I had to do some maintenance work on a Linux based server. It was mainly just archiving some files and updating packages and configurations. However, as part of the maintenance I took the opportunity to put some simple technical security controls in place, and I have documented some of them here for my own reference.
MySQL Database

There was a MySQL server running that was only needed by the local host, but "netstat -ltn" showed that it was not bound to any specific IP, i.e. it was listening on 0.0.0.0, so I bound it to the localhost IP of 127.0.0.1 by editing /etc/my.cnf and adding the entry bind-address=127.0.0.1.

```
vi /etc/my.cnf
# add under the [mysqld] section; the setting has no effect elsewhere in the file
[mysqld]
bind-address=127.0.0.1
```
RKHunter Rootkit Anti-malware

I installed the latest version of rkhunter and modified its configuration file to suit the host.

```
yum install rkhunter

vi /etc/rkhunter.conf
PKGMGR=RPM
ENABLE_TESTS="all"
DISABLE_TESTS="none"
SCAN_MODE_DEV=THOROUGH

# update the file-properties database and the signatures, then run a full check
# (--sk skips the keypress prompts between test groups)
rkhunter --propupd --update --check --sk -l

# whitelist any hidden directories / device files reported as false positives
# (the values used on this host are left out of the post)
vi /etc/rkhunter.conf
ALLOWHIDDENDIR=
ALLOWDEVFILE=
```
IPTables Firewall

Strangely enough there was no firewall configured on the host, so I quickly knocked up a script and saved it. Here's a snippet of the script that simply resets the rules, sets the default policies to DROP and allows all local traffic. There are additional rules that allow specific services through, but I have left those out here to avoid revealing the services and IP addresses in use.

```bash
#!/bin/bash
#
# Global script variables
#
# Commands
IPTABLES=/sbin/iptables

# Network interfaces and addresses
LOOP_IFACE=lo
LAN=192.168.100.0/24
LAN_ADDR=192.168.100.201
LAN_IFACE=eth0

# Port numbers
NAMED_PORT=53
NETFLOW_PORT=9996
NTP_PORT=123
PRIV_PORTS=1:1024
SMB_PORTS=137:139
SSHD_PORT=4022
UNPRIV_PORTS=1025:65535

#
# Manage kernel parameters
#
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/ip_forward

#
# Configure default table policies (set to DROP before flushing so there is no
# window in which the host is left open)
#
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP

#
# Initialise tables - flush rules, remove chains, zero counts
#
$IPTABLES -F
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -X -t mangle
$IPTABLES -X -t nat
$IPTABLES -Z

#
# Allow all local loopback traffic
#
$IPTABLES -A INPUT -i $LOOP_IFACE -j ACCEPT
$IPTABLES -A OUTPUT -o $LOOP_IFACE -j ACCEPT

#
# Allow all traffic that is part of a related or established connection
#
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

#
# Politely reject SMB traffic
#
$IPTABLES -A INPUT -i $LAN_IFACE -p tcp --dport $SMB_PORTS -j REJECT
$IPTABLES -A INPUT -i $LAN_IFACE -p udp --dport $SMB_PORTS -j REJECT

#
# Allow icmp pings
#
$IPTABLES -A INPUT -i $LAN_IFACE -s $LAN -d $LAN_ADDR -p icmp --icmp-type echo-request -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $LAN_IFACE -s $LAN_ADDR -d $LAN -p icmp --icmp-type echo-reply -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# *** DELETED SERVICES SPECIFIC RULES TO IMPLEMENT SECURITY BY OBSCURITY ***
#

#
# Debugging - log all other traffic *** DO NOT USE IN PRODUCTION ENVIRONMENT ***
#
#$IPTABLES -A INPUT -i $LAN_IFACE -j LOG --log-prefix "rc.firewall "
#
```
ClamAV Anti-virus

ClamAV is an open source anti-virus package for Linux. I installed it using the yum package manager, configured the AV to scan daily, and used freshclam to ensure that the virus definitions are updated hourly.

```
yum install clamav clamd clamav-db

vi /etc/cron.hourly/freshclam
#!/bin/bash
/usr/bin/freshclam --quiet -l /var/log/clamav/freshclam.log

vi /etc/cron.daily/clamscan
#!/bin/bash
/usr/bin/clamscan -r / --exclude-dir=/proc --quiet --infected --log=/var/log/clamd/clamscan

# run-parts only executes files with the execute bit set, so mark both scripts
chmod +x /etc/cron.hourly/freshclam /etc/cron.daily/clamscan
```
Fail2Ban Intrusion Prevention

fail2ban is an interesting intrusion prevention system that parses system logs and dynamically updates firewall rules to stop potential intrusion attempts. It supports several other mechanisms, but I was only interested in the firewall and SSH access.

```
yum install fail2ban

# send sshd logging to its own syslog facility and log file for fail2ban to read
vi /etc/ssh/sshd_config
SyslogFacility LOCAL5
LogLevel INFO

vi /etc/syslog.conf
local5.info                 /var/log/sshd/sshd.log

vi /etc/fail2ban/jail.conf
[ssh-iptables]
enabled  = true
filter   = sshd
# port=ssh resolves to 22 via /etc/services; if sshd listens on a
# non-standard port (SSHD_PORT=4022 in the firewall script) use that port here
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=*DELETED*, sender=*DELETED*]
logpath  = /var/log/sshd/sshd.log
maxretry = 2

# restart sshd, syslog and fail2ban for the changes to take effect
```
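To make the jail's behaviour concrete, here is an added example (written for this post, not fail2ban's own code) that models what the sshd filter and maxretry = 2 do to the sshd.log above: it parses "Failed password" lines, counts failures per source address inside a sliding findtime window (fail2ban's default is 600 seconds), and reports which addresses would be banned and when. The log lines, host name and year are constructed, and only one failure pattern is matched.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of /var/log/sshd/sshd.log (syslog format, the file the
# jail reads). Source addresses are from the TEST-NET documentation ranges.
SAMPLE_LOG = """\
Mar 10 22:14:01 srv01 sshd[4011]: Accepted publickey for deploy from 192.168.100.20 port 50211 ssh2
Mar 10 22:14:05 srv01 sshd[4012]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Mar 10 22:14:09 srv01 sshd[4013]: Failed password for root from 203.0.113.5 port 51130 ssh2
Mar 10 22:14:12 srv01 sshd[4014]: Failed password for root from 203.0.113.5 port 51137 ssh2
Mar 10 22:20:30 srv01 sshd[4020]: Failed password for invalid user test from 198.51.100.7 port 40010 ssh2
Mar 10 22:40:44 srv01 sshd[4031]: Failed password for invalid user test from 198.51.100.7 port 40022 ssh2
"""

# Simplified stand-in for the sshd filter: syslog timestamp, then a
# "Failed password ... from <ip>" message (one pattern only, for illustration).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2024):
    """Yield (timestamp, source_ip) for each authentication failure.
    The year is assumed because syslog timestamps do not carry one."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]


def find_bans(log_text, maxretry=2, findtime=600):
    """Return {ip: ban_time}: an address is banned on the failure that brings
    its count inside the last `findtime` seconds up to `maxretry`."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    bans = {}
    for ts, ip in parse_failures(log_text):
        if ip in bans:            # already banned; fail2ban would not re-ban
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()      # drop failures older than the window
        if len(window) >= maxretry:
            bans[ip] = ts
    return bans


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

With maxretry = 2 the first address is banned on its second failure, while the second address's two failures fall 20 minutes apart and never sit in the same 10-minute window, so it is not banned unless findtime is widened.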
Legal notices

The client wanted some legal notices and disclaimers on the host for various reasons, one of them being to notify employees that their usage was being monitored. I stuck the disclaimer from their legal department (it looked pretty generic though) into /etc/issue and created a link from /etc/issue.net to it.