Server securing methods
On the top of everthing when it comes to setting up webserver our priority would be Security.Here I will describe the basic steps to secure server.
•
•
•
•
•
•
•
•
Strong password
Always keep a strong password for servers, don't use any default ones or simple dictionary
words. Also make it a habit to change the password frequently.
•
Change ssh port
Change it to anything other than default 22, so that hackers keep guessing. Alter the option 'Port'
in sshd_config file.
Eg:- Port 24825
•
Denying root user login for ssh
Use 'PermitRootLogin no' in sshd_config. Now direct root login via ssh is denied. Instead just
create a normal user say 'admin' using which you can login through ssh and then later 'su -' to become
root. For this make sure that the user 'admin' has ssh access.
•
Allow access to only the limited users via ssh
Use 'AllowUsers and DenyUsers options in sshd_config.
Eg:
AllowUsers admin admin2
DenyUsers user2
•
TCP wrappers
Use host.allow and/or hosts.deny wisely to allow and deny access to particular hosts/IPs.
•
Secure /tmp
/tmp is world writable (chmod 777) so anyone can get a file uploaded to it and execute it. To
prevent this, /tmp must be mounted with noexec; just make sure that fstab entries are as follows and
remount /tmp :
/dev/sdax
/tmp
ext3
noexec,nosuid,rw
0
0
However, this is possible only if /tmp is a separate partition. If not, one will have to go ahead and create
a new loopback device for /tmp; This is how it is:
dd if=/dev/zero of=/dev/TmpFS bs=1024 count=1000000
mkfs.ext3 /dev/TmpFS
cp -rp /tmp /tmp.bak
mount -o loop,noexec,nosuid,rw /dev/TmpFS /tmp
chmod 1777 /tmp
cp -rp /tmp.bak/* /tmp
cp -p /etc/fstab /etc/fstab.bak
; creates a loop device of 1Gb
; format it as ext3
; backup the present /tmp
; mount the new loop device to /tmp
; make its permissions correct
; restore the contents from backup
; backup fstab
add the necessary entry in fstab now, will look as follows:
/dev/TmpFS /tmp
ext3
loop,noexec,nosuid,rw
00
•
Configure firewall (iptables) rules
After adding all the required ACCEPT rules for required services/ports in the server, at the end
add a rule to DROP out all the the connections.
iptables -A INPUT -j DROP
; add this rule
This will DROP all those connections except for the ACCEPT rules. So recheck to make sure your
ACCEPT rules are correct before adding this, or else you may lock out yourselves.
•
Shutdown unwanted services
Any unwanted services that the server in not going to host can be stopped. This will save
resource usage as well.
Reply to this post
Post a Comment