How to set up and secure a Linux server #Reference:http://www.cisecurity.org/bench_linux.html #Note:This tutorial is based on Fedora Core 4. It should be valid for newer versions of Fedora too. The reader is advised to read the CIS Benchmark pdf after completing all activities mentioned in this document. # Set up an informative command prompt export PS1="-\$?-(\u@\h) \w > " # Hostname Setup Reference:http://www.cpqlinux.com/hostname.html # Please ensure that the correct hostname is set up in the following files. The hostname should ideally match the PTR record of the system IP /etc/hosts /etc/sysconfig/network # Use echo to set the hostname in the file below eg. echo yourhostname > /proc/sys/kernel/hostname /proc/sys/kernel/hostname # Virtual IP Setup cd /etc/sysconfig/network-scripts #Check for existing network adapters with the command: ls ifcfg-* #In most instances, you will see the files ifcfg-eth0 and ifcfg-lo. If you see other files with any other names and are unfamiliar with configuring TCP/IP, you may want to consult with your system administrator before proceeding. cp -a ifcfg-eth0 ifcfg-eth0:0 cp -a ifcfg-eth0 ifcfg-eth0:1 # Ensure the following lines are configured as vi ifcfg-eth0:0 DEVICE=eth0:0 IPADDR= VLAN=yes vi ifcfg-eth0:1 DEVICE=eth0:1 IPADDR= VLAN=yes #Disable IPV6 cp -a /etc/modprobe.conf /etc/modprobe_backup.conf echo "alias net-pf-10 off" >> /etc/modprobe.conf echo "alias ipv6 off" >> /etc/modprobe.conf /etc/init.d/ip6tables stop /sbin/chkconfig --level 35 ip6tables off # Restart the network to effect changes
/sbin/service network restart # Edit /etc/hosts and add a line for your new addresses and name such as: 127.0.0.1 localhost.localdomain localhost x.x.x.x newhost1.yourdomain.com x.x.x.x newhost2.yourdomain.com # Disabling selinux (note: this removes a mandatory-access-control layer; keep it enforcing, or at least permissive, if your applications support it) vi /etc/sysconfig/selinux #check for the line SELINUX SELINUX=disabled # Date and Time Configuration Ref:http://www.linuxsa.org.au/tips/time.html ln -sf /usr/share/zoneinfo/Asia/Calcutta /etc/localtime date monthdayhourminyear yum install ntp #Configure a cron job to update time every night at 12 AM 00 00 * * * /usr/sbin/ntpdate 0.pool.ntp.org 1.pool.ntp.org # Configure Automatic Updates using yum. Fedora Core 6 or above will have yum-updatesd instead of yum /sbin/chkconfig yum on /sbin/service yum start # If you wish to disable automatic updating of some packages, eg. firefox and cacti, do the following cp -a /etc/yum.conf /etc/yum.conf.orig vi /etc/yum.conf # Add the following line exclude=firefox cacti # For Fedora Core 6 or above do this # Reference: http://www.die.net/doc/linux/man/man5/yum-updatesd.conf.5.html cp -a /etc/yum/yum-updatesd.conf /etc/yum/yum-updatesd.conf.orig vi /etc/yum/yum-updatesd.conf ######### # Configure the entries as shown below # automatically install updates do_update = yes # automatically download updates do_download = yes # automatically download deps of updates do_download_deps = yes ######### /sbin/chkconfig yum-updatesd on /sbin/service yum-updatesd start
crontab -e 00 0 * * * yum -y update # Configuring updatedb cp -a /etc/updatedb.conf /etc/updatedb.conf.orig vi /etc/updatedb.conf #Configure the following values to yes #DAILY_UPDATE=no DAILY_UPDATE=yes # Configuring Log Compression cp -a /etc/logrotate.conf /etc/logrotate.conf.orig vi /etc/logrotate.conf # uncomment this if you want your log files compressed compress # Unalias cp and mv unalias mv cp # Firewall, Reactive IDS and SSH brute-force prevention setup Please install and configure shorewall, psad and fail2ban by referring to their separate howtos # Apache Installation # Check if Apache is already installed rpm -qa httpd service httpd status # If httpd is not installed proceed with the apache installation as follows yum install httpd yum install httpd-devel # Apache Hardening Edit the httpd.conf file as follows. cd /etc/httpd/conf/ cp -a httpd.conf httpd.conf.orig vi /etc/httpd/conf/httpd.conf # Edit the following entry as follows #ServerTokens OS ServerTokens Prod #ServerSignature On ServerSignature Off
#Ref:http://www.slac.stanford.edu/comp/unix/apache-security.html #http://publib.boulder.ibm.com/httpserv/ihsdiag/http_trace.html # Disabling Indexing # Ref: http://www.ducea.com/2006/06/26/apache-tips-tricks-disable-directoryindexes/ # In Main Server Configurations Options -Indexes # To disable Trace and Track Methods: For apache version 1.3.34 (or later 1.3.x versions), or apache 2.0.55 (or later), in section 1, add the line TraceEnable off For older versions of apache, see below. #Add Before Section 3 and in each virtual host configuration section/file # Block access: SLAC addition RewriteEngine On RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) RewriteRule .* - [F] # End block access rule # Disabling welcome page cp -a /etc/httpd/conf.d/welcome.conf /etc/httpd/conf.d/welcome.conf.orig vi /etc/httpd/conf.d/welcome.conf # Comment all the lines in the file # Disabling configuration by .htaccess AllowOverride None # Restart Apache /etc/rc.d/init.d/httpd start # MySQL Installation # Check if MySQL is already installed rpm -qa mysql service mysqld status # If the Mysqld Daemon is not installed proceed with the MySQL installation as follows yum install mysql-server yum install mysql yum install mysql-devel #Start MySQL for the first time mysql_install_db /etc/rc.d/init.d/mysqld start #Note:In case you have issues starting the Mysql server for the first time and you see error messages saying that tmp files could not be created, please run the bastille configuration again and answer N to "Q: Would you like to install TMPDIR/TMP
scripts?" question, then reboot the system. Post reboot you can start Mysqld /sbin/chkconfig mysqld on #Mysql Hardening: mysql # Removing anonymous login: DELETE FROM mysql.user WHERE User = ''; FLUSH PRIVILEGES; quit #Setting Mysql Root password: /usr/bin/mysqladmin -u root password 'yourpassword' /usr/bin/mysqladmin -u root -h <server_hostname> password 'yourpassword' # Note: a password passed on the command line is recorded in the shell history and is visible in the process list while the command runs; clear the history entry afterwards or supply the password interactively if your mysqladmin version supports it. # Delete test database mysql drop database test; # Configure Mysql to not listen for external connections cp -a /etc/my.cnf /etc/my.cnf.orig vi /etc/my.cnf [mysqld] skip-networking #Perl Installation #check if perl is installed or not rpm -qa perl # If Perl is not installed proceed with the Perl installation as follows yum install perl # Cpan configuration # Before running cpan ensure that gcc is installed, else some modules will throw errors during compilation rpm -qa gcc # Install gcc if not found yum install gcc # Run and configure cpan cpan # A first time set of configuration questions will be asked
# Update cpan by running cpan install Bundle::CPAN reload cpan # Bastille Hardening #Bastille Installation cd /tmp wget http://nchc.dl.sourceforge.net/sourceforge/bastille-linux/Bastille-3.2.10.1.noarch.rpm # Ref: http://www.bastille-linux.org/running_bastille_on.htm#top # The download is over plain HTTP; verify the package signature (rpm -K) against the project's published key before installing. rpm -ivh Bastille-3.2.1-0.1.noarch.rpm # Install Curses from cpan # Please check whether ncurses-devel is installed rpm -qa ncurses-devel # If ncurses is not installed, install it as follows yum install ncurses-devel # Install the Curses module as follows cpan install Curses # Run bastille text mode hardening as follows /usr/sbin/bastille -c # Respond to all questions # Check your score /usr/sbin/bastille --report # ICMP Hardening # Check and Download sysctl RPM yum install sysctl # Enter the following in the /etc/sysctl.conf file net.ipv4.icmp_echo_ignore_all = 1 net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1 net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.all.accept_redirects = 0 net.ipv4.tcp_max_syn_backlog = 4096 net.ipv4.tcp_syncookies=1 net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.rp_filter = 1 net.ipv4.conf.default.accept_source_route = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv4.conf.default.secure_redirects = 0 net.ipv4.tcp_max_orphans = 256 net.ipv4.conf.all.log_martians = 1 # Disable Forwarding and Gateway functionality net.ipv4.ip_forward = 0 net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0 #Check the syntax of the file /etc/sysctl.conf and apply it /sbin/sysctl -p OR /sbin/iptables -A INPUT -j REJECT -p icmp --icmp-type 13 /sbin/iptables -A OUTPUT -j REJECT -p icmp --icmp-type 14 # Detailed audit trail setup Ref: http://www.cyberciti.biz/tips/howto-log-user-activity-using-processaccounting.html yum install psacct chkconfig psacct on /etc/init.d/psacct start # Rootkit Hunter Reference:http://www.rootkit.nl/ Installation: # Download rkhunter from http://www.rootkit.nl/projects/rootkit_hunter.html cd /tmp wget http://nchc.dl.sourceforge.net/sourceforge/rkhunter/rkhunter-1.3.2.tar.gz tar zxvf rkhunter-1.3.2.tar.gz cd rkhunter-1.3.2 sh installer.sh --layout default --install # Running Rkhunter /usr/local/bin/rkhunter --update /usr/local/bin/rkhunter -c --createlogfile --quiet The report will be generated at /var/log/rkhunter.log
#Configure rkhunter for automatic update crontab -e 00 0 * * * /usr/local/bin/rkhunter --update -q # SSHD Hardening cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.orig vi /etc/ssh/sshd_config #change the port number from 22 to 222 (make sure the firewall permits the new port before restarting sshd) Port 222 PermitRootLogin no Banner /etc/issue #This banner was generated when you ran Bastille previously. #Prevent X11 forwarding X11Forwarding no #Don't read the user's ~/.rhosts and ~/.shosts files: uncomment IgnoreRhosts yes IgnoreRhosts yes # The following switch is not found in Fedora 4. Please check that the switch exists #before making this entry RhostsAuthentication no RhostsRSAAuthentication no HostbasedAuthentication no PermitEmptyPasswords no #Note:Before restarting ssh please create a non-root account, and keep your current session open until you have confirmed that a new login works. Restart sshd /etc/rc.d/init.d/sshd restart # Nessus Setup # Read the Nessus How-to file for installing and running Nessus # CIS benchmark security exercise # Download the CIS benchmark locally from http://www.cisecurity.org/bench_linux.html, copy the do-backup.sh file to /root and run it to back up all important directories and files cd /root chmod 755 do-backup.sh ./do-backup.sh # Uninstalling xinetd rpm -qa xinetd rpm -e xinetd-versionnumber # In case you still want to use some services in xinetd, please run the following
commands to stop these unnecessary services. cd /etc/xinetd.d for FILE in chargen chargen-udp cups-lpd cups daytime \ daytime-udp echo echo-udp eklogin ekrb5-telnet finger \ gssftp imap imaps ipop2 ipop3 krb5-telnet klogin kshell \ ktalk ntalk pop3s rexec rlogin rsh rsync servers services \ sgi_fam talk telnet tftp time time-udp vsftpd wu-ftpd do chkconfig ${FILE} off done # Disable GUI sed -e 's/id:5:initdefault:/id:3:initdefault:/' \ < /etc/inittab-preCIS > /etc/inittab chown root:root /etc/inittab chmod 0600 /etc/inittab diff /etc/inittab-preCIS /etc/inittab # Disable Unnecessary services # Please review all services listed in the following script before running. vi disable_unwanted_services ######## for FILE in apmd avahi-daemon canna cups-config-daemon FreeWnn gpm hidd hpoj hplip innd irda isdn kdcrotate lvs mars-nwe messagebus oki4daemon privoxy rstatd rusersd rwalld rwhod wine; do /sbin/service $FILE stop /sbin/chkconfig $FILE off done for FILE in nfs nfslock autofs ypbind ypserv yppasswdd portmap smb netfs lpd tux snmpd named postgresql webmin kudzu squid cups ip6tables pcmcia bluetooth mDNSResponder; do /sbin/service $FILE stop /sbin/chkconfig $FILE off done ######## chmod 755 disable_unwanted_services ./disable_unwanted_services # Assign Proper permissions to log files # The paths below are relative; run these commands from the log directory (/var/log) chmod o-rwx boot.log* cron* dmesg ksyms* httpd/* maillog* messages* news/* pgsql rpmpkgs* samba/* sa/* scrollkeeper.log secure* spooler* squid/* vbox/* wtmp chmod o-rx boot.log* cron* maillog* messages* pgsql secure* spooler* squid/* sa/* chmod g-w boot.log* cron* dmesg httpd/* ksyms* maillog* messages* pgsql rpmpkgs* samba/* sa/* scrollkeeper.log secure* spooler* chmod g-rx boot.log* cron* maillog* messages* pgsql secure* spooler* chmod o-w gdm/ httpd/ news/ samba/ squid/ sa/ vbox/ chmod o-rx httpd/ samba/ squid/ sa/ chmod g-w gdm/ httpd/ news/ samba/ squid/ sa/ vbox/
chmod g-rx httpd/ samba/ sa/ chmod u-x kernel syslog loginlog # Verify passwd, shadow, and group File Permissions cd /etc chown root:root passwd shadow group chmod 644 passwd group chmod 400 shadow # Allowing only root access to Cron and At cd /etc/ rm -f cron.deny at.deny echo root > cron.allow echo root > at.allow chown root:root cron.allow at.allow chmod 400 cron.allow at.allow # Restrict Permissions On crontab Files chown root:root /etc/crontab chmod 400 /etc/crontab chown -R root:root /var/spool/cron chmod -R go-rwx /var/spool/cron cd /etc ls | grep cron | grep -v preCIS | xargs chown -R root:root ls | grep cron | grep -v preCIS | xargs chmod -R go-rwx # Block all system accounts from logging on to the server cd /root vi lock_system_accounts #### cd /etc for NAME in `cut -d: -f1 /etc/passwd`; do MyUID=`id -u $NAME` if [ $MyUID -lt 500 -a $NAME != 'root' ]; then /usr/sbin/usermod -L -s /dev/null $NAME fi done ### chmod 755 lock_system_accounts ./lock_system_accounts rm -rf lock_system_accounts # Check for empty password accounts awk -F: '($2 == "") { print $1 }' /etc/shadow # Set Account Expiration Parameters On Active Accounts cd /etc
awk '($1 ~ /^PASS_MAX_DAYS/) { $2="90" } ($1 ~ /^PASS_MIN_DAYS/) { $2="7" } ($1 ~ /^PASS_WARN_AGE/) { $2="28" } ($1 ~ /^PASS_MIN_LEN/) { $2="6" } { print } ' login.defs-preCIS > login.defs diff login.defs-preCIS login.defs chown root:root login.defs chmod 640 login.defs diff login.defs-preCIS login.defs useradd -D -f 7 diff /etc/default/useradd-preCIS /etc/default/useradd for NAME in `cut -d: -f1 /etc/passwd`; do uid=`id -u $NAME` if [ $uid -ge 500 -a $uid != 65534 ]; then chage -m 7 -M 90 -W 28 -I 7 $NAME fi done diff shadow-preCIS shadow # Verify No Legacy '+' Entries Exist In passwd, shadow, And group Files grep ^+: /etc/passwd /etc/shadow /etc/group # No '.' or Group/World-Writable Directory In Root's $PATH #To find ‘.’ in $PATH: echo $PATH | egrep '(^|:)(\.|:|$)' #To find group- or world-writable directories in $PATH: find `echo $PATH | tr ':' ' '` -type d \( -perm -002 -o -perm -020 \) -ls #These commands should produce no output. #User Home Directories Should Be Mode 750 or More Restrictive vi user_directories_permission ############### for DIR in `awk -F: '($3 >= 500) { print $6 }' /etc/passwd`; do chmod g-w $DIR chmod o-rwx $DIR done ############## chmod 755 user_directories_permission ./user_directories_permission #No User Dot-Files Should Be World-Writable vi user_dot_files_non_worldwritable ############# for DIR in `awk -F: '($3 >= 500) { print $6 }' /etc/passwd`; do for FILE in $DIR/.[A-Za-z0-9]*; do if [ ! -h "$FILE" -a -f "$FILE" ]; then chmod go-w "$FILE" fi
done done ######### chmod 755 user_dot_files_non_worldwritable ./user_dot_files_non_worldwritable #Remove User .netrc Files find / -name .netrc # If any .netrc file is found then run the following script to remove it vi remove_netrc ############### for DIR in `cut -f6 -d: /etc/passwd`; do if [ -e $DIR/.netrc ]; then echo "Removing $DIR/.netrc" rm -f $DIR/.netrc fi done ############### chmod 755 remove_netrc ./remove_netrc #Set Default umask For Users vi set_default_umask ######### cd /etc for FILE in profile csh.login csh.cshrc bashrc; do if ! egrep -q 'umask.*77' $FILE ; then echo "umask 077" >> $FILE fi chown root:root $FILE chmod 444 $FILE diff ${FILE}-preCIS $FILE done cd /root for FILE in .bash_profile .bashrc .cshrc .tcshrc; do if ! egrep -q 'umask.*77' $FILE ; then echo "umask 077" >> $FILE # See description fi chown root:root $FILE diff ${FILE}-preCIS $FILE done ########### chmod 755 set_default_umask ./set_default_umask # Disable Core Dumps cp -a
/etc/security/limits.conf
/etc/security/limits.conf.orig
vi /etc/security/limits.conf #Add the following two lines. In future you can enable core dumps for individual users if required. * soft core 0 * hard core 0 #### # Limit Access To The Root Account From su # Warning:Please add your account to the wheel group before proceeding with this activity, else you # will not be able to su. # eg. /usr/sbin/usermod -G wheel <your_username> # In case you want to create a new account and add it to the wheel group, then run this command /usr/sbin/useradd -G wheel <new_username> # Limit Access To The Root Account From su cd /etc/pam.d/ cp -a su su_backup_18_dec_2006 vi su ##Uncommenting this line allows only the users in the wheel group to become root by using the su command and entering the root password. All other users get the message Incorrect Password auth required /lib/security/$ISA/pam_wheel.so use_uid # Banners # Note:The /etc/issue banner should have already been created by Bastille. If you haven't run Bastille, please create an appropriate banner file /etc/issue as follows
*************************************************************************** NOTICE TO USERS This computer system is the private property of <owner name>, whether individual, corporate or government. It is for authorized use only. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy. Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to your employer, to authorized site, government, and law enforcement personnel, as well as authorized officials of government agencies, both domestic and foreign. By using this system, the user consents to such interception, monitoring, recording, copying, auditing, inspection, and disclosure at the discretion of such personnel or officials. Unauthorized or improper use
of this system may result in civil and criminal penalties and administrative or disciplinary action, as appropriate. By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning. **************************************************************************** cp -a issue.net issue_backup_todays_date.net cp -a issue issue.net # Contents of /etc/motd are displayed after a user logs in, so it is not necessary to create a #banner in that file chown root:root /etc/motd /etc/issue /etc/issue.net chmod 644 /etc/motd /etc/issue /etc/issue.net # Removing unnecessary applications # Please refer to http://www.mjmwired.net/resources/mjm-services-fc6.html for the list of services and their uses and recommendations on which to disable cd /etc/init.d ls # Verify the services that are listed here. Remove all unnecessary packages as shown below. # For eg. if you see bluetooth and you want to identify what package it represents, do the following rpm -qf bluetooth bluez-utils-2.15-7 yum remove bluez-utils-2.15-7 # Do this for all other services like portmap, apmd, cups, isdn, irda, etc. #Firewall Configuration /bin/netstat -ltunp # The above command will show you the list of processes listening on specific ports. Please ensure that unnecessary services are disabled and uninstalled as shown in the above point. # Open required ports in iptables using Shorewall (Please refer to the separate Howto) /usr/sbin/lokkit # Remove All Compilers and Assemblers #The following command will help you identify the packages installed on your system rpm -qa | egrep "^gcc|java|bin86|dev86|nasm" #Identify the packages and remove the ones you don't need #Verify That No Unauthorized UID 0 Accounts Exist getent passwd | awk -F: '$3 == "0" { print $1 }' #should return only the word "root", unless additional uid 0 accounts have been
specifically authorized. Having multiple uid 0 accounts is acceptable if the accounts are authorized, but not recommended for some situations