Security (Wheezy)
Security is a process, not a state. On the plus side, a lot of stuff from my earlier documentation on this has become the default in Wheezy. It is certainly made easier by not being the only one doing it.
/etc/inittab
# Since we're not using X, can enable all ttys, or alternately prep # them all and comment most out. # Each one takes up about ~160kb of RAM while idle, so not a huge # drain, and is the sort of thing swap is actually for on a server. 1:2345:respawn:/sbin/getty 38400 tty1 2:23:respawn:/sbin/getty 38400 tty2 3:23:respawn:/sbin/getty 38400 tty3 4:23:respawn:/sbin/getty 38400 tty4 5:23:respawn:/sbin/getty 38400 tty5 6:23:respawn:/sbin/getty 38400 tty6 7:23:respawn:/sbin/getty 38400 tty7 8:23:respawn:/sbin/getty 38400 tty8 9:23:respawn:/sbin/getty 38400 tty9 10:23:respawn:/sbin/getty 38400 tty10 11:23:respawn:/sbin/getty 38400 tty11 12:23:respawn:/sbin/getty 38400 tty12
# ... # You can disable ctrl+alt+del from console. Note that this might block # remote soft reboot software. # What to do when CTRL-ALT-DEL is pressed. #ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
/etc/securetty
# /etc/securetty: list of terminals on which root is allowed to login. # See securetty(5) and login(1). # I end up deleting the vast majority of these, leaving only the ones below.
console
# Virtual consoles tty1 tty2 tty3 tty4 tty5 tty6 tty7 tty8 tty9 tty10 tty11 tty12
/etc/security/limits.conf
#<domain> <type> <item> <value> # The main thing to note here are the core dumps # and mysql's memory access. The latter is a # legacy element. # * soft core 0 * hard core - * - maxlogins 3 * - memlock 2048 * - msgqueue 1048576 * - nofile 8192 * - nproc 256 * - sigpending 16384 * - stack 8192 mysql - maxlogins 0 mysql - memlock 33554432 root - maxlogins - root - memlock 33554432 root - nproc -
/etc/host.conf
Read hosts first, then try a domain lookup if that fails. I am far more likely to be trying to override something when I put something in my hosts file.
order hosts,bind multi on nospoof on spoofalert on
/etc/login.defs
- LOG_OK_LOGINS yes
- SULOG_FILE /var/log/sulog
- CHFN_RESTRICT frwh
- Don't ask me why I bother with this, I could not tell you : p
- SHA_CRYPT_MIN_ROUNDS 65536
- Or higher. Just remember what you are setting it to.
PAM
- Install the libpam-tmpdir package, if you have not already.
- /etc/pam.d/common-auth
- Remove nullok_secure from the auth line
- /etc/pam.d/su
- Uncomment and add group=wheel:
- auth required pam_wheel.so group=wheel
- Make sure root is part of the wheel group as precaution
- /etc/pam.d/common-password
- add 'rounds=65536' to the password line:
- password [success=1 default=ignore] pam_unix.so obscure sha512 rounds=65536
- Regenerate root, administrator passwords
Directory and file Permissions
find / -perm -2000 -group 0
This should only return directories. /var/cache/man in particular.
chmod 0700 /root /lost+found chmod 0751 /etc /home /etc/ssh/ chmod 0750 /mnt /boot /etc/rsyslog.d/ /etc/cron.d/ /etc/cron.hourly/ /etc/cron.daily/ /etc/cron.weekly/ /etc/cron.monthly/ chmod 0750 /storage /innodb
Or whatever you choose your database/general directories to be. I dislike /opt and /srv, at least for things that I will be dedicating entire hard drives to (or most of them).
chgrp staff /storage
Or whatever again.
chmod 0640 /etc/crontab /etc/fstab /etc/inittab /etc/securetty /etc/ssh/sshd_config /etc/rsyslog.conf
Clear out unnecessary setuid binaries:
find / -perm -4000 -user 0
Only /bin/su is absolutely necessary.
- /sbin/pam-tmpdir-helper is needed if you are using the pam tmpdir module above
- suexec if you are still using Apache
- screen needs setuid if using in multi-user mode.
- sudo if you use that. Since this is a server, I find the idea of typing 'sudo' before a million commands highly annoying, personally. sudo is very much a thing for work/home machines, in my opinion.
- ping and ping6 are somewhat annoying to leave as non-suid, but see below.
On a default Wheezy install:
chmod u-s /usr/bin/passwd /usr/bin/chsh /usr/bin/gpasswd /usr/bin/newgrp /usr/bin/chfn /usr/lib/eject/dmcrypt-get-device /usr/lib/openssh/ssh-keysign /usr/lib/pt_chown /bin/mount /bin/umount
and
chmod u-s /sbin/mount.nfs
If using nfs
To let a specific group of users (staff, here) use ping and ping6
chmod 4750 /bin/ping /bin/ping6 chgrp staff /bin/ping /bin/ping6
Remove sound support
If much of the above straddles the 'security' line this probably crosses it. Still, if I hear my server that means something bad has happened.
To get sound modules:
lsmod | grep snd
Blacklist these, along with pcspkr, in a file like /etc/modprobe.d/blacklist.conf:
# /etc/modprobe.d/sound-blacklist.conf # Hear no evil. blacklist pcspkr blacklist snd_pcm blacklist snd_timer blacklist snd_page_alloc blacklist snd blacklist snd-pcsp blacklist soundcore
ninja
ninja is a nifty little package that kills things that inappropriately escalate to root. It is far from perfect, but I have tried to hone my configuration over the years.
/etc/ninja/whitelist
/bin/su:wheel: /usr/bin/sudo:wheel: /usr/bin/sudoedit:wheel: /usr/bin/screen:mcusers:
Obviously, set screen to whomever is going to be using it accordingly. I use it for Minecraft, personally.
/etc/ninja/ninja.conf
- group = 70
- Your wheel group
- interval = 0
- You may wish to set interval to 1 as it does use some cpu. This likely renders it pointless, however.
- proc_scan_offset = 300
- no_kill = yes
- no_kill_ppid = yes
- above two are for during testing only.
Run
ps --ppid 1
to get init ids. Still haven't figured out how to whitelist rc, debian-start or ntpdate, unfortunately, so I have not been able to force this system-wide yet.
ninjalert.sh
#!/bin/sh mail -s "ninja triggered by user $1" root vekseid@gmail.com <<EOF ninja activated on process escalation by user $1 EOF
Add to ninja.conf
rkhunter
As of Wheezy, the only one that has been updated.
- Install rkhunter and unhide
- In /etc/rkhunter.conf
- MAIL-ON-WARNING - add email addresses
- DISABLE_TESTS - reenable hidden_procs, suspscan
- We've installed unhide and /tmp and /var/tmp should be mounted tmpfs
- SCRIPTWHITELIST=/sbin/chkconfig
- False positive.