
Linux server hardening

I want to create a private shell server, and I will give a few people access, but since it's a shell server, I'd like some help. I don't want anyone to be able to scan or flood from the server. How can I do this? Some guys will be using one or two IRC processes, and that's about it ... but I want to be careful, because I do not need any problems ...
Asked by: keepwalking
 
snedelchev Commented:
 
ahoffmann Commented:
> .. don't want anyone to be able to scan nor flood from the server.
hmm, as long as any shell can use whatever they want there is no way to inhibit this.
You need to set up each shell to use allowed (by you) programs and scripts only.
 
gert5142 Commented:
When you install a Linux machine (e.g. a GNU/Debian distro) with the minimal features (kernel, networking, ssh, ...) it IS already quite secure.

Especially when you keep it up to date with new Debian packages and, more importantly, security packages. This is quite easy since e.g. Debian has APT (Advanced Packaging Tool), which you can run daily with a cron job, and it keeps all packages up to date.

When your server is either publicly exposed, highly visible or prone to attacks, you of course put it behind a firewall which only allows port 22 (ssh access), and you can additionally do some of the following:
- install one of the available kernel patches that hardens your kernel during ssh user access [http://www.grsecurity.net/]
- use the scripts from Bastille Linux [http://www.bastille-linux.org/]
- choose an ultra secure Linux distro like e.g. SE Linux [http://www.nsa.gov/selinux/] or [http://www.openwall.com/]
- install an Intrusion Detection System like LIDS [http://www.lids.org/] or SNORT [www.snort.org]
- tools like Tripwire monitor changes in files and can be used to detect installations of rootkits etc.

I would say with SE Linux you get more than you would want, I think.

interesting links:
http://www.securityfocus.com/infocus/1539
http://www.sans.org/rr/whitepapers/linux/1294.php

On all the topics they have excellent HOWTO docs on www.tldp.org.
Hope this helps.

Regards,

 
gert5142 Commented:
Addition to last post...

Maybe it's also a good idea to put the server in a DMZ. It's a subnet (zone) on a machine with 3 interfaces: one internal, one untrusted (the Internet) and one DMZ where you connect the machine.

Even if someone gets hold of the server, as long as the firewall holds, the intruder won't be able to pass to your internal network. You, on the other hand, can take backups and stuff from the inside.

Regards,
 
Darshan_Jadav Commented:
After proper hardening, use SUDO; this will control what users can execute (if you need to give them some root rights).
 
chris_calabrese Commented:
If you don't have dedicated hardware for this, you could also use User Mode Linux to create a virtual server for your guests so they can't break into your "real" system.
 
pjedmond Commented:
What you probably really want to do here is create a special chroot environment for each user. By doing that, you can have a greater degree of control over what they can and can't do to the rest of the system.

Have a read here:

http://www.tjw.org/chroot-login-HOWTO/

Of course they can always download applications that they might wish to abuse, but this provides an excellent start for controlling users.
 
keepwalking (Author) Commented:
OK, let me make it clearer ... RH9, kernel 2.4.29. I already tried grsec, but when setting the security level too high, the system becomes very difficult to use even by me, the admin, not to mention the users. I don't want to be paranoid though, I just need some explicit settings on how to block outgoing DDoS from my machine.
 
ahoffmann Commented:
hmm, please re-read http:#13748453

> .. how to block outgoing dDoS  from my machine
you could use iptables like

   iptables -I OUTPUT 1 -j DROP

but that makes your server unusable, somehow ...
 
chris_calabrese Commented:
RH is no longer providing security patches for RH 9, so this is not a good platform to base this on.
 
macker- Commented:
I would recommend starting with a distro that you find easy to understand.  E.g. OpenBSD is credited as being one of the most secure o/s's out-of-the-box, but if you don't know what you're doing, bad security practices will ensue.

LIDS isn't really an IDS, IMHO, but more of a security restriction system.  It helps contain damage by processes that have gained root privs.

The #1 thing is to make sure the system isn't running unnecessary services.  In short, if you do "ps awwux", you should be able to identify the purpose for every process running, and know that it is needed.  Most of these should correspond to scripts in /etc/rc.d/init.d (or other directories, depending on the Linux distro).

Firewall rulesets can also be implemented to limit what traffic is allowed, which would be of primary use to prevent a user from exceeding what's intended... i.e. only allow new outbound connections on ports 20, 21, 22, 6660:6669.  Most automated scripts will try to connect on port 80 (web) to a remote host to download an exploit.. if this is a shell box, it probably doesn't need access to the web, and FTP will be sufficient.  In short, restrict access to anything until you know it's needed.
0
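The outbound allowlist described in the comment above, written out as an added example (not code from the thread). The variable names, the optional `DNS_SERVER` rule and the rate-limited LOG rule are assumptions of this example; the TCP port list is the one given in the comment.

```shell
#!/bin/sh
# Added example: outbound allowlist for a shell box, using the port list
# from the comment above. Variable and function names are this example's own.
ALLOWED_TCP="20 21 22 6660:6669"   # FTP data/control, ssh, IRC
DNS_SERVER=""                      # assumption: set to your resolver's IP if users need DNS
LOG_PREFIX="egress-drop: "

# Print the iptables commands in order, without running anything.
egress_rules() {
    # Start from an empty OUTPUT chain so the rules below are the whole policy.
    echo "iptables -F OUTPUT"
    # Loopback and packets of already-tracked connections stay allowed;
    # without this, replies to incoming ssh sessions would be dropped.
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # New outbound TCP connections only to the listed ports.
    for port in $ALLOWED_TCP; do
        echo "iptables -A OUTPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # Optional: name lookups to one resolver only.
    if [ -n "$DNS_SERVER" ]; then
        echo "iptables -A OUTPUT -p udp -d $DNS_SERVER --dport 53 -j ACCEPT"
    fi
    # Log what is about to be dropped (rate-limited so a flood cannot fill
    # the log), then drop everything else, ICMP and UDP included.
    echo "iptables -A OUTPUT -m limit --limit 6/minute -j LOG --log-prefix \"$LOG_PREFIX\""
    echo "iptables -A OUTPUT -j DROP"
}

# Default: dry run. "apply" (as root) pipes the reviewed commands to sh.
case "${1:-print}" in
    apply) egress_rules | sh ;;
    *)     egress_rules ;;
esac
```

Run it without arguments first to review the rules. Once applied, blocked outbound attempts appear in the kernel log under the `egress-drop:` prefix, which also tells you which account activity to look into.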
