
Need to secure RHEL Server from outside

Posted on 2014-02-10
Last Modified: 2014-03-07
Hi All,

I want to secure my server and have found lots of solutions, but I am still confused about which one to choose and why. It has to be secure, so please help with the queries below:

- Forbid any changes to network configuration files (set read-only)
- Send an automatic e-mail when these attributes change and/or network configuration files are changed
- Send an automatic e-mail when someone uses network configuration tools (ifconfig, iproute2, iptables, dns, etc.)
- Listen for ssh connections only on a specific administration LAN interface
- Listen for networker connections on the backup and administration LAN interfaces

The backup team always uses root access, because the backup solution requires root privileges. The virtualized storage node is accessible by:
- Backup team
- System team

So how can I secure root access even if I want to give them root access, for example so that they are not able to change or edit some files, etc.?

Really appreciate it. Many thanks in advance
0
Question by:apunkabollywood
9 Comments
 

Expert Comment

by:Jan Springer
ID: 39847302
You will need to configure a combination of iptables, sshd_config, fail2ban and sudo.
0
 

Author Comment

by:apunkabollywood
ID: 39849374
Thanks Jesper. It would be great if you could explain a little bit more, with more specific details on the tools and also on what would be best to use for the points above.

Thanks in advance
0
 

Accepted Solution

by:
Jan Springer earned 1200 total points
ID: 39850103
Use iptables (firewall) to restrict which outside IPs may access which TCP/UDP ports.

Modify sshd_config to restrict which users may ssh to the server.

Use fail2ban to block IP addresses from ssh'ing to the server when they have failed X times in X configured minutes.

Use lshell to restrict the ssh users' type of access.

Use sudo to read root privilege files without being able to modify them.

I'm tied up for the next couple of hours.  I'll put something more in detail together when I get back.
0

Expert Comment

by:Duncan Roe
ID: 39851514
Why do you have to give root access to so many people? The utilities they need to use could be setuid root, group execute, no world access.
0
 

Assisted Solution

by:serialband
serialband earned 200 total points
ID: 39852236
Do not give the Backup admin or System team root access if you don't want them to have it.  You could do as Duncan Roe suggests or just give them sudo access and restrict the utilities they can run by enumerating them in /etc/sudoers.  Why bother sending email when they can't access the tools in the first place?

There hasn't been a need to give people root in a long time.  Ubuntu already does this by default, by not setting a root password.  You're expected to use sudo for everything.  Redhat still gives you a root account.  This doesn't mean that you're limited to those scenarios.  You could set a root password and use the root account on Ubuntu, and you could also unset root password on Redhat and use sudo everywhere.

Uninstall Network Manager, if it's installed, from the system so they can't access it from the GUI.  While network manager makes it easier for users to make changes even if they aren't root, you don't want that power on a server.
0
 

Author Comment

by:apunkabollywood
ID: 39855491
Thank you so much Jesper and Serialband for your valuable comments.

I have a few points which I want but am confused about how and what the best way to implement them is:

- Suppose we have 3 NIC cards on the same server, but I want ssh/login from only one specific NIC. How do I implement that? Using iptables? If yes, then how do I specify the NIC card in that? Or is any other option available?

- I want to track a few files. Suppose anyone is modifying those files, I should get an alert by mail or something else. Suppose a user changes anything in ifcfg-eth0 or resolv.conf, then I want to have an alert in our mail.

Any other useful thing I could apply to make it secure would be appreciated.
0
 

Expert Comment

by:Jan Springer
ID: 39856092
When I configure iptables, I include both source and destination.  So, you can deny ssh to the other NIC subnet/mask destination and allow it to the single NIC on the server.

If you have configured this correctly with the permissions, no one would be able to make changes.  That's why I suggest lshell in combination with sudo.  In both, you can specify what commands can be run, and with sudo you can specify that the commands can be run as root without having to know or provide the root password.
0
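
An added example, not part of any post in this thread: one way to tie SSH to a single NIC, with the iptables rule matching both the incoming interface (`-i`) and the destination address (`-d`), plus two checks for an existing sshd_config and rule file. The interface name `eth1`, the address `192.0.2.10` and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added example; eth1 / 192.0.2.10 are constructed values for the admin NIC.

# Firewall side, in the rule syntax of /etc/sysconfig/iptables on RHEL.
# -i matches the NIC a packet arrived on, -d the local address it was sent to.
ssh_rules() {   # usage: ssh_rules <admin_if> <admin_ip>
    printf '%s\n' \
        "-A INPUT -i $1 -d $2 -p tcp --dport 22 -j ACCEPT" \
        "-A INPUT -p tcp --dport 22 -j DROP"
}

# Daemon side: "ListenAddress 192.0.2.10" in sshd_config binds sshd to that
# address only; with no ListenAddress line sshd listens on every NIC.
# Succeeds only if every ListenAddress is the admin address (IPv4 forms
# "addr" and "addr:port" are handled, IPv6 is not).
sshd_listen_ok() {   # usage: sshd_listen_ok <sshd_config> <admin_ip>
    addrs=$(awk 'tolower($1) == "listenaddress" { print $2 }' "$1")
    [ -n "$addrs" ] || return 1
    for a in $addrs; do
        [ "${a%:*}" = "$2" ] || return 1
    done
}

# Print every rule that accepts tcp/22 without naming the admin NIC.
# Only explicit "--dport 22" rules are examined; a blanket ACCEPT is not.
ssh_accepts_elsewhere() {   # usage: ssh_accepts_elsewhere <rules> <admin_if>
    awk -v nic="$2" \
        '/--dport 22( |$)/ && /-j ACCEPT/ && $0 !~ ("-i " nic "( |$)")' "$1"
}

# Demo on constructed files in a temp directory, not the live configuration.
demo() {
    d=$(mktemp -d)
    printf 'Port 22\n#ListenAddress 0.0.0.0\n' > "$d/sshd_weak"
    printf 'Port 22\nListenAddress 192.0.2.10\n' > "$d/sshd_hard"
    { printf '%s\n' "-A INPUT -p tcp --dport 22 -j ACCEPT"
      ssh_rules eth1 192.0.2.10; } > "$d/rules"
    for f in sshd_weak sshd_hard; do
        if sshd_listen_ok "$d/$f" 192.0.2.10; then echo "$f: admin NIC only"
        else echo "$f: listens on all or other addresses"; fi
    done
    ssh_accepts_elsewhere "$d/rules" eth1
    rm -rf "$d"
}
demo
```

Rule order matters: the ACCEPT for the admin NIC has to come before the generic DROP for port 22, and both before any broader ACCEPT rule.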
 

Author Comment

by:apunkabollywood
ID: 39856588
Okay, thank you Jesper, but the problem is that I want to dedicate some instances to only one NIC card and am not able to find the best secure way. Will iptables work for this? If yes, then please be more specific about how.
0
 

Assisted Solution

by:gheist
gheist earned 600 total points
ID: 39872595
Forbid any changes on network configuration files (set read-only)
1) selinux and keep them read-only
2) some integrity checker can notify on change (rkhunter? etckeeper? you choose)
0
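
An added example, not part of any post in this thread: a minimal hash-baseline check of the kind an integrity checker performs, for the network configuration files named in the question, with a mail alert on change. The function names, the baseline path and the recipient are assumptions; the demo works on constructed copies in a temp directory.

```shell
#!/bin/sh
# Added example. Intended use (paths and recipient are placeholders):
#   baseline_create /var/lib/netcfg.sha256 \
#       /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/resolv.conf
#   cron, as root: alert_on_change /var/lib/netcfg.sha256 root@localhost

# baseline_create <baseline> <file>...: record one SHA-256 line per file.
baseline_create() {
    bl=$1; shift
    : > "$bl"
    chmod 600 "$bl"
    for f in "$@"; do
        if [ -f "$f" ]; then sha256sum "$f" >> "$bl"; fi
    done
}

# baseline_changes <baseline>: print CHANGED/MISSING per file, return 1 if any.
baseline_changes() {
    rc=0
    while read -r sum path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; rc=1
        elif [ "$(sha256sum "$path" | cut -d' ' -f1)" != "$sum" ]; then
            echo "CHANGED $path"; rc=1
        fi
    done < "$1"
    return "$rc"
}

# alert_on_change <baseline> <recipient>: send mail only when something
# differs. mail(1) comes from the mailx package on RHEL.
alert_on_change() {
    if report=$(baseline_changes "$1"); then return 0; fi
    printf '%s\n' "$report" | mail -s "network config changed on $(hostname)" "$2"
    return 1
}

# Demo on constructed copies, never the live /etc files.
demo() {
    d=$(mktemp -d)
    printf 'DEVICE=eth0\nBOOTPROTO=none\n' > "$d/ifcfg-eth0"
    printf 'nameserver 192.0.2.53\n' > "$d/resolv.conf"
    baseline_create "$d/baseline" "$d/ifcfg-eth0" "$d/resolv.conf"
    printf 'nameserver 198.51.100.9\n' >> "$d/resolv.conf"
    { baseline_changes "$d/baseline" || true; } | sed "s|$d/||"
    rm -rf "$d"
}
demo
```

Anyone with unrestricted root can rewrite the baseline as easily as the watched files, so this check is only meaningful once root access has been narrowed with sudo as suggested earlier in the thread.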
