Server Hardening
by Shad Rich
ISQS 6342
Spring 2004
Prerequisites
Implement and enforce internal security
policy
Determine risk
Place server in an appropriate physical
location
Server OS
This presentation will concentrate on Linux
servers.
There are several documents available at
www.microsoft.com describing hardening of
Windows XP and 2003.
OS Hardening Basics
Install bare necessities
Keep all system software up-to-date
Delete/disable unnecessary user accounts
Do not grant shell access unless needed
Run public services in chrooted file
systems
Remove SUID bits
OS Hardening Basics cont…
Configure logging and review the logs
regularly
Every host should be its own firewall
Check systems with security scanners
Document configurations for later use
Before Installation
Set BIOS password
Plan partitioning scheme
place /var, /opt, /usr/local on separate partitions
OS Installation
If possible, do not connect to the internet to
install.
Do a very basic install.
Do not install the X Window System or any
desktop managers unless absolutely
necessary.
Install the latest versions if possible…if not,
upgrade.
Post Install
Set a boot loader password
/etc/lilo.conf
image=/boot/2.2.14-vmlinuz # Kernel location
label=Linux # Arbritrary kernel label
read-only
password=hackme restricted # Sets password
/boot/grub/menu.lst
timeout 3
password hackme # Sets password
Post Install cont…
Remove root prompt on the kernel
/etc/mkinitrd/mkinitrd.conf
# DELAY The number of seconds the linuxrc script should wait
# to allow the user to interrupt it before the system is brought
# up
DELAY=0
Regenerate your ramdisk image
cd /boot
mkinitrd -o initrd.img-2.4.18-k7 /lib/modules/2.4.18-k7
Kernel Download
Download the latest kernel source from
www.kernel.org or another mirror
Many distributions make the kernel source
available through their package managers,
e.g. rpm, apt-get, emerge
Extract Kernel Source
Move the kernel source to an appropriate
directory, e.g. /usr/src
Extract the kernel source:
For tar.gz files:
tar –zxvf kernel-source-file.tar.gz
For bz2 files
tar –jxvf kernel-source-file.bz2
Configure Kernel Source
cd /usr/src/kernel-source-dir/
make config, make menuconfig
Select only the most basic options needed
to run the server.
Do not enable sound, usb, serial, or parallel
port drivers if not needed for server
functionality
Compile Kernel and Modules
Generic:
su
make dep
make clean
make bzImage modules modules_install
make bzlilo (if using lilo boot loader)
Debian:
su
make-kpkg clean
make-kpkg –append-to-version=. kernel_image
modules_image
dpkg –i ../kernel-image.date.deb
Edit /etc/lilo.conf or /boot/grub/menu.lst to boot new kernel
Common Unneeded Services
rpc services – nfsd, nfsclient
r-services – rsh, rlogin, rcp
inetd
linuxconfd
sendmail
telnet, FTP, POP
Identify Unneeded Services
What’s running?
ps aux | less
What ports are open?
nmap localhost
What is started on boot?
ls –la /etc/rc#.d/ (anything starting with “S”)
What is inetd running?
chkconfig –list (RedHat)
netstat -pn -l -A inet
/usr/sbin/lsof -i | grep LISTEN
grep -v "^#" /etc/inetd.conf | sort -u
Remove Unneeded Services
chkconfig –level 2 linuxconf off
rm /etc/rc#.d/S20ssh
comment out services in /etc/inetd.conf on
Debian systems
Automated Hardening
Bastille Linux
original was going to be a secure distribution
instead became a set of scripts for hardening
existing distributions
packages for multiple platforms
RedHat/Mandrake
Debian
Mac OS X
HP-UX
Bastille Screenshot
Keeping Software Updated
Subscribe to distribution-specific security
lists
Automated updates
Red Hat – up2date
Debian – apt-get update; apt-get upgrade
Delete Unnecessary User Accounts
Directly read /etc/passwd to identify
unnecessary accounts
Use find to locate user files
find / -user username –print
Minimize Use of SUID=root
Use find to locate violating files
find / -perm +4000 –user root –type f –print
find / -perm +2000 –group root –type f –print
Change permissions on the violating files
chmod u-s /full/path/to/filename
chmod g-s /full/path/to/filename
Run Services In chrooted File System
chrooted file systems prevent hijacked
daemons from accessing the entire file
system.
Move service’s file structure to an isolated
directory.
Change ownership from root to an arbitrary
owner and group (Ex. named)
Change file permissions.
Normal File Structure
Example of a normal BIND install:
/
/etc
/usr
/usr/bin
/var
/var/run
/var/named
chrooted File Structure
/chroot
/chroot/named
/chroot/named/dev
/chroot/named/etc
/chroot/named/etc/namedb
/chroot/named/etc/namedb/slave
/chroot/named/var/
/chroot/named/var/run
Individual Host Firewalls
Use ipchains on 2.2 and earlier kernels
Use iptables on 2.4 and later kernels
Kernel options to be selected:
Connection Tracking
FTP Protocol Support
IP Tables Support
IRC Protocol Support
Any other desired modules
Using iptables
Create a new chain (-N).
Delete an empty chain (-X).
Change the policy for a built-in chain (-P).
List the rules in a chain (-L).
Flush the rules out of a chain (-F).
Zero the packet and byte counters on all
rules in a chain (-Z).
Manipulate Rules Inside Chains
Append a new rule to a chain (-A).
Insert a new rule at some position in a
chain (-I).
Replace a rule at some position in a chain
(-R).
Delete a rule at some position in a chain,
or the first that matches (-D).
Example Firewall Script
http://www.faqs.org/docs/iptables/examplec
ode.html
System Loggers
klogd – does kernel logging
syslogd – does system logging
/etc/syslog.conf
facility.selector /var/log/logfile
syslog-ng – “syslog new generation”
more advanced than syslogd
/etc/syslog-ng.conf
Log Maintenance/Monitoring
logrotate – automatically rotates specified
log files
swatch – configured to alert system admin
through e-mail or echo with system bell
Security Scanning
To be done later in the semester…
References
Bauer, Michael D. (2003). Building Secure
Servers with Linux. Sebastobol: O’Reilly &
Associates, Inc.
Fenzi, Kevin (2001). Linux Security
HOWTO. Linux Documentation Project.
Burgess, Hal (2002). Security Quick-Start
HOWTO for Linux. Linux Documentation
Project.