Every day we see new malware infecting all the major operating systems. Having been in the web hosting industry for more than a decade, we have developed a set of procedures that act as a basic guide to hardening Linux servers. Server hardening is the process of enhancing server security through a variety of means, resulting in a secure server operating environment by reducing the likelihood of compromise.
1.Enable BIOS password and protect GRUB
Enable a BIOS password and protect GRUB with a password to restrict physical access to your server.
Log in as root and run the command below to generate a PBKDF2 hash of the password:
# grub2-mkpasswd-pbkdf2
Password: ****
Reenter password: ****
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.AA67A74BBC7D59A6BEAF…

Paste the resulting hash string into the file /etc/grub.d/40_custom together with the set superusers command. Remember to keep the commented lines at the beginning of the file:
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.AA67A74BBC7D59A6BEAF…

Run the following command to import the changes into the main configuration file:
# grub2-mkconfig -o /boot/grub2/grub.cfg
After you reboot, you will be prompted for a username and password when trying to boot any menu entry. Enter root and the password you typed during the grub2-mkpasswd-pbkdf2 command. If the credentials are correct, the system will boot the selected entry.
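A quick consistency check for the text that goes into /etc/grub.d/40_custom, added here as an example (it is not part of the original guide and is not a GRUB tool). It reads the file on stdin and verifies that the generator header on line 2 is intact, that a set superusers line exists, that the password_pbkdf2 line has the grub.pbkdf2.sha512.<iterations>.<salt>.<hash> shape (a hash cut short while pasting from a terminal is the usual mistake), and that the user named in it is one of the superusers. The sample file and its short hex values are constructed; real salt and hash fields are much longer.

```shell
#!/bin/sh
# Added example, not part of the original guide: sanity-check the content of
# /etc/grub.d/40_custom before running grub2-mkconfig.
# Live use:  grub_custom_check < /etc/grub.d/40_custom

grub_custom_check() {
    awk '
        # 40_custom is executed by grub2-mkconfig; line 2 must stay "exec tail -n +3 $0"
        NR == 2 && /^exec tail -n [+]3 [$]0$/ { header = 1 }
        /^set superusers=/ {
            su = $0; sub(/^set superusers=/, "", su); gsub("\"", "", su)
        }
        # user, then grub.pbkdf2.sha512.<iterations>.<salt hex>.<hash hex>
        /^password_pbkdf2 [^ ]+ grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+$/ {
            user = $2; hash_ok = 1
        }
        END {
            if (!header)  { print "header line 2 is not: exec tail -n +3 $0"; bad = 1 }
            if (su == "") { print "missing: set superusers=\"...\" line"; bad = 1 }
            if (!hash_ok) { print "missing or malformed: password_pbkdf2 line (hash truncated when pasting?)"; bad = 1 }
            if (su != "" && hash_ok && index("," su ",", "," user ",") == 0) {
                print "password_pbkdf2 user " user " is not listed in superusers (" su ")"; bad = 1
            }
            if (!bad) print "ok: superusers=" su ", password set for " user
            exit bad
        }'
}

# Constructed 40_custom content. The hex fields are placeholders and far
# shorter than what grub2-mkpasswd-pbkdf2 really prints.
SAMPLE_40_CUSTOM='#!/bin/sh
exec tail -n +3 $0
# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.0123456789ABCDEF0123456789ABCDEF.FEDCBA9876543210FEDCBA9876543210'

printf '%s\n' "$SAMPLE_40_CUSTOM" | grub_custom_check || true
```

Run it against the real file before grub2-mkconfig; a non-zero exit means the generated grub.cfg would either carry no password protection at all or protect it for a user who is not a superuser.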
2.Disk Partitions
It is important to use separate partitions to improve data safety in case of a disaster. When an unexpected accident occurs, only the data on the affected partition is damaged, while the data on the other partitions remains intact.
3.Secure /tmp
Linux systems have a few temporary directories used for storage, such as /tmp, /var/tmp and /dev/shm. These directories hold temporary files from different services such as Apache, MySQL, etc. However, these directories are also used by attackers to store malware and virus executables. Such malicious scripts can be an open door to send spam, exploit the system as root or spread viruses over the network.
Please note that default CentOS installations do not mount the /tmp directory on its own partition.
Please follow the steps below to secure /tmp:
# cd /home/
Create a file in the home directory with any name. Here I am using 'systmp' and creating a 2GB file.
# dd if=/dev/zero of=systmp bs=1024 count=2000000
After the file is created, format it as ext4 or whatever filesystem you are using for the other directories on the server.
# mkfs.ext4 /home/systmp
Now back up the current /tmp directory using the command below, which keeps the same permissions for the files currently in /tmp.
# cp -pr /tmp/ /tmp.bkp
After backing up the data you can proceed with mounting the new /tmp directory with the following command:
# mount -o loop,nosuid,noexec,nodev /home/systmp /tmp
Then set the permissions of the new /tmp directory:
# chmod 1777 /tmp
Now that the directory is mounted and proper permissions are set, copy the data from the old /tmp directory into the newly created /tmp directory.
# cd /tmp.bkp/
# cp -pr * /tmp
After verifying the data in the new /tmp directory, add a line to the end of the /etc/fstab file so the new directory is mounted when the server reboots.
/home/systmp /tmp ext4 loop,nosuid,noexec,nodev,rw 0 0
Check for mounting errors with the new fstab entry using the following command:
# mount -o remount /tmp
/tmp is now secured. You can verify this by copying an executable into /tmp and attempting to run it; with noexec set it should be refused.
Once that is finished, you can secure /var/tmp, which can also be abused and cause issues on your server.
Move the /var/tmp directory to a new location first.
# mv /var/tmp/ /var/tmp.bkp
Once it has been moved, create a symbolic link to the /tmp directory using the following command, which makes /var/tmp the same as /tmp while keeping the path intact.
# ln -s /tmp /var/tmp
Once the symlink is created, copy the contents of the old /var/tmp into /tmp:
# cp -pr /var/tmp.bkp/* /tmp
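An audit for the result of the steps above, added here as an example (not part of the original guide). Both /proc/mounts and /etc/fstab use the same six-field layout (device, mount point, filesystem type, options, dump, pass), so one parser checks what is mounted now and what will be mounted after a reboot. The function names, the REQUIRED_OPTS list and the sample mount table are my own; the sample is constructed so that /tmp is hardened as the guide describes, /dev/shm lacks noexec, and /var/tmp is not a mount of its own.

```shell
#!/bin/sh
# Added example (not from the original guide): audit the mount options of the
# temporary directories. Reads /proc/mounts- or /etc/fstab-format lines on
# stdin.  Live use:  check_tmp /tmp < /proc/mounts ; check_tmp /tmp < /etc/fstab

# Options a temp directory needs so binaries cannot be planted and run there.
REQUIRED_OPTS="noexec nosuid nodev"

# mount_opts MOUNTPOINT < mount-data
# Prints the option field of MOUNTPOINT; returns 1 if it is not a mount.
mount_opts() {
    awk -v mp="$1" '
        $1 !~ /^#/ && $2 == mp { print $4; found = 1 }
        END { exit found ? 0 : 1 }'
}

# has_opt OPTS OPT : true if OPT appears in the comma-separated list OPTS
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_tmp MOUNTPOINT < mount-data
# Returns 0 and prints "ok" when MOUNTPOINT is a separate mount carrying every
# option in REQUIRED_OPTS; otherwise prints what is wrong and returns 1.
check_tmp() {
    mp=$1
    opts=$(mount_opts "$mp") || { echo "$mp: not a separate mount"; return 1; }
    missing=""
    for o in $REQUIRED_OPTS; do
        has_opt "$opts" "$o" || missing="$missing $o"
    done
    if [ -n "$missing" ]; then
        echo "$mp: missing$missing"
        return 1
    fi
    echo "$mp: ok ($opts)"
}

# Constructed /proc/mounts excerpt: /tmp hardened as in the guide (the loop
# device shows up as /dev/loopN), /dev/shm without noexec, no separate /var/tmp.
SAMPLE_MOUNTS='/dev/vda1 / ext4 rw,relatime 0 0
/dev/loop0 /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0'

# Check the sample, or the live system when called with --live.
for d in /tmp /var/tmp /dev/shm; do
    if [ "${1:-}" = "--live" ]; then
        check_tmp "$d" < /proc/mounts || true
    else
        printf '%s\n' "$SAMPLE_MOUNTS" | check_tmp "$d" || true
    fi
done
```

When /var/tmp has been turned into a symlink to /tmp as the guide does, "not a separate mount" is the expected answer for it; check the link target instead (readlink -f /var/tmp should print /tmp) and rely on the /tmp result.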
4.Patch the Operating System
Any vulnerability in the operating system could compromise the security of the applications running on it.
To update all installed packages:
RHEL based OS:
# yum update
Debian based OS:
# apt-get update && apt-get upgrade
Check the list of updates to be installed for a kernel update, as that requires a reboot to apply. Third-party options such as Ksplice or KernelCare can apply kernel patches without a reboot.
Install Ksplice
To install Ksplice, first register your system for Ksplice and obtain the activation key.
# wget -N https://www.ksplice.com/uptrack/install-uptrack
# sh install-uptrack YOUR_ACCESS_KEY
# uptrack-upgrade -y
Install KernelCare
As with Ksplice, register your system for KernelCare first:
# rpm -i https://downloads.kernelcare.com/kernelcare-latest.x86_64.rpm
To check whether patches have been applied:
# /usr/bin/kcarectl --info
The software automatically checks for new patches every 4 hours. To run an update manually:
# /usr/bin/kcarectl --update
5.Turn ON Security-Enhanced Linux (SELinux)
Security-Enhanced Linux (SELinux) is a mandatory access control (MAC) security mechanism implemented in the kernel.
Note: For cPanel & WHM to run on the server, SELinux must remain disabled.
SELinux provides three basic modes of operation:
- Enforcing: the default mode, which enables and enforces the SELinux security policy on the machine.
- Permissive: SELinux does not enforce the security policy; it only warns and logs actions. This mode is very useful for troubleshooting SELinux-related issues.
- Disabled: SELinux is turned off.
You can view the current SELinux mode from the command line using the 'system-config-selinux', 'getenforce' or 'sestatus' commands.
If it is disabled, enable SELinux using the following command. The setenforce change lasts only until the next reboot; to make it permanent, also set SELINUX=enforcing in /etc/selinux/config.
# setenforce enforcing
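A small decision helper for the modes listed above, added here as an example (not part of the original guide or of the SELinux tools). It takes the runtime mode as getenforce prints it and reads /etc/selinux/config on stdin, and prints one action keyword with an explanation. The case that trips people up is Disabled: no policy is loaded at all, so setenforce cannot switch it; only the config file plus a reboot can. The function names and the sample config are my own; the sample follows the layout of the CentOS file but is constructed.

```shell
#!/bin/sh
# Added example, not part of the original guide: work out what is needed to
# get SELinux enforcing both now and after the next reboot.
# Live use:  selinux_plan "$(getenforce)" < /etc/selinux/config

# config_mode < selinux-config : prints the persisted SELINUX= value,
# ignoring the commented explanation lines in that file.
config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=\([A-Za-z]*\).*/\1/p' | tail -n 1
}

# selinux_plan RUNTIME_MODE < selinux-config
# Prints one action keyword followed by an explanation:
#   ok         enforcing now and persisted
#   fix-config enforcing now, but the config file will not keep it that way
#   setenforce permissive now: setenforce switches it, the config persists it
#   reboot     disabled: no policy is loaded, so setenforce cannot help
selinux_plan() {
    runtime=$1
    persisted=$(config_mode)
    case "$runtime" in
        Enforcing)
            if [ "$persisted" = "enforcing" ]; then
                echo "ok enforcing now and after reboot"
            else
                echo "fix-config running enforcing but config has SELINUX=${persisted:-unset}; set SELINUX=enforcing"
            fi ;;
        Permissive)
            echo "setenforce run 'setenforce enforcing' now and set SELINUX=enforcing in config to persist it" ;;
        Disabled)
            echo "reboot set SELINUX=enforcing in config and reboot; setenforce cannot enable a disabled SELinux" ;;
        *)
            echo "unknown mode '$runtime' (expected Enforcing, Permissive or Disabled)"
            return 2 ;;
    esac
}

# Constructed /etc/selinux/config in the shape CentOS ships, with the mode
# the section above wants changed.
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these values:
SELINUXTYPE=targeted'

printf '%s\n' "$SAMPLE_CONFIG" | selinux_plan Disabled || true
```

The sed pattern anchors on SELINUX= at the start of the line, so the commented examples in the file and the SELINUXTYPE= line are not mistaken for the setting.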
6.Minimize Software/Packages to Minimize Vulnerability
Avoid installing unnecessary software, since every extra package adds potential vulnerabilities. Verify the installed packages and remove all that are unwanted.
# yum list installed
# yum list packageName
# yum remove packageName
7.Enable and Configure Firewall
It is highly recommended to enable a Linux firewall to prevent unauthorised access to your servers. csf, iptables or firewalld can be used to restrict inbound and outbound traffic to and from your server.
Follow the steps below to install csf on the server:
# cd /usr/src
# rm -fv csf.tgz
# wget https://download.configserver.com/csf.tgz
# tar -xzf csf.tgz
# cd csf
# sh install.sh
Test whether you have the required iptables modules:
# perl /usr/local/csf/bin/csftest.pl
8.Brute Force Detection
A brute force attack is a trial-and-error method used to obtain information such as a user password or personal identification number (PIN): the attacker tries a set of predefined values against a target and analyses the response until one succeeds, so success depends on that set of values. In these attacks, automated software generates a large number of consecutive guesses for the desired data. The most common and easiest to understand example is the dictionary attack on a password: the attacker uses a password dictionary containing millions of candidate words and tries them one by one for authentication. If the dictionary contains the correct password, the attacker succeeds.
CSF ships with a Login Failure Daemon (lfd) process that runs continuously and periodically (every X seconds) scans the latest log file entries for login attempts against your server that repeatedly fail within a short period of time. Such attempts are commonly called brute-force attacks; the daemon responds very quickly to such patterns and blocks the offending IPs.
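To make the lfd behaviour above concrete, here is a minimal version of that detection logic, added as an example; it is not CSF code and not part of the original guide. It counts failed SSH logins per source address in sshd log lines read from stdin and reports the addresses at or above a threshold. The function names are my own and the log lines are constructed (RFC 5737 documentation addresses). lfd's "within a short period" window is left to the caller: feed it only recent lines, for example the output of journalctl -u sshd --since "-10 min".

```shell
#!/bin/sh
# Added example, not part of the original guide or of CSF: count failed SSH
# logins per source IP and list the addresses that cross a threshold.
# Live use:  offenders 5 < /var/log/secure

# failed_logins_by_ip < log : prints "COUNT IP" per source, most frequent first
failed_logins_by_ip() {
    awk '
        /sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
            # the source address follows the word "from" in both message forms
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -rn
}

# offenders THRESHOLD < log : prints the IPs with at least THRESHOLD failures
offenders() {
    threshold=$1
    failed_logins_by_ip | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Constructed sshd log lines: one address fails five times in a few seconds,
# a second address fails once and then authenticates with a key.
SAMPLE_LOG='Mar  3 10:01:02 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:04 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar  3 10:01:05 web1 sshd[2105]: Invalid user oracle from 203.0.113.7 port 51244
Mar  3 10:01:06 web1 sshd[2107]: Failed password for root from 203.0.113.7 port 51250 ssh2
Mar  3 10:01:09 web1 sshd[2109]: Failed password for root from 203.0.113.7 port 51252 ssh2
Mar  3 10:02:11 web1 sshd[2120]: Failed password for alice from 198.51.100.23 port 40011 ssh2
Mar  3 10:02:40 web1 sshd[2122]: Accepted publickey for alice from 198.51.100.23 port 40012 ssh2'

printf '%s\n' "$SAMPLE_LOG" | failed_logins_by_ip
printf '%s\n' "$SAMPLE_LOG" | offenders 5
```

The output of offenders is the list lfd would act on; a single mistyped password from a legitimate user stays below the threshold, which is why the threshold and the time window are the two knobs worth tuning.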
9.Find Listening Network Ports
With the help of the following 'netstat' networking command you can list the ports on which processes on the server are actively listening for connections. This can help identify something malicious that is running and waiting to accept an external connection, or show an already established connection that should not be allowed.
# netstat -tulpn
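Reading that list by eye does not scale across many servers, so here is a parser for netstat -tulpn output, added as an example (not part of the original guide). It compares every listener bound to a non-loopback address against an allow list of proto/port pairs and prints the ones that are not expected; sockets bound only to 127.0.0.1 or ::1 are skipped because they are not reachable from outside. The function name, the allow list and the sample output are my own; the sample is constructed and includes one listener that should not be there.

```shell
#!/bin/sh
# Added example, not part of the original guide: flag listening sockets that
# are not on an allow list.  Live use:
#   netstat -tulpn | unexpected_listeners "tcp/22 tcp/80 udp/123"

# unexpected_listeners "PROTO/PORT ..." < netstat-output
# Prints "proto local-address pid/program" for each socket that listens on a
# non-loopback address and is not allowed; returns 1 if any was found.
unexpected_listeners() {
    awk -v allowed=" $1 " '
        $1 ~ /^(tcp|udp)6?$/ {
            proto = substr($1, 1, 3)               # tcp6/udp6 fold into tcp/udp
            port = $4; sub(/.*:/, "", port)        # text after the last colon
            addr = $4; sub(/:[0-9]+$/, "", addr)   # everything before it (IPv6 "::" stays intact)
            if (addr == "127.0.0.1" || addr == "::1") next   # loopback-only bind
            # udp rows have no State column, so the program is always the last field
            if (index(allowed, " " proto "/" port " ") == 0) { print proto, $4, $NF; found = 1 }
        }
        END { exit found ? 1 : 0 }'
}

# Constructed netstat -tulpn output: sshd, httpd and ntpd are expected, mysqld
# is loopback-only, and one unknown program listens on tcp/4444.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1044/mysqld
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1201/httpd
tcp6       0      0 :::80                   :::*                    LISTEN      1201/httpd
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      2222/unknownd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           900/ntpd'

ALLOWED="tcp/22 tcp/80 udp/123"
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "$ALLOWED" || true
```

On distributions where netstat is no longer installed, ss -tulpn gives the same information but with a different column layout, so the field positions in the awk program would need adjusting.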