Friday, March 28, 2008

Linux Security tips

There are some things you should secure on your Linux server.

1. Software Firewall
For security purposes, the software-based firewall included in every freshly deployed dedicated server operating system has been enabled and configured to allow only the minimal amount of connectivity required for you to access and configure your server. For Linux/UNIX users, this means that port 22 is permitting SSH connections. Port 80 (HTTP/Web) and port 443 (HTTPS/SSL Web) have been opened to allow all standard web traffic. In addition, the required ports for control panel access have been opened if you have ordered a control panel from ServePath. Finally, ICMP Ping has been permitted to give our monitoring services the access they need to help manage our network.

2. File Permission
There are certain files whose presence in the Linux file system can present a security risk and should be remedied as soon as possible. When the SUID (set user ID) or SGID (set group ID) bit is set on an executable, that program runs with the UID or GID of the file's owner instead of that of the user executing it. This means that every executable with the SUID bit set that is owned by root runs with the UID of root. This situation is a security risk and should be minimized unless the program is specifically designed to run that way. To find all files on your file system that have the SUID or SGID bit set, execute the command:
# find / -path /proc -prune -o -type f -perm /6000 -ls
(Older versions of GNU find spell the last test -perm +6000; current versions use -perm /6000.)
It is good practice to generate a list of SUID and SGID files on your server as soon as possible and to re-run the above command on a regular basis to ensure that new binaries with unsafe permissions are not being added to your server. World-writable files are a security risk as well: world-writable files let anyone modify their contents, and world-writable directories let anyone add or delete files in them. To find all world-writable files and directories, execute the command:
# find / -path /proc -prune -o -perm -2 ! -type l -ls

Another file permission issue is when files are not owned by any user or group. While this is not technically a security vulnerability, an audited system should not contain any unowned files. This is to prevent the situation where a new user is assigned a previous user’s UID so that the previous owner’s files, if any, are all owned by the new user. To find all files that are not owned by any user or group, execute the command:
# find / -path /proc -prune -o \( -nouser -o -nogroup \) -ls
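The three checks in this section, as an added example that is not part of the original post: a small audit script that runs the SUID/SGID, world-writable and unowned-file searches against a directory tree and reports each list with a count. It assumes GNU find (for -nouser, -nogroup and the -perm /mode spelling); the sample tree that make_sample_tree builds is constructed for the demo so the script can be exercised without touching the real filesystem.

```shell
#!/bin/sh
# Added example: audit a tree for the permission problems described above.
# Assumes GNU find. The sample tree is constructed; on a real server run
# audit_tree / instead.

# SUID or SGID regular files under the tree given as $1.
find_setid() {
    find "$1" -path /proc -prune -o -type f -perm /6000 -print
}

# World-writable files and directories under $1. Symlinks are excluded: a
# symlink's own mode is always 777 and the target's permissions are what count.
find_world_writable() {
    find "$1" -path /proc -prune -o -perm -0002 ! -type l -print
}

# Files under $1 whose owning UID or GID no longer exists on the system.
# The parentheses matter: without them "-o -nouser -o -nogroup" would also
# print the pruned directory itself.
find_unowned() {
    find "$1" -path /proc -prune -o \( -nouser -o -nogroup \) -print
}

# Number of paths a finder reports: finder name as $1, tree as $2.
count_findings() {
    "$1" "$2" | wc -l | tr -d ' '
}

# Build a constructed tree holding one of each problem kind (plus two
# decoys that must NOT be reported) and print its path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir "$d/bin" "$d/shared"
    printf '#!/bin/sh\necho setuid\n' > "$d/bin/setuid_tool"
    chmod 4755 "$d/bin/setuid_tool"          # SUID: reported by find_setid
    : > "$d/bin/normal_tool"
    chmod 0755 "$d/bin/normal_tool"          # plain executable: not reported
    : > "$d/shared/notes.txt"
    chmod 0666 "$d/shared/notes.txt"         # world-writable file
    chmod 1777 "$d/shared"                   # world-writable (sticky) directory
    ln -s /etc/hostname "$d/shared/link"     # symlink: not reported
    printf '%s' "$d"
}

# Run all three checks on a tree and print a short report.
audit_tree() {
    for check in find_setid find_world_writable find_unowned; do
        echo "== $check ($(count_findings "$check" "$1") found)"
        "$check" "$1"
    done
}

SAMPLE_TREE=$(make_sample_tree)
audit_tree "$SAMPLE_TREE"
rm -rf "$SAMPLE_TREE"
```

Keep the first report as a baseline and diff later runs against it; a new entry in the SUID list is the signal the post asks you to watch for.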

3. Listening Ports
It is very important to ensure that the listening ports on your server are limited to only those that are necessary for your server and its applications. To get a list of listening network ports, run the following command:
# netstat -tulp
Disable any ports that are not necessary. To do so, kill the PID (process ID) shown by netstat. The only port that your server must be listening on is SSH (port 22/tcp). Other ports that will need to be listening depend upon the specific purpose of your dedicated server. Note that by killing the PID of the process you are not preventing your server from starting the same service again on bootup. In order to see what programs your server is launching on startup, execute the following command:
# chkconfig --list | grep on     (Red Hat systems)
# ls -l /etc/rc2.d/S* | cut -d/ -f6     (Debian systems)

These commands show you which programs are to be executed in which run levels. In Red Hat, full multi-user mode is run level 3. To disable a service permanently, issue the following command:
# chkconfig <service> off
where <service> is the name of your service, such as httpd.

To disable any service in Debian, simply execute the following command:
# rm -f /etc/rc2.d/S*<service>

Please note that the above commands do not actually disable the service, they simply prevent the service from being executed on startup.
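An added example, not from the original post, for the listening-port review above: it compares the listeners in "netstat -tulpn" output (current systems give the same columns with "ss -tulpn") against an allowlist of the ports this server is meant to serve, and prints everything else together with the owning program and whether it is bound to loopback only or to all interfaces. The netstat output and program names below are constructed for the demo; on a real server write the live output to a file and pass that instead.

```shell
#!/bin/sh
# Added example: report listeners that are not on an allowlist.
# The netstat sample is constructed; PIDs and program names are fake.

write_sample_netstat() {
    cat > "$1" <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1204/httpd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1333/mysqld
tcp6       0      0 :::6000                 :::*                    LISTEN      1500/Xorg
udp        0      0 0.0.0.0:111             0.0.0.0:*                           701/rpcbind
EOF
}

# $1: space-separated allowlist such as "tcp/22 tcp/80 tcp/443"
# $2: file holding "netstat -tulpn" output
# Prints one line per listener that is not allowlisted:
#   proto/port  loopback-only|all-interfaces  PID/program
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^(tcp|udp)6?$/ {
            proto = substr($1, 1, 3)              # fold tcp6/udp6 into tcp/udp
            m = split($4, addr, ":")              # the port is the last ":"-field
            port = addr[m]
            key = proto "/" port
            if (key in ok) next
            scope = ($4 ~ /^(127\.|::1:)/) ? "loopback-only" : "all-interfaces"
            print key, scope, $NF                 # $NF: udp rows have no State column
        }
    ' "$2"
}

SAMPLE_NETSTAT=$(mktemp)
write_sample_netstat "$SAMPLE_NETSTAT"
echo "listeners outside the allowlist:"
unexpected_listeners "tcp/22 tcp/80 tcp/443" "$SAMPLE_NETSTAT"
rm -f "$SAMPLE_NETSTAT"
```

A loopback-only listener (the mysqld line in the sample) is not reachable from the network, so it usually needs a firewall rule less than an all-interfaces one does, but it is still a process to account for and, if unneeded, to stop and remove from startup as the section describes.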

4. Unlocked User Accounts
The first thing you should take stock of on a new server is the set of users with unlocked accounts. Users with unlocked accounts are allowed to log in if they are assigned a valid shell, and they should be kept to a minimum. To get a list of unlocked users, execute the following command:
# egrep -v '^[^:]*:[*!]' /etc/shadow | awk -F: '{print $1}'

If you do not recognize any user returned by the above command, check to see if that user owns any files by executing the command:
# find / -path /proc -prune -o -user <username> -ls
where <username> is the name of the user you do not recognize, such as jdoe.

If the user does not own any files, or owns only files whose removal will not affect the stability of your server, delete the user by executing the command:
# userdel -r <username>
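The account review from this section, as an added example that is not part of the original post: three awk one-liners wrapped in functions that work on shadow- and passwd-format files, listing unlocked accounts, the accounts whose password field is empty (the worst case), and the accounts that are both unlocked and have a real login shell. Both sample files are constructed (fake users, fake hash strings) so the functions can be run offline; on a real server pass /etc/shadow and /etc/passwd instead.

```shell
#!/bin/sh
# Added example: find accounts that can still authenticate.
# The shadow/passwd samples are constructed; the hashes are not real.

# Write constructed shadow and passwd files into the directory $1.
write_samples() {
    cat > "$1/shadow" <<'EOF'
root:$6$c0nstructed$notARealHashJustASample:17500:0:99999:7:::
daemon:*:17500:0:99999:7:::
jdoe:$6$c0nstructed$anotherFakeHashValue:17600:0:99999:7:::
olduser:!$6$c0nstructed$lockedFakeHashValue:17600:0:99999:7:::
backup:$6$c0nstructed$yetAnotherFakeHash:17600:0:99999:7:::
nopass::17600:0:99999:7:::
svc:!!:17600:0:99999:7:::
EOF
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jdoe:x:1000:1000:John Doe:/home/jdoe:/bin/bash
olduser:x:1001:1001:Former user:/home/olduser:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
nopass:x:1002:1002:No password:/home/nopass:/bin/sh
svc:x:999:999:service:/var/lib/svc:/usr/sbin/nologin
EOF
}

# Unlocked accounts in the shadow file $1: the password field (field 2) does
# not start with '*' or '!'. That covers both a usable hash and an EMPTY field.
unlocked_accounts() {
    awk -F: '$2 !~ /^[*!]/ { print $1 }' "$1"
}

# Accounts with an empty password field: depending on the PAM configuration
# these may be able to log in with no password at all.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Accounts unlocked in the shadow file $1 AND given a real login shell in the
# passwd file $2 (nologin/false shells cannot get an interactive session).
loginable_accounts() {
    awk -F: '
        NR == FNR { if ($2 !~ /^[*!]/) unlocked[$1] = 1; next }
        ($1 in unlocked) && $7 !~ /\/(nologin|false)$/ { print $1 }
    ' "$1" "$2"
}

SAMPLE_DIR=$(mktemp -d)
write_samples "$SAMPLE_DIR"
echo "unlocked:";       unlocked_accounts "$SAMPLE_DIR/shadow"
echo "empty password:"; empty_password_accounts "$SAMPLE_DIR/shadow"
echo "can log in:";     loginable_accounts "$SAMPLE_DIR/shadow" "$SAMPLE_DIR/passwd"
rm -rf "$SAMPLE_DIR"
```

In the sample, backup is unlocked but cannot log in because its shell is nologin, while nopass both is unlocked and has an empty password field; the two lists together tell you which accounts to lock with usermod -L or remove with userdel as above.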

5. Enable/Disable Features
All of the following lines and values should be added to the file /etc/sysctl.conf if you want to enable or disable the feature mentioned. You will need to restart your system for these changes to take effect:
TCP SYN cookie protection: net.ipv4.tcp_syncookies = 1
Disable IP source routing: net.ipv4.conf.all.accept_source_route = 0
Disable ICMP redirect acceptance: net.ipv4.conf.all.accept_redirects = 0
IP spoofing protection (reverse path filtering): net.ipv4.conf.all.rp_filter = 1
Ignore ICMP broadcast requests: net.ipv4.icmp_echo_ignore_broadcasts = 1
Bad error message protection: net.ipv4.icmp_ignore_bogus_error_responses = 1
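An added example, not part of the original post, for keeping the settings above in place: a drift check that parses a sysctl.conf-style file, compares each of the six hardening keys with its intended value, and reports keys that are missing or set the other way; a second helper reads what the running kernel currently uses from /proc/sys. The sample file is constructed with one wrong and one missing entry; on a real server run check_sysctl_conf /etc/sysctl.conf. The file is also applied without a reboot by sysctl -p.

```shell
#!/bin/sh
# Added example: report hardening keys missing or wrong in a sysctl.conf file.
# The sample configuration is constructed for the demo.

# Key and desired value, one pair per line (the six settings from this section).
HARDENING='net.ipv4.tcp_syncookies 1
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.rp_filter 1
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.icmp_ignore_bogus_error_responses 1'

# Constructed sysctl.conf: accept_redirects is wrong on purpose and
# icmp_ignore_bogus_error_responses is left out on purpose.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sysctl.conf sample
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_redirects = 1   # wrong: should be 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
EOF
}

# Print "MISSING key (want v)" or "WRONG key = got (want v)" lines for the
# file $1, sorted for stable output; prints nothing when all keys are right.
check_sysctl_conf() {
    awk -v want="$HARDENING" '
        BEGIN {
            n = split(want, rows, "\n")
            for (i = 1; i <= n; i++) { split(rows[i], kv, " "); desired[kv[1]] = kv[2] }
        }
        /^[ \t]*(#|$)/ { next }                   # skip comments and blank lines
        {
            line = $0
            sub(/#.*/, "", line)                  # strip a trailing comment
            eq = index(line, "=")
            if (eq == 0) next
            k = substr(line, 1, eq - 1); v = substr(line, eq + 1)
            gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
            got[k] = v                            # last assignment wins, as sysctl does
        }
        END {
            for (k in desired) {
                if (!(k in got))
                    print "MISSING " k " (want " desired[k] ")"
                else if (got[k] != desired[k])
                    print "WRONG " k " = " got[k] " (want " desired[k] ")"
            }
        }
    ' "$1" | sort
}

# Value the running kernel uses for key $1 (Linux only): sysctl keys map to
# /proc/sys paths with the dots replaced by slashes. Prints n/a elsewhere.
live_value() {
    p="/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$p" ]; then cat "$p"; else echo "n/a"; fi
}

SAMPLE_CONF=$(mktemp)
write_sample_conf "$SAMPLE_CONF"
check_sysctl_conf "$SAMPLE_CONF"
echo "running kernel tcp_syncookies: $(live_value net.ipv4.tcp_syncookies)"
rm -f "$SAMPLE_CONF"
```

Checking the file catches settings that were never written down; comparing live_value output against the same list catches settings that are in the file but were never applied.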
