Linux Server Hardening - Steps by Steps

CI6230 Information Systems Security Assignment2– ServerHardening
Page 1 of 80
Server Hardening
Loo Chia Feng G1301352L
Sunil Paudel G1400834A
Abdul Rachman G1400808F
Wang Bo G1301325H

Page 2 of 80
Table of Contents
1. Keep the server Up-to-date..........................................................................................................4
2. Ports...........................................................................................................................................5
3. Firewall.......................................................................................................................................7
4. Configuring the firewall on Startup ............................................................................................. 12
4.1. Save the firewall rules to a file.................................................................................................12
4.2. Make changes to /etc/network/interfaces................................................................................ 12
5. Set BIOS Password:.................................................................................................................... 15
6. Setting GRUB Password.............................................................................................................. 16
7. Disable Alt+Ctrl+Del................................................................................................................... 18
8. Apache Web Server hardening....................................................................................................19
8.1. Basics of Apache Server in Metasploitable2.............................................................................. 19
8.2. Check if apache web server is running...................................................................................... 19
8.3. Secure and Hardening Apache Web Server............................................................................... 21
8.3.1. Hide Apache Version and OS Identity from Errors............................................................... 21
8.3.2. Restrictaccessto root and othersdirectory,exceptonly1website named“NewWebsite”(Use
Allow and Deny) and disable Overwriting using .htaccess............................................................. 23
8.3.3. Disable DirectoryListing,Apache’sfollowingof SymbolicLinksandOverwritingusing.htaccess
of a “NewWebsite” folder.......................................................................................................... 26
8.3.4. Keep updating Apache Regularly ....................................................................................... 28
8.3.5. Disable Unnecessary Modules........................................................................................... 30
8.3.6. Run Apache as separate User and Group............................................................................ 32
8.3.7. Limit Request Size for “NewWebsite” ................................................................................ 34
8.3.8. Limiting the size of an XML Body ....................................................................................... 35
8.3.9. Turn off Server Side Includes and CGI Execution for “NewWebsite”.....................................36
8.3.10. Protect DDOS attacks and Hardening............................................................................... 37
8.3.11. Enable Apache Logging....................................................................................................38
8.3.12. Protect binary and configuration directory permission for “NewWebsite”.......................... 40
8.3.13. Disable Trace HTTP Request ............................................................................................ 41
8.3.14.RestrictingAccessbyIP (Setonly intranet) canaccess“NewWebsite”–Designedfor
example.com............................................................................................................................. 43
8.3.15. Securing “NewWebsite” with SSL Certificates...................................................................44

Page 3 of 80
9. User and Group hardening ......................................................................................................... 51
9.1. Change msfadmin password and username.............................................................................. 51
9.2. Change password complexity...................................................................................................53
9.3. Add user and group................................................................................................................. 56
9.4. Force users to change their password upon first login............................................................... 58
9.5. Configure Password Aging.......................................................................................................59
9.6. Limit password reuse on Linux.................................................................................................60
9.7. Verify No Accounts Have Empty Passwords .............................................................................. 61
9.8. Make Sure No Non-Root Accounts Have UID Set To 0................................................................ 62
9.9. Restrict User and GroupAccess ............................................................................................... 63
9.9.1. Create and Maintain a Group for All Authorized Users........................................................ 63
9.9.2 Restrict Access .................................................................................................................. 63
9.10. Disable root account ............................................................................................................. 65
10. Secure /etc/fstab ................................................................................................................... 66
10.1. Securing /var/tmp................................................................................................................. 66
10.2. Securing tmpfs...................................................................................................................... 67
11. Encrypt File Systems............................................................................................................... 68
11.1. Encrypt and decrypt file with password.................................................................................. 68
11.2. Encrypt folder or directory.....................................................................................................72
12. Disable the Ipv6 protocol........................................................................................................74
13. Log Files ................................................................................................................................ 75
13.1. Monitor Suspicious Log Messages with Logwatch ...................................................................76
14. Setting AIDE (Advanced Intrusion Detection Environment)....................................................... 78
15. Limitations............................................................................................................................. 79
16. References............................................................................................................................. 80

Page 4 of 80
1. Keep the server Up-to-date
Command: sudoapt-getupdate

Page 5 of 80
2. Ports
The IP addressof the virtual machine is10.0.2.15.
The ports are scannedusingnmap.
OpenPortsare shown below:

Page 6 of 80
These portsand serviceshave tobe closed.We needtosetup the rulesinthe firewall toallow onlyhttp
and httpsservicestorun andclose all otherservices.

Page 7 of 80
3. Firewall
The bash scriptfirewall_rules.shiscreatedasbelow.
#!/bin/bash
IPT=/sbin/iptables
$IPT - F #flushesthe previouslydefinedscript
#write the policiesnow
$IPT -P OUTPUT ACCEPT # allowthe output
$IPT -P INPUTDROP #Defaultpolicyforthe inputchainisdrop
$IPT -P FORWARDDROP #Defaultpolicyforthe forwardchainisalsodrop
#allowedinputs
#$IPT -A INPUT--in-interface lo-j ACCEPT
$IPT -A INPUT -j ACCEPT -ptcp --dport80
$IPT -A INPUT -j ACCEPT -ptcp --dport443
#Allowestablishedsessions
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED-j ACCEPT
#Anti-spoofing
#$IPT -A INPUT--in-interface!lo --source 127.0.0.0/8 -j DROP
#BlockingspoofedAddresses
$IPT -A INPUT -i external_interface-s192.168.0.0/24 -j REJECT
#LimitPingRequests
$IPT -A INPUT -p icmp-micmp -mlimit-limit1/second -j ACCEPT
# Drop all invalidpackets
$IPT -A INPUT -m state --state INVALID-j DROP
$IPT -A OUTPUT -m state --state INVALID-j DROP
# Stopsmurf attacks
$IPT -A INPUT -p icmp-micmp --icmp-typeaddress-mask-request-j DROP

Page 8 of 80
$IPT -A INPUT -p icmp-micmp --icmp-typetimestamp-request-j DROP
$IPT -A INPUT -p icmp-micmp -j DROP
# Drop excessive RSTpacketstoavoidsmurf attacks
$IPT -A INPUT -p tcp -mtcp --tcp-flagsRSTRST -mlimit--limit2/second --limit-burst2-j ACCEPT
# PreventingPings
$IPT -A INPUT -p icmp--icmp-typeecho-request-j DROP
Fig: No firewalls set
Nowrun the bash shell.
Command: sudobashfirewall_rules.sh
Afterthe bashscript isrun (whichcontainsthe firewall rules),firewall rulesare setwhichcanbe viewed
usingthe followingcommand:
Command: sudoiptables –L|less
Fig: Run the bash file and set the firewall rules

Page 9 of 80
Fig: Firewall Rules Set
The ports are scannedagainaftersettingthe rulesinfirewallandonlytwoportsare shown:
Services Port State
http 80 open
https 443 closed

Page 10 of 80
Fig: nmap after setting the firewall rules
The services telnetandmysql are infilteredstate.
Command: nmap-sS -p23 10.0.2.15
Command: nmap-sS -p3306 10.0.215
If nmap isrun to scan the whole port,onlytwoports (80 and 443) are displayed.
If namp isrun to scan the particularport (23 and 3306), itshowsthat theyare filtered.
But if we run netstat,itstill showsthatthe ports (23 and 3306) are listening.
Command: sudonetstat-lpn|grep23|less

Page 11 of 80
So we needtostop the services.
Command: sudo/etc/init.dmysqlstop
Let’slookat the service (mysql:3306) usingnetstat.
Command: sudonetstat-lpn|grep23| less
Fig:afterkillingthe service,mysql isnotshowinginnetstat
Let’sdo the nmap.
Command: nmap–sS –p 3306 10.0.2.15|less
The port is still shownasfiltered.Thisprovesthatnoneedtokill the servicesindividuallyeventhough
theymightbe shownas LISTENINGwhile findingthe services usingNETSTAT.The firewall rulestake care
of them.

Page 12 of 80
4. Configuring the firewall on Startup
4.1. Save the firewall rules to a file
Command: sudosh -c “iptables-save >/etc/iptables.rules”
Command: sudosh -c “iptables-save >/etc/iptables.downrules”
4.2. Make changes to /etc/network/interfaces
We needtomake changesto the specificinterface.The below screenshotshowsthatourserverhas
onlyone interface –eth0 and nowireless.
Command: iwconfig
Now,edit/etc/network/interfacesandaddthe following.
 pre-upiptables-restore </etc/iptables.rules
 post-downiptables-restore </etc/iptables.downrules

Page 13 of 80
Now let's restart the server and check if the iptables are configured on startup.
Let’sdo the namp now.(Kindlynote thatthe ipaddresshas beenchangedasthe networkadapterhas
beenchangedto“host-only”).

Page 14 of 80

Page 15 of 80
5. Set BIOS Password:
Settingthe PasswordinBIOSpreventsanyunauthorizedchangesinBIOS.
To access the BIOSsetupscreen,editthe virtual machine’sconfiguration(.vmx)andaddthe following:
 bios.forceSetupOnce ="TRUE"
 BIOS Password: C16230 (forboth User Password and SupervisorPassword)

Page 16 of 80
6. Setting GRUBPassword
Command: grub-md5-crypt|tee password.txt
 Password:C16230
Edit/boot/grub/menu.lstandeditthe line asbelow.
 Password --md5$1$XXXXX(the outputof md5cryptwhichis storedinthe file password.txt)

Page 17 of 80
To preventeveryoneexceptrootfromreading/boot/grub/menu.lst,use the followingcommand.
Command: sudochmod600 /boot/grub/menu.lst
Rebootthe systemtocheck if the grub isaskingfor the password.
Type the password,C16230.

Page 18 of 80
7. Disable Alt+Ctrl+Del
Anyone thathas the physical accesstothe keyboardcan simplyhitAlt+Ctrl+Del andrebootthe system.
So editthe file /etc/event.d/control-alt-delete
Command: sudovi /etc/event.d/control-alt-delete
Uncommentthe belowline.
 exec/sbin/shutdown -rnow"Control-Alt-Deletepressed"

Page 19 of 80
8. Apache Web Server hardening
8.1. Basics of Apache Server in Metasploitable2
 DocumentrootDirectory:/var/www
 Newwebsite Directory: /var/www/NewWebsite
 Main Configurationfile: /etc/apache/apache2.conf
 DefaultHTTPPort: 80 TCP
 DefaultHTTPSPort: 443 TCP
 Testyour Configurationfile settingsandsyntax: apache2–t
 Checkapache version: apache2 -v
 AccessLog filesof WebServer: /var/log/apache2/access_log
 Error Log filesof WebServer: /var/log/apache2/error_log
 Adda sample index.html intoNewWebsite folderonce serverhardenfortesting
8.2. Check if apache web server is running
Command: ifconfig
The IP addressof current machine showedasbelow.

Page 20 of 80
Openbrowserandenterhttp://your_ip_address
Apache webserverrunningsuccessfully

Page 21 of 80
8.3. Secure and Hardening Apache Web Server
8.3.1. HideApacheVersionandOS Identity fromErrors
Before
Openbrowserandenterhttp://your_ip_address/abcdef
Implementation
Command: nano/etc/apache2/apache2.conf
Modifythe followingsettings:
 ServerSignature=Off
 ServerTokens=Prod
Command: apache2ctl restart

Page 22 of 80
Verification
Refreshthe websiteandmissinginformationwill be shownasshowninFigure.

Page 23 of 80
8.3.2. Restrictaccessto rootand othersdirectory,exceptonly1 websitenamed
“NewWebsite”(UseAllowandDeny)anddisableOverwritingusing.htaccess
Before
Openbrowserandenterhttp://your_ip_address
Implementation
# cd /var/www
# mkdirNewWebsite
# cd NewWebsite
# touchhelloworld

Page 24 of 80
Command: nano/etc/apache2/sites-enabled/000-default
Modifythe followingsettingsunder<Directory/>and<Directory“var/www”>
 Options None
 Orderdeny,allow
 AllowOverride None
 Deny from all
 Make sure there isa Directorysettingsfor“var/www/NewWebsite”
Descriptionof the settings
 Options“None” – Thisoptionwill notallow userstoenable anyoptional features.
 Order deny,allow – This isthe order inwhichthe “Deny” and “Allow”directiveswillbe
processed.Here itwill “deny”firstand“allow” next.
 AllowOverride “None” –Thisoptiondisable the overridinganyoptionsusing.htaccess
 Deny from all – Thiswill denyrequestfromeverybodytothe rootdirectory, nobodywill be able
to access rootdirectory.

Page 25 of 80
Verification
Refreshthe websiteand youwill notbe able tothe view the filesinthe rootfolder.

Page 26 of 80
8.3.3. DisableDirectoryListing,Apache’sfollowingofSymbolicLinksandOverwritingusing
.htaccess ofa “NewWebsite”folder
Before
Openbrowserandenterhttp://your_ip_address/NewWebsite
Implementation
Modifythe followingsettingsunder<Directory“/var/www/NewWebsite”>
 Options -Indexes-FollowSymLinks
 AllowOverride None
# apache2ctl restart

Page 27 of 80
Verification
Refreshthe websiteand youwill notbe able tothe view the filesinthe folder.
Place an index.html file insideNewWebsitefolder

Page 28 of 80
8.3.4. KeepupdatingApacheRegularly
Before
Command: apache2 -v
Implementation
Command: apt-getinstall apache2

Page 29 of 80
Verification
Command: apache2 -v

Page 30 of 80
8.3.5. DisableUnnecessaryModules
Before
Findout the modulesloadedintoapache anddisableit
Command: apache2ctl -M
Implementation
Disable mod_imap, mod_include,mod_info,mod_userdir,mod_status,mod_cgi, mod_autoindex (if
exist) byrunningthe command a2dismod<module name>
Command: a2dismod<module name>
Command: apache2ctrl restart (Execute onlyonce all the modulesare disabled)

Page 31 of 80
Verification
For Ubuntuv8.04, mod_imap, mod_include,mod_info,mod_userdir,mod_status, mod_cgi,
mod_autoindex are notpreloaded,sonodisable of thisisrequired.

Page 32 of 80
8.3.6. RunApacheas separateUserand Group
Before
Defaultapache userandgroup is www-data
Implementation
 APACHE_RUN_USER = http-web
 APACHE_RUN_GROUP= http-web
Command: groupaddhttp-web
Command: useradd -d/var/www/ -ghttp-web-s/bin/nologinhttp-web
Command: nano/etc/apache2/envvars

Page 33 of 80
Verification
Proceedagainto checkif apache webserverisrunning.

Page 34 of 80
8.3.7. LimitRequest Sizefor“NewWebsite”
By defaultApache hasnolimitonthe total size of the HTTP requesti.e.unlimitedandwhenyouallow
large requestsona webserverit’spossiblethatyoucouldbe a victimof Denial of service attacks. We
can limitthe requestssize of anApache directive “LimitRequestBody”withthe directorytag.
You can setthe value inbytesfrom0 (unlimited) to2147483647 (2GB) that are allowedinarequest
body.You can setthislimitaccordingto yoursite needs,suppose youhave asite where youallows
uploadsandyouwant to limitthe uploadsize foraparticulardirectory.
In thishardeningprocess,we are puttingalimitof 500K for this.
Implementation
Addin the followinglinesto000-default.

Page 35 of 80
8.3.8. Limitingthe sizeofan XML Body
The LimitXMLRequestBody directive defaultvalue is1millionbytes(approx 1mb).
Implementation
 LimitXMLRequestBody10485760

Page 36 of 80
8.3.9. TurnoffServerSideIncludesandCGIExecutionfor“NewWebsite”
To preventfromclientinjectionusingscriptsviabrowser.
Implementation
 Options -Includes-ExecCGI
Command: apache2ctrl restart

Page 37 of 80
8.3.10. Protect DDOS attacks andHardening
Implementation
Findthe followingsettingsandmodifyaccordingly.
 TimeOut: By defaultApache timed-outvalue is300 seconds,whichcanbe victimof Slow Loris
attack and DoS.To mitigate thisyoucanlowerthe timeoutvalue tomaybe 60 seconds.
 KeepAlive:SettoOff to make it a requestperconnectionwouldpreventfromsingle PC
connection DoSattacking.
 MaxClients: Thisdirective allowsyoutosetthe limitonconnectionsthatwill be served
simultaneously.Everynewconnectionwill be queuedupafterthislimit. Itisavailablewith
PreforkandWorkerboth MPM. The defaultvalue of itis256. To mitigate thisyoucan lowerthe
MaxClientsvalue tomaybe 20.
 KeepAliveTimeout:It’sthe amountof time the serverwill waitforasubsequentrequestbefore
closingthe connection.Defaultvalue is15secs.To mitigate thisyoucanlowerthe
KeepAliveTimeoutvalue tomaybe 5.
 Error responses:By default,apache doesnotturnonerror responses.Inthe processtoharden,
thisshouldbe turnoff to preventattackersfromknowingwhatexacterrortheyencountered.

Page 38 of 80
8.3.11. EnableApacheLogging
Apache allowsyoutologgingindependentlyof yourOSlogging.Itiswise toenable Apache logging,
because itprovidesmore information,suchasthe commandsenteredbyusersthathave interactedwith
your Webserver.
Implementation
 LogLevel = debug
Logs Description
 emerg:Emergencysituationswhere the systemisinanunusable state.
 alert:Severe situationwhere actionisneededpromptly.
 crit: Importantproblemsthatneedtobe addressed.
 error: AnError has occurred.Somethingwasunsuccessful.
 warn: Somethingoutof the ordinaryhappened,butnota cause for concern.
 notice:Somethingnormal,butworthnotinghashappened.
 info:Aninformational message thatmightbe nice toknow.
 debug:Debugginginformationthatcanbe useful topinpointwhereaproblemisoccurring.

Page 39 of 80
Verification
Visitthe newwebsiteagain,logscanbe foundat
Command: cd /var/log/apache2
Command: nanoaccess.log(ForWebsite AccessLog)
Command: nanoerror.log(WebServerError Log)
Command: nanoerror.log.1(ForWeb ServerError Log) – Whenfile isfull,itwill autocreate with
numeric+1 incremental numberingof the logfile

Page 40 of 80
8.3.12. Protect binaryandconfigurationdirectorypermissionfor“NewWebsite”
Website executablesare placedinbinandconfigurationsettingsare placedinconf.Toprotectfrom
modificationfromattackers,we will ownerof the folder.
Implementation
Command: cd /var/www/NewWebsite
Command: mkdirbin
Command: mkdirconf
Command: chown-R 750 binconf
Verification

Page 41 of 80
8.3.13. DisableTraceHTTPRequest
Before
Command: telnetlocalhost80
TRACE / HTTP/1.1
Host: test
Enter <twice>here
Implementation
Addthe followingsettings:
 TraceEnable off

Page 42 of 80
Verification
Command: telnetlocalhost80
TRACE / HTTP/1.1
Host: test
Enter <twice>here

Page 43 of 80
8.3.14.RestrictingAccessbyIP (Set onlyintranet) can access“NewWebsite” – Designedfor
example.com
Before
Implementation
 Deny from all
 Allowfrom 172.0.0.1
Verification
Runningfromoutside external network

Page 44 of 80
8.3.15. Securing“NewWebsite”withSSLCertificates
Before
Implementation
Command: a2enmodssl
Command: openssl genrsa-des3-outexample.com.key1024
Command: openssl req -new -keyexample.com.key -outexample.csr
Command: openssl x509-req-days365 -inexample.csr-signkey example.com.key -outexample.crt
Remarks:Followthe instructionstofill inthe detailsof yourcompanyetc.

Page 45 of 80
SSL certificationcreatedsuccessfully.
Addin the followinglinesto000-default.
 ServerName localhost
 SSLEngine on
 SSLCertifcateFile /etc/apache2/example.crt
 SSLCerificateKeyFile /etc/apache2/example.com.key

Page 46 of 80
Remarks:Enterpass phrase whichiscreatedduringcertificate creation

Page 47 of 80
Verification
- Not added to trusted exception

Page 48 of 80
- Addedto securitytrusted exception
- Certificate Information

Page 49 of 80

Page 50 of 80

Page 51 of 80
9. User and Group hardening
9.1. Change msfadmin password and username
Command: passwdmsfadmin
 Enter new UNIX password: Supply a new password
 Retype new UNIX password: Supply the same new password
 Change username of msfadmin to suadm
Command: usermod -l suadmmsfadmin

Page 52 of 80

Page 53 of 80
9.2. Change password complexity
Install libpam-cracklibPAMmodule toenable cracklibsupport.
Command: apt-getinstall libpam-cracklib
Command: nano/etc/pam.d/common-password

Page 54 of 80
Change the linesashighlightedinbelow screenshot.
Put followingtwolinesintothe file.
 Passwordrequiredpam_cracklib.soretry=3 minlen=10 difok=3ucredit=1 dcredit=1 ocredit=1
 Passwordrequiredpam_unix.souse_authokunlloksha512
Description
 retry=3 : Prompt user at most 3 times before returning with error
 minlen=10 : minimum length allowed for an account password is set to 10 characters. This is
the minimum simplicity count for a good password. And you are allowed only 2 times using
retry option.
 difok=3: How many characters can be the same in the new password relative to the old.
User will see error - BAD PASSWORD: is too similar to the old one
 dcredit=1 : At least contains1 digits character
 ucredit=1 : At least contains 1 upper character
 ocredit=1 : At least contains 1 other character

Page 55 of 80
The screenshotafterchanges applied:

Page 56 of 80
9.3. Add user and group
Command: adduser<username>
 New UNIX password: Supply a password
 New UNIX password: Supply the same password
List all groups
Command: cat /etc/group

Page 57 of 80
List the usersina group,
Command: members<groupname>

Page 58 of 80
9.4. Force users to change their password upon first login
Use chage commandto force userstochage theirpassworduponfirstlogin
Command: chage -d 0 jacklee
Now,loginas“JackLee”and force to change the password.

Page 59 of 80
9.5. Configure Password Aging
Run followingcommandtochange the passwordagingof user“jacklee”
Command: chage -M 60 -m7 -W 7 jacklee
 -m: The minimumnumberof daysrequiredbetweenpasswordchangesi.e.the numberof
daysleftbefore the useris allowedtochange his/herpassword.
 -M: The maximumnumberof daysthe passwordisvalid(afterthatuserisforcedto change
his/herpassword).
 -W : The numberof daysbefore passwordistoexpire thatuseriswarnedthat his/her
passwordmustbe changed.
To listcurrentaging type chage commandas follows:
Command: chage -l jacklee

Page 60 of 80
9.6. Limit password reuse on Linux
Openyour/etc/pam.d/common-password file
Command: nano/etc/pam.d/common-password
Edit/addpasswordline andappendremember=13topreventa userfromre-usingany of hisor her last
13 passwords
Command: passwordsufficientpam_unix.souse_authtokmd5shadow remember=13

Page 61 of 80
9.7. Verify No Accounts Have Empty Passwords
Command: awk-F: ‘($2 == “”) {print}’/etc/shadow
Lock all emptypasswordaccounts
Command: passwd -l accountName

Page 62 of 80
9.8. Make Sure No Non-Root Accounts Have UID Set To 0
Onlyroot accounthas UID 0 withfull permissionstoaccessthe system.Type the followingcommandto
display all accountswithUID setto 0.
Command: awk–F: ‘($3 == “0”) {print}’/etc/passwd
You shouldonlysee one line asfollows:
 root: x:0:0:root:/root:/bin/bash
If you see other lines, delete them or make sure other accounts are authorized by you to use UID 0.

Page 63 of 80
9.9. Restrict User and Group Access
9.9.1. CreateandMaintaina Group forAll AuthorizedUsers
Create a group named“normalusers”
Command: groupaddnormalusers
Addall authorizeduserstoappsonly
Command: usermod -aG{ groupName } {username}
 -a : Addthe userto the supplemental group(s) i.e.appendsthe usertothe current
supplementarygrouplist.
 -G : A listof supplementarygroupswhichthe userisalsoamemberof
9.9.2 Restrict Access
Nowa group of user hadbeencreated.Next,use the chgrpcommand to change the groupof
/opt/apps/starttonormalusers group
Command: chgrp normalusers/opt/apps
Disable the file permissionforothers
Command: chmod0640 /opt/apps

Page 64 of 80

Page 65 of 80
9.10. Disable root account
Disable rootlogin
Command: sudopasswd -l root
Disable rootloginoverSSH
Editfile /etc/ssh/sshd_config change PermitRootLogintono

Page 66 of 80
10. Secure /etc/fstab
Temporarystorage directoriessuchas/tmp,/var/tmp,and/dev/shmprovidestorage place forthe
hackersto execute the maliciouscodes. Sowe have tosecure them.
10.1. Securing /var/tmp
Command: sudovi /etc/fstab
Appendthe followingline:
/tmp/var/tmpnone rw,noexec,nosuid,nodev,bind00
Meanings:
noexec– Do notset executionof anybinariesonthispartition
nodev - Do notallow character or special devicesonthispartition
nosuid – Do not setSUID/SGID accesson thispartition(preventthe setuidbit)

Page 67 of 80
10.2. Securing tmpfs
Command: Sudovi /etc/fstab
Appendthe following:
tmpfs /dev/shmtmpfsdefaults,nodev,nosuid,noexec0 0

Page 68 of 80
11. Encrypt File Systems
11.1. Encrypt and decrypt file with password
Showingthe contentof the file
Command: more test.txt
openssl
Used 256-bit AES in CBC mode with password for this sample and the command will create new file
called test.out
Command: sudoopenssl enc–aes-256-cbc–salt –in test.txt–outtest.out

Page 69 of 80
mcrypt
Command iscreateda newfile withextension.ncandrequiredpassword
Command: sudomcrypt test.out
gnupg
Encrypt data and create digital signature.Thiscommandiscreatedanew file withextension.gpg
Command: sudogpg -c test.out.nc

Page 70 of 80
Afterall encryptionthe file isshowinglike this
Command: ls isto showall file inthe currentdirectory.
Deletingoriginal file andunneceseryfile priviouslyif needed.Inthissamplewe usedthree stepsto
delete all previousfile.
Command: rm filename

Page 71 of 80
Decryptlast extensionfile withopenssl,mcryptandgnupg command.To openone file we needto
decryptthree times.Don’tforgettorememberthe passwordwhenyouencryptthe file.

Page 72 of 80
11.2. Encrypt folder or directory
In thisscreenshot,the folderstill can accessbyusingcommandcd
To encryptfolderordirectory,we needtoinstall encfs
Command: sudoapt-get install encfs
Selectfolderandstartencryptthe folderafterinstall encfs,thisrequiredpasswordtoencrypt.Inthis
sample foldertesting2isthe target
Command: sudoencfs~/.testing1~/testing2
checkingif we can still accessthe folderafterencryptandthe resultinpermissiondenied

Page 73 of 80
In orderto access thi folderagainwe can use this.
Command: fusermount–u~/testing2

Page 74 of 80
12. Disable the Ipv6 protocol
To increase browsingspeedandsecurityyouneedtodisable the Ipv6protocol because bydefaulton
LINUX isenable.
Command: sudovi /etc/modprobe.d/aliases
Findthe line called“aliasnet-pf-10ipv6”andreplace with“aliasnet-pf-10off”and“aliasipv6 off”after
that save and close the file.

Page 75 of 80
13. Log Files
You needtoconfigure loggingandauditingtocollectall hackingandcrackingattempts.Bydefaultsyslog
storesdata in/var/log/directory. Itisalsorequiredtofindanysoftware misconfiguration.
Common Linuxlog filesnamesand usage
 /var/log/messages :General messageandsystemrelatedstuff
 /var/log/auth.log:Authenicationlogs
 /var/log/kern.log:Kernel logs
 /var/log/cron.log:Crondlogs(cron job)
 /var/log/maillog:Mail serverlogs
 /var/log/qmail/ :Qmail logdirectory(more filesinsidethisdirectory)
 /var/log/httpd/ :Apache accessanderror logsdirectory
 /var/log/lighttpd/ :Lighttpdaccessand errorlogsdirectory
 /var/log/boot.log:Systembootlog
 /var/log/mysqld.log :MySQL database serverlogfile
 /var/log/secureor/var/log/auth.log:Authenticationlog
 /var/log/utmp or/var/log/wtmp :Loginrecordsfile
 /var/log/yum.log:Yumcommandlog file.

Page 76 of 80
13.1. Monitor Suspicious Log Messages with Logwatch
Install logwatchusing“sudoapt-getinstalllogwatch”.
Configurationshouldn'tbe editedinthe installdirectory(/usr/share/logwatch).Copylogwatch.confto
/etc/logwatchbeforeediting:
Command: sudocp /usr/share/logwatch/default.conf/logwatch.conf /etc/logwatch/conf/

Page 77 of 80
Editlogwatch.conf toput inthe e-mail where youwantthe reportsent:
MailTo = group10@c16230.com

Page 78 of 80
14. Setting AIDE (Advanced IntrusionDetectionEnvironment)
It providessoftware integritycheckinganditcan detectthat intrusions(systembinariesmodification)
have takenplace.Itis a replacementforthe well-knownTripwire integritychecker.
Install AIDEusingthe followingcommand:
Command: sudoapt-getinstall aide
The defaultconfigurationisacceptableformanyenvironments.
 /etc/aide/aide.confand/etc/aide/aide.conf.d/ - DefaultAIDEconfigurationfiles.
 /var/lib/aide/aide.db - DefaultlocationforAIDEdatabase.
 /var/lib/aide/aide.db.new- Defaultlocationfornewly-createdAIDEdatabase.

Page 79 of 80
15. Limitations
 Metasploitable2is basedonUbuntu 8.04 –Hardy Version
 Grub is 1.5

Page 80 of 80
16. References
 http://www.tecmint.com/apache-security-tips/
 http://www.themiddlewareshop.com/2013/09/30/apache-web-server-hardening-and-
security/
 http://www.petefreitag.com/item/505.cfm
 http://www.cyberciti.biz/tips/linux-security.html

Linux Server Hardening - Steps by Steps

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Linux Server Hardening - Steps by Steps

Similar to Linux Server Hardening - Steps by Steps (20)

Recently uploaded

Recently uploaded (20)

Linux Server Hardening - Steps by Steps