I had to do some maintenance work on a Linux based server

I had to do some maintenance work on a Linux based server. It was mainly just archiving some files and updating packages and configurations. However, as part of the maintenance I took the opportunity to put in place some simple technical security controls, and I have documented some of them here for my reference.

MySQL Database

There was a MySQL server running that was only needed by the local host, but "netstat -ltn" showed that it was not bound to any specific IP address, i.e. it was listening on 0.0.0.0:3306 on every interface. I bound it to the loopback address 127.0.0.1 by adding bind-address=127.0.0.1 to the [mysqld] section of /etc/my.cnf (it has to sit in that section to apply to the server):

vi /etc/my.cnf

[mysqld]
bind-address=127.0.0.1

After restarting mysqld, "netstat -ltn" should list the socket as 127.0.0.1:3306. If nothing needs TCP at all, skip-networking in the same section turns the TCP listener off and leaves only the Unix socket.
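The same listener check, as an added example that is not part of the original post: a small shell function that takes "netstat -ltn" output on stdin and prints only the sockets bound to every interface (0.0.0.0 for IPv4, :: for IPv6), which is exactly what gave MySQL away here. The input in the block is constructed to look like the server before the change, with the MySQL port still on 0.0.0.0, a local-only mailer on 127.0.0.1 and sshd on 4022 (the port the firewall script below uses); the function name and the sample are mine.

```shell
#!/bin/sh
# Added example (not from the original post): list listening TCP sockets that
# are bound to every interface. Normal use is
#   netstat -ltn | exposed_listeners
# and anything printed that is not meant to be reachable from the network
# should be rebound to 127.0.0.1 (as with bind-address for MySQL above).
exposed_listeners() {
    # netstat -ltn columns: Proto Recv-Q Send-Q Local-Address Foreign-Address State
    # Keep LISTEN rows whose local address, minus the port, is a wildcard.
    awk '$6 == "LISTEN" {
        addr = $4
        sub(/:[0-9]+$/, "", addr)          # strip ":port", keep the host part
        if (addr == "0.0.0.0" || addr == "::" || addr == "*")
            print $1, $4
    }'
}

# Constructed sample of "netstat -ltn" output (not captured from a real host).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:4022                0.0.0.0:*                   LISTEN
tcp        0      0 :::53                       :::*                        LISTEN'

# Usage: sshd on 4022 and the resolver on 53 are expected to be exposed;
# 3306 is not and is the one to fix in my.cnf.
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
```

Re-run it after the restart: the 3306 line disappears from the output once the server is bound to 127.0.0.1.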

RKHunter Rootkit Anti-malware

I installed the current version of rkhunter and modified the configuration file to suit: tell it which package manager to verify files against, enable every test and use the thorough device scan.

yum install rkhunter

vi /etc/rkhunter.conf

PKGMGR=RPM
ENABLE_TESTS="all"
DISABLE_TESTS="none"
SCAN_MODE_DEV=THOROUGH

rkhunter --propupd --update --check --sk -l

--propupd records the current file properties (hashes, owners, permissions) as the baseline that later checks compare against, so only run it when the system is known to be clean, typically straight after the package updates, and again after each update so that changed binaries are not reported as warnings; --sk skips the keypress prompts between test groups and -l writes the results to the log file. The first check flags hidden directories and device files; after reviewing them, the legitimate ones for this host are whitelisted here:

vi /etc/rkhunter.conf

ALLOWHIDDENDIR=
ALLOWDEVFILE=

IPTables Firewall

Strangely enough there was no firewall configured on the host, so I quickly knocked up a script and saved it. Here is the part of the script that resets the rules, sets the default policies to DROP and allows all local communications. There are additional parts that allow specific traffic through, but I have not included them here so as not to disclose the services and IP addresses in use. Two things to note if you reuse it: the OUTPUT chain accepts all NEW connections, so the DROP policy on OUTPUT only ever sees invalid packets, and the /proc writes for the kernel parameters are lost at reboot unless they are also put in /etc/sysctl.conf.

#!/bin/bash
#
# rc.firewall - reset the ruleset, default to DROP and allow local traffic.
#

#
# Global script variables
#

# Commands
IPTABLES=/sbin/iptables

# Network interfaces and addresses
LOOP_IFACE=lo
LAN=192.168.100.0/24
LAN_ADDR=192.168.100.201
LAN_IFACE=eth0

# Port numbers
NAMED_PORT=53
NETFLOW_PORT=9996
NTP_PORT=123
PRIV_PORTS=1:1024
SMB_PORTS=137:139
SSHD_PORT=4022
UNPRIV_PORTS=1025:65535

#
# Manage kernel parameters
# (these /proc writes do not survive a reboot; mirror them in /etc/sysctl.conf)
#

echo 1 > /proc/sys/net/ipv4/tcp_syncookies                # resist SYN floods
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter            # drop packets whose source is not routable back via the incoming interface
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians         # log packets with impossible addresses
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects       # do not send ICMP redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route  # ignore source-routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects     # ignore ICMP redirects (route poisoning)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts   # do not answer broadcast pings (smurf)
echo 1 > /proc/sys/net/ipv4/ip_forward                    # only needed if this host routes for others; the FORWARD policy below is DROP, so set this to 0 unless forwarding rules are added

#
# Configure default table policies
# (set before flushing so there is no window in which the chains fall back to ACCEPT)
#

$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP

#
# Initialise tables - flush rules, remove chains, zero counts
#

$IPTABLES -F
$IPTABLES -F -t mangle
$IPTABLES -F -t nat

$IPTABLES -X
$IPTABLES -X -t mangle
$IPTABLES -X -t nat

$IPTABLES -Z

#
# Allow all local loopback traffic
#

$IPTABLES -A INPUT -i $LOOP_IFACE -j ACCEPT
$IPTABLES -A OUTPUT -o $LOOP_IFACE -j ACCEPT

#
# Allow all traffic that is part of a related or established connection.
# The OUTPUT rule also accepts NEW, so this host may open any outbound
# connection; restrict it to specific ports if egress filtering is wanted.
#

$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

#
# Politely reject SMB traffic (REJECT rather than DROP so that Windows
# clients give up at once instead of retrying)
#

$IPTABLES -A INPUT -i $LAN_IFACE -p tcp --dport $SMB_PORTS -j REJECT
$IPTABLES -A INPUT -i $LAN_IFACE -p udp --dport $SMB_PORTS -j REJECT

#
# Allow icmp pings from the LAN only
#

$IPTABLES -A INPUT -i $LAN_IFACE -s $LAN -d $LAN_ADDR -p icmp --icmp-type echo-request -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $LAN_IFACE -s $LAN_ADDR -d $LAN -p icmp --icmp-type echo-reply -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# *** DELETED SERVICES SPECIFIC RULES TO IMPLEMENT SECURITY BY OBSCURITY ***
#

#
# Debugging - log all other traffic *** DO NOT USE IN PRODUCTION ENVIRONMENT ***
#
#$IPTABLES -A INPUT -i $LAN_IFACE -j LOG --log-prefix "rc.firewall "
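As an added check that is not part of the original script: a shell function that reads "iptables-save" output and flags the mistakes that most often creep into a ruleset like this one, i.e. a built-in filter chain whose policy is not DROP, a missing loopback or RELATED,ESTABLISHED rule, and an unconditional or whole-port-range ACCEPT on INPUT. Both rulesets in the block are constructed: the first mirrors the script above as iptables-save renders it (plus an assumed rule admitting sshd on SSHD_PORT from the LAN, standing in for the deleted service rules), the second is deliberately broken. The nat and mangle tables legitimately carry ACCEPT policies, so only the filter table is judged.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a loaded ruleset
# before leaving the console. Normal use is
#   iptables-save | audit_ruleset
# It prints one WARN line per finding and returns 1 if anything was found.
audit_ruleset() {
    awk '
    /^\*/ { table = substr($1, 2); next }      # "*filter", "*nat", "*mangle"
    table != "filter" { next }                 # nat/mangle policies are ACCEPT by design
    # ":CHAIN POLICY [pkts:bytes]" lines carry the default policy of a built-in chain
    /^:(INPUT|FORWARD|OUTPUT) / {
        chain = substr($1, 2); seen[chain] = 1
        if ($2 != "DROP") warn("policy of " chain " is " $2 ", expected DROP")
        next
    }
    /^-A INPUT -i lo -j ACCEPT$/  { lo_in = 1 }
    /^-A OUTPUT -o lo -j ACCEPT$/ { lo_out = 1 }
    # state tracking on INPUT; iptables-save may reorder the state list
    /^-A INPUT -m (state --state|conntrack --ctstate) [A-Z,]*ESTABLISHED/ { est = 1 }
    # a rule on INPUT with no match at all accepts everything
    /^-A INPUT -j ACCEPT$/ { warn("unconditional ACCEPT on INPUT") }
    # an INPUT rule accepting a whole port range usually means a typo or laziness
    /^-A INPUT .*--dport [0-9]+:[0-9]+ -j ACCEPT$/ { warn("port range accepted on INPUT: " $0) }
    END {
        n = split("INPUT FORWARD OUTPUT", chains, " ")
        for (i = 1; i <= n; i++) if (!seen[chains[i]]) warn("no filter policy seen for " chains[i])
        if (!lo_in || !lo_out) warn("loopback traffic is not accepted on both INPUT and OUTPUT")
        if (!est) warn("no RELATED,ESTABLISHED accept on INPUT; replies to outbound connections will be dropped")
        if (bad == 0) print "OK ruleset passes basic checks"
        exit (bad > 0)
    }
    function warn(msg) { print "WARN " msg; bad++ }
    '
}

# Constructed iptables-save dump mirroring the script above (the 4022 rule is
# assumed, standing in for the service rules removed from the post).
GOOD_RULES='# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 137:139 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p udp -m udp --dport 137:139 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.168.100.0/24 -d 192.168.100.201/32 -i eth0 -p icmp -m icmp --icmp-type 8 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.100.0/24 -i eth0 -p tcp -m tcp --dport 4022 -m state --state NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Constructed, deliberately broken ruleset: INPUT defaults to ACCEPT, the
# unprivileged port range is wide open, no state rule, no loopback OUTPUT rule.
BAD_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1025:65535 -j ACCEPT
COMMIT'

# Usage
printf '%s\n' "$GOOD_RULES" | audit_ruleset
printf '%s\n' "$BAD_RULES" | audit_ruleset || echo "BAD_RULES rejected with status $?"
```

The checks are deliberately conservative: they only look at the built-in chains and at patterns that are wrong in almost every ruleset, so an unexpected WARN is worth reading rather than suppressing.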

ClamAV Anti-virus

ClamAV is an open source anti-virus engine for Linux. I installed it using the yum package manager, set up a daily clamscan of the filesystem and used freshclam from an hourly cron job to keep the virus definitions current. Both cron scripts need to be executable (chmod +x) or run-parts skips them.

yum install clamav clamd clamav-db

vi /etc/cron.hourly/freshclam

#!/bin/bash
# Refresh the signature database; only errors are logged
/usr/bin/freshclam --quiet -l /var/log/clamav/freshclam.log

vi /etc/cron.daily/clamscan

#!/bin/bash
# Recursive scan of the whole filesystem, skipping the pseudo-filesystems
# (--exclude-dir takes a regular expression); only infected files are logged
/usr/bin/clamscan -r / --exclude-dir='^/(proc|sys|dev)' --quiet --infected --log=/var/log/clamd/clamscan

Fail2Ban Intrusion Prevention

fail2ban is an intrusion prevention system that parses system logs and dynamically adds firewall rules to block hosts making repeated intrusion attempts. It supports several other mechanisms, but I was only interested in the firewall and SSH access. The sshd and syslog changes send sshd's messages to a dedicated log file, which is then handed to fail2ban as the jail's logpath; with maxretry = 2 a host is banned after its second failure.

yum install fail2ban

vi /etc/ssh/sshd_config

SyslogFacility LOCAL5
LogLevel INFO

vi /etc/syslog.conf

local5.info                                     /var/log/sshd/sshd.log

vi /etc/fail2ban/jail.conf

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=*DELETED*, sender=*DELETED*]
logpath  = /var/log/sshd/sshd.log
maxretry = 2

The port= value in the iptables action is the port the ban rule is written for. If sshd listens on a non-standard port (the firewall script above defines SSHD_PORT=4022), set port= to that number, otherwise banned hosts are blocked on 22 while sshd keeps answering on the real port. Restart sshd and syslog before starting fail2ban so that the log file exists when the jail comes up.
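To show what the sshd filter and the maxretry setting actually do, here is the counting logic fail2ban applies, written as a shell/awk function. This is an added example, not fail2ban's own code and not from the original post: it reads sshd syslog lines, pulls the source address out of the failure messages the sshd filter matches, and reports an address once it has maxretry failures within findtime seconds, which is what triggers a ban. The log lines are constructed; the timestamp arithmetic ignores the year and treats every month as 31 days, which is good enough for ordering a findtime window within one log file.

```shell
#!/bin/sh
# Added example (not from the original post): the failure counting behind a
# fail2ban sshd jail. Usage:
#   ssh_bruteforce <maxretry> <findtime_seconds> < /var/log/sshd/sshd.log
# Prints "ban <ip> ..." the first time an address reaches maxretry failures
# inside the findtime window.
ssh_bruteforce() {
    awk -v maxretry="$1" -v findtime="$2" '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i in m) mon[m[i]] = i
    }
    # Only the messages the sshd filter treats as failures; the peer address
    # follows "from ". Accepted logins never enter the count.
    /sshd\[[0-9]+\]: (Failed password|Invalid user|Failed publickey) / {
        if (match($0, /from [0-9.]+/) == 0) next
        ip = substr($0, RSTART + 5, RLENGTH - 5)
        # syslog stamp "Mon dd hh:mm:ss" -> seconds (year ignored, 31-day months;
        # awk collapses the double space before single-digit days)
        split($3, t, ":")
        now = (mon[$1] * 31 + $2) * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
        n[ip]++; seen[ip, n[ip]] = now
        recent = 0
        for (i = 1; i <= n[ip]; i++) if (now - seen[ip, i] <= findtime) recent++
        if (recent >= maxretry && !banned[ip]) {
            banned[ip] = 1
            printf "ban %s after %d failures within %ds (at %s %s %s)\n", ip, recent, findtime, $1, $2, $3
        }
    }'
}

# Constructed sshd log lines (not from a real host): one quick brute-force
# attempt, one slow one 30 minutes apart, one successful key login, one
# single probe for an invalid user.
SAMPLE_SSHD_LOG='Jan 10 10:00:01 srv sshd[2001]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Jan 10 10:00:04 srv sshd[2001]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Jan 10 10:00:09 srv sshd[2003]: Accepted publickey for ops from 192.168.100.50 port 40022 ssh2
Jan 10 10:00:15 srv sshd[2005]: Failed password for root from 198.51.100.7 port 40500 ssh2
Jan 10 10:30:20 srv sshd[2009]: Failed password for root from 198.51.100.7 port 40511 ssh2
Jan 10 10:30:25 srv sshd[2011]: Invalid user oracle from 203.0.113.9'

# Usage with the jail values from this post (maxretry 2) and a 10 minute window:
# only 192.0.2.10 is banned; 198.51.100.7 spaced its attempts outside the window.
printf '%s\n' "$SAMPLE_SSHD_LOG" | ssh_bruteforce 2 600
```

Widening findtime to an hour also catches the slow attacker, which is the trade-off the real jail's findtime setting controls: a longer window catches patient guessing at the cost of more false positives from users who genuinely mistype.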

Legal notices

The client wanted some legal notices and disclaimers on the host for various reasons, one of them being to notify employees that their usage is being monitored. I put the disclaimer from their legal department (it looked pretty generic though) into /etc/issue and created a link from /etc/issue.net to it. /etc/issue is displayed by getty on the console before login; sshd only shows /etc/issue.net if sshd_config contains Banner /etc/issue.net, so that directive is needed for remote logins to see the notice.

