Archive for the ‘Linux Security’ Category

March 24, 2008
Filed Under (Linux Security) by admin on 24-03-2008

The purpose of sysctl hardening is to help prevent spoofing and DoS attacks. This short guide shows what I have found to be a good configuration for the sysctl.conf file. The most important of the variables listed below is the one that enables SYN cookie protection. Only add the bottom two if you do not want your server to respond to ICMP echo requests, commonly referred to as ICMP ping or just ping.

Backup sysctl.conf :

# mv /etc/sysctl.conf /etc/sysctl.conf.bak

Open to edit the file:

# nano -w /etc/sysctl.conf

Now paste the following into the file; you can overwrite the current contents.

# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.

# Disables packet forwarding
net.ipv4.ip_forward = 0

# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# Enable logging of spoofed packets, source routed packets and redirect packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.lo.log_martians = 1
net.ipv4.conf.eth0.log_martians = 1

# Disables the magic-sysrq key
kernel.sysrq = 0

# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15

# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1800

# Turn off the tcp_window_scaling
net.ipv4.tcp_window_scaling = 0

# Turn off the tcp_sack
net.ipv4.tcp_sack = 0

# Turn off the tcp_timestamps
net.ipv4.tcp_timestamps = 0

# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1

# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1

# Increases the size of the socket queue (effectively, q0).
net.ipv4.tcp_max_syn_backlog = 1024

# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 1440000

# Allowed local port range
net.ipv4.ip_local_port_range = 16384 65535

After you make the changes to the file you need to run the commands below to enable the changes without a reboot:

# /sbin/sysctl -p

# sysctl -w net.ipv4.route.flush=1
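Before running sysctl -p it is worth linting the file, since a key listed twice silently takes its last value and an out-of-range value makes sysctl -p fail part way through. The checker below is an added example, not part of the original post; the SAMPLE fragment is constructed and the drift() helper assumes a Linux host with the sysctl binary on PATH.

```python
# Lint a sysctl.conf fragment like the one above and report keys whose live value
# differs from the file. Added example, not part of the original post.
import subprocess
from typing import Dict, List, Tuple

# Constructed sample: one key set twice with different values, one port range ending above 65535.
SAMPLE = """\
net.ipv4.conf.all.log_martians = 0   # comment says 'enable' but value disables
net.ipv4.ip_forward=0
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.ip_local_port_range = 16384 65536
"""

def parse_sysctl_conf(text: str) -> Tuple[Dict[str, str], List[str]]:
    """{key: value}, last occurrence wins (as 'sysctl -p' applies lines in order); plus problems."""
    settings: Dict[str, str] = {}
    problems: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line:
            continue
        if "=" not in line:
            problems.append(f"line {lineno}: no '=' in {raw.strip()!r}")
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        value = " ".join(value.split())              # 'a  b' -> 'a b'
        if key in settings and settings[key] != value:
            problems.append(f"line {lineno}: {key} redefined {settings[key]!r} -> "
                            f"{value!r}; the later value wins")
        settings[key] = value
    return settings, problems

def lint(settings: Dict[str, str]) -> List[str]:
    issues: List[str] = []
    if settings.get("net.ipv4.tcp_syncookies") != "1":
        issues.append("net.ipv4.tcp_syncookies is not 1: SYN cookie protection is off")
    rng = settings.get("net.ipv4.ip_local_port_range")
    if rng:
        lo, hi = (int(x) for x in rng.split())
        if not 1 <= lo < hi <= 65535:                # the kernel rejects anything else
            issues.append(f"ip_local_port_range {lo} {hi}: need 1 <= lo < hi <= 65535")
    return issues

def drift(settings: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """{key: (wanted, live)} where the running kernel ('sysctl -n') disagrees; Linux only."""
    def live(key: str) -> str:
        out = subprocess.run(["sysctl", "-n", key], capture_output=True, text=True).stdout
        return " ".join(out.split())
    return {k: (v, l) for k, v in settings.items() if (l := live(k)) != v}
```

Run drift() on the parsed /etc/sysctl.conf after sysctl -p to confirm every value actually took; an empty result means the running kernel matches the file.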

Tags: hardening, sysctl

March 23, 2008
Filed Under (Linux Security) by admin on 23-03-2008

MySQL is one of the most important programs on a server; unfortunately it is also fairly resource intensive. It is not uncommon for a single user, or even a single query, to take up the bulk of the server's CPU cycles. mytop is a very useful program for seeing which queries a server is currently processing and which user is executing them; think of mytop as top for MySQL. If you see a lot of activity from one user, that user is probably the hog. mytop is also useful for finding exactly which queries are causing the problem on a website you designed yourself. The following is how to install mytop on the server and run it.

We are going to install two Perl modules in addition to mytop to make sure it works.

Install TermReadKey:

# cd /usr/local/src
# wget http://search.cpan.org/CPAN/authors/id/J/JS/JSTOWE/TermReadKey-2.30.tar.gz
# tar -zxf TermReadKey-2.30.tar.gz
# cd TermRead*
# perl Makefile.PL
# make test
# make
# make install
# cd ..

Now install DBI:

# wget http://search.cpan.org/CPAN/authors/id/T/TI/TIMB/DBI-1.48.tar.gz
# tar -zxf DBI-1.48.tar.gz
# cd DBI*
# perl Makefile.PL
# make test
# make
# make install
# cd ..

Finally install mytop:

# wget http://jeremy.zawodny.com/mysql/mytop/mytop-1.4.tar.gz
# tar -zxf mytop-1.4.tar.gz
# cd mytop*
# perl Makefile.PL
# make test
# make
# make install

Now simply run "mytop" and you're done!

Tags: mytop

March 23, 2008
Filed Under (Linux Security) by admin on 23-03-2008

Secure and harden your system configuration file host.conf to prevent DNS lookup poisoning and also provide protection against spoofing.

# nano /etc/host.conf

Look names up in /etc/hosts first, then fall back to DNS (bind):

order hosts, bind

We don't have machines with multiple IP addresses on the same card (such as virtual servers or IP aliasing):

multi off

Check for IP address spoofing:

nospoof on

Now type Ctrl+X, then hit Y and Enter.

Tags: harden, host.conf, secure

March 21, 2008
Filed Under (Linux Security) by admin on 21-03-2008

BFD is a modular shell script for parsing applicable logs and checking for authentication failures. There is not much complexity or detail to BFD yet, and likewise it is very straightforward in its installation, configuration and usage. The reason behind BFD is very simple: there are few, if any, authentication and brute force auditing programs in the Linux community that work in conjunction with a firewall or real-time facility to place bans. BFD is available at: http://www.rfxnetworks.com/bfd.php

Note: You must have APF installed first before proceeding to install BFD.

Installation:

# cd /root/downloads (or another temporary folder where you store your files)

# wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz

# tar -xvzf bfd-current.tar.gz

# cd bfd-0.9

Run the install file:

# ./install.sh

You will receive a message saying it has been installed:

.: BFD installed
Install path:    /usr/local/bfd
Config path:     /usr/local/bfd/conf.bfd
Executable path: /usr/local/sbin/bfd

Let's edit the configuration file:

# nano /usr/local/bfd/conf.bfd

Enable brute force hack attempt alerts:

Find: ALERT_USR="0"   CHANGE TO: ALERT_USR="1"

Find: EMAIL_USR="root" CHANGE TO: EMAIL_USR="your@yourdomain.com"

Save the changes: Ctrl+X then Y

Prevent locking yourself out!

# nano -w /usr/local/bfd/ignore.hosts

Add your own trusted IPs, one per line, e.g.: 192.168.1.1

Save the changes: Ctrl+X then Y

++++++

BFD uses APF's CLI insert feature and as such will override any allow_hosts.rules entries you have in place.

So be sure to add your trusted IP addresses to the ignore file to prevent locking yourself out.

Run the program!

# /usr/local/sbin/bfd -s

Customize the brute force configuration for your applications: check out the rules directory under /usr/local/bfd.
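To see what BFD's log parsing and ignore.hosts list amount to, here is a minimal detector of the same shape: count sshd password failures per source, skip anything in a trusted list, and report sources past a threshold. This is an added example written for this page, not BFD's own code; the log lines and ignore list are constructed.

```python
# Mini brute-force detector in the spirit of BFD: count sshd authentication failures
# per source address and report the ones past a threshold, skipping trusted hosts.
# Added example, not BFD's code; BFD's real matching lives in its rules directory.
import ipaddress
import re
from collections import Counter
from typing import Iterable

# Constructed /var/log/secure lines (CentOS-style sshd logging), not from a real host.
SAMPLE_LOG = """\
Mar 21 03:14:01 host sshd[4021]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar 21 03:14:03 host sshd[4021]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar 21 03:14:05 host sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Mar 21 03:14:09 host sshd[4030]: Failed password for invalid user test from 203.0.113.7 port 51030 ssh2
Mar 21 03:15:00 host sshd[4044]: Failed password for root from 192.168.1.1 port 40000 ssh2
Mar 21 03:15:02 host sshd[4044]: Failed password for root from 192.168.1.1 port 40001 ssh2
Mar 21 03:15:03 host sshd[4044]: Failed password for root from 192.168.1.1 port 40002 ssh2
Mar 21 03:15:04 host sshd[4044]: Failed password for root from 192.168.1.1 port 40003 ssh2
Mar 21 03:16:00 host sshd[4050]: Accepted publickey for deploy from 198.51.100.9 port 2200 ssh2
Mar 21 03:16:30 host sshd[4051]: Failed password for root from 198.51.100.9 port 2201 ssh2
"""
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port")

def load_ignore(text: str) -> list:
    """Parse an ignore.hosts-style list: one IP or CIDR per line, '#' starts a comment."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))  # bare IP -> /32
    return nets

def is_trusted(ip: str, ignore: list) -> bool:
    """True when ip falls inside any ignored network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ignore)

def offenders(log_lines: Iterable[str], ignore: list, threshold: int = 3) -> Counter:
    """{ip: failures} for every untrusted source with at least `threshold` failures."""
    counts: Counter = Counter()
    for line in log_lines:
        m = FAILED_RE.search(line)
        if m and not is_trusted(m.group(1), ignore):
            counts[m.group(1)] += 1
    return Counter({ip: n for ip, n in counts.items() if n >= threshold})
```

Note how 192.168.1.1 produces four failures yet is never reported once it is in the ignore list, which is exactly why the post tells you to add your own addresses there before starting BFD.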

Tags: bfd, brute force detection, install

March 21, 2008
Filed Under (Linux Security) by admin on 21-03-2008

APF is a policy-based iptables firewall system designed for ease of use and configuration. It employs a subset of features to satisfy the veteran Linux user and the novice alike. Packaging in both tar.gz and RPM formats makes APF ideal for deployment in many Linux-based server environments. APF is developed and maintained by R-fx Networks: http://www.rfxnetworks.com/apf.php

Installation:

Login to your server through SSH and su to the root user.

# cd /root/downloads (or another temporary folder where you store your files)

# wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz

# tar -xvzf apf-current.tar.gz

# cd apf-0.9.5-1/ (or whatever the latest version is)

Run the install file:

# ./install.sh

You will receive a message saying it has been installed:

Installing APF 0.9.5-1: Completed.

Installation Details:
Install path:         /etc/apf/
Config path:          /etc/apf/conf.apf
Executable path:      /usr/local/sbin/apf

Other Details:

Listening TCP ports: 1,21,22,25,53,80,110,111,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306
Listening UDP ports: 53,55880

Note: These ports are not auto-configured; they are simply presented for information purposes. You must manually configure all port options.

Let's configure the firewall:

# nano /etc/apf/conf.apf

We will go over the general configuration to get your firewall running. This isn't a complete, detailed guide to every feature the firewall has; look through the README and the configuration file for an explanation of each feature.

We like to use DShield.org's "block" list of top networks that have exhibited suspicious activity.

FIND: USE_DS="0"
CHANGE TO: USE_DS="1"

Configuring Firewall Ports:

Common ingress (inbound) ports

# Common ingress (inbound) TCP ports; 3000_3500 = passive port range for Pure-FTPd

IG_TCP_CPORTS="21,22,25,53,80,110,143,443,2082,2083,2086,2087,2095,2096,3000_3500"

# Common ingress (inbound) UDP ports

IG_UDP_CPORTS="53"

Common egress (outbound) ports

# Egress filtering [0 = Disabled / 1 = Enabled]

EGF="1"

# Common egress (outbound) TCP ports

EG_TCP_CPORTS="21,25,80,443,43,2089"

# Common egress (outbound) UDP ports

EG_UDP_CPORTS="20,21,53"

Starting the firewall:

# /usr/local/sbin/apf -s
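The installer's "Listening TCP ports" line is informational only, so the easy mistakes are leaving a live service out of IG_TCP_CPORTS (it goes dark when APF starts) or listing ports nothing listens on. The helper below, an added example that is not part of APF, expands APF's port-list syntax (including the low_high range form) and compares it with a constructed `ss -ltn` listing.

```python
# Cross-check APF's IG_TCP_CPORTS against what is actually listening, so a service is
# neither left unreachable nor a port opened with nothing behind it. Added example,
# not part of APF; the `ss -ltn` output below is constructed.
import re
from typing import List, Set, Tuple

def parse_cports(value: str) -> Set[int]:
    """Expand an APF port list such as '21,22,3000_3500' into a set of ports.
    Stray whitespace is tolerated here; APF itself expects none."""
    ports: Set[int] = set()
    for item in value.strip('"').replace(" ", "").split(","):
        if not item:
            continue
        if "_" in item:                        # APF range syntax: low_high
            lo, hi = (int(x) for x in item.split("_", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(item))
    return ports

# Constructed `ss -ltn` output: sshd on 22 and 2222, mysqld exposed, postfix on loopback only.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128           0.0.0.0:22          0.0.0.0:*
LISTEN  0       128           0.0.0.0:2222        0.0.0.0:*
LISTEN  0       80            0.0.0.0:3306        0.0.0.0:*
LISTEN  0       128         127.0.0.1:25          0.0.0.0:*
LISTEN  0       128              [::]:80             [::]:*
"""
LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s")

def listening_ports(ss_output: str, include_loopback: bool = False) -> Set[int]:
    """Ports from `ss -ltn`. Loopback-only listeners are skipped by default since
    they need no ingress rule."""
    found: Set[int] = set()
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if m and (include_loopback or not m.group(1).startswith(("127.", "[::1]"))):
            found.add(int(m.group(2)))
    return found

def compare(cports: str, ss_output: str) -> Tuple[List[int], List[int]]:
    """(listening but not allowed, allowed but nothing listening)."""
    allowed, live = parse_cports(cports), listening_ports(ss_output)
    return sorted(live - allowed), sorted(allowed - live)
```

On a real host feed compare() the IG_TCP_CPORTS line from /etc/apf/conf.apf and the output of `ss -ltn`; 3306 showing up as "listening but not allowed" is the case you want to catch before apf -s, and a moved SSH port belongs in that list too.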

Tags: advanced policy firewall, apf, firewall, security

March 21, 2008
Filed Under (Linux Security) by admin on 21-03-2008

Rootkit Hunter (rkhunter) is a scanning tool that gives you about 99.9%* assurance that you're clean of nasty tools. It scans for rootkits, backdoors and local exploits by running tests such as:

- MD5 hash compare
- Look for default files used by rootkits
- Wrong file permissions for binaries
- Look for suspected strings in LKM and KLD modules
- Look for hidden files
- Optional scan within plaintext and binary files

++++++

Installation:

# wget http://downloads.rootkit.nl/rkhunter-1.2.7.tar.gz

# tar -zxvf rkhunter-1.2.7.tar.gz

# cd rkhunter

# ./installer.sh

++++++

Run a test scan with the following command:

# /usr/local/bin/rkhunter -c

++++++

Set up a daily scan report:

# nano /etc/cron.daily/rkhunter.sh

Add the following, replacing the email address with your own:

#!/bin/bash
(/usr/local/bin/rkhunter -c --cronjob 2>&1 | mail -s "Daily Rkhunter Scan Report" email@domain.com)

Then give it permissions to run:

# chmod +x /etc/cron.daily/rkhunter.sh

++++++

Updating RKhunter:

This fetches the latest database updates from their central server and matches your OS better, which prevents false positives.

# rkhunter --update

Tags: installation, rkhunter, security

March 21, 2008
Filed Under (Linux Security) by admin on 21-03-2008

First off, by default Logwatch comes installed on CentOS, although it might not be the latest version.

This program parses your server's logs and reports to you via e-mail on a daily basis with tabulated information.

Initial Install:

# wget ftp://ftp.kaybee.org/pub/redhat/RPMS/noarch/logwatch-7.3.6-1.noarch.rpm

# rpm -ivh logwatch-7.3.6-1.noarch.rpm

# nano /etc/logwatch/conf/logwatch.conf

Insert:

MailTo = yourname@yourdomain.com
Archives = Yes
Range = yesterday
Detail = 10
Service = All

++++++

To Upgrade:

# wget ftp://ftp.kaybee.org/pub/redhat/RPMS/noarch/logwatch-7.3.6-1.noarch.rpm

# rpm -Uvh logwatch-7.3.6-1.noarch.rpm

++++++

To complete the process you need to create a cron job that runs daily (the line below goes into the crontab itself, without a leading #, which would turn it into a comment):

# crontab -e

0 4 * * * /usr/share/logwatch/scripts/logwatch.pl

Tags: 7.3.6, cron, install, logwatch, upgrade

March 21, 2008
Filed Under (Linux Security) by admin on 21-03-2008

Changing the SSH port to a number other than the default gives you more security, preventing brute force attacks and potential hackers from hitting the default port directly.

On your Linux box, log in via SSH and open the sshd configuration:

# nano /etc/ssh/sshd_config

  • Look for the line that says #Port 22.
  • Uncomment this line and change the port number to XXXX, so the line reads Port XXXX (change XXXX to your desired port).

Now press Ctrl+X, then hit Y and Enter.

Now restart SSH by typing:

# /etc/init.d/ssh restart

Note: Don't forget to add the new port to your firewall.

That's it!

Tags: 22, change, Linux HOW TOs, port, ssh