How To Make Your Linux Server Safe After The Installation

[skiller]

All hack attacks and other rubbish, etc. were we all getting, is from Linux users with an unsafe system. The hacker assume the Linux machine and the owner of the machine

do not realize that. That is the funny thing why we all get attacks.

I am writing here a how to what you have to do first after you finished your Linux installation. This is basic and the first thing what you have to do.

It is easy to understand and for beginners it takes arround 20 minutes. My favourite distri is Debain. I am not using Linux for desktop. I read many posts and saw

many users are using it as a desktop. This guys should follow up this how to, when they have access from the WAN via SSH or Telnet to the local machine.

1. Create a new user, it could be a name and follwed with some digits.

2. Choose a strong password with special charkters like +=% If you choose passwords like: passw0rd or other simple names, you get hacked straight away.

3. Add this new user into the file /etc/sudoers

vi /etc/sudoers

Look for "User privilege specification" below the user "root" you write

Your_new_username ALL=(ALL) ALL

4. Now we change the standard SSH port 22 to another port, I am using the birthday from my wife: 2412

edit the file /etc/ssh/sshd_config

vi /etc/ssh/sshd_config

Please check your firewall settings before you do that, the Port 2412 TCP must be open

Restart the SSH daemon

/etc/init.d/sshd restart

5. Now try and login with your new user and choose the new SSH port

If you are in with your new user, you need to have root permission´s

sudo su -

Enter the PW from the new user. Now you have root permissions!

6. Edit again the file /etc/ssh/sshd_config and look for # Authentication

vi /etc/ssh/sshd_config

Change the PermitRootLogin to:

PermitRootLogin no

Restart the SSH daemon

/etc/init.d/sshd restart

root is a known user on each Linux machine, with PermitRootLogin no we have diabled the user root and it is more secure.

There are many other things to make Linux safe. I am using on my server´s fail2ban too.

I have in my mind this is the basic for everybody and easy to undestand.

Comments are almost welcome....

Cheers

Michael

[ukrules]

This won't solve many problems at all, only weak password based problems.

I use port 22 for ssh and allow direct root shell login using both the username on certain accounts and ssh keys, of course my root password resembles a 10-12 randomised 'key' anyway and I have never had any kind of issue with a login being compromised, not in the last 15 years.

At one point we only allowed logins from pre defined IP addresses via some archaic script but in truth that made things a lot more hassle than it was worth when there was some kind of other problem which required manual intervention.

It's far more likely that people will gain some form of access from a weak script by manipulating the submitted variables (both POST and GET), using strangely formatted URL's or submitting usernames containing malformed commands terminated with mysql comments on the end resulting in a simple kind of exploit which will allow entrance. This is due to the programmers complete lack of experience regarding the most basic of programming security.

The main culprit for these kind of attacks in my experience is badly written open source software.

There's other things you can do to make a brute force attack impossible on your ssh port.

Simply changing the port will make little difference when someone can run a port scanner which checks every possible port number identifying any program that's listening on your server.

[urandom]

@skiller

you may not want to grant access to any user to *anything* with sudo, you can set it up so he can access only specific paths.

good practices WRT ssh are also using AllowUsers so only some of them can get access. you should really consider key authentification also, it is way more secure than password only. in fact in that case, you should disable password auth.

@ukrules

using higher ports does make a difference, port scanners will most likely scan the first 1,000 ports. check your logs and see how many brute force attempts you had on port 22. change to higher ports, all gone.

to allow only specific IPs, you can use hosts.allow instead of archaic scripts

finally, WRT security and FWIW, here are the few things I try to use:

* simple iptables rules (stateful firewall)

* unbound, DNSSEC enabled

* grsec kernel patch (low) when running a stable kernel

* hardened toolchain (relevant if you're using a source based distro)

* using ASCII passwords generated by https://www.grc.com/passwords.htm

* using ssh tunnelling on any hostile networks (i.e. not my network )

* minimal custom kernel with CONFIG_CC_STACKPROTECTOR=y

* privoxy

* as few daemons as possible

[urandom]

[OT]why can't I edit my post anymore, is there any time limit?[/OT]

forgot to add:

* only root has /sbin and /usr/sbin in its $PATH

* i have a few gigs LUKS encrypted partition for my tentacle hentai sensible data.

[skiller]

You both guys are exactly right.

I did not write this to open a discussion how to make a linux server safe. Of cource there are many things, like login only from a specific IP, RSA kyes for SSH, and, and.....

Which kind of answer are you getting, if you ask a linux newbie for iptables?

Please do not missunderstand my post. I said this is the basic.....

Cheers

Michael

[Prasert]

How likely is it that a newbie will build a linux server?

I think that the majority here will use linux with a mouse. Running linux as a server in initlevel 3 and using only the commandline, is not really a newbie thing...

[Cloggie]

Skiller,

If you live in Bangkok, interested in joining our monthly IT meetings - http://www.thaivisa....ntu-it-meeting/

Cheers,

Cloggie

Edited May 16, 2011 by Cloggie

[Crushdepth]

Passwords aren't a good security measure for internet-facing services. It's way better to use key-based authentication for SSH. If you have the option, whitelisting IP addresses that are permitted to connect to SSH is a very effective way to get rid of brute force attacks entirely.