Securing CentOS

Posted: 2006/09/17 21:41:44
by kanLiDaL
Dear Security,

I am using CentOS 4 x86_64 RAID1 *Power64/Dual64, 6 Gb RAM, 320 Gb HDD, on my server, and last time I just got a rootkit on the server from someone who hates me, I guess :-). Some friend told me that some kernels are not secure and that they can get rooted the way they did with me. I am trying to secure the server, but I need more info on how I can handle this best. I am searching on the internet, but I can't know 100% for sure that this is the most secure way. Please give me some advice on how I can secure the server so I never have to deal with this issue again, because I needed to reinstall everything and that meant doing a lot.

Please advise on what kernel to install (version), what kind of firewall and settings..., which services to shut down, and optimizing CentOS for use with websites and also IRC and radio so that it can work in the most optimal way. Also give me some addresses where I can find some help on optimizing CentOS for us. I don't need the fancy stuff, I just need it to work in a very stable and steady way.

Give me the pointers so that most lamers can't touch the server as they have done :-(

Please help me with this problem and thanks.

Best regards,

Kanlidal

Re: Securing CentOS

Posted: 2006/09/21 11:06:54
by stephan
If your server got a rootkit, you would be best setting up a new one, as you can't trust the old one.

Sometimes people get in by running an exploit through a PHP script that could be out of date; then, if it's an old kernel, they can get more access to the server that way.

So I suppose my recommendation would be to set up a new server, check that all your scripts are up to date, and run "yum update" or "yum upgrade" from time to time. You can also subscribe to the CentOS mailing lists to get informed about any security upgrades.

For a kernel upgrade (if yum upgrade does one), remember to reboot the server afterwards.

"rkhunter" is quite a good tool for finding rootkits as well. If you run it fairly often, perhaps on a cron, that can be quite handy.

For now, while I guess you are still using the old server, I'd run this:

# Drop SSH from every source address except your own (old iptables "-s !" syntax, as shipped with CentOS 4)
iptables -I INPUT -s ! YOUR_IP_ADDRESS -p tcp --dport ssh -j DROP
# Persist the rule to /etc/sysconfig/iptables so it survives the reboot (plain iptables-save only prints to stdout)
service iptables save
# Pull in all updates, including the kernel
yum upgrade
# A new kernel is only in use after a reboot
reboot

(where YOUR_IP_ADDRESS is a static IP of a server you can ssh into the server from).

That will:

Block SSH from everywhere apart from your IP
save the rule
Upgrade CentOS
reboot the server
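The same idea extended to more than one admin address, as an added example that is not stephan's code: SSH is accepted only from a list of addresses and dropped for everyone else, using a dedicated chain so the rules can be audited and re-applied without stacking duplicates. ADMIN_IPS, the chain name SSH-ADMIN and the function names are assumptions; the addresses are constructed samples from the RFC 5737 documentation ranges.

```sh
#!/bin/sh
# Added example: SSH allow-list for iptables on a CentOS-style box.
# ADMIN_IPS is a placeholder holding constructed sample addresses.
ADMIN_IPS="203.0.113.10 198.51.100.7"

# Return 0 if $1 is a dotted-quad IPv4 address with octets 0-255.
# Validating first avoids feeding a typo to iptables and locking yourself out.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the iptables commands for a space-separated list of admin addresses.
# Nothing is printed if any address is malformed (returns 1).
ssh_allowlist_rules() {
    for ip in $1; do
        valid_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
    done
    # Create the chain, or flush it if it already exists from an earlier run.
    echo "iptables -N SSH-ADMIN 2>/dev/null || iptables -F SSH-ADMIN"
    for ip in $1; do
        echo "iptables -A SSH-ADMIN -s $ip -p tcp --dport 22 -j ACCEPT"
    done
    echo "iptables -A SSH-ADMIN -p tcp --dport 22 -j DROP"
    # Remove any earlier jump before inserting it at the top of INPUT,
    # so re-running the script never leaves duplicate jump rules behind.
    echo "iptables -D INPUT -p tcp --dport 22 -j SSH-ADMIN 2>/dev/null || true"
    echo "iptables -I INPUT 1 -p tcp --dport 22 -j SSH-ADMIN"
}

# Apply the rules (needs root) and persist them to /etc/sysconfig/iptables.
apply_ssh_allowlist() {
    ssh_allowlist_rules "$1" | sh -e && service iptables save
}
```

Run `ssh_allowlist_rules "$ADMIN_IPS"` first to review the generated commands from a console session that does not depend on SSH, then `apply_ssh_allowlist "$ADMIN_IPS"`.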

Re: Securing CentOS

Posted: 2006/10/22 14:18:19
by Drexxor
Hi there, I'm not going to hijack this topic, but I would like to ask: is the "My IP address" the server IP or my IP?
How would I add more IP addresses to access the server, because one of my friends and I are SSHing to the server?

Thanks,
Drexxor

Securing CentOS

Posted: 2006/10/22 18:01:33
by garskoci
Drexxor: Yeah, you should probably start a new thread. Someone will probably answer your question then.

Re: Securing CentOS

Posted: 2006/12/29 03:57:24
by billwest
Kanlida,

Did you get this resolved?

You can install the package chkrootkit (available as an rpm).
Also, have a look at Bastille-Linux, a system hardening tool.

Bill.

Re: Securing CentOS

Posted: 2007/01/04 19:25:41
by jwalden
There's an excellent guide to hardening Linux at

http://www.puschitz.com/SecuringLinux.shtml

but you should wipe your system and start from scratch before beginning hardening, as it's impossible to be 100% certain you removed everything hidden via the rootkit.