http://www.
Hardening the Apache LAMP server against attacks
http://secure-ubuntu-server.
Activate AppArmor for apache2
http://samiux.wordpress.com/
Activating the Chrootkits:
http://samiux.wordpress.com/
LAMP server security basics:
https://scifi.homelinux.net/
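#----------------------------BASIC SECURITY RESTRICTIONS------------------------------------
# Kernel network hardening through /proc/sys, followed by two iptables
# rate-limit rules. Everything here needs root; without it every write
# below fails with "Permission denied".
if (( EUID != 0 )); then
  printf 'warn: not running as root, the settings below will not apply\n' >&2
fi

# set_sysctl KEY VALUE
#   Writes VALUE to /proc/sys/KEY. A key this kernel does not expose is
#   reported on stderr and skipped, so one missing tunable does not derail
#   the rest of the script (the old bare "echo > /proc/..." form just
#   errored and carried on with no indication of which setting was lost).
set_sysctl() {
  local key=$1 value=$2
  local path="/proc/sys/$key"
  if [[ ! -f "$path" ]]; then
    printf 'warn: %s not present on this kernel, skipped\n' "$path" >&2
    return 0
  fi
  printf '%s\n' "$value" > "$path" \
    || printf 'warn: could not write %s to %s\n' "$value" "$path" >&2
}

#Enable ip forwarding
# NOTE(review): forwarding turns the host into a router. It is only needed
# if this box passes traffic for other machines (the FORWARD-chain rules
# below suggest it does); a standalone web server should leave this at 0.
set_sysctl net/ipv4/ip_forward 1
#Disabling IP Spoofing attacks
# 2 = loose reverse-path filtering (source must be reachable via some
# interface); 1 = strict (via the arriving interface) is stronger but breaks
# asymmetric routing. conf/default/ governs interfaces created after this
# runs; consider setting it alongside conf/all/.
set_sysctl net/ipv4/conf/all/rp_filter 2
#Don't respond to broadcast pings
set_sysctl net/ipv4/icmp_echo_ignore_broadcasts 1
#Block source routing
set_sysctl net/ipv4/conf/all/accept_source_route 0
#Kill timestamps. These have been the subject of a recent bugtraq
#thread
# Trade-off: TCP timestamps also drive PAWS (protection against wrapped
# sequence numbers) and RTT estimation, so this costs something on fast links.
set_sysctl net/ipv4/tcp_timestamps 0
#Enable SYN Cookies
set_sysctl net/ipv4/tcp_syncookies 1
#Kill ICMP redirects
set_sysctl net/ipv4/conf/all/accept_redirects 0
#Enable bad error message protection
set_sysctl net/ipv4/icmp_ignore_bogus_error_responses 1
#Allow dynamic ip addresses
set_sysctl net/ipv4/ip_dynaddr 1
#Log martians (packets with impossible addresses)
#RiVaL said that certain NICs don't like this. Comment out if necessary.
# set_sysctl net/ipv4/conf/all/log_martians 1
#Set out local port range
set_sysctl net/ipv4/ip_local_port_range "32768 61000"
#PING OF DEATH
# NOTE(review): a rate-limited ACCEPT on its own limits nothing: echo
# requests above 3/second simply fall through to the next rule or the chain
# policy. To actually cap them it must be followed by an explicit drop,
# e.g. `/sbin/iptables -A FORWARD -p icmp --icmp-type 8 -j DROP`.
# Also, FORWARD only sees routed traffic; pings aimed at this host itself
# traverse INPUT, so this rule does not protect the web server directly.
/sbin/iptables -A FORWARD -p icmp --icmp-type 8 -m limit --limit 3/second -j ACCEPT
#SYN-FLOOD PROTECTION
# Same two caveats as above. In addition, 1 SYN/second (default burst 5)
# is far too low for real traffic once a DROP is placed behind it; size
# the limit to the expected connection rate before enforcing it.
/sbin/iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
#------------------------------------------------------------------------------
#---------------------------DENIAL OF SERVICE-----------------------------------
#Reduce DoS'ing ability by timeouts
set_sysctl net/ipv4/tcp_fin_timeout 30
set_sysctl net/ipv4/tcp_keepalive_time 1800
set_sysctl net/ipv4/tcp_window_scaling 1
# NOTE(review): disabling SACK is a throughput hit on lossy links and is not
# a hardening measure in itself; keep only if there is a specific reason.
set_sysctl net/ipv4/tcp_sack 0
set_sysctl net/ipv4/tcp_max_syn_backlog 1280
#---------------------------------------------------------------------------------------------------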
# NOTE(review): the lines below are a second, truncated rendering of the
# settings already given above. Most /proc/sys paths are cut off mid-name
# ("conf/all/", "tcp_", "icmp_", "ip_local_"), so as written they either
# fail ("Is a directory") or target a non-existent key. Running both copies
# would also append the two iptables rules a second time. Use the complete
# copy above and treat this block as a copy/paste artefact.
#Enable ip forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
#Disabling IP Spoofing attacks
echo 2 > /proc/sys/net/ipv4/conf/all/
#Don't respond to broadcast pings
echo "1" > /proc/sys/net/ipv4/icmp_echo_
#Block source routing
echo 0 >/proc/sys/net/ipv4/conf/all/
#Kill timestamps. These have been the subject of a recent bugtraq
#thread
echo 0 > /proc/sys/net/ipv4/tcp_
#Enable SYN Cookies
echo 1 > /proc/sys/net/ipv4/tcp_
#Kill ICMP redirects
echo 0 >/proc/sys/net/ipv4/conf/all/
#Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_
#Allow dynamic ip addresses
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
#Log martians (packets with impossible addresses)
#RiVaL said that certain NICs don't like this. Comment out if necessary.
# echo 1 >/proc/sys/net/ipv4/conf/all/
#Set out local port range
echo "32768 61000" >/proc/sys/net/ipv4/ip_local_
#PING OF DEATH
# Rate-limited ACCEPT with no trailing DROP: excess traffic falls through
# to later rules / the chain policy, so this does not cap anything by itself.
/sbin/iptables -A FORWARD -p icmp --icmp-type 8 -m limit --limit 3/second -j ACCEPT
#SYN-FLOOD PROTECTION
/sbin/iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
#-----------------------------
#---------------------------
#Reduce DoS'ing ability by timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_
echo 1800 > /proc/sys/net/ipv4/tcp_
echo 1 > /proc/sys/net/ipv4/tcp_window_
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 1280 > /proc/sys/net/ipv4/tcp_max_
#-----------------------------