# Securing Servers and Services

## rshadow

I know this has probably been answered about a thousand times, but after reading the Gentoo Security Document I'm a little bit more confused.

What is the best way to go about securing my servers and services? (At present I only have one machine that runs all services, from DNS to the webserver.)

Anyways I noticed a lot of people use iptables, but according to the GSG an Application Proxy like Squid is the most secure.

So what's the best way of going about it? Will Squid take care of incoming connections as well as outgoing (i.e. a firewall)?

Basically I want to close off my network as much as possible. Eventually, when I figure out Linux networking and add more machines to my network, I want to be able to easily secure those as well.

Just looking for ideas and/or resources for more information (in "down to earth English").

----------

## tumbak

From my limited experience, Squid cannot replace iptables; it's not meant to act as a firewall.

You should get yourself familiar with iptables. If you are not offering any services to the public then you should close those ports and not accept any connections to those services from the internet.

Just my 2 cents :)

----------

## hanj

I would say the first layer of defense is a firewall. Iptables is the way to go; if the syntax is too difficult to understand, go with Shorewall to manage your iptables.

There are quite a few other options to increase the security:

- Harden your kernel:
  - Maybe use the grsecurity patch.
  - Trim your kernel config to only needed options.
  - Disable module support if possible, and build everything else in.
- Keep an eye on /tmp:
  - A lot of bad things happen in /tmp. You may want to try mounting /tmp as a tmpfs filesystem and not allowing execute there. Edit this in /etc/fstab:

    ```
    # /tmp on tmpfs: no executables, no setuid binaries
    none   /tmp   tmpfs   noexec,nosuid   0 0
    ```

- Tighten the services.

APACHE

- Don't expose version or server tokens:

```
# Report only "Apache", no version or module list
ServerTokens Prod
# No server footer on error pages and directory listings
ServerSignature Off
```

- Don't provide services or features you don't need (i.e. CGI or FrontPage).
- Make sure you log errors and inspect those logs.

PHP

- Use the hardened flag when emerging.
- Edit php.ini to increase security.
- Try to use safe mode if possible.

```
; do not show errors to the client
display_errors = Off
; do not advertise PHP in response headers
expose_php = Off
display_startup_errors = Off
register_globals = Off
magic_quotes_gpc = On
; comma-separated list of functions to disable
disable_functions = phpinfo
```

- In Apache server directives, use open_basedir to keep files more secure, and also log. This would be on a per-site or per-virtual-host basis:

```
# restrict each site to its own directory tree
php_admin_value open_basedir /their/own/directory/only
# log every error to a file the site cannot tamper with
php_flag log_errors On
php_value error_reporting 2047
php_value error_log /some/log/file
php_flag track_errors On
```

POSTFIX or other MTA

- Try to set it up in a chroot environment.
- Try to use virtual users instead of actual system users.

DNS

- Set it up in a chroot environment.

FTP

- I like vsftp.
- Make sure users are chroot'd.
- Disable anonymous access.
- Use verbose logging with FTP.
- Log well, and inspect the logs.

SSH

- Don't allow root login.
- Set iptables to allow SSH from IPs you trust only.
- Use scp to copy files from your server.

WEBMIN

- I don't like to have webmin running, but understand the benefit of it, so you may have it.
- Set up webmin access from trusted IPs only.
- Set iptables to allow connections on the webmin port from trusted IPs only.
- Change the default port from 10000 to something else.
- Set a default logout time of 20 minutes of inactivity.
- Don't allow the option to permanently remember you.
- Set up webmin to run over SSL only.

The other important piece is to inspect the activity on a schedule:

- Logcheck every hour (app-admin/logsentry): this can monitor all of the logs (apache, ftp, mail, auth, messages, etc.).
- Logwatch every night (sys-apps/logwatch): this can monitor all the logs and summarize them for you nicely.
- Wasabi (app-admin/wasabi): set this up for real-time notification on log activity. For instance, set wasabi to send emails if a login fails, or on other errors, etc.

Along with the firewall, look into an IDS (Intrusion Detection System):

- Snort and ACID: this will inspect all traffic going in/out of your interface(s). Snort (net-analyzer/snort) is what actually inspects, and ACID is a frontend to view the output. Oinkmaster (net-analyzer/oinkmaster) will keep your snort rules updated.
- AIDE (app-admin/aide) is a good file integrity checker. It will keep an eye on files to see if they are changed. It is important to remember to move the aide.db off of the server though.

Get familiar with other tools to inspect what is going on your server. Understand the following:

- `netstat -lnp` (will show listening ports, etc.)
- `ps aux` (shows running processes)
- `w` (shows who is logged in on the server)
- `last` (shows logins and their IPs)
- `history` (shows the history file of the user)

Other tools to get: lsof, chkrootkit.

I know I'm forgetting a ton, but this should get the ball rolling for you. Some of the suggestions may not work for you, depending on your setup, but I just want to throw them out there.

I hope this helps 

hanj
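The firewall layer hanj puts first, as an added example that is not part of the thread: a POSIX shell function that emits a default-deny iptables-restore ruleset for a single host offering DNS and HTTP to everyone while admitting SSH only from trusted source addresses, plus a check that no SSH accept rule is left unrestricted. The trusted addresses (RFC 5737 documentation ranges), the service ports and the `TRUSTED_SSH` variable are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): default-deny INPUT ruleset in
# iptables-restore format for a single host that serves DNS and HTTP
# publicly but accepts SSH only from the trusted sources given in $1.
# Review the output, then load it with: iptables-restore < rules.v4

gen_rules() {
    trusted="$1"    # space-separated IPs/CIDRs (assumed values below)
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections this host already has
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# services offered to everyone: DNS (UDP and TCP) and HTTP
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
EOF
    # SSH: one ACCEPT per trusted source, never an unrestricted one
    for src in $trusted; do
        printf '%s\n' "-A INPUT -p tcp -s $src --dport 22 -j ACCEPT"
    done
    cat <<'EOF'
# everything else is logged (rate-limited) and dropped
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: "
-A INPUT -j DROP
COMMIT
EOF
}

# Sanity check before loading: succeeds only if every rule that accepts
# port 22 carries a source restriction (-s).
ssh_is_restricted() {
    ! printf '%s\n' "$1" | grep -- '--dport 22 -j ACCEPT' | grep -qv -- ' -s '
}

if [ "${1:-}" = "--print" ]; then
    rules=$(gen_rules "${TRUSTED_SSH:-192.0.2.10 198.51.100.0/24}")
    ssh_is_restricted "$rules" && printf '%s\n' "$rules"
fi
```

Run with `--print` to see the ruleset; the check makes the script print nothing if an unrestricted SSH rule ever slips in.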

----------

