Misc security tweaks

Posted in: Beginner information

Miscellaneous system tweaks

In this guide I am going to go over some basic system tweaks that will help the security of your server. None of them is a big deal on its own, but every little bit helps secure your server more.

Updated Feb 18 to include enabling syncookies

The first thing we are going to do is to enable tcp_syncookies by simply typing the following command.

—–command—–
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
—–command—–

For an explanation of syncookies please refer to this website: http://cr.yp.to/syncookies.html. Basically they allow the server to distinguish SOME legitimate connections from those that are meant to be malicious. They will help with a few different types of DoS-style attacks.
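The echo above only changes the running kernel; the value is lost on reboot. The following script is an added example (not part of the original guide) that does the runtime change and also records the setting in sysctl.conf, rewriting an existing line rather than appending a duplicate. The conf path is a parameter so the function can be tried on a scratch file; on a real server pass /etc/sysctl.conf.

```shell
#!/bin/sh
# Added example, not from the original guide: enable TCP syncookies now and
# persist the setting via sysctl.conf so it survives a reboot.

SYNCOOKIE_KEY="net.ipv4.tcp_syncookies"
SYNCOOKIE_PROC="/proc/sys/net/ipv4/tcp_syncookies"

# Runtime change, equivalent to the echo in the guide.  Only attempted when
# the proc entry is writable (i.e. when running as root on Linux).
enable_syncookies_now() {
    if [ -w "$SYNCOOKIE_PROC" ]; then
        echo 1 > "$SYNCOOKIE_PROC"
    else
        echo "cannot write $SYNCOOKIE_PROC (not root or not Linux)" >&2
        return 1
    fi
}

# persist_syncookies CONF: make sure CONF contains "net.ipv4.tcp_syncookies = 1"
# exactly once.  An existing line for the key (even one setting it to 0) is
# rewritten in place, so the function is safe to run repeatedly.
persist_syncookies() {
    conf="$1"
    [ -f "$conf" ] || : > "$conf"
    if grep -q "^[[:space:]]*${SYNCOOKIE_KEY}[[:space:]]*=" "$conf"; then
        tmp="${conf}.tmp.$$"
        sed "s/^[[:space:]]*${SYNCOOKIE_KEY}[[:space:]]*=.*/${SYNCOOKIE_KEY} = 1/" \
            "$conf" > "$tmp" && mv "$tmp" "$conf"
    else
        printf '%s = 1\n' "$SYNCOOKIE_KEY" >> "$conf"
    fi
}

# syncookie_lines CONF: number of lines in CONF that set the key to 1.
# 1 is what we want; 0 means missing or disabled; more than 1 means clutter.
syncookie_lines() {
    grep -c "^[[:space:]]*${SYNCOOKIE_KEY}[[:space:]]*=[[:space:]]*1[[:space:]]*$" "$1" || true
}

# Usage on a real server:  sh syncookies.sh --apply
if [ "${1:-}" = "--apply" ]; then
    enable_syncookies_now
    persist_syncookies /etc/sysctl.conf
    echo "syncookie lines in /etc/sysctl.conf: $(syncookie_lines /etc/sysctl.conf)"
fi
```

On a distribution that ships /etc/sysctl.conf, `sysctl -p` reloads the file without a reboot, and `sysctl net.ipv4.tcp_syncookies` shows the live value.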

Next we are going to harden resolv.conf, because if it is improperly configured it can be used for spoofing or a DoS attack. First go ahead and open up the config file:

—–command—–
pico -w /etc/resolv.conf
—–command—–

You should see something like “nameserver xxx.xxx.xxx.xxx” and maybe “search xxx.com”. The important thing is that 127.0.0.1 is NOT listed. At the top you should have your server's internet IP address. This will function basically the same as the 127.0.0.1 entry that many servers were set up with, but it is less prone to attacks. You can also remove the search line as it is not needed. Once you are done, save the config and you are all done.

Next we will look at the /etc/hosts to ensure that it is properly setup and remove additional entries.

—–command—–
pico -w /etc/hosts
—–command—–

You should only have 2 lines listed. One of them should be 127.0.0.1 and to the right of it should be localhost. The second line should have your server's internet IP and to the right of it your server's full hostname + domainname followed by the short hostname (for example hostname.domain.com and hostname). If you have any other entries still there you can go ahead and remove them as they are not needed. Save out and you are done.
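To confirm both files end up in the state described above, here is an added audit script (not part of the original guide). File paths, the server IP and the hostname are parameters so the checks can be run against scratch copies; on a live box pass the real files and your own IP and hostname.

```shell
#!/bin/sh
# Added example, not from the original guide: audit resolv.conf and hosts
# for the layout the guide asks for.  Each problem is printed and the
# function returns 1; a clean file returns 0.

# re_escape STRING: escape dots so an IP or hostname can be used in a regex
re_escape() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# check_resolv FILE: 0 when FILE names at least one resolver, does not point
# at 127.0.0.1 and has no search line.
check_resolv() {
    f="$1"; rc=0
    if ! grep -Eq '^[[:space:]]*nameserver[[:space:]]' "$f"; then
        echo "resolv: no nameserver line at all"; rc=1
    fi
    if grep -Eq '^[[:space:]]*nameserver[[:space:]]+127\.0\.0\.1([[:space:]]|$)' "$f"; then
        echo "resolv: 127.0.0.1 is listed as a nameserver"; rc=1
    fi
    if grep -Eq '^[[:space:]]*search[[:space:]]' "$f"; then
        echo "resolv: search line present (not needed)"; rc=1
    fi
    return $rc
}

# check_hosts FILE IP FQDN: 0 when the only two entries are
#   127.0.0.1  localhost
#   IP         FQDN SHORTNAME
# where SHORTNAME is FQDN up to the first dot.  Comments and blank lines
# are ignored when counting entries.
check_hosts() {
    f="$1"; ip="$2"; fqdn="$3"; rc=0
    short="${fqdn%%.*}"
    ip_re=$(re_escape "$ip"); fqdn_re=$(re_escape "$fqdn")
    entries=$(grep -Ev '^[[:space:]]*(#|$)' "$f" | wc -l | tr -d ' ')
    if [ "$entries" -ne 2 ]; then
        echo "hosts: expected 2 entries, found $entries"; rc=1
    fi
    if ! grep -Eq '^[[:space:]]*127\.0\.0\.1[[:space:]]+localhost([[:space:]]|$)' "$f"; then
        echo "hosts: missing '127.0.0.1 localhost'"; rc=1
    fi
    line=$(grep -E "^[[:space:]]*${ip_re}[[:space:]]" "$f" | head -n 1)
    if [ -z "$line" ]; then
        echo "hosts: no entry for $ip"; rc=1
    else
        echo "$line" | grep -Eq "[[:space:]]${fqdn_re}([[:space:]]|$)" \
            || { echo "hosts: $ip line lacks $fqdn"; rc=1; }
        echo "$line" | grep -Eq "[[:space:]]${short}([[:space:]]|$)" \
            || { echo "hosts: $ip line lacks $short"; rc=1; }
    fi
    return $rc
}

# Usage on a real server:  sh audit-names.sh --live 203.0.113.10 host.example.com
if [ "${1:-}" = "--live" ]; then
    check_resolv /etc/resolv.conf
    check_hosts /etc/hosts "$2" "$3"
fi
```

The IP and hostname in the usage line are constructed placeholders; substitute your own. A non-zero exit from either function means the file still needs editing.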

Next we will secure sshd.

—–command—–
pico -w /etc/ssh/sshd_config
—–command—–

Locate the line with “Protocol” in it and change it so that it reads “Protocol 2”. This will let ssh connect only over protocol 2, which is more secure and is compatible with any modern client. If for some reason your current client does not support protocol 2, PuTTY is free and supports it.

Another very good option is to disable root logins. **NOTE** If you do this you need to make sure that you have added a user to the wheel group and have ensured that they are able to “su -” root. Do not turn this feature on without testing that you can first login as another user and gain root access, you have been warned! Look for “PermitRootLogin” and change it to read “PermitRootLogin no”.

Save and restart sshd via “service sshd restart”.

Many PHP exploit scripts use common *nix tools to download rootkits or backdoors. By simply chmod'ing the files so that no non-wheel or non-root user can use them we eliminate many possible problems. The downside to doing this is that shell users will be inconvenienced by not being able to use the commands below. This may cause some problems if your users rely on commands such as wget, which is very popular with shell users. If you use mod_security these programs should be blocked from access by apache, which is the main concern.

—–command—–
chmod 750 /usr/bin/rcp
chmod 750 /usr/bin/wget
chmod 750 /usr/bin/lynx
chmod 750 /usr/bin/links
chmod 750 /usr/bin/scp
—–command—–
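The sshd and chmod steps are easy to get subtly wrong: sshd uses the first occurrence of a keyword, so a “PermitRootLogin no” placed below an earlier “PermitRootLogin yes” is ignored, and chmod 750 only removes access for “other”, so it only helps if the file's group is root or wheel. The following added example (not part of the original guide) checks both; paths are parameters so it can be tried on scratch files.

```shell
#!/bin/sh
# Added example, not from the original guide: verify the sshd_config
# settings and the restricted download tools after applying the tweaks.

# sshd_value FILE KEYWORD: print the value of the first active (uncommented)
# KEYWORD line.  Keywords are case-insensitive in sshd_config, and sshd
# honours the first occurrence, so later duplicates are ignored here too.
sshd_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# check_sshd FILE: 0 when Protocol is exactly 2 and PermitRootLogin is no.
check_sshd() {
    f="$1"; rc=0
    proto=$(sshd_value "$f" Protocol)
    if [ "$proto" != "2" ]; then
        echo "sshd: Protocol is '${proto:-unset}', want 2"; rc=1
    fi
    prl=$(sshd_value "$f" PermitRootLogin)
    if [ "$prl" != "no" ]; then
        echo "sshd: PermitRootLogin is '${prl:-unset}', want no"; rc=1
    fi
    return $rc
}

# check_restricted PATH: 0 when "other" has no permission bits on PATH.
# chmod 750 leaves the group with rx, so the group owner is reported as a
# warning when it is not root or wheel (those members keep access).
check_restricted() {
    p="$1"
    [ -e "$p" ] || { echo "$p: not present (nothing to restrict)"; return 0; }
    perms=$(ls -ld "$p" | awk '{print $1}')
    group=$(ls -ld "$p" | awk '{print $4}')
    other=$(printf '%s' "$perms" | cut -c8-10)
    case "$group" in
        root|wheel) ;;
        *) echo "$p: group is '$group', not root/wheel; group members keep access" ;;
    esac
    if [ "$other" != "---" ]; then
        echo "$p: other has '$other' ($perms), want ---"
        return 1
    fi
    return 0
}

# Usage on a real server:  sh audit-ssh-tools.sh --live
if [ "${1:-}" = "--live" ]; then
    check_sshd /etc/ssh/sshd_config
    for tool in rcp wget lynx links scp; do
        check_restricted "/usr/bin/$tool"
    done
fi
```

Run the permission check again after package updates, since a package upgrade that reinstalls one of these tools will normally reset its mode.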

Any further ideas for this section are appreciated! Please email or post them.
