HardeningHowTo

Simple checklist for hardening a server

inetd - We do not use inetd.
============================
more /etc/inetd.conf
	for each service that is enabled
		update-inetd --disable <service>
		( update-inetd --disable discard daytime time )
/etc/init.d/inetd stop
vi /etc/init.d/inetd
	Add the following after /bin/sh
		# Do not use inetd
		exit 0
		
# If you really have to use inetd, use xinetd instead.

PAM (only allow one user to su root)
------------------------------------
vi /etc/pam.d/su
	auth       required   pam_wheel.so group=wheel
addgroup --system wheel
adduser root wheel
adduser bengt wheel

# Make sure root can only login from console (have to su to become root)
vi /etc/security/access.conf
	-:wheel:ALL EXCEPT LOCAL

# Make sure root can not SSH directly
vi /etc/ssh/sshd_config
	PermitRootLogin No
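An added audit script for the inetd and PAM/sshd steps above (not part of the original checklist; the function names and the sample files are my own). It reads a config file path, so it can be pointed at the real /etc/inetd.conf, /etc/ssh/sshd_config and /etc/pam.d/su after the edits, or, as in the demo at the bottom, at constructed copies. The sshd check follows sshd's own rule that the first occurrence of a keyword wins and that anything after a Match line is conditional, which is what makes a stray second PermitRootLogin line harmless or harmful depending on where it sits.

```shell
#!/bin/sh
# Added audit helper, not part of the original checklist. Each function takes a
# path so it can be run against the real file or, as in the demo below, against
# constructed copies written to a temporary directory.

# Print the enabled inetd services (every line that is neither blank nor a
# comment), space separated. Empty output means inetd has nothing to serve.
inetd_enabled_services() {
    awk '!/^[[:space:]]*#/ && NF > 0 { printf "%s%s", sep, $1; sep = " " }
         END { print "" }' "$1"
}

# Print the effective value of an sshd_config keyword. sshd uses the FIRST
# occurrence of a keyword, keywords are case-insensitive, "Keyword value" and
# "Keyword=value" are both accepted, and anything after a Match line is
# conditional, so the scan stops there.
sshd_effective() {  # usage: sshd_effective <sshd_config> <keyword>
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match"     { exit }
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            split(line, f, /[[:space:]=]+/)
            if (tolower(f[1]) == key) { print f[2]; exit }
        }' "$1"
}

# True only when PermitRootLogin is explicitly "no"; an absent keyword falls
# back to the compiled-in default, which has never been "no".
root_ssh_login_blocked() {
    [ "$(sshd_effective "$1" PermitRootLogin | tr 'A-Z' 'a-z')" = "no" ]
}

# True when the su PAM file makes pam_wheel.so a required/requisite auth module.
su_requires_wheel() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_wheel\.so' "$1"
}

# Write constructed sample files and print the directory that holds them.
make_samples() {
    sdir=$(mktemp -d)
    cat > "$sdir/inetd.conf" <<'EOF'
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
#:INTERNAL: Internal services
discard		stream	tcp	nowait	root	internal
#daytime	stream	tcp	nowait	root	internal
daytime		dgram	udp	wait	root	internal
EOF
    cat > "$sdir/sshd_config" <<'EOF'
# Constructed sshd_config: the first PermitRootLogin wins, the later ones do not.
Port 22
PermitRootLogin No
PermitRootLogin yes
Match User backup
    PermitRootLogin yes
EOF
    cat > "$sdir/pam_su" <<'EOF'
auth       required   pam_wheel.so group=wheel
auth       sufficient pam_rootok.so
EOF
    printf '%s\n' "$sdir"
}

# Demo run against the constructed files.
demo=$(make_samples)
echo "inetd services still enabled: $(inetd_enabled_services "$demo/inetd.conf")"
if root_ssh_login_blocked "$demo/sshd_config"; then echo "sshd: root login blocked"; else echo "sshd: root login NOT blocked"; fi
if su_requires_wheel "$demo/pam_su"; then echo "su: restricted to wheel"; else echo "su: NOT restricted"; fi
rm -rf "$demo"
```

On the constructed inetd.conf the first function reports `discard daytime` even though one daytime line is commented out, which is the case the `update-inetd --disable` loop above has to catch; the sshd check passes on the sample because the first PermitRootLogin is `No`, and fails on a file that only sets the keyword to yes or leaves it unset.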

Harden tools
============
apt-get install harden harden-servers harden-clients harden-tools harden-nids harden-environment  
apt-get install logcheck samhain sash osh john gnupg tiger chkrootkit acct host whois lsof psad
	* Create sashroot account - Yes
	* Clone root password
	* Purge sashroot account when purging
	Default answers on everything.

## Snort is installed by default???
	echo -e 'kern.info\t|/var/lib/psad/psadfifo' >> /etc/syslog.conf

# If you need to run a dangerous service, do not install the hardening packages, but check which 
#  packages should be removed and remove all except the ones you have to have.

configure samhain
-----------------
vi /etc/samhain/samhainrc
	LoginCheckActive=1
	file=/etc/postfix/prng_exch
	file=/etc/postfix/helo_checks.db
	file=/etc/postfix/sender_checks.db
	file=/etc/postfix/client_checks.db
	file=/etc/postfix/tls_per_site.db
	file=/etc/postfix/relay_certs.db
	file=/etc/postfix.outgoing/prng_exch
	file=/etc/postfix.outgoing/helo_checks.db
	file=/etc/postfix.outgoing/sender_checks.db
	file=/etc/postfix.outgoing/client_checks.db
	file=/etc/postfix.outgoing/tls_per_site.db
	file=/etc/postfix.outgoing/relay_certs.db


configure tiger
---------------
vi /etc/tiger/tigerrc
# Observe that you might have other running processes
	Tiger_Listening_Every=N
	Tiger_Running_Procs='syslogd cron atd klogd postfix cyrus '
#	Tiger_Listening_ValidProcs='imapd smtpd'
vi /etc/cron.d/tiger
	... > /dev/null 2>&1

fix logcheck
------------
vi /etc/logcheck/ignore.d.server/MOLLIE
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Content Checks: Detected HTML-specific exploits in [[:alnum:]]+
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Content Checks: Detected and will disarm HTML message in [[:alnum:]]+
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Filename Checks: Windows/DOS Executable
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Content Checks: Found [0-9]+ problems
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Saved infected ["[:alnum:]]+ to
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Silent: Delivered [0-9]+ messages containing silent viruses
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Notices: Warned about [0-9]+ messages
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Virus Scanning: [-[:alnum:]]+ found virus
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Virus Scanning: [-[:alnum:]]+ found [0-9]+ infections
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Virus Scanning: Found [0-9]+ viruses
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Other Checks: Found [0-9]+ problems
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Infected message [[:alnum:]]+ came from [.0-9]+
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ClamAV-autoupdate\[[0-9]+\]: ClamAV updated
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ F-Prot autoupdate\[[0-9]+\]: F-Prot successfully updated\.
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Using locktype = flock
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/cleanup\[[0-9]+\]: [[:alnum:]]+: message-id=<([^[:space:]]+|)> \(added by ([^[:space:]]+|)\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \(pam_[[:alnum:]]+\) session opened for user [[:alnum:]-]+ by \(uid=[0-9]+\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ F-Prot autoupdate\[[0-9]+\]: F-Prot did not need updating
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ClamAV-autoupdate\[[0-9]+\]: ClamAV did not need updating
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: New Batch: Found [0-9]+ messages waiting
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: New Batch: Scanning [0-9]+ messages, [0-9]+ bytes
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Virus and Content Scanning: Starting
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Uninfected: Delivered [0-9]+ messages
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Spam Checks: Found [0-9]+ spam messages
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Postfix queue structure is depth [0-9]
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ [[:alnum:]]+: MailScanner setting (UID|GID) to postfix \([0-9]+\)
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: MailScanner E-Mail Virus Scanner version [0-9]+\.[0-9]+\.[0-9]+ starting\.\.\.
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: MailScanner child dying of old age
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: SpamAssassin timed out and was killed, consecutive failure [1-4] of [0-9]+
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Spam Checks: Starting
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ fetchmail\[[0-9]+\]: +[0-9]+ +messages \([0-9]+ seen\)? for
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cyrus/[a-zA-Z0-9_]+\[[0-9]+\]: +SQUAT returned [0-9]+ messages
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cyrus/lmtpd\[[0-9]+\]: DBERROR db3: [0-5] lockers
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: \(pam_[[:alnum:]]+\) session opened for user [[:alnum:]-]+ by \(uid=[0-9]+\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: \(pam_[[:alnum:]]+\) session closed for user [[:alnum:]-]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [[:alnum:]]+: reject: RCPT from [^[:space:]]+: [0-9]+ [^[:space:]]+: User unknown in local recipient table; from=[^[:space:]]+ to=[^[:space:]]+ proto=(ESMTP|SMTP) helo=[^[:space:]]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/qmgr\[[0-9]+\]: [[:alnum:]]+: to=[^[:space:]]+, orig_to=[^[:space:]]+, relay=[^[:space:]]+, delay=[0-9]+, status=deferred \(deferred transport\)
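An added dry-run harness for the ignore rules above (my own script, not part of the original post; the two rules in it are constructed in the same style as the MOLLIE file, and the host name and PIDs in the log sample are made up). logcheck hands each ignore file to `egrep -f`, so a line that matches any rule is silenced and everything else is mailed out; running a candidate rule through `grep -E` against a saved log slice before dropping it into ignore.d.server shows exactly what it would hide, and in particular whether a trailing `$` anchor is keeping the variants you still want to see.

```shell
#!/bin/sh
# Added example, not part of the original post: dry-run logcheck-style ignore
# rules against a constructed log sample. logcheck hands each ignore file to
# egrep -f, so a line that matches ANY rule is dropped and everything else is
# reported; testing a new rule this way shows exactly what it would silence.

# Write constructed rules and log lines to a temp directory, print its path.
logcheck_samples() {
    ldir=$(mktemp -d)
    # Two rules in the style of the MOLLIE file above (constructed copies).
    cat > "$ldir/ignore" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Spam Checks: Found [0-9]+ spam messages$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: \(pam_[[:alnum:]]+\) session closed for user [[:alnum:]-]+$
EOF
    # Constructed syslog lines; host name, PIDs and the address are made up.
    cat > "$ldir/syslog" <<'EOF'
Oct  9 03:17:01 denton CRON[4321]: (pam_unix) session closed for user root
Oct  9 03:17:05 denton MailScanner[1234]: Spam Checks: Found 3 spam messages
Oct  9 03:18:44 denton sshd[2222]: Failed password for root from 192.0.2.10 port 51234 ssh2
Oct  9 03:19:00 denton CRON[4322]: (pam_unix) session closed for user root by force
EOF
    printf '%s\n' "$ldir"
}

# Lines that survive the ignore rules, i.e. what logcheck would mail out.
logcheck_report() {  # usage: logcheck_report <ignore_file> <log_file>
    grep -Evf "$1" "$2"
}

# Number of lines a single rule silences in a log; useful when writing a rule
# to make sure it does not match more than intended.
rule_hits() {  # usage: rule_hits '<regex>' <log_file>
    grep -Ec -e "$1" "$2"
}

# Demo: the sshd failure and the "by force" variant are reported, the rest is
# silenced; the second rule hits exactly one line because of its trailing $.
demo=$(logcheck_samples)
echo "Lines logcheck would report:"
logcheck_report "$demo/ignore" "$demo/syslog"
echo "Rule 2 silences $(rule_hits "$(sed -n 2p "$demo/ignore")" "$demo/syslog") line(s)"
rm -rf "$demo"
```

The same two functions work on the real files: `logcheck_report /etc/logcheck/ignore.d.server/MOLLIE /var/log/syslog` shows what the new rules leave in the report, and `rule_hits` on a single pattern is the quickest way to see whether a rule you are about to add is wider than you meant.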

NARC
====
?????
?????
?????

Hardening checks
================
netstat -pn -l -A inet
nmap -sT <IP>
nmap -sU <IP>
lsof -i | grep LISTEN #(on the local computer)
lsof -i :<port#>

nmap
====
From another computer 
	nmap -p 22,25,80,143,443,465,993,995 denton   # 143 should be closed
	nmap -sT <IP>			--> fast
		Interesting ports on  (192.168.20.50):
		(The 1546 ports scanned but not shown below are in state: closed)
		Port       State       Service
		22/tcp  open  ssh
		25/tcp  open  smtp
		80/tcp  open  http
		143/tcp open  imap
		443/tcp open  https
		465/tcp open  smtps
		993/tcp open  imaps
		995/tcp open  pop3s
	nmap -sU 192.168.20.50		--> takes a long time though.
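An added helper for the port check above (my own script, not from the original post): it parses the open TCP ports out of nmap's normal output and compares them with the list of ports this host is meant to expose, flagging anything open that is not on the list and any expected port that is not open (usually a dead service). The scan text is the post's own sample output, and the allowlist deliberately leaves out 143, so the run reproduces the "143 should be closed" finding.

```shell
#!/bin/sh
# Added example, not part of the original post: check an nmap -sT listing
# against the ports this host is meant to expose. Anything open but not on the
# list (like 143 here) is flagged, and so is an expected port that is not open,
# which usually means a service died. The scan text is the sample from the
# post, with the host name left out.

NMAP_SAMPLE='Interesting ports on  (192.168.20.50):
(The 1546 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
143/tcp open  imap
443/tcp open  https
465/tcp open  smtps
993/tcp open  imaps
995/tcp open  pop3s'

# TCP ports this host is supposed to answer on (143 deliberately absent).
EXPECTED_TCP='22 25 80 443 465 993 995'

# Extract open TCP port numbers, one per line, from nmap's normal output.
open_tcp_ports() {  # stdin: nmap output
    awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" { sub(/\/tcp$/, "", $1); print $1 }'
}

# Compare the open ports on stdin with a space separated allowlist. Prints
# "UNEXPECTED <port>" and "MISSING <port>" lines; exit status 1 if any.
audit_ports() {  # usage: audit_ports "<allowlist>" < list_of_open_ports
    awk -v allow="$1" '
        BEGIN { n = split(allow, want, " "); for (i = 1; i <= n; i++) expected[want[i]] = 1 }
        {
            seen[$1] = 1
            if (!($1 in expected)) { print "UNEXPECTED " $1; bad = 1 }
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen)) { print "MISSING " want[i]; bad = 1 }
            exit bad ? 1 : 0
        }'
}

# Demo: run the sample scan through the audit (prints "UNEXPECTED 143").
if printf '%s\n' "$NMAP_SAMPLE" | open_tcp_ports | audit_ports "$EXPECTED_TCP"; then
    echo "open ports match the allowlist"
else
    echo "port audit FAILED (see lines above)"
fi
```

Against a live host the pipeline is `nmap -sT <IP> | open_tcp_ports | audit_ports "$EXPECTED_TCP"`, which is cheap enough to run from cron on the scanning machine; the non-zero exit status makes it easy to turn an unexpected listener into an alert rather than something to notice by eye.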

Published

Oct 9, 2005

Author

bengt

Category

HOWTOs
