Linux Server Hardening Steps (Secure Linux Server)

Linux Server Hardening Steps:

1. /etc/login.defs

This sets the minimum password length to 6 characters.
#vi /etc/login.defs
PASS_MIN_LEN 5 -> change it to PASS_MIN_LEN 6

2. /etc/profile
Idle login sessions on the server will be terminated after 7200 seconds (2 hours).
#vi /etc/profile
Add the following line (at the end of the file):
TMOUT=7200

3. /etc/host.conf
This protects the server against host-name spoofing.
#vi /etc/host.conf and add the following lines:
order hosts,bind
nospoof on

4. /etc/sysctl.conf
The purpose of sysctl hardening is to help prevent spoofing and DoS (Denial of Service) attacks.
#vi /etc/sysctl.conf
Copy and paste (overwrite) the following lines:

#Kernel sysctl configuration file for Red Hat Linux

# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.

# Disables packet forwarding
net.ipv4.ip_forward=0

# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# Enable logging of spoofed packets, source-routed packets and redirect packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.lo.log_martians = 1
net.ipv4.conf.eth0.log_martians = 1

# Disables the magic-sysrq key
kernel.sysrq = 0

# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15

# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1800

# Turn off the tcp_window_scaling
net.ipv4.tcp_window_scaling = 0

# Turn off the tcp_sack
net.ipv4.tcp_sack = 0

# Turn off the tcp_timestamps
net.ipv4.tcp_timestamps = 0

# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1

# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1

# Increases the size of the socket queue (effectively, q0).
net.ipv4.tcp_max_syn_backlog = 1024

# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 1440000

# Allowed local port range (the upper bound must not exceed 65535)
net.ipv4.ip_local_port_range = 16384 65535

lines taken from : http://kb.actsupport.com/kb/entry/226/
Then issue this command to load the settings given above:
#sysctl -p
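Loading the file once is not enough on its own: a later package or a typo in a key can leave the running kernel out of step with the file. The following audit function is an added example, not part of the original post or of any tool it mentions; it compares every "key = value" line of a sysctl.conf-style file with the live value under /proc/sys and reports each difference or unknown key. The function name sysctl_mismatches and its optional second parameter (a substitute root for /proc/sys, used here only so it can be exercised against a constructed tree) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): audit the running kernel against the
# values in a sysctl.conf-style file, so a drifted or never-applied setting is visible.
# sysctl_mismatches CONF [PROCROOT]
#   CONF     : file in "key = value" form, like /etc/sysctl.conf above
#   PROCROOT : root of the sysctl tree, /proc/sys by default (the parameter exists so the
#              function can be tested against a constructed tree; both names are this
#              example's own)
# Prints one line per key whose running value differs from CONF or which does not exist.
sysctl_mismatches() {
    conf="$1"
    root="${2:-/proc/sys}"
    # drop comments and blank lines; only "key = value" lines remain
    sed -e 's/#.*//' "$conf" | grep '=' | while IFS='=' read -r key want; do
        key=$(printf '%s' "$key" | tr -d '[:space:]')
        # normalise whitespace so "16384 65535" compares equal to the tab-separated /proc form
        want=$(printf '%s' "$want" | tr -s '[:space:]' ' ' | sed 's/^ //;s/ $//')
        # sysctl key "net.ipv4.ip_forward" lives at /proc/sys/net/ipv4/ip_forward
        path="$root/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$path" ]; then
            printf '%s: missing (key unknown or interface absent)\n' "$key"
            continue
        fi
        have=$(tr -s '[:space:]' ' ' < "$path" | sed 's/^ //;s/ $//')
        [ "$have" = "$want" ] || printf '%s: expected %s, running %s\n' "$key" "$want" "$have"
    done
}

# Usage on a real host: sh this_script.sh /etc/sysctl.conf
if [ "$#" -gt 0 ]; then sysctl_mismatches "$@"; fi
```

An empty result means every key in the file is present and matches. A "missing" line for an eth0 key is the usual sign that the interface is named differently on the host, which also means the per-interface settings in the file above are silently not applied.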

5. Disable Telnet
Telnet sends usernames and passwords in clear text during login, so it should be disabled on all web servers and replaced with SSH.
#vi /etc/xinetd.d/telnet
In this file, find the "disable" line and set its value to "yes" (disable = yes turns the service off). Save the changes.
After changing the above value(s), you will need to restart the xinetd daemon. As the root user, type the following command:
#/etc/init.d/xinetd reload
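Because a service file without any "disable" line is enabled by default, it is worth checking the whole xinetd directory rather than just telnet. The following function is an added example, not part of the original post: it walks a directory of xinetd service files and prints the name of each service that is not explicitly disabled. The function name xinetd_enabled_services is this example's own; the directory defaults to /etc/xinetd.d and can be overridden for testing.

```shell
#!/bin/sh
# Added example (not from the original post): list xinetd services that are still enabled,
# i.e. whose config lacks "disable = yes". A service with no "disable" line at all is
# enabled by default, so it is reported too.
# xinetd_enabled_services [DIR]   (DIR defaults to /etc/xinetd.d; the function name is
# this example's own)
xinetd_enabled_services() {
    dir="${1:-/etc/xinetd.d}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # last "disable" assignment wins, comments ignored; value compared case-insensitively
        state=$(sed -e 's/#.*//' "$f" \
            | awk -F= '$1 ~ /^[[:space:]]*disable[[:space:]]*$/ { v = $2 } END { print tolower(v) }' \
            | tr -d '[:space:]')
        [ "$state" = "yes" ] || printf '%s\n' "$(basename "$f")"
    done
}

# Usage on a real host, after editing /etc/xinetd.d/telnet: sh this_script.sh /etc/xinetd.d
if [ "$#" -gt 0 ]; then xinetd_enabled_services "$@"; fi
```

Run it before and after the reload: telnet should drop off the list, and anything else still listed is a candidate for the same treatment.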

6. Download and Install APF (Advanced Policy Firewall)
A free and stable iptables-based firewall for Linux.
Download the current apf version:
#cd /usr/local/src/
#wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
#tar -xvzf apf-current.tar.gz
#cd apf-9.6-5/
#./install.sh
(The extracted directory carries the version number, 9.6-5 at the time of writing.)

After the installation is completed, edit the config file:
#vi /etc/apf/conf.apf

Change the following:
USE_DS="1"
USE_AD="1"

Scroll down to this section:
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096"
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="21,53,465,873"

# Common ICMP (inbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
IG_ICMP_TYPES="3,5,11,0,30,8"

Scroll down a bit, then find this section:
EGF="1"
# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,22,25,26,27,37,43,53,80,110,113,443,465,873,2089"
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53,123,465,873"

Save the file and start apf via:
#apf -s
If everything still works, edit the config file again and turn development mode off:
DEVM="0"
Now restart APF:
#apf -r
Note:
#apf -s (start the apf firewall)
#apf -r (restart apf)
#apf -f (stop apf)

7. Download and Install BFD (Brute Force Detection)
BFD is a modular shell script for parsing application logs and checking for authentication failures.
Download the current version of BFD:
#cd /usr/local/src/
#wget http://www.r-fx.ca/downloads/bfd-current.tar.gz
#tar -xzf bfd-current.tar.gz
#cd bfd-version (the extracted directory, named after the version)
Run the install file:
#./install.sh
*******BFD installed**********
Install path: /usr/local/bfd
Config path: /usr/local/bfd/conf.bfd
Executable path: /usr/local/sbin/bfd
#vi /usr/local/bfd/conf.bfd
Enable brute force hack attempt alerts:
Find: ALERT_USR="0" CHANGE TO: ALERT_USR="1"
Find: EMAIL_USR="root" CHANGE TO: EMAIL_USR="your@yourdomain.com"
Save the changes: :wq
Prevent locking yourself out!
#vi /usr/local/bfd/ignore.hosts and add your own trusted IPs
Eg: 192.168.1.1
Run the program!
#/usr/local/sbin/bfd -s
Customize your applications' brute force configuration:
check out the rules directory in /usr/local/bfd
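To make the log-parsing idea behind BFD concrete, here is an added example that is not part of the original post and not BFD's own code. It counts sshd authentication failures per source address in a syslog-style file and reports every source at or above a threshold, skipping addresses listed in an ignore file (the same role ignore.hosts plays above). The function name brute_force_sources, its parameters and the sample log lines in the test are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post, not BFD's code): the core of what BFD does,
# in plain awk. Count sshd authentication failures per source address in a syslog-style
# log and report the sources at or above a threshold, skipping addresses listed in an
# ignore file (same role as /usr/local/bfd/ignore.hosts above). Function and parameter
# names are this example's own.
# brute_force_sources LOG [THRESHOLD] [IGNOREFILE]
brute_force_sources() {
    log="$1"; limit="${2:-5}"; ignore="${3:-/dev/null}"
    awk -v limit="$limit" -v ign="$ignore" '
        # first file: one trusted address per line, "#" comments allowed
        FILENAME == ign { sub(/#.*/, ""); if ($1 != "") trusted[$1] = 1; next }
        # sshd failure lines: "Failed password for ... from A.B.C.D port N ssh2"
        #                     "Invalid user NAME from A.B.C.D"
        /sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { ip = $(i + 1); if (!(ip in trusted)) fails[ip]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= limit) print fails[ip], ip }
    ' "$ignore" "$log" | sort -rn
}

# Usage on a real host: sh this_script.sh /var/log/secure 5 /usr/local/bfd/ignore.hosts
if [ "$#" -gt 0 ]; then brute_force_sources "$@"; fi
```

The output is "count address" per offending source, highest count first. Real BFD adds the time window and the ban action on top of this counting step; the ignore list is the part people forget, which is why the post warns about locking yourself out.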

8. Libsafe:

Libsafe is used to protect Linux against buffer-overflow attacks.
Install Libsafe:
#wget http://www.research.avayalabs.com/project/libsafe/src/libsafe-2.0-16.tgz
#tar xpfz libsafe-2.0-16.tgz
#cd libsafe-2.0-16
#make
#make install
Permanently install libsafe:
#vi /etc/profile
and add at the end of the file:

# Installing libsafe
#
export LD_PRELOAD=/lib/libsafe.so.2
#
# unset LD_PRELOAD to unload it
#
# end of file

9. AIDE:
AIDE (Advanced Intrusion Detection Environment) is a free replacement for Tripwire. It does the same things as the semi-free Tripwire and more. It creates a database from the regular-expression rules that it finds in the config file. Once this database is initialized, it can be used to verify the integrity of the files. It supports several message-digest algorithms (md5, sha1, rmd160, tiger, haval, etc.) for checking file integrity, and more can be added with relative ease. All of the usual file attributes can also be checked for inconsistencies. It can read databases from older or newer versions.

Download AIDE:
http://sourceforge.net/projects/aide

Install AIDE in Linux:
#apt-get install aide
At the time of installation it will ask the following questions; answer as follows:
Where should daily reports be mailed? (Daily reports are mailed to root by default. You may change that here or in /etc/default/aide.) -> OK
Initialize AIDE database? -> yes
It is advisable to look over /var/lib/aide/aide.db.new before replacing the existing database. Replace it anyway (copy aide.db.new to aide.db)? -> yes
This completes the installation; the configuration file is located at /etc/aide/aide.conf.

To initialize the AIDE database:
# aide --init

The database can now be checked with:
# aide --check

To update the database after changing a parameter in aide.conf, issue the command:
# aide --update

10. Disable unwanted services/daemons:
If any of the following services are running, stop them and turn them off with chkconfig.
apmd
atd
autofs
bluetooth
cups
dhcpd
ldap
lpd
ntalk
portmap
pcmcia
telnet
finger
nfs
nfslock
smb
squid
talk
vnc
xfs
yppasswdd
ypbind
ypserv

Example:
#service apmd stop
#chkconfig apmd off

11. Ethtool:
****Note: if you do this on a production server you need to get downtime/approval before moving on to the steps given below****
ethtool is used to display or change Ethernet card settings.
Open the file:
# vi /etc/sysconfig/network-scripts/ifcfg-eth0

If you have a 100 Mbps NIC, append the following line:
ETHTOOL_OPTS="speed 100 duplex full autoneg off"

If you have a 1000 Mbps NIC, append the following line:
ETHTOOL_OPTS="speed 1000 duplex full autoneg off"

Update: if the setting above fails to work for 1000 Mbps, use the following instead (see the comments section for discussion):
ETHTOOL_OPTS="speed 1000 duplex full autoneg on"

After the above changes are done, restart the network daemon:

# /etc/init.d/network restart

12. RKHunter
Install RKHunter:
*Login to your server via SSH as root.
Then type: cd /usr/local/src/

*Download RKHunter (version 1.3.0 in this guide)
Type: wget http://optusnet.dl.sourceforge.net/sourceforge/rkhunter/rkhunter-1.3.0.tar.gz

*Extract the files
Type: tar -xzvf rkhunter-1.3.0.tar.gz

*Type: cd rkhunter-1.3.0

*Type: ./installer.sh --help
The default should do:
./installer.sh --layout /usr/local --install

*Let's set up RKHunter to e-mail you daily scan reports.
# vi /etc/cron.daily/rkhunter.sh
Add the following:
#!/bin/bash
(/usr/local/bin/rkhunter -c --cronjob 2>&1 | mail -s "RKhunter Scan Details" replace-this@with-your-email.com)
Replace the e-mail above with your own e-mail! It is best to send the report to an off-site address so that if the box IS compromised the hacker can't erase the scan report unless he hacks another server too.
Type: chmod +x /etc/cron.daily/rkhunter.sh

*Check the system with RKHunter
#rkhunter -c

*You can view the result of the RKHunter check in the log file:
cat /var/log/rkhunter.log

13. Mod_Security
First we will download and unzip mod_security. This guide compiles for Apache 1.3.x, which is what cPanel currently uses.
#wget http://www.modsecurity.org/download/…y-1.8.4.tar.gz
#tar zxf mod_security-1.8.4.tar.gz
#cd mod_security-1.8.4/apache1

Next, compile mod_security as a module:
#/etc/httpd/bin/apxs -cia mod_security.c

Make a backup of your httpd.conf before touching anything so you have something to go back to if it does not work.
#cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf-mod_sec

Now edit the httpd.conf
#vi /etc/httpd/conf/httpd.conf

Scroll down below the following line:
AddModule mod_security.c
The rules listed in the text file below can just be pasted in. They are a collection of rules, many of them taken from snort, that block most of the common attacks while still letting normal requests by.
http://eth0.us/faq/modsec.txt

Create the error log file:
#touch /var/log/httpd/audit_log

Restart apache
#service httpd restart

If sites start to have problems look at error log.
/var/log/httpd/audit_log

14. Hardening the /tmp folder (world writable):
The /tmp partition is one of the common places for script kiddies and crackers alike to place trojans or scripts. Because of that you should have the /tmp partition mounted noexec. First we need to check whether your /tmp is secure.
#df -h |grep tmp

If that displays nothing then go below to create a tmp partition. If you do have a tmp partition you need to see if it mounted with noexec.
#cat /etc/fstab |grep tmp

If there is a line that includes /tmp and noexec then it is already mounted as non-executable. You will also want to check if /var/tmp is linked to /tmp.
ls -alh /var/ |grep tmp

If it shows something to the effect of "tmp -> /tmp/" then you are OK. If not, go ahead and remove the old /var/tmp and replace it with a symlink to /tmp.
#rm -rf /var/tmp/
#ln -s /tmp/ /var/

If you do not have any /tmp partition you will need to follow the directions below to create and mount a partition.
Create a 190 MB partition
#cd /dev/; dd if=/dev/zero of=tmpMnt bs=1024 count=200000
Format the partition
#mke2fs /dev/tmpMnt
Make a backup of the old data
#cp -Rp /tmp /tmp_backup
Mount the temp filesystem
#mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp

Set the permissions
#chmod 1777 /tmp

Copy the old files back
#cp -Rp /tmp_backup/* /tmp/

Once you do that go ahead and start mysql and make sure it works ok. If it does you can add this line to the bottom of the /etc/fstab to automatically have it mounted:
/dev/tmpMnt /tmp ext2 loop,noexec,nosuid,rw 0 0

Next delete the old /var/tmp and create a link to /tmp
#rm -rf /var/tmp/
#ln -s /tmp/ /var/

If everything still works fine you can go ahead and delete the /tmp_backup directory.
#rm -rf /tmp_backup
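The grep through /etc/fstab above only tells you what is supposed to happen at boot; what actually protects you is the option set on the live mount. The following function is an added example, not part of the original post: it reads /proc/mounts (or a supplied mounts file, so it can be tested offline) and prints which of noexec, nosuid and nodev a mount point lacks, or "not-mounted" when the path is just a directory on another filesystem. It goes slightly beyond the post by also checking nodev, which the mount line above does not set. The function name mount_missing_opts and its parameters are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a mount point such as /tmp really
# carries the hardening options before relying on it. Reads /proc/mounts by default; the
# second parameter lets it run against a constructed mounts file (names are this example's own).
# mount_missing_opts MOUNTPOINT [MOUNTSFILE]
#   prints each of noexec, nosuid, nodev that is absent, or "not-mounted" if MOUNTPOINT is not
#   a separate mount (a /tmp directory on the root filesystem inherits "exec").
#   exit status 0 only when all three options are present.
mount_missing_opts() {
    mp="$1"; mounts="${2:-/proc/mounts}"
    awk -v mp="$mp" '
        # /proc/mounts fields: device mountpoint fstype options dump pass
        $2 == mp { found = 1; n = split($4, o, ","); for (i = 1; i <= n; i++) have[o[i]] = 1 }
        END {
            if (!found) { print "not-mounted"; exit 1 }
            split("noexec,nosuid,nodev", want, ",")
            miss = 0
            for (i = 1; i <= 3; i++) if (!(want[i] in have)) { print want[i]; miss++ }
            exit (miss > 0)
        }' "$mounts"
}

# Usage: mount_missing_opts /tmp && echo "/tmp ok"
```

Run it for /tmp and, if /var/tmp is not a symlink to /tmp, for /var/tmp as well; a clean exit status is what you want before deleting /tmp_backup.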

15. Secure some other important files:
Many PHP exploit scripts use common *nix tools to download rootkits or backdoors. By simply chmod'ing the files so that no non-wheel or non-root user can use them we can eliminate many possible problems. The downside to doing this is that shell users will be inconvenienced by not being able to use the commands below. Mod_security really removes the need to chmod these, but it is an added layer of protection.

#chmod 750 /usr/bin/rcp
#chmod 750 /usr/bin/wget
#chmod 750 /usr/bin/lynx
#chmod 750 /usr/bin/links
#chmod 750 /usr/bin/scp

16.MySQL Tweaks:
#vi /etc/my.cnf
Key Buffer
The key buffer holds the indexes of tables in memory and a bigger key buffer results in faster row lookups. Adjust according to your own needs. Bigger is better, but prevent swapping at all costs. A good rule of thumb seems to be to use 1/4 of system memory.

key_buffer = 128M

Query Cache
This is where the magic happens. Well, not magic really, just plain old caching. Keeping the result of queries in memory until they are invalidated by subsequent writes improves performance by orders of magnitude. The query_cache_size, as the name suggests, is the total size of memory available to query caching. The value query_cache_limit is the maximum size in kilobytes one query result may have in order to be cached. Setting this value too high might prevent a lot of smaller queries from being cached. Setting it too low will result in bigger queries never being cached, and the smaller queries not being able to completely fill the cache size, which would be a waste of resources. Adjust according to your own needs and memory available:

# my.cnf size values take a single K, M or G suffix ("MB" is not accepted)
query_cache_size = 128M
query_cache_limit = 4M

Table Cache
An important variable if your application accesses many tables. It is the number of tables a thread can keep open at the same time. A value of 512 should do no harm.

table_cache = 512

Sort Buffers
sort_buffer_size (the variable previously known as sort_buffer), used for grouping and sorting and is a per-thread buffer. If the buffer can not hold the data to be sorted, a sort is performed on disk. Watch out for making this too large as the buffer is allocated for every thread that needs sorting and with many sorts it can easily consume all your memory.

sort_buffer_size = 32M
myisam_sort_buffer_size = 32M

The InnoDB Engine
Most people do not use the InnoDB engine in MySQL and use MyISAM instead. Since MySQL reserves memory for this engine, you are better off without it. If you need InnoDB, you can find more on its settings in the official MySQL docs.

Add `skip-innodb’ to my.cnf to disable the engine.

Binary Logging
MySQL has a few powerful features. Replicating data changes to a second server is one of them. MySQL keeps a log file of data changes which is used for this purpose. If you do not use replication or use the file as incremental backup, you can disable it. This will save you expensive disk write actions for every change to your data. For applications that have a lot of frequently updated data, this can be quite a performance boost. According to the official docs, this will generally result in just a 1% boost but it’s an easy gain if you do not need the log. Read more about the binary log here. Comment the following line:

log-bin = /var/log/mysql/mysql-bin.log

Temporary Tables
Temporary tables are used for sorting and grouping. The buffer is created on demand, so watch out for setting this too high here as well. If the buffer cannot accommodate the data, a temp file on disk is used instead.

tmp_table_size = 64M

Delayed Writing
This setting can greatly improve writing or updating data to a table. Instead of directly committing data to the disk, MySQL queues writes and returns write queries immediately. Be very very careful with this, because this also means that in case of a power failure or crash, you lose data. You can use this for logging if you don’t mind losing a couple of rows in case of a crash.

delay_key_write = 1

Connection Timeout
This is a little tweak that determines the closing of sleeping connections. The default is one hour and is often too long for practical purposes. I often set this at one minute instead (60).

wait_timeout = 60

The above settings are just to make MySQL a little faster in general. You can get much better speed improvements by optimizing the database itself. Setting the correct indexes on tables can be a life-saver.

17. Fix open DNS recursion:
DNS recursion
For those who have recently noticed that DNSreport now verifies whether your DNS server allows recursive lookups, here is the tip on how to set it up.

Open your named.conf and add the following lines before options {:

acl "trusted" {
xxx.xxx.xxx.xxx;
yyy.yyy.yyy.yyy;
};

where xxx.xxx.xxx.xxx is your IP address, and the same for yyy.yyy.yyy.yyy.
For cPanel users, you can find your IPs in the following file: /etc/nameserverips

After that, inside the options block, add the following after the line "// query-source address * port 53;":
allow-recursion { trusted; };
allow-notify { trusted; };
allow-transfer { trusted; };

Also uncomment that line, changing "// query-source address * port 53;" to "query-source address * port 53;" (without the double quotes).

Restart your service:
#/etc/init.d/named restart

Verify your status again with DNSreport.

Observation: you can also set up a version line; it should look like:
version "Oh come on why do you want to know which version my DNS server is ?";

This line can be added inside your named.conf (in the options block).

18. Secure cPanel/WHM:
Login to WHM on your server as root:

https://SERVERIP:2087 or https://SERVERIP/whm

Under Domains:
Prevent users from parking/adding on common internet domains (i.e. hotmail.com, aol.com).

On "Server Setup" -> "Tweak Settings"
- Check the following items...

On the "Mail" section:
- Attempt to prevent pop3 connection floods
- Default catch-all/default address behavior for new accounts - blackhole
(according to ELIX - set this to FAIL, which is what I am going to do to reduce server load)

"System" section:
- Use jailshell as the default shell for all new accounts and modified accounts

On "Server Setup" -> "Tweak Security"
- Enable php open_basedir Protection
- Enable mod_userdir Protection
- Disable Compilers for unprivileged users

"Server Setup" -> "Manage Wheel Group Users"
- Remove all users except for root and your main account from the wheel group.

"Server Setup" -> "Shell Fork Bomb Protection"
- Enable Shell Fork Bomb/Memory Protection

"Resellers" -> "Reseller Center"
- Privileges should always be disabled: turn off "Allow Creation of Packages with Shell Access" and enable "Never allow creation of accounts with shell access"; under Root Access, disable All Features.

"Service Configuration" -> "FTP Configuration"
- Disable Anonymous FTP

"Account Functions" -> "Manage Shell Access"
- Disable Shell Access for all users (except yourself)

"MySQL" section -> "MySQL Root Password"
- Change the root password for MySQL

19. Kernel security tuning with grsecurity:
Compiling 2.6.10 Kernel + Grsecurity
Posted April 2nd, 2005 by eth00

How-To: Compile a monolithic 2.6.10 kernel with grsecurity and secfix patch

Note: 2.6.10 is an old version of the kernel; however, this guide will work with the latest 2.6.11.7 and grsecurity if you get those instead of the files described. If you go that route the patch described below for a specific vulnerability is not required.

This guide was designed for the ev1 configured PowerEdge servers. I have tested it on the 2.0 and 2.4 GHz Xeons, and 2.0 and 3.0 GHz Celerons. It should also work fine with the P4 2.0 GHz+ but I have personally not tested one yet. I do not have any plans to test this kernel on any older systems, though as long as their network card support is built in it will probably work. If you post here with specific problems on boot I can try to add the needed modules to my config. I started this as a project to increase the performance and security of my servers. The 2.6.x kernel has many improvements that have dramatically dropped the load on the servers I have tested this on so far. In addition to that the kernel does not support loadable modules, the definition of monolithic, which removes one method of possible vulnerabilities as well as being more efficient. Though there are no studies directly linking grsecurity to increased security, it only adds additional security to your system with very few negative drawbacks. I think that is worth the extra time to configure in grsecurity in the chance that it may possibly block a possible cracker.

This kernel is patched against the following vulnerability: http://www.isec.pl/vulnerabilities/isec-0021-uselib.txt. This is the root-level exploit that was released January 7th. It is *HIGHLY* suggested that you upgrade ASAP. This particular exploit along with a worm much like the phpBB worm could be disastrous, yielding full root access.

***This guide is to be used completely at your own risk! ***

I have tested it on three different systems and all came up without any problems. If the server does not come up you can simply reboot it and it will come back online with an older version that works. If you have any comments about the .config posted please post them I am always interested in making improvements!

Now that is done the guide is below, good luck!

Unlike the other kernel, the module-init tools are not needed because there are no modules to be loaded.

First we will check the server has the correct modules. Chances are very good that if it has the correct Ethernet drivers your system will be able to boot up even if it is not a system posted above. Please post if you try it and it works on other configurations.

Look at the loaded modules for your current kernel
-----command-----
cat /etc/modules.conf |grep eth
-----command-----
If you have any one of the lines below you should be fine. The eth* does not matter as long as it matches. A label of eth0 means it is the main NIC while eth1 refers to the pnet NIC. *WARNING* If you do not have one of the modules listed below for your network card your server is not going to boot! Please post what you have below and I can try to help you out or you can look on Google for the correct module.

alias eth0 8139too
alias eth0 e1000
alias eth0 e100
alias eth0 tg3
alias eth0 eth100
alias eth0 natsemi

Now we will download the 2.6.10 kernel along with the grsecurity patch and apply the patch.

-----command-----
cd /usr/local/src/
wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.10.tar.gz
tar -zxf linux-2.6.10.tar.gz
wget http://grsecurity.net/grsecurity-2.1.0-2.6.10-200501071049.patch
patch -p0 < grsecurity-2.1.0-2.6.10-200501071049.patch
wget http://grsecurity.net/linux-2.6.10-secfix-200501071130.patch
patch -p0 < linux-2.6.10-secfix-200501071130.patch
-----command-----

If you are already running one of my 2.6.9 kernels, run the following command to copy the old config to your new kernel to ensure you have the same configuration:
-----command-----
cp linux-2.6.9/.config linux-2.6.10/
cd linux-2.6.10
-----command-----
When you run make it will ask some questions; just press and hold enter for them as you do not need any of the modules it asks about.

If you do not have one of my kernels running, run this command.
-----command-----
cd linux-2.6.10
wget http://eth0.us/2.6.10/.config
-----command-----

At this stage you can configure the kernel how you like it. By running "make menuconfig" you will be presented with a huge menu of options that you can try to compile into your kernel. After you do your changes click exit and continue. I have already removed just about everything extra and no changes are necessary. Please note that if you do add features you need to add them statically into the kernel as this kernel does not support loadable modules. If you do add module support and modules your server will not boot using the directions below. If you add anything but module support it will automatically be added statically in menuconfig.

Now to actually compile the kernel.
-----command-----
make
-----command-----
Make sure there are *NO* errors after this! If you do get errors the below is not going to work.

If you go back and try to recompile your kernel after you have copied the files to /boot you will first need to delete or overwrite the files. Go ahead and delete them.
-----command-----
rm -rf /boot/config-2.6.10-grsec-eth00
rm -rf /boot/vmlinuz-2.6.10-grsec-eth00
rm -rf /boot/System.map-2.6.10-grsec-eth00
-----command-----

Copy the new files into your /boot directory.
-----command-----
cp .config /boot/config-2.6.10-grsec-eth00
cp arch/i386/boot/bzImage /boot/vmlinuz-2.6.10-grsec-eth00
cp System.map /boot/System.map-2.6.10-grsec-eth00
-----command-----

To boot the server a bootloader must be used. The two major bootloaders are grub and lilo. If you do not appear to have any you may not... some datacenters do not install any, which makes it a pain to upgrade the kernel. For the most part if you have an ev1 box you have lilo, but if you have any other datacenter grub is usually used. As of right now grub is the default bootloader for RHEL.

To check which you have, type
-----command-----
dd if=/dev/hda bs=512 count=1 2>&1 | grep GRUB
dd if=/dev/hda bs=512 count=1 2>&1 | grep LILO
-----command-----
One of those should return something; that is your bootloader.

If you have lilo follow the below, if you do not skip down to the grub section.

All of the ev1 servers I have worked on have lilo installed so below is what you need to add to the file to allow you to boot. The append elevator=deadline should help with the IO of your server which will in turn lower your server loads. If after recompiling you have trouble with the IO remove the line and reboot to see if that is what is causing the trouble.
-----command-----
vi /etc/lilo.conf
-----command-----

Now scroll to the bottom and add these lines:

image=/boot/vmlinuz-2.6.10-grsec-eth00
label=2.6.10-eth00
append="root=/dev/sda3 elevator=deadline"
read-only

Note where it says sda3 you need to replace with your / partition. If you look at df -h you will see something like this:

Filesystem Size Used Avail Use% Mounted on
/dev/hda3 72G 15G 54G 22% /

That shows that /dev/hda3 is the / and in this instance we would put root=/dev/hda3

Make sure when you run this lilo command that you see no errors. If there are, something is configured wrong and the server is not going to boot.
-----command-----
lilo -v -v
-----command-----
If you do not see "Writing boot sector." after this command something is wrong!

Now we are going to set the server to reboot into the kernel. By using -R the server will only try to boot once into the new kernel. If any problems are encountered the server will boot to your old kernel the next time it is rebooted.

-----command-----
lilo -R 2.6.10-eth00
-----command-----

If you have grub you are going to want to read this section.
-----command-----
vi /etc/grub.conf
-----command-----

If you look there are a series of repeated lines. Each one of these is a different kernel that can be booted. Paste the lines below into the top section of the grub config. ***PLEASE NOTE*** You need to modify the root (hdx,x) and root=/dev/sda1 to look like the previous configs. The drive will be different depending on the individual server drive and partition configuration. Make sure to change the default= one number higher than before since you added one at the very top. If it is 0 and you leave it at 0 and you have trouble with your server you will not be able to boot it.

title Red Hat Linux (2.6.10)
root (hd0,0)
kernel /vmlinuz-2.6.10-grsec-eth00 ro root=/dev/sda1

After that save out and run grub
-----command-----
grub
-----command-----
Once it is done probing the drives enter:
savedefault --default=0 --once
quit

That will make the new kernel boot once and reboot into the old kernel if you have any issues on the reboot. Once you are done rebooting and the new kernel comes up fine you can edit the /etc/grub.conf again and change the default to 0 so you will keep booting to 2.6.10.

Ok you are ready to reboot and test it out. Go ahead and shutdown via “shutdown -r now”. If it does not come up after 10 minutes you are going to have to get the server rebooted. Since we used the -R it will boot back to the old kernel last time. If it fails you can check the logs to see if anything is shown but many times nothing does and the only way to do it is have a tech look at the screen or use a kvm/drac. If it does work for you change the default= in the lilo.conf to your new kernel.

Save and you are all done.

One *VERY IMPORTANT* thing to know is that if you are using the APF firewall it will not function correctly unless you reconfigure it. This kernel does not support loadable modules, which is a good thing for security. However, by default APF does not know how to work with a kernel that does not support loadable modules. Edit the /etc/apf/conf.apf file and change
MONOKERN="0"
to
MONOKERN="1"

Save and then APF will start correctly.

If you are running Redhat 9 (RH9) you are going to have to upgrade your version of rpm. Simply run:
export LD_ASSUME_KERNEL=2.4.1; rpm -Uvh ftp://ftp.rpm.org/pub/rpm/dist/rpm-4.2.x/rpm-4.2-1.i386.rpm
The export command is a workaround so you can actually install the rpm. If you still have trouble you can use the export command to allow rpm to function.

– Jayachandran Palanisamy.

chandranjoy@gmail.com

+91 98944 97649
