Server Hardening

Server Hardening is the process of enhancing server security through a variety of means which results in a much more secure server operating environment. This is due to the advanced security measures that are put in place during the server hardening process.

Disable lamed server logging:
1. Run the commands:
  
  service named stop
  
  nano -w /etc/named.conf
2. Add these lines at the top. Some servers will already have a logging {} section. If so, simply add these lines inside the existing logging section:
  
  logging {
  
  category lame-servers { null; };
  
  };
3. Under the options {} section, add these lines below directory /var/…:
  
  allow-transfer { none; };
  
  version “[null]“;
  
  recursion no;
4. Restart the named service using the command:
  
  service named restart nano /etc/resolv.conf
Note
For BIND, make sure that it is not in a clustered environment or master slave setup.
Disable direct root login:
1. Run the commands below. The third command will prompt you for a password:
  
  groupadd wheelusername
  
  useradd wheelusername -gwheelusername
  
  passwd wheelusername
2. Run the command to add the user to the group:
  
  nano -w /etc/group
  
  Search for wheel and append wheelusername.
3. Run the command:
  
  nano -w /etc/ssh/sshd_config
  
  Uncomment the line,
  
  PermitRootLogin no
  
  and change it to the below:
  
  PermitRootLogin yes
  
  At the end of the file, add the below line:
  
  AllowUsers wheelusername
Change the default SSH port:

cp /etc/ssh/sshd_config /etc/ssh/sshd_config_backup

vi /etc/ssh/sshd_config

Change the port from 22 to any desired port number.

Restart the SSH service:

/etc/init.d/sshd restart
Tweak the TCP stack (sysctl.conf):

mv /etc/sysctl.conf /etc/sysctl.conf.bak

cd /etc

Place the following content in the sysctl.conf: #Kernel sysctl configuration file for Red Hat Linux # # For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and # sysctl.conf(5) for more details. # Disables packet forwarding net.ipv4.ip_forward=0 # Disables IP source routing net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.lo.accept_source_route = 0 net.ipv4.conf.eth0.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 # Enable IP spoofing protection, turn on source route verification net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.lo.rp_filter = 1 net.ipv4.conf.eth0.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1 # Disable ICMP Redirect Acceptance net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.lo.accept_redirects = 0 net.ipv4.conf.eth0.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 # Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets net.ipv4.conf.all.log_martians = 0 net.ipv4.conf.lo.log_martians = 0 net.ipv4.conf.eth0.log_martians = 0 # Disables IP source routing net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.lo.accept_source_route = 0 net.ipv4.conf.eth0.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 # Enable IP spoofing protection, turn on source route verification net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.lo.rp_filter = 1 net.ipv4.conf.eth0.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1 # Disable ICMP Redirect Acceptance net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.lo.accept_redirects = 0 net.ipv4.conf.eth0.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 # Disables the magic-sysrq key kernel.sysrq = 0 # Decrease the time default value for tcp_fin_timeout connection net.ipv4.tcp_fin_timeout = 15 # Decrease the time default value for tcp_keepalive_time connection net.ipv4.tcp_keepalive_time = 1800 # Turn off the tcp_window_scaling net.ipv4.tcp_window_scaling = 0 # Turn off the tcp_sack net.ipv4.tcp_sack = 0 # Turn off the tcp_timestamps net.ipv4.tcp_timestamps = 0 # Enable TCP SYN Cookie Protection net.ipv4.tcp_syncookies = 1 # Enable ignoring broadcasts request net.ipv4.icmp_echo_ignore_broadcasts = 1 # Enable bad error message Protection net.ipv4.icmp_ignore_bogus_error_responses = 1 # Log Spoofed Packets, Source Routed Packets, Redirect Packets net.ipv4.conf.all.log_martians = 1 # Increases the size of the socket queue (effectively, q0). net.ipv4.tcp_max_syn_backlog = 1024 # Increase the tcp-time-wait buckets pool size net.ipv4.tcp_max_tw_buckets = 1440000 # Allowed local port range net.ipv4.ip_local_port_range = 16384 65536
Install Rkhunter and setup weekly cron:

cd /root

wget https://sourceforge.net/projects/rkhunter-1.3.4.tar.gz/download

tar -zxf rkhunter-1.3.4.tar.gz

cd rkhunter*

./installer.sh –layout default –install

cd /etc/cron.weekly

#!/bin/bash

EMAIL=your@domain.com

rkhunter -c –sk –summary -q | mail -s “Rkhunter Scan Report – $hostname” $EMAIL

chmod 755 /etc/cron.weekly/rkhunter.sh
Install chkrootkit and setup weekly cron:

cd /root/

wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

mv chkrootkit.tar.gz /usr/local/src/

cd /usr/local/src/

tar -zxf chkrootkit.tar.gz

cd /usr/local/src/chkrootkit*

cd /root

mv /usr/local/src/chkrootkit* /usr/local/chkrootkit

cd /etc/cron.weekly

#!/bin/bash

EMAIL=your@domain.com

/usr/local/chkrootkit/chkrootkit -q | mail -s “ChrootKit Scan Report – $(hostname)” $EMAIL
Disable PHP functions that might pose a risk:

vi /usr/local/lib/php.ini

disable_functions = symlink,shell_exec,exec,proc_close,proc_open,popen,system,dl,passthru,escapeshellarg,escapeshellcmd,ini_set,phpinfo
Install and configure Mod_security to prevent web based attack:

cPanel Server
1. Login to your WHM as root.
2. Click on EasyApache (Apache Update) under the Software section.
3. While selecting modules in the Short Options List, select Mod Security.
4. Select Start customizing based on profile.
Now, the Wizard will start recompiling Apache. Monitor the screen carefully and note down if there are any error messages being shown. When the build is complete, verify that the PHP pages are loading correctly.

Plesk Server
1. Since Plesk is fully rpm based, you can just install the mod_security module. Since mod_secuirty is not available in the common rpm repos, you can use the below script to install module:
  
  wget -q -O - https://www.atomicorp.com/installers/atomic.sh | sh
  
  yum install mod_security
2. Unlike other Apache modules rpm installation, this process will not add LoadModule in the httpd.conf file by default. Edit the httpd.conf file and add the following lines below the LoadModule section:
  
  vi /etc/httpd/conf/httpd.conf
  
  LoadFile /usr/lib/libxml2.so
  LoadModule security2_module modules/mod_security2.so
  Include conf/mod_security.d/*.conf
3. Create mod_security.d under the /etc/httpd/conf/ folder to download and setup the mod_security rule-set:
  
  mkdir /etc/httpd/conf/mod_security.d
  
  cd /etc/httpd/conf/mod_security.d
4. Download the rule-set from https://www.modsecurity.org/download/ and make sure that you are extracting the file inside the /etc/httpd/conf/mod_security.d directory:
  
  wget https://www.modsecurity.org/download/modsecurity-core-rules_2.1-1.4.3.tar.gz
  
  tar zxf modsecurity-core-rules_2.1-1.4.3.tar.gz
  
  rm -f modsecurity-core-rules_2.1-1.4.3.tar.gz
5. Restart the web server:
  
  service httpd restart
Note
Rules may block the web application throwing access denied errors. Keep monitoring the /etc/httpd/logs/error_logs file and remove the rules which you do not require. If you are getting the ModSecurity: Rule execution error - PCRE limits exceeded (-8): (null). warning in your error logs, it may eat up all your CPU and memory resources by creating around 100 to 150 MB of RSS memory per pid and you will see an unusual usage of locale-archive around 60 MB in pmap. To solve this problem, create the file pcre_modsecurity_exceeded_limits.conf inside the /etc/httpd/conf folder:

vi /etc/httpd/conf/pcre_modsecurity_exceeded_limits.conf

Add the below lines:

SecPcreMatchLimit 150000 SecPcreMatchLimitRecursion 150000

Restart Apache and monitor the Apache error logs.
Setup root login alert script:

vi .bashrc

echo ‘ALERT – Root Shell Access (hostname) on:’ `date` `who` | mail -s “Alert: Root Access from `who | cut -d”(” -f2 | cut -d”)” -f1`” mailto:you@domain.com
Upgrade the kernel:

Check for kernel update:

yum check-update | grep kernel

If kernel update is available:

yum update kernel

Edit grub.conf to modify the default value to newly updated kernel and then reboot the server.

vi /boot/grub/grub.conf

After server reboot, check the kernel version by using the command:

uname -r
Configure both local and remote backup.
Change the permission of /bin/ln to 760.
Do the basic package updates using yum commands.

Note
Exclude the packages that may possibly break the setup of the server by entering it in the yum.conf file.
Complete scan of the server and perform corrective actions needed. Scan the complete server. Install Maldet if not present in the server:

mkdir tmp

cd tmp

wget https://www.rfxn.com/downloads/maldetect-current.tar.gz

tar xf maldetect-current.tar.gz && cd maldetect-*

./install.sh
Temporary Directory Hardening:

/bin/cp /etc/fstab /etc/fstab.bak

Use df to check if a /tmp partition is already present.
- If /tmp partition does not exist: Run the commands.
  
  cd /usr
  
  dd if=/dev/zero of=/usr/tmpMnt bs=1024 count=2000000
  
  mke2fs -j /usr/tmpMnt
  
  cd /
  
  cp -R /tmp /tmp_backup
  
  mount -o loop,noexec,nosuid,rw /usr/tmpMnt /tmp
  
  chmod 0777 /tmp
  
  /bin/cp -R /tmp_backup/* /tmp/
  
  rm -rf /tmp_backup
  
  nano -w /etc/fstab
- If /tmp partition exists: At the end, add the below.
  
  /usr/tmpMnt /tmp ext3 loop,noexec,nosuid,rw 0 0
  
  nano -w /etc/fstab
  
  mount /tmp
  
  rm -rf /var/tmp
  
  ln -s /tmp /var/tmp
Disable remote MySQL:

Check the status of skip-networking parameter in MySQL configuration:

mysql -e "show variables like %networking%"

It is recommended to disable this parameter.
Install a software firewall such as CSF (ConfigServer) firewall or Advanced Policy Firewall (APF)(for Plesk).