[sclug] Securing a server

Alex Butcher lug at assursys.co.uk
Mon Sep 5 12:34:19 UTC 2005


On Mon, 5 Sep 2005, Tom Chance wrote:

> I've got a VM and I'm looking into further securing it at the moment. I've got
> the basics - only necessary services running, no root ssh login, permissions
> on files as tight as possible, basic configurations in servers to block
> typical attacks, require encrypted connections, etc.
>
> I've started by looking at mod_security and mod_dosevasive for Apache after
> the server got hit with 60,000 requests in four days by a spammer. I've also
> idly browsed some pages about clever firewall scripts and Intrusion Detection
> Systems.
>
> What would people's recommendations be? Where to start in proactively
> tightening security?

- Configure TCP_WRAPPERS (i.e. hosts.deny/hosts.allow) and/or iptables
(preferably the latter) to only permit SSH from known-safe IP addresses and
ranges.

- Be careful about what server-side code you run (e.g. do some research on
the security track record of any pre-written PHP packages you plan to
install - some are truly awful). If the code is not for general consumption,
use .htaccess to block access from the rest of the Internet.

- Disable all superfluous network services (r-services, CUPS, portmap, NFS,
samba) and restrict access to the minimum set of source addresses for those
that are necessary (restating of rule 1 above)

- Consider configuring SELinux in enforcing mode. Fedora and CentOS/RHEL
include SELinux and a pretty good base configuration, these days.

Beyond those basics:-

- Consider using various unofficial kernel patches (e.g. grsecurity) to
further harden the OS.

- Checksum each file before putting into production and keep the checksums
offline. In the event of suspected compromise, compare checksums.

- Consider using netfilter/iptables and the setgid bit to restrict the type
of connections that binaries can make and accept (e.g. browsers should never
accept incoming FTP connections -
<http://www.google.com/search?sourceid=mozclient&ie=utf-8&oe=utf-8&q=brownorifice>).

> Regards,
> Tom

HTH,
Alex.
-- 
Alex Butcher      Brainbench MVP for Internet Security: www.brainbench.com
Bristol, UK                      Need reliable and secure network systems?
PGP/GnuPG ID:0x271fd950                         <http://www.assursys.com/>