Centos Dedicated Server Security [closed]
We have a clean CentOS 5.6 setup with Virtualmin on it, that's all. What type of security steps would you suggest are appropriate?
http://www.wiredtree.com/supportservices/servershield.php This page has a good summary checklist, I think. Which of these steps are required? Or do you have better suggestions than those security hardenings:
(Especially DDoS and brute-force attack protection seems to be a problem.)
Firewall Protection:
- APF – Configure both ingress and egress firewall protection.
- BFD – Detect and prevent brute force attacks.
- CPHulk – Detect and prevent brute force attacks.
HTTP Intrusion and DOS Protection:
- Mod_security – Install and configure mod_security for Apache with auto-updating ruleset.
- Mod_evasive – Install and configure DOS, DDOS, and brute force detection and suppression for Apache.
- PHP SuHosin – PHP Hardening through the Hardened PHP Project. Available on request.
Server Hardening:
- Disable IP Source Routing – Enable protection against IP source route attacks.
- Disable ICMP Redirect Acceptance – Enable protection against ICMP redirect attacks.
- Enable syncookie protection – Enable protection against TCP SYN flood attacks.
- Enable ICMP rate-limiting – Enable protection against ICMP flood attacks.
- Harden host.conf – Enable spoofing protection and protection against DNS poisoning attacks.
- Harden Apache – Prevent module and version disclosure information.
- Harden SSH – Allow only SSH version 2 connections.
- Harden Named – Enable protection against DNS recursion attacks.
- Ensure Filesystem Permissions – Fix permissions on world-writable directories and protect against directory-traversal attacks.
- Harden temporary directory and shared memory locations – Enforce noexec, nosuid on tmp and shm mounts.
- Harden "fetching" utilities – Allows root-only access to wget, curl, and other utilities often used in web-based attacks.
- Remove unnecessary packages – Removes RPMs which are not needed, to prevent potential vulnerabilities and free up disk space.
- Disable unused services – Disable services which are not used.
- Disable unneeded processes – Disable processes which are not needed for server operation.
- PAM Resource Hardening – Protects against exploits which use core dumps and against user resource exhaustion through fork bombs and other shell attacks.
- PHP Hardening – Enable open_basedir protection.
Security Audits:
- Rootkit Hunter – Nightly scan to detect system intrusions.
- Chkrootkit – Nightly scan to detect system intrusions.
- Nobody Process Scanner – Scans for unauthorized "nobody" processes.
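Several of the "Server Hardening" items above (source routing, ICMP redirects, SYN cookies, ICMP rate limiting, noexec/nosuid on tmp and shm) are just kernel and mount settings, so they can be verified rather than taken on trust. The script below is an added example, not part of the question or of the linked checklist: it audits a sysctl.conf-style file and an fstab against those items. The two sysctl files and two fstabs it checks are constructed inline; the key names are the standard Linux ones, but the "hardened" values shown are the checklist's, not a claim about what any particular provider sets.

```shell
#!/bin/sh
# Added example: audit a sysctl.conf and an fstab for the kernel/mount items in the
# checklist (source routing, ICMP redirects, SYN cookies, ICMP rate limit, noexec/nosuid
# on /tmp and /dev/shm). The sample files below are constructed, not taken from a live host.

# Checklist keys and the value each should hold. sysctl applies a file top to bottom,
# so the LAST assignment of a key is the effective one.
SYSCTL_BASELINE='net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.default.accept_source_route 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.default.accept_redirects 0
net.ipv4.tcp_syncookies 1'

# sysctl_value FILE KEY: print the effective value of KEY, nothing if it is never set.
sysctl_value() {
    awk -v key="$2" -F'=' '
        /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }
        {
            k = $1; v = $2
            gsub(/[[:space:]]/, "", k); gsub(/[[:space:]]/, "", v)
            if (k == key) val = v
        }
        END { if (val != "") print val }' "$1"
}

# audit_sysctl FILE: one "key expected=.. actual=.." line per deviation; no output means compliant.
audit_sysctl() {
    sysctl_file=$1
    printf '%s\n' "$SYSCTL_BASELINE" | while read -r key want; do
        have=$(sysctl_value "$sysctl_file" "$key")
        [ "$have" = "$want" ] ||
            printf '%s expected=%s actual=%s\n' "$key" "$want" "${have:-unset}"
    done
    # ICMP rate limiting: any positive value enables it, 0 turns it off.
    rl=$(sysctl_value "$sysctl_file" net.ipv4.icmp_ratelimit)
    case $rl in
        ''|0|*[!0-9]*) printf 'net.ipv4.icmp_ratelimit expected=>0 actual=%s\n' "${rl:-unset}" ;;
    esac
}

# audit_fstab FILE: report /tmp and /dev/shm entries lacking noexec or nosuid, and a /tmp
# that is not a separate mount (mount options cannot be applied to a plain directory).
audit_fstab() {
    awk '
        /^[[:space:]]*#/ || NF < 4 { next }
        $2 == "/tmp" || $2 == "/dev/shm" {
            seen[$2] = 1
            noexec = 0; nosuid = 0
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) {
                if (opts[i] == "noexec") noexec = 1
                if (opts[i] == "nosuid") nosuid = 1
            }
            if (!noexec) print $2 " missing noexec"
            if (!nosuid) print $2 " missing nosuid"
        }
        END {
            if (!("/tmp" in seen)) print "/tmp not a separate mount"
            if (!("/dev/shm" in seen)) print "/dev/shm not listed"
        }' "$1"
}

# Constructed samples: a stock-looking pair and a hardened pair.
WEAK_SYSCTL=$(mktemp); HARD_SYSCTL=$(mktemp)
cat > "$WEAK_SYSCTL" <<'EOF'
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 0
net.ipv4.icmp_ratelimit = 0
EOF
cat > "$HARD_SYSCTL" <<'EOF'
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# the earlier value is overridden by the later one
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_ratelimit = 100
EOF
WEAK_FSTAB=$(mktemp); HARD_FSTAB=$(mktemp)
cat > "$WEAK_FSTAB" <<'EOF'
LABEL=/        /         ext3   defaults        1 1
tmpfs          /dev/shm  tmpfs  defaults        0 0
EOF
cat > "$HARD_FSTAB" <<'EOF'
LABEL=/        /         ext3   defaults                     1 1
LABEL=/tmp     /tmp      ext3   defaults,noexec,nosuid       1 2
tmpfs          /dev/shm  tmpfs  defaults,noexec,nosuid,nodev 0 0
EOF

echo "== weak sysctl";     audit_sysctl "$WEAK_SYSCTL"
echo "== hardened sysctl"; audit_sysctl "$HARD_SYSCTL"
echo "== weak fstab";      audit_fstab "$WEAK_FSTAB"
echo "== hardened fstab";  audit_fstab "$HARD_FSTAB"
```

Point the two audit functions at /etc/sysctl.conf and /etc/fstab to check a real box; remember that sysctl.conf only describes boot-time state, so `sysctl -a` is what confirms the running kernel agrees.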
Solution 1:
This is a wide-ranging question and my first answer may sound rude:
Remove Virtualmin!
Please don't get this wrong, but the possibility to open some doors with a few clicks points directly to the biggest security threat: the subject between keyboard and chair.
If you want a secure setup, you should:
- Only install what's needed
- Only run what's properly configured
- Check the security advisories for all software you install
- Always check the "paranoid" section of software documentation, if you are
- Try to use techniques that may already be installed (AppArmor, SELinux)
If you have a big automated security stack you don't understand at all, you may have a bigger risk of getting hacked than you would have with a small stack you really know.
The biggest common mistakes in hosting environments are the webapps and the DB (connection) settings. Take good care of Joomla and friends, make your DB only listen on localhost. Always use settings as restrictively as possible. For example: avoid chmod 777, read your logs. Monitor the machine with Nagios. Be paranoid.
I'm really sure you'll find help in specific cases here. In many cases "secure setup OS APPLICATION" produces a useful search result on a search engine of your choice.
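Two of the concrete points in this answer ("avoid chmod 777" and "make your DB only listen on localhost") can be turned into checks. The script below is an added example, not code from the answer: find_world_writable lists world-writable files and directories while skipping sticky directories such as /tmp, where anyone-can-write is intended; db_listens_locally reads a my.cnf and tells whether the [mysqld] section restricts MySQL to localhost. The directory tree and the two my.cnf files it runs against are constructed inline; the option names (bind-address, skip-networking) are MySQL's own.

```shell
#!/bin/sh
# Added example: checks for two pieces of advice in the answer above. The sample tree and
# my.cnf files are constructed here; nothing is read from the live system.

# find_world_writable ROOT: print world-writable regular files and world-writable
# directories that lack the sticky bit (sticky dirs like /tmp are writable by design).
find_world_writable() {
    find "$1" \( -type f -perm -0002 \) -o \( -type d -perm -0002 ! -perm -1000 \) | sort
}

# db_listens_locally MYCNF: exit 0 when the [mysqld] section binds to 127.0.0.1/localhost
# or sets skip-networking (unix socket only), exit 1 otherwise. With neither, mysqld
# accepts TCP connections on every interface. Only the [mysqld] section counts; the same
# key in another section does nothing for the server.
db_listens_locally() {
    awk '
        /^[[:space:]]*\[/ { section = $0; gsub(/^[[:space:]]*\[|\].*$/, "", section); next }
        section != "mysqld" || /^[[:space:]]*[#;]/ { next }
        {
            split($0, kv, "="); k = kv[1]; v = kv[2]
            gsub(/[[:space:]]/, "", k); gsub(/[[:space:]]/, "", v)
            if (k == "skip-networking" || k == "skip_networking") skip = 1
            if (k == "bind-address" || k == "bind_address")
                bound_local = (v == "127.0.0.1" || v == "localhost") ? 1 : 0
        }
        END { exit ((skip || bound_local) ? 0 : 1) }' "$1"
}

# Constructed web root: one "chmod 777 to make the upload work" directory, one 666 config
# file, and a sticky scratch directory that must not be reported.
SAMPLE_ROOT=$(mktemp -d)
mkdir -p "$SAMPLE_ROOT/html" "$SAMPLE_ROOT/uploads" "$SAMPLE_ROOT/tmp"
: > "$SAMPLE_ROOT/html/index.php"
: > "$SAMPLE_ROOT/html/config.php"
chmod 755 "$SAMPLE_ROOT/html"
chmod 644 "$SAMPLE_ROOT/html/index.php"
chmod 666 "$SAMPLE_ROOT/html/config.php"   # world-writable file
chmod 777 "$SAMPLE_ROOT/uploads"           # world-writable directory, no sticky bit
chmod 1777 "$SAMPLE_ROOT/tmp"              # sticky: writable on purpose, not reported

# Constructed my.cnf files: bind-address in the wrong section vs. in [mysqld].
WEAK_CNF=$(mktemp); LOCAL_CNF=$(mktemp)
cat > "$WEAK_CNF" <<'EOF'
[client]
bind-address = 127.0.0.1
[mysqld]
datadir = /var/lib/mysql
# no bind-address here: mysqld listens on all interfaces
EOF
cat > "$LOCAL_CNF" <<'EOF'
[mysqld]
datadir = /var/lib/mysql
bind-address = 127.0.0.1
EOF

echo "== world-writable under $SAMPLE_ROOT"
find_world_writable "$SAMPLE_ROOT"
for f in "$WEAK_CNF" "$LOCAL_CNF"; do
    if db_listens_locally "$f"; then echo "$f: mysqld local only"; else echo "$f: mysqld reachable from network"; fi
done
```

On a real host run find_world_writable against the document roots and /etc (with -xdev added if you point it at /), and pass /etc/my.cnf to db_listens_locally; a server that needs no remote DB clients can use skip-networking instead of bind-address.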
Solution 2:
Along with forcing SSH to version 2, don't forget to disable root logins, and preferably disable password logins and force key-based authentication. Also, it's a very good idea to change the default port for SSH.
For the firewall, make sure to set the default rule for each of them to Deny, then specifically allow rules to Accept.
We also use DenyHosts to ban machines that are known attackers, or that fail too many attempted logins.
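The sshd settings this answer lists are easy to get wrong in one specific way: sshd uses the first occurrence of a keyword in sshd_config, so appending "PermitRootLogin no" below a stock "PermitRootLogin yes" changes nothing. The script below is an added example, not the answerer's code: audit_sshd reads an sshd_config with that first-match rule and reports the version, root-login, password, key and port settings against the answer's recommendations (falling back to the OpenSSH 4.x defaults shipped with CentOS 5 when a keyword is absent), and brute_force_sources counts "Failed password" events per source address in /var/log/secure-style lines, which is the signal DenyHosts and BFD act on. The two sshd_config files and the log lines are constructed; the threshold of 5 is an arbitrary choice for the demo.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the settings named in the answer, and count failed
# logins per source the way DenyHosts/BFD do. All config files and log lines are constructed.

# sshd_value FILE KEYWORD: effective value of a global keyword. sshd honours the FIRST
# occurrence, so a hardened line appended below an existing one is silently ignored.
# Keywords are case-insensitive; parsing stops at the first Match block. Assumes the
# "Keyword value" form (the "Keyword=value" spelling is not handled here).
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; exit }' "$1"
}

# sshd_check FILE KEYWORD WANT DEFAULT: report when the effective value (or, if the keyword
# is absent, the compiled-in default given as DEFAULT) differs from WANT.
sshd_check() {
    have=$(sshd_value "$1" "$2"); have=${have:-$4}
    [ "$have" = "$3" ] || printf '%s expected=%s actual=%s\n' "$2" "$3" "$have"
}

# audit_sshd FILE: the answer's points. Defaults are OpenSSH 4.x as on CentOS 5
# (Protocol 2,1; root and password logins allowed; port 22).
audit_sshd() {
    sshd_check "$1" Protocol 2 "2,1"
    sshd_check "$1" PermitRootLogin no yes
    sshd_check "$1" PasswordAuthentication no yes
    sshd_check "$1" PubkeyAuthentication yes yes
    port=$(sshd_value "$1" Port); port=${port:-22}
    [ "$port" != 22 ] || echo 'Port expected=non-default actual=22'
}

# brute_force_sources LOGFILE THRESHOLD: addresses with at least THRESHOLD "Failed password"
# events. "Invalid user" lines are not counted separately, because each one is followed by a
# "Failed password for invalid user ..." line that is counted.
brute_force_sources() {
    awk -v limit="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { count[$(i + 1)]++; break }
        }
        END { for (ip in count) if (count[ip] >= limit) print ip, count[ip] }' "$1" | sort
}

# Constructed inputs. WEAK_SSHD shows the appended-fix mistake described above.
WEAK_SSHD=$(mktemp); HARD_SSHD=$(mktemp); SAMPLE_LOG=$(mktemp)
cat > "$WEAK_SSHD" <<'EOF'
# stock config with a "fix" appended at the bottom, which sshd never sees
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
EOF
cat > "$HARD_SSHD" <<'EOF'
Port 2222
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF
cat > "$SAMPLE_LOG" <<'EOF'
Jun  5 10:01:02 web1 sshd[4120]: Failed password for root from 203.0.113.5 port 40212 ssh2
Jun  5 10:01:04 web1 sshd[4120]: Failed password for root from 203.0.113.5 port 40212 ssh2
Jun  5 10:01:06 web1 sshd[4122]: Invalid user admin from 203.0.113.5
Jun  5 10:01:06 web1 sshd[4122]: Failed password for invalid user admin from 203.0.113.5 port 40230 ssh2
Jun  5 10:01:08 web1 sshd[4124]: Failed password for invalid user oracle from 203.0.113.5 port 40241 ssh2
Jun  5 10:01:10 web1 sshd[4126]: Failed password for root from 203.0.113.5 port 40255 ssh2
Jun  5 10:01:13 web1 sshd[4128]: Failed password for root from 203.0.113.5 port 40260 ssh2
Jun  5 10:02:30 web1 sshd[4130]: Failed password for deploy from 198.51.100.7 port 51000 ssh2
Jun  5 10:02:41 web1 sshd[4132]: Accepted publickey for deploy from 198.51.100.7 port 51002 ssh2
EOF

echo "== weak sshd_config";     audit_sshd "$WEAK_SSHD"
echo "== hardened sshd_config"; audit_sshd "$HARD_SSHD"
echo "== sources with >= 5 failed passwords"; brute_force_sources "$SAMPLE_LOG" 5
```

Run audit_sshd against /etc/ssh/sshd_config after every change (and test the new settings from a second session before closing the one you are in), and feed brute_force_sources the real /var/log/secure to see what a DenyHosts-style tool would be blocking before you install one.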