
1. On your firewall (you do have one don't you?) check the incoming MySQL port and if 3306 is open, close it. If this port is left open it can pose both a security and server abuse threat since not only can hackers attempt to break into MySQL, any user can host their SQL database on your server and access it from another host and so (ab)use your server resources
2. Check /tmp permissions. /tmp should be chmod 1777
3. Check /tmp ownership. /tmp should be owned by root:root
4. Check /etc/cron.daily/logrotate for /tmp noexec workaround. Due to a bug in logrotate if /tmp is mounted with the noexec option, you need to have logrotate use a different temporary directory. If you don't do this syslog may not restart correctly and will write to the wrong (older) log files.
5. Check /var/tmp permissions. /var/tmp should be chmod 1777
6. Check /var/tmp ownership. /var/tmp should be owned by root:root
7. Check /var/tmp is mounted as a filesystem. /var/tmp should either be symlinked to /tmp or mounted as a filesystem
8. Check /var/tmp is mounted noexec,nosuid. /var/tmp isn't mounted with the noexec,nosuid options (currently: none). You should consider adding a mountpoint into /etc/fstab for /var/tmp with those options
9. Check /usr/tmp permissions. /usr/tmp should be chmod 1777
10. Check /usr/tmp ownership. /usr/tmp should be owned by root:root
11. Check /usr/tmp is mounted as a filesystem or is a symlink to /tmp. /usr/tmp should either be symlinked to /tmp or mounted as a filesystem
Check /etc/resolv.conf for localhost entry. You should not specify 127.0.0.1 or localhost as a nameserver in /etc/resolv.conf - use the server's main IP address instead
12. Check /etc/named.conf for recursion restrictions. If you have a local DNS server running but do not have any recursion restrictions set in /etc/named.conf this is a security and performance risk and you should look at restricting recursive lookups to the local IP addresses only. Unrestricted recursive lookups are as good as a DDoS attack against your system. They will eat up all your system resources
13. Check server runlevel. For a secure server environment you should only run the server at runlevel 3. You can fix this by editing /etc/inittab and changing the initdefault line to:
id:3:initdefault:
and then rebooting the server
14. Check nobody cron. You have a nobody cron log file - you should check that this has not been created by an exploit
15. Check Operating System support. Make certain that your OS version is still supported by the manufacturer and that upgrades continue to be available
16. Check SSHv1 is disabled. You should disable SSHv1 by editing /etc/ssh/sshd_config and setting:
Protocol 2
(remove the hash # from in front of the line and edit out the 1.1)
17. Check SSH on non-standard port. Moving SSH to a non-standard port avoids basic SSH port scans. Edit /etc/ssh/sshd_config and set:
Port nnnn
where nnnn is a port of your choosing. Don't forget to open the port in the firewall first!
18. Check SSH PasswordAuthentication. For ultimate SSH security, you might want to consider disabling PasswordAuthentication and only allow access using PubkeyAuthentication.
19. Check telnet port 23 is not in use. Close this port in your firewall. Telnet is an insecure protocol and you should disable the telnet daemon if it is running
20. Check shell resource limits. You should enable shell resource limits to prevent shell users from consuming server resources - DOS exploits typically do this. If you are using cPanel/WHM set Shell Fork Bomb Protection.
21. Disable all instances of IRC - BitchX, bnc, eggdrop, generic-sniffers, guardservices, ircd, psyBNC, ptlink. If you are using WHM you can do this in the Background Process Killer.
22. Check apache for mod_security. If it is not installed, install it from source
23. Check apache for mod_evasive. You should install the mod_evasive apache module from source to help prevent DOS attacks against apache. Note that this module breaks FrontPage functionality
24. Check apache for RLimitCPU. You should set a value for RLimitCPU to prevent runaway scripts from consuming server resources - DOS exploits can typically do this.
25. Check apache for RLimitMEM. You should set a value for RLimitMEM to prevent runaway scripts from consuming server resources - DOS exploits can typically do this
26. Check php for enable_dl. You should modify /usr/local/lib/php.ini and set:
enable_dl = off
This prevents users from loading php modules that affect everyone on the server. Note that if you use dynamic libraries, such as ioncube, you will have to load them directly in php.ini
27. Check php for disable_functions. You should modify /usr/local/lib/php.ini and disable commonly abused php functions, e.g.:
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
Some client web scripts may break with some of these functions disabled, so you may have to remove them from this list
28. Check phpsuexec. To reduce the risk of hackers accessing all sites on the server from a compromised PHP web script, you should enable phpsuexec when you build apache/php. Note that there are side effects when enabling phpsuexec on a server and you should be aware of these before enabling it
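
The permission, ownership and mount checks for /tmp, /var/tmp and /usr/tmp can be scripted. This is an added example, not part of the original checklist; the function names are hypothetical and it assumes GNU stat and readlink and a mounts file in /proc/mounts format.

```bash
#!/bin/bash
# Added example (not from the checklist): audit a temp directory for
# mode 1777, owner root:root and a noexec,nosuid mount. Names are illustrative.

# mount_opts MOUNTS DIR: print the options of the last mount on DIR, if any.
mount_opts() {
    awk -v d="$2" '$2 == d { o = $4 } END { if (o != "") print o }' "$1"
}

# has_opt OPTS NAME: succeed if NAME is one of the comma-separated OPTS.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# audit_tmpdir DIR [MOUNTS] [OWNER]: print findings, return their count.
# OWNER is numeric uid:gid; the default 0:0 is root:root.
audit_tmpdir() {
    local dir="$1" mounts="${2:-/proc/mounts}" want="${3:-0:0}" fails=0 opts o
    if [ -L "$dir" ]; then
        # A symlink to /tmp is accepted; /tmp is then audited on its own.
        [ "$(readlink -f "$dir")" = "$(readlink -f /tmp)" ] && return 0
        echo "FAIL $dir is a symlink, but not to /tmp"; return 1
    fi
    [ "$(stat -c %a "$dir")" = 1777 ] ||
        { echo "FAIL $dir mode is not 1777"; fails=$((fails + 1)); }
    [ "$(stat -c %u:%g "$dir")" = "$want" ] ||
        { echo "FAIL $dir owner is not $want"; fails=$((fails + 1)); }
    opts=$(mount_opts "$mounts" "$dir")
    if [ -z "$opts" ]; then
        echo "FAIL $dir is not mounted as its own filesystem"
        fails=$((fails + 1))
    else
        for o in noexec nosuid; do
            has_opt "$opts" "$o" ||
                { echo "FAIL $dir mounted without $o"; fails=$((fails + 1)); }
        done
    fi
    return "$fails"
}

# Run as: bash audit_tmp.sh /tmp /var/tmp /usr/tmp
for d in "$@"; do audit_tmpdir "$d" || true; done
```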
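
The three SSH checks (Protocol, Port, PasswordAuthentication), run against a configuration file. This is an added example, not from the original checklist; the function names are hypothetical, and an unset Protocol line is reported because the checklist asks for an explicit setting.

```bash
#!/bin/bash
# Added example (not from the checklist): check an sshd_config for the
# SSH items. Function names are illustrative.

# sshd_values FILE KEYWORD: print every global value of KEYWORD, in order.
# Keywords are case-insensitive; parsing stops at the first Match block,
# because settings below it apply only to matching connections.
sshd_values() {
    awk -v k="$2" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { print $2 }
    ' "$1"
}

# audit_sshd FILE: print findings, return their count.
audit_sshd() {
    local f="$1" fails=0 v
    # sshd uses the first value it reads for a keyword.
    v=$(sshd_values "$f" Protocol | head -n 1)
    [ "$v" = 2 ] ||
        { echo "FAIL Protocol is '${v:-unset}', want 2"; fails=$((fails + 1)); }
    # Port is the exception: every Port line adds a listener; none means 22.
    v=$(sshd_values "$f" Port | tr '\n' ' ')
    case " ${v:-22} " in *" 22 "*)
        echo "FAIL sshd listens on port 22"; fails=$((fails + 1)) ;;
    esac
    v=$(sshd_values "$f" PasswordAuthentication | head -n 1 | tr 'A-Z' 'a-z')
    [ "${v:-yes}" = no ] ||
        { echo "FAIL PasswordAuthentication is not 'no'"; fails=$((fails + 1)); }
    # Disabling passwords while public keys are off locks everyone out.
    v=$(sshd_values "$f" PubkeyAuthentication | head -n 1 | tr 'A-Z' 'a-z')
    [ "${v:-yes}" = yes ] ||
        { echo "FAIL PubkeyAuthentication is disabled"; fails=$((fails + 1)); }
    return "$fails"
}

# Run as: bash audit_sshd.sh /etc/ssh/sshd_config
if [ "$#" -gt 0 ]; then audit_sshd "$1"; fi
```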
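
A check for the enable_dl and disable_functions items that reports which of the listed functions are still callable. This is an added example, not from the original checklist; the function names are hypothetical.

```bash
#!/bin/bash
# Added example (not from the checklist): check a php.ini for the
# enable_dl and disable_functions items. Function names are illustrative.

# Functions named in the checklist's disable_functions line.
WANT="show_source system shell_exec passthru exec phpinfo popen proc_open"

# ini_value FILE KEY: print the last uncommented value of KEY
# (a later line overrides an earlier one), without quotes or ";" comments.
ini_value() {
    awk -v k="$2" '
        /^[ \t]*;/ || !index($0, "=") { next }
        { key = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", key) }
        key == k { v = substr($0, index($0, "=") + 1) }
        END { sub(/[ \t]*;.*/, "", v); gsub(/^[ \t"]+|[ \t"]+$/, "", v); print v }
    ' "$1"
}

# dl_enabled FILE: succeed if dl() is still available. An absent or empty
# setting is reported as enabled so that it gets reviewed.
dl_enabled() {
    case "$(ini_value "$1" enable_dl | tr 'A-Z' 'a-z')" in
        off|0|no|false|none) return 1 ;;
        *) return 0 ;;
    esac
}

# still_enabled FILE: print the functions from WANT that are not disabled.
# Whole names are compared, so "exec" does not stand in for "shell_exec".
still_enabled() {
    local have out="" f
    have=",$(ini_value "$1" disable_functions | tr -d ' \t'),"
    for f in $WANT; do
        case "$have" in *",$f,"*) ;; *) out="$out${out:+ }$f" ;; esac
    done
    echo "$out"
}

# Run as: bash audit_php.sh /usr/local/lib/php.ini
if [ "$#" -gt 0 ]; then
    dl_enabled "$1" && echo "FAIL enable_dl is on"
    echo "Not disabled: $(still_enabled "$1")"
fi
```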
