East-Tec DiskSanitizer for Linux
East-Tec DiskSanitizer for Linux is designed to prevent the recovery of sensitive data that you want permanently deleted from a hard disk. Neither simple file deletion, formatting the disk, nor repartitioning with fdisk is enough to foil attempts to recover previously recorded data from a hard disk. East-Tec DiskSanitizer overwrites every sector on a disk to remove all traces of data. Data is removed according to U.S. Department of Defense standards or custom user security levels. East-Tec DiskSanitizer can be operated from a floppy disk to sanitize any drive in the computer, regardless of the file system or the operating system. It also features verification capabilities and full user control during the sanitizing process.
The program can now sanitize independent partitions on your hard drive without affecting other partitions.
When retiring servers that held sensitive data, it is important to ensure that the data cannot be recovered from the hard disks. To ensure that all traces of data are removed, the DiskSanitizer tool can be used. This tool can be operated from a floppy disk and removes data according to U.S. Department of Defense (DoD) standards.
DiskSanitizer is available at http://freshmeat.net/projects/disksanitizer.
Resources available for OpenVZ containers.
Resources that can be set include disk space usage, memory usage, CPU usage, and more.
Restricting and setting hard limits of what is permitted in a container ensures that no tasks within the container can get greedy and steal resources from other containers or the host system itself.
First, look at the vzlist tool. It provides information on any installed containers, which makes managing them simpler:
How to increase the available disk space from 1GB to something more useful like 10GB.
# vzctl set 101 --diskspace 10G:11G --save
The above increases the default 1GB disk space available to the container to a barrier (soft limit) of 10GB and a hard limit of 11GB.
Check disk space inside the container:
# vzctl exec 101 df -hT
There are two ways to change settings for containers. The first is using vzctl as above (remember to use the --save option to make the changes persistent across restarts). The second is to edit the configuration file for the container. For a container with a CTID of 101, the file would be /etc/sysconfig/vz-scripts/101.conf.
Protect a server within a network by using a TCP Wrapper.
The Xinetd super server that comes with most Linux distributions includes a built-in TCP wrapper.
It can be used to explicitly define network services to accept incoming connections from specified servers and networks.
TCP wrappers implement access control through two files, /etc/hosts.allow and /etc/hosts.deny. hosts.allow is consulted first; a client that matches neither file is allowed.
A recommended security strategy is to block all incoming requests by default, but allow specific hosts or networks to connect.
To deny everything by default, add the following line to /etc/hosts.deny:
To accept incoming SSH connections from, e.g., the nodes lab1, lab2 and lab3, add the following line to /etc/hosts.allow:
To accept incoming SSH connections from all servers from a specific network, add the name of the subnet to /etc/hosts.allow.
For example:
sshd: lab1 lab2 lab3 .subnet.lab.com
To accept incoming SSH connections from the IP address 192.168.0.1 and from the 192.168.5 subnet (note the trailing dot in the pattern), add the following line to /etc/hosts.allow:
sshd: 192.168.0.1 192.168.5.
The TCP wrapper is quite flexible, and xinetd adds its own host-based and time-based access controls; you can even tell xinetd to limit the rate of incoming connections.
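To make the evaluation order concrete, here is an added example (not part of the original notes) that models how a TCP wrapper decides access for one client from the hosts.allow and hosts.deny rules shown above. It is a simplified model: it handles ALL, exact host names, leading-dot domain suffixes (.subnet.lab.com) and trailing-dot IPv4 prefixes (192.168.5.), and deliberately leaves out EXCEPT, IPv6, netmasks and spawn/twist options.

```python
# Added example, not the original notes' code: a simplified model of the
# TCP wrapper decision for one connecting client.

def pattern_matches(pattern, host, ip):
    """Return True if a single client pattern matches the connecting client."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):      # domain suffix, e.g. .subnet.lab.com
        return host.endswith(pattern)
    if pattern.endswith("."):        # IPv4 network prefix, e.g. 192.168.5.
        return ip.startswith(pattern)
    return pattern == host or pattern == ip

def parse_rules(text):
    """Parse 'daemon_list : client_list' lines into (daemons, clients) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line or ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append((daemons.split(), clients.split()))
    return rules

def rule_matches(rules, daemon, host, ip):
    for daemons, clients in rules:
        if daemon in daemons or "ALL" in daemons:
            if any(pattern_matches(p, host, ip) for p in clients):
                return True
    return False

def access_decision(allow_text, deny_text, daemon, host, ip):
    """hosts.allow is consulted first, then hosts.deny; no match means allow."""
    if rule_matches(parse_rules(allow_text), daemon, host, ip):
        return "allow"
    if rule_matches(parse_rules(deny_text), daemon, host, ip):
        return "deny"
    return "allow"

# Constructed sample files following the deny-by-default strategy above.
HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW = """
sshd: lab1 lab2 lab3 .subnet.lab.com
sshd: 192.168.0.1 192.168.5.
"""
```

Note that with an empty hosts.deny the final fallback allows everyone, which is why the ALL: ALL line matters.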
Detect and close network ports that are not needed.
To get a list of listening network ports (TCP and UDP sockets), you can run the following command:
# netstat -tulp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 localhost.locald:domain *:* LISTEN 4521/named
tcp 0 0 localhost.localdoma:953 *:* LISTEN 4521/named
tcp6 0 0 [::]:ssh [::]:* LISTEN 4553/sshd
tcp6 0 0 ::1%134628752:953 [::]:* LISTEN 4521/named
udp 0 0 *:domain *:* 4521/named
udp 0 0 localhost.locald:domain *:* 4521/named
udp 0 0 *:bootpc *:* 4884/dhclient
udp 0 0 *:34787 *:* 4574/avahi-daemon:
udp 0 0 *:mdns *:* 4574/avahi-daemon:
udp6 0 0 [::]:38224 [::]:* 4521/named
Using nmap
# nmap -sTU [remote_host]
# nmap -sTU 127.0.0.1
Starting Nmap 4.53 ( http://insecure.org ) at 2009-10-18 04:55 IST
Interesting ports on localhost.localdomain (127.0.0.1):
Not shown: 3196 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
953/tcp open rndc
53/udp open|filtered domain
68/udp open|filtered dhcpc
5353/udp open|filtered zeroconf
Nmap done: 1 IP address (1 host up) scanned in 1.608 seconds
If you omit the UDP port scan (drop the "U" from the "-sTU" option), nmap finishes almost immediately. Running it against the local machine also completes very quickly.
Also note that nmap might not show all listening network sockets if a firewall is blocking ports.
Another method to list all of the TCP and UDP sockets to which programs are listening is lsof:
# lsof -i -n | egrep 'COMMAND|LISTEN|UDP'
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
named 4521 bind 20u IPv4 12381 TCP 127.0.0.1:domain (LISTEN)
named 4521 bind 21u IPv4 12392 TCP 127.0.0.1:953 (LISTEN)
named 4521 bind 22u IPv6 12393 TCP [::1]:953 (LISTEN)
named 4521 bind 512u IPv4 12380 UDP 127.0.0.1:domain
named 4521 bind 513u IPv4 12382 UDP *:domain
named 4521 bind 514u IPv6 12383 UDP *:38224
sshd 4553 root 3u IPv6 12423 TCP *:ssh (LISTEN)
avahi-dae 4574 avahi 14u IPv4 12466 UDP *:mdns
avahi-dae 4574 avahi 15u IPv4 12467 UDP *:34787
dhclient 4884 dhcp 6u IPv4 13547 UDP *:bootpc
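An added example (not from the original notes) that turns the port listing into a check: it parses the netstat -tulp output reproduced above into structured records and flags listeners bound to non-loopback addresses whose program is not on an allowlist. The allowlist and the sample output are constructed for the example.

```python
import re

# Constructed sample: the `netstat -tulp` output shown in the notes above.
NETSTAT_OUTPUT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 localhost.locald:domain *:* LISTEN 4521/named
tcp 0 0 localhost.localdoma:953 *:* LISTEN 4521/named
tcp6 0 0 [::]:ssh [::]:* LISTEN 4553/sshd
tcp6 0 0 ::1%134628752:953 [::]:* LISTEN 4521/named
udp 0 0 *:domain *:* 4521/named
udp 0 0 localhost.locald:domain *:* 4521/named
udp 0 0 *:bootpc *:* 4884/dhclient
udp 0 0 *:34787 *:* 4574/avahi-daemon:
udp 0 0 *:mdns *:* 4574/avahi-daemon:
udp6 0 0 [::]:38224 [::]:* 4521/named
"""

PID_PROG = re.compile(r"^(\d+)/(\S+)$")   # last column, e.g. 4521/named

def parse_listeners(text):
    """Return one dict per socket line: proto, bound address, port, pid, program."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith(("tcp", "udp")):
            continue                          # skip the two header lines
        addr, _, port = fields[3].rpartition(":")   # port/service is after the last ':'
        m = PID_PROG.match(fields[-1])
        if not m:
            continue
        listeners.append({"proto": fields[0], "addr": addr, "port": port,
                          "pid": int(m.group(1)),
                          "program": m.group(2).rstrip(":")})
    return listeners

def loopback_only(addr):
    """True for sockets reachable only from the local host."""
    return addr.startswith(("localhost", "127.", "::1"))

def unexpected_listeners(listeners, allowed_programs):
    """Network-reachable listeners whose program is not on the allowlist."""
    return sorted({(l["proto"], l["port"], l["program"]) for l in listeners
                   if not loopback_only(l["addr"])
                   and l["program"] not in allowed_programs})
```

Running the check with an allowlist of {"sshd", "named"} flags the avahi-daemon and dhclient UDP sockets, which is exactly the "not needed" set to investigate before disabling the services.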
One of the most important tasks is to remove any network services from the system startup process that are not needed.
On Red Hat systems you can list all services which are started at bootup using the following command:
To permanently disable e.g. the runlevel service nfs, run:
To immediately disable the runlevel service nfs, run:
Removing Unnecessary Software Packages (RPMs)
It is good practice not to have development packages, desktop software packages (e.g. the X server) and the like installed on production servers. Other packages such as FTP and Telnet daemons should not be installed either unless there is a justified business reason for them (SSH/SCP/SFTP should be used instead).
One of the first action items should be to create a Linux image that only contains RPMs needed by the applications, and needed for maintenance and troubleshooting purposes.
A good approach is to start with a minimum list of RPMs and then add packages as needed. It may be time-consuming, but it is worth the effort.
To get a list of all installed RPMs you can use the following command:
If you want to know more about a particular RPM, run:
To check for and report potential conflicts and dependencies before deleting an RPM, run:
rpm -e --test [package_name]
A very important step in securing a Linux system is to determine the primary function or role of the Linux server.