How to secure Linux

Here are a few notes on how to secure Red Hat Linux. They are by no means exhaustive, but they are a place to begin.

Run setup and turn off unnecessary daemons

To do this, run setup, go into System Services and shut off every daemon this machine does not need to offer (chkconfig --list shows what is enabled in each runlevel; ntsysv is the same menu without the rest of setup). Every service left running is one more thing listening on the network that you have to patch and defend.

Next, secure the /etc/passwd file. /etc/passwd has to be world-readable, so any password hashes kept in it can be copied off and cracked offline; this is one of the first things an intruder looks for. Shadow passwords move the hashes into /etc/shadow, which only root can read. To convert, run /usr/sbin/pwconv and /usr/sbin/grpconv (the latter does the same for group passwords, into /etc/gshadow). Afterwards every password field in /etc/passwd should be a single x, and /etc/shadow should be owned by root with no group or world permission bits.
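The checks below, added here as an example that is not part of the original page, audit the result of that conversion: hashes or empty fields left behind in passwd, shadow entries with no password at all (an empty field means login with no password, unlike the locked markers * and !), and shadow permissions that let non-root users read it. The passwd and shadow files it reads are constructed samples in a temporary directory; point the same functions at /etc/passwd and /etc/shadow (as root) to audit a real host.

```shell
#!/bin/sh
# Added example, not part of the original page: audit /etc/passwd and /etc/shadow
# after pwconv.  The two files below are constructed samples; run the functions
# against /etc/passwd and /etc/shadow (as root) on a real host.

WORK=$(mktemp -d)
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
legacy:$1$saltsalt$notarealhash:500:500::/home/legacy:/bin/bash
guest::501:501::/home/guest:/bin/bash
EOF
cat > "$WORK/shadow" <<'EOF'
root:$1$saltsalt$notarealhash:12000:0:99999:7:::
bin:*:12000:0:99999:7:::
sync::12000:0:99999:7:::
EOF
chmod 644 "$WORK/shadow"   # deliberately too open, so the permission check fires

# passwd_leaks FILE : accounts whose passwd password field is not the "x"
# placeholder: a hash left in the world-readable file, or an empty field
passwd_leaks() {
  awk -F: '$2 != "x" { print $1 ":" ($2 == "" ? "EMPTY" : "HASH-IN-PASSWD") }' "$1"
}

# shadow_nopass FILE : shadow entries with an empty password field; these
# accounts log in without a password (locked accounts carry * or ! instead)
shadow_nopass() {
  awk -F: '$2 == "" { print $1 }' "$1"
}

# shadow_perm_ok FILE : succeed only if group and other have no permission bits
shadow_perm_ok() {
  case "$(ls -l "$1" | cut -c1-10)" in
    ????------) return 0 ;;
    *)          return 1 ;;
  esac
}

echo "hashes or empty fields in passwd:"; passwd_leaks "$WORK/passwd"
echo "shadow accounts with no password:"; shadow_nopass "$WORK/shadow"
if shadow_perm_ok "$WORK/shadow"; then echo "shadow permissions: ok"
else echo "shadow permissions: too open, chmod 400 it"; fi
```

An account reported by shadow_nopass should be locked (passwd -l user, or put * in the field) rather than left alone, and anything reported by passwd_leaks means pwconv has not been run since that entry was created.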

You also need to edit /etc/hosts.allow and /etc/hosts.deny. These two files control which machines may connect to your computer and to which services, but only for services that go through TCP wrappers: those started by inetd via /usr/sbin/tcpd, and daemons linked against libwrap (sshd and portmap on Red Hat of this era). A standalone daemon such as Apache ignores them, which is one reason you still need a packet filter. A good general policy is "deny access to everyone except those who should have it", so /etc/hosts.deny should contain the following line:


ALL:ALL

Now that everyone is denied, suppose we want to allow some machines to connect to our system, as on a home network. Our machines are:

192.168.0.0 subnet - needs to be able to connect to all services

We would then add the following line to /etc/hosts.allow (if your version of tcp_wrappers rejects the /24 prefix notation, write the subnet in netmask form, 192.168.0.0/255.255.255.0, or as the trailing-dot prefix 192.168.0.):


ALL:192.168.0.0/24

If you are running SSH and want to log in from outside that subnet, add the following to hosts.allow. Note that this opens sshd to every address on the Internet, so if you only ever connect from a few networks, list those instead of ALL. sshd honours these files only when it was built with tcp_wrappers (libwrap) support, as Red Hat's was; OpenSSH dropped that support in 6.7, so on newer systems restrict SSH with the firewall or with AllowUsers in sshd_config instead.

sshd:ALL:allow
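To see how the two files combine, here is a small model of the lookup order, added here as an example and not part of the original page or of tcp_wrappers itself: hosts.allow is searched first, then hosts.deny, and a client that matches neither is let in. It reads rule files constructed in a temporary directory rather than /etc, and only understands ALL, daemon names, exact addresses, trailing-dot prefixes and net/prefixlen client patterns (no hostnames, no EXCEPT).

```shell
#!/bin/sh
# Added example, not from the original page: a model of how tcp_wrappers walks
# hosts.allow and then hosts.deny, run against constructed rule files in a temp
# directory.  Client patterns understood: ALL, an exact address, a trailing-dot
# prefix (192.168.0.) and net/prefixlen (192.168.0.0/24).  Hostnames and EXCEPT
# lists are not modelled.

WRAP_DIR=$(mktemp -d)
printf 'ALL:ALL\n' > "$WRAP_DIR/hosts.deny"
printf 'ALL:192.168.0.0/24\nsshd:ALL:allow\n' > "$WRAP_DIR/hosts.allow"

# ip2int A.B.C.D : dotted quad as a 32-bit integer
ip2int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# client_match PATTERN IP : succeed if IP matches one client pattern
client_match() {
  case "$1" in
    ALL) return 0 ;;
    */*) net=${1%/*}; bits=${1#*/}
         mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
         [ $(( $(ip2int "$2") & mask )) -eq $(( $(ip2int "$net") & mask )) ] ;;
    *.)  case "$2" in "$1"*) return 0 ;; *) return 1 ;; esac ;;
    *)   [ "$1" = "$2" ] ;;
  esac
}

# first_match FILE DAEMON IP DEFAULT : print the verdict of the first rule in
# FILE matching DAEMON and IP (its allow/deny option if it has one, otherwise
# DEFAULT); fail if no rule matches or the file is absent
first_match() {
  [ -r "$1" ] || return 1
  while IFS= read -r line || [ -n "$line" ]; do
    line=$(printf '%s' "${line%%#*}" | tr -d ' \t')   # drop comments and blanks
    case "$line" in *:*) ;; *) continue ;; esac
    dlist=${line%%:*}; rest=${line#*:}; clist=${rest%%:*}
    case "$rest" in *:*) opt=${rest#*:} ;; *) opt= ;; esac
    for d in $(printf '%s' "$dlist" | tr ',' ' '); do
      [ "$d" = ALL ] || [ "$d" = "$2" ] || continue
      for c in $(printf '%s' "$clist" | tr ',' ' '); do
        if client_match "$c" "$3"; then
          case "$opt" in allow|deny) echo "$opt" ;; *) echo "$4" ;; esac
          return 0
        fi
      done
    done
  done < "$1"
  return 1
}

# wrap_decision DAEMON IP : hosts.allow first, then hosts.deny, else allow
wrap_decision() {
  v=$(first_match "$WRAP_DIR/hosts.allow" "$1" "$2" allow) && { echo "$v"; return 0; }
  v=$(first_match "$WRAP_DIR/hosts.deny"  "$1" "$2" deny)  && { echo "$v"; return 0; }
  echo allow
}

for probe in "httpd 192.168.0.7" "httpd 10.1.2.3" "sshd 10.1.2.3" "in.fingerd 192.168.1.9"; do
  set -- $probe
  printf '%-11s from %-13s -> %s\n' "$1" "$2" "$(wrap_decision "$1" "$2")"
done
```

The third probe shows what the sshd:ALL:allow line does: sshd is reachable from 10.1.2.3 even though everything else is denied there. On a real host, tcpdmatch sshd 10.1.2.3 asks the installed library the same question against the live /etc/hosts.allow and /etc/hosts.deny. Deleting hosts.deny is the same as allowing everything, which is why the deny-all line goes in first.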

Edit /etc/issue and /etc/issue.net and remove everything that identifies the distribution, release and kernel version. Volunteering that information tells an attacker which exploits to try. Note that older Red Hat releases regenerate /etc/issue at boot from /etc/rc.d/rc.local, so edit or remove that part of rc.local too, or the banner comes back at the next reboot.

Edit /etc/motd with a warning about the consequences of unauthorized use of the system. /etc/motd is shown after a successful login; for a warning that appears before login, put the same text in /etc/issue (console) and point sshd at it with Banner /etc/issue.net in sshd_config. An example of such a message is below:

Warning!!!
Computing activities other than those authorized by <your name or company> are strictly prohibited on this computer. Unauthorized use or access is regarded as a criminal act in the nature of theft, and violators are subject to civil and criminal prosecution. Users' activities on this computer may be monitored without prior notice.

Edit /etc/sysctl.conf and add the following. Settings in this file are applied at boot; run sysctl -p to load them immediately. Leave ip_forward at 0 unless this machine is meant to route packets for others (a firewall box needs it on):

net.ipv4.ip_forward = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.log_martians = 1
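As an added example (not part of the original page), here is the same fragment extended with the net.ipv4.conf.default.* counterparts, together with a small audit that reads the kernel's current values from a /proc/sys-style tree and reports any that differ. The default.* lines matter because for send_redirects and log_martians, and for accept_redirects while forwarding is off, the kernel treats the setting as on if either conf.all or the per-interface value is on, and conf.default is what interfaces that appear later inherit. The tree the script audits is a constructed fixture so it runs without root; audit_sysctl /proc/sys checks the live kernel.

```shell
#!/bin/sh
# Added example, not from the original page: the hardening fragment with the
# conf.default.* counterparts, plus an audit that reads current values back
# from a /proc/sys-style tree.  The tree below is a constructed fixture; use
# audit_sysctl /proc/sys for the running kernel.

HARDENED_SYSCTL='
net.ipv4.ip_forward = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
'

# audit_sysctl ROOT : for each key=value in HARDENED_SYSCTL read
# ROOT/<key with dots turned into slashes>, print every mismatch as
# "key: want X have Y" and return how many there were
audit_sysctl() {
  bad=0
  for entry in $(printf '%s\n' "$HARDENED_SYSCTL" | tr -d ' \t' | grep '='); do
    key=${entry%%=*}; want=${entry#*=}
    path="$1/$(printf '%s' "$key" | tr '.' '/')"
    if [ -r "$path" ]; then have=$(cat "$path"); else have='(missing)'; fi
    if [ "$have" != "$want" ]; then
      echo "$key: want $want have $have"
      bad=$((bad + 1))
    fi
  done
  return $bad
}

# Constructed fixture standing in for /proc/sys, with two values left wrong
FIX=$(mktemp -d)
mkdir -p "$FIX/net/ipv4/conf/all" "$FIX/net/ipv4/conf/default"
echo 1 > "$FIX/net/ipv4/ip_forward"                      # wrong: forwarding on
echo 1 > "$FIX/net/ipv4/icmp_echo_ignore_broadcasts"
echo 1 > "$FIX/net/ipv4/icmp_ignore_bogus_error_responses"
for iface in all default; do
  echo 0 > "$FIX/net/ipv4/conf/$iface/accept_source_route"
  echo 0 > "$FIX/net/ipv4/conf/$iface/accept_redirects"
  echo 0 > "$FIX/net/ipv4/conf/$iface/send_redirects"
  echo 1 > "$FIX/net/ipv4/conf/$iface/log_martians"
done
echo 1 > "$FIX/net/ipv4/conf/default/accept_redirects"   # wrong: redirects accepted

audit_sysctl "$FIX"
echo "mismatches: $?"
```

To apply the fragment for real, append the contents of HARDENED_SYSCTL to /etc/sysctl.conf and run sysctl -p; then audit_sysctl /proc/sys should print nothing and return 0.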

One tool that is useful for checking Linux servers is nmap, a port scanner. A word of warning: only use it on your own servers, or with the owner's permission (get it in writing!). Scanning someone else's computer without permission is generally taken as the prelude to an attack, and legal action against you is possible.

Having said that, run nmap against your Linux server. In my case I have two Linux servers, so I run nmap on each of them regularly. To do so, just type nmap <ip_address>, where ip_address is the target computer. Run it from a second machine rather than from the server itself, so that you see what the network sees, and add -p- to scan all 65535 TCP ports instead of nmap's default list of common ones.

You must also run a firewall. TCP wrappers only cover wrapped services; a packet filter protects everything else. For information on how to set one up, go to the iptables page.

To see what ports are open, type netstat -vat (add -u to include UDP sockets, -n to print numeric ports, and -p, as root, to see which process owns each socket). It will return something similar to the following:

tcp 0 0 *:6000 *:* LISTEN
tcp 0 0 *:www *:* LISTEN
tcp 0 0 *:auth *:* LISTEN
tcp 0 0 *:finger *:* LISTEN
tcp 0 0 *:shell *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN

Each line that says LISTEN is a service waiting for connections. A local address of *:port (or 0.0.0.0:port) means the service is bound on every interface and reachable from the network; one bound to localhost or 127.0.0.1 can only be reached from the machine itself.

Some of these services run as stand-alone programs, but many are started on demand by inetd from /etc/inetd.conf (Red Hat 7 and later use xinetd instead, with one file per service under /etc/xinetd.d). If you are not sure whether a service is one of these, look it up there. For instance, if you type

grep '^finger' /etc/inetd.conf

you will get back a line from inetd.conf like the one below. The /usr/sbin/tcpd field means the connection passes through TCP wrappers before in.fingerd is started. To disable the service, comment the line out and run killall -HUP inetd so that inetd rereads the file:

finger stream tcp nowait nobody /usr/sbin/tcpd /usr/sbin/in.fingerd
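An added example, not from the original page, that ties the two checks together: it parses netstat-style output to list every listening socket, marks which ones are bound on all interfaces (reachable from the network) rather than only on loopback, and looks each service name up in inetd.conf to tell an inetd service (and whether it is wrapped by tcpd) from a standalone daemon. Both input files are constructed samples written to a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original page: list listening sockets from
# netstat output, flag those bound on every interface, and check inetd.conf for
# each service.  Both input files are constructed samples.

WORK=$(mktemp -d)
cat > "$WORK/netstat.txt" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:6000                  *:*                     LISTEN
tcp        0      0 *:www                   *:*                     LISTEN
tcp        0      0 *:auth                  *:*                     LISTEN
tcp        0      0 *:finger                *:*                     LISTEN
tcp        0      0 *:shell                 *:*                     LISTEN
tcp        0      0 *:sunrpc                *:*                     LISTEN
tcp        0      0 localhost:smtp          *:*                     LISTEN
tcp        0      0 192.168.0.2:ssh         192.168.0.5:1043        ESTABLISHED
EOF
cat > "$WORK/inetd.conf" <<'EOF'
# service type   proto wait   user   server               args
finger    stream tcp   nowait nobody /usr/sbin/tcpd       /usr/sbin/in.fingerd
shell     stream tcp   nowait root   /usr/sbin/tcpd       /usr/sbin/in.rshd
auth      stream tcp   nowait nobody /usr/sbin/in.identd  in.identd -l -e -o
#telnet   stream tcp   nowait root   /usr/sbin/tcpd       /usr/sbin/in.telnetd
EOF

# listeners FILE : "service scope" for each LISTEN line, where scope is
# all-interfaces for *, 0.0.0.0 or :: bindings, loopback for 127.x/localhost,
# and the bound address otherwise
listeners() {
  awk '$NF == "LISTEN" {
         n = split($4, a, ":"); svc = a[n]
         host = substr($4, 1, length($4) - length(svc) - 1)
         if (host == "*" || host == "0.0.0.0" || host == "::") scope = "all-interfaces"
         else if (host == "localhost" || host ~ /^127\./ || host == "::1") scope = "loopback"
         else scope = host
         print svc, scope
       }' "$1"
}

# inetd_status INETD SERVICE : inetd/tcpd if inetd starts it through tcpd,
# inetd/unwrapped if inetd starts it directly, standalone if not in the file
inetd_status() {
  awk -v s="$2" '
    $1 == s { r = ($6 ~ /tcpd$/) ? "inetd/tcpd" : "inetd/unwrapped"; print r; found = 1; exit }
    END     { if (!found) print "standalone" }' "$1"
}

# report NETSTAT INETD : one line per listener; the all-interfaces ones are
# what the network sees, and each of them needs a reason to stay on
report() {
  listeners "$1" | while read -r svc scope; do
    printf '%-8s %-15s %s\n' "$svc" "$scope" "$(inetd_status "$2" "$svc")"
  done
}

report "$WORK/netstat.txt" "$WORK/inetd.conf"
```

On a real host feed it netstat -at (or -atn, matching numeric ports to names yourself) and /etc/inetd.conf. Anything reported as inetd/unwrapped bypasses hosts.allow and hosts.deny entirely, and anything standalone on all interfaces is only protected by the firewall.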

Control access to Cron

Create /etc/cron.deny listing the users below. If /etc/cron.allow exists it takes precedence, and then only the users named in it may use crontab; cron.deny is consulted only when cron.allow is absent.

bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
gopher
ftp
nobody
rpc
vcsa
nscd
sshd
rpm
mailnull
smmsp
rpcuser
nfsnobody
pcap

Change the login shell of the following users to /sbin/nologin (usermod -s /sbin/nologin <user> does this without hand-editing /etc/passwd):

sync, shutdown, news, rpm
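The two account clean-ups above (cron.deny and nologin shells) can be checked with one audit over /etc/passwd and /etc/cron.deny, added here as an example that is not part of the original page. It lists system accounts that still carry an interactive shell, and models crontab(1)'s access check: if /etc/cron.allow exists it is the only list consulted, otherwise cron.deny is, and the case where neither file exists is treated as root-only, which is an assumption (Red Hat's default; other builds of Vixie cron allow everyone). Accounts below UID 500 count as system accounts, the Red Hat convention at the time; later releases use 1000. The files it reads are constructed copies in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original page: audit login shells of system
# accounts and model who may use crontab, over constructed copies of
# /etc/passwd and /etc/cron.deny.  Point the functions at /etc on a real host.

SYS_UID_MAX=500                         # Red Hat's system-account cut-off at the time
NOLOGIN='/sbin/nologin /bin/false'      # shells that count as non-interactive

WORK=$(mktemp -d)
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
news:x:9:13:news:/etc/news:/bin/bash
rpm:x:37:37::/var/lib/rpm:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
EOF
printf '%s\n' bin daemon sync shutdown news rpm nobody > "$WORK/cron.deny"

# login_shells PASSWD : system accounts (0 < uid < SYS_UID_MAX) whose shell is
# not in NOLOGIN, printed as user:shell
login_shells() {
  awk -F: -v max="$SYS_UID_MAX" -v nologin="$NOLOGIN" '
    BEGIN { n = split(nologin, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $3 > 0 && $3 < max && !($7 in ok) { print $1 ":" $7 }' "$1"
}

# cron_allowed USER ETC : succeed if USER may run crontab under the files in
# ETC.  cron.allow, when present, is the only list consulted; otherwise a user
# is allowed unless named in cron.deny; with neither file we assume root-only
# (the Red Hat default; other builds of Vixie cron allow everyone)
cron_allowed() {
  if [ -f "$2/cron.allow" ]; then
    grep -qx "$1" "$2/cron.allow"
  elif [ -f "$2/cron.deny" ]; then
    ! grep -qx "$1" "$2/cron.deny"
  else
    [ "$1" = root ]
  fi
}

# cron_capable PASSWD ETC : every account in PASSWD that cron_allowed accepts
cron_capable() {
  cut -d: -f1 "$1" | while read -r u; do
    cron_allowed "$u" "$2" && echo "$u"
  done
}

echo "system accounts with interactive shells:"; login_shells "$WORK/passwd"
echo "accounts that may use crontab:"; cron_capable "$WORK/passwd" "$WORK"
```

With the page's cron.deny in place the crontab list comes down to root and the real users; every system account that login_shells reports is one to hand to usermod -s /sbin/nologin.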

Run the following shell script to remove the SUID and SGID bits from the binaries below. A set-user-ID root program runs with root's privileges no matter who executes it, so each one is a path to root if it has a bug. Clearing the bit does not stop ordinary users from running the program; it makes the program run with the caller's own privileges, which for most of these means it stops working for non-root users: ping, ping6 and traceroute need raw sockets, mount and umount need root, and chage, gpasswd, chfn, chsh and newgrp need to write /etc/passwd or /etc/shadow. Decide per binary whether you can live with that. Removing the bit from ssh-keysign breaks host-based SSH authentication; rcp, rlogin and rsh are better removed altogether than left around without the bit; and dropping the set-group-ID bit from sendmail.sendmail can break mail submission by ordinary users, since the submission program can no longer write to /var/spool/clientmqueue. rpm puts the packaged permissions back when a package is upgraded, so re-run the script after updates (rpm -Va lists files whose mode differs from the package).

#!/bin/sh
# Remove the SUID and SGID bits from these programs so that they run with the
# privileges of whoever invokes them instead of root (or the owning group).
# Non-root users will no longer be able to use most of them.  rpm restores the
# packaged permissions when a package is upgraded, so re-run this afterwards.

# programs shipped set-user-ID root
SUID_PROGS="/usr/bin/chage /usr/bin/gpasswd /usr/bin/chfn /usr/bin/chsh
/usr/bin/newgrp /usr/sbin/usernetctl /usr/sbin/traceroute /usr/sbin/ping6
/bin/mount /bin/umount /bin/ping /sbin/netreport /usr/bin/at
/usr/bin/rcp /usr/bin/rlogin /usr/bin/rsh /usr/bin/ssh-keysign /usr/libexec/pt_chown"

# programs shipped set-group-ID
SGID_PROGS="/usr/bin/wall /usr/bin/write /usr/bin/lockfile /usr/bin/slocate
/usr/sbin/utempter /usr/sbin/gnome-pty-helper /usr/sbin/lockdev
/usr/sbin/sendmail.sendmail"

# chmod a-s clears both the set-user-ID and the set-group-ID bit;
# binaries that are not installed on this machine are skipped
for prog in $SUID_PROGS $SGID_PROGS; do
  if [ -f "$prog" ]; then
    chmod a-s "$prog"
  else
    echo "not installed, skipped: $prog"
  fi
done
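As an added example (not from the original page), here is the check that goes with that script: an inventory of every setuid/setgid file on a filesystem, diffed against a saved baseline, so you can see both the bits the script removed and any that an upgrade or an intruder put back. It runs over a small tree constructed in a temporary directory; on a real host, save setid_inventory / to a baseline file once and run setid_diff against it after each update.

```shell
#!/bin/sh
# Added example, not from the original page: inventory setuid/setgid files and
# diff against a baseline.  The tree here is constructed; on a real host use
#   setid_inventory / > /var/lib/setid.baseline      (once, after hardening)
#   setid_diff /var/lib/setid.baseline /            (after every update)

# setid_inventory DIR : sorted paths of regular files with the setuid or setgid
# bit, without crossing into other filesystems
setid_inventory() {
  find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# setid_diff BASELINE DIR : "+ path" for setid files not in BASELINE (new or
# restored bits), "- path" for baseline entries that lost the bit
setid_diff() {
  now=$(mktemp)
  setid_inventory "$2" > "$now"
  comm -13 "$1" "$now" | sed 's/^/+ /'
  comm -23 "$1" "$now" | sed 's/^/- /'
  rm -f "$now"
}

# Constructed tree: three setuid files, one setgid file, one plain file
ROOT=$(mktemp -d)
mkdir -p "$ROOT/bin" "$ROOT/usr/bin"
for f in bin/ping bin/mount usr/bin/chsh usr/bin/wall usr/bin/plain; do
  printf '#!/bin/sh\nexit 0\n' > "$ROOT/$f"; chmod 755 "$ROOT/$f"
done
chmod u+s "$ROOT/bin/ping" "$ROOT/bin/mount" "$ROOT/usr/bin/chsh"
chmod g+s "$ROOT/usr/bin/wall"

BASE=$(mktemp)
setid_inventory "$ROOT" > "$BASE"        # record the baseline

chmod a-s "$ROOT/bin/ping"               # the page's hardening step
chmod u+s "$ROOT/usr/bin/plain"          # a new setuid binary appearing later

echo "changes since baseline:"
setid_diff "$BASE" "$ROOT"
```

A "+" line after a package upgrade is the bit rpm restored and you need to clear again; a "+" line you cannot explain is worth treating as an incident.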

This is by no means complete, but it should get you started on making your Linux box secure. It is also a good idea to move SSH to a non-standard port such as 270. That is obscurity rather than security: it cuts the noise from automated scans of port 22, but a full port scan still finds the service, so it is no substitute for the rest of this page. Here is how to do it:

Edit /etc/ssh/sshd_config and uncomment the following line (sshd_config keywords are case-insensitive, so port and Port both work):

#Port 22

to look like:

Port 270

Check the file with sshd -t, open the new port in your firewall, then restart sshd (service sshd restart) from a session you keep open, so that a mistake does not lock you out.