Security Tips
From LinodeWiki
Note: Not much of this will actually help you.
Tip 1: install mod_security to help protect Apache from many common attacks
Tip 2: install mod_evasive to help protect Apache from denial-of-service attacks
Tip 3: install syslog-ng to replace syslogd and offload some logging to a remote server. syslog-ng is highly recommended even if you don't do remote logging.
Tip 4: replace inetd with:
- xinetd and/or
- /services (like qmail). See http://www.thedjbway.org/ (you'll either hate it or love it).
I use both xinetd and /services 'thedjbway'. Both offer different features so I control several services with xinetd and all others using /services.
Tip 5: install Bastille Linux, a simple question-and-answer script that hardens your Linux distro and educates you in the process. Highly recommended.
Tip 6: install the Shorewall firewall or, alternatively, FireHOL. Both are much better than hand-crafting iptables rules 99% of the time. I chose Shorewall; others may like FireHOL. Try both and decide, both are very good.
Tip 7: change the SSH port from 22 to a non-standard port number and disable SSH protocol 1. If you don't need to run sshd, then don't: you can access your Linode using Lish.
Tip 8: replace sendmail (insecure, D-) with either qmail (most secure, A+), Postfix (2nd most secure, A), or Exim4 (3rd most secure, A-). Security was evaluated based on design and history of discovered vulnerabilities (quantifiable). Any of these 3 are great sendmail replacements. I chose qmail and am happy with the decision because of ease of maintenance and reliability, but if you hate doing things 'thedjbway' or having to install from source, then Postfix and Exim are excellent choices for replacing sendmail. We're lucky to have 3 great mail servers to replace sendmail.
Note: qmail is both not free software and has been abandoned by the author. If security is your goal, you should choose a currently maintained (and free) mail server.
Tip 9: disable all unused services. Use the 'netstat -a' command to view open ports.
Tip 10: keep your system up-to-date. Check for new versions of installed applications at least once per week, preferably every day.
Tip 11: install logcheck to get hourly automated email alerts based on your log files
Tip 12: install portsentry, but keep in mind that if you dynamically block attacking IP addresses, an attacker can spoof a bunch of valid ones and fill up your iptables rules. portsentry is great when configured to send email alerts, provided you rate-limit your emails so it can't be used against you.
I use shorewall to redirect bad requests to a single port. I use portsentry to only listen to that one port and send email alerts using a rate-limiting script so I don't get hammered with alerts. If I choose, I can deny/allow access to specific IP addresses using 'shorewall deny [ip]' or 'shorewall allow [ip]'. Or view a report of hits using 'shorewall hits', which can be parsed hourly for alerts as well.
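The rate-limiting idea behind Tip 12, as an added example and not the script the author used: a small POSIX sh limiter that lets through at most MAX_ALERTS alerts per WINDOW seconds, counts the rest, and reports the suppressed total once when the window rolls over, so a flood of spoofed hits cannot turn your own alerting into a mailbomb. The state file path, the limits and the deliver_alert stand-in (which appends to a spool file instead of calling mail) are constructed for this example.

```shell
#!/bin/sh
# Per-window alert limiter for portsentry-style email alerts (example code).
# State file holds: <window_start_epoch> <sent_in_window> <dropped_in_window>
STATE_FILE="${STATE_FILE:-/tmp/alert-ratelimit.state}"   # constructed path
SPOOL="${SPOOL:-/tmp/alert-ratelimit.spool}"             # constructed path
MAX_ALERTS="${MAX_ALERTS:-5}"    # alerts allowed per window
WINDOW="${WINDOW:-3600}"         # window length in seconds
MAIL_CMD="${MAIL_CMD:-deliver_alert}"  # swap for e.g. a mail(1) wrapper

# Stand-in mailer so the example runs offline: one line per "email".
deliver_alert() {
    printf '%s\n' "$1" >> "$SPOOL"
}

# rate_limited_alert MESSAGE [NOW_EPOCH]
# Returns 0 when the alert was delivered, 1 when it was suppressed.
# NOW_EPOCH is optional and exists so behaviour can be tested deterministically.
rate_limited_alert() {
    msg=$1
    now=${2:-$(date +%s)}
    start=0; count=0; dropped=0
    if [ -f "$STATE_FILE" ]; then
        read -r start count dropped < "$STATE_FILE"
    fi
    if [ $((now - start)) -ge "$WINDOW" ]; then
        # Window expired: summarise what was dropped, then start a fresh one.
        if [ "$dropped" -gt 0 ]; then
            "$MAIL_CMD" "portsentry: $dropped alert(s) suppressed in previous window"
        fi
        start=$now; count=0; dropped=0
    fi
    if [ "$count" -lt "$MAX_ALERTS" ]; then
        count=$((count + 1))
        printf '%s %s %s\n' "$start" "$count" "$dropped" > "$STATE_FILE"
        "$MAIL_CMD" "$msg"
        return 0
    fi
    # Over budget for this window: count it, send nothing.
    dropped=$((dropped + 1))
    printf '%s %s %s\n' "$start" "$count" "$dropped" > "$STATE_FILE"
    return 1
}
```

Point whatever hook portsentry uses to alert you at rate_limited_alert with the alert text as its argument, and replace deliver_alert with a call to your real mailer.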
