Monday, March 24, 2014

Linux Server Hardening

Harden your linux server

1. Keep Linux Software Up to Date
All security update should be reviewed and applied as soon as possible
yum update
remove unwanted softwares

# yum list installed
# yum list packageName
# yum remove packageName

2. User Accounts and Strong Password Policy

Password Aging       -  /etc/login.defs
Password Complexity  -  /etc/pam.d/system-auth

3. No Non-Root Accounts Have UID Set To 0

awk -F: '($3 == "0") {print}' /etc/passwd 

4. Disable Root Login
5. Disable Unwanted Services 

Following command will list all services which are started at boot time in run level # 3:

# chkconfig --list | grep '3:on'

To disable service, enter:

# service serviceName stop
# chkconfig serviceName off

6. Close not needed open ports
7. Configure Iptables and TCPWrappers
8. /tmp hardening
9. Apache and mysql should run under different owners
10. Find all world-writable files
11. Physical security - enable BIOS and GRUB password
12 . Review Logs Regularly

/var/log/message – Where whole system logs or current activity logs are available.
/var/log/auth.log – Authentication logs.
/var/log/kern.log – Kernel logs.
/var/log/cron.log – Crond logs (cron job).
/var/log/maillog – Mail server logs.
/var/log/boot.log – System boot log.
/var/log/mysqld.log – MySQL database server log file.
/var/log/secure – Authentication log.
/var/log/utmp or /var/log/wtmp : Login records file.
/var/log/yum.log: Yum log files.

13. Ignore ICMP or Broadcast Request

Add following line in “/etc/sysctl.conf” file to ignore ping or broadcast request.

Ignore ICMP request:
net.ipv4.icmp_echo_ignore_all = 1

Ignore Broadcast request:
net.ipv4.icmp_echo_ignore_broadcasts = 1

Load new settings or changes, by running following command

#sysctl -p 

No comments:

Post a Comment