Note: The below article is written just because of passion for security
##################################################



Please keep these steps in mind while working on security

1) Create a security policy ( the security policy is derived from the business requirements and a risk analysis ). This is the first step one should follow while working on security.

2) Based on the security policy, create a checklist

The checklist is created according to the security policy
================check list ================================
Check List
#######################
Software vulnerabilities
Kernel upgrades and vulnerabilities
Check for any trojans
Run chkrootkit
Check ports
Check for any hidden processes
Use audit tools to check the system
Check logs
Check binaries and RPMs
Check the email relays
Check the cron entries
Check the /dev /tmp /var file folders
Check whether backups are maintained
Check for unwanted users, groups etc in the system
Check and disable unwanted services
Locate malicious scripts
Enable the query log in DNS
Check for suid scripts and nouser scripts
Check for valid scripts in /tmp
Use intrusion detection tools
Check the system performance
Check memory ( run memtest )

Note: Please feel free to add any steps which I have missed
================end ===========================

3) With this checklist, conduct a security audit

The format of the security audit will be like this
=====================Format ==========================================
Issues or software # Current version ( version used on the server ) # Stable version # Notes :
===============================================================

In this step we will not do any upgrades or security related work on the box; we just find out the vulnerabilities.
Find out the current versions of the software and check whether they have any known vulnerability. If so, note it down and add it in the notes section of the audit report.


Use tools like Nessus, Nikto ( audit tool for web servers ), chkrootkit, dsa ( DNS security audit tool ) and memtest to find out the vulnerabilities

Note: The below section is called the Security Implementation stage

4) According to this audit report, we should first correct all software vulnerabilities ( software patches can be used to eliminate the bugs in the software )

(a) Upgrade the kernel if it is old and vulnerable. While compiling, remove all unwanted options and reduce the size of the kernel

(b) Upgrade Apache and its related software if they are vulnerable

(c) Upgrade php, mysql, proftpd, pure-ftpd, named if they are vulnerable.

(d) Upgrade mod_ssl, openssh, openssl etc ( can be done manually or through up2date )

(e) If the control panel has any bugs, the software vendor should be contacted and informed about the bug, so that they can provide a fast fix for it.

5) Now the proper security work comes.
Security is divided into two sections, host security and network security, and each of these sections has 3 parts in common:

(a) Protection

(b) Detection

(c) Recovery

5.1) Host Security
==================
(a) Protect your system with passwords

(b) Check file systems ( set correct permissions and ownership on files )
eg: chmod -R 700 /etc/rc.d/init.d/*
eg: Use rpm -Va to find out whether the files of an installed rpm have been modified

(c) Apply security patches to vulnerable software ( eg : patch -p1 < patchfile )

(d) Remove all unwanted ttys and console logins by removing their entries from /etc/securetty

(e) Check the system logs ( eg : /var/log/messages , /var/log/secure etc )

(f) Set a password for the boot loader ( both LILO and GRUB support it )

(g) Monitor the system ( Nagios or Big Brother )

5.2) Network Security
=====================
(1) Remove all unwanted users and groups

(2) Use the below script to mail the sysadmin when another user with uid 0 is created
=========================================
The below script will mail the admin when another user with uid 0 is added
-------------------------script----------------------------------
#!/bin/sh
#
# This script must be owned by root or at least setuid 0
# It will scan the system and mail the root user when another user gains uid 0.

# List every account in /etc/passwd whose UID (field 3) is 0 but whose name is not "root".
# -F: sets the field separator before the first line is read; assigning FS inside
# the main block only takes effect from the second line onwards, so the first
# line of /etc/passwd was never split on ':'.
for id in $(awk -F: '$3 == 0 && $1 != "root" { print $1 }' /etc/passwd)
do

echo "ALERT Login ID ${id} has uid 0 !! $(date "+Detected On Date :%D Time :%r")" | mail -s "ALERT: User ${id} has UID 0" blessen@blessen.com

done
-----------------------------------------------------------------
========================================================

(3) Only allow passwords with 16 characters ( can be done by making changes in /etc/login.defs )

(4) Disable unwanted services and use TCP wrappers ( unwanted services can be disabled through /etc/xinetd.d or xinetd.conf ).

(5) Set a timeout, so that idle users are logged out after a certain amount of time

(6) Disable all console program access
(eg : rm -rf /etc/security/console.apps/<service name> )

(7) Enable the nospoof option in /etc/host.conf

(8) Specify the order in which host names should be resolved ( eg : order bind,hosts in /etc/host.conf )

(9) Lock the /etc/services file so that no one modifies it

(10) Restrict direct root login ( use the PermitRootLogin option in sshd_config )

(11) Restrict su, so that only wheel group members are able to su.
(can use pam or remove the execute permission for "other" from the su binary )

(12) Limit user resources ( can use pam; specify the limits for each user in /etc/security/limits.conf )

(13) Secure /tmp ( mount /tmp with noexec,nodev,nosuid )
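A check for step (13), added here as an example (it is not code from the original post): it reads /proc/mounts-style lines and reports which of the required options are missing on /tmp. The function names and the optional file argument (used so the check can run on a saved copy of /proc/mounts) are my own.

```shell
# mount_missing_opts MOUNTPOINT REQUIRED_OPTS [MOUNTS_FILE]
#   Reads MOUNTS_FILE (default /proc/mounts) and prints, one per line, each
#   option in the comma-separated REQUIRED_OPTS that MOUNTPOINT lacks.
#   Returns 0 when every required option is present, 1 otherwise.
mount_missing_opts() {
    mp=$1; required=$2; mounts=${3:-/proc/mounts}
    # /proc/mounts fields: device mountpoint fstype options dump pass.
    # If a path is mounted more than once the last line wins, as for the kernel.
    opts=$(awk -v mp="$mp" '$2 == mp { opts = $4 } END { print opts }' "$mounts")
    if [ -z "$opts" ]; then
        echo "$mp is not a separate mount (options cannot be enforced)"
        return 1
    fi
    missing=""
    for want in $(echo "$required" | tr ',' ' '); do
        # Wrap in commas so e.g. "nodev" cannot match inside a longer option.
        case ",$opts," in
            *,"$want",*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        for m in $missing; do echo "$m"; done
        return 1
    fi
    return 0
}

# The /tmp check from step (13): noexec, nodev and nosuid must all be present.
check_tmp_mount() {
    mount_missing_opts /tmp noexec,nodev,nosuid "${1:-/proc/mounts}"
}
```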

(14) Hide the server details. For that, remove /etc/issue and /etc/issue.net

(15) Disable unwanted suid and sgid files
find / -type f \( -perm -4000 -o -perm -2000 \) -print

eg : gpasswd, wall, traceroute etc....
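The search from step (15) turned into a baseline check, added here as an example (not code from the original post, and not sxid itself): it lists the setuid/setgid files under a directory and reports any that are not in an approved list, so newly appeared ones stand out. The function names and the one-path-per-line baseline format are my own.

```shell
# list_suid_sgid ROOTDIR
#   Prints every regular file under ROOTDIR with the setuid (-perm -4000) or
#   setgid (-perm -2000) bit set, one path per line, sorted. -xdev keeps the
#   search on one filesystem, so /proc and network mounts are not walked.
list_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# unexpected_suid_sgid ROOTDIR BASELINE_FILE
#   BASELINE_FILE holds one approved absolute path per line (e.g. /bin/su).
#   Prints each setuid/setgid file that is not in the baseline and returns 1
#   if there were any; returns 0 and prints nothing when the system is clean.
unexpected_suid_sgid() {
    root=$1; baseline=$2
    current=$(mktemp)
    list_suid_sgid "$root" > "$current"
    # The first file fills ok[] with approved paths; lines of the second file
    # that are not in ok[] are printed. Matching on FILENAME (not NR==FNR)
    # keeps an empty baseline from being confused with the current list.
    found=$(awk -v base="$baseline" \
        'FILENAME == base { ok[$0] = 1; next } !($0 in ok)' "$baseline" "$current")
    rm -f "$current"
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# After reviewing the output, the current list can become the new baseline:
#   list_suid_sgid / > /root/suid-baseline.txt
```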

(16) Allow ping only from a specified location ( so that monitoring systems keep working ). Use iptables for that

(17) Take preventive measures against DoS, ping of death etc. Use the below script for that
http://www.webhostingtalk.com/showth...hlight=blessen

(18) Install a firewall ( eg apf and iptables )

( policy --> allow the ports which the box needs and block all other ports )
Eg: http://www.rfxnetworks.com/
Eg: http://www.yolinux.com/TUTORIALS/Lin...rkGateway.html

(19) Install intrusion detection ( eg install tripwire or aide )

eg: http://www.cs.tut.fi/~rammer/aide.html
eg: http://www.redhat.com/docs/manuals/l...-tripwire.html

(20) Install sxid to keep an eye on suid and sgid files.
Link: http://linux.cudeso.be/linuxdoc/sxid.php

(21) Restrict ssh to specific IPs and users ( I suggest going for key authentication with a passphrase )
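An audit of the sshd_config settings behind steps (10) and (21), added here as an example (not code from the original post): it reads the effective value of each keyword the way sshd does (the first occurrence wins, keywords are case-insensitive) and reports weak settings. The function names and the finding texts are my own.

```shell
# sshd_value CONFIG_FILE KEYWORD
#   Prints the effective value of KEYWORD. sshd uses the first occurrence of a
#   keyword and ignores later ones; keywords are case-insensitive. Everything
#   after the first "Match" line is conditional, so it is not considered here.
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { exit }
        /^[ \t]*#/ || NF == 0  { next }
        tolower($1) == key     { print $2; exit }
    ' "$1"
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# sshd_config_audit CONFIG_FILE
#   Prints one finding per line and returns 1 if any were found, else 0.
sshd_config_audit() {
    cfg=$1; rc=0
    v=$(sshd_value "$cfg" PermitRootLogin)
    case "$(lower "$v")" in
        no) ;;
        "") echo "PermitRootLogin is not set; the default depends on the OpenSSH version, set it to no"; rc=1 ;;
        *)  echo "PermitRootLogin is '$v', expected no"; rc=1 ;;
    esac
    v=$(sshd_value "$cfg" PasswordAuthentication)
    if [ "$(lower "$v")" != "no" ]; then
        echo "PasswordAuthentication is '${v:-unset}', expected no (keys with a passphrase only)"; rc=1
    fi
    v=$(sshd_value "$cfg" PubkeyAuthentication)
    if [ "$(lower "$v")" = "no" ]; then
        echo "PubkeyAuthentication is disabled, key logins would fail"; rc=1
    fi
    # AllowUsers takes user or user@host entries, which is how ssh is limited
    # to specific users and source addresses.
    if [ -z "$(sshd_value "$cfg" AllowUsers)" ]; then
        echo "AllowUsers is not set: every account may log in from anywhere"; rc=1
    fi
    return $rc
}
```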

(22) Install logcheck to check the logs

(23) Install tmpwatch to delete unused files from the /tmp directory

(24) Install and set up portsentry and configure it to use iptables to block IPs

(25) Install mod_security and mod_dosevasive to safeguard Apache

(26) Delete files with nouser and nogroup

(27) Delete unwanted files/folders in htdocs, disable directory indexing

(28) Check for unwanted scripts in /root

(29) Disable open relay

6) Submit a status report
Note: It will contain everything you have done on the server to secure it as per the audit

7) Testing and Optimization phase

Use tools like nessus, nikto, nmap etc to do a penetration test and see how well your server holds up. Also do a stress test etc.

##################################################
Optimization
==========
1) Hard disk --> enable DMA for faster disk reads

2) Limit user processes

3) For mysql use these settings for good performance
=======================mysql settings in my.cnf======================
port = 3306    # I would always suggest changing the port
skip-locking
set-variable = max_connections=100
set-variable = max_user_connections=20
set-variable = key_buffer=16M
set-variable = join_buffer=4M
set-variable = record_buffer=4M
set-variable = sort_buffer=6M
set-variable = table_cache=1024
set-variable = myisam_sort_buffer_size=32M
set-variable = interactive_timeout=100
set-variable = wait_timeout=100
set-variable = connect_timeout=10
set-variable = thread_cache_size=128
==============================================

4) For proftpd use these settings
==========================ftp settings in proftpd.conf=======================

TimeoutIdle 600
TimeoutNoTransfer 600
TimeoutLogin 300
MaxInstances 30
MaxClientsPerHost 2
==================================================================

5) Disabling the logging of access time on partitions where the access time changes constantly ( eg /var ) will improve performance
( for that, just mount the partition with noatime )

6) Do not create large firewall policies, it will delay packets.

7) Setting file system parameters to correct values will often provide good performance.

While compiling, always use these options
For i686
======
CFLAGS="-O9 -funroll-loops -ffast-math -mcpu=<your processor type> -march=<your processor type> -fomit-frame-pointer"    # for best optimization

For i586
======
CFLAGS="-O3 -funroll-loops -ffast-math -mcpu=<your processor type> -march=<your processor type> -fomit-frame-pointer"