Secure Linux Servers

Linux – Production Server Setup

The principle of running a server in production is to run only what is needed. This keeps the server load to a minimum and reduces the security footprint.

See also http://plusbryan.com/my-first-5-minutes-on-a-server-or-essential-security-for-linux-servers

Setup the Domain Name (DNS)

Point the DNS record for your domain at the IP address of your server. If the server is rented you should already have a static IP address. If the machine is on your local network you may have to edit the network configuration with sudo nano /etc/network/interfaces to give it a static IP address. Your setup should look like:

iface eth0 inet static
address 192.168.1.10
network 192.168.1.0
netmask 255.255.255.0
broadcast 192.168.1.255
gateway 192.168.1.254

Setting up the Name Servers

You will also need to sudo nano /etc/resolv.conf to set the static DNS resolver configuration. The file will look like:

search mydomainname.com
nameserver 192.168.1.254
nameserver 8.8.8.8
nameserver 202.54.2.5

You will then need to restart the networking service:

sudo /etc/init.d/networking restart

You can verify that it is working by checking:

ifconfig eth0
route -n
ping google.com

Setup the Hostname

You can see your current hostname by running:

sudo /bin/hostname

To set the hostname directly, you can run

sudo /bin/hostname newname

When your system boots next time, it will automatically read the hostname from the file /etc/hostname.

Check to see what services are running

You can check to see what services are running using service --status-all on Ubuntu (chkconfig --list on Red Hat). Linux uses the concept of runlevels. The normal runlevel for a non-GUI production system is N 3.

$ runlevel
N 3

The default runlevel for Ubuntu/Debian is N 2.

In the output of service --status-all, each service is marked with one of:

"+" started
"-" stopped
"?" unknown

Remove any services which you don’t need.

Timezone

It is best to set the server timezone to UTC. This avoids the clock jumping when daylight saving time begins and ends (which depends on your timezone, e.g. GMT).

$ date
Mon Jun 17 21:02:29 IST 2013

$ sudo rm /etc/localtime
$ sudo ln -s /usr/share/zoneinfo/UTC /etc/localtime

$ date
Mon Jun 17 20:04:20 UTC 2013

Time Synchronisation with NTP

NTP is a protocol of the TCP/IP suite (it runs over UDP port 123) for synchronising time over a network. Basically a client requests the current time from a server, and uses it to set its own clock.

Ubuntu has two ways of automatically setting your time: ntpdate and ntpd.

ntpdate

Ubuntu comes with ntpdate as standard, and will run it once at boot time to set up your time according to Ubuntu’s NTP server. However, a server’s clock is likely to drift considerably between reboots, so it makes sense to correct the time occasionally. The easiest way to do this is to get cron to run ntpdate every day. With your favorite editor, as root, create a file /etc/cron.daily/ntpdate containing:

ntpdate ntp.ubuntu.com

The file /etc/cron.daily/ntpdate must also be executable.

sudo chmod 755 /etc/cron.daily/ntpdate

ntpd

ntpdate is a bit of a blunt instrument – it can only adjust the time once a day, in one big correction. The ntp daemon ntpd is far more subtle. It calculates the drift of your system clock and continuously adjusts it, so there are no large corrections that could lead to inconsistent logs for instance. The cost is a little processing power and memory, but for a modern server this is negligible.

To set up ntpd:

sudo apt-get install ntp

Changing Time Servers

In both cases above, your system will use Ubuntu’s NTP server at ntp.ubuntu.com by default. This is OK, but you might want to use several servers to increase accuracy and resilience, and you may want to use time servers that are geographically closer to you. To do this for ntpdate, change the contents of /etc/cron.daily/ntpdate to:

ntpdate ntp.ubuntu.com pool.ntp.org 

And for ntpd, edit /etc/ntp.conf to include additional server lines (Ubuntu comes with 4 pool servers already configured, as well as the fallback ntp.ubuntu.com):

server 0.ubuntu.pool.ntp.org
server 1.ubuntu.pool.ntp.org
server 2.ubuntu.pool.ntp.org
server 3.ubuntu.pool.ntp.org
server ntp.ubuntu.com
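A small post-setup audit for the points above (review running services, keep more than one NTP source, keep /etc/localtime on UTC), as an added shell example that is not part of the original post. The service --status-all output and ntp.conf contents are constructed samples, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample of `service --status-all` output (Ubuntu/Debian format).
SAMPLE_STATUS=' [ + ]  cron
 [ - ]  apache2
 [ ? ]  networking
 [ + ]  ntp
 [ + ]  ssh'

# Constructed sample /etc/ntp.conf: stock pool lines, one commented out, plus the fallback.
SAMPLE_NTPCONF='# /etc/ntp.conf (constructed sample)
driftfile /var/lib/ntp/ntp.drift
server 0.ubuntu.pool.ntp.org
server 1.ubuntu.pool.ntp.org
#server 2.ubuntu.pool.ntp.org
server ntp.ubuntu.com'

# Print the names of services whose marker is $1 ("+", "-" or "?"); status output on stdin.
services_with_marker() {
    sed -n "s/^ *\[ $1 \] *//p"
}

# Count usable time sources (server/pool lines, comments ignored) in an ntp.conf on stdin.
ntp_source_count() {
    grep -cE '^[[:space:]]*(server|pool)[[:space:]]+[^[:space:]]' || true
}

# True when the given localtime path is a symlink to the UTC zoneinfo file.
localtime_is_utc() {
    [ "$(readlink "$1")" = /usr/share/zoneinfo/UTC ]
}

# Audit a status file and an ntp.conf; returns non-zero when something needs attention.
audit_time_and_services() {
    status_file=$1; ntp_file=$2; rc=0
    n=$(ntp_source_count < "$ntp_file")
    if [ "$n" -lt 2 ]; then echo "WARN: only $n NTP source(s); add more for resilience"; rc=1; fi
    unknown=$(services_with_marker '?' < "$status_file")
    if [ -n "$unknown" ]; then echo "WARN: services in unknown state: $unknown"; rc=1; fi
    echo "Running services to review (remove what is not needed):"
    services_with_marker '+' < "$status_file"
    return $rc
}

# Stand-alone demo on the constructed samples.
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_STATUS" > "$demo_dir/status.txt"
printf '%s\n' "$SAMPLE_NTPCONF" > "$demo_dir/ntp.conf"
audit_time_and_services "$demo_dir/status.txt" "$demo_dir/ntp.conf" || echo "audit found issues"
rm -rf "$demo_dir"
```

On a real host, feed it `service --status-all 2>&1` saved to a file and /etc/ntp.conf, and check /etc/localtime with localtime_is_utc.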