hardening and securing new linux box
Posted by admin - 21/01/11 at 03:01:29 am
Securing your Linux server is important to protect your data from malicious individuals. Here are a few tips that help make a Linux OS secure and hard to break.
1- Upgrade your system to the latest kernel and software stacks using:
# yum update
# yum upgrade
2- Minimize installed software: a fresh installation comes with several software stacks installed and running. Some of the pre-installed software can be totally useless depending on your requirements. List and remove installed packages using:
# yum list installed
# yum list packageName
# yum remove packageName
You can optionally keep the installed package, but stop the running process and remove it from the auto-start scripts, for example:
# /etc/init.d/sendmail stop
# chkconfig sendmail off
# /etc/init.d/yum-updatesd stop
# chkconfig yum-updatesd off
# /etc/init.d/cups stop
# chkconfig cups off
# /etc/init.d/gpm stop
# chkconfig gpm off
# /etc/init.d/crond stop
# chkconfig crond off
3- Use Linux Security Extensions: SELinux enforces mandatory access control on applications and processes, covering their operations on files, sockets, and other processes. This protects the system against flawed applications that could otherwise access the file system.
4- Accounts and passwords:
a- enable password expiration (-M sets the maximum number of days a password stays valid):
# chage -M 9999 userName
b- lock user accounts after failed logins using the faillog command
c- disable root login over SSH by editing sshd_config (set PermitRootLogin no)
5- Configure iptables rules to filter out malicious/unwanted traffic. This could very well reduce the risk of DoS attacks.
6- Harden /etc/sysctl.conf:
# Turn on execshield
kernel.exec-shield=1
# Randomize the address space layout
kernel.randomize_va_space=1
# Enable IP spoofing protection
net.ipv4.conf.all.rp_filter=1
# Disable IP source routing
net.ipv4.conf.all.accept_source_route=0
# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts=1
# Ignore bogus ICMP error responses
net.ipv4.icmp_ignore_bogus_error_responses=1
# Make sure spoofed packets get logged
net.ipv4.conf.all.log_martians=1
7- Permissions set by Linux are irrelevant if an attacker has physical access to your hard disks. In this situation you can protect files and partitions using the following tools:
a- gpg command to symmetrically encrypt/decrypt files.
b- TrueCrypt is a free open source disk encryption software that is easy to use.
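To check a box against the /etc/sysctl.conf settings listed above, the following added example (not part of the original post) parses a sysctl.conf-style file and reports keys that are missing, commented out, misspelled, or set to a different value. The function names and the sample file are constructed; the ICMP key uses the kernel's name, net.ipv4.icmp_ignore_bogus_error_responses.

```shell
# Added example: audit a sysctl.conf-style file; names and sample are constructed.

# Expected key=value pairs, one per line (values as given in the post).
EXPECTED='kernel.exec-shield=1
kernel.randomize_va_space=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.conf.all.log_martians=1'

# lookup_sysctl FILE KEY: print the last value set for KEY; skips comment lines, trims spaces.
lookup_sysctl() {
    awk -F= -v key="$2" '
        /^[ \t]*[#;]/ { next }
        { k = $1; v = $2; gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
          if (k == key) val = v }
        END { if (val != "") print val }' "$1"
}

# audit_sysctl FILE: one line per expected key; exit status = number of missing or wrong keys.
audit_sysctl() {
    failures=0
    for pair in $EXPECTED; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(lookup_sysctl "$1" "$key")
        if [ -z "$got" ]; then
            echo "MISSING  $key (want $want)"; failures=$((failures + 1))
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $key=$got (want $want)"; failures=$((failures + 1))
        else
            echo "OK       $key=$got"
        fi
    done
    return "$failures"
}

# Constructed sample: one commented-out key, one unsafe value, one misspelled key.
SAMPLE=$(mktemp); trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
kernel.exec-shield=1
kernel.randomize_va_space=1
# net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_source_route = 1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_messages=1
net.ipv4.conf.all.log_martians = 1
EOF
audit_sysctl "$SAMPLE" || echo "$? setting(s) need attention"
```

On a live system, run audit_sysctl /etc/sysctl.conf and confirm the active value of each key with sysctl -n.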