My line of defense



dec
06-02-2004, 02:26 PM
Ok..

So far this is my line of defense against our powerful enemy (Hackers, crackers, spam, viruses, etc…):

I have installed:

Chkrootkit
APF
SIM (System Integrity Monitor)
MailScanner
Clam Antivirus
Logwatch
RKHunter
Snort with Acid (Testing stage)

I have implemented:

Updated to latest Kernel
Updated Apache
Disabled direct root login
Disabled Telnet
Hide Apache and other services info
Forced SSH2 login
Two different passwords. One for admin and One for root. (They are modified every week)
/tmp secured (noexec)

I am paranoid about security, so I wonder what else everybody uses in reality to secure their server (web hosting purposes).

vandal
06-02-2004, 02:50 PM
I did some posts on linux-noob.com for a few extra things.

Hiding Apache Version Number:

http://www.linux-noob.com/forums/index.php?showtopic=765

Securing your /tmp directory (no exec)

http://www.linux-noob.com/forums/index.php?showtopic=766

You should also secure the su binary, and all your compiler binaries (unless your clients need them) - if you need help with this let me know. I disabled from normal user access: wget, ftp, telnet, gcc, cc, make, lynx, fetch among some others.

Also, rkhunter is very nice too:

http://www.rootkit.nl/


Oh yeah, READ EVERYTHING in /var/log any time you can.

ProWebUK
06-02-2004, 03:06 PM
You may want to change your SSH port, then install some port scan detection software such as portsentry.

Besides that, changing permissions on binaries and having tmp mounted with noexec / nosuid as vandal suggested.

Also, ALL software accessible externally needs to be updated, and if the system is on a local network there's even more to ensure you update. Simple rule: update everything that can be updated to the latest stable version, especially if there are known security problems between the current release and the release you are using.

Chris

dec
06-02-2004, 03:12 PM
You should also secure the su binary, and all your compiler binaries (unless your clients need them) - if you need help with this let me know. I disabled from normal user access: wget, ftp, telnet, gcc, cc, make, lynx, fetch among some others.

Not sure how to do this, guys...

The /tmp folder was secured, I just forgot to mention it :D


Also, rkhunter is very nice too

Reading and installing it as we speak ;)

Thanks

dec
06-02-2004, 03:14 PM
You may want to change your SSH port, then install some port scan detection software such as portsentry.

Excellent idea.. Any How to for Portsentry? :D

Thanks

ProWebUK
06-02-2004, 03:18 PM
Just found this: http://linux.cudeso.be/linuxdoc/portsentry.php

Chris

sander815
06-02-2004, 03:23 PM
Anyone have some more tips?
I did the /tmp and hide versions.

vandal
06-02-2004, 03:33 PM
Yeah, you can put SSH on like 6000 or something high like that :)

Snort is also an IDS but I have never used it.

So to secure your binaries, do this:

First allow root in your sshd config and test it (just for now).

pico /etc/group

Add your username to this line (in this case, I added the user admin):

wheel:x:10:root,admin

Then make the binary usable by root or the wheel group only:

chmod 4750 /bin/su

chgrp wheel /bin/su

Do that for wget, cc, gcc, lynx, ftp, telnet, make and anything else you want to deny normal users access to (to find their binaries, try 'locate wget' for example).

Now only root or a user in the wheel group can access this stuff.

Log in as admin and try su; you should have access. Log in as a regular user and try; you should get permission denied.

If all is well, disable root SSH access on the box again.
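An added example, not part of vandal's post: a POSIX shell script that applies the same lockdown to a list of binaries and then audits which ones are still executable by everyone. It assumes the admin group is wheel (overridable via ADMIN_GROUP) and gives only su the 4750 mode; the other tools get 0750, since 4750 on wget or gcc would make them setuid root.

```shell
#!/bin/sh
# Added example, not from the thread: lock down a list of binaries to root and
# one admin group (vandal's chmod/chgrp approach), then audit which ones are
# still executable by everyone. ADMIN_GROUP defaults to wheel (an assumption).

ADMIN_GROUP="${ADMIN_GROUP:-wheel}"

# Mode a binary should end up with. Only su needs the setuid bit (4750);
# giving 4750 to wget or gcc would make them setuid root, so they get 0750.
restricted_mode() {
    case "$(basename "$1")" in
        su) echo 4750 ;;
        *)  echo 0750 ;;
    esac
}

# Restrict one binary: group becomes ADMIN_GROUP, "others" lose all access.
restrict_binary() {
    path="$1"
    if [ ! -f "$path" ]; then
        echo "skip: $path not found" >&2
        return 1
    fi
    chgrp "$ADMIN_GROUP" "$path" && chmod "$(restricted_mode "$path")" "$path"
}

# Audit: print each listed path that still has the others-execute bit set.
world_executable() {
    for p in "$@"; do
        [ -f "$p" ] || continue
        find "$p" -perm -001 -print
    done
    return 0
}

# Run as root with the binaries to lock down, for example:
#   ./lockdown.sh /bin/su /usr/bin/wget /usr/bin/gcc /usr/bin/cc /usr/bin/make
# Paths can be found with 'locate wget' or 'command -v wget'.
if [ "$#" -gt 0 ]; then
    for p in "$@"; do
        restrict_binary "$p"
    done
    echo "still world-executable:"
    world_executable "$@"
fi
```

Re-run the audit after the change: an empty list means no listed binary is reachable by ordinary users any more.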

vandal
06-02-2004, 03:35 PM
Oh yeah, what OS and version are you running?

dec
06-02-2004, 04:59 PM
Oh yeah, what OS and version are you running?

Running Fedora Core 1.


Just found this: http://linux.cudeso.be/linuxdoc/portsentry.php

Thanks Chris, I'll look into this!


Vandal:
RKhunter ---> Excellent presentation and functionality. It runs really smoothly and is really easy to install. Thanks

vandal
06-02-2004, 05:45 PM
Vandal:
RKhunter ---> Excellent presentation and functionality. It runs really smoothly and is really easy to install. Thanks

anytime :)

dec
06-02-2004, 05:48 PM
Chris..

It looks like I have Portsentry already installed as a service in my system.

/etc/log.d/conf/services/portsentry.conf
/etc/log.d/scripts/services/portsentry

But, the configuration file does not give me the option to specify the ports or configure it like in the tutorial you suggested.

Any ideas...?

vandal
06-02-2004, 06:05 PM
Check if it's an RPM:

rpm -q portsentry

If it is, remove it:

rpm -e portsentry

and then download the source and follow the tutorial above.

dec
06-02-2004, 06:11 PM
Now I am not sure if I want portsentry installed... There are some big cons about portsentry.

Take a look at this article:

http://www.linux.ie/articles/portsentryandsnortcompared.php

Let me know what you think

Dec

dec
06-02-2004, 06:15 PM
Originally posted by vandal
Check if it's an RPM:

rpm -q portsentry

If it is, remove it:

rpm -e portsentry

and then download the source and follow the tutorial above.

It says portsentry is not installed.

I think these files may have something to do with logwatch.

Dec

thoroughfare
06-03-2004, 06:31 AM
Originally posted by vandal
You should also secure the su binary, and all your compiler binaries (unless your clients need them) - if you need help with this let me know. I disabled from normal user access: wget, ftp, telnet, gcc, cc, make, lynx, fetch among some others.

How can I do this?

Matt

ProWebUK
06-03-2004, 07:34 AM
Originally posted by thoroughfare
How can I do this?

Matt

Couple of posts up ;)

Chris

dec
06-03-2004, 10:09 AM
Any comments about the article above?

Dec

ProWebUK
06-03-2004, 10:30 AM
Originally posted by dec
Any comments about the article above?

Dec

It's correct, but I don't agree with everything it says - it tries to point out that you install it and never check the block list - you need to do a bit of housekeeping yourself to make it work, but the general idea works.

As for much of it, it all depends on your configuration (for example, "if a user was checking if you had a service on a particular port" - if there is no common service on the ports you have monitored, why would they be scanning it?!)

Chris

dec
06-03-2004, 11:01 AM
Originally posted by ProWebUK
It's correct, but I don't agree with everything it says - it tries to point out that you install it and never check the block list - you need to do a bit of housekeeping yourself to make it work, but the general idea works.

As for much of it, it all depends on your configuration (for example, "if a user was checking if you had a service on a particular port" - if there is no common service on the ports you have monitored, why would they be scanning it?!)

Chris

Hi Chris,

Do you use Snort? Do you recommend it over portsentry?

I have never used either of them before, so to me they are all the same. I just want to know what to use based on others' experience, and then learn and configure whatever I pick.

Dec

Gpro
06-03-2004, 11:14 PM
Hi all,

Any way to disable the Apache login? Because I wanted to create my own login screen for the user.

Plus another problem is i can't retrieve the username after i login.


I'm a noob at PHP, need some advice from you all.
Thanks all

ProWebUK
06-04-2004, 06:31 AM
Originally posted by Gpro
Any way to disable the Apache login? Because I wanted to create my own login screen for the user.

Plus another problem is i can't retrieve the username after i login.

Not sure what you mean with either... what Apache login? And login where... what do you mean can't retrieve the username?

Chris (who is very confused :p )

vandal
06-04-2004, 06:49 PM
I am also confused with what you mean by your question...

Yikes2000
08-27-2004, 01:25 PM
Originally posted by vandal
I disabled from normal user access: wget, ftp, telnet, gcc, cc, make, lynx, fetch among some others.

Couldn't a client upload (via FTP) their own copies of binaries onto the server?