Tuesday, September 22, 2009

Hardening of LAMP Server; Links

A complete Ubuntu LAMP Server hardening 

http://www.freesoftwaremagazine.com/articles/hardening_linux?page=0%2C0


Hardening the Apache LAMP server against attacks

http://secure-ubuntu-server.blogspot.com/2009/07/howto-hardening-your-apache-and-php-on_07.html

Activating AppArmor for apache2

http://samiux.wordpress.com/2009/06/16/howto-security-enhanced-your-ubuntu-9-04-lamp-server-with-apparmor/

Running chkrootkit to check for rootkits:

http://samiux.wordpress.com/2009/06/13/howto-make-sure-no-rootkit-on-your-ubuntu-9-04-server/

LAMP server security basics:

https://scifi.homelinux.net/mediawiki/index.php/Hardening_a_LAMP_server



#!/bin/sh
#----------------------------BASIC SECURITY RESTRICTIONS------------------------------------
#These echo lines take effect immediately but are lost on reboot; put the
#equivalent "key = value" lines in /etc/sysctl.conf to make them persistent.

#Enable IP forwarding (only needed if this host routes for other machines;
#a stand-alone LAMP server should normally leave this at 0)
echo 1 > /proc/sys/net/ipv4/ip_forward

#Reverse-path filtering against packets with spoofed source addresses
#(2 = loose mode; 1 = strict mode, the stronger choice for a single-homed host)
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter

#Don't respond to broadcast pings (smurf amplification)
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#Block source routing
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

#Kill TCP timestamps. These have been the subject of a recent bugtraq
#thread (note: turning them off also disables PAWS sequence-number protection)
echo 0 > /proc/sys/net/ipv4/tcp_timestamps

#Enable SYN cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

#Kill ICMP redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

#Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

#Allow dynamic IP addresses
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

#Log martians (packets with impossible addresses)
#RiVaL said that certain NICs don't like this. Comment out if necessary.
# echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

#Set our local port range
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range

#PING OF DEATH (rate-limit ICMP echo requests)
#Note: the two rules below only ACCEPT traffic within the limit; they have no
#effect unless the chain policy is DROP or a matching DROP rule follows them.
#They are also on the FORWARD chain, so they do not cover traffic addressed
#to this host itself (that passes through INPUT).
/sbin/iptables -A FORWARD -p icmp --icmp-type 8 -m limit --limit 3/second -j ACCEPT

#SYN-FLOOD PROTECTION
/sbin/iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
#------------------------------------------------------------------------------

#----------------------------DENIAL OF SERVICE---------------------------------

#Reduce DoS'ing ability by timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 1280 > /proc/sys/net/ipv4/tcp_max_syn_backlog
#------------------------------------------------------------------------------
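The script above writes values into /proc/sys, which takes effect at once but does not survive a reboot, and it gives no way to check later whether a host still matches the baseline. The following is an added example (my own code, not from the post or any of the linked guides) that renders the same values in the "key = value" form used by /etc/sysctl.conf and audits a host against them, reporting every setting that has drifted. The list mirrors the post's values except ip_forward and ip_dynaddr, which are routing options rather than hardening settings. SYSCTL_ROOT is an assumed environment variable: it defaults to /proc/sys (the live kernel, read only here) and can point at a constructed directory tree for offline testing.

```sh
#!/bin/sh
# Added example, not part of the original post: audit a host against the
# sysctl values the post sets, and render them in /etc/sysctl.conf form.
# SYSCTL_ROOT (assumed knob) defaults to /proc/sys; point it at a
# constructed tree to test without touching the live kernel.

# One "dotted.key=value" per line; blank lines and '#' comments are ignored.
EXPECTED='
net.ipv4.conf.all.rp_filter=2
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.tcp_timestamps=0
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.ip_local_port_range=32768 61000
net.ipv4.tcp_fin_timeout=30
net.ipv4.tcp_keepalive_time=1800
net.ipv4.tcp_window_scaling=1
net.ipv4.tcp_sack=0
net.ipv4.tcp_max_syn_backlog=1280
'

# net.ipv4.tcp_syncookies -> $SYSCTL_ROOT/net/ipv4/tcp_syncookies
key_to_path() {
    printf '%s/%s\n' "${SYSCTL_ROOT:-/proc/sys}" "$(printf '%s' "$1" | tr . /)"
}

# Read a sysctl file with whitespace normalised, so the kernel's
# "32768<TAB>61000" compares equal to the configured "32768 61000".
current_value() {
    [ -r "$1" ] || { printf '<missing>\n'; return 0; }
    awk '{ $1 = $1; print }' "$1"
}

# Write one value into a constructed tree (used to build test fixtures;
# against the real /proc/sys this is the same write the post's script does).
seed_value() {
    path=$(key_to_path "$1")
    mkdir -p "$(dirname "$path")"
    printf '%s\n' "$2" > "$path"
}

# Print the baseline as "key = value" lines for /etc/sysctl.conf
# or a drop-in file under /etc/sysctl.d/.
render_sysctl_conf() {
    printf '%s\n' "$EXPECTED" | while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        printf '%s = %s\n' "${line%%=*}" "${line#*=}"
    done
}

# Compare every expected key with the live (or constructed) value.
# Prints one DRIFT line per mismatch and returns the number of mismatches,
# so a zero exit status means the host matches the baseline.
audit_sysctl() {
    drift=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        key=${line%%=*}
        want=${line#*=}
        have=$(current_value "$(key_to_path "$key")")
        if [ "$have" = "$want" ]; then
            printf 'ok    %s = %s\n' "$key" "$have"
        else
            printf 'DRIFT %s: expected "%s", found "%s"\n' "$key" "$want" "$have"
            drift=$((drift + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    return "$drift"
}

# Run the audit only when executed directly; sourcing just defines the functions.
case "$0" in
    */sysctl_audit.sh|sysctl_audit.sh) audit_sysctl ;;
esac
```

Save it as sysctl_audit.sh and run it on the server to get an ok/DRIFT line per setting and an exit status equal to the number of drifted keys, which makes it usable from cron or a monitoring check. `render_sysctl_conf > /etc/sysctl.d/50-hardening.conf` followed by `sysctl --system` is the persistent form of the echo lines above; the audit then confirms the kernel actually picked them up.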
