Linode Forum
Linode Community Forums
 Post subject: Securing your Linode
PostPosted: Thu Dec 23, 2004 3:17 pm 
Junior Member

Joined: Mon Feb 23, 2004 8:14 pm
Posts: 22
Website: http://www.craigweb.net
Location: Aiken,SC USA
Securing your Linode
by Craig Spurrier of Craigweb


Have your server e-mail you every time someone logs in as root
Edit the root .bash_profile
Code:
joe /root/.bash_profile
 


Add the following line to the end:
Code:
echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Login from `who | awk '{print $6}'`" youremailaddresshere
 


Save (Ctrl-K S) and Exit (Ctrl-C).

Disable Ping
The effectiveness of this is debatable, but some people insist it helps.

Run
Code:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all



Keep up to date

Red Hat 9 Only (Very important):
Add the Fedora Legacy Project updates to your Apt sources list.


Code:
joe /etc/apt/sources.list

Add
Code:
rpm http://download.fedoralegacy.org/apt redhat/9/i386 os updates legacy-utils


to /etc/apt/sources.list

Save (Ctrl-K S) and Exit (Ctrl-C).


Set up a cron job to download but not install new updates and e-mail you.

Log into Webmin
Click "System>>Scheduled Cron Jobs"
Click "Create a new scheduled cron job"
Choose Execute cron job as "root"
In the command box enter in
Code:
(apt-get update && apt-get -dy upgrade)  | mail -s "Server update" youraddresshere

Select a time for it to run; be nice to the other people on your Linode and select a random time.
Click Save.

This will run at the time you chose and e-mail you the results. When it says updates are available, just run "apt-get upgrade".

To have it upgrade automatically (not recommended), change "apt-get -dy upgrade" to "apt-get -y upgrade".


This is very incomplete so far; as I have more time I will add to it.
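
Added example, not part of the original post: the root-login alert above takes the remote host from field 6 of `who`, which is empty when `who` prints ISO dates, so this sketch reads the host from the trailing parentheses instead and cleans it before it goes into the subject line. The function names (`login_source`, `alert_subject`, `send_root_alert`) and the sample `who` lines are assumptions made up for the example.

```shell
#!/bin/sh
# Added example (not from the original post). Sample `who` lines are constructed.
OLD_FMT='root     pts/0        Dec 23 15:17 (host.example.net)'
ISO_FMT='root     pts/0        2004-12-23 15:17 (192.0.2.10)'
CONSOLE='root     tty1         Dec 23 15:17'

# login_source: read a `who` line on stdin and print the remote host, taken
# from the trailing "(...)" rather than a fixed column. Prints "local" when
# there is none. The host can be a reverse-DNS name chosen by the remote side,
# so anything outside a conservative character set is replaced with "?".
login_source() {
    awk 'NR == 1 {
        host = "local"
        if (match($0, /\([^()]*\)[ \t]*$/)) {
            host = substr($0, RSTART + 1)
            sub(/\)[ \t]*$/, "", host)
            gsub(/[^A-Za-z0-9.:_-]/, "?", host)
            if (host == "") host = "local"
        }
        print host
    }
    END { if (NR == 0) print "local" }'
}

# alert_subject: same subject text as the original one-liner.
alert_subject() {
    printf 'Alert: Root Login from %s\n' "$(login_source)"
}

# send_root_alert RECIPIENT: mail the alert for the current terminal only
# (`who am i`), so other logged-in users do not end up in the subject.
send_root_alert() {
    line=$(who am i 2>/dev/null)
    subject=$(printf '%s\n' "$line" | alert_subject)
    printf 'ALERT - Root Shell Access on: %s\n%s\n' "$(date)" "$line" |
        mail -s "$subject" "$1"
}

# Demo on the constructed lines; nothing is mailed here.
for sample in "$OLD_FMT" "$ISO_FMT" "$CONSOLE"; do
    printf '%s\n' "$sample" | alert_subject
done
```

Calling `send_root_alert youremailaddresshere` from /root/.bash_profile would stand in for the one-liner; bash reads that file for login shells only, so the alert covers those sessions and nothing else.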


 Post subject:
PostPosted: Sun Jan 02, 2005 11:09 pm 
Senior Member

Joined: Sun Dec 19, 2004 6:46 pm
Posts: 58
* install and run Bastille to harden your Linux distro

I've used Bastille on RHEL3, Centos and Debian Sarge. When run, it displays a series of pages, each page asking a YES/NO question on whether you want to implement the change described. Very user-friendly, educational and practical. See:

http://www.bastille-linux.org/

* install shorewall to control iptables rules. This is the best iptables rules generator I've ever evaluated and I'll never go back to hand-crafting iptables again (except QOS and traffic-shaping stuff). A close 2nd was firehol, an alternative to shorewall. There are many others but these 2 were the best I've evaluated.

* install mod_security to help protect Apache

* install mod_dosevasive to help protect Apache from denial-of-service attacks

* replace inetd with xinetd. also consider 'the djb way' of doing things at:

http://www.thedjbway.org

The djbway uses /services, supervise and optionally tcpserver to make sure your important services are always up. xinetd is a no-brainer decision, while thedjbway is more controversial due to nonstandard directory locations--I use both xinetd and thedjbway. For djbway I use svc-add [svcname], svc-start [svcname], svc-stop [svcname], svc-status [svcname], etc. from supervise-scripts at:

http://untroubled.org/supervise-scripts/

* replace syslogd with syslog-ng. This modern syslogd replacement is easier to configure and much more powerful.

* replace sendmail (D- in security) with any one of: qmail (A+), postfix (A), or exim (A-). All 3 of these mail servers are better than sendmail for security. Only consider qmail if you don't mind installing from source and doing things 'thedjbway'. I found maintaining virtual email domains super-easy with qmail + vpopmail:

http://www.inter7.com/index.php?page=vpopmail

* don't run your own dns servers unless you know what you are doing. Use one of the free services like www.zoneedit.com

* don't run sshd unless you must (because you can logon using lish). if you run sshd, then use a non-standard port instead of port 22.

* install logcheck to get notified of security alerts by email every hour.

* don't mess with file or directory permissions in /var/log/... unless you are a security expert. You might be surprised how changing permissions on Apache log files incorrectly for example, can allow hackers to gain root access to your server.


 Post subject:
PostPosted: Mon Jan 03, 2005 12:11 pm 
Senior Newbie

Joined: Fri Apr 23, 2004 3:08 pm
Posts: 19
sarge wrote:

* don't run sshd unless you must (because you can logon using lish). if you run sshd, then use a non-standard port instead of port 22.



Also, use tcp-wrappers -- /etc/hosts.allow and /etc/hosts.deny.
There is plenty of documentation for this on the Net.

-John


 Post subject:
PostPosted: Thu Jan 13, 2005 2:11 pm 
Senior Member

Joined: Sun Dec 19, 2004 6:46 pm
Posts: 58
Great suggestion. tcp-wrappers is very useful.

When using thedjbway (daemontools and ucspi-tcp), tcpserver is one alternative to tcp-wrappers. Useful if you need to modify rules while the service is running (without restarting the service). Also pretty good at dealing with thousands of entries (since it uses cdb format instead of plain text).

Here's another collection of Linux security tips:

Securing Linux Production Systems,
A Practical Guide to Basic Security in Linux Production Environments

http://www.puschitz.com/SecuringLinux.shtml
