• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 531
  • Last Modified:

Need to secure RHEL Server from outside

Hi All ,

I want to secure my server and find lots of solutions but still confuse which one to choose and why ....it has to be secure - so please help with below query:

-      Forbid any changes on network configuration files (set read-only)
-      Send an automatic e-mail when these attributes change or/and network configuration files was changed
-      Send an automatic e-mail when someone use network configuration tools (ifconfig, iproute2, iptables, dns, etc.)
-      Listen ssh connection only on specific administration Lan interface
-      Listen networker connection on backup and administration Lan interfaces

The backup team always use root access, because the backup solution require root privileges. The virtualized storage node is accessible by :
-      Backup team
-      System team

So how can i secure root  access even if i want to give them root access - for example not able to change or edit some files etc.

Really appreciated you - Many thanks in advance
0
apunkabollywood
Asked:
apunkabollywood
3 Solutions
 
Jan SpringerCommented:
You will need to configure a combination of iptables, sshd_config, fail2band and sudo.
0
 
apunkabollywoodAuthor Commented:
Thanks Jesper - It would be great if you could explain little bit more with more specific details on tools and also what could be best to use as per above points.

Thanks in advance
0
 
Jan SpringerCommented:
Use iptables (firewall) to restrict which outside IPs may access which TCP/UDP ports.

Modify sshd_config to restrict which users may ssh to the server.

Use fail2ban to block IP addresses from ssh'ing to the server when they have failed X times in X configured minutes.

Use lshell to restrict the ssh users type of access.

Use sudo to read root privilege files without being able to modify them.

I'm tied up for the new couple of hours.  I'll put something more in detail together when I get back.
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
Duncan RoeSoftware DeveloperCommented:
Why do you have to give root access to so many people? The utilities they need to use could be setuid root, group execute, no world access.
0
 
serialbandCommented:
Do not give the Backup admin or System team root access if you don't want them to have it.  You could do as Duncan Roe suggest or just give them sudo access and restrict the utilities they can run by enumerating them in /etc/sudoers.  Why bother sending email when they can't access the tools in the first place?

There hasn't been a need to give people root in a long time.  Ubuntu already does this by default, by not setting a root password.  You're expected to use sudo for everything.  Redhat still gives you a root account.  This doesn't mean that you're limited to those scenarios.  You could set a root password and use the root account on Ubuntu, and you could also unset root password on Redhat and use sudo everywhere.

Uninstall Network Manager, if it's installed, from the system so they can't access it from the GUI.  While network manager makes it easier for users to make changes even if they aren't root, you don't want that power on a server.
0
 
apunkabollywoodAuthor Commented:
Thank you so much Jesper and Serialband for you valuable comments.

I have few points which i want but confuse how and what the best way to implement:

- Suppose we have 3 nic cards on a same server - but i want ssh/login from only one specific NIC - how to implement that? using IPTABLE if yes then how to specify nic card in that ? or any other option available?

- I want to trace few files - suppose if any one modifiying those files i shud get an alert by a mail or something else? suppose if user changes any thing in ifcfg-eth0 or resolve.conf then i want to have an alert on our mail?

Any other useful thing i could apply to make it secure would be appreciated ?
0
 
Jan SpringerCommented:
when i configure iptables, i include both source and destination.  so, you can deny ssh to the other nic subnet/mask destination and allow it to the single nic on the server.

if you have configured this correctly with the permissions, no one would be able to make changes.  that's why i suggest lshell in combination with sudo.  in both, you can specify what commands can be run and with sudo you can specify that the commands can be run as root without having to know or provide the root password.
0
 
apunkabollywoodAuthor Commented:
Okay thank you jesper - but problem is coming i want to dedicate some instances only to one NIC card and not able to find the best secure way ? will IPtables work in this if yes then please be more specific how?
0
 
gheistCommented:
Forbid any changes on network configuration files (set read-only)
1) selinux and keep them read-only
2) some integrity checker can notify on change (rkhunter? etckeeper? you choose)
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now