Secure SSH
1. Set up a custom SSH port:
Edit the "Port" value in /etc/ssh/sshd_config and restart SSH. Open the custom port in the firewall before restarting SSH, otherwise you may lose SSH access to the server.
2. Disable direct SSH access for the root user:
Allowing the root user to log in directly is a major security issue, because a brute-force attack can use the known username ‘root’ and concentrate on password variations. By using a unique username we reduce the chance of such an attack succeeding.
Add the custom user to the wheel group:
[root@sherinsha ~]# grep wheel /etc/group
wheel:x:10:newsshuser
Edit /etc/ssh/sshd_config and set PermitRootLogin to no:
vi /etc/ssh/sshd_config
PermitRootLogin no
[root@sherinsha ~]# /etc/init.d/sshd restart
From now on, we access root over SSH by logging in as the normal user and then using ‘su’ to switch to the root user:
login as: newsshuser
Access denied
tecmint@104.255.67.38's password:
Last login: Tue Oct 24 17:37:56 2016 from 104.255.67.38
[newsshuser@server24~]$ su -
Password:
[root@server24~]#
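The two sshd_config edits above, as an added example that is not part of the original page: a POSIX shell script that sets Port and PermitRootLogin on a given config file, keeps a backup of the previous version, and runs `sshd -t` on the result before anything is restarted (a typo in sshd_config locks everyone out). The port number 2222 and the sample config contents are constructed for the demo; the firewall rule for the new port still has to be opened first, as the text above says.

```shell
#!/bin/sh
# Added example, not from the original page. Applies the sshd_config changes
# described above (custom Port, PermitRootLogin no) to a given file and
# validates the result before anything is restarted.
# Assumptions: POSIX sh, awk and mktemp are available; port 2222 and the
# sample config below are constructed values.

# sshd_setting FILE KEY: print the effective value of KEY. sshd honours the
# first match of a keyword (case-insensitive), so that is what we report.
sshd_setting() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# set_sshd_directive FILE KEY VALUE: the first existing directive (active or
# the commented default, e.g. "#Port 22") is replaced, later duplicates are
# dropped, and the directive is appended if it was absent. The file as it
# was before this change is kept as FILE.bak so the edit can be reverted.
set_sshd_directive() {
    cp -p "$1" "$1.bak"
    tmp=$(mktemp) || return 1
    awk -v k="$2" -v v="$3" '
        tolower($1) == tolower(k) || tolower($1) == ("#" tolower(k)) {
            if (!done) { print k, v; done = 1 }   # first match: replace
            next                                   # later matches: drop
        }
        { print }
        END { if (!done) print k, v }              # absent: append
    ' "$1" > "$tmp" && cat "$tmp" > "$1"           # write back in place, keeps perms
    rm -f "$tmp"
}

# harden_sshd_config FILE PORT: the two changes from the text, in one step.
harden_sshd_config() {
    set_sshd_directive "$1" Port "$2" &&
    set_sshd_directive "$1" PermitRootLogin no
}

# validate_sshd_config FILE: syntax-check the file with sshd itself before
# restarting the service. Skipped if sshd is not installed on this machine.
validate_sshd_config() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        echo "sshd not installed here; skipping syntax check" >&2
    fi
}

# Demo on a constructed config rather than the live /etc/ssh/sshd_config.
demo=$(mktemp)
printf '#Port 22\nPermitRootLogin yes\nX11Forwarding no\n' > "$demo"
harden_sshd_config "$demo" 2222
echo "Port=$(sshd_setting "$demo" Port) PermitRootLogin=$(sshd_setting "$demo" PermitRootLogin)"
validate_sshd_config "$demo" || echo "config rejected by sshd -t; do not restart"
rm -f "$demo" "$demo.bak"
```

Run it against a copy of the real file first; only restart sshd once `validate_sshd_config` is silent and the firewall already allows the new port.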
3. Password protect GRUB
Please refer to Secure Linux GRUB.
Extended Binary Hardening
chmod 700 /usr/bin/wget
chmod 700 /usr/bin/lynx
chmod 700 /usr/bin/bcc
chmod 700 /usr/bin/byacc
chmod 700 /usr/bin/cc
chmod 700 /usr/bin/gcc
Inetd hardening
rm -rf /etc/xinetd.d/telnet
/etc/rc.d/init.d/xinetd restart
Secure /tmp partition
Most attacks and exploits use /tmp to work out of and to propagate themselves. Mounting /tmp with noexec and nosuid (so executables cannot be run from /tmp, nor run with escalated privileges) stops many of these exploits from doing any harm.
You can do this by adding the following entry to “/etc/fstab”:
tmpfs /tmp tmpfs nodev,nosuid,noexec 0 0
Save the file and run the command below to remount /tmp with “nosuid” and “noexec”:
mount -o remount /tmp
If cPanel is installed on the server, skip the steps above and run the script “/scripts/securetmp” to secure /tmp.
Shell fork bomb protection
Fork bombs are scripts that create many processes very quickly by calling fork(). This can freeze the system by filling up the process table. To prevent this we can set a limit in “/etc/security/limits.conf”.
Format: <domain> <type> <item> <value>
<domain> – user, group, wildcard *, wildcard %
<type> – “soft” or “hard”
<item> – one of the following:
core – limits the core file size (KB)
data – max data size (KB)
fsize – maximum filesize (KB)
memlock – max locked-in-memory address space (KB)
nofile – max number of open files
rss – max resident set size (KB)
stack – max stack size (KB)
cpu – max CPU time (MIN)
nproc – max number of processes
as – address space limit
maxlogins – max number of logins for this user
maxsyslogins – max number of logins on the system
priority – the priority to run user process with
locks – max number of file locks the user can hold
sigpending – max number of pending signals
msgqueue – max memory used by POSIX message queues (bytes)
nice – max nice priority allowed to raise to
rtprio – max realtime priority
chroot – change root to directory (Debian-specific)
<value> – the limit to apply to <item>
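A validator for the limits.conf format just described, as an added example that is not part of the original page: it checks every entry against the <domain> <type> <item> <value> layout and the <item> names listed above, and a small helper emits the soft/hard nproc pair that caps how many processes a fork bomb can spawn. The sample file contents, the domains and the value 2000 are constructed; pam_limits additionally accepts “-” as a type and “unlimited”/“infinity”/-1 as values, which the validator allows.

```shell
#!/bin/sh
# Added example, not from the original page: a validator for the
# <domain> <type> <item> <value> format of /etc/security/limits.conf, plus a
# helper that emits the nproc pair that caps a fork bomb. The sample file
# below is constructed.

# The <item> names listed in the text. pam_limits also accepts "-" as <type>
# (both soft and hard) and "unlimited"/"infinity"/-1 as <value>.
LIMIT_ITEMS="core data fsize memlock nofile rss stack cpu nproc as maxlogins maxsyslogins priority locks sigpending msgqueue nice rtprio chroot"

# check_limits_conf FILE: print "OK <line>" or "BAD <reason>: <line>" for
# every entry; return 1 if any entry is malformed, else 0.
check_limits_conf() {
    awk -v items="$LIMIT_ITEMS" '
        BEGIN { n = split(items, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[ \t]*(#|$)/ { next }                          # comments and blank lines
        {
            bad = ""
            if (NF != 4)                                  bad = "expected 4 fields"
            else if ($2 !~ /^(soft|hard|-)$/)             bad = "bad type"
            else if (!($3 in ok))                         bad = "unknown item"
            else if ($3 != "chroot" && $4 !~ /^(-?[0-9]+|unlimited|infinity)$/)
                                                          bad = "bad value"
            if (bad == "") print "OK " $0
            else { print "BAD " bad ": " $0; fail = 1 }
        }
        END { exit fail }
    ' "$1"
}

# nproc_limit_lines DOMAIN MAX: the soft/hard nproc pair for DOMAIN. nproc is
# the item that bounds how many processes a fork bomb can create in sessions
# of that domain.
nproc_limit_lines() {
    printf '%s soft nproc %s\n%s hard nproc %s\n' "$1" "$2" "$1" "$2"
}

# Demo on a constructed file that contains two deliberately bad entries.
sample=$(mktemp)
{
    nproc_limit_lines '*' 2000
    printf '# comment line\nroot soft nofile 65536\nbob hard procs 100\nalice soft nproc lots\n'
} > "$sample"
check_limits_conf "$sample" || echo "fix the BAD lines before pam_limits reads this file"
rm -f "$sample"
```

A malformed line is silently ignored by pam_limits rather than reported at login, which is why checking the file before relying on the limit is worth the few seconds.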
Optimize kernel settings with sysctl
Important sysctl settings are listed below. If you are not sure how a change affects the server, leave the setting as it is.
# Disable packet forwarding
net.ipv4.ip_forward = 0

# Disable IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Disable ICMP redirect acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# Log spoofed packets, source routed packets, redirect packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.lo.log_martians = 1
net.ipv4.conf.eth0.log_martians = 1

# Disable the magic SysRq key
kernel.sysrq = 0

# Decrease the default value for tcp_fin_timeout
net.ipv4.tcp_fin_timeout = 15

# Decrease the default value for tcp_keepalive_time
net.ipv4.tcp_keepalive_time = 1800

# Turn off tcp_window_scaling
net.ipv4.tcp_window_scaling = 0

# Turn off tcp_sack
net.ipv4.tcp_sack = 0

# Turn off tcp_timestamps
net.ipv4.tcp_timestamps = 0

# Enable TCP SYN cookie protection
net.ipv4.tcp_syncookies = 1

# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Enable bad error message protection
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Increase the size of the socket queue (effectively, q0)
net.ipv4.tcp_max_syn_backlog = 1024

# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 1440000

# Allowed local port range
net.ipv4.ip_local_port_range = 16384 65536
After adding these settings to /etc/sysctl.conf, apply them with the command below:
sysctl -p
The following command lists the current sysctl parameters:
sysctl -a
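Applying a sysctl file and trusting it is not the same as checking that the kernel is actually running those values (a key that does not exist on this kernel, an interface named differently from eth0, or a later change all leave drift behind). The following is an added example, not from the original page: it compares a sysctl.conf-style file with `sysctl -a` output and reports each key as OK, DRIFT or MISSING. The subset of settings in the demo and the fallback snapshot are constructed.

```shell
#!/bin/sh
# Added example, not from the original page: compare the settings in a
# sysctl.conf-style file with what the kernel is actually running, so a
# value that never got applied (or was changed since) shows up as DRIFT.
# Input formats: CONF is sysctl.conf syntax, CURRENT is `sysctl -a` output;
# both are "key = value" per line. The sample data below is constructed.

# audit_sysctl CONF CURRENT: print "OK key", "DRIFT key expected=.. actual=.."
# or "MISSING key" for every setting in CONF; return 1 if anything is off.
audit_sysctl() {
    awk '
        function norm(s) {                      # trim and collapse whitespace
            gsub(/^[ \t]+|[ \t]+$/, "", s); gsub(/[ \t]+/, " ", s); return s
        }
        function setting_key(line) { sub(/=.*$/, "", line); return norm(line) }
        function setting_val(line) { sub(/^[^=]*=/, "", line); return norm(line) }
        index($0, "=") == 0 { next }            # no "=": nothing to compare
        FILENAME == ARGV[1] {                   # first file: running values
            cur[setting_key($0)] = setting_val($0); next
        }
        /^[ \t]*[#;]/ { next }                  # comment line in the conf file
        {
            k = setting_key($0); want = setting_val($0)
            if (!(k in cur))         { print "MISSING " k; bad = 1 }
            else if (cur[k] != want) { print "DRIFT " k " expected=" want " actual=" cur[k]; bad = 1 }
            else                       print "OK " k
        }
        END { exit bad }
    ' "$2" "$1"
}

# Demo: a constructed subset of the recommended settings, checked against
# this host when sysctl is available, otherwise against a constructed snapshot.
conf=$(mktemp); cur=$(mktemp)
cat > "$conf" <<'EOF'
# constructed subset of the settings recommended above
net.ipv4.ip_forward = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.ip_local_port_range = 16384 65536
kernel.sysrq = 0
EOF
if command -v sysctl >/dev/null 2>&1; then
    sysctl -a 2>/dev/null > "$cur"
else
    printf 'net.ipv4.ip_forward = 1\nkernel.sysrq = 0\n' > "$cur"   # constructed snapshot
fi
audit_sysctl "$conf" "$cur" || echo "some settings are not in effect on this host"
rm -f "$conf" "$cur"
```

Values are whitespace-normalised before comparison because `sysctl -a` prints multi-value keys such as ip_local_port_range with a tab while sysctl.conf files usually use a space.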
Check the network connectivity status
Use the command below to check the NIC speed:
ethtool eth0
Here the NIC is labelled ‘eth0’. If it has another name, such as eth1 or em1, use that instead of eth0.
Recommended Values:
Speed: 1000Mb/s (1Gbps)
Duplex: Full (It should be Full)
Auto-negotiation: on
The link can also be checked with mii-tool:
mii-tool -v em1
The result looks like the line below, which means the server is connected at 100 Mbit full duplex:
em1: negotiated 100baseTx-FD flow-control, link ok
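Reading the ethtool report by eye works for one server; the following is an added example, not from the original page, that parses a saved `ethtool <nic>` report and compares Speed, Duplex and Auto-negotiation with the recommended values listed above, so the check can run from an inventory script. The ethtool output in the demo (a 100 Mb/s half-duplex link) is constructed.

```shell
#!/bin/sh
# Added example, not from the original page: read a saved `ethtool <nic>`
# report and compare Speed, Duplex and Auto-negotiation with the recommended
# values above. The ethtool output below is constructed; on a real host
# capture it with: ethtool eth0 > /tmp/nic.txt

# nic_field FILE KEY: value of the "KEY: value" line in an ethtool report
# (leading tabs stripped; empty if the key is absent).
nic_field() {
    awk -F': *' -v k="$2" '{ sub(/^[ \t]+/, "") } $1 == k { print $2; exit }' "$1"
}

# check_nic FILE: print OK/WARN per field against the recommended values;
# return 1 if any field is off or missing.
check_nic() {
    rc=0
    for spec in "Speed=1000Mb/s" "Duplex=Full" "Auto-negotiation=on"; do
        field=${spec%%=*}; want=${spec#*=}
        got=$(nic_field "$1" "$field")
        if [ "$got" = "$want" ]; then
            echo "OK $field: $got"
        else
            echo "WARN $field: ${got:-missing} (want $want)"; rc=1
        fi
    done
    return $rc
}

# Demo on a constructed report showing the kind of link the text warns about.
report=$(mktemp)
printf 'Settings for eth0:\n\tSupported ports: [ TP ]\n\tSpeed: 100Mb/s\n\tDuplex: Half\n\tAuto-negotiation: on\n\tLink detected: yes\n' > "$report"
check_nic "$report" || echo "link is below the recommended 1Gbps full duplex"
rm -f "$report"
```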
Optimize Disk I/O
Mount partitions with “noatime” to reduce I/O usage; this can give a significant performance gain. Add the value “noatime” in /etc/fstab like below:
/tmp /var/tmp ext3 defaults,commit=30,bind,noauto,noatime,nosuid 0 0
We have to reboot the server, or at least remount the partition, to apply this change. The command below remounts /tmp:
mount -o remount /tmp
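Both the /tmp hardening section (nodev, nosuid, noexec) and the noatime section above end with a remount, and the step people skip is confirming that the options are really in effect afterwards. The following is an added example, not from the original page: it reads a /proc/mounts-style listing and reports which required options a mount point is missing. It serves both sections; the sample listing and the /var/www mount point are constructed, and on a real host it reads /proc/mounts.

```shell
#!/bin/sh
# Added example, not from the original page: verify that a mount point
# carries the options the text asks for (nosuid/noexec/nodev on /tmp,
# noatime on data partitions) by reading a /proc/mounts-style listing.
# Fields in that format: device mountpoint fstype options dump pass.
# The sample listing below is constructed; /proc/mounts is used when present.

# mount_opts FILE MOUNTPOINT: the option string of MOUNTPOINT. The last
# matching line wins, since a later mount overlays an earlier one. Empty if
# the mount point is not mounted.
mount_opts() {
    awk -v mp="$2" '$2 == mp { opts = $4 } END { print opts }' "$1"
}

# check_mount_opts FILE MOUNTPOINT OPT...: print "OK"/"MISSING" per option;
# return 1 if any option is missing or the mount point is not mounted.
check_mount_opts() {
    file=$1; mp=$2; shift 2
    opts=$(mount_opts "$file" "$mp")
    if [ -z "$opts" ]; then
        echo "NOT MOUNTED $mp"; return 1
    fi
    rc=0
    for want in "$@"; do
        case ",$opts," in                      # exact token match inside the list
            *",$want,"*) echo "OK $mp $want" ;;
            *)           echo "MISSING $mp $want"; rc=1 ;;
        esac
    done
    return $rc
}

# Demo: use the live mount table when readable, otherwise a constructed one.
mounts=/proc/mounts
if [ ! -r "$mounts" ]; then
    mounts=$(mktemp)
    printf 'tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0\n/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0\n/dev/sdb1 /var/www ext4 rw,noatime 0 0\n' > "$mounts"   # constructed
fi
check_mount_opts "$mounts" /tmp nosuid noexec nodev || echo "/tmp is not mounted as described above; remount it"
check_mount_opts "$mounts" / noatime || echo "noatime is not set on /"
```

Matching on `,option,` rather than a substring avoids counting `relatime` as `noatime` or `nosuid` as `suid`, a mistake that is easy to make with a plain grep.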