# How do you secure your server box

## sg313

I am running a server on gentoo (for several years now, I am quite happy with it), and was wondering how you guys secure your boxes? What I do at the moment is

- hardened kernel without module loading support

- keeping the open ports to a minimum (only ssh/http/https) using iptables

In particular does it make sense to use something like a virus scanner?

----------

## Gentoo64

The virus scanner should only be for scanning Windows viruses if you will transfer files to Windows computers.

I think as you're running hardened etc (make sure you use the hardened toolchain as well) and minimal services you should be ok as long as the services are set up securely themselves. Make sure ssh has a decent password with some sort of rate limiting, or maybe use key only auth if it's not inconvenient.

You could have a go with RBAC if you haven't already as that will turn root into a pretty limited user - I found it much easier to set up and work with than selinux, and it can be very powerful.

Keep the system up to date... not really sure what else to suggest :s

----------

## tel

Mine might be a bit of an overkill, but it's all automated, so what the heck.

1.  No root login on ssh

2.  Strong passwords

3.  Non-standard ssh ports (debatable method)

4.  I use fail2ban to limit ssh attempts

5.  ClamAV as an antivirus, as my server also backs up local Windows machines

6.  Daily chkrootkit with daily output emailed to me

7.  Limited permissions for all my users

8.  Daily email of all ssh attempted and actual logins

I don't use:

1.  Key authentication for ssh, because users may log in from a variety of different machines

2.  Local encryption, because if someone breaks in and steals stuff, I've got other things to worry about
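
A script that produces the daily report in item 8, as an added example that is not tel's own setup: it counts failed password attempts per source address and lists accepted logins with their authentication method, run over constructed OpenSSH log lines. The log path and the report layout are assumptions.

```shell
#!/bin/sh
# Added example (not tel's own script): summarise sshd authentication events
# from a syslog-style auth log, in the shape of a daily report to e-mail.
# Assumptions: OpenSSH's default log line format and the log path used below.

# Constructed sample lines, not taken from a real host.
SAMPLE_LOG='Mar  3 02:11:07 box sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 02:11:09 box sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 02:11:12 box sshd[1203]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  3 07:40:01 box sshd[1310]: Accepted publickey for alice from 192.0.2.5 port 40012 ssh2
Mar  3 08:02:44 box sshd[1322]: Accepted password for bob from 198.51.100.9 port 40100 ssh2
Mar  3 08:05:10 box sshd[1330]: Failed password for bob from 198.51.100.9 port 40110 ssh2'

# Failed password attempts per source address, busiest source first.
# Reads the log on stdin; prints "count address" per line.
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Successful logins as "user method source", so a password login from an
# unexpected address stands out next to the usual key-based logins.
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "Accepted") m = $(i + 1)
                if ($i == "for")      u = $(i + 1)
                if ($i == "from")     s = $(i + 1)
            }
            print u, m, s
         }'
}

# Full report for one log file (default path is an assumption; adjust to your syslog setup).
ssh_report() {
    log=${1:-/var/log/auth.log}
    echo "== Failed password attempts by source =="
    failed_by_source < "$log"
    echo "== Accepted logins (user method source) =="
    accepted_logins < "$log"
}

# From cron, e.g.: ssh_report /var/log/auth.log | mail -s "ssh report" admin@example.org
# Demo against the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | failed_by_source
printf '%s\n' "$SAMPLE_LOG" | accepted_logins
```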

----------

## sg313

Thanks for the replies, since I am not handling email or windows user data, I will not install a virus scanner. I've set up chkrootkit and denyhosts. My ssh system already forbids root login, but I have to check the password strength for the user accounts somehow (at least those which can su).

I've also skimmed the grsecurity and RBAC howto on gentoo, but I'll leave it for the weekend :)

----------

## Hu

Analyzing the password strength for users who are permitted to run /bin/su is a good step, but you should be aware that even users who cannot su to root can still run setuid binaries.  Certain bugs can permit a malicious user to step up to the privileges of any setuid binary that he can execute.  As far as I know, there are no publicly known unfixed bugs of this type in the latest kernels, but that is one more vector you should consider.  Therefore, you should verify security on all users with login rights, even ones who are only guests on the system.  Ideally, use the sshd Match directives to grant password-based login only to those users who cannot or will not use key-only login.

----------

## cach0rr0

*sg313 wrote:*

> Thanks for the replies, since I am not handling email or windows user data, I will not install a virus scanner. I've set up chkrootkit and denyhosts. My ssh system already forbids root login, but I have to check the password strength for the user accounts somehow (at least those which can su).
> 
> I've also skimmed the grsecurity and RBAC howto on gentoo, but I'll leave it for the weekend

don't know if you've already stumbled onto this

http://www.gentoo.org/doc/en/security/security-handbook.xml?full=1

it's more general best practice than it is specific hardening, but some useful bits in there nonetheless. Some I agree with, some I disagree with, take it with a grain of salt.

That combined with the Hardened doc and you should be squared away.

----------

## sg313

Thanks again, I looked at the tutorial, and will see what I can implement on the box!

----------

