Linux, InfoSec, Technology and Everything Else

Published: 6 months ago

Fencing Your Linux Server From Hackers

Today I'll post some basic tweaks that make it a little harder for an attacker to get into your Linux server. But first let me be clear: if a determined attacker wants into your system, they will probably find a way. All we can do is raise the cost, and here I cover only the 'basics' of hardening. I'll assume you are running a server on Debian or CentOS or one of their offspring (Ubuntu, RHEL and friends).

Disable Root Login and tighten SSH

This should be the first step whenever you install a new Linux server: log in with SSH keys instead of passwords, don't let root log in over SSH at all, and move SSH off the default port.
Start by adding an admin user

~# adduser admin_user

and give it administrator rights. Don't create a new group for this: both distributions already ship a group that sudo trusts, sudo on Debian and wheel on CentOS (on CentOS, uncomment the %wheel line in /etc/sudoers with visudo first). Add the user to it as a supplementary group with -aG; usermod -g would replace the user's primary group instead, which is not what you want.

~# usermod -aG sudo admin_user # Debian/Ubuntu

~# usermod -aG wheel admin_user # CentOS/RHEL

On CentOS, adduser is just useradd and does not set a password, so run passwd admin_user as well; sudo will still ask for it after you switch SSH to keys.

Next, on your own machine (not on the server), generate an SSH key pair (on a recent OpenSSH, -t ed25519 is the modern choice):

~$ ssh-keygen -t rsa -b 4096

It asks where to save the key; press Enter for the default location, then choose a passphrase (use one on a workstation; ssh-agent caches it so you don't retype it). Then append the contents of the public key, id_rsa.pub, to the file /home/admin_user/.ssh/authorized_keys on the server (it is a file, not a folder, and the name ends in an s). The simplest way is ssh-copy-id admin_user@server, which also creates .ssh with mode 700 and authorized_keys with mode 600; sshd silently ignores keys in a directory or file that is group- or world-writable. Now you can log in directly with

ssh admin_user@server

Great. Now disable root login by editing /etc/ssh/sshd_config so that the PermitRootLogin line reads

PermitRootLogin no

Make sure there is only one uncommented PermitRootLogin line: sshd uses the first value it finds for a keyword, so a stray "yes" higher in the file wins. Since you now log in with a key, also set PasswordAuthentication to no in the same file, but only after you have confirmed in a second terminal that the key login works, or you will lock yourself out. Finally, move SSH off port 22 by editing the Port line in the same file so it reads

Port 856

This doesn't stop a targeted attacker (nmap finds the new port in seconds) but it removes most of the automated brute-force noise from your logs. Before you restart, open the new port in your firewall, and on CentOS with SELinux enforcing register it as well (semanage port -a -t ssh_port_t -p tcp 856), or sshd will refuse to bind to it.

Then check the file for typos with sudo sshd -t (no output means it parsed) and restart the SSH server for the changes to take effect. Keep your current session open and test a fresh login on the new port from another terminal before you close it.

~$ sudo service ssh restart #debian like distro

~$ sudo service sshd restart #Centos like distro

(On systemd-based releases the equivalent is sudo systemctl restart ssh on Debian and sudo systemctl restart sshd on CentOS.)
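The ordering rule above (first value wins) is easy to get wrong by hand, so here is an added example, not code from the original post, that audits an sshd_config for the three settings this section changes. The function names (sshd_effective, audit_sshd_config) are this example's own; it assumes the "Keyword value" syntax, ignores anything inside Match blocks, and does not follow Include directives.

```shell
#!/bin/sh
# Added example, not code from the original post: audit an sshd_config file for
# the three settings this section changes. sshd uses the FIRST value it meets for
# a keyword, so a "PermitRootLogin yes" left higher in the file silently beats the
# "PermitRootLogin no" added below it. Function names are this example's own; it
# assumes the "Keyword value" syntax and does not follow Include directives.

# sshd_effective FILE KEYWORD: print the value sshd would use for KEYWORD in the
# global section (settings under "Match" are conditional, so stop at the first one).
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/   { next }              # comments and blank lines
        tolower($1) == "match" { exit }              # conditional section starts
        tolower($1) == key     { print $2; exit }    # first occurrence wins
    ' "$1"
}

# audit_sshd_config FILE: print one line per finding; return 0 if the file is
# hardened as described above, 1 otherwise. A missing keyword is reported with the
# compiled-in default of the OpenSSH releases this post targets (root login and
# passwords allowed, port 22).
audit_sshd_config() {
    rc=0
    root=$(sshd_effective "$1" PermitRootLogin)
    pass=$(sshd_effective "$1" PasswordAuthentication)
    port=$(sshd_effective "$1" Port)

    case "$(printf '%s' "${root:-yes}" | tr 'A-Z' 'a-z')" in
        no) ;;
        *)  echo "PermitRootLogin is '${root:-unset}', want 'no'"; rc=1 ;;
    esac
    case "$(printf '%s' "${pass:-yes}" | tr 'A-Z' 'a-z')" in
        no) ;;
        *)  echo "PasswordAuthentication is '${pass:-unset}', want 'no' (only once key login works)"; rc=1 ;;
    esac
    if [ "${port:-22}" = "22" ]; then
        echo "Port is 22 (default); the post moves it, e.g. to 856"; rc=1
    fi
    return $rc
}

# On a real host, as root (the file is usually mode 600):
#   audit_sshd_config /etc/ssh/sshd_config
```

The authoritative check on a live host is sudo sshd -T, which prints the fully resolved configuration including Match and Include processing; this script is for reading a file before you apply it.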

Install IDS and IPS

An IDS (Intrusion Detection System) and an IPS (Intrusion Prevention System) are an important part of shielding a server against intruders. There are many choices for both; my personal favourites are OSSEC and Fail2Ban.
OSSEC is a host-based intrusion detection system (HIDS) by Trend Micro. It is a full platform to monitor and control your systems: it combines HIDS (file integrity checking, rootkit detection), log monitoring and SIM/SIEM in a simple, powerful, open source package. So let's set it up.

GCC and make are build dependencies (install.sh compiles OSSEC from source), so install them first.

for Debian

~$ sudo apt-get install gcc make

and for CentOS

~$ sudo yum install gcc make

Now download, unpack and install. 2.6 was the current release when this was written; check http://www.ossec.net/ for the latest one, and since the download is over plain http, compare the tarball's checksum with the one published for that release before you run install.sh as root:

~$ wget http://www.ossec.net/files/ossec-hids-2.6.tar.gz
~$ tar -zxvf ossec-hids-*.tar.gz
~$ cd ossec-hids-*
~$ sudo ./install.sh

(If your tar has no -z option, run gunzip -d on the file first and then tar -xvf.)

During the installation it asks what kind of installation you want (local is right for a single server), about email notifications, the language and the installation path. The default options are fine; change them if you prefer. Look at the documentation (http://www.ossec.net/doc/) if you need help.
Now start OSSEC HIDS (as root):

# /var/ossec/bin/ossec-control start

Now we need to install Fail2Ban.
Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show malicious signs: too many password failures, probing for exploits, and so on. Generally Fail2Ban then updates firewall rules to reject those IP addresses for a specified amount of time, although any other action (e.g. sending an email) can also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc.). Strictly it is a log-driven IPS rather than an IDS: it only sees what the service logged, and it only ever bans the source address it saw, so an attacker rotating through many addresses stays under the retry limit on each one.

fail2ban is not in the stock CentOS repositories, so enable EPEL first (this is the CentOS 6 x86_64 package; on newer releases sudo yum install epel-release from the extras repository does the same):

rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

Follow up by installing fail2ban:

~$ sudo yum install fail2ban

In case of Debian/Ubuntu , It can be installed by

~$ sudo apt-get install fail2ban

The default fail2ban configuration lives in /etc/fail2ban/jail.conf. Do not edit that file (package upgrades overwrite it); put your changes in /etc/fail2ban/jail.local, which is read after jail.conf and overrides it. The quick way is to copy the whole file:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

After the file is copied, make all of your changes in the new jail.local. (A full copy works but freezes every default; a jail.local containing only the sections you change is cleaner.) Most services that might need protection already have a section there, and the options are self-explanatory once you open the file: enabled, port, maxretry (failures allowed), findtime (the window in which they are counted) and bantime (how long the address is blocked). Two things to check for the SSH jail, which is named ssh, ssh-iptables or sshd depending on the version: it must have enabled = true, and its port must match the port you set in sshd_config earlier (e.g. port = 856), otherwise the firewall rule fail2ban creates only covers port 22 and attackers hitting your real port are never blocked. Restart fail2ban afterwards and confirm the jail is running with fail2ban-client status.
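The detection the SSH jail performs, written out by hand as an added example (this is neither fail2ban's code nor the original post's): a shell function that counts sshd "Failed password" lines per source address inside a sliding findtime window and prints the addresses that reach maxretry, which is exactly the list fail2ban would hand to its ban action. The log lines are constructed for the example and the function name is my own.

```shell
#!/bin/sh
# Added example, not from the original post or from fail2ban: the core of what the
# sshd jail does, done by hand so the maxretry/findtime interplay is visible.
# The log lines below are constructed; the function name is this example's own.

# Constructed sample of /var/log/auth.log (syslog timestamps, all on one day).
SAMPLE_LOG='Mar  9 10:00:01 web sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  9 10:00:03 web sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2
Mar  9 10:00:05 web sshd[2103]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  9 10:00:07 web sshd[2105]: Failed password for root from 203.0.113.7 port 51237 ssh2
Mar  9 10:00:09 web sshd[2107]: Failed password for root from 203.0.113.7 port 51238 ssh2
Mar  9 10:00:20 web sshd[2110]: Failed password for admin_user from 198.51.100.4 port 40001 ssh2
Mar  9 10:00:22 web sshd[2112]: Accepted publickey for admin_user from 198.51.100.4 port 40002 ssh2
Mar  9 10:05:00 web sshd[2120]: Failed password for root from 192.0.2.9 port 33001 ssh2
Mar  9 10:30:00 web sshd[2121]: Failed password for root from 192.0.2.9 port 33002 ssh2
Mar  9 10:55:00 web sshd[2122]: Failed password for root from 192.0.2.9 port 33003 ssh2
Mar  9 11:20:00 web sshd[2123]: Failed password for root from 192.0.2.9 port 33004 ssh2
Mar  9 11:45:00 web sshd[2124]: Failed password for root from 192.0.2.9 port 33005 ssh2'

# ban_candidates MAXRETRY FINDTIME_SECONDS  (reads the log on stdin)
# Prints each address that accumulates MAXRETRY failures inside any FINDTIME-second
# window, once, in order of first detection. fail2ban's defaults are 5 and 600.
ban_candidates() {
    awk -v maxretry="$1" -v findtime="$2" '
        # Only lines matching the failure pattern count; a successful login does not.
        / sshd\[[0-9]+\]: Failed password for .* from [0-9.]+ port / {
            # syslog time -> seconds of day (the sample stays inside one day)
            split($3, t, ":"); now = t[1]*3600 + t[2]*60 + t[3]
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i+1)
            n = ++count[ip]; ts[ip, n] = now
            # slide the window: forget failures older than findtime seconds
            while (first[ip] + 0 < n && now - ts[ip, first[ip] + 1] > findtime) first[ip]++
            if (n - first[ip] >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
        }'
}

# Example run with fail2ban defaults: only the fast brute-forcer is listed.
#   printf '%s\n' "$SAMPLE_LOG" | ban_candidates 5 600
```

To exercise the real filter against your own log, fail2ban ships fail2ban-regex: fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf reports how many lines matched and which address each yielded. Note what the window shows: the third address fails five times but 25 minutes apart, so with the default findtime of 600 seconds it is never banned. A slow brute-force like that needs a longer findtime (or an OSSEC rule that correlates over hours), not a lower maxretry.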

 

Shared Memory

By default, /dev/shm is mounted read/write, with permission to execute programs. Security mailing lists have repeatedly described attacks in which /dev/shm is used as a staging area against a running service such as httpd: it is world-writable, so an attacker who can make a web application write a file can drop a payload there and run it. Most of these exploits rely on an insecure web application rather than a vulnerability in Apache itself. There are a few reasons for it to stay writable and executable in specific configurations, such as real-time configuration of a Synaptics touchpad on laptops, but a server gains nothing from being able to execute files out of /dev/shm. Mounting it read-only, with this line in /etc/fstab,

tmpfs /dev/shm tmpfs defaults,ro 0 0

is only an option if nothing on the box uses POSIX shared memory: shm_open creates its objects as files in /dev/shm, so a read-only mount breaks every program that relies on it. For a real server the line to use instead keeps it writable but strips execution and setuid:

tmpfs /dev/shm tmpfs defaults,noexec,nosuid,nodev 0 0

Put that in /etc/fstab and apply it without a reboot with sudo mount -o remount /dev/shm. noexec refuses to execute binaries from the mount, nosuid ignores setuid/setgid bits on files there, and nodev ignores device nodes. Two caveats: noexec only stops direct execution, so a script can still be run through its interpreter (sh /dev/shm/x.sh, python /dev/shm/x.py), which is why this is a speed bump rather than a wall; and /tmp and /var/tmp are the same kind of world-writable drop zone and deserve the same options.
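An added example (not from the original post) for checking the result: a shell function that reads the kernel's mount table rather than /etc/fstab, so a line you added but never remounted shows up as missing. It takes a mounts file and a mount point and prints the hardening options absent from that mount. The mount table below is constructed; on a real host pass /proc/mounts. The function name is this example's own, and it checks /tmp the same way, since /tmp is the same kind of drop zone.

```shell
#!/bin/sh
# Added example, not from the original post: report which of noexec, nosuid and
# nodev are missing from a mount point, using the kernel's mount table (what is
# actually in effect) rather than fstab (what you intended). Constructed input;
# on a live host pass /proc/mounts. The function name is this example's own.

# Constructed /proc/mounts: /dev/shm has nosuid,nodev but not noexec; /tmp has all three.
SAMPLE_MOUNTS='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0'

# missing_mount_opts MOUNTS_FILE MOUNTPOINT: print each hardening option missing
# from MOUNTPOINT, one per line, or "not-mounted" if it has no entry.
# Returns 0 when nothing is missing, 1 otherwise. If a mount point appears more
# than once, the last entry wins, which is also the one the kernel shows you.
missing_mount_opts() {
    awk -v mp="$2" '
        $2 == mp { found = 1; opts = "," $4 "," }   # wrap so ",opt," matches whole words
        END {
            if (!found) { print "not-mounted"; exit 1 }
            rc = 0
            n = split("noexec nosuid nodev", want, " ")
            for (i = 1; i <= n; i++)
                if (index(opts, "," want[i] ",") == 0) { print want[i]; rc = 1 }
            exit rc
        }' "$1"
}

# On a live host:
#   missing_mount_opts /proc/mounts /dev/shm && echo "/dev/shm ok"
#   missing_mount_opts /proc/mounts /tmp     && echo "/tmp ok"
```

Run it after the remount, not just after editing fstab; a typo in the fstab line fails silently until the next boot, when it can keep the system from coming up cleanly.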

DoS/DDoS

Stopping a DDoS (distributed denial of service) or DoS (denial of service) attack is no simple task. Frequently these attacks become more than just a nuisance: they completely stall your server's services and keep your users
Here are a few documents I've found useful while dealing with them:
MITIGATING DoS/DDoS ATTACKS USING IPTABLES

(D)DoS Deflate

One caveat that applies to both: rate limits and connection limits in iptables on the host help against a handful of abusive sources, but a volumetric DDoS saturates your network link before the packets ever reach your kernel, so at that scale the filtering has to happen upstream, at your hosting provider or a scrubbing service.

Tips

1) Use strong passwords (and, for SSH, keys instead of passwords, as above).
2) If you are running a web server, install ModSecurity (http://www.modsecurity.org/download/).
3) You can tighten PHP by setting these in php.ini (the path depends on the distro and on whether you run mod_php or php-fpm; php --ini shows which file is loaded):

disable_functions = exec,system,shell_exec,passthru,popen,proc_open
register_globals = Off
expose_php = Off
display_errors = Off
log_errors = On
track_errors = Off
html_errors = Off
magic_quotes_gpc = Off
allow_url_include = Off

This disables the PHP functions that spawn shell commands (the usual route from a code-injection bug to a shell), stops error details and the PHP version leaking to clients while still logging errors server-side, and refuses include() of remote URLs. register_globals and magic_quotes_gpc were removed in PHP 5.4, so on a current PHP those two lines are no-ops; keep them only if you still run 5.3. track_errors is gone since PHP 8.0.
4) Check which ports are open on your system with nmap, run from another host so you see what the firewall actually exposes:

nmap -sV <host/ip>

If an unknown service/port is open, find the process behind it on the server (ss -tlnp, or netstat -tlnp on older systems) and stop it or firewall it.

2 Comments.
  1. toor says:

    Don't forget to enable SELinux enforcing.

  2. Jimmy Hogan says:

    Excellent post. I was continuously checking this blog and I'm impressed! Very helpful info, particularly the last part :) I care for such info a lot. I was seeking this certain information for a long time. Thank you and good luck.
