Solved

Need to secure RHEL Server from outside

Posted on 2014-02-10
9
511 Views
Last Modified: 2014-03-07
Hi All ,

I want to secure my server and find lots of solutions but still confuse which one to choose and why ....it has to be secure - so please help with below query:

-      Forbid any changes on network configuration files (set read-only)
-      Send an automatic e-mail when these attributes change or/and network configuration files was changed
-      Send an automatic e-mail when someone use network configuration tools (ifconfig, iproute2, iptables, dns, etc.)
-      Listen ssh connection only on specific administration Lan interface
-      Listen networker connection on backup and administration Lan interfaces

The backup team always use root access, because the backup solution require root privileges. The virtualized storage node is accessible by :
-      Backup team
-      System team

So how can i secure root  access even if i want to give them root access - for example not able to change or edit some files etc.

Really appreciated you - Many thanks in advance
0
Comment
Question by:apunkabollywood
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
9 Comments
 
LVL 29

Expert Comment

by:Jan Springer
ID: 39847302
You will need to configure a combination of iptables, sshd_config, fail2band and sudo.
0
 

Author Comment

by:apunkabollywood
ID: 39849374
Thanks Jesper - It would be great if you could explain little bit more with more specific details on tools and also what could be best to use as per above points.

Thanks in advance
0
 
LVL 29

Accepted Solution

by:
Jan Springer earned 300 total points
ID: 39850103
Use iptables (firewall) to restrict which outside IPs may access which TCP/UDP ports.

Modify sshd_config to restrict which users may ssh to the server.

Use fail2ban to block IP addresses from ssh'ing to the server when they have failed X times in X configured minutes.

Use lshell to restrict the ssh users type of access.

Use sudo to read root privilege files without being able to modify them.

I'm tied up for the new couple of hours.  I'll put something more in detail together when I get back.
0
Percona Live Europe 2017 | Sep 25 - 27, 2017

The Percona Live Open Source Database Conference Europe 2017 is the premier event for the diverse and active European open source database community, as well as businesses that develop and use open source database software.

 
LVL 35

Expert Comment

by:Duncan Roe
ID: 39851514
Why do you have to give root access to so many people? The utilities they need to use could be setuid root, group execute, no world access.
0
 
LVL 30

Assisted Solution

by:serialband
serialband earned 50 total points
ID: 39852236
Do not give the Backup admin or System team root access if you don't want them to have it.  You could do as Duncan Roe suggest or just give them sudo access and restrict the utilities they can run by enumerating them in /etc/sudoers.  Why bother sending email when they can't access the tools in the first place?

There hasn't been a need to give people root in a long time.  Ubuntu already does this by default, by not setting a root password.  You're expected to use sudo for everything.  Redhat still gives you a root account.  This doesn't mean that you're limited to those scenarios.  You could set a root password and use the root account on Ubuntu, and you could also unset root password on Redhat and use sudo everywhere.

Uninstall Network Manager, if it's installed, from the system so they can't access it from the GUI.  While network manager makes it easier for users to make changes even if they aren't root, you don't want that power on a server.
0
 

Author Comment

by:apunkabollywood
ID: 39855491
Thank you so much Jesper and Serialband for you valuable comments.

I have few points which i want but confuse how and what the best way to implement:

- Suppose we have 3 nic cards on a same server - but i want ssh/login from only one specific NIC - how to implement that? using IPTABLE if yes then how to specify nic card in that ? or any other option available?

- I want to trace few files - suppose if any one modifiying those files i shud get an alert by a mail or something else? suppose if user changes any thing in ifcfg-eth0 or resolve.conf then i want to have an alert on our mail?

Any other useful thing i could apply to make it secure would be appreciated ?
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 39856092
when i configure iptables, i include both source and destination.  so, you can deny ssh to the other nic subnet/mask destination and allow it to the single nic on the server.

if you have configured this correctly with the permissions, no one would be able to make changes.  that's why i suggest lshell in combination with sudo.  in both, you can specify what commands can be run and with sudo you can specify that the commands can be run as root without having to know or provide the root password.
0
 

Author Comment

by:apunkabollywood
ID: 39856588
Okay thank you jesper - but problem is coming i want to dedicate some instances only to one NIC card and not able to find the best secure way ? will IPtables work in this if yes then please be more specific how?
0
 
LVL 62

Assisted Solution

by:gheist
gheist earned 150 total points
ID: 39872595
Forbid any changes on network configuration files (set read-only)
1) selinux and keep them read-only
2) some integrity checker can notify on change (rkhunter? etckeeper? you choose)
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
It’s 2016. Password authentication should be dead — or at least close to dying. But, unfortunately, it has not traversed Quagga stage yet. Using password authentication is like laundering hotel guest linens with a washboard — it’s Passé.
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…
Suggested Courses

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question