Solved

Need to secure RHEL Server from outside

Posted on 2014-02-10
9
504 Views
Last Modified: 2014-03-07
Hi All ,

I want to secure my server and find lots of solutions but still confuse which one to choose and why ....it has to be secure - so please help with below query:

-      Forbid any changes on network configuration files (set read-only)
-      Send an automatic e-mail when these attributes change or/and network configuration files was changed
-      Send an automatic e-mail when someone use network configuration tools (ifconfig, iproute2, iptables, dns, etc.)
-      Listen ssh connection only on specific administration Lan interface
-      Listen networker connection on backup and administration Lan interfaces

The backup team always use root access, because the backup solution require root privileges. The virtualized storage node is accessible by :
-      Backup team
-      System team

So how can i secure root  access even if i want to give them root access - for example not able to change or edit some files etc.

Really appreciated you - Many thanks in advance
0
Comment
Question by:apunkabollywood
9 Comments
 
LVL 28

Expert Comment

by:Jan Springer
ID: 39847302
You will need to configure a combination of iptables, sshd_config, fail2band and sudo.
0
 

Author Comment

by:apunkabollywood
ID: 39849374
Thanks Jesper - It would be great if you could explain little bit more with more specific details on tools and also what could be best to use as per above points.

Thanks in advance
0
 
LVL 28

Accepted Solution

by:
Jan Springer earned 300 total points
ID: 39850103
Use iptables (firewall) to restrict which outside IPs may access which TCP/UDP ports.

Modify sshd_config to restrict which users may ssh to the server.

Use fail2ban to block IP addresses from ssh'ing to the server when they have failed X times in X configured minutes.

Use lshell to restrict the ssh users type of access.

Use sudo to read root privilege files without being able to modify them.

I'm tied up for the new couple of hours.  I'll put something more in detail together when I get back.
0
Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

 
LVL 34

Expert Comment

by:Duncan Roe
ID: 39851514
Why do you have to give root access to so many people? The utilities they need to use could be setuid root, group execute, no world access.
0
 
LVL 28

Assisted Solution

by:serialband
serialband earned 50 total points
ID: 39852236
Do not give the Backup admin or System team root access if you don't want them to have it.  You could do as Duncan Roe suggest or just give them sudo access and restrict the utilities they can run by enumerating them in /etc/sudoers.  Why bother sending email when they can't access the tools in the first place?

There hasn't been a need to give people root in a long time.  Ubuntu already does this by default, by not setting a root password.  You're expected to use sudo for everything.  Redhat still gives you a root account.  This doesn't mean that you're limited to those scenarios.  You could set a root password and use the root account on Ubuntu, and you could also unset root password on Redhat and use sudo everywhere.

Uninstall Network Manager, if it's installed, from the system so they can't access it from the GUI.  While network manager makes it easier for users to make changes even if they aren't root, you don't want that power on a server.
0
 

Author Comment

by:apunkabollywood
ID: 39855491
Thank you so much Jesper and Serialband for you valuable comments.

I have few points which i want but confuse how and what the best way to implement:

- Suppose we have 3 nic cards on a same server - but i want ssh/login from only one specific NIC - how to implement that? using IPTABLE if yes then how to specify nic card in that ? or any other option available?

- I want to trace few files - suppose if any one modifiying those files i shud get an alert by a mail or something else? suppose if user changes any thing in ifcfg-eth0 or resolve.conf then i want to have an alert on our mail?

Any other useful thing i could apply to make it secure would be appreciated ?
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 39856092
when i configure iptables, i include both source and destination.  so, you can deny ssh to the other nic subnet/mask destination and allow it to the single nic on the server.

if you have configured this correctly with the permissions, no one would be able to make changes.  that's why i suggest lshell in combination with sudo.  in both, you can specify what commands can be run and with sudo you can specify that the commands can be run as root without having to know or provide the root password.
0
 

Author Comment

by:apunkabollywood
ID: 39856588
Okay thank you jesper - but problem is coming i want to dedicate some instances only to one NIC card and not able to find the best secure way ? will IPtables work in this if yes then please be more specific how?
0
 
LVL 62

Assisted Solution

by:gheist
gheist earned 150 total points
ID: 39872595
Forbid any changes on network configuration files (set read-only)
1) selinux and keep them read-only
2) some integrity checker can notify on change (rkhunter? etckeeper? you choose)
0

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Hello EE, Today we will learn how to send all your network traffic through Tor which is useful to get around censorship and being tracked all together to a certain degree. This article assumes you will be using Linux, have a minimal knowledge of …
The purpose of this article is to fix the unknown display problem in Linux Mint operating system. After installing the OS if you see Display monitor is not recognized then we can install "MESA" utilities to fix this problem or we can install additio…
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question