linux server hardening - steps by steps


Upload: sunil-paudel

Post on 15-Jul-2015




Page 1: Linux Server Hardening - Steps by Steps

CI6230 Information Systems Security Assignment 2 – Server Hardening

Page 1 of 80

Server Hardening

Loo Chia Feng G1301352L

Sunil Paudel G1400834A

Abdul Rachman G1400808F

Wang Bo G1301325H

Page 2: Linux Server Hardening - Steps by Steps


Table of Contents

1. Keep the server Up-to-date .... 4
2. Ports .... 5
3. Firewall .... 7
4. Configuring the firewall on Startup .... 12
4.1. Save the firewall rules to a file .... 12
4.2. Make changes to /etc/network/interfaces .... 12
5. Set BIOS Password .... 15
6. Setting GRUB Password .... 16
7. Disable Alt+Ctrl+Del .... 18
8. Apache Web Server hardening .... 19
8.1. Basics of Apache Server in Metasploitable2 .... 19
8.2. Check if apache web server is running .... 19
8.3. Secure and Hardening Apache Web Server .... 21
8.3.1. Hide Apache Version and OS Identity from Errors .... 21
8.3.2. Restrict access to root and others directory, except only 1 website named “NewWebsite” (Use Allow and Deny) and disable Overwriting using .htaccess .... 23
8.3.3. Disable Directory Listing, Apache’s following of Symbolic Links and Overwriting using .htaccess of a “NewWebsite” folder .... 26
8.3.4. Keep updating Apache Regularly .... 28
8.3.5. Disable Unnecessary Modules .... 30
8.3.6. Run Apache as separate User and Group .... 32
8.3.7. Limit Request Size for “NewWebsite” .... 34
8.3.8. Limiting the size of an XML Body .... 35
8.3.9. Turn off Server Side Includes and CGI Execution for “NewWebsite” .... 36
8.3.10. Protect DDOS attacks and Hardening .... 37
8.3.11. Enable Apache Logging .... 38
8.3.12. Protect binary and configuration directory permission for “NewWebsite” .... 40
8.3.13. Disable Trace HTTP Request .... 41
8.3.14. Restricting Access by IP (Set only intranet) can access “NewWebsite” – Designed for example.com .... 43
8.3.15. Securing “NewWebsite” with SSL Certificates .... 44
9. User and Group hardening .... 51
9.1. Change msfadmin password and username .... 51
9.2. Change password complexity .... 53
9.3. Add user and group .... 56
9.4. Force users to change their password upon first login .... 58
9.5. Configure Password Aging .... 59
9.6. Limit password reuse on Linux .... 60
9.7. Verify No Accounts Have Empty Passwords .... 61
9.8. Make Sure No Non-Root Accounts Have UID Set To 0 .... 62
9.9. Restrict User and Group Access .... 63
9.9.1. Create and Maintain a Group for All Authorized Users .... 63
9.9.2. Restrict Access .... 63
9.10. Disable root account .... 65
10. Secure /etc/fstab .... 66
10.1. Securing /var/tmp .... 66
10.2. Securing tmpfs .... 67
11. Encrypt File Systems .... 68
11.1. Encrypt and decrypt file with password .... 68
11.2. Encrypt folder or directory .... 72
12. Disable the IPv6 protocol .... 74
13. Log Files .... 75
13.1. Monitor Suspicious Log Messages with Logwatch .... 76
14. Setting AIDE (Advanced Intrusion Detection Environment) .... 78
15. Limitations .... 79
16. References .... 80

Page 4: Linux Server Hardening - Steps by Steps


1. Keep the server Up-to-date

Command: sudo apt-get update && sudo apt-get upgrade

apt-get update only refreshes the package lists; it is apt-get upgrade that installs the newer packages, so both are needed. (Metasploitable2 is built on Ubuntu 8.04, whose repositories are no longer maintained, so on that image this step verifies the procedure rather than delivering current patches.)

Page 5: Linux Server Hardening - Steps by Steps


2. Ports

The IP address of the virtual machine is 10.0.2.15.

The ports are scanned using nmap.

Open Ports are shown below:

Page 6: Linux Server Hardening - Steps by Steps


These ports and services have to be closed. We set up firewall rules that allow only the http and https services and block everything else.

Page 7: Linux Server Hardening - Steps by Steps


3. Firewall

The bash script firewall_rules.sh is created as below.

#!/bin/bash

IPT=/sbin/iptables
EXT_IF=eth0   # the server's only network interface (see section 4.2)

$IPT -F       # flush the previously loaded rules

# Default policies: allow outbound, drop everything inbound and forwarded
$IPT -P OUTPUT ACCEPT
$IPT -P INPUT DROP
$IPT -P FORWARD DROP

# Loopback must stay open; with INPUT DROP, local services (and the
# "telnet localhost 80" tests later in this report) break without this rule
$IPT -A INPUT -i lo -j ACCEPT

# Drop invalid packets early
$IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
$IPT -A OUTPUT -m conntrack --ctstate INVALID -j DROP

# Anti-spoofing: loopback and private-range sources must not arrive on the
# external interface. These sit before every ACCEPT so they cannot be skipped.
$IPT -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
$IPT -A INPUT -i "$EXT_IF" -s 192.168.0.0/24 -j REJECT

# Allow established sessions
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allowed inputs: HTTP and HTTPS only
$IPT -A INPUT -p tcp --dport 80 -j ACCEPT
$IPT -A INPUT -p tcp --dport 443 -j ACCEPT

# ICMP: drop the information-leaking request types, accept echo requests at
# one per second, drop every other ICMP type. Order matters: a rate-limited
# ACCEPT placed before these DROPs would let address-mask and timestamp
# requests through at the limited rate.
$IPT -A INPUT -p icmp --icmp-type address-mask-request -j DROP
$IPT -A INPUT -p icmp --icmp-type timestamp-request -j DROP
$IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT
$IPT -A INPUT -p icmp -j DROP

# Rate-limit bare RST packets (RST-flood mitigation; a smurf attack is ICMP
# amplification and is handled by the ICMP rules above)
$IPT -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT

Fig: No firewalls set

Now run the bash shell.

Command: sudo bash firewall_rules.sh

After the script is run, the firewall rules are in place and can be viewed with the following command (-n skips reverse DNS lookups, -v shows interfaces and counters):

Command: sudo iptables -L -n -v | less

Fig: Run the bash file and set the firewall rules

Page 9: Linux Server Hardening - Steps by Steps


Fig: Firewall Rules Set

The ports are scanned again after setting the firewall rules and only two ports are shown:

Service   Port   State
http      80     open
https     443    closed

Port 443 is "closed" rather than "filtered" because the firewall lets it through but nothing is listening on it yet; it becomes open once HTTPS is enabled in section 8.3.15.

Page 10: Linux Server Hardening - Steps by Steps


Fig: nmap after setting the firewall rules

The services telnet and mysql are now in the filtered state (a SYN scan needs raw sockets, hence sudo).

Command: sudo nmap -sS -p 23 10.0.2.15

Command: sudo nmap -sS -p 3306 10.0.2.15

If nmap scans the whole port range, only two ports (80 and 443) are displayed.

If nmap is run against the particular ports (23 and 3306), it reports them as filtered: the probes are dropped by the INPUT policy and nmap gets no answer at all.

But netstat on the server itself still shows the ports (23 and 3306) listening:

Command: sudo netstat -lpn | grep -E ':(23|3306) '

Page 11: Linux Server Hardening - Steps by Steps


So we need to stop the services.

Command: sudo /etc/init.d/mysql stop

Let us look at the service (mysql:3306) with netstat again.

Command: sudo netstat -lpn | grep -E ':(23|3306) '

Fig: after stopping the service, mysql no longer appears in netstat

Let us run nmap.

Command: sudo nmap -sS -p 3306 10.0.2.15 | less

The port is still shown as filtered, so from the network the result is the same whether the service runs or not: the firewall masks it. That is not a reason to leave unneeded services running. A listening service is still reachable from localhost and from any process on the host, and it is exposed again the moment the ruleset is flushed or fails to load at boot. Stop such services, remove them from the boot sequence or uninstall them, and treat the firewall as a second layer rather than the only one.
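The scans above check the firewall from the outside; it is equally useful to check the loaded ruleset itself after every change. The script below is an added example, not part of the original report: it reads an iptables-save dump from standard input and fails if the INPUT or FORWARD policy is not DROP or if an ACCEPT rule names a TCP port outside the allowed list. The two embedded dumps are constructed samples, not captures from the lab machine.

```shell
#!/bin/bash
# Audit an iptables-save dump: INPUT and FORWARD policies must be DROP, and
# the only TCP destination ports accepted on INPUT must be the ones listed.
# Usage: sudo iptables-save | audit_ruleset 80 443
audit_ruleset() {
    local allowed=" $* "           # allowed ports, space-delimited for matching
    local rc=0 line chain policy port
    while IFS= read -r line; do
        case "$line" in
            ":INPUT "*|":FORWARD "*)
                # policy line looks like ":INPUT DROP [0:0]"
                chain=${line%% *}; chain=${chain#:}
                policy=${line#* }; policy=${policy%% *}
                if [ "$policy" != "DROP" ]; then
                    echo "FAIL: chain $chain policy is $policy, expected DROP"
                    rc=1
                fi
                ;;
            "-A INPUT "*"-j ACCEPT"*)
                # only ACCEPT rules that name a destination port are checked;
                # rules such as the loopback or conntrack accepts have none
                port=$(printf '%s\n' "$line" | sed -n 's/.*--dport \([0-9]*\).*/\1/p')
                if [ -n "$port" ]; then
                    case "$allowed" in
                        *" $port "*) ;;
                        *) echo "FAIL: unexpected ACCEPT for dport $port: $line"; rc=1 ;;
                    esac
                fi
                ;;
        esac
    done
    return "$rc"
}

# Constructed sample dumps (not captured from a real host).
# sample_good is what firewall_rules.sh should leave behind.
sample_good() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
EOF
}

# sample_bad has an open INPUT policy and exposes mysql.
sample_bad() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
COMMIT
EOF
}
```

Run it against the live ruleset with `sudo iptables-save | audit_ruleset 80 443`; a non-zero exit status means the ruleset drifted from the intended one, which is exactly the condition that the "it shows filtered anyway" reasoning above cannot detect.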

Page 12: Linux Server Hardening - Steps by Steps


4. Configuring the firewall on Startup

4.1. Save the firewall rules to a file

Command: sudo sh -c "iptables-save > /etc/iptables.rules"

Command: sudo sh -c "iptables-save > /etc/iptables.downrules"

As written both files hold the same ruleset. The down rules are restored when the interface is taken down; keeping the full ruleset there is safe, whereas saving an open ruleset into iptables.downrules would expose every service whenever eth0 goes down.

4.2. Make changes to /etc/network/interfaces

The changes are made on the specific interface. The screenshot below shows that our server has only one interface, eth0, and no wireless interface.

Command: iwconfig

Now edit /etc/network/interfaces and add the following two lines, indented, under the "iface eth0 ..." stanza:

pre-up iptables-restore < /etc/iptables.rules

post-down iptables-restore < /etc/iptables.downrules

Page 13: Linux Server Hardening - Steps by Steps


Now restart the server and check that the iptables rules are loaded on startup.

Run nmap again. (Note that the IP address has changed because the network adapter was switched to "host-only".)


Page 15: Linux Server Hardening - Steps by Steps


5. Set BIOS Password

Setting a password in the BIOS prevents unauthorized changes to the BIOS settings, for example changing the boot order to boot from removable media and bypass the operating system's controls.

To reach the BIOS setup screen of the VMware virtual machine, edit its configuration (.vmx) file and add the following line, which forces the setup screen on the next boot:

bios.forceSetupOnce = "TRUE"

BIOS Password: C16230 (for both User Password and Supervisor Password)

Page 16: Linux Server Hardening - Steps by Steps


6. Setting GRUB Password

Command: grub-md5-crypt | tee password.txt

Password: C16230

grub-md5-crypt prompts for the password twice and prints its MD5-crypt hash; tee also writes it to password.txt. Edit /boot/grub/menu.lst and add the line below (GRUB legacy directives are lowercase):

password --md5 $1$XXXXX (the hash printed by grub-md5-crypt, as stored in password.txt)

Page 17: Linux Server Hardening - Steps by Steps


To prevent everyone except root from reading /boot/grub/menu.lst, use the following command. Delete password.txt once the hash is in menu.lst so that the hash is not left lying in a home directory.

Command: sudo chmod 600 /boot/grub/menu.lst

Reboot the system to check that GRUB asks for the password (in GRUB legacy the password protects the menu's edit and command-line functions; entries that should not boot without it also need the "lock" keyword).

Type the password, C16230.

Page 18: Linux Server Hardening - Steps by Steps


7. Disable Ctrl+Alt+Del

Anyone with physical access to the keyboard can press Ctrl+Alt+Del and reboot the system. On Ubuntu 8.04 (upstart) the key combination is handled by /etc/event.d/control-alt-delete:

Command: sudo vi /etc/event.d/control-alt-delete

Comment out the line below by prefixing it with #; the event then does nothing. (Leaving the line active keeps the reboot enabled.)

exec /sbin/shutdown -r now "Control-Alt-Delete pressed"

Page 19: Linux Server Hardening - Steps by Steps


8. Apache Web Server hardening

8.1. Basics of Apache Server in Metasploitable2

Document root directory: /var/www

New website directory: /var/www/NewWebsite

Main configuration file: /etc/apache2/apache2.conf

Default HTTP port: 80 TCP

Default HTTPS port: 443 TCP

Test the configuration file settings and syntax: apache2 -t (apache2ctl -t is the Debian wrapper that sets the environment first and is the safer choice)

Check the Apache version: apache2 -v

Access log of the web server: /var/log/apache2/access.log

Error log of the web server: /var/log/apache2/error.log

Add a sample index.html into the NewWebsite folder once the server is hardened, for testing.

8.2. Check if apache web server is running

Command: ifconfig

The IP address of the current machine is shown below.

Page 20: Linux Server Hardening - Steps by Steps


Open browser and enter http://your_ip_address

Apache web server running successfully

Page 21: Linux Server Hardening - Steps by Steps


8.3. Securing and Hardening the Apache Web Server

8.3.1. Hide Apache Version and OS Identity from Errors

Before

Open a browser and enter http://your_ip_address/abcdef; the footer of the 404 page reveals the Apache version, the operating system and the loaded modules.

Implementation

Command: nano /etc/apache2/apache2.conf

Modify the following settings (Apache directives take no "="):

ServerSignature Off

ServerTokens Prod

ServerSignature Off removes the footer line from server-generated pages; ServerTokens Prod reduces the Server response header to just "Apache" (the header cannot be removed entirely without a third-party module).

Command: apache2ctl restart

Page 22: Linux Server Hardening - Steps by Steps


Verification

Refresh the page; the version and OS details are no longer shown, as in the figure.

Page 23: Linux Server Hardening - Steps by Steps


8.3.2. Restrict access to root and other directories, except the one website named “NewWebsite” (using Allow and Deny), and disable overriding via .htaccess

Before

Open a browser and enter http://your_ip_address

Implementation

# cd /var/www
# mkdir NewWebsite
# cd NewWebsite
# touch helloworld

Page 24: Linux Server Hardening - Steps by Steps


Command: nano /etc/apache2/sites-enabled/000-default

Modify the following settings under <Directory /> and <Directory /var/www>:

Options None

Order deny,allow

AllowOverride None

Deny from all

Make sure there is a separate <Directory /var/www/NewWebsite> block that allows access to the one published site; otherwise the Deny on /var/www applies to it as well. (This is Apache 2.2 syntax, as shipped on Metasploitable2; Apache 2.4 expresses the same with "Require all denied".)

Description of the settings

Options None – disables every optional feature (directory listing, symlink following, server-side includes, CGI) for the directory.

Order deny,allow – the order in which the Deny and Allow directives are evaluated: Deny first, then Allow. With "Deny from all" and no Allow directive every request is denied.

AllowOverride None – prevents .htaccess files from overriding these settings.

Deny from all – denies every request to the filesystem root and to /var/www, so nothing outside the NewWebsite directory is served.

Page 25: Linux Server Hardening - Steps by Steps


Verification

Refresh the page; the files in the root folder can no longer be viewed and the server answers 403 Forbidden.

Page 26: Linux Server Hardening - Steps by Steps


8.3.3. Disable Directory Listing, Apache’s following of Symbolic Links and overriding via .htaccess for the “NewWebsite” folder

Before

Open a browser and enter http://your_ip_address/NewWebsite; with no index file present, Apache lists the folder contents.

Implementation

Command: nano /etc/apache2/sites-enabled/000-default

Modify the following settings under <Directory /var/www/NewWebsite>:

Options -Indexes -FollowSymLinks

AllowOverride None

-Indexes stops directory listings when no index file exists; -FollowSymLinks stops Apache from serving files outside the document root through symbolic links, so a link dropped into the folder cannot expose, say, /etc. AllowOverride None makes Apache ignore .htaccess files, so a writable folder cannot re-enable these options.

# apache2ctl restart

Page 27: Linux Server Hardening - Steps by Steps


Verification

Refresh the page; the folder contents are no longer listed and the server answers 403 Forbidden.

Place an index.html file inside the NewWebsite folder so that the site serves a page.

Page 28: Linux Server Hardening - Steps by Steps


8.3.4. Keep updating Apache Regularly

Before

Command: apache2 -v

Implementation

Command: apt-get update && apt-get install apache2

With the package already installed, apt-get install upgrades it to the newest version in the package lists, which is why apt-get update must run first and why the machine needs access to maintained repositories. On a supported release this is the step that closes published Apache vulnerabilities.

Page 29: Linux Server Hardening - Steps by Steps


Verification

Command: apache2 -v

Page 30: Linux Server Hardening - Steps by Steps


8.3.5. Disable Unnecessary Modules

Before

Find out which modules are loaded into Apache:

Command: apache2ctl -M

Implementation

Disable mod_imap, mod_include, mod_info, mod_userdir, mod_status, mod_cgi and mod_autoindex, if they are loaded, with a2dismod. The command takes the module name without the "mod_" prefix (for example a2dismod status).

Command: a2dismod <module name>

Command: apache2ctl restart (execute once all the modules are disabled)

Page 31: Linux Server Hardening - Steps by Steps


Verification

Run apache2ctl -M again and confirm the modules are absent. On the authors' Ubuntu 8.04 (Metasploitable2) image, mod_imap, mod_include, mod_info, mod_userdir, mod_status, mod_cgi and mod_autoindex were reported as not loaded, so nothing needed to be disabled. Verify this on your own image rather than assuming it: the stock Ubuntu apache2 package enables autoindex, status and cgi by default.

Page 32: Linux Server Hardening - Steps by Steps


8.3.6. Run Apache as separate User and Group

Before

The default Apache user and group is www-data.

Implementation

Create a dedicated group and a non-login user whose home is the document root, then point Apache at them in /etc/apache2/envvars.

Command: groupadd http-web

Command: useradd -d /var/www/ -g http-web -s /usr/sbin/nologin http-web

Command: nano /etc/apache2/envvars

Modify the following settings (envvars is a shell fragment, so there are no spaces around the "="):

export APACHE_RUN_USER=http-web

export APACHE_RUN_GROUP=http-web

Command: apache2ctl restart

The web content under /var/www must remain readable by the http-web user, otherwise the site returns 403 after the restart.

Page 33: Linux Server Hardening - Steps by Steps


Verification

Proceed again to check if apache web server is running.

Page 34: Linux Server Hardening - Steps by Steps


8.3.7. Limit Request Size for “NewWebsite”

By default Apache places no limit on the size of an HTTP request body, and accepting arbitrarily large requests lets a client tie up memory and disk, a straightforward denial of service. The LimitRequestBody directive, placed inside a Directory block, caps the request body size for that location.

The value is in bytes, from 0 (unlimited) to 2147483647 (2 GiB). Set it according to the site's needs; a site that accepts uploads, for example, can apply a tighter limit to a particular directory.

In this hardening process we apply a limit of 500 KiB (512000 bytes).

Implementation

Command: nano /etc/apache2/sites-enabled/000-default

Add the LimitRequestBody directive with the value 512000 to the <Directory /var/www/NewWebsite> block.

Command: apache2ctl restart

Page 35: Linux Server Hardening - Steps by Steps


8.3.8. Limiting the size of an XML Body

The LimitXMLRequestBody directive caps the size of an XML request body (consumed by mod_dav and other XML-parsing modules); its default is 1000000 bytes (about 1 MB).

Implementation

Command: nano /etc/apache2/sites-enabled/000-default

Modify the following setting under <Directory /var/www/NewWebsite>:

LimitXMLRequestBody 512000

A value of 10485760 (10 MiB) would loosen the default tenfold rather than harden it. To be effective the XML limit must stay at or below the LimitRequestBody value, which section 8.3.7 set to 512000.

Command: apache2ctl restart

Page 36: Linux Server Hardening - Steps by Steps


8.3.9. Turn off Server Side Includes and CGI Execution for “NewWebsite”

Server Side Includes and CGI let content under the document root execute code on the server. A static site does not need them, and for an attacker who manages to write a file into the folder they are a direct route to command execution.

Implementation

Command: nano /etc/apache2/sites-enabled/000-default

Modify the following settings under <Directory /var/www/NewWebsite>:

Options -Includes -ExecCGI

Command: apache2ctl restart

Page 37: Linux Server Hardening - Steps by Steps


8.3.10. Protect against DoS attacks and harden connection handling

Implementation

Command: nano /etc/apache2/apache2.conf

Find the following settings and modify them accordingly.

Timeout: by default Apache waits 300 seconds for a request to complete, so a Slowloris-style client can hold a worker with a trickle of partial headers. Lower it to around 60 seconds. (Timeout alone does not defeat Slowloris; the targeted control, mod_reqtimeout, only exists from Apache 2.2.15, which the 2.2.8 on Metasploitable2 predates.)

KeepAlive: setting it to Off forces one request per connection, so a single client cannot park idle persistent connections on the server. The trade-off is a higher per-request cost for legitimate clients; a short KeepAliveTimeout (below) usually gives most of the benefit at less cost.

MaxClients: the limit on connections served simultaneously; further connections queue. It exists for both the prefork and worker MPMs and is set inside the matching <IfModule> block. The default is 256. The report lowers it to 20, which protects the host from memory exhaustion under load but also means an attacker needs only 20 connections to occupy every worker, so size it for the hardware rather than as small as possible.

KeepAliveTimeout: how long the server waits for a subsequent request before closing an idle connection. The default is 15 seconds; lower it to 5.

Error responses: serve generic custom error pages instead of Apache's default ones, so that an attacker cannot tell from the response text exactly which condition was hit.

Command: apache2ctl restart

Page 38: Linux Server Hardening - Steps by Steps


8.3.11. Enable Apache Logging

Apache logs independently of the OS logging. It is wise to enable and review Apache logging, because it records every request made to the web server (request line, client address, status code and user agent), which is what an investigation of a web attack needs.

Implementation

Command: nano /etc/apache2/apache2.conf

Modify the following setting (Apache directives take no "="):

LogLevel debug

LogLevel controls the verbosity of the error log only; request logging is configured per virtual host with CustomLog. "debug" is very noisy and fills /var/log quickly, so use it while troubleshooting and return to "warn" (the default) or "info" for normal operation.

Levels, from most to least severe:

emerg: emergency situations where the system is in an unusable state.

alert: severe situation where action is needed promptly.

crit: important problems that need to be addressed.

error: an error has occurred; something was unsuccessful.

warn: something out of the ordinary happened, but not a cause for concern.

notice: something normal, but worth noting, has happened.

info: an informational message that might be nice to know.

debug: debugging information that can be useful to pinpoint where a problem is occurring.

Page 39: Linux Server Hardening - Steps by Steps


Verification

Visit the new website again; the logs are in /var/log/apache2:

Command: cd /var/log/apache2

Command: nano access.log (website access log)

Command: nano error.log (web server error log)

Command: nano error.log.1 (the previous error log: logrotate renames the current log with an incrementing numeric suffix on each scheduled rotation, not when the file is "full")

Page 40: Linux Server Hardening - Steps by Steps


8.3.12. Protect binary and configuration directory permissions for “NewWebsite”

Website executables are placed in bin and configuration settings in conf. To protect them from modification by an attacker who compromises the web server process, make them owned by root with the Apache group (http-web from section 8.3.6) allowed to read and traverse but not write. chown sets the owner and group; the mode 750 is set with chmod.

Implementation

Command: cd /var/www/NewWebsite

Command: mkdir bin conf

Command: chown -R root:http-web bin conf

Command: chmod -R 750 bin conf

Verification

Page 41: Linux Server Hardening - Steps by Steps


8.3.13. Disable TRACE HTTP Request

Before

Command: telnet localhost 80

Then type the request and finish it with a blank line (press Enter twice):

TRACE / HTTP/1.1
Host: test

The server echoes the request back. That reflection is what cross-site tracing attacks use to read cookies and credentials out of the returned headers.

Implementation

Command: nano /etc/apache2/apache2.conf

Add the following settings:

TraceEnable off

Command: apache2ctl restart

Page 42: Linux Server Hardening - Steps by Steps


Verification

Command: telnet localhost 80

Repeat the same request, finished with a blank line (press Enter twice):

TRACE / HTTP/1.1
Host: test

Apache now answers 405 Method Not Allowed instead of echoing the request.

Page 43: Linux Server Hardening - Steps by Steps


8.3.14. Restricting Access by IP so that only the intranet can access “NewWebsite” – designed for example.com

Before

Implementation

Command: nano /etc/apache2/sites-enabled/000-default

Modify the following settings under <Directory /var/www/NewWebsite>:

Order deny,allow

Deny from all

Allow from 172.0.0.1

The address given to Allow from must be the actual intranet range. 172.0.0.1 is not a private address (the RFC 1918 ranges are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16), so for the lab network of this report the line would read "Allow from 10.0.2.0/24". "Order deny,allow" is required: under the default "Order allow,deny" a request matching both directives is denied, so "Deny from all" would block the intranet too.

Verification

A request from outside the allowed range is answered with 403 Forbidden.

Page 44: Linux Server Hardening - Steps by Steps


8.3.15. Securing “NewWebsite” with SSL Certificates

Before

Implementation

Command: a2enmod ssl

Command: apache2ctl restart

Command: openssl genrsa -des3 -out example.com.key 2048

Command: openssl req -new -key example.com.key -out example.csr

Command: openssl x509 -req -days 365 -in example.csr -signkey example.com.key -out example.crt

Remarks: follow the prompts to fill in the details of your organisation; the Common Name must be the host name clients will use. A 2048-bit key is the minimum acceptable RSA size today (1024-bit keys are no longer considered safe). The certificate is self-signed, so browsers warn until it is added as an exception; a certificate from a trusted CA avoids the warning.

Page 45: Linux Server Hardening - Steps by Steps


SSL certificate created successfully.

Copy example.crt and example.com.key into /etc/apache2, with the key readable by root only, then:

Command: nano /etc/apache2/sites-enabled/000-default

Add the following lines inside a <VirtualHost *:443> block, so that the site is served on the HTTPS port (directive names must be spelled exactly as below):

ServerName localhost

SSLEngine on

SSLCertificateFile /etc/apache2/example.crt

SSLCertificateKeyFile /etc/apache2/example.com.key

Page 46: Linux Server Hardening - Steps by Steps


Command: apache2ctl restart

Remarks: enter the pass phrase chosen when the key was generated. Because the key is DES3-encrypted, Apache prompts for it on every restart, including unattended reboots; either strip the pass phrase from the key or accept that the HTTPS site stays down until someone types it.

Page 47: Linux Server Hardening - Steps by Steps


Verification

- Not added to trusted exception

Page 48: Linux Server Hardening - Steps by Steps


- Added to security trusted exception

- Certificate Information
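The Apache settings of sections 8.3.1 to 8.3.15 are spread over apache2.conf and the 000-default site file in the steps above. The configuration below is an added example, not the report's own file, that collects them into one consistent Apache 2.2 configuration (the syntax Metasploitable2's Apache 2.2.8 uses; Apache 2.4 equivalents are noted in comments). The intranet range 10.0.2.0/24, the certificate paths under /etc/apache2/ssl and the site file name are assumptions.

```apache
# Constructed example combining sections 8.3.1-8.3.15 (not from the report).
# Check it with "apache2ctl -t" before restarting Apache.

# ---- /etc/apache2/apache2.conf (server-wide settings) ----
ServerTokens Prod           # 8.3.1: Server header is just "Apache"
ServerSignature Off         # 8.3.1: no version footer on error pages
TraceEnable Off             # 8.3.13: TRACE answered with 405
Timeout 60                  # 8.3.10
KeepAlive On
KeepAliveTimeout 5          # 8.3.10
LogLevel warn               # 8.3.11: "debug" only while troubleshooting
<IfModule mpm_prefork_module>
    MaxClients 20           # 8.3.10: size this for the hardware
</IfModule>

# 8.3.2: nothing outside the published site is served
# (Apache 2.4: replace Order/Deny with "Require all denied")
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>
<Directory /var/www>
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

# ---- /etc/apache2/sites-available/newwebsite (assumed name; a2ensite it) ----
<Directory /var/www/NewWebsite>
    # 8.3.3 and 8.3.9: no listing, no symlink following, no SSI, no CGI,
    # and .htaccess cannot re-enable any of them
    Options -Indexes -FollowSymLinks -Includes -ExecCGI
    AllowOverride None
    # 8.3.14: intranet only; 10.0.2.0/24 is the assumed lab range
    # (Apache 2.4: "Require ip 10.0.2.0/24")
    Order deny,allow
    Deny from all
    Allow from 10.0.2.0/24
    # 8.3.7 and 8.3.8: 500 KiB body; the XML limit must not exceed it
    LimitRequestBody 512000
    LimitXMLRequestBody 512000
</Directory>

<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/NewWebsite
    # 8.3.11: request logging is per virtual host
    CustomLog /var/log/apache2/access.log combined
    ErrorLog /var/log/apache2/error.log
</VirtualHost>

# 8.3.15: HTTPS on 443 (needs "a2enmod ssl"; Debian's ports.conf adds
# "Listen 443" once mod_ssl is enabled)
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/NewWebsite
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/example.crt
    SSLCertificateKeyFile /etc/apache2/ssl/example.com.key
    CustomLog /var/log/apache2/ssl_access.log combined
    ErrorLog /var/log/apache2/error.log
</VirtualHost>
</IfModule>
```

The Directory block for /var/www/NewWebsite is shared by both virtual hosts, so the intranet restriction and size limits apply identically over HTTP and HTTPS; keeping it outside the VirtualHost blocks avoids the two drifting apart.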


Page 51: Linux Server Hardening - Steps by Steps


9. User and Group hardening

9.1. Change msfadmin password and username

The default msfadmin/msfadmin credentials of Metasploitable2 are public knowledge, so both the password and the account name are changed.

Command: passwd msfadmin

Enter new UNIX password: supply a new password

Retype new UNIX password: supply the same new password

Change the username of msfadmin to suadm. The account must not be logged in while it is renamed, and the home directory keeps its old path unless usermod is also given -d and -m.

Command: usermod -l suadm msfadmin


Page 53: Linux Server Hardening - Steps by Steps


9.2. Change password complexity

Install the libpam-cracklib PAM module to enable cracklib password-strength checking.

Command: apt-get install libpam-cracklib

Command: nano /etc/pam.d/common-password

Page 54: Linux Server Hardening - Steps by Steps


Change the lines highlighted in the screenshot below; put the following two lines into the file. Module arguments take no spaces around "=", and the type keyword is lowercase.

password required pam_cracklib.so retry=3 minlen=10 difok=3 ucredit=-1 dcredit=-1 ocredit=-1

password required pam_unix.so use_authtok nullok sha512

Description

retry=3: prompt the user at most 3 times before returning an error.

minlen=10: the minimum acceptable length for a new password is 10 characters (strictly, the minimum score after credits are applied; with the negative credits below it behaves as a plain length).

difok=3: at least 3 characters of the new password must differ from the old one; otherwise the user sees "BAD PASSWORD: is too similar to the old one".

dcredit=-1: at least 1 digit.

ucredit=-1: at least 1 upper-case letter.

ocredit=-1: at least 1 other (non-alphanumeric) character.

Note the sign of the credit values: a positive value such as ucredit=1 only grants a length credit for that character class and does not require it; a negative value imposes a minimum count.

Page 55: Linux Server Hardening - Steps by Steps


The screenshot after changes applied:

Page 56: Linux Server Hardening - Steps by Steps


9.3. Add user and group

Command: adduser <username>

New UNIX password: Supply a password

Retype new UNIX password: Supply the same password

List all groups

Command: cat /etc/group


List the users in a group (the members command comes from the members package):

Command: members <group name>


9.4. Force users to change their password upon first login

Use the chage command to force users to change their password upon first login:

Command: chage -d 0 jacklee

Now log in as “jacklee”: the user is forced to change the password.


9.5. Configure Password Aging

Run following command to change the password aging of user “jacklee”

Command: chage -M 60 -m 7 -W 7 jacklee

-m : The minimum number of days required between password changes, i.e. the number of days the user must wait before being allowed to change his/her password again.

-M : The maximum number of days the password is valid (after that the user is forced to change his/her password).

-W : The number of days before the password expires on which the user is warned that his/her password must be changed.

To list the current aging settings, run chage as follows:

Command: chage -l jacklee


9.6. Limit password reuse on Linux

Open your /etc/pam.d/common-password file:

Command: nano /etc/pam.d/common-password

Edit or add the password line and append remember=13 to prevent a user from re-using any of his or her last 13 passwords:

password sufficient pam_unix.so use_authtok md5 shadow remember=13

Keep the hash algorithm consistent with the line configured in 9.2: prefer sha512 over md5, which is obsolete for password hashing.


9.7. Verify No Accounts Have Empty Passwords

Command: awk -F: '($2 == "") {print}' /etc/shadow

Lock all accounts that have an empty password:

Command: passwd -l accountName


9.8. Make Sure No Non-Root Accounts Have UID Set To 0

Only the root account should have UID 0, which gives full permissions on the system. Type the following command to display all accounts with UID set to 0:

Command: awk -F: '($3 == "0") {print}' /etc/passwd

You should see only one line, as follows:

root:x:0:0:root:/root:/bin/bash

If you see other lines, delete those accounts or make sure you have authorized them to use UID 0.
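The checks of 9.5, 9.7 and 9.8 combined into one audit script, as an added example that is not part of the original document. It runs against constructed copies of /etc/passwd and /etc/shadow embedded below; the account names toor and svc are invented, and the 60-day maximum age is the value chosen in 9.5.

```shell
#!/bin/sh
# Added example (not from the original document): audit constructed copies of
# /etc/passwd and /etc/shadow for the checks in 9.5, 9.7 and 9.8. The sample
# files are built here so the script runs offline; the accounts toor and svc
# are made up. On a live system pass /etc/passwd and /etc/shadow instead.
PASSWD_FILE=$(mktemp) SHADOW_FILE=$(mktemp)
trap 'rm -f "$PASSWD_FILE" "$SHADOW_FILE"' EXIT
cat >"$PASSWD_FILE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second uid 0 account:/root:/bin/bash
jacklee:x:1001:1001::/home/jacklee:/bin/bash
svc:x:1002:1002::/var/lib/svc:/bin/false
EOF
cat >"$SHADOW_FILE" <<'EOF'
root:$6$saltsalt$hashhashhash:16000:0:99999:7:::
toor:$6$saltsalt$hashhashhash:16000:0:99999:7:::
jacklee:$6$saltsalt$hashhashhash:16000:7:60:7:::
svc::16000:0:99999:7:::
EOF

# 9.8: every account whose UID (field 3) is 0; only "root" should appear.
uid0_accounts() { awk -F: '$3 == "0" {print $1}' "$1"; }

# 9.7: every account whose password field (field 2) is empty.
empty_password_accounts() { awk -F: '$2 == "" {print $1}' "$1"; }

# 9.5: accounts whose maximum password age (field 5) is unset, the 99999
# "never" value, or above the policy maximum given as the second argument.
stale_aging_accounts() {
  awk -F: -v max="$2" '$5 == "" || $5 == "99999" || $5 + 0 > max {print $1}' "$1"
}

# Summarise the findings; the exit status lets a cron job or CI check flag them.
audit() {
  extra=$(uid0_accounts "$1" | grep -vx root || true)
  empty=$(empty_password_accounts "$2")
  stale=$(stale_aging_accounts "$2" "$3")
  [ -z "$extra$empty$stale" ] && return 0
  printf 'UID 0 besides root: %s\nempty password: %s\nno/weak max age: %s\n' \
    "$extra" "$empty" "$stale"
  return 1
}

audit "$PASSWD_FILE" "$SHADOW_FILE" 60 || echo "audit: action required"
```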


9.9. Restrict User and Group Access

9.9.1. Create and Maintain a Group for All Authorized Users

Create a group named “normalusers”:

Command: groupadd normalusers

Add all authorized users to this group:

Command: usermod -aG {groupName} {username}

-a : Add the user to the supplementary group(s), i.e. append the user to the current supplementary group list.

-G : A list of supplementary groups which the user is also a member of.

9.9.2. Restrict Access

Now the group of users has been created. Next, use the chgrp command to change the group of /opt/apps to the normalusers group:

Command: chgrp normalusers /opt/apps

Disable the file permissions for others:

Command: chmod 0640 /opt/apps

Note that 0640 on a directory also removes the execute (search) bit, so group members cannot enter it; for a directory use 0750, which still gives others no access while letting the group traverse it.


9.10. Disable root account

Disable root login:

Command: sudo passwd -l root

Disable root login over SSH:

Edit /etc/ssh/sshd_config, change PermitRootLogin to no, and restart the SSH service so the change takes effect.


10. Secure /etc/fstab

Temporary storage directories such as /tmp, /var/tmp and /dev/shm are world-writable, so they give an attacker a place to drop and execute malicious code. Mount them so that this is not possible.

10.1. Securing /var/tmp

Command: sudo vi /etc/fstab

Append the following line (it bind-mounts /tmp onto /var/tmp with restricted options):

/tmp /var/tmp none rw,noexec,nosuid,nodev,bind 0 0

Meanings:

noexec - Do not allow execution of any binaries on this partition

nodev - Do not allow character or block special devices on this partition

nosuid - Do not honour SUID/SGID bits on this partition (prevents setuid escalation)

Note that noexec on /tmp can break package installation scripts that unpack and run helpers there; test package upgrades after making this change.


10.2. Securing tmpfs

Command: sudo vi /etc/fstab

Append the following:

tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0
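A check for the options of 10.1 and 10.2, as an added example that is not part of the original document. It parses a constructed fstab embedded below in which /dev/shm lacks noexec and /tmp has no entry at all, so both failure modes are exercised; on a live system point it at /etc/fstab, or at /proc/mounts to verify what is actually mounted.

```shell
#!/bin/sh
# Added example (not from the original document): verify that the temporary
# locations of sections 10.1 and 10.2 carry noexec, nosuid and nodev.
# A constructed fstab is embedded so the script runs offline; its UUID is fake.
FSTAB_FILE=$(mktemp)
trap 'rm -f "$FSTAB_FILE"' EXIT
cat >"$FSTAB_FILE" <<'EOF'
# <file system> <mount point> <type> <options> <dump> <pass>
UUID=0000-CONSTRUCTED / ext3 errors=remount-ro 0 1
/tmp /var/tmp none rw,noexec,nosuid,nodev,bind 0 0
tmpfs /dev/shm tmpfs defaults,nodev,nosuid 0 0
EOF

# Print the option field for a mount point, or nothing if it has no entry.
mount_options() {
  awk -v mp="$2" '$1 !~ /^#/ && $2 == mp {print $4}' "$1"
}

# Report the required options missing for one mount point. Output is either
# "<mountpoint> missing: opt1 opt2", "<mountpoint> not in fstab", or nothing
# when the entry is complete; the exit status is non-zero on any finding.
check_mount() {
  opts=$(mount_options "$1" "$2")
  if [ -z "$opts" ]; then printf '%s not in fstab\n' "$2"; return 1; fi
  missing=""
  for want in noexec nosuid nodev; do
    case ",$opts," in *",$want,"*) ;; *) missing="$missing $want" ;; esac
  done
  [ -z "$missing" ] && return 0
  printf '%s missing:%s\n' "$2" "$missing"
  return 1
}

# Walk the three temporary locations named in the text; non-zero if any fails.
check_tmp_mounts() {
  rc=0
  for mp in /tmp /var/tmp /dev/shm; do check_mount "$1" "$mp" || rc=1; done
  return $rc
}

check_tmp_mounts "$FSTAB_FILE" || echo "fstab: hardening options incomplete"
```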


11. Encrypt File Systems

11.1. Encrypt and decrypt a file with a password

Show the content of the file:

Command: more test.txt

openssl

256-bit AES in CBC mode with a password is used for this sample; the command creates a new file called test.out:

Command: sudo openssl enc -aes-256-cbc -salt -in test.txt -out test.out

In this form the key is derived from the password with OpenSSL's legacy EVP_BytesToKey scheme; on OpenSSL 1.1.1 or later add -pbkdf2 so that an iterated key derivation is used.


mcrypt

The command creates a new file with the extension .nc and asks for a password:

Command: sudo mcrypt test.out

gnupg

gpg -c encrypts the data symmetrically with a passphrase (no digital signature is created) and writes a new file with the extension .gpg:

Command: sudo gpg -c test.out.nc


After all the encryption steps the files look like this.

Command: ls (shows all files in the current directory)

Delete the original file and the intermediate files if they are no longer needed. In this sample we used three rm steps to delete all previous files.

Command: rm filename


Decrypt the final file by reversing the steps: gnupg first, then mcrypt, then openssl. To open the one file we need to decrypt three times. Don't forget the passwords you chose when encrypting the file.


11.2. Encrypt a folder or directory

In this screenshot the folder can still be accessed with the cd command.

To encrypt a folder or directory, we need to install encfs:

Command: sudo apt-get install encfs

After installing encfs, select the folder and start encrypting it; this requires a password. In this sample the folder testing2 is the target (~/.testing1 holds the encrypted data and ~/testing2 is the mount point where it is presented in clear):

Command: sudo encfs ~/.testing1 ~/testing2

Checking whether we can still access the folder after encryption: the result is permission denied.


In order to access this folder again, unmount the encrypted view:

Command: fusermount -u ~/testing2


12. Disable the IPv6 protocol

To increase browsing speed and security you need to disable the IPv6 protocol, because on Linux it is enabled by default.

Command: sudo vi /etc/modprobe.d/aliases

Find the line “alias net-pf-10 ipv6” and replace it with “alias net-pf-10 off” and “alias ipv6 off”, then save and close the file.


13. Log Files

You need to configure logging and auditing so that all hacking and cracking attempts are recorded. By default syslog stores its data in the /var/log/ directory. The logs are also needed to find any software misconfiguration.

Common Linux log file names and usage:

/var/log/messages : General messages and system related information

/var/log/auth.log : Authentication logs

/var/log/kern.log : Kernel logs

/var/log/cron.log : Crond logs (cron job)

/var/log/maillog : Mail server logs

/var/log/qmail/ : Qmail log directory (more files inside this directory)

/var/log/httpd/ : Apache access and error logs directory

/var/log/lighttpd/ : Lighttpd access and error logs directory

/var/log/boot.log : System boot log

/var/log/mysqld.log : MySQL database server log file

/var/log/secure or /var/log/auth.log : Authentication log

/var/log/utmp or /var/log/wtmp : Login records file

/var/log/yum.log : Yum command log file.
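Detection logic over the authentication log named above, as an added example that is not part of the original document. It works on a few constructed /var/log/auth.log lines embedded below (the hostname, addresses and user names are invented), counts failed SSH password attempts per source address and lists the user names tried from any source that crosses a threshold.

```shell
#!/bin/sh
# Added example (not from the original document): summarise failed SSH logins
# from auth.log-style lines. The sample lines are constructed so the script
# runs offline; on a live system pass /var/log/auth.log instead.
AUTH_LOG=$(mktemp)
trap 'rm -f "$AUTH_LOG"' EXIT
cat >"$AUTH_LOG" <<'EOF'
Jul 15 10:01:02 metasploitable sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jul 15 10:01:05 metasploitable sshd[2003]: Failed password for root from 203.0.113.7 port 51023 ssh2
Jul 15 10:01:09 metasploitable sshd[2005]: Failed password for invalid user oracle from 203.0.113.7 port 51024 ssh2
Jul 15 10:02:11 metasploitable sshd[2010]: Accepted publickey for suadm from 192.0.2.10 port 40112 ssh2
Jul 15 10:03:40 metasploitable sshd[2014]: Failed password for jacklee from 192.0.2.10 port 40120 ssh2
Jul 15 10:03:45 metasploitable sshd[2014]: Accepted password for jacklee from 192.0.2.10 port 40120 ssh2
EOF

# Print "<count> <source ip>" for every source with failed password attempts,
# most frequent first.
failed_logins_by_source() {
  awk '/sshd.*Failed password for/ {
         for (i = 1; i <= NF; i++) if ($i == "from") ips[$(i+1)]++ }
       END { for (ip in ips) print ips[ip], ip }' "$1" | sort -rn
}

# Print the sources whose failure count reaches the threshold given as $2.
brute_force_sources() {
  failed_logins_by_source "$1" | awk -v t="$2" '$1 >= t {print $2}'
}

# Print the user names tried from one source, sorted, one per line. sshd logs
# unknown accounts as "invalid user <name>", so the name is three words later.
usernames_tried_from() {
  awk -v ip="$2" '/Failed password for/ && $0 ~ ("from " ip " ") {
         for (i = 1; i <= NF; i++) if ($i == "for") {
           u = $(i+1); if (u == "invalid") u = $(i+3); print u } }' "$1" | sort -u
}

for ip in $(brute_force_sources "$AUTH_LOG" 3); do
  echo "possible brute force from $ip, users tried: $(usernames_tried_from "$AUTH_LOG" "$ip" | tr '\n' ' ')"
done
```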


13.1. Monitor Suspicious Log Messages with Logwatch

Install logwatch using “sudo apt-get install logwatch”.

Configuration shouldn't be edited in the install directory (/usr/share/logwatch). Copy logwatch.conf to

/etc/logwatch before editing:

Command: sudo cp /usr/share/logwatch/default.conf/logwatch.conf /etc/logwatch/conf/


Edit logwatch.conf to put in the e-mail where you want the report sent:

MailTo = [email protected]


14. Setting up AIDE (Advanced Intrusion Detection Environment)

AIDE provides software integrity checking and can detect that intrusions (modification of system binaries) have taken place. It is a replacement for the well-known Tripwire integrity checker.

Install AIDE using the following command:

Command: sudo apt-get install aide

The default configuration is acceptable for many environments.

/etc/aide/aide.conf and /etc/aide/aide.conf.d/ - Default AIDE configuration files.

/var/lib/aide/aide.db - Default location for the AIDE database.

/var/lib/aide/aide.db.new - Default location for a newly-created AIDE database.

Build the initial database with aideinit (the Debian/Ubuntu helper script) before the first check, and keep a copy of aide.db on read-only or off-host storage so that an intruder cannot rewrite the baseline along with the binaries.


15. Limitations

Metasploitable 2 is based on Ubuntu 8.04 (Hardy).

GRUB is 1.5.
