2. Hardening the Server
Once the server is built I go through a number of hardening procedures.
I welcome comments if you have hardening procedures you use to make your server harder to hack.
bashrc
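# Change the string /etc/bashrc puts in the terminal title bar: show the full
# hostname (${HOSTNAME}) rather than the part before the first dot
# (${HOSTNAME%%.*}). The first sed covers the xterm title escape
# ("\033]0;...\007"), the second the screen/vt escape ("\033_...\033\\").
# Two things differ from the usual form of these lines: '-i -e' instead of
# '-ie' (sed reads '-ie' as "-i with backup suffix e" and leaves a stray
# /etc/bashrce behind), and the whole replacement sits on one line, because a
# backslash-newline inside the quoted sed script is passed to sed as part of
# the replacement and put an extra near-empty line into /etc/bashrc.
sed -i -e 's/.*PROMPT_COMMAND='\''echo -ne "\\033]0;\${USER}@\${HOSTNAME%%.*}:\${PWD\/#\$HOME\/~}"; echo -ne "\\007"'\''.*$/PROMPT_COMMAND='\''echo -ne "\\033]0;\${USER}@\${HOSTNAME}:\${PWD\/#\$HOME\/~}"; echo -ne "\\007"'\''/' /etc/bashrc \
  && grep "PROMPT_COMMAND='echo -ne" /etc/bashrc
sed -i -e 's/.*PROMPT_COMMAND='\''echo -ne "\\033_\${USER}@\${HOSTNAME%%.*}:\${PWD\/#\$HOME\/~}"; echo -ne "\\033\\\\"'\''.*$/PROMPT_COMMAND='\''echo -ne "\\033_\${USER}@\${HOSTNAME}:\${PWD\/#\$HOME\/~}"; echo -ne "\\033\\\\"'\''/' /etc/bashrc \
  && grep "PROMPT_COMMAND='echo -ne" /etc/bashrc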
These two commands change the text that /etc/bashrc puts in the title bar of an SSH session; I often have multiple SSH sessions running and this makes it easy to see which session I am currently in.
Shorten the shell history. A hacker will read every user's history, if they can.
emacs
let the flame war begin: vi v joe v emacs v nano v pico
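# Provide 'pico' as a thin wrapper around emacs.
# printf writes a proper script with a shebang, and "$@" forwards every
# argument; the earlier one-line version had no shebang and an unquoted $1,
# so it dropped all but the first argument and split it on spaces.
printf '%s\n' '#!/bin/sh' 'exec /usr/bin/emacs "$@"' > /usr/bin/pico
# 0755, not 0777: /usr/bin is on every user's PATH, root's included, so a
# world-writable file there can be rewritten by any local account and then
# run with whatever privileges the next caller has.
chmod 755 /usr/bin/pico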
dsk
Little utility to list sizes of directories.
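# Install dsk: prints the size of each directory one level below the given
# path (default: the current directory).
# The here-doc delimiter is quoted so "$1" is written into the script as-is;
# unquoted, the shell expanded it at install time (to "" here), so the
# installed script ignored its argument and always listed the current
# directory. '>' rather than '>>' so a re-run replaces the file instead of
# appending a second copy of the script to it.
/bin/cat << 'EOF' > /sbin/dsk
#!/bin/sh
ver=2006.12.09
du --max-depth=1 -h -- "${1:-.}"
EOF
# 0755: executable by everyone, writable only by root. 0777 would let any
# local user edit a script that root runs from /sbin.
chmod 755 /sbin/dsk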
Server naming
More important than a child's name: http://xkcd.com/910/
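# Site-specific values; every file written below is derived from these.
export dname=ai.net.nz
export hname=mail
export addrange=192.168.20
export serverip=1
# Deliberately empty here: set it in the environment of the shell that runs
# the later steps (or read it from a root-only file) rather than writing it
# into this script, so it never sits in a saved copy or in shell history.
export mysqlpasswd=
export sambadomain=domain
#Something only for me users and passwds
#If this is going to be a dns server
echo -n resolv.conf #
/bin/rm -f /etc/resolv.conf
# NOTE(review): 'search' normally carries the DNS domain ($dname); $hname
# here looks like a slip - confirm before relying on short-name lookups.
/bin/cat << EOF > /etc/resolv.conf
nameserver 127.0.0.1
search $hname
EOF
echo -n nsswitch.conf #
# Edit the existing hosts: line rather than appending a second one, so the
# file never carries two competing definitions of the same database.
if grep -q '^hosts:' /etc/nsswitch.conf; then
  sed -i -e 's/^hosts:.*$/hosts: files dns/' /etc/nsswitch.conf
else
  printf '%s\n' 'hosts: files dns' >> /etc/nsswitch.conf
fi
echo -n host.conf #
/bin/rm -f /etc/host.conf
# Quoted delimiter: nothing in this block is meant to be expanded by the shell.
/bin/cat << 'EOF' > /etc/host.conf
order bind,hosts
multi on
nospoof on
EOF
#Setting up the network, yours will differ
echo -n ifcfg-eth0 #
/bin/rm -f /etc/sysconfig/network-scripts/ifcfg-eth0
/bin/cat << EOF > /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
IPADDR=$addrange.$serverip
NETMASK=255.255.255.0
NETWORK=$addrange.0
BROADCAST=$addrange.255
ONBOOT=yes
BOOTPROTO=none
USERCTL=no
EOF
chkconfig network on
# Optional per-interface settings, if you would rather not put them in
# /etc/sysconfig/network below:
#   GATEWAY=10.0.0.1   (default gateway)
#   DNS1=10.0.0.10     (DNS server's IP address)
echo -n hosts #
/bin/rm -f /etc/hosts
/bin/cat << EOF > /etc/hosts
127.0.0.1 localhost localhost.localdomain
$addrange.$serverip $hname.$dname $hname
EOF
echo -n network #
/bin/rm -f /etc/sysconfig/network
/bin/cat << EOF > /etc/sysconfig/network
NETWORKING=yes
FORWARD_IPV4=true
HOSTNAME=$hname.$dname
DOMAINNAME=$dname
GATEWAY=$addrange.3
GATEWAYDEV=eth0
EOF
echo -n rc.local #
# Appended, not replaced: rc.local may already hold other local start-up
# commands. These modules back the NAT/FTP forwarding turned on in sysctl.conf.
/bin/cat << 'EOF' >> /etc/rc.d/rc.local
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
EOF
echo -n sysctl.conf #
# Appended to the existing file. These take effect at the next boot, or
# immediately with 'sysctl -p'. 'conf.all.*' covers interfaces that already
# exist, 'conf.default.*' ones brought up later, so both are set.
/bin/cat << 'EOF' >> /etc/sysctl.conf
# ignoring ping request
#net.ipv4.icmp_echo_ignore_all = 1
# ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1
# IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
# ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# always defragging Protection
# (obsolete key: 2.4 and later kernels no longer have ip_always_defrag,
# sysctl reports it as unknown and skips it)
net.ipv4.ip_always_defrag = 1
# bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
# IP spoofing protection, turn on Source Address Verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Log Spoofed, Source Routed & Redirect Packets (1 = log them; 0 drops them
# silently, which is what the old value did despite this comment)
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.eth0.log_martians = 1
net.ipv4.conf.eth1.log_martians = 1
# packet forwarding
net.ipv4.ip_forward = 1
net.ipv4.ip_dynaddr = 1
EOF
echo -n hosts.allow #
# The literal placeholder 'ALL: your range' is no longer written (tcp_wrappers
# would have read it as two bogus host names); add each further trusted range
# as its own 'ALL: a.b.c.' line. Note that hosts.allow only limits access when
# /etc/hosts.deny denies by default (e.g. 'ALL: ALL'), which this page does
# not set up - check the host.
/bin/cat << EOF >> /etc/hosts.allow
ALL: $addrange.
EOF
/usr/bin/updatedb &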
Go have a coffee.
You may lose your connection to the server if you came in via SSH, as its IP address has changed.
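echo "Hardening"
# Every sed below uses '-i -e', not '-ie': sed takes an optional backup suffix
# glued to -i, so '-ie' meant "in place, backup suffix e" and left copies such
# as /etc/ssh/sshd_confige, /etc/profilee and /etc/pam.d/sue (which doubles as
# a spurious PAM service name) next to the originals.
# '^#*' matches the directive whether it is still commented out or already
# active, so a pre-existing 'PermitRootLogin yes' is corrected too.
sed -i -e 's/^#*PermitRootLogin[[:space:]].*$/PermitRootLogin no/' /etc/ssh/sshd_config \
  && grep PermitRootLogin /etc/ssh/sshd_config
sed -i -e 's/^#*Port 22[[:space:]]*$/Port 2022/' /etc/ssh/sshd_config \
  && grep '^Port' /etc/ssh/sshd_config
# sshd only reads its config at (re)start, so neither change is live yet;
# -t checks that the edited file parses, so the eventual restart cannot fail
# and leave the box unreachable.
/usr/sbin/sshd -t
# Replaces whatever the console Ctrl-Alt-Del action was with a plain reboot.
# To disable the key combination instead, comment the line out.
sed -i -e 's|^.*ctrlaltdel.*$|ca::ctrlaltdel:/sbin/reboot|' /etc/inittab \
  && grep ctrlaltdel /etc/inittab
# One anchored sed replaces the earlier pair: '^PASS_MIN_LEN' only touches the
# active setting, so the explanatory comment line in login.defs no longer has
# to be defaced to keep it out of the match. NOTE(review): on PAM-based
# systems the length check for 'passwd' usually comes from pam_cracklib in
# /etc/pam.d/system-auth - confirm PASS_MIN_LEN is honoured here.
sed -i -e 's/^PASS_MIN_LEN[[:space:]].*$/PASS_MIN_LEN 8/' /etc/login.defs \
  && grep '^PASS_MIN_LEN' /etc/login.defs
# Restrict 'su' to members of group wheel. Put the admin account in wheel
# before this runs: with PermitRootLogin already off, an admin outside wheel
# has no way to become root over ssh. Whitespace between the fields is
# matched loosely because the stock file aligns them with tabs.
sed -i -e 's|^#*auth[[:space:]]\{1,\}required[[:space:]]\{1,\}/lib/security/\$ISA/pam_wheel.so[[:space:]]\{1,\}use_uid.*$|auth required /lib/security/$ISA/pam_wheel.so use_uid|' /etc/pam.d/su \
  && grep pam_wheel.so /etc/pam.d/su
chmod -R 700 /etc/rc.d/init.d/*
sed -i -e 's/.*HISTSIZE=1000.*$/HISTSIZE=20/' /etc/profile \
  && grep HISTSIZE /etc/profile
# Add the sbin directories to the admin accounts' PATH. Only the PATH= line
# (optionally prefixed with 'export ') is rewritten; the old '.*PATH=' pattern
# also matched lines such as MANPATH=. NOTE(review): $HOME/bin ends up ahead
# of /sbin and /usr/sbin, so a user-writable directory is searched before the
# system ones added here - presumably intended for these accounts; confirm.
for home_dir in /home/strider /home/admin; do
  sed -i -e 's|^\(export \)\{0,1\}PATH=.*$|PATH=$PATH:$HOME/bin:/sbin:/usr/sbin:/usr/bin|' "$home_dir/.bash_profile" \
    && grep PATH= "$home_dir/.bash_profile"
done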