Kernel Configuration: Linux Server Hosting Security

Use Linux firewall rules to protect against attacks. (ipchains: kernel 2.6, 2.4 or iptables: kernel 2.2) Access denial rules can also be implemented on the fly by portsentry.
(Place at the end of /etc/rc.d/rc.local to be executed upon system boot, or some other appropriate script)

  • iptables script:
    # Allow loopback access. This rule must come before the rules denying port access!!
    iptables -A INPUT -i lo -p all -j ACCEPT         - This rule is essential if you want your own computer
    iptables -A OUTPUT -o lo -p all -j ACCEPT          to be able to access itself through the loopback interface

    iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 2049 -j DROP       - Block NFS
    iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 2049 -j DROP       - Block NFS
    iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 6000:6009 -j DROP  - Block X-Windows
    iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 7100 -j DROP       - Block X-Windows font server
    iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 515 -j DROP        - Block printer port
    iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 515 -j DROP        - Block printer port
    iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 111 -j DROP        - Block Sun rpc/NFS
    iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 111 -j DROP        - Block Sun rpc/NFS
    iptables -A INPUT -p all -s localhost  -i eth0 -j DROP            - Deny outside packets from internet which
                                                                        claim to be from your loopback interface.

  • ipchains script:
    # The equivalent loopback accept rules must also come first here, before the rules denying port access.
    ipchains -A input -p tcp -s 0/0 -d 0/0 2049 -y -j REJECT       - Block NFS
    ipchains -A input -p udp -s 0/0 -d 0/0 2049 -j REJECT          - Block NFS
    ipchains -A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j REJECT  - Block X-Windows
    ipchains -A input -p tcp -s 0/0 -d 0/0 7100 -y -j REJECT       - Block X-Windows font server
    ipchains -A input -p tcp -s 0/0 -d 0/0 515 -y -j REJECT        - Block printer port
    ipchains -A input -p udp -s 0/0 -d 0/0 515 -j REJECT           - Block printer port
    ipchains -A input -p tcp -s 0/0 -d 0/0 111 -y -j REJECT        - Block Sun rpc/NFS
    ipchains -A input -p udp -s 0/0 -d 0/0 111 -j REJECT           - Block Sun rpc/NFS
    ipchains -A input -j REJECT -p all -s localhost  -i eth0 -l    - Deny and log ("-l") outside packets from internet
                                                                     which claim to be from your loopback interface.


Note:

  • iptables uses the chain rule “INPUT” and ipchains uses the lower case descriptor “input”.
  • View rules with iptables -L or ipchains -L command.
  • iptables man page
  • When running an internet web server it is best, from a security point of view, NOT to run printing, X-Window, NFS or any other services which may be exploited if a vulnerability is discovered or if they are misconfigured, regardless of firewall rules.
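The iptables rules above as one script, added here as an example rather than taken from the tutorial: the loopback ACCEPT rules come first, the blocked ports live in a single list, and DRY_RUN=1 prints the commands for review instead of applying them. IPT and EXT_IF are assumptions, and the spoof rule drops the whole 127.0.0.0/8 range rather than only localhost.

```shell
#!/bin/sh
# Added example, not from the tutorial: the iptables rules above as one script.
# Loopback ACCEPT rules go first, the blocked ports live in one list, and
# DRY_RUN=1 prints the commands instead of running them so they can be reviewed.
# IPT and EXT_IF are assumptions; adjust them for the host.
IPT=${IPT:-/sbin/iptables}
EXT_IF=${EXT_IF:-eth0}

# Internet-facing ports to drop, as "proto:port" or "proto:first:last".
BLOCKED="tcp:2049 udp:2049 tcp:6000:6009 tcp:7100 tcp:515 udp:515 tcp:111 udp:111"

# Print or execute one iptables command depending on DRY_RUN.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

apply_rules() {
    # Loopback first: the DROP rules below must not cut the host off from itself.
    run -A INPUT -i lo -p all -j ACCEPT
    run -A OUTPUT -o lo -p all -j ACCEPT
    # A packet arriving on the external interface with a loopback source is spoofed;
    # 127.0.0.0/8 covers the whole loopback range, not just 127.0.0.1 ("localhost").
    run -A INPUT -i "$EXT_IF" -s 127.0.0.0/8 -j DROP
    for entry in $BLOCKED; do
        proto=${entry%%:*}   # text before the first colon
        port=${entry#*:}     # everything after it, e.g. 6000:6009
        run -A INPUT -i "$EXT_IF" -p "$proto" --dport "$port" -j DROP
    done
}

# Review first:   DRY_RUN=1 sh firewall.sh apply
# Then, as root:  sh firewall.sh apply
if [ "${1:-}" = apply ]; then
    apply_rules
fi
```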

xinetd : Linux Server Hosting Security

It is best for security reasons that you reduce the number of inetd network services exposed. The more services exposed, the greater your vulnerability. Reduce the number of network services accessible through the xinetd or inetd daemon by:

  • inetd: (Red Hat 7.0 and earlier) Comment out un-needed services in the /etc/inetd.conf file.
    Sample: (FTP is the only service I run)

        ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
    

    Restart the daemon to apply changes: /etc/rc.d/init.d/inetd restart

  • xinetd: (Red Hat 7.1 and later) All network services are turned off by default during an upgrade. Sample file: /etc/xinetd.d/wu-ftpd:
    service ftp
    {
         disable = yes          - Default is off. This line controls xinetd service (enabled or not)
         socket_type             = stream
         wait                    = no
         user                    = root
         server                  = /usr/sbin/in.ftpd
         server_args             = -l -a
         log_on_success          += DURATION USERID
         log_on_failure          += USERID
         nice                    = 10
    }
    

    Turning on/off an xinetd service:

    • Edit the file: /etc/xinetd.d/service-name
      Changing the line to “disable = yes” turns off an xinetd service.
      Changing the line to “disable = no” turns on an xinetd service.
      Xinetd configuration must be performed for each and every file in the directory /etc/xinetd.d/ in order to configure each and every network service.
      Restart the daemon to apply changes: /etc/rc.d/init.d/xinetd restart
    • You may also use the command:
      chkconfig wu-ftpd on
      OR
      chkconfig wu-ftpd off

      This will edit the appropriate file (/etc/xinetd.d/wu-ftpd) and restart the xinetd process.

    Tip:

    • List init settings including all xinetd controlled services: chkconfig --list
    • List status of services (Red Hat/Fedora Core based systems): service --status-all
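Because every file in /etc/xinetd.d/ must be checked, an audit helper is handy. This added example (not part of the tutorial) lists the services whose config file does not say “disable = yes”; it treats a missing disable line as enabled, which is how xinetd reads it. The directory argument is an assumption so the function can be run against a copy.

```shell
#!/bin/sh
# Added example, not from the tutorial: report xinetd services still enabled.
# Usage: xinetd_enabled [DIR]   (DIR defaults to /etc/xinetd.d)
xinetd_enabled() {
    dir=${1:-/etc/xinetd.d}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Strip comments, pick up the service name and the value of "disable".
        awk '
            { sub(/#.*/, "") }
            /^[ \t]*service[ \t]+/ { name = $2 }
            /^[ \t]*disable[ \t]*=/ {
                split($0, kv, "=")
                gsub(/[ \t]/, "", kv[2])
                disabled = kv[2]
            }
            END {
                # xinetd treats a config with no "disable" line as enabled.
                if (name != "" && disabled != "yes") print name
            }' "$f"
    done
}
```

Anything it prints should either be a service you intend to expose or be switched off with chkconfig service-name off.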

Linux Server Hosting Security

Security configuration and set-up for Linux servers exposed to the internet: Any computer connected to the internet will require steps and precautions to be taken to reduce the exposure to hacker threats. Web, mail and DNS servers are especially vulnerable. Large operations will hide behind a Cisco firewall for most of their protection. The Linux server must be configured for network security and have its applications and services configured for security. This tutorial covers steps and tools which can be used to monitor and counteract hacker threats. Simply put, it is security risk management.

Basic Linux Security Overview:

Perform the following steps to secure your web site:

  • See distribution errata and security fixes.
    Update your system where appropriate.

    • Red Hat/CentOS:
      • yum check-update
        (Print list of packages to be updated.)
      • yum update

      Note that this can be automated using the /etc/init.d/yum-updatesd service (RHEL/CentOS 5) or by creating a cron job /etc/cron.daily/yum.cron:

      #!/bin/sh
      # Update yum itself first, then everything else. -R waits a random number of minutes
      # (up to the value given) so every host does not hit the mirrors at the same moment.
      /usr/bin/yum -R 120 -e 0 -d 0 -y update yum
      /usr/bin/yum -R 10 -e 0 -d 0 -y update
    • Ubuntu/Debian:
      • apt-get update
        (Update package list to the latest version associated with that release of the OS.)
      • apt-get upgrade
  • Reduce the number of network services exposed. These will be started by scripts in /etc/rc.d/rc*.d/ directories. (See full list of services in: /etc/init.d/) There may be no need to run sendmail (mail server), portmap (RPC listener required by NFS), lpd (Line printer server daemon. Hackers probe my system for this service all the time.), innd (News server), linuxconf etc. For example, sendmail can be removed from the boot process using the command: chkconfig --del sendmail or by using the configuration tool ntsysv. The service can be terminated using the command /etc/rc.d/init.d/sendmail stop. At the very least one should run the command chkconfig --list to see what processes are configured to be operable after boot-up.
  • Verify your configuration. List the open ports and processes which hold them: netstat -punta (Also try netstat -nlp)
  • List RPC services: [root]# rpcinfo -p localhost
    Ideally you would NOT be running portmapper so no RPC services would be available. Turn off portmapper: service portmap stop (or: /etc/init.d/portmap stop) and remove it from the system boot sequence: chkconfig --del portmap (Portmap is required by NFS.)
  • Anonymous FTP (Using wu_ftpd – Last shipped with RH 8.0. RH 9 and FC use vsftpd): By default Red Hat comes configured for anonymous FTP. This allows users to ftp to your server and log in with the login anonymous and use an email address as the password. If you wish to turn off this feature edit the file /etc/ftpaccess and change:
    class all real,guest,anonymous *
    to
    class all real,guest *
  • Use the find command to locate vulnerabilities – find suid and sgid files (which can execute with root privileges) as well as world writable files and directories. For example:
    • find / -xdev \( -perm -4000 -o -perm -2000 \) -type f -print
      Remove suid privileges on executable programs with the command: chmod -s filename
    • find / -xdev \( -nouser -o -nogroup \) -print
      Find files not owned by a valid user or group.
  • Use the commands chattr and lsattr to make a sensitive security file unmodifiable, over and above the usual permissions.
    Make a file unmodifiable: chattr +i /bin/ls
    Make directories unmodifiable: chattr -R +i /bin /sbin /boot /lib
    Make a file append only: chattr +a /var/log/messages
  • Use “tripwire” [sourceforge: tripwire] for security monitoring of your system for signs of unauthorized file changes. Tripwire is offered as part of the base Red Hat and Ubuntu distributions. Tripwire configuration is covered below.
  • Watch your log files especially /var/log/messages and /var/log/secure.
  • Avoid generic account names such as guest.
  • Use PAM network wrapper configurations to disallow passwords which can be found easily by crack or other hacking programs. PAM authentication can also disallow root network login access. (Default Red Hat configuration. You must log in as a regular user and su - to obtain root access. This is NOT the default for ssh and must be changed as noted below.)
  • Remote access should NOT be done with clear text telnet but with an encrypted connection using ssh. (Later in this tutorial)
  • Proc file settings for defense against attacks. This includes protective measures against IP spoofing, SYN flood or syncookie attacks.
  • DDoS (Distributed Denial of Service) attacks: The only thing you can do is have gobs of bandwidth and processing power/firewall. Lots of processing power or a firewall are useless without gobs of bandwidth, as the network can get so overloaded from a distributed attack.
    Also see:

    • Turn off ICMP (look invisible to network scans)
    • Monitor the attack with tcpdump

    Unfortunately the packets are usually spoofed and in my case the FBI didn’t care. If the server is a remote server, have a dial-up modem or a second IP address and route for access, because the attacked route is blocked by the flood of network attacks. You can also request that your ISP drop ICMP traffic to the IP addresses of your servers (and UDP if all you are running is a web server; DNS name servers use UDP). For very interesting reading see “The Strange Tale” of the GRC.com DDoS attack. (A very interesting read about the anatomy of hacker bot networks.)

  • User access can be restricted with the following configuration files:
    • /etc/security/limits.conf
    • /etc/security/group.conf
    • /etc/security/time.conf
  • Remove un-needed users from the system. See /etc/passwd. By default Red Hat installations have many user accounts created to support various processes. If you do not intend to run these processes, remove the users, i.e. remove user ids games, uucp, rpc, rpcd, ...
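The suid/sgid find command in the list above is most useful when it is run regularly against a saved baseline, in the spirit of the tripwire check: a setuid file that was not there last time is worth investigating. This added example (not the tutorial's own code) does exactly that; the baseline path and the ROOT argument are assumptions.

```shell
#!/bin/sh
# Added example, not from the tutorial: keep a baseline of setuid/setgid files
# and report any that appear later. Usage: suid_check [ROOT] [BASELINE]
# ROOT defaults to / and BASELINE to /var/lib/suid.baseline (both assumptions).

# Sorted list of setuid/setgid regular files under ROOT, staying on one
# filesystem (-xdev) exactly as the tutorial's find command does.
suid_list() {
    find "${1:-/}" -xdev \( -perm -4000 -o -perm -2000 \) -type f -print 2>/dev/null | sort
}

suid_check() {
    root=${1:-/}
    baseline=${2:-/var/lib/suid.baseline}
    if [ ! -f "$baseline" ]; then
        # First run: record the current state and report nothing.
        suid_list "$root" > "$baseline"
        return 0
    fi
    current=$(mktemp)
    suid_list "$root" > "$current"
    # comm -13 prints lines found only in the second file: the new suid/sgid files.
    comm -13 "$baseline" "$current"
    rm -f "$current"
}
```

Run it from cron and mail the output; an empty report is the expected result, and a non-empty one should be compared with recent package installs before anything is trusted. Protect the baseline with chattr +i once it is correct.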