IMPORTANT NOTE: Never assume the directory structures exist in your system as written in the document. Never blindly follow security instructions — read, review, compare, apply as it fits your system.,
Update your server as necessary
As its nature, Linux is a multi-developer operating system and you might see an update on any package everyday, an updater like YUM if you don’t change it’s default behavior hosts the most recent stable versions of each package that you install on your server.
Compared to other operating systems, updating Linux is easy as writing a command to terminal, the rest will be automated by YUM. Yum can be extended by independent software repositories like Repoforge. RPMforge is a collaboration of Dag and other packagers. They provide over 5000 packages for CentOS, including wine, vlc, mplayer, xmms-mp3, and other popular media tools. It is not part of Red Hat or CentOS but is designed to work with those distributions.
To install Rpmforge, run;
rpm -Uvh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.rf.src.rpm
If you get an error with the command, check the web site for a recent version. If you are using a control panel like Directadmin you better exclude the packages below from yum as they are maintained by the control panel updater;
exclude=apache* httpd* mod_* mysql* MySQL* da_* *ftp* exim* sendmail* php* bind-chroot*
and the last thing you should do is to type
yum upgrade
We suggest you to run the update at least every once a month.
Disable Telnet
Nowadays, Telnet is mostly given its role to SSH; more secure remote shell client, because Telnet is sending the passwords in readable clear text. Also SSH have many abilities that you can use such as private-keys that you can use to log in to the server without writing down a password. Public key is mostly used when you need root access even you don’t know the root password (root password might be changed by the system administrator or by your client which you install the system for).
Connect to the server and edit /etc/xinetd.d/telnet by typing;
vi /etc/xinetd.d/telnet
if exists disable = no change to disable = yes
save & exit (SHIFT + ZZ)
Restrict Access to applications that can directly connect to the Internet
Even an attacker leak into your server, it is better to give him no chance to download his applications to the server, don’t give run permission to following applications except root user by typing;
chmod 700 /usr/bin/wget
chmod 700 /usr/bin/telnet
chmod 700 /usr/local/bin/lynx
chmod 700 /usr/bin/links
chmod 700 /usr/bin/bcc
chmod 700 /usr/bin/byacc
chmod 700 /usr/bin/cc
chmod 700 /usr/bin/gcc
chmod 700 /usr/bin/perlcc
chmod 700 /usr/bin/yacc
chmod 0700 /usr/bin/curl
chmod 700 /usr/bin/lwp-*
chmod 700 /usr/bin/*ncftp*
Also please note that, if you are taking backups of your domains/dbs to the same server, be aware that a directory created without explicit permission will be readable by all users, to make the directory readable only by root, type;
chmod 600 /backups
Restrict OS level function calling to PHP
In a shared hosting environment, even a customer of yours may try to explore your server. If you don’t have any reason to call the functions below, restrict them;
edit /etc/php.ini (or whereever it is, for directadmin you can check /usr/local/lib/php.ini) and find the line disable_functions and replace with the below line:
disable_functions = apache_get_modules,apache_get_version,apache_getenv,apache_note, apache_setenv,disk_free_space,diskfreespace,dl, highlight_file,ini_alter,ini_restore,openlog,passthru,phpinfo, proc_nice,shell_exec,show_source,symlink,system, exec,popen,escapeshellarg,escapeshellcmd,myshellexec,c99_buff_prepare,c99_sess_ put,fpassthru
Block executing commands on the /tmp Partition
Several script languages like PHP, holds temporary files like session,upload and cache on the /tmp partition on Linux systems. İf the attacker has an access to this folder then those scripts can be run from this point so with this way, all system files can be reached or accessed by root. To block running of files which are in the /tmp partition, it must not be given run permission while mounting /tmp partition.
To do this process, you have to choose /tmp partition as seperate partition while installaing the system. Enter this command in the command line to check this setting:
df -h # or
mount
Enter this command:
[root@xxx ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00 2.9G 820M 1.9G 30% /
/dev/mapper/VolGroup00-LogVol02 2.9G 288M 2.4G 11% /tmp
/dev/mapper/VolGroup00-LogVol04 7.8G 3.8G 3.7G 51% /var
/dev/mapper/VolGroup00-LogVol05 44G 35G 6.6G 85% /hsphere
/dev/mapper/VolGroup00-LogVol03 4.8G 908M 3.6G 20% /usr
/dev/sda1 99M 36M 58M 39% /boot
tmpfs 2.0G 0 2.0G 0% /dev/shm
If you can not see a seperate /tmp partition like in the example, create a new 3 GB /tmp partition by applying steps below. If there is a /tmp partition then follow with the step 2:
Step 1:
cd /dev/
dd if=/dev/zero of=Tmp bs=1024 count=3000000
mkfs -t ext3 /dev/Tmp
cd /
cp -aR /tmp /tmp_backup
mount -o loop,noexec,nosuid,rw /dev/Tmp /tmp
cp -aR /tmp_backup/* /tmp/
chmod 0777 /tmp
chmod +t /tmp
Add information of the newly created partition into the /etc/fstab in order to make it available after next boot.
/dev/Tmp /tmp ext3 loop,rw,nosuid,noexec 0 0
If you already have /tmp partition, please apply the below steps.
Step 2:
change “defaults” in the line starting with /tmp in /etc/fstab to restrict running applications such as
/dev/VolGroup00/LogVol02 /tmp ext3 defaults 1 2
to
/dev/VolGroup00/LogVol02 /tmp ext3 rw,nosuid,noexec 1 2
Change defaults region as rw,nosuid,noexec then save and exit. Remount /tmp partition in order to make changes available immediately by typing;
mount -oremount loop,rw,nosuid,noexec /tmp
..
note: Some parts of this document inspired from the documentation of dynamicnet.net
[…] copy php.ini-production to /etc/php.ini and edit the file based on your performance requirements, please have a look at our security pages to secure your php configuration from the link. […]