My line of defense

dec (Verified User, joined May 12, 2004, 163 messages)
Ok..

So far this is my line of defense against our powerful enemy (Hackers, crackers, spam, viruses, etc…):

I have installed:

Chkrootkit
APF
SIM (System Integrity Monitor)
MailScanner
Clam Antivirus
Logwatch
RKHunter
Snort with Acid (Testing stage)

I have implemented:

Updated to latest Kernel
Updated Apache
Disabled direct root login
Disabled Telnet
Hide Apache and other services info
Forced SSH2 login
Two different passwords. One for admin and One for root. (They are modified every week)
/tmp secured (noexec)

I am paranoid about security, so I wonder what else everybody uses in reality to secure their server (web hosting purposes).
 
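The SSH items in dec's list (no direct root login, SSH2 only, and the non-standard port suggested further down the thread) can be checked mechanically rather than by eye. The script below is an added example written for this page, not dec's or anyone else's posted code. It reads an sshd_config the way sshd does (the first occurrence of a keyword wins, comment lines are ignored, both `Keyword value` and `Keyword=value` are accepted, and only values before the first `Match` line are global), and the two sample configs it carries are constructed for the demonstration. Treating an unset keyword as the old defaults PermitRootLogin yes, Protocol 2,1 and Port 22 is an assumption about the sshd releases of that era.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the three SSH
# settings discussed here: no direct root login, protocol 2 only, and a port
# other than 22. Run as: sh audit_sshd.sh /etc/ssh/sshd_config
set -e

# Effective value of one keyword. sshd takes the FIRST occurrence of a keyword,
# ignores comment and blank lines, accepts "Keyword value" or "Keyword=value",
# and treats everything after the first Match line as conditional, so the
# global value is whatever appears before it. Prints nothing when unset.
sshd_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { sub(/=/, " ") }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# One "FAIL Keyword=value" line per weak setting; exit status 1 if any failed.
# Unset keywords fall back to the defaults of sshd releases of that era
# (PermitRootLogin yes, Protocol 2,1, Port 22), which is an assumption here.
audit_sshd_config() {
    cfg=$1
    rc=0
    v=$(sshd_value "$cfg" PermitRootLogin); : "${v:=yes}"
    case "$v" in
        [Nn][Oo]) ;;
        *) echo "FAIL PermitRootLogin=$v"; rc=1 ;;
    esac
    v=$(sshd_value "$cfg" Protocol); : "${v:=2,1}"
    [ "$v" = 2 ] || { echo "FAIL Protocol=$v"; rc=1; }
    v=$(sshd_value "$cfg" Port); : "${v:=22}"
    [ "$v" != 22 ] || { echo "FAIL Port=$v"; rc=1; }
    return "$rc"
}

# Constructed sample (not a real file): a stock-looking config with the
# defaults left in comments and root login still on.
sample_weak_config() {
    cat <<'EOF'
# constructed sshd_config for the example
#Port 22
Protocol 2,1
PermitRootLogin yes
#PermitRootLogin no
EOF
}

# Constructed sample: hardened the way the thread describes. The duplicate
# PermitRootLogin and the Match block must not override the first value.
sample_hardened_config() {
    cat <<'EOF'
Port 6000
Protocol 2
PermitRootLogin no
PermitRootLogin yes
Match User admin
    PermitRootLogin yes
EOF
}

if [ $# -gt 0 ]; then
    audit_sshd_config "$1"
fi
```

Run it against the live file (`sh audit_sshd.sh /etc/ssh/sshd_config`) before and after editing, and again after toggling PermitRootLogin back and forth as the su procedure later in the thread requires, so a temporary `yes` is not left behind. Moving the port only cuts log noise from automated scans; the other two settings are the ones that change what an attacker can do.
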
I did some posts on linux-noob.com for a few extra things.

Hiding Apache Version Number:

http://www.linux-noob.com/forums/index.php?showtopic=765

Securing your /tmp directory (noexec):

http://www.linux-noob.com/forums/index.php?showtopic=766

You should also secure the su binary, and all your compiler binaries (unless your clients need them). If you need help with this, let me know. I disabled from normal user access: wget, ftp, telnet, gcc, cc, make, lynx, fetch, among some others.

Also, rkhunter is very nice too:

http://www.rootkit.nl/


Oh yeah, READ EVERYTHING in /var/log any time you can.
 
You may want to change your SSH port, then install some port scan detection software such as portsentry.

Besides that, change permissions on binaries and have /tmp mounted with noexec / nosuid as vandal suggested.

Also, ALL software accessible externally needs to be updated, and if the system is on a local network there's even more to ensure you update. Simple rule: update everything that can be updated to the latest stable version, especially if there are known security problems between the current release and the release you are using.

Chris
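Both vandal's /tmp tutorial link above and Chris's noexec / nosuid advice come down to one check: the options actually in effect on the /tmp mount, not the ones written in fstab. The functions below are an added example for this page, not code from either poster or from the linked tutorial. They read a file in /proc/mounts format, so they can be pointed at the live /proc/mounts or at a saved copy; the excerpt embedded here is constructed for the demonstration, with /tmp deliberately missing nosuid and a similarly named /tmpdata mount as a distractor.

```shell
#!/bin/sh
# Added example (not from the thread): confirm the options in effect on /tmp
# from a /proc/mounts-format file. Run live as: sh check_tmp.sh --check
set -e

# Options of one mount point from a file with lines of the form
#   device mountpoint fstype options dump pass
# The LAST matching line wins: a later mount on the same point shadows the
# earlier one. Prints nothing if the mount point is absent.
mount_options() {
    awk -v mp="$2" '$2 == mp { opts = $4 } END { print opts }' "$1"
}

# Usage: mount_has_options FILE MOUNTPOINT OPTION...
# Prints "MISSING opt" for each wanted option not present and returns 1 then.
# Wrapping both strings in commas makes the match whole-option, so "noexec"
# is not satisfied by some other option that merely contains it.
mount_has_options() {
    opts=$(mount_options "$1" "$2")
    shift 2
    rc=0
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;
            *) echo "MISSING $want"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed /proc/mounts excerpt (made up for this example): /tmp has noexec
# but not nosuid, and /tmpdata is a distractor with a similar name.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext3 rw 0 0
/dev/sda3 /tmp ext3 rw,noexec 0 0
none /proc proc rw 0 0
/dev/sda5 /tmpdata ext3 rw,noexec,nosuid 0 0
EOF
}

if [ "${1:-}" = "--check" ]; then
    mount_has_options /proc/mounts /tmp noexec nosuid
fi
```

The same check applies to any other world-writable mount (/var/tmp, a separate /home), and to /proc/mounts rather than `mount` output because the latter may reflect what the user typed rather than what the kernel applied.
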
 
vandal said:
You should also secure the su binary, and all your compiler binaries (unless your clients need them). If you need help with this, let me know. I disabled from normal user access: wget, ftp, telnet, gcc, cc, make, lynx, fetch, among some others.

Not sure about how to do this guys...

The /tmp folder was secured, I just forgot to mention it :D

vandal said:
Also, rkhunter is very nice too.

Reading and installing it as we speak ;)

Thanks
 
ProWebUK said:
You may want to change your SSH port, then install some port scan detection software such as portsentry.

Excellent idea. Any how-to for Portsentry? :D

Thanks
 
Yeah, you can put SSH on like 6000 or something high like that :)

Snort is also an IDS, but I have never used it.

So to secure your binaries, do this:

First, allow root in your sshd config and test it (just for now).

pico /etc/group

Add your username to this line (in this case, I added the user admin):

wheel:x:10:root,admin

Then make the binary usable by root or the wheel group only:

chmod 4750 /bin/su

chgrp wheel /bin/su

Do that for wget, cc, gcc, lynx, ftp, telnet, make and anything else you want to deny normal users access to. (To find their binaries, try 'locate wget' for example.)

Now only root or a user in the wheel group can access this stuff.

Log in as admin and try su; you should have access. Log in as a regular user and try; you should get permission denied.

If all is well, disable root SSH access on the box again.
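vandal's steps as a reusable script. This is an added example written for this page, not vandal's own commands: it takes the admin group and the binary names on the command line (an assumption about the interface) and logs what it changed. One deliberate difference from the post: it keeps mode 4750 only where the setuid bit is already present, which on a normal install is su, and applies 0750 to everything else, because chmod 4750 on a root-owned wget or gcc would turn them into setuid-root programs. verify_restricted reads the ls -l mode string so the result can be checked afterwards, alongside the "log in as a regular user and try" test the post describes.

```shell
#!/bin/sh
# Added example (not from the thread): restrict binaries to root and one admin
# group, then verify. Assumed interface: group first, then binary names/paths.
#   sh restrict_bins.sh --apply wheel su wget cc gcc make lynx ftp telnet
set -e

# Target mode for one file. Only a binary that is ALREADY setuid (su) keeps the
# bit, as 4750; everything else gets 0750, so no tool is made setuid by mistake.
target_mode() {
    if [ -u "$1" ]; then
        printf '4750'
    else
        printf '0750'
    fi
}

# Resolve a command name via PATH, or accept an absolute path that exists.
resolve_binary() {
    case "$1" in
        /*) [ -e "$1" ] && printf '%s' "$1" ;;
        *)  command -v "$1" ;;
    esac
}

# chgrp + chmod each binary and print "path mode" for the ones changed.
# Missing binaries are reported on stderr and skipped.
restrict_binaries() {
    group=$1
    shift
    for name in "$@"; do
        path=$(resolve_binary "$name") || { echo "skip: $name not found" >&2; continue; }
        mode=$(target_mode "$path")
        chgrp "$group" "$path"
        chmod "$mode" "$path"
        printf '%s %s\n' "$path" "$mode"
    done
    return 0
}

# Check one binary afterwards: group owner is $1 and "other" has no r/w/x bits.
# Parses the ls -l mode string (type + user + group = 7 chars, then the other
# triplet), so an ACL or SELinux marker after the mode does not matter.
verify_restricted() {
    group=$1
    set -- $(ls -ld "$2")
    perms=$1
    owner_group=$4
    case "$perms" in
        ???????---*) [ "$owner_group" = "$group" ] && return 0 ;;
    esac
    return 1
}

if [ "${1:-}" = "--apply" ]; then
    shift
    restrict_binaries "$@"
fi
```

Run it as root only after the wheel line in /etc/group is in place and tested, since a typo there locks the admin out of su as well. Package upgrades will reinstall these binaries with their default mode and group, so the verify step belongs in a cron job or the post-update checklist rather than being run once.
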
 
Chris,

It looks like I have Portsentry already installed as a service on my system.

/etc/log.d/conf/services/portsentry.conf
/etc/log.d/scripts/services/portsentry

But, the configuration file does not give me the option to specify the ports or configure it like in the tutorial you suggested.

Any Ideas...?
 
Check if it's an RPM:

rpm -q portsentry

If it is, remove it:

rpm -e portsentry

Then download the source and follow that tutorial above.
 
vandal said:
Check if it's an RPM:

rpm -q portsentry

If it is, remove it:

rpm -e portsentry

Then download the source and follow that tutorial above.

It says portsentry is not installed.

I think these files may have something to do with Logwatch.

Dec
 
vandal said:
You should also secure the su binary, and all your compiler binaries (unless your clients need them). If you need help with this, let me know. I disabled from normal user access: wget, ftp, telnet, gcc, cc, make, lynx, fetch, among some others.

How can I do this?

Matt
 
dec said:
Any comments about the article above?

Dec

It's correct, but I don't agree with everything it says. It tries to point out that you install it and never check the block list; you need to do a bit of housekeeping yourself to make it work, but the general idea works.

As for much of it, it all depends on your configuration (for example, "if a user was checking if you had a service on a particular port": if there is no common service on the ports you have monitored, why would they be scanning it?!)

Chris
 
ProWebUK said:
It's correct, but I don't agree with everything it says. It tries to point out that you install it and never check the block list; you need to do a bit of housekeeping yourself to make it work, but the general idea works.

As for much of it, it all depends on your configuration (for example, "if a user was checking if you had a service on a particular port": if there is no common service on the ports you have monitored, why would they be scanning it?!)

Chris

Hi Chris,

Do you use Snort? Do you recommend it over portsentry?

I have never used either of them before, so to me they are all the same. I just want to know what to use based on others' experience, and then learn and configure whatever I pick.

Dec
 