# System configuration best practices for server security

## Amity88

Hi,

Could you guys help guide me on the things that I need to look into and the critical settings that need to be set in order to end up with a computer that is relatively safe from being broken into. Here are the things I already do:

1) Monitoring

  1.1) Set up Syslog-ng (but the information in the logs seems insufficient)

  1.2) Set up AIDE to checksum system files (but I'm not really able to separate expected changes from the unexpected ones)

2) Defense

  2.1) iptables is configured to block all incoming except the ones I specifically allow and packets that are part of an existing connection.

  2.2) efi and boot partitions are set to not auto-mount because in the past my computer had abruptly erased the boot sector after leaving it on overnight.

  2.3) running certain applications (like irssi) as a user with minimal rights

----------

## augustin

A related question, in passing:

is there a wiki page somewhere with a checklist for the above?

----------

## ct85711

Well, two more things you may want to do: first, set up some kind of backup routine (a RAID setup is not a backup).

The other item, to help provide some protection, is setting up something like Snort. While AIDE is nice for monitoring file integrity, it doesn't really monitor for other issues.

----------

## mvaterlaus

hi,

Have you looked at the Gentoo security handbook [1]? It has a lot of information about securing Gentoo. Also, there are a lot of advanced topics. If you would tell us what services you are running on that host, we could help you better.

Further questions are:

* What kernel sources do you use? hardened-sources? do you have grsec or SELinux enabled?

* What libc do you use? There are more security-focused libc implementations than glibc (like musl)

[1] https://wiki.gentoo.org/wiki/Security_Handbook

----------

## cboldt

use a strong password for root

do not run telnetd

secure each service you allow

I wrote a homebrew script that takes advantage of syslog-ng's ability to direct log messages to a program.  The script watches for errors in sshd, mail, dovecot, and certain activity logged by iptables.  I am amazed at the amount of probing that comes from the outside.

https://forums.gentoo.org/viewtopic-t-1017864-start-0.html

You don't need the complication of the script and its dynamic banning.  You will learn quite a bit if you use syslog-ng to direct certain program output to a file that is monitored.

```
filter f_sshd_warn { program(sshd) and message("Failed "); };
log { source(src); filter(f_sshd_warn); destination(watch-logs); };

filter f_imap_warn { program(dovecot) and message("no auth attempts "); };
log { source(src); filter(f_imap_warn); destination(watch-logs); };

filter f_mail { facility(mail); };
filter f_warn { level(warn); };
log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); destination(watch-logs); };
```

In my case, "destination(watch-logs)" is a script that reacts to input on stdin.  But "destination(watch-logs)" could more easily be a logfile.  It would contain a mix of warnings from sshd, dovecot, and mail.
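As an added illustration of the kind of program a `destination(watch-logs)` entry can feed (this is not cboldt's script and not part of the original post), the following Python reader consumes syslog lines on stdin, picks out the sshd "Failed password" messages among the mixed sshd/dovecot/mail warnings, counts failures per source address and reports a source the first time it crosses a threshold. The regular expression, the threshold and the sample log lines are constructed for the example.

```python
#!/usr/bin/env python3
"""Hypothetical watch-logs reader (added example, not the original script).

Reads syslog lines from stdin, the way a syslog-ng program() destination
delivers them, counts failed sshd logins per source address and reports a
source the first time it reaches a threshold. Lines that are not sshd
failures (dovecot, postfix, successful logins) are simply skipped.
"""
import re
import sys
from collections import Counter

# Matches the "Failed password for ..." / "Failed publickey for ..." lines sshd
# logs at auth level; the optional "invalid user " prefix appears for unknown names.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey|none) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)

# Constructed sample input: the mix a watch-logs destination would receive.
SAMPLE_LINES = [
    "Jan 12 03:14:07 fileserver sshd[2101]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2",
    "Jan 12 03:14:09 fileserver sshd[2101]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2",
    "Jan 12 03:14:12 fileserver dovecot: imap-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=203.0.113.5",
    "Jan 12 03:14:15 fileserver sshd[2104]: Failed password for root from 203.0.113.5 port 40022 ssh2",
    "Jan 12 03:14:20 fileserver postfix/smtpd[2110]: warning: hostname mail.example.net does not resolve to address 203.0.113.9",
    "Jan 12 03:14:22 fileserver sshd[2107]: Failed password for invalid user test from 198.51.100.23 port 51240 ssh2",
    "Jan 12 03:15:01 fileserver sshd[2112]: Accepted publickey for amity from 192.0.2.10 port 50010 ssh2",
]


def parse_failed_login(line):
    """Return (user, source_ip) for a failed sshd login line, or None otherwise."""
    match = FAILED_RE.search(line)
    if not match:
        return None
    return match.group("user"), match.group("ip")


def count_failures(lines):
    """Count failed sshd logins per source address over an iterable of log lines."""
    counts = Counter()
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed:
            counts[parsed[1]] += 1
    return counts


def watch(lines, threshold):
    """Stream log lines; yield (ip, count) the first time a source reaches threshold.

    Counting is done incrementally so the reader can run as a long-lived
    program() destination rather than re-reading a file.
    """
    counts = Counter()
    for line in lines:
        parsed = parse_failed_login(line)
        if not parsed:
            continue
        ip = parsed[1]
        counts[ip] += 1
        if counts[ip] == threshold:
            yield ip, counts[ip]


def main():
    threshold = int(sys.argv[1]) if len(sys.argv) > 1 else 5
    # With no piped input, fall back to the constructed sample so the script runs offline.
    source = SAMPLE_LINES if sys.stdin.isatty() else (l.rstrip("\n") for l in sys.stdin)
    for ip, count in watch(source, threshold):
        print(f"ALERT: {count} failed sshd logins from {ip}", flush=True)


if __name__ == "__main__":
    main()
```

Run it as `./watch-logs.py 3` to use the built-in sample, or let syslog-ng pipe the filtered lines into it; the alert is deliberately just a printed line, so what to do with a noisy source (log it, mail it, feed it to a blocklist) stays a separate decision.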

----------

## Amity88

@mvaterlaus,

I'm running vsftpd and sshd inside a VM, both of them configured to listen on different interfaces. One of the interfaces is open to the internet while the other one faces the LAN. It's a personal file server of sorts and I'm using a hardened kernel. However, I haven't enabled any MAC yet. I feel that SELinux is too fine-grained, complex and prone to misconfiguration.

I was hoping that the virtualization would give an additional layer of protection, but a few days ago my efi partition got corrupted somehow and the disk looked okay when I checked it offline. The recent logs were missing also, so I'm not entirely sure what happened.

I'm chasing the fundamentals though, like proper log configurations etc. The stuff @ct85711 suggested sounds good; I'm gonna look into using Snort and also the watch-logs.sh that @cboldt mentioned.

----------

## NeddySeagoon

Amity88,

SELinux and Grsecurity have different aims.

SELinux assumes that everything is working perfectly and only authorised users have access to the system.

It aims to prevent these authorised users doing things that they are not authorised to do.

Grsecurity assumes that everything is not working perfectly and aims to limit the damage caused by potential exploits.

That's an oversimplification but the broad brush is correct.

e.g. grsecurity will add 'canary values' to stacks and check that they are still there later.  If not, there has been a buffer overflow and the app will be killed.

You need an entire hardened install, not just a hardened kernel and yes, there is a performance impact.  Security comes at a price.

Security is like the layers of an onion, the more you add, the 'better' your security and the more invasive your security measures become.

You need to choose the layers to guard against your threat model.

----------

## Hu

Your remark about irssi is a good start.  In general, you want as many things as possible to run with the bare minimum permissions necessary for them to do their jobs.  High risk processes that have no business writing to certain filesystems can be in a chroot with those filesystems mounted read-only.

Every filesystem that can be mounted noexec,nodev without breaking something should be.  Any filesystem that cannot be mounted noexec, but can be mounted nosuid, should be.  (Caution: improper use of these options can break the running system in ways that may require a reboot to recover; if you have the option set to activate on boot, you might need a recovery environment to undo the change.  Learn exactly what these do and test carefully before scheduling any changes to activate on boot.)

Every process that has no business running privileged children should have enabled PR_SET_NO_NEW_PRIVS (see man prctl for what this is; use /usr/bin/setpriv --no-new-privs to run child processes with the flag enabled), so that any children it runs cannot elevate through execve (barring a kernel bug, of course).
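Hu's two recommendations, the noexec/nodev/nosuid mount options and PR_SET_NO_NEW_PRIVS, are both things you can audit rather than take on trust. The script below is an added example (not from the thread or any project): it parses /proc/mounts-format text, reports which filesystems are missing the options a hardening policy expects, and reads the NoNewPrivs field of /proc/<pid>/status (present since kernel 4.10) to confirm a process really is running with the flag, e.g. after launching it with `setpriv --no-new-privs`. The POLICY table, the sample mount table and the sample status text are constructed for the example; tailor the policy to what your own system can tolerate, per the caution in the post.

```python
#!/usr/bin/env python3
"""Audit mount options and no_new_privs status (added example, constructed data).

Usage:
  ./mount-audit.py          # run against the built-in constructed sample
  ./mount-audit.py --live   # read /proc/mounts and /proc/self/status
"""
import sys

# Hypothetical policy. noexec is left off /home because user scripts live there,
# so nosuid is still required, following the "if not noexec, then nosuid" rule.
POLICY = {
    "/tmp": {"nodev", "nosuid", "noexec"},
    "/dev/shm": {"nodev", "nosuid", "noexec"},
    "/boot": {"nodev", "nosuid", "noexec"},
    "/home": {"nodev", "nosuid"},
}

# Constructed /proc/mounts content: /tmp lacks noexec and /home lacks nosuid.
SAMPLE_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda1 /boot ext4 rw,relatime,nodev,nosuid,noexec 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda3 /home ext4 rw,relatime,nodev 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
"""

# Constructed /proc/<pid>/status excerpt for a process started with no_new_privs.
SAMPLE_STATUS = "Name:\tirssi\nState:\tS (sleeping)\nPid:\t4242\nNoNewPrivs:\t1\n"


def parse_mounts(text):
    """Parse /proc/mounts format into {mountpoint: set(options)}."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        # The kernel escapes spaces in paths as \040 so the line stays 6 fields.
        mountpoint = fields[1].replace("\\040", " ")
        mounts[mountpoint] = set(fields[3].split(","))
    return mounts


def audit_mounts(text, policy):
    """Return {mountpoint: sorted list of missing options} for mounted policy entries.

    Policy entries that are not currently mounted are skipped rather than
    reported, since there is nothing to harden until they appear.
    """
    mounts = parse_mounts(text)
    findings = {}
    for mountpoint, required in policy.items():
        if mountpoint not in mounts:
            continue
        missing = sorted(required - mounts[mountpoint])
        if missing:
            findings[mountpoint] = missing
    return findings


def no_new_privs(status_text):
    """Read NoNewPrivs from /proc/<pid>/status text.

    Returns True/False, or None when the field is absent (kernels before 4.10).
    """
    for line in status_text.splitlines():
        if line.startswith("NoNewPrivs:"):
            return line.split(":", 1)[1].strip() == "1"
    return None


def main():
    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        with open("/proc/mounts") as f:
            mounts_text = f.read()
        with open("/proc/self/status") as f:
            status_text = f.read()
    else:
        mounts_text, status_text = SAMPLE_MOUNTS, SAMPLE_STATUS

    for mountpoint, missing in sorted(audit_mounts(mounts_text, POLICY).items()):
        print(f"{mountpoint}: missing {','.join(missing)}")
    state = no_new_privs(status_text)
    print("no_new_privs:", "unknown (field absent)" if state is None else state)


if __name__ == "__main__":
    main()
```

Running `setpriv --no-new-privs ./mount-audit.py --live` should report `no_new_privs: True`, while the same script started directly from a normal shell reports `False`; that is a quick way to confirm a service's wrapper actually sets the flag before relying on it.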

----------

## mvaterlaus

*Amity88 wrote:*

> I'm running vsftpd and sshd inside a VM, both of them configured to listen on different interfaces.

Since you didn't mention which service listens on WAN, I will suggest the following:

* Make sure to use certificate-based authentication for ssh when this service is exposed to the WAN interface. When certificate-based authentication is running, disable password logins to ssh.

* If vsftpd is facing the WAN interface, make sure you have enabled ssl (only the tls option) and regenerated the certificate as described in [1]

Also, as mentioned by NeddySeagoon, GRSecurity will add some overhead and needs a hardened profile to be selected. But since it is a personal fileserver, I would look into that, because I suppose you can live with a little performance impact.

[1] http://wiki.vpslink.com/Configuring_vsftpd_for_secure_connections_%28TLS/SSL/SFTP%29

[edit]formatting[/edit]

----------

## Ordinateur91

I agree with NeddySeagoon, SELinux and Grsecurity are both good, however used for different purposes. SELinux is more for when everything works, and Grsecurity is for when it doesn't work perfectly and there might be potential exploits. On an additional note, does anybody have experience with Fail2ban as a security framework? Apparently it can be used on all Linux systems. I stumbled upon this article about it: https://www.1and1.com/digitalguide/server/security/securing-servers-with-fail2ban/. It would be great if someone has experience with it and could share with us.

----------

