How to harden a Linux server (CentOS 5 or CentOS 6.2)

SPRI (Priority Scheduler)
cd /root/
wget http://www.rfxn.com/downloads/spri-current.tar.gz
tar xvfz spri-*.tar.gz
cd spri-*
./install.sh
spri -v

PRM (Process Resource Monitor)
cd /root
wget http://www.rfxn.com/downloads/prm-current.tar.gz
tar xvfz prm-*.tar.gz
cd prm-*
./install.sh
prm -j

Temporary Directory Hardening
—————————–
/bin/cp /etc/fstab /etc/fstab.bak

Use df to check if a /tmp partition is already present.

[if no /tmp partition present]
cd /usr
dd if=/dev/zero of=/usr/tmpMnt bs=1024 count=2000000

mke2fs -j /usr/tmpMnt
cd /
cp -R /tmp /tmp_backup 

mount -o loop,noexec,nosuid,rw /usr/tmpMnt /tmp 
chmod 1777 /tmp   # world-writable with the sticky bit set
/bin/cp -R /tmp_backup/* /tmp/ 
rm -rf /tmp_backup 

nano -w /etc/fstab 

At the very bottom add 
/usr/tmpMnt /tmp ext3 loop,noexec,nosuid,rw 0 0

[if a /tmp partition is already present]
nano -w /etc/fstab
On the /tmp line, change “defaults” to loop,noexec,nosuid,rw
mount /tmp

rm -rf /var/tmp
ln -s /tmp /var/tmp

If a symlink is not possible, then /var/tmp is most likely also a partition. In this case, /var/tmp must be hardened with loop,noexec,nosuid,rw in fstab as well.

If /tmp is hardened by cPanel’s /scripts/securetmp, remove the line from /etc/rc.d/rc.local and then reboot. The server will come back without a /tmp partition, and you can then follow the instructions above.

SSH Server Hardening
———————
nano -w /etc/ssh/sshd_config
Uncomment #Protocol 2, 1
Change to Protocol 2

Append these lines to the bottom:
LoginGraceTime 120 
IgnoreRhosts yes 
X11Forwarding no 

/etc/rc.d/init.d/sshd restart

DISABLE DIRECT ROOT LOGIN
If there is already an su user, good. If not:

REPLACE XXX with 3 numbers
groupadd anyuserXXX
useradd anyuserXXX -g anyuserXXX
passwd anyuserXXX
type password

nano -w /etc/group
Search for wheel, then append “anyuserXXX”
So it should be “root,anyuserXXX”

nano -w /etc/ssh/sshd_config

PermitRootLogin no (and uncomment)

At the bottom add
AllowUsers anyuserXXX
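
Added example, not part of the original guide: a small shell audit that confirms /tmp is mounted noexec,nosuid and reports the value sshd actually uses for the settings above. sshd takes the first uncommented occurrence of each keyword, so a line appended at the bottom has no effect if the keyword is already set earlier in the file. Function names and the sample input are constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the original guide); function names are illustrative.
# Return 0 if MOUNTPOINT in a mounts-format file (/proc/mounts or /etc/fstab)
# carries both noexec and nosuid in its options field.
mount_is_hardened() {   # usage: mount_is_hardened FILE MOUNTPOINT
    awk -v mp="$2" '
        $1 !~ /^#/ && $2 == mp { opts = "," $4 "," }  # last match is the top mount
        END { exit !(opts ~ /,noexec,/ && opts ~ /,nosuid,/) }' "$1"
}

# Print the value sshd really uses for a keyword: keywords are case-insensitive
# and the FIRST uncommented occurrence wins, so a later duplicate is ignored.
# Assumption: global section only; parsing stops at the first Match block.
sshd_effective() {      # usage: sshd_effective FILE KEYWORD
    awk -v kw="$2" '
        tolower($1) == "match"     { exit }
        tolower($1) == tolower(kw) { print tolower($2); exit }' "$1"
}

# Check the four sshd settings from this guide; returns the number that fail.
audit_sshd() {          # usage: audit_sshd FILE
    local failures=0 pair keyword want got
    for pair in protocol=2 permitrootlogin=no ignorerhosts=yes x11forwarding=no; do
        keyword=${pair%%=*}; want=${pair#*=}
        got=$(sshd_effective "$1" "$keyword")
        if [ "$got" = "$want" ]; then
            echo "OK   $keyword $got"
        else
            echo "FAIL $keyword is '${got:-unset}', expected '$want'"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Constructed sample input (not from a real host): the guide's lines appended
# below an existing "X11Forwarding yes", plus a /proc/mounts-style /tmp entry.
write_samples() {       # usage: write_samples DIR
    printf '%s\n' '#Protocol 2,1' 'Protocol 2' 'X11Forwarding yes' \
        'PermitRootLogin no' 'LoginGraceTime 120' 'IgnoreRhosts yes' \
        'X11Forwarding no' > "$1/sshd_config"
    printf '%s\n' '/dev/sda1 / ext3 rw 0 0' \
        '/dev/loop0 /tmp ext3 rw,nosuid,noexec 0 0' > "$1/mounts"
}

# "--live" audits this host; otherwise the file only defines the functions.
if [ "${1:-}" = "--live" ]; then
    mount_is_hardened /proc/mounts /tmp || echo "FAIL /tmp lacks noexec or nosuid"
    audit_sshd /etc/ssh/sshd_config
fi
```

Run it with --live as root after restarting sshd; the exit status is the number of sshd settings that did not take effect.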

ChkRootKit
————–
cd /root/
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
mv chkrootkit.tar.gz /usr/local/src/
cd /usr/local/src/
tar -zxf chkrootkit.tar.gz
cd /usr/local/src/chkrootkit-*
make sense
cd /root
mv /usr/local/src/chkrootkit-* /usr/local/chkrootkit

cd /etc/cron.weekly

Create chkrootkit.sh with these contents:

#!/bin/bash
EMAIL=your@domain.com
/usr/local/chkrootkit/chkrootkit -q | mail -s "ChkRootKit Scan Report - $(hostname)" "$EMAIL"

chmod 755 /etc/cron.weekly/chkrootkit.sh

RkHunter
————
cd /root
wget http://space.dl.sourceforge.net/project/rkhunter/rkhunter/1.3.8/rkhunter-1.3.8.tar.gz
tar -zxf rkhunter-1.3.8.tar.gz
cd rkhunter-1.3.8
./installer.sh --layout default --install

cd /etc/cron.weekly

Create rkhunter.sh with these contents:

#!/bin/bash
EMAIL=your@domain.com
rkhunter -c --sk --summary -q | mail -s "Rkhunter Scan Report - $(hostname)" "$EMAIL"

chmod 755 /etc/cron.weekly/rkhunter.sh

Installing CSF firewall
——
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

Next, test whether you have the required iptables modules:
perl /etc/csf/csftest.pl

 
