keepwalking


Linux server hardening

I want to create a private shell server, and I will give a few people access, but since it's a shell server, I'd like some help. I don't want anyone to be able to scan nor flood from the server. How can I do this? Some guys will be using one 2 IRC processes, and that's about it ... but I want to be careful, because I do not need any problems ...
snedelchev

> .. don't want anyone to be able to scan nor flood from the server.
Hmm, as long as any shell can use whatever they want there is no way to inhibit this.
You need to set up each shell to use allowed (by you) programs and scripts only.
gert5142

Addition to last post...

Maybe it's also a good idea to put the server in a DMZ. It's a subnet (zone) on a machine with 3 interfaces. One internal, one Untrusted (The Internet) and one DMZ where you connect the machine.

Even if someone gets hold of the server, as long as the firewall holds the intruder won't be able to pass to your internal network. You, on the other hand, can take backups and stuff from the inside.

Regards,
After proper hardening, use SUDO; this will control what users can execute (if you need to give them some root rights).
If you don't have dedicated hardware for this, you could also use User Mode Linux to create a virtual server for your guests so they can't break into your "real" system.
What you probably really want to do here is create a special chroot environment for each user. By doing that, you can have a greater degree of control over what they can and can't do to the rest of the system.

Have a read here:

http://www.tjw.org/chroot-login-HOWTO/

Of course they can always download applications that they might wish to abuse, but this provides an excellent start for controlling users.
keepwalking

ASKER

OK, let me make it clearer ... RH9, kernel 2.4.29. Already tried grsec, but when setting the security level too high, the system becomes very difficult to use even by me, the admin, not to mention the users. I don't want to be paranoid though, I just need some explicit settings on how to block outgoing dDoS from my machine.
hmm, please re-read http:#13748453

> .. how to block outgoing dDoS  from my machine
you could use iptables like

   iptables -I OUTPUT 1 -j DROP

but that makes your server unusable, somehow ...
RH is no longer providing security patches for RH 9, so this is not a good platform to base this on.
I would recommend starting with a distro that you find easy to understand.  E.g. OpenBSD is credited as being one of the most secure o/s's out-of-the-box, but if you don't know what you're doing, bad security practices will ensue.

LIDS isn't really an IDS, IMHO, but more of a security restriction system.  It helps contain damage by processes that have gained root privs.

The #1 thing is to make sure the system isn't running unnecessary services.  In short, if you do "ps awwux", you should be able to identify the purpose for every process running, and know that it is needed.  Most of these should correspond to scripts in /etc/rc.d/init.d (or other directories, depending on the Linux distro).

Firewall rulesets can also be implemented to limit what traffic is allowed, which would be of primary use to prevent a user from exceeding what's intended... i.e. only allow new outbound connections on ports 20, 21, 22, 6660:6669.  Most automated scripts will try to connect on port 80 (web) to a remote host to download an exploit.. if this is a shell box, it probably doesn't need access to the web, and FTP will be sufficient.  In short, restrict access to anything until you know it's needed.
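
The default-deny egress policy described in the last post, written out as an added example (not part of any post in this thread). The port list is the one given above; the DNS rule, the placeholder resolver address, the `EGRESS` chain name and the log prefix are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: default-deny egress for a shell box, emitted as iptables commands.
# Allowed ports come from the post above; everything marked "assumption" does not.

ALLOWED_TCP="20 21 22 6660:6669"   # new outbound TCP connections the post allows
RESOLVER="192.0.2.53"              # assumption: placeholder resolver, replace with yours

egress_rules() {
    # Dedicated chain (hypothetical name) so existing OUTPUT rules stay untouched.
    echo "iptables -N EGRESS"
    # Loopback traffic and replies on connections that were already accepted.
    echo "iptables -A EGRESS -o lo -j ACCEPT"
    echo "iptables -A EGRESS -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Assumption: users need name resolution to reach their IRC and FTP hosts.
    echo "iptables -A EGRESS -p udp -d $RESOLVER --dport 53 -j ACCEPT"
    # One rule per allowed destination port or range, new TCP connections only.
    for port in $ALLOWED_TCP; do
        echo "iptables -A EGRESS -p tcp --syn --dport $port -m state --state NEW -j ACCEPT"
    done
    # Everything else (port 80, other UDP, ICMP) is logged at a limited rate, then dropped.
    echo "iptables -A EGRESS -m limit --limit 6/minute -j LOG --log-prefix 'EGRESS-DROP: '"
    echo "iptables -A EGRESS -j DROP"
    # Hook the chain in last, once it is fully populated.
    echo "iptables -A OUTPUT -j EGRESS"
}

# Print the rules for review by default; run them only with --apply (as root).
case "${1:-}" in
    --apply) egress_rules | sh -e ;;
    *)       egress_rules ;;
esac
```

The `EGRESS-DROP:` lines in the kernel log show which account activity is hitting the deny rule, which is the signal to review before opening any further port.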