# hardening server

## diebels

I'm trying to harden my server. It acts as a gateway for my LAN and serves web and SSH. Only me and a couple of friends have SSH access, for sharing music. I also have mail running, but I'm not using it much.

So far I've set the hardened USE flag and re-emerged gcc glibc binutils gcc. After this I re-emerged all server software: apache openssh postfix courier-imapd mysql php mod_php. Tested for stack smashing protection with this program:

```c
#include <stdio.h>

int main() {
    char bof[2];

    printf("Hit me: ");

    gets(bof);

    printf("You typed, %s\n");

    return 0;
}
```

Run it and type in more than 2 characters, like "hello":

```
 stack smashing attack in function main()

Terminated
```

So PaX is working. Also set up mod_security for apache. Enabled tcp_syncookies:

```
/etc/conf.d/local.start:

echo 1 >/proc/sys/net/ipv4/tcp_syncookies
```

Running gentoo-sources:

```
uname -r

2.4.26-gentoo-r9
```

with grsecurity set to high level. Also looked at the hardened sources, but couldn't find more security options in those. Are there?

I'm a bit lazy and haven't got around to learning iptables yet, so I'm running this firewall script:

```
cat /etc/init.d/rc.firewall:

#!/bin/bash

# rc.firewall Linux Firewall version 2.0rc9 -- 05/02/03

# [................]
```

http://projectfiles.com/firewall/

seems to work well.

So do you have any more suggestions on hardening this server?

Will selinux be useful? And what about all the stuff in /proc/sys/net/ipv4/, do you know any documentation for this, other than the kernel help? What is the point of FreeS/Wan ipsec? I left it at the defaults for gentoo-sources. The syncookies will only protect against most common DoS attacks. Are there any other DoS attack protection methods?
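The test program above overflows because gets() has no bound. As an added example that is not part of the original post, here is the same 2-byte buffer read with a bounded routine that reports truncation and discards the overflow, plus a self-check on constructed input; read_line_bounded and check_bounded_read are names chosen here, not Gentoo or libc API.

```c
#include <stdio.h>
#include <string.h>

/* Bounded replacement for the gets() call in the test program.
   Reads one line from `in` into buf (capacity n) and strips the newline.
   Returns 1 if the whole line fitted, 0 if it was truncated (the rest of
   that line is discarded so the next call starts on a fresh line), and
   -1 on EOF/error with nothing read. */
int read_line_bounded(char *buf, size_t n, FILE *in) {
    if (n == 0 || fgets(buf, (int)n, in) == NULL) {
        if (n > 0) buf[0] = '\0';
        return -1;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 1;
    }
    /* No newline in buf: either the line was exactly full, or it was
       longer than the buffer. Peek one character to tell them apart. */
    int c = fgetc(in);
    if (c == EOF || c == '\n') return 1;           /* complete line */
    while (c != '\n' && c != EOF) c = fgetc(in);   /* drain the overflow */
    return 0;
}

/* Feeds constructed input through the same 2-byte buffer the test program
   uses; returns 1 when every case behaves as documented, 0 otherwise. */
int check_bounded_read(void) {
    FILE *f = tmpfile();
    if (f == NULL) return 0;
    fputs("hello\nx\n", f);          /* constructed sample input */
    rewind(f);
    char bof[2];
    int ok = 1;
    ok &= read_line_bounded(bof, sizeof bof, f) == 0 && strcmp(bof, "h") == 0;
    ok &= read_line_bounded(bof, sizeof bof, f) == 1 && strcmp(bof, "x") == 0;
    ok &= read_line_bounded(bof, sizeof bof, f) == -1;
    fclose(f);
    return ok;
}

int main(void) {
    char bof[2];                     /* same tiny buffer as the test program */
    printf("Hit me: ");
    fflush(stdout);
    int rc = read_line_bounded(bof, sizeof bof, stdin);
    if (rc < 0) return 1;
    printf("You typed, %s%s\n", bof, rc == 0 ? " (truncated)" : "");
    return check_bounded_read() ? 0 : 1;
}
```

Typing "hello" at the prompt now prints "h (truncated)" instead of tripping the stack protector, because the overflow never reaches the stack.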

----------

## steveb

Did you switch the profile as well? Where does /etc/make.profile point to?

cheers

steve

----------

## steveb

BTW, the C code is not complete. You missed the bof variable in the printf statement:

```c
#include <stdio.h>

int main() {
    char bof[2];

    printf("Hit me: ");

    gets(bof);

    printf("You typed, %s\n", bof);

    return 0;
}
```

cheers

SteveB

----------

## diebels

nope

```
/etc/make.profile -> ../usr/portage/profiles/default-x86-1.4
```

so switching to 

```
/usr/portage/profiles/hardened-x86-2004.0
```

or 

```
/usr/portage/profiles/hardened/x86
```

or if using 2.6 kernel

```
/usr/portage/profiles/hardened/x86/2.6
```

is smart?


> btw. the c code is not complete. you missed the bof variable in the printf statement:

OK, it was compiling and running without it too.

----------

## steveb

Up to now I used the /usr/portage/profiles/hardened-x86-2004.0 profile. But maybe the other one with 2.6 is okay if you use 2.6?

----------

## diebels

Ok, thanks. Changed to hardened-x86-2004.0 now.

```
emerge world
```

gives me chpax, so I installed that. Have you seen the /etc/conf.d/chpax file? Only desktop programs, except for java maybe?? What's the use for this on my server? Looks like PaX relaxation for compatibility with these programs. Right?

----------

## schachti

What's the difference between /usr/portage/profiles/hardened-x86-2004.0 and /usr/portage/profiles/hardened/x86/2.6? Which one is newer/better and should be used?

----------

## schachti

OK, solved it by trial and error: /usr/portage/profiles/hardened-x86-2004.0 is deprecated and should not be used any more.

----------

