Gentoo Linux server: Foundation
Building a Hardened Server
This document is divided roughly into policies and procedures. Each of these is loosely organised into general practices that can be applied to any Linux server plus specific practices that apply to certain Linux servers.
Policies
Only stable packages (those tested and certified stable by consensus of the Gentoo community) have been used, with only the following exception:
- app-forensics/samhain (file integrity monitoring application)
All packages are built from source. No pre-built binaries have been used. All source code installed has been saved in /usr/portage/distfiles.
Kernel
You will want to install a “hardened” kernel, and it will probably make sense to:
- Set the Grsecurity level to “Server”
- Remove support for any non-essential functions (e.g., audio, graphics, USB, parallel port, etc.)
Server Software
The software covered in this section is that which has a listening port (i.e., it listens for and answers external connections within certain limits).
Apache and PHP
Refer to the Web Server Guide.
SSH
The following items are changed from the default values in /etc/ssh/sshd_config (for explanations see man sshd_config):
- PermitRootLogin without-password
- This restricts root log-ins to key-based authentication, i.e., only a client holding a private key whose public half is installed on the server can log in as root, thus nullifying password guessing.
- MaxAuthTries 3
- After 3 failed authentication attempts the client is disconnected.
- AuthorizedKeysFile .ssh/authorised_keys
- ClientAliveInterval 60
- ClientAliveCountMax 3
- If no response is received from a client after 3 probes spaced 60 seconds apart (i.e., if the client's connection has been interrupted for this long), the session will be closed. This also has the effect of keeping the connection open as long as a response is received.
- AllowUsers *.* root
- Only users root and those whose log-in ID fits the pattern *.* (e.g., first.surname) will be permitted to continue. Any log-in username that doesn't match one of these patterns will be rejected.
- AllowGroups root wheel
- Of the users which match the above pattern, only those that are in the root or wheel group will be permitted to log-in. So if there is a “bogus.user” ID that is not in root or wheel, it will not be able to log-in.
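As an added example (not part of the original page or the Gentoo project), a Python script that audits an sshd_config against the directives listed above and applies the AllowUsers/AllowGroups logic the way sshd does; the sample config it parses is constructed for the demo.

```python
import fnmatch
import re

# Expected values from the policy above (sshd keywords are case-insensitive).
POLICY = {"permitrootlogin": "without-password", "maxauthtries": "3",
          "authorizedkeysfile": ".ssh/authorised_keys",
          "clientaliveinterval": "60", "clientalivecountmax": "3",
          "allowusers": "*.* root", "allowgroups": "root wheel"}

# Constructed sample (not a real server): root login drifted, ClientAliveCountMax absent.
SAMPLE_CONFIG = """\
PermitRootLogin yes
MaxAuthTries 3
AuthorizedKeysFile .ssh/authorised_keys
ClientAliveInterval 60
AllowUsers *.* root
AllowGroups root wheel
Match Address 10.0.0.0/8
    PasswordAuthentication no
"""

def parse_sshd_config(text):
    """{keyword: value} for top-level directives; stops at Match, first occurrence wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        conf.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return conf

def audit(conf, policy=POLICY):
    """(keyword, expected, actual) per deviation; actual is None when absent."""
    return [(k, v, conf.get(k)) for k, v in policy.items()
            if (conf.get(k) or "").lower() != v.lower()]

def login_allowed(conf, user, groups):
    """AllowUsers then AllowGroups as sshd applies them (* and ? wildcards only)."""
    users, grps = conf.get("allowusers", "").split(), conf.get("allowgroups", "").split()
    user_ok = not users or any(fnmatch.fnmatchcase(user, p) for p in users)
    group_ok = not grps or any(fnmatch.fnmatchcase(g, p) for g in groups for p in grps)
    return user_ok and group_ok

if __name__ == "__main__":
    conf = parse_sshd_config(SAMPLE_CONFIG)
    print(audit(conf), login_allowed(conf, "john.doe", ["wheel"]))
```

Point it at a real file with `parse_sshd_config(open("/etc/ssh/sshd_config").read())`; user@host patterns and Deny* lists are not modelled.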
Adding and Removing Users
In addition to the AllowUsers and AllowGroups directives, you can also use SSH keys to further restrict access to a server.
To add a user to a server, you would first have them generate a pair of public and private keys for themselves like so:
```sh
# On the workstation: generate the key pair (answer the prompts)
mkdir -p ~/.ssh && cd ~/.ssh
ssh-keygen
# Copy the public key to the server (enter your password when asked)
scp id_rsa.pub givenname.surname@servername:
ssh givenname.surname@servername
# On the server: install the key where sshd_config's AuthorizedKeysFile points
mkdir -p .ssh && chmod 700 .ssh
mv id_rsa.pub .ssh/authorised_keys
chmod 600 .ssh/authorised_keys
exit
```
This will create a pair of key files in the ~/.ssh directory – a public key (ending in .pub) and a private key. The public key is placed within the server's authorised_keys file for the given user (e.g., if the key is for user “john.doe” then you would place the key in /home/john.doe/.ssh/authorised_keys).
To remove permission for a user, you could just delete the user account with “userdel -r john.doe”, which would remove his entire home directory. Alternatively, if keeping the person's home directory is desired, you could do “userdel john.doe” and then (to be extra safe) delete his .ssh/authorised_keys file.
If a user has permission to log-in directly as root, then you would remove his key from root's authorised_keys file (/root/.ssh/authorised_keys).
Procedures
Gentoo Installation
Gentoo Linux is one of the more difficult distributions of Linux to install, but it offers the greatest possible combination of performance, security, and features due to the fact that all software is built from source code for the target server. The advantage Gentoo has over simply compiling all the software manually is the package database (called 'portage') and the package manager (emerge) which largely automate the process of gathering and compiling source code packages.
| Documentation | Link |
|---|---|
| The Gentoo web site | http://gentoo.org/ |
| Step-by-step installation guide | Gentoo/ISPLinux Prep Guide |
Server configuration files
Administration &c.
- Install a monitoring definition in /etc/monitrc to start tracking the new server, for example:

```
check host newhost with address newhost.ispltd.com
    if failed icmp type echo count 3 with timeout 5 seconds then alert
    if failed url https://newhost.ispltd.com/webserver-check.php
        and content == "Server is up" then alert
```