Solved

Need to secure RHEL Server from outside

Posted on 2014-02-10
9
505 Views
Last Modified: 2014-03-07
Hi All ,

I want to secure my server and find lots of solutions but still confuse which one to choose and why ....it has to be secure - so please help with below query:

-      Forbid any changes on network configuration files (set read-only)
-      Send an automatic e-mail when these attributes change or/and network configuration files was changed
-      Send an automatic e-mail when someone use network configuration tools (ifconfig, iproute2, iptables, dns, etc.)
-      Listen ssh connection only on specific administration Lan interface
-      Listen networker connection on backup and administration Lan interfaces

The backup team always use root access, because the backup solution require root privileges. The virtualized storage node is accessible by :
-      Backup team
-      System team

So how can i secure root  access even if i want to give them root access - for example not able to change or edit some files etc.

Really appreciated you - Many thanks in advance
0
Comment
Question by:apunkabollywood
9 Comments
 
LVL 28

Expert Comment

by:Jan Springer
ID: 39847302
You will need to configure a combination of iptables, sshd_config, fail2band and sudo.
0
 

Author Comment

by:apunkabollywood
ID: 39849374
Thanks Jesper - It would be great if you could explain little bit more with more specific details on tools and also what could be best to use as per above points.

Thanks in advance
0
 
LVL 28

Accepted Solution

by:
Jan Springer earned 300 total points
ID: 39850103
Use iptables (firewall) to restrict which outside IPs may access which TCP/UDP ports.

Modify sshd_config to restrict which users may ssh to the server.

Use fail2ban to block IP addresses from ssh'ing to the server when they have failed X times in X configured minutes.

Use lshell to restrict the ssh users type of access.

Use sudo to read root privilege files without being able to modify them.

I'm tied up for the new couple of hours.  I'll put something more in detail together when I get back.
0
Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

 
LVL 34

Expert Comment

by:Duncan Roe
ID: 39851514
Why do you have to give root access to so many people? The utilities they need to use could be setuid root, group execute, no world access.
0
 
LVL 29

Assisted Solution

by:serialband
serialband earned 50 total points
ID: 39852236
Do not give the Backup admin or System team root access if you don't want them to have it.  You could do as Duncan Roe suggest or just give them sudo access and restrict the utilities they can run by enumerating them in /etc/sudoers.  Why bother sending email when they can't access the tools in the first place?

There hasn't been a need to give people root in a long time.  Ubuntu already does this by default, by not setting a root password.  You're expected to use sudo for everything.  Redhat still gives you a root account.  This doesn't mean that you're limited to those scenarios.  You could set a root password and use the root account on Ubuntu, and you could also unset root password on Redhat and use sudo everywhere.

Uninstall Network Manager, if it's installed, from the system so they can't access it from the GUI.  While network manager makes it easier for users to make changes even if they aren't root, you don't want that power on a server.
0
 

Author Comment

by:apunkabollywood
ID: 39855491
Thank you so much Jesper and Serialband for you valuable comments.

I have few points which i want but confuse how and what the best way to implement:

- Suppose we have 3 nic cards on a same server - but i want ssh/login from only one specific NIC - how to implement that? using IPTABLE if yes then how to specify nic card in that ? or any other option available?

- I want to trace few files - suppose if any one modifiying those files i shud get an alert by a mail or something else? suppose if user changes any thing in ifcfg-eth0 or resolve.conf then i want to have an alert on our mail?

Any other useful thing i could apply to make it secure would be appreciated ?
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 39856092
when i configure iptables, i include both source and destination.  so, you can deny ssh to the other nic subnet/mask destination and allow it to the single nic on the server.

if you have configured this correctly with the permissions, no one would be able to make changes.  that's why i suggest lshell in combination with sudo.  in both, you can specify what commands can be run and with sudo you can specify that the commands can be run as root without having to know or provide the root password.
0
 

Author Comment

by:apunkabollywood
ID: 39856588
Okay thank you jesper - but problem is coming i want to dedicate some instances only to one NIC card and not able to find the best secure way ? will IPtables work in this if yes then please be more specific how?
0
 
LVL 62

Assisted Solution

by:gheist
gheist earned 150 total points
ID: 39872595
Forbid any changes on network configuration files (set read-only)
1) selinux and keep them read-only
2) some integrity checker can notify on change (rkhunter? etckeeper? you choose)
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

SSH (Secure Shell) - Tips and Tricks As you all know SSH(Secure Shell) is a network protocol, which we use to access/transfer files securely between two networked devices. SSH was actually designed as a replacement for insecure protocols that sen…
Fine Tune your automatic Updates for Ubuntu / Debian
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question