
Thursday, June 22, 2006 

How to harden your Unix Server

Mask Apache Server Information

Server headers and directory defaults usually show Apache server information. This information can be used by hackers to learn about vulnerabilities on your server if the system is not updated. You can mask server information as follows:

1. Log into server as root.

2. Open /etc/httpd/conf/httpd.conf with an editor.

3. Change the line ServerSignature on to
ServerSignature Off

4. Find the line "HostnameLookups off"
After that line, add "ServerTokens Prod", followed by these lines, which refuse TRACE and TRACK requests:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
RewriteCond %{REQUEST_METHOD} ^TRACK
RewriteRule .* - [F]

5. Save and exit.

6. Restart Apache with /etc/rc.d/init.d/httpd restart



Install System Integrity Monitor

System Integrity Monitor (SIM) monitors system services and provides a clean and informative representation of system status. It is an essential tool for server admins to monitor servers. SIM has several modules that can be installed to help admins with common system processes. SIM will verify that system and services are online, check load averages, and maintain log files.

1. Log in to the server and su to root.

2. Go to /usr/local

3. Get source file wget http://www.r-fx.org/downloads/sim-current.tar.gz

4. Untar file with tar -xzvf sim-current.tar.gz

5. cd sim-2.5-3 (or latest version of SIM)

6. Type ./setup -i

7. Press Enter and the spacebar to continue.

8. Finally, you reach the auto-configuration script for SIM. Select the options you want to install.




Security: Use SSH protocol 2

The old SSH Protocol 1 has several security holes and is targeted by many automated "root kits". Protocol 2 is an improvement that plugs the holes. All servers with SSH 1 should use SSH 2.

1. Open /etc/ssh/sshd_config with an editor.

2. Find the line "#Protocol 2, 1".

3. Uncomment (remove #).

4. Save and exit.

5. Restart SSH with /etc/rc.d/init.d/sshd restart


Security: Disable direct root login

The root user is the most important account on a server. The root user has access to any file/program/application running on a server. By default, terminal services allow the root user to log in. This is a major threat to security, as hackers can try to guess the root password to gain access.

Disabling direct root login requires logging in with an extra user account before changing to the root user. This forces a hacker to guess 2 separate passwords to become the root user.

cPanel users/servers must add the user to the 'wheel' group so that the user is allowed to su to root. Failure to do so would cause a lockout of the root account.

* A user with SSH access must already be created.

1. SSH into server as user and gain root access by 'su -'

2. Open /etc/ssh/sshd_config with an editor.

3. Find line PermitRootLogin yes

4. Uncomment it and change the value to no, so that the line reads PermitRootLogin no

5. Save the file and exit.

6. Restart SSH with "/etc/rc.d/init.d/sshd restart"
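
One way to check the result of this section and of the SSH protocol 2 section, as an added example that is not part of the original post: a shell audit of sshd_config. The function names and the sample file are constructed for illustration; the audit fails a Protocol line that still lists 1 (such as "2, 1"), because sshd then keeps accepting protocol 1 connections.

```shell
#!/bin/sh
# Added example: audit sshd_config for the two settings discussed above.

# Print the first active value of a keyword in the global part of the file.
# sshd uses the first value it reads for a keyword, keywords are
# case-insensitive, and lines starting with '#' are comments.
sshd_value() {  # $1 = keyword, $2 = file
    awk -v key="$1" '
        { sub(/^[ \t]+/, "") }              # drop leading whitespace
        /^#/ || /^$/ { next }               # skip comments and blank lines
        tolower($1) == "match" { exit }     # conditional blocks are not audited
        tolower($1) == tolower(key) {
            $1 = ""; gsub(/[ \t]/, ""); print; exit
        }' "$2"
}

# Succeed only if the file restricts sshd to protocol 2. An unset keyword
# (compiled-in default) or a list such as "2,1" still offering version 1 fails.
check_protocol() {  # $1 = file
    [ "$(sshd_value Protocol "$1")" = "2" ]
}

# Succeed only if direct root login is explicitly refused.
check_root_login() {  # $1 = file
    [ "$(sshd_value PermitRootLogin "$1")" = "no" ]
}

# Print one line per check; the return status is the number of failed checks.
audit() {  # $1 = file
    fails=0
    if check_protocol "$1"; then echo "PASS Protocol 2 only"
    else echo "FAIL Protocol='$(sshd_value Protocol "$1")' (want 2)"; fails=$((fails + 1)); fi
    if check_root_login "$1"; then echo "PASS PermitRootLogin no"
    else echo "FAIL PermitRootLogin='$(sshd_value PermitRootLogin "$1")' (want no)"; fails=$((fails + 1)); fi
    return "$fails"
}

# Constructed sample: the file after uncommenting "#Protocol 2, 1" unchanged
# and setting PermitRootLogin to no. Pass a real path as $1 to audit it instead.
sample=$(mktemp)
printf '%s\n' '#Port 22' 'Protocol 2, 1' '#PermitRootLogin yes' 'PermitRootLogin no' > "$sample"
audit "${1:-$sample}" || echo "$? check(s) failed"
rm -f "$sample"
```

Current OpenSSH releases no longer implement protocol 1, so on those systems an unset Protocol keyword is not a finding.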




Security: Disabling Telnet

Telnet is a threat to server security. The protocol communicates on port 23 for both incoming and outgoing messages. Passwords and usernames are sent as clear text during logins, giving hackers the chance to tap the traffic between client and server and then gain access. Telnet should always be disabled on web servers and replaced with a more secure platform like SSH.


To disable telnet on your server, follow these steps:

1. Log in as root.

2. Open the file /etc/xinetd.d/telnet with your editor (pico/vi).

3. Find the line "disable = no" and replace it with "disable = yes".

4. Restart the inetd service with command /etc/rc.d/init.d/xinetd restart

5. Do a quick scan to make sure port 23 telnet is closed.
nmap -sT -O localhost



The Author

  • Nick Perrydoo
  • Spawn at Philippines
© Copyright 2006 Ba-zoo-ra - All Rights Reserved.