Module 20 – Linux Server Security Hardening

Server hardening is the process of reducing a server's attack surface and tightening its configuration: removing software and accounts that are not needed, restricting what remains to the least privilege it requires, and turning on the logging needed to notice misuse. The steps below are written for a RHEL/CentOS 6 style system (SysV init, chkconfig, yum, ifcfg files); the intent of each step carries over to newer releases even where the command differs. Test each change on a non-production host first, because several of them (removing services, disabling IPv6, tightening file modes) can break applications that depend on the old behaviour.

1. Password control

Set the password ageing policy in /etc/login.defs:

# vi /etc/login.defs
PASS_MAX_DAYS   180
PASS_MIN_DAYS   8
PASS_MIN_LEN    8
PASS_WARN_AGE   7
LOGIN_TIMEOUT   30

These values only apply to accounts created after the change; accounts that already exist keep the ageing fields stored in /etc/shadow, so bring them into line with chage (for example chage -M 180 -m 8 -W 7 username). PASS_MIN_LEN is ignored on PAM-based systems; minimum length and complexity are enforced by pam_cracklib or pam_pwquality in /etc/pam.d/system-auth instead. LOGIN_TIMEOUT is the number of seconds a console login prompt waits for a password before giving up.
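Because login.defs only governs new accounts, the check to run after editing it is an audit of the accounts that already exist. The script below is an added example (not part of the original module): it reads a shadow(5)-format file, flags accounts whose ageing fields fall outside the policy above or that have an empty password, and prints the chage or passwd command that would fix each one. The sample file it writes is constructed for the demo; on a real host point audit_password_aging at /etc/shadow as root.

```shell
#!/bin/sh
# Added example: audit existing accounts against the login.defs ageing policy.
# Assumed shadow(5) layout: name:hash:lastchange:min:max:warn:inactive:expire:reserved

POLICY_MAX=180   # PASS_MAX_DAYS
POLICY_MIN=8     # PASS_MIN_DAYS
POLICY_WARN=7    # PASS_WARN_AGE

# audit_password_aging FILE
# Prints one line per account that needs attention, with the command to fix it.
# Locked or disabled accounts (hash starting with "!" or "*") cannot log in and are skipped.
audit_password_aging() {
    awk -F: -v pmax="$POLICY_MAX" -v pmin="$POLICY_MIN" -v pwarn="$POLICY_WARN" '
        $2 ~ /^[!*]/ { next }
        $2 == ""     { printf "%s: EMPTY PASSWORD -> passwd -l %s\n", $1, $1; next }
        {
            max  = ($5 == "") ? 99999 : $5 + 0   # empty max field means "never expires"
            min  = ($4 == "") ? 0     : $4 + 0
            warn = ($6 == "") ? 0     : $6 + 0
            if (max > pmax || min < pmin || warn < pwarn)
                printf "%s: max=%d min=%d warn=%d -> chage -M %d -m %d -W %d %s\n",
                       $1, max, min, warn, pmax, pmin, pwarn, $1
        }' "$1"
}

# write_sample_shadow FILE
# Constructed sample data for the demo; the hashes are placeholders, not real ones.
write_sample_shadow() {
    cat > "$1" <<'EOF'
root:$6$saltsalt$placeholderhash:19000:0:99999:7:::
alice:$6$saltsalt$placeholderhash:19100:8:180:7:::
bob:$6$saltsalt$placeholderhash:19050:1:99999:7:::
svc-backup::19000:0:99999:7:::
games:*:18000:0:99999:7:::
EOF
}

# Demo: sh audit-aging.sh --demo   (real host, as root: audit_password_aging /etc/shadow)
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sample_shadow "$tmp"
    audit_password_aging "$tmp"
    rm -f "$tmp"
fi
```

In the demo, root and bob are reported for a 99999-day maximum (and bob for a 1-day minimum), svc-backup for an empty password, while alice already matches the policy and the locked games account is ignored.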

2. Session time out

# vi /etc/profile.d/security.sh
TMOUT=900
readonly TMOUT
export TMOUT
readonly HISTFILE

TMOUT makes an interactive bash (or ksh) shell exit after 900 seconds without input; readonly stops users from unsetting or raising it in their own ~/.bashrc, and readonly HISTFILE stops them from pointing their command history at /dev/null to hide what they ran. This only covers shells that source /etc/profile.d, and it does not end a session that is sitting in a long-running foreground program.

3. Secure the SSH daemon / no direct root login over SSH

# vi /etc/ssh/sshd_config
ClientAliveInterval 900
ClientAliveCountMax 0
PermitRootLogin no
PermitEmptyPasswords no

PermitRootLogin no forces administrators to log in under their own account and escalate with su or sudo, so every privileged action is tied to a person; keep a console or out-of-band path for emergencies. The ClientAlive pair behaves differently across versions. On OpenSSH before 8.2, ClientAliveCountMax 0 drops the connection after ClientAliveInterval seconds with no traffic from the client (no probe is sent), which acts as a rough 15-minute idle cut-off. From 8.2 on, 0 means never disconnect, and with any count of 1 or more a live client answers the probes even while the user is idle, so the setting then only clears dead connections and TMOUT above is what enforces the idle timeout; use ClientAliveCountMax 1 on 8.2 and later. sshd takes the first occurrence of each directive, so make sure an earlier PermitRootLogin yes is not still winning, run sshd -t to validate the file, then service sshd restart, and keep your current session open until a fresh login succeeds.
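sshd_config is read top-down, the first occurrence of a directive wins, and everything after a Match line applies only to the matching connections, so a hardening directive pasted at the end of the file may never take effect. The checker below is an added example (not part of the original module or of OpenSSH): it reproduces those rules for the global section, reports the effective value of each directive above, and fails if one is wrong or left to the compiled-in default. The sample sshd_config it writes is constructed to show both traps. On the real host, sshd -T prints the effective configuration from the daemon's own parser and sshd -t checks syntax before a restart.

```shell
#!/bin/sh
# Added example: report the values sshd will actually use from an sshd_config file.
# Rules reproduced from sshd_config(5): keywords are case-insensitive, "=" may
# separate keyword and value, the first occurrence of a keyword wins, and the
# global section ends at the first "Match" line.

# effective_sshd_value FILE KEYWORD -> prints the effective global value (empty if unset)
effective_sshd_value() {
    awk -v key="$2" '
        tolower($1) == "match" { exit }           # rest of the file is conditional
        /^[ \t]*(#|$)/        { next }            # comment or blank line
        {
            line = $0; sub(/^[ \t]*/, "", line)
            n = split(line, kv, /[ \t=]+/)
            if (n >= 2 && tolower(kv[1]) == tolower(key)) { print kv[2]; exit }
        }' "$1"
}

# check_sshd_hardening FILE -> one line per directive; returns 1 if any check fails
check_sshd_hardening() {
    rc=0
    for pair in PermitRootLogin=no PermitEmptyPasswords=no ClientAliveInterval=900; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(effective_sshd_value "$1" "$key")
        if [ "$got" = "$want" ]; then
            echo "OK   $key=$got"
        else
            echo "FAIL $key: effective=${got:-<unset, sshd default>} want=$want"
            rc=1
        fi
    done
    # ClientAliveCountMax 0: before OpenSSH 8.2 the session is dropped after one
    # interval with no client traffic (no probe sent); from 8.2 on it means never.
    cm=$(effective_sshd_value "$1" ClientAliveCountMax)
    case "${cm:-unset}" in
        0)     echo "WARN ClientAliveCountMax=0 disables the disconnect on OpenSSH >= 8.2; use 1 there" ;;
        unset) echo "WARN ClientAliveCountMax not set (sshd default is 3)" ;;
        *)     echo "OK   ClientAliveCountMax=$cm" ;;
    esac
    return $rc
}

# write_sample_sshd_config FILE
# Constructed sample: hardening was appended after an earlier default and a Match block.
write_sample_sshd_config() {
    cat > "$1" <<'EOF'
# constructed sshd_config for the demo
Port 22
PermitRootLogin yes
ClientAliveInterval=900
ClientAliveCountMax 0
Match User backup
    PasswordAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
EOF
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sample_sshd_config "$tmp"
    check_sshd_hardening "$tmp" || echo "sshd_config does not meet policy"
    rm -f "$tmp"
fi
```

In the demo the trailing PermitRootLogin no is inside the Match block and the earlier PermitRootLogin yes wins, so the check fails; PermitEmptyPasswords is reported as unset for the same reason.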

4. Unwanted user ID clean up

Remove the default accounts that nothing on the server uses:

# userdel shutdown
# userdel halt
# userdel games
# userdel operator
# userdel ftp
# userdel gopher

Before deleting an account, confirm that no running process or file depends on it (ps -u name; find / -user name). userdel without -r leaves any home directory behind, and files still owned by the old UID are inherited by the next account created with that UID, so remove or re-own them. Accounts that must stay but should never log in get a locked password and /sbin/nologin as shell rather than deletion.

5. Remove servers that speak cleartext protocols:

# yum erase xinetd tftp-server ypserv telnet-server rsh-server

telnet, rsh/rlogin and TFTP carry credentials and data unencrypted and NIS (ypserv) hands out password hashes; SSH, SFTP and LDAP/Kerberos replace them. There is no inetd package on RHEL (xinetd is the super-server there), and xinetd itself can only go if no remaining service is started through it, so check /etc/xinetd.d first. Verify afterwards with rpm -q that nothing pulled the packages back in as a dependency.

6. Disable unnecessary services

for i in rpcbind restorecond nfslock lldpad fcoe rpcidmapd
do
    service $i stop
    chkconfig $i off
done

Only disable what the server does not use: rpcbind, nfslock and rpcidmapd are required for NFS, lldpad and fcoe for FCoE storage, and restorecond is the SELinux daemon that relabels the files listed in /etc/selinux/restorecond.conf. chkconfig --list shows what is still enabled at boot, and netstat -tulpn (or ss -tulpn) shows what is still listening; on systemd releases the equivalent is systemctl disable --now $i.

7. Turn off IPv6 (only if nothing uses it)

# vi /etc/sysconfig/network-scripts/ifcfg-eth0
IPV6INIT=no
IPV6_AUTOCONF=no

This stops the interface from configuring an IPv6 address or accepting router advertisements, but the kernel keeps the IPv6 stack loaded; if the ip6tables rules are not as strict as the IPv4 ones, also set net.ipv6.conf.all.disable_ipv6 = 1 and net.ipv6.conf.default.disable_ipv6 = 1 in /etc/sysctl.conf. On a dual-stack network this breaks every service reached over IPv6, so check ip -6 addr and the application configuration before switching it off.

8. Disable job scheduling for all except root (cron/at)

Access to crontab and at is controlled by four files:

/etc/cron.allow
/etc/cron.deny
/etc/at.allow
/etc/at.deny

When an allow file exists, only the users listed in it may schedule jobs and the matching deny file is ignored; so create /etc/cron.allow and /etc/at.allow containing the single line root, owned by root with mode 600, and remove cron.deny and at.deny. This does not touch jobs in /etc/cron.d or /etc/cron.{hourly,daily,weekly,monthly}, and it does not remove crontabs users created earlier, so review /var/spool/cron as well.
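The rule crontab and at apply is: if the allow file exists, only users listed in it may use the command and the deny file is ignored; otherwise a user is refused only if listed in the deny file. The script below is an added example (not part of the original module): restrict_scheduling_to_root writes the allow files and removes the deny files under a given /etc directory, and scheduling_allowed reproduces the lookup so the outcome can be verified for any user. The directory is a parameter so the demo runs in a temporary tree whose starting state is constructed; on the real host pass /etc as root. The case where neither file exists is reported as undetermined because crontab(1) makes it depend on site configuration.

```shell
#!/bin/sh
# Added example: restrict cron/at to root and verify the resulting access decision.
# Rule from crontab(1)/at(1): if <tool>.allow exists, only listed users may use the
# command (the deny file is ignored); otherwise users listed in <tool>.deny are refused.

# restrict_scheduling_to_root ETCDIR
# Creates ETCDIR/cron.allow and ETCDIR/at.allow containing only "root", mode 600,
# and removes the deny files so that nothing else is consulted.
restrict_scheduling_to_root() {
    etc=$1
    for tool in cron at; do
        printf 'root\n' > "$etc/$tool.allow"
        chmod 600 "$etc/$tool.allow"
        chown root:root "$etc/$tool.allow" 2>/dev/null || true   # needs root; skipped in the demo
        rm -f "$etc/$tool.deny"
    done
}

# scheduling_allowed ETCDIR TOOL USER
# Returns 0 if USER may use TOOL (cron|at), 1 if refused, 2 if neither file exists
# (site-dependent default: treat as a finding). grep -x matches whole lines, so
# "alice" does not match a user called "alice2".
scheduling_allowed() {
    etc=$1; tool=$2; user=$3
    if [ -f "$etc/$tool.allow" ]; then
        grep -qx "$user" "$etc/$tool.allow" && return 0
        return 1
    fi
    if [ -f "$etc/$tool.deny" ]; then
        grep -qx "$user" "$etc/$tool.deny" && return 1
        return 0
    fi
    return 2
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    printf 'alice\n' > "$d/cron.deny"          # constructed starting state: only alice is blocked
    restrict_scheduling_to_root "$d"
    for u in root alice bob; do
        if scheduling_allowed "$d" cron "$u"; then echo "$u: may use crontab"; else echo "$u: refused"; fi
    done
    rm -rf "$d"
fi
```

Before the change bob could schedule jobs because only alice was in cron.deny; after it only root can, for both cron and at.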

9. Narrow down rights for system files and folders

chmod 700 /root
chmod 700 /var/log/audit
chmod 740 /etc/rc.d/init.d/iptables
chmod 750 /sbin/iptables
chmod -R 700 /etc/skel
chmod 600 /etc/rsyslog.conf
chmod 640 /etc/security/access.conf
chmod 600 /etc/sysctl.conf

These modes assume the files are owned by root:root; confirm with stat -c '%U:%G %a %n' before and after. Package updates can put the RPM's own modes back and rpm -V lists every changed mode as a difference, so re-check after patching. useradd copies the entries in /etc/skel together with their modes, so new users' dotfiles will be 700 as well, which is harmless.

10. Warning banner before SSH login

/etc/motd is only displayed after a successful login. To show the notice before authentication, put it in /etc/issue.net (any path works, /etc/banner included) and point sshd at it with Banner /etc/issue.net in /etc/ssh/sshd_config; /etc/issue is the equivalent for console logins. Keep OS name, version and hostname out of the banner, since they only help an attacker fingerprint the host.

# vi /etc/issue.net
USE OF THIS COMPUTER SYSTEM, AUTHORIZED OR UNAUTHORIZED, CONSTITUTES CONSENT TO
MONITORING OF THIS SYSTEM. UNAUTHORIZED USE MAY SUBJECT YOU TO CRIMINAL
PROSECUTION. EVIDENCE OF UNAUTHORIZED USE COLLECTED DURING MONITORING MAY BE USED
FOR ADMINISTRATIVE, CRIMINAL, OR OTHER ADVERSE ACTION. USE OF THIS SYSTEM
CONSTITUTES CONSENT TO MONITORING FOR THESE PURPOSES.

11. Kernel tuning parameters:

Add these to /etc/sysctl.conf (read at boot) and apply them immediately with sysctl -p:

#Do not send or accept ICMP redirects (a host on the same LAN could use them to reroute traffic)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
#Double the SYN backlog (the old default is 1024) to absorb SYN floods
net.ipv4.tcp_max_syn_backlog = 2048
#Ignore ICMP echo requests sent to broadcast addresses (smurf amplification); this is a 0/1 flag
net.ipv4.icmp_echo_ignore_broadcasts = 1
#Drop source-routed packets
net.ipv4.conf.all.accept_source_route = 0
#Log packets with impossible (martian) source addresses
net.ipv4.conf.all.log_martians = 1
#Ignore bogus ICMP error responses
net.ipv4.icmp_ignore_bogus_error_responses = 1
#Drop packets whose source address is not reachable through the interface they arrived on
net.ipv4.conf.all.rp_filter = 1

The conf.all keys act on interfaces that already exist and the conf.default keys on interfaces created later, so accept_source_route, log_martians and rp_filter deserve a conf.default entry as well. rp_filter = 1 is strict reverse-path filtering and drops legitimate traffic on hosts with asymmetric routing; use 2 (loose) there. Check the result with sysctl -a | grep net.ipv4.conf.
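The conf.all and conf.default keys do not simply overwrite each interface's own flag. Documentation/networking/ip-sysctl.txt describes how the kernel combines the all value with the interface value: send_redirects, secure_redirects and log_martians are on if either is 1, accept_source_route only if both are 1, rp_filter takes the larger of the two, and accept_redirects follows the either-is-1 rule on an interface that is not forwarding and the both-are-1 rule on one that is. An interface that came up before sysctl.conf was applied can therefore still send redirects after all.send_redirects = 0. The script below is an added example (not part of the original module): it computes the effective per-interface value from a /proc/sys-style tree and reports any interface that is still insecure. The root directory is a parameter so the demo can run against a constructed tree; on a real host call audit_ipv4_interfaces with no argument to read /proc/sys.

```shell
#!/bin/sh
# Added example, not from the original module: compute the IPv4 settings the
# kernel actually applies per interface. Combination rules taken from
# Documentation/networking/ip-sysctl.txt:
#   OR  (on if conf/all OR conf/<if> is 1): send_redirects, secure_redirects,
#       log_martians, and accept_redirects when the interface is not forwarding
#   AND (on only if both are 1):            accept_source_route, and
#       accept_redirects when the interface is forwarding
#   MAX (larger of the two values):         rp_filter

# read_param ROOT IFACE PARAM -> file content, or 0 if the file does not exist
read_param() {
    cat "$1/net/ipv4/conf/$2/$3" 2>/dev/null || echo 0
}

# effective_ipv4_param ROOT IFACE PARAM -> the value in force on IFACE
effective_ipv4_param() {
    _root=$1; _ifc=$2; _p=$3
    a=$(read_param "$_root" all "$_p")
    i=$(read_param "$_root" "$_ifc" "$_p")
    rule=or
    case $_p in
        accept_source_route) rule=and ;;
        rp_filter)           rule=max ;;
        accept_redirects)
            if [ "$(read_param "$_root" "$_ifc" forwarding)" -ne 0 ]; then rule=and; fi ;;
    esac
    case $rule in
        and) if [ "$a" -ne 0 ] && [ "$i" -ne 0 ]; then echo 1; else echo 0; fi ;;
        or)  if [ "$a" -ne 0 ] || [ "$i" -ne 0 ]; then echo 1; else echo 0; fi ;;
        max) if [ "$a" -gt "$i" ]; then echo "$a"; else echo "$i"; fi ;;
    esac
}

# audit_ipv4_interfaces [ROOT] -> "FAIL <iface> <param> effective=<v>" per violation;
# returns 1 if anything failed. ROOT defaults to /proc/sys on a live host.
audit_ipv4_interfaces() {
    root=${1:-/proc/sys}; rc=0
    for d in "$root"/net/ipv4/conf/*/; do
        ifc=$(basename "$d")
        case $ifc in all|default) continue ;; esac
        for p in send_redirects accept_redirects secure_redirects \
                 accept_source_route log_martians rp_filter; do
            v=$(effective_ipv4_param "$root" "$ifc" "$p")
            case $p in
                log_martians) want="1" ;;    # logging must be on
                rp_filter)    want="1 2" ;;  # strict (1) or loose (2) both count
                *)            want="0" ;;    # everything else must be off
            esac
            ok=0
            for w in $want; do
                if [ "$v" -eq "$w" ]; then ok=1; fi
            done
            if [ "$ok" -eq 0 ]; then
                echo "FAIL $ifc $p effective=$v"
                rc=1
            fi
        done
    done
    return $rc
}

# write_sample_sysctl_tree ROOT: constructed /proc/sys-style tree for the demo.
# "all", "default" and eth0 are hardened; eth1 came up before sysctl.conf was
# applied and still has its own flags set.
write_sample_sysctl_tree() {
    for ifc in all default eth0 eth1; do
        d="$1/net/ipv4/conf/$ifc"; mkdir -p "$d"
        for p in send_redirects accept_redirects secure_redirects accept_source_route forwarding; do
            echo 0 > "$d/$p"
        done
        echo 1 > "$d/log_martians"
        echo 1 > "$d/rp_filter"
    done
    echo 1 > "$1/net/ipv4/conf/eth1/send_redirects"       # OR rule: still in force, reported
    echo 1 > "$1/net/ipv4/conf/eth1/accept_source_route"  # AND rule: masked by all=0
    echo 0 > "$1/net/ipv4/conf/eth1/rp_filter"            # MAX rule: covered by all=1
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    write_sample_sysctl_tree "$tmp"
    audit_ipv4_interfaces "$tmp" || echo "fix with: sysctl -w net.ipv4.conf.eth1.send_redirects=0"
    rm -rf "$tmp"
fi
```

Of the three eth1 deviations only send_redirects is reported, because the AND rule masks the interface-level accept_source_route and the MAX rule lets all.rp_filter cover the interface that still has 0.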

12. Log watching & reporting:

# yum install logwatch -y
# vi /etc/logwatch/conf/logwatch.conf
MailTo=admin@example.com

Put local settings in /etc/logwatch/conf/logwatch.conf; it overrides the packaged defaults in /usr/share/logwatch/default.conf/logwatch.conf, which a package update would overwrite. The package already installs /etc/cron.daily/0logwatch, so a crontab entry is only needed for a different schedule, and it must have all five time fields (minute, hour, day of month, month, day of week):

# crontab -e
0 5 * * * /usr/sbin/logwatch

Confirm that the host can deliver mail (working local MTA and relay) and that the report actually arrives. Logwatch only summarises; also forward the logs themselves to a central syslog host so that an intruder who gains root cannot rewrite the only copy.

 
