secure machine translate)

Upload: nvphucvn

Post on 06-Apr-2018


  • 8/3/2019 Secure Machine Translate)

    1/24

    Installation Guidelines

    GRUB/LILO

    GRUB is the boot loader of choice for RedHat installations; however, LILO may always be used in the case of most flavors of Linux. GRUB/LILO can receive many different kernel-level commands and it poses a major security risk if an attacker is able to compromise the kernel. In response you can make sure that only authorized users are able to perform those commands by password-protecting the boot loader during the installation process. If using GRUB, the password is by default stored as clear text, so you will want to modify the /etc/grub.conf file to store the password as an MD5 hash.

    $ /sbin/grub-md5-crypt

    Password: (at the prompt enter the GRUB password you created at installation and press enter)

    $1$m0tLR/$#%t%661GFGftffgctTFTDd      (this is the MD5 hash)

    Edit the grub.conf file and replace the clear-text password with the MD5 hash. You must use the --md5 option; without it GRUB treats the hash string itself as the clear-text password.

    password --md5 $1$m0tLR/$#%t%661GFGftffgctTFTDd

    Partitioning

    Partitioning correctly will help to mitigate one specific type of denial of service: for example, an attack designed to fill up a /tmp or spool directory. If your files are on the same partition as the directory under attack, your system could be rendered unusable. One should use a partition strategy where those directories that are most likely to be filled by an attacker sit on their own partitions. Typically this is /var and /home. If you are using a server for FTP or email, you may want to consider separate partitions for the application-specific files.

    /boot   contains all files for the boot process
    /home   contains individual user home directories
    /usr    contains files shared across a system by multiple users
    /var    contains files that are dynamic by nature (log files, spool files, scheduler files etc.)
    /       contains files for system management when no other partition is available
    /tmp    contains temp files
    swap    contains paging files for memory management

    Recommended System Schemes Configurations

    Workstation:  Swap = 2 x physical memory; /boot = 50 MB; / = depends on disk space
    Server:       Swap = 2 x physical memory; /boot = 50 MB; / = 384 MB; /var = 256 MB; /usr = depends on disk space; /home = depends on disk space
    Laptop:       Swap = 2 x physical memory; /boot = 50 MB; / = depends on disk space
    Custom:       Swap = 2 x physical memory; /boot = 50 MB; / = depends on disk space

    Firewall Configuration on Installation

    No Firewall: allows complete access to your system with no security check at all.

    Medium: restrictions are automatically placed on certain services:
      ports lower than 1023
      NFS server (port 2049)
      local X Windows display for remote clients
      X font server port

    High: most restrictive; denies all access except DNS, DHCP and anything else explicitly allowed.

    If possible install IPTables; it is an improvement over the default installation. It can be found at http://www.iptables.org. In RedHat 8 and above it is the default firewall daemon.

    Account Authentication Configuration

    Make sure that the root password is secure and that you maintain an MD5 checksum of all the passwords in a separate file. Make sure that the password file itself is shadowed; this should be the default on RedHat installations.


    Package Installation:

    Install only what you think you will need. You can always install new packages in the future.

    Network Security

    Network Parameter Modification (RedHat only)

    Edit /etc/sysctl.conf with the following changes:

    net.ipv4.ip_forward = 0                      (disables IP forwarding; it should only be enabled if you plan to use the machine as a router/gateway)
    net.ipv4.conf.all.accept_source_route = 0    (disables IP source routing)
    net.ipv4.tcp_max_syn_backlog = 4096          (enables SYN flood protection)
    net.ipv4.conf.all.rp_filter = 1              (enables IP spoofing protection)
    net.ipv4.tcp_syncookies = 1                  (enables TCP SYN flood protection)
    net.ipv4.conf.all.send_redirects = 0         (disables the ability to send ICMP redirects)
    net.ipv4.conf.all.accept_redirects = 0       (disables ICMP redirect acceptance)
    net.ipv4.conf.default.accept_redirects = 0   (also disables ICMP redirect acceptance, for interfaces added later)

    Save the changes and run the following commands as root:

    # chown root:root /etc/sysctl.conf
    # chmod 0600 /etc/sysctl.conf
    # /etc/rc.d/init.d/network restart
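As an added check (example code written for this page, not part of the original guide), the script below compares the values recommended above against a kernel's live settings and prints every mismatch. The function names and the sample "sysctl -a" output are my own constructions so the script runs offline; on a real host call audit_sysctl live_sysctl, which runs the real sysctl.

```shell
#!/bin/sh
# Added example (not from the original guide): audit the sysctl settings
# recommended in this section. Live values come from a function so the
# script runs offline against constructed "sysctl -a" output.

# Constructed sample of "sysctl -a" output, with three weak settings.
sample_sysctl_output() {
    cat <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
EOF
}

# Real kernel settings; only used when passed explicitly (needs sysctl in PATH).
live_sysctl() {
    sysctl -a 2>/dev/null
}

# The values recommended in this section, as "key value" pairs.
desired_sysctl() {
    cat <<'EOF'
net.ipv4.ip_forward 0
net.ipv4.conf.all.accept_source_route 0
net.ipv4.tcp_max_syn_backlog 4096
net.ipv4.conf.all.rp_filter 1
net.ipv4.tcp_syncookies 1
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.default.accept_redirects 0
EOF
}

# Constructed compliant output, to show the audit returning nothing.
hardened_sysctl_output() {
    desired_sysctl | sed 's/ / = /'
}

# audit_sysctl [source]: prints "key live=X want=Y" for each differing key
# and "key missing want=Y" for keys the kernel does not report.
audit_sysctl() {
    src="${1:-sample_sysctl_output}"
    live=$("$src")
    desired_sysctl | while read -r key want; do
        have=$(printf '%s\n' "$live" | awk -v k="$key" -F' *= *' '$1 == k { print $2 }')
        if [ -z "$have" ]; then
            printf '%s missing want=%s\n' "$key" "$want"
        elif [ "$have" != "$want" ]; then
            printf '%s live=%s want=%s\n' "$key" "$have" "$want"
        fi
    done
}

# sysctl_mismatch_count [source]: number of findings, 0 when compliant.
sysctl_mismatch_count() {
    audit_sysctl "$@" | awk 'END { print NR }'
}

# Stand-alone run over the constructed sample.
audit_sysctl
```

The audit reads desired values from one list, so extending it to other keys is a matter of adding "key value" lines; the remediation itself stays the edit to /etc/sysctl.conf described above.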

    Disallow Remote Root Login

    There should never be a need for root to log in remotely. Any access required by root for system maintenance should be performed on the local system console or via SSH.

    Edit /etc/securetty to reflect the following changes:

    tty1
    tty2
    tty3
    tty4
    tty5
    tty6

    Save the changes and run the following commands:

    # chown root:root /etc/securetty
    # chmod 400 /etc/securetty

    Disable Ctrl-Alt-Delete

    For those machines with poor or nonexistent physical security it is recommended to disable the almighty Ctrl-Alt-Delete.

    Edit /etc/inittab and comment out the following line:

    #ca::ctrlaltdel:/sbin/shutdown -t3 -r now

    Save and have init re-read its configuration:

    # /sbin/init q

    Warning Banners:

    Although its legal weight is not clear, administrators often present a warning banner to assist in prosecution. By changing the login banners there is the additional benefit of hiding the OS version and detailed system information. Edit the following files:

    /etc/motd        Displays the message of the day to a user after a successful login
    /etc/issue       Displayed to any user that is logging into the system locally
    /etc/issue.net   Displayed to users logging in remotely via SSH, Telnet, or FTP

    In versions before RedHat 7.3, commands in /etc/rc.d/rc.local would overwrite the issue and motd files at boot. These commands have been removed since version 7.3.

    Password Protecting Single-user Mode

    Single User Mode allows for local system maintenance and lets a user move directly into run level 1 as root.

    Edit /etc/inittab to reflect the following changes:

    id:3:initdefault:
    ~~:S:wait:/sbin/sulogin

    Save the changes and have init re-read its configuration:

    # /sbin/init q

    User Account & Password Security:

    Quick Tips:

    Allow users to use root utilities only via sudo, because its use is logged by the system.

    Shadow the password files in /etc/shadow. Run Crack or John the Ripper to check for password integrity.

    Become familiar with the programs used to manage users and groups (man 8 pwunconv).

    Install a boot loader password during installation.

    Password Aging

    By default a user account is required to change its password every 99999 days and no minimum limit is set on how long a password must be kept before changing it. The following command will set limits for all existing users whose ID is greater than or equal to 500 (the default for normal user accounts):

    # awk -F: '$3 >= 500 { system("chage -M 180 -m 2 " $1) }' /etc/passwd

    Change the following lines in /etc/login.defs so newly created user accounts will inherit these values:

    PASS_MAX_DAYS 99999  ->  PASS_MAX_DAYS 180
    PASS_MIN_DAYS 0      ->  PASS_MIN_DAYS 2

    Purge any unnecessary user accounts that may have been created during the installation process.

    First make a backup copy:

    # for file in /etc/{passwd,shadow,group} ; do /bin/cp -p $file $file.orig ; done

    Remove unnecessary user accounts:

    # for user in uucp operator games gopher ; do /usr/sbin/userdel $user ; done

    Remove unnecessary groups:

    # for group in dip operator gopher games uucp ; do /usr/sbin/groupdel $group ; done

    When deleting groups and users you should verify that no mistakes have been made that will prevent someone from logging in.

    # /usr/sbin/pwck
    # /usr/sbin/grpck

    These commands validate that /etc/passwd and /etc/group are properly formatted.

    Reassign all files originally owned by deleted users to root with the following commands:

    # /usr/bin/find / -nouser -exec /bin/chown root {} \;
    # /usr/bin/find / -nogroup -exec /bin/chgrp root {} \;

    Locking System Accounts

    Some user accounts are only used by a system service or daemon and never require interactive login. Interactive login should be disabled for them:

    # for user in bin daemon adm ftp sync lp mail news nobody ; do /usr/sbin/usermod -L -s /dev/null $user ; done

    Verify that no account has an empty password:

    # awk -F: '($2 == "") { print $1 }' /etc/shadow

    If nothing is printed then all is well. Otherwise add a password for the account or delete/lock the user.
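The account checks of this section, as an added example (code written for this page, not part of the original guide): the awk expressions are wrapped in functions and run over constructed copies of /etc/passwd and /etc/shadow in a temp directory, so they can be tried without touching a real host. The function names and sample accounts are my own; pass the real file paths instead to audit a live system (reading /etc/shadow needs root).

```shell
#!/bin/sh
# Added example (not from the original guide): account audit functions over
# constructed passwd/shadow files. Pass real paths for a live audit.

# Writes constructed passwd/shadow files into a temp dir and prints its path.
make_sample_files() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/bash
bob:x:501:501:Bob:/home/bob:/bin/bash
EOF
    cat > "$dir/shadow" <<'EOF'
root:$1$saltsalt$constructedhash:12000:0:99999:7:::
bin:*:12000:0:99999:7:::
daemon:*:12000:0:99999:7:::
ftp::12000:0:99999:7:::
alice:$1$saltsalt$constructedhash:12000:0:99999:7:::
bob:!!:12000:0:99999:7:::
EOF
    printf '%s\n' "$dir"
}

# normal_users PASSWD: accounts with UID >= 500 (the ones chage should act on).
normal_users() {
    awk -F: '$3 >= 500 { print $1 }' "$1"
}

# aging_commands PASSWD: the chage invocations the guide runs, printed instead
# of executed so they can be reviewed first (pipe the output into sh to apply).
aging_commands() {
    awk -F: '$3 >= 500 { printf "chage -M 180 -m 2 %s\n", $1 }' "$1"
}

# empty_password_accounts SHADOW: accounts whose password field is empty.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# system_accounts_with_shell PASSWD: service accounts (0 < UID < 500) that
# still have a usable login shell, i.e. candidates for usermod -L -s /dev/null.
system_accounts_with_shell() {
    awk -F: '$3 > 0 && $3 < 500 && $7 != "/sbin/nologin" && $7 != "/bin/false" && $7 != "/dev/null" { print $1 }' "$1"
}

# Stand-alone run over the constructed files.
d=$(make_sample_files)
echo "normal users:";               normal_users "$d/passwd"
echo "chage commands to review:";   aging_commands "$d/passwd"
echo "empty passwords:";            empty_password_accounts "$d/shadow"
echo "system accounts with shell:"; system_accounts_with_shell "$d/passwd"
rm -rf "$d"
```

Printing the chage commands rather than running them through system() is the one deliberate difference from the guide's one-liner: it lets the list be reviewed before it is applied.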

    Tighten the default umask

    A user's umask determines the permissions on any new files created by that user. The default for a user account (where the user name is the same as the group name) with a user ID greater than 99 is 002 (i.e. 664 for files and 775 for directories). Root's is 022 (644 for files and 755 for directories). The default umask should not result in the creation of world-readable files for normal users. Edit the lines in the /etc/bashrc and /etc/csh.cshrc files:

    umask 022  ->  umask 077   (some RPMs assume a default umask of 022 and may give warnings during installs)
    umask 002  ->  umask 007


    Miscellaneous Account Limits (RedHat only)

    Further user account configuration can be made in limits.conf and time.conf within the /etc/security directory.

    System Resources Usage (from Bastille)

    To prevent individual users from consuming too many system resources, edit /etc/security/limits.conf so that core files will not be created, individual file sizes are limited to 100 MB, and a user can only have 150 concurrent processes running.

    Add the following lines (the first field is the domain the limit applies to; * means every user):

    *    hard    core     0
    *    hard    fsize    102400
    *    hard    nproc    150

    Securing and Disabling Services

    Identify Services that are configured to start (RedHat only)

    # /sbin/chkconfig --list | grep -e '\(:.*on\|xinetd based\)'

    The services that should be running on a given system are the following (look at /etc/init.d/servicename to see what each service does):

    keytable
    syslog
    network
    random
    crond
    anacron
    iptables
    ntpd

    Disable and remove services that should not be started:

    # /etc/init.d/servicename stop
    # /sbin/chkconfig --level 0123456 servicename off

    Remove RPM packages:

    # /bin/rpm -e packagename

    The package owning a given file can be discovered with:

    # rpm -qf /etc/init.d/servicename

    Configuring Access with TCP Wrappers

    Access control for services compiled with TCP Wrappers is implemented in /etc/hosts.allow and /etc/hosts.deny. When a connection attempt is made, the hosts.allow file is checked first; if a line matches, the connection is allowed. Otherwise hosts.deny is checked; if a line matches there, the connection is denied. A connection that matches neither file is allowed by default.

    The /etc/banners directory with the warning banner can be created as follows:

    # /bin/mkdir -p /etc/banners
    # /bin/echo "This system is for restricted users" > /etc/banners/prototype
    # cd /etc/banners ; /usr/bin/make -f /usr/share/doc/tcp_wrappers-7.6/Banners.Makefile

    Deny everything that is not explicitly allowed:

    # echo 'ALL: ALL: spawn (/bin/echo -e "`/bin/date`\n%c attempted connection to %s and was denied" | /bin/mail -s "Connection attempt to %s" root) &' > /etc/hosts.deny

    Any connection attempt not listed in hosts.allow will be denied, a message will be logged to the syslog auth facility, and an email will be sent to root.

    Allow access only to those that require it

    Edit hosts.allow and add a line for each service to which access should be allowed. A few examples are shown below:

    ALL: LOCAL : banners /etc/banners                        # All services from local clients
    sshd: 10.1.1.0/255.255.254.0 : banners /etc/banners      # SSH from these host IP addresses

    Secure xinetd

    Xinetd should be removed from workstations. If present, there should be one file in the /etc/xinetd.d directory for each service. To control access to a service, find the file with the service name and add the following line between the { }:

    only_from = 10.1.1.0/23      # allow connections from host IP addresses between 10.1.1.0 and 10.1.2.0

    Disable X Windows (Servers Only)

    The following command configures the system to boot to run level 3 (multi-user mode with no X) instead of run level 5 (with X) and saves the original /etc/inittab as /etc/inittab.bak:

    # /usr/bin/perl -p -i.bak -e 's/id:5:init/id:3:init/' /etc/inittab

    Updates and Patches

    Up2date: http://www.redhat.com/docs/manuals/RHNetwork/refguide/

    The Red Hat Network Daemon rhnsd (RedHat only) connects to the Red Hat server every 120 minutes to check for available package updates.

    Autorpm (http://www.autorpm.org) is an alternative to up2date:

    # /bin/rpm -i autorpm-2.9.3-1.noarch.rpm

    When registering the system with the Red Hat Network you will be prompted for a username and password. (RedHat only)

    # /usr/sbin/rhn_register

    Verify Setup by Manually Checking for Updates (RedHat only)

    # /usr/sbin/up2date --nox -p      (updates the package profile associated with this system on the RedHat server)
    # /usr/sbin/up2date --nox -u      (downloads and installs packages for updates)

    Configure rhnsd to start when the system boots:

    # /sbin/chkconfig rhnsd on
    # /etc/init.d/rhnsd start

    Modify the /etc/autorpm.d/redhat-updates.conf file

    RPM packages that fail the signature check are placed in an interactive queue. To prevent these suspect RPM packages from getting accidentally installed later, the following line should be added after the line PGP_Require (Yes);

    PGP_Fail_Install (No);

    Any update for an RPM package that is on the mirror site but has no earlier version already installed on the system will be added to the interactive queue. To prevent this, underneath the action (new) stanza change the line

    Install (Interactive);

    to

    Install (No);

    Verify Setup by Manually Checking for Updates

    Running

    # autorpm --auto

    without further arguments will download Term::ReadLine::Gnu. Run

    # autorpm --auto

    again to check for updates. Binaries will be downloaded and installed. When the prompt returns, issue the following command:

    # autorpm install all

    An entry in the /etc/cron.daily directory is added by default to enable checking for updates.

    File System Security

    Secure File System Mount Options

    Make the following edits to the /etc/fstab file. Mount the /usr partition as read-only. Most of the executable commands on the system are located in the /usr file system; mounting it read-only is a good way to protect against trojaned binaries being installed.

    LABEL=/usr     /usr           ext3    ro              1 2

    The /usr file system will have to be remounted read-write before applying most RPM upgrades (including any scheduled to be applied by update agents like up2date or autorpm):

    # mount -o remount,rw /usr

    After installation, the partition can be mounted read-only again with the following:

    # mount -o remount,ro /usr

    To prevent SUID or device files from being introduced to the system by removable media, add the nosuid and nodev options to the lines for all removable media (e.g. floppy, cdrom):

    /dev/fd0       /mnt/floppy    ext3    nosuid,nodev    1 2
    /dev/cdrom     /mnt/cdrom     ext3    nosuid,nodev    1 2

    File systems that contain home directories should also have the nosuid and nodev options set:

    LABEL=/home    /home          ext3    nosuid,nodev    1 2
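An added check for the mount options above (example code written for this page, not part of the original guide): it reads fstab-style lines and reports /usr entries without ro and /home or /mnt/* entries without nosuid and nodev. The function names and both fstab samples are my own constructions; call audit_fstab real_fstab to check the host's /etc/fstab.

```shell
#!/bin/sh
# Added example (not from the original guide): audit fstab mount options
# against the recommendations of this section. Reads entries from a function
# so it runs offline against constructed fstab text.

# Constructed fstab with the default (weak) options.
sample_fstab() {
    cat <<'EOF'
# device        mount point    type     options          dump pass
LABEL=/         /              ext3     defaults         1 1
LABEL=/boot     /boot          ext3     defaults         1 2
LABEL=/usr      /usr           ext3     defaults         1 2
LABEL=/home     /home          ext3     defaults         1 2
LABEL=/var      /var           ext3     defaults         1 2
/dev/fd0        /mnt/floppy    auto     noauto,owner     0 0
/dev/cdrom      /mnt/cdrom     iso9660  noauto,owner,ro  0 0
EOF
}

# The same entries with the options this section recommends.
hardened_fstab() {
    cat <<'EOF'
LABEL=/         /              ext3     defaults                      1 1
LABEL=/boot     /boot          ext3     defaults                      1 2
LABEL=/usr      /usr           ext3     ro                            1 2
LABEL=/home     /home          ext3     nosuid,nodev                  1 2
LABEL=/var      /var           ext3     defaults                      1 2
/dev/fd0        /mnt/floppy    auto     noauto,owner,nosuid,nodev     0 0
/dev/cdrom      /mnt/cdrom     iso9660  noauto,owner,ro,nosuid,nodev  0 0
EOF
}

# The host's real fstab (only used when passed explicitly).
real_fstab() {
    cat /etc/fstab
}

# has_opt OPTIONS NAME: true when NAME appears in the comma-separated list.
has_opt() {
    case ",$1," in
        *,"$2",*) return 0 ;;
    esac
    return 1
}

# audit_fstab [source]: one line per missing option, nothing when compliant.
audit_fstab() {
    src="${1:-sample_fstab}"
    "$src" | while read -r dev mnt fstype opts rest; do
        case "$dev" in ''|'#'*) continue ;; esac   # skip blanks and comments
        case "$mnt" in
            /usr)
                has_opt "$opts" ro || printf '%s: expected ro\n' "$mnt" ;;
            /home|/mnt/*)
                for o in nosuid nodev; do
                    has_opt "$opts" "$o" || printf '%s: missing %s\n' "$mnt" "$o"
                done ;;
        esac
    done
}

# fstab_finding_count [source]: number of findings, 0 when compliant.
fstab_finding_count() {
    audit_fstab "$@" | awk 'END { print NR }'
}

# Stand-alone run over the constructed sample.
audit_fstab
```

Only the mount point decides which rule applies, so an entry for a USB stick mounted under /mnt is checked the same way as the floppy and CD-ROM lines above.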

    Restricting Access to Administrative Utilities

    Issue the following command to remove read, write and execute permissions for users that do not own the files from all files in these directories (/sbin/consoletype is excluded because the login scripts in /etc/profile.d run it for every user):

    # /bin/chmod -R o-rwx /usr/sbin $(ls /sbin/* | grep -v consoletype)

    SUID Permissions for Executable Programs

    To see a list of all the files with SUID or SGID permissions:

    # /usr/bin/find /bin /usr/bin -type f \( -perm -04000 -o -perm -02000 \) -ls

    Remove the SUID and SGID permissions from files that do not require them by setting the permissions on each file to 755:

    # /bin/chmod 755 /bin/mount /bin/mount /bin/ping /usr/bin/chfn /usr/bin/chsh /usr/bin/chage

    Remove compiler packages from workstations and servers not used for development:

    # /bin/rpm -e cpp gcc gcc-c++ gcc-g77

    Logging

    Syslog

    If possible store syslog on a remote machine; an intruder would then have to compromise both the system itself and the remote logging server to tamper with the logs.

    Reload the syslogd config file:

    # /etc/init.d/syslog restart

    Ensure that syslogd runs on boot:

    # /sbin/chkconfig --level 2345 syslog on

    logrotate.d

    /etc/logrotate.conf contains the default options for rotating log files.

    The log rotation times can be changed to lengthen the life of the log files. Be warned that logs can get quite large, so one must monitor the log size so that it does not get out of hand.

    Logwatch

    Use logwatch to monitor logs and have emails sent to the root user in light of unexpected activities. Simply change the email address in the /etc/log.d/logwatch.conf file.

    ntpd

    Rather than rely on the system clock alone, you should configure the Network Time Protocol server daemon to synchronize the system clock with three public NTP servers. NTP servers can be located at http://www.eecis.udel.edu/~mills/ntp/servers.html

    Get permission from the admins of these servers, then edit /etc/ntp.conf and replace the loopback address with, for example:

    server 10.0.0.1    # IP address of public server 1
    server 10.0.0.2    # IP address of public server 2
    server 10.0.0.3    # IP address of public server 3

    Ensure that the NTP daemon is reloaded:

    # /etc/init.d/ntpd restart

    Ensure that ntpd is configured to start automatically on boot:

    # /sbin/chkconfig --level 2345 ntpd on

    Scheduler Security

    Restrict cron and at by editing /etc/cron.allow and /etc/at.allow. Root always has access to create cron and at jobs. Create the cron.allow file as root:

    $ su
    # echo root > /etc/cron.allow

    Make sure that the scheduled task to run is permitted for that user.


    Web Security

    Ensure that only necessary modules are installed in your Apache web server.

    Remove the Distributed Authoring and Versioning (DAV) module. It enables modifications to files on the web server from a client browser.

    Apache Configuration File (the following section pertains to httpd.conf)

    /etc/httpd/conf/httpd.conf

    Comment out unused modules, such as the following:

    mod_autoindex   provides directory listings and gives away too much info to hackers
    mod_include     unless you use server-side includes you should disable this
    mod_info        allows a client to visit a URL and get info about the server running
    mod_status      allows a client to view server status from a URL
    mod_userdir     allows users to serve pages from a directory within their home directory

    Modification to the default Directory Access Permissions

    Change the stanza that controls access permissions:

    Original                          Modified
    Options FollowSymLinks            Options None
    AllowOverride none                AllowOverride None
                                      Order allow,deny
                                      Deny from all

    The modified version does not allow symbolic links to be followed on the file system.

    Modification to the default Root Access Permissions

    Original                          Modified
    Options Indexes FollowSymLinks    Options SymLinksIfOwnerMatch
    AllowOverride None                AllowOverride None
    Order allow,deny                  Order allow,deny
    Allow from all                    Allow from all

    The original configuration will show a visitor a directory listing for any directory in the document root without an index.html. The modified option prevents the server from following any links that may be created by other users to areas outside the document root. If multiple users need access to files beneath the web server document root, AllowOverride AuthConfig can be used in place of AllowOverride None and a separate .htaccess file can be used to authenticate user access.

    To remain anonymous as to the server version and configuration, we can change the signature in httpd.conf that would normally be attached to server-generated pages:

    ServerSignature Off

    We can also remove strings from the HTTP header that is returned to clients in response to their requests. This includes the name, version and modules loaded on startup:

    ServerTokens Prod

    The email address of the web server administrator can also be displayed on server-generated pages. This should be changed to a fake email address:

    ServerAdmin foo@localhost

    CGI Bin

    CGI programs are a common attack target where available; these days many companies disable their use altogether. References to the CGI bin and modules should be commented out, starting with:

    #LoadModule cgi_module modules/mod_cgi.so

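An added audit for the httpd.conf items of this section (example code written for this page, not part of the original guide or of Apache): an awk pass that flags ServerTokens other than Prod, ServerSignature other than Off, any of the modules listed above (plus cgi and dav) still loaded, and Options Indexes or FollowSymLinks inside a Directory block. The function names and both configuration samples are my own constructions; use audit_httpd_conf real_httpd_conf on a host.

```shell
#!/bin/sh
# Added example (not from the original guide): audit an httpd.conf for the
# settings this section changes. Reads the config from a function so it runs
# offline against a constructed fragment.

# Constructed httpd.conf fragment with the stock (weak) settings.
sample_httpd_conf() {
    cat <<'EOF'
ServerTokens OS
ServerSignature On
ServerAdmin webmaster@example.com
LoadModule cgi_module modules/mod_cgi.so
LoadModule autoindex_module modules/mod_autoindex.so
#LoadModule status_module modules/mod_status.so
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
EOF
}

# The same fragment after applying the section's changes.
hardened_httpd_conf() {
    cat <<'EOF'
ServerTokens Prod
ServerSignature Off
ServerAdmin foo@localhost
#LoadModule cgi_module modules/mod_cgi.so
#LoadModule autoindex_module modules/mod_autoindex.so
#LoadModule status_module modules/mod_status.so
<Directory />
    Options None
    AllowOverride None
    Order allow,deny
    Deny from all
</Directory>
<Directory "/var/www/html">
    Options SymLinksIfOwnerMatch
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
EOF
}

# The host's real config (only used when passed explicitly).
real_httpd_conf() {
    cat /etc/httpd/conf/httpd.conf
}

# audit_httpd_conf [source]: prints one finding per line; nothing when clean.
audit_httpd_conf() {
    src="${1:-sample_httpd_conf}"
    "$src" | awk '
        /^[ \t]*#/ { next }                  # a commented-out LoadModule is fine
        /^[ \t]*<Directory/ { ctx = $2; gsub(/["<>]/, "", ctx) }
        $1 == "ServerTokens"    && $2 != "Prod" { print "ServerTokens " $2 " (want Prod)" }
        $1 == "ServerSignature" && $2 != "Off"  { print "ServerSignature " $2 " (want Off)" }
        $1 == "LoadModule" && $2 ~ /^(cgi|autoindex|include|info|status|userdir|dav)_module$/ {
            print "module loaded: " $2
        }
        $1 == "Options" {
            for (i = 2; i <= NF; i++)
                if ($i == "Indexes" || $i == "FollowSymLinks")
                    print "Options " $i " in <Directory " ctx ">"
        }
    '
}

# httpd_finding_count [source]: number of findings, 0 when clean.
httpd_finding_count() {
    audit_httpd_conf "$@" | awk 'END { print NR }'
}

# Stand-alone run over the constructed sample.
audit_httpd_conf
```

The Directory context is tracked only by the most recent opening tag, which is enough for the flat stanzas shown in this section; the check is a quick review aid, not a replacement for reading the full configuration.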

    File Permissions in the Document Root

    Write permission on any file or directory being served by the web server should be removed, or it leaves an open door to defacements. The user and group that the web server process runs under are defined in the httpd.conf file. You should identify all the directories served by the web server and look for any files on which the owner of the web server process has write permission. These commands should return nothing:

    # /usr/bin/find /var/www/html -user apache -perm +202 -exec ls -ld {} \;
    # /usr/bin/find /var/www/html -group apache -perm +022 -exec ls -ld {} \;

    Email Security

    Sendmail should be upgraded to the most stable current release, at least 8.12.5, to secure against a theoretical buffer overflow vulnerability.

    Disable the sendmail daemon on all workstations. Edit /etc/sysconfig/sendmail with:

    DAEMON=no
    QUEUE=15m

    Then restart the daemon:

    # /etc/rc.d/init.d/sendmail restart

    File and Print Security

    SCP and SFTP

    The need for remote file-transfer and command-line control sessions is of paramount importance to Unix administration. For many years, however, only protocols such as FTP, Telnet and RSH were available. These protocols transmitted not only the data of the session but the authentication information as well in clear text over the network. The advent of the Secure Shell (SSH) protocol introduced a much-welcomed answer to this problem, providing complete encryption of both command-line and data transfer sessions using strong encryption algorithms. Particularly welcome has been the recent development of OpenSSH, a spin-off of the OpenBSD project, which has helped bring this protocol into wider use with its open-source implementation that compiles on any number of different Unix platforms. The scp and sftp commands do an excellent job of replacing their non-encrypted counterparts, emulating the command-line switches and options so well that in most cases scp in particular can simply be used as a drop-in replacement for rcp. Configure servers so that sftp sessions are as secure as possible, including the use of chroot to jail the users' file-transfer sessions, by patching the SSH source code. Unfortunately, the patch currently does not work for scp, but chrooted and non-chrooted users can exist side by side.

    Red Hat, even with the most current patches, does not always offer the latest SSH build, so it will be necessary to get the portable distribution of OpenSSH from the OpenSSH team (http://www.openssh.com).

    This manual will not go into the details of how to build an SSH server or chrooting the server. A future manual will delve into the construction of any distribution of broad network services.

    Securing WU-FTPd

    WU-FTPd is a fairly secure FTP program and is freely available. It should be used in place of clear-text FTP. It ships by default with RedHat 7.3.

    In order to properly secure WU-FTPd we need to tweak the FTP configuration file, /etc/ftpaccess. We start by not allowing system accounts to log in over FTP:

    # allow-uid ftp
    # allow-gid ftp

    Chroot all users by default:

    guest-user *

    Because we have already chrooted all users by default, we don't need to explicitly chroot a group:

    # guestgroup ftpchroot

    Set the email address (the address itself is elided on this page):

    email <admin-address>

    Permit only two failed logins before termination:

    loginfails 2

    Change the welcome message to something controllable:

    message /.ftpwelcome.msg

    Do not allow on-the-fly compression and tarring:

    compress no all
    tar no all

    Prevent certain actions from anonymous or guest users. Explicitly list permissions:

    umask no real,guest,anonymous
    delete yes real,guest
    overwrite yes real,guest
    rename yes real,guest

    Log commands and transfers to and from the server:

    log commands real,guest,anonymous
    log transfers anonymous,real,guest inbound,outbound

    Mark certain files as non-retrievable:

    noretrieve .notar
    noretrieve .ftpwelcome.msg

    Set a secure path filter to weed out evil file names:

    path-filter guest,anonymous /etc/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-

    Remove the server version from the greeting:

    greeting terse

    Use secure default umasks for everyone:

    defumask 0377
    defumask 0177 real
    defumask 0133 guest

    Networking / Remote Administration

    o Remove all .rhosts files (used by rsh/rlogin/rcp); find them with: find /home -name .rhosts -print

    o If using NFS (not recommended), export all NFS file systems with the most restrictive access in /etc/exports (nodev, nosuid, noexec). Be sure to filter TCP port 111 and UDP port 111 (portmapper), TCP port 2049 and UDP port 2049 (nfsd) on the firewall if using NFS.

    o Files in /var/log, /var/log/wtmp and /var/run/utmp (which contain login records) should have 644 permissions. wtmp logs the login status info of the following:

      Type of login
      Process ID of the login process
      Device name of the tty
      Init ID or abbreviated tty name
      User name
      Hostname for remote login
      Exit status of the process
      Time the entry was made
      IP address of the remote host

    o utmp is consulted for currently logged in users.

    o Install Cryptographic IP Encapsulation (CIPE) to communicate with other hosts.

    Services

    o The following services should not be installed, or should be disabled:

      NFS/NIS (any RPC service), or at least use NIS+ over NIS
      Printer services (lpd)
      Telnet
      R* services
      FTP server (use HTTP, scp, SFTP)
      BIND
      Mail Transfer Agents (sendmail, exim, postfix, qmail)

    o Check /etc/rc.d/rc[0-9].d for symbolic links to services that will not be used. Links can be disabled by changing the upper case S (for Start) to a lower case s. Stop services as root with /etc/init.d/servicename stop. After disabling a service in inetd.conf (with #), restart inetd: /etc/init.d/inetd restart. Get a list of the start scripts with ls -l /etc/init.d/ | less

    o You can get a quick list of enabled xinetd services with grep disable /etc/xinetd.d/* | grep no. Disable xinetd services from running by changing the listing in the service's xinetd configuration to disable = yes

    o Comment out unused services in /etc/inetd.conf rather than removing them, in case one might need them at some time.

    o Disable identd for specific users (.noident file). It can be removed altogether unless you are building an IRC server.

    o Remove /etc/hosts.equiv

    File and System Permissions

    o Use ls -al to see all file permissions.

    o Remove all suid/sgid bits (chmod g+s activates sgid) on executables and system files found in non-root home directories. A favorite technique of hackers is to exploit this by placing suid programs on the server to be executed. To find them all: find / -type f \( -perm -04000 -o -perm -02000 \)

    o Remove unnecessary setuid and setgid bits. Find the ones present by typing: find / -type f -perm +6000

    o Configure umask with restrictive access. Typical settings are 022, 027, and 077 (most restricted). It is set in /etc/profile. The default in RedHat is 022. Root's umask should be 077. Find the value by subtracting the desired permissions from 777.

    o Set file system limits in /etc/pam.d/limits.conf (RH, Deb). Restrict the number of processes to 50 and usage per user to 5M.

    o Find all world-writable system files and restrict where necessary. Find them with: find / -perm -2 ! -type l -ls. Add the sticky bit to the file permissions with chmod +t to make deletion or modification of the file possible for the creator only.

    o Find all unowned files, which may indicate a compromise, with: find / \( -nouser -o -nogroup \) -print

    o System configuration files (/etc) should be 640.

    o Install the Cryptographic File System (CFS) or Transparent Cryptographic File System (TCFS) for encrypting folder trees where secure users can store files.
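The SUID/SGID and world-writable searches from the "SUID Permissions for Executable Programs" section and from the bullets above, as one added example (code written for this page, not part of the original guide): the find expressions and the chmod clean-up run over a constructed directory tree in a temp directory, so they can be seen working without touching system files. The function names and the sample files are my own; point the functions at / (as root) for a real audit.

```shell
#!/bin/sh
# Added example (not from the original guide): SUID/SGID and world-writable
# file searches plus the guide's remediation, run over a constructed tree.

# Builds a temp tree with one setuid file, one setgid file, one world-writable
# file and one ordinary file; prints the tree's path.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/bin" "$dir/home/alice"
    : > "$dir/bin/normal";           chmod 0755 "$dir/bin/normal"
    : > "$dir/bin/suidtool";         chmod 4755 "$dir/bin/suidtool"
    : > "$dir/home/alice/sgidtool";  chmod 2755 "$dir/home/alice/sgidtool"
    : > "$dir/home/alice/notes";     chmod 0666 "$dir/home/alice/notes"
    printf '%s\n' "$dir"
}

# find_setuid_setgid ROOT: regular files with the SUID or SGID bit, names only, sorted.
find_setuid_setgid() {
    find "$1" -type f \( -perm -04000 -o -perm -02000 \) | sed 's#.*/##' | sort
}

# find_world_writable ROOT: world-writable regular files (symlinks excluded), names only.
find_world_writable() {
    find "$1" -perm -2 ! -type l -type f | sed 's#.*/##' | sort
}

# strip_setuid_setgid ROOT: the guide's remediation (mode 755) applied to
# every SUID/SGID file under ROOT.
strip_setuid_setgid() {
    find "$1" -type f \( -perm -04000 -o -perm -02000 \) -exec chmod 755 {} \;
}

# remove_world_write ROOT: drop the other-write bit from world-writable files.
remove_world_write() {
    find "$1" -perm -2 ! -type l -type f -exec chmod o-w {} \;
}

# Stand-alone demonstration: report, remediate, report again.
t=$(make_sample_tree)
echo "SUID/SGID before:";       find_setuid_setgid "$t"
echo "world-writable before:";  find_world_writable "$t"
strip_setuid_setgid "$t"; remove_world_write "$t"
echo "SUID/SGID after: $(find_setuid_setgid "$t" | awk 'END { print NR }') file(s)"
echo "world-writable after: $(find_world_writable "$t" | awk 'END { print NR }') file(s)"
rm -rf "$t"
```

On a real system the report step should be reviewed before the remediation step is run, since some binaries (the guide's own list leaves out those that need it, such as su and passwd) rely on their SUID bit to work.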

    System Administration/Logging

    o Allow only tty and vty terminals for root and trusted users.

    o Secure /usr/sbin/syslogd from tampering. Look at /etc/syslog.conf to see where logging is going. Download a syslog encryption daemon to transfer log info to a central and secure location. View /var/log/messages for the default logs.

    o /etc/shutdown.allow should be used to prevent someone from rebooting the machine. It contains a list of users authorized to reboot the machine and is consulted when the Ctrl-Alt-Del keys are pressed.

    o Use xlock and vlock to lock a workstation.

    o If possible configure tools to run chrooted, a chroot jail for privileged services such as Apache, so that an attacker does not attain root privilege on the real OS.

    o Delete unnecessary binary packages: /bin/rpm -e (if RedHat)


    X11

    o Secure X displays by having users log in to the terminal through MIT-MAGIC-COOKIE-1, a 128-bit cookie stored in the .Xauthority file. Use xauth for remote users. Or use xdm to log in to the console and use ssh to go to

    Kernel

    o Download and install the secure Linux kernel from NSA.gov: http://www.nsa.gov/selinux/download.html

    o Process accounting is enabled in most newer builds of the kernel and should be consulted for kernel-level functions.

    Quick Tips: Auditing/Firewall/Scan Utilities Check List

    Use IPTables; otherwise enable TCP Wrappers (tcpd) to restrict access to TCP services. Create a /etc/hosts.allow file and add only the allowed hosts, e.g. ALL: 127. Create /etc/hosts.deny and put ALL: ALL in it. TCP Wrappers only protects inetd services. Use netstat -ta to see all services offered (netstat -tap | grep LISTEN). Record changes with output to a file (netstat -tap | grep LISTEN > ~/services.lst).

    Install Tripwire for system integrity. Make sure to write down the passphrases and keep them secret.

    Use SAINT or Nessus to port scan your machine to see where it is vulnerable.

    Install OpenPGP for email (or S/MIME), key transfer and secure hard-drive erasing. Install SSL (S-HTTP) for all HTTP requests.

    Shut off Telnet and put OpenSSH in its place.

    Install IPTables/Netfilter as the firewall (for the advantages of IPTables over IPChains and IPFWAdm go to

    Run Internet Security Scanner (ISS) and System Security Scanner (S3).

    Freeware Utilities

    o SWATCH: The Simple Watcher is a popular open source log monitoring and alerting utility. Swatch is designed to monitor your log files against a set of configurable signatures. When Swatch detects an event, it can alert the system admin via console, a sound, or an email. Swatch can also be used to filter old log files for activity.

    o IPTables: The netfilter/iptables project is the Linux 2.4.x/2.5.x firewalling subsystem. It delivers packet filtering (stateless or stateful), all kinds of NAT (Network Address Translation) and packet mangling. Iptables is the replacement for the userspace tool ipchains in the Linux 2.4 kernel and beyond. It is part of the kernel-space netfilter project. Iptables has many more features than ipchains and is also structured more sensibly.

    o Tripwire: Tripwire is a tool that checks to see what has changed on your system. The program monitors key attributes of files that should not change, including binary signature, size, expected change of size, etc. Tripwire is originally known as an intrusion detection tool, but can be used for many other purposes such as integrity assurance, change management, policy compliance and more.

    o John the Ripper: John the Ripper is a freeware password auditing or cracking utility. John the Ripper attempts to brute force the passwords in the passwd and shadow files, making use of dictionaries and its knowledge of common password creation techniques.

    o Bastille: A Linux hardening application that provides novice and experienced users a way to automate many of the security settings that have been covered in this guide. Bastille provides both a command line and GUI format for users. Bastille walks the user through an interactive questionnaire to determine which settings should be turned on and what the ramifications are for making those changes.

    o NMAP: A freeware reconnaissance utility, typically used as a port mapper utility, sending packets to hosts with various settings to determine which ports are open on a device. NMAP can also be used as an operating system reconnaissance tool, since NMAP has the ability to send packets to a host and, based on the response to those packets, determine which operating system the host is running.

    o NESSUS: A freeware vulnerability assessment tool, Nessus works on a client/server based technology. The server side contains the vulnerability database and the engine that actually performs the vulnerability assessment. The client connects to the server to configure the settings for the vulnerability assessment. Nessus can provide reports in a number of different formats including its native GUI format, HTML, and ASCII.
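    The SWATCH entry above describes matching log files against configurable signatures and raising alerts. As an added example (not Swatch's own code, and not part of the original guide), the following sh/awk script does the same on a small scale: signatures are "regex|label" lines, matching lines are tagged and counted, and sources with repeated SSH authentication failures are reported. The syslog lines and signatures are constructed sample data.

```shell
#!/bin/sh
# Added example (not Swatch's own code): a Swatch-style log watcher in plain
# sh/awk. Signatures are "regex|label" lines; matching log lines are tagged,
# tagged lines are counted per label, and repeated SSH failures per source
# address are reported as a simple brute-force indicator.

# Constructed sample syslog lines (not from a real host).
SAMPLE_LOG='Apr  6 10:01:12 host sshd[812]: Failed password for root from 10.0.0.9 port 4022 ssh2
Apr  6 10:01:15 host sshd[812]: Failed password for root from 10.0.0.9 port 4023 ssh2
Apr  6 10:01:20 host sshd[812]: Accepted password for alice from 10.0.0.7 port 4100 ssh2
Apr  6 10:01:40 host sshd[812]: Failed password for alice from 10.0.0.7 port 4101 ssh2
Apr  6 10:02:01 host su(pam_unix)[930]: session opened for user root by alice(uid=500)
Apr  6 10:02:30 host kernel: Oops: 0000 [#1]'

# Constructed signature set: an awk regex, then a label, separated by "|".
SIGNATURES='Failed password for|ssh_auth_failure
session opened for user root|su_to_root
kernel: Oops|kernel_oops'

# match_signatures SIGFILE: stdin = log lines; stdout = "label<TAB>line" per hit.
match_signatures() {
    awk -v sigfile="$1" '
        BEGIN {
            while ((getline s < sigfile) > 0) {
                split(s, f, "|"); re[++n] = f[1]; lab[n] = f[2]
            }
        }
        { for (i = 1; i <= n; i++) if ($0 ~ re[i]) print lab[i] "\t" $0 }
    '
}

# alert_counts: stdin = match_signatures output; stdout = "label count", sorted by label.
alert_counts() {
    cut -f1 | LC_ALL=C sort | uniq -c | awk '{ print $2, $1 }'
}

# repeated_failures N: stdin = log lines; stdout = "source count" for every
# source address with at least N "Failed password" lines.
repeated_failures() {
    grep 'Failed password' | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | LC_ALL=C sort | uniq -c | awk -v t="$1" '$1 >= t { print $2, $1 }'
}

# demo_alert_counts: tag and count the constructed log with the constructed signatures.
demo_alert_counts() {
    tmp=$(mktemp)
    printf '%s\n' "$SIGNATURES" > "$tmp"
    printf '%s\n' "$SAMPLE_LOG" | match_signatures "$tmp" | alert_counts
    rm -f "$tmp"
}

# demo_repeated_failures: sources with two or more failures in the constructed log.
demo_repeated_failures() {
    printf '%s\n' "$SAMPLE_LOG" | repeated_failures 2
}

demo_alert_counts
demo_repeated_failures
```

    To run this against a live system, feed `tail -f /var/log/messages` into match_signatures and pipe its output to whatever alert channel you use; the label column is what a pager or mail rule keys on.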

    Useful Links

    How-Tos and References for this manual:

    o SANS Step-by-Step Series, Securing Linux: A Step-by-Step Survival Guide, David Koconis, Jim Murray, Jos Purvis, Darrin Wassom

    o Hacking Exposed, 3rd Edition: Network Security Secrets and Solutions, Stuart McClure, Joel Scambray, George Kurtz

    o http://www.linuxsecurity.com/docs/LDP/SecurityQuickstartHOWTO/index.html

    o http://www.linuxsecurity.com/docs/LDP/SecurityHOWTO/


    o http://www.linuxsecurity.com/docs/SecurityAdminGuide/SecurityAdminGuide.html

    o http://www.linuxsecurity.com/docs/PDF/SecuringOptimizingLinuxRHEdition1_3.pdf


    o http://en.tldp.org/HOWTO/IPMasqueradeHOWTO/iptablesvsipchainsvsipfwadm.html

    o ftp://sunsite.unc.edu:/pub/Linux/system/admin/accounts/acct1.3.73.tar.gz

    Security Resources

    o SANS http://www.sans.org

    o Linux Security http://www.linuxsecurity.com

    o Security Focus http://www.securityfocus.org

    o Hacking Linux Exposed http://www.hackinglinuxexposed.com/articles/20021015.html

    o CERT http://www.cert.org

    Firewall Resources:

    o http://www.linuxfirewalltools.org

    o http://www.firestarter.sourceforge.net

    o http://www.fwbuilder.org

    o http://www.stearnes.org/mason

    Red Hat Resources

    o Red Hat http://www.redhat.com

    o Red Hat Advisories http://rhn.redhat.com/errata/rh73errata.html

    Third Party Resources

    o APACHE http://httpd.apache.org

    o APACHE MODS http://httpd.apache.org/docs/mod/

    o AUTORPM http://www.autorpm.org

    o BASTILLE http://www.bastillelinux.org

    o EXIM http://www.exim.org


    o IMAP Connection http://www.imap.org

    o IPTABLES http://www.iptables.org

    o John the Ripper http://www.openwall.com/john

    o Logwatch http://www.logwatch.org

    o NESSUS http://www.nessus.org

    o NMAP http://www.nmap.org

    o NTP http://www.cis.udel.edu/~ntp

    o OPENSSH http://www.openssh.com

    o OPENPGP http://www.openpgp.org

    o PSIONIC TRISENTRY http://www.psionic.com

    o POSTFIX http://www.postfix.org

    o QMAIL http://www.qmail.org

    o QPOPPER http://www.eudora.cm/qpopper

    o SAINT http://www.saintcorporation.com

    o SAMBA http://www.samba.org

    o SENDMAIL http://www.sendmail.org

    o SNMP http://www.snmplink.org

    o SNORT http://www.snort.org

    o SWATCH http://www.oit.ucsb.edu/~eta/swatch

    o Time Servers http://www.eecis.udel.edu/~mills/ntp/servers.html

    o TRIPWIRE http://www.tripwire.org

    o WUFTP http://www.wuftpd.org

    o XINETD http://www.xinetd.org

    Black and White Hat Security Resources

    o AstalaVista http://www.astalavista.com

    o Hacktivismo http://hacktivismo.com/news/modules.php?name=Content&pa=showpage&pid=12/

    o Cult of the Dead Cow http://www.cultdeadcow.com/main.php3

    o Phrack http://www.phrack.org

    o 2600 magazine http://www.2600.com

    o Apocalypse http://www.apocalypseonline.com/security/exploits/exploits.asp?exp_category=Slackware


    o Security Tool Review http://www.securitytoolreview.com

    o Foundstone http://www.foundstone.com

    o F.I.R.E. http://fire.dmzs.com/?section=tools

    o Honeypots http://www.trackinghackers.com

    o AntiHacker ToolKit http://www.antihackertoolkit.com/tools