Securing a server checklist? :-) Need help!!

I am trying to secure my server as hard as I can get it without breaking stuff.

Unfortunatly I installed CentOS 5 with the default single partition. Now that does help doesnt it? :frowning:

I have secured /dev/shm with noexec,nosuid

However my /tmp is simply a folder and I am wary of how to make a partition in CentOS5 to allow me to secure /tmp? Anybody have an easy way to do this that pretty risk free?

Ok here goes for the rest of the checklist:

Installed Security:

  • APF Firewall config
  • BFD Brute force detection
  • Secured PHP and put safemode ON
  • Secure apache.conf
  • Disabled all CGIs
  • Disabled telnet
  • remove isdn, bluetooth, samba, cups, finger, etc
  • install nmap to scan ports
  • install a antivirus and run it in cron.weekly
  • Installed chkrootkit and cron
  • Installed rkhunter and cron
  • chmod wget
  • Secured /dev/shm
Security to install or consider:
  • Need to secure /tmp (how? in single partition)
  • Consider mod_security (broke stuff so at the moment, uninstalled)
  • suPHP, would this be worth installing? Whats the quickest way of implementing on a PHP5 centos5 interworx set-up?
  • PortSentry (any opinions?)
  • Bastille (Any one tried it)
Have I missed anything, and can you advise on my points please?

Thank you very much in advance for any help!

I think this is what you were looking for:

Bastille is nice for an Assessment report. I didn’t run it in Interactive mode because I want to be able to make the correct changes myself and know what is being done to the server.

Other points to consider:

  • SSH security (wheel/admin group, ssh session timeouts, alternate port)
  • IDS (snort or tripwire)
  • LES (rfx)
  • LSM (rfx)
  • SSL
  • Possibly Suhosin instead of mod_security
  • Remote backups
  • Run the command: mysql_secure_installation
  • chmod cron folders (not files) to 750, cron.d folder to 700
  • For httpd.conf:
``` Order deny,allow Deny from all

<files ~ “\config.php$”>
Order deny,allow
Deny from all

<li>chmod 700 compilers to root only, the following will find the binaries:</ul>

rpm -q --filesbypkg gcc | grep ‘bin’
rpm -q --filesbypkg gcc-c++ | grep ‘bin’


rm -f /etc/security/console.apps/*

HTH. :)

Can you point to a few how to’s or anything on some of these? With being not exactly a newbie but not really being well into the security side in the past I’ve not had time to look in-depth. I just want to do the best I can to prevent the server from possible attempts.

I made some of those changes above. :slight_smile: Thank you

What exactly did you need more help with? I’d be happy to help.

You can also check out:

What I havent got:
IDS (snort or tripwire)
LES (rfx)
LSM (rfx)
Possibly Suhosin instead of mod_security
chmod cron folders to 750

Are these important additions would you say? And what are the LES and LSM? How good is Suhosin, and how easy is it to install?

Thank you for your help. Much appreciated.

You’ll find LES and LSM here, along with a few others:

Intrusion detection systems (IDS) will take a snapshot of your filesystem and send you an email when anything important changes. These emails usually come after system updates. I just use a security suite from ConfigServer in place of APF and this includes IDS. I think Snort can be setup to be more proactive in security than traditional IDS from what I’ve read about it, but I haven’t used it.

Changing the permissions on the /etc/cron.d; /etc/cron.hourly; /etc/cron.daily; /etc/cron.weekly; /etc/cron.monthly folders is just something I choose to do on my server because I’m the only one messing around with the cron folders. You could just run the following commands for each folder:

chmod 700 /etc/cron.d
chmod 750 /etc/cron.hourly
chmod 750 /etc/cron.daily
chmod 750 /etc/cron.weekly
chmod 750 /etc/cron.monthly

I think Suhosin is a great addition to php security. It has a good amount of configurable settings if it appears to be breaking any scripts, but the default is usually fine. There are 2 choices on the install. You can install it as an extension, which is easier, or you can install it as a patch, which you would need to recompile php with the patch. Just the extension works fine.

Looks pretty good.

LES looks interesting. What does it do in a nutshell and would it be likely to cause problems?

[quote=gareth25;14417]Looks pretty good.

LES looks interesting. What does it do in a nutshell and would it be likely to cause problems?[/quote]

I’ve made an update to the cron folder permissions above. The /etc/cron.d/ folder should be set to 700 and any files in it should be 644 or 640. I had forget about this change in my notes, sorry.

There should be an explanation of LES on the rfx website. Those scripts should all be compatible with InterWorx.

*Need to secure /tmp (how? in single partition)

All I can really suggest is to make sure it is chmod 775 (not 777) which is I believe the default.

Be careful if you intend to reformat and put this in it’s own partition, we recommend a 2gb partition at least if you are going to do that. The reason is that it is used when you import/restore SiteWorx backups.

Your list looks pretty comprehensive, the only other thing I’d add is really not anything you can do physically to the server.

  • Do not give ssh access out to anyone who does not NEED it
    *.Be aware of all of the php scripts on your server and make sure they are kept up to date.