HSC
 

Hardening Linux

Hardening an OS is a task that can never be finished. We will try to provide here a couple of important directions and hints that can in general be used for any UNIX-like operating system (well, hopefully).

Note, however, that we cannot be held responsible for any problems or serious damage your system may suffer from following these hints. The following text tends to be rather paranoid, and you'll find a lot of the hints simply too much. Consider yourself disclaimed.

Distribution

Choosing the right distribution is the first step in securing your server. Either use a normal desktop-centric distro and go through all the steps manually or start with a security-enhanced package.
I recommend starting with osix.org.

Services

  • Check your inetd.conf. Eliminate any service you do not need.
  • Use tcp-wrappers for services that do not bring their own access control mechanisms.
  • Run netstat -an and check the output. This will give you hints about tcp/udp daemons that are not started via inetd but by startup scripts (e.g. in /etc/rc.d...).
  • Run lsof (list of open files) and go through its output.

Remote Access

  • Kill telnet! (Run a fake daemon instead that logs every telnet attempt to your machine.)
  • Use ssh with strong encryption and RSA-based authentication
  • Use IPSec for encrypted tunnels to hosts and networks

Webserver

  • Use SSL (https) for administration pages
  • Change the ID-line of your server (e.g. "HTTP-Deamon/1.34")
  • Check your robots.txt file. Does it provide information to outsiders that can be abused?
  • Change all suffixes of cgi-scripts or any other server scripts to something unsuspicious. (This needs changes in your webserver's configuration files)
  • Do not use hidden fields in forms to save important information about prices/session/etc.
  • Do sanity checks for input provided by the user (e.g. form values).
  • chroot the webserver

DNS

  • Use a recent version of bind
  • Prevent zone transfers to unauthorized hosts
  • chroot your dns server
  • Do not use the HINFO fields

Mailserver

  • Do not use sendmail unless you must (use qmail or postfix instead)
  • Take measures against spammers (prevent unauthorized relaying)
  • Consider using a simple SMTP daemon on your firewall that acts as your mail gateway and relays to your internal mailserver, if the rules allow it.
  • chroot your mailserver

FTP

  • Do not use ftp, use scp instead.
  • Never allow a regular user to log in with ftp; only allow anonymous ftp if you must run ftp at all.
  • chroot your ftp-server

Filesystem

  • Do not allow more suid-programs than you really need (search for them with find!)
  • Check the PATH environment variable: no "."!!
  • Run a tool like tripwire (with an offline database, of course) to detect altered binaries that may contain trojan horses. (Also check important configuration files, e.g. sshd_config, on a regular basis.)
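
The first two checks in this list, as an added shell example (not part of the original page): it flags PATH entries that resolve to the current directory, including the empty entries left by a leading, trailing or doubled colon, and lists SUID/SGID files that are missing from a reviewed baseline. The function names, the baseline file and its path are assumptions of this example.

```sh
#!/bin/sh
# Added example; function names and the baseline file are assumptions.

# path_unsafe_entries PATHSTRING
# Prints each entry that makes the shell search the current directory and
# returns 1 if any exist: ".", other relative paths, and empty entries
# (a leading, trailing or doubled colon is treated as ".").
path_unsafe_entries() {
    p="$1:"        # extra colon so a trailing empty entry is still visited
    bad=0
    while [ -n "$p" ]; do
        entry=${p%%:*}
        p=${p#*:}
        case $entry in
            '') echo "empty entry (current directory)"; bad=1 ;;
            /*) ;;                                  # absolute path: fine
            *)  echo "relative entry: $entry"; bad=1 ;;
        esac
    done
    return "$bad"
}

# list_setid DIR: every SUID or SGID regular file under DIR, same filesystem.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# new_setid DIR BASELINE: set-id files under DIR that are not in BASELINE
# (one reviewed path per line). Keep BASELINE on read-only or offline media.
new_setid() {
    [ -r "$2" ] || { echo "baseline not readable: $2" >&2; return 2; }
    list_setid "$1" | grep -Fxv -f "$2" || :
}

# Constructed sample PATH: "." in the middle and a trailing colon.
path_unsafe_entries "/usr/local/bin:.:/usr/bin:" || echo "PATH needs fixing"
# Typical use as root (hypothetical baseline path):
#   new_setid / /mnt/offline/setid.baseline
```

Every line that new_setid prints is a set-id program nobody has reviewed yet: either remove the bit or add the path to the baseline after checking it.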

Security Scanner

Regularly run a security scanner, e.g. nessus.

Last Modified: 20.01.2008 17:18 | Copyright © 2003-2024 by tor.ch