
Source: https://www.researchgate.net/publication/265162827

Linux Server & Hardening Security

Thesis, August 2013
DOI: 10.13140/2.1.5079.2329

Author: Amit Nepal, Western Governors University

Uploaded to ResearchGate by Amit Nepal on 30 August 2014.


Running head: Linux Server & Hardening Security 1

Linux Server & Hardening Security

Amit K Nepal

Abstract

The purpose of this project is to explore and highlight the basic security configuration that should be performed to harden a default Linux operating system installation. This document is by no means a complete security guide for Linux; it outlines the basic hardening of a Linux system so that it is not an easy target for attack. Many system administrators do not realize that a default Linux installation is vulnerable to a variety of attacks. This document therefore presents basic security measures and industry best practices for securing a Linux server and some of the most popular application services that commonly run on it.

The project explores the key weaknesses and default configurations that are never changed when a production Linux server is built, leaving the server an easy target for attackers on the Internet. By following industry best practices and adjusting a number of security settings, a Linux server can be well secured. The project explores and suggests best practices for hardening common Linux services such as Secure Shell (SSH) and the Apache web server, and for configuring the host-based firewall (iptables) to block connections to unwanted ports and to drop bad traffic. It also outlines how an open source host-based intrusion detection and prevention tool (OSSEC) can take the security, audit and monitoring of a Linux server to the next level.

The proposed outcome of the project is to identify common mistakes and weaknesses in the configuration of a production Linux server and the consequences of those weaknesses. Many businesses are compromised as a result of such mistakes, and this project is expected to explore and suggest best practices that enhance the security posture of Linux servers.



Table of Contents

Introduction ........ 5
    Project scope ........ 5
    Defense of the Solution ........ 7
    Methodology Justification ........ 7
    Organization of the Capstone Report ........ 8
Systems and Process Audit ........ 9
    Audit Details ........ 10
    Problem Statement ........ 18
    Problem Causes ........ 18
    Business Impacts ........ 18
    Cost Analysis ........ 19
    Risk Analysis ........ 20
Detailed and Functional Requirements ........ 20
    Functional (end-user) Requirements ........ 21
    Detailed Requirements ........ 21
    Existing Gaps ........ 21
Project Design ........ 22
    Scope ........ 22
    Assumptions ........ 24
    Project Phases ........ 24
    Timelines ........ 25
    Dependencies ........ 25
    Resource Requirements ........ 25
    Risk Factors ........ 26
    Important Milestones ........ 26
    Deliverables ........ 27
Methodology ........ 27
    Approach Explanation ........ 28
    Approach Defense ........ 28
Project Development ........ 29
    Hardware ........ 29
    Software ........ 30
    Tech Stack ........ 30
    Phase I: Removing Unwanted Packages & Services ........ 30
    Phase II: Hardening Security ........ 34
    Phase III: Configuring Firewall ........ 42
    Phase IV: Installing HIDPS ........ 45
    Final Output ........ 47
Quality Assurance ........ 47
    Quality Assurance Approach ........ 48
    Solution Testing ........ 48
Implementation Plan ........ 50
    Strategy for the Implementation ........ 51
    Phases of the Rollout ........ 51
    Details of the Go-Live ........ 52
    Dependencies ........ 52
    Deliverables ........ 52
Risk Assessment ........ 53
    Quantitative and Qualitative Risks ........ 54
    Cost/Benefit Analysis ........ 55
    Risk Mitigation ........ 56
Post Implementation Support and Issues ........ 57
    Post Implementation Support ........ 57
    Post Implementation Support Resources ........ 58
    Maintenance Plan ........ 59
Conclusion, Outcomes, and Reflection ........ 59
    Project Summary ........ 60
    Deliverables ........ 61
    Outcomes ........ 62
    Reflection ........ 62
References ........ 64

Introduction

Linux is widely used as a server operating system around the world. Like any operating system it has its strengths and weaknesses, and security is one of the aspects that is commonly overlooked. Many system administrators assume that Linux is secure by itself and leave many services at their default configuration, which leaves the server vulnerable and makes it an easy target for attackers. This project therefore outlines the default settings of common services such as SSH, FTP, Apache and iptables that should be changed and configured properly to harden the server. It also recommends additional configuration and software that enhance the security posture of the server, including the installation and configuration of a HIDPS (host-based intrusion detection and prevention system) for better monitoring and for preventing intrusions, and it outlines best practices for the operating system itself and for the common services running on it. The solution to the problem presented is implemented in four phases. Phase I explores the default installation of the operating system and removes unwanted applications and services; Phase II hardens the system using industry best practices and configuration changes; Phase III covers the installation and configuration of the firewall (iptables); and Phase IV covers the installation of the HIDPS.

Project scope

Various operating systems are used on server systems; this project focuses on Linux, and CentOS 5.9 Final is the operating system selected for it. The basic principles, security guidelines and best practices may apply to other operating systems as well, but the project only addresses Linux-based systems. The guidelines, configurations and settings explored here address the basic security risks of a Linux server. The project is specifically focused on the most widely used Linux services and does not include custom or third-party applications.

Within the scope of this project the common services are Secure Shell (SSH), which is used to administer a server remotely; the Apache web server, used to serve web applications; and iptables, used as the host-based firewall. The project also covers how a host-based intrusion detection and prevention system can enhance server security by monitoring in real time and alerting on intrusions and on changes to important files and binaries in the operating system. SSH is the most common tool for remote administration and management of Linux servers, Apache is the most widely deployed web server on Linux, and iptables is the firewall that ships with Linux, hence these are the items of core focus. The project explores the basic installation and configuration of OSSEC, an open source and freely available host-based intrusion detection and prevention system that can monitor log files in real time, monitor system files for integrity, block abnormal activity and alert the system administrators immediately. It also shows how to check which services are running on the server and how to turn off any that are not wanted. We follow the KISS principle, "keep it as simple as possible". It is my belief that implementing this type of monitoring together with common best practices, and changing default configurations to a more secure counterpart, can greatly reduce the risk of an easy compromise.

This project does not address the security and configuration of every tool and service available for Linux, nor network security in general. It covers only the Linux operating system and the most common services on Linux servers. This study alone will not make a Linux server completely secure against attacks or vulnerabilities; it points out the common settings and configurations that harden the server.

Defense of the Solution

Keeping the server as simple as possible reduces its complexity, and a server with fewer services running has a smaller attack surface. Exploring the default installation and removing unwanted applications and services removes vulnerable code from the server before it can be exploited. Changing default settings and configurations costs an attacker more effort, and many attackers will move on to an easier target. It is also necessary to place restrictions on the server, such as a firewall that limits which ports can be reached and from which source IP addresses. Last but not least, there needs to be an alerting mechanism so that an administrator is notified of unwanted behaviour or intrusions. Implementing these basic steps hardens the posture of the Linux server and may protect it from compromise. The approach is inexpensive to implement and requires little time, so hardening the security state of the server in this way is a very good proactive measure.

Methodology Justification

The project is carried out in four phases. In the first phase we perform some intrusion attempts against the server, such as brute-force attacks and footprinting, and record the system's response. We also examine the commonly installed services and applications, identify those that are not needed, and remove them. In the second phase we change the default configurations and place restrictions on the common services and the operating system. In the third phase we configure the firewall (iptables) to restrict access to certain ports from certain IP addresses, so that the services are available only to those who need them. Finally, in the fourth phase we install and configure a host-based intrusion detection and prevention system (OSSEC) for proactive monitoring and intrusion prevention.

I believe that this approach will help us identify the issues at the outset by performing intrusion attempts and observing the system's response, and then check the response again after the solution has been implemented. By carrying out the project in this manner we will know exactly what the issue was, how it has been mitigated, and how the server would respond to the same situation after the controls are in place.

Organization of the Capstone Report

The remainder of this capstone report is divided into the following sections. The systems and process audit analyses the pre-implementation state of the server and identifies the weaknesses of its configuration, the causes of the problem, its impact on the business, and the associated cost and risk analysis. The detailed and functional requirements section outlines the end-user and other detailed requirements and the existing gaps in the organization. The third section gives the project design, including the scope, assumptions, phases, timelines, dependencies, resource requirements, risks, important milestones and deliverables. The fourth section describes the methodology and explains the approach and why it was selected. The fifth section is the project development itself, describing all details of the implementation, the configuration changes, the firewall configuration and the HIDPS installation procedure. After project development comes the quality assurance section, where the solution is tested and the level of security attained is analysed. The implementation plan section then covers the strategy for implementation, the phases of the rollout, details of the go-live, dependencies and deliverables. After the implementation plan the paper covers the risk assessment, including quantitative and qualitative risks, cost/benefit analysis and risk mitigation, followed by post-implementation support, associated issues and the maintenance plan. The final section presents the conclusion, outcomes and reflection on the project.

Systems and Process Audit

To properly realize the benefits of the solution, and to identify weaknesses and business and system inefficiencies, a pre-implementation systems audit was performed. The initial systems and process audit revealed a number of weaknesses that attackers could exploit to compromise the servers. Such a compromise affects not only the technology but the business as a whole; since the technology drives the associated business, a severe technical compromise can produce a correspondingly large business impact.

From the technology standpoint, a number of issues were found with the security configuration of the server. Default programs and applications were installed and running. The remote administration service (SSH) was listening on its default port with its default settings. No firewall was running, and no proactive monitoring or alerting system was found.

On the business side, policies and procedures were lacking. The information on the servers is directly related to business transactions, customer data and so forth, so compromise of a server and its data would have a severe business impact. There were no defined procedures or policies to ensure correct server configuration, and no maintenance or enhancement policies in place.

By implementing the proposed solution and changes, both the infrastructure, which constitutes the technology, and the information held on it, which constitutes the business asset, will be better protected.

Audit Details

The scope of the audit was limited to examining and verifying the security of the server and the business processes associated with managing the data and information on it. The system's response to various footprinting and brute-force attacks was analysed, and the server was audited for any alerting, monitoring or intrusion prevention system. The areas audited and the associated findings follow.

a. Unwanted Programs and Applications

A default installation of a Linux operating system, for example a "Server GUI" installation, installs a large number of packages. The list of packages installed on the server was retrieved with the following command:

rpm -qa | less

The command lists every installed package, page by page. The screenshot below shows a sample of the list.



Figure 1.1: List of default installed programs

The full list is not reproduced here, but a number of packages that the server does not need were found to be installed. Some of the packages that can be removed are:

a) lftp: a command-line file transfer client. It is not needed on the server, and any file transfer to or from the host should use sftp, which runs over SSH, as the secure alternative.

b) dhcpv6-client: the server does not use IP version 6, so the DHCPv6 client is unnecessary.

c) tomcat: a Java servlet container and web server. The server uses Apache as its web server, so Tomcat is not required.

d) portmap: maps remote procedure call (RPC) program numbers to ports and is used by NFS and related services, none of which this server is intended to provide.

e) squid: a caching proxy server, not required because the role of this server is a web server.

f) openoffice, desktop-backgrounds, gimp, evolution: all desktop GUI applications. The server does not need a graphical interface at all, so none of them is required.

These are just a few of the packages found installed. None of them is required on the production server, and keeping them installed only adds code that may carry vulnerabilities and that must be kept patched. In total 53 unneeded packages were found installed on the server.

b. Unnecessary Services Running

All processes running on the server were listed with the command:

ps aux | less
Figure 1.2 Running Processes


The output showed that the RPC (remote procedure call) daemons nfslock and portmap, which support NFS, were running. cupsd, the printing service, was also running. None of these services is meant to be provided by the server, and each of them is another door that an attacker may try.

c. Password Policy

No password policy was set up on the system. A user could set a password as simple as "123" or a dictionary word. There was no minimum length policy, and accounts were not locked after any number of failed attempts. The screenshot below also shows that no password expiry policy was set.

Figure 2.1 Password Policies
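The aging and lockout settings that the audit checked from the screenshot can be verified from the configuration files themselves. The following shell script is an added example and not code from the thesis: it reads /etc/login.defs and /etc/pam.d/system-auth style content on standard input and reports what falls outside a policy. The policy thresholds (90-day maximum age, 1-day minimum age, 7-day warning, an explicit pam_cracklib minimum length, a pam_tally lockout) and the sample file contents are assumptions for illustration; the default values in the samples are those of a CentOS 5 installation.

```bash
#!/bin/sh
# Added example (not from the thesis): report gaps in the password aging and
# lockout policy from login.defs and PAM configuration read on stdin.
# Policy thresholds are assumptions for illustration.

# Print "KEY current -> wanted" for each aging value in /etc/login.defs that
# is unset or outside policy. These values only apply to accounts created
# afterwards; existing accounts must be updated with chage(1), for example
#   chage -M 90 -m 1 -W 7 username
login_defs_gaps() {
    awk '
        BEGIN { max["PASS_MAX_DAYS"] = 90; min["PASS_MIN_DAYS"] = 1; min["PASS_WARN_AGE"] = 7 }
        /^[ \t]*#/ || NF < 2 { next }               # comments and blank lines
        { val[$1] = $2 }
        END {
            n = split("PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE", key, " ")
            for (i = 1; i <= n; i++) {
                k = key[i]; want = (k in max) ? max[k] : min[k]
                if (!(k in val))                        print k, "unset ->", want
                else if (k in max && val[k] + 0 > want) print k, val[k], "->", want
                else if (k in min && val[k] + 0 < want) print k, val[k], "->", want
            }
        }'
}

# Print a line for each missing PAM control in /etc/pam.d/system-auth: an
# explicit minimum length/complexity rule (pam_cracklib minlen=) and a
# lockout after failed logins (pam_tally or pam_tally2 deny=). PASS_MIN_LEN
# in login.defs is not honoured when passwords are set through PAM, so the
# length rule has to live here. pam_cracklib only warns root; it does not
# reject root's choice.
pam_policy_gaps() {
    awk '
        /^[ \t]*#/ { next }
        /pam_cracklib\.so/ && /minlen=/ { minlen = 1 }
        /pam_tally2?\.so/ && /deny=/    { lockout = 1 }
        END {
            if (!minlen)  print "no explicit minimum length (pam_cracklib minlen= missing)"
            if (!lockout) print "no lockout after failed logins (pam_tally deny= missing)"
        }'
}

# Constructed samples: the CentOS 5 defaults the audit found, and a hardened
# pair (pam_tally2 where available, pam_tally otherwise).
LOGIN_DEFS_DEFAULT='PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7'
LOGIN_DEFS_HARDENED='PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
PASS_MIN_LEN    12
PASS_WARN_AGE   14'
PAM_DEFAULT='auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok'
PAM_HARDENED='auth        required      pam_env.so
auth        required      pam_tally2.so deny=5 unlock_time=900
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=12 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok'

# Stand-alone run against the samples. On a real host:
#   login_defs_gaps < /etc/login.defs ; pam_policy_gaps < /etc/pam.d/system-auth
printf '%s\n' "$LOGIN_DEFS_DEFAULT" | login_defs_gaps
printf '%s\n' "$PAM_DEFAULT" | pam_policy_gaps
```

Run against the default samples the script reports the 99999-day maximum age, the zero minimum age, the missing length rule and the missing lockout; against the hardened pair it reports nothing. Test any PAM change from a second session before logging out, since a mistake in system-auth can lock every account out.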

d. Secure Shell (SSH) Security

SSH (Secure Shell) is the most popular means of remotely accessing and managing a Linux server. While it is an excellent tool for administration, it is also a way for attackers to gain full control of the server, so it is very important that SSH be properly secured. On analysing the configuration file of the default installation, sshd was found to be running with its default options, which make it a target for brute-force attacks.

Figure 3.1 SSH Configuration

As configured, sshd listens on the default port 22, which every attacker knows. It allows password authentication, which is prone to brute-force attacks: if a password is easy to guess or is a dictionary word, the risk of an attacker gaining SSH access is very high. Root login over SSH is enabled by default, which is a serious risk because an attacker can attempt to crack the root password directly and so gain complete control of the server. No security controls were found that would protect the SSH service from such attacks. As the screenshot below shows, we were able to recover the root SSH password by brute force; to reduce the time needed, a simple password had been set for the test.



Figure 4.1 Brute Force Attack
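The three settings the audit singled out can be checked mechanically rather than by reading the file, which matters because the stock sshd_config documents its defaults as commented-out lines ("#Port 22") that do not set anything. The following shell script is an added example and not code from the thesis: it resolves the effective value of each directive from an sshd_config read on standard input and prints the weak ones, then shows a hardened counterpart that passes. The compiled-in defaults assumed are those of the OpenSSH 4.3 shipped with CentOS 5, the sample configurations are constructed, and the AllowUsers account name is an assumption.

```bash
#!/bin/sh
# Added example (not from the thesis): resolve effective sshd settings and
# flag the weak ones. A directive that is absent or commented out takes the
# compiled-in default (assumed: OpenSSH 4.3 as in CentOS 5). Match blocks
# (OpenSSH 4.4 and later) are not handled.

# Effective value of one directive from an sshd_config read on stdin:
# $1 = keyword, $2 = compiled-in default. sshd honours the FIRST uncommented
# occurrence of a keyword, and keywords are case-insensitive. Values are
# printed lower-cased for easy comparison.
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" -v def="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == key && !found { print tolower($2); found = 1 }
        END { if (!found) print tolower(def) }'
}

# Print "Keyword value" for each of the three weak settings present in the
# config read on stdin; prints nothing when all three are hardened.
sshd_weak_settings() {
    conf=$(cat)
    port=$(printf '%s\n' "$conf" | sshd_effective Port 22)
    root=$(printf '%s\n' "$conf" | sshd_effective PermitRootLogin yes)
    pass=$(printf '%s\n' "$conf" | sshd_effective PasswordAuthentication yes)
    if [ "$port" = 22 ];  then echo "Port 22"; fi
    if [ "$root" != no ]; then echo "PermitRootLogin $root"; fi
    if [ "$pass" = yes ]; then echo "PasswordAuthentication yes"; fi
    return 0
}

# Constructed sample of the default file: the commented lines set nothing.
SSHD_DEFAULT='#Port 22
#Protocol 2,1
Protocol 2
#PermitRootLogin yes
#PasswordAuthentication yes
PasswordAuthentication yes
UsePAM yes'

# Hardened counterpart: key-only logins as a named administrative account.
# The non-standard port only cuts down scanner noise; the controls that end
# the password brute force are PermitRootLogin no and PasswordAuthentication
# no. The AllowUsers name is an assumption.
SSHD_HARDENED='Port 2222
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AllowUsers sysadmin
UsePAM yes'

# Stand-alone run; on a real host: sshd_weak_settings < /etc/ssh/sshd_config
printf '%s\n' "$SSHD_DEFAULT" | sshd_weak_settings
printf '%s\n' "$SSHD_HARDENED" | sshd_weak_settings
```

Before restarting sshd with a changed file, validate it with `sshd -t`, keep the current session open and confirm a key-based login from a second session. If the port is moved, open the new port in iptables first and, on CentOS 5 with SELinux enforcing, label it with `semanage port -a -t ssh_port_t -p tcp 2222`, or sshd will refuse to bind.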

e. Footprinting Analysis

As shown in the figure below, simply requesting a bogus URL on the server returned an error page revealing the operating system, the server software (Apache in this case) and its version. Knowing the version, an attacker can look up the vulnerabilities known for that release, attempt to exploit them and potentially compromise the server.

Figure 5.1 Apache Error Page

Further footprinting showed that the PHP version running on the server could also be obtained.



Figure 6.1 PHP Version Detection

We were also able to identify the operating system, kernel version, open ports and services, all of which help an attacker plan further attacks.

Figure 7.1 NMAP Port Scan
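The disclosures in Figures 5.1 and 6.1 can be detected from a single HTTP response, which is a useful regression check once the server has been hardened. The following shell script is an added example and not code from the thesis: it reads a raw HTTP response on standard input and reports the headers and version tokens that name the server software. The response is constructed to resemble a CentOS 5 default Apache/PHP error page; the version numbers and hostname in it are assumptions.

```bash
#!/bin/sh
# Added example (not from the thesis): pull software version disclosures out
# of a raw HTTP response, as the footprinting step found them. Sample values
# (versions, hostname) are assumptions.

# Print the response headers that name server software (Server and
# X-Powered-By). stdin: a raw HTTP response (status line, headers, blank
# line, body); CRLF line endings are tolerated.
disclosing_headers() {
    awk '
        /^\r?$/ { exit }                        # blank line ends the headers
        { sub(/\r$/, "") }
        tolower($1) == "server:" || tolower($1) == "x-powered-by:" { print }'
}

# Print each distinct Name/version token found anywhere in the response,
# headers and body alike (the default Apache error page repeats the version
# in its ServerSignature footer). The status line is skipped so that HTTP/1.1
# is not reported as a product; HTML tags are stripped first.
disclosed_versions() {
    awk '
        NR == 1 { next }
        { sub(/\r$/, ""); gsub(/<[^>]*>/, "") }
        {
            line = $0
            while (match(line, /[A-Za-z][A-Za-z_-]*\/[0-9][0-9A-Za-z.]*/)) {
                tok = substr(line, RSTART, RLENGTH)
                if (!(tok in seen)) { seen[tok] = 1; print tok }
                line = substr(line, RSTART + RLENGTH)
            }
        }'
}

# Constructed response: what a CentOS 5 Apache with PHP returns for a bogus
# URL before hardening (assumed values).
SAMPLE_RESPONSE=$(printf 'HTTP/1.1 404 Not Found\r\nServer: Apache/2.2.3 (CentOS)\r\nX-Powered-By: PHP/5.1.6\r\nContent-Type: text/html; charset=iso-8859-1\r\n\r\n<html><body>\n<h1>Not Found</h1>\n<address>Apache/2.2.3 (CentOS) Server at www.example.com Port 80</address>\n</body></html>\n')

# What removes these disclosures (Apache 2.2 httpd.conf and php.ini):
#   ServerTokens Prod       Server header becomes just "Apache"
#   ServerSignature Off     no footer on generated error pages
#   expose_php = Off        no X-Powered-By: PHP/... header
# Hiding versions removes the attacker's shortcut from banner to known
# exploit; it does not remove the vulnerabilities, which patching does.

# Stand-alone run; on a real host feed the output of
#   curl -si http://localhost/does-not-exist
printf '%s\n' "$SAMPLE_RESPONSE" | disclosing_headers
printf '%s\n' "$SAMPLE_RESPONSE" | disclosed_versions
```

After applying the three directives, the same check should print only "Server: Apache" from disclosing_headers and nothing from disclosed_versions, which makes it a convenient line item in the post-implementation test.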



f. Open Ports and Listening Services

A check of all listening ports showed a number of services listening on various ports even though the server is not intended to provide them. The unintended listeners included portmap, cupsd and rpc.statd.

Figure 8.1 Open Network Ports
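Items a, b and f above were assessed by reading the output of rpm, ps and the port listing by eye. The following shell script is an added example and not code from the thesis: it compares `rpm -qa` output against a list of packages the audit judged unnecessary, and `netstat -tulpn` output against the ports the web server role is supposed to expose, printing only the exceptions. The package names, the expected-port list and the sample outputs are assumptions for illustration (version strings in the sample are illustrative), and names must be verified against `rpm -qa` on the host. On systemd-based releases `ss -tulpn` replaces `netstat -tulpn`.

```bash
#!/bin/sh
# Added example (not from the thesis): audit installed packages and listening
# sockets against explicit allow/deny lists. Lists and samples are assumptions.

# Packages the audit judged unnecessary for this server role (assumed names).
UNNEEDED_PACKAGES="lftp dhcpv6-client tomcat5 portmap squid gimp evolution desktop-backgrounds-basic"

# Print the name of each installed package (stdin: `rpm -qa` output, one
# NAME-VERSION-RELEASE per line) that appears in UNNEEDED_PACKAGES. NAME may
# itself contain dashes but VERSION and RELEASE cannot, so the name is
# everything before the last two dash-separated fields.
unneeded_installed() {
    awk -v list="$UNNEEDED_PACKAGES" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        NF {
            n = split($0, f, "-"); name = f[1]
            for (i = 2; i <= n - 2; i++) name = name "-" f[i]
            if (name in want) print name
        }'
}

# Ports the web server role is supposed to expose: SSH and HTTP.
EXPECTED_PORTS="22 80"

# Print "proto port pid/program" for every listening socket (stdin:
# `netstat -tulpn` output, run as root so program names appear) whose local
# port is not in EXPECTED_PORTS. The port follows the last colon of the local
# address, which handles 0.0.0.0:111 and :::80 alike; udp lines have no State
# column, so the program is always taken from the last field.
unexpected_listeners() {
    awk -v list="$EXPECTED_PORTS" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^(tcp|udp)6?$/ {
            port = $4; sub(/.*:/, "", port)
            if (!(port in ok)) print $1, port, $NF
        }'
}

# Constructed samples in the formats of `rpm -qa` and `netstat -tulpn`.
SAMPLE_RPM='lftp-3.7.11-4.el5
openssh-server-4.3p2-82.el5
portmap-4.0-65.2.2.1
httpd-2.2.3-74.el5.centos
squid-2.6.STABLE21-6.el5
desktop-backgrounds-basic-2.0-41.el5.centos
cups-1.3.7-26.el5'
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      1843/portmap
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      2087/sshd
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      2011/cupsd
tcp        0      0 :::80                       :::*                        LISTEN      2160/httpd
udp        0      0 0.0.0.0:32768               0.0.0.0:*                               1862/rpc.statd
udp        0      0 0.0.0.0:111                 0.0.0.0:*                               1843/portmap'

# Stand-alone run against the samples. On a real host:
#   rpm -qa | unneeded_installed ; netstat -tulpn | unexpected_listeners
printf '%s\n' "$SAMPLE_RPM" | unneeded_installed
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners
```

The listener check is the one worth re-running after each change, because removing a package does not always stop a service that another package started, and a daemon bound only to 127.0.0.1 (cupsd above) still deserves a decision even though it is not reachable from the network.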

g. Firewall

The host firewall (iptables) that ships with the operating system was found to be turned off. Without the firewall turned on and properly configured there is no restriction in place, and every listening service is reachable from any network.

Figure 9.1 Firewall Status

h. Intrusion Detection, Prevention and Alerting System

No intrusion detection, prevention or alerting system of any kind was installed on the server.

Problem Statement

The results of the audit make it apparent that the default installation of the Linux operating system leaves many vulnerabilities that must be addressed in a timely manner, so as to minimize the risk to the business and to consumers from theft or compromise of data and from loss of availability of the services provided.

The major security problems discovered during the systems and process audit all relate to the default settings of the system and of the services running on the server. These services and system settings must be properly configured to mitigate the associated risks.

Problem Causes

The primary cause of the problem is the common attitude of "let's get it up and running first, and we will come back and secure it later", after which that later never comes. Another cause is inexperienced or unskilled system administrators who leave a system wide open to attack without being aware of it or of the associated risks. A false sense of security from merely running Linux is a further cause. Sometimes the cause is management that overlooks security as not being a core function of the business.

Business Impacts

A security breach can have a medium to severe impact on an organization, depending on the nature of the business and the way its information systems are used. A retail business that uses a server only to host a homepage for people to browse may suffer less impact than an online business whose sales depend entirely on the availability of its website. If service is disrupted or the website goes down, such a business cannot continue to operate, because the website is its only means of doing business. The impact of a breach therefore varies, but in every case these risks must be minimized.

Linux holds a major share of the web servers worldwide, and even when a server is used only to serve a website it typically has other services running that can be used to access the machine, retrieve information, shut down the web service and much more. Defacement of the homepage can undermine customer confidence, and a denial-of-service (DoS) attack can make the website or any other service unavailable to legitimate users. The security of the servers therefore has a major business impact across organizational units.

Cost Analysis

Linux operating system has been a choice of many simply because of the cost, for others

it may be a sense of security. When properly configured, Linux servers are very reliable and

secure. Being open source, Linux Operating system is free. Along with the operating system,

many applications are free to use and open source. Thus Linux has been increasingly becoming

popular among businesses. In the scope of this project, only free and open source software and

guidelines are presented as the solution to the problem. However an organization may choose to

invest in training system administrators, purchasing vendor support subscription or other

commercial counterparts of the solutions suggested.

Hence, the cost of implementation is minimal, as no formal purchase is necessary. All of

the tools and guidelines explored by this project and described here are free to use; however, if a

support subscription or professional advice is required, it may incur

some additional costs.

Risk Analysis

Failure to adhere to proper procedures and guidelines is one of the largest risks associated

with security of the server. Having a written procedure and best practices alone cannot provide

real security, rather it may just provide a false sense of security. This is the greatest risk

associated with the information security.

Sometimes, an administrator may skip some guidelines to save time or to get

things going. This is another risk factor involved in setting up a proper information

infrastructure. When there is a rush to get things up and running, some of the guidelines or

best practices may be skipped with the intent to revisit them later, but they might never be revisited. An audit policy should

be enforced, so that periodic reviews verify that everything was configured as per the set guidelines.

So, in order to minimize such risks, a strict policy and guidelines must be set up and the

policy must be enforced at all times, no matter what the situations are.

Detailed and Functional Requirements

The solution presented in this project is best implemented in

the initial phase of setting up a server; however, the solution may also be applied at a later stage.

The security solutions presented here should be applied before putting the server in production

environment. A Linux Operating System installed on the server is the basic requirement for the

implementation of this solution. It is also required to develop policies, procedures and checklists

to ensure that the appropriate changes have been applied to the server.

Furthermore, experienced and skilled systems administrators with Linux Operating

System knowledge are required to implement the solution.

Functional (end-user) Requirements

The solution presented by the project is mostly on the server side, where very little user

interaction is recommended. Hence the only requirements to be available for the end users would

be proper security awareness training, operating procedures and documentation on security best

practices such as password protection, good passwords, password change policy, non-sharing of

password etc.

Detailed Requirements

The implementation of this project requires Linux Operating System 5.x or greater. Other

software and application required include OpenSSH, IPTABLES 2.x, OSSEC, Apache 2.x,

VSFTPD, and PHP 5.x. These are the commonly used services and applications; however the

other detailed requirement may vary based on the usage and nature of operations of an

organization.

Existing Gaps

In many operational environments with Linux Based operating systems, there is a lack of

proper alerting, proactive monitoring and tuning of the operating system. In many cases it is

assumed that the server is secure simply because a Linux Operating System has been installed. This project outlines

those common mistakes, and how those mistakes could leave the system prone to attack and it

will outline the standard procedures and configurations to mitigate those risks.

Project Design

This project consists of four major phases to design, develop, test and implement the

solution. This project combines testing in each phase before and after implementation of each

security control.

The first phase of the project is to explore the default installation of Linux Operating

System, which actually is the audit and risk analysis of a default installation, and to remove

unnecessary packages and applications from the server and stop any unnecessary services. The project will

identify commonly installed applications that may not be required in the production

environments, default settings and security of remote access applications, response of the system

to various intrusions and so forth. In the Second phase “Hardening Security” the basic operating

system and application security configurations will be done. The third phase consists of

installation and configuration of an open source host based firewall IPTABLES. This phase will

cover the implementation of firewall and tuning the firewall to adapt to the environment and

services running on the server. Phase Four “Installing HIDPS” will cover the installation of a

host based intrusion detection system. After the implementation phases are complete, the next

section will perform the quality assurance and analyze the advantages of the solution and the

response of the system to such attacks after the solution has been implemented.

Scope

There are various operating systems that may be used in server systems; however this

project will focus on Linux Operating System (CentOS 5.9). The basic principles, security

guidelines and best practices may apply to other operating systems as well, however this project

will only focus on the Linux based Operating Systems. The security guidelines, configuration

and settings explored by this research project may address the basic security risks of a Linux

Server. The project will specifically be focused on the more widely used Linux based Services

not including any custom and 3rd party applications.

In the scope of this project common services include Secure Shell or SSH which is used

to remotely administer a server, Apache web server used for web application services,

IPTABLES which is used as host based firewall etc. The project will also cover how a host based

intrusion detection and prevention system can enhance the server security by real-time

monitoring and alerting of any intrusions and changes in important files and binaries in the

server operating system. SSH is the most commonly used tool for remote administration and

management of Linux Servers. Similarly apache is the most widely used web server application

in Linux Operating Systems and IPTABLES is the firewall that ships with Linux Operating

System, hence these are the items of core focus in this project. For the sake of this project, we

will explore the basic installation and configuration of OSSEC, an open source and freely

available Host Based Intrusion Detection and Prevention System, which has the ability to

monitor log files in real time, monitor system files for integrity, and block anything abnormal

and also alert the systems administrators in real time. This project will also explore and guide on

checking what services are running on the server and turning off any unwanted services. We will

follow the KISS principle which says “Keep It as Simple as Possible”. It is my belief that by

implementing this type of monitoring with common best practices and changing default

configurations to a more secure counterpart can highly reduce the risk of easily being

compromised.

This project will not address the security and configurations of all the tools and services

available for Linux operating systems and or network security. This project will also not cover

operating systems other than Linux. This project will only cover Linux operating systems and the

most common services on Linux Servers. This study alone will not make a Linux server

completely secure from attacks or vulnerabilities; however it will try to point out common

settings and configurations that will harden the server security.

Assumptions

This project is carried out with the assumption that most of the security breaches and

server compromise are a result of leaving the default installation of the Operating System unchanged. Also it is

assumed that by Operating System we are meaning Linux Based operating system. Most of these

guidelines may apply to many UNIX like operating systems including Linux, UNIX and other

flavors of UNIX and Linux based operating systems. It is also assumed that any additional

security measures are in place above the Server itself such as Network Firewall, router access

controls etc. and that this project is limited to hardening the security of the server in itself.

Project Phases

The project consists of four major phases. Initially the server is audited and response of

the system to the intrusions is analyzed. After the initial analysis the four major phases of the

project begin. The first phase “Removing unwanted applications and services” will comprise

exploring what packages and applications are installed on the system, what services are running,

any firewall rules and so forth and removing and stopping unwanted applications and services.

The second phase will include the security hardening of the operating system, common services

and some kernel parameters. The third phase focuses on configuration of the firewall to protect

the server from access to unauthorized ports and services. A restrictive firewall policy will be

implemented. The fourth phase will cover installation of a host based intrusion detection system,

which will alert the system administrator of any intrusion and also block such attacks in a real

time manner.

Timelines

The initial analysis of the server will begin as soon as the project is planned and

procedures outlined. After the completion of the initial analysis, we will step into the first phase

of the project which includes the exploring of the installed applications and services followed by

Hardening security, configuring firewall and Installing intrusion detection and prevention

system. Finally, testing of the solution will be performed. The total expected time of implementation

of the project is one week, from analysis to implementation and final testing.

Dependencies

The second phase “Hardening Security” is dependent on the first phase “Exploring the default

installation of the operating system and required services and applications on the server”.

However, configuring the firewall and installing the intrusion detection and prevention system are

independent. A firewall may be configured before hardening other security or an intrusion

detection system may be installed. However, for the sake of simplicity, this project has been

organized in the manner stated in the project phase section.

Resource Requirements

This project is based on freely available open source tools and applications and thus

requires minimal resources. However, skilled manpower and testing personnel are required for

the successful implementation of the solution. Penetration testing manpower may be needed if

we wanted to take the implementation to the next level and assess any residual risks with the

server security. Skilled system administrators with sound Linux knowledge are required during

the implementation of the project in the four phases described earlier.

Risk Factors

Availability of skilled system administrator is a major risk that might impact the

situation. Another factor that may impact the situation is the experience level of the system

administrator. Furthermore management support is required for the project and convincing

management for the implementation could be a challenge. Any interruption in business

operations as a result of misconfiguration is another risk involved with the implementation of

changes.

Important Milestones

The most significant and measurable points in the project are the hardening of the initial

security of services and operating system itself. After the hardening of initial security, the next

major milestone is the installation and configuration of firewall to protect the server from

unauthorized service access. Finally installation and configuration of HIDPS (Host Based

Intrusion Detection and Prevention System) and receiving a real time notification of the brute

force attempts on the server was a very significant milestone.



Deliverables

This project starts on top of a hardware baseline, meaning the project is completely

dependent on the software layer, without the need for custom hardware, parts and accessories as

such. Thus there is no hardware deliverable provided by the project directly. The project

deliverable consists of the software to be used in securing a Linux Server, procedures to be

followed in implementing such controls and detailed documentation on implementing those

tools, applying proper configurations to the server settings, a summary on how to identify and remove

unwanted applications and services from the server and make the server production ready with

respect to security and performance.

Methodology

This project is implemented using the Plan-Do-Check-Act (PDCA) approach. The solution to be

implemented is first planned. Then the initial analysis is performed, where the initial security

state of the server is inspected. In the check phase, we perform some intrusion tests, view the

system response, and then we enhance the server security in the next cycle of the process. Also

this cycle should be continuous. Security is not a one-time goal; it must be continually

maintained. Maintenance plan section of this project will discuss the maintenance in greater

detail. There are other approaches like delta project implementation strategy as well, however in

that approach, we would be implementing security in small increments and that would leave

server vulnerable for a longer period of time. Thus PDCA approach seems to be the best

approach for the implementation of security to the server. Further, since security needs to be

continually maintained, this cycle best fits the need.



Approach Explanation

The implementation has been approached in a two staged manner. First explore and audit

and secondly, implement and audit. So initially we explore the system, identify the weaknesses,

audit system responses to intrusions, and then we implement security controls and verify the

system responses again. By using this approach, we will be able to identify exactly what issues

we had encountered and what we have resolved. We would also know, by this approach, how the

system responded before and how it responds after implementation of the

solution.

The implementation could have been approached in a more direct manner. By

implementing the firewall and intrusion detection system and then checking to see if there were

vulnerabilities, or testing the system's response. However, we would not be able to identify what

security threats exactly have been mitigated and how.

Approach Defense

By using this approach of implementation, it becomes clear what the threats to the

server were and what has been taken care of. Also this approach establishes a clear vision on

how to perform such security enhancement if new servers were added or new service were added

to the system. Also in this approach, the system is audited before implementation and the

controls are implemented and the system is tested for the response of the system after

implementation of control. This approach is very scalable as it can be applied to any number of

servers in the network. The whole process can be applied to any number of servers as they are

put into production. This approach of implementation provides a long-term success because the

basic security controls are applied to the servers and it includes continuous monitoring and

adjustment of the security controls. For example, implementing an intrusion detection system

and adjusting firewall rules to block any intrusion detected is a continuous process.

Project Development

The project development phase is the phase where the actual security posture of the

server is evaluated and necessary controls are applied so as to enhance the security posture of the

server. The servers will be evaluated for unwanted applications and services that have been

installed as a part of default installation. The unnecessary packages will be removed and services

will be stopped so as to minimize the complexity of the server and to configure the server in such

a way that it only performs the job it is supposed to.


Hardware

Since the security controls will be applied on the servers, no additional hardware

accessories are required. However, if needed to further enhance the security, hardware

firewall, hardware based intrusion detection systems and advanced routers with access control

features may be used.



Software

The project is based on implementation of freely available open source tools and

application and again, to enhance the security further, commercial applications with more

features and support subscription may be used. However, for the sake of this project we will use,

IPTABLES as the firewall software, OSSEC as the Intrusion detection and prevention system

software, APACHE as the web server and VSFTPD (Very Secure FTP Daemon) as the FTP

Server.

Tech Stack

In order to limit the scope of the project, we will assume that the server provides web

service, FTP service and database service. The implementation of the controls presented by this

project will provide layers of security to the services and the operating system as a whole.

Phase I: Removing Unwanted Packages & Services

The first phase of the technical stack of this project is to remove unwanted packages and

services installed in the server. When a type of installation for example, “Desktop GUI” is

chosen, numerous applications and services are installed on the server. The server should be

installed with specifically those applications that are required for proper operation of the services

required from the server. So in order to keep the server simple and mitigate any threats from

vulnerabilities related to applications that are not used, we should remove the unwanted packages

and services.

Figure 10.1 Installed Packages

The above screenshot displays the package groups installed on the server. Packages like DNS

Name Server, Dialup Networking Support, GNOME Desktop Environment, Games and

Entertainment, HyperV, News Server, Printing Support, Office/Productivity, Sound and Video,

X Window System are not needed for the operations of a server. Thus we can safely remove

those programs from the server. The unwanted package groups can be simply removed by

issuing the command:

yum groupremove "Dialup Networking Support"



Figure 11.1 Removal of unwanted Packages

We will run same command for each unwanted package group. However, to ease up the process

we may create a file with the list of package groups to be removed and run command:

while IFS= read -r prog; do yum -y groupremove "$prog";done < "remove.list"

Figure 12.1 List of Programs to remove



Similarly if we wanted to remove a standalone package, we may issue the following command:

yum remove packagename

e.g. yum remove zip

The next step is to stop unwanted services and prevent them from starting on the next boot. We have identified

services like rpc.statd, portmap, rawdevices, iscsi, iscsid etc. as unnecessary

services running on the server, so we will stop them. The list of services that

will run on run level 3, which is the default run level for servers, can be seen as shown in the

below figure.

Figure 13.1 Active Services



Figure 14.1 Stopping and Turning off Service

The above screenshot shows how to stop and disable portmap service for current session and

subsequent reboots. We run same commands for other services that we do not need running on

the server.

Phase II: Hardening Security

The next phase in securing the server is hardening security. Hardening security consists

of multiple steps like updating the system, enforcing password aging, password complexity

requirements, securing SSH, Kernel security parameters, locking users after multiple failures,

restricting direct root logins, displaying login banners etc.

 Updating the System

The system should be updated on a regular basis. New patches should be applied, as they

roll out. In order to update a Linux system, yum utility can be used.

Figure 15.1 Updating the System

 Password Security & Complexity requirements

In order to ensure that user passwords are secure, a security policy must be

enforced by the management as well as by the system administrators. By configuring the

server for strict password requirements, compliance becomes unavoidable. Thus password security

must be implemented on the server. Password security includes, password aging

requirements, meaning forcing passwords to expire every 90 days, password complexity

requirements, restricting use of repeated passwords etc. The file /etc/login.defs needs to

be updated to enforce password aging.

Figure 16.1 Password Policy

By editing the above file, we can set the maximum number of days a password is

considered valid (PASS_MAX_DAYS), the minimum number of days before a user can change the

password again following a change (PASS_MIN_DAYS), the minimum password length

(PASS_MIN_LEN), the number of days before expiry on which the password change warning is displayed

(PASS_WARN_AGE) etc. /etc/default/useradd needs to be modified to set the number of days

after password expiration when the account is disabled (INACTIVE). This file can also be used

to specifically define when a password will expire (EXPIRE).

Figure 17.1 Password Policies



Finally, we can enforce strong password requirements by modifying the /etc/pam.d/system-auth

file.

Figure 18.1 Password Complexity Requirement

In the file /etc/pam.d/system-auth, as shown in the above image, we have to make some

modifications to enforce password complexity requirements. For the line above, make it look

like the line below (the whole directive is on a single line, with no spaces around the "=" signs):

password requisite pam_cracklib.so try_first_pass retry=3 minlen=8 lcredit=-1 ucredit=-2 dcredit=-2 ocredit=-1

Where (a negative credit value means a minimum count of that character class):

minlen = Minimum length of the password

lcredit = Minimum number of lower case letters (-1 means at least one)

ucredit = Minimum number of upper case letters (-2 means at least two)

dcredit = Minimum number of digits (-2 means at least two)

ocredit = Minimum number of other characters (-1 means at least one)

Make sure that the content looks like shown in below image after the change.

Figure 19.1 Password Policy Enforced
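The script below is an added example and not the thesis author's code. It checks a login.defs-style text against the aging policy just described and reports every setting that falls outside it, and it also covers a point the figures do not show: /etc/login.defs only applies to accounts created after the change, so the same limits have to be pushed onto existing accounts with chage. The 90-day expiry is the value stated in the text; the other limits (minimum days, minimum length, warning age) are assumed values, and the login.defs excerpt is constructed.

```sh
# Added example, not from the thesis: check a login.defs-style text against the
# aging policy described above (90-day expiry from the thesis; the other limits
# are assumed values) and apply the same limits to accounts that already exist,
# because login.defs only affects users created after the change. The file
# excerpt below is constructed for the example.

SAMPLE_LOGIN_DEFS='# constructed excerpt of a default CentOS 5 /etc/login.defs
MAIL_DIR        /var/spool/mail
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
UID_MIN                   500'

# Policy limits (assumed, except the 90 days stated in the text)
POLICY_MAX_DAYS=90   # PASS_MAX_DAYS must be <= this
POLICY_MIN_DAYS=1    # PASS_MIN_DAYS must be >= this (stops immediate re-use cycling)
POLICY_MIN_LEN=8     # PASS_MIN_LEN must be >= this
POLICY_WARN_AGE=7    # PASS_WARN_AGE must be >= this

# login_defs_value <text> <KEY>: value of KEY ignoring comments; the last
# occurrence wins, which is how shadow-utils reads the file. Prints nothing
# if KEY is unset.
login_defs_value() {
    printf '%s\n' "$1" | awk -v key="$2" '$1 == key { v = $2 } END { if (v != "") print v }'
}

# check_limit <text> <KEY> <op> <limit>: true when "value <op> limit" holds
check_limit() {
    v=$(login_defs_value "$1" "$2")
    [ -n "$v" ] && [ "$v" "$3" "$4" ]
}

# audit_login_defs <text>: print one line per violated setting; return 1 if any
audit_login_defs() {
    rc=0
    check_limit "$1" PASS_MAX_DAYS -le "$POLICY_MAX_DAYS" || { echo "PASS_MAX_DAYS must be <= $POLICY_MAX_DAYS"; rc=1; }
    check_limit "$1" PASS_MIN_DAYS -ge "$POLICY_MIN_DAYS" || { echo "PASS_MIN_DAYS must be >= $POLICY_MIN_DAYS"; rc=1; }
    check_limit "$1" PASS_MIN_LEN  -ge "$POLICY_MIN_LEN"  || { echo "PASS_MIN_LEN must be >= $POLICY_MIN_LEN"; rc=1; }
    check_limit "$1" PASS_WARN_AGE -ge "$POLICY_WARN_AGE" || { echo "PASS_WARN_AGE must be >= $POLICY_WARN_AGE"; rc=1; }
    return $rc
}

# apply_aging_existing_users: push the same limits onto existing human accounts
# (UID 500 and up on CentOS 5) with chage; must run as root. System accounts
# are left alone. "chage -l <user>" shows the result for one account.
apply_aging_existing_users() {
    awk -F: '$3 >= 500 && $3 < 65534 { print $1 }' /etc/passwd |
    while read -r user; do
        chage -M "$POLICY_MAX_DAYS" -m "$POLICY_MIN_DAYS" -W "$POLICY_WARN_AGE" "$user"
    done
}

# On a live server: audit_login_defs "$(cat /etc/login.defs)"
```

Running the audit against the constructed default excerpt reports three violations (PASS_MAX_DAYS, PASS_MIN_DAYS and PASS_MIN_LEN); PASS_WARN_AGE 7 already meets the assumed minimum. The audit can be added to the periodic review called for in the Risk Analysis section.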

 Securing SSH

SSH or Secure Shell is the most commonly used remote administration and management

tool for Linux and Unix based operating system. While it provides secured and encrypted

session between the server and the client, if not secured, attackers can gain complete

ownership of the system. SSH hardening is performed by changing various parameters in

the file /etc/ssh/sshd_config. First of all, disable root login via SSH. Any user who needs

root access will have to first login as a normal user and then switch to root. By doing this,

an attacker has to first gain user access and then further gain root access instead of just

having to gain root access, if direct root login were enabled. In order to disable root

login, edit the file /etc/ssh/sshd_config, uncomment the line “PermitRootLogin yes” and change

it to “PermitRootLogin no”. If for some reason direct root login is required and cannot be disabled, it is advised to

permit root login only without a password, i.e. by using a key. This can be configured by

setting the value “PermitRootLogin without-password” in the sshd configuration file.

By default, SSH service listens on port 22 which is known to any Linux User. Thus

attackers may just scan for servers listening on port 22. In order to bypass such attackers,

changing the SSH port is a good idea. It is recommended to change the SSH Port to

somewhere in the range of 1024 to 65535.

 Disable Password Authentication

If possible, completely disable password authentication and use key based authentication

only. A key is more secure than a password. Further, a key can be restricted to be used

only from certain IP Addresses. Password Authentication can be completely disabled for

SSH by setting “PasswordAuthentication no” in sshd configuration file. Also you should

use SSH Login Banner to alert the users attempting to login to the system that the system

is private and that unauthorized access is prohibited. Include the list of users that are

allowed access via SSH in the configuration file, so that accidentally created users, or

unauthorized users cannot login via SSH. This can be done by using the value

“AllowUsers user1 user2 user3”. Below is a screenshot of ssh configuration file with

these security parameters enabled.

Figure 20.1 SSH Security Configuration
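As an added example (not code from the thesis), the script below audits an sshd_config text for the directives discussed above. It matters how sshd reads the file: comment lines are ignored, keywords are case-insensitive, and the first uncommented occurrence of a keyword wins, so a hardened "PasswordAuthentication no" appended at the bottom is silently ignored when an earlier line still says "yes". Keywords that are absent fall back to the OpenSSH defaults (PermitRootLogin yes, PasswordAuthentication yes, Port 22). Both configuration texts in the script are constructed; the user names in AllowUsers are placeholders.

```sh
# Added example, not from the thesis: audit an sshd_config text for the
# directives discussed above, using sshd's own reading rules: comment lines
# are ignored, keywords are case-insensitive, and the FIRST uncommented
# occurrence of a keyword wins. Absent keywords fall back to the OpenSSH
# defaults (PermitRootLogin yes, PasswordAuthentication yes, Port 22).
# Both configs below are constructed for the example.

# A config that looks hardened at first glance but is not.
SAMPLE_SSHD_CONFIG='Port 22
#PermitRootLogin yes
PasswordAuthentication yes
Protocol 2
Banner /etc/issue.net
# appended later, but the earlier PasswordAuthentication line already won
PasswordAuthentication no'

# sshd_effective <config-text> <Keyword>: the value sshd would use, "" if unset
sshd_effective() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == key { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }'
}

# sshd_audit <config-text>: print one finding per weak directive; return 1 if any
sshd_audit() {
    cfg="$1"; rc=0
    v=$(sshd_effective "$cfg" PermitRootLogin)
    case "${v:-yes}" in
        no|without-password) ;;
        *) echo "PermitRootLogin is '${v:-yes}': set it to no (or without-password for key-only root)"; rc=1 ;;
    esac
    v=$(sshd_effective "$cfg" PasswordAuthentication)
    [ "${v:-yes}" = "no" ] || { echo "PasswordAuthentication is '${v:-yes}': set it to no once keys are installed"; rc=1; }
    v=$(sshd_effective "$cfg" Protocol)
    [ "$v" = "2" ] || { echo "Protocol is '${v:-unset}': set Protocol 2 explicitly"; rc=1; }
    v=$(sshd_effective "$cfg" Port)
    { [ -n "$v" ] && [ "$v" != "22" ]; } || { echo "Port is ${v:-22}: move sshd to a high port (e.g. 2222) and open it in iptables"; rc=1; }
    [ -n "$(sshd_effective "$cfg" AllowUsers)" ] || { echo "AllowUsers is unset: list the accounts permitted to log in"; rc=1; }
    [ -n "$(sshd_effective "$cfg" Banner)" ] || { echo "Banner is unset: point it at a warning banner file"; rc=1; }
    return $rc
}

# The hardened form of the same file; user names are placeholders.
HARDENED_SSHD_CONFIG='Port 2222
Protocol 2
PermitRootLogin no
PasswordAuthentication no
AllowUsers amit ops
Banner /etc/issue.net'

# On a live server: sshd_audit "$(cat /etc/ssh/sshd_config)"
```

On the constructed sample the audit reports four findings (root login, password authentication, port 22 and the missing AllowUsers list) and passes the hardened form. Two practical notes that follow from the text: install the administrator's public key in ~/.ssh/authorized_keys and confirm a key login works before setting PasswordAuthentication no, and restrict where a key may be used from with a from="10.10.20.3" prefix on its authorized_keys line. After editing the file, sshd -t checks the syntax; restart sshd from a session that stays open so a mistake does not lock you out, and remember that a new port also has to be allowed in the firewall configured in Phase III.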

 Kernel Security Parameters

Ensure kernel security parameters are properly set. Parameters such as

net.ipv4.tcp_syncookies will protect from a SYN attack, which is a denial of service attack;

disable source routing, disable ICMP redirect messages, enable IP spoofing protection,

ignore ICMP echo requests if possible, ignore broadcast ICMP requests, which

protects from the ping of death attack, enable bad error message protection and enable

logging of spoofed, source routed and redirect packets for analysis of the source of such

attacks. These kernel parameters can be applied by adding the appropriate keyword and

value pairs to the /etc/sysctl.conf file. In order to apply the changes without restarting the server,

run the command sysctl -p.

# Entries for /etc/sysctl.conf; each comment describes the setting that follows it

# Protect from SYN attack
net.ipv4.tcp_syncookies = 1

# Disable source routing
net.ipv4.conf.all.accept_source_route = 0

# Disable ICMP redirects
net.ipv4.conf.all.accept_redirects = 0

# Source address verification to protect from IP spoofing
net.ipv4.conf.all.rp_filter = 1

# Ignore ICMP echo requests
net.ipv4.icmp_echo_ignore_all = 1

# Ignore broadcast ICMP echo requests
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Bad error message protection
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Enable logging of spoofed, source routed and redirect packets
net.ipv4.conf.all.log_martians = 1

 Login Alerts

It is good to know who logs into the server. If an attacker gains access to a server, they

may remove the logs and it may be difficult for an administrator to even know that the

server has been compromised. It comes in very handy if you implement a script that will

notify the administrator of any logins by email. Since the script is executed as soon as the

user logs in, the email is sent immediately, so the attacker may not be able to cover their tracks and an

administrator can promptly know that someone has accessed the server. The path of the

script should be added to /etc/profile, which is executed for every login shell:

vi /etc/profile

/usr/scripts/loginnotifier

In /usr/scripts/loginnotifier, a script may be written to notify the login. Below is a

sample script for the same.

#!/bin/bash
#Author : Amit Nepal
#Email : amit@amitnepal.com
#This script is free to use as long as you have these lines in the
#script.

Logging=true                 # true/false: also append every login to LOG_FILE
LOG_FILE=/var/log/amit.log   # path to log file; it must be writable by every login user
                             # (create it as root with chmod 622, or chattr +a for append-only)
SUBJECT="Login Alert: $(hostname)"
ADMIN="amit@amitnepal.com"   # admin email
# known IPs: no email is sent for logins from these addresses, only a log entry
KNOWN_IPS="192.168.100.10 10.10.20.3 172.16.5.1"
# SSH_CLIENT holds "client_ip client_port server_port"; it is empty for console logins
loginip=$(echo "$SSH_CLIENT" | awk '{print $1}')
authorized=false
msgheader="Unauthorized Login to Server:"

function message {
  echo "${msgheader}$(hostname)"
  echo "-----------------------------------------"
  echo "Login IP : ${loginip:-console}"
  echo "Login User: $(whoami)"
  echo "Date-Time: $(date)"
  echo "-----------------------------------------"
}

for ip in $KNOWN_IPS; do
  if [ "$loginip" = "$ip" ]; then
    authorized=true
    msgheader="Authorized Login to Server:"
  fi
done

if [ "$authorized" != "true" ]; then
  # mail the admin at once, so the alert leaves the server before an intruder can clean up
  message | mail -s "$SUBJECT" "$ADMIN"
fi

if [ "$Logging" = "true" ]; then
  message >> "$LOG_FILE"
fi

 TCP Wrappers

“TCP Wrappers add an additional layer of protection by defining which hosts are or are

not allowed to connect to "wrapped" network services” (Centos, TCP Wrappers and

xinetd). TCP wrappers provide an additional layer of security to services using libwrap

library. Services such as SSH, portmap, telnet can be protected using TCP Wrappers. In

addition to proper firewall configuration, use of TCP Wrappers can add an extra layer

of security. With TCP wrappers, we can define the networks or hosts allowed to use

specific service on the server. This is done by denying all hosts in the /etc/hosts.deny file

and selectively allowing hosts and networks in /etc/hosts.allow file.



Figure 21.1 TCP Wrapper
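The script below is an added example and not part of the thesis. It writes the deny-everything-then-allow-selectively policy described above into hosts.deny and hosts.allow, and it adds the check a practitioner needs before relying on that policy: only daemons linked against libwrap consult these files, so the script reports, per daemon, whether the policy applies or whether the firewall has to cover that service instead. The management hosts and networks are constructed placeholders, and the target directory defaults to /etc.

```sh
# Added example, not from the thesis: write the deny-all / allow-selectively
# TCP Wrappers policy described above and check which daemons will actually
# honour it. hosts.allow is consulted first, then hosts.deny, so "ALL: ALL" in
# hosts.deny is the fallback for anything not explicitly allowed. Only
# programs linked against libwrap read these files at all; everything else
# must be covered by iptables. The hosts and networks below are constructed
# placeholders; the target directory defaults to /etc.

MGMT_HOSTS="10.0.0.0/255.0.0.0 192.168.100.10"   # constructed: where admins SSH from

# write_tcpwrappers_policy [dir]: deny all, then allow sshd from MGMT_HOSTS,
# vsftpd from the private 10/8 network and anything from localhost. The
# net/mask form is used because tcp_wrappers 7.6 on CentOS 5 accepts it;
# newer releases also take CIDR notation.
write_tcpwrappers_policy() {
    dir="${1:-/etc}"
    printf 'ALL: ALL\n' > "$dir/hosts.deny"
    {
        printf 'ALL: 127.0.0.1\n'
        printf 'sshd: %s\n' "$MGMT_HOSTS"
        printf 'vsftpd: 10.0.0.0/255.0.0.0\n'
    } > "$dir/hosts.allow"
}

# is_wrapped <daemon-path>: true if the binary is dynamically linked to libwrap
is_wrapped() {
    ldd "$1" 2>/dev/null | grep -q 'libwrap'
}

# report_wrapped <daemon-path...>: one line per daemon saying whether the policy applies
report_wrapped() {
    for d in "$@"; do
        if is_wrapped "$d"; then
            echo "$d: wrapped, hosts.allow/hosts.deny apply"
        else
            echo "$d: NOT wrapped, rely on iptables for it"
        fi
    done
}

# On a live server (as root):
#   write_tcpwrappers_policy && report_wrapped /usr/sbin/sshd /usr/sbin/vsftpd /sbin/portmap
```

Two caveats worth knowing when applying this: vsftpd only consults the wrapper files when tcp_wrappers=YES is set in its own configuration file, and because hosts.deny denies ALL, any locally needed wrapped service (portmap is a common case) must get its own hosts.allow line, which is why the localhost entry is written first.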

Phase III: Configuring Firewall

Linux operating systems come equipped with a very powerful, stateful packet filtering

application or a firewall known as IPTABLES. IPTABLES when properly configured can

provide very good security to the server and services. The firewall can be configured to allow

access selectively to certain hosts for certain ports, protocols etc. This firewall can also be

configured to detect intrusions by logging certain types of traffic. Further this firewall also has

the capability to limit the rate of connections from a specific source IP Address. The following

configuration provides a starting point for IPTABLES for basic security.

#Sample IPTABLES Firewall Configuration File -- Amit K Nepal
#Drop all Input and Forward requests which are not allowed in this configuration file.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LogAndDrop - [0:0]
#Drop all incoming traffic from private and link-local networks on the public interface (eth0)
#because such packets must be spoofed to arrive on the public interface
-A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
-A INPUT -i eth0 -s 169.254.0.0/16 -j DROP
-A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
-A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
-A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
#Drop all traffic from and to multicast, reserved and broadcast addresses
-A INPUT -s 224.0.0.0/4 -j DROP
-A INPUT -d 224.0.0.0/4 -j DROP
-A INPUT -s 240.0.0.0/5 -j DROP
-A INPUT -d 240.0.0.0/5 -j DROP
-A INPUT -s 0.0.0.0/8 -j DROP
-A INPUT -d 0.0.0.0/8 -j DROP
-A INPUT -d 239.255.255.0/24 -j DROP
-A INPUT -d 255.255.255.255 -j DROP
#Drop bogus packets and packets with invalid connection-tracking states
-A INPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
#Accept traffic that belongs to an already established or related connection
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#Accept all traffic from the loopback interface
-A INPUT -i lo -j ACCEPT
#Drop ICMP requests that disclose host information; rate-limit the remaining ICMP types
#(anything above the limit falls through to the INPUT DROP policy)
-A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
-A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
-A INPUT -p icmp -m icmp -m limit --limit 1/second -j ACCEPT
#Accept traffic for public services ( Web )
-A INPUT -p tcp -m multiport --dport 80,443 -j ACCEPT
#Allow ftp only from the private 10.x network. The spoof rules above drop 10.x on eth0, so this
#traffic must arrive on an internal interface; passive-mode data connections only match RELATED
#when the FTP connection-tracking helper (ip_conntrack_ftp on CentOS 5) is loaded.
-A INPUT -p tcp -m multiport --dport 20,21 -s 10.0.0.0/8 -j ACCEPT
#Limit new SSH connections (SSH listens on port 2222 in this project) to 3 per 60 seconds per
#source address; the 4th attempt inside that window is sent to the LogAndDrop chain to be logged
#and then dropped
-A INPUT -p tcp --dport 2222 -i eth0 -m state --state NEW -m recent --set
-A INPUT -p tcp --dport 2222 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j LogAndDrop
#Accept the new SSH connections that passed the rate limit. Without this rule they would reach the
#INPUT DROP policy and SSH would be unreachable.
-A INPUT -p tcp --dport 2222 -i eth0 -m state --state NEW -j ACCEPT
#Any traffic routed to this chain is logged (at most once per minute) and then dropped. The trailing
#space in the prefix keeps it separate from the IN= field in the log line.
-A LogAndDrop -m limit --limit 1/min --limit-burst 1 -j LOG --log-prefix "bruteforce: "
-A LogAndDrop -j DROP
COMMIT
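
As an added example (not from the original thesis), the following script reads the syslog lines that the LogAndDrop chain writes and counts the drops per source address, so the effect of the SSH rate limit can be reviewed from the logs. The log lines are a constructed sample in the iptables LOG layout; on a real host the same functions can be fed the output of grep bruteforce /var/log/messages.

```bash
#!/bin/sh
# Added example (not part of the original thesis). It summarises the syslog
# lines written by the LogAndDrop chain (iptables LOG target with the
# "bruteforce" prefix) so the firewall's output can be reviewed per source
# address. Assumed: the iptables LOG line layout shown in the constructed
# sample below (abbreviated, but the SRC= field is where the kernel puts it).

# Constructed sample of /var/log/messages; these are not real log entries.
SAMPLE_LOG='Aug 14 02:11:05 web1 kernel: bruteforce: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=51234 DPT=2222 SYN
Aug 14 02:12:05 web1 kernel: bruteforce: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=51240 DPT=2222 SYN
Aug 14 02:12:40 web1 kernel: bruteforce: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.10 PROTO=TCP SPT=40001 DPT=2222 SYN
Aug 14 02:13:05 web1 kernel: bruteforce: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=51250 DPT=2222 SYN
Aug 14 02:13:09 web1 sshd[4321]: Accepted publickey for admin from 10.0.0.5 port 50022 ssh2'

# bruteforce_sources LOGTEXT PREFIX
# Prints "count ip" for every source that produced a LOG line with PREFIX,
# busiest source first. Because the LOG rule is itself limited to one entry
# per minute, the count is a lower bound on the attempts actually dropped.
bruteforce_sources() {
    printf '%s\n' "$1" | grep -F "$2" \
        | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# drops_for_source LOGTEXT PREFIX IP
# Prints the number of logged drops for one address (0 if it never appears).
drops_for_source() {
    n=$(bruteforce_sources "$1" "$2" | awk -v ip="$3" '$2 == ip { print $1 }')
    printf '%s\n' "${n:-0}"
}

# Stand-alone run: summarise the constructed sample. On a real host, replace
# SAMPLE_LOG with: "$(grep bruteforce /var/log/messages)".
bruteforce_sources "$SAMPLE_LOG" bruteforce
```

Because the LOG rule in the chain is limited to one entry per minute, the counts are a floor on the number of dropped attempts, not an exact figure; the recent module's own counters are in /proc/net/ipt_recent on CentOS 5 if an exact view is needed.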

Phase IV: Installing HIDPS

“An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station” (Wikipedia). Intrusion detection and prevention systems come in many forms, both hardware appliances and software. For this project we use an open source host-based intrusion detection and prevention system, OSSEC.

“OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response” (OSSEC). OSSEC provides a robust feature set and can greatly enhance the security of the server. The first step in installing OSSEC is to download the source. The source code is then extracted, compiled, built and configured for use on the system.

Figure 22.1 OSSEC Download

In the above figure, we downloaded OSSEC and extracted the source from the tarball using the wget and tar commands.

wget http://www.ossec.net/files/ossec-hids-2.7.tar.gz
tar -zxvf ossec-hids-2.7.tar.gz



Once extracted, we change directory to the extracted folder and run the install script.

cd ossec-hids-2.7
./install.sh

On executing the script, an installation wizard asks a series of questions: whether to send email notifications and to which address, whether to enable the rootkit detection engine, integrity monitoring, active response, and so forth.

Figure 23.1 OSSEC Installation



All the questions confirm whether you want to enable a specific feature. After going through the process, the installation finishes and asks you to press ENTER. Once finished, we start the intrusion detection system, the OSSEC HIDS, with the following command.

/var/ossec/bin/ossec-control start

OSSEC will now alert on events that match its rules and, with active response enabled, will also block the offending source. For example, if an attempt is made to brute force the SSH service, OSSEC adds a firewall rule that blocks that IP address from making further requests; the block is temporary by default, so a legitimate user who triggered it by mistake regains access after the timeout. OSSEC also monitors important operating system files for changes and alerts you when any are modified.
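
The download step above fetches the tarball over plain HTTP, and install.sh then compiles and runs as root, so a practitioner would compare the file's digest with one published by the project before extracting it. The following script is an added example, not part of the original procedure: the expected OSSEC digest in it is a placeholder assumption, and the demonstration runs on a constructed file whose digest is known, so it works offline.

```bash
#!/bin/sh
# Added example, not part of the original thesis. The tarball above is
# downloaded over plain HTTP and install.sh is then compiled and run as root,
# so the file's SHA-256 digest should be checked against a value published by
# the project before anything is extracted. OSSEC_EXPECTED below is a
# placeholder assumption, not the project's real digest; the demonstration
# uses a constructed file whose digest is known, so it runs offline.

OSSEC_TARBALL=ossec-hids-2.7.tar.gz
# Placeholder: replace with the digest published for the release you downloaded.
OSSEC_EXPECTED=0000000000000000000000000000000000000000000000000000000000000000

# sha256_of FILE: print the hex digest using whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 when the file exists and its digest equals EXPECTED_HEX
# (compared case-insensitively), 1 otherwise.
verify_sha256() {
    [ -f "$1" ] || return 1
    actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# extract_if_verified FILE EXPECTED_HEX
# The guarded form of "tar -zxvf ossec-hids-2.7.tar.gz": extract only when
# the digest matches, otherwise leave the file untouched and fail loudly.
extract_if_verified() {
    if verify_sha256 "$1" "$2"; then
        tar -zxf "$1"
    else
        echo "digest mismatch or missing file: $1 (refusing to extract)" >&2
        return 1
    fi
}

# Demonstration on a constructed file: sha256("abc") is the standard test
# vector ba7816bf...f20015ad, so the check passes; the placeholder digest fails.
ABC_SHA256=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
demo_file=$(mktemp)
printf 'abc' > "$demo_file"
if verify_sha256 "$demo_file" "$ABC_SHA256"; then echo "demo: digest ok"; fi
if verify_sha256 "$demo_file" "$OSSEC_EXPECTED"; then :; else echo "demo: placeholder digest rejected"; fi
rm -f "$demo_file"
# Real use, after wget: extract_if_verified "$OSSEC_TARBALL" "$OSSEC_EXPECTED" && cd ossec-hids-2.7 && ./install.sh
```

The digest must come from a channel other than the download itself (a project page served over HTTPS, a signed release note, or a GPG signature) or it proves nothing; a digest file sitting next to the tarball on the same HTTP server can be replaced together with it.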

Final Output

With the above phases completed, the basic security controls have been implemented on the server. The final output of the implemented solution is a server that is measurably more secure, as discussed in the quality assurance section. The server will not be an easy target for simple attacks and so better protects the information it holds and the services it provides.

Quality Assurance

Quality assurance is an important aspect of any project, and this project was conducted with it in mind. The approach used to assure the quality of the security controls is a pre-implementation analysis followed by a post-implementation analysis: basic attacks such as brute force attacks are performed on the server before and after the security controls and guidelines are implemented. The advantage of this approach is that the benefit, and the level of security gained from the presented solution, can be observed directly.



Quality Assurance Approach

This project does not cover sophisticated attacks and security issues; it covers basic brute force attacks, footprinting, banner grabbing and small-scale denial of service in order to assure the quality of the presented security guideline.

Solution Testing

The solution was tested in a two-phase model. The initial test was performed on a bare installation of the default Linux operating system and the final test was performed on the secured server after implementation of the controls and guidelines presented in this project.

The test cases consisted of brute force attacks on the “root” account and on the other user accounts on the server, and on the FTP accounts. Banner grabbing was performed to identify the operating system version and the versions of applications such as Apache and PHP installed on the server.

• Password Security Test

After implementation of the password complexity requirements and the password expiration policy, an attempt was made to set the trivially weak password “123”; the system rejected the change.

Figure 24.1 Password Change Test

It was also confirmed that the password expiration policy was properly enforced.

Figure 25.1 Password Expiry Test

• Brute force attacks

It was confirmed that TCP Wrappers provided an extra layer of security by refusing connections from denied source addresses.

Figure 26.1 Brute Force Test - TCP Wrapper

A brute force attack was then launched after the test machine had been allowed access, and upon re-launching the attack, OSSEC blocked the IP address from which it was being launched.

Figure 27.1 OSSEC HIDPS



Other tests were also performed, such as a firewall test and banner grabbing, and it was found that the firewall was proactively blocking unwanted traffic to the server. The footprint available to an attacker was reduced by hiding the operating system version, Apache version, PHP version and so forth.
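
The banner grabbing check above can be expressed as a repeatable test. The following script is an added example, not the project's own test tooling: it takes a set of HTTP response headers and reports any Server or X-Powered-By header that still carries a version number. The before and after header sets are constructed samples; the after set is what Apache returns with ServerTokens Prod and PHP with expose_php = Off.

```bash
#!/bin/sh
# Added example, not part of the original thesis: a check for the banner
# grabbing test described above. It flags HTTP response headers that disclose
# product versions (Server, X-Powered-By), which is the footprint information
# the hardening removed. Both header sets are constructed samples, not
# captures from the project's server.

BEFORE_HEADERS='HTTP/1.1 200 OK
Date: Wed, 14 Aug 2013 02:00:00 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Content-Type: text/html'

AFTER_HEADERS='HTTP/1.1 200 OK
Date: Wed, 14 Aug 2013 02:00:00 GMT
Server: Apache
Content-Type: text/html'

# leaked_versions HEADERS
# Prints each Server or X-Powered-By header whose value carries a version
# number (digits.digits). Prints nothing when no version is disclosed.
leaked_versions() {
    printf '%s\n' "$1" | tr -d '\r' \
        | grep -iE '^(Server|X-Powered-By):' \
        | grep -E '[0-9]+\.[0-9]+'
}

# headers_clean HEADERS: exit status 0 when nothing is leaked.
headers_clean() {
    [ -z "$(leaked_versions "$1")" ]
}

# report LABEL HEADERS: one-line verdict for a header set, with the
# offending headers listed underneath when there are any.
report() {
    if headers_clean "$2"; then
        echo "$1: no version disclosed"
    else
        echo "$1: version disclosed in:"
        leaked_versions "$2" | sed 's/^/    /'
    fi
}

report before "$BEFORE_HEADERS"
report after "$AFTER_HEADERS"
# Live use against a real host: report web1 "$(curl -sI http://web1/)"
```

Run it against the server before and after the hardening and keep both outputs with the test evidence; the check is deliberately narrow (two headers, one pattern) so a failure points directly at the directive that was missed.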

The acceptance criteria set for the project deliverable were that the implementation would protect the server from basic forms of attack and that the server would have the necessary controls and alerting in place to block intrusions and notify the systems administrator in real time. The implemented solution also provided real-time integrity monitoring of operating system binaries. By performing these tests, it was confirmed that the security hardening implementation presented in this project was successful.

Implementation Plan

The project implementation plan, as discussed earlier, is divided into phases. First, the initial assessment of the server is performed; second, the controls and solutions are implemented in several sub-phases; finally, quality assurance and acceptance testing are performed.

The project phases include exploring the default posture of the operating system, followed by hardening it through security controls, configuration changes and enforced policies. A firewall is then configured and tuned to restrict unauthorized access to ports and to allow access from trusted IP addresses only. Finally the host-based intrusion detection and prevention system is installed, and the resulting server is the final deliverable, which then undergoes testing and quality assurance.



Strategy for the Implementation

As an alternative to the approach presented in this project, hardware-based appliance solutions could have been implemented. However, hardware-based solutions require purchasing additional equipment and extensively training IT personnel to operate it. With this approach, the money that would have gone to hardware can instead be spent on other business process improvements, and only a portion of it is needed to train IT personnel on the open source tools. Another great advantage is that, being open source, these tools are continuously improved by a large community that fixes issues and provides documentation and support. Furthermore, the tools are native to the Linux operating system and are built to protect Linux servers, so this approach seemed the best strategy for securing the Linux server.

Phases of the Rollout

The rollout consists of the initial analysis phase, hardening, configuring the firewall, installing an intrusion detection system and then final testing of the outcome. The audit results of the initial and final tests will be compared and analyzed for acceptance. At the very least, the outcome of the implementation is expected to be a server with the ability to block brute force attacks and to alert the system administrator in real time of any intrusion or malicious behavior on the system. Achieving this level of outcome constitutes acceptance of the implementation.



Details of the Go-Live

After the implementation is completed, the server is tested in the same manner as in the initial test, and the outcome of the post-implementation test determines whether the project is fully implemented. The server may then be monitored for a week for intrusions and the system's response to them. A reduction in intrusion attempts, timely notifications to the systems administrators and proactive reaction of the server to those attempts can be deemed a successful project implementation. As mentioned earlier, this is not a one-time solution: whenever new services are added to the server, or applications become outdated, they will have to be updated and new security controls implemented.

Dependencies

This project is composed of modular components, so its parts can be implemented in any order. For example, an intrusion detection system could be installed before the firewall, or a firewall could be configured before the unwanted applications and services on the system are analyzed. However, implementing the project in the right order makes it easier to tune the controls and configuration, so the order of implementation is: analysis, hardening, installing the firewall and finally installing the intrusion detection system.

Deliverables

This project builds on top of an existing hardware baseline: it is entirely a software-layer effort, with no need for custom hardware, parts or accessories. Thus there is no hardware deliverable; the project is implemented on existing hardware. The project deliverables consist of the software used to secure a Linux server, the procedures to follow when implementing the controls, detailed documentation on installing those tools and applying the proper configuration to the server settings, and a summary of how to identify and remove unwanted applications and services so that the server is production ready with respect to security and performance.

Once the security controls and guidelines have been implemented, a user training session should be conducted. Users will be made aware of the security changes and of their responsibilities in ensuring the security of the server, its services and the information it contains. No matter how secure the server or the network is, if users are vulnerable, attackers can bypass all the controls. Therefore users should be trained in good password practice and the password policy: they should never use easy-to-guess passwords, never share their passwords, and not install any third-party applications without prior approval of the information security team. The implementation of this project also enforces password complexity requirements and password aging, so users should be made aware of that policy as well.

Risk Assessment

“Risk assessment is a systematic process for identifying and evaluating events (i.e., possible risks and opportunities) that could affect the achievement of objectives, positively or negatively” (PricewaterhouseCoopers). There are two types of risk assessment, quantitative and qualitative. A qualitative risk assessment categorizes risks by their likelihood of occurrence and their business impact, whereas a quantitative risk assessment assigns a numerical value or dollar amount to each risk.

By implementing the solutions in this project we attempt to mitigate those risks; however, there may be some potential risks associated with the implementation of this project itself, and these are analyzed in the sections below.

Quantitative and Qualitative Risks

This project is intended to implement security controls and enhance the security posture of a server containing information. Because the project scope does not associate that information with a specific dollar amount, we perform a qualitative risk assessment.

The following table identifies the risks, their likelihood and their consequences based on the qualitative risk assessment.



Table 1.1 Risk Register (Likelihood and Severity: L = low, M = medium, H = high)

Risk | Description | Consequences | Likelihood | Severity
Skilled System Administrator | A skilled system administrator is required to implement the security settings and controls. | Improper changes may be applied to the system, leaving it more vulnerable to attack. | M | H
Management Support | Management support is required in order to implement the changes and enforce policy. | The project may not be given the go-ahead if management support is not obtained. | L | H
Security Misconfiguration | Misconfigurations may occur while making changes to the configuration files. | Additional vulnerabilities may arise, or service interruption may occur. | H | H
Network Interruption | Changing the firewall configuration or the HIDS may cause network interruption. | Services may not be available over the network. | L | M
Firewall Misconfiguration | Improper configuration of the firewall may cause some services to not function properly. | Some services may not be available or may not be fully functional. | M | M
Unsupervised Implementation | Lack of supervision during implementation may lead to errors and interruptions. | Interruption in services, risk of loss of configurations. | M | M
Unanticipated Changes | If the plan is not followed properly, unanticipated changes may be applied to the server. | Unpredicted and unwanted situations may arise, such as loss of network connectivity or availability of services. | M | H
Configuration Backup and Recovery | Failure to back up the configuration before applying changes may cause problems if the configuration needs to be restored. | No backup will be available if the configuration needs to be restored to its previous state. | H | H

Cost/Benefit Analysis

The following points highlight the cost/benefit analysis of the project implementation.

• The implementation of this project is expected to reduce the risk of malicious attacks by about 80%, which is the reduction in SSH brute force attempts observed when the controls were tested on a live server. If the risk of attack were not lowered, the impact on the business and its credibility would be very high.

• The project makes good use of open source software and tools, keeping the cost of implementation minimal; it is therefore very beneficial for an organization to adopt this solution and overcome the risk of malicious attacks and intrusions into the system.

• The low cost of implementation means there is little chance of a cost overrun that could result in reduced staffing. It may also make it possible to hire additional personnel to maintain the security of the infrastructure, as a result of the high availability and security achieved.

Risk Mitigation

We have identified potential risks to the implementation of the proposed solution, and to mitigate them we have to adopt an appropriate risk mitigation strategy. To address the risk of lacking management support, we will present the cost/benefit analysis to management; since the cost of implementation is very low and the advantage high, we should be able to obtain their support. To mitigate the risks of an unskilled system administrator, security misconfiguration and network interruption from improper firewall configuration, we will follow specific procedures, perform the appropriate tests in a development or cloned environment and proceed with caution. A proper backup and recovery mechanism will be implemented and tested prior to implementation so that we can promptly roll back to the previous state if necessary. Unanticipated changes resulting from the installation of applications and changes in configuration are also covered by a proper backup and recovery mechanism. Proper testing in a similar environment, combined with a good backup and recovery mechanism, should adequately mitigate the potential pitfalls of implementing the solution.

If we encounter issues with the implementation we will be able to roll the configuration back to its original state from the backup taken before implementation. Alternatively, since the solution is implemented in phases, only the problematic change may be rolled back. Rollback has both an advantage and a disadvantage: we can promptly restore operations to the previous state, but we leave the system vulnerable for longer, which is the greater risk to the business.

Post Implementation Support and Issues

As discussed throughout this document, security is an ongoing process: implementing this solution once cannot be expected to maintain security forever. We therefore need a post-implementation plan for support and for the other issues that may appear as a result of the implementation.

Post Implementation Support

The enhanced system will be supported by skilled system administrators; if the administrators are not already skilled or experienced, proper training should be provided. Since the new system responds automatically to threats and intrusions, false positives are possible and a legitimate user may be blocked. In such cases a trained administrator is required to analyze the event, unblock the user and fine-tune the system so that it does not recur. The server needs to be continually updated, tuned and maintained. If necessary, professional support may be obtained by hiring consultants, or third-party services may be contracted to maintain the system.

Post Implementation Support Resources

After the implementation of this solution, various support resources are required to maintain and enhance the security of the server. Changes in regulations or business processes may change how the server is used: additional services may be deployed, configurations may need modification, and there may be employee turnover. To support security in the long run, the required resources include a qualified and skilled system administrator, periodic training programs to keep the administrators' knowledge current, a periodic audit process, and policies and plans for reacting to the outcome of each audit.

Third-party consulting services may be contracted to perform periodic assessments, penetration testing and training for the IT staff. The currently implemented software may become inadequate as technology and attacker tactics evolve, in which case new software may need to be implemented to ensure the security of the system. An additional hardware firewall or intrusion detection system may also become necessary in the long run.

Maintenance Plan

For short-term maintenance of the information system, systems administrators should be trained to operate the firewall and the intrusion detection system and to perform their daily operations. They must be trained to respond to alerts, to read and understand the notifications sent by the intrusion detection system, and to make the necessary configuration changes. System users must be trained and made aware of their responsibilities in ensuring security, of best practices, and of the newly developed security policy to which they must adhere.

For the long term, the organization should hire additional skilled system administrators and acquire servers for high availability and failover. Standby servers should be built to cope with unexpected situations: hardware failure, network problems and data loss could pose serious threats to business operations. An information security manager or chief information security officer should be hired to direct and supervise the system administrators and other staff so that security policies are enforced at all times. Proper backup and recovery procedures, disaster recovery plans and business continuity plans must be developed to counter the unwanted and unexpected situations that may affect business continuity.



Conclusion, Outcomes, and Reflection

In conclusion, the project provided a detailed insight into the security posture of a default installation of the Linux operating system and showed that changes and controls must be applied before the server is brought into a production environment. The project also helped in understanding various open source tools and how low-cost solutions can protect a server and greatly assist in maintaining and enhancing its security. It is also apparent that by implementing basic controls, proper guidelines and the right combination of freely available software, a server can be secured substantially. Most attacks start with an information gathering or scanning phase in which the attacker scans a range of IP addresses; the result of the scan decides which addresses are included in the next phase and which are excluded. Just by changing some default ports and implementing a firewall, we can place our servers on the exclude list. It should be noted, however, that a targeted attack goes well beyond a scan, and these controls may not be enough to protect against one; they will nonetheless make us appear a hard target, and opportunistic attackers may simply move on to the next, easier target. The project also enabled real-time notification and monitoring of intrusions on the server so that a system administrator can respond quickly, which is helpful against targeted attacks as well.

Project Summary

In summary, this project was an exploration of the Linux operating system, its default installation and its security posture at install time. It covered many installation defaults and operating system configuration changes that should be made to make the server production ready. The project walked through various security controls, securing common services and applications such as Apache, VSFTPD and PHP, and also gave an insight into firewall configuration and the installation and operation of an intrusion detection and prevention system.

Even though the project is not a complete security solution for a Linux server, it is a good starting point towards a secure one. The security issues it covers are the basic weaknesses which, when left unaddressed, make the server an easy target: attackers can exploit them and compromise the server, impacting business operations and the confidentiality, integrity and availability of the data it holds, and threatening consumers' personal information.

Thus, in summary, this project presents a good starting point for securing a Linux server, together with real-time monitoring and intrusion detection and a firewall configuration that protect the server and ensure the availability of the services and information it provides.

Deliverables

In a nutshell, the deliverables of this project are the security configuration details, a shell script for login notification on a server, a firewall configuration guide, and a host-based intrusion detection and prevention system installation guide. The project described various settings that can be changed to enhance the security of a Linux server; these are the starting point for securing the server from the baseline. With these guidelines and a proactive, periodic approach, the servers are expected to remain secure in the long term. The project deliverables are the security guidelines and best practices that will help secure Linux servers running 24/7 to provide information and services to businesses and end users.

Outcomes

The outcome of this project was a production ready Linux server with hardened security. The resulting server was ready to react to intrusions, was tuned to be stealthy enough to hide from basic attackers, and reacted to basic forms of attack such as brute force attacks, ping attacks and small-scale denial of service attacks.

I actually rented a server with a default CentOS 5.9 Final, which is a freely available version of Red Hat Linux, and applied all the solutions presented in this project. I left the server on the internet for two days before implementing the controls and stored the log files. After collecting log files for two days, I applied the controls and solutions presented in this project to the server and collected log files again after two days. The comparison of the two sets of log files showed approximately an 80% reduction in SSH brute force attacks. Also, turning off ping responses reduced the vulnerability scans by almost 50%.

I am really glad that I chose this topic, which aligns with my everyday work as well as the degree program I am pursuing, and this project really helped me explore much more detail in the Linux operating system, perform penetration testing and analyze situations before and after implementation of security controls and tools, and thus I realized the importance of these controls. I am excited that this project will provide guidelines and serve as a starting point for securing Linux servers for all my friends and colleagues.

Reflection

During the course of this project, I applied numerous skills and tools that I had learned during the whole degree program. Using the tools and skills learned, I was able to analyze and mitigate the security issues that would leave the server vulnerable to basic forms of attack and attract attackers to perform various attacks on the server. I learned about various open source tools which are freely available and help a great deal in securing Linux servers. I also came across and explored a lot of other tools, even though they were out of the scope of this project.

The major areas of learning during this project were the architecture of the Linux operating system, its working model and the response of the system to various attacks. I also learned to tune various kernel parameters and actually performed basic penetration testing of the server. All of the tests were performed in a virtual machine environment, which actually gave a production-environment insight into the threats and attacks. During the project I also learned the importance of using a real-time alerting and notification system. The HIDPS was also a great tool as an outcome of this project. I believe that I will apply the knowledge and skills gained through this project and my entire course of study, as well as the security guidelines and solutions presented by this project, in my everyday work and my future endeavors.



References

CentOS, TCP Wrappers and xinetd, retrieved 14 August 2013 from http://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-tcpwrappers.html

Email Notification on Login on Linux Machines, retrieved 14 August 2013 from http://www.amitnepal.com/email-notification-on-root-login-on-linux-machines/

H. Jeffrey, How to Block SSH Brute Force Attacks, retrieved 13 August 2013 from http://www.rackaid.com/resources/how-to-block-ssh-brute-force-attacks/

Install OSSEC on CentOS, retrieved 14 August 2013 from http://www.amitnepal.com/install-ossec-on-centos/

Introduction to Risk Analysis, retrieved 11 August 2013 from http://www.security-risk-analysis.com/introduction.htm

L. Jeff, Risk Analysis, 4 September 2008, retrieved 10 August 2013 from http://www.bloginfosec.com/2008/09/04/the-difference-between-quantitative-and-qualitative-risk-analysis-and-why-it-matters-part-1/

C. Gene, Minimal Services on CentOS 5 Mini-HowTo, retrieved 12 August 2013 from http://www.sonoracomm.com/support/18-support/114-minimal-svcs

OSSEC, Open Source Security, retrieved 14 August 2013 from http://www.ossec.net/

OSSEC: FAQ, retrieved 13 August 2013 from http://www.ossec.net/doc/faq/ossec.html

PricewaterhouseCoopers, A practical guide to risk assessment, retrieved 13 August 2013 from http://www.pwc.com/en_US/us/issues/enterprise-risk-management/assets/risk_assessment_guide.pdf

P. Werner, Securing and Hardening Red Hat Linux Production Systems, retrieved 8 August 2013 from www.puschitz.com/SecuringLinux.shtml

Securing CentOS 6 installation, retrieved 12 August 2013 from http://bkraft.fr/articles/Securing_CentOS_6_installation/

Stripping CentOS 5.6, retrieved 13 August 2013 from http://myoss.belgoline.com/snippets/stripping-centos-5.6

W. Dave, Network Security with /proc/sys/net/ipv4, retrieved 12 August 2013 from http://www.linuxsecurity.com/content/view/111337/65/
