Ayman Hourieh

Interesting, thanks.

Great Tutorial and very helpful for Gentoo Linux users.

These are some very good tips that everyone should follow. One thing I don't recommend doing, though is using vi to look at /var/log/messages.

Use cat or tail instead.

Port 21 is it????? I don't think so.

I don't know whether LSB requires /tmp to be writable, but I know programs such as gzexe that require an executable /tmp. nodev and nosuid are better settings as executables can most often be placed elsewhere too. The suggestions mentioned above are mostly paranoid.

Dugg :)

http://digg.com/linux_unix/Tips_to_Secure_Linux_Workstation

Port 21 is for FTP, port 22 is for ssh by default...

TW

If you need to open MySQL for remote access, consider running MySQL on another port. There are numerous exploits (mainly brute force) which look for MySQL on it's default port (3306). If you use port forwarding on your incoming router, you won't even have to change your MySQL installation. Forward a different port on your external interface to 3306 internal.

Also, there is no reason in the world why the 'root' user in MySQL needs to exist (in the 'mysql' database). Clone this user to another username and remove the 'root' username account from MySQL. Most brute force kits look for the default 'root' account.

setting /tmp to noexec won't stop the script kiddies, they just download perl scrips and execute them from somewhere else, if fact I've found it caused more problems then it solved in the past due to applications falsely assuming they could exec temp stuff in /tmp

Instead of using netfilter/iptables, which even you admit has configuration headaches, I'd suggest investing in a separate fireall device.

You get to stop all incoming traffic before it reaches and attempts to swamp your machine, and in general it's easier to manage.

Do you really want to have to worry about your firewall during an upgrade<->downgrade<->upgrade problem with portage because one of the devs (bless their little hearts) got something slightly wrong?

I've been running Gentoo on my workstation and one server for 3 years very successfully but I'd rather have my fireall be an appliance while I'm upgrading and changing configurations.

My firewall only cost 60$ 3 or 4 years ago and has worked flawlessly ever since.

the default port is 22, telnet uses port 21...

i would also suggest this added to the sshd_config

StrictModes yes X11Forwarding no UsePrivilegeSeparation yes

and this option is not even valid for ssh MaxAuthTries 6

--T

telnet does NOT use port 21, it uses tcp port 23

FTP uses tcp ports 20 and 21, though might only use 21 in some cases if passive ftp is possible.

I also find AllowUsers to be helpful in allowing specific users the ability to log in using SSH

AllowUsers [username] [username 2] ... [username n]

i persnally use the command netstat -luntp to show all open ports and programms listening on the ports. on bsd one can use sockstat -4 -l and see the same.

greetings

As you suggested dropping incoming conn at the firewall is a really good idea.

If you do login to the server using ssh from a remote location, it is always safe to configure iptables to allow incoming conn to sshd only from a particular IP addrs. (you can allow conn to port 22 from the ip xxx.xxx.xxx.xxx)

In case the client uses DHCP, and the IP changes regularly, u can configure iptables on the server to allow incoming conn only from ur clients MAC addrs. This is better than using IP addrs bcoz someone might be able to use ur client IP address when ur client is not using it. (you can allow conn to port 22 from MAC addrs xx-xx-xx-xx-xx-xx)

Also note that if for some reason if ur network card fails, there is no way you can do a remote login to the machine. Someone shld change the settings by physically being at the terminal.

Good article, wish I had something similar when I was starting out.

Instead of your proposed vi /var/log/messages use some scripts like Logcheck http://logcheck.org/ which runs through your logs and emails you things that are out of place. It's easy to modify the conf files to train it to ignore things that come up often that you're not worried about. I have it set to run nightly, and it's amazing what it's able to help out with. It easily cuts out the cruft (regular events) allowing me to focus on things that are unexpected.

Also, aside from sub'ing to your distro's security mailling list, sub to things like Security Focus, or other apps that are 'live' to the world. I found out about and fixed some Drupal vulns before my distro (freebsd) did since I was on the Drupal list.

Thanks fak3r

i tried changing the default port and it didn't work...i was using putty to connect to a different ssh port, could that be the problem or maybe the port i chose to use...do you recommend another port outside of 22?

great article by the way...i implented most of you ideas for ssh...was getting multiple hacking attempts

Just passing through when I saw your thread, great tips I also have a few that people may find useful. If you add this to the end of your /etc/profile file, it will alert you when an account is created. Unfortuntely I haven't been able to verify if this works just yet

if "$UID" > 1000 ; then echo 'ALERT - New Account Created (MachineName) on:' date who | mail -s "New Account Created on (MachineName) who | cut -d'(' -f2 | cut -d')' -f1" you@yourdomain.com fi

Now just modify it a bit to alert you if someone creates an acount that is part of the root group:

if "$GID" == 0 ; then echo 'ALERT - New Account Created With Root Group Privileges (MachineName) on:' date who | mail -s "New Account Created With Root Group Privileges on (MachineName) who | cut -d'(' -f2 | cut -d')' -f1" you@yourdomain.com fi

Add this line to your /etc/hosts.deny file and it will email you if there is a refused connection from the Inetd daemon ( TCP Wrappers):

ALL:ALL:/bin/mail -s %s connection attempt from %c you@yourdomain.com

m0n0wall is not a netfilter/iptables frontend. It's an embedded "firewall distribution" based on FreeBSD.

Hello there, Well, what a great guide on security basics, some very interesting stuff too, Thanks for the interesting read, It's proved useful to me, with some of the debian machines I run,

Thanks again

Adam

Also which distro has out-of-the-box support for SATA hard drives. Any suggestions?

Have you tried Ubuntu. It's a gr8 distro and has very good support for a variety of vendors. You need to have a good connection for downloading necessary packages.

I have tried FC5 too and it seems to contain good support in a single DVD (5 CDs).

The following /proc manipulation is minimal to secure linux for networking:

# don't answer to broadcast pings
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# don't answer to bogus ICMP messages
echo 0 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# enable source validation and kick the ip spoofing shit
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# change default TTL (default in Linux is 64)
echo 61 > /proc/sys/net/ipv4/ip_default_ttl
# send RST packages if buffer is full
echo 1 > /proc/sys/net/ipv4/tcp_abort_on_overflow
# wait max. 30 seconds for FIN/ACK
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
# max 3  SYN packages for one connection attempt
echo 3 > /proc/sys/net/ipv4/tcp_syn_retries
# max 3 SYN/ACK packages for one connection attempt
echo 3 > /proc/sys/net/ipv4/tcp_synack_retries

you would have to be insane or very inexperienced to allow password access to any machine running SSH, especially in the wild. any sysadmin with any clue whatsoever disables password authentication and uses keyfiles. keep them with you on an encrypted usb stick: if you use freeOFTE and luks then you have windows + linux compatibility for accessing your keys. additionally, SELinux is very useful for protecting the system against your legitimate users and rogue programs.

Your notes are good and helpful. I notice you use hosts.allow, and I do too, but I think you should mention putting ALL: ALL in hosts.deny. You might also warn FC5 users that the xinetd package is not installed by default. As far as I know, hosts.allow is a tcpwrappers thing, right? So without xinetd, it doesn't do anything. Does it?

in a computer lab with lots of systems, I use ssh related tools a lot to administer the systems and if I follow your advice and turn off root logins in sshd, then my administrative problems are much more difficult. If I do allow root access with sshd, I think there should be some other ways to secure the system.

For example, is there a way with iptables to allow root logins only from a few IP numbers? Or is there a way to make ssh accept logins only from systems that have a particular PGP security key (an id_rsa file) in .ssh?

Just wondering...

pj

Hey Aymanh,

Good stuff; keep it up. A buddy of mine wrote an extremely useful Python script for security called DenyHosts:

http://denyhosts.sourceforge.net/

It's open source and is already included in a number of Linux distros already. It'll be included in the next Ubuntu release ("Edgy Eft"), as well.

HTH!

Hey, this is the very great post. i've got the new ideas of securing the linux box. i hope it will work on my red hat enterprise server 2004.

hi, due to Darren Tucker you need to disable ChallengeResponseAuthentication with ChallengeResponseAuthentication no if you are using Pam with openssh.

so it won't accept no more passwords and just pubkeys

It helps somewhat, but not too much. I'm using it on a server, and was just hacked by a "/tmp" script.

simple really: instead of executing a script, the hacker just initiated perl script.pl and voila, noexec does nothing, since perl itself is obviously not on a noexec partition.

http://goinggnu.wordpress.com/2007/01/30/tips-to-secure-linux-workstation-2/

exactly same article.....

yes port 21 exists....the port 21 is used by ftp.....

Nice list. You can also make accounts inaccessable by locking them. As root do "passwd -l useraccount". Now its impossible to login as this user. The advantage of locking is that you can unlock it later. Another good tip for securing the server is making an wheel group - add all the users who can become root to this group. This way only one user may change to root. I don't know why this isn't enabled by default like the BSD's do.

Ssh - I only login using keys. if you do not have the key you won't be able to enter a passphrase to login. This way an attacker either needs both your key and passphrase to login or use an exploit to gain access. Also if you have a fixed ip address - add rules that only your ip address can login via ssh. You can do this with iptables or use hosts.allow and hosts.deny.

I've put up some nice tips on my squidoo lens. http://www.squidoo.com/linux-tips-and-tricks

pretty sure it works on most distros, not just gentoo

thx for the great post!!!best wishes from romania.

I agree with everything about this article except

1) the tmp noexec

That is about it... the use of a firewall is also not nessassary... as you are poking a hole in the firewall to access ssh port and others...so why bother?

The key is to use TCP Wrappers... set ssh: in /etc/hosts.allow

Than if anyone not coming from that IP address, will simply be instantly denied with no attempt for any kind of attack whatso ever....

How ever, I do recomment that if you do use KEYED ssh passwords, that you create a user account SPECIFICALLY for the sole purpose of logging into SSH... a user that is bare minimum rights.. than from there elevate to ROOT.

Using TCP Wrappers and a non root user to log in...and your pretty much safe. I have never been hacked... but I can tell you they have tried... but since TCP wrappers blocks them from the get go.. they go elsewhere.

Also, changing the PORT will not do much good, as using nmap will tell you all open ports anyways, and only inconviences you from having to use another odd port number.. although layers of security never hurts.

If you enable networking for remote mysql... they you can add mysqld: to hosts.allow just like you do for sshd.

There is never really a need to access mysql directly. Typically using phpMyADMIN thru apache which then connects through the localhost... is more secure.. but if you have multiple servers with mysql running on them, then you can as I just mentioned use TCPWRAPPERS for mysql/mysqld restricted by ip address...

Good article. While I agree with many people its better to have a separate firewall at the edge of the network before anything ever hits an internal box that just isn't realistic in all applications. Take SIP and many streaming media related applications. NAT is a nightmare to deal with when using SIP and including supplemental solutions like STUN/proxies create more bottlenecks and potential points of failure/overhead. I think this article does a great job showing how to harden SSH to any box that must be on the public internet. From there many people would want to keep adding more layers of security. Good stuff.

You can give ssh a config file for specific machines so you don't have to specify port and user on the command line:

Example for ~/.ssh/config:

Host 192.168.0.1 Port 12345 User john_doe