Category Archives: Linux Security

IRC caused me to use Linux! Quick how to setup a shell server.

Years ago back in the day as they say I was constantly on IRC! I was told to try Linux to run several services! That is what got me into Linux. I want to say around 1998! I am sure it was 98! Anyways I started off with Slackware. It might have been Slackware 6! That is what sticks out in the mind… I setup a shell server today for a customer on CentOS5 64 bit. It is really simple. You just install gcc, screen, glibc, automake, autoconf, oidentd, BitchX and some other packages if needed. Then lock the server down so that shell users can only use what you want them to. Remove unneeded packages. Install a firewall and brute force detection. You might also install malware detection and rootkit detection. Here is a quick and easy setup for a CentOS5 shell box.

Install CentOS. Make sure to customize the package selection and unselect everything but the base install, so that nothing but the BASE INSTALL is selected. I cannot count how many times people have told me it needs the SECOND CD! NO it does not if you unselect everything but the base install. You have to choose customize when selecting packages….

After you have CentOS installed update the system with yum.
yum -y update

Download the DAG Repository Installer! Super simple! In my case I used CentOS 5 64-bit.
rpm -Uhv http://apt.sw.be/redhat/el5/en/x86_64/rpmforge/RPMS//rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm

Next yum install the packages you require. Here is what I installed.
yum install gcc glibc automake autoconf oidentd BitchX znc gcc-c++ ncurses ncurses-devel glibc-common glibc-devel glibc-headers glibc-utils compat-glibc lynx links curl

I also installed ncftp, as it is an easy-to-use command line FTP client.
wget ftp://ftp.pbone.net/mirror/centos.karan.org/el5/extras/testing/x86_64/RPMS/ncftp-3.2.0-3.el5.kb.x86_64.rpm
rpm -Uvh ncftp-3.2.0-3.el5.kb.x86_64.rpm

Next, lock down the server a bit. You can always do more than I did this time…
userdel adm
userdel lp
userdel shutdown
userdel halt
userdel news
userdel uucp
userdel operator
userdel games
userdel gopher
groupdel adm
groupdel lp
groupdel news
groupdel uucp
groupdel games
groupdel dip
chmod 700 /bin/linuxconf
chmod 750 /bin/mt
chmod 750 /bin/setserial
chmod 750 /sbin/badblocks
chmod 750 /sbin/ctrlaltdel
chmod 750 /sbin/chkconfig
chmod 750 /sbin/debugfs
chmod 750 /sbin/depmod
chmod 6750 /sbin/dump
chmod 750 /sbin/dumpe2fs
chmod 750 /sbin/fdisk
chmod 750 /sbin/fsck
chmod 750 /sbin/fsck.ext2
chmod 750 /sbin/fsck.minix
chmod 750 /sbin/ftl_check
chmod 750 /sbin/ftl_format
chmod 750 /sbin/halt
chmod 750 /sbin/hdparm
chmod 750 /sbin/hwclock
chmod 750 /sbin/ifconfig
chmod 750 /sbin/ifdown
chmod 750 /sbin/ifport
chmod 750 /sbin/ifup
chmod 750 /sbin/ifuser
chmod 750 /sbin/init
chmod 750 /sbin/insmod
chmod 750 /sbin/killall5
chmod 750 /sbin/lilo
chmod 750 /sbin/mingetty
chmod 750 /sbin/mkbootdisk
chmod 750 /sbin/mke2fs
chmod 750 /sbin/mkfs
chmod 750 /sbin/mkfs.ext2
chmod 750 /sbin/mkfs.minix
chmod 750 /sbin/mkfs.msdos
chmod 750 /sbin/mkinitrd
chmod 750 /sbin/mkraid
chmod 750 /sbin/mkswap
chmod 750 /sbin/modinfo
chmod 750 /sbin/modprobe
chmod 2750 /sbin/netreport
chmod 750 /sbin/portmap
chmod 750 /sbin/quotaon
chmod 6750 /sbin/restore
chmod 750 /sbin/runlevel
chmod 750 /sbin/stinit
chmod 750 /sbin/swapon
chmod 750 /sbin/tune2fs
chmod 750 /usr/bin/eject
chmod 4750 /usr/bin/gpasswd
chmod 4755 /usr/bin/lpr
chmod 750 /usr/sbin/atd
chmod 750 /usr/sbin/atrun
chmod 750 /usr/sbin/crond
chmod 750 /usr/sbin/edquota
chmod 750 /usr/sbin/exportfs
chmod 750 /usr/sbin/groupadd
chmod 750 /usr/sbin/groupdel
chmod 750 /usr/sbin/groupmod
chmod 750 /usr/sbin/grpck
chmod 750 /usr/sbin/grpconv
chmod 750 /usr/sbin/grpunconv
chmod 750 /usr/sbin/in.identd
chmod 750 /sbin/klogd
chmod 750 /usr/sbin/logrotate
chmod 2750 /usr/sbin/lpc
chmod 740 /usr/sbin/lpd
chmod 755 /usr/sbin/lsof
chmod 550 /usr/sbin/makemap
chmod 750 /usr/sbin/mouseconfig
chmod 750 /usr/sbin/newusers
chmod 750 /usr/sbin/ntpdate
chmod 750 /usr/sbin/ntpq
chmod 750 /usr/sbin/ntptime
chmod 750 /usr/sbin/ntptrace
chmod 750 /usr/sbin/ntsysv
chmod 750 /usr/sbin/pwck
chmod 750 /usr/sbin/pwconv
chmod 750 /usr/sbin/pwunconv
chmod 550 /usr/sbin/quotastats
chmod 750 /usr/sbin/rdev
chmod 550 /usr/sbin/repquota
chmod 750 /usr/sbin/rpc.mountd
chmod 750 /usr/sbin/rpc.nfsd
chmod 750 /usr/sbin/rpc.rquotad
chmod 750 /sbin/rpc.statd
chmod 750 /usr/sbin/rpcinfo
chmod 750 /usr/sbin/setup
chmod 750 /usr/sbin/showmount
chmod 750 /sbin/syslogd
chmod 750 /usr/sbin/tcpd
chmod 750 /usr/sbin/timeconfig
chmod 750 /usr/sbin/tmpwatch
chmod 750 /usr/sbin/tunelp
chmod 750 /usr/sbin/useradd
chmod 750 /usr/sbin/userdel
chmod 4750 /usr/sbin/userhelper
chmod 750 /usr/sbin/usermod
chmod 4750 /usr/sbin/usernetctl
chmod 750 /usr/sbin/vipw
chmod 755 /bin/mount
chmod 755 /bin/umount
chmod 755 /bin/ping
chmod 755 /usr/bin/at
chmod 0 /usr/bin/rcp
chmod 0 /usr/bin/rlogin
chmod 0 /usr/bin/rsh
chmod 750 /usr/sbin/usernetctl
chmod 755 /usr/sbin/traceroute
chmod 500 /usr/bin/lpr
chmod 500 /usr/bin/lprm
chmod 500 /usr/bin/lpq
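
A chmod list this long is easy to get wrong on a box where half the paths do not exist, and a 750 or 755 silently strips a setuid bit that the binary needs (755 on ping or mount takes away their setuid root). As an added example that is not from the original post, the function below takes a "MODE PATH" list in the same shape as the one above, skips paths that are not installed, and reports every entry that drops a setuid/setgid bit before applying it; the PREFIX argument is this example's own addition so the list can be tried against a copy of the tree first.

```shell
#!/bin/sh
# Added example, not code from the original post: apply a "MODE PATH" list like
# the chmod list above, but skip paths that are not installed on this box and
# report every entry whose current mode has a setuid/setgid bit that the new
# mode drops (the way 755 on ping or mount takes away their setuid root).
# PREFIX is this example's own addition so the list can be tried on a copy first.

pad4() {   # left-pad an octal mode to four digits: 750 -> 0750, 0 -> 0000
    case ${#1} in 1) echo "000$1" ;; 2) echo "00$1" ;; 3) echo "0$1" ;; *) echo "$1" ;; esac
}

harden_modes() {   # usage: harden_modes [PREFIX] < list   (numeric modes only)
    prefix=${1:-}
    dropped=0
    while read -r mode path; do
        case $mode in ''|\#*) continue ;; esac               # blank lines and comments
        target="$prefix$path"
        if [ ! -e "$target" ]; then
            echo "skip (not installed): $path"
            continue
        fi
        old=$(pad4 "$(stat -c '%a' "$target")")              # GNU stat, e.g. 4755
        new=$(pad4 "$mode")
        oldspec=${old%???}; newspec=${new%???}               # leading digit: 4=setuid 2=setgid
        for bit in 4 2; do
            if [ $((oldspec & bit)) -ne 0 ] && [ $((newspec & bit)) -eq 0 ]; then
                [ "$bit" -eq 4 ] && name=setuid || name=setgid
                echo "drops $name: $path ($old -> $new)"
                dropped=$((dropped + 1))
            fi
        done
        chmod "$mode" "$target" && echo "set $new: $path"
    done
    echo "summary: $dropped entries lose a setuid/setgid bit"
}
```

Feed it the list with `harden_modes < modes.txt` as root; run it with a prefix against a copy of the tree first and read the "drops" lines before touching the real system.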

Remove unneeded packages
Remove whatever is not used; these are just some packages that do not need to be on a shell server.
rpm -ev --nodeps apmd
rpm -ev --nodeps sndconfig
rpm -ev --nodeps aumix
rpm -ev --nodeps cups-devel
rpm -ev --nodeps cups-drivers
rpm -ev --nodeps cups-libs
rpm -ev --nodeps cups
rpm -ev --nodeps kernel-pcmcia-cs
rpm -ev --nodeps LPRng printconf
rpm -ev --nodeps pnm2ppa
rpm -ev --nodeps mpage
rpm -ev --nodeps Omni Omni-foomatic
rpm -ev --nodeps foomatic
rpm -ev --nodeps cdlabelgen
rpm -ev --nodeps cdparanoia-devel
rpm -ev --nodeps cdparanoia
rpm -ev --nodeps cdparanoia-alpha9
rpm -ev --nodeps cpd
rpm -ev --nodeps playmidi
rpm -ev --nodeps talk
rpm -ev --nodeps talk-server
rpm -ev --nodeps inews
rpm -ev --nodeps inn
rpm -ev --nodeps a2ps
rpm -ev --nodeps docbook-utils docbook-utils-pdf
rpm -ev --nodeps docbook-style-dsssl
rpm -ev --nodeps docbook-dtd30-sgml docbook-dtd31-sgml
rpm -ev --nodeps docbook-dtd40-sgml docbook-dtd41-sgml
rpm -ev --nodeps psgml
rpm -ev --nodeps sgml-tools
rpm -ev --nodeps bcm5820
rpm -ev --nodeps efax
rpm -ev --nodeps eject

Turn off services you do not use. An easy way to do this is to type ntsysv and hit the space bar on services you do not want to run on start up. If there is an X next to a service, it runs on startup.

Install a firewall and brute force detection. I used APF and BFD.
Find the ports you need to open. 22 for SSH is open by default, and the firewall is in development mode by default as well.

Download APF and BFD (Advanced Policy Firewall and Brute Force Detection)
wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz
wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz

Install APF
Extract it
tar xvzf apf-current.tar.gz
Go into the extracted directory
cd apf-0.9.7-1
Install APF
sh install.sh
Edit the conf.apf
vi /etc/apf/conf.apf

For inbound ports edit these lines.
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS=22
and
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS=

Also turn OFF devmode when you are done opening ports.
# Set firewall dev cronjob
# 1 = enabled / 0 = disabled
DEVM=

Save the file
In vi hit esc then :wq to save the file
Run service apf restart to restart the firewall,
or /etc/init.d/apf restart
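
Two things go wrong at this step often enough to be worth a check before the restart: DEVM left on (its cronjob keeps flushing the rules, so the box stays open) and port 22 missing from IG_TCP_CPORTS (the restart locks you out of SSH). As an added example that is not part of the original post or of APF itself, this reads the conf.apf key=value lines shown above and flags both; it assumes that layout, with or without quotes around the values.

```shell
#!/bin/sh
# Added example, not part of the original post or of APF itself: check an APF
# conf.apf before "service apf restart". It flags the two mistakes the post warns
# about: leaving DEVM (dev mode, whose cronjob keeps flushing the rules) switched
# on, and restarting without the SSH port in IG_TCP_CPORTS, which locks you out.
# Assumes the conf.apf key=value layout shown above; quotes around values are optional.

apf_value() {   # usage: apf_value FILE KEY -> value of KEY, quotes and trailing comment removed
    sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '"' | sed 's/[[:space:]]*#.*//'
}

check_apf_conf() {   # usage: check_apf_conf /etc/apf/conf.apf ; returns 1 when unsafe
    conf=$1
    rc=0
    devm=$(apf_value "$conf" DEVM)
    case $devm in
        0) echo "ok: DEVM=0, dev mode off" ;;
        *) echo "UNSAFE: DEVM='$devm' (dev-mode cronjob keeps flushing the rules); set DEVM=\"0\""
           rc=1 ;;
    esac
    tcp=$(apf_value "$conf" IG_TCP_CPORTS)
    udp=$(apf_value "$conf" IG_UDP_CPORTS)
    echo "inbound tcp: ${tcp:-none}   inbound udp: ${udp:-none}"
    case ",$tcp," in
        *,22,*) echo "ok: port 22 (SSH) stays open" ;;
        *) echo "UNSAFE: port 22 (SSH) is not in IG_TCP_CPORTS; a restart locks you out"
           rc=1 ;;
    esac
    return $rc
}
```

Run `check_apf_conf /etc/apf/conf.apf && service apf restart` so the restart only happens when both checks pass.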

Install BFD
Extract it
tar xvzf bfd-current.tar.gz
Go into the extracted directory
cd bfd-1.4
Install BFD
sh install.sh
You can edit the conf file, but it is ready to go out of the box; you don't have to edit it.
vi /usr/local/bfd/conf.bfd
You might want to set it up to email the root user when the server is brute force attacked.

After that install some kind of malware and rootkit detection the two I used today are Linux Malware Detect and chkrootkit.

Download Linux Malware Detect and install it.
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar xvzf maldetect-current.tar.gz
cd maldetect-1.4.0/
sh install.sh

Edit the conf for your needs.
vi /usr/local/maldetect/conf.maldet

Next download and install chkrootkit.

wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar xvzf chkrootkit.tar.gz
mv chkrootkit-0.49 chkrootkit
mv chkrootkit /usr/local
cd /usr/local/chkrootkit
make sense
Create chkrootkit.sh with the following contents
nano chkrootkit.sh

#!/bin/sh
(
/usr/local/chkrootkit/chkrootkit
) | /bin/mail -s 'CHKROOTKIT Daily Run (servername)' emailaddress

Now set up a cronjob to run chkrootkit nightly
crontab -e
0 15 * * 0 /usr/local/chkrootkit.sh

There is a whole lot more you can do but this is a quick and easy how to on how to setup a shell server quickly. I hope you learned something or found it useful!

Quick RAID0 and Drive Encryption on CentOS command line How To.

List drives by typing fdisk -l
Create a primary partition on each drive and make it a Linux raid auto partition.
fd = Linux raid auto

fdisk /dev/sdb
1. type n for new
n
2. type p for primary
p
3. type 1 for the first partition
1
4. type t for type
t
5. type fd for Linux raid auto
fd

6. Do this for all the drives you want to include.

7. fdisk /dev/sdc
then follow the steps above
8. fdisk /dev/sdd
then follow the steps above.

Create the raid0 partition (raid0 has no redundancy but adds the space together).
mdadm --create --verbose /dev/md0 --level=0 --raid-devices=3 /dev/sdb1 /dev/sdc1 /dev/sdd1

Set up the encryption and the encryption password.
cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/md0
cryptsetup luksOpen /dev/md0 burn

Format the newly created raid0 partition
mkfs -t ext3 /dev/mapper/burn

Make a directory to mount the new partition
mkdir /raid0
Mount the new raid0 partition.

mount /dev/mapper/burn /raid0

Done deal! You now have set up a drive with encryption and a raid0 partition. It does require a password to mount the drive.
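
The same procedure as one script, as an added example that is not part of the original post: non-interactive sfdisk replaces the fdisk dialogue (and writes the table, which fdisk only does when you finish with w), and --raid-devices is derived from the drive list so it cannot disagree with the partitions passed to mdadm. The cipher string, the mapper name burn and /raid0 are the post's; DRY_RUN and the sfdisk input line are this example's assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: the RAID0 + LUKS procedure above
# as one non-interactive script. sfdisk replaces the interactive fdisk dialogue
# (it also writes the table, the "w" step fdisk needs before anything is saved),
# and --raid-devices is derived from the drive list so it cannot disagree with it.
# DRY_RUN=1 only prints the commands. Device names, "burn" and /raid0 are the post's.

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

build_encrypted_raid0() {   # usage: build_encrypted_raid0 NAME MOUNTPOINT /dev/sdb /dev/sdc ...
    if [ $# -lt 4 ]; then
        echo "usage: build_encrypted_raid0 NAME MOUNTPOINT DRIVE DRIVE [DRIVE...]" >&2
        return 1
    fi
    name=$1; mnt=$2; shift 2
    parts=""
    for dev in "$@"; do
        # one primary partition spanning the drive, type fd (Linux raid autodetect);
        # the ",,fd" input line is sfdisk's "start,size,type" with start/size defaulted
        run sh -c "printf ',,fd\n' | sfdisk $dev"
        parts="$parts ${dev}1"
    done
    run mdadm --create --verbose /dev/md0 --level=0 --raid-devices=$# $parts
    # LUKS container with the post's cipher; -y asks for the passphrase twice
    run cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/md0
    run cryptsetup luksOpen /dev/md0 "$name"
    run mkfs -t ext3 "/dev/mapper/$name"
    run mkdir -p "$mnt"
    run mount "/dev/mapper/$name" "$mnt"
}
```

Run `DRY_RUN=1 build_encrypted_raid0 burn /raid0 /dev/sdb /dev/sdc /dev/sdd` first and read the printed commands; without DRY_RUN the partition tables on those drives are overwritten.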