5 Tips for any Linux administrator
2) Disable a user's account quickly.
Every administrator at one point or another needs to quickly remove a user's access to their Linux servers. We can do the following:
usermod -L Johnny
The above will deny Johnny access to log in to your Linux system via sshd, etc. What this does is add a ! in front of the encrypted password in /etc/shadow, so no password will match. Should Johnny decide to behave, and you're bored enough to unlock him, issue the below:
usermod -U Johnny
The above removes the ! and Johnny will be able to log in to the system again.
2) Disable ICMP Echo Replies (aka stop your Linux server from replying to pings)
Ping? Pong! So you want to stop replying to ICMP echo request (ICMP_ECHO) packets. This is often done in times of DoS, where replying to every request with an ICMP_ECHO_REPLY quickly saturates the pipe. What we can do is disable replies on the system.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
Now ping your system. Get anything back? To re-enable ICMP replies, issue the following:
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
3) Limit your ssh daemon (sshd) to certain IPs.
What we are going to do here is use tcpwrappers to limit access to sshd to certain IP blocks. In this case, we will use your home IP and grant yourself access to sshd. We do this by editing /etc/hosts.allow and /etc/hosts.deny respectively. This is great for stopping brute-force attacks, and a generally nice bit of security overall.
echo 'sshd : YOURIPHERE : ALLOW' >> /etc/hosts.allow
Now, we’ve granted your home IP access. Make sure this is the correct address!
echo 'sshd : ALL : DENY' >> /etc/hosts.deny
Now you have blocked sshd access to everybody NOT defined in /etc/hosts.allow – be careful!
4) Disabling TRACE in Apache. A very common failure in PCI-related scans.
Oftentimes, when doing PCI-related webserver scans (or PCI-related webserver scams...) you will see that the TRACE method is enabled in Apache, and now you've failed.
echo 'TraceEnable Off' >> /etc/httpd/conf/httpd.conf
service httpd restart
You may have to replace /etc/httpd/conf/httpd.conf above with the path to your main Apache webserver configuration file. We then restart Apache so the change takes effect. You can now re-run the test if this is the only issue the scan detected.
5) Disabling SELinux
Bah, SELinux. You want it gone but it keeps coming back. Below you will see how to disable SELinux.
Take your favorite Linux text editor (in this case, we will use nano. You can use vi, pico, etc as you wish).
nano /etc/selinux/config
We want to change the SELINUX=whatever line to SELINUX=disabled, then save the changes.
This still isn't enough, because that file is only read at boot. To fully disable SELinux, you need to do one additional step.
echo 0 > /selinux/enforce
reboot
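A read-only audit of the five settings above, as an added example that is not part of the original post. Every function name (account_locked, icmp_echo_ignored, valid_ipv4, hosts_allow_rule, trace_disabled, selinux_mode) is hypothetical, and each takes the file to inspect as an argument so it can be run against copies instead of the live system.

```shell
#!/bin/sh
# Hypothetical read-only audit of the five settings in this post (added
# example, not the author's script). Each function takes the file to inspect
# as an argument, defaulting to the live system path, so it can be run
# against a copy too.

# Tip 1: usermod -L prefixes the hash in /etc/shadow with "!". Note this only
# locks password logins; an SSH key installed for the account still works.
# Returns 0 if locked, 1 if not locked, 2 if the user has no shadow entry.
account_locked() {
    pw=$(awk -F: -v u="$1" '$1 == u { print $2 }' "${2:-/etc/shadow}")
    [ -n "$pw" ] || return 2
    case "$pw" in
        '!'*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Tip 2: the kernel ignores ICMP echo requests while this knob reads 1.
icmp_echo_ignored() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/icmp_echo_ignore_all}")" = 1 ]
}

# Tip 3: accept only a dotted quad with octets 0-255, so a typo never
# becomes the one address allowed to reach sshd (with you locked out).
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}
# Emit the hosts.allow line; the daemon name is the process name, sshd.
hosts_allow_rule() {
    valid_ipv4 "$1" || return 1
    printf 'sshd : %s : ALLOW\n' "$1"
}

# Tip 4: TraceEnable defaults to On and the last directive in the file wins.
trace_disabled() {
    last=$(grep -i '^[[:space:]]*TraceEnable' "$1" | tail -n 1 |
           awk '{ print tolower($2) }')
    [ "$last" = off ]
}

# Tip 5: print the value of the SELINUX= line (enforcing/permissive/disabled).
selinux_mode() {
    awk -F= '/^[[:space:]]*SELINUX=/ { print $2 }' "$1" | tail -n 1
}
```

Source the file and call the checks directly, e.g. trace_disabled /etc/httpd/conf/httpd.conf && echo 'TRACE is off'; reading the real /etc/shadow for tip 1 needs root.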
Comments
2 Responses to “5 Tips for any Linux administrator”


Will disabling trace in Apache have any impact on normal web serving?
This is a very good website, keep it up and publish more guides!