Securing a Linux server

Boar-Ral (Weaksauce, joined Oct 8, 2004, 82 messages)
Hello,

I have a friend who has requested I assist him at his workplace because they are laying off their IT Manager under less than amiable terms. Essentially, he is afraid that he might have arranged some ways for him to get in after he is gone, and he wants me to see what I can do to secure things as best I can.

I have several years experience with Linux, but more from a casual standpoint. I have a Linux server, but my role is usually to add and remove users and install security updates as they come out. Another friend of mine who is really into Linux does most of the other work on my server.

What I am wondering is if you guys could give me a general idea of several of the most important things to check. I already plan on checking out /etc/passwd to see if there is anything unusual there. (Though I'm not even sure what sort of items should be considered acceptable and what ones not!) They also want me to remove his e-mail account, though I think I would like to keep it as an alias and maybe forward it to the company manager or owner. Problem is, I can't even remember how to set up aliases, it has been so long since I have done much like this. (On my server, we are using ISPMAN, so account creation is all menu-driven, it's been years since I've added users, removed users, configured e-mail, set up aliases, etc. from the command line.)

I do not expect to immediately become a Linux expert, but I am hoping that a lot of this will come back to me. I am working on getting a Linux desktop ready to experiment on tonight -- I don't want to toy with my server as I require it for many things -- so I hope to get a refresher course, as I go in tomorrow morning to get this stuff done.

In addition, they're running a GNATbox firewall, and I haven't even seen these things since they first came out 11 years ago. Fortunately, it's mainly web-based, so any obvious holes in the firewall should be easy to fix up.

I tried searching online for this sort of thing, but haven't come up with much, which is why I thought I'd say something here. Don't mean to let my newbie show through! Any help would be appreciated! Thanks in advance.
 
Sorry, I should have mentioned that as far as I am aware, this server is handling just e-mail, but it might also be a web server and a file server -- I highly doubt the latter though, especially on a server on the internet. I'm just pulling my hair out trying to catch up on what has changed in Linux in the past several years and I'm scared, to be honest. :)
 
I'll take a stab at this. I'm coming at this from a Red Hat/Fedora perspective since that's what I deal with most often.

Change all the passwords on the server, for all the user accounts and MySQL if it's running. Install DenyHosts to protect against SSH attacks, maybe change the port sshd listens on, or disable it altogether if you don't need it. Run rkhunter and chkrootkit, go through the services (run the 'setup' command on Red Hat/Fedora) and disable anything not being used. Check /var/www for any weird scripts (CGI or otherwise) and make sure any CMS or other web apps are up to date.

Make sure the box is up to date.

All I can think of for now anyway.
 
Build security in depth.

1. You should consider hardening any outward-facing server. Check out grsecurity. It's more useful than SELinux, IMO.

2. Use tripwire or something similar.

3. Send the logs from any outward-facing server to a separate, locked-down logging server.

#1 is more of a second layer of defense. It helps out when a cracker has already used an exploit to circumvent the security of your web/ftp/whatever server application.

#2 and #3 aren't defensive measures, but rather alert the admin that a server has been breached. #3 is convenient anyway, having all of the logs in one place for perusal.
 
Thank you for all of your suggestions! It was not as bad as I expected. I was mainly apprehensive because I did not know all of the details and with numerous Linux distributions, I did not even know what they were running until I sat down. (It turns out they were running Mandriva on their workstations and Red Hat on their servers.)

I had to log in to single user mode on the former employee's workstation in order to gain access to it, and what made it complicated is that he had a non-standard keyboard layout configured, so I had to use trial and error to type anything. I managed to change the keyboard layout in KDE, but logging in was still a painful process until KDE loaded and the keyboard layout was configured properly. Where would I look to change the keyboard layout to a standard 101-key at the console so it would be set up correctly on boot?

I spent an hour going through their GNATbox, looking for inbound and outbound ports that should not be there, and then started poking at the servers themselves. Before we started anything, we pulled internet access to the building for fear that he would come in from outside and be either malicious or circumvent what I was doing.

In the end, it took about three hours to lock everything down. I went home and everything was good until that evening. My friend called me in a panic. Apparently, the former employee somehow got his hands on a working keycard and got into the building. He basically did what I did to get root access, using single user mode, and went to work. Fortunately, he seemed more intent on changing passwords and deleting his personal home account than doing anything malicious. Fortunately, I had archived his home account when I was there earlier in the day, but never really poked at it to see what he might be so keen on deleting. I didn't realize until after I got home the second time that all of his personal effects were also gone. I guess he realized it was his last kick at the dog, and even though he was employed until Wednesday, he probably wasn't going to be welcomed back.

There are still a couple things that I would like to do, now that I have read your suggestions, and I will be going back later. I was told two weeks ago that I would be laid off in one month, and the good news is that now these people are looking at hiring me to replace this former employee. I'm keeping my fingers crossed!

Thanks again for the help, guys. :)
 