Simple checklist for hardening a server
inetd - We do not use inetd.
=====
more /etc/inetd.conf
for each service that is enabled:
update-inetd --disable <service>
( update-inetd --disable discard daytime time )
/etc/init.d/inetd stop
vi /etc/init.d/inetd
Add the following right after the #!/bin/sh line, so the script exits before starting anything:
# Do not use inetd
exit 0
# If you really have to use inetd, use xinetd instead.
PAM (only allow users in the wheel group to su to root)
---
vi /etc/pam.d/su
auth required pam_wheel.so group=wheel
addgroup --system wheel
adduser root wheel
adduser bengt wheel
# Make sure root can only login from console (have to su to become root)
# Note: this rule applies to every member of wheel, not only root, and it is only
# enforced by services whose PAM stack includes pam_access.so (for example
# "account required pam_access.so" in /etc/pam.d/login).
vi /etc/security/access.conf
-:wheel:ALL EXCEPT LOCAL
# Make sure root can not SSH directly
vi /etc/ssh/sshd_config
PermitRootLogin no
# (write "no" in lowercase; older sshd versions compare the value case-sensitively)
Harden tools
============
apt-get install harden harden-servers harden-clients harden-tools harden-nids harden-environment
apt-get install logcheck samhain sash osh john gnupg tiger chkrootkit acct host whois lsof psad
* Create sashroot account - Yes
* Clone root password
* Purge sashroot account when purging
Accept the default answers for everything else.
## snort is pulled in by harden-nids (it is a dependency of that package).
echo -e 'kern.info\t|/var/lib/psad/psadfifo' >> /etc/syslog.conf
# If you need to run a service that the harden-* packages conflict with, do not install
# them; instead check which packages they would remove and remove all except the ones
# you have to have.
configure samhain
-----------------
vi /etc/samhain/samhainrc
# in the [Utmp] section:
LoginCheckActive=1
# Postfix rewrites the files below during normal operation (prng_exch on TLS
# sessions, the .db maps whenever postmap is run), so list them under a policy
# section that does not alarm on content changes (such as [IgnoreAll]) rather
# than under the section that checks everything.
file=/etc/postfix/prng_exch
file=/etc/postfix/helo_checks.db
file=/etc/postfix/sender_checks.db
file=/etc/postfix/client_checks.db
file=/etc/postfix/tls_per_site.db
file=/etc/postfix/relay_certs.db
file=/etc/postfix.outgoing/prng_exch
file=/etc/postfix.outgoing/helo_checks.db
file=/etc/postfix.outgoing/sender_checks.db
file=/etc/postfix.outgoing/client_checks.db
file=/etc/postfix.outgoing/tls_per_site.db
file=/etc/postfix.outgoing/relay_certs.db
configure tiger
---------------
vi /etc/tiger/tigerrc
# Processes that must be running; tiger warns when one of them is missing.
# Adjust the list to what actually runs on your host.
Tiger_Listening_Every=N
Tiger_Running_Procs='syslogd cron atd klogd postfix cyrus '
# Tiger_Listening_ValidProcs='imapd smtpd'
vi /etc/cron.d/tiger
... > /dev/null 2>&1
fix logcheck
------------
vi /etc/logcheck/ignore.d.server/MOLLIE
# Log lines matching one of these regexes are dropped from the logcheck report.
# Write the POSIX class as [[:alnum:]]: a bare [:alnum:] is rejected by GNU grep,
# which makes logcheck fail on the whole file.
# Note that the MailScanner rules also silence the "found virus/infections"
# notices, so infected mail will not show up in the report.
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Content Checks: Detected HTML-specific exploits in [[:alnum:]]+
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Content Checks: Detected and will disarm HTML message in [[:alnum:]]+
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Filename Checks: Windows/DOS Executable
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Content Checks: Found [0-9]+ problems
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Saved infected [[:alnum:]"]+ to
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Silent: Delivered [0-9]+ messages containing silent viruses
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Notices: Warned about [0-9]+ messages
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Virus Scanning: [-[:alnum:]]+ found virus
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Virus Scanning: [-[:alnum:]]+ found [0-9]+ infections
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Virus Scanning: Found [0-9]+ viruses
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Other Checks: Found [0-9]+ problems
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Infected message [[:alnum:]]+ came from [.0-9]+
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ClamAV-autoupdate\[[0-9]+\]: ClamAV updated
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ F-Prot autoupdate\[[0-9]+\]: F-Prot successfully updated.
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Using locktype = flock
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/cleanup\[[0-9]+\]: [[:alnum:]]+: message-id=<([^[:space:]]+|)> \(added by ([^[:space:]]+|)\)$
# This also hides every successful su, including su to root; drop it if you want those reported.
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \(pam\_[[:alnum:]]+\) session opened for user [[:alnum:]-]+ by \(uid=[0-9]+\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ F-Prot autoupdate\[[0-9]+\]: F-Prot did not need updating
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ClamAV-autoupdate\[[0-9]+\]: ClamAV did not need updating
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: New Batch: Found [0-9]+ messages waiting
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: New Batch: Scanning [0-9]+ messages, [0-9]+ bytes
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Virus and Content Scanning: Starting
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Uninfected: Delivered [0-9]+ messages
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Spam Checks: Found [0-9]+ spam messages
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Postfix queue structure is depth [0-9]
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ [[:alnum:]]+: MailScanner setting (UID|GID) to postfix \([0-9]+\)
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: MailScanner E-Mail Virus Scanner version [0-9]+\.[0-9]+\.[0-9]+ starting\.\.\.
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: MailScanner child dying of old age
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: SpamAssassin timed out and was killed, consecutive failure [1-4] of [0-9]+
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Spam Checks: Starting
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ fetchmail\[[0-9]+\]: +[0-9]+ +messages \([0-9]+ seen\)? for
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cyrus/[a-zA-Z0-9_]+\[[0-9]+\]: +SQUAT returned [0-9]+ messages
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cyrus/lmtpd\[[0-9]+\]: DBERROR db3: [0-5] lockers
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: \(pam\_[[:alnum:]]+\) session opened for user [[:alnum:]-]+ by \(uid=[0-9]+\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: \(pam\_[[:alnum:]]+\) session closed for user [[:alnum:]-]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [[:alnum:]]+: reject: RCPT from [^[:space:]]+: [0-9]+ [^[:space:]]+: User unknown in local recipient table; from=[^[:space:]]+ to=[^[:space:]]+ proto=(ESMTP|SMTP) helo=[^[:space:]]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/qmgr\[[0-9]+\]: [[:alnum:]]+: to=[^[:space:]]+, orig_to=[^[:space:]]+, relay=[^[:space:]]+, delay=[0-9]+, status=deferred \(deferred transport\)
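Before installing an ignore file it pays to check that every rule compiles and to run the rules over a few real log lines to see what would still be reported. The script below is an added example for that; it is not part of the original checklist or of logcheck. The log lines and rules in it are constructed for the demonstration, the files are temporary ones it creates itself, and it assumes GNU grep -E, which is what logcheck runs the rules with.

```shell
#!/bin/sh
# Added example, not from the original checklist: test a logcheck ignore file
# before installing it. Assumes GNU grep -E, which is what logcheck uses.

LOGF=$(mktemp)
RULEF=$(mktemp)
trap 'rm -f "$LOGF" "$RULEF"' EXIT

# Constructed sample log lines in the syslog layout the rules above expect.
cat > "$LOGF" <<'EOF'
Mar 12 04:02:01 denton MailScanner[1234]: New Batch: Found 3 messages waiting
Mar 12 04:02:02 denton MailScanner[1234]: Virus Scanning: clamav found 1 infections
Mar 12 04:02:03 denton sshd[4321]: Accepted publickey for bengt from 192.168.20.7 port 51234 ssh2
Mar 12 04:02:04 denton su[5555]: (pam_unix) session opened for user root by (uid=1000)
EOF

# Constructed ignore rules, written with the [[:alnum:]] class syntax.
# The su rule from the checklist is deliberately left out so that an su to
# root stays in the report.
cat > "$RULEF" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: New Batch: Found [0-9]+ messages waiting
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Virus Scanning: [-[:alnum:]]+ found [0-9]+ infections
EOF

# check_rules: read rules on stdin and print each one grep -E cannot compile.
# Blank lines and # comments are skipped, as logcheck does. Returns 1 if any
# rule is bad, 0 otherwise.
check_rules() {
    bad=0
    while IFS= read -r rule; do
        case "$rule" in ''|'#'*) continue ;; esac
        status=0
        grep -E -q -e "$rule" /dev/null 2>/dev/null || status=$?
        if [ "$status" -eq 2 ]; then   # 1 = valid but no match, 2 = bad regex
            printf 'cannot compile: %s\n' "$rule"
            bad=1
        fi
    done
    return "$bad"
}

# report_unmatched LOG RULES: print the log lines no rule ignores, i.e. what
# logcheck would still mail you.
report_unmatched() {
    grep -E -v -f "$2" "$1"
}

# count_unmatched LOG RULES: number of log lines that would still be reported.
count_unmatched() {
    grep -E -v -c -f "$2" "$1"
}

# A rule in the broken form: GNU grep refuses [:alnum:] outside brackets.
BAD_RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Infected message [:alnum:]+ came from [.0-9]+'

if check_rules < "$RULEF"; then echo "all rules compile"; fi
printf '%s\n' "$BAD_RULE" | check_rules || echo "fix that rule before installing the file"
echo "still reported ($(count_unmatched "$LOGF" "$RULEF") lines):"
report_unmatched "$LOGF" "$RULEF"
```

With the two constructed rules the MailScanner batch and virus lines are silenced and the SSH login and the su to root are still reported, which is the split you want; a rule that grep cannot compile is printed by check_rules so it can be fixed before logcheck chokes on the file.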
NARC
====
?????
?????
?????
Hardening checks
================
# Run these as root: netstat -p and lsof only show the owning process of other
# users' sockets when run as root, and nmap -sU needs root for raw packets.
netstat -pn -l -A inet
nmap -sT <IP>
nmap -sU <IP>
lsof -i | grep LISTEN # (on the local computer)
lsof -i :<port#>
nmap
====
From another computer
nmap -p 22,25,80,143,443,465,993,995 denton # 143 should be closed
nmap -sT <IP> --> fast
Interesting ports on (192.168.20.50):
(The 1546 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
25/tcp     open        smtp
80/tcp     open        http
143/tcp    open        imap
443/tcp    open        https
465/tcp    open        smtps
993/tcp    open        imaps
995/tcp    open        pop3s
nmap -sU 192.168.20.50 --> takes long time though.
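A scan is only useful when it is compared with what the host is supposed to expose. The script below is an added example, not part of the original checklist and not part of nmap: it parses a saved scan in the "port/proto state service" layout shown above (the newer "PORT STATE SERVICE" layout parses the same way) and lists open ports that are not on an allow list, plus listed ports that are not open. The scan text in it is a constructed copy of the output above, and the allow list is an assumption that follows the comment that 143 should be closed.

```shell
#!/bin/sh
# Added example, not from the original checklist: diff an nmap scan against
# the ports the host is supposed to expose. Save a real scan with nmap -oN.

# Constructed copy of a scan like the one above, with 143/tcp still open.
SCAN=$(mktemp)
trap 'rm -f "$SCAN"' EXIT
cat > "$SCAN" <<'EOF'
Interesting ports on (192.168.20.50):
(The 1546 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
25/tcp     open        smtp
80/tcp     open        http
143/tcp    open        imap
443/tcp    open        https
465/tcp    open        smtps
993/tcp    open        imaps
995/tcp    open        pop3s
EOF

# open_ports FILE: print "port/proto" for every port nmap reports as open.
open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print $1 }' "$1"
}

# unexpected_ports FILE "allow list": open ports that are not on the list.
# Anything printed here is a service you did not mean to run, or a
# firewall hole.
unexpected_ports() {
    for p in $(open_ports "$1"); do
        case " $2 " in *" $p "*) ;; *) echo "$p" ;; esac
    done
}

# missing_ports FILE "allow list": listed ports nmap did not find open
# (a service that died, or a firewall rule that is now too strict).
missing_ports() {
    open=" $(open_ports "$1" | tr '\n' ' ')"
    for p in $2; do
        case "$open" in *" $p "*) ;; *) echo "$p" ;; esac
    done
}

# Assumed allow list for this host: everything above except plain imap.
ALLOWED="22/tcp 25/tcp 80/tcp 443/tcp 465/tcp 993/tcp 995/tcp"
echo "unexpected: $(unexpected_ports "$SCAN" "$ALLOWED")"
echo "missing:    $(missing_ports "$SCAN" "$ALLOWED")"
```

Run it from another machine after every change to the host and keep the allow list next to the checklist; the "unexpected" output is the list of ports to close, and a non-empty "missing" output means something that should be reachable no longer is.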