Thursday, October 20, 2011


SkyHi @ Thursday, October 20, 2011
# -------------------------------------------------------
# Some common sense basics to secure Debian Linux servers

# installing extra security packages

apt-get install denyhosts tiger rkhunter chkrootkit snort oinkmaster checksecurity logcheck logwatch fcheck logcheck-database syslog-summary tripwire

# after downloading and installing, build the tripwire database:

tripwire --init

# most of the tools send e-mail to root@localhost, make sure to redirect this to a working e-mail address:

echo "root:" >> /etc/aliases

# Download the 'sysctl.conf' provided here, place it in /etc and run:

wget -O /etc/sysctl.conf
sysctl -e -p /etc/sysctl.conf

# Download the 'rc.iptables' save it to /etc/init.d and edit it to only open the desired ports for your server you really need, after that do:

wget -O /etc/init.d/rc.iptables
chmod 755 /etc/init.d/rc.iptables
update-rc.d rc.iptables defaults
/etc/init.d/rc.iptables start &

# Get automatic security updates

apt-get install cron-apt unattended-upgrades

# Do some virusscanning to make sure there are no unwanted files on your server system:

apt-get install clamav clamav-daemon clamav-freshclam
clamscan --infected --recursive --no-summary /

# You could also do this on a daily basis and add it as cronjob:

echo "13 5 * * * clamscan --infected --recursive --no-summary /" >> /var/spool/cron/crontabs/root

# remove or take away permissions of all system tools that can be used to download files at the command-line (like lynx and wget)

chmod 700 /usr/bin/wget /usr/bin/curl /usr/bin/GET /usr/bin/ftp /usr/bin/telnet
dpkg -P lynx links

# Search for other installations of these tools and remove or disable them for normal users

whereis wget curl GET links lynx ftp telnet

# Monitor your user cron-jobs and look for suspicious commands

cat /var/spool/cron/crontabs/*

# In case you do not want your users to use cron-jobs, you can disable them all (exept for the root user) using the following commands

echo root > /etc/cron.allow
/etc/init.d/cron restart

# Let the server fix it's filesystem automatically when errors are found

echo "FSCKFIX=yes" >> /etc/defaults/rcS

# --------------------------------------------------
# Adding webserver software specific security tweaks:

# use apache mod_security (

# use the suexec tool to limit permissions of CGI scripts

# use SuPHP to limit permissions of PHP scripts

# For PHP edit php.ini and set the following options:

allow_url_fopen = Off
allow_url_include = Off
register_globals = Off

# PHP safe_mode will add some extra limitations, see
# use PHP option safe_mode = On , or disable a list of common abused php functions that are rarely used by legitimate php software packages:

disable_functions = dl,system,exec,passthru,shell_exec,proc_open,proc_get_status,proc_terminate,proc_close,dir,readfile,virtual,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

# install the php hardening patch available at and you might also try the suhosin patch available at the same website.

# set php option open_basedir for every website limiting them to their own user home-dir to prevent php scripts get access to other users and websites at the system.

# Your server is now a bit more secure, but you still have to keep an eye at your users and make sure they do not upload and use insecure/buggy/old software packages