1. File Check:
Check the server behind the IP address above for suspicious files in
#/tmp
Steps:
#cd /usr/local/src
#vi tmpdircheck
find /tmp -type f \( -name '*.php' -o -name '*.txt' -o -name '*.pl' -o -name '*.cgi' -o -name '*.dat' \) \( -perm 777 -o -perm 755 \)
#chmod +x tmpdircheck
#./tmpdircheck
#chmod 1777 /tmp (1777 keeps the sticky bit on /tmp so users cannot remove each other's files)
Repeat the check for the other temporary and spool directories:
#/var/tmp
#/dev/shm
#/var/spool/vbox
#/var/spool/squid
#/var/spool/cron
Use "ls -lab" for checking directories, as compromised servers sometimes contain hidden files that a regular "ls" will not show.
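A fuller version of the tmpdircheck script, added here as an example and not the post's own code: it walks the directories listed above (the names are assumed from the list) and reports files with a script-like extension or with world-writable or execute bits, hidden dotfiles included.

```shell
#!/bin/sh
# Added example (not the post's own tmpdircheck): scan the temp and spool
# directories from section 1 for regular files that carry a script-like
# extension or that are world-writable or executable. find descends into
# hidden dotfiles too, which a plain "ls" would miss.

# Directories scanned when none are given as arguments.
DEFAULT_DIRS="/tmp /var/tmp /dev/shm /var/spool/vbox /var/spool/squid /var/spool/cron"

# scan_tmp_dirs [dir ...]
# Prints one "ls -la" line per suspicious file. Extensions mirror the post's
# list; -perm -0002 matches any other-writable file and -perm -0111 any file
# with an execute bit set, which covers the 777/755 cases from the original.
scan_tmp_dirs() {
    dirs="${*:-$DEFAULT_DIRS}"
    for d in $dirs; do
        [ -d "$d" ] || continue
        find "$d" -xdev -type f \
            \( -name '*.php' -o -name '*.txt' -o -name '*.pl' -o -name '*.cgi' \
               -o -name '*.dat' -o -perm -0002 -o -perm -0111 \) \
            -exec ls -la {} \; 2>/dev/null
    done
}

# count_suspicious [dir ...]: number of findings, handy for a cron alert.
# grep -c prints 0 on empty input but exits 1, hence the "|| true".
count_suspicious() {
    scan_tmp_dirs "$@" | grep -c . || true
}

# Stand-alone usage: scan the default directories and print the findings.
# scan_tmp_dirs
```

Run it as root so every directory is readable; a non-zero count from count_suspicious is a reasonable trigger for an alert.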
=========================================================================
2. Killing unwanted Processes:
Check the process tree (ps -efl or ps -auwx) for suspicious processes; often the malware or hacker's process pretends to be an Apache process.
3. PHP Secure:
register_globals Off
disable_functions = frame,exec,system,passthru,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,ini_alter,dl,popen,show_source
4. Password Check:
a. /etc/passwd file
b. Authorized key files
less .ssh/authorized_keys
less .ssh/id_dsa.pub
c. /usr/bin/wget (should be 700, and owner and group should be root)
d. Last login attempts using the 'last' command
e. Cron log
f. Secure log
g. hosts, hosts.allow and hosts.deny
h. Run the following on both home and home2: find /hsphere/local/home -perm 00777 -exec chmod 755 {} \;
i. Find files not owned by a valid user or group:
find / -xdev \( -nouser -o -nogroup \) -print
5. Firewall:
Remove apf and install csf on all the servers (csf makes blocking easier to manage).
#vi csf.conf
GLOBAL_IGNORE = "64.22.111.82"
CC_DENY = "TR,SY,IL,JO,IQ,IR,GE,VU,LB,AQ,FR,GR,AM,RU,RO,UA,SI,SK,NG,CN,HK"
6. Denial of perl script (.pl) and .pm script upload:
FTP upload denial by file extension can be implemented with the ProFTPD server config directive "PathDenyFilter":
#vi /hsphere/shared/config/ftpd/proftpd.conf
PathDenyFilter "\.pl$|\.py$|\.pm$"
If the extension of an uploaded file matches the pattern specified in this directive, the upload is denied with the error message "Forbidden, Illegal File name".
=========================================================================
7. Xen level security:
8. Apache level security:
(a) Find all the httpd-group binaries in /bin, /usr/bin, etc. and change their group to root. Also change the /usr/bin/gcc permission to 700.
(b) Apache version exposure (Version 1.3+): don't allow attackers to learn which version of the web server software you are running by inducing an error and reading the automated server response. Attacks are often version specific. Spammers also trigger errors to find email addresses.
ServerSignature Off
Right below that add a line that has the following:
ServerTokens Prod
This will identify Apache simply as "Apache" with no version numbers or OS information.
Restart the service:
service httpd restart
9. Sysctl.conf Hardening:
Check the sysctl file and make sure it has the settings below for IP routing (the original list repeated several entries and set log_martians to 0 in one place and 1 in another; the consolidated list below keeps logging enabled):
#vi /etc/sysctl.conf
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# Disables packet forwarding
net.ipv4.ip_forward = 0
# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.lo.log_martians = 1
net.ipv4.conf.eth0.log_martians = 1
# Disables the magic-sysrq key
kernel.sysrq = 0
# Decrease the default value of tcp_fin_timeout
net.ipv4.tcp_fin_timeout = 15
# Decrease the default value of tcp_keepalive_time
net.ipv4.tcp_keepalive_time = 1800
# Turn off tcp_window_scaling
net.ipv4.tcp_window_scaling = 0
# Turn off tcp_sack
net.ipv4.tcp_sack = 0
# Turn off tcp_timestamps
net.ipv4.tcp_timestamps = 0
# Enable TCP SYN cookie protection
net.ipv4.tcp_syncookies = 1
# Ignore ICMP echo requests sent to broadcast addresses
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Ignore bogus ICMP error responses
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Increases the size of the SYN backlog queue (effectively, q0)
net.ipv4.tcp_max_syn_backlog = 1024
# Increase the TIME_WAIT buckets pool size
net.ipv4.tcp_max_tw_buckets = 1440000
# Allowed local port range
net.ipv4.ip_local_port_range = 16384 65536
After you make the changes to the file, run /sbin/sysctl -p and then sysctl -w net.ipv4.route.flush=1 to apply the changes without a reboot.
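A drift check for the settings above, added here as an example and not part of the original post: it reads each key's live value with sysctl -n and reports any that differ from the expected list (EXPECTED is a constructed subset of the section 9 values; the reader command is a variable so it can be swapped out for testing).

```shell
#!/bin/sh
# Added example (not from the original post): audit the running kernel
# against the sysctl.conf values above and report any drift. Run it after
# "sysctl -p" or from cron; exit status 1 means at least one key differs.
# EXPECTED is a constructed subset of the settings from section 9.

EXPECTED='
net.ipv4.ip_forward=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.log_martians=1
net.ipv4.tcp_syncookies=1
net.ipv4.icmp_echo_ignore_broadcasts=1
kernel.sysrq=0
'

# Command used to read a live value; "sysctl -n KEY" by default. It is a
# variable so a test can substitute a reader that returns canned values.
SYSCTL_READ="${SYSCTL_READ:-sysctl -n}"

# audit_sysctl: prints "KEY expected=X actual=Y" for every mismatch.
# Returns 0 when all keys match, 1 otherwise.
audit_sysctl() {
    rc=0
    for kv in $EXPECTED; do
        key=${kv%%=*}
        want=${kv#*=}
        have=$($SYSCTL_READ "$key" 2>/dev/null) || have="(unreadable)"
        if [ "$have" != "$want" ]; then
            echo "$key expected=$want actual=$have"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone usage:
# audit_sysctl || echo "sysctl drift detected"
```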
10. Syncookies security:
(a) Enable syncookies:
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
(b) /usr file permissions:
chmod 750 /usr/bin/rcp
chmod 750 /usr/bin/wget
chmod 750 /usr/bin/lynx
chmod 750 /usr/bin/links
chmod 750 /usr/bin/scp
11. Network security:
The first thing you need to do to secure a system from network attacks is find out which processes are listening for connections and on which ports. There are several time-tested tools available for this: nmap and netstat.
netstat
The following command will show you which ports are being listened on, the IP address of the listening socket, and which program or PID is associated with the socket (note: running as the superuser or root is necessary for the program field to work properly).
$ netstat -l -n -p -t -u -w
where:
-l lists listening sockets
-n shows numeric addresses and ports instead of resolving names
-p shows program/PID information
-t, -u, -w select tcp, udp and raw sockets.
Block all the unwanted services.
Tool Installations:
(a) Install RKHunter on all the servers
=========================================================================
Comment: Hi Sankar.. Your posts are useful.. thanks for the postings.. If it is possible, post RHEL5 to RHEL6 upgradation..
Reply: Sure, will post very shortly..