Posting some guides from my blog

Linux Server Security - The Sensible Approach - Part 1


Linux server security (securing your server and preventing hacks, DDoS and so on) is the most important part of running a server on the internet. Whether you are doing web hosting, server management, your own sites or whatever, security matters. In doing server management I am surprised at the number of people with servers on the net who have never done anything to harden their server: they simply buy a server and, after the OS install, upload their site and leave it. Eventually they have problems, get hacked and either lose their data or get kicked off networks for being compromised, attacking other servers, spamming and such. I have gone into many servers where not even a yum update had been done, and on others with control panels that do updates, the server had never been rebooted into the new kernel.
There are lots of guides out there on how to secure servers, as well as lots of software and scripts, but ultimately there is no silver bullet or do-it-all approach. My guide here walks through basic security that will prevent a lot of hacks and attacks, but by no means is it 100%. You still need to do regular updates, reboots and, most importantly, frequent backups.
OK, so you have just got your new server; hopefully you have chosen the current version of a Red Hat flavored distro like CentOS or Fedora. I recommend CentOS for stability, but updates usually come slowly, so a good security setup is imperative. Fedora is definitely more up to date as far as newer software versions go, but there can be stability issues.

Before the server install, specifying a partition scheme is a wise thing to do, as most datacenters will simply put everything in / and make a swap. Some places have suggested schemes for certain control panels, but even those are not perfect. Then again, some datacenters will not partition correctly no matter what you tell them. I know a company I work for ordered a server at 100tb.com; twice we asked them for a certain partition scheme, only for them to put everything in / and make a 500 MB tmp partition. Servers these days, with mostly dynamic sites running on them, will require at least a 1 GB tmp partition, 2 GB to be extra sure.
The partition scheme I recommend is:
/boot - 500 MB
/tmp - 2 GB
swap - 1 GB (varies depending on the amount of RAM, but usually never more than 1 GB is needed, and even that will never be fully used unless there is some memory-leaking process or other problem)
/ - grow (use the rest of the free space)
First, as soon as you get your server and before you do anything else, do updates/upgrades with

Code: 
yum -y update
Then reboot to make sure you are running the latest kernel:
Code: 
shutdown -r now
If you have to install your control panel yourself, do that now. Once it is installed (or if it was installed for you, or you have none), continue.
Next we install a firewall. In my opinion CSF from configserver.com is hands down the best firewall and security script on the net. It has tons of features, including brute force and DoS protection. You can read about it and its features HERE.
First make sure libwww-perl is installed. Most control panels like cPanel will install this, but some do not. Simply issue the yum install command:
Code: 
yum -y install perl-libwww-perl
Then download and install CSF:
Code:
wget http://configserver.com/free/csf.tgz ; tar zxvf csf.tgz ; cd csf ; sh install.sh
Now to the CSF configuration. On install it will open the proper ingress and egress ports for the running processes, but sometimes it misses some, so make sure all the ports you need IN and OUT, for both TCP and UDP, are open. Never allow all ports or unnecessary ports. In my novice admin days I used to lazily put 20:65535 for both OUT protocols, but this is a bad idea: if you allow all outgoing ports it is easy for bindshells and other malicious stuff to run, so definitely allow only the needed ports in and out.
I can't really explain every config parameter here and the best value for each; I suggest you read the docs and the comments around each setting for what they do. If you use mod_security you will want to enable the modsec option, and for protection against spamming scripts and such select the appropriate options. The settings I will advise on are the DDoS protection. For a normal site that does not incur much DDoS (or even one that does), good settings that will not ban legitimate users are CT_LIMIT=40 and CT_PERM=0 (temp ban only; sites with DDoS problems will want to perm ban). Set both deny IP limits to 1000, as you never know when you will need to ban that many under attack; 100 is far too low to mitigate even the smallest attack. The temp ban time of 1800 should normally be OK, and any IP that gets temp banned too many times will be perm banned; there is a setting for this as well. The most important setting for avoiding bans of legitimate users is CT_STATES=NEW,ESTABLISHED,SYN_RECV, so that only those connection states are counted. Then set CT_TESTING to 0 and you are good to go. Make sure you read up on all the config parameters and firewall usage; it is not hard software to master and will be one of your most used tools on the server.
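To turn the settings above into edits on csf.conf without hand-editing, here is an added shell helper (example code, not part of the original post and not CSF's own tooling). It assumes csf.conf's KEY = "VALUE" line format, uses the csf.conf key names DENY_IP_LIMIT and DENY_TEMP_IP_LIMIT for the two deny limits and CT_BLOCK_TIME for the temp ban time, and writes the post's CT_TESTING setting to the TESTING key, which is what csf.conf actually calls it. The demo runs against a constructed sample file; on a real server point it at /etc/csf/csf.conf and run csf -r afterwards.

```shell
#!/bin/sh
# Added example (not from the original post or from CSF): set the connection
# tracking values recommended above in a csf.conf-style file.
# csf.conf lines look like:  CT_LIMIT = "0"   (key, spaces, quoted value)

csf_set() {
    # usage: csf_set KEY VALUE FILE  -- replace the line for KEY, or append it
    key=$1; value=$2; file=$3
    if grep -q "^$key = " "$file"; then
        tmp=$(mktemp)
        sed "s|^$key = .*|$key = \"$value\"|" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s = "%s"\n' "$key" "$value" >> "$file"
    fi
}

csf_get() {
    # usage: csf_get KEY FILE  -- print the value of KEY without the quotes
    sed -n "s|^$1 = \"\(.*\)\"|\1|p" "$2"
}

apply_ct_settings() {
    # usage: apply_ct_settings FILE  -- the values discussed in the post
    f=$1
    csf_set CT_LIMIT 40 "$f"                           # connections per IP before a block
    csf_set CT_PERM 0 "$f"                             # 0 = temporary block only
    csf_set CT_BLOCK_TIME 1800 "$f"                    # temp block length in seconds
    csf_set CT_STATES "NEW,ESTABLISHED,SYN_RECV" "$f"  # count only these states
    csf_set DENY_IP_LIMIT 1000 "$f"                    # room for a real attack
    csf_set DENY_TEMP_IP_LIMIT 1000 "$f"
    csf_set TESTING 0 "$f"                             # leave test mode so rules persist
}

# Demo on a constructed sample (the real file is /etc/csf/csf.conf)
sample=$(mktemp)
printf 'TESTING = "1"\nCT_LIMIT = "0"\nCT_PERM = "1"\nCT_STATES = ""\n' > "$sample"
apply_ct_settings "$sample"
cat "$sample"
# After editing the real file:  csf -r   (reload the firewall with the new config)
rm -f "$sample"
```

Keys that already exist are rewritten in place so the file keeps one line per setting; keys CSF's file does not have yet are appended, which is how CSF itself treats missing entries.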
Next: sysctl tuning. The default kernel parameters for nearly everything are too small for systems these days, especially the TCP stack settings; the defaults are basically sized for servers with 512 MB of RAM or less, so tuning them is definitely needed. For the TCP and conntrack settings you need to size to your system memory, since each conntrack table entry uses memory and so on. Usually you can set these much higher than a strict memory calculation would give, so it is not very important to get them exactly right. The sysctl settings I use for servers with 4-8 GB of RAM are as follows (note: it is not a good idea to mess with settings already in sysctl.conf such as shmmax and shmall; adding these parameters will usually do the trick). This is just an example; google and search around for the ideal config for your particular situation. Two caveats: some of these keys exist only on older kernels (net.core.hot_list_length and net.ipv4.netfilter.ip_conntrack_max among them), and sysctl -p prints an error for each key it cannot set while still applying the rest; and net.ipv4.tcp_tw_recycle breaks connections from clients behind NAT and was removed from the kernel in 4.12, so it should not be enabled on anything recent.
Code: 
nano -w /etc/sysctl.conf
Enter these under the last entry:
Code: 
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 2
net.ipv4.ipfrag_time=30
net.core.rmem_default=65535
net.core.rmem_max=131071
net.ipv4.tcp_rmem=4096 87380 174760
net.core.wmem_default=65535
net.core.wmem_max=231071
net.ipv4.tcp_wmem=4096 16384 131072
net.ipv4.tcp_mem=195584 196096 196608
net.core.optmem_max=10240
net.ipv4.tcp_max_tw_buckets=360000
net.core.hot_list_length=256
net.core.netdev_max_backlog=262144
net.core.somaxconn=262144
net.ipv4.tcp_reordering=5
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.tcp_syn_retries=3
net.ipv4.tcp_timestamps=0
net.ipv4.tcp_sack=1
net.ipv4.tcp_window_scaling=0
net.ipv4.tcp_keepalive_time=1200
net.ipv4.tcp_fin_timeout=15
net.ipv4.tcp_tw_recycle=1
net.ipv4.conf.default.log_martians=0
net.ipv4.conf.all.log_martians=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.netfilter.ip_conntrack_max=1048576
net.nf_conntrack_max=1048576
fs.file-max=263840
Then to activate:
Code:
sysctl -p
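Because sysctl -p prints an error for every key the running kernel does not have but keeps going, it helps to check a sysctl fragment before loading it. The following added shell helper (example code, not from the original post) resolves each key to its path under /proc/sys and keeps only the entries that exist, writing the survivors to a file you can then pass to sysctl -p. The SYSCTL_ROOT variable is an assumption of this example so it can be pointed at a constructed directory; the demo at the bottom runs against a constructed fragment that includes one key modern kernels lack.

```shell
#!/bin/sh
# Added example (not from the original post): keep only the sysctl keys that
# exist on the running kernel, so obsolete ones do not clutter `sysctl -p`.
SYSCTL_ROOT=${SYSCTL_ROOT:-/proc/sys}   # assumed knob, overridable for testing

sysctl_key_path() {
    # net.ipv4.tcp_syncookies -> /proc/sys/net/ipv4/tcp_syncookies
    printf '%s/%s\n' "$SYSCTL_ROOT" "$(printf '%s' "$1" | tr . /)"
}

sysctl_filter_conf() {
    # usage: sysctl_filter_conf FILE
    # prints "key = value" for keys present under $SYSCTL_ROOT,
    # reports skipped keys on stderr
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        key=$(printf '%s' "$line" | cut -d= -f1 | tr -d ' \t')
        value=$(printf '%s' "$line" | cut -d= -f2- | sed 's/^[[:space:]]*//')
        if [ -e "$(sysctl_key_path "$key")" ]; then
            printf '%s = %s\n' "$key" "$value"
        else
            printf 'skipping %s: not present on this kernel\n' "$key" >&2
        fi
    done < "$1"
}

# Demo on a constructed fragment with one key that modern kernels lack
frag=$(mktemp)
printf '# constructed sample\nnet.ipv4.tcp_syncookies = 1\nnet.core.hot_list_length=256\nfs.file-max=263840\n' > "$frag"
sysctl_filter_conf "$frag" > "$frag.ok"
cat "$frag.ok"
# On a real server, as root:  sysctl -p "$frag.ok"
rm -f "$frag" "$frag.ok"
```

Run it over /etc/sysctl.conf once after a kernel upgrade and the skipped list tells you which entries are now dead weight; the filtered file is what you actually load.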
Next, kernel security. In the past I would have recommended only a grsecurity/PaX kernel, but for novice users it is not such a good idea; it is really only needed for situations requiring very high security, with an admin who can configure all the settings and PaX flags properly. In the future I will add a detailed tutorial for this, but for now we will use libsafe, which will prevent some classes of kernel exploits. To read more about libsafe check HERE.
To install:
Code: 
rpm -ivh http://pubs.research.avayalabs.com/src/libsafe-2.0-16.i386.rpm
Next we do mount permissions and parameters. If you have a control panel that works with the CSF GUI option, the server security check will detect and advise the proper mount settings. I have always heard that using noatime helps lower disk I/O, so I usually add it; however, I have not done any extensive benchmarks to validate this claim, so it is up to you.
For your /tmp and /dev/shm partitions you will want to mount those with noexec,nosuid.
For /proc, nosuid is a good idea: if any future race conditions come up, it will be harder to get root with this mount setting.
Here is an example fstab from a server I manage so you can get an idea:
Code:
LABEL=/ / ext3 defaults,usrquota,noatime 1 1
LABEL=/boot /boot ext3 defaults,noatime 1 2
tmpfs /dev/shm tmpfs defaults,noexec,nosuid,noatime 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0
sysfs /sys sysfs defaults 0 0
proc /proc proc defaults,noatime,nosuid 0 0
LABEL=SWAP-sda3 swap swap pri=0,defaults 0 0
/usr/tmpDSK /tmp ext3 defaults,noauto,noatime,noexec,nosuid 0 0
/tmp /var/tmp ext3 defaults,usrquota,bind,noauto,noexec,nosuid 0 0

Some things like PEAR and PECL will not work by default with noexec on /tmp, so some config changes may need to be made for such software.
And that will be it for this installment; I will make at least 3 parts to this. Part 2 will talk about mod_security, PHP security and other web-level security. Part 3 will be on malware detection and prevention.
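To check an fstab (or a copy of /proc/mounts, which has the same six columns) for the mount options just described, here is an added shell audit script (example code, not from the original post). The REQUIRED_OPTS list is this example's own summary of the post: noexec,nosuid on /tmp, /var/tmp and /dev/shm, and nosuid on /proc. It also flags a directory that is not a separate mount point, since /tmp or /var/tmp then silently inherits the options of /. The demo runs on a constructed fstab; on a live server, findmnt -n -o OPTIONS /tmp shows what is actually mounted.

```shell
#!/bin/sh
# Added example (not from the original post): audit an fstab-style file for
# the hardening mount options discussed above.
# Required options per mount point, in this example's own format mnt:opt,opt
REQUIRED_OPTS="/tmp:noexec,nosuid /var/tmp:noexec,nosuid /dev/shm:noexec,nosuid /proc:nosuid"

has_opt() {
    # usage: has_opt OPTLIST OPT  (OPTLIST is comma separated, e.g. defaults,noexec)
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

audit_mounts() {
    # usage: audit_mounts FILE
    # prints one line per problem and returns 1 if any were found
    rc=0
    for spec in $REQUIRED_OPTS; do
        mnt=${spec%%:*}; wanted=${spec#*:}
        # fstab columns: device mountpoint fstype options dump pass
        opts=$(awk -v m="$mnt" '$1 !~ /^#/ && $2 == m { print $4 }' "$1")
        if [ -z "$opts" ]; then
            echo "$mnt: not a separate mount point (inherits / options)"
            rc=1; continue
        fi
        for o in $(printf '%s' "$wanted" | tr , ' '); do
            has_opt "$opts" "$o" || { echo "$mnt: missing $o"; rc=1; }
        done
    done
    return $rc
}

# Demo on a constructed fstab resembling the one in the post, minus /var/tmp
sample=$(mktemp)
cat > "$sample" <<'EOF'
LABEL=/ / ext3 defaults,usrquota,noatime 1 1
tmpfs /dev/shm tmpfs defaults,nosuid,noatime 0 0
proc /proc proc defaults,noatime,nosuid 0 0
/usr/tmpDSK /tmp ext3 defaults,noauto,noatime,noexec,nosuid 0 0
EOF
if audit_mounts "$sample"; then
    echo "all hardening options present"
else
    echo "fix the entries above"
fi
rm -f "$sample"
```

Running it against /proc/mounts rather than /etc/fstab is the stronger check, because it reports what the kernel is enforcing right now rather than what will be applied at the next boot.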