Security and compliance efforts don’t have to be back-breaking. A few tweaks in the right places can go a long way to improving your overall security and compliance posture.
Spend a little time working through PCI DSS and you quickly realize that much of the focus is on understanding and reducing risk. This often means working to keep sensitive information on a need-to-know basis. Here are just a few ways you can improve your Linux security:
- Tell Apache to stop giving out so much information!
By default, Apache will happily give out its version, what modules are loaded (and their versions), and even the operating system you are running. This is pretty easy to fix. Change the ServerTokens directive in your Apache configuration file (httpd.conf) to “ServerTokens Prod” and restart Apache.

Before: Apache/2.0.59 (Unix) mod_ssl/2.0.59 OpenSSL/0.9.7e-p1
After: Apache

Tip: It’s not a bad idea to disable ServerSignature while you’re at it. ServerSignature puts the information provided by ServerTokens at the bottom of server-generated pages – such as internal server errors.
- Get rid of PHP’s X-Powered-By line
Like Apache, PHP exposes its version by default. To disable this, change the expose_php variable in PHP’s config (php.ini) from “On” to “Off” and restart Apache.

Before:
HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/4.3.11
Content-Type: text/html

After:
HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
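Both of the header fixes above can be verified from the outside by looking at a response. The following is an added example, not code from the original post: a small POSIX shell audit that reads a captured HTTP response header block and flags a Server header that still carries version or OS details and any X-Powered-By header. The two header blocks inside the script are constructed from the Before/After text above, and the curl command in the comment is an assumed way to capture real headers from a host you administer.

```shell
#!/bin/sh
# Added example (not from the original post): audit a captured HTTP response
# header block for the two leaks the post describes, an Apache Server header
# that still carries version strings and a PHP X-Powered-By header.
# Both sample responses are constructed by hand, not captured from a real host.

BEFORE_HEADERS='HTTP/1.1 200 OK
Server: Apache/2.0.59 (Unix) mod_ssl/2.0.59 OpenSSL/0.9.7e-p1
X-Powered-By: PHP/4.3.11
Content-Type: text/html'

AFTER_HEADERS='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html'

# Print the value of one header (name matched case-insensitively), or nothing
# if the header is absent.
header_value() {
    # $1 = header name, $2 = header block
    printf '%s\n' "$2" | grep -i "^$1:" | head -n 1 | sed 's/^[^:]*:[[:space:]]*//'
}

# Exit 0 if the Server header carries anything beyond a bare product name,
# i.e. a version number ("Apache/2.0.59") or a parenthesised OS / module list.
server_leaks_version() {
    value=$(header_value Server "$1")
    case "$value" in
        */*|*"("*) return 0 ;;
        *) return 1 ;;
    esac
}

# Exit 0 if PHP's X-Powered-By header is present at all, else exit 1.
php_exposed() {
    [ -n "$(header_value X-Powered-By "$1")" ]
}

# Report findings for one header block, one line per check.
audit_headers() {
    if server_leaks_version "$1"; then
        echo "FINDING: Server header discloses version/OS: $(header_value Server "$1")"
    else
        echo "OK: Server header is minimal"
    fi
    if php_exposed "$1"; then
        echo "FINDING: X-Powered-By present: $(header_value X-Powered-By "$1")"
    else
        echo "OK: no X-Powered-By header"
    fi
}

# Against a live host you would capture the headers with a HEAD request, for
# example (assumed command, adjust the URL):
#   audit_headers "$(curl -sI http://localhost/)"
# Here the constructed samples are used instead.
echo "== before =="
audit_headers "$BEFORE_HEADERS"
echo "== after =="
audit_headers "$AFTER_HEADERS"
```

Run it after restarting Apache and PHP: the "before" block should produce two FINDING lines and the "after" block two OK lines. The same script works for any other header you want to keep quiet, since header_value takes the header name as an argument.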
- Make SSL stricter
SSL is great, but isn’t without some flaws. There are known weaknesses in some of the ciphers and protocols that are used. The best approach is to disable these offending items – which consist of weak and medium ciphers and SSLv2. To do this, update the following lines in your Apache’s configuration file and restart Apache:

SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!MEDIUM:!EXP:RC4+RSA:+HIGH

- TRACK and TRACE are bad…
You’ll typically find mention of these in the findings of PCI DSS external vulnerability scans. TRACK and TRACE are sometimes used for debugging or troubleshooting, but can be exploited by a potential attacker. As such, they need to be disabled. There are two options to take care of this.

If your version of Apache is recent enough (like 2.2) you can add “TraceEnable Off” to your Apache config and restart Apache.

If your version of Apache is not so new you’ll need to use mod_rewrite. Add the following to your VirtualHost(s) and restart Apache:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
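The SSL and TRACE settings above, together with ServerTokens and ServerSignature from the first tip, are all plain httpd.conf directives, so they can be checked from the file rather than by probing the server. The following is an added example, not from the original post or the Apache project: a POSIX shell linter that reads an Apache configuration fragment and reports each directive that does not match the post's recommendations. The two fragments in the script are constructed; the /etc/httpd/conf/httpd.conf path in the comment is an assumption that varies by distribution, and the linter does not follow Include directives or the mod_rewrite alternative.

```shell
#!/bin/sh
# Added example, not from the original post: lint an Apache configuration
# fragment for the directives the post sets (ServerTokens, ServerSignature,
# SSLProtocol, SSLCipherSuite, TraceEnable). Both fragments are constructed
# for this example. To check a real server, pass the file contents in, e.g.
#   lint_conf "$(cat /etc/httpd/conf/httpd.conf)"
# (the path is an assumption; it varies by distribution).

WEAK_CONF='ServerTokens OS
ServerSignature On
SSLProtocol ALL
SSLCipherSuite ALL
# TraceEnable is not set, so TRACE stays enabled (the Apache default)'

HARDENED_CONF='ServerTokens Prod
ServerSignature Off
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!MEDIUM:!EXP:RC4+RSA:+HIGH
TraceEnable Off'

# Print the argument(s) of the last uncommented occurrence of a directive
# (Apache keeps the last one it reads), lower-cased for easy comparison.
directive() {
    # $1 = directive name, $2 = config text
    printf '%s\n' "$2" | awk -v name="$1" '
        tolower($1) == tolower(name) {
            val = $2
            for (i = 3; i <= NF; i++) val = val " " $i
        }
        END { print val }' | tr '[:upper:]' '[:lower:]'
}

# Exit 0 if a (lower-cased) cipher string excludes a cipher class, e.g. "low".
excludes() {
    # $1 = cipher string, $2 = class name without the leading "!"
    case ":$1:" in
        *":!$2:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Emit one FINDING line per weak or missing setting; silent when all is well.
lint_conf() {
    conf=$1

    tokens=$(directive ServerTokens "$conf")
    [ "$tokens" = "prod" ] \
        || echo "FINDING: ServerTokens is '${tokens:-unset}' (want Prod)"

    sig=$(directive ServerSignature "$conf")
    [ "$sig" = "off" ] \
        || echo "FINDING: ServerSignature is '${sig:-unset}' (want Off)"

    # On the Apache 2.0/2.2 builds the post targets, SSLv2 stays enabled unless
    # the protocol list removes it explicitly, with -ALL (then adding back only
    # what you want) or with -SSLv2.
    proto=$(directive SSLProtocol "$conf")
    case " $proto " in
        *" -all "*|*" -sslv2 "*) ;;
        *) echo "FINDING: SSLProtocol '${proto:-unset}' does not disable SSLv2" ;;
    esac

    ciphers=$(directive SSLCipherSuite "$conf")
    for class in anull enull low medium exp; do
        excludes "$ciphers" "$class" \
            || echo "FINDING: SSLCipherSuite does not exclude $class"
    done

    trace=$(directive TraceEnable "$conf")
    [ "$trace" = "off" ] \
        || echo "FINDING: TraceEnable is '${trace:-unset}' (want Off; default is On)"
}

# Number of findings for a fragment, for scripting (0 means clean).
count_findings() {
    lint_conf "$1" | grep -c '^FINDING' || true
}

echo "== weak fragment =="
lint_conf "$WEAK_CONF"
echo "== hardened fragment =="
lint_conf "$HARDENED_CONF"
```

The checks mirror the post's own criteria: SSLv2 off, weak and medium ciphers excluded, TRACE off. Two caveats for current deployments: the post's SSLProtocol line still enables SSLv3, which has since been deprecated (RFC 7568), as has RC4 (RFC 7465), so on a current Apache you would write something like "SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1" and drop RC4 from the cipher string; and because Apache 2.4 no longer supports SSLv2 at all, this linter's SSLv2 rule only makes sense for the older versions the post describes.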
- Disable TCP timestamps
TCP timestamps are an optional element of TCP headers and are used for testing. Since the timestamps are relative to real time, an attacker could potentially figure out how long it has been since a system was rebooted. Run the following command to disable them:

shell> sysctl -w net.ipv4.tcp_timestamps=0

Be sure to add the following to /etc/sysctl.conf so they stay disabled when the system is rebooted:

net.ipv4.tcp_timestamps = 0
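Because this tip has a runtime half (sysctl -w) and a persistence half (/etc/sysctl.conf), the usual failure is a host that passes a scan today and fails it after the next reboot. The following is an added example, not from the original post: a POSIX shell check that reports the live kernel value and the value /etc/sysctl.conf would apply at boot, and prints the missing step if the two disagree. The sysctl.conf text in the script is constructed; on a real host pass in the file contents as shown in the comment. /proc/sys/net/ipv4/tcp_timestamps is the standard Linux path for this sysctl.

```shell
#!/bin/sh
# Added example, not from the original post: check that TCP timestamps are
# off both now (the running kernel) and after a reboot (/etc/sysctl.conf).
# The sysctl.conf samples below are constructed for the example; the
# functions also accept a real file's contents.

SYSCTL_CONF_OK='# constructed sample /etc/sysctl.conf
net.ipv4.ip_forward = 0
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_timestamps = 0'

SYSCTL_CONF_MISSING='# constructed sample with no active tcp_timestamps line
net.ipv4.ip_forward = 0
#net.ipv4.tcp_timestamps = 0'

# Print the value sysctl -p would apply for a key: the last uncommented
# "key = value" line wins. Prints an empty line if the key is not set.
persisted_value() {
    # $1 = sysctl key, $2 = sysctl.conf text
    printf '%s\n' "$2" | awk -v key="$1" -F'=' '
        /^[[:space:]]*[#;]/ { next }   # comment lines start with # or ;
        {
            k = $1
            sub(/^[[:space:]]+/, "", k); sub(/[[:space:]]+$/, "", k)
            if (k == key) {
                v = $2
                gsub(/[[:space:]]/, "", v)
                val = v
            }
        }
        END { print val }'
}

# Exit 0 if the sysctl.conf text persists tcp_timestamps = 0, else exit 1.
timestamps_persisted_off() {
    [ "$(persisted_value net.ipv4.tcp_timestamps "$1")" = "0" ]
}

# Print the live kernel value, or "unknown" when /proc/sys is not readable
# (for example when this script is run somewhere other than Linux).
live_value() {
    f=/proc/sys/net/ipv4/tcp_timestamps
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# Compare running and persisted state and print any remaining action.
report() {
    live=$(live_value)
    persisted=$(persisted_value net.ipv4.tcp_timestamps "$1")
    echo "running value:   $live"
    echo "persisted value: ${persisted:-unset (kernel default is 1)}"
    if [ "$live" != "0" ]; then
        echo "ACTION: run: sysctl -w net.ipv4.tcp_timestamps=0"
    fi
    if [ "$persisted" != "0" ]; then
        echo "ACTION: add 'net.ipv4.tcp_timestamps = 0' to /etc/sysctl.conf"
    fi
}

echo "== sample with the setting persisted =="
report "$SYSCTL_CONF_OK"
echo "== sample without it =="
report "$SYSCTL_CONF_MISSING"
# Real use: report "$(cat /etc/sysctl.conf)"
```

One caveat worth knowing before you turn this off fleet-wide: the timestamp option is also what the kernel uses for round-trip time measurement and protection against wrapped sequence numbers (RFC 7323), so disabling it is a trade-off on busy, high-bandwidth links rather than a free win.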
Linux is a great OS, but some of the things that make it great can also be a pain when it’s time to assess your environment for compliance. Fortunately, it’s not too painful to reconfigure Linux to be a little more stringent with the information it gives out or the assistance it gives to potential attackers.