What else can I do to secure my Linux server?
Posted by eric01 on Server Fault, published 2012-06-04T02:17:10Z
I want to put a web application on my Linux server: I will first explain to you what the web app will do and then I will tell you what I did so far to secure my brand new Linux system.
The app will be a classified ads website (like gumtree.co.uk) where users can sell their items, upload images, send to and receive emails from the admin. It will use SSL for some pages. I will need SSH.
So far, what I did to secure my stock Ubuntu (latest version) is the following:
NOTE: I probably did some things that will prevent the application from doing all its tasks, so please let me know of that. My machine's sole purpose will be hosting the website.
(I put numbers as bullet points so you can refer to them more easily)
1) Firewall
I installed Uncomplicated Firewall. Deny IN & OUT by default
Rules: Allow IN & OUT: HTTP, IMAP, POP3, SMTP, SSH, UDP port 53 (DNS), UDP port 123 (SNTP), SSL, port 443
(the ones I didn't allow were FTP, NFS, Samba, VNC, CUPS)
When I install MySQL & Apache, I will open up Port 3306 IN & OUT.
2) Secure the partition
In /etc/fstab, I added the following line at the end:
tmpfs /dev/shm tmpfs defaults,rw 0 0
Then in console: mount -o remount /dev/shm
3) Secure the kernel
In the file /etc/sysctl.conf, there are a few different filters to uncomment. I didn't know which one was relevant to web app hosting. Which one should I activate? They are the following:
A) Turn on Source Address Verification in all interfaces to prevent spoofing attacks
B) Uncomment the next line to enable packet forwarding for IPv4
C) Uncomment the next line to enable packet forwarding for IPv6
D) Do not accept ICMP redirects (we are not a router)
E) Accept ICMP redirects only for gateways listed in our default gateway list
F) Do not send ICMP redirects
G) Do not accept IP source route packets (we are not a router)
H) Log Martian Packets
4) Configure the passwd file
Replace "sh" by "false" for all accounts except the user account and root. I also did it for the account called sshd. I am not sure whether it will prevent SSH connections (which I want to use) or if it's something else.
5) Configure the shadow file
In the console: passwd -l to lock all accounts except the user account.
6) Install rkhunter and chkrootkit
7) Install Bum
Disabled those services: "High performance mail server", "unreadable (kerneloops)", "unreadable (speech-dispatcher)", "Restores DNS" (should this one stay on?)
8) Install Apparmor_profiles
9) Install clamav & freshclam (antivirus and update)
What did I do wrong and what should I do more to secure this Linux machine?
Thanks a lot in advance
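The post lists several hardening steps (the sysctl.conf filters in item 3, the /dev/shm line in item 2, the login shells in item 4) but gives no way to verify they took effect. Below is an added audit script, written for this page and not taken from the question or from any Server Fault answer. It runs against constructed sample copies of sysctl.conf, fstab and passwd in a temporary directory so it works offline and without root; point the functions at /etc/sysctl.conf, /etc/fstab and /etc/passwd to audit a real host. The sysctl key names are the ones Ubuntu's stock sysctl.conf ships for the comments quoted in the question; the /dev/shm check looks for noexec, nosuid and nodev, the mount options that actually restrict what can run from that tmpfs, since "defaults,rw" on its own changes nothing.

```shell
#!/bin/sh
# Added audit example (not from the Server Fault post). Sample files below are
# constructed; replace the paths with the real /etc files to check a host.

WORK="${TMPDIR:-/tmp}/harden-audit.$$"
mkdir -p "$WORK"

# Constructed sysctl.conf: spoofing and redirect keys are set, but the
# source-route key is still commented out and IPv4 forwarding is left on.
cat > "$WORK/sysctl.conf" <<'EOF'
# Turn on Source Address Verification
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.ip_forward=1
# Do not accept ICMP redirects (we are not a router)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
#net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
EOF

# Constructed fstab: /dev/shm mounted with "defaults,rw" only.
cat > "$WORK/fstab" <<'EOF'
UUID=0000-example / ext4 errors=remount-ro 0 1
tmpfs /dev/shm tmpfs defaults,rw 0 0
EOF

# Constructed passwd: one daemon account still has a real shell.
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
eric:x:1000:1000:eric:/home/eric:/bin/bash
EOF

# sysctl_value FILE KEY: print the last uncommented value of KEY ("" if unset).
# Accepts both "key=1" and "key = 1"; commented-out lines are ignored.
sysctl_value() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 | sed 's/.*=[[:space:]]*//'
}

# sysctl_audit FILE: one "MISSING key" line per expected setting not in
# effect for a host that is not a router; returns 1 if anything is missing.
sysctl_audit() {
    rc=0
    for want in \
        net.ipv4.conf.all.rp_filter=1 \
        net.ipv4.conf.all.accept_redirects=0 \
        net.ipv4.conf.all.send_redirects=0 \
        net.ipv4.conf.all.accept_source_route=0 \
        net.ipv4.conf.all.log_martians=1 \
        net.ipv4.ip_forward=0; do
        key=${want%%=*}; expect=${want#*=}
        got=$(sysctl_value "$1" "$key")
        if [ "$got" != "$expect" ]; then
            echo "MISSING $key (have '${got:-unset}', want $expect)"
            rc=1
        fi
    done
    return $rc
}

# shm_audit FILE: report noexec/nosuid/nodev missing from the /dev/shm entry.
shm_audit() {
    opts=$(awk '$2 == "/dev/shm" { print $4 }' "$1")
    [ -n "$opts" ] || { echo "MISSING /dev/shm entry"; return 1; }
    rc=0
    for need in noexec nosuid nodev; do
        case ",$opts," in
            *",$need,"*) ;;
            *) echo "MISSING /dev/shm option $need"; rc=1 ;;
        esac
    done
    return $rc
}

# shell_audit FILE [ALLOW]: list accounts whose shell is not nologin/false and
# that are not in the space-separated ALLOW list (default: root only).
shell_audit() {
    awk -F: -v allow="${2:-root}" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $7 !~ /(nologin|false)$/ && !($1 in ok) { print "SHELL " $1 " " $7 }
    ' "$1"
}

echo "== sysctl";       sysctl_audit "$WORK/sysctl.conf" || true
echo "== /dev/shm";     shm_audit "$WORK/fstab" || true
echo "== login shells"; shell_audit "$WORK/passwd" "root eric"
```

Each function exits non-zero when it finds something, so the script drops into a cron job or a post-provisioning check without changes. On the constructed input it reports the commented-out accept_source_route key, ip_forward still at 1, all three missing /dev/shm options, and the daemon account that kept /bin/sh.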