Server Hardening at Auro Infotech

At Auro Infotech, we always perform a task called Server Hardening, which involves making certain changes on the server to make it more secure and efficient.

This post explains the steps involved in the server hardening task carried out at Auro Infotech on all new servers.

New server checklist – General
1. Setting up the hostname and adding additional IP addresses.
2. Setting up name servers in the control panel if one is available; otherwise adding them to DNSMadeEasy.
3. Setting a highly complex MySQL password.
4. Tweaking php.ini values, e.g. increasing upload_limit and memory_limit.
5. Tweaking MySQL values, e.g. log-slow-queries.
6. Tweaking Apache values.
7. Checking and installing MRTG graphs.
8. Creating packages for the accounts.
9. Creating accounts.
10. Creating a test site and making sure it works.
11. Adding the server to Monitis/Nagios for internal and external agents.
12. Adding backups if the site is set up.
13. Adding the server to the Systems sheet.
14. Anti-virus and spam solutions.
15. DO NOT CREATE THE auroinfotech.com DOMAIN FOR ANY RESELLER ACCOUNTS. THIS CREATES ISSUES WITH EMAIL LATER.

Specific to LINUX servers
1. Limit root access using sudo – This makes sure no one can log in to the server directly with the root username. First create a user for login. We use “aiadmin” as the primary login on all our servers and only then use the root password to become root.

2. Setting highly complex aiadmin and root passwords.

3. Checking the password policy in /etc/login.defs.

4. Configuring Iptables (Firewall).

5. Anti-Virus installation – ClamAV

6. Apache security
a) Make sure only root has read access to Apache’s config and binaries:
chown -R root:root /usr/local/apache

b) Don’t allow Apache to follow symbolic links

This can again be done using the Options directive inside a Directory block. Set Options to either None or -FollowSymLinks:

Options -FollowSymLinks

7. Remote access and SSH basic settings
It is suggested to run ssh on an alternate port other than 22.
To deny particular users access to ssh, add allow and deny entries to the sshd configuration file (sshd_config).
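The following script is an added example and is not part of the original checklist or Auro Infotech's own tooling. It audits an sshd_config for the settings items 1 and 7 ask for: no direct root login, ssh moved off port 22, and an explicit allow list. The two sample config files it writes are constructed for the demonstration; the keyword names (Port, PermitRootLogin, AllowUsers, DenyUsers) are standard sshd_config directives.

```shell
#!/bin/sh
# Added example, not part of the original checklist: audit an sshd_config for
# the settings items 1 and 7 call for. sshd honours the FIRST occurrence of a
# keyword, so sshd_value reads the first match too. Match blocks are not handled.

# sshd_value FILE KEYWORD: print the first effective value of KEYWORD
# (keywords are case-insensitive in sshd_config); prints nothing if unset.
sshd_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
        tolower($1) == tolower(key) {                     # first match wins
            $1 = ""; sub(/^[[:space:]]+/, ""); print; exit
        }
    ' "$1"
}

# audit_sshd_config FILE: return 0 when every check passes, 1 otherwise.
audit_sshd_config() {
    cfg=$1; rc=0
    port=$(sshd_value "$cfg" Port)
    if [ -z "$port" ] || [ "$port" = 22 ]; then
        echo "FAIL Port ${port:-22 (default)}: move ssh to a port other than 22"; rc=1
    fi
    prl=$(sshd_value "$cfg" PermitRootLogin | tr 'A-Z' 'a-z')
    if [ "$prl" != "no" ]; then
        echo "FAIL PermitRootLogin ${prl:-unset}: root should come in via aiadmin + sudo"; rc=1
    fi
    if [ -z "$(sshd_value "$cfg" AllowUsers)" ]; then
        echo "FAIL AllowUsers unset: no allow list restricts who may log in over ssh"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK   $cfg passes the checklist's ssh settings"
    return "$rc"
}

# Constructed sample configs (not copied from any real server) for trying the audit.
write_hardened_sshd_config() {
    cat > "$1" <<'EOF'
# hardened sample
Port 2222
PermitRootLogin no
AllowUsers aiadmin
DenyUsers guest
EOF
}
write_default_sshd_config() {
    cat > "$1" <<'EOF'
# stock-looking sample: everything left at its default
#Port 22
PermitRootLogin yes
EOF
}
```

Run it against the live file with `audit_sshd_config /etc/ssh/sshd_config`; a FAIL line names the directive to change. Because sshd takes the first occurrence of a directive, a hardened value appended at the end of a file that already sets the same directive earlier is silently ignored, which is exactly the case this audit catches.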

8. Warning banners
These are set in the /etc/motd file.

9. Only allow root to access cron

The following commands establish root as the only user with permission to add cron and at jobs:

cd /etc/
/bin/rm -f cron.deny at.deny                # remove the deny lists so the allow lists govern
echo root >cron.allow                       # only root may use crontab
echo root >at.allow                         # only root may use at
/bin/chown root:root cron.allow at.allow    # lists owned by root
/bin/chmod 400 cron.allow at.allow          # readable by root only

10. Check security on key files
a) /etc/fstab: make sure the owner and group are root:root and the permissions are 0644 (-rw-r--r--).
b) Verify that /etc/passwd, /etc/shadow and /etc/group are all owned by root.
c) Verify that the permissions on /etc/passwd and /etc/group are rw-r--r-- (644).
d) Verify that the permissions on /etc/shadow are r-------- (400).
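The following script is an added example, not part of the original checklist, covering items 9 and 10 together: it compares the owner, group and mode of each key file against the values the checklist states and reports every mismatch. It assumes GNU stat (the -c option), i.e. Linux coreutils; the expected triplets in audit_key_files are the checklist's own values.

```shell
#!/bin/sh
# Added example, not part of the original checklist: audit owner, group and
# mode of the files named in items 9 and 10 against the values the checklist
# states. Uses GNU stat (-c), i.e. Linux coreutils.

# check_key_file FILE OWNER GROUP MODE: 0 if FILE matches, 1 otherwise.
check_key_file() {
    file=$1; want_owner=$2; want_group=$3; want_mode=$4
    if [ ! -e "$file" ]; then
        echo "MISSING   $file"
        return 1
    fi
    # %U owner name, %G group name, %a octal mode (no leading zero)
    set -- $(stat -c '%U %G %a' "$file")
    have_owner=$1; have_group=$2; have_mode=$3
    status=0
    if [ "$have_owner" != "$want_owner" ] || [ "$have_group" != "$want_group" ]; then
        echo "BAD OWNER $file: $have_owner:$have_group (want $want_owner:$want_group)"
        status=1
    fi
    if [ "$have_mode" != "$want_mode" ]; then
        echo "BAD MODE  $file: $have_mode (want $want_mode)"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK        $file"
    return "$status"
}

# audit_key_files: run the checklist's expected values over the real files.
audit_key_files() {
    rc=0
    check_key_file /etc/fstab      root root 644 || rc=1   # item 10a
    check_key_file /etc/passwd     root root 644 || rc=1   # item 10b/c
    check_key_file /etc/group      root root 644 || rc=1   # item 10b/c
    check_key_file /etc/shadow     root root 400 || rc=1   # item 10b/d
    check_key_file /etc/cron.allow root root 400 || rc=1   # item 9
    check_key_file /etc/at.allow   root root 400 || rc=1   # item 9
    return "$rc"
}
```

Run `audit_key_files` after the hardening steps and again from a periodic job, so drift (a package upgrade resetting a mode, a stray chmod) shows up as a BAD MODE or BAD OWNER line. Some distributions ship a different baseline for a few of these files (for example /etc/shadow owned by root:shadow with mode 640); when auditing such a system, set the expected triplet to the distribution's baseline rather than forcing a change that breaks its tooling.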

11. Disable any unnecessary services.

Windows servers
1. On Windows Server 2003, run the Security Configuration Wizard and configure it accordingly. This helps configure all services and disable those that are not needed.

2. Rename the default Administrator username to aiadmin.

3. Setting a highly complex password.