How to Secure a Linux Server?
The free, open-source GNU/Linux operating system is getting better each year for desktop use, but it's been a major contender for server use since the late 1990s. With popularity, however, it has become profitable for thieves to break into Linux servers and use them for spamming, scams, and serving pornography, among other things. Here are some ways you can protect your server from such a fate.
Steps
ns003:~# lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
named 17829 root 4u IPv6 12689530 UDP *:34327
named 17829 root 6u IPv4 12689531 UDP *:34329
named 17829 root 20u IPv4 12689526 UDP ns003.unternet.net:domain
named 17829 root 21u IPv4 12689527 TCP ns003.unternet.net:domain (LISTEN)
named 17829 root 22u IPv4 12689528 UDP 209.40.205.146:domain
named 17829 root 23u IPv4 12689529 TCP 209.40.205.146:domain (LISTEN)
lighttpd 17841 www-data 4u IPv4 12689564 TCP *:www (LISTEN)
sshd 17860 root 3u IPv6 12689580 TCP *:ssh (LISTEN)
sshd 17880 root 3u IPv6 12689629 TCP *:8899 (LISTEN)
sshd 30435 root 4u IPv6 74368139 TCP 209.40.205.146:8899->dsl-189-130-12-20.prod-infinitum.com.mx:3262 (ESTABLISHED)
- Copy the sshd_config file to root_sshd_config, and change the following items in the new file:
- Port from 22 to some other number, say 8899 (don't use this! make up your own!)
- PermitRootLogin from "no" (you were supposed to set it to "no" for port 22, remember?) to "yes"
- AllowUsers root add this line, or if it exists, change it to allow only root logins on this port
- ChallengeResponseAuthentication no uncomment this line if it's commented out, and make sure it says "no" instead of "yes"
- Test this command:
sshd -D -f /etc/ssh/root_sshd_config
and see if it works correctly -- try logging in from another computer (you must have already set up shared-key authentication between the two computers) using:
ssh -p8899 root@my.remote.server
and if so, control-C at the above (sshd) command to stop the sshd daemon, then add this to the end of /etc/inittab:
rssh:2345:respawn:sshd -D -f /etc/ssh/root_sshd_config
- Restart the init task:
# init q
This will run your "root ssh daemon" as a background task, automatically restarting it in case of failure.
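A worked example for the steps above, added here and not part of the original article: a small POSIX shell script that derives root_sshd_config from a copy of sshd_config, applying exactly the changes listed (Port, PermitRootLogin, AllowUsers, ChallengeResponseAuthentication), and then checks the result before you start the second daemon. The input is a constructed sample, the port 8899 is the article's placeholder, and forcing PasswordAuthentication to "no" is an extra assumption of mine that matches the shared-key requirement in the test step. The /etc/inittab line in the article is for sysvinit; on a systemd-based system you would start the second sshd from a service unit instead.

```shell
#!/bin/sh
# Added example, not from the original article: build the root-only
# sshd_config described above from a copy of the normal sshd_config, then
# verify it before starting the second daemon.
# The input below is a constructed sample, not a real server's file.

SAMPLE_SSHD_CONFIG='# Constructed sample sshd_config
Port 22
PermitRootLogin no
#ChallengeResponseAuthentication yes
PasswordAuthentication yes
UsePAM yes'

# make_root_sshd_config PORT < sshd_config > root_sshd_config
# Rewrites the directives the article lists and, as an extra assumption that
# matches the shared-key requirement, forces PasswordAuthentication no.
# Lines of the form "#Keyword value" are treated as commented-out directives
# and uncommented; directives missing from the input are appended at the end.
make_root_sshd_config() {
    awk -v port="$1" '
        BEGIN {
            want["Port"] = port
            want["PermitRootLogin"] = "yes"
            want["AllowUsers"] = "root"
            want["ChallengeResponseAuthentication"] = "no"
            want["PasswordAuthentication"] = "no"    # assumption: key-only login
        }
        {
            line = $0
            if (line ~ /^#[A-Za-z]/) sub(/^#/, "", line)   # "#Keyword ..." comment
            split(line, f, "[ \t]+")
            if (f[1] in want) {
                if (!(f[1] in seen)) print f[1] " " want[f[1]]   # first occurrence wins
                seen[f[1]] = 1
                next
            }
            print
        }
        END { for (k in want) if (!(k in seen)) print k " " want[k] }
    '
}

# check_root_sshd_config < root_sshd_config
# Returns 0 only if every required directive is present with the expected
# value and the port is not 22. Also run "sshd -t -f root_sshd_config" for a
# syntax check before starting the daemon.
check_root_sshd_config() {
    cfg=$(cat)
    for req in 'PermitRootLogin yes' 'AllowUsers root' \
               'ChallengeResponseAuthentication no' 'PasswordAuthentication no'; do
        printf '%s\n' "$cfg" | grep -qx "$req" || { echo "missing: $req" >&2; return 1; }
    done
    printf '%s\n' "$cfg" | grep -q '^Port [0-9][0-9]*$' || { echo "missing: Port" >&2; return 1; }
    if printf '%s\n' "$cfg" | grep -qx 'Port 22'; then
        echo "Port must not be 22 (pick your own number)" >&2
        return 1
    fi
    return 0
}

# Demo on the constructed sample. On a real system:
#   make_root_sshd_config 8899 < /etc/ssh/sshd_config > /etc/ssh/root_sshd_config
printf '%s\n' "$SAMPLE_SSHD_CONFIG" | make_root_sshd_config 8899 | check_root_sshd_config \
    && echo "root_sshd_config looks right"
```

The checker is deliberately strict about the port: a second daemon that ends up on 22 would silently undo the PermitRootLogin no setting of the main one.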
Tips
- Check your log files regularly to see what types of attacks are being run against your server. /var/log/auth or /var/log/auth.log is a typical place to find attempted logins:
Jan 18 10:48:46 ns003 sshd[23829]: Illegal user rosa from ::ffff:58.29.238.252
Jan 18 10:48:49 ns003 sshd[23833]: Illegal user rosemarie from ::ffff:58.29.238.252
Jan 18 10:48:51 ns003 sshd[23838]: Illegal user ruth from ::ffff:58.29.238.252
Jan 18 10:48:54 ns003 sshd[23840]: Illegal user sabine from ::ffff:58.29.238.252
Jan 18 10:48:57 ns003 sshd[23845]: Illegal user sandra from ::ffff:58.29.238.252
- Regularly upgrade your operating system to add security fixes. On Debian: apt-get upgrade
- Monitor news on vulnerabilities at http://www.securityfocus.com/ and related websites.
- Try installing grsecurity and/or SELinux and/or AppArmor and/or PaX.
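A worked example for the log-checking tip above, added here and not taken from the article: a POSIX shell/awk script that reads auth.log lines, counts failed login attempts per source address (handling the older "Illegal user" wording from the article's excerpt, the current "Invalid user" wording, and "Failed password" lines), strips the IPv4-mapped "::ffff:" prefix, and lists the busiest sources. The sample log is constructed; the first three lines mirror the article's excerpt and the rest use documentation addresses.

```shell
#!/bin/sh
# Added example, not from the original article: summarise failed SSH logins
# per source address from auth.log. The log below is a constructed sample;
# the first three lines mirror the article's excerpt, the rest are made up.

SAMPLE_AUTH_LOG='Jan 18 10:48:46 ns003 sshd[23829]: Illegal user rosa from ::ffff:58.29.238.252
Jan 18 10:48:49 ns003 sshd[23833]: Illegal user rosemarie from ::ffff:58.29.238.252
Jan 18 10:48:51 ns003 sshd[23838]: Illegal user ruth from ::ffff:58.29.238.252
Jan 18 10:49:03 ns003 sshd[23851]: Invalid user admin from 203.0.113.7 port 51022
Jan 18 10:49:05 ns003 sshd[23852]: Invalid user test from 203.0.113.7 port 51030
Jan 18 10:49:07 ns003 sshd[23853]: Invalid user oracle from 203.0.113.7 port 51036
Jan 18 10:49:10 ns003 sshd[23860]: Accepted publickey for alice from 192.0.2.10 port 40022 ssh2
Jan 18 10:49:20 ns003 sshd[23861]: Failed password for root from 203.0.113.7 port 51040 ssh2'

# failed_logins_by_ip < auth.log
# Prints "COUNT IP" lines, busiest source first. Matches the old "Illegal
# user" wording, the current "Invalid user" wording and "Failed password"
# lines; successful logins are ignored. "::ffff:" (IPv4 mapped into IPv6,
# as in the article's excerpt) is stripped so both forms count together.
failed_logins_by_ip() {
    awk '
        /sshd\[[0-9]+\]: (Illegal|Invalid) user .* from / ||
        /sshd\[[0-9]+\]: Failed password for .* from / {
            # the source address is the token following "from"
            for (i = 1; i < NF; i++) if ($i == "from") { ip = $(i + 1); break }
            sub(/^::ffff:/, "", ip)
            n[ip]++
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -rn
}

# top_offender < auth.log -> the single address with the most failed attempts
top_offender() {
    failed_logins_by_ip | head -n 1 | cut -d' ' -f2
}

# sources_over N < auth.log -> addresses with at least N failed attempts,
# busiest first. Review these by hand before adding firewall rules: a NAT
# gateway or shared proxy can hide many legitimate users behind one address.
sources_over() {
    failed_logins_by_ip | awk -v min="$1" '$1 >= min { print $2 }'
}

# Demo on the constructed sample. On a real server:
#   sources_over 10 < /var/log/auth.log
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_by_ip
```

Pointing the same functions at /var/log/auth.log (or at the systemd journal's sshd output) gives a quick daily picture of who is hammering the login port; combined with the non-standard root port from the steps above, a growing count against port 22 with zero successes is the expected, healthy picture.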
Warnings
- Nothing you can do will make your server completely secure. Have backups of all important files, and a backup plan in place in case the worst happens.
- Never trust a server that has been cracked. A cracker has access to 100% of the system once they have root access.