Thread: Simple Strategies to Securing Your Server

  1. #1
    MikeG@Spry
    Guest

    Simple Strategies to Securing Your Server

    Here are some very simple steps you can take to beef up security on your VPS, in order to decrease your chances of getting hacked.

    Part 1: SSH

    There are two very critical things we need to do to SSH. SSH is like the drawbridge to your castle. You can make everything else as strong as you like, but if SSH is wide open, anyone can get in.

    We're going to edit the SSHd config file, which is located at /etc/ssh/sshd_config

    The two simplest things we can do to tighten security here is to change the port and protocol version.

    Change the lines:
    Code:
    Port 22
    Protocol 2,1
    To:
    Code:
    Port 222
    Protocol 2
    Please note that you can change the port to just about anything you like; let's just avoid staying on port 22.

    Now save the file, and restart sshd.
    For RedHat/CentOS VEs:
    Code:
    service sshd restart
    Everyone else:
    Code:
    /usr/sbin/sshd
    Making this one simple change will really throw a monkey wrench in the hackbot brute force tactic.

    Part 2 (Optional):

    The scanscript!

    I use this one on my personal servers.
    Code:
    #!/bin/bash
    # Run from a fixed directory so the scratch files (tmp, ttt, tmps) do not land
    # wherever cron happens to start us.
    cd /root || exit 1
    rm -f ttt
    touch tmp ttt
    # disabled IPs can be obtained from /etc/sysconfig/iptables
    # (the saved-rules file only exists on RedHat/CentOS, so guard the grep)
    if [ -e /etc/sysconfig/iptables ]; then
        grep DROP /etc/sysconfig/iptables|awk '{print $5}' >tmp
    fi
    # ------------------------ DoS attacks rule -------------------------
    # identity mismatch in secure ("Did not receive identification string from <ip>")
    grep Did /var/log/secure|awk '{print $12}' >>tmp
    # Invalid user ("Invalid user <name> from <ip>")
    grep "Invalid user" /var/log/secure|awk '{print $10}' >>tmp
    # Maximum login (the address is the bracketed field)
    grep "Maximum login" /var/log/secure|awk '{print $7}'|sed 's/.*\[\(.*\)\])/\1/g' >>tmp
    #
    # ------------------ reduce redundant IPs from tmp file -------------
    # take the first address, drop every copy of it, repeat until tmp is empty
    size=`/usr/bin/wc -l tmp|awk '{print $1}'`
    while test 0 -lt $size
    do
        us=`sed -n 1p tmp`
        # fixed-string, whole-line match: the old sed /$us/d treated the dots
        # as wildcards and errored out on an empty line
        grep -vxF -- "$us" tmp >tmps
        if [ -n "$us" ]; then
            echo "$us" >>ttt
        fi
        cp -f tmps tmp
        size=`/usr/bin/wc -l tmp|awk '{print $1}'`
    done
    rm -f tmp tmps temp0 temp
    #
    # ------------------ activate detected IPs --------------------------
    # NOTE: -F flushes every existing rule before the DROPs are re-added
    size=`wc -l ttt|awk '{print $1}'`
    size=`expr $size + 1`
    /sbin/iptables -F
    i=1
    while test $i -lt $size
    do
        ip=`sed -n "$i"p ttt`
        i=`expr $i + 1`
        /sbin/iptables -A INPUT -s $ip -j DROP
    done
    # -----------------end of shell script-------------------------
    This script goes into a file, let's call it scan.sh. Make this file executable:
    Code:
    chmod +x scan.sh
    Now we'll cron it to run every five minutes:
    Code:
    crontab -e
    At the bottom, add a line like:
    Code:
    0-59/5 * * * * /root/scan.sh
    (make this point at your actual script)

    Basically, what this does is scan your /var/log/secure logfile every 5 minutes, looking for failed logins, dictionary attacks, and some DoS attempts. If it finds any, it adds them to your iptables rules, effectively locking them out for good.

    Part 3: /etc/passwd

    Your /etc/passwd file tells your machine what users exist on your server, what groups they are in, and what shell they are to have access to when logging in.

    In order to seal up another security hole, we're going to make sure only the user accounts YOU select can login via SSH at all. Open up your /etc/passwd in your favourite text editor.

    Every line is going to look something like this:
    Code:
    root:x:0:0:root:/root:/bin/bash
    This tells the machine what account it is, the userid, the groupid, and most importantly, the shell.

    In this case, root gets /bin/bash.

    Any user account you want to be able to log in should end with /bin/bash.
    Any other account should get /sbin/nologin.

    This will give any potential hackers even less of a potential chance of breaking into your server.
    Last edited by MikeG@Spry; 10-18-2007 at 05:58 AM.
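As an added example that is not the thread's own scan.sh, here is the same log-mining idea rewritten so the extracted addresses are validated, counted against a per-address threshold and checked against an allow-list (so you cannot lock yourself out), and the iptables commands are printed for review instead of flushing the live rules. The sample log lines, the `extract_bad_ips`/`drop_rules` names and the threshold value are assumptions for illustration.

```shell
#!/bin/bash
# Added example (not the thread's scan.sh): mine sshd log lines for the offending
# address, validate it, count failures per address, honour an allow-list and print
# iptables commands for review rather than flushing and rewriting the rules.
# Assumes syslog-style lines as written by OpenSSH to /var/log/secure.

# extract_bad_ips LOGFILE THRESHOLD [ALLOW]
# Prints each IPv4 address seen at least THRESHOLD times in the three message
# types the scanscript greps for, skipping the space-separated ALLOW addresses.
extract_bad_ips() {
    log=$1; threshold=${2:-3}; allow=${3:-}
    awk '
        /Did not receive identification string|Invalid user|Maximum login/ {
            ip = ""
            for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
            # some builds log the address as "[1.2.3.4]" with no "from"
            if (ip == "" && match($0, /\[[0-9.]+\]/)) ip = substr($0, RSTART, RLENGTH)
            sub(/^\[/, "", ip); sub(/\]$/, "", ip)
            if (ip != "") print ip
        }' "$log" \
    | grep -Ex '([0-9]{1,3}\.){3}[0-9]{1,3}' \
    | sort | uniq -c \
    | awk -v t="$threshold" -v allow=" $allow " \
          '$1 >= t && index(allow, " " $2 " ") == 0 { print $2 }'
}

# drop_rules LOGFILE THRESHOLD [ALLOW]: one appended DROP per address, no -F
drop_rules() {
    extract_bad_ips "$1" "$2" "$3" | while read -r ip; do
        printf '/sbin/iptables -A INPUT -s %s -j DROP\n' "$ip"
    done
}

# Constructed sample of /var/log/secure (documentation-range addresses only)
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Oct 18 05:58:01 vps sshd[2101]: Invalid user admin from 203.0.113.7
Oct 18 05:58:03 vps sshd[2102]: Invalid user oracle from 203.0.113.7
Oct 18 05:58:05 vps sshd[2103]: Did not receive identification string from 198.51.100.9
Oct 18 05:58:07 vps sshd[2104]: Invalid user test from 203.0.113.7 port 40122
Oct 18 05:58:09 vps sshd[2105]: Maximum login attempts exceeded for root from [198.51.100.9]
Oct 18 05:58:11 vps sshd[2106]: Invalid user guest from 10.0.0.5
Oct 18 05:58:13 vps sshd[2107]: Invalid user guest from 10.0.0.5
Oct 18 05:58:15 vps sshd[2108]: Accepted publickey for mike from 192.0.2.44 port 5022 ssh2
Oct 18 05:58:17 vps sshd[2109]: Invalid user pgsql from not-an-ip
EOF

# 10.0.0.5 stands in for the admin's own address; threshold 2 flags the other two
drop_rules "$SAMPLE_LOG" 2 "10.0.0.5"
```

Pipe the printed commands into sh only after reading them; the allow-list should contain the address you administer from.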

  2. #2
    Junior Member Newbie
    Join Date
    Oct 2007
    Posts
    10

    Excellent Information. Much appreciated.

    Only problem is that the scan.sh won't run on my RHEL4 VPS (permissions are correct):

    #upon manual execution:
    -bash: scan.sh: command not found

    #upon cron failure, and email received:
    /bin/sh: /root/scan.sh: /bin/bash: bad interpreter: No such file or directory
    Last edited by PossumX; 10-21-2007 at 07:26 AM.

  3. #3
    MikeG@Spry
    Guest

    Oh sorry, I forgot to mention that you need to chmod +x that file so the system knows it's an executable bash script!

  4. #4
    Junior Member Newbie
    Join Date
    Jan 2007
    Posts
    13

    Mike,

    When I run scan.sh on my server I get an error:

    grep: /etc/sysconfig/iptables: No such file or directory

    I don't have this file. What can I do about this? Thanks

  5. #5
    Junior Member Newbie
    Join Date
    Aug 2007
    Posts
    26

    This should take care of it (it worked on my VPS):
    Code:
    if [ -e /etc/sysconfig/iptables ]; then
        grep DROP /etc/sysconfig/iptables|awk '{print $5}' >tmp
    fi

  6. #6
    Junior Member Newbie
    Join Date
    Mar 2008
    Posts
    2

    Thanks Mike, I used a couple of these! I also just added my own iptables hack to the iptables thread, instead of a five minute cron scan it tails the logs continually using the pop-before-smtp daemon script by Wayne Davison.