Comments on: 20 Linux Server Hardening Security Tips

By: bash_coder

bash_coder — Sun, 22 Jan 2012 20:49:30 +0000

Well , one forgot about 8080 , port needed in some apps like ISPConfig or whatever.
Having ssh server enabled , we can disable 8080 via port forwarding in router, but use a ” backdoor ” aka tunnelling needed ports through ssh :
ssh -D localhost:8080 user@domain.com.
Put firefox using socksV5 127.0.0.1 and voila ! , of course ,port number can vary !
Let Mysql as default to listen only 127.0.0.1 ,enforce apache with mod_security and mod_evasive,check website folders not to be 777,and if using wordpress look for a good firewall or go write yourself a decent one to prevent sql injection.
And keep it in mind ,everything made by humans will be cracked by humans , it is just a matter of time !

Sincerly , Gabriel

By: Robert

Robert — Sat, 14 Jan 2012 04:21:35 +0000

https://help.ubuntu.com/community/LDAPClientAuthentication

Google is your friend. I found the above link in less than 30 seconds. We Linux geeks like to be helpful. Most will tell you how to hunt, but most won’t hunt for you, cook for you, and feed you too. :)

By: nbasileu

nbasileu — Wed, 11 Jan 2012 13:38:34 +0000

#1
7. Nginx SSL
http://wiki.nginx.org/HttpSslModule

Thx to add this :)

By: veeru

veeru — Sun, 08 Jan 2012 14:17:05 +0000

sir,
how to configure LDAP server(server side, client side) in UBUNTU linux plese tell me step by step

By: Matteo "roghan" Cappelli

Matteo "roghan" Cappelli — Wed, 21 Dec 2011 15:10:57 +0000

Very good article!! :-D

By: Kishor

Kishor — Fri, 09 Dec 2011 19:18:49 +0000

Excellent article!

By: Lamont Granquist

Lamont Granquist — Fri, 02 Dec 2011 21:21:58 +0000

You need to triage your recommendations for how much they cost to do (in terms of time):

Sites with thousands of servers and understaffed admins can’t possibly do all of this, and even on smaller sites with only a few dozen boxes, there needs to be some focus on which of these offer the best bang for the amount of time spent.

You must do these:

#1: Encryption – This is good, but the suggestion to remove xinetd wholesale is generally bad, ideally use chef to only enable xinetd where needed.
#3: One service one box – This is a good goal, much more achievable in the virtualization era. Exceptions can be made, particularly with lightweight internal services.
#6: Password policy – Largely you have to do this, auditors expect it. I share the concerns about rotation leading to sickies on monitors, but I know I won’t win that argument with auditors.
#7: Disable root login – Yes, remote root needs to be disabled to prevent non-reputability, I actually agree here.
#9: Disable services – Very good. Do this. Highly likely that unneeded and unmaintained services lead to actual security compromise.
#10: Disable X11 – Yep, unneeded on servers generally, don’t install. Some software installation requires it, which is annoying and you’ll need to make exceptions for on limited case-by-case basis.
#11: Sysctl hardening – Good and reasonably cheap. Use chef.
#15: Disable unwanted SUIDs and SGIDs – I agree, time well spent, reduces attack surface.
#17: Logging and Auditing – Past some point this just becomes using a loghost with enough disk to retain logs, and the noise level becomes insane. I wouldn’t spend too much time watching all the logs all the time, although its nice if you’ve got a junior admin with enough free time to watch for events. In PCI situations you have to not only watch this, but respond and it becomes mandatory.

You should try to do these, but they’re costly:

#4: Kernel upgrades – This is expensive in time, but worthwhile.
#11: Iptables/TCPwrappers – If #9 is done correctly and you’ve got a good corporate border firewall, this is not necessary and can lead to headaches. This is almost in my “do not bother” list, but if you *dont* have a firewall and you’ve just got servers hanging out in the breeze on EC2 this becomes more necessary.
#16: Centralized Auth – I actually like spending the time to do Kerberos

Do not bother with these, your energy is best spent elsewhere:

#2: Removing/auditing RPMs – This became laughable to me a decade ago, nearly a complete waste of time.
#5: SElinux – Also largely a waste of time, and ongoing maintenance nightmare, most actual intrusions would be prevented by getting easier stuff right
#8: Locking down BIOS and Grub – Servers should be secure in datacenters, physical access means a compromise anyway and grub passwords get in the way of administration
#13: Seperate Partitions for Everything – Oh, FFS, I have a job to do. Complete waste of my time.
#14: Turn off IPv6 – this is laughable and becoming more indefensible now
#19: IDS – Also mostly a source of noise. I suggest using fail2ban to automate iptables blocking in response to attacks, which does something useful (e.g. ssh attacks actually chew up your cpu, and fail2ban gets that back).
#20: Encryption of files – largely a waste of time within the enterprise, other than *very* targetted systems that are high-value targets. Just get your account management right.

Most important completely missed aspect:

USE CHEF, PUPPET OR SOME OTHER CONFIG MANAGEMENT ENGINE TO ENFORCE POLICY

And yes, I wrote that in all CAPS for a reason. That should be policy #0 that comes before all else.

By: layer 3 switch

layer 3 switch — Sat, 19 Nov 2011 12:35:56 +0000

I want to show appreciation to this writer just for bailing me out of this type of issue. Right after searching throughout the world wide web and finding ways which were not helpful, I believed my life was gone. Living without the approaches to the difficulties you have fixed by means of your entire blog post is a crucial case, and those that would have in a negative way damaged my career if I hadn’t encountered your web blog. Your ability and kindness in maneuvering all the details was crucial. I’m not sure what I would have done if I hadn’t come across such a subject like this. It’s possible to at this time relish my future. Thank you very much for the reliable and amazing guide. I won’t be reluctant to refer your web blog to anyone who needs guidelines about this topic.

By: Sankar M

Sankar M — Sat, 12 Nov 2011 05:32:40 +0000

Good work!! Thanks a million for all useful tips.. :)

By: renjith

renjith — Wed, 19 Oct 2011 05:54:28 +0000

Thanks for the gr8 info.

need to know which file we need to edit or how we can set password rules in redhat such as “password should include alphanumeric,special characters,numbers etc.

Thanks
Renjith

By: Rajasekhar

Rajasekhar — Fri, 14 Oct 2011 04:44:00 +0000

ThanQ

By: iasava

iasava — Mon, 12 Sep 2011 10:43:04 +0000

thank for sharing. it the best best practice for me. thank you very much Vivek

By: venkat

venkat — Tue, 06 Sep 2011 12:54:08 +0000

Great work Vivek sir ji…

Venkat

By: michael anderson

michael anderson — Sat, 20 Aug 2011 01:53:02 +0000

Is this hardening checklist good for ALL Linux distributions, such as CentOS, Fedora, Debian, Ubuntu, etc………

thanks,

By: justme19

justme19 — Sat, 06 Aug 2011 15:51:22 +0000

Just another one of those valuable well written article. Thank you vivek for sharing this with the rest of us.

By: Ashok

Ashok — Sun, 24 Jul 2011 05:57:13 +0000

Fantastic Article !! Very useful one.

By: ckdie92hc8899s9

ckdie92hc8899s9 — Wed, 20 Jul 2011 19:31:11 +0000

WARNING to fellow DEBIAN users:

debian apt-get may break system if cannot use /tmp. Tmp may be set noexec, nosuid, etc.
To harden, may need to write pre-process script and post-process scriipt after
apt-get upgrade.

alert: re”: Also, setting the “noexec” flag in fstab
not confirmed and demonstrated and fully tested. sorry.

Linux hostnamm 2.6.39-3.slh.xxx-aptosid-xxx64 #1 SMP PREEMPT Sat Jul xxx 2011 x86_64 GNU/Linux

Great article. Advanced persistent threats and rootkits. Kernel is the last line
of defense.

obviously, strategy involves both HARDENING and SOFTENING. example of softening
is honeypot and other ‘trap doors.’ Basic – set your firefox or google chrome to
send browser message as IE Internet Explorer.

Excellent Article. Intermediate. Highest return on value is getting to known
how to tune the KERNEL. Second highest is learning how to compress data and
‘backup it up’ across the wide spread NET. as well as separate physical devices -
SSD preferred.

By: d0rk-E

d0rk-E — Sat, 28 May 2011 20:56:42 +0000

I have heard the arguments for and against #7, disable root login, and am for it…
But you never tell me HOW to. :D

By: Ramakrishna - Krrish

Ramakrishna - Krrish — Sat, 30 Apr 2011 05:03:53 +0000

Hi Sir,

I have been trying to implement OpenLDAP server in CentOS5.4 for the past 10 months. But, till i haven’t implemented. I studied and gathered so many books and articles.. even though am not succeeded. So, could you send openldap server configuration article in CentOS5. Then i can follow your help to complete the task..And i need exactly what is ldap ? why for Ldap? where to Implement ldap ?
I have so many doubts are there on ldap scenario. And how can join windows client to linux openldap server ? . If joins, how to do that ? .. So, could you explain detailedly…

with best regards..

thanks,

Ramakrishna – krrish

By: Ramakrishna- krrish

Ramakrishna- krrish — Fri, 29 Apr 2011 12:39:18 +0000

Hi Sir, Am fan to your article.. Really these are very excellent sessions.. we never get this from any other books.. Really Am so happy and we are improving our confidential levels by following your articles.. One small request, Why dont you keep an article on Solaris server issues.. Because now a days, both unix and linux are growing popular across the world.. And so many administrators are working in dual modes (LINUX and UNIX) . So, if the send an article based on linux and unix(solaris) then, so many administrators feel much better..

Thanks