
9/21/12

Redhat linux hardening tips & bash script



January 18th, 2011 |


| Posted in Security, Servers



From the moment a server goes into a live environment, it is exposed to attacks from crackers (hackers). As a system administrator, you need to secure your Linux server to protect your data, intellectual property, and time; this is where server hardening comes in. Securing a server is much different than securing a desktop computer for a variety of reasons. By default, a desktop operating system is installed to provide the user with an environment that can be run out of the box. Desktop operating systems are sold on the premise that they require minimal configuration and come loaded with as many applications as possible to get the user up and running. Conversely, a server's operating system should abide by the Principle of Least Privilege, which states that it should have only the services, software, and permissions necessary to perform the tasks it is responsible for.

We already covered some of these topics in earlier articles; some of them are linked here. Here are some tips for server hardening (some already mentioned in my previous posts).

1) Removing Unnecessary Software Packages (RPMs)


An administrator should be crystal clear about the primary function or role of the Linux server and should know what is installed on it. Therefore, it is critical to look at the default list of software packages and remove unneeded packages. To get a list of all installed RPMs you can use the following command:

    # rpm -qa

Remove the unneeded packages from the list.

2) Disabling Run level System Services


On Linux servers, some services are enabled to start at boot by default. It is safe to disable all services that are not needed, as they are security risks and a waste of hardware resources. Read more.

3) Reviewing Inittab and Boot Scripts


The inittab file /etc/inittab also describes which processes are started at bootup and during normal operation. For example, Oracle uses it to start cluster services at bootup. Therefore, it is recommended to ensure that all entries in /etc/inittab are legitimate in your environment. I would at least remove the CTRL-ALT-DELETE trap entry to prevent accidental reboots.

The default runlevel should be set to 3 since in my opinion X11 (X Window System) should not be running on a production server. In fact, it shouldn't even be installed.

    # grep ':initdefault' /etc/inittab
    id:3:initdefault:

To have changes in /etc/inittab become effective immediately, you can run:

    # init q

4) Securing SSH
SSH is a great protocol and, as its name (Secure SHell) says, it is secure, but with the basic configuration it is still prone to attacks. There are ways to make SSH even more secure than it is by default. Read more

5) SSH login without passwords


Automated authentication to the server using the RSA key authentication mechanism. Read more

6) Kernel Tuning
Following are some tunable kernel parameters you can use to secure your Linux server against attacks. Add these entries to the /etc/sysctl.conf configuration file to make the change persist across reboots. To activate the configured kernel parameters immediately at runtime, use:

    # sysctl -p

Disable IP Source Routing

    net.ipv4.conf.all.accept_source_route = 0

Disable ICMP Redirect Acceptance

    net.ipv4.conf.all.accept_redirects = 0

Enable Ignoring Broadcast Requests

    net.ipv4.icmp_echo_ignore_broadcasts = 1

Enable Bad Error Message Protection

    net.ipv4.icmp_ignore_bogus_error_responses = 1

Enable Logging of Spoofed Packets, Source Routed Packets, Redirect Packets

    net.ipv4.conf.all.log_martians = 1
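A check that the five settings above are both persisted and active, as an added example that is not part of the original post. The function names and the optional PROCROOT argument (used for testing against a copy of /proc/sys) are assumptions of this example.

```bash
# Added example (not from the original post): check that the five settings
# above are both persisted in sysctl.conf and active in the running kernel.

# conf_value FILE KEY: value "sysctl -p" would apply (the LAST assignment wins).
conf_value() {
    awk -F= -v want="$2" '
        /^[ \t]*[#;]/ { next }                     # comment lines
        NF >= 2 {
            key = $1; val = $2
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            if (key == want) last = val
        }
        END { if (last != "") print last }' "$1"
}

# live_value KEY [PROCROOT]: value in the running kernel, read from /proc/sys.
live_value() {
    _path="${2:-/proc/sys}/$(echo "$1" | tr . /)"
    if [ -r "$_path" ]; then cat "$_path"; fi
}

# audit_sysctl FILE [PROCROOT]: one line per finding, returns 1 if there is any.
audit_sysctl() {
    _rc=0
    while read -r _key _want; do
        _conf=$(conf_value "$1" "$_key")
        _live=$(live_value "$_key" "$2")
        [ "$_conf" = "$_want" ] || { echo "$_key: not persisted (conf='$_conf')"; _rc=1; }
        [ "$_live" = "$_want" ] || { echo "$_key: not active (live='$_live')"; _rc=1; }
    done <<'EOF'
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.icmp_ignore_bogus_error_responses 1
net.ipv4.conf.all.log_martians 1
EOF
    return $_rc
}

# Usage: audit_sysctl /etc/sysctl.conf
```

A "not persisted" finding means the value will be lost at the next reboot; a "not active" finding means sysctl -p has not been run since the file was edited.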

The steps mentioned above are only a few of the steps for hardening. There are many more, like enforcing strong passwords, locking user accounts after too many login failures, restricting reuse of previously used passwords, setting banners, etc. Hardening five or six servers can be done quite easily at a stretch, but when the number of servers increases it becomes tiresome and time consuming. So why not run a script that does all the hardening jobs, so that no time is wasted? The script presented can be customized according to the requirement.

    #!/bin/bash

    # Disable services that are not needed on this server.
    chkconfig autofs off
    chkconfig avahi-daemon off
    chkconfig avahi-dnsconfd off
    chkconfig bluetooth off
    chkconfig conman off
    chkconfig cups off
    chkconfig dhcdbd off
    chkconfig firstboot off
    chkconfig gpm off
    chkconfig haldaemon off
    chkconfig isdn off
    # The next two lines turn the host firewall off at boot; remove them
    # if the server relies on iptables/ip6tables rules.
    chkconfig iptables off
    chkconfig ip6tables off
    chkconfig irda off
    chkconfig irqbalance off
    chkconfig kdump off
    chkconfig kudzu off
    chkconfig mcstrans off
    chkconfig microcode_ctl off
    chkconfig multipathd off
    chkconfig netconsole off
    chkconfig netfs off
    chkconfig netplugd off
    chkconfig nfs off
    chkconfig nfslock off
    chkconfig nscd off
    chkconfig pcscd off
    chkconfig portmap off
    chkconfig rdisc off
    chkconfig rhnsd off
    chkconfig restorecond off
    chkconfig rpcgssd off
    chkconfig rpcidmapd off
    chkconfig rpcsvcgssd off
    chkconfig sendmail off
    chkconfig smartd off
    chkconfig winbind off
    chkconfig wpa_supplicant off
    chkconfig xfs off
    chkconfig ypbind off
    chkconfig yum-updatesd off

    # Keep the services this server needs.
    chkconfig acpid on
    chkconfig anacron on
    chkconfig atd on
    chkconfig cpuspeed on
    chkconfig lvm2-monitor on
    chkconfig messagebus on
    chkconfig ntpd on
    chkconfig network on
    chkconfig oracle on
    chkconfig oracleasm on
    chkconfig readahead_early on
    chkconfig readahead_later on
    chkconfig syslog on
    chkconfig sshd on

    # Write the login banner shown by sshd.
    cat > /root/banner << EOF
    |-----------------------------------------------------------------|
    | This system is for the use of authorized users only.            |
    | Individuals using this computer system without authority, or in |
    | excess of their authority, are subject to having all of their   |
    | activities on this system monitored and recorded by system      |
    | personnel.                                                      |
    |                                                                 |
    | In the course of monitoring individuals improperly using this   |
    | system, or in the course of system maintenance, the activities  |
    | of authorized users may also be monitored.                      |
    |                                                                 |
    | Anyone using this system expressly consents to such monitoring  |
    | and is advised that if such monitoring reveals possible         |
    | evidence of criminal activity, system personnel may provide the |
    | evidence of such monitoring to law enforcement officials.       |
    |-----------------------------------------------------------------|
    EOF
    cat /root/banner

    # Default runlevel 3 (no X11) and disable the CTRL-ALT-DELETE trap.
    sed -i 's/id:5:initdefault:/id:3:initdefault:/g' /etc/inittab
    sed -i 's/ca::ctrlaltdel:/#ca::ctrlaltdel:/g' /etc/inittab

    # SSH daemon settings.
    echo PermitRootLogin no >> /etc/ssh/sshd_config
    echo Banner /root/banner >> /etc/ssh/sshd_config
    sed -i 's/#AllowTcpForwarding yes/AllowTcpForwarding no/g' /etc/ssh/sshd_config
    sed -i 's/#X11Forwarding no/X11Forwarding no/g' /etc/ssh/sshd_config
    sed -i 's/X11Forwarding yes/#X11Forwarding yes/g' /etc/ssh/sshd_config
    sed -i 's/#StrictModes yes/StrictModes yes/g' /etc/ssh/sshd_config
    sed -i 's/#IgnoreRhosts yes/IgnoreRhosts yes/g' /etc/ssh/sshd_config
    sed -i 's/#HostbasedAuthentication no/HostbasedAuthentication no/g' /etc/ssh/sshd_config
    sed -i 's/#RhostsRSAAuthentication no/RhostsRSAAuthentication no/g' /etc/ssh/sshd_config
    service sshd restart

    # Kernel parameters: persist them, then load them into the running kernel.
    echo net.ipv4.conf.all.accept_source_route=0 >> /etc/sysctl.conf
    echo net.ipv4.conf.all.accept_redirects=0 >> /etc/sysctl.conf
    echo net.ipv4.icmp_echo_ignore_broadcasts=1 >> /etc/sysctl.conf
    echo net.ipv4.icmp_ignore_bogus_error_responses=1 >> /etc/sysctl.conf
    echo net.ipv4.conf.all.log_martians=1 >> /etc/sysctl.conf
    sysctl -p

    # Add an unprivileged user to log in with, since root login over SSH is now disabled.
    if [ "$(id -u)" -eq 0 ]; then
        read -p "Enter username : " username
        read -s -p "Enter password : " password
        echo
        # Match the whole login name field, not just a prefix of it.
        if grep -q "^${username}:" /etc/passwd; then
            echo "$username exists!"
            exit 1
        else
            # passwd --stdin (Red Hat) hashes the password with the system's PAM
            # settings and keeps it off the command line.
            useradd -m "$username" && echo "$password" | passwd --stdin "$username" > /dev/null
            [ $? -eq 0 ] && echo "User has been added to system!" || echo "Failed to add a user!"
        fi
    else
        echo "Only root may add a user to the system"
        exit 2
    fi
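The script appends PermitRootLogin and Banner to the end of /etc/ssh/sshd_config, but sshd uses the first value it obtains for each keyword, so an appended line has no effect when the keyword is already set earlier in the file. The following added example, which is not part of the original post, reports the value that actually takes effect; the function names are assumptions of this example.

```bash
# Added example (not from the original post). In sshd_config the FIRST
# occurrence of a keyword in the global section wins, so a line appended
# with "echo ... >>" is ignored when the keyword is already set above it.

# effective_sshd_value FILE KEYWORD
# Prints the value sshd will use, or nothing if the keyword is unset.
effective_sshd_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line == "" || line ~ /^#/) next      # blank or comment
            n = match(line, /[ \t=]/)                # keyword ends here
            key = tolower(n ? substr(line, 1, n - 1) : line)
            val = n ? substr(line, n) : ""
            gsub(/^[ \t=]+|[ \t]+$/, "", val)
            if (key == "match") exit                 # conditional blocks follow
            if (key == want) { print val; exit }
        }' "$1"
}

# audit_sshd FILE
# Compares the effective values with the ones the hardening script intends.
# Prints one line per finding and returns 1 if there is any.
audit_sshd() {
    _rc=0
    while read -r _key _want; do
        _got=$(effective_sshd_value "$1" "$_key")
        if [ "$_got" != "$_want" ]; then
            echo "$_key: want '$_want', effective '${_got:-unset}'"
            _rc=1
        fi
    done <<'EOF'
PermitRootLogin no
Banner /root/banner
AllowTcpForwarding no
X11Forwarding no
StrictModes yes
IgnoreRhosts yes
HostbasedAuthentication no
RhostsRSAAuthentication no
EOF
    return $_rc
}

# Usage: audit_sshd /etc/ssh/sshd_config
```

A keyword reported as unset falls back to the compiled-in sshd default, which this example treats as a finding because the script intends an explicit value.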

Tags: Bash, Hardening, Linux, Redhat, scripting

Author : Sandeep kalathil


I am a System Engineer working in Cochin, interested in Linux and Windows servers and happy to share knowledge that I have gained through my day-to-day work.
