Security

SSH is a great way to remotely administer a server. However, it still has a number of issues when you open it up to the world. The server and client communications are secure but that doesn’t mean the hosts involved are. Opening an SSH service to the world allows for brute force attacks and means that the carbon interface is still the weakest link.

Full Story

These are some services I would normally turn off on web servers.
NOTE: usage may vary.

1. gpm -- mouse
   
2. mdmonitor -- monitor raid devices
   
3. netfs -- nfs, samba etc...
4. autofs -- automount, nfs, cd etc...
5. kudzu -- detect new hardware
6. restorecond -- monitor selinux file context
7. mcstrans -- mandatory access control selinux translation

There may be more, but if you've cleaned up your rpm packages, it would probably not exist.

Below is a list of rpm packages that are not necessary on a web server. Use it as a reference starting point for cleaning up servers. You may also want to make sure not to run services not required by the server.
NOTE: usage may vary and removal should be in the order listed:

1. redhat-lsb cups system-config-printer-libs system-config-printer paps -- printer support
   
2. system-config-soundcard  -- gui for sound setup
   
3. system-config-securitylevel-tui -- gui for setting up security
   
4. nfs-utils system-config-nfs nfs-utils-lib -- nfs server
   
5. portmap -- manage RPC connections
6. ypbind yp-tools -- NIS client binding
7. htmlview  -- view webpages via gui
   
8. system-config-services system-config-samba pinfo system-config-users system-config-date -- gui configs
   
9. samba samba-client samba-common -- samba support
   
10. oprofile oprofile-devel oprofile-gui qt
11. vnc
12. libglade2 libgnomecanvas usermode-gtk libbonoboui libgnomeui libglade-java pygtk2-libglade system-config-httpd system-config-network gnome-mount libgnome-java gnome-python2-bonobo gnome-python2-canvas gnome-python2 authconfig-gtk system-config-lvm authconfig-gtk pirut gnome-vfs2 gnome-python2-gnomevfs gnome-python2-gconf libgnome libgsf librsvg2 librsvg2
    ImageMagick
13. gnome-mime-data gnome-keyring  notify-python
    
14. GConf2 notification-daemon bluez-gnome libgconf-java libnotify bluez-utils
15. libgtk-java libvte-java
16. pygtk2 system-config-language system-config-rootpassword
17. vte
18. libwnck
19. glib-java cairo-java frysk
20. libwmf
21. gtk2
22. cups-libs
    
23. ghostscript ghostscript-fonts
    
24. avahi avahi-glib
25. wpa_supplicant NetworkManager
26. system-config-rootpassword
27. system-config-language
    
28. system-config-keyboard
29. system-config-network-tui firstboot-tui
30. system-config-securitylevel-tui
31. dhcpv6_client dhcdbd dhclient -- dhcp support
    
32. irda-utils -- Infra Red communications
33. isdn4k-utils -- ISDN
34. apmd -- laptop power management
35. cpuspeed -- dynamically changing cpu speed
36. bluez-libs -- bluetooth
37. irqbalance -- irq load balancing on multi-cpus
38. rsh -- unsecure remote access
39. talk -- internet talk protocol
40. foomatic -- printer driver database
41. finger -- finger client
42. eject -- eject removable media
43. cvs -- concurrent version control
    
44. rcs -- revision control system
45. dosfstools mkbootdisk -- bootdisk
46. redhat-menus desktop-file-utils startup-notification -- desktop
47. ppp rp-pppoe wvdial -- dialup
48. esound -- sound daemon
49. pcmciautils -- PCMCIA Cardbus
50. pcsc-lite coolkey ifd-egate ccid
51. OpenIPMI net-snmp-libs
52. ImageMagick-devel -- ImageMagick development package
53. xorg-x11-devel -- X server development package
54. acpid -- power management

chkrootkit is a tool to locally check your system for signs of a compromise via rootkits. It contains a shell script that checks system binaries for rootkit modification, signs of LKM trojans, interface modes and lastlog, wtmp, utmp deletions.

Install via:

Make sure to check the md5sum of the download as well.

Put the below into "/etc/cron.daily/chkrootkit.sh" to run a daily report:

The cron script will only output an email if it detects anything suspicious.

Note, that bindshell port 465 infection is a false alarm as in my case EXIM uses port 465 for secure connections. So, you could similarly grep out any such false alarm and adjust the cron script.

lftp ftp client support tls/ssl so why not use a secure connection for ftp.

Insist on your host to serve up ftp with tls/ssl support so all data is secured.

If using proftpd server, tls/ssl can be configured via "/etc/proftpd.conf":

The certificate can be generated to be used on the ftp server via:

Reference:

• ProFTPD mini HOWTO TLS

If you need to flush your firewall iptables rules, do not do a direct `iptables --flush` from a remote machine if the default policy is set to DROP packets, you will lock yourself out.

Run the below script instead:

or set the default policy to ACCEPT before flushing.

To find the default policy:

These are notes, I had taken down while setting up ISPConfig Hosting Control Panel on LayeredTechs Grid. Most of the steps were referenced via howtoforge and ispconfig installation notes. There were some gotchas to look out for and has bee noted below:

转载请

rkhunter (or Rootkit Hunter) is a Unix-based tool that scans for rootkits, backdoors and local exploits. It does this by comparing MD5 hash of important files with known good ones in an online database, searching for default directories (of rootkits), wrong permissions, hidden files, suspicious strings in kernel modules. It should run on almost every Unix clone.

Installation notes: