Securing a server checklist? :-) Need help!!

system · September 6, 2007, 9:54pm

I am trying to secure my server as hard as I can get it without breaking stuff.

Unfortunatly I installed CentOS 5 with the default single partition. Now that does help doesnt it?

I have secured /dev/shm with noexec,nosuid

However my /tmp is simply a folder and I am wary of how to make a partition in CentOS5 to allow me to secure /tmp? Anybody have an easy way to do this that pretty risk free?

Ok here goes for the rest of the checklist:

Installed Security:

APF Firewall config
BFD Brute force detection
Secured PHP and put safemode ON
Secure apache.conf
Disabled all CGIs
Disabled telnet
remove isdn, bluetooth, samba, cups, finger, etc
install nmap to scan ports
install a antivirus and run it in cron.weekly
Installed chkrootkit and cron
Installed rkhunter and cron
chmod wget
Secured /dev/shm

Security to install or consider:

Need to secure /tmp (how? in single partition)
Consider mod_security (broke stuff so at the moment, uninstalled)
suPHP, would this be worth installing? Whats the quickest way of implementing on a PHP5 centos5 interworx set-up?
PortSentry (any opinions?)
Bastille (Any one tried it)

Have I missed anything, and can you advise on my points please?

Thank you very much in advance for any help!

Lightfoot · September 9, 2007, 3:02pm

I think this is what you were looking for: http://www.webhostgear.com/34.html

Bastille is nice for an Assessment report. I didn’t run it in Interactive mode because I want to be able to make the correct changes myself and know what is being done to the server.

Other points to consider:

SSH security (wheel/admin group, ssh session timeouts, alternate port)
IDS (snort or tripwire)
LES (rfx)
LSM (rfx)
SSL
Possibly Suhosin instead of mod_security
Remote backups
Run the command: mysql_secure_installation
chmod cron folders (not files) to 750, cron.d folder to 700
For httpd.conf:

``` Order deny,allow Deny from all

<files ~ “\config.php$”>
Order deny,allow
Deny from all

<ul>
<li>chmod 700 compilers to root only, the following will find the binaries:</ul>

rpm -q --filesbypkg gcc | grep ‘bin’
rpm -q --filesbypkg gcc-c++ | grep ‘bin’

<ul>
<li>Possibly...</ul>

rm -f /etc/security/console.apps/*

HTH. :)

system · September 9, 2007, 3:11pm

Can you point to a few how to’s or anything on some of these? With being not exactly a newbie but not really being well into the security side in the past I’ve not had time to look in-depth. I just want to do the best I can to prevent the server from possible attempts.

system · September 9, 2007, 3:11pm

I made some of those changes above. Thank you

Lightfoot · September 9, 2007, 3:18pm

What exactly did you need more help with? I’d be happy to help.

You can also check out: http://www.faqs.org/docs/securing/

system · September 9, 2007, 3:21pm

What I havent got:
IDS (snort or tripwire)
LES (rfx)
LSM (rfx)
Possibly Suhosin instead of mod_security
chmod cron folders to 750

Are these important additions would you say? And what are the LES and LSM? How good is Suhosin, and how easy is it to install?

Thank you for your help. Much appreciated.

Lightfoot · September 9, 2007, 3:42pm

You’ll find LES and LSM here, along with a few others: http://www.rfxnetworks.com/proj.php

Intrusion detection systems (IDS) will take a snapshot of your filesystem and send you an email when anything important changes. These emails usually come after system updates. I just use a security suite from ConfigServer in place of APF and this includes IDS. I think Snort can be setup to be more proactive in security than traditional IDS from what I’ve read about it, but I haven’t used it.

Changing the permissions on the /etc/cron.d; /etc/cron.hourly; /etc/cron.daily; /etc/cron.weekly; /etc/cron.monthly folders is just something I choose to do on my server because I’m the only one messing around with the cron folders. You could just run the following commands for each folder:

chmod 700 /etc/cron.d
chmod 750 /etc/cron.hourly
chmod 750 /etc/cron.daily
chmod 750 /etc/cron.weekly
chmod 750 /etc/cron.monthly

I think Suhosin is a great addition to php security. It has a good amount of configurable settings if it appears to be breaking any scripts, but the default is usually fine. There are 2 choices on the install. You can install it as an extension, which is easier, or you can install it as a patch, which you would need to recompile php with the patch. Just the extension works fine.

system · September 12, 2007, 3:48am

Looks pretty good.

LES looks interesting. What does it do in a nutshell and would it be likely to cause problems?

Lightfoot · September 25, 2007, 5:36am

[quote=gareth25;14417]Looks pretty good.

LES looks interesting. What does it do in a nutshell and would it be likely to cause problems?[/quote]

I’ve made an update to the cron folder permissions above. The /etc/cron.d/ folder should be set to 700 and any files in it should be 644 or 640. I had forget about this change in my notes, sorry.

There should be an explanation of LES on the rfx website. Those scripts should all be compatible with InterWorx.

system · October 27, 2007, 8:53pm

*Need to secure /tmp (how? in single partition)

All I can really suggest is to make sure it is chmod 775 (not 777) which is I believe the default.

Be careful if you intend to reformat and put this in it’s own partition, we recommend a 2gb partition at least if you are going to do that. The reason is that it is used when you import/restore SiteWorx backups.

Your list looks pretty comprehensive, the only other thing I’d add is really not anything you can do physically to the server.

Do not give ssh access out to anyone who does not NEED it
*.Be aware of all of the php scripts on your server and make sure they are kept up to date.