Hello friends and neighbors. This post, as it turns out, is the follow-up to our groundbreaking, skybreaking article on server hardening; it also is the prequel to our final post on Windows server hardening. This post, the meat of the sandwich (ham, in this case), is on how to harden Linux servers.
Server hardening is a simple concept, and it's crucial to initiate if you want safety for your website. Essentially, similarly to the experience of an end-user on a client machine, when you use a server, the systems are not built (in their default settings) for high-end security. They're built, rather, for features. In essence, the Internet is optimized for usability/freedom over administration/security. Securing a system, then, is a matter of revoking freedoms or modifying expectations in order to ensure a secure experience for the system and for all users.
We aren't only concerned with Windows and Linux servers though. Actually, the NSA Datamine server is one of the most secure options out there. Everyone is thrilled by this server. It's been called "bootserverlicious" by P. Diddy and "P.-Diddy-riffic" by a worldwide consortium of boot servers.
To get a sense of server hardening on any of the major OSs, we are looking at three sources: "Host Hardening," by Cybernet Security; "25 Hardening Security Tips for Linux Servers," by Ravi Saive for TecMint.com (good info, though the language is a little rough); and "Baseline Server Hardening," by Microsoft's TechNet. Each of these posts broadens our horizons and is lactose- and gluten-free so that it doesn't distract from the extra-cheese, thick-crust pizza we're inhaling.
How to Harden Your Linux Server without Having to Think
No one ever wants to have to think. Let's not do it, then. Let's refuse to think, and just feel our way to a hardened server. Don't call me "baby," though, please, because that's disrespectful, sugar. Anyway, the Linux server: here are approaches you can use specific to that OS.
1. Non-Virtual Worlds: Go into BIOS. Disallow any boot operations from outside entities: DVD drive or anything else that's connected to the server. You should also have a password set up for BIOS. GRUB should be password-enabled as well. Your password should be "moonsovermyhammy123987"; I recommend tattooing it on your lower back for safekeeping.
2. Partitioning as a Standard: Think (no, don't!) of how a virtual environment or virtual server is constructed. Division into smaller parts is an essential security concept. Any additional pieces of the system will require their own security parameters and challenges. That means you want a streamlined system, of course, like a digestive tract without all the intestines and stuff; but it also means you want everything divided into disparate sections. Any app from an outside source should be installed via options as follows:
3. Packet Policies: Along the same line, you don't want anything unnecessary. That's the case with anything you're doing online. Let's face it: the web is essentially insecure. It's like a dinosaur with a new outfit that she's afraid to show off to her other dinosaur friends ... sort of.
Here's the command to check which services start at boot in runlevel 3:
# /sbin/chkconfig --list | grep '3:on'
And here's the command to disable one:
# chkconfig serviceName off
Finally, you want to use yum, apt-get, or a similar package manager to show you what's installed on the system; that way you can get rid of whatever you don't need. Here are the removal commands for those two package managers:
# yum -y remove package-name
# sudo apt-get remove package-name
4. Netstat Protocol: Using the command line netstat, you see what ports are being used and what services are accessible through them. Once you've done that, use chkconfig to turn off anything that's not serving a reasonable function, such as a service that's just counting over and over again to a billion but won't tell you why. See below and this netstat-geared article for more specifics.
# netstat -tulpn
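A small reader for that output, added here as an example (it is not from the post or from the articles it cites): it runs over a constructed `netstat -tulpn` sample and picks out the listening sockets bound to every interface, since those are the ones worth a second look before you chkconfig them off or firewall them.

```shell
#!/bin/sh
# Constructed sample of `netstat -tulpn` output (not captured from any real
# host), used to show what to look at: which sockets listen on all
# interfaces, and which program owns each one.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      901/master
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      455/rpcbind
tcp6       0      0 :::80                   :::*                    LISTEN      1203/httpd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           530/dhclient
'

# Read netstat text on stdin; print "proto port bind program" per listening
# socket. bind is "all" for 0.0.0.0 / :: and "local" for anything else.
listening_sockets() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ {
            n = split($4, a, ":"); port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            bind = (addr == "0.0.0.0" || addr == "::") ? "all" : "local"
            prog = $NF; sub(/^[0-9]+\//, "", prog)   # strip the PID/ prefix
            print $1, port, bind, prog
        }'
}

# Programs reachable from outside the box: the review list for step 3/4.
# $1 = netstat output; prints the program names sorted, space separated.
exposed_services() {
    printf '%s\n' "$1" | listening_sockets | awk '$3 == "all" { print $4 }' \
        | sort -u | paste -sd ' ' -
}

printf '%s\n' "$SAMPLE_NETSTAT" | listening_sockets
echo "exposed: $(exposed_services "$SAMPLE_NETSTAT")"
```

On a live box, replace the sample with `netstat -tulpn | listening_sockets` (or `ss -tulpn`, whose columns differ slightly); the postfix `master` bound to 127.0.0.1 is the shape you want for anything that only needs local access.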
5. SSH: You want to use secure shell (SSH), but you also want it configured properly to maximize your security. SSH is the secure, cryptographic replacement for telnet, rlogin, and other earlier protocols that sent all data (passwords included) as "plain text" (no "scramble" prior to transfer, basically).
You typically don't want to communicate via SSH as the root user. Instead, log in as a regular account and use sudo for the commands that need root. See /etc/sudoers for specifics; edit it with visudo, which opens the file in the vi editor and checks your syntax before saving.
Finally, switch the port for SSH from 22 to a larger number, and change the settings so that it's not possible for all account holders to tunnel in through Secure Shell. Here are the file and three specific adjustments:
# vi /etc/ssh/sshd_config
- PermitRootLogin no
- AllowUsers username
- Protocol 2
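A checker for those adjustments, added here as an example (not from the post or the cited articles): it reads two constructed sshd_config samples, one stock-looking and one after the edits above, and reports which of the four settings (the port change and the three directives) are still wrong. The only thing it assumes about sshd is that the first uncommented occurrence of a keyword is the one that counts, which is how sshd reads the file.

```shell
#!/bin/sh
# Two constructed samples standing in for /etc/ssh/sshd_config; neither is
# copied from a real host.
WEAK_SSHD_CONFIG='# constructed sample: before the edits
Port 22
#PermitRootLogin no
PermitRootLogin yes
Protocol 2,1
'
HARDENED_SSHD_CONFIG='# constructed sample: after the edits
Port 2222
PermitRootLogin no
AllowUsers alice bob
Protocol 2
'

# $1 = keyword, config text on stdin. Prints the value of the first
# uncommented occurrence (sshd semantics); prints nothing if unset.
sshd_value() {
    awk -v key="$1" 'tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# $1 = config text. One line per check: "ok <setting>" or "FAIL <setting>: why".
audit_sshd_config() {
    cfg="$1"
    port=$(printf '%s\n' "$cfg" | sshd_value Port)
    root=$(printf '%s\n' "$cfg" | sshd_value PermitRootLogin)
    users=$(printf '%s\n' "$cfg" | sshd_value AllowUsers)
    proto=$(printf '%s\n' "$cfg" | sshd_value Protocol)
    # An unset Port means the default, 22.
    case "${port:-22}" in
        22) echo "FAIL Port: still on the default port 22" ;;
        *)  echo "ok Port ($port)" ;;
    esac
    case "$root" in
        no) echo "ok PermitRootLogin" ;;
        *)  echo "FAIL PermitRootLogin: is '${root:-unset}', want 'no'" ;;
    esac
    if [ -n "$users" ]; then echo "ok AllowUsers ($users)"
    else echo "FAIL AllowUsers: not set, so every account may log in over SSH"; fi
    # Protocol unset is fine on modern OpenSSH, which only speaks protocol 2;
    # any list that still includes 1 is the problem.
    case ",$proto," in
        *,1,*) echo "FAIL Protocol: protocol 1 still allowed ($proto)" ;;
        *)     echo "ok Protocol (${proto:-unset, protocol 2 only})" ;;
    esac
}

# $1 = config text. Prints the number of failed checks (0 when all pass).
sshd_failures() {
    audit_sshd_config "$1" | grep -c '^FAIL' || true
}

audit_sshd_config "$WEAK_SSHD_CONFIG"
```

Run it against the real file with `audit_sshd_config "$(cat /etc/ssh/sshd_config)"`, and keep a second SSH session open while you change the port or AllowUsers so a typo doesn't lock you out.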
Conclusion & Continuation
All right. Basic explication: Done. Linux: Done (well, it's significantly more complex than discussed above; see here for further details). Windows: Next.
By Kent Roberts