Monday, February 29, 2016

Secure Linux server 3

9:44 PM Posted by Dilli Raj Maharjan

Keep /boot as read-only

/boot contains the kernel, the initial ramdisk images, the bootloader configuration file and the bootloader stages. This partition is not needed during normal system operation: it is read at boot time, and it is written only during kernel upgrades. On a production system it is safer to mount it read-only and remount it read-write only when a kernel upgrade is required.

By default /boot is mounted read-write at installation time. We can modify /etc/fstab to change the mount option. Execute the mount command to view all mounted partitions.

mount

Modify the fstab entry so that the boot partition is mounted read-only.

vi /etc/fstab
Replace defaults with defaults,ro in the options field of the /boot entry.

Remount the /boot partition with the read-only option and verify that it is now mounted in read-only mode.

sudo mount -o remount,ro /boot
mount

Temporarily remount /boot in read-write mode whenever required (in case of a kernel upgrade or boot option changes).

sudo mount -o remount,rw /boot

Mount /tmp and data partitions with the nodev, nosuid and noexec options

By default the /tmp directory is writable by everyone. That is the reason most hackers and crackers use /tmp as the storage area to drop malicious code and execute it. We can mount /tmp with nodev, nosuid and noexec to block such attempts.

Any user can create a file and execute it, as below.

cd /tmp/
cat > hello.sh
echo "This is hello message from tmp"
^C
chmod 755 hello.sh

/tmp/hello.sh

nosuid: ignore the SUID/SGID bits on files in this partition.
nodev: do not interpret character or block special devices on this partition.
noexec: do not allow direct execution of any binaries on the mounted filesystem.

/dev/sdb1               /tmp                    ext4    defaults,nosuid,nodev,noexec       0 0

noexec can also be used on partitions that hold only data files, where execution of binaries is never required; for example, we can mount the data partition of a database with the noexec option. In the case below the executable file created on /tmp cannot be executed directly, but it can still be run by passing it to sh.
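The following script is an added example and not part of the original post. It audits the two mount checks described above in one place: that /boot is mounted ro and that /tmp carries nosuid, nodev and noexec, and it rewrites an fstab entry to append a missing option. The function names and the sample /proc/mounts and /etc/fstab contents are my own constructions; on a real host feed in the actual files as shown in the comments.

```shell
#!/bin/sh
# Added example: audit and adjust mount options for /boot and /tmp.
# Sample inputs are constructed for this example; on a real host read
# /proc/mounts and /etc/fstab instead (see the "Live use" comment below).

SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda1 /boot ext4 rw,relatime 0 0
/dev/sdb1 /tmp ext4 rw,nosuid,nodev 0 0'

SAMPLE_FSTAB='# <device>  <mount point>  <type>  <options>  <dump> <pass>
/dev/sda2   /      ext4  defaults                0 1
/dev/sda1   /boot  ext4  defaults                0 2
/dev/sdb1   /tmp   ext4  defaults,nosuid,nodev   0 0'

# mount_has_opt <mounts_text> <mountpoint> <option>
# Exit 0 if the mount point is listed with exactly that option, else 1.
mount_has_opt() {
    printf '%s\n' "$1" | awk -v mp="$2" -v opt="$3" '
        $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# missing_opts <mounts_text> <mountpoint> <opt>...
# Print the space-separated list of required options the mount lacks.
missing_opts() {
    mounts=$1; mp=$2; shift 2
    missing=""
    for opt in "$@"; do
        mount_has_opt "$mounts" "$mp" "$opt" || missing="$missing $opt"
    done
    printf '%s\n' "${missing# }"
}

# add_fstab_opt <fstab_text> <mountpoint> <option>
# Print the fstab with <option> appended to the options field of the
# given mount point; comments and other entries pass through unchanged.
add_fstab_opt() {
    printf '%s\n' "$1" | awk -v mp="$2" -v opt="$3" '
        $1 !~ /^#/ && $2 == mp {
            have = 0
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) have = 1
            if (!have) $4 = $4 "," opt
        }
        { print }'
}

# fstab_opts <fstab_text> <mountpoint>: print the options field of one entry.
fstab_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $4 }'
}

# audit <mounts_text>: report both checks from this post.
audit() {
    b=$(missing_opts "$1" /boot ro)
    t=$(missing_opts "$1" /tmp nosuid nodev noexec)
    printf '/boot missing: %s\n/tmp missing: %s\n' "${b:-none}" "${t:-none}"
}

audit "$SAMPLE_MOUNTS"
# Live use:  audit "$(cat /proc/mounts)"
# Preview of the hardened fstab (review it, then write it via a temp file
# and remount each filesystem):
add_fstab_opt "$(add_fstab_opt "$SAMPLE_FSTAB" /boot ro)" /tmp noexec
```

noexec only stops the kernel from executing files on that filesystem directly; as the post notes, an interpreter such as sh can still read and run a script stored in /tmp, so treat these mount options as one layer next to permissions and monitoring rather than a complete control. After editing /etc/fstab, remount the filesystem and re-run the audit against /proc/mounts rather than trusting the file alone.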

Ignore ICMP echo and broadcast requests

ICMP packets are used to verify network connectivity, but they can also be abused for indirect ICMP flooding, known as smurfing, which results in a DoS (Denial of Service) attack. To protect a Linux server from such attacks we need to modify some kernel parameters. Add the following kernel parameters to the /etc/sysctl.conf file.

net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1

Execute sysctl -p to apply the kernel parameters at runtime.

sysctl -p
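As an added example (not part of the original post), the following script checks that the two parameters above are set in a sysctl.conf-style file, resolving them the way sysctl -p does: comments are ignored and the last assignment of a key wins, so a stale line earlier in the file does not hide a later change. It also reads the running value from /proc/sys so the configured and live values can be compared before and after sysctl -p. The function names and both sample file contents are my own constructions.

```shell
#!/bin/sh
# Added example: verify the ICMP hardening keys from this post in a
# sysctl.conf-style file and compare them with the running kernel values.
# The sample file contents are constructed for this example.

# A commented-out default, a stale value, and the final hardened value.
SYSCTL_SAMPLE='# net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_echo_ignore_all=0
net.ipv4.icmp_echo_ignore_all = 1'

# The same file before hardening: only the broadcast setting is present.
SYSCTL_WEAK='net.ipv4.ip_forward = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1'

ICMP_KEYS='net.ipv4.icmp_echo_ignore_all net.ipv4.icmp_echo_ignore_broadcasts'

# sysctl_conf_value <conf_text> <key>
# Print the value given to <key> by its last uncommented assignment
# (which is what sysctl -p ends up applying), or nothing if absent.
sysctl_conf_value() {
    printf '%s\n' "$1" | awk -v key="$2" -F'=' '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }   # comments and blank lines
        {
            k = $1; v = $2
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { last = v; seen = 1 }
        }
        END { if (seen) print last }'
}

# icmp_status <conf_text>
# Print "ok" when both keys resolve to 1, otherwise the keys that do not.
icmp_status() {
    bad=""
    for key in $ICMP_KEYS; do
        [ "$(sysctl_conf_value "$1" "$key")" = "1" ] || bad="$bad $key"
    done
    if [ -z "$bad" ]; then echo ok; else printf '%s\n' "${bad# }"; fi
}

# running_value <key>: read the live value straight from /proc/sys, which
# needs no sysctl binary; prints n/a when the key is not available here.
running_value() {
    cat "/proc/sys/$(printf '%s' "$1" | tr . /)" 2>/dev/null || printf 'n/a\n'
}

# compare_conf_live <conf_text>: configured versus running values, which is
# what to look at after editing the file and again after sysctl -p.
compare_conf_live() {
    for key in $ICMP_KEYS; do
        printf '%s configured=%s running=%s\n' "$key" \
            "$(sysctl_conf_value "$1" "$key")" "$(running_value "$key")"
    done
}

icmp_status "$SYSCTL_SAMPLE"
icmp_status "$SYSCTL_WEAK"
compare_conf_live "$SYSCTL_SAMPLE"
# Live use:  icmp_status "$(cat /etc/sysctl.conf)"
```

Note that icmp_echo_ignore_broadcasts is the setting that stops the host from acting as a smurf amplifier; icmp_echo_ignore_all additionally makes the server stop answering ordinary ping, so check that no monitoring system relies on ICMP echo before enabling it.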

Implement DenyHosts to ban malicious IP addresses

Configure DenyHosts on Linux

Avoid Using FTP, Telnet, And Rlogin / Rsh Services

Verify that these services are not running with the ps ax command. If any of them is running and is not required, disable it or remove it.

ps ax | grep -i 'ftp\|telnet\|rsh\|rlogin' | grep -v grep
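The ps-based check above matches on process names, so it can miss a service started from inetd and can match the grep itself. The following script is an added example, not part of the original post, that filters a ps ax listing on the program's basename (ignoring the grep that ran the search) and also looks for the classic ports of these services (21, 23, 513 and 514) in ss -ltn style output. The function names and both sample listings are my own constructions; the live commands to feed in are in the comments.

```shell
#!/bin/sh
# Added example: find legacy clear-text services in a process listing and in
# a list of listening TCP sockets. Both inputs are constructed samples.

PS_SAMPLE='  PID TTY      STAT   TIME COMMAND
    1 ?        Ss     0:01 /sbin/init
  812 ?        Ss     0:00 /usr/sbin/sshd -D
  913 ?        Ss     0:00 /usr/sbin/vsftpd /etc/vsftpd.conf
  940 ?        Ss     0:00 /usr/sbin/in.telnetd
 1201 pts/0    S+     0:00 grep -i ftp\|telnet\|rsh\|rlogin'

SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      32     0.0.0.0:21         0.0.0.0:*
LISTEN 0      32     [::]:23            [::]:*'

# legacy_procs <ps_text>: print the PID and command line of every process
# whose program basename looks like an FTP, telnet, rsh or rlogin daemon.
# Matching on the basename avoids hits on paths such as /usr/share, and the
# grep that performed the search is skipped. sftp-server (OpenSSH) contains
# "ftp" and is excluded explicitly.
legacy_procs() {
    printf '%s\n' "$1" | awk '
        NR > 1 {
            n = split($5, p, "/"); base = tolower(p[n])
            if (base != "grep" && base !~ /^sftp/ && base ~ /ftp|telnet|rsh|rlogin/) {
                cmd = $5; for (i = 6; i <= NF; i++) cmd = cmd " " $i
                print $1, cmd
            }
        }'
}

# legacy_ports <ss_text>: from "ss -ltn" style output, print the listening
# ports among FTP (21), telnet (23), rlogin (513) and rsh (514), in order.
legacy_ports() {
    printf '%s\n' "$1" | awk '
        NR > 1 && $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)      # strip address, keep port
            if (port ~ /^(21|23|513|514)$/) seen[port] = 1
        }
        END {
            out = ""
            split("21 23 513 514", want, " ")
            for (i = 1; i <= 4; i++)
                if (want[i] in seen) out = out (out == "" ? "" : " ") want[i]
            print out
        }'
}

legacy_procs "$PS_SAMPLE"
legacy_ports "$SS_SAMPLE"
# Live use:  legacy_procs "$(ps ax)"    legacy_ports "$(ss -ltn)"
```

A port that is listening with no matching process usually means an inetd or xinetd entry, so check those configurations as well before concluding the service is gone.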

Use sudo instead of direct root access.

sudo (su do) permits a user to execute some or all commands as the superuser. Although we can modify the /etc/sudoers file directly, it is recommended to change sudo settings with the visudo command, which locks the file and checks its syntax before saving.

Aliases represent groups, and the following alias types exist. A Host_Alias specifies the host names a command alias is valid for. Unless you are sharing one sudoers file among different hosts, this alias is of little use: if the sudoers file is not shared, use ALL, or the hostname or IP address of the server where the file is located.

Host Aliases (Also known as host list)
Host_Alias DCLAN = 192.168.0.1/28: DBSERVERS = 192.168.1.250, mylinux

User Aliases (Also known as user list)

User_Alias ADMINS = dilli : BCKADMIN = raju, kamal

Command Aliases (Also known as command list)

Cmnd_Alias CMD_ADMIN = /sbin/poweroff : CMD_BCKADMIN = /bin/rsync : CMD_ORCLBCK = /home/oracle/rman

Runas_Alias (Also known as Operator list)

Runas_Alias RLIST1 = oracle

Tag list

Tag_Spec ::= (NOPASSWD: | PASSWD: | NOEXEC: | EXEC: |
                   SETENV: | NOSETENV: | LOG_INPUT: | NOLOG_INPUT: |
                   LOG_OUTPUT: | NOLOG_OUTPUT:)

User specifications are where the sudoers file defines who can run what as whom. Syntax:

ADMINS ALL=(ALL) NOPASSWD:CMD_ADMIN

All users listed in the ADMINS User_Alias are allowed to execute the commands listed in the CMD_ADMIN alias on any host with the privileges of any user. In addition, no password is prompted when executing the commands listed in the command alias CMD_ADMIN.

sudo /sbin/poweroff

User dilli can execute sudo /sbin/poweroff without a password prompt.

BCKADMIN DBSERVERS=(RLIST1) PASSWD:CMD_ORCLBCK

The users listed in the User_Alias BCKADMIN, that is raju and kamal, are allowed to execute the commands listed in the CMD_ORCLBCK command alias, with a password prompt, on the hosts defined in the host alias DBSERVERS. They are allowed to run the command as user oracle only. The host part matters when the sudoers file is shared among several servers; otherwise ALL, or the hostname of the server where the sudoers file is applied, can be used.

sudo /home/oracle/rman
This command fails with the message that user raju is not allowed to execute the command as user root, because sudo runs commands as root unless told otherwise.

In this case we have to use the -u option and specify the target user.
sudo -u oracle /home/oracle/rman
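To make the two outcomes above concrete, the following script is an added example, not part of the original post or of sudo itself. It is a deliberately small model of sudoers matching written in shell and awk: it expands the four alias types, honours ALL and one PASSWD/NOPASSWD tag per rule, and compares exact command paths, so it can explain why raju is denied without -u oracle and allowed with it. It does not handle wildcards, CIDR host ranges, negations or Defaults lines; for the authoritative answer on a real host use sudo -l (or, as root, sudo -l -U raju). The function names and the sample sudoers text, which is assembled from the aliases and specifications in this post, are my own constructions.

```shell
#!/bin/sh
# Added example: evaluate who may run what, as which user, on which host,
# against sudoers rules of the simple form used in this post.

# Constructed sample built from the aliases and specifications above.
SUDOERS_SAMPLE='# sample sudoers
Host_Alias DCLAN = 192.168.0.1/28 : DBSERVERS = 192.168.1.250, mylinux
User_Alias ADMINS = dilli : BCKADMIN = raju, kamal
Cmnd_Alias CMD_ADMIN = /sbin/poweroff : CMD_BCKADMIN = /bin/rsync : CMD_ORCLBCK = /home/oracle/rman
Runas_Alias RLIST1 = oracle

ADMINS ALL=(ALL) NOPASSWD:CMD_ADMIN
BCKADMIN DBSERVERS=(RLIST1) PASSWD:CMD_ORCLBCK'

# sudo_check <sudoers_text> <user> <host> <runas_user> <command>
# Prints "ALLOWED NOPASSWD", "ALLOWED PASSWD" or "DENIED".
sudo_check() {
    printf '%s\n' "$1" | awk -v u="$2" -v h="$3" -v r="$4" -v c="$5" '
        # Store "NAME = a, b : NAME2 = c" definitions as map[NAME] = "a,b".
        function defalias(line, map,    n, defs, i, kv) {
            sub(/^[A-Za-z_]+[ \t]+/, "", line)
            gsub(/[ \t]/, "", line)
            n = split(line, defs, ":")
            for (i = 1; i <= n; i++) { split(defs[i], kv, "="); map[kv[1]] = kv[2] }
        }
        # Recursively expand an alias name into a comma-separated member list;
        # a name that is not an alias (a user, host, path or ALL) is returned as is.
        function expand(name, map,    n, parts, i, out) {
            if (!(name in map)) return name
            n = split(map[name], parts, ",")
            out = ""
            for (i = 1; i <= n; i++) out = out (out == "" ? "" : ",") expand(parts[i], map)
            return out
        }
        # Is item in the comma-separated list? ALL matches anything.
        function member(item, list,    n, parts, i) {
            if (list == "ALL") return 1
            n = split(list, parts, ",")
            for (i = 1; i <= n; i++) if (parts[i] == item) return 1
            return 0
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^User_Alias/  { defalias($0, ua); next }
        /^Host_Alias/  { defalias($0, ha); next }
        /^Runas_Alias/ { defalias($0, ra); next }
        /^Cmnd_Alias/  { defalias($0, ca); next }
        {
            # User specification: USERS HOSTS=(RUNAS) [TAG:]COMMANDS
            split($2, hr, "=")
            runas = hr[2]; gsub(/[()]/, "", runas)
            tag = "PASSWD"; cmds = $3
            if (cmds ~ /:/) { split(cmds, tc, ":"); tag = tc[1]; cmds = tc[2] }
            if (member(u, expand($1, ua)) && member(h, expand(hr[1], ha)) &&
                member(r, expand(runas, ra)) && member(c, expand(cmds, ca))) {
                allowed = 1; result = tag
            }
        }
        END { print (allowed ? "ALLOWED " result : "DENIED") }'
}

# check_sudoers <file>: syntax-check a sudoers file before installing it,
# the same check visudo performs on save. Safe to run on a copy.
check_sudoers() { visudo -c -f "$1"; }

sudo_check "$SUDOERS_SAMPLE" dilli anyhost root   /sbin/poweroff      # ALLOWED NOPASSWD
sudo_check "$SUDOERS_SAMPLE" raju  mylinux root   /home/oracle/rman   # DENIED: runas defaults to root
sudo_check "$SUDOERS_SAMPLE" raju  mylinux oracle /home/oracle/rman   # ALLOWED PASSWD (sudo -u oracle)
```

The denial for raju without -u comes from the runas check alone: raju is in BCKADMIN, mylinux is in DBSERVERS and /home/oracle/rman is in CMD_ORCLBCK, but the rule only grants (RLIST1), that is oracle, and sudo's default target user is root.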