Monday, March 24, 2014

Linux Server Hardening

Harden your Linux server

1. Keep Linux Software Up to Date
All security updates should be reviewed and applied as soon as possible:
# yum update
Remove unwanted software:

# yum list installed
# yum list packageName
# yum remove packageName


2. User Accounts and Strong Password Policy


Password Aging       -  /etc/login.defs
Password Complexity  -  /etc/pam.d/system-auth


3. No Non-Root Accounts Have UID Set To 0

awk -F: '($3 == "0") {print}' /etc/passwd 

4. Disable Root Login
5. Disable Unwanted Services 

The following command lists all services that are started at boot time in runlevel 3:

# chkconfig --list | grep '3:on'

To disable a service, enter:

# service serviceName stop
# chkconfig serviceName off


6. Close open ports that are not needed
7. Configure Iptables and TCPWrappers
8. /tmp hardening
9. Apache and mysql should run under different owners
10. Find all world-writable files
11. Physical security - enable BIOS and GRUB password
12. Review Logs Regularly

/var/log/messages – System-wide logs and current activity logs.
/var/log/auth.log – Authentication logs.
/var/log/kern.log – Kernel logs.
/var/log/cron.log – Crond logs (cron job).
/var/log/maillog – Mail server logs.
/var/log/boot.log – System boot log.
/var/log/mysqld.log – MySQL database server log file.
/var/log/secure – Authentication log.
/var/log/utmp or /var/log/wtmp – Login records file.
/var/log/yum.log – Yum log files.


13. Ignore ICMP or Broadcast Request
 

Add the following lines to the “/etc/sysctl.conf” file to ignore ping or broadcast requests.

Ignore ICMP request:
net.ipv4.icmp_echo_ignore_all = 1

Ignore Broadcast request:
net.ipv4.icmp_echo_ignore_broadcasts = 1

Load the new settings by running the following command:

# sysctl -p
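
An audit sketch for items 3, 10 and 13 above, added here as an example and not part of the original post. The function names and the sample passwd and sysctl.conf contents are constructed; each function takes a path so it can be run against a copy before pointing it at the live files.

```shell
#!/bin/sh
# Added example: audit helpers for items 3, 10 and 13 of the checklist.
# Function names and sample data are constructed for illustration.

# Item 3: print accounts other than root whose UID is 0.
uid0_non_root() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "${1:-/etc/passwd}"
}

# Item 10: list world-writable regular files under a directory,
# staying on one filesystem (-xdev).
world_writable_files() {
    find "${1:-/}" -xdev -type f -perm -0002 2>/dev/null | sort
}

# Item 13: print the value a sysctl.conf-style file assigns to a key.
# Comment lines (# or ;) are skipped; the last assignment wins.
sysctl_conf_value() {
    awk -F= -v key="$2" '
        /^[ \t]*[#;]/ { next }
        {
            k = $1; v = $2
            gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
            if (k == key) val = v
        }
        END { print val }' "${1:-/etc/sysctl.conf}"
}

# Demo on constructed sample data in a scratch directory (runs in a subshell).
audit_demo() (
    umask 022
    d=$(mktemp -d) || exit 1
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'toor:x:0:0:backup admin:/root:/bin/bash' \
        'apache:x:48:48:Apache:/var/www:/sbin/nologin' > "$d/passwd"
    printf '%s\n' '# constructed sample' \
        'net.ipv4.icmp_echo_ignore_all = 0' \
        'net.ipv4.icmp_echo_ignore_broadcasts = 1' \
        'net.ipv4.icmp_echo_ignore_all = 1' > "$d/sysctl.conf"
    touch "$d/ok.txt" "$d/open.txt"; chmod 644 "$d/ok.txt"; chmod 666 "$d/open.txt"
    echo "UID 0, not root: $(uid0_non_root "$d/passwd")"
    echo "World-writable:  $(world_writable_files "$d" | sed "s|$d/||")"
    echo "icmp_echo_ignore_all = $(sysctl_conf_value "$d/sysctl.conf" net.ipv4.icmp_echo_ignore_all)"
    rm -rf "$d"
)
audit_demo
```

Any name printed by uid0_non_root is an account with full root privileges under another login, and any path printed by world_writable_files can be modified by every local user.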


