Technology & Engineering: information security solutions tied to the technology of well-known vendors such as Microsoft, IBM, Cisco, ...
#1
Status: Member
Join Date: 22/09/2009
Posts: 208
Thanks: 79
Thanked 184 Times in 119 Posts
Securing your Linux server is important to protect your data, intellectual property, and time from the hands of crackers (hackers). The system administrator is responsible for securing the Linux box. In this first part of a Linux server security series, I will provide 20 hardening tips for a default installation of a Linux system.
#1: Encrypt Data Communication
All data transmitted over a network is open to monitoring. Encrypt transmitted data whenever possible, with passwords or using keys / certificates.
#1.1: Avoid Using FTP, Telnet, And Rlogin / Rsh
Under most network configurations, user names, passwords, FTP / telnet / rsh commands and transferred files can be captured by anyone on the same network using a packet sniffer. The common solution to this problem is to use either OpenSSH, SFTP, or FTPS (FTP over SSL), which adds SSL or TLS encryption to FTP. Type the following command to delete NIS, rsh and other outdated services:
# yum erase inetd xinetd ypserv tftp-server telnet-server rsh-server

Do you really need all sorts of web services installed? Avoid installing unnecessary software, to avoid the vulnerabilities that come with it. Use the package manager, such as yum (RPM) or apt-get and/or dpkg, to review the full set of software packages installed on a system. Delete all unwanted packages.
# yum list installed
# yum list packageName
# yum remove packageName
# dpkg --list
# dpkg --info packageName
# apt-get remove packageName

#3: One Network Service Per System or VM Instance
* Install and Setup XEN Virtualization Software on CentOS Linux 5
* How To Setup OpenVZ under RHEL / CentOS Linux

#4: Keep Linux Kernel and Software Up to Date
# yum update
# apt-get update && apt-get upgrade

#5: Use Linux Security Extensions
Linux comes with various security patches which can be used to guard against misconfigured or compromised programs. If possible, use SELinux and other Linux security extensions to enforce limitations on network and other programs. For example, SELinux provides a variety of security policies for the Linux kernel.

#5.1: SELinux
I strongly recommend using SELinux, which provides a flexible Mandatory Access Control (MAC). Under standard Linux Discretionary Access Control (DAC), an application or process running as a user (UID or SUID) has the user's permissions to objects such as files, sockets, and other processes. Running a MAC kernel protects the system from malicious or flawed applications that can damage or destroy the system.
See the official Redhat documentation, which explains SELinux configuration.

#6: User Accounts and Strong Password Policy
Use the useradd / usermod commands to create and maintain user accounts. Make sure you have a good and strong password policy. For example, a good password is at least 8 characters long and mixes letters, numbers, special characters, and upper- and lower-case letters. Most importantly, pick a password you can remember. Use tools such as "John the Ripper" to find weak user passwords on your server. Configure pam_cracklib.so to enforce the password policy.

#6.1: Password Aging
The chage command changes the number of days between password changes and the date of the last password change. This information is used by the system to determine when a user must change his/her password. The /etc/login.defs file defines the site-specific configuration for the shadow password suite, including the password aging configuration. To disable password aging, enter:
chage -M 99999 userName
To get password expiration information, enter:
chage -l userName
Finally, you can also edit the /etc/shadow file in the following fields:
{userName}:{password}:{lastpasswdchanged}:{Minimum_days}:{Maximum_days}:{Warn}:{Inactive}:{Expire}:
Where,
1. Minimum_days: The minimum number of days required between password changes, i.e. the number of days left before the user is allowed to change his/her password.
2. Maximum_days: The maximum number of days the password is valid (after that the user is forced to change his/her password).
3. Warn: The number of days before the password is to expire that the user is warned that his/her password must be changed.
4. Expire: Days since Jan 1, 1970 that the account is disabled, i.e. an absolute date specifying when the login may no longer be used.
I recommend the chage command instead of editing /etc/shadow by hand:
# chage -M 60 -m 7 -W 7 userName
* Linux: Force Users To Change Their Passwords Upon First Login
* Linux turn On / Off password expiration / aging
* Lock the user password
* Search for all accounts without a password and lock them
* Use Linux groups to enhance security

#6.2: Restricting Use of Previous Passwords
You can prevent all users from reusing the same old passwords under Linux. The pam_unix module parameter remember can be used to configure the number of previous passwords that cannot be reused.

#6.3: Locking User Accounts After Login Failures
Under Linux you can use the faillog command to display faillog records or to set login failure limits. faillog formats the contents of the failure log from the /var/log/faillog database / log file. It can also be used to maintain failure counters and limits. To see failed login attempts, enter:
faillog
faillog -r -u userName
# lock account
passwd -l userName
# unlock account
passwd -u userName

Type the following command to find all accounts without a password, then lock them:
# awk -F: '($2 == "") {print}' /etc/shadow
# passwd -l accountName

#6.5: Make Sure No Non-Root Accounts Have UID Set To 0
# awk -F: '($3 == "0") {print}' /etc/passwd
root:x:0:0:root:/root:/bin/bash
(Cont...)
__________________
The Long River surges ever eastward. White-crested waves sweep heroes away. Right and wrong, success and failure, follow the current. The towering realm ends in empty hands. Last edited by tanhosy; 14/11/2009 at 02:30 AM.
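As an added example that is not part of the original post: a small shell audit of the #6.1, #6.4 and #6.5 checks above (password aging, empty password fields, extra UID-0 accounts), run against constructed copies of /etc/passwd and /etc/shadow. The sample accounts, hashes and the 60-day limit are made up for the demonstration; point the functions at the real files (as root) to audit a live host.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits copies of /etc/passwd
# and /etc/shadow with awk, then prints the remediation the post recommends
# (chage / passwd -l) without running it. All sample data below is constructed.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASSWD="$WORK/passwd"
SHADOW="$WORK/shadow"

# Constructed sample: "backdoor" has UID 0, "bob" has an empty password field.
cat >"$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
backdoor:x:0:0:looks harmless:/home/backdoor:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
svc:x:1002:1002:service:/var/lib/svc:/sbin/nologin
EOF

# Shadow layout: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# "*" and "!!" are no-login / locked markers, not empty passwords.
cat >"$SHADOW" <<'EOF'
root:$6$salt$hash:14000:7:60:7:::
bin:*:14000:0:99999:7:::
backdoor:$6$salt$hash:14000:0:99999:7:::
alice:$6$salt$hash:14000:7:60:7:::
bob::14000:0:99999:7:::
svc:!!:14000:0:99999:7:::
EOF

# #6.5: every account with UID 0 whose name is not literally "root".
uid0_non_root() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# #6.4: accounts whose password field is empty (login without any password).
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# #6.1: accounts with a real hash whose maximum password age exceeds LIMIT days.
# Locked ("!", "!!") and no-login ("*") entries are skipped; an empty max field
# means aging is not enforced at all, so it is reported too.
password_aging_violations() {
    awk -F: -v lim="$2" '
        $2 != "" && $2 !~ /^[!*]/ && ($5 == "" || $5 + 0 > lim + 0) { print $1 }
    ' "$1"
}

# Emit the commands an admin would run, one per finding, for review first.
remediation_plan() {
    for u in $(empty_password_accounts "$SHADOW"); do
        echo "passwd -l $u"
    done
    for u in $(password_aging_violations "$SHADOW" 60); do
        echo "chage -M 60 -m 7 -W 7 $u"
    done
    for u in $(uid0_non_root "$PASSWD"); do
        echo "# REVIEW: $u has UID 0 - remove it or document why it is authorized"
    done
}

remediation_plan
```

On the constructed data the plan locks bob, puts a 60-day maximum on backdoor, and flags backdoor's UID 0 for review; the awk filters are the same `-F:` field tests the post uses, extended so locked and no-login accounts are not mistaken for empty passwords.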
#2
Status: Member
Join Date: 22/09/2009
Posts: 208
Thanks: 79
Thanked 184 Times in 119 Posts
#6.5: Make Sure No Non-Root Accounts Have UID Set To 0
Only the root account has UID 0, with full permissions to access the system. Type the following command to display all accounts with UID set to 0:
# awk -F: '($3 == "0") {print}' /etc/passwd
You should only see one line, as follows:
root:x:0:0:root:/root:/bin/bash
If you see other lines, delete them or make sure the other accounts are authorized by you to use UID 0.

#7: Disable root Login
Never ever log in as the root user. You should use sudo to execute root-level commands as and when required. sudo greatly enhances the security of the system without sharing the root password with other users and admins. sudo provides simple auditing and tracking features too.

#8: Physical Server Security
You must protect physical console access to Linux servers. Configure the BIOS and disable booting from external devices such as DVDs / CDs / USB pen drives. Set BIOS and grub boot loader passwords to protect these settings. All production boxes must be locked in IDCs (Internet Data Centers) and all persons must pass some sort of security check before accessing your server. See also:
* 9 Tips To Protect Linux Servers Physical Console Access.

#9: Disable Unwanted Services
Disable all unnecessary services and daemons (services that run in the background). You need to remove all unwanted services from the system start-up. Type the following command to list all services which are started at boot time in run level 3:
# chkconfig --list | grep '3:on'
To disable a service, enter:
# service serviceName stop
# chkconfig serviceName off

#9.1: Find Listening Network Ports
Use the following command to list all open ports and associated programs:
netstat -tulpn
OR
nmap -sT -O localhost
nmap -sT -O server.example.com
Use iptables to close open ports, or stop all unwanted network services using the above service and chkconfig commands.

#9.2: See Also
* update-rc.d like command on Redhat Enterprise / CentOS Linux.
* Ubuntu / Debian Linux: Services Configuration Tool to Start / Stop System Services.
* Get Detailed Information About Particular IP address Connections Using netstat Command.

#10: Delete X Windows
X Windows on a server is not required. There is no reason to run X Windows on your dedicated mail and Apache web server. You can disable and remove X Windows to improve server security and performance. Edit /etc/inittab and set the run level to 3. Finally, to remove the X Windows system, enter:
# yum groupremove "X Window System"

#11: Configure Iptables and TCPWrappers
Iptables is a user space application program that allows you to configure the firewall (Netfilter) provided by the Linux kernel. Use the firewall to filter out traffic and allow only necessary traffic. Also use TCPWrappers, a host-based networking ACL system, to filter network access to the Internet. You can prevent many denial of service attacks with the help of Iptables:
* Lighttpd Traffic Shaping: Throttle Connections Per Single IP (Rate Limit).
* How to: Linux Iptables block common attack.
* psad: Linux Detect And Block Port Scan Attacks In Real Time.

#12: Linux Kernel /etc/sysctl.conf Hardening
The /etc/sysctl.conf file is used to configure kernel parameters at runtime. Linux reads and applies settings from /etc/sysctl.conf at boot time. Sample /etc/sysctl.conf:
# Turn on execshield
kernel.exec-shield=1
kernel.randomize_va_space=1
# Enable IP spoofing protection
net.ipv4.conf.all.rp_filter=1
# Disable IP source routing
net.ipv4.conf.all.accept_source_route=0
# Ignore broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_messages=1
# Make sure spoofed packets get logged
net.ipv4.conf.all.log_martians = 1

Separating the operating system files from user files may result in a better and more secure system. Make sure the following filesystems are mounted on separate partitions:
* /usr
* /home
* /var and /var/tmp
* /tmp
Create separate partitions for the Apache and FTP server roots. Edit the /etc/fstab file and make sure you add the following configuration options:
1. noexec - Do not set execution of any binaries on this partition (prevents execution of binaries but allows scripts).
2. nodev - Do not allow character or special devices on this partition (prevents use of device files such as zero, sda etc).
3. nosuid - Do not set SUID/SGID access on this partition (prevents the setuid bit).
Sample /etc/fstab entry to limit user access on /dev/sda5 (ftp server root directory):
/dev/sda5 /ftpdata ext3 defaults,nosuid,nodev,noexec 1 2
Make sure disk quota is enabled for all users. To implement disk quotas, use the following steps:
1. Enable quotas per file system by modifying the /etc/fstab file.
2. Remount the file system(s).
3. Create the quota database files and generate the disk usage table.
4. Assign quota policies.
5. See the implementing disk quotas tutorial for further details.

#14: Turn Off IPv6
Internet Protocol version 6 (IPv6) provides a new Internet layer of the TCP/IP protocol suite that replaces Internet Protocol version 4 (IPv4) and provides many benefits. Currently there are no good tools out which are able to check a system over the network for IPv6 security issues. Most Linux distros began enabling the IPv6 protocol by default. Crackers can send bad traffic via IPv6, as most admins are not monitoring it. Unless your network configuration requires it, disable IPv6 or configure the Linux IPv6 firewall:
* RedHat / Centos Disable IPv6 Networking.
* Debian / Ubuntu And Other Linux Distros Disable IPv6 Networking.
* Linux IPv6 Howto - Chapter 19. Security.
* Linux IPv6 Firewall configuration and scripts are available here.
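As an added example that is not part of the original post: a shell checker for the #12 sysctl baseline and the #13 mount options, run against a constructed /etc/fstab and a constructed copy of `sysctl -a` output. The devices, mount points and kernel values in the sample files are made up for the demonstration; feed it the real /etc/fstab and `sysctl -a > sysctl.txt` to audit a live host.

```shell
#!/bin/sh
# Added example, not code from the original post. Reports which mount points in
# an fstab lack nosuid/nodev/noexec and which sysctl keys differ from the
# baseline the post lists. All sample input below is constructed.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
FSTAB="$WORK/fstab"
SYSCTL_OUT="$WORK/sysctl.txt"

# Constructed sample: /tmp is hardened, /ftpdata lacks noexec, /home is defaults only.
cat >"$FSTAB" <<'EOF'
# <device>  <mount>    <type>  <options>                      <dump> <pass>
/dev/sda1   /          ext3    defaults                       1 1
/dev/sda2   /home      ext3    defaults                       1 2
/dev/sda3   /tmp       ext3    defaults,nosuid,nodev,noexec   1 2
/dev/sda5   /ftpdata   ext3    defaults,nosuid,nodev          1 2
EOF

# Constructed sample of "sysctl -a": rp_filter and log_martians are still off.
cat >"$SYSCTL_OUT" <<'EOF'
kernel.randomize_va_space = 2
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_messages = 1
net.ipv4.conf.all.log_martians = 0
EOF

# Print "MOUNT OPTION" for each of nosuid/nodev/noexec missing on a mount point,
# or "MOUNT not-in-fstab" when the mount point has no entry at all.
# Usage: fstab_missing_options FILE MOUNT [MOUNT...]
fstab_missing_options() {
    file="$1"; shift
    for mnt in "$@"; do
        awk -v m="$mnt" '
            $1 !~ /^#/ && NF >= 4 && $2 == m {
                found = 1
                n = split($4, opt, ",")
                for (i = 1; i <= n; i++) seen[opt[i]] = 1
                split("nosuid nodev noexec", want, " ")
                for (i = 1; i <= 3; i++)
                    if (!(want[i] in seen)) print m, want[i]
            }
            END { if (!found) print m, "not-in-fstab" }
        ' "$file"
    done
}

# Compare "key = value" lines with the baseline from the post; print
# "KEY ACTUAL EXPECTED" for each mismatch and "KEY missing EXPECTED" for absent
# keys. randomize_va_space accepts 1 or 2 (2 is stricter than the post's 1).
sysctl_violations() {
    awk -F' *= *' '
        BEGIN {
            want["kernel.randomize_va_space"] = "1|2"
            want["net.ipv4.conf.all.rp_filter"] = "1"
            want["net.ipv4.conf.all.accept_source_route"] = "0"
            want["net.ipv4.icmp_echo_ignore_broadcasts"] = "1"
            want["net.ipv4.icmp_ignore_bogus_error_messages"] = "1"
            want["net.ipv4.conf.all.log_martians"] = "1"
        }
        ($1 in want) {
            have[$1] = $2
            if ($2 !~ "^(" want[$1] ")$") print $1, $2, want[$1]
        }
        END { for (k in want) if (!(k in have)) print k, "missing", want[k] }
    ' "$1"
}

fstab_missing_options "$FSTAB" /home /tmp /ftpdata /var/tmp
sysctl_violations "$SYSCTL_OUT"
```

Checking the running kernel's values rather than /etc/sysctl.conf matters because a setting can be present in the file yet never applied (a typo, or a later file overriding it); the same applies to fstab, where `mount` output is the authoritative source once the system is up.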
#3
Status: SA Member
Join Date: 25/11/2009
Posts: 120
Thanks: 90
Thanked 277 Times in 122 Posts
Tạ Nho Sỹ truly has a profound command of Linux, I bow in admiration.
The Lam River surges on toward the East Sea...
__________________
Happy New Year 2010!
#4
Status: Member
Join Date: 22/09/2009
Posts: 208
Thanks: 79
Thanked 184 Times in 119 Posts
Sorry everyone, I was in the middle of posting and "forgot" to credit the author. Once the whole article is posted I will state the source clearly at the top.