Linux security – Server Hardening

Since i have to manage a lot of linux boxes in our network i was looking for a way to secure all of these boxes against the ‘basics’ and i made noted (yea, really!) of this. Here you will find some of the basic security tips.

Audit your server
In my search i found that ‘Tiger’ was a great way to audit a linux box. On debian you can install this packages by using the apt system (apt-get install tiger) and then run tiger with the -E flag (tiger -E). The -E stands for explanation report which can be very since the output generally is a but cryptic.

Tiger also comes with a cron version that you can run every night and make it e-mail you the outcome!

Password audit
i recently found the tool called ‘john’, also known as ‘John the Ripper’, and i loved it right-away. John is a password cracker that reads hashed passwords and tries to crack them. On one of our web servers it cracked several password combinations within hours!

If you find a user with a cracked password but you can’t reset it (or the user won’t listen to you) then try to use chroot. Please find a manual here.

Mounting /tmp
Most systems come with there /tmp folder placed under the root filesystem /. This is not a very good idea, sorry to tell you. This would mean that all files in the /tmp could also be executed and this is a serious problem. If you don’t know why or what i mean please refer to the Debian security manual page 1 (RTFM!)

If you have the possibility, create a new disk/partition specially for tmp and remove all execution rights through fstab with the ‘noexec’ option.

Anti-DDOS / mod_evasive
For small attacks this apache mod is very useful. All you have to do on debian is ‘apt-get install libapache2-mod-evasive’ and you are good to go. To take precautions against syn flooding you could also use the sysctl option ‘sysctl -w net.ipv4.tcp_syncookies=1’

Some general stuff to remember
– If you don’t need it, delete it. Stuff like FTP/Telnet/Inetd etc. Minimize all the software/open ports
– Check your open ports with nmap (nmap or netstat -a
– Configure the network with VLAN’s per client so you can see very quickly who is doing what
– Keep software up to date
– Make sure you have a strong password policy (even if the client doesn’t like it!)
– Disable SSH root login

  1. Don’t do difficult stuff like creating a new partition for /tmp. Files in here are small and MySQL uses it for tmp tables when using the optimize_table statement. You want your /tmp to be safe and fast, so use tmpfs in memory!

    tmpfs /tmp tmpfs defaults,noatime,noexec,nosuid,size=1g 0 0


    1. Yes, thats a great alternative. Thank you for the addition!


Geef een reactie

%d bloggers liken dit: