
Linux Server Hardening Best Practices

This article explains recommended hardening practices for a Linux server, for when you want to improve its security posture.

Server hardening is the process of reducing a server's attack surface through a series of configuration changes: disabling services and features that are not needed, restricting access to the ones that remain, and adding monitoring so that a compromise is noticed. The result is a considerably more secure operating environment.

Disable lame-server logging and harden BIND (named):

  1. Run the commands:
              
                service named stop
                nano -w /etc/named.conf
              
            
  2. Add these lines at the top. Some servers will already have a logging {} section. If so, simply add these lines inside the existing logging section:
              
                logging {
                  category lame-servers { null; };
                };
              
            
  3. Under the options {} section, add these lines below directory /var/…:
              
                allow-transfer { none; };
                version "[null]";
                recursion no;
              
            
  4. Check the syntax with named-checkconf, then restart the named service:
              
                service named restart
              
            
     With recursion disabled, named no longer answers recursive queries, including from this host. If /etc/resolv.conf points at 127.0.0.1, edit it (nano /etc/resolv.conf) to use an upstream recursive resolver, otherwise the server itself loses name resolution.

NOTE
allow-transfer { none; } refuses every zone transfer (AXFR/IXFR), so do not apply it as written on a primary that feeds secondaries or in a clustered setup; list the secondaries' addresses in allow-transfer instead. recursion no makes BIND authoritative-only, which is right for a public nameserver but breaks any client that uses it as a resolver. version "[null]" only hides the version string from version.bind queries; it does not remove the need to patch.
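The same options written for a primary that still has to serve secondaries, as an added example that is not part of the original article. The acl name, the /var/named directory and the 192.0.2.x addresses (documentation range) are placeholders to replace with your own.

```conf
// Added example: authoritative-only BIND with zone transfers limited to known secondaries.
// 192.0.2.10 and 192.0.2.11 are placeholder addresses; "secondaries" is a chosen acl name.
acl "secondaries" { 192.0.2.10; 192.0.2.11; };

options {
    directory "/var/named";          // RHEL default; use the directory line already in your file
    version "[null]";                // hide the version string from version.bind CHAOS queries
    recursion no;                    // authoritative-only: never resolve on behalf of clients
    allow-query { any; };            // the zones served here are meant to be public
    allow-transfer { secondaries; }; // use { none; } instead on a standalone server with no secondaries
    also-notify { 192.0.2.10; 192.0.2.11; };
};

logging {
    category lame-servers { null; };
};
```

Run named-checkconf after editing; it reports syntax errors that would otherwise only show up when named refuses to start. To confirm the transfer restriction from an address that is not in the acl, request an AXFR with dig (dig @server zone AXFR) and expect "Transfer failed".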

Disable direct root login over SSH:

  1. Create a non-root administrative account. The second command prompts for a password:
              
                useradd wheelusername
                passwd wheelusername
              
            
  2. Add the user to the wheel group so it can become root with su:
              
                nano -w /etc/group
              
            
     Search for the wheel line and append ,wheelusername to it.
  3. Edit the SSH daemon configuration:
              
                nano -w /etc/ssh/sshd_config
              
            
     Find the line
              
                #PermitRootLogin yes
              
            
     and change it to:
              
                PermitRootLogin no
              
            
     At the end of the file (before any Match block, if one is present), add:
              
                AllowUsers wheelusername
              
            
     AllowUsers is an allow-list: every other account, root included, is refused at the SSH layer. Keep your current session open, restart sshd (see the next section), and confirm from a second terminal that wheelusername can log in and su to root before you log out.

Change the default SSH port:

        
          cp /etc/ssh/sshd_config /etc/ssh/sshd_config_backup
          vi /etc/ssh/sshd_config
        
      

Change the Port line from 22 to an unused port of your choice. Open that port in the firewall before restarting sshd (on hosts with SELinux enforcing, also register it with semanage port -a -t ssh_port_t -p tcp <port>), and check the file with sshd -t before the restart. A non-default port only cuts the log noise from scanners; it is not a substitute for disabling root login.

Restart the SSH service (the original had a stray "c" in front of the path):

          
            /etc/init.d/sshd restart
          
        

Keep your existing session open until a fresh login on the new port succeeds.

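The two SSH changes above can be made to a copy of sshd_config and verified before they touch the live daemon. The script below is an added example, not code from the original article: it rewrites PermitRootLogin, AllowUsers and Port in a file, handles the two mistakes that commonly lock people out (a leftover earlier occurrence of the keyword, which sshd honours because it takes the first match, and a setting appended after a Match block, where it is not allowed), and runs on a constructed sample. The user name wheelusername and port 2222 are placeholders.

```shell
#!/bin/bash
# Added example, not code from the original article: apply the sshd_config
# changes described above (PermitRootLogin no, AllowUsers, a new Port) to a
# COPY of the file, so it can be checked with "sshd -t -f" before it replaces
# the live /etc/ssh/sshd_config. "wheelusername" and port 2222 are placeholders.
set -eu

# set_sshd_opt FILE KEYWORD VALUE
# sshd uses the FIRST occurrence of a keyword, so a leftover "PermitRootLogin yes"
# above yours would silently win. This rewrites the first (commented or live)
# occurrence in place, drops later duplicates, and otherwise appends the setting
# before any "Match" block (most keywords are not permitted inside Match).
set_sshd_opt() {
  local file="$1" key="$2" value="$3" tmp="$1.tmp"
  if grep -Eiq "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$file"; then
    awk -v k="$key" -v v="$value" '
      tolower($0) ~ "^[ \t]*#?[ \t]*" tolower(k) "([ \t]|$)" {
        if (!done) { print k " " v; done = 1 }
        next
      }
      { print }' "$file" > "$tmp"
  elif grep -Eiq '^[[:space:]]*match[[:space:]]' "$file"; then
    awk -v line="$key $value" '
      !done && tolower($1) == "match" { print line; done = 1 }
      { print }' "$file" > "$tmp"
  else
    cp "$file" "$tmp"
    printf '%s %s\n' "$key" "$value" >> "$tmp"
  fi
  mv "$tmp" "$file"
}

# get_sshd_opt FILE KEYWORD -> the value sshd would use (first live occurrence),
# or an empty string when the keyword is unset.
get_sshd_opt() {
  awk -v k="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
    $1 !~ /^#/ && tolower($1) == k { print $2; exit }' "$1"
}

# harden_sshd_config FILE ADMIN_USER PORT
harden_sshd_config() {
  set_sshd_opt "$1" PermitRootLogin no
  set_sshd_opt "$1" AllowUsers "$2"
  set_sshd_opt "$1" Port "$3"
}

# Demonstration on a constructed sample (not a real sshd_config).
sample=$(mktemp)
cat > "$sample" <<'EOF'
#Port 22
PermitRootLogin yes
X11Forwarding no
Match User backup
    PasswordAuthentication no
EOF
harden_sshd_config "$sample" wheelusername 2222
cat "$sample"
rm -f "$sample"

# To roll out for real (as root, with your current session left open):
#   cp /etc/ssh/sshd_config /etc/ssh/sshd_config_backup
#   cp /etc/ssh/sshd_config /root/sshd_config.new
#   harden_sshd_config /root/sshd_config.new wheelusername 2222
#   sshd -t -f /root/sshd_config.new && cp /root/sshd_config.new /etc/ssh/sshd_config
#   (open the new port in the firewall; with SELinux enforcing also run
#    semanage port -a -t ssh_port_t -p tcp 2222)
#   /etc/init.d/sshd restart
#   then log in from a second terminal as wheelusername on the new port before closing this one.
```

The sample output shows Port 2222 replacing the commented #Port 22 line, PermitRootLogin flipped to no, and AllowUsers inserted above the Match block rather than at the end of the file.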
Tweak the TCP/IP stack (sysctl.conf):

Back up the existing file first:

        
          mv /etc/sysctl.conf /etc/sysctl.conf.bak
        
      

Place the following content in /etc/sysctl.conf. The original listing repeated several blocks and set log_martians to 0 and, further down, to 1; sysctl applies the file top to bottom, so the last value wins, and the duplicates have been removed here. The eth0 entries only matter if that interface exists; the all and default entries cover every interface. Apply the file with sysctl -p and watch for errors:

          
            # Kernel sysctl configuration file for Red Hat Linux
            #
            # For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
            # sysctl.conf(5) for more details.

            # Disable packet forwarding (this host is not a router)
            net.ipv4.ip_forward = 0

            # Disable IP source routing
            net.ipv4.conf.all.accept_source_route = 0
            net.ipv4.conf.default.accept_source_route = 0
            net.ipv4.conf.lo.accept_source_route = 0
            net.ipv4.conf.eth0.accept_source_route = 0

            # Enable IP spoofing protection: reverse-path (source) verification
            net.ipv4.conf.all.rp_filter = 1
            net.ipv4.conf.default.rp_filter = 1
            net.ipv4.conf.lo.rp_filter = 1
            net.ipv4.conf.eth0.rp_filter = 1

            # Do not accept ICMP redirects (they can reroute traffic through an attacker)
            net.ipv4.conf.all.accept_redirects = 0
            net.ipv4.conf.default.accept_redirects = 0
            net.ipv4.conf.lo.accept_redirects = 0
            net.ipv4.conf.eth0.accept_redirects = 0

            # Log spoofed, source-routed and redirect packets ("martians")
            net.ipv4.conf.all.log_martians = 1
            net.ipv4.conf.default.log_martians = 1
            net.ipv4.conf.lo.log_martians = 1
            net.ipv4.conf.eth0.log_martians = 1

            # Disable the magic SysRq key
            kernel.sysrq = 0

            # Shorten tcp_fin_timeout (seconds an orphaned socket stays in FIN-WAIT-2)
            net.ipv4.tcp_fin_timeout = 15

            # Shorten tcp_keepalive_time (seconds of idle time before the first keepalive probe)
            net.ipv4.tcp_keepalive_time = 1800

            # Disable TCP window scaling, selective ACK and timestamps.
            # Timestamps off hides uptime from remote fingerprinting but also disables
            # PAWS; all three cost throughput on fast links, so keep them enabled on
            # busy servers.
            net.ipv4.tcp_window_scaling = 0
            net.ipv4.tcp_sack = 0
            net.ipv4.tcp_timestamps = 0

            # Enable TCP SYN cookie protection against SYN floods
            net.ipv4.tcp_syncookies = 1

            # Ignore ICMP echo requests sent to broadcast addresses (smurf protection)
            net.ipv4.icmp_echo_ignore_broadcasts = 1

            # Ignore bogus ICMP error responses
            net.ipv4.icmp_ignore_bogus_error_responses = 1

            # Increase the SYN backlog (the half-open connection queue)
            net.ipv4.tcp_max_syn_backlog = 1024

            # Increase the TIME-WAIT bucket pool size
            net.ipv4.tcp_max_tw_buckets = 1440000

            # Allowed local (ephemeral) port range; the upper bound cannot exceed 65535
            net.ipv4.ip_local_port_range = 16384 65535
          
        

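Because sysctl silently takes the last value when a key is repeated, a file like the one above is worth linting before it is loaded. The script below is an added example, not code from the original article: one function reports keys assigned conflicting values in a sysctl.conf, and a second compares the file with the running kernel by reading /proc/sys directly, so it works even where the sysctl binary is absent. The sample file it runs on is constructed to reproduce the log_martians contradiction.

```shell
#!/bin/bash
# Added example, not code from the original article: two checks for a
# sysctl.conf. The first finds keys assigned conflicting values (the listing
# above originally set net.ipv4.conf.all.log_martians to 0 and later to 1;
# sysctl applies the file top to bottom, so the LAST value silently wins).
# The second compares the file against the running kernel through /proc/sys.
set -eu

# sysctl_conflicts FILE
# Prints "key: v1 -> v2" for every key given more than one distinct value.
# Returns 0 when the file is consistent, 1 when conflicts were found.
sysctl_conflicts() {
  awk '
    /^[ \t]*(#|;|$)/ { next }                       # comment or blank line
    {
      line = $0
      sub(/[ \t]*(#|;).*$/, "", line)                # strip a trailing comment
      n = index(line, "="); if (n == 0) next
      key = substr(line, 1, n - 1); val = substr(line, n + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key)
      gsub(/^[ \t]+|[ \t]+$/, "", val)
      gsub(/[ \t]+/, " ", val)                       # "16384   65535" == "16384 65535"
      if (!(key in last)) { hist[key] = val }
      else if (last[key] != val) { hist[key] = hist[key] " -> " val; bad[key] = 1 }
      last[key] = val
    }
    END {
      rc = 0
      for (k in bad) { printf "%s: %s\n", k, hist[k]; rc = 1 }
      exit rc
    }' "$1"
}

# sysctl_live_diff FILE
# For each key in FILE, print a line when the running kernel disagrees. Reads
# /proc/sys directly, so it needs no sysctl(8) binary. (Keys whose interface
# names themselves contain dots, e.g. eth0.100, are not translated correctly.)
sysctl_live_diff() {
  local key val path live
  grep -E '^[[:space:]]*[^#;[:space:]]' "$1" | while IFS='=' read -r key val; do
    key=$(printf '%s' "$key" | tr -d '[:space:]')
    val=$(printf '%s' "$val" | sed 's/[#;].*//' | tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//')
    path="/proc/sys/$(printf '%s' "$key" | tr . /)"
    if [ ! -r "$path" ]; then echo "$key: not present on this kernel"; continue; fi
    live=$(tr -s '[:space:]' ' ' < "$path" | sed 's/ $//')
    [ "$live" = "$val" ] || echo "$key: file=$val live=$live"
  done
}

# Demonstration on a constructed file that reproduces the contradiction.
f=$(mktemp)
cat > "$f" <<'EOF'
# constructed sample, not a real sysctl.conf
net.ipv4.conf.all.log_martians = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.tcp_syncookies = 1
EOF
sysctl_conflicts "$f" || echo "conflicting keys above: the last value is what sysctl -p applies"
[ -r /proc/sys/net/ipv4/tcp_syncookies ] && sysctl_live_diff "$f"
rm -f "$f"
```

Run sysctl_conflicts against /etc/sysctl.conf before sysctl -p; run sysctl_live_diff afterwards (and again after a reboot) to confirm the kernel actually holds the values, since a typo in a key name only produces a warning and leaves the old value in place.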
Install rkhunter and set up a weekly cron job:

rkhunter is also packaged in EPEL (yum install rkhunter). If you build from the tarball, download the current release from the rkhunter project page on SourceForge (the download URL in the original is truncated) and verify its published checksum, then:

        
          cd /root
          tar -zxf rkhunter-1.3.4.tar.gz
          cd rkhunter*
          ./installer.sh --layout default --install
          rkhunter --propupd
        
      

The final command records the current file properties as the baseline; run it only on a system you trust to be clean, and again after legitimate package updates so they are not reported as changes. Create /etc/cron.weekly/rkhunter.sh with the following content (the original listing ran these commands in the cron directory instead of saving them as a script):

        
          #!/bin/bash
          EMAIL=your@domain.com
          rkhunter -c --sk --summary -q | mail -s "Rkhunter Scan Report - $(hostname)" $EMAIL
        
      

Make the script executable:

        
          chmod 755 /etc/cron.weekly/rkhunter.sh
        
      

Install chkrootkit and set up a weekly cron job:

        
          cd /usr/local/src/
          wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
          tar -zxf chkrootkit.tar.gz
          mv chkrootkit-* /usr/local/chkrootkit
          cd /usr/local/chkrootkit
          make sense
        
      

(The original moved chkrootkit* rather than chkrootkit-*, a glob that also matches the tarball; make sense is the project's documented build step for its helper binaries.) Create /etc/cron.weekly/chkrootkit.sh with the following content and make it executable with chmod 755:

        
          #!/bin/bash
          EMAIL=your@domain.com
          /usr/local/chkrootkit/chkrootkit -q | mail -s "chkrootkit Scan Report - $(hostname)" $EMAIL
        
      

Both tools produce false positives on shared hosting systems; investigate each report rather than learning to ignore recurring ones, and remember that a rootkit that has already compromised the kernel can hide from both.

Disable PHP functions that pose a risk:

        
          vi /usr/local/lib/php.ini

          disable_functions = symlink,shell_exec,exec,proc_close,proc_open,popen,system,dl,passthru,phpinfo
        
      

The original list also disabled escapeshellarg, escapeshellcmd and ini_set. The first two are sanitisers rather than execution primitives: removing them makes applications that call them die with a fatal error while adding no protection once the exec family is gone. ini_set is used by most PHP applications and disabling it breaks them. Restart Apache (or PHP-FPM) after editing php.ini, and confirm the effective list with php -i | grep disable_functions, bearing in mind that the CLI and the web SAPI may read different php.ini files.

Install and configure mod_security to block web-based attacks:

cPanel server

  1. Log in to WHM as root.
  2. Click EasyApache (Apache Update) under the Software section.
  3. While selecting modules in the Short Options List, select Mod Security.
  4. Select Start customizing based on profile.

The wizard will now recompile Apache. Watch the screen and note any error messages. When the build is complete, verify that PHP pages are still loading correctly.

Plesk server

  1. Since Plesk is fully RPM based, you can install mod_security as a package. It is not in the common RPM repositories, so add the Atomicorp repository with the installer below and then install the module (the installer is piped straight into a shell here; download it and read it first if that is not acceptable in your environment):
                
                  wget -q -O - https://www.atomicorp.com/installers/atomic.sh | sh
    
                  yum install mod_security
                
              
  2. Unlike other Apache module RPMs, this one does not add a LoadModule line to httpd.conf. Edit httpd.conf and add the following lines below the existing LoadModule section (on a 64-bit host libxml2 lives under /usr/lib64; adjust the LoadFile path):
                
                  vi /etc/httpd/conf/httpd.conf
    
                  LoadFile /usr/lib/libxml2.so
                  LoadModule security2_module modules/mod_security2.so
                  Include conf/mod_security.d/*.conf
                
              
  3. Create mod_security.d under /etc/httpd/conf/ to hold the rule set:
                
                  mkdir /etc/httpd/conf/mod_security.d
    
                  cd /etc/httpd/conf/mod_security.d
                
              
  4. Download the rule set and make sure you extract it inside /etc/httpd/conf/mod_security.d:
                
                  wget https://www.modsecurity.org/download/modsecurity-core-rules_2.1-1.4.3.tar.gz
    
                  tar zxf modsecurity-core-rules_2.1-1.4.3.tar.gz
    
                  rm -f modsecurity-core-rules_2.1-1.4.3.tar.gz
                
              
  5. Check the configuration with apachectl configtest, then restart the web server:
                
                  service httpd restart
                
              
NOTE

Rules may block legitimate requests with "access denied" errors. Keep monitoring /etc/httpd/logs/error_log; every block logs the rule id, so disable only that rule with SecRuleRemoveById rather than deleting whole rule files. Running with SecRuleEngine DetectionOnly for the first days logs what would have been blocked without blocking it.

If the warning ModSecurity: Rule execution error - PCRE limits exceeded (-8): (null). appears in the error log, the affected Apache processes can consume all CPU and memory, growing to around 100 to 150 MB of RSS per pid, with an unusual 60 MB or so of locale-archive showing in pmap. To resolve it, create the file pcre_modsecurity_exceeded_limits.conf in /etc/httpd/conf:

            
              vi /etc/httpd/conf/pcre_modsecurity_exceeded_limits.conf
            
          
Add the lines:
            
              SecPcreMatchLimit 150000

              SecPcreMatchLimitRecursion 150000
            
          
A file in /etc/httpd/conf is not read unless something includes it: either add an Include line for it in httpd.conf or place it in /etc/httpd/conf/mod_security.d/, where the wildcard Include above picks it up. Restart Apache and keep watching the error log.
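A local tuning file that covers both points in the NOTE (run in detection mode first, then disable individual rules by id instead of deleting rule files) is shown below. It is an added example, not configuration from the original article: the file name zz_local.conf is chosen so that it sorts after the downloaded rules within the wildcard Include, which SecRuleRemoveById requires; the rule id 123456 and the /admin/upload.php path are placeholders. Apache does not allow comments at the end of directive lines, so every comment sits on its own line.

```apache
# Added example: /etc/httpd/conf/mod_security.d/zz_local.conf
# (name chosen so it loads after the core rules; not part of the original article)

# Phase 1 of rollout: log what would be blocked, block nothing.
# Change to "On" once /etc/httpd/logs/error_log has been clean for a few days.
SecRuleEngine DetectionOnly

# Keep the audit log to blocked/flagged transactions only, so it stays readable.
SecAuditEngine RelevantOnly
SecAuditLog /etc/httpd/logs/modsec_audit.log

# The PCRE limits from the NOTE above, placed here so the wildcard Include reads them.
SecPcreMatchLimit 150000
SecPcreMatchLimitRecursion 150000

# Disable one rule globally by the id that error_log reports (123456 is a placeholder).
SecRuleRemoveById 123456

# Or disable it only for the one URL that triggers the false positive (placeholder path).
<LocationMatch "^/admin/upload\.php$">
    SecRuleRemoveById 123456
</LocationMatch>
```

After adding the file, run apachectl configtest, restart Apache, and grep error_log for the id of anything still firing before switching SecRuleEngine to On.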

 

Set up a root login alert:

Add the following line to /root/.bashrc so that every interactive root shell (a direct login, su - or sudo -i) sends a mail with the originating address (the original line had mismatched quotes, a literal (hostname) and a mailto: prefix on the address):

        
          echo "ALERT - Root shell access on $(hostname) at $(date): $(who am i)" | mail -s "Alert: root access on $(hostname) from $(who am i | awk '{print $NF}' | tr -d '()')" you@domain.com
        
      

Treat this as a tripwire, not a control: anyone who already has root can edit .bashrc, so also forward /var/log/secure to a remote syslog host where the login records cannot be altered from the compromised server.

Upgrade the kernel:

Check for a kernel update:

          
            yum check-update | grep kernel
          
        

If a kernel update is available, install it:

          
            yum update kernel
          
        

Edit grub.conf so that the default= entry points at the newly installed kernel, then reboot the server. (On GRUB 2 systems, RHEL/CentOS 7 and later, the file is /boot/grub2/grub.cfg, yum already makes the new kernel the default, and the supported way to change it is grub2-set-default.)

          
            vi /boot/grub/grub.conf
          
        

After the reboot, confirm the running kernel version:

          
            uname -r
          
        
        

 

Configure both local and remote backups, and test that a restore from the remote copy actually works before relying on it.

Change the permissions of /bin/ln to 760 (root:root, so ordinary users cannot run ln). This blunts the classic shared-hosting attack in which a user creates a symlink to another account's configuration file and reads it through the web server; the trade-off is that user cron jobs and scripts that call ln will fail. PHP's symlink() is a separate code path, which is why it appears in the disable_functions list above.

Apply the basic package updates with yum.

NOTE
Exclude packages that could break the server's setup (for example a kernel or database version the control panel pins) by listing them on the exclude= line of /etc/yum.conf.

Scan the whole server for malware and take corrective action on anything found. Install Linux Malware Detect (maldet) if it is not already present (the original wrote ./instal.sh; the installer is install.sh):

        
          cd /usr/local/src
          wget https://www.rfxn.com/downloads/maldetect-current.tar.gz
          tar xf maldetect-current.tar.gz && cd maldetect-*
          ./install.sh
        
      

Update the signatures with maldet -u, then scan the user and web directories with maldet -a /home and review the report before quarantining anything it flags.

Temporary directory hardening:

Back up /etc/fstab first:

          
            /bin/cp /etc/fstab /etc/fstab.bak
          
        

Use df to check whether /tmp is already a separate partition.

If /tmp is not a separate partition, build a loopback filesystem for it and mount it with noexec, nosuid and nodev (the image below is about 2 GB; adjust count as needed). The mode is 1777, not the 0777 of the original: the sticky bit is what stops users deleting or renaming each other's files in a world-writable directory.
            
              dd if=/dev/zero of=/usr/tmpMnt bs=1024 count=2000000

              mke2fs -j /usr/tmpMnt

              cp -R /tmp /tmp_backup

              mount -o loop,noexec,nosuid,nodev,rw /usr/tmpMnt /tmp

              chmod 1777 /tmp

              /bin/cp -R /tmp_backup/* /tmp/

              rm -rf /tmp_backup
            
          
    Then add this line at the end of /etc/fstab (nano -w /etc/fstab) so the mount survives a reboot:
            
              /usr/tmpMnt /tmp ext3 loop,noexec,nosuid,nodev,rw 0 0
            
          
If /tmp is already a separate partition, add noexec,nosuid,nodev to the options field of its existing /etc/fstab line and remount it:
            
              nano -w /etc/fstab

              mount -o remount /tmp
            
          
In either case, make /var/tmp use the same restricted filesystem:
            
              rm -rf /var/tmp

              ln -s /tmp /var/tmp
            
          

Expect breakage from software that executes out of /tmp (some installers and package scriptlets). For those, remount with exec temporarily (mount -o remount,exec /tmp), run the installer, and remount with noexec afterwards.

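Whether /tmp came out of the procedure above with the intended options is easy to verify from the kernel's mount table. The script below is an added example, not code from the original article: it extracts the options of a mount point from /proc/mounts (or from any file in the same format, which is how the constructed sample runs offline), lists which of noexec, nosuid and nodev are missing, and audits /tmp together with whatever /var/tmp resolves to.

```shell
#!/bin/bash
# Added example, not code from the original article: confirm that /tmp (and
# the directory /var/tmp actually points at) carry noexec, nosuid and nodev.
# It reads the kernel's mount table from /proc/mounts; a file in the same
# format can be passed instead, which is how the constructed sample below works.
set -eu

# mount_opts MOUNTPOINT [MOUNTS_FILE]
# Comma-separated options of the LAST entry for MOUNTPOINT (a later mount on
# the same path shadows an earlier one), or an empty string if nothing is mounted there.
mount_opts() {
  awk -v mp="$1" '$2 == mp { o = $4 } END { print o }' "${2:-/proc/mounts}"
}

# missing_opts MOUNTPOINT [MOUNTS_FILE]
# Space-separated list of the required options that are absent. An empty
# string means the mount is hardened; "not-a-mountpoint" if nothing is mounted there.
missing_opts() {
  local opts missing="" o
  opts=$(mount_opts "$1" "${2:-/proc/mounts}")
  if [ -z "$opts" ]; then echo "not-a-mountpoint"; return 0; fi
  for o in noexec nosuid nodev; do
    case ",$opts," in
      *",$o,"*) ;;
      *) missing="$missing $o" ;;
    esac
  done
  echo "${missing# }"
}

# audit_tmp [MOUNTS_FILE]
# Report on /tmp and on whatever /var/tmp resolves to (the procedure above
# makes it a symlink to /tmp, so both must land on the restricted filesystem).
audit_tmp() {
  local d target
  for d in /tmp /var/tmp; do
    target=$(readlink -f "$d" 2>/dev/null || echo "$d")
    printf '%-9s -> %-6s missing: %s\n' "$d" "$target" "$(missing_opts "$target" "${1:-/proc/mounts}")"
  done
}

# Demonstration on a constructed mount table (not this host's).
m=$(mktemp)
cat > "$m" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/usr/tmpMnt /tmp ext3 rw,loop,noexec,nosuid 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
EOF
echo "/tmp is missing: '$(missing_opts /tmp "$m")'"         # prints: /tmp is missing: 'nodev'
echo "/dev/shm is missing: '$(missing_opts /dev/shm "$m")'" # prints: /dev/shm is missing: ''
rm -f "$m"
# On a live host, run: audit_tmp
```

The sample deliberately mounts /tmp without nodev, the option the original fstab line also lacked; nodev stops a user creating a device node on the writable filesystem and using it to reach raw disks or memory.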
 

Disable remote MySQL:

Check whether MySQL is listening on the network (skip_networking is OFF by default; the original query was missing the quotes around the pattern):

          
            mysql -e "SHOW VARIABLES LIKE '%networking%'"
          
        

If skip_networking is OFF and no remote client needs the database, enable it: add skip-networking under the [mysqld] section of /etc/my.cnf and restart MySQL, after which the server accepts connections only over its Unix socket. If local TCP clients need 127.0.0.1, use bind-address=127.0.0.1 instead. Confirm afterwards with netstat -tlnp that nothing is listening on port 3306 on a public address.

Install a software firewall such as CSF (ConfigServer Security & Firewall) or, on Plesk, Advanced Policy Firewall (APF), and allow only the ports the server actually serves, including the new SSH port chosen above.

 
