How to secure UNIX server from hackers?

practices & software

5:04 pm on Feb 11, 2004 (gmt 0)

Senior Member


joined:Jan 26, 2003
votes: 0

Anyone want to take a stab at something like this:


for UNIX?


7:19 pm on Feb 11, 2004 (gmt 0)

Administrator from CA 


joined:Apr 8, 2003
votes: 61

Note: This is not a canonical list. This is meant to be a guide, but it is by no means a complete list of everything you'll need to do to be 100% secure.

Jake's list:

From the Securing Windows [webmasterworld.com] list, you should do the following:

  • Examine all startup scripts and turn off unnecessary ones
  • Subscribe to Bugtraq (the UNIX counterpart to NTBugtraq)
  • Subscribe to NANOG
  • Get a hardware firewall (yes, I know about ipchains and iptables and ipf - get a hardware firewall)
  • Get a test server
  • Get a monitoring service/server

    Additional things I do on UNIX servers:

    Lock down user accounts - Even though this is in the Securing Windows list, I gave it special mention here. In the old days, most UNIX software was designed to be used from or in conjunction with a shell account. That mentality has held over to today's software in its default state. If you run an FTP or mail service, and that user only needs to access FTP or mail, there's no reason to give them shell access. Keep that in mind when performing your lockdown - no shell access unless necessary!

    Kill X - You don't need a GUI on a server. It's wasteful. Get rid of it.

    Compile services yourself - I generally compile all services myself (such as apache, qmail, djbdns). The benefit here is twofold: one, you completely customize the software to your preferences; and two, since you set the software up to your specifications, you'll have a much easier time identifying and combating problems. No packages, no binaries, only source. Note: I consider skeleton source port systems (such as those that Gentoo or the BSDs use) to be okay.

    Install chkrootkit [chkrootkit.org] - Run it regularly, and send the output to someone that will read and act upon the reports.

    Install tripwire [sourceforge.net] or aide [sourceforge.net] - Run it regularly, and send the output to someone that will read and act upon the reports.

    Get a package update notification service - This is critical. With so many open source software apps, things change daily. I know that RedHat has a service, Mandrake has a service, and there's a bunch of others. I'm biased, and mainly use FreeBSD, so I use FreshPorts [freshports.org].

    Install nmap [insecure.org] - Run it against your entire network on a regular basis and send the output to someone that will read and act upon the reports. It will tell you immediately if any backdoor is currently running on a server.

    Personal/Political Rant (flamesuit on):

    Don't use BIND, sendmail, or a GUI (web-based or otherwise) control panel - These are the top offenders of UNIX security and good practices.
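
Three of the items above (no shells for service-only accounts, regular nmap sweeps, and sending a report someone will read) can be turned into a nightly job. The following is an added example, written for this page; it is not code from the thread or from nmap or chkrootkit. It assumes nmap's grepable output format (-oG) was saved to a file, that /sbin/nologin, /usr/sbin/nologin and /bin/false are the only "no shell" shells on the box, and that a baseline scan of the known-good state was kept; the passwd and scan files it reads are constructed samples, not real data.

```sh
#!/bin/sh
# Added example (not from the thread or from any of the tools it names): a
# small POSIX sh audit covering three items on the list above. It lists accounts
# that still have a login shell, and it diffs an nmap grepable-output (-oG) scan
# against a saved baseline so a new listener stands out instead of being buried
# in a full report. Assumptions: /sbin/nologin, /usr/sbin/nologin and /bin/false
# are the only "no shell" shells; the scans were produced with something like
#   nmap -sS -p- -oG today.gnmap 192.0.2.0/24
# The sample files below are constructed, not real scan output.

# Users whose login shell is anything other than nologin/false, as "user:shell".
# $1 = path to a passwd-format file.
shell_accounts() {
    awk -F: '$7 != "/sbin/nologin" && $7 != "/usr/sbin/nologin" && $7 != "/bin/false" {
        print $1 ":" $7
    }' "$1"
}

# Reduce nmap -oG output to sorted "host port/proto" lines for open ports.
# nmap separates the fields with tabs; awk's default field splitting treats
# tabs and spaces alike, so the space-separated samples below parse the same way.
# $1 = grepable output file.
open_ports() {
    awk '/Ports:/ {
        host = $2
        sub(/.*Ports: /, "")
        n = split($0, p, /, /)
        for (i = 1; i <= n; i++) {
            split(p[i], f, "/")          # port/state/proto/owner/service/...
            if (f[2] == "open") print host " " f[1] "/" f[3]
        }
    }' "$1" | sort
}

# Lines present only in the current scan are prefixed "+" (new listener),
# lines gone since the baseline are prefixed "-". $1 = baseline, $2 = current.
port_diff() {
    base=$(mktemp); cur=$(mktemp)
    open_ports "$1" > "$base"
    open_ports "$2" > "$cur"
    comm -13 "$base" "$cur" | sed 's/^/+ /'
    comm -23 "$base" "$cur" | sed 's/^/- /'
    rm -f "$base" "$cur"
}

# --- constructed sample input ---------------------------------------------
work=$(mktemp -d)
cat > "$work/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www:x:80:80:web server:/var/www:/sbin/nologin
ftpuser:x:1001:1001:FTP-only customer:/home/ftpuser:/bin/bash
mailbox1:x:1002:1002:mail-only user:/var/mail/mailbox1:/bin/false
EOF
cat > "$work/baseline.gnmap" <<'EOF'
# constructed sample in nmap -oG format, not a real scan
Host: 192.0.2.10 (web.example.test) Ports: 22/open/tcp//ssh///, 80/open/tcp//http/// Ignored State: closed (998)
EOF
cat > "$work/today.gnmap" <<'EOF'
# constructed sample: same host, one new listener on 31337/tcp
Host: 192.0.2.10 (web.example.test) Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 31337/open/tcp//unknown/// Ignored State: closed (997)
EOF

# Report. In production, pipe this into mail(1) for the person who reads it:
#   report | mail -s "nightly audit" security@example.test
report() {
    echo "== accounts with a login shell (should be admins only) =="
    shell_accounts "$work/passwd"
    echo "== open ports changed since baseline =="
    port_diff "$work/baseline.gnmap" "$work/today.gnmap"
}
report
```

The diff against a baseline is the part that matters: a full port list mailed every night gets ignored, while a single "+ 192.0.2.10 31337/tcp" line gets acted on. Refresh the baseline deliberately whenever you add a service, never automatically.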

    2:04 am on Feb 12, 2004 (gmt 0)

    Preferred Member

    10+ Year Member

    joined:Dec 30, 2003
    votes: 0

    I respectfully disagree on the BIND and Sendmail parts, but agree with pretty much everything else.

    If you're running a service, know what it does, make sure it's configured the way you need it, and keep on top of updates.

    After years of compiling Apache from scratch every time there is an update, I've gone back to the RPM method. I've saved time, and the updated RPM is available within hours of the patch being released. Anything that I do track the source of, I make into an RPM anyway. Far more efficient to roll out across a dozen servers that way, not to mention ensuring consistency across builds.

    The number one thing about security is that locking down your server is only half the equation. If you don't know when you've been hacked, you may as well not bother spending the time on the patching.


    3:01 pm on Feb 13, 2004 (gmt 0)

    Junior Member

    10+ Year Member

    joined:Sept 19, 2003
    votes: 0

    rfxnetworks has some good scripts also you can use.

    Nice firewall apf:

    and Brute force protection script:

    They have some others. For monitoring I suggest nagios, they have some plugins that you can use to alert you if someone logs in to your server and such.

    10:57 am on Feb 24, 2004 (gmt 0)

    New User

    10+ Year Member

    joined:Jan 21, 2004
    votes: 0

    I have a step-by-step guide for installing BFD, APF, CHKROOT and many other security software for linux/unix.. but I am unsure if this is considered "promoting" as the site doesn't sell anything, and isn't tied in with any sites which I own that do... So will someone let me know if posting the URL is good to do or not?

    6:43 am on Feb 25, 2004 (gmt 0)

    New User

    10+ Year Member

    joined:Feb 24, 2004
    votes: 0

    I think posting the URL for a good guide or some technical info is not bad.

    7:03 am on Feb 25, 2004 (gmt 0)

    New User

    10+ Year Member

    joined:Jan 21, 2004
    votes: 0

    Ok, well if it's not just delete it.
    Here are some of my step-by-step guides.

    Brute Force Detection [hostinglife.com]

    Advanced Policy Firewall [hostinglife.com]

    CHKROOTKIT [hostinglife.com]

    MailScanner [hostinglife.com]

    Logwatch [hostinglife.com]

    There are lots more, but those were some mentioned here.. the site is great for all Server Help [hostinglife.com]

    9:03 pm on Feb 26, 2004 (gmt 0)

    Junior Member

    10+ Year Member

    joined:June 3, 2003
    votes: 0

    many hacks on UNIX servers come through PHP.
    if you or your users don't require shell access through php then edit the disable_functions variable in php.ini and add these functions:
    system exec passthru proc_open shell_exec popen

    also if shell access in general is required always use SSH not telnet.

    make sure to have a software firewall.
    Close as many ports as you can. I have a Linux server with ONLY the following ports open:
    22 - SSH for shell and sftp access
    25 - SMTP for email
    80 - HTTP
    443 - HTTPS
    995 - SPOP3

    if possible make sure to have a proper SSL certificate on your server and check your email securely.
    use SFTP through the SSH port 22. there is no need for regular FTP because it sends your password in clear text.
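
The two concrete steps in the post above, the php.ini disable_functions list and a firewall that leaves only those five ports open, are easy to get half right (a commented-out disable_functions line, or an ACCEPT-by-default policy with a few DROPs). The following is an added example written for this page, not code from the poster or from PHP or iptables. It assumes iptables with the state match on a single-homed Linux host, prints the firewall rules for review instead of applying them (so it runs unprivileged), and reads a constructed php.ini fragment rather than a real one.

```sh
#!/bin/sh
# Added example, not from the post above: check that a php.ini really disables
# the functions listed, and print a default-deny iptables ruleset that opens
# only the five ports listed. Assumptions: iptables with the state match (a
# single-homed Linux box); rules are printed for review rather than applied,
# so the script runs as an unprivileged user. The php.ini below is constructed.

WANT="system exec passthru proc_open shell_exec popen"

# Print each function from WANT that php.ini does NOT list in disable_functions.
# A commented-out ";disable_functions = ..." line counts as nothing disabled,
# which is exactly the mistake this check is meant to catch. $1 = path to php.ini.
missing_disabled() {
    have=$(sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" | tr ',' ' ')
    for fn in $WANT; do
        found=0
        for h in $have; do
            [ "$h" = "$fn" ] && found=1
        done
        [ "$found" -eq 0 ] && echo "$fn"
    done
    return 0
}

# Print the disable_functions line to paste into php.ini (comma-separated).
php_ini_line() {
    echo "disable_functions = $(echo $WANT | tr ' ' ',')"
}

# Print iptables commands: default DROP inbound, allow loopback, allow replies
# to connections this host opened, and allow new TCP connections to the given
# ports only. Everything else, including any backdoor that starts listening
# later, is dropped. $@ = TCP ports to leave open.
fw_rules() {
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for port in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
}

# --- constructed sample php.ini: the admin started the list and stopped ------
work=$(mktemp -d)
cat > "$work/php.ini" <<'EOF'
; constructed php.ini fragment, not a real configuration
register_globals = Off
disable_functions = system,exec, passthru
EOF

echo "== functions still callable from PHP =="
missing_disabled "$work/php.ini"
echo "== recommended line =="
php_ini_line
echo "== firewall (review, then run as root) =="
fw_rules 22 25 80 443 995
```

Run the firewall part from a console or with a scheduled rollback (an `at` job that flushes the rules) the first time, since a default DROP policy on INPUT with a typo in the port 22 rule locks you out of a remote box.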

    8:18 pm on Mar 24, 2004 (gmt 0)

    Preferred Member

    10+ Year Member

    joined:Jan 31, 2003
    votes: 0

    I respectfully disagree on the BIND and Sendmail parts...

    Just curious to know why that is? I used to use sendmail/bind but about a year ago switched to qmail/djbdns on *all* my servers.

    I decided this one day after I was faced with another upgrade to sendmail or bind (can't remember which) due to security flaws.

    You know what, I'd never go back. They are much leaner. Do everything I need and more and most of all the configuration files are *very* programmer friendly. I.e. it's very very easy for me to write a script to add a DNS entry or to change my rcpthosts file.

    Just my 2 cents from a convert :)
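
The scripting point in the post above (adding a DNS entry or a domain to rcpthosts from a script) looks like this in practice. The following is an added example written for this page, not code from the poster or from the qmail or djbdns projects. It assumes the tinydns data-file line type `=fqdn:ip:ttl` (an A record plus the matching PTR) and qmail's one-domain-per-line rcpthosts file; it writes to temporary files rather than /etc/tinydns/root/data or /var/qmail/control/rcpthosts, and it does not run the `make` in the tinydns root directory that rebuilds data.cdb after a real edit.

```sh
#!/bin/sh
# Added example, not from the post: the kind of script the poster describes,
# adding a host to a tinydns data file and a domain to qmail's rcpthosts.
# Assumptions: tinydns's "=fqdn:ip:ttl" line type (an A record plus the matching
# PTR) and the one-domain-per-line rcpthosts format; after editing the real
# files you still run "make" in the tinydns root directory to rebuild data.cdb,
# which this example does not do. Paths below are temporary files, not
# /etc/tinydns/root/data or /var/qmail/control/rcpthosts.

# Validate inputs so a typo cannot produce a malformed data line.
valid_fqdn() {
    echo "$1" | grep -Eq '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$'
}
valid_ip() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Append "=fqdn:ip:86400" to the data file unless an entry for that name
# already exists (idempotent, so it is safe in a provisioning script).
# $1 = data file, $2 = fqdn, $3 = ip. Returns 1 on bad input.
add_host() {
    valid_fqdn "$2" || { echo "add_host: bad name '$2'" >&2; return 1; }
    valid_ip "$3"   || { echo "add_host: bad address '$3'" >&2; return 1; }
    name_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # literal dots in the regex
    grep -q "^=$name_re:" "$1" 2>/dev/null && return 0
    printf '=%s:%s:86400\n' "$2" "$3" >> "$1"
}

# Add a domain to rcpthosts. Exact-line match, so "example.test" does not
# satisfy "mail.example.test". $1 = rcpthosts file, $2 = domain.
add_rcpthost() {
    valid_fqdn "$2" || { echo "add_rcpthost: bad domain '$2'" >&2; return 1; }
    grep -qx "$2" "$1" 2>/dev/null || echo "$2" >> "$1"
}

# --- demo on temporary files (constructed data) ---------------------------
work=$(mktemp -d)
add_host "$work/data" www.example.test 192.0.2.10
add_host "$work/data" www.example.test 192.0.2.10     # second call is a no-op
add_host "$work/data" mail.example.test 192.0.2.25
add_rcpthost "$work/rcpthosts" example.test
add_rcpthost "$work/rcpthosts" example.test           # also a no-op
echo "== tinydns data =="; cat "$work/data"
echo "== rcpthosts ==";    cat "$work/rcpthosts"
```

The validation is the part worth keeping: tinydns-data will reject a garbled line, but a script that blindly appends whatever it was handed is how a stray space or a missing octet ends up in a zone file.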