Securing your environment starts during the ordering process, when you are deploying server resources. If you want to deploy a server quickly without putting it behind an extra hardware firewall layer or deploying it with APF (Advanced Policy Firewall), there are a couple of security hardening tips that give it a solid base level of security. I apply them whenever I deploy a Linux system.
Limit physical access and booting capabilities
- Enable BIOS password
- Disable floppy and usb booting
- Set a LILO or GRUB password (/etc/lilo.conf or /boot/grub/menu.lst, respectively)
- Check that the LILO or GRUB configuration file is read-protected (not readable by ordinary users), since it holds the boot password.
Disable Root Login
When you need super-user permissions, use sudo instead of su. sudo is more secure than su: when a user runs root-level commands through sudo, every command is logged by default to /var/log/secure. Furthermore, users must authenticate themselves to run sudo commands, and that authentication is only cached for a short period of time.
Note:
You should Stop Using Root!
Partitioning
- Separate user-writable data, non-system data, and rapidly changing run-time data to their own partitions
- Set nosuid,noexec,nodev mount options in /etc/fstab on ext2 partitions such as /tmp
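The following is an added example, not code from the original post: a small POSIX shell audit that reads an fstab-format file and reports which of the user-writable mount points you name are missing any of nosuid, noexec or nodev. The fstab contents are constructed for the demonstration; on a real host you would pass /etc/fstab instead.

```shell
#!/bin/sh
# Added example (not from the original post): check that user-writable
# mount points carry nosuid, noexec and nodev in an fstab-format file.

# Constructed sample fstab; a real run would use /etc/fstab.
SAMPLE_FSTAB=$(mktemp)
trap 'rm -f "$SAMPLE_FSTAB"' EXIT
cat >"$SAMPLE_FSTAB" <<'EOF'
# <device>   <mount>   <type>  <options>                     <dump> <pass>
/dev/sda1    /         ext3    defaults                      1      1
/dev/sda2    /tmp      ext2    defaults,nosuid,noexec,nodev  1      2
/dev/sda3    /home     ext3    defaults,nodev                1      2
/dev/sda4    /var/tmp  ext2    defaults                      1      2
proc         /proc     proc    defaults                      0      0
EOF

# fstab_missing_opts FILE MOUNTPOINT...
# Prints "MOUNTPOINT missing: opt ..." for each listed mount point whose
# option field lacks any of nosuid/noexec/nodev (or that is not in FILE).
# Returns 0 when every listed mount point is fully hardened, 1 otherwise.
fstab_missing_opts() {
    file=$1; shift
    status=0
    for mp in "$@"; do
        # first non-comment line whose mount-point field matches
        opts=$(awk -v mp="$mp" '$1 !~ /^#/ && $2 == mp { print $4; exit }' "$file")
        if [ -z "$opts" ]; then
            echo "$mp: not found in $file"
            status=1
            continue
        fi
        missing=""
        for o in nosuid noexec nodev; do
            # surround with commas so "nodev" does not match inside "nodevice"
            case ",$opts," in
                *,"$o",*) ;;
                *) missing="$missing $o" ;;
            esac
        done
        if [ -n "$missing" ]; then
            echo "$mp missing:$missing"
            status=1
        fi
    done
    return $status
}

# Usage: audit the mount points the post singles out as user-writable.
fstab_missing_opts "$SAMPLE_FSTAB" /tmp /home /var/tmp \
    || echo "one or more mount points need nosuid/noexec/nodev"
```

Against the constructed sample this reports that /home lacks nosuid and noexec and that /var/tmp lacks all three, while /tmp passes. Remember that editing /etc/fstab only affects the next mount; remount (mount -o remount /tmp) to apply the options to a running system, and test that software which legitimately executes from /tmp (some package installers do) still works.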
Limiting the network access
- Install and configure ssh; in /etc/ssh/sshd_config, set PermitRootLogin no and PermitEmptyPasswords no (other suggestions are noted in the text as well)
- Consider disabling or removing in.telnetd
- Generally, disable gratuitous services in /etc/inetd.conf using update-inetd --disable (or disable inetd altogether, or use a replacement such as xinetd or rlinetd)
- Disable other gratuitous network services; mail, ftp, DNS, www etc. should not be running if you do not need them, and should be monitored regularly if they are.
- For those services which you do need, do not just use the most common programs; look for more secure versions shipped with Debian (or from other sources). Whatever you end up running, make sure you understand the risks.
- Set up chroot jails for outside users and daemons.
- Configure firewall and tcpwrappers (i.e. hosts_access); note trick for /etc/hosts.deny in text
- If you run ftp, set up your ftpd server to always run chrooted to the user's home directory
- If you run X, disable xhost authentication and go with ssh instead; better yet, disable remote X if you can (add -nolisten tcp to the X command line and turn off XDMCP in /etc/X11/xdm/xdm-config by setting the requestPort to 0)
- Disable outside access to printers
- Tunnel any IMAP or POP sessions through SSL or ssh; install stunnel if you want to provide this service to remote mail users
- Set up a loghost and configure other machines to send logs to this host (/etc/syslog.conf)
- Secure BIND, Sendmail, and other complex daemons (run in a chroot jail; run as non-root pseudo-user)
- Install snort or a similar logging tool.
- Do without NIS and RPC if you can (disable portmap).
Password hygiene and login security
- Do not choose passwords shorter than 8 characters. Create complexity with upper- and lower-case letters, special characters and numbers, e.g. Qu4DL1nux*I0
- Enable password shadowing and MD5
- Install and use PAM. Add MD5 support to PAM and make sure that (generally speaking) entries in /etc/pam.d/ files which grant access to the machine have the second field in the pam.d file set to "requisite" or "required".
- Tweak /etc/pam.d/login so as to only permit local root logins.
- Also mark authorized ttys in /etc/security/access.conf and generally set up this file to limit root logins as much as possible.
- Add pam_limits.so if you want to set per-user limits
- Tweak /etc/pam.d/passwd: set minimum length of passwords higher (6 characters maybe) and enable md5
- Add group wheel to /etc/group if desired; add pam_wheel.so group=wheel entry to /etc/pam.d/su
- For custom per-user controls, use pam_listfile.so entries where appropriate
- Have an /etc/pam.d/other file and set it up with tight security
- Set up limits in /etc/security/limits.conf (note that /etc/limits is not used if you are using PAM)
- Tighten up /etc/login.defs; also, if you enabled MD5 and/or PAM, make sure you make the corresponding
Note:
Disable root ftp access in /etc/ftpusers
Disable network root login; use su or sudo.
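To confirm that password shadowing and a salted hashing scheme are actually in effect (the "Enable password shadowing and MD5" item above), here is an added example that is not part of the original post: a POSIX shell audit of a shadow-format file. It reports the hash scheme of every account by its crypt prefix, and flags the two conditions a defender most wants to catch: an empty password field (the account can log in with no password) and a legacy unsalted DES hash with no prefix. The shadow file is constructed for the demonstration; on a real host you would run it as root against /etc/shadow.

```shell
#!/bin/sh
# Added example (not from the original post): classify password hashes in
# a shadow-format file and flag empty or legacy unsalted entries.

# Constructed sample; the hash values are placeholders, not real hashes.
SAMPLE_SHADOW=$(mktemp)
trap 'rm -f "$SAMPLE_SHADOW"' EXIT
cat >"$SAMPLE_SHADOW" <<'EOF'
root:$1$saltsalt$placeholdermd5hashvalue:15000:0:99999:7:::
alice:$6$saltsalt$placeholdersha512hashvalue:15000:0:99999:7:::
bob::15000:0:99999:7:::
legacy:AbCdEfGhIjKlM:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
svc:!:15000:0:99999:7:::
EOF

# shadow_audit FILE
# Prints one line per account that has a usable password, naming the
# hash scheme by its crypt id ($1$ MD5, $5$ SHA-256, $6$ SHA-512,
# $2x$ bcrypt, $y$ yescrypt).  Accounts whose field starts with "*" or
# "!" are locked and skipped.  Returns 1 if any account has an empty
# password field or an unsalted legacy hash, 0 otherwise.
shadow_audit() {
    awk -F: '
        NF < 2 { next }
        {
            user = $1; hash = $2
            if (hash == "") {
                print user ": EMPTY password field (login without a password)"
                bad++; next
            }
            if (hash ~ /^[*!]/) next          # locked / no password login
            if (hash !~ /^\$/) {
                print user ": legacy unsalted DES hash"
                bad++; next
            }
            split(hash, f, "\\$")             # f[2] is the scheme id
            alg = f[2]
            if      (alg == "1")  print user ": MD5-crypt ($1$)"
            else if (alg == "5")  print user ": SHA-256-crypt ($5$)"
            else if (alg == "6")  print user ": SHA-512-crypt ($6$)"
            else if (alg ~ /^2/)  print user ": bcrypt ($" alg "$)"
            else if (alg == "y")  print user ": yescrypt ($y$)"
            else                  print user ": unknown scheme id $" alg "$"
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Usage: on the sample, bob and legacy are flagged; daemon and svc are skipped.
shadow_audit "$SAMPLE_SHADOW" || echo "one or more accounts need attention"
```

If an account shows up without a prefix, running passwd for it (or forcing a change with chage -d 0) rehashes the password under the scheme currently configured in /etc/pam.d and /etc/login.defs; the old hash is never upgraded in place.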
Policy issues
- Educate users about the whys and hows of your policies. When you have prohibited something which is regularly available on other systems, provide documentation which explains how to accomplish similar results using other, more secure means.
- Prohibit use of protocols which use cleartext passwords (telnet, rsh and friends; ftp, imap, http)
- Prohibit programs which use SVGAlib.
- Use disk quotas.
Update Kernel and Software
Ensure your kernel and software patches are up to date. I like to make sure my Linux kernel and software are always up to date because patches are constantly being released with corrected security flaws and exploits. Remember you have access to SoftLayer’s private network for updates and patches, so you don’t have to expose your server to the public network to get updates. Run this with sudo to get updates in RedHat or CentOS: yum update.