirement. Know its limits: curl, perl, python and PHP itself can all fetch files too, and a package update may reset the permissions, so re-check them after updating.
#chmod 750 /usr/bin/rcp
#chmod 750 /usr/bin/wget
#chmod 750 /usr/bin/lynx
#chmod 750 /usr/bin/links
#chmod 750 /usr/bin/scp
--------------------------
9. Install RKHUNTER
Now we will install rkhunter so we will at least know if the server has been cracked.
Download and unzip rkhunter
#cd /usr/local/src/
#wget http://downloads.rootkit.nl/rkhunter-1.1.4.tar.gz
#tar -zxf rkhunter-1.1.4.tar.gz
#cd rkhunter
Install it
#./install.sh
Now create a cron job so it will mail its findings to the root mailbox (cron mails a job's output to the crontab owner by default; point root's mail offsite as in section 7):
#crontab -e
At the bottom add the following line
16 0 * * * /usr/local/bin/rkhunter -c --nocolors --cronjob --report-mode --createlogfile --skip-keypress --quiet
Save and exit your editor (control-x in pico; ESC then :wq in vi)
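On a healthy server both scanners tend to print the same handful of warnings every night (false positives from legitimate services), and a report you stop reading is a report you will miss. As an added example, not from the original post or from either project, the following wrapper keeps the previous report and mails only when the output changes, serving the cron advice in sections 6 and 9 alike. STATE_DIR, the report names, the mail address and the install path are assumptions, and the demo uses a constructed fake scanner whose output lines are made up for illustration.

```shell
#!/bin/sh
# Added example, not part of the original post or of chkrootkit/rkhunter. Cron
# wrapper for either scanner (sections 6 and 9): keeps the previous report and
# mails only when the output changes, so known false positives are read once and a
# new finding stands out. STATE_DIR, the report names, the address and the install
# path are assumptions; the demo uses a constructed fake scanner, not real output.

STATE_DIR=${STATE_DIR:-/var/lib/scan-delta}

# run_and_diff NAME CMD...: run CMD, keep its output as $STATE_DIR/NAME.last and print
# what changed since the previous run. Exit 0 = unchanged, 1 = changed or first run.
run_and_diff() {
    name=$1; shift
    mkdir -p "$STATE_DIR"
    new=$STATE_DIR/$name.new prev=$STATE_DIR/$name.last
    "$@" > "$new" 2>&1 || true          # scanners exit non-zero on findings; keep the output anyway
    if [ -f "$prev" ] && cmp -s "$prev" "$new"; then
        rm -f "$new"
        return 0
    fi
    if [ -f "$prev" ]; then
        diff "$prev" "$new" || true     # diff exits 1 when files differ, which is the case we want
    else
        echo "first run, full report follows:"; cat "$new"
    fi
    mv "$new" "$prev"
    return 1
}

# send_mail SUBJECT ADDRESS reads the body on stdin. Redefined in the demo and tests.
send_mail() { mail -s "$1" "$2"; }

# mail_if_changed ADDRESS NAME CMD...: what the cron job calls.
mail_if_changed() {
    addr=$1 name=$2; shift 2
    if report=$(run_and_diff "$name" "$@"); then return 0; fi
    printf '%s\n' "$report" | send_mail "$name scan on $(uname -n) changed" "$addr"
}

# To deploy (assumed path), save this file as /usr/local/sbin/scan-delta.sh, replace
# the demo call at the bottom with the two mail_if_changed lines below, and add to
# root's crontab:   16 0 * * * /usr/local/sbin/scan-delta.sh
# mail_if_changed you@example.com rkhunter /usr/local/bin/rkhunter -c --nocolors --cronjob --report-mode --createlogfile --skip-keypress --quiet
# mail_if_changed you@example.com chkrootkit /root/chkrootkit-0.46/chkrootkit -q

demo() {
    STATE_DIR=$(mktemp -d)
    fake_scan() { cat "$STATE_DIR/fake.out"; }              # constructed stand-in for a scanner
    send_mail() { echo "--- would mail \"$1\" to $2:"; cat; }
    # Constructed sample lines in chkrootkit's style; not output from a real scan.
    printf 'Checking `bindshell`... not infected\nChecking `lkm`... not tested\n' > "$STATE_DIR/fake.out"
    mail_if_changed root@localhost demo fake_scan            # first run: full report
    mail_if_changed root@localhost demo fake_scan            # unchanged: nothing sent
    printf 'Checking `bindshell`... INFECTED (PORTS: 1524)\nChecking `lkm`... not tested\n' > "$STATE_DIR/fake.out"
    mail_if_changed root@localhost demo fake_scan            # changed: only the diff is sent
    rm -rf "$STATE_DIR"
}
demo
```

The first run mails the whole report so you can review the baseline; afterwards you only hear about deltas. Keep STATE_DIR somewhere root-only, because an attacker who can rewrite NAME.last can suppress the next alert.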
=====
10. Secure TMP directory
The /tmp partition is one of the common places for script kiddies and crackers alike to drop trojans or scripts, because it is world-writable. You should therefore have /tmp on its own filesystem, mounted noexec (and nosuid). First we need to check what /tmp looks like now.
#df -h | grep tmp
If that displays nothing, /tmp is part of the root filesystem; go below to create a tmp partition. If you do have a tmp partition, check how it is actually mounted (fstab only says what should happen at boot):
#mount | grep tmp
If the line for /tmp includes noexec then it is already mounted as non-executable. You will also want to check whether /var/tmp is linked to /tmp.
#ls -alh /var/ | grep tmp
If it shows something to the effect of "tmp -> /tmp/" then you are okay. If not, go ahead and remove the old /var/tmp and replace it with a symlink to /tmp.
#rm -rf /var/tmp/
#ln -s /tmp/ /var/
Keep in mind what noexec does and does not do: it stops a dropped binary from being run directly, but "sh /tmp/script.sh" or "perl /tmp/x.pl" still works, so it raises the bar for automated attacks rather than closing the door.
If you do not have any /tmp partition you will need to follow the directions below to create and mount one.
Create a roughly 200 MB file to hold the filesystem (200000 blocks of 1 KB). If your /dev is a RAM-backed filesystem (udev/tmpfs), a file there will not survive a reboot; in that case keep the image under a persistent directory and use that path here and in the fstab line below.
#cd /dev/; dd if=/dev/zero of=tmpMnt bs=1024 count=200000
Format the partion
#mke2fs /dev/tmpMnt
Make a backup of the old data
#cp -Rp /tmp /tmp_backup
Mount the temp filesystem
#mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp
Set the permissions (1777: world-writable with the sticky bit, so users can only delete or rename their own files; a plain 0777 drops the sticky bit and lets any user wipe another user's temp files)
#chmod 1777 /tmp
Copy the old files back
#cp -Rp /tmp_backup/* /tmp/
Once you have done that, restart MySQL (its socket and temporary files live in /tmp by default) and make sure it works. If it does, add this line to the bottom of /etc/fstab to have it mounted automatically at boot:
/dev/tmpMnt /tmp ext2 loop,noexec,nosuid,rw 0 0
Next delete the old /var/tmp and create a link to /tmp
#rm -rf /var/tmp/
#ln -s /tmp/ /var/
If everything still works fine you can go ahead and delete the /tmp_backup directory.
#rm -rf /tmp_backup
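The checks above grep /etc/fstab, which describes what should be mounted at boot rather than what is mounted now, and a "chmod 0777" on /tmp would strip the sticky bit. As an added example, not from the original post, the following functions read a /proc/mounts-style listing (the same parser works on /etc/fstab, whose first four fields are laid out the same way), check a directory for noexec and nosuid, test for the sticky bit, and probe whether direct execution is actually refused. The mounts listing in the demo is constructed; on a real server pass /proc/mounts.

```shell
#!/bin/sh
# Added example, not from the original post. Checks what is actually mounted on the
# world-writable scratch directories, whether the sticky bit is set, and whether the
# kernel really refuses to execute from them. mount_opts reads any file in
# /proc/mounts layout; /etc/fstab shares the first four fields, so it can be
# checked the same way. The demo uses a constructed listing; pass /proc/mounts for real.

# Print the mount options of MOUNTPOINT from a mounts/fstab-style file (empty if absent).
mount_opts() {
    awk -v mp="$2" '$2 == mp { opts = $4 } END { print opts }' "$1"
}

# Exit 0 if the comma-separated OPTS list contains OPT exactly (no substring
# matches: "exec" must not match inside "noexec").
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# Exit 0 only if DIR is a separate filesystem mounted noexec and nosuid. Pass the
# real directory: after step 10 /var/tmp is a symlink to /tmp, so check /tmp.
check_scratch_mount() {
    mounts=$1 dir=$2 rc=0
    opts=$(mount_opts "$mounts" "$dir")
    if [ -z "$opts" ]; then
        echo "FAIL: $dir is not its own filesystem (files there run with the parent's options)"
        return 1
    fi
    for want in noexec nosuid; do
        has_opt "$opts" "$want" || { echo "FAIL: $dir mounted without $want ($opts)"; rc=1; }
    done
    [ $rc -eq 0 ] && echo "OK: $dir mounted with $opts"
    return $rc
}

# Exit 0 if DIR carries the sticky bit (mode 1777), which stops users from deleting
# or renaming each other's files. "chmod 0777 /tmp" clears it; use "chmod 1777 /tmp".
has_sticky_bit() {
    case "$(ls -ld "$1" | cut -c10)" in t|T) return 0 ;; esac
    return 1
}

# Exit 0 if a script dropped in DIR can be executed directly, 1 if the kernel refuses
# (noexec in effect). The interpreter route "sh DIR/x.sh" works either way: noexec
# blocks the exec() of the file itself, nothing more.
probe_exec() {
    f=$1/.noexec_probe.$$
    { printf '#!/bin/sh\nexit 0\n' > "$f" && chmod 755 "$f"; } 2>/dev/null
    if "$f" 2>/dev/null; then rc=0; else rc=1; fi
    rm -f "$f"
    return $rc
}

demo() {
    m=$(mktemp)
    # Constructed /proc/mounts listing: /tmp done per step 10, /dev/shm (another
    # world-writable directory) left at a permissive default.
    printf '/dev/sda1 / ext3 rw 0 0\n/dev/loop0 /tmp ext2 rw,noexec,nosuid 0 0\ntmpfs /dev/shm tmpfs rw 0 0\n' > "$m"
    for d in /tmp /dev/shm; do check_scratch_mount "$m" "$d" || true; done
    rm -f "$m"
    # Live checks against this host's real /tmp.
    if probe_exec /tmp; then echo "INFO: direct execution from /tmp is allowed here"; else echo "INFO: direct execution from /tmp is refused here"; fi
    if has_sticky_bit /tmp; then echo "OK: /tmp has the sticky bit"; else echo "FAIL: /tmp lacks the sticky bit; run: chmod 1777 /tmp"; fi
}
demo
```

Run the mount check against /proc/mounts after the reboot as well as before it: a loop mount that works by hand but is missing or wrong in fstab quietly leaves /tmp executable again the next time the server comes up.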
====
Additional Tools and Recommendations:
12. Install a FireWall
A firewall should be the first thing installed. I recommend Advanced Policy Firewall (APF) by rfxnetworks. APF blocks every inbound and outbound port you have not explicitly opened, so add the custom SSH port from section 1 to its allowed inbound ports before you enable it. It can also be configured to pull in third-party block lists.
http://rfxnetworks.net/apf.php
Detailed instructions for installation can be found at the sources listed at the bottom of this document.
=====
13. Install an Attack Detector
Along with installing APF I would suggest installing Brute Force Detection (BFD), also by rfxnetworks. BFD monitors your SSH and FTP logs and automatically bans addresses that try to brute-force a password. If you install BFD make sure you can reach the server from a second IP address in case it blocks you for some reason! You can add your own IP to the allow list via "apf -a IP" if you have a static IP.
http://rfxnetworks.net/bfd.php
Detailed instructions for installation can be found at the sources listed at the bottom of this document.
=====
14: Install a socket monitor
Yet another very handy tool by rfxnetworks is socket monitor (PMON). This tool will alert you whenever a new port is opened on the server. This is very helpful in detecting users running odd processes or attempting to run backdoors. When any program it does not recognize starts listening, it will e-mail you the details.
http://rfxnetworks.net/pmon.php
=====
15: Install an Integrity Monitor
Another tool I would suggest, but that is not really part of securing your server, is system integrity monitor (SIM) which is also by rfxnetworks. SIM will automatically detect when a service is down and restarts it.
http://rfxnetworks.net/sim.php
=====
My thanks to the following for the information contained here:
http://forums.cpanel.net/showthread.php?t=30159&highlight=bfd
http://forums.cpanel.net/showthread.php?t=28742&highlight=tmp+noexec
Standard Disclaimer Here:
These tips have worked for me. Your mileage and success may vary. I take no responsibility if you try these and hose your system. If you aren’t comfortable in digging into the guts of your system, you may wish to hire a server management team. Rates range from $25+ a month, but can be an excellent investment.