```
# yum erase inetd xinetd ypserv tftp-server telnet-server rsh-serve
```

2. Minimise Software to Minimise Vulnerability: If you are one of those who wants to install all sorts of web services, you need to avoid installing unnecessary software to avoid vulnerabilities. Use the package manager (yum, or apt-get and/or dpkg) to review the full set of software packages installed on a system, and delete all unwanted packages.

```
# yum list installed
# yum list packageName
# yum remove packageName
```

OR

```
# dpkg --list
# dpkg --info packageName
# apt-get remove packageName
```

3. One Network Service Per System or VM Instance: Run different network services on separate servers or VM instances, limiting the number of other services that can be compromised.

4. Keep Linux Kernel and Software Up to Date: Make sure you apply all security patches. Linux provides all the necessary tools to keep your system updated; all security updates should be reviewed and applied as soon as possible.

5. Use Linux Security Extensions: If possible, use SELinux and other Linux security extensions to enforce limitations on network and other programs. For example, SELinux provides a variety of security policies for the Linux kernel.

6. User Accounts and Strong Password Policy: Use useradd / usermod for the creation and maintenance of user accounts. Also ensure that you have a good password policy in place. Most importantly, you need to pick a password you can remember. The chage command changes the number of days between password changes and the date of the last password change. This information is used by the system to determine when a user must change his/her password. The /etc/login.defs file defines the site-specific configuration for the shadow password suite, including password aging configuration.

To disable password aging, enter:

```
chage -M 99999 userName
```

To get password expiration information, enter:

```
chage -l userName
```

Finally, you can also edit the /etc/shadow file, whose fields are:

```
{userName}:{password}:{lastpasswdchanged}:{Minimum_days}:{Maximum_days}:{Warn}:{Inactive}:{Expire}:
```

7. Disable root Login: Never make the mistake of logging in as the root user. Use sudo to execute root-level commands as and when required.

8. Physical Server Security: Protecting physical console access to Linux servers is of paramount importance. Configure the BIOS to disable booting from external devices such as DVDs / CDs / USB pens, and set BIOS and GRUB boot loader passwords to protect these settings.

9. Disable Unwanted Services: Disable all unnecessary services and daemons (services that run in the background), and remove them from system start-up. Type the following command to list all services that are started at boot time in run level 3:

```
# chkconfig --list | grep '3:on'
```

To disable a service, enter:

```
# service serviceName stop
# chkconfig serviceName off
```

10. Delete X Windows: X Windows isn't a requirement on a server; there is no reason to run it on your dedicated mail or Apache web server. The service can be disabled altogether or removed to improve server security and performance. Edit /etc/inittab and set the run level to 3. Finally, to remove the X Window System, enter:

```
# yum groupremove "X Window System"
```

11. Configure Iptables and TCPWrappers: Iptables is a user-space application that allows you to configure the firewall (Netfilter) provided by the Linux kernel. Use the firewall to filter out traffic and allow only necessary traffic. Also use TCP Wrappers, a host-based networking ACL system, to filter network access to Internet services. You can prevent many denial-of-service attacks with the help of Iptables.

12. Linux Kernel /etc/sysctl.conf Hardening: The /etc/sysctl.conf file is used to configure kernel parameters at runtime; Linux reads and applies its settings at boot time. Sample /etc/sysctl.conf:

```
# Turn on execshield
kernel.exec-shield=1
kernel.randomize_va_space=1
# Enable IP spoofing protection
net.ipv4.conf.all.rp_filter=1
# Disable IP source routing
net.ipv4.conf.all.accept_source_route=0
# Ignore broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_messages=1
# Make sure spoofed packets get logged
net.ipv4.conf.all.log_martians = 1
```

13. Separate Disk Partitions: Separating operating system files from user files may result in a better and more secure system. Make sure the following filesystems are mounted on separate partitions: /usr, /home, /var and /var/tmp, /tmp.

14. Turn Off IPv6: IPv6 gives users a new Internet layer of the TCP/IP protocol suite that replaces Internet Protocol version 4 (IPv4) and provides many benefits. Currently there are no good tools out which are able to check a system over the network for IPv6 security issues.

15. Disable Unwanted SUID and SGID Binaries: Any file with the SUID/SGID bit set can be misused when the SUID/SGID executable has a security problem or bug, and any local or remote user can use such a file. It is a good idea to find all such files. Use the find command as follows:

```
# See all set-user-id files
find / -perm +4000
# See all set-group-id files
find / -perm +2000
# Or combine both in a single command
find / \( -perm -4000 -o -perm -2000 \) -print
# Note: current GNU findutils no longer accept the "+mode" form; use "-perm /4000" etc. instead
# The original omitted the argument to -path; replace the placeholder with the directory to skip
find / -path /PATH_TO_SKIP -prune -o -type f -perm +6000 -ls
```
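As an added example that is not part of the original article, the following script audits the password-aging fields of a shadow-format file using the field layout given in item 6: it flags accounts with an empty password hash, accounts whose aging is disabled (the 99999 value that chage -M 99999 sets), and accounts whose Maximum_days exceeds an assumed site limit of 90 days. The sample shadow lines are constructed, so it runs without root; pointed at /etc/shadow it audits a real host.

```shell
#!/bin/sh
# Added example, not from the original article: audit the password-aging fields
# of a shadow-format file using the field layout given in item 6.
# It flags accounts with an empty password hash, accounts whose aging is
# disabled (Maximum_days empty or 99999, the value "chage -M 99999" sets),
# and accounts whose Maximum_days exceeds a site limit. Constructed sample
# data is used so it runs without root; point it at /etc/shadow to audit a host.

# Print one line per account that fails the policy.
#   $1 = path to a shadow-format file
#   $2 = largest acceptable Maximum_days (assumed site limit, default 90)
shadow_aging_report() {
    file=$1
    max_days=${2:-90}
    awk -F: -v max="$max_days" '
        # Locked or disabled accounts (hash starting with "!" or "*") cannot log in: skip
        $2 ~ /^[!*]/ { next }
        # Empty hash means the account can log in with no password at all
        $2 == "" { print $1 ": empty password"; next }
        # Field 5 is Maximum_days; empty or 99999 means aging is disabled
        $5 == "" || $5 == 99999 { print $1 ": password aging disabled"; next }
        $5 > max { print $1 ": Maximum_days " $5 " exceeds " max }
    ' "$file"
}

# Number of failing accounts, for use in scripts (0 means the file passes).
shadow_aging_failures() {
    shadow_aging_report "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample in /etc/shadow layout (hashes are placeholders):
# {userName}:{password}:{lastpasswdchanged}:{Minimum_days}:{Maximum_days}:{Warn}:{Inactive}:{Expire}:
SAMPLE_SHADOW=$(mktemp)
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$placeholder$AAAAAAAA:19000:0:99999:7:::
alice:$6$placeholder$BBBBBBBB:19000:0:90:7:::
bob::19000:0:90:7:::
svc:!!:19000:0:99999:7:::
carol:$6$placeholder$CCCCCCCC:19000:7:365:14:::
EOF

shadow_aging_report "$SAMPLE_SHADOW"
# Expected: root (aging disabled), bob (empty password), carol (365 exceeds 90)
```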
Source: Keep Your Linux Server Secure With 15 Easy Ways