Restrict access to the server
- Disable all remote-login daemons other than sshd (telnet, rsh, rlogin and the like). On Debian-based systems they are managed by inetd, so use commands similar to the following:
/usr/sbin/update-inetd --disable telnet
On Red Hat-based systems these services run under xinetd and are switched off with chkconfig telnet off (and similarly for rsh and rlogin).
- Add a non-root user to the system and give it a password, substituting your own username (passwd takes the username, not the password, as its argument and prompts for the new password):
# adduser username
# passwd username
- Disable direct root login over SSH by setting the following in "/etc/ssh/sshd_config":
PermitRootLogin no
Restart sshd by entering either /etc/init.d/ssh restart or service sshd restart (depending on your Linux distribution). Keep your current session open and confirm from a second terminal that the new user can log in before you rely on it: once root login is disabled, a typo in this file can lock you out of a remote machine.
- Grant sudo (root) privileges to your non-root user by running "visudo" (sudo may have to be installed first via apt-get or yum) and adding the following line, again substituting the new user for username:
username ALL=(ALL) ALL
This lets the user log in as non-root and elevate privileges only when needed by running "sudo my_command" (where my_command is the operation to be executed). Always use visudo rather than editing /etc/sudoers directly: it checks the file's syntax before saving, so a mistake cannot leave you with an unusable sudoers file.
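The steps above edit two files by hand. The following shell script is an added example (not part of the Deki Wiki documentation) that applies the sshd change the same way every time and reads back the value sshd will actually use. It takes the config path as an argument so it can be rehearsed on a copy; the sample config it builds is constructed for the demo, and the usage lines in the comments assume a Red Hat-style service command and a sudo that reads /etc/sudoers.d.

```shell
#!/bin/sh
# Added example, not part of the Deki Wiki documentation: set an sshd_config
# directive idempotently and read back the effective value. The functions take
# the config path as an argument so the change can be rehearsed on a copy
# before it touches /etc/ssh/sshd_config.

# sshd_set FILE KEY VALUE
# Rewrites the first line that sets KEY, whether live or commented out
# ("#PermitRootLogin yes" in a stock file), to "KEY VALUE"; appends the
# directive if no such line exists. sshd keywords are case-insensitive, so
# the match is too. Lines inside "Match" blocks are not treated specially.
sshd_set() {
    awk -v key="$2" -v value="$3" '
        function is_key(tok) { return tolower(tok) == tolower(key) }
        !done && (is_key($1) \
                  || (substr($1, 1, 1) == "#" && is_key(substr($1, 2))) \
                  || ($1 == "#" && is_key($2))) {
            print key, value; done = 1; next
        }
        { print }
        END { if (!done) print key, value }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# sshd_get FILE KEY
# Prints the value sshd will use: the first uncommented occurrence, stopping
# at the first "Match" block because values after it are conditional.
sshd_get() {
    awk -v key="$2" '
        tolower($1) == "match"        { exit }
        tolower($1) == tolower(key)   { print $2; exit }
    ' "$1"
}

# Constructed sample: a stock-looking config with the directive commented out
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
Port 22
Protocol 2
#PermitRootLogin yes
X11Forwarding no
EOF
sshd_set "$cfg" PermitRootLogin no
echo "effective PermitRootLogin: $(sshd_get "$cfg" PermitRootLogin)"   # no
rm -f "$cfg"

# On the real host (as root), rehearse, validate, then restart:
#   cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
#   sshd_set /etc/ssh/sshd_config PermitRootLogin no
#   sshd -t && service sshd restart     # sshd -t parses the file and reports errors
# Apply the same "edit, then validate" habit to the sudo step (assumes
# /etc/sudoers contains "#includedir /etc/sudoers.d"):
#   echo 'username ALL=(ALL) ALL' > /etc/sudoers.d/username
#   chmod 0440 /etc/sudoers.d/username && visudo -cf /etc/sudoers.d/username
```

Run it as is to see the rewrite on the sample file; point sshd_set at a copy of your own sshd_config to preview the change, and only then at the real file, keeping an existing session open while you test the new login.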
MySQL basic security
Most MySQL server installations come with an empty root (administrator) password. Set one with the following command (-p prompts for the current password; press Enter if it is empty):
$ mysqladmin -u root -p password "newpassword"
Also, if the MySQL server for your Deki Wiki database runs on the same machine, restrict it to localhost. Find your MySQL configuration file (my.cnf) and set the following line in the [mysqld] section:
bind-address = 127.0.0.1
Restart MySQL by entering sudo /etc/init.d/mysql restart.
With this configuration MySQL accepts no remote connections at all. The Deki Wiki API uses "localhost" to communicate with the database (a local socket, not a TCP connection), so it is unaffected.
If you're running Deki Wiki against a remote MySQL server, look at using secure (SSL) connections, and also read this page.
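Setting the root password and bind-address leaves two things unchecked: the other accounts MySQL ships with (anonymous users, root@'%') and whether the bind-address line really landed in the [mysqld] section. The script below is an added example, not part of the Deki Wiki documentation; the account rows and my.cnf it works on are constructed, and the live commands in the comments assume a MySQL 5.x mysql.user layout (the password column is named authentication_string from 5.7 on).

```shell
#!/bin/sh
# Added example, not part of the Deki Wiki documentation. Two checks that
# follow on from setting the root password:
#   mysql_user_audit   - reads "user<TAB>host<TAB>password" rows, as produced by
#       mysql -u root -p -N -B -e 'SELECT user, host, password FROM mysql.user'
#     (-N drops the header, -B gives tab-separated output; on MySQL 5.7+ select
#     authentication_string instead), and flags anonymous accounts, empty
#     passwords and accounts that may log in from the network
#   mycnf_bind_address - reports the bind-address a my.cnf gives mysqld
# The rows and the my.cnf used below are constructed for the demo.

mysql_user_audit() {
    awk -F'\t' '
        NF == 0 { next }
        {
            user = $1; host = $2; pw = $3
            if (user == "")
                print "REVIEW: anonymous account @" host " (drop it)"
            else if (pw == "")
                print "REVIEW: empty password for " user "@" host
            else if (host != "localhost" && host != "127.0.0.1" && host != "::1")
                print "REVIEW: " user "@" host " may log in from the network"
        }'
}

# mycnf_bind_address FILE
# Prints the bind-address set in the [mysqld] section; prints "*" otherwise,
# since mysqld listens on all interfaces when the option is absent. A line in
# another section (or commented out) does not count, which is the usual mistake.
mycnf_bind_address() {
    awk '
        /^[[:space:]]*\[/ { in_mysqld = ($0 ~ /^[[:space:]]*\[mysqld\]/); next }
        in_mysqld && $1 ~ /^bind[-_]address/ {
            sub(/^[^=]*=[[:space:]]*/, "")      # drop "bind-address ="
            sub(/[[:space:]]*(#.*)?$/, "")      # drop trailing comment/space
            print; found = 1; exit
        }
        END { if (!found) print "*" }
    ' "$1"
}

# Demo on constructed rows: a stock-looking user table after the root password
# was set on root@localhost only ("*HASH" stands in for a real password hash)
printf 'root\tlocalhost\t*HASH\nroot\t%%\t\n\tlocalhost\t\ndeki\tlocalhost\t*HASH\n' \
    | mysql_user_audit

cnf=$(mktemp)
printf '[client]\nport = 3306\n\n[mysqld]\nuser = mysql\nbind-address = 127.0.0.1\n' > "$cnf"
echo "bind-address: $(mycnf_bind_address "$cnf")"    # 127.0.0.1
rm -f "$cnf"

# On the live server, confirm the listener really is local only and remove the
# flagged accounts:
#   netstat -ltn | grep ':3306'        # or: ss -ltn
#   mysql -u root -p -e "DROP USER ''@'localhost'; DROP USER 'root'@'%'; FLUSH PRIVILEGES;"
```

The audit deliberately reports accounts rather than deleting them: on a server that really does host remote clients, the "may log in from the network" lines are the list to cross-check against who actually needs access.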
Setting up the IpTables firewall
iptables is included by default in Red Hat distributions, and the configuration below uses Red Hat's /etc/sysconfig/iptables layout; other distributions ship other front-ends to the same netfilter firewall. Deki needs incoming HTTP connections and unrestricted access on localhost. In this example, SSH for remote login and HTTPS are also allowed.
- Activate IpTables by entering the following:
$ sudo chkconfig iptables on
- Set your (very basic) firewall rules by editing /etc/sysconfig/iptables:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Allow stateful mode
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Accept incoming SSH connections [optional]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# Accept HTTP connections
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# Accept HTTPS connections [optional]
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# Accept all input from localhost. Note that matching on the source address is
# weaker than matching on the interface (-i lo): a packet arriving on the
# external interface with a forged source of 127.0.0.1 is also accepted here.
-A INPUT -s 127.0.0.1 -j ACCEPT
# Accept pings, but limit it to 1/s
-A INPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
COMMIT
- Restart the service by typing the following line:
$ sudo service iptables restart
- Check your configuration by entering:
$ sudo iptables -L -n -v
You should see output similar to this:
Chain INPUT (policy DROP 5 packets, 365 bytes)
pkts bytes target prot opt in out source destination
199 15987 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 160 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 ACCEPT all -- * * 127.0.0.1 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED icmp type 8 limit: avg 1/sec burst 5
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 130 packets, 16163 bytes)
pkts bytes target prot opt in out source destination
- To confirm that you have your firewall configured correctly, use another computer on your network and scan the ports with Nmap:
$ nmap -A my_server.my_domain
You should see results similar to this:
Starting Nmap 4.20 ( http://insecure.org ) at 2008-04-01 11:40 PDT
Interesting ports on my_server.my_domain :
Not shown: 1694 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
80/tcp open http Apache httpd 2.2.3 ((Red Hat))
443/tcp open ssl/http Apache httpd 2.2.3 ((Red Hat))
Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 37.301 seconds
As you can see, all ports except 22, 80 and 443 are filtered by the firewall.
Using SELinux
SELinux (Security-Enhanced Linux) is provided by default on many Linux systems. Entering grep -v "^#" /etc/selinux/config at the command line should result in something similar to the following (getenforce prints the mode currently in effect):
SELINUX=enforcing
SELINUXTYPE=targeted
SETLOCALDEFS=0
SELinux's targeted policy is restrictive with httpd-like daemons: by default Apache (and the Deki front end running inside it) may not open network connections, which leaves Deki unreachable even though the firewall allows the traffic. If SELinux is enabled on your system, you can run the following (-P makes the change persistent across reboots):
$ sudo setsebool -P httpd_can_network_connect true
$ sudo setsebool -P httpd_builtin_scripting true
For more advanced tuning, you may check the httpd_selinux(8) manpage.
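Before enabling a boolean it is worth reading what SELinux actually denied, since the right boolean follows from the denial. The script below is an added example, not part of the Deki Wiki documentation: it condenses AVC records from /var/log/audit/audit.log (for instance the output of ausearch -m avc -ts recent) into one line each. The audit line it processes is constructed to look like httpd being refused a connection to MySQL's port.

```shell
#!/bin/sh
# Added example, not part of the Deki Wiki documentation: summarise SELinux
# AVC denials as "source type -> target type (class): permission [comm=...]".
# Input is raw audit.log text (or ausearch output); the sample below is
# constructed.

avc_summary() {
    awk '
        # user:role:type:level -> type
        function type_of(ctx,    parts, n) {
            n = split(ctx, parts, ":"); return (n >= 3) ? parts[3] : ctx
        }
        /type=AVC/ && /denied/ {
            # permission(s) sit between "denied { " and " }"
            perm = $0
            sub(/.*denied[[:space:]]+\{[[:space:]]*/, "", perm)
            sub(/[[:space:]]*\}.*/, "", perm)
            comm = sc = tc = cls = "?"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^comm=/)     { comm = $i; sub(/^comm="?/, "", comm); sub(/"$/, "", comm) }
                if ($i ~ /^scontext=/) sc  = type_of(substr($i, 10))
                if ($i ~ /^tcontext=/) tc  = type_of(substr($i, 10))
                if ($i ~ /^tclass=/)   cls = substr($i, 8)
            }
            print sc " -> " tc " (" cls "): " perm " [comm=" comm "]"
        }'
}

# Constructed sample denial: the PHP front end inside httpd trying to reach MySQL
avc_summary <<'EOF'
type=AVC msg=audit(1207075200.123:45): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
EOF
# prints: httpd_t -> mysqld_port_t (tcp_socket): name_connect [comm=httpd]

# A name_connect denial from httpd_t to a port type is what the
# httpd_can_network_connect boolean lifts. If the database were the only thing
# Apache had to reach, httpd_can_network_connect_db would be the narrower,
# least-privilege choice; the Deki front end also has to talk HTTP to the Deki
# API service, which is why the page enables the broad boolean.
# Useful live commands (as root):
#   getenforce; getsebool -a | grep httpd
#   ausearch -m avc -ts recent | audit2why
```

Denials against file types (for example httpd_t -> var_lib_t (dir): read) point to a labelling problem rather than a boolean, and are fixed with chcon or a semanage fcontext rule followed by restorecon, not by loosening network permissions.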