Make sure existing users have decent passwords
– Crack your own users' passwords using JTR (John the Ripper) or Crack
– Preferably run the crackers on a dedicated machine, not the server, due to load
– Any passwords that crack in under a few hours need to have shell access removed until the password can be changed. This should be written into TOS/AUP which is “signed” by the client.
Find locally running processes
– Often script kiddies will launch backdoor scripts on the server using vulnerable php scripts
– Bad clients or hacked accounts will be used to launch IRC bots / bouncers
---`ps auxww`
---`lsof -n`
– Try to find processes hidden by a rootkit, such as SuckIt
---`mpid=$(sysctl kernel.pid_max | cut -d " " -f 3); for i in $(seq 1 $mpid); do test -f /proc/$i/cmdline && (echo -n "[$i] "; strings /proc/$i/cmdline; echo); done`
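The brute-force /proc walk above can be turned into an automatic comparison against what ps shows. The script below is an added example, not part of the original article; the function names, the `--live` switch and the sample PID lists are my own, and the sample data is constructed.

```shell
#!/bin/sh
# Added example (not from the original article): automate the /proc loop
# above by probing /proc/<pid> for every possible PID and comparing with ps.
# A rootkit that hooks readdir()/ps hides a process from listings, not from
# a direct by-name probe of /proc/<pid>.

# Kernel's view: probe every PID from 1 to pid_max by name, no globbing.
list_proc_pids() {
    max=$(cat /proc/sys/kernel/pid_max)
    i=1
    while [ "$i" -le "$max" ]; do
        [ -d "/proc/$i" ] && echo "$i"
        i=$((i + 1))
    done
}

# ps's view, one PID per line with padding removed.
list_ps_pids() {
    ps -e -o pid= | tr -d ' '
}

# hidden_pids PROC_FILE PS_FILE: print PIDs in PROC_FILE absent from PS_FILE.
# FILENAME rather than NR==FNR so an empty PS_FILE is handled correctly.
hidden_pids() {
    awk 'FILENAME == ARGV[1] { seen[$1] = 1; next } !($1 in seen)' "$2" "$1"
}

# Live run (as root). A PID that exits between the two snapshots is a false
# positive, so re-run and only chase repeat offenders.
scan_live() {
    p=$(mktemp); q=$(mktemp)
    list_proc_pids > "$p"
    list_ps_pids > "$q"
    for pid in $(hidden_pids "$p" "$q"); do
        printf '[%s] ' "$pid"
        tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null
        echo
    done
    rm -f "$p" "$q"
}

# Constructed sample (not a real capture): 4242 is in /proc but not in ps.
demo_hidden() {
    p=$(mktemp); q=$(mktemp)
    printf '1\n2\n4242\n5000\n' > "$p"
    printf '1\n2\n5000\n' > "$q"
    hidden_pids "$p" "$q"
    rm -f "$p" "$q"
}
if [ "${1:-}" = "--live" ]; then scan_live; fi
```

Run it with `--live` on the server; the walk over pid_max takes a while on hosts with a large pid_max, which is one more reason to run the heavy checks off-peak.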
Turning off unneeded daemons in xinetd
– Check /etc/xinetd.conf
– Check /etc/xinetd.d/*
---Common ones are cupsd (printing daemon)
---nfs/statd (unless using nfs mounted FS)
Setting login access definitions
– /etc/login.defs
---Expire passwords after PASS_MAX_DAYS
---Set the minimum password length with PASS_MIN_LEN
---Set the number of days before a password expires at which a reminder is sent with PASS_WARN_AGE
---There are more options that are well documented in the default file
– /etc/hosts.allow and /etc/hosts.deny
---Suggest using a firewall instead, as it protects all services, not just the ones written to obey the rules set in the hosts.* files
Setting resource limits for shell accounts
– Set in /etc/security/limits.conf
---Protect against fork bombs and out of control applications, scripts
---Start out very lax and tighten the limits after testing with the current settings, as the need arises
---Example settings:
---`@users hard nofile 500`
---`@users hard cpu 30`
---`@users hard nproc 150`
---`@users soft nproc 100`
---`@users hard rss 50000`
---`@users - maxlogins 3`
---`nobody hard nofile 16384`
Find all world writable files and directories
– `find / \( -perm -a+w \) ! -type l >> world_writable.txt`
---Reveals locations an attacker can use to store their files
---fixing bad perms breaks some poorly written php/cgi scripts
---leave (/var)/tmp alone, secure it with /scripts/securetmp
Find all setuid/gid files
– `find / \( -perm -4000 -o -perm -2000 \) -exec ls -ldb {} \; >> suid_files.txt`
---Many files need these elevated permissions, do not “fix” without knowing exactly how it will affect the system.
---e.g. sudo, su, mount, traceroute, etc.
Find all files with no owner/group
– `find / -nouser -o -nogroup`
Find out what programs are listening on what ports
– `netstat -nap`
– Backdoor scripts/irc apps are usually launched from a writable directory, /tmp or in the user's ~ directory.
– Most will bind to a port and wait for connections, some will “call home” in an attempt to get around P/NAT firewalling
TCP SYN cookies
– `sysctl -w net.ipv4.tcp_syncookies=1`
---or
– `echo 1 > /proc/sys/net/ipv4/tcp_syncookies`
---Helps protect against SYN flood DoS attacks
– `echo 999999 > /proc/sys/net/ipv4/neigh/eth0/locktime`
---Replace eth0 with the primary outgoing Ethernet device
---Increases the time before ARP cache entries expire
– Not needed if setting the ARP cache statically