8/3/2019 Secure Machine Translate)
1/24
Installation Guidelines
GRUB/LILO
GRUB is the boot loader of choice for RedHat installations; however, LILO may always be used in the case of most flavors of Linux. GRUB/LILO can receive many different kernel-level commands, and this poses a major security risk if an attacker is able to compromise the kernel. In response you can make sure that only authorized users are able to perform those commands by password-protecting the boot loader during the installation process. If using GRUB, the password is by default stored as clear text, so you will want to modify the /etc/grub.conf file to store the password as an MD5 hash.
$ /sbin/grub-md5-crypt
Password: (at the prompt enter the GRUB password you created at installation and press enter)
$1$m0tLR/$#%t%661GFGftffgctTFTDd (this is the MD5 hash)
Edit the grub.conf file and replace the clear-text password with the MD5 hash. You must use the --md5 option; without it GRUB treats the hash string itself as the clear-text password rather than as an encrypted one.
password --md5 $1$m0tLR/$#%t%661GFGftffgctTFTDd
Partitioning
Partitioning correctly will help to mitigate one specific type of denial of service: for example, an attack designed to fill up a /tmp or spool directory. If your files are on the same partition as the directory under attack, your system could be rendered unusable. Use a partition strategy that isolates those directories most likely to be filled by an attacker; typically this is /var and /home. If you are using a server for FTP or email, you may want to consider separate partitions for the application-specific files.
/boot  contains all files for the boot process
/home  contains individual user home directories
/usr   contains files shared across a system by multiple users
/var   contains files that are dynamic by nature (log files, spool files, scheduler files etc.)
/      contains files for system management when no other partition is available
/tmp   contains temp files
swap   contains paging files for memory management
Recommended System Scheme Configurations
Workstation: swap = 2 x physical memory; /boot = 50 MB; / = depends on disk space
Server: swap = 2 x physical memory; /boot = 50 MB; / = 384 MB; /var = 256 MB; /usr = depends on disk space; /home = depends on disk space
Laptop: swap = 2 x physical memory; /boot = 50 MB; / = depends on disk space
Custom: swap = 2 x physical memory; /boot = 50 MB; / = depends on disk space
Firewall Configuration on Installation
No Firewall: allows complete access to your system with no security check at all.
Medium: restrictions are automatically placed on certain services: ports lower than 1023, the NFS server port 2049, the local X Windows display for remote clients, and the X font server port.
High: most restrictive; denies all access except DNS, DHCP and anything else explicitly allowed.
If possible install IPTables; it is an improvement over the default installation. It can be found at http://www.iptables.org. In RedHat 8 and above it is the default firewall daemon.
Account Authentication Configuration
Make sure that the root password is secure and that you maintain an MD5 checksum of all the passwords in a separate file. Make sure that the password file itself is shadowed; this should be the default on RedHat installations.
Package Installation:
Install only what you think you will need. You can always install new packages in the future.
Network Security
Network Parameter Modification (RedHat only)
Edit /etc/sysctl.conf with the following changes:
net.ipv4.ip_forward = 0 (disables IP forwarding; it should only be enabled if you plan to use the machine as a router/gateway)
net.ipv4.conf.all.accept_source_route = 0 (disables IP source routing)
net.ipv4.tcp_max_syn_backlog = 4096 (enables SYN flood protection)
net.ipv4.conf.all.rp_filter = 1 (enables IP spoofing protection)
net.ipv4.tcp_syncookies = 1 (enables TCP SYN flood protection)
net.ipv4.conf.all.send_redirects = 0 (disables the ability to send ICMP redirects)
net.ipv4.conf.all.accept_redirects = 0 (disables ICMP redirect acceptance)
net.ipv4.conf.default.accept_redirects = 0 (also disables ICMP redirect acceptance)
Save the changes and run the following commands as root:
# chown root:root /etc/sysctl.conf
# chmod 0600 /etc/sysctl.conf
# /etc/rc.d/init.d/network restart
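An added example, not part of the original guide: a small POSIX sh audit of the sysctl values listed above, run either against a sysctl.conf-style file or against the live kernel via /proc/sys. The sample sysctl.conf and its deviations are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit the sysctl hardening
# values recommended above, either in a sysctl.conf-style file or in the
# running kernel (/proc/sys). All sample data below is constructed.

# Expected hardening values from the guide, one key=value per line.
EXPECTED='net.ipv4.ip_forward=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.tcp_max_syn_backlog=4096
net.ipv4.conf.all.rp_filter=1
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0'

# conf_value KEY FILE: print the value assigned to KEY in a sysctl.conf-style
# file (comments and whitespace ignored, last assignment wins); empty if unset.
conf_value() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$2" |
        awk -F= -v k="$1" '$1 == k { v = $2; seen = 1 } END { if (seen) print v }'
}

# live_value KEY: print the value the running kernel currently uses
# (dots in the key become path components under /proc/sys).
live_value() {
    path="/proc/sys/$(printf '%s' "$1" | tr . /)"
    [ -r "$path" ] && cat "$path"
}

# audit_sysctl GETTER [FILE]: compare every expected key against GETTER's
# answer, print one status line per key and return the number of keys that
# are missing or differ (0 means fully compliant).
audit_sysctl() {
    getter=$1; src=${2:-}; bad=0
    while IFS='=' read -r key want; do
        got=$("$getter" "$key" "$src")
        if [ -z "$got" ]; then
            echo "MISSING  $key (want $want)"; bad=$((bad + 1))
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $key = $got (want $want)"; bad=$((bad + 1))
        else
            echo "OK       $key = $got"
        fi
    done <<EOF
$EXPECTED
EOF
    return "$bad"
}

# Constructed sample sysctl.conf: one value wrong (send_redirects) and one
# key missing (conf.default.accept_redirects), so the audit reports 2.
SAMPLE_SYSCTL=$(mktemp)
cat > "$SAMPLE_SYSCTL" <<'EOF'
# constructed sample, not a real host's configuration
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.all.accept_redirects = 0
EOF

audit_sysctl conf_value "$SAMPLE_SYSCTL" || echo "$? deviation(s) found in $SAMPLE_SYSCTL"
```

`audit_sysctl conf_value /etc/sysctl.conf` checks what will be applied at boot, and `audit_sysctl live_value` checks what the kernel is using right now; both should report zero deviations after the network restart.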
Disallow Remote Root Login
There should never be a need for root to log in remotely. Any access required by root for system maintenance should be performed on the local system console or via SSH.
Edit /etc/securetty to reflect the following changes:
tty1
tty2
tty3
tty4
tty5
tty6
Save the changes and run the following commands:
# chown root:root /etc/securetty
# chmod 400 /etc/securetty
Disable Ctrl-Alt-Delete
For those machines with poor or nonexistent physical security it is recommended to disable the almighty Ctrl-Alt-Delete.
Edit /etc/inittab and comment out the following line:
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
Save and restart the service:
# /sbin/init q
Warning Banners:
Although its legal value is not clear, administrators often present a warning banner to assist in prosecution. Changing the login banners has the additional benefit of hiding the OS version and detailed system information. Edit the following files:
/etc/motd       displayed as the message of the day to a user after a successful login
/etc/issue      displayed to any user logging into the system locally
/etc/issue.net  displayed to users logging in remotely via SSH, Telnet, or FTP
In versions before RedHat 7.3, commands in /etc/rc.d/rc.local would overwrite the issue and motd files. These commands have been removed since version 7.3.
Password Protecting Single-user Mode
Single-user mode allows for local system maintenance and lets a user move directly into run level 1 as root.
Edit /etc/inittab to reflect the following changes:
id:3:initdefault:
~~:S:wait:/sbin/sulogin
Save the changes and restart the service:
# /sbin/init q
User Account & Password Security:
Quick Tips:
Allow users to run root utilities only via sudo, because sudo use is logged by the system.
Shadow the password files in /etc/shadow. Run Crack or John the Ripper to check password integrity.
Become familiar with the programs that manage users and groups (man 8 pwunconv).
Install a boot loader password during installation.
Password Aging
By default a user account is required to change its password every 99999 days and no minimum limit is set on how long a password must be kept before changing it. The following command sets limits for all existing users whose UID is 500 or greater (the default range for normal user accounts).
# awk -F: '$3 >= 500 { system("chage -M 180 -m 2 " $1) }' /etc/passwd
Change the following lines in /etc/login.defs so newly created user accounts will inherit these values:
PASS_MAX_DAYS 99999 -> PASS_MAX_DAYS 180
PASS_MIN_DAYS 0 -> PASS_MIN_DAYS 2
Purge any unnecessary user accounts that may have been created during the installation process.
First make a backup copy:
# for file in /etc/{passwd,shadow,group} ; do /bin/cp -p $file $file.orig ; done
Remove unnecessary user accounts:
# for user in uucp operator games gopher ; do /usr/sbin/userdel $user ; done
Remove unnecessary groups:
# for group in dip operator gopher games uucp ; do /usr/sbin/groupdel $group ; done
When deleting groups and users you should verify that no mistakes have been made that will prevent someone from logging in.
# /usr/sbin/pwck
# /usr/sbin/grpck
These commands validate that /etc/passwd and /etc/group are properly formatted.
Reassign all files originally owned by deleted users to root with the following commands:
# /usr/bin/find / -nouser -exec /bin/chown root {} \;
# /usr/bin/find / -nogroup -exec /bin/chgrp root {} \;
Locking System Accounts
Some user accounts are only used by a system service or daemon and never require interactive login. Interactive login should be disabled for them.
# for user in bin daemon adm ftp sync lp mail news nobody ; do /usr/sbin/usermod -L -s /dev/null $user ; done
Verify that no account has an empty password:
# awk -F: '($2 == "") { print $1 }' /etc/shadow
If nothing is printed then all is well. Otherwise add a password for the account or delete/lock the user.
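An added example that is not part of the original guide: one awk-based audit covering the account checks above in a single pass over passwd/shadow data (empty passwords, normal users without the 180/2-day aging limits, and system accounts that are neither locked nor stripped of an interactive shell). The passwd and shadow files below are constructed samples; the UID 500 boundary and the 180/2-day limits are the guide's own values.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit passwd/shadow data for
# the conditions the sections above address. Sample data is constructed.

# audit_accounts PASSWD SHADOW: print one line per finding, return the count.
audit_accounts() {
    awk -F: -v maxdays=180 -v mindays=2 -v uidmin=500 '
        FNR == NR { uid[$1] = $3; shell[$1] = $7; next }   # first file: passwd
        {
            name = $1; hash = $2; minf = $4; maxf = $5
            if (!(name in uid)) { print "ORPHAN   " name " has a shadow entry but no passwd entry"; bad++; next }
            if (hash == "") { print "EMPTYPW  " name " has an empty password"; bad++ }
            if (uid[name] + 0 >= uidmin) {
                # normal user: enforce the chage -M 180 -m 2 limits
                if (maxf == "" || maxf + 0 > maxdays) { print "AGING    " name " max days = " (maxf == "" ? "unset" : maxf) " (want <= " maxdays ")"; bad++ }
                if (minf == "" || minf + 0 < mindays) { print "AGING    " name " min days = " (minf == "" ? "unset" : minf) " (want >= " mindays ")"; bad++ }
            } else if (name != "root") {
                # system account: should be locked (usermod -L) and have no login shell
                if (hash != "" && hash !~ /^[!*]/) { print "UNLOCKED " name " is not locked"; bad++ }
                if (shell[name] !~ /^(\/dev\/null|\/sbin\/nologin|\/bin\/false)$/) { print "SHELL    " name " has interactive shell " shell[name]; bad++ }
            }
        }
        END { exit bad }' "$1" "$2"
}

# Constructed sample files. Expected findings: daemon is unlocked and keeps
# /bin/bash (2); bob has an empty password and default aging (3); total 5.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/dev/null
daemon:x:2:2:daemon:/sbin:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/bash
bob:x:501:501:Bob:/home/bob:/bin/bash
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$1$constructed$rootHashPlaceholder:12000:0:99999:7:::
bin:!*:12000:0:99999:7:::
daemon:$1$constructed$daemonHashPlaceholder:12000:0:99999:7:::
alice:$1$constructed$aliceHashPlaceholder:12000:2:180:7:::
bob::12000:0:99999:7:::
EOF

audit_accounts "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow" || echo "$? finding(s) to fix"
```

Run it as root against the real files with `audit_accounts /etc/passwd /etc/shadow`; after the chage, usermod and password steps above it should report nothing.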
Tighten the default umask
A user's umask determines the permissions on any new files created by that user. The default for user accounts (where the user name is the same as the group name) with a user ID greater than 99 is 002 (i.e. 664 for files and 775 for directories). Root's is 022 (644 for files and 755 for directories). The default umask should not result in the creation of world-readable files for normal users. Edit the lines in the /etc/bashrc and /etc/csh.cshrc files:
umask 022 -> umask 077 (some RPMs assume a default umask of 022 and may give warnings during installs)
umask 002 -> umask 007
Miscellaneous Account Limits (RedHat only)
Further user account configuration can be made in limits.conf and time.conf within the /etc/security directory.
System Resource Usage (from Bastille)
To prevent individual users from consuming too many system resources, edit /etc/security/limits.conf so that core files will not be created, individual file sizes are limited to 100MB, and a user can only have 150 concurrent processes running.
Add the following lines:
*    hard    core     0
*    hard    fsize    102400
*    hard    nproc    150
Securing and Disabling Services
Identify services that are configured to start (RedHat only):
# /sbin/chkconfig --list | grep -e '\(:.*on\|xinetd based\)'
The services that should be running on a given system are the following (look at /etc/init.d/servicename to see what each service does):
keytable
syslog
network
random
crond
anacron
iptables
ntpd
Disable and remove services that should not be started:
# /etc/init.d/servicename stop
# /sbin/chkconfig --level 0123456 servicename off
Remove rpm packages:
# /bin/rpm -e packagename
The package owning a given file can be discovered with:
# rpm -qf /etc/init.d/servicename
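An added example, not from the original guide: a script that reads `chkconfig --list` output and reports every enabled SysV or xinetd service that is not on the allow-list of services given above, so the stop/chkconfig/rpm steps can be applied to exactly that list. The chkconfig output below is a constructed sample.

```shell
#!/bin/sh
# Added example, not part of the original guide: compare `chkconfig --list`
# output against the allow-list of services the guide expects to run, flagging
# anything else that is enabled at any run level or as an xinetd service.
# The chkconfig output below is constructed sample data.

ALLOWED=" keytable syslog network random crond anacron iptables ntpd "

# unexpected_services [FILE]: FILE (or stdin) holds `chkconfig --list` output.
# Prints one line per enabled service not on the allow-list; returns the count.
unexpected_services() {
    awk -v allow="$ALLOWED" '
        /^xinetd based services:/ { xinetd = 1; next }
        xinetd {
            # "        telnet: on" style lines
            svc = $1; sub(/:$/, "", svc)
            if ($2 == "on" && index(allow, " " svc " ") == 0) { print "xinetd  " svc; bad++ }
            next
        }
        {
            # "name  0:off 1:off 2:on ..." style lines: enabled if any level is on
            on = 0
            for (i = 2; i <= NF; i++) if ($i ~ /:on$/) on = 1
            if (on && index(allow, " " $1 " ") == 0) { print "sysv    " $1; bad++ }
        }
        END { exit bad }' "${1:--}"
}

# Constructed sample: sendmail (SysV) and telnet (xinetd) are enabled but not
# on the allow-list; kudzu is off everywhere and sgi_fam is off, so 2 findings.
SAMPLE_CHKCONFIG=$(mktemp)
cat > "$SAMPLE_CHKCONFIG" <<'EOF'
keytable        0:off   1:on    2:on    3:on    4:on    5:on    6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
kudzu           0:off   1:off   2:off   3:off   4:off   5:off   6:off
xinetd based services:
        telnet: on
        sgi_fam:        off
EOF

unexpected_services "$SAMPLE_CHKCONFIG" || echo "$? unexpected service(s); stop them and chkconfig them off"
```

On a real host pipe the live listing in: `/sbin/chkconfig --list | unexpected_services`.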
Configuring Access with TCP Wrappers
Access control for services compiled with TCP Wrappers is implemented in /etc/hosts.allow and /etc/hosts.deny. When a connection attempt is made, the hosts.allow file is checked first; if a line matches, the connection is allowed. Otherwise it is checked against hosts.deny. If the connection is not defined in either file it is allowed by default.
The /etc/banners directory with the warning banner can be created as follows:
# /bin/mkdir -p /etc/banners
# /bin/echo "This system is for restricted users" > /etc/banners/prototype
# cd /etc/banners ; /usr/bin/make -f /usr/share/doc/tcp_wrappers-7.6/Banners.Makefile
Deny everything that is not explicitly allowed:
# echo 'ALL: ALL: spawn (/bin/echo -e "`/bin/date`\n%c attempted connection to %s and was denied" | /bin/mail -s "Connection attempt to %s" root) &' > /etc/hosts.deny
Any connection attempt not listed in hosts.allow will be denied, a message will be logged to the syslog auth facility, and an email will be sent to root.
Allow access only to those that require it
Edit hosts.allow and add a line for each service to which access should be allowed. A few examples are shown below:
ALL: LOCAL : banners /etc/banners                      # all services from local clients
sshd: 10.1.1.0/255.255.254.0 : banners /etc/banners    # SSH from host IP addresses
Secure xinetd
Xinetd should be removed from workstations. If present, there should be one file in the /etc/xinetd.d directory for each service. To control access to a service, find the file with the service name and add the following line between the { }:
only_from = 10.1.1.0/23    # allow connections from host IP addresses between 10.1.1.0 and 10.1.2.0
Disable X Windows (Servers Only)
The following command configures the system to boot into run level 3 (multi-user mode with no X) instead of run level 5 (with X) and saves the original /etc/inittab as /etc/inittab.bak:
# /usr/bin/perl -p -i.bak -e 's/id:5:init/id:3:init/' /etc/inittab
Updates and Patches
Up2date: http://www.redhat.com/docs/manuals/RHNetwork/refguide/
The Red Hat Network Daemon rhnsd (RedHat only) connects to the Red Hat server every 120 minutes to check for available package updates.
Autorpm (http://www.autorpm.org) is an alternative to up2date:
# /bin/rpm -i autorpm-2.9.31.noarch.rpm
Register the system with the Red Hat Network; you will be prompted for a username and password (RedHat only):
# /usr/sbin/rhn_register
Verify setup by manually checking for updates (RedHat only):
# /usr/sbin/up2date --nox -p (updates the package profile for this system on the Red Hat server)
# /usr/sbin/up2date --nox -u (downloads and installs packages for updates)
Configure rhnsd to start when the system boots:
# /sbin/chkconfig rhnsd on
# /etc/init.d/rhnsd start
Modify the /etc/autorpm.d/redhat-updates.conf file
RPM packages that fail the signature check are placed in an interactive queue. To prevent these suspect rpm packages from being accidentally installed later, the following line should be added after the line PGP_Require (Yes);:
PGP_Fail_Install (No);
Any update for an rpm package that is on the mirror site but has no earlier version already installed on the system will be added to the interactive queue. To prevent this, underneath the action (new) stanza change the line from Install (Interactive); to Install (No);
Verify Setup by Manually Checking for Updates
Running
# autorpm --auto
for the first time (without further arguments) downloads Term-ReadLine-Gnu. Run
# autorpm --auto
again to check for updates. Binaries will be downloaded and installed. When the prompt returns, issue the following command:
# autorpm install all
An entry in the /etc/cron.daily directory is added by default to enable checking for updates.
File System Security
Secure File System Mount Options
Make the following edits to the /etc/fstab file. Mount the /usr partition read-only. Most of the executable commands on the system are located in the /usr file system, and mounting it read-only is a good way to protect against trojaned binaries being installed.
LABEL=/usr    /usr    ext3    ro    1 2
The /usr file system will have to be remounted read-write before applying most rpm upgrades (including any scheduled to be applied by update agents like up2date or autorpm):
# mount -o remount,rw /usr
After installation, the partition can be mounted read-only again with the following:
# mount -o remount,ro /usr
To prevent SUID or device files from being introduced to the system by removable media, add the nosuid and nodev options to the lines for all removable media (e.g. floppy, cdrom):
/dev/fd0      /mnt/floppy    ext3    nosuid,nodev    1 2
/dev/cdrom    /mnt/cdrom     ext3    nosuid,nodev    1 2
File systems that contain home directories should also have the nosuid and nodev options set:
LABEL=/home    /home    ext3    nosuid,nodev    1 2
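An added example, not from the original guide: a check of the mount options above (ro on /usr, nosuid and nodev on removable media and /home) over an fstab-style file. Because /proc/mounts has the same column layout, the same function also audits what is mounted right now, catching the case where /usr was remounted read-write for an rpm upgrade and never set back. The fstab below is a constructed sample; the list of hardened mount points is an assumption taken from the guide's examples.

```shell
#!/bin/sh
# Added example, not part of the original guide: check an fstab-style file (or
# /proc/mounts) for the mount options recommended above. Sample data is constructed.

# check_fstab FILE: print one line per missing option and return the count.
check_fstab() {
    awk -v hardened=" /mnt/floppy /mnt/cdrom /home " '
        /^[[:space:]]*#/ || NF == 0 { next }          # comments and blank lines
        {
            mp = $2; opts = "," $4 ","                # wrap so ",ro," matches a whole option
            if (mp == "/usr" && index(opts, ",ro,") == 0) {
                print "RW      /usr is not read-only (options: " $4 ")"; bad++
            }
            if (index(hardened, " " mp " ") > 0) {
                if (index(opts, ",nosuid,") == 0) { print "NOSUID  " mp " lacks nosuid (options: " $4 ")"; bad++ }
                if (index(opts, ",nodev,") == 0)  { print "NODEV   " mp " lacks nodev (options: " $4 ")"; bad++ }
            }
        }
        END { exit bad }' "$1"
}

# Constructed sample fstab. Expected findings: /usr is read-write (1), the
# floppy lacks nosuid and nodev (2), the cdrom lacks nodev (1); total 4.
SAMPLE_FSTAB=$(mktemp)
cat > "$SAMPLE_FSTAB" <<'EOF'
# constructed sample fstab
LABEL=/      /            ext3     defaults                1 1
LABEL=/boot  /boot        ext3     defaults                1 2
LABEL=/usr   /usr         ext3     defaults                1 2
LABEL=/home  /home        ext3     nosuid,nodev            1 2
LABEL=/var   /var         ext3     defaults                1 2
/dev/fd0     /mnt/floppy  auto     noauto,owner            0 0
/dev/cdrom   /mnt/cdrom   iso9660  noauto,owner,ro,nosuid  0 0
/dev/sda2    swap         swap     defaults                0 0
EOF

check_fstab "$SAMPLE_FSTAB" || echo "$? mount option(s) to fix"
```

`check_fstab /etc/fstab` audits the boot-time configuration and `check_fstab /proc/mounts` the live state; both should be silent once the edits above are in place and /usr has been remounted read-only.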
Restricting Access to Administrative Utilities
Issue the following command to remove read, write and execute privileges for users that do not own the files from all files in these directories (excluding consoletype):
# /bin/chmod -R o-rwx /usr/sbin `ls /sbin/* | grep -v consoletype`
SUID Permissions for Executable Programs
To see a list of all the files with SUID or SGID permissions:
# /usr/bin/find /bin /usr/bin -type f \( -perm -04000 -o -perm -02000 \) -ls
Remove the SUID and SGID permissions from files that do not require them by setting the permissions on each file to 755:
# /bin/chmod 755 /bin/mount /bin/umount /bin/ping /usr/bin/chfn /usr/bin/chsh /usr/bin/chage
Remove compiler packages from workstations and servers not used for development:
# /bin/rpm -e cpp gcc gcc-c++ gcc-g77
Logging
Syslog
If possible, store syslog output on a remote machine; an intruder would then have to compromise both the system itself and the remote logging server.
Reload the syslogd config file:
# /etc/init.d/syslog restart
Ensure that syslogd runs on boot:
# /sbin/chkconfig --level 2345 syslog on
logrotate.d
/etc/logrotate.conf contains the default options for rotating log files.
The log rotation times can be changed to lengthen the life of the log files. Be warned that logs can get quite large, so one must monitor the log size so that it does not get out of hand.
Logwatch
Use logwatch to monitor logs and have emails sent to the root user in light of unexpected activity. Simply change the email address in the /etc/log.d/logwatch.conf file.
ntpd
Rather than use the system clock alone, you should configure the Network Time Protocol server daemon to synchronize the system clock with three public NTP servers. NTP servers can be located at http://www.eecis.udel.edu/~mills/ntp/servers.html
Get permission from the admins of these servers, then edit /etc/ntp.conf and replace the loopback address with, for example:
server 10.0.0.1    # IP address of public server 1
server 10.0.0.2    # IP address of public server 2
server 10.0.0.3    # IP address of public server 3
Ensure that the NTP daemon is reloaded:
# /etc/init.d/ntpd restart
Ensure that ntpd is configured to start automatically on boot:
# /sbin/chkconfig --level 2345 ntpd on
Scheduler Security
Restrict cron and at by editing /etc/cron.allow and /etc/at.allow.
Root always has access to create cron and at jobs. Create the cron.allow file as root (su) with:
# echo root > /etc/cron.allow
Make sure that the scheduled task to run is permitted for that user.
Web Security
Ensure that only necessary modules are installed in your Apache web server.
Remove the Distributed Authoring and Versioning (DAV) module. It enables modifications to files on the web server using a client browser.
Apache Configuration File (the following section pertains to httpd.conf)
/etc/httpd/conf/httpd.conf
Comment out unused modules, such as the following:
mod_autoindex  provides directory listings and gives away too much info to hackers
mod_include    unless you use server-side includes you should disable this
mod_info       allows a client to visit a URL and get info about the running server
mod_status     allows a client to view server status from a URL
mod_userdir    allows users to serve pages from a directory within their home directory
Modification to the default Directory Access Permissions
Change the stanza that controls access permissions.
Original:
Options FollowSymLinks
AllowOverride none
Modified:
Options None
AllowOverride None
Order allow,deny
Deny from all
The modified version does not allow symbolic links to be followed on the file system.
Modification to the default Root Access Permissions
Original:
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
Modified:
Options SymLinksIfOwnerMatch
AllowOverride None
Order allow,deny
Allow from all
The original configuration will show a visitor a directory listing for any directory in the document root without an index.html. The modified option prevents the server from following any links that may be created by other users to areas outside the document root. If multiple users need access to files beneath the web server document root, the AllowOverride AuthConfig option can be used in place of AllowOverride None and a separate .htaccess file can be used to authenticate user access.
To remain anonymous as to the server version and configuration, we can change the signature in the httpd.conf file that would normally be attached to web pages when they are served:
ServerSignature Off
We can also remove strings from the HTTP headers returned to clients in response to their requests. These include the name, version and modules loaded on startup:
ServerTokens Prod
The email address of the web server administrator can also be displayed on server-generated pages. This should be changed to a fake email address:
ServerAdmin foo@localhost
CGI Bin
CGI programs are a common attack target if available; these days many companies disable their use altogether. References to the CGI bin and modules should be commented out, starting with:
LoadModule cgi_module modules/mod_cgi.so
File Permissions in the Document Root
Write permissions on any file or directory being served by the web server should be removed, or they leave an open door to defacement. The user and group that the web server process runs under are defined in the httpd.conf file. You should identify all the directories served by the web server and look for any files on which the owner of the web server process has write permissions. These commands should return nothing:
# /usr/bin/find /var/www/html -user apache -perm +202 -exec ls -ld {} \;
# /usr/bin/find /var/www/html -group apache -perm +022 -exec ls -ld {} \;
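An added example, not from the original guide: an awk audit of an httpd.conf for the items covered in this web security section (the risky modules still loaded, Indexes or FollowSymLinks left in Options, ServerSignature not Off, ServerTokens not Prod). Two constructed configurations are included, one weak and one hardened as the section recommends, so the check can be seen reporting findings and then reporting none.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit an httpd.conf against
# the web security items above. Both configurations below are constructed
# samples, one weak and one hardened.

RISKY_MODULES=" autoindex_module include_module info_module status_module userdir_module cgi_module "

# audit_httpd_conf FILE: print one line per finding and return the count.
audit_httpd_conf() {
    awk -v risky="$RISKY_MODULES" '
        /^[[:space:]]*#/ { next }                      # commented-out directives are fine
        $1 == "LoadModule" && index(risky, " " $2 " ") > 0 {
            print "MODULE    " $2 " is loaded (line " NR ")"; bad++
        }
        $1 == "Options" {
            for (i = 2; i <= NF; i++) {
                o = $i; sub(/^\+/, "", o)              # "+Indexes" counts as enabled
                if (o == "Indexes" || o == "FollowSymLinks") {
                    print "OPTIONS   " o " enabled (line " NR ")"; bad++
                }
            }
        }
        $1 == "ServerSignature" { sig = $2 }
        $1 == "ServerTokens"    { tok = $2 }
        END {
            if (tolower(sig) != "off")  { print "SIGNATURE ServerSignature is " (sig == "" ? "unset" : sig) " (want Off)"; bad++ }
            if (tolower(tok) != "prod") { print "TOKENS    ServerTokens is " (tok == "" ? "unset" : tok) " (want Prod)"; bad++ }
            exit bad
        }' "$1"
}

# Constructed weak config: 3 risky modules loaded (the commented info_module
# does not count), Indexes and FollowSymLinks on, signature and tokens
# unhardened: 7 findings.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
ServerTokens OS
ServerSignature On
LoadModule autoindex_module modules/mod_autoindex.so
#LoadModule info_module modules/mod_info.so
LoadModule status_module modules/mod_status.so
LoadModule cgi_module modules/mod_cgi.so
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
EOF

# Constructed hardened config following the section above: 0 findings.
HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
ServerTokens Prod
ServerSignature Off
#LoadModule autoindex_module modules/mod_autoindex.so
#LoadModule cgi_module modules/mod_cgi.so
<Directory "/var/www/html">
    Options SymLinksIfOwnerMatch
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
EOF

audit_httpd_conf "$WEAK_CONF" || echo "$? finding(s) in the weak config"
audit_httpd_conf "$HARDENED_CONF" && echo "hardened config: no findings"
```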
Email Security
Sendmail should be upgraded to the most stable current release, at least 8.12.5, to secure against a theoretical buffer overflow vulnerability.
Disable the sendmail daemon on all workstations. Edit /etc/sysconfig/sendmail with:
DAEMON=no
QUEUE=15m
Then restart the daemon:
# /etc/rc.d/init.d/sendmail restart
File and Print Security
SCP and SFTP
The need for remote file-transfer and command-line control sessions is of paramount importance to Unix administration. For many years, however, only protocols such as FTP, Telnet and RSH were available. These protocols transmitted not only the data of the session but the authentication information as well, in clear text over the network. The advent of the Secure Shell (ssh) protocol introduced a much-welcomed answer to this problem, providing complete encryption of both command-line and data transfer sessions using strong encryption algorithms. Particularly welcome has been the recent development of OpenSSH, a spin-off of the OpenBSD project, which has helped bring this protocol into wider use with its open-source implementation that compiles on any number of different Unix platforms. The scp and sftp commands do an excellent job of replacing their non-encrypted counterparts, emulating the command-line switches and options so well that in most cases scp in particular can simply be used as a drop-in replacement for rcp. Configure servers such that sftp sessions are as secure as possible, including the use of chroot to jail the users' file-transfer sessions, by patching the SSH source code. Unfortunately, the patch currently does not work for scp, but chrooted and non-chrooted users can exist side by side.
Red Hat, even with the most current patches, does not always offer the latest SSH build, so it will be necessary to get the portable distribution of OpenSSH from the OpenSSH team (http://www.openssh.com).
This manual will not go into the details of how to build an SSH server or chroot the server. A future manual will delve into the construction of any distribution of broad network services.
Securing WU-FTPd
WU-FTPd is a fairly secure FTP program and is freely available. It should be used in place of clear-text FTP. It ships by default with RedHat 7.3.
In order to properly secure WU-FTPd we need to tweak the FTP configuration file, /etc/ftpaccess. We do this by not allowing system accounts to log in over FTP:
# allow-uid ftp
# allow-gid ftp
Chroot all users by default:
guestuser *
Because we have already chrooted all users by default, we don't need to explicitly chroot a group:
# guestgroup ftpchroot
Set the email address
Permit only two failed logins before termination:
loginfails 2
Change the welcome message to something controllable:
message /.ftpwelcome.msg
Do not allow on-the-fly compression and tarring:
compress no all
tar no all
Prevent certain actions by anonymous or guest users. Explicitly list permissions:
umask no real,guest,anonymous
delete yes real,guest
overwrite yes real,guest
rename yes real,guest
Log commands and transfers to and from the server:
log commands real,guest,anonymous
log transfers anonymous,real,guest inbound,outbound
Mark certain files as non-retrievable:
noretrieve .notar
noretrieve .ftpwelcome.msg
Set a secure path filter to weed out evil file names:
path-filter guest,anonymous /etc/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-
Remove the server version from the greeting:
greeting terse
Use secure default umasks for everyone:
defumask 0377
defumask 0177 real
defumask 0133 guest
Networking / Remote Administration
o Remove all .rhosts files and the r* utilities (rsh/rlogin/rcp); find them with find /home -name .rhosts -print
o If using NFS (not recommended), export all NFS file systems with the most restrictive access in /etc/exports (nodev, nosuid, noexec). Be sure to filter TCP port 111 and UDP port 111 (portmapper), and TCP port 2049 and UDP port 2049 (nfsd) on the firewall if using NFS.
o Files in /var/log, /var/log/wtmp and /var/run/utmp (which contain login records) should have 644 permissions. wtmp logs the following login status info:
  Type of login
  Process ID of login process
  Device name of tty
  Init ID or abbreviated tty name
  User name
  Hostname for remote login
  Exit status of a process
  Time entry was made
  IP address of remote host
o utmp is consulted for currently logged-in users.
o Install Cryptographic IP Encapsulation to communicate with other hosts
Services
o The following services should not be installed, or should be disabled:
  NFS/NIS (any rpc), or at least use NIS+ over NIS
  Printer services (lpd)
  Telnet
  r*
  FTP server (use HTTP, scp, SFTP)
  BIND
  Mail Transfer Agents (sendmail, exim, postfix, qmail)
o Check /etc/rc.d/rc[0-9].d for symbolic links to services that will not be used. Links can be disabled by changing the upper-case S (for Start) to a lower-case s. Stop services as root with /etc/init.d/servicename stop. After disabling (with #) restart inetd: /etc/init.d/inetd restart. Get a list of running scripts with ls -l /etc/init.d/ | less
o Get a quick list of enabled services with grep disable /etc/xinetd.d/* | grep no. Disable xinetd services from running by changing listings in xinetd.conf to disable = yes
o Comment out unused services in /etc/inetd.conf rather than removing them, in case they are needed at some time.
o Disable identd for specific users (.noident file). It can be removed altogether unless building an IRC server.
o Remove /etc/hosts.equiv
File and System Permissions
o Use ls -al to see all file permissions
o Remove all suid/sgid bits (chmod g+s activates sgid) on executable and system files in non-root home directories. A favourite technique of hackers is to exploit this by placing suid programs on the server to be executed. To find them all: find / -type f \( -perm -04000 -o -perm -02000 \)
o Remove unnecessary setuid and setgid bits. Find the ones present by typing find / -type f -perm +6000
o Configure umask with restrictive access. Typical settings are 022, 027, and 077 (most restricted). It is set in /etc/profile. The default in RedHat is 022. Root's umask should be 077. Find the value by subtracting the desired permissions from 777.
o Set file system limits in /etc/pam.d/limits.conf (RH, Deb). Restrict the number of processes to 50 and usage per user to 5M
o Find all world-writable system files and restrict where necessary. Find them with find / -perm -2 ! -type l -ls. Add the sticky bit to the permissions with chmod +t so that only the creator can delete or modify the file.
o Find all unowned files, which may indicate compromise, with find / \( -nouser -o -nogroup \) -print
o System configuration files (/etc) should be 640
o Install Cryptographic File System (CFS) or Transparent Cryptographic File System (TCFS) for encrypting folder trees where secure users can store files
System Administration/Logging
o Allow only tty and vty terminals for root and trusted users
o Secure /usr/sbin/syslogd from tampering. Look at /etc/syslog.conf to see where logging is going. Download a syslog encryption daemon to transfer log info to a central and secure location. View /var/log/messages for the default logs.
o Make use of /etc/shutdown.allow to prevent someone from rebooting the machine. It contains a list of users authorized to reboot the machine. It is consulted when the Control-Alt-Del keys
o Use xlock and vlock to lock a workstation.
o If possible configure tools to run in a chroot jail, especially privileged services such as Apache, so that an attacker does not attain root privilege on the real OS
o Delete unnecessary binary packages with /bin/rpm -e (if RedHat)
X11
o Secure X displays by having users log in to the terminal through MIT-MAGIC-COOKIE-1, a 128-bit cookie stored in the .Xauthority file. Use xauth for remote users. Or use xdm to log in to the console and use ssh to go to
Kernel
o Download and install the secure Linux kernel (SELinux) from NSA.gov: http://www.nsa.gov/selinux/download.html
o Process accounting is enabled in most newer builds of the kernel and should be consulted for kernel-level functions.
Quick Tips Auditing/Firewall/Scan Utilities Check List
Use IPTables if possible; otherwise enable TCP Wrappers (tcpd) to restrict access to TCP services. Create a /etc/hosts.allow file and add only the allowed hosts, e.g. ALL: 127. Create /etc/hosts.deny and put ALL: ALL in it. TCP Wrappers only protects inetd services. Use netstat -ta to see all services offered (netstat -tap | grep LISTEN). Record changes by saving the output to a file (netstat -tap | grep LISTEN > ~/services.lst)
Install Tripwire for system integrity. Make sure to write down the passphrases and keep them secret.
Use SAINT or NESSUS to port scan your machine to see where it is vulnerable.
Install OpenPGP for email (or S/MIME), key transfer and secure hard-drive erasing. Install SSL/S-HTTP for all HTTP requests
Shut off Telnet and put OpenSSH in its place.
Install IPTables/Netfilter as the firewall (for the advantages of IPTables over IPChains and IPFWAdm go to
Run Internet Security Scanner (ISS) and System Security Scanner (S3)
Freeware Utilities
o SWATCH: the Simple Watcher is a popular open source log monitoring and alerting utility. Swatch is designed to monitor your log files against a set of configurable signatures. When Swatch detects an event, it can alert the system admin via console, sound response, or an email. Swatch can also be used to filter old log files for activity.
o IPTables: the netfilter/iptables project is the Linux 2.4.x / 2.5.x firewalling subsystem. It delivers the functionality of packet filtering (stateless or stateful), all different kinds of NAT (Network Address Translation) and packet mangling. Iptables is the replacement for the user-space tool ipchains in the Linux 2.4 kernel and beyond. It is part of the kernel-space netfilter project. Iptables has many more features than ipchains and is also structured more sensibly.
o Tripwire: Tripwire software is a tool that checks to see what has changed on your system. The program monitors key attributes of files that should not change, including binary signature, size, expected change of size, etc. Tripwire is originally known as an intrusion detection tool, but can be used for many other purposes such as integrity assurance, change management, policy compliance and more.
o John the Ripper: John the Ripper is a freeware password auditing or cracking utility. John the Ripper attempts to brute force the passwords in the passwd and shadow files, making use of dictionaries and its knowledge of common password creation techniques.
o Bastille: a Linux hardening application that provides novice and experienced users a way to automate many of the security settings that have been covered in this guide. Bastille provides both a command line and a GUI format for users. Bastille walks the user through an interactive questionnaire to determine which settings should be turned on and what the ramifications are for making those changes.
o NMAP: a freeware reconnaissance utility, typically used as a port mapper utility, sending packets to hosts with various settings to determine which ports are open on a device. NMAP can also be used as an operating system reconnaissance tool, since NMAP has the ability to send packets to a host and, based on the response to those packets, determine which operating system the host is running.
o NESSUS: a freeware vulnerability assessment tool; Nessus works on client/server-based technology. The server side contains the vulnerability database and the engine that actually performs the vulnerability assessment. The client connects to the server to configure the settings for the vulnerability assessment. Nessus can provide reports in a number of different formats including its native GUI format, HTML, and ASCII.
Useful Links
How-Tos and References for this manual:
o SANS: Step By Step Series, Securing Linux: A Step by Step Survival Guide, David Koconis, Jim Murray, Jos Purvis, Darrin Wassom
o Hacking Exposed, 3rd Edition: Network Security Secrets and Solutions, Stuart McClure, Joel Scambray, George Kurtz
o http://www.linuxsecurity.com/docs/LDP/SecurityQuickstartHOWTO/index.html
o http://www.linuxsecurity.com/docs/LDP/SecurityHOWTO/
o http://www.linuxsecurity.com/docs/SecurityAdminGuide/SecurityAdminGuide.html
o http://www.linuxsecurity.com/docs/PDF/SecuringOptimizingLinuxRHEdition1_3.pdf
o http://en.tldp.org/HOWTO/IPMasqueradeHOWTO/iptablesvsipchainsvsipfwadm.html
o ftp://sunsite.unc.edu:/pub/Linux/system/admin/accounts/acct1.3.73.tar.gz
Security Resources
o SANS http://www.sans.org
o Linux Security http://www.linuxsecurity.com
o Security Focus http://www.securityfocus.org
o Hacking Linux Exposed http://www.hackinglinuxexposed.com/articles/20021015.html
o CERT http://www.cert.org
Firewall Resources:
o http://www.linuxfirewalltools.org
o http://www.firestarter.sourceforge.net
o http://www.fwbuilder.org
o http://www.stearnes.org/mason
Red Hat Resources
o Red Hat http://www.redhat.com
o Red Hat Advisories http://rhn.redhat.com/errata/rh73errata.html
Third Party Resources
o APACHE http://httpd.apache.org
o APACHE MODS http://httpd.apache.org/docs/mod/
o AUTORPM http://www.autorpm.org
o BASTILLE http://www.bastillelinux.org
o EXIM http://www.exim.org
o IMAP Connection http://www.imap.org
o IPTABLES http://www.iptables.org
o John the Ripper http://www.openwall.com/john
o Logwatch http://www.logwatch.org
o NESSUS http://www.nessus.org
o NMAP http://www.nmap.org
o NTP http://www.cis.udel.edu/~ntp
o OPENSSH http://www.openssh.com
o OPENPGP http://www.openpgp.org
o PSIONIC TRISENTRY http://www.psionic.com
o POSTFIX http://www.postfix.org
o QMAIL http://www.qmail.org
o QPOPPER http://www.eudora.cm/qpopper
o SAINT http://www.saintcorporation.com
o SAMBA http://www.samba.org
o SENDMAIL http://www.sendmail.org
o SNMP http://www.snmplink.org
o SNORT http://www.snort.org
o SWATCH http://www.oit.ucsb.edu/~eta/swatch
o Time Servers http://www.eecis.udel.edu/~mills/ntp/servers.html
o TRIPWIRE http://www.tripwire.org
o WUFTP http://www.wuftpd.org
o XINETD http://www.xinetd.org
Black and White Hat Security Resources
o AstalaVista http://www.astalavista.com
o Hacktivismo http://hacktivismo.com/news/modules.php?name=Content&pa=showpage&pid=12/
o Cult of the Dead Cow http://www.cultdeadcow.com/main.php3
o Phrack http://www.phrack.org
o 2600 magazine http://www.2600.com
o Apocalypse http://www.apocalypseonline.com/security/exploits/exploits.asp?exp_category=Slackware
o Security Tool Review http://www.securitytoolreview.com
o Foundstone http://www.foundstone.com
o F.I.R.E. http://fire.dmzs.com/?section=tools
o Honeypots http://www.trackinghackers.com
o Anti-Hacker ToolKit http://www.antihackertoolkit.com/tools