Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

10 Essential Steps For Configuring A New Server

155 views

Published on

That’s a nice new Linux server you got there… it would be a shame if something were to happen to it. It might run okay out of the box, but before you put it in production, there are 10 steps you need to take to make sure it’s configured securely.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

10 Essential Steps For Configuring A New Server

  1. 1. 10 Essential Steps to Configuring a New Server
  2. 2. User Configuration ● To change the root password: log in as root, run passwd, enter the new password, then again to confirm ● Setting up a password policy is fairly complex, full details are here, but essentially: + Install pam_cracklib + Edit the /etc/pam.d/common-password (Debian, Ubuntu, Mint) or /etc/pam.d/system-auth (RHEL, Fedora, CentOS) file + Modify the various attributes in that file for length, complexity, history + Edit the /etc/login.defs file and modify the attributes there for expiration settings ● To create a new user: run useradd [username] as root, then run passwd [username] to set the password for that account. ● To give a user sudo access: run visudo as root, find “root ALL=(ALL) ALL” in the sudoers file, add a new line next to it and add “[username] ALL=(ALL) ALL” Save and close. ● To disable root: run sudo passwd -l root 1. UpGuard.com | @UpGuard
  3. 3. ● To set the hostname and gateway: edit the /etc/sysconfig/network file ● To set the IP, netmask and broadcast: edit the /etc/sysconfig/network-scripts/ifcfg- eth0 file (Must restart the network service for changes to take effect) ● To set DNS servers: edit /etc/resolv.conf ● To disable IPv6: edit /etc/sysctl.conf and add “net.ipv6.conf.all.disable_ipv6 = 1” Network Configuration2. UpGuard.com | @UpGuard
  4. 4. ● To list current packages: run yum list installed or dpkg -l ● To install a package: run yum install [package name] or apt-get install [package name] ● To remove a package: run yum remove [package name] or apt-get remove [package name] Package Management3. UpGuard.com | @UpGuard
  5. 5. ● To update everything: run yum update or apt-get upgrade ● To set up automatic updates: install and use yum-cron or unattended-upgrades (apt) Update Installation and Configuration4. UpGuard.com | @UpGuard
  6. 6. ● To sync with an NTP server: edit the /etc/ntp.conf file NTP and Time Drift5. UpGuard.com | @UpGuard
  7. 7. ● -To show your iptables: run iptables -- list ● -To delete an existing entry: run iptables --delete [chain] [rule number] ● -To insert a new entry: run iptables -- insert [chain] [rule number] ● -Full details can be found here: http: //linux.die.net/man/8/iptables Firewalls and iptables6. UpGuard.com | @UpGuard
  8. 8. ● To disable ssh access for root: edit /etc/ssh/sshd_config, find “#PermitRootLogin no” and remove the comment “#” symbol so the directive takes effect. Restart ssh. ● To restrict ssh by IP: edit the sshd_config file and modify the AllowUsers directive like so: AllowUsers user1@10.10.10.1 user2@10.10.10.2 etc. ● Moving from password authentication to certificate based authentication is fairly involved, requiring the generation of a key pair and several configuration changes. See a detailed guide for your distribution. Securing SSH7. UpGuard.com | @UpGuard
  9. 9. ● To list all services and their status: run systemctl list-unit-files --type=service or chkconfig --list ● To prevent a service from automatically starting: run systemctl disable [service] or chkconfig [service] off ● To set a service to start automatically: run systemctl enable [service] or chkconfig [service] on Systemctl and Service Configuration8. UpGuard.com | @UpGuard
  10. 10. ● To see if SELinux is running (RHEL, CentOS, Fedora): run getenforce or sestatus ● To enable, disable or modify SELinux, edit the /etc/selinux/config file ● Try AppArmor as an SELinux alternative SELinux and Further Hardening9. UpGuard.com | @UpGuard
  11. 11. ● Logs are usually stored in /var/log ● Check the documentation and configuration files of your applications to see what log levels they allow and set the one that is appropriate for your needs. ● Consider a centralized syslog server if your environment warrants one Logging10. UpGuard.com | @UpGuard
  12. 12. Want more tips? Visit UpGuard.com for more technical and how-to articles. UpGuard.com | @UpGuard

×