Securing Your Server HOWTO

Information used here will be from some of the programs listed at http://www.rfxn.com/projects/

The programs used here will be LES, SPRI, LSM, and PRM.

This is not for the faint-hearted: you must know how to edit files and understand how Perl works.

LES

LES was originally written for RPM based systems but it can be used on any distro regardless. I use it on RPM and DEB systems.

Linux Environment Security is intended as a facility to quickly & easily secure RedHat/RPM based environments (i.e: turbo linux, open linux). It does so by enforcing root-only permissions on system binaries (binaries that have no place being executed by normal users), enforcing root-only path traversal on system paths, enforcing the immutable bit on essential rpm package contents (i.e: coreutils), and enforcing the immutable bit on shell profile scripts.

LES is really cool because it will actually stop non-root users from running dd, w, who and all those other server-only commands.

First install LES -- it is installed under /usr/local/les by default, so I recommend leaving it there.

Second edit opt.dat -- this file lists what will be protected from non-root logins.

What I edited in mine was 3 sections...

sec_profgrp
sec_deva
sec_bins

In sec_bins add or remove any program you wish to prevent normal users from having any access to. Only root will have access to those files after this program runs.

sec_deva lists the development programs used to compile software; restricting them also stops an intruder from building a new binary on your box to trick your system. Add ANY and ALL programs like cc, gcc, g++, c++ and so on that are on your box. Only root and people in the group "deva" will be allowed to use these programs. Make sure you create the required group, "deva", with groupadd deva, then add any user that will be allowed to use these programs to that group.

sec_profgrp holds the groups whose login files (.bashrc, .bash_login, .csh and so on) will be protected from editing. The group I used is "users" but this might be different on your system depending on how you have it set up in your VM. Only YOU know what to put there!! So don't ask me. This uses chattr +i file to set the immutable bit and chattr -i file to unset it.

Now edit the cron job for LES.

/etc/cron.daily/les

#!/bin/sh
# les
/usr/local/sbin/les --secure-bin 1
/usr/local/sbin/les --secure-path 1
/usr/local/sbin/les --secure-prof 1
/usr/local/sbin/les --secure-devel 1

Then run chmod 755 /etc/cron.daily/les

This will protect the server. What --secure-prof does is set chattr +i on the profile files, which prevents ANY editing or deleting of them.

To see the help for LES type "/usr/local/les/les --help"

To unsecure everything in one command /usr/local/les/les -ea
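As an added audit script (not part of LES or of this article), the following POSIX sh helpers check that a file is in the state each opt.dat section asks for: sec_bins binaries root-only, sec_deva tools usable only by root and group "deva", and sec_profgrp profile files carrying the immutable bit. It assumes GNU stat and e2fsprogs lsattr; the file paths in the usage line are examples.

```shell
#!/bin/sh
# Added audit helpers, not part of LES: check a file against what each opt.dat
# section enforces. Assumes GNU stat and e2fsprogs lsattr; paths are examples.

# root_only_mode MODE: octal mode from "stat -c %a" (700, 4700) gives group and
# other nothing, as sec_bins enforces.
root_only_mode() {
    case "$1" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}
# devgroup_mode MODE GROUP: sec_deva tools belong to group deva, usable by that
# group but not others (e.g. 750); 700 fails too, deva members could not run it.
devgroup_mode() {
    [ "$2" = "deva" ] || return 1
    case "$1" in
        *[1-7]0) return 0 ;;
        *)       return 1 ;;
    esac
}

# lsattr_immutable LINE: parse one lsattr line ("----i---------e----- /root/.bashrc")
# and succeed only when lowercase i (immutable, set by chattr +i) is present.
lsattr_immutable() {
    _flags=${1%% *}
    case "$_flags" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# audit_path KIND PATH: KIND is bin, deva or prof; prints a verdict, returns 0/1.
# lsattr fails on non-ext filesystems, so prof reports FAIL there.
audit_path() {
    _mode=$(stat -c %a "$2") || return 1
    _group=$(stat -c %G "$2") || return 1
    case "$1" in
        bin)  root_only_mode "$_mode" ;;
        deva) devgroup_mode "$_mode" "$_group" ;;
        prof) lsattr_immutable "$(lsattr -d "$2" 2>/dev/null)" ;;
        *)    return 1 ;;
    esac
    _rc=$?
    if [ "$_rc" -eq 0 ]; then echo "OK   $1 $2"; else echo "FAIL $1 $2 ($_mode $_group)"; fi
    return "$_rc"
}
# Usage: sh les-audit.sh bin /usr/bin/w deva /usr/bin/gcc prof /home/bob/.bashrc
while [ $# -ge 2 ]; do audit_path "$1" "$2"; shift 2; done
```

Run it after the cron job has executed; a FAIL on a bin entry means the file is still reachable by normal users.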

SPRI

To be edited

 

LSM (Linux Socket Monitor)

This one is really important! It can email you when a new program opens a socket, such as a BNC.

Just install it normally and let it work for you. There is nothing to configure unless you want emails sent to a different user.

NSIV

To be edited

 

Secure /tmp /var/tmp and /dev/shm

This is a working script, but you will also need to edit some things on your server manually.

secure-tmp.sh

#!/bin/sh
#
# This is a sample script to secure your server.
# You will probably want to edit certain steps for your taste
#
# !!!!!!!!Some parts require YOU to do manually!!!!!!!
# (the steps that only echo a command are the manual ones)
#
# Written by Scott Grayban
#
# Run as root.
echo "Step 1: Make a 1GB file for the /tmp partition and an ext3 filesystem for tmp:"
dd if=/dev/zero of=/var/tmpFS bs=1024 count=1000000
/sbin/mkfs.ext3 /var/tmpFS
echo ""

echo "Create a backup copy of your current /tmp directory:"
cp -Rpf /tmp /tmpbackup
echo ""
echo "Mount our new tmp partition and change permissions:"
# noexec,nosuid: nothing placed in the new /tmp can be executed or gain privileges
mount -o loop,noexec,nosuid,rw /var/tmpFS /tmp
chmod 1777 /tmp
echo ""
echo "Copy the old data:"
cp -Rpf /tmpbackup/* /tmp/
echo ""
echo "If you run the mount command you should get something like this:"

echo "/var/tmpFS on /tmp type ext3 (rw,noexec,nosuid,loop=/dev/loop0)"
echo ""
echo "Edit /etc/fstab and add this:"
echo "/var/tmpFS /tmp ext3 loop,nosuid,noexec,rw 0 0"
echo ""
echo "Remount tmp"
echo "mount -o remount /tmp"

echo ""
echo "You can test it by running a script on the /tmp partition; if you get \"permission denied\" it is fine :)"
echo ""
echo ""
echo "2. Secure /var/tmp:"
echo ""

echo "It should be done because some applications use /var/tmp as the temporary folder, and anything that's accessible by all needs to be secured."
echo ""
echo "Rename it and create a symbolic link to /tmp:"
mv /var/tmp /var/tmp1
ln -s /tmp /var/tmp
echo ""
echo "Copy the old data back:"
# -Rp as above, so subdirectories and their permissions survive the move
cp -Rpf /var/tmp1/* /tmp/
echo ""
echo "Note: you should restart any services that use the /tmp partition"

echo ""
echo "3. Securing /dev/shm:"
echo ""
echo "To get all this working well, you should also secure /dev/shm to stop rootkits running from there."
echo ""
echo "Edit your /etc/fstab:"
echo "pico /etc/fstab"

echo ""
echo "change:"
echo "none /dev/shm tmpfs defaults,rw 0 0"
echo "to"
echo "none /dev/shm tmpfs defaults,nosuid,noexec,rw 0 0"
echo "If you don't have the first line then just add it"

echo ""
echo "Remount /dev/shm:"
echo "mount -o remount /dev/shm"
echo ""
echo "Remove the old backup directories"
rm -fr /var/tmp1/ /tmpbackup/
echo "done"
 

At console type mount and you should see:

/var/tmpFS on /tmp type ext3 (rw,noexec,nosuid)

The output line should contain both 'noexec' and 'nosuid'. If they are in place then you're covered.

The only problem now is that when apt-get upgrades your system it will sometimes place scripts inside the temp directory which will now not be executable.

The fix for this is to temporarily make the temporary directory executable before running apt-get and then remove the execution bits afterwards. This would be a troublesome thing to remember doing ourselves - but thankfully we can set it up to be automatic.

Add the 2 lines below to the top of your /etc/apt/apt.conf file:

DPkg::Pre-Install-Pkgs {"mount -o remount,exec /tmp";};
DPkg::Post-Invoke {"mount -o remount /tmp";};

This contains two lines, one running before any package installation and one afterwards. They merely execute the commands required to add and then remove the execute permission on /tmp.
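Because the apt hook above toggles exec on /tmp, it is worth having a quick way to confirm that /tmp, /var/tmp and /dev/shm are still mounted noexec,nosuid once apt-get has finished. The script below is an added check (not part of the original article) that reads /proc/mounts rather than eyeballing mount output; the sample lines in it are constructed.

```shell
#!/bin/sh
# Added check, not from the original article: confirm that /tmp, /var/tmp and
# /dev/shm are still mounted noexec,nosuid, e.g. after an apt-get run. Reads
# /proc/mounts; the sample lines used in testing are constructed.

# mount_opts_ok OPTS: succeed only when the comma-separated option list contains
# both noexec and nosuid as whole words ("exec" alone must not pass).
mount_opts_ok() {
    _o=",$1,"
    case "$_o" in *,noexec,*) ;; *) return 1 ;; esac
    case "$_o" in *,nosuid,*) return 0 ;; *) return 1 ;; esac
}

# mount_line_opts LINE: print the option field (4th) of a /proc/mounts line.
mount_line_opts() {
    set -- $1
    printf '%s\n' "$4"
}

# check_mount_line LINE: apply mount_opts_ok to a single /proc/mounts line.
check_mount_line() {
    mount_opts_ok "$(mount_line_opts "$1")"
}

# check_mountpoint DIR: use the last /proc/mounts entry for DIR (the active one
# when something was mounted over it). 0 = ok, 1 = options missing,
# 2 = not a separate mount (e.g. /var/tmp when it is only a symlink to /tmp).
check_mountpoint() {
    _line=$(awk -v mp="$1" '$2 == mp { l = $0 } END { print l }' /proc/mounts)
    [ -n "$_line" ] || return 2
    check_mount_line "$_line"
}

# Usage: sh check-tmp.sh /tmp /var/tmp /dev/shm
for d in "$@"; do
    if check_mountpoint "$d"; then
        echo "$d: noexec,nosuid present"
    else
        echo "$d: WARNING noexec,nosuid missing or not a separate mount"
    fi
done
```

A forgotten "mount -o remount /tmp" after the exec remount shows up as a WARNING, since the kernel drops noexec from the option list.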
