Tilted Forum Project Discussion Community  
01-14-2005, 10:00 PM   #1   devnull
Probably Hacked... sigh

So today my dedicated server (running RH9) was shut down by my host. They pulled the plug after seeing an insane amount of UDP traffic slamming this one IP. Now, I unfortunately don't have much experience with this at all. I've tried to do my best to keep the box secure and tied down as best as possible.

What I'd like to try and get from the community here is tips on what to look for on my server when my host brings the server back up for me during business hours. Ways to detect things that would be abnormal and how to track down where on the server it is coming from (what script is generating the traffic?). Things like that. Any help would be GREATLY appreciated.

Thank you now for any time and effort you put forth.
devnull is offline  
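The question above is "what script is generating the traffic?". One way to answer it on any Linux box, added here as an example and not part of the thread, is to read the kernel's UDP socket table in /proc/net/udp and then walk /proc/<pid>/fd to find which process holds each socket inode. The sample table, the process name and the inode numbers below are constructed; the proc_root parameter exists only so the mapping can be exercised against a fake tree. On a real box run it as root, because /proc/<pid>/fd of other users' processes is not readable otherwise.

```python
"""Map UDP sockets to the processes that own them, using only /proc.

Added example (not from the thread): reads /proc/net/udp, converts the hex
address fields, then scans /proc/<pid>/fd for 'socket:[<inode>]' links.
"""
import os
import shutil
import tempfile

# Constructed sample of /proc/net/udp: the real column layout, fabricated values.
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
  12: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1234
  40: 0B00000A:8F2E 0A00A8C0:0050 01 0001E240:00000000 00:00000000 00000000   500        0 5678
"""


def hex_to_ip_port(field):
    """'0100007F:0035' -> ('127.0.0.1', 53).  The kernel stores the IPv4
    address as a little-endian 32-bit value and the port as big-endian hex."""
    ip_hex, port_hex = field.split(":")
    raw = int(ip_hex, 16)
    octets = [(raw >> shift) & 0xFF for shift in (0, 8, 16, 24)]
    return ".".join(str(o) for o in octets), int(port_hex, 16)


def parse_proc_net_udp(text):
    """Parse the /proc/net/udp table into a list of socket records."""
    sockets = []
    for line in text.splitlines()[1:]:          # first row is the header
        cols = line.split()
        if len(cols) < 10:
            continue
        tx_hex, _rx_hex = cols[4].split(":")
        sockets.append({
            "local": hex_to_ip_port(cols[1]),
            "remote": hex_to_ip_port(cols[2]),
            "tx_queue": int(tx_hex, 16),        # bytes waiting to be sent
            "uid": int(cols[7]),
            "inode": cols[9],
        })
    return sockets


def read_comm(proc_root, pid):
    """Process name from /proc/<pid>/comm, falling back to argv[0] from
    cmdline (2.4 kernels such as RH9's have no 'comm' file)."""
    for name in ("comm", "cmdline"):
        try:
            with open(os.path.join(proc_root, pid, name), "rb") as f:
                data = f.read().split(b"\0")[0].strip()
            if data:
                return data.decode("latin-1")
        except OSError:
            pass
    return "?"


def find_socket_owners(inodes, proc_root="/proc"):
    """Return {inode: [(pid, name), ...]} by reading /proc/<pid>/fd symlinks."""
    wanted = set(inodes)
    owners = {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                         # process exited, or not readable
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target.startswith("socket:[") and target[8:-1] in wanted:
                owners.setdefault(target[8:-1], []).append((int(pid), read_comm(proc_root, pid)))
    return owners


def suspicious_udp_senders(table_text, proc_root="/proc"):
    """UDP sockets that are connected to a peer or have data queued to send,
    each paired with the processes holding it.  A plain listening socket with
    an empty transmit queue (e.g. a DNS resolver) is left out."""
    socks = [s for s in parse_proc_net_udp(table_text)
             if s["tx_queue"] > 0 or s["remote"][1] != 0]
    owners = find_socket_owners([s["inode"] for s in socks], proc_root)
    return [(s["local"], s["remote"], s["tx_queue"], owners.get(s["inode"], []))
            for s in socks]


def demo():
    """Run the mapping against a constructed fake /proc tree (pid 4242 holding inode 5678)."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    fd_dir = os.path.join(root, "4242", "fd")
    os.makedirs(fd_dir)
    with open(os.path.join(root, "4242", "cmdline"), "wb") as f:
        f.write(b"perl\0/tmp/.hidden/script.pl\0")   # constructed, not a real path
    os.symlink("socket:[5678]", os.path.join(fd_dir, "3"))
    result = suspicious_udp_senders(SAMPLE_PROC_NET_UDP, root)
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    with open("/proc/net/udp") as f:
        live = f.read()
    for local, remote, txq, who in suspicious_udp_senders(live):
        print("%s:%d -> %s:%d txq=%d owners=%s" % (local + remote + (txq, who)))
```

A process that shows up here but is absent from `ps` output, or whose /proc/<pid>/exe link points at a deleted file, is worth a closer look before the box goes back online.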
01-15-2005, 06:25 AM   #2   jonjon42
change your passwords....root user everything
then use chkrootkit to scan if you got rooted (just in case)
make sure you have a solid set of firewall rules
update packages that have had security vulnerabilities
and browse your logs a bit to see if you can figure out what happened from there.
if you want extra security run a scanner like snort
__________________
A damn dirty hippie without the dirty part....
jonjon42 is offline  
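For the "browse your logs" step, here is an added example (not from the thread) of the kind of pass a practitioner would make over sshd entries in /var/log/secure, which is where Red Hat's syslog puts them. It counts failed logins per source address and flags two things: an accepted login from an address that had already failed `threshold` or more times (a password-guessing run that eventually worked) and any accepted root login at all. The log lines, hostname and addresses are constructed; the threshold of 5 is an assumption.

```python
"""Triage sshd lines from /var/log/secure (Red Hat syslog format).

Added example, not from the thread: per-source failure counts plus two alerts,
'accepted-after-failures' and 'root-login'.
"""
import collections
import os
import re

# Constructed sample in the format sshd logs through syslog on RH9.
SAMPLE_SECURE_LOG = """\
Jan 14 21:40:01 bitbucket sshd[2211]: Failed password for root from 203.0.113.7 port 51020 ssh2
Jan 14 21:40:03 bitbucket sshd[2213]: Failed password for root from 203.0.113.7 port 51031 ssh2
Jan 14 21:40:05 bitbucket sshd[2215]: Failed password for root from 203.0.113.7 port 51044 ssh2
Jan 14 21:40:07 bitbucket sshd[2217]: Failed password for root from 203.0.113.7 port 51058 ssh2
Jan 14 21:40:09 bitbucket sshd[2219]: Failed password for root from 203.0.113.7 port 51071 ssh2
Jan 14 21:40:12 bitbucket sshd[2221]: Accepted password for root from 203.0.113.7 port 51099 ssh2
Jan 14 21:52:30 bitbucket sshd[2290]: Failed password for invalid user test from 198.51.100.9 port 3333 ssh2
Jan 14 22:01:44 bitbucket sshd[2301]: Accepted publickey for devnull from 192.0.2.20 port 40011 ssh2
Jan 14 22:02:00 bitbucket su(pam_unix)[2310]: session opened for user root by devnull(uid=500)
"""

# Matches the Accepted/Failed lines only; other daemons' lines are ignored.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_auth_line(line):
    """Return the named fields of an sshd auth line, or None for anything else."""
    m = AUTH_RE.match(line)
    return m.groupdict() if m else None


def audit_auth_log(lines, threshold=5):
    """Walk the log in order, keeping a running failure count per source.

    Returns {'failures': {ip: count}, 'alerts': [dict, ...]}.  Order matters:
    an Accepted line is judged against the failures seen *before* it.
    """
    failures = collections.Counter()
    alerts = []
    for line in lines:
        ev = parse_auth_line(line)
        if ev is None:
            continue
        if ev["result"] == "Failed":
            failures[ev["ip"]] += 1
            continue
        # From here on the line is an accepted login.
        if failures[ev["ip"]] >= threshold:
            alerts.append({"kind": "accepted-after-failures", "ts": ev["ts"],
                           "ip": ev["ip"], "user": ev["user"],
                           "failures": failures[ev["ip"]]})
        if ev["user"] == "root":
            alerts.append({"kind": "root-login", "ts": ev["ts"],
                           "ip": ev["ip"], "user": ev["user"],
                           "method": ev["method"]})
    return {"failures": dict(failures), "alerts": alerts}


if __name__ == "__main__":
    path = "/var/log/secure"
    with open(path) if os.path.exists(path) else None or open(os.devnull) as f:
        lines = f.read().splitlines() or SAMPLE_SECURE_LOG.splitlines()
    report = audit_auth_log(lines)
    for ip, n in sorted(report["failures"].items(), key=lambda kv: -kv[1]):
        print("%-16s %d failed logins" % (ip, n))
    for a in report["alerts"]:
        print("ALERT %(kind)s at %(ts)s: user %(user)s from %(ip)s" % a)
```

Once PermitRootLogin is turned off (see the checklist further down), the root-login alert should never fire again, which makes it a cheap tripwire to keep in a nightly cron job.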
01-15-2005, 09:53 AM   #3   bendsley
* Log in as root.
* Run /usr/sbin/visudo. Add your account. We recommend you use this sudoers template:

# Sample Linux sudoers file
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
# http://www.sudo.ws/
############################
# User alias specification #
############################
# put users into groups here (fill in at least one login per alias you keep;
# visudo rejects an empty alias list, so delete any alias you do not use)
User_Alias ROOTNOPASSWD =
User_Alias ROOTPASSWD =
User_Alias ROOTRESTRICTED =
############################
# Cmnd alias specification #
############################
# define command aliases here
Cmnd_Alias SHELLS = /bin/sh, /bin/bash, /bin/bash2, /bin/ash, /bin/bsh, /bin/tcsh, /bin/csh, /bin/ksh
Cmnd_Alias SU = /bin/su
Cmnd_Alias PASSWD = /bin/passwd
Cmnd_Alias VISUDO = /usr/sbin/visudo

######################
# User specification #
######################
# root can run anything as any user
root ALL = (ALL) ALL

# ROOTNOPASSWD users can run anything without a password
ROOTNOPASSWD ALL = (ALL) NOPASSWD: ALL
# ROOTPASSWD USERS may run anything but need a password
ROOTPASSWD ALL = (ALL) ALL
# ROOTRESTRICTED users may run anything besides a shell, su, passwd, or visudo
# (the sudoers man page documents that '!' exclusions can be bypassed and are
# a convenience, not a security boundary)
ROOTRESTRICTED ALL = ALL, !SHELLS, !SU, !PASSWD, !VISUDO

* Log out from the root account
* Log in as yourself
* Run sudo /usr/sbin/setup.
* Enter "System Services" and disable everything you don't need. This may include:
o apmd
o gpm
o isdn
o kudzu
o lpd
o nfslock
o pppoe
o pcmcia
o portmap
o rawdevices
o rhnsd
* Note that you will need pcmcia if you have a laptop and wish to use PC Card devices, and you will need portmap if you need to connect to and/or serve NFS shares
* As root, edit /etc/ntp.conf to set up NTP servers. Use the 'setup' utility to ensure that ntpd is starting at boot. Here is a sample configuration file that will operate with Penn's NTP daemons:

driftfile /var/ntp/ntp.drift
server timeserver1.upenn.edu version 3
server timeserver2.upenn.edu version 3
server timeserver3.upenn.edu version 3

* Make sure the /etc/services has the following entries for POP and IMAP service:
o time 37/tcp
o time 37/udp
* Be sure to modify /etc/ipfw.conf rules to allow the new services:

add allow tcp from any to any ntp out keep-state
add allow udp from any to any ntp out keep-state

* Edit /etc/issue and /etc/issue.net to say: UNAUTHORIZED ACCESS PROHIBITED
* Edit /etc/motd to look like this:

This system is for the use of authorized users only. Individuals using this computer system without authority, or in excess of their authority, are subject to having all of their activities on this system monitored and recorded by properly authorized system personnel. In the course of monitoring individuals improperly using this system, or in the course of system maintenance, the activities of authorized users may also be monitored by properly authorized personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity, system personnel may provide the evidence of such monitoring to law enforcement officials.

* Install rhupdate:
o lynx http://www.jjminer.org/rhupdate/
o Download the latest rhupdate
o Expand the file: tar -xzlf rhupdate-whatever.tar.gz
o Install: cd rhupdate-whatever/; ./configure; sudo make install
o Delete what's left: cd ..; rm -rf rhupdate-whatever*
* Download and install updates:
o Create a download directory: mkdir /tmp/updates
o Download the updates: /usr/local/bin/rhupdate --download /tmp/updates --server mirror.services.wisc.edu --dir /mirrors/linux/distributions/redhat/updates/ --hash
o Install the updates: sudo rpm -Uvh /tmp/updates/*.rpm
o Delete the updates: rm -f /tmp/updates/*
* Prevent some DoS-denial attacks. Add the following lines to the end of /etc/rc.d/rc.local:

##### Begin DoS Prevention #####
# shut some DoS stuff down
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# increase the local port range
echo 1024 65535 > /proc/sys/net/ipv4/ip_local_port_range

# increase the SYN backlog queue
echo 2048 > /proc/sys/net/ipv4/tcp_max_syn_backlog

echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 0 > /proc/sys/net/ipv4/tcp_timestamps

echo 64000 > /proc/sys/fs/file-max

ulimit -n 64000

# stop source routing
for i in /proc/sys/net/ipv4/conf/*/accept_source_route
do
echo 0 > $i
done

# enable reverse-path filtering
for i in /proc/sys/net/ipv4/conf/*/rp_filter
do
echo 1 > $i
done

##### End DoS Prevention #####

* Edit /etc/logrotate.conf for the proper settings (compress, etc).
* Edit /etc/sysctl.conf and change kernel.sysrq to equal 1
* Edit /etc/hosts.{allow,deny}
o You will need to configure the hosts files to meet the needs of each individual server. As a rule, only allow what you need from where you need it. The best thing to do is start off denying everything and allow only sshd and then add services as you go. For more information see "man 5 hosts_access"
* Edit /etc/ssh/sshd_config:
o Change "PermitRootLogin yes" to "PermitRootLogin no"
o Change "Protocol 1,2" to "Protocol 2"
* Reboot the machine: sudo /sbin/shutdown -r now

-----------------------------------------------------------
You might also look at Nessus and as mentioned above, chkrootkit.
Please note that these are suggestions as I am not proficient with Redhat at all, although Debian is another story.

Also, please make sure your root passwords are at least 8 characters, contain numbers, UPPER and lowercase letters, and any special characters (!@#$%^&*()).

Example of a good password: x7z3GnaX>l2X#%_|t]Fx\D<_-H2q~

Hope this helps.
__________________
"You hear the one about the fella who died, went to the pearly gates? St. Peter let him in. Sees a guy in a suit making a closing argument. Says, "Who's that?" St. Peter says, "Oh, that's God. Thinks he's Denny Crane."

Last edited by bendsley; 01-15-2005 at 10:03 AM.
bendsley is offline  
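Settings written with `echo` into /proc/sys from rc.local are easy to lose (a typo, a reboot before the file is saved, a later edit), so it pays to verify them after the reboot at the end of the checklist. The script below is an added example, not from the thread or from Red Hat; it re-reads the boolean knobs set in the "DoS Prevention" snippet above (syncookies, the two ICMP settings, and per-interface rp_filter and accept_source_route) and the two sshd_config directives, and reports anything that differs or is missing. The proc_sys_root parameter and the constructed tree in demo() exist so the check can be exercised without touching the real /proc/sys.

```python
"""Verify the kernel and sshd hardening from the checklist above.

Added example (not from the thread): compares /proc/sys knobs and sshd_config
directives against the values the post sets, and lists the drift.
"""
import glob
import os
import shutil
import tempfile

# Expected values, taken from the rc.local snippet in the post above.
# Entries with '*' are per-interface and are checked under every conf/<if>/.
EXPECTED_SYSCTLS = {
    "net/ipv4/tcp_syncookies": "1",
    "net/ipv4/icmp_ignore_bogus_error_responses": "1",
    "net/ipv4/icmp_echo_ignore_broadcasts": "1",
    "net/ipv4/conf/*/accept_source_route": "0",
    "net/ipv4/conf/*/rp_filter": "1",
}

# The two sshd_config changes from the post.
SSHD_EXPECTED = {"PermitRootLogin": "no", "Protocol": "2"}


def read_knob(path):
    with open(path) as f:
        return f.read().strip()


def check_sysctls(proc_sys_root="/proc/sys", expected=EXPECTED_SYSCTLS):
    """Return [(relative_path, expected, actual), ...] for knobs that differ.
    A missing knob is reported with actual=None."""
    problems = []
    for rel, want in expected.items():
        pattern = os.path.join(proc_sys_root, rel)
        matches = sorted(glob.glob(pattern)) if "*" in rel else [pattern]
        if not matches:                              # glob matched no interface at all
            problems.append((rel, want, None))
        for path in matches:
            actual = read_knob(path) if os.path.exists(path) else None
            if actual != want:
                problems.append((os.path.relpath(path, proc_sys_root), want, actual))
    return problems


def check_sshd_config(text, expected=SSHD_EXPECTED):
    """Parse sshd_config text and return (directive, expected, actual) for each
    expected directive that differs or is absent.  sshd uses the *first*
    occurrence of a keyword and keywords are case-insensitive, so do the same."""
    seen = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()         # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() not in seen:
            seen[parts[0].lower()] = parts[1].strip()
    return [(k, v, seen.get(k.lower())) for k, v in expected.items()
            if seen.get(k.lower()) != v]


def demo():
    """Run both checks against a constructed tree: one knob right, one wrong,
    one missing, one interface with source routing still on."""
    root = tempfile.mkdtemp(prefix="fakesys-")
    fake = {
        "net/ipv4/tcp_syncookies": "1",
        "net/ipv4/icmp_echo_ignore_broadcasts": "0",      # wrong on purpose
        "net/ipv4/conf/eth0/rp_filter": "1",
        "net/ipv4/conf/eth0/accept_source_route": "1",    # wrong on purpose
    }
    for rel, val in fake.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(val + "\n")
    sysctl_problems = check_sysctls(root)
    shutil.rmtree(root)
    sshd_problems = check_sshd_config("# constructed sample\nProtocol 1,2\nPermitRootLogin yes\n")
    return sysctl_problems, sshd_problems


if __name__ == "__main__":
    for rel, want, got in check_sysctls():
        print("sysctl %s: expected %s, got %s" % (rel, want, got))
    if os.path.exists("/etc/ssh/sshd_config"):
        with open("/etc/ssh/sshd_config") as f:
            for key, want, got in check_sshd_config(f.read()):
                print("sshd_config %s: expected %s, got %s" % (key, want, got))
```

The same knobs belong in /etc/sysctl.conf in dotted form (net.ipv4.tcp_syncookies = 1, and so on) so they survive a reboot without depending on rc.local; the checker does not care which file set them, it only reads the live values.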
All times are GMT -8.