An open relay is “a mail server that does not verify that it is authorised to send mail from the email address that a user is trying to send from. Therefore, users would be able to send email originating from any third-party email address they want.”
Using open relay Someone could use your domain name to send emails from dummy accounts. It is a method of sending spam while ensuring they are neither identified nor blocked from sending future spam messages.
You can easily determine your PostFix mail server is an open relay by using a tool from spamhelp.org. If you found your server working as open relay, you can secure your PostFix mail server by setting proper authentication protocols. Edit PostFix configuration file /etc/mail/main.cf, and search to edit (or add new lines as below, if you don’t find in PostFix configuration file):
smtpd_delay_reject = no disable_vrfy_command = yes
These settings will force incoming requests to stop and identify themselves before accessing the SMTP server. Authenticated users will be allowed to pass through and send mail. Restart PostFix to apply changes:
In a previous post (How to Change Linux Server SSH Port), I write how to change the SSH port on Linux server from the standard port 22. that work fine for most cases, however you may face below error if you apply changes on Red Hat Enterprise Linux 6:
sshd[82123]: error: Bind to port 2222 on 192.168.4.5 failed: Permission denied
If you face above error message, you most likely setup SELinux (Security Enhanced Linux) enabled, as it is a standard feature of RHEL. In this version, SELinux blocks all other ports for access to SSH, except for the standard port 22. Fortunately, it is quite simple to change the settings to allow the port you want (i.e. 2222 in our other article).
Logon to your linux server as root and use “semanage” to display the current port settings. The command is below:
semanage port -l | grep ssh
This command produce output looks like below:
ssh_port_t tcp 22
You can add port 2222 to the list of acceptable ports with the following command:
semanage port -a -t ssh_port_t -p tcp 2222
You should re-check to make sure the changes were saved.
semanage port -l | grep ssh
The output should now look like this:
ssh_port_t tcp 2222,22
Make sure to configure your Linux server firewall rules to allow new SSH port (2222) and to block default SSH port (port number 22).
Verify the settings and restart OpenSSH in order to changes to take effect.
/sbin/service sshd restart
Now you should be able to connect to custom SSH port (2222 for our example).
The Linux SSH server (OpenSSH) listens on port 22. If you have security measures in your mind and willing to change default SSH port to custom follow the steps below in this article.
To change your SSH port, as root, edit the sshd_config file in your /etc/ssh directory.
vim /etc/ssh/sshd_config
Search for a line as below:
Port 22
Change the number 22 to the port number of your choice. You need to make sure your custom port should not used by other service on your server.
Port 2222
Note: you can use other number of your choice.
Make sure to configure your server firewall rules to allow new SSH port (2222) and to block default SSH port (port number 22).
Save the file and then restart sshd:
/etc/init.d/sshd restart
Note: by changing default SSH port, you add a thin layer of security to your Linux server. It will not stop more advanced bots etc…
The default network SMTP port for Postfix, Sendmail and most other mail servers is 25 that is used to send email, and most email clients use port 25 as default port for sending emails. Unfortunately internet service providers (ISP’s) have started to block port 25 to control high volume of spam sent through post 25 and they require their users to use the ISP’s SMTP server.
This is a the major reason why mail server administrators consider to change their default SMTP port from port 25 to someone else. While some server administrators use proxy servers to redirect mail traffic through SPAM and DNS filters before eventually resolving to another port.
To change Postfix SMTP port, you need to have root access to your server. Edit the Postfix configuration file: /etc/postfix/master.cf and comment out the following line:
# smtp innet n - n - - smtpd
Next, add this line:
2525 inet n - n - - smtpd
You can replace “2525″ with port number of your choice to use for your SMTP server.
Finally, restart Postfix:
/etc/init.d/postfix restart OR service postfix restart
You may need to configure your firewall (if you use any) to allow the new port and deny port 25.
PHP is an opensource server side scripting language and it is a widely used. The Apache web server provides access to files and content over HTTP OR HTTPS protocol. A misconfigured server side scripting language can create all sorts of problems. So, PHP should be used carefully. Here are twenty five php security best practices for sysadmins secure PHP configuration.
Sample Tips for PHP Security
DocumentRoot: /var/www/html
Default Web server: Apache ( you can use Lighttpd or Nginx instead of Apache)
Our sample php security config file: /etc/php.d/security.ini (you need to create this file using a text editor)
Operating systems: RHEL / CentOS / Fedora Linux (the instructions should work with any other Linux distributions such as Debian / Ubuntu or other Unix like operating systems such as OpenBSD/FreeBSD/HP-UX).
Default php server TCP/UDP ports: none
Most of the actions listed in this post are written with the assumption that they will be executed by the root user running the bash or any other modern shell: $ php -v
Sample outputs:
PHP 5.3.3 (cli) (built: Oct 24 2011 08:35:41)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
For demonstration purpose I’m going to use the following operating system: $ cat /etc/redhat-release
Sample outputs:
Red Hat Enterprise Linux Server release 6.1 (Santiago)
1: Know Your Enemy
PHP based apps can face the different types of attacks. I have seen the following types of attacks:
XSS - Cross-site scripting is a vulnerability in php web applications which attackers may exploit to steal users’ information. You can configure Apache and write secure code (validating all user input) to avoid xss attacks.
SQL injection - It is a vulnerability in the database layer of an php application. When user input is incorrectly filtered any SQL statements can be executed by the application. You can configure Apache and write secure code (validating and escaping all user input) to avoid SQL injection attacks. A common practice in PHP is to escape parameters using the function called mysql_real_escape_string() before sending the SQL query.
Spoofing
File uploads – It allows your visitor to place files on your server. This can result into to delete your files, database, get user details and much more. You can disable file uploads using php or write secure code (like validate and only allow image file type such as png or gif).
Including local and remote files – An attacker can open files from remote server and execute any PHP code. This allows them to upload file, delete file and install backdoors. You can configure php to disable remote file execution.
eval() - Evaluate a string as PHP code. This is often used by an attacker to hide their code and tools on server itself. You can configure php to disable eval().
Sea-surf Attack (Cross-site request forgery – CSRF) – This attack forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application.
2: Find Built-in PHP Modules
To see the set of compiled-in PHP modules type the following command, enter: # php -m
Sample outputs:
[PHP Modules]
apc
bcmath
bz2
calendar
Core
ctype
curl
date
dom
ereg
exif
fileinfo
filter
ftp
gd
gettext
gmp
hash
iconv
imap
json
libxml
mbstring
memcache
mysql
mysqli
openssl
pcntl
pcre
PDO
pdo_mysql
pdo_sqlite
Phar
readline
Reflection
session
shmop
SimpleXML
sockets
SPL
sqlite3
standard
suhosin
tokenizer
wddx
xml
xmlreader
xmlrpc
xmlwriter
xsl
zip
zlib
[Zend Modules]
Suhosin
I recommends that you use PHP with a reduced modules for performance and security. For example, you can disable sqlite3 module by deleting (removing) file , OR renaming (moving) a file /etc/php.d/sqlite3.ini as follows: # rm /etc/php.d/sqlite3.ini
OR # mv /etc/php.d/sqlite3.ini /etc/php.d/sqlite3.disable
Other compiled-in modules can only be removed by reinstallating (reconfigure or rebuild php rpms) PHP with a reduced configuration. You can download php source code and compile it as follows by with GD, fastcgi, and, MySQL support:
To restrict PHP information leakage set expose_php to Off. Edit /etc/php.d/secutity.ini and set the following directive:
expose_php=Off
This option disabled to the world that PHP is installed on the server, which includes the PHP version within the HTTP header (e.g., X-Powered-By: PHP/5.3.3). The PHP logo guids are also exposed, thus appending them to the URL of a PHP enabled site will display the appropriate logo. $ curl -I http://www.cyberciti.biz/index.php
Sample outputs:
Your PHP supports “Dynamic Extensions”. By default, RHEL loads all the extension modules found in /etc/php.d/ directory. To enable or disable a particular module, just find the configuration file in /etc/php.d/ directory and comment the module name. You can also rename or delete module configuration file. For best PHP performance and security, you should only enable the extensions your webapps requires. To disable gd extension, type the following commands: # cd /etc/php.d/
# mv gd.{ini,disable}
# /sbin/service httpd restart
To enable module gd, enter: # mv gd.{disable,ini}
# /sbin/service httpd restart
5: Log All PHP Errors
Do not expose PHP error messages to all site visitors. Edit /etc/php.d/security.ini and set the following directive:
Turn on or off HTTP file uploads (disallow uploading unless necessary). Edit /etc/php.d/security.ini and set the following directive:
file_uploads=Off
If users of your application need to upload files, turn this feature on by setting maximum allowed size for uploaded files:
file_uploads=On
# user can only upload upto 1MB
upload_max_filesize=1M
7: Turn Off Remote Code Execution
The allow_url_fopen option allows PHP’s file functions such as file_get_contents() and the include / require statements, can retrieve data from remote locations, like an FTP or HTTP web site. Programmers frequently forget this and don’t do proper input filtering when passing user-provided data to these functions, opening them up to code injection vulnerabilities. A large number of code injection vulnerabilities reported in PHP-based web applications are caused by the combination of enabling allow_url_fopen and bad input filtering. This option should be disabled. Edit /etc/php.d/security.ini and set the following directive:
allow_url_fopen=Off
I also recommend to disable allow_url_include for security reasons:
allow_url_include=Off
8: Enable SQL Safe Mode
Turn on or off SQL safe mode. Edit /etc/php.d/security.ini and set the following directive:
sql.safe_mode=On
If turned On, mysql_connect() and mysql_pconnect() ignore any arguments passed to them. Please note that you may have to make some changes to your code. Third party and open source application such as WordPress, and others may not work at all when sql.safe_mode set it to On. I also recommend that you turn off magic_quotes_gpc for all php 5.3.x installations:
magic_quotes_gpc=Off
9: Control POST Size
The HTTP POST request method is used when the client (browser or user) needs to send data to the Apache web server as part of the request, such as when uploading a file or submitting a completed form. This can be abused or can be used to crash server. Edit /etc/php.d/security.ini and set the following directive:
post_max_size=1K
The 1K sets max size of post data allowed by php apps. This setting also affects file upload. To upload large files, this value must be larger than upload_max_filesize. I also suggest that you limit available methods using Apache web server. Edit httpd.conf and set the following directive for DocumentRoot /var/www/html:
<Directory /var/www/html>
<LimitExcept GET POST>
Order allow,deny
</LimitExcept>
# Add rest of the config here...
</Directory>
10: Resource Control
You can set maximum execution time of each php script, in seconds. Another recommend option is to set maximum amount of time each script may spend parsing request data and maximum amount of memory a script may consume. Edit /etc/php.d/security.ini and set the following directives:
# set in seconds
max_execution_time = 30
max_input_time = 30
memory_limit = 40M
11: Install Suhosin Advanced Protection System for PHP
Suhosin is an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core. Suhosin comes in two independent parts, that can be used separately or in combination. The first part is a small patch against the PHP core, that implements a few low-level protections against bufferoverflows or format string vulnerabilities and the second part is a powerful PHP extension that implements all the other protections.
PHP has a lot of functions which can be used to crack your server if not used properly. You can set list of functions in /etc/php.d/security.ini using disable_functions directive:
PHP can be run using FastCGI or cgi. The configuration directive cgi.force_redirect prevents anyone from calling PHP directly with a URL like http://www.cyberciti.biz/cgi-bin/php/hackerdir/backdoor.php. Turn on cgi.force_redirect for security reasons. Edit /etc/php.d/security.ini and set the following directive:
cgi.force_redirect=On
14 PHP User and Group ID
PHP can be run as server. mod_fastcgi is a cgi-module for Apache web server. It can connect to php server. You need to make sure php run as non-root user. If PHP is executing as a CGI, look at a method of executing CGIs as a non-privileged user like Apache’s suEXEC ormod_suPHP. In this example, php-cgi is running as phpcgi user: # ps aux | grep php-cgi
Sample outputs:
You can use tool such as spawn-fcgi to start php server as phpcgi user (first, add phpcgi user to the system): # spawn-fcgi -a 127.0.0.1 -p 9000 -u phpcgi -g phpcgi -f /usr/bin/php-cgi
You can configure Apache, Lighttpd, and Nginx web server to use php running on port 9000 at 127.0.0.1 IP address.
NOTE: If you’re using the Apache module, use Apache users and group to run php.
15 Limit PHP Access To File System
The open_basedir directive set the directories from which PHP is allowed to access files using functions like fopen(), and others. If a file is outside of the paths defined by open_basdir, PHP will refuse to open it. You cannot use a symbolic link as a workaround. For example only allow access to /var/www/html directory and not to /var/www, or /tmp:
open_basedir="/var/www/html/"
; Multiple dirs can be set as follows
; open_basedir="/home/httpd/vhost/cyberciti.biz/html/:/home/httpd/vhost/nixcraft.com/html/:/home/httpd/vhost/theos.in/html/"
16 Session Path
Session support in PHP consists of a way to preserve certain data across subsequent accesses. This enables you to build more customized applications and increase the appeal of your web site. This path is defined in /etc/php.ini file and all data related to a particular session will be stored in a file in the directory specified by the session.save_path option. The default is as follows under RHEL/CentOS/Fedora Linux:
session.save_path="/var/lib/php/session"
; Set the temporary directory used for storing files when doing file upload
upload_tmp_dir="/var/lib/php/session"
Make sure path is outside /var/www/html and not readable or writeable by any other system users: # ls -Z /var/lib/php/
Sample outputs:
Note: Check php.net for the most recent release for source code installations.
18: Restrict File and Directory Access
Make sure you run Apache as a non-root user such as Apache or www. All files and directory should be owned by root user under /var/www/html: # chown -R root:root /var/www/html/
Make sure file permissions are set to 0444 under /var/www/html/: # chmod -R 0444 /var/www/html/
Make sure all directories permissions are set to 0445 under /var/www/html/: # find /var/www/html/ -type d -print0 | xargs -0 -I {} chmod 0445 {}
Make sure httpd.conf has the following directives for restrictive configuration:
<Directory / >
Options None
AllowOverride None
Order allow,deny
</Directory>
You should only grant access when required. Some web applications such as wordpress and others requires caching directories. You need to grant write access to those directroies: # chmod a+w /var/www/html/blog/wp-content/cache
### block access to all ###
# echo 'deny from all' > /var/www/html/blog/wp-content/cache/.htaccess
19: Write Protect Apache, PHP, and, MySQL Configuration Files
Use the chattr command to write protect files: # chattr +i /etc/php.ini
# chattr +i /etc/php.d/*
# chattr +i /etc/my.ini
# chattr +i /etc/httpd/conf/httpd.conf
# chattr +i /etc/
#20: Use Linux Security Extensions (such as SELinux)
Linux comes with various security patches which can be used to guard against misconfigured or compromised programs. If possible use SELinux and other Linux security extensions to enforce limitations on network and other programs. For example, SELinux provides a variety of security policies for Linux kernel and Apache web server. To list all Apache SELinux protection variables, enter: # getsebool -a | grep httpd
Sample outputs:
allow_httpd_anon_write --> off
allow_httpd_mod_auth_ntlm_winbind --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> on
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_read_user_content --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_tmp_exec --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
To disable cgi support, enter: # setsebool -P httpd_enable_cgi off
See Red Hat SELinux guide for more information.
## A few Examples ##
# Do not allow to open files in /etc/
SecFilter /etc/
# Stop SQL injection
SecFilter "delete[[:space:]]+from"
SecFilter "select.+from"
22 Run Apache / PHP In a Chroot Jail If Possible
Putting PHP and/or Apache in a chroot jail minimizes the damage done by a potential break-in by isolating the web server to a small section of the filesystem. You can use traditional chroot kind of setup with Apache. If possible use FreeBSD jails, XEN, KVM, or OpenVZ virtualizationwhich uses the concept of containers.
23 Use Firewall To Restrict Outgoing Connections
The attacker will download file locally on your web-server using tools such as wget. Use iptables to block outgoing connections from Apache user. The ipt_owner module attempts to match various characteristics of the packet creator, for locally generated packets. It is only valid in the OUTPUT chain. In this example, allow vivek user to connect outside using port 80 (useful for RHN or centos repo access):
/sbin/iptables -A OUTPUT -o eth0 -m owner --uid-owner vivek -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
Here is another example that blocks all outgoing connections from apache user except to our own smtp server, and spam validation API service:
# ....
/sbin/iptables --new-chain apache_user
/sbin/iptables --append OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables --append OUTPUT -m owner --uid-owner apache -j apache_user
# allow apache user to connec to our smtp server
/sbin/iptables --append apache_user -p tcp --syn -d 192.168.1.100 --dport 25 -j RETURN
# Allow apache user to connec to api server for spam validation
/sbin/iptables --append apache_user -p tcp --syn -d 66.135.58.62 --dport 80 -j RETURN
/sbin/iptables --append apache_user -p tcp --syn -d 66.135.58.61 --dport 80 -j RETURN
/sbin/iptables --append apache_user -p tcp --syn -d 72.233.69.89 --dport 80 -j RETURN
/sbin/iptables --append apache_user -p tcp --syn -d 72.233.69.88 --dport 80 -j RETURN
#########################
## Add more rules here ##
#########################
# No editing below
# Drop everything for apache outgoing connection
/sbin/iptables --append apache_user -j REJECT
24 Watch Your Logs & Auditing
Check the apache log file: # tail -f /var/log/httpd/error_log
# grep 'login.php' /var/log/httpd/error_log
# egrep -i "denied|error|warn" /var/log/httpd/error_log
Check the php log file: # tail -f /var/log/httpd/php_scripts_error.log
# grep "...etc/passwd" /var/log/httpd/php_scripts_error.log
Log files will give you some understanding of what attacks is thrown against the server and allow you to check if the necessary level of security is present or not. The auditd service is provided for system auditing. Turn it on to audit service SELinux events, authetication events, file modifications, account modification and so on. I also recommend using standard “Linux System Monitoring Tools” for monitoring your web-server.
25 Run Service Per System or VM Instance
For large installations it is recommended that you run static and dynamic content from different servers.
You run different network services on separate servers or VM instance. This limits the number of other services that can be compromised. For example, if an attacker able to successfully exploit a software such as Apache flow, he / she will get an access to entire server including other services such as MySQL, e-mail server and so on. But, in the above example content are served as follows
static.lan.cyberciti.biz - Lighttpd or nginx for static assets such as js/css/images.
phpcgi1.lan.cyberciti.biz and phpcgi2.lan.cyberciti.biz - Apache server with php used for generating dynamic content.
mysql1.lan.cyberciti.biz - Database server.
mcache1.lan.cyberciti.biz - Memcached server is very fast caching system for MySQL. It uses libevent or epoll (Linux runtime) to scale to any number of open connections and uses non-blocking network I/O.
LB01 - It is a nginx web and reverse proxy server. Nginx used in front of Apache Web servers. All connections coming from the Internet addressed to one of the Web servers are routed through the nginx proxy server, which may either deal with the request itself or pass the request wholly or partially to the main web servers.
PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application. The IDS neither strips, sanitizes nor filters any malicious input, it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to.
You can use PHPIDS to detect malicious users, and log any attacks detected for later review. Please note that I’ve personally not used this tool.
PhpSecInfo provides an equivalent to the phpinfo() function that reports security information about the PHP environment, and offers suggestions for improvement. It is not a replacement for secure development techniques, and does not do any kind of code or app auditing, but can be a useful tool in a multilayered security approach.
You may come across php scripts or so called common backdoors such as c99, c99madshell, r57 and so on. A backdoor php script is nothing but a hidden script for bypassing all authentication and access your server on demand. It is installed by an attackers to access your server while attempting to remain undetected. Typically a PHP (or any other CGI script) script by mistake allows inclusion of code exploiting vulnerabilities in the web browser. An attacker can use such exploiting vulnerabilities to upload backdoor shells which can give him or her a number of capabilities such as:
Download files
Upload files
Install rootkits
Set a spam mail servers / relay server
Set a proxy server to hide tracks
Take control of server
Take control of database server
Steal all information
Open TCP / UDP ports and much more
Tip: How Do I Search PHP Backdoors?
Use Unix / Linux grep command to search c99 or r57 shell: # grep -iR 'c99' /var/www/html/
# grep -iR 'r57' /var/www/html/
# find /var/www/html/ -name \*.php -type f -print0 | xargs -0 grep c99
# grep -RPn "(passthru|shell_exec|system|base64_decode|fopen|fclose|eval)" /var/www/html/
Conclusion
Your PHP based server is now properly harden and ready to show dynamic webpages. However, vulnerabilities are caused mostly by not following best practice programming rules. You should be consulted further resources for your web applications security needs especially php programming which is beyond the scope of sys admin work.
PHP Security Guide: This guide aims to familiarise you with some of the basic concepts of online security and teach you how to write more secure PHP scripts. It’s aimed squarely at beginners, but I hope that it still has something to offer more advanced users.
Essential PHP Security (kindle edition): A book about web application security written specifically for PHP developers. It covers 30 of the most common and dangerous exploits as well as simple and effective safeguards that protect your PHP applications.
SQL Injection Attacks and Defense This book covers sql injection and web-related attacks. It explains SQL injection. How to find, confirm, and automate SQL injection discovery. It has tips and tricks for finding SQL injection within the code. You can create exploits using SQL injection and design to avoid the dangers of these attacks.
Securing your Linux server is important to protect your data, intellectual property, and time, from the hands of crackers (hackers). The system administrator is responsible for security Linux box. In this first part of a Linux server security series, I will provide 20 hardening tips for default installation of Linux system.
#1: Encrypt Data Communication
All data transmitted over a network is open to monitoring. Encrypt transmitted data whenever possible with password or using keys / certificates.
Use scp, ssh, rsync, or sftp for file transfer. You can also mount remote server file system or your own home directory using special sshfs and fuse tools.
GnuPG allows to encrypt and sign your data and communication, features a versatile key managment system as well as access modules for all kind of public key directories.
Fugu is a graphical frontend to the commandline Secure File Transfer application (SFTP). SFTP is similar to FTP, but unlike FTP, the entire session is encrypted, meaning no passwords are sent in cleartext form, and is thus much less vulnerable to third-party interception. Another option is FileZilla - a cross-platform client that supports FTP, FTP over SSL/TLS (FTPS), and SSH File Transfer Protocol (SFTP).
Under most network configurations, user names, passwords, FTP / telnet / rsh commands and transferred files can be captured by anyone on the same network using a packet sniffer. The common solution to this problem is to use either OpenSSH , SFTP, or FTPS (FTP over SSL), which adds SSL or TLS encryption to FTP. Type the following command to delete NIS, rsh and other outdated service: # yum erase inetd xinetd ypserv tftp-server telnet-server rsh-serve
#2: Minimize Software to Minimize Vulnerability
Do you really need all sort of web services installed? Avoid installing unnecessary software to avoid vulnerabilities in software. Use the RPM package manager such as yum or apt-get and/or dpkg to review all installed set of software packages on a system. Delete all unwanted packages. # yum list installed # yum list packageName # yum remove packageName OR # dpkg –list # dpkg –info packageName # apt-get remove packageName
#3: One Network Service per System or VM Instance
Run different network services on separate servers or VM instance. This limits the number of other services that can be compromised. For example, if an attacker able to successfully exploit a software installed on that server such as Apache flow, he will get an access to entire server including other services such as MySQL, e-mail server etc… You can find details below to install Virtualization software:
Updating latest security patches is an important part for Linux server maintenance. Linux provides all necessary tools to keep your system updated, and also allows for easy upgrades between versions. All security update should be reviewed and applied as soon as possible. Again, use the RPM package manager such as yum and/or apt-get and/or dpkg to apply all security updates. # yum update OR # apt-get update && apt-get upgrade
You can configure Red hat / CentOS / Fedora Linux to send yum package update notification via email. There is alternative option to apply all security updates via a cron job. Under Debian / Ubuntu Linux you can use apticron to send security notifications.
#5: Use Linux Security Extensions
Linux comes with various security patches which can be used to guard against miss-configured or security compromised programs. If possible use SELinux and other Linux security extensions to enforce limitations on network and other programs. For example, SELinux provides a variety of security policies for Linux kernel.
#5.1: SELinux
I strongly recommend using SELinux which provides a flexible Mandatory Access Control (MAC). Under standard Linux Discretionary Access Control (DAC), an application or process running as a user (UID or SUID) has the user’s permissions to objects such as files, sockets, and other processes. Running a MAC kernel protects the system from malicious or flawed applications that can damage or destroy the system. See the official Redhat documentation which explains SELinux configuration.
#6: User Accounts and Strong Password Policy
Use the useradd / usermod commands to create and maintain user accounts. Make sure you have a good and strong password policy. For example, a good password includes at least 8 characters long and mixture of alphabets, number, special character, upper & lower alphabets etc. Most important pick a password you can remember. Use tools such as “John the ripper” to find out weak users passwords on your server. Configure pam_cracklib.so to enforce the password policy.
#6.1: Password Aging
The chage command changes the number of days between password changes and the date of the last password change. This information is used by the system to determine when a user must change his/her password. The /etc/login.defs file defines the site-specific configuration for the shadow password suite including password aging configuration. To disable password aging, enter: chage -M 99999 userName
To get password expiration information, enter: chage -l userName
Finally, you can also edit the /etc/shadow file in the following fields:
Minimum_days: The minimum number of days required between password changes i.e. the number of days left before the user is allowed to change his/her password.
Maximum_days: The maximum number of days the password is valid (after that user is forced to change his/her password).
Warn : The number of days before password is to expire that user is warned that his/her password must be changed.
Expire : Days since Jan 1, 1970 that account is disabled i.e. an absolute date specifying when the login may no longer be used.
I recommend chage command instead of editing the /etc/shadow by hand: # chage -M 60 -m 7 -W 7 userName
You can prevent all users from using or reuse same old passwords under Linux. The pam_unix module parameter remember can be used to configure the number of previous passwords that cannot be reused.
#6.3: Locking User Accounts After Login Failures
Under Linux you can use the faillog command to display faillog records or to set login failure limits. faillog formats the contents of the failure log from /var/log/faillog database / log file. It also can be used for maintains failure counters and limits.To see failed login attempts, enter: faillog To unlock an account after login failures, run: faillog -r -u userName Note you can use passwd command to lock and unlock accounts: # lock account passwd -l userName # unlocak account passwd -u userName
#6.4: How Do I Verify No Accounts Have Empty Passwords?
Type the following command # awk -F: ‘($2 == “”) {print}’ /etc/shadow Lock all empty password accounts: # passwd -l accountName
#6.5: Make Sure No Non-Root Accounts Have UID Set To 0
Only root account has UID 0 with full permissions to access the system. Type the following command to display all accounts with UID set to 0: # awk -F: ‘($3 == “0″) {print}’ /etc/passwd You should only see one line as follows:
root:x:0:0:root:/root:/bin/bash
If you see other lines, delete them or make sure other accounts are authorized by you to use UID 0.
#7: Disable root Login
Never login as root user. You should use sudo to execute root level commands as and when required. sudo does greatly enhances the security of the system without sharing root password with other users and admins. sudo provides simple auditing and tracking features too.
#8: Physical Server Security
You must protect Linux servers physical console access. Configure the BIOS and disable the booting from external devices such as DVDs / CDs / USB pen. Set BIOS and grub boot loader password to protect these settings. All production boxes must be locked in IDCs (Internet Data Center) and all persons must pass some sort of security checks before accessing your server. See also:
Disable all unnecessary services and daemons (services that runs in the background). You need to remove all unwanted services from the system start-up. Type the following command to list all services which are started at boot time in run level # 3: # chkconfig –list | grep ’3:on’
To disable service, enter: # service serviceName stop # chkconfig serviceName off
#9.1: Find Listening Network Ports
Use the following command to list all open ports and associated programs: netstat -tulpn OR nmap -sT -O localhost nmap -sT -O server.example.com Use iptables to close open ports or stop all unwanted network services using above service and chkconfig commands.
X Windows on server is not required. There is no reason to run X Windows on your dedicated mail and Apache web server. You can disable and remove X Windows to improve server security and performance. Edit /etc/inittab and set run level to 3. Finally, remove X Windows system, enter: # yum groupremove “X Window System”
#11: Configure Iptables and TCPWrappers
Iptables is a user space application program that allows you to configure the firewall (Netfilter) provided by the Linux kernel. Use firewall to filter out traffic and allow only necessary traffic. Also use the TCPWrappers a host-based networking ACL system to filter network access to Internet. You can prevent many denial of service attacks with the help of Iptables:
/etc/sysctl.conf file is used to configure kernel parameters at runtime. Linux reads and applies settings from /etc/sysctl.conf at boot time. Sample /etc/sysctl.conf:
# Turn on execshield
kernel.exec-shield=1
kernel.randomize_va_space=1
# Enable IP spoofing protection
net.ipv4.conf.all.rp_filter=1
# Disable IP source routing
net.ipv4.conf.all.accept_source_route=0
# Ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_messages=1
# Make sure spoofed packets get logged
net.ipv4.conf.all.log_martians = 1
#13: Separate Disk Partitions
Separation of the operating system files from user files may result into a better and secure system. Make sure the following filesystems are mounted on separate partitions:
/usr
/home
/var and /var/tmp
/tmp
Create septate partitions for Apache and FTP server roots. Edit /etc/fstab file and make sure you add the following configuration options:
noexec - Do not set execution of any binaries on this partition (prevents execution of binaries but allows scripts).
nodev - Do not allow character or special devices on this partition (prevents use of device files such as zero, sda etc).
nosuid - Do not set SUID/SGID access on this partition (prevent the setuid bit).
Sample /etc/fstab entry to to limit user access on /dev/sda5 (ftp server root directory):
Make sure disk quota is enabled for all users. To implement disk quotas, use the following steps:
Enable quotas per file system by modifying the /etc/fstab file.
Remount the file system(s).
Create the quota database files and generate the disk usage table.
Assign quota policies.
See implementing disk quotas tutorial for further details.
#14: Turn Off IPv6
Internet Protocol version 6 (IPv6) provides a new Internet layer of the TCP/IP protocol suite that replaces Internet Protocol version 4 (IPv4) and provides many benefits. Currently there are no good tools out which are able to check a system over network for IPv6 security issues. Most Linux distro began enabling IPv6 protocol by default. Crackers can send bad traffic via IPv6 as most admins are not monitoring it. Unless network configuration requires it, disable IPv6 or configure Linux IPv6 firewall:
All SUID/SGID bits enabled file can be misused when the SUID/SGID executable has a security problem or bug. All local or remote user can use such file. It is a good idea to find all such files. Use the find command as follows: #See all set user id files: find / -perm +4000 # See all group id files find / -perm +2000 # Or combine both in a single command find / \( -perm -4000 -o -perm -2000 \) -print find / -path -prune -o -type f -perm +6000 -ls You need to investigate each reported file. See reported file man page for further details.
#15.1: World-Writable Files
Anyone can modify world-writable file resulting into a security issue. Use the following command to find all world writable and sticky bits set files: find /dir -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print You need to investigate each reported file and either set correct user and group permission or remove it.
#15.2: Noowner Files
Files not owned by any user or group can pose a security problem. Just find them with the following command which do not belong to a valid user and a valid group find /dir -xdev \( -nouser -o -nogroup \) -print You need to investigate each reported file and either assign it to an appropriate user and group or remove it.
#16: Use A Centralized Authentication Service
Without a centralized authentication system, user auth data becomes inconsistent, which may lead into out-of-date credentials and forgotten accounts which should have been deleted in first place. A centralized authentication service allows you maintaining central control over Linux / UNIX account and authentication data. You can keep auth data synchronized between servers. Do not use the NIS service for centralized authentication. Use OpenLDAP for clients and servers.
#16.1: Kerberos
Kerberos performs authentication as a trusted third party authentication service by using cryptographic shared secret under the assumption that packets traveling along the insecure network can be read, modified, and inserted. Kerberos builds on symmetric-key cryptography and requires a key distribution center. You can make remote login, remote copy, secure inter-system file copying and other high-risk tasks safer and more controllable using Kerberos. So, when users authenticate to network services using Kerberos, unauthorized users attempting to gather passwords by monitoring network traffic are effectively thwarted. See how to setup and use Kerberos.
#17: Logging and Auditing
You need to configure logging and auditing to collect all hacking and cracking attempts. By default syslog stores data in /var/log/ directory. This is also useful to find out software misconfiguration which may open your system to various attacks. See the following logging related articles:
#17.1: Monitor Suspicious Log Messages With Logwatch / Logcheck
Read your logs using logwatch or logcheck. These tools make your log reading life easier. You get detailed reporting on unusual items in syslog via email. A sample syslog report:
general: info: zone XXXXXX.com/IN: Transfer started.: 3 Time(s)
general: info: zone XXXXXX.com/IN: refresh: retry limit for master ttttttttttttttttttt#53 exceeded (source ::#0): 3 Time(s)
general: info: zone XXXXXX.com/IN: Transfer started.: 4 Time(s)
general: info: zone XXXXXX.com/IN: refresh: retry limit for master ttttttttttttttttttt#53 exceeded (source ::#0): 4 Time(s)
———————- Named End ————————-
——————— iptables firewall Begin ————————
Logged 87 packets on interface eth0
From 58.y.xxx.ww – 1 packet to tcp(8080)
From 59.www.zzz.yyy – 1 packet to tcp(22)
From 60.32.nnn.yyy – 2 packets to tcp(45633)
From 222.xxx.ttt.zz – 5 packets to tcp(8000,8080,8800)
———————- iptables firewall End ————————-
——————— SSHD Begin ————————
Users logging in through sshd:
root:
123.xxx.ttt.zzz: 6 times
———————- SSHD End ————————-
——————— Disk Space Begin ————————
Filesystem Size Used Avail Use% Mounted on
/dev/sda3 450G 185G 241G 44% /
/dev/sda1 99M 35M 60M 37% /boot
———————- Disk Space End ————————-
###################### Logwatch End #########################
(Note output is truncated)
#17.2: System Accounting with auditd
The auditd is provided for system auditing. It is responsible for writing audit records to the disk. During startup, the rules in /etc/audit.rules are read by this daemon. You can open /etc/audit.rules file and make changes such as setup audit file log location and other option. With auditd you can answers the following questions:
System startup and shutdown events (reboot / halt).
Date and time of the event.
User responsible for the event (such as trying to access /path/to/topsecret.dat file).
Type of event (edit, access, delete, write, update file & commands).
Success or failure of the event.
Records events that Modify date and time.
Find out who made changes to modify the system’s network settings.
Record events that modify user/group information.
See who made changes to a file etc.
See our quick tutorial which explains enabling and using the auditd service.
#18: Secure OpenSSH Server
The SSH protocol is recommended for remote login and remote file transfer. However, ssh is open to many attacks. See how to secure OpenSSH server:
A network intrusion detection system (NIDS) is an intrusion detection system that tries to detect malicious activity such as denial of service attacks, port scans or even attempts to crack into computers by monitoring network traffic.
It is a good practice to deploy any integrity checking software before system goes online in a production environment. If possible install AIDE software before the system is connected to any network. AIDE is a host-based intrusion detection system (HIDS) it can monitor and analyses the internals of a computing system.
Snort is a software for intrusion detection which is capable of performing packet logging and real-time traffic analysis on IP networks.
#20: Protecting Files, Directories and Email
Linux offers excellent protections against unauthorized data access. Filepermissions and MAC prevent unauthorized access from accessing data. However, permissions set by the Linux are irrelevant if an attacker has physical access to a computer and can simply move the computer’s hard drive to another system to copy and analyze the sensitive data. You can easily protect files, and partitions under Linux using the following tools:
To encrypt and decrypt files with a password, use gpg command.
Backups - It cannot be stressed enough how important it is to make a backup of your Linux system. A proper offsite backup allows you to recover from cracked server i.e. an intrusion. The traditional UNIX backup programs are dump and restore are also recommended.
Hardening Linux - Hardening Linux identifies many of the risks of running Linux hosts and applications and provides practical examples and methods to minimize those risks.
In the next part of this series I will discuss how to secure specific applications (such as Proxy, Mail, LAMP, Database) and a few other security tools. Did I miss something? Please add your favorite system security tool or tip in the comments.
After five years of planning and design, GNOME 3.0 has been officially released. The totally rewritten desktop has had its share of both praise and condemnation in recent months due to what the project describes as “its most significant redesign of the computer experience in nine years.” They further say, the “revolutionary new user interface and new features for developers make this a historic moment for the free and open source desktop.”
The main idea in the redesign was to allow “users to focus on tasks while minimizing distractions such as notifications, extra workspaces, and background windows. Jon McCann is quoted as saying, “we’ve taken a pretty different approach in the GNOME 3 design that focuses on the desired experience and lets the interface design follow from that. With any luck you will feel more focused, aware, effective, capable, respected, delighted, and at ease.” GNOME 3.0 aims to “help us cope with modern life in a busy world. Help us connect, stay on track, feel at ease and in control.” In summary, GNOME 3.0 helps users stay “informed without being disrupted.”
Matt Zimmerman, Ubuntu CTO, said, “In the face of constant change, both in software technology itself and in people’s attitudes toward it, long-term software projects need to reinvent themselves in order to stay relevant. I’m encouraged to see the GNOME community taking up this challenge, responding to the evolving needs of users and questioning the status quo.”
GNOME founder, Miguel de Icaza adds, “GNOME continues to innovate in the desktop space. The new GNOME Shell is an entire new user experience that was designed from the ground up to improve the usability of the desktop and giving both designers and developers a quick way to improve the desktop and adapt the user interface to new needs. By tightly integrating Javascript with the GNOME platform, designers were able to create and quickly iterate on creating an interface that is both pleasant and exciting to use. I could not be happier with the results.”
Some of the new features include:
Activities Overview at a Glance
Built-in Messaging
Redesigned System Settings
Side-by-side window tiling
Redesigned file manager
Faster performance
Beautiful interface
The official press release:
Groton, MA, April 6 2011: Today, the GNOME Desktop project released GNOME 3.0, its most significant redesign of the computer experience in nine years. A revolutionary new user interface and new features for developers make this a historic moment for the free and open source desktop.
Within GNOME 3, GNOME Shell reimagines the user interface for the next generation of the desktop. This innovative interface allows users to focus on tasks while minimizing distractions such as notifications, extra workspaces, and background windows.
Jon McCann, one of GNOME Shell’s designers, says of the design team, “we’ve taken a pretty different approach in the GNOME 3 design that focuses on the desired experience and lets the interface design follow from that.” The result: “With any luck you will feel more focused, aware, effective, capable, respected, delighted, and at ease.” GNOME Shell aims to “help us cope with modern life in a busy world. Help us connect, stay on track, feel at ease and in control.” GNOME Shell, he says, will keep users “informed without being disrupted.”
The GNOME 3 development platform includes improvements in the display backend, a new API, improvements in search, user messaging, system settings, and streamlined libraries. GNOME 2 applications will continue to work in the GNOME 3 environment without modification, allowing developers to move to the GNOME 3 environment at their own pace. The GNOME 3 release notes include further details.
Matt Zimmerman, Ubuntu CTO at Canonical, praises GNOME 3: “In the face of constant change, both in software technology itself and in people’s attitudes toward it, long-term software projects need to reinvent themselves in order to stay relevant. I’m encouraged to see the GNOME community taking up this challenge, responding to the evolving needs of users and questioning the status quo.”
Miguel de Icaza, one of GNOME’s founders, celebrates the new release: “GNOME continues to innovate in the desktop space. The new GNOME Shell is an entire new user experience that was designed from the ground up to improve the usability of the desktop and giving both designers and developers a quick way to improve the desktop and adapt the user interface to new needs. By tightly integrating Javascript with the GNOME platform, designers were able to create and quickly iterate on creating an interface that is both pleasant and exciting to use. I could not be happier with the results.”
GNOME 3 is the cumulative work of five years of planning and design by the GNOME community. McCann notes: “Perhaps the most notable part of the design process is that everything has been done in the open. We’ve had full transparency for every decision (good and bad) and every change we’ve made. We strongly believe in this model. It is not only right in principle — it is just the best way in the long run to build great software sustainably in a large community.”
In partnership with Novell, Red Hat, other distributors, schools and governments, and user groups, GNOME 3 will reach millions of users around the world. Over 3500 people have contributed changes to the project’s code repositories, including the employees of 106 companies. GNOME 3 includes innumerable code changes since the 2.0 release 9 years ago.
Users and fans of GNOME have planned more than a hundred launch parties around the world. Users can download GNOME 3 from http://gnome3.org to try it immediately, or wait for distributions to carry it over the coming months. GNOME 3 continues to push new frontiers in user interaction.
—–
The GNOME Project was started in 1997 by two then-university students, Miguel de Icaza and Federico Mena Quintero. Their aim: to produce a free (as in freedom) desktop environment. Since then, GNOME has grown into a hugely successful enterprise. Used by millions of people across the world, it is the most popular desktop environment for GNU/Linux and UNIX-type operating systems. The desktop has been utilised in successful, large-scale enterprise and public deployments, and the project’s developer technologies are utilised in a large number of popular mobile devices. For further comments and information, contact the GNOME press contact team atgnome-press-contact@gnome.org.
More people than ever are using wireless networks as their primary networking medium. Great programs are available under X11 that give users a graphical interface to their wireless cards. Both GNOME and KDE include network management utilities, and a desktop-environment-agnostic utility called wicd also offers great functionality. But, what if you aren’t running X11 and want to manage your wireless card? I don’t cover how to install and activate your card here (for that, take a look at projects like madwifi or ndiswrapper). I assume your card is installed and configured properly, and that it is called wlan0. Most of the utilities mentioned below need to talk directly to your wireless card (or at least the card driver), so they need to be run with root privileges (just remember to use sudo). The first step is to see what wireless networks are available in your area. A utility called iwlist provides all sorts of information about your wireless environment. To scan your environment for available networks, do the following:
sudo iwlist wlan0 scan
You’ll see output resembling:
Cell 01 – Address: 00:11:22:33:44:55
ESSID:”network-essid”
Mode:Master
Channel:11
Frequency:2.462 GHz (Channel 11)
Quality=100/100 Signal level:-47dBm Noise level=-100dBm
Encryption key:off
The details (address and essid) have been changed to protect the guilty. Also, the … represents extra output that may or may not be available, depending on your hardware. You will get a separate cell entry for each access point within your wireless card’s range. For each access point, you can find the hardware address, the essid and the channel on which it’s operating. Also, you can learn in what mode the access point is operating (whether master or ad hoc). Usually, you will be most interested in the essid and what encryption is being used.Once you know what’s available in your immediate environment, configure your wireless card to use one of these access points using the iwconfig utility to set the parameters for your wireless card. First, set the essid, which identifies the network access point you want:
sudo iwconfig wlan0 essid network-essid
Depending on your card and its driver, you may have the option to set the essid to the special value “any”. In this case, your card will pick the first available access point. This is called promiscuous mode. You also may need to set the mode to be used by your wireless card. This depends on your network topology. You may have a central access point to which all of the other devices connect, or you may have an ad hoc wireless network, where all of the devices communicate as peers. You may want to have your computer act as an access point. If so, you can set the mode to master using iwconfig. Or, you simply may want to sniff what’s happening around you. You can do so by setting the mode to monitor and passively monitor all packets on the frequency to which your card is set. You can set the frequency, or channel, by running:
sudo iwconfig wlan0 freq 2.422G
Or by running:
sudo iwconfig wlan0 channel 3
You can set other parameters, but you should consider doing so only if you have a really good reason. One option is the sensitivity threshold, which defines how sensitive the card is to noise and signal strength, and you can set the behavior of the retry mechanism for the wireless card. You may need to play with this in very noisy environments. Set the maximum number of retries with:
sudo iwconfig wlan0 retry 16
Or, set the maximum lifetime to keep retrying to 300 milliseconds with:
sudo iwconfig wlan0 retry lifetime 300m
In a very noisy environment, you also may need to play with packet fragmentation. If entire packets can’t make it from point to point without corruption, your wireless card may have to break down packets into smaller chunks to avoid this. You can tell the card what to use as a maximum fragment size with:
sudo iwconfig wlan0 frag 512
This value can be anything less than the size of a packet. Some cards may not apply these settings changes immediately. In that case, run this command to flush all pending changes to the card and apply them:
sudo iwconfig wlan0 commit
Two other useful commands are iwspy and iwpriv. If your card supports it, you can collect wireless statistics by using:
sudo iwspy wlan0
The second command gives you access to optional parameters for your particular card. iwconfig is used for the generic options available. If you run it without any parameters (sudo iwpriv wlan0), it lists all available options for the card. If no extra options exist, you will see output like this:
Now that your card is configured and connected to the wireless network, you need to configure your networking options to use it. If you are using DHCP on the network, you simply can run dhclient to query the DHCP server and get your IP address and other network settings. If you want to set these options manually, use the ifconfig command (see the man page for more information).
Tips:
You can also change the MAC address with ifconfig if need be.
$ ifconfig wlan0 down
$ ifconfig wlan0 hw ether 00:11:22:33:44:55
$ ifconfig wlan0 up
OR
Use macchanger
You will probably want to look into wpa_supplicant for all your WPA etc needs (I typed in the status command):
An open relay is “a mail server that does not verify that it is authorised to send mail from the email address that a user is trying to send from. Therefore, users would be able to send email originating from any third-party email address they want.”
The Linux SSH server (OpenSSH) listens on port 22. If you have security measures in your mind and willing to change default SSH port to custom follow the steps below in this article. 
