Server Hardening

Server hardening is the process of improving a server's security through a range of configuration changes, service restrictions and monitoring tools, resulting in a much more secure operating environment. The measures put in place during the hardening process are listed below.

  • Disable lame-server logging:

    1. Run the commands:

      service named stop

      nano -w /etc/named.conf
    2. Add these lines at the top. Some servers will already have a logging {} section. If so, simply add these lines inside the existing logging section:

      logging {
          category lame-servers { null; };
      };
    3. Under the options {} section, add these lines below the directory /var/… line:

      allow-transfer { none; };

      version "[null]";

      recursion no;
    4. Restart the named service using the command:

      service named restart

      nano /etc/resolv.conf
    Note

    For BIND, make sure that it is not in a clustered environment or a master/slave setup.

  • Disable direct root login:

    1. Run the commands below. The third command will prompt you for a password:

      groupadd wheelusername

      useradd -g wheelusername wheelusername

      passwd wheelusername
    2. Run the command to add the user to the group:

      nano -w /etc/group

      Find the wheel line and append wheelusername to it.

    3. Run the command:

      nano -w /etc/ssh/sshd_config

      Uncomment the line

      #PermitRootLogin yes

      and change it to the below:

      PermitRootLogin no

      At the end of the file, add the below line:

      AllowUsers wheelusername
  • Change the default SSH port:

    cp /etc/ssh/sshd_config /etc/ssh/sshd_config_backup

    vi /etc/ssh/sshd_config

    Change the port from 22 to any desired port number.

    Restart the SSH service:

    /etc/init.d/sshd restart
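    A check for the two sshd_config edits above (disabling direct root login and changing the port), added here as example code that is not part of the original checklist: it reports the value sshd will actually apply for a keyword. sshd honours the first uncommented occurrence of each keyword, so a PermitRootLogin no appended at the end of the file is ignored if an earlier uncommented PermitRootLogin yes survives; the two sample configurations embedded in the script are constructed.

```shell
#!/bin/sh
# Added example (not part of the original page): check that the sshd_config
# edits took effect. sshd uses the FIRST uncommented value of a keyword, so
# "PermitRootLogin no" appended at the end is silently ignored when an
# earlier line already says "PermitRootLogin yes".
# Usage: sshd_effective FILE KEYWORD

sshd_effective() {
    awk -v kw="$2" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line ~ /^#/ || line == "" { next }
        # sshd also accepts "Keyword=value"; treat the first "=" as a separator.
        { sub(/[ \t]*=[ \t]*/, " ", line); n = split(line, f, /[ \t]+/) }
        tolower(f[1]) == "match" { exit }   # values inside Match blocks are conditional
        tolower(f[1]) == tolower(kw) {
            v = f[2]; for (i = 3; i <= n; i++) v = v " " f[i]
            print v; exit
        }' "$1"
}

# Returns 0 only when root login is off and the AllowUsers allow-list is set.
sshd_root_login_hardened() {
    prl=$(sshd_effective "$1" PermitRootLogin | tr 'A-Z' 'a-z')
    users=$(sshd_effective "$1" AllowUsers)
    [ "$prl" = "no" ] && [ -n "$users" ]
}

# Constructed samples: the common mistake ("no" appended after an earlier "yes")
# and the intended result of the steps above.
BAD_CFG=$(mktemp) GOOD_CFG=$(mktemp)
cat > "$BAD_CFG" <<'EOF'
Port 22
PermitRootLogin yes
#PermitRootLogin no
PermitRootLogin no
EOF
cat > "$GOOD_CFG" <<'EOF'
Port 2222
#PermitRootLogin yes
PermitRootLogin no
AllowUsers wheelusername
EOF
for f in "$BAD_CFG" "$GOOD_CFG"; do
    printf 'Port=%s PermitRootLogin=%s AllowUsers=%s -> ' \
        "$(sshd_effective "$f" Port)" "$(sshd_effective "$f" PermitRootLogin)" \
        "$(sshd_effective "$f" AllowUsers)"
    sshd_root_login_hardened "$f" && echo hardened || echo "NOT hardened"
done
```

    Run it against /etc/ssh/sshd_config before restarting sshd; `sshd -t` will accept a file that still permits root login, so syntax checking alone is not enough.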
  • Tweak the TCP stack (sysctl.conf):

    mv /etc/sysctl.conf /etc/sysctl.conf.bak

    cd /etc

    Place the following content in sysctl.conf:

    # Kernel sysctl configuration file for Red Hat Linux
    #
    # For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
    # sysctl.conf(5) for more details.
    # Disables packet forwarding
    net.ipv4.ip_forward = 0
    # Disables IP source routing
    net.ipv4.conf.all.accept_source_route = 0
    net.ipv4.conf.lo.accept_source_route = 0
    net.ipv4.conf.eth0.accept_source_route = 0
    net.ipv4.conf.default.accept_source_route = 0
    # Enable IP spoofing protection, turn on source route verification
    net.ipv4.conf.all.rp_filter = 1
    net.ipv4.conf.lo.rp_filter = 1
    net.ipv4.conf.eth0.rp_filter = 1
    net.ipv4.conf.default.rp_filter = 1
    # Disable ICMP redirect acceptance
    net.ipv4.conf.all.accept_redirects = 0
    net.ipv4.conf.lo.accept_redirects = 0
    net.ipv4.conf.eth0.accept_redirects = 0
    net.ipv4.conf.default.accept_redirects = 0
    # Log spoofed packets, source routed packets and redirect packets (martians)
    net.ipv4.conf.all.log_martians = 1
    net.ipv4.conf.lo.log_martians = 1
    net.ipv4.conf.eth0.log_martians = 1
    # Disables the magic-sysrq key
    kernel.sysrq = 0
    # Decrease the default value for tcp_fin_timeout
    net.ipv4.tcp_fin_timeout = 15
    # Decrease the default value for tcp_keepalive_time
    net.ipv4.tcp_keepalive_time = 1800
    # Turn off tcp_window_scaling
    net.ipv4.tcp_window_scaling = 0
    # Turn off tcp_sack
    net.ipv4.tcp_sack = 0
    # Turn off tcp_timestamps
    net.ipv4.tcp_timestamps = 0
    # Enable TCP SYN cookie protection
    net.ipv4.tcp_syncookies = 1
    # Ignore ICMP echo requests sent to broadcast addresses
    net.ipv4.icmp_echo_ignore_broadcasts = 1
    # Enable bad error message protection
    net.ipv4.icmp_ignore_bogus_error_responses = 1
    # Increases the size of the socket queue (effectively, q0)
    net.ipv4.tcp_max_syn_backlog = 1024
    # Increase the tcp-time-wait buckets pool size
    net.ipv4.tcp_max_tw_buckets = 1440000
    # Allowed local port range (the upper bound cannot exceed 65535)
    net.ipv4.ip_local_port_range = 16384 65535
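    A drift check for the file above, added here as example code that is not part of the original checklist: it lists every key whose running value no longer matches what sysctl.conf says, which is how you notice that a later package, script or reboot silently undid a setting. It accepts both spellings used in the file, treats a repeated key the way the kernel does (last value wins), and can compare against either the live kernel (after the file has been applied with sysctl -p) or a saved sysctl -a listing; the two sample files embedded in it are constructed.

```shell
#!/bin/sh
# Added example (not part of the original page): report every key in a
# sysctl.conf-style file whose running value differs from the file. Handles
# "key=value" and "key = value", drops comments, applies last-one-wins to
# duplicated keys and squeezes whitespace in multi-field values.
# Usage: sysctl_drift EXPECTED_FILE [ACTUAL_FILE]
#   ACTUAL_FILE is a saved `sysctl -a` listing; without it, sysctl -n is used.

# Normalise a sysctl.conf or sysctl -a listing to one "key=value" line per key.
parse_conf() {
    sed -e 's/#.*//' -e 's/[[:space:]][[:space:]]*/ /g' -e 's/^ //' -e 's/ $//' \
        -e 's/ *= */=/' "$1" |
    awk -F= 'NF >= 2 { if (!($1 in v)) order[++n] = $1; v[$1] = $2 }
             END { for (i = 1; i <= n; i++) print order[i] "=" v[order[i]] }'
}

sysctl_drift() {
    if [ -n "$2" ]; then actual=$(parse_conf "$2"); else actual=; fi
    parse_conf "$1" | while IFS='=' read -r key want; do
        if [ -n "$2" ]; then
            have=$(printf '%s\n' "$actual" | sed -n "s/^$key=//p")
        else
            have=$(sysctl -n "$key" 2>/dev/null | tr -s '[:space:]' ' ' | sed 's/ $//')
        fi
        [ "$have" = "$want" ] ||
            printf 'DRIFT %s: expected [%s] running [%s]\n' "$key" "$want" "${have:-unset}"
    done
}

# Constructed sample input: an excerpt of the file above and a snapshot in which
# forwarding was switched back on and the port range is still the distro default.
EXPECTED=$(mktemp) ACTUAL=$(mktemp)
cat > "$EXPECTED" <<'EOF'
# Disables packet forwarding
net.ipv4.ip_forward=0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.ip_local_port_range = 16384 65535
EOF
cat > "$ACTUAL" <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.ip_local_port_range = 32768   60999
EOF
sysctl_drift "$EXPECTED" "$ACTUAL"
```

    On a real host run `sysctl_drift /etc/sysctl.conf` with no second argument; an empty result means the running kernel matches the file.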

  • Install Rkhunter and set up a weekly cron job:

    cd /root

    wget -O rkhunter-1.3.4.tar.gz http://sourceforge.net/projects/rkhunter-1.3.4.tar.gz/download

    tar -zxf rkhunter-1.3.4.tar.gz

    cd rkhunter*

    ./installer.sh --layout default --install

    cd /etc/cron.weekly

    Create rkhunter.sh with the following content:

    #!/bin/bash
    EMAIL=your@domain.com
    rkhunter -c --sk --summary -q | mail -s "Rkhunter Scan Report - $(hostname)" $EMAIL

    chmod 755 /etc/cron.weekly/rkhunter.sh
  • Install chkrootkit and set up a weekly cron job:

    cd /root/

    wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

    mv chkrootkit.tar.gz /usr/local/src/

    cd /usr/local/src/

    tar -zxf chkrootkit.tar.gz

    cd /usr/local/src/chkrootkit*

    cd /root

    mv /usr/local/src/chkrootkit* /usr/local/chkrootkit

    cd /etc/cron.weekly

    Create a script (for example chkrootkit.sh) with the following content and make it executable with chmod 755, as for rkhunter.sh above:

    #!/bin/bash
    EMAIL=your@domain.com
    /usr/local/chkrootkit/chkrootkit -q | mail -s "chkrootkit Scan Report - $(hostname)" $EMAIL
  • Disable PHP functions that might pose a risk:

    vi /usr/local/lib/php.ini

    disable_functions = symlink,shell_exec,exec,proc_close,proc_open,popen,system,dl,passthru,escapeshellarg,escapeshellcmd,ini_set,phpinfo
  • Install and configure mod_security to prevent web-based attacks:

    cPanel Server

    1. Login to your WHM as root.

    2. Click on EasyApache (Apache Update) under the Software section.

    3. While selecting modules in the Short Options List, select Mod Security.

    4. Select Start customizing based on profile.

    The wizard will now start recompiling Apache. Monitor the screen carefully and note down any error messages that appear. When the build is complete, verify that the PHP pages load correctly.

    Plesk Server

    1. Since Plesk is fully rpm based, you can simply install the mod_security module. Since mod_security is not available in the common rpm repos, use the script below to install the module:

      wget -q -O - http://www.atomicorp.com/installers/atomic.sh | sh

      yum install mod_security
    2. Unlike other Apache module rpm installations, this process does not add a LoadModule line to httpd.conf by default. Edit httpd.conf and add the following lines below the LoadModule section:

      vi /etc/httpd/conf/httpd.conf

      LoadFile /usr/lib/libxml2.so
      LoadModule security2_module modules/mod_security2.so
      Include conf/mod_security.d/*.conf
    3. Create mod_security.d under /etc/httpd/conf/ to download and set up the mod_security rule-set:

      mkdir /etc/httpd/conf/mod_security.d

      cd /etc/httpd/conf/mod_security.d
    4. Download the rule-set from http://www.modsecurity.org/download/ and make sure that you are extracting the file inside the /etc/httpd/conf/mod_security.d directory:

      wget http://www.modsecurity.org/download/modsecurity-core-rules_2.1-1.4.3.tar.gz

      tar zxf modsecurity-core-rules_2.1-1.4.3.tar.gz

      rm -f modsecurity-core-rules_2.1-1.4.3.tar.gz
    5. Restart the web server:

      service httpd restart

    Note

    Rules may block the web application, producing access denied errors. Keep monitoring /etc/httpd/logs/error_log and remove the rules you do not require. If the warning ModSecurity: Rule execution error - PCRE limits exceeded (-8): (null). appears in your error log, it can eat up all your CPU and memory by creating around 100 to 150 MB of RSS memory per pid, and you will see unusually high locale-archive usage (around 60 MB) in pmap. To solve this problem, create the file pcre_modsecurity_exceeded_limits.conf inside the /etc/httpd/conf folder:

    vi /etc/httpd/conf/pcre_modsecurity_exceeded_limits.conf

    Add the below lines:

    SecPcreMatchLimit 150000
    SecPcreMatchLimitRecursion 150000

    Restart Apache and monitor the Apache error logs.

  • Set up a root login alert script:

    vi /root/.bashrc

    Add the following line:

    echo "ALERT - Root Shell Access ($(hostname)) on: $(date) $(who)" | mail -s "Alert: Root Access from $(who | cut -d'(' -f2 | cut -d')' -f1)" you@domain.com
  • Upgrade the kernel:

    Check for a kernel update:

    yum check-update | grep kernel

    If a kernel update is available:

    yum update kernel

    Edit grub.conf so that the default entry points to the newly installed kernel, then reboot the server.

    vi /boot/grub/grub.conf

    After server reboot, check the kernel version by using the command:

    uname -r
  • Configure both local and remote backup.

  • Change the permissions of /bin/ln to 760.

  • Do the basic package updates using yum commands.

    Note

    Exclude packages that might break the server's setup by listing them in the yum.conf file.

  • Scan the complete server and perform the corrective actions needed. Install Maldet if it is not already present on the server:

    mkdir tmp

    cd tmp

    wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

    tar xf maldetect-current.tar.gz && cd maldetect-*

    ./install.sh
  • Temporary directory hardening:

    /bin/cp /etc/fstab /etc/fstab.bak

    Use df to check whether a /tmp partition is already present.

    • If no /tmp partition exists, run the commands:

      cd /usr

      dd if=/dev/zero of=/usr/tmpMnt bs=1024 count=2000000

      mke2fs -j /usr/tmpMnt

      cd /

      cp -R /tmp /tmp_backup

      mount -o loop,noexec,nosuid,rw /usr/tmpMnt /tmp

      chmod 1777 /tmp

      /bin/cp -R /tmp_backup/* /tmp/

      rm -rf /tmp_backup

      nano -w /etc/fstab

      At the end of the file, add the line below so that the loop mount survives a reboot:

      /usr/tmpMnt /tmp ext3 loop,noexec,nosuid,rw 0 0

    • If a /tmp partition exists, edit its entry in /etc/fstab so that its options include noexec,nosuid, then remount it:

      nano -w /etc/fstab

      mount -o remount /tmp

    In both cases, make /var/tmp point to the hardened /tmp:

      rm -rf /var/tmp

      ln -s /tmp /var/tmp
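    An fstab audit for the /tmp hardening above, added here as example code that is not part of the original checklist: it checks whether /tmp has its own fstab entry (the branch you are in) and which of noexec and nosuid its options are missing, matching options as whole comma-separated words so that rw or exec cannot pass for the hardened settings. The two fstab samples embedded in it are constructed.

```shell
#!/bin/sh
# Added example (not part of the original page): audit an fstab for the /tmp
# hardening above. Reports whether /tmp has its own entry and which of the
# noexec/nosuid options are missing, matching options as whole comma-separated
# words so "exec" or "nosuidfoo" cannot pass for "noexec"/"nosuid".
# Usage: tmp_fstab_audit FSTAB_FILE

# Print the options field of the fstab entry for mount point $2 (last entry wins).
fstab_opts() {
    awk -v mp="$2" '!/^[ \t]*#/ && NF >= 4 && $2 == mp { o = $4 } END { print o }' "$1"
}

# Prints one finding per line; returns 0 only when /tmp is fully hardened.
tmp_fstab_audit() {
    opts=$(fstab_opts "$1" /tmp)
    if [ -z "$opts" ]; then
        echo "FAIL /tmp has no fstab entry (create the loop file or partition first)"
        return 1
    fi
    rc=0
    for want in noexec nosuid; do
        case ",$opts," in
            *,"$want",*) echo "OK   /tmp is mounted with $want" ;;
            *) echo "FAIL /tmp is missing $want (options: $opts)"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed samples: a loop-mounted /tmp added without the hardening options,
# and the line the procedure above tells you to add.
FSTAB=$(mktemp) HARDENED=$(mktemp)
cat > "$FSTAB" <<'EOF'
/dev/sda1    /     ext3  defaults  1 1
/usr/tmpMnt  /tmp  ext3  loop,rw   0 0
EOF
cat > "$HARDENED" <<'EOF'
/dev/sda1    /     ext3  defaults                1 1
/usr/tmpMnt  /tmp  ext3  loop,noexec,nosuid,rw  0 0
EOF
for f in "$FSTAB" "$HARDENED"; do
    tmp_fstab_audit "$f" || echo "=> $f needs attention"
done
```

    The audit only reads fstab; after editing, confirm the live mount as well with `mount | grep ' /tmp '`, since a remount that failed leaves the old options in effect.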

  • Disable remote MySQL:

    Check the status of the skip-networking parameter in the MySQL configuration:

    mysql -e "show variables like '%networking%'"

    It is recommended to turn MySQL networking off by enabling this parameter, so that the server does not listen for remote connections.

  • Install a software firewall such as CSF (ConfigServer Firewall) or, for Plesk, Advanced Policy Firewall (APF).