
20 Linux Server Hardening Security Tips

Securing your Linux server is important to protect your data, intellectual property, and time from the hands of crackers (hackers). The system administrator is responsible for securing the Linux box. In this first part of a Linux server security series, I will provide 20 hardening tips for a default installation of a Linux system.

Linux Server Hardening Checklist and Tips

The following instructions assume that you are using a CentOS/RHEL or Ubuntu/Debian based Linux distribution.

#1: Encrypt Data Communication

All data transmitted over a network is open to monitoring. Use scp, ssh, rsync, or sftp for file transfer.

#1.1: Avoid Using FTP, Telnet, And Rlogin / Rsh Services

Under most network configurations, user names, passwords, FTP / telnet / rsh commands and transferred files can be captured by anyone on the same network using a packet sniffer.

#2: Minimize Software to Minimize Vulnerability

Do you really need all sorts of web services installed?

#3: One Network Service Per System or VM Instance

Linux Mint vs. Ubuntu: the Best Option?

For the last few years, there has been something of a popularity contest between two well-known Linux distros: Linux Mint and Ubuntu. Both of these distributions share the same code base, as Ubuntu is based on Debian and Linux Mint is based on Ubuntu. In both instances, the distributions took the foundation that Debian built, then added their own flavor to make it more user friendly. When Linux Mint was first being developed, the degree of separation from Ubuntu was very minimal. For this article, I'll tap into my own experiences with both distributions over the years.

Easy isn't a dirty word

All too often, I hear the word "easy" being tossed around as if it's a bad word when describing Linux distributions. Despite the mutual goal of offering an easy to use Linux desktop, I've noticed that Ubuntu and Linux Mint have different approaches as to how they appeal to their users. In recent years, I've actually found the two distributions shift further apart than ever before.

Dragon Research Group (DRG) :: sshpwauth-tac

The Secure Shell (SSH) architecture is a set of protocols and tools based on the ability to enable encrypted remote system login. SSH has largely replaced tools such as TELNET and rsh for most system administrative needs. Most SSH implementations have had good track records, having been responsible for relatively few bugs that lead to widespread anonymous attacks against the protocol or implementation. However, like many systems, SSH is only as safe as its weakest link.

Password Strengths and Weaknesses

It might be argued that any reliance on static usernames and passwords for critical system authentication is prone to failure, particularly at scale. Log failed and successful remote connection events, preferably to a remote syslog server.

SSH Policy and Configuration Options

DenyUsers, AllowUsers, DenyGroups, AllowGroups
These options contain a list of group names or user names, separated by whitespace.

AuthorizedKeysFile
Match
PasswordAuthentication
PermitRootLogin
Port

Monitoring and Alerting

Valve: Linux More Viable Than Windows 8 for Gaming

In a presentation at the Ubuntu Developer Summit currently going on in Denmark, Drew Bliss from Valve said that Linux is becoming a more viable platform as an alternative to Windows 8. Windows 8 ships with its own app store and it is moving away from an open platform model. Some other points from the talk:

- The Steam client is running nicely on Ubuntu and many developers have approached them with good game products.
- Cooperation with Canonical has been good.
- Ubuntu is the preferred platform as it has a large user base and good community support, with a strong company like Canonical behind it.

Drew announced that anyone with a Launchpad account attending UDS will be given Steam access through a beta key. When asked about new Team Fortress 2 hats, he said that some rumors have been circulating but he has no information about it.

CentOS 5 HTTP/HTTPS web server with PHP, database, virtual hosts, & web statistics [httpd+mpm_itk, mod_ssl, mod_php, awstats] | firewing1

This how-to will show you how to configure:

- An Apache 2 web server using virtual hosts
- The ITK MPM, which allows each virtual host to serve requests as its own user/group
- mod_ssl to serve pages over the secure HTTP (HTTPS) protocol
- mod_security to help prevent everything from SQL injections to data leaks
- mod_php for PHP scripts, along with mod_suhosin to help mitigate risks from known and unknown flaws in PHP scripts

Rebuilding httpd for ITK

About privilege separation

By default, the Apache web server runs as the 'apache' user. Privilege separation is a technique that can be used to mitigate the risk of an attack against a shared hosting server.

Rebuild process

Unfortunately, the ITK MPM is not included in the stock httpd distribution. With that done, let's make a few quick modifications to the RPM spec file located at ~/rpmbuild/SPECS/httpd.spec. We will first need to add the ITK patches. In the %build section of the spec file, you will see these lines:

CentOS 5 server setup series: getting started | firewing1

Preface

As of writing, the most recent version of CentOS available is 5.6, so I will be using it as the basis for this how-to. If a newer version is available, I recommend you use that version instead. Most of these instructions should still apply, especially if it is only a newer 5.x release. This series of tutorials will help you set up a shared hosting server using hardened CentOS 5.

Before starting

When writing this tutorial, I assumed that you:

Legal Disclaimer

Please note that this guide is provided on an informal, as-is basis.

Installing CentOS 5

Visit the CentOS project website and download the latest 5.x netinstall ISO image from a nearby mirror. Once you have started the installation process, choose the HTTP install method and enter the URL and path that you noted earlier. For more information on this process, see section 12.11 of the Red Hat Enterprise Linux installation guide, Installing via HTTP.

Repository setup

Note: this command works at the time of writing.

CentOS 5 SSH+SFTP for remote access and secure file transfers [OpenSSH] | firewing1

This how-to will show you how to configure:

- Remote access over SSH via OpenSSH
- Secure, password-less authentication
- Optional: OpenSSH 5.4p1 to restrict shell access and jail users by group
- Secure file transfers over SFTP

Configuring OpenSSH

openssh-server is already installed by default; it just needs to be configured. We will disable root logins as well as all password-based logins in favour of the more secure public key authentication. The following will configure SSH as described above (the directive lines follow each comment; the forwarding directives are as published, the root-login and authentication directives are the standard sshd_config options implementing the comments):

cat << EOF >> /etc/ssh/sshd_config
### Customizations ###
# Some of the settings here duplicate defaults, however this is to ensure that
# if for some reason the defaults change in the future, your server's
# configuration will not be affected.

# Do not allow root to login over SSH.
PermitRootLogin no

# Disable password authentication and enable key authentication.
PasswordAuthentication no
PubkeyAuthentication yes

# Do not allow TCP or X11 forwarding by default.
AllowTcpForwarding no
X11Forwarding no

# Why give such a large window?
EOF

ln -s ../..

Denyhosts

CentOS 5 server setup series: server security & reliability | firewing1

This how-to will not configure any one service in particular, but rather focus on the operating system as a whole in order to improve security and reliability. This how-to will show you how to:

- Configure the GRUB bootloader to gracefully handle kernel panics during boots
- Create, edit & manage custom SELinux policy modules
- Deny access to remote users with too many failed authentication attempts over SSH (Denyhosts), POP3 or IMAP (Fail2ban)
- Improve the password hash strength
- Enable shell timeouts
- ...and much more!

Gracefully recovering from kernel panics: Boot robustness & more

GRUB has two very important features that you can use to make your system more robust in the event of a kernel panic or other boot error: saved default boot entries and fallbacks. The fallback command is extremely handy when installing and testing new kernels. So, how do we get this set up?

cat << EOF > /usr/local/sbin/grub-set-default
#!
fallback=1

CentOS 5 SQL database server [MySQL] | firewing1

This how-to will show you how to configure:

- MySQL as a secure and performant database server
- Create new databases
- Additional MySQL users with restricted privileges

Installing MySQL

yum install mysql mysql-server
chkconfig mysqld on
service mysqld start
iptables -I RH-Firewall-1-INPUT 4 -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
service iptables save
mysql_secure_installation

Adding a new database+user

Execute in MySQL (the `.*` after the database name scopes the grant to every table in that database; without it MySQL treats the name as a table in the currently selected database):

CREATE DATABASE `username_purpose`;
GRANT ALL ON `username_purpose`.* TO 'username'@'localhost' IDENTIFIED BY 'new_password';
FLUSH PRIVILEGES;

The new user will only have privileges on the newly created database. You can choose anything you'd like for username_purpose, username and new_password, but to make maintenance easier, name your database users after the corresponding system user for that site. As well, remember that most of your users will simply need to enter the password once, at installation time of the CMS or other software.
