Basic Server Hardening

Ok, here is a list of a few programs I’d advise anyone to use who is running a server on the internet (or thinking of doing so).

  • aide or tripwire (they can check and report if files on your system get changed, configurable levels). If you use tripwire, don’t forget a “tripwire –check -I” after you do any updates.
  • logcheck will check your system logs, and report anything out of the ordinary (“ordinary” is defined by a list of ‘normal’ rules, and anything you add)
  • tiger goes farther than logcheck, it actively checks your system and reports anything strange (files not belonging to packages, users or groups that got added, …)
  • grsecurity adds more security features to your kernel (at least use the basic features and the possibility to turn off module loading after boot)
  • rkhunter, chkrootkit scan the system for signs of rootkits or other malware. just install, make sure they are executed daily by cron, possibly tweak rkhunters config a bit (I had problems with unhide and current kernel versions)

I’m not saying that setting up and tweaking all this software and actually reading the emails they generate will make your server super-duper secure, but they will reduce the risk of running a server open to the internet and alarm you if somthing strange is happening. It is important to read and understand what theese programs mail you. Yes, you will get false positives from time to time. And yes, you will have to adjust the config now and then due to package updates; but I get about 3-4 mails a week, and that is definatly ok considering the amount of data that gets checked.

rkhunter and linux kernel 2.6.26-3

The combination of rkhunter and the latest stable Linux kernel has been giving me problems the last few days. Considering that I couldn’t find anything about this on the Internet, I guess it must be something special about my box. rkhunter makes my server hang when it gets to the part where it checks for hidden processes if I use the 2.6.26-3 kernel. If I use the same .config and make myself a 2.6.25-16 (the latest stable 2.6.25) rkhunter runs without problems.

While it is nice that I found the problem, it was a pain narrowing down the culprit. The last few days I had noticed that my server was dead in the water every morning and had at first suspected vmware, since I had installed that a few days ago on the server (and had to make a new kernel to get it running). Well, everything is fine now. Next time I have to update my kernel, I’ll remember to do a test run of /etc/cron.daily