IMPORTANT NOTE: Never assume the directory structures exist on your system as written in this document. Never blindly follow security instructions: read, review, compare, and apply what fits your system.

Update your server as necessary

By its nature, Linux is a multi-developer operating system, and you may see an update to some package every day. An updater such as YUM, if you do not change its default behaviour, serves the most recent stable version of each package installed on your server.

Compared to other operating systems, updating Linux is as easy as typing one command in the terminal; the rest is automated by YUM. YUM can be extended with independent software repositories such as RPMforge. RPMforge is a collaboration of Dag and other packagers. They provide over 5000 packages for CentOS, including wine, vlc, mplayer, xmms-mp3, and other popular media tools. It is not part of Red Hat or CentOS but is designed to work with those distributions.

To install RPMforge, run:

rpm -Uvh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.rf.src.rpm

If the command fails, check the web site for a more recent version (note that the URL above ends in .src.rpm, a source package; the installable release package for your CentOS version and architecture is a binary .rpm listed on the same site). If you are using a control panel such as DirectAdmin, exclude the packages below from YUM, since they are maintained by the control panel's own updater; add this line to the [main] section of /etc/yum.conf:

exclude=apache* httpd* mod_* mysql* MySQL* da_* *ftp* exim* sendmail* php* bind-chroot*

Finally, type:

yum upgrade

We suggest running the update at least once a month.

Disable Telnet


Nowadays, Telnet has mostly given its role to SSH, a more secure remote shell, because Telnet sends passwords in readable clear text. SSH also offers features such as private-key authentication, which lets you log in to the server without typing a password. Public-key authentication is commonly used when you need root access but do not know the root password (the root password may have been changed by the system administrator or by the client you installed the system for).

Connect to the server and edit /etc/xinetd.d/telnet by typing:

vi /etc/xinetd.d/telnet

If the file contains disable = no, change it to disable = yes.

Save and exit (SHIFT + ZZ).
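As an added example (not from the original post), a small script that applies this edit non-interactively and verifies it; it runs here on a constructed copy of a typical xinetd telnet service file rather than on the real one:

```shell
#!/bin/sh
# Added example, not part of the original post. Sets "disable = yes" in an
# xinetd service file: an existing disable line is replaced, and if there is
# none, one is inserted before the closing brace of the service block.
disable_xinetd_service() {
    tmp=$(mktemp)
    awk '
        /^[[:space:]]*disable[[:space:]]*=/ { print "\tdisable\t\t= yes"; seen = 1; next }
        /^[[:space:]]*}/ && !seen           { print "\tdisable\t\t= yes"; seen = 1 }
        { print }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Return 0 if the file explicitly disables the service, 1 otherwise.
xinetd_service_disabled() {
    grep -Eiq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$1"
}

# Constructed copy of a typical /etc/xinetd.d/telnet with the service enabled.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
service telnet
{
    flags           = REUSE
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/sbin/in.telnetd
    log_on_failure  += USERID
    disable         = no
}
EOF

xinetd_service_disabled "$SAMPLE" && echo "before: disabled" || echo "before: enabled"
disable_xinetd_service "$SAMPLE"
xinetd_service_disabled "$SAMPLE" && echo "after: disabled" || echo "after: enabled"
rm -f "$SAMPLE"
```

On a real server, run the function against /etc/xinetd.d/telnet and then restart xinetd (service xinetd restart) so the change takes effect.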

Restrict Access to applications that can directly connect to the Internet


Even if an attacker gets into your server, it is better to give him no chance to download his tools onto it. Remove run permission for all users except root on the following applications by typing:

chmod 700 /usr/bin/wget
chmod 700 /usr/bin/telnet
chmod 700 /usr/local/bin/lynx
chmod 700 /usr/bin/links
chmod 700 /usr/bin/bcc
chmod 700 /usr/bin/byacc
chmod 700 /usr/bin/cc
chmod 700 /usr/bin/gcc
chmod 700 /usr/bin/perlcc
chmod 700 /usr/bin/yacc
chmod 0700 /usr/bin/curl
chmod 700 /usr/bin/lwp-*
chmod 700 /usr/bin/*ncftp*

Also note that if you keep backups of your domains/databases on the same server, a directory created without explicit permissions is readable by all users (with the default umask). To make the directory accessible only by root, type the command below (for a directory, mode 700 is the usual choice, since the execute bit is what allows entering it; root bypasses these bits either way, so 600 still locks out everyone else):

chmod 600 /backups
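An added example (not from the original post) that audits the result of the chmod commands above: it reports every listed path that still grants group or other users any permission bits. It runs here on a constructed sandbox directory standing in for /usr/bin and /backups, never on the real paths:

```shell
#!/bin/sh
# Added example, not part of the original post: audit the "root only" rule
# applied above. Paths may be globs (as in /usr/bin/lwp-*); anything that
# still has group/other bits set is printed as "mode path".

# Print entries still reachable by non-root users; return 1 if any were found.
audit_root_only() {
    found=0
    for p in "$@"; do
        if [ ! -e "$p" ]; then
            echo "missing $p"       # unexpanded glob or package not installed
            continue
        fi
        mode=$(printf '%04d' "$(stat -c '%a' "$p")")   # e.g. 0755, 4755
        go=${mode#??}               # drop the special and owner digits
        if [ "$go" != "00" ]; then
            echo "$mode $p"
            found=1
        fi
    done
    return $found
}

# Constructed sandbox standing in for /usr/bin and /backups (never the real
# paths, so the example is safe to run anywhere).
build_sandbox() {
    d=$(mktemp -d)
    mkdir "$d/backups"
    : > "$d/wget"; : > "$d/curl"; : > "$d/lwp-request"
    chmod 755 "$d/wget"          # not yet hardened: should be reported
    chmod 700 "$d/curl"          # hardened as in the post: silent
    chmod 700 "$d/lwp-request"
    chmod 755 "$d/backups"       # default directory mode: should be reported
    echo "$d"
}

SANDBOX=$(build_sandbox)
if audit_root_only "$SANDBOX/wget" "$SANDBOX/curl" "$SANDBOX"/lwp-* "$SANDBOX/backups"; then
    echo "all entries are root-only"
else
    echo "some entries are still accessible to other users"
fi
rm -rf "$SANDBOX"
```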

Restrict OS-level function calls from PHP


In a shared hosting environment, even one of your own customers may try to explore your server. If you have no reason to allow the functions below, restrict them:

Edit /etc/php.ini (or wherever it is; for DirectAdmin check /usr/local/lib/php.ini), find the disable_functions line and replace it with the line below:

disable_functions = apache_get_modules,apache_get_version,apache_getenv,apache_note,apache_setenv,disk_free_space,diskfreespace,dl,highlight_file,ini_alter,ini_restore,openlog,passthru,phpinfo,proc_nice,shell_exec,show_source,symlink,system,exec,popen,escapeshellarg,escapeshellcmd,myshellexec,c99_buff_prepare,c99_sess_put,fpassthru

Note that disable_functions only affects PHP's built-in functions, so entries such as myshellexec, c99_buff_prepare and c99_sess_put (names defined by web shell scripts rather than by PHP) are harmless but have no effect. Check that the applications your customers run do not depend on any of the listed functions before applying the line, and restart the web server afterwards so the new php.ini is read.
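An added example (not from the original post) that checks which functions from a list are still missing from a php.ini's disable_functions; it runs on a constructed php.ini fragment, and proc_open, which the post's list does not include, is added to the checked names as an assumption since it also spawns processes:

```shell
#!/bin/sh
# Added example, not part of the original post. Reports which of the given
# built-in PHP functions are not listed in a php.ini's disable_functions.
# Only built-ins can be disabled this way; user-defined names have no effect.

# Print the effective disable_functions list from INI, one name per line.
# The last uncommented assignment is taken, since later entries in php.ini
# override earlier ones. Names are compared exactly as written.
disabled_functions() {
    grep -i '^[[:space:]]*disable_functions[[:space:]]*=' "$1" | tail -n 1 \
        | sed 's/^[^=]*=//' | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$'
}

# Print every function (arguments after INI) not covered; return 1 if any.
missing_disabled() {
    ini=$1; shift
    have=$(disabled_functions "$ini")
    rc=0
    for f in "$@"; do
        if ! printf '%s\n' "$have" | grep -qx "$f"; then
            echo "$f"
            rc=1
        fi
    done
    return $rc
}

# Constructed php.ini fragment: a commented-out old line, then a partial list
# with odd spacing around the commas, which PHP tolerates.
INI=$(mktemp)
cat > "$INI" <<'EOF'
; constructed example, not a real server's php.ini
;disable_functions = exec
disable_functions = shell_exec, system, passthru ,dl
EOF

# proc_open is not in the post's list; assumed here as it also spawns processes.
if missing_disabled "$INI" exec shell_exec system passthru popen proc_open phpinfo dl; then
    echo "all checked functions are disabled"
else
    echo "the functions above are still enabled"
fi
rm -f "$INI"
```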

Block executing commands on the /tmp partition


Several scripting languages such as PHP keep temporary files (sessions, uploads, cache) on the /tmp partition of Linux systems. If an attacker can write to this directory, scripts dropped there can be run from it and used as a foothold against the rest of the system. To block execution of files on the /tmp partition, it must be mounted without execute permission (noexec).

For this, /tmp has to be a separate partition, which is chosen when the system is installed. Check with one of these commands:

df -h # or
mount

Example output (with a separate /tmp partition):

[root@xxx ~]# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00 2.9G  820M  1.9G  30% /
/dev/mapper/VolGroup00-LogVol02 2.9G  288M  2.4G  11% /tmp
/dev/mapper/VolGroup00-LogVol04 7.8G  3.8G  3.7G  51% /var
/dev/mapper/VolGroup00-LogVol05 44G   35G  6.6G  85% /hsphere
/dev/mapper/VolGroup00-LogVol03 4.8G  908M  3.6G  20% /usr
/dev/sda1              99M   36M   58M  39% /boot
tmpfs                 2.0G     0  2.0G   0% /dev/shm

If you cannot see a separate /tmp partition as in the example, create a new 3 GB /tmp file system by following Step 1 below. If there already is a /tmp partition, skip to Step 2:

Step 1:

cd /dev/
dd if=/dev/zero of=Tmp bs=1024 count=3000000
mkfs -t ext3 /dev/Tmp
cd /
cp -aR  /tmp  /tmp_backup
mount  -o  loop,noexec,nosuid,rw  /dev/Tmp  /tmp
cp -aR /tmp_backup/* /tmp/
chmod 0777 /tmp
chmod +t  /tmp

Add the new file system to /etc/fstab so it is mounted again after the next boot. (Caveat: on systems where /dev is a tmpfs managed by udev, a file created under /dev lives in memory and disappears at reboot; in that case place the image file on a persistent file system and use that path in both the mount command and the fstab line.)

/dev/Tmp          /tmp          ext3          loop,rw,nosuid,noexec     0 0

If you already have a /tmp partition, apply the steps below instead.

Step 2:

Change “defaults” in the line starting with /tmp in /etc/fstab so that executables cannot be run from it; for example, change

/dev/VolGroup00/LogVol02 /tmp                    ext3    defaults 1 2

to

/dev/VolGroup00/LogVol02 /tmp                    ext3     rw,nosuid,noexec 1 2

Replace defaults with rw,nosuid,noexec, then save and exit. Remount the /tmp partition to make the change effective immediately by typing:

mount -o remount,rw,nosuid,noexec /tmp
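An added example (not from the original post) that checks the options above in both places they must appear: /etc/fstab for the next boot and /proc/mounts for the running system. Both use the same six-field format, and the script runs here on constructed copies of each:

```shell
#!/bin/sh
# Added example, not part of the original post. /etc/fstab and /proc/mounts
# share the format "device mountpoint fstype options dump pass", so one
# parser checks both the persistent and the live mount options of /tmp.

# Print the options field for MOUNTPOINT in FILE; comments are skipped and,
# if the mountpoint appears more than once, the last entry is taken (in
# /proc/mounts that is the mount currently on top). Prints nothing if absent.
mount_options() {
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { opts = $4 } END { print opts }' "$1"
}

# Usage: require_options FILE MOUNTPOINT opt...
# Return 0 if every option is present in that entry, 1 otherwise, naming
# the missing ones. "defaults" implies exec and suid, so it never counts
# as nosuid or noexec.
require_options() {
    opts=$(mount_options "$1" "$2"); shift 2
    rc=0
    for want in "$@"; do
        case ",$opts," in
            *,"$want",*) ;;
            *) echo "missing $want"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed copies: fstab already fixed as in Step 2, but /tmp has not been
# remounted yet, so the live table still shows only "rw".
FSTAB=$(mktemp); MOUNTS=$(mktemp)
cat > "$FSTAB" <<'EOF'
# constructed fstab fragment
/dev/VolGroup00/LogVol02 /tmp ext3 rw,nosuid,noexec 1 2
EOF
cat > "$MOUNTS" <<'EOF'
/dev/mapper/VolGroup00-LogVol00 / ext3 rw 0 0
/dev/mapper/VolGroup00-LogVol02 /tmp ext3 rw 0 0
EOF

require_options "$FSTAB" /tmp nosuid noexec && echo "fstab: ok for next boot"
require_options "$MOUNTS" /tmp nosuid noexec || echo "live mount: remount /tmp now"
rm -f "$FSTAB" "$MOUNTS"
```

On a real server call require_options /etc/fstab /tmp nosuid noexec and require_options /proc/mounts /tmp nosuid noexec; the output of the mount command itself uses a different layout and is not parsed here.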


Note: some parts of this document are inspired by the documentation of dynamicnet.net.
