
09/08/2019 [TuT] Linux how to harden install - AlliedModders


[TuT] Linux how to harden install



Mavrick4283 08-30-2011 , 02:32 [TuT] Linux how to harden install


Veteran Member #1

As I said before in my iptables tut, I am making a tut on how to help keep hackers and script kiddies out of
your server. First off, I want to say that I am in no way an expert on everything security, though I like to
think I have advanced knowledge. I am in school for network security, so the information here is not being
pulled out of my ass; I am doing my research.

Any talk about exploits // hacks that include download links or tell the players how to use them will be
removed.

Also any talk about illegal actions such as DDoS/DoS attacks will also be removed.

Also I do not want this turning into a thread about how to hack into other people's servers; anything
along those lines will be removed....

That being said, if you have a way you use to help protect your servers, feel free to post it, or PM it to me if
you do not want to let people know what communities are using what.

There is not one way to protect your servers; it is a combo of things that will help you keep your data
safe. For example, just because you are running a firewall that does not allow any traffic but your server
does not mean that your server cannot be compromised. But if you are running that firewall and the server
in a jail, it will be much harder for a person to damage your server, but once again not impossible. What I
am trying to do is give an intro into security and some concepts that people use to get into your servers.

Basics:
Updates: this one is just common sense: keep your server and the running software up to date. Not only
does this add new features to them, but it also fixes bugs and exploits.
Code:

Red Hat, Fedora, CentOS, and other Red Hat derivatives:


yum upgrade

Debian, Ubuntu, Knoppix, and other Debian derivatives:


apt-get update
apt-get upgrade
apt-get dist-upgrade

Unneeded accounts: As with most OSes, Linux has extra accounts that do not need to be able to
log in interactively, such as www or mysql. This can be done many ways, but here are some of the most
common.

Forcing the default shell to nologin

Code:

nano /etc/passwd

Change the default shell from /bin/bash or whatever shell you are using to:

/sbin/nologin

Lock the account


Code:

passwd -l <account name>

Disable ssh access

Code:

nano /etc/ssh/sshd_config

AllowUsers <Accountname1> <Accountname2>


SSH: As with updates you want to change this to use a different port and the best authentication //
encryption it can.

Because ssh is a service it simply has a config file to change it around

Quit being lazy and read the man pages so you know everything it can do...
Code:

http://linux.die.net/man/5/ssh_config

Here are some of the things you should be looking at though.


Code:

Protocol 2

AllowUsers user1 user2

Ciphers blowfish-cbc,aes256-cbc,aes256-ctr

PasswordAuthentication no

PermitRootLogin no

Subsystem sftp /usr/libexec/sftp-server

Unneeded services: As with all OS's when you install the system there are things that run that you
probably do not need or want such as a web server on your gaming box.

To see what ports are being used and what is using them type:
Code:

lsof -i

You should get a print out like this.

To turn off any services that I do not want to run:

Code:

/etc/init.d/<service name> stop

#to stop it from starting with the system
chkconfig --del <service>

Harden the file system: this is often overlooked, but you want to make sure that your file swaps are
not dynamic and nothing can be exec on it to prevent exploits.

For this we have to make sure there is no X server running. (If you have any problems with the file
systems being in use, also do this.)
Code:

init 1

Now to start editing the file system. It is a REALLY good idea to have a full backup before you try this.
Code:

#Clean out /tmp....


rm -r /tmp/.[a-zA-Z]*

#Open / edit /etc/fstab


nano /etc/fstab

#Add this to the file


none /tmp tmpfs rw,noexec,nosuid,nodev,size=100000000 0 0

#Do the same for var,home,usr but use the following flags.
/var nosuid,nodev,noexec

/home nosuid,nodev

/usr nodev

Harden root authentication: OK, even though you cannot log in as root directly with ssh, you can still use
su to become root. This is bad; you only want 1 or 2 accounts MAX to have rights to become root.

Code:

#Make certain that the file /etc/pam.d/login contains the line:


auth required /lib/security/pam_securetty.so

#Specify that no device is trusted for root login:


cp /etc/securetty /etc/securetty-BACKUP
echo "null" > /etc/securetty

#Now we have to make the wheel account


Code:

#Create a group wheel (and if you already have one, don't worry about any error message at

groupadd -r wheel

#Add the desired users to the group wheel (and you must add at least one!):

#-a appends; without it, -G replaces the account's other supplementary groups
usermod -aG wheel <account>

#Change the group affiliation of the su command, and make it remain setuid as root and exe

chgrp wheel /bin/su


chmod 4750 /bin/su

#Test to verify that group wheel members can use su to become root BEFORE you close your r

Just because only your user can become root does not mean you can use a simple password for it....

I will be adding more as requested


__________________
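An added example, not part of the original post: a small audit that cross-checks the "Unneeded accounts" and SSH steps by listing accounts that still have a login shell but are absent from AllowUsers, and by checking the two `no` settings from the sshd_config list. The function names, file paths and sample data are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. Paths are arguments so the audit
# can run against copies of /etc/passwd and /etc/ssh/sshd_config.

# Non-root accounts whose shell still permits an interactive login.
login_accounts() {   # $1 = passwd file
    awk -F: 'NF >= 7 && $3 != 0 && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# First value of a keyword (sshd honours the first occurrence; Match blocks
# are ignored here, which is a simplification).
sshd_value() {       # $1 = sshd_config, $2 = keyword
    awk -v k="$2" 'tolower($1) == tolower(k) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# One finding per line; prints nothing when everything matches the post.
audit() {            # $1 = passwd file, $2 = sshd_config
    allowed=" $(sshd_value "$2" AllowUsers) "
    for u in $(login_accounts "$1"); do
        case "$allowed" in
            *" $u "*) ;;
            *) echo "review: $u has a login shell but is not in AllowUsers" ;;
        esac
    done
    for key in PermitRootLogin PasswordAuthentication; do
        [ "$(sshd_value "$2" "$key")" = "no" ] || echo "$key is not set to no"
    done
}

# Constructed sample data (not taken from any real host).
tmp=$(mktemp -d)
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
mysql:x:27:27:MySQL:/var/lib/mysql:/bin/bash
www:x:48:48:web:/var/www:/sbin/nologin
hlds:x:1001:1001::/home/hlds:/bin/bash
admin1:x:1002:1002::/home/admin1:/bin/bash
EOF
cat > "$tmp/sshd_config" <<'EOF'
Protocol 2
#PermitRootLogin yes
PermitRootLogin no
AllowUsers admin1
PasswordAuthentication yes
EOF
audit "$tmp/passwd" "$tmp/sshd_config"
```

Accounts flagged for review are candidates for /sbin/nologin or `passwd -l` if nobody needs to log in as them.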
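An added example, not part of the original post: a check that reports which of the mount options from the "Harden the file system" step are missing for /tmp, /var, /home and /usr in an fstab-format file. The function names and the sample fstab (including its device names) are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post: report which of the mount
# options listed in the post are missing from an fstab-format file.

# Options the post asks for on each mount point.
required_opts() {    # $1 = mount point
    case "$1" in
        /tmp|/var) echo "noexec nosuid nodev" ;;
        /home)     echo "nosuid nodev" ;;
        /usr)      echo "nodev" ;;
    esac
}

# Prints the missing options (empty when none), or "no-entry" when the mount
# point has no line of its own and so inherits the options of its parent.
missing_opts() {     # $1 = fstab-format file, $2 = mount point
    opts=$(awk -v m="$2" '$1 !~ /^#/ && $2 == m { print $4; exit }' "$1")
    [ -n "$opts" ] || { echo "no-entry"; return 0; }
    miss=""
    for want in $(required_opts "$2"); do
        case ",$opts," in
            *",$want,"*) ;;
            *) miss="$miss $want" ;;
        esac
    done
    echo "${miss# }"
}

audit_fstab() {      # $1 = fstab-format file
    for m in /tmp /var /home /usr; do
        r=$(missing_opts "$1" "$m")
        [ -z "$r" ] || echo "$m: $r"
    done
}

# Constructed sample fstab; device names are placeholders.
sample=$(mktemp)
cat > "$sample" <<'EOF'
/dev/sda1 /     ext4  defaults                                1 1
none      /tmp  tmpfs rw,noexec,nosuid,nodev,size=100000000   0 0
/dev/sda3 /var  ext4  defaults,nosuid,nodev                   1 2
/dev/sda4 /home ext4  defaults                                1 2
EOF
audit_fstab "$sample"
```

/proc/mounts uses the same column order, so `audit_fstab /proc/mounts` checks what is actually mounted rather than what fstab requests.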


Mavrick4283 08-30-2011 , 02:33 Re: [TuT] Linux how to harden install


Veteran Member #2

reserved
__________________

Join Date: Apr 2010


Location: 127.0.0.1@root
