Linux Hardening & Security

=======================================
|-----------:[INFO]:------------------|
|-------------------------------------|
| Title: "Linux Hardening & Security" |
| Author: Krun!x | QK                 |
| E-Mail: only4lul@gmail.com          |
| Home:   madspot.org | ljuska.org    |
| Date:   2009-06-20                  |
=======================================

Content:

1) Introduction
2) cP/WHM Installation and cP/WHM Configuration
3) The server and its services | PHP Installation, Optimization & Security
4) Kernel Hardening | Linux Kernel + Grsecurity Patch
5) SSH
6) Firewall | DDoS Protection
7) Mod_Security
8) Anti-Virus - ClamAV
9) Rootkit
10) The Rest of Shits

===================
| 1) Introduction |
===================

I wrote a step by step paper on how to secure a Linux server with cP/WHM and
Apache installed. By default, Linux is not secured enough, but you have
to understand there is no such thing as a "totally secured server/system".
The purpose of this paper is to understand how to at least provide some
kind of security to the server. I prefer the lsws web-server without any
Control Panel at all, but for this paper I have used CentOS 5 with cP/WHM
and the Apache web-server installed since a lot of hosting companies and
individuals out there are using it.

Let's start :)

So, you bought the server with CentOS 5 installed.
If you ordered cP/WHM together with the server you can skip step 2.1.

============================================
| 2) cP/WHM installation and configuration |
============================================

2.1) cP/WHM Installation

To begin your installation, use the following commands in SSH:

   root@server [~]# cd /home
   root@server [/home]# wget http://layer1.cpanel.net/latest
   root@server [/home]# ./latest

-----------------------------------------------------------------------------------------------------
cd /home - Opens the /home directory
wget http://layer1.cpanel.net/latest - Fetches the latest installation file from the cPanel servers.
./latest - Opens and runs the installation files.
------------------------------------------------------------------------------------------------------

cP/WHM should be installed now. You should be able to access cP via
http://serverip:2082 (SSL: 2083) or http://serverip/cpanel and WHM via
http://serverip:2086 (SSL: 2087) or http://serverip/whm. Let's configure
it now.

2.2) cP/WHM Configuration

Login to WHM using the root username/password:
http://serverip:2086 or http://serverip/whm

WHM - Server setup - Tweak Security:
-------------------------------------
Enable open_basedir protection
Disable Compilers for all accounts (except root)
Enable Shell Bomb/Memory Protection
Enable cPHulk Brute Force Protection

WHM - Account Functions:
------------------------
- Disable cPanel Demo Mode
- Disable shell access for all accounts (except root)

WHM - Service Configuration - FTP Configuration:
------------------------------------------------
- Disable anonymous FTP access

WHM - MySQL:
------------
- Set a MySQL password (don't set the same password as for root access).
- If you didn't set a MySQL password, someone will be able to log in to the DB with
  username "root" without a password and delete/edit/download any db on the server.

WHM - Service Configuration - Apache Configuration - PHP and SuExec Configuration
--------------------------------------------------------------------------------
- Enable suEXEC - suEXEC = On

When PHP runs as an
Apache Module it executes as the user/group of the
webserver, which is usually "nobody" or "apache". suEXEC changes this so
scripts are run as CGI. That means scripts are executed as the user
that created them. With suEXEC script permissions can't be set to
777 (read/write/execute at user/group/world level).

==============================================================================
| 3) The server and its services | PHP Installation, Optimization & Security |
==============================================================================

3.1) Keep all services and scripts up to date and make sure that you are running the latest secured version.

On CentOS type this into SSH to upgrade/update services on the server.

[root@server ~]# yum upgrade

or

[root@server ~]# yum update

3.2) PHP installation/update, configuration and optimization + Suhosin patch

First download what you need, type the following into SSH (the -O saves
the PHP mirror download under its real file name instead of "mirror"):

root@server [~]# cd /root
root@server [~]# wget -O php-5.2.9.tar.bz2 http://www.php.net/get/php-5.2.9.tar.bz2/from/this/mirror
root@server [~]# wget http://download.suhosin.org/suhosin-patch-5.2.8-0.9.6.3.patch.gz
root@server [~]# wget http://download.suhosin.org/suhosin-0.9.27.tgz

Untar PHP:

root@server [~]# tar xvjf php-5.2.9.tar.bz2

Patch the source:

root@server [~]# gunzip < suhosin-patch-5.2.8-0.9.6.3.patch.gz | patch -p0

Configure the source. If you want to use the same config as you used for
the last PHP build it's not a problem, but you will have to add
--enable-suhosin to the old config. To get the old config type this into SSH:

root@server [~]# php -i | grep ./configure

root@server [~]# cd php-5.2.9
root@server [~/php-5.2.9]# ./configure --enable-suhosin + old config
(add the old config you got from "php -i | grep ./configure" here)
root@server [~/php-5.2.9]# make
root@server [~/php-5.2.9]# make install

Note: If you get an error like "make: command not found" or "patch: command
not found", you will have to install "make" and "patch". It can be done
easily.
Just type this into SSH:

root@server [~]# yum install make
root@server [~]# yum install patch

Now check that everything is as you want. Upload a PHP script like this to the server:

<?php
phpinfo();
?>

Open it in your browser and you will see your PHP configuration there.

3.3) Suhosin

We will install Suhosin now, it's an advanced protection system for PHP.

root@server [~]# tar zxvf suhosin-0.9.27.tgz
root@server [~]# cd suhosin-0.9.27
root@server [~/suhosin-0.9.27]# phpize
root@server [~/suhosin-0.9.27]# ./configure
root@server [~/suhosin-0.9.27]# make
root@server [~/suhosin-0.9.27]# make install

After you installed suhosin you will get something like this:

 It's installed to /usr/local/lib/php/extensions/no-debug-non-zts-20060613/

Now edit your php.ini. If you don't know where php.ini is located, type this into SSH:

root@server [~]# php -i | grep php.ini
Configuration File (php.ini) Path => /usr/local/lib
Loaded Configuration File => /usr/local/lib/php.ini

It means you have to edit /usr/local/lib/php.ini. Type into SSH:

root@server [~]# nano /usr/local/lib/php.ini

If you get an error, "nano: Command not found", then:

root@server [~]# yum install nano

Find "extension_dir =", point it at the directory the extension was installed
to, and load the extension (without the extension= line suhosin.so is never loaded):

extension_dir = /usr/local/lib/php/extensions/no-debug-non-zts-20060613/
extension = suhosin.so

To save it, press CTRL + O and then Enter.

3.4) Zend Optimizer:

Download Zend Optimizer from http://www.zend.com/store/products/zend-optimizer.php

root@server [~]# tar -zxvf ZendOptimizer-3.3.3-linux-glibc23-i386.tar.gz
root@server [~]# cd ZendOptimizer-3.3.3-linux-glibc23-i386
root@server [~/ZendOptimizer-3.3.3-linux-glibc23-i386]# ./install.sh

   Welcome to Zend Optimizer installation.....  - Press Enter
   Zend licence agreement...                    - Press Enter
   Do you accept the terms of this licence...   - Yes, press Enter
   Location of Zend Optimizer...
   - /usr/local/Zend, press Enter
   Confirm the location of your php.ini file... - /usr/local/lib, press Enter
   Are you using the Apache web-server...       - Yes, press Enter
   Specify the full path to the Apache control utility (apachectl)... - /usr/local/apache/bin/apachectl, press Enter
   The installation has completed successfully... - Press Enter

Now restart Apache, type this into SSH:

root@server [~]# service httpd restart

3.5) php.ini & disabled functions

Edit php.ini like this:

root@server [~]# nano /usr/local/lib/php.ini

------------------------------------------------------------
safe_mode = On
expose_php = Off
enable_dl = Off
magic_quotes_gpc = On
register_globals = Off
display_errors = Off
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd
-------------------------------------------------------------

root@server [~]# service httpd restart

Or you can edit php.ini via WHM:
WHM - Service Configuration - PHP Configuration Editor

=========================================================
| 4) Kernel Hardening | Linux Kernel + Grsecurity Patch |
=========================================================

Description: grsecurity is an innovative approach to security utilizing
a multi-layered detection, prevention, and containment model. It is
licensed under the GPL.
It offers, among many other features:

 -An intelligent and robust Role-Based Access Control (RBAC) system that can generate least privilege policies for your
  entire system with no configuration
 -Change root (chroot) hardening
 -/tmp race prevention
 -Extensive auditing
 -Prevention of arbitrary code execution, regardless of the technique used (stack smashing, heap corruption, etc)
 -Prevention of arbitrary code execution in the kernel
 -Randomization of the stack, library, and heap bases
 -Kernel stack base randomization
 -Protection against exploitable null-pointer dereference bugs in the kernel
 -Reduction of the risk of sensitive information being leaked by arbitrary-read kernel bugs
 -A restriction that allows a user to only view his/her processes
 -Security alerts and audits that contain the IP address of the person causing the alert

Downloading and patching the kernel with grsecurity:

root@server [~]# cd /root
root@server [~]# wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.26.5.tar.gz
root@server [~]# wget http://www.grsecurity.com/test/grsecurity-2.1.12-2.6.26.5-200809141715.patch
root@server [~]# tar xzvf linux-2.6.26.5.tar.gz
root@server [~]# patch -p0 < grsecurity-2.1.12-2.6.26.5-200809141715.patch
root@server [~]# mv linux-2.6.26.5 linux-2.6.26.5-grsec
root@server [~]# ln -s linux-2.6.26.5-grsec/ linux
root@server [~]# cd linux
root@server [~/linux]# cp /boot/config-`uname -r` .config
root@server [~/linux]# make oldconfig

Compile the kernel:

root@server [~/linux]# make bzImage
root@server [~/linux]# make modules
root@server [~/linux]# make modules_install
root@server [~/linux]# make install

Check your grub loader config, and make sure default is 0:

root@server [~/linux]# nano /boot/grub/grub.conf

Reboot the server:

root@server [~/linux]# reboot

==========
| 5) SSH |
==========

In order to change the SSH port and protocol you will have to edit sshd_config:

root@server [~]# nano /etc/ssh/sshd_config

Change "Protocol 2,1" to "Protocol 2"
Change "#Port 22" to some other port and uncomment
it. Like, Port 1337

There are a lot of script kiddiez with brute forcers and they will try to crack our ssh pass because they know the username is root and the port is 22.
But we were smarter, we have changed the SSH port :)
Also, their "brute forcing" can increase server load, which means our sites (hosted on that server) will be slower.

SSH Legal Message

Edit /etc/motd, write in motd something like this:

"ALERT! That is a secured area. Your IP is logged. Administrator has been notified"

When someone logs into SSH he will see that message:

ALERT! That is a secured area. Your IP is logged. Administrator has been notified

If you want to receive an email every time someone logs into SSH as root, edit .bash_profile (it's located in the /root directory) and put this at the end of the file:

echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" mail@something.com

And at the end restart SSH, type "service sshd restart" into SSH.

=================================
| 6) Firewall | DDoS Protection |
=================================

6.1) Firewall, CSF Installation

root@server [~]# wget http://www.configserver.com/free/csf.tgz
root@server [~]# tar -xzf csf.tgz
root@server [~]# cd csf

In order to install csf your server needs to have some iptables modules
enabled. csftest is a perl script and it comes with csf. You can check
those modules with it.

root@server [~/csf]# ./csftest.pl

The output should be like this:

root@server [~/csf]# ./csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing ipt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK

Don't worry if you don't have all those modules enabled, csf will work if
you didn't get any FATAL errors at the end of the output.

Now, get to the installation:

root@server [~/csf]# ./install.sh

You will have to edit the csf.conf file.
It's located here: /etc/csf/csf.conf

You need to edit it like this (the option is upper-case in csf.conf):

TESTING = "0"

And you need to configure open ports in csf.conf or you won't be able to
access these ports. In most cases it should be configured like this if
you are using cP/WHM. If you are running something on some other port
you will have to enable it here. If you changed the SSH port you will have
to add the new port here:

# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873,2087,2089,2703"

6.2) CSF Connection Limit

There is a CT option in csf.conf, configure it like this:

CT_LIMIT = "200"
It means every IP with more than 200 connections is going to be blocked.

CT_PERMANENT = "1"
The IP will be blocked permanently.

CT_BLOCK_TIME = "1800"
The IP will be blocked for 1800 secs (1800 secs = 30 mins).

CT_INTERVAL = "60"
Set this to the number of seconds between connection tracking scans.

After editing csf.conf you need to restart csf:

root@server [~]# service csf restart

6.3) SYN Cookies

Edit the /etc/sysctl.conf file and add the following line in order to enable SYN cookie protection:

-----------------------------------
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
-----------------------------------

root@server [~]# service network restart

6.4) CSF as a security testing tool

CSF has an option "Server Security Check". Go to WHM - Plugins - CSF -
Test Server Security. You will see additional steps on how to secure the
server even more. I'm writing only about the most important things here and
I covered most of them in the paper, but if you want you can follow the steps
provided by CSF to get the server even more secured.

6.5) Mod_Evasive

The ModEvasive module for Apache offers protection against DDoS (denial of service attacks) on your server.
To install it login into SSH and type:

---------------------------------------------------------------------------------
root@server [~]# cd /root/
root@server [~]# wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
root@server [~]# tar zxf mod_evasive_1.10.1.tar.gz
root@server [~]# cd mod_evasive

then type...

root@server [~/mod_evasive]# /usr/sbin/apxs -cia mod_evasive20.c
---------------------------------------------------------------------------------

When mod_evasive is installed, place the following lines in your httpd.conf (/etc/httpd/conf/httpd.conf):

--------------------------------
<IfModule mod_evasive20.c>
    DOSHashTableSize 3097
    DOSPageCount 2
    DOSSiteCount 50
    DOSPageInterval 1
    DOSSiteInterval 1
    DOSBlockingPeriod 10
</IfModule>
--------------------------------

6.6) Random things:

csf -d IP  - Block an IP with CSF
csf -dr IP - Unblock an IP with CSF
csf -s     - Start firewall rules
csf -f     - Flush/stop firewall rules
csf -r     - Restart firewall rules
csf -x     - Disable CSF
csf -e     - Enable CSF
csf -c     - Check for updates
csf -h     - Show help screen

- Block an IP via iptables
iptables -A INPUT -s IP -j DROP

- Unblock an IP via iptables (delete the DROP rule; appending an ACCEPT rule after it would never be reached)
iptables -D INPUT -s IP -j DROP

- See how many IP addresses are connected to the server and how many connections each of them has.
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

===================
| 7) Mod_Security |
===================

Mod_Security is a web application firewall and it can help us to secure our sites against RFI, LFI, XSS, SQL Injection etc.

If you use cP/WHM you can easily enable Mod_Security in WHM - Plugins - Enable Mod_Security and save.

Now I will explain how to install Mod_Security from source.

You can't install Mod_Security if you don't have the libxml2 and httpd-devel libraries.
Also, you need to enable mod_unique_id in the Apache modules, but don't worry, I will explain how to do it :)

Login into SSH and type...

root@server [~]# yum install libxml2 libxml2-devel httpd-devel

libxml2, libxml2-devel and httpd-devel should be installed now.

Then you need to edit the httpd.conf file, you can find it here:

root@server [~]# nano /etc/httpd/conf/httpd.conf

You need to add this to your httpd.conf file:

LoadModule unique_id_module modules/mod_unique_id.so

Now download the latest version of mod_security for apache2 from http://www.modsecurity.org

Login into SSH and type...

root@server [~]# cd /root/
root@server [~]# wget http://www.modsecurity.org/download/modsecurity-apache_2.5.6.tar.gz
root@server [~]# tar zxf modsecurity-apache_2.5.6.tar.gz
root@server [~]# cd modsecurity-apache_2.5.6
root@server [~/modsecurity-apache_2.5.6]# cd apache2

then type:

root@server [~/modsecurity-apache_2.5.6/apache2]# ./configure
root@server [~/modsecurity-apache_2.5.6/apache2]# make
root@server [~/modsecurity-apache_2.5.6/apache2]# make install

Go to the end of httpd.conf and place an include for our config/rules file...

Include /etc/httpd/conf/modsecurity.conf

---------------------------------------------------------
# /etc/httpd/conf/httpd.conf
LoadModule unique_id_module modules/mod_unique_id.so
LoadFile /usr/lib/libxml2.so
LoadModule security2_module modules/mod_security2.so
Include /etc/httpd/conf/modsecurity.conf
---------------------------------------------------------

You need to find good rules for Mod_Security. You can find them at the
official Mod_Security site. Also, give the gotroot.com rules a try. When
you find good rules, just put them in /etc/httpd/conf/modsecurity.conf

And restart httpd at the end, type "service httpd restart" into SSH.

==========================
| 8) Anti-Virus - ClamAV |
==========================

You need AV protection to protect the server against worms and trojans
invading your mailbox and files! Just install clamav (a free open source
antivirus software for linux).
More information can be found on the clamav website - http://www.clamav.net

In order to install ClamAV login into SSH and type:

root@server [~]# yum install clamav

Once you have installed clamav on your CentOS, here are some basic commands you will need:

Update the antivirus database:

root@server [~]# freshclam

Run antivirus:

root@server [~]# clamscan -r /home

Running as a Daily Cron Job

To run antivirus as a cron job (automatically scan daily) just run
crontab -e from your command line. Then add the following line and save
the file (a user crontab has no user column, and the recursive flag is -r
as in the command above):

@daily clamscan -r /home

It means clamav will be scanning the /home directory every day. You can change the folder to whatever you want to scan.

==============
| 9) Rootkit |
==============

A rootkit scanner is a scanning tool to ensure you for about 99.9%* that you're clean of nasty tools. This tool scans for rootkits, backdoors and local exploits by running tests like:

 -MD5 hash compare
 -Look for default files used by rootkits
 -Wrong file permissions for binaries
 -Look for suspected strings in LKM and KLD modules
 -Look for hidden files
 -Optional scan within plaintext and binary files

Installation:

Login into SSH and type:

root@server [~]# cd /root/
root@server [~]# wget http://downloads.rootkit.nl/rkhunter-1.2.7.tar.gz
root@server [~]# tar -zxvf rkhunter-1.2.7.tar.gz
root@server [~]# cd rkhunter
root@server [~/rkhunter]# ./installer.sh

Scan the server with rkhunter:

root@server [~]# rkhunter -c

=========================
| 10) The Rest of Shits |
=========================

10.1) Random suggestions

If you use the bind DNS server then we need to edit the named.conf file.
named.conf is located here: /etc/named.conf

Add "recursion no;" under options:

----------------------------
options {
    recursion no;
----------------------------

Now restart bind, type into SSH:

root@server [~]# service named restart

This will prevent lookups from dnstools.com and similar services and reduce server load.

In order to prevent IP spoofing, you need to edit the host.conf file like this:
This file is located here: /etc/host.conf
Add that
in host.conf:

------------------
order bind,hosts
nospoof on
------------------

Hide the Apache version number:
Edit httpd.conf (/etc/httpd/conf/httpd.conf)

-----------------------
ServerSignature Off
-----------------------

10.2) Passwords

Don't use the same password you are using for the server in other places.
When the datacenter contacts you via e-mail or phone, always request
more information. Remember, someone else could contact you to get some
information or even root passwords.

10.3) Random thoughts

No matter what, you need to secure the server, don't think you are safe
only because you are not personally involved in any shit with
"hackers". When you are hosting hacking/warez related sites you are the
target. There is no such thing as a totally secured server. The most important
things are backups, make sure you will always have "up-to-date"
offsite backups ^^

Anyhow, this is the end of my paper, I hope it will help you to get some
kind of security to your server.

-Krun!x

# milw0rm.com [2009-06-29]
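The php.ini directives listed in section 3.5 can be audited as well as set. The script below is an added example and not part of the original paper; it assumes standard php.ini syntax (one "key = value" per line, ";" comments, the last definition wins), checks each directive from 3.5 by name (magic_quotes_gpc is the real directive behind "magic_quotes") and verifies that every function from the disable_functions list is actually disabled.

```shell
#!/bin/sh
# Audit a php.ini against the hardening directives from section 3.5.
# Added example, not from the original paper. Assumes the standard php.ini
# syntax: "key = value" lines, ";" starts a comment, last definition wins.

# php_ini_get <file> <directive>: effective value, lower-cased, or empty.
php_ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*;.*$//; s/[[:space:]]*$//' \
        | tail -n 1 | tr '[:upper:]' '[:lower:]'
}

# audit_php_ini <file>: prints one FAIL line per problem, returns the count
# (0 means the file matches the paper's settings).
audit_php_ini() {
    fails=0
    # directive=expected pairs taken from the php.ini block in 3.5
    for pair in safe_mode=on expose_php=off enable_dl=off \
                magic_quotes_gpc=on register_globals=off display_errors=off; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(php_ini_get "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key is '${got:-unset}', expected '$want'"
            fails=$((fails + 1))
        fi
    done
    # disable_functions must contain every function the paper lists;
    # wrap the list in commas so "exec" cannot match inside "shell_exec"
    disabled=",$(php_ini_get "$1" disable_functions | tr -d ' '),"
    for fn in system show_source symlink exec dl shell_exec passthru \
              phpinfo escapeshellarg escapeshellcmd; do
        case "$disabled" in
            *",$fn,"*) ;;
            *) echo "FAIL $fn missing from disable_functions"
               fails=$((fails + 1)) ;;
        esac
    done
    return "$fails"
}

# Demo on a constructed php.ini (not a real server file). To audit the
# paper's file instead, run: audit_php_ini /usr/local/lib/php.ini
demo=$(mktemp)
cat > "$demo" <<'EOF'
; constructed sample: several directives missing, display_errors left on
safe_mode = On
expose_php = Off
display_errors = On
disable_functions = system, exec, shell_exec, passthru
EOF
audit_php_ini "$demo" && rc=0 || rc=$?
echo "problems found: $rc"
rm -f "$demo"
```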
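The per-IP connection count from 6.6 and the CT_LIMIT threshold from 6.2, combined into one script. This is an added example, not from the original paper; it goes a little beyond the page's one-liner in that the port is stripped with awk, so IPv4-mapped IPv6 peers (::ffff:a.b.c.d:port) are not garbled by "cut -d: -f1" and the netstat header lines are skipped. The netstat output is constructed for the demo.

```shell
#!/bin/sh
# Connections per remote peer (section 6.6) checked against a CT_LIMIT-style
# threshold (section 6.2). Added example, not from the original paper.

# count_conns <netstat-output-file>: prints "<count> <peer>" per remote
# address, busiest last (same shape as sort | uniq -c | sort -n in 6.6).
count_conns() {
    awk '$1 ~ /^(tcp|udp)6?$/ {
             peer = $5
             sub(/:[0-9]+$/, "", peer)   # drop only the trailing :port
             n[peer]++
         }
         END { for (p in n) print n[p], p }' "$1" | sort -n
}

# over_limit <netstat-output-file> <limit>: peers with MORE than <limit>
# connections, which is what CT_LIMIT = "200" blocks on.
over_limit() {
    count_conns "$1" | awk -v lim="$2" '$1 > lim { print $2 }'
}

# Constructed sample in the layout of `netstat -ntu` (not captured from a
# real server). Columns: Proto Recv-Q Send-Q Local Foreign State
sample=$(mktemp)
cat > "$sample" <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 203.0.113.10:80             198.51.100.5:50001          ESTABLISHED
tcp        0      0 203.0.113.10:80             198.51.100.5:50002          ESTABLISHED
tcp        0      0 203.0.113.10:80             198.51.100.5:50003          TIME_WAIT
tcp        0      0 203.0.113.10:22             198.51.100.6:40000          ESTABLISHED
tcp6       0      0 ::ffff:203.0.113.10:443     ::ffff:198.51.100.7:51000   ESTABLISHED
tcp6       0      0 ::ffff:203.0.113.10:443     ::ffff:198.51.100.7:51001   ESTABLISHED
EOF
echo "connections per peer:"; count_conns "$sample"
echo "peers over a limit of 2:"; over_limit "$sample" 2
rm -f "$sample"
```

On a live server replace the sample file with the output of netstat -ntu and the limit with the CT_LIMIT value from csf.conf.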