Sunday, January 11, 2015

Server Hardening

Linux Server Hardening

1. Protect the BIOS with a password
Enter the BIOS setup during the boot process and set the password there.
2. Protect GRUB with a password
# vi /boot/grub/grub.conf
password --md5 <hash generated with grub-md5-crypt>
(a plain "password grubpasswd" line also works, but then the password is stored in clear text)
3. Disable root login over SSH (in /etc/ssh/sshd_config): PermitRootLogin no, and also PermitEmptyPasswords no so that accounts with an empty password cannot log in
4. Allow only specific users to log in: AllowUsers alex
5. Change the SSH port to 9222: Port 9222 (don't forget to open this port in the firewall)
6. Use SSH protocol 2 only: Protocol 2
7. Give the admin user admin permission
# visudo
%wheel ALL=(ALL) ALL
Then add the user to the wheel group, so that the /etc/group entry reads:
wheel:x:10:alex
8. Disable unused services from starting at boot
# ntsysv
9. Disable reboot via Ctrl+Alt+Del
# vi /etc/init/control-alt-delete.conf
Comment out the exec line:
#exec /sbin/shutdown -r now "Control-Alt-Delete pressed"
10. Enable the firewall
Afterwards, check the active rules with: iptables -L
11. Set SELinux to enforcing
# setenforce 1
# getenforce
Enforcing
setenforce only lasts until the next reboot; set SELINUX=enforcing in /etc/selinux/config to make it permanent.
12. Check file system permissions and adapt them if necessary. The sticky bit must be set on /tmp (the trailing "t" below):
drwxrwxrwt. 3 root root 4096 Jul 24 03:30 tmp
drwxr-xr-x. 4 root root 4096 Jul 23 23:58 home
dr-xr-x---. 3 root root 4096 Jul 24 00:03 root
13. Set a welcome and warning banner
# cat > /etc/issue
This service is restricted to authorized users only. All activities on this system are logged. Unauthorized access will be fully investigated and reported to the appropriate law enforcement agencies.
Press Ctrl+D to finish writing the file.
14. Disable local login for everyone except the root account
# touch /etc/nologin
15. Lock SSH users after 3 failed login attempts
# echo "auth required pam_tally2.so deny=3 onerr=fail unlock_time=600" >> /etc/pam.d/sshd
pam_tally2.so uses the file /var/log/tallylog as the counter for failed logins; to inspect the counter, run the pam_tally2 command:
[root@nuke]# pam_tally2

16. Enforce password policy

Prevent reusing old passwords

sudo vi /etc/pam.d/system-auth
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5

Set minimum password length

sudo vi /etc/pam.d/system-auth
password requisite pam_cracklib.so retry=3 difok=3 minlen=10

Set password complexity

sudo vi /etc/pam.d/system-auth
password requisite pam_cracklib.so retry=3 difok=3 minlen=10 ucredit=-1 lcredit=-2 dcredit=-1 ocredit=-1

Set password expiration period

sudo vi /etc/login.defs
The defaults are controlled by PASS_MAX_DAYS, PASS_MIN_DAYS and PASS_WARN_AGE in that file.

It can also be done on a per-user basis: sudo chage -l xmodulo shows the user's current ageing settings, and sudo chage -M <days> xmodulo sets the maximum password age for that user.
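As an added example (not part of the original post), here is a small POSIX shell audit of an sshd_config file against steps 3 to 6 above. The function names (sshd_val, check, audit_sshd) and the two sample config files are constructed for the example; it also implements a caveat worth knowing when applying those steps: sshd honours the first uncommented occurrence of a directive, so a hardened line appended below an earlier "PermitRootLogin yes" has no effect.

```shell
#!/bin/sh
# Audit an sshd_config against checklist steps 3-6 (added example).
# sshd uses the FIRST uncommented occurrence of a directive, so the audit
# reads the first match, as sshd does. Match blocks are not handled.
# Print the effective value of a directive (keyword is case-insensitive),
# or nothing if it is never set.
sshd_val() {
  awk -v key="$2" '
    $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }
  ' "$1"
}
# Compare one directive with its expected value; print a finding on mismatch.
check() {
  actual=$(sshd_val "$1" "$2")
  if [ "$actual" = "$3" ]; then return 0; fi
  printf 'FAIL %-20s expected "%s", effective "%s"\n' "$2" "$3" "${actual:-<unset>}"
  return 1
}
# Run the checks; the return code is the number of failed checks (0 = hardened).
audit_sshd() {
  f=$1; fails=0
  check "$f" PermitRootLogin no      || fails=$((fails + 1))
  check "$f" PermitEmptyPasswords no || fails=$((fails + 1))
  check "$f" Protocol 2              || fails=$((fails + 1))
  check "$f" Port 9222               || fails=$((fails + 1))
  # AllowUsers only has to be present with at least one user
  [ -n "$(sshd_val "$f" AllowUsers)" ] || { echo 'FAIL AllowUsers not set'; fails=$((fails + 1)); }
  return "$fails"
}
# Constructed sample configs (hypothetical, not files from the page).
HARDENED=$(mktemp); WEAK=$(mktemp)
cat > "$HARDENED" <<'EOF'
Port 9222
Protocol 2
PermitRootLogin no
PermitEmptyPasswords no
AllowUsers alex
EOF
cat > "$WEAK" <<'EOF'
# stock file with hardened lines appended at the bottom: root can still log in
PermitRootLogin yes
#Port 22
PermitRootLogin no
Port 9222
EOF
audit_sshd "$HARDENED" && echo "hardened config: OK"
audit_sshd "$WEAK" || echo "weak config: $? failed check(s)"
```

Run it against /etc/ssh/sshd_config on a real host instead of the sample files to get the findings for that machine.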


