This article was copied from http://www.linuxgazette.com/issue58/sharma.html. I do not use this, nor have I tried it; use at your own risk.
In this article I will explain how to make your Linux box secure by taking basic security measures. It will enable anybody to tighten the security of a Red Hat Linux box.
BIOS Security
Always set a BIOS password and disallow booting from floppy in the BIOS settings. This blocks undesired people from trying to boot your Linux system with a special boot disk, and protects you from people trying to change BIOS features such as allowing boot from the floppy drive or booting the server without a password prompt.
LILO Security
Add the three parameters time-out, restricted and password to the "/etc/lilo.conf" file. These options make the boot loader ask for a password if boot-time options (such as "linux single") are passed to it.
Step 1
Edit the lilo.conf file (vi /etc/lilo.conf) and add or change the three options:
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
time-out=00          # change this line to 00
prompt
default=linux
restricted           # add this line
password=<password>  # add this line and put your password
image=/boot/vmlinuz-2.2.14-12
label=linux
initrd=/boot/initrd-2.2.14-12.img
root=/dev/hda6
read-only
Step 2
The "/etc/lilo.conf" file should be readable only by root, because it contains an unencrypted password.
[root@kapil /]# chmod 600 /etc/lilo.conf
(The file is no longer world readable.)
Step 3
Run lilo so that the change to "/etc/lilo.conf" takes effect:
[root@kapil /]# /sbin/lilo -v
Step 4
One more measure you can take to secure the "/etc/lilo.conf" file is to set it immutable, using the chattr command.
* To set the file immutable, simply use the command:
[root@kapil /]# chattr +i /etc/lilo.conf
This will prevent any changes (accidental or otherwise) to the "lilo.conf" file.
For more information about LILO security, read my article on LILO.
Disable all special accounts
You should delete all default user and group accounts that you don't use on your system, such as lp, sync, shutdown, halt, news, uucp, operator, games and gopher.
To delete a user account:
[root@kapil /]# userdel lp
To delete a group:
[root@kapil /]# groupdel lp
Choose the right password
You should follow these guidelines when choosing a password.
Password length: the minimum acceptable password length by default when you install your Linux system is 5. This is not enough and must be 8. To change it, edit the login.defs file (vi /etc/login.defs) and change the line that reads:
Disable all console-equivalent access for regular users
You should disable all console-equivalent access to programs like shutdown, reboot and halt for regular users on your server. To do this, run the following command:
[root@kapil /]# rm -f /etc/security/console.apps/<servicename>
where <servicename> is the name of the program to which you wish to disable console-equivalent access.
Disable & uninstall all unused services
You should disable and uninstall all services that you do not use, so that you have one less thing to worry about. Look at your "/etc/inetd.conf" file and disable what you do not need by commenting it out (adding a # at the beginning of the line), then send your inetd process a SIGHUP so that it rereads the current "inetd.conf" file. To do this:
Step 1
Change the permissions on the "/etc/inetd.conf" file to 600, so that only root can read or write to it.
[root@kapil /]# chmod 600 /etc/inetd.conf
Step 2
ENSURE that the owner of the file "/etc/inetd.conf" is root.
Step 3
Edit the inetd.conf file (vi /etc/inetd.conf) and disable services like ftp, telnet, shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger and auth unless you plan to use them. If a service is turned off, it is much less of a risk.
Step 4
Send a HUP signal to your inetd process:
[root@kapil /]# killall -HUP inetd
Step 5
Set the "/etc/inetd.conf" file immutable, using the chattr command, so that nobody can modify that file.
* To set the file immutable, simply execute the following command:
[root@kapil /]# chattr +i /etc/inetd.conf
This will prevent any changes (accidental or otherwise) to the "inetd.conf" file. The only person who can set or clear this attribute is the super-user root. To modify the inetd.conf file you will need to unset the immutable flag:
* To unset the immutable flag, simply execute the following command:
[root@kapil /]# chattr -i /etc/inetd.conf
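As an added example (not from the original article), the script below comments out named services in an inetd.conf-style file the way Step 3 does by hand, so the change is repeatable and already-commented lines are left alone. The sample inetd.conf it writes is constructed, and the file path is a parameter.

```shell
#!/bin/sh
# Added example, not from the original article: comment out the named
# services in an inetd.conf-style file, as Step 3 above does by hand.
# Usage: disable_inetd_services FILE svc [svc...]
# A line is disabled when its first field is exactly the service name;
# blank lines, comments and other services are untouched, so running it
# twice does not double-comment anything.
disable_inetd_services() {
    conf="$1"; shift
    tmp="$conf.tmp.$$"
    cp "$conf" "$tmp"
    for svc in "$@"; do
        # Put "#" in front of a matching first field; the whitespace that
        # follows the name is kept so the columns still line up.
        sed "s/^\($svc[[:space:]]\)/#\1/" "$tmp" > "$tmp.new" && mv "$tmp.new" "$tmp"
        if grep -q "^#$svc[[:space:]]" "$tmp"; then
            echo "disabled: $svc"
        else
            echo "not found: $svc"
        fi
    done
    # Write back through the original file so its mode (600) is preserved
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# enabled_services FILE: print the services still active, one per line
enabled_services() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | awk '{print $1}'
}

# write_sample_inetd_conf FILE: a constructed Red Hat 6-style inetd.conf
write_sample_inetd_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real system file
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
#finger stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
auth    stream  tcp     wait    root    /usr/sbin/in.identd in.identd -l -e -o
EOF
}

# Demo: disable telnet and pop-3, then show what is still enabled.
# On a real system, follow up with: killall -HUP inetd
demo=$(mktemp -d)
write_sample_inetd_conf "$demo/inetd.conf"
disable_inetd_services "$demo/inetd.conf" telnet pop-3 finger
echo "still enabled:"; enabled_services "$demo/inetd.conf"
rm -rf "$demo"
```

On a live box the immutable flag from Step 5 must be cleared (chattr -i) before the script can write the file, and inetd must be sent HUP afterwards.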
TCP_WRAPPERS
By using TCP_WRAPPERS you can make your server more secure against outside intrusion. The best policy is to deny all hosts by putting "ALL: ALL@ALL, PARANOID" in the "/etc/hosts.deny" file and then explicitly list the trusted hosts that are allowed to reach your machine in the "/etc/hosts.allow" file. TCP_WRAPPERS is controlled from two files, consulted in this order, and the search stops at the first match:
/etc/hosts.allow
/etc/hosts.deny
Step 1
Edit the hosts.deny file (vi /etc/hosts.deny) and add the following lines:
# Deny access to everyone.
ALL: ALL@ALL, PARANOID
This means all services from all locations are blocked, unless they are permitted access by entries in the allow file.
Step 2
Edit the hosts.allow file (vi /etc/hosts.allow) and add, for example, the following line:
ftp: 202.54.15.99 foo.com
Here 202.54.15.99 is the IP address and foo.com the host name of one of your client machines that is allowed to use ftp.
Step 3
The tcpdchk program is the tcpd wrapper configuration checker. It examines your tcp wrapper configuration and reports all potential and real problems it can find.
* After your configuration is done, run the program tcpdchk:
[root@kapil /]# tcpdchk
Don't let the system issue file be displayed
You should not display your system issue file when people log in remotely. To do this, you can change the telnet option in your "/etc/inetd.conf". Change the line in "/etc/inetd.conf":
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
to look like:
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -h
Adding the "-h" flag on the end will cause the daemon not to display any system information and just present the user with a login: prompt. I would recommend using sshd instead.
Change the "/etc/host.conf" file
The "/etc/host.conf" file specifies how names are resolved. Edit the host.conf file (vi /etc/host.conf) and add the following lines:
# Lookup names via DNS first then fall back to /etc/hosts.
order bind,hosts
# We have machines with multiple IP addresses.
multi on
# Check for IP address spoofing.
nospoof on
The first option resolves the host name through DNS first and then through the hosts file. The multi option determines whether a host in the "/etc/hosts" file can have multiple IP addresses (multiple interfaces ethN). The nospoof option tells the resolver not to permit spoofing on this machine: after looking up an address it looks up the host name for that address again, and fails the query if the two do not agree.
Immunize the "/etc/services" file
You must immunize the "/etc/services" file to prevent unauthorized deletion or addition of services.
* To immunize the "/etc/services" file, use the command:
[root@kapil /]# chattr +i /etc/services
Disallow root login from different consoles
The "/etc/securetty" file lets you specify which TTY devices the "root" user is allowed to log in from. Edit the "/etc/securetty" file to disable any tty that you do not need by commenting it out (# at the beginning of the line).
Blocking anyone from using su to become root
The su (Substitute User) command allows you to become another existing user on the system. If you don't want anyone to su to root, or want to restrict the "su" command to certain users, then add the following two lines to the top of your "su" configuration file in the "/etc/pam.d/" directory.
Step 1
Edit the su file (vi /etc/pam.d/su) and add the following two lines to the top of the file:
auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=wheel
This means only members of the "wheel" group can su to root; it also includes logging. Add users to the group wheel so that only those users will be allowed to su to root.
Shell logging
The bash shell stores up to 500 old commands in the "~/.bash_history" file (where "~/" is your home directory) to make it easy for you to repeat long commands. Each user that has an account on the system will have this ".bash_history" file in their home directory. The bash shell should store fewer commands and delete the file when the user logs out.
Step 1
The HISTFILESIZE and HISTSIZE lines in the "/etc/profile" file determine how many old commands the ".bash_history" file for all users on your system can hold. I would highly recommend setting HISTFILESIZE and HISTSIZE in the "/etc/profile" file to a low value such as 30.
Edit the profile file (vi /etc/profile) and change the lines to:
HISTFILESIZE=30
HISTSIZE=30
This means the ".bash_history" file in each user's home directory can store 30 old commands and no more.
Step 2
The administrator should also add the line
rm -f $HOME/.bash_history
to the "/etc/skel/.bash_logout" file, so that each time a user logs out, their ".bash_history" file is deleted.
Edit the .bash_logout file (vi /etc/skel/.bash_logout) and add the following line:
rm -f $HOME/.bash_history
Disable the Control-Alt-Delete keyboard shutdown command
To do this, comment out (with a "#") the line listed below in your "/etc/inittab" file. Edit the inittab file (vi /etc/inittab) and change the line:
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
to read:
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
Now, for the change to take effect, type the following at a prompt:
[root@kapil /]# /sbin/init q
Fix the permissions of the script files under the "/etc/rc.d/init.d" directory
Fix the permissions of the script files that are responsible for starting and stopping all your normal processes that need to run at boot time. To do this:
[root@kapil /]# chmod -R 700 /etc/rc.d/init.d/*
This means only root is allowed to read, write and execute the script files in this directory.
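To re-check the settings from the LILO, inetd, TCP_WRAPPERS, su, Control-Alt-Delete and init.d sections in one pass, here is an added audit script (not from the original article). It takes an optional PREFIX so it can be exercised against a constructed tree, as the demo at the bottom does; the sample file contents are constructed, and stat -c is the GNU coreutils form.

```shell
#!/bin/sh
# Added example, not from the original article: re-check several of the
# settings described above. An optional PREFIX points the checks at a
# constructed tree (used by the demo below); run as root with no argument
# it audits the live system. Returns the number of failed checks.
ok()   { echo "OK   $1"; }
fail() { echo "FAIL $1"; fails=$((fails + 1)); }

audit_hardening() {
    prefix="${1:-}"; fails=0
    # lilo.conf and inetd.conf must be mode 600 (the article's chmod 600)
    for f in "$prefix/etc/lilo.conf" "$prefix/etc/inetd.conf"; do
        if [ "$(stat -c %a "$f" 2>/dev/null)" = 600 ]; then ok "$f is mode 600"; else fail "$f is not mode 600"; fi
    done
    # hosts.deny must carry the default-deny rule
    if grep -Eq '^[[:space:]]*ALL:[[:space:]]*ALL@ALL,[[:space:]]*PARANOID' "$prefix/etc/hosts.deny" 2>/dev/null
    then ok "hosts.deny denies by default"; else fail "hosts.deny lacks 'ALL: ALL@ALL, PARANOID'"; fi
    # /etc/pam.d/su must require wheel membership through pam_wheel.so
    if grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+[^[:space:]]*pam_wheel\.so' "$prefix/etc/pam.d/su" 2>/dev/null
    then ok "su restricted to the wheel group"; else fail "pam_wheel.so not required in /etc/pam.d/su"; fi
    # the Ctrl-Alt-Del line in inittab must be commented out or absent
    if grep -Eq '^[[:space:]]*ca::ctrlaltdel:' "$prefix/etc/inittab" 2>/dev/null
    then fail "Ctrl-Alt-Del reboot still enabled in inittab"; else ok "Ctrl-Alt-Del reboot disabled"; fi
    # init.d scripts must be mode 700 (the article's chmod -R 700)
    for s in "$prefix"/etc/rc.d/init.d/*; do
        [ -f "$s" ] || continue
        if [ "$(stat -c %a "$s")" = 700 ]; then ok "$s is mode 700"; else fail "$s is not mode 700"; fi
    done
    return "$fails"
}

# build_sample_tree DIR: a constructed tree with every setting hardened
build_sample_tree() {
    mkdir -p "$1/etc/pam.d" "$1/etc/rc.d/init.d"
    printf 'restricted\npassword=CHANGEME\n' > "$1/etc/lilo.conf"
    printf '#telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd\n' > "$1/etc/inetd.conf"
    chmod 600 "$1/etc/lilo.conf" "$1/etc/inetd.conf"
    printf 'ALL: ALL@ALL, PARANOID\n' > "$1/etc/hosts.deny"
    printf 'auth sufficient /lib/security/pam_rootok.so debug\n' > "$1/etc/pam.d/su"
    printf 'auth required /lib/security/pam_wheel.so group=wheel\n' >> "$1/etc/pam.d/su"
    printf '#ca::ctrlaltdel:/sbin/shutdown -t3 -r now\n' > "$1/etc/inittab"
    printf '#!/bin/sh\n' > "$1/etc/rc.d/init.d/network"
    chmod 700 "$1/etc/rc.d/init.d/network"
}

# Demo: audit the constructed tree; every line should read OK.
demo=$(mktemp -d); build_sample_tree "$demo"
audit_hardening "$demo"; echo "failures: $?"; rm -rf "$demo"
```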
Hide your system information
By default, when you log in to a Linux box, it tells you the Linux distribution name, version, kernel version and the name of the server. This is enough information for crackers to learn about your server. You should just prompt users with a "Login:" prompt.
Step 1
To do this, edit the "/etc/rc.d/rc.local" file and place a "#" in front of the following lines, as shown:
# This will overwrite /etc/issue at every boot. So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
#echo "" > /etc/issue
#echo "$R" >> /etc/issue
#echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
#
#cp -f /etc/issue /etc/issue.net
#echo >> /etc/issue
Step 2
Then remove the files "issue.net" and "issue" under the "/etc" directory:
[root@kapil /]# rm -f /etc/issue
[root@kapil /]# rm -f /etc/issue.net
Disable unused SUID/SGID programs
A regular user will be able to run a program as root if it is set SUID root. A system administrator should minimize the use of these SUID/SGID programs and disable the programs which are not needed.
Step 1
* To find all files with the `s' bits from root-owned programs, use the command:
[root@kapil /]# find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;
* To disable the suid bits on selected programs from the list above, type the following command:
[root@kapil /]# chmod a-s [program]
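As an added example (not from the original article), the script below turns the find command above into a baseline check: it records the set-id files under a root once and later reports any that have appeared since, which is how a new SUID binary from a careless package install or a compromise gets noticed. The demo tree is constructed under mktemp and its paths are arbitrary.

```shell
#!/bin/sh
# Added example, not from the original article: list setuid/setgid files
# under a root (the article's find test, printing sortable paths instead
# of ls -lg output) and compare against a saved baseline so that newly
# appeared set-id files stand out.
# Usage: setid_list ROOT             sorted list of set-id files under ROOT
#        setid_diff ROOT BASELINE    entries under ROOT missing from BASELINE

setid_list() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

setid_diff() {
    # comm needs both inputs sorted; -13 keeps lines only in the current list
    setid_list "$1" | comm -13 "$2" -
}

# setid_new_count ROOT BASELINE: number of set-id files not in the baseline
setid_new_count() {
    setid_diff "$1" "$2" | wc -l | tr -d ' '
}

# Demo on a constructed tree: two legitimate set-id files go into the
# baseline, then a new setuid file is added and the diff reports it.
demo=$(mktemp -d)
mkdir -p "$demo/bin" "$demo/sbin"
for f in bin/passwd sbin/dump bin/ls; do printf '#!/bin/sh\n' > "$demo/$f"; done
chmod 4755 "$demo/bin/passwd"    # setuid (root-owned on a real system)
chmod 2755 "$demo/sbin/dump"     # setgid
chmod 755  "$demo/bin/ls"        # ordinary, must not be listed
setid_list "$demo" > "$demo/baseline.txt"
echo "baseline:"; cat "$demo/baseline.txt"
printf '#!/bin/sh\n' > "$demo/bin/newtool"; chmod 4755 "$demo/bin/newtool"
echo "new since baseline:"; setid_diff "$demo" "$demo/baseline.txt"
rm -rf "$demo"
```

Keep the baseline file outside the audited tree and readable only by root, and run the diff from cron so a change is reported rather than waiting to be noticed.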
After following the above security guidelines, a system administrator can maintain a basic level of system security. Some of the above tasks are a continuous process: the system administrator has to follow the above guidelines continuously to keep the system secure.
Written by: Kapil Sharma
Email: kapil@linux4biz.net
Website: http://www.linux4biz.net/
[Kapil Sharma is a Linux and Internet security consultant. He has been working on various Linux/Unix systems and Internet security for more than 2 years. He maintains a web site, http://www.linux4biz.net/, providing free as well as commercial support for web, Linux and Unix solutions.]