Linux Pre-OS Hardening Procedures

Check to make sure the server is not compromised first. We will NOT harden a compromised server.

export HISTFILE=/dev/null (keeps the commands run during this triage session out of the shell history file)

The following commands will usually accomplish this:

/bin/ps auxwww (review the running processes; look for blank lines, as these may be hidden processes)
/bin/netstat -nap (review open ports for anything suspicious; some things will be hidden from ps but not from netstat)
/usr/sbin/lsof | grep IPv (lists every open IPv4 and IPv6 socket, i.e. all the open ports on the machine)

Check for suspicious files:

ls -A /tmp /var/tmp /var/spool/samba /var/spool/vbox /dev/shm /usr/local/apache/proxy
  • Run chkrootkit on the server as well. Download it, extract the tarball, cd into the 'chkrootkit' directory, type 'make sense' and then run './chkrootkit'.
  • Run rkhunter. Be sure to run 'rkhunter --update' before you actually run rkhunter so that its checks and signatures are current.

Also run a vulnerability scan with Sentarus or Nessus.

If the machine is compromised do NOT continue.
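The checks above are written as commands to eyeball one by one. The script below is an added example, not part of the original procedure, that turns the same three triage steps (blank lines in ps, listeners not on the server's documented port list, hidden or executable files in the temp and spool directories) into small POSIX sh helpers with a final go/no-go gate. Every helper reads captured output or a directory, so it runs against a saved snapshot as well as the live box. The port allow-list, the sample netstat and ps output, and the scratch temp directory are constructed assumptions for the example.

```shell
#!/bin/sh
# Added example (not part of the original checklist): POSIX sh helpers that
# turn the manual pre-hardening checks into repeatable, testable steps.
# Each helper reads captured command output or a directory, so it works on a
# saved snapshot as well as the live machine. The port allow-list, the sample
# netstat/ps output and the temp-directory list are constructed assumptions.

# Count empty lines in `ps auxwww` output; the checklist reads blank lines as
# a possible sign of hidden processes, so a clean listing should yield 0.
ps_blank_lines() {
    # $1: file with saved ps output (stdin when omitted)
    grep -c '^[[:space:]]*$' "${1:--}" || true
}

# Print LISTEN sockets from saved `netstat -nap` (or `ss -lntp`) output whose
# local port is not in the space-separated allow-list $2. No output means every
# listener matches the server's documented baseline.
unexpected_listeners() {
    # $1: file with saved netstat/ss output, $2: allowed ports, e.g. "22 25"
    allow=" $2 "
    grep 'LISTEN' "$1" | while IFS= read -r line; do
        # local address is field 4 in both tools; the port follows the last ':'
        local_addr=$(printf '%s\n' "$line" | awk '{print $4}')
        port=${local_addr##*:}
        case "$allow" in
            *" $port "*) ;;                  # expected service, skip
            *) printf '%s\n' "$line" ;;      # unexplained listener
        esac
    done
}

# List regular files directly inside the given directories that are hidden
# (dot-files) or executable: the items worth a second look in the temp and
# spool locations the checklist names. Missing directories are skipped.
suspicious_temp_files() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -maxdepth 1 -type f \( -name '.*' -o -perm -100 \) 2>/dev/null || true
    done
}

# Gate for the last step of the checklist: succeed (0) only when all three
# checks came back empty; otherwise fail (1) and hardening must not proceed.
triage_verdict() {
    # $1: blank-line count, $2: unexpected listener lines, $3: suspicious file count
    [ "$1" -eq 0 ] && [ -z "$2" ] && [ "$3" -eq 0 ]
}

# Constructed sample data, written to a scratch directory so the helpers can
# be exercised without touching the real system. The 8899 listener shows no
# owning process, the situation the checklist describes (hidden from ps,
# visible to netstat).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/netstat.txt" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1024/master
tcp        0      0 0.0.0.0:8899            0.0.0.0:*               LISTEN      -
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED 2048/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           701/dhclient
EOF
printf 'USER PID %%CPU %%MEM COMMAND\nroot 1 0.0 0.1 /sbin/init\n\nroot 812 0.0 0.2 /usr/sbin/sshd\n' \
    > "$SAMPLE_DIR/ps.txt"
mkdir -p "$SAMPLE_DIR/tmp"
: > "$SAMPLE_DIR/tmp/.hidden"            # dot-file, should be listed
: > "$SAMPLE_DIR/tmp/notes.txt"          # ordinary file, should not be listed
: > "$SAMPLE_DIR/tmp/run"; chmod 700 "$SAMPLE_DIR/tmp/run"   # executable, listed

# Run the three checks on the live machine when invoked with --live [ports].
run_live_triage() {
    # $1: allowed ports for this server
    ps auxwww > "$SAMPLE_DIR/live_ps.txt"
    if command -v netstat >/dev/null 2>&1; then
        netstat -nap > "$SAMPLE_DIR/live_net.txt" 2>/dev/null
    else
        ss -lntp > "$SAMPLE_DIR/live_net.txt" 2>/dev/null
    fi
    blanks=$(ps_blank_lines "$SAMPLE_DIR/live_ps.txt")
    listeners=$(unexpected_listeners "$SAMPLE_DIR/live_net.txt" "$1")
    files=$(suspicious_temp_files /tmp /var/tmp /dev/shm /var/spool/samba | grep -c '' || true)
    printf 'blank ps lines: %s\nunexpected listeners:\n%s\nsuspicious temp files: %s\n' \
        "$blanks" "${listeners:-(none)}" "$files"
    triage_verdict "$blanks" "$listeners" "$files"
}

if [ "${1:-}" = "--live" ]; then
    run_live_triage "${2:-22}" || { echo 'findings present: do NOT continue hardening'; exit 1; }
fi
```

Invoked as `sh triage.sh --live "22 25 80 443"` the script captures ps and netstat (falling back to ss where netstat is absent), prints the three findings, and exits non-zero when anything is unexplained, which is the point at which the checklist says to stop. The allow-list should come from the server's build documentation, not from whatever happens to be listening today, otherwise a pre-existing implant would simply be baselined in.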