#157 Linux 07.01.2008
Linux Server Hardening

In this article I want to give you an overview of the various software packages available to harden a Linux system. The possibilities are almost endless and operate on different levels of the operating system. One has to decide which level of security the Linux system should achieve. The list is not complete, and it is not advisable to try to implement all measures at once. The first step is always to analyse the actual threats. After that, choose the appropriate software packages.

The following list is ordered by complexity. It begins with methods that are easy to implement and ends with sophisticated software. For the latter you may need weeks or months to familiarize yourself with it.

- Subscribe to the security mailing lists of all applications you run on the system
- Keep your system and all applications up to date
- Avoid default configurations such as www.domain.xyz/phpmyadmin
- Check all logs on a regular basis
- Don't work as root, use sudo instead
- Disable all unneeded services, run all others as non-root
- Choose a secure configuration for all running services
- Run rkhunter and chkrootkit every once in a while
- Use a safe php.ini, use PHPsuexec and suhosin
- Use denyhosts to block SSH attacks
- Disable SSH password login, use certificate-based authentication or public key authentication instead
- Use AIDE to check the integrity of important system binaries
- Choose a secure kernel configuration
- Use mod_security (web application firewall)
- Use ACLs (access control lists)
- Monitor the server with Nagios and Cacti
- Configure iptables properly
- Use sandboxing/virtualization: chroot environment, vserver or Xen
- Use Bastille Linux
- Use Snort as an IDS/IPS to detect/prevent intrusions
- Use RSBAC and GRSecurity for kernel-level security
- Use SELinux
- ...
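To make the SSH and "don't work as root" items checkable, here is an added example (not part of the original article) that audits the global section of an sshd_config-style file. The function names `effective_value` and `audit_sshd`, the assumed defaults and both sample files are constructed for illustration.

```shell
#!/bin/sh
# effective_value FILE KEYWORD DEFAULT
# Prints the value sshd would use globally: keywords are case-insensitive,
# the FIRST occurrence wins, and everything after "Match" is conditional.
effective_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key); val = def }
        /^[ \t]*#/ { next }                      # whole-line comment
        { sub(/[ \t]*=[ \t]*/, " ") }            # tolerate Keyword=value
        tolower($1) == "match" { exit }          # global section ends here
        tolower($1) == key { val = tolower($2); exit }
        END { print val }
    ' "$1"
}

# audit_sshd FILE -> prints findings, returns 0 only if every check passes
audit_sshd() {
    rc=0
    # Defaults are assumptions matching current OpenSSH; older releases differ.
    pw=$(effective_value "$1" PasswordAuthentication yes)
    pk=$(effective_value "$1" PubkeyAuthentication yes)
    root=$(effective_value "$1" PermitRootLogin prohibit-password)
    [ "$pw" = no ]   || { echo "FAIL PasswordAuthentication=$pw (want no)"; rc=1; }
    [ "$pk" = yes ]  || { echo "FAIL PubkeyAuthentication=$pk (want yes)"; rc=1; }
    [ "$root" = no ] || { echo "FAIL PermitRootLogin=$root (want no, use sudo)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK $1"
    return "$rc"
}

# Constructed sample files (not taken from any real host).
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/weak" <<'EOF'
# constructed sample: the second PasswordAuthentication line is ignored
PermitRootLogin yes
passwordauthentication yes
PasswordAuthentication no
Match User backup
    PubkeyAuthentication no
EOF
cat > "$tmp/hardened" <<'EOF'
# constructed sample
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication = no
EOF
audit_sshd "$tmp/weak" || true   # reports two FAIL lines
audit_sshd "$tmp/hardened"       # reports OK
```

The script does not follow `Include` directives or evaluate `Match` blocks; on a live host, `sshd -T` prints the effective configuration and can be used to cross-check the result.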