20 Linux Server Hardening Security Tips

Use iptables to close open ports, or stop all unwanted network services using the update-rc.d and chkconfig commands.

#9.2: See Also
update-rc.d like command on Red Hat Enterprise / CentOS Linux.
Ubuntu / Debian Linux: Services Configuration Tool to Start / Stop System Services.
Get Detailed Information About Particular IP address Connections Using netstat Command.

#10: Delete X Windows
X Windows on a server is not required. There is no reason to run X Windows on your dedicated mail and Apache web server. You can disable and remove X Windows to improve server security and performance. Edit /etc/inittab and set the run level to 3. Finally, remove the X Windows group, enter:
# yum groupremove "X Window System"
#11: Configure Iptables and TCPWrappers
Iptables is a user-space application program that allows you to configure the firewall (Netfilter) provided by the Linux kernel. Also use TCPWrappers, a host-based networking ACL system, to filter network access to the Internet. Use the firewall to filter out traffic and allow only necessary traffic. You can prevent many denial of service attacks with the help of Iptables:
Lighttpd Traffic Shaping: Throttle Connections Per Single IP (Rate Limit).
psad: Linux Detect And Block Port Scan Attacks In Real Time.
How to: Linux Iptables block common attacks.

#12: Linux Kernel /etc/sysctl.conf Hardening
The /etc/sysctl.conf file is used to configure kernel parameters at runtime. Linux reads and applies settings from /etc/sysctl.conf at boot time. Sample /etc/sysctl.conf:
# Turn on execshield
kernel.exec-shield=1
kernel.randomize_va_space=1
# Enable IP spoofing protection
net.ipv4.conf.all.rp_filter=1
# Disable IP source routing
net.ipv4.conf.all.accept_source_route=0
# Ignore broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_messages=1
# Make sure spoofed packets get logged
net.ipv4.conf.all.log_martians = 1
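An added example (not part of the original article) that audits a sysctl-style file against the values above, so drift from the intended settings shows up before the kernel is asked to apply them. It assumes POSIX sh with sed and awk; kernel.exec-shield is skipped because it exists only on older Red Hat kernels, and randomize_va_space is checked against 2, the value that enables full address-space randomization on current kernels.

```shell
#!/bin/sh
# Audit a sysctl configuration file against the hardening values above.
# check_sysctl_file FILE prints one line per key that is missing or set
# to a value other than the expected one, and returns 1 if any such key exists.

# Expected settings (constructed from the sample above). kernel.exec-shield is
# left out because it exists only on older Red Hat kernels; randomize_va_space
# is checked against 2, the value that enables full ASLR on current kernels.
SYSCTL_EXPECTED='kernel.randomize_va_space=2
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_messages=1
net.ipv4.conf.all.log_martians=1'

# sysctl_file_get KEY FILE: print the value of KEY's last assignment in FILE
# (later lines win, as sysctl does); comments and spacing around '=' are ignored.
sysctl_file_get() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]]*=[[:space:]]*/=/' "$2" \
        | awk -F= -v k="$1" '$1 == k { v = $2 } END { print v }'
}

# check_sysctl_file FILE: compare every expected key with what FILE sets.
check_sysctl_file() {
    file=$1
    bad=0
    for pair in $SYSCTL_EXPECTED; do
        key=${pair%%=*}
        want=${pair#*=}
        have=$(sysctl_file_get "$key" "$file")
        if [ -z "$have" ]; then
            echo "MISSING  $key (want $want)"
            bad=1
        elif [ "$have" != "$want" ]; then
            echo "MISMATCH $key=$have (want $want)"
            bad=1
        fi
    done
    return "$bad"
}

# Usage: sh sysctl_audit.sh /etc/sysctl.conf
if [ "$#" -gt 0 ]; then
    check_sysctl_file "$1"
fi
```

The file check complements, rather than replaces, comparing the live values with sysctl -a, since a later file under /etc/sysctl.d/ can override what /etc/sysctl.conf sets.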
#13: Separate Disk Partitions
Separation of the operating system files from user files may result in a better and more secure system. Make sure the following filesystems are mounted on separate partitions:
/usr
/home
/var and /var/tmp
/tmp
Create separate partitions for the Apache and FTP server roots.

Edit the /etc/fstab file and make sure you add the following configuration options:
nodev - Do not allow character or special devices on this partition (prevents use of device files such as zero, sda etc).
noexec - Do not set execution of any binaries on this partition (prevents execution of binaries but allows scripts).
nosuid - Do not set SUID/SGID access on this partition (prevents the setuid bit).
Sample /etc/fstab entry to limit user access on /dev/sda5 (ftp server root directory):
/dev/sda5  /ftpdata  ext3  defaults,nosuid,nodev,noexec  1 2

#13.1: Disk Quotas
Make sure disk quota is enabled for all users. To implement disk quotas, use the following steps:
Enable quotas per file system by modifying the /etc/fstab file.
Remount the file system(s).
Create the quota database files and generate the disk usage table.
Assign quota policies.
See the implementing disk quotas tutorial for further details.
#14: Turn Off IPv6
Internet Protocol version 6 (IPv6) provides a new Internet layer of the TCP/IP protocol suite that replaces Internet Protocol version 4 (IPv4) and provides many benefits. Currently there are no good tools which are able to check a system over the network for IPv6 security issues. Most Linux distros began enabling the IPv6 protocol by default. Crackers can send bad traffic via IPv6 as most admins are not monitoring it.

Unless your network configuration requires it, disable IPv6 or configure the Linux IPv6 firewall:
RedHat / CentOS Disable IPv6 Networking.
Debian / Ubuntu And Other Linux Distros Disable IPv6 Networking.
Linux IPv6 Howto - Chapter 19. Security.
Linux IPv6 Firewall configuration and scripts are available here.

#15: Disable Unwanted SUID and SGID Binaries
Any file with the SUID/SGID bits enabled can be misused when the SUID/SGID executable has a security problem or bug. Any local or remote user can use such a file. It is a good idea to find all such files. Use the find command as follows (the -perm -MODE form is used because modern GNU find no longer accepts +MODE):
# See all set user id files:
find / -perm -4000
# See all set group id files
find / -perm -2000
# Or combine both in a single command
find / \( -perm -4000 -o -perm -2000 \) -print
# Same search, skipping /proc and listing the files in ls -l style (GNU find)
find / -path /proc -prune -o -type f -perm /6000 -ls
You need to investigate each reported file. See the man page of each reported file for further details.

#15.1: World-Writable Files
Anyone can modify a world-writable file, resulting in a security issue. Use the following command to find all world-writable directories that do not have the sticky bit set:
find /dir -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
You need to investigate each reported file and either set the correct user and group permissions or remove it.

#15.2: Noowner Files
Files not owned by any user or group can pose a security problem. Just find them with the following command, which lists files that do not belong to a valid user and a valid group:
find /dir -xdev \( -nouser -o -nogroup \) -print
You need to investigate each reported file and either assign it to an appropriate user and group or remove it.
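An added example, not from the original article, that runs the three find checks from #15, #15.1 and #15.2 over one directory tree and builds a small constructed tree to exercise them. It assumes POSIX sh, find and awk; it uses the -perm -MODE form because modern GNU find rejects the older +MODE spelling, and it needs no root (files with no valid owner would need chown, so the constructed tree has none).

```shell
#!/bin/sh
# Audit a directory tree for the three file classes discussed above:
# setuid/setgid files, world-writable directories without the sticky bit,
# and files with no valid owner or group. The -perm -MODE form ("all of
# these bits") is used because modern GNU find rejects the old +MODE spelling.

# audit_tree DIR: print one "CLASS<TAB>PATH" line per finding, staying on
# DIR's filesystem (-xdev) so /proc, /sys and network mounts are not walked.
audit_tree() {
    dir=$1
    find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print \
        | awk '{ print "SUIDSGID\t" $0 }'
    find "$dir" -xdev -type d -perm -0002 ! -perm -1000 -print \
        | awk '{ print "WORLDWRITABLE\t" $0 }'
    find "$dir" -xdev \( -nouser -o -nogroup \) -print \
        | awk '{ print "NOOWNER\t" $0 }'
}

# count_findings DIR CLASS: number of findings of one class in DIR.
count_findings() {
    audit_tree "$1" | awk -F '\t' -v c="$2" '$1 == c { n++ } END { print n + 0 }'
}

# make_sample_tree DIR: constructed tree with one setuid file, one
# world-writable directory without the sticky bit, and two clean entries.
make_sample_tree() {
    dir=$1
    mkdir -p "$dir/bin" "$dir/drop" "$dir/tmp"
    : > "$dir/bin/helper" && chmod 4755 "$dir/bin/helper"  # setuid: reported
    : > "$dir/bin/ok" && chmod 0755 "$dir/bin/ok"          # plain binary: clean
    chmod 0777 "$dir/drop"   # world-writable, no sticky bit: reported
    chmod 1777 "$dir/tmp"    # sticky bit set, like /tmp: clean
}

# Usage: sh suid_audit.sh /   (or any single mount point)
if [ "$#" -gt 0 ]; then
    audit_tree "$1"
fi
```

Saving the SUIDSGID lines from a freshly installed system gives a baseline; a diff against a later run shows binaries that gained the bit after installation.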

#16: Use A Centralized Authentication Service
A centralized authentication service allows you to maintain central control over Linux / UNIX accounts and authentication data. Without a centralized authentication system, user auth data becomes inconsistent, which may lead to out-of-date credentials and forgotten accounts that should have been deleted in the first place. You can keep auth data synchronized between servers. Do not use the NIS service for centralized authentication. Use OpenLDAP for clients and servers.

#16.1: Kerberos
Kerberos performs authentication as a trusted third-party authentication service by using a cryptographic shared secret, under the assumption that packets traveling along the insecure network can be read, modified, and inserted. Kerberos builds on symmetric-key cryptography and requires a key distribution center. You can make remote login, remote copy, secure inter-system file copying and other high-risk tasks safer and more controllable using Kerberos. So, when users authenticate to network services using Kerberos, unauthorized users attempting to gather passwords by monitoring network traffic are effectively thwarted. See how to set up and use Kerberos.

#17: Logging and Auditing
You need to configure logging and auditing to collect all hacking and cracking attempts. This is also useful to find out software misconfiguration which may open your system to various attacks. By default syslog stores data in the /var/log/ directory. See the following logging related articles:
Linux log file locations.
How to send logs to a remote loghost.
man pages syslogd, syslog.conf and logrotate.
How do I rotate log files?

#17.1: Monitor Suspicious Log Messages With Logwatch / Logcheck
Read your logs using logwatch or logcheck. These tools make your log reading life easier. You get detailed reporting on unusual items in syslog via email.
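An added example, not from the original article, of the kind of check logwatch and logcheck automate: it scans sshd lines from an auth log for sources with repeated failed logins, and for a login accepted from a source that had already failed. It assumes POSIX sh with awk; the log lines are constructed, with a made-up host, PIDs and documentation-range addresses.

```shell
#!/bin/sh
# Scan sshd entries in an auth log for two kinds of unusual items that
# logwatch/logcheck would report: repeated failed logins from one source, and
# a login accepted from a source that had already failed (worth a closer look).

# Constructed sample in the format syslog writes for sshd; host, PIDs and
# addresses are made up (addresses are from documentation ranges).
SAMPLE_AUTH_LOG='Mar  3 10:01:12 web1 sshd[2231]: Failed password for root from 203.0.113.9 port 51044 ssh2
Mar  3 10:01:15 web1 sshd[2231]: Failed password for root from 203.0.113.9 port 51044 ssh2
Mar  3 10:01:19 web1 sshd[2233]: Failed password for invalid user admin from 203.0.113.9 port 51050 ssh2
Mar  3 10:02:02 web1 sshd[2240]: Accepted publickey for deploy from 198.51.100.20 port 40122 ssh2
Mar  3 10:03:41 web1 sshd[2251]: Failed password for invalid user test from 192.0.2.77 port 33012 ssh2
Mar  3 10:04:10 web1 sshd[2260]: Accepted password for root from 203.0.113.9 port 51102 ssh2'

# auth_report FILE THRESHOLD: print one line per finding, sorted.
#   BRUTEFORCE <ip> <n>            n failed logins from <ip>, n >= THRESHOLD
#   SUCCESS-AFTER-FAIL <ip> <user> a login accepted from an <ip> that failed earlier
# Pass "-" as FILE to read standard input. Only the word after "from" is used,
# so both "for root from ..." and "for invalid user X from ..." lines are handled.
auth_report() {
    awk -v limit="$2" '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            fails[ip]++
        }
        /sshd\[[0-9]+\]: Accepted (password|publickey) for / {
            for (i = 1; i <= NF; i++) {
                if ($i == "for") user = $(i + 1)
                if ($i == "from") ip = $(i + 1)
            }
            if (ip in fails) print "SUCCESS-AFTER-FAIL", ip, user
        }
        END { for (ip in fails) if (fails[ip] >= limit) print "BRUTEFORCE", ip, fails[ip] }
    ' "$1" | sort
}

# auth_report_sample THRESHOLD: run the report over the constructed sample.
auth_report_sample() {
    printf '%s\n' "$SAMPLE_AUTH_LOG" | auth_report - "$1"
}

# Usage: sh auth_scan.sh /var/log/auth.log 5   (or /var/log/secure on Red Hat)
if [ "$#" -gt 0 ]; then
    auth_report "$1" "${2:-5}"
fi
```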
