Linux/Security

From Omnia
Jump to navigation Jump to search

Summary

Minimal Secure Install

Install CentOS 5 (minimal install):

# boot to CD 1
linux text
# do minimal install (deselect ALL package options)

Disable SELinux

# DISABLE SELINUX - not as secure, but much easier to work with
system-config-securitylevel-tui
reboot

Remove Extra Packages:

# Packages with no dependencies...
yum -y remove Deployment_Guide-en-US autofs conman finger gpm nfs-utils nfs-utils* pcmciautils xorg*
# ADDITIONAL: cpuspeed
# Packages with dependencies...
yum -y remove atk bluez-* cairo ccid cups* desktop-file-utils libX11
# ADDITIONAL:  fontconfig freetype portmap
# This remove the following depenencies:
#   GConf2 coolkey gtk2 htmlview libXcursor libXext libXfixes libXft libXi libXinerama libXrandr
#   libXrender libXres libXt libXxf86vm libnotify libwnck mesa-libGL notification-daemon pango
#   paps pinfo redhat-lsb redhat-menus startup-notification yp-tools ypbind
# DISABLE EXTRA SERVICES
# No longer needed as removal of packages takes care of most of these
# for service in apmd autofs bluetooth cpuspeed cups gpm netfs nfslock portmap rpcgssd rpcidmapd ; do chkconfig $service off ; done
# except for apmd cpuspeed
# SETUP NTPD
# Use time-a.nist.gov instead of time.nist.gov
yum -y install ntp ; ntpdate -t 10 time-a.nist.gov ; hwclock -w ; chkconfig ntpd on ; service ntpd start
# SETUP ALIASES
echo -e "root:\t\tkenneth@oeey.com" >> /etc/aliases
newaliases
# DISABLE ROOT SSH LOGIN
adduser kenneth
passwd kenneth
visudo
  # %wheel        ALL=(ALL)       ALL
  %wheel        ALL=(ALL)       ALL
vi /etc/group
  wheel:x:10:root,kenneth
vi /etc/ssh/sshd_config
  #PermitRootLogin yes
  PermitRootLogin no
service sshd restart
# To Configure firewall
system-config-securitylevel-tui
# DO SYSTEM UPDATE AND REBOOT
yum -y update ; reboot

Security Tools

Ports

Linux TCP Ports:

TCP   22	SSH (sshd)
TCP   25	SMTP (sendmail/postfix)
TCP   80	HTTP (httpd)
TCP  110	POP3 (courier/dovcot)
TCP  143	IMAP (courier)
TCP  389	LDAP
TCP  443	HTTPS (httpd)
TCP  465	SMTPS (stunnel->sendmail)
TCP  636	LDAP/SSL (stunnel->LDAP)
TCP  993	IMAPS (stunnel->courier)
TCP  995	POP3S (stunnel->courier)

Linux UDP Ports:

UDP   53	DNS (named)
UDP  123	NTP (ntpd)

Windows Ports:

TCP 3389	Remote Desktop (Windows)

Minimal Install - Anaconda Kickstart

anaconda-ks.cfg:

# Kickstart file automatically generated by anaconda.

install
cdrom
lang en_US.UTF-8
keyboard us
network --device eth0 --bootproto static --ip 10.0.0.41 --netmask 255.255.255.0 --gateway 10.0.0.1 --nameserver 10.0.0.1 --hostname gatekeeper.oeey.com
network --device eth1 --bootproto dhcp --hostname gatekeeper.oeey.com
rootpw --iscrypted $1$Np12nOAS$Nkxxxxxx7i.
firewall --enabled --port=22:tcp
authconfig --enableshadow --enablemd5
selinux --enforcing
timezone --utc America/Boise
bootloader --location=mbr --driveorder=sda
# The following is the partition information you requested
# Note that any partitions you deleted are not expressed
# here so unless you clear all partitions first, this is
# not guaranteed to work
#clearpart --all --drives=sda
#part /boot --fstype ext3 --size=101 --asprimary
#part swap --size=3968 --asprimary
#part / --fstype ext3 --size=1 --grow --asprimary

%packages
@base
@core

Remove Extra Services

  1. Block ping requests:
    • enable firewall
    • $IPTABLES -A INPUT -p ICMP –icmp-type timestamp-request -i $EXTIFACE -j DROP
  2. Secure SSH:
    • vi /etc/ssh/sshd_config
    • Protocol 2
    • ListenAddress 0.0.0.0
    • PermitRootLogin no
  3. Disable extra services:
    • netfs
    • nfslock
    • portmap
    • rpcgssd
    • rpcidmapd
    • acpid (Power Management Related)
    • apmd (Power Management Related)
    • cups
    • isdn (Only used if you have an ISDN card in the machine)
    • pcmcia (Most likely you either don’t have or will not use a pcmcia device in the machine)
    • bluetooth
    • autofs
    • xfs
    • gpm
for service in netfs nfslock portmap rpcgssd rpcidmapd acpid apmd cups isdn pcmcia bluetooth autofs xfs gpm ; do chkconfig $service off ; done

Current list of enabled services:

[kenneth@dev ~]$ sudo /sbin/chkconfig --list | grep 3:on
acpid           0:off   1:off   2:off   3:on    4:on    5:on    6:off
anacron         0:off   1:off   2:on    3:on    4:on    5:on    6:off
apmd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
atd             0:off   1:off   2:off   3:on    4:on    5:on    6:off
autofs          0:off   1:off   2:off   3:on    4:on    5:on    6:off
cpuspeed        0:off   1:on    2:on    3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
firstboot       0:off   1:off   2:off   3:on    4:off   5:on    6:off
gpm             0:off   1:off   2:on    3:on    4:on    5:on    6:off
haldaemon       0:off   1:off   2:off   3:on    4:on    5:on    6:off
hidd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
ip6tables       0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
irqbalance      0:off   1:off   2:on    3:on    4:on    5:on    6:off
jexec           0:on    1:on    2:on    3:on    4:on    5:on    6:on
kudzu           0:off   1:off   2:off   3:on    4:on    5:on    6:off
mcstrans        0:off   1:off   2:on    3:on    4:on    5:on    6:off
mdmonitor       0:off   1:off   2:on    3:on    4:on    5:on    6:off
messagebus      0:off   1:off   2:off   3:on    4:on    5:on    6:off
mysqld          0:off   1:off   2:on    3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
ntpd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
pcscd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
readahead_early 0:off   1:off   2:on    3:on    4:on    5:on    6:off
restorecond     0:off   1:off   2:on    3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
smartd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
yum-updatesd    0:off   1:off   2:off   3:on    4:on    5:on    6:off
getent protocols 50
# find which service has been allocated the port 5353 (in UDP) by IANA.
getent services 5353

Additional items to remove: [1]

yum remove Deployment_Guide-en-US
yum remove finger gaim cups-libs cups bluez-libs desktop-file-utils

This removed also:

bluez-utils GConf2 cups-libs libnotify desktop-file-utils bluez-libs
htmlview paps finger redhat-lsb cups libwnck notification-daemon
redhat-menus pinfo gtk2 bluez-gnome

Some other options:

yum remove apmd acpid cpuspeed
yum remove atk autofs cairo ccid conman fontconfig freetype libX11 pcmciautils
yum remove xorg*

Disabling Root Logins

Disallowing Root Access

Prevent access to the root shell and logs the attempt. Edit the /etc/passwd file and change the shell from /bin/bash to /sbin/nologin.

Prevent access to the root account via the console or the network. An empty /etc/securetty file prevents root login on any devices attached to the computer.

echo > /etc/securetty

Prevent root access via the OpenSSH suit of tools. Edit the /etc/ssh/sshd_config file and set the PermitRootLogin parameter to no.

Prevent root access to network services that are PAM aware. Edit the file for the target service in the /etc/pam.d/ directory. Make sure the pam_listfile.so is required for authentication.

Windows Password Security

"Interestingly, if you run windows (shudder) and want to see just how secure your passwords are, have a look at Ophcrack. Scary stuff!



http://ophcrack.sourceforge.net/

This thing will find any 14 character alphanumeric password in a matter of minutes!" [2]

Security Watches

NMAP

See nmap

Auditor Security Collection

Wiki Auditor Security Collection

"The Auditor security collection is a LiveCD based on Knoppix.

Auditor was planned and developed with the targets of user-friendliness and an optimal toolset. For example, the menu structure is organised into the typical phases of a security check: footprinting, analysis, scanning, wireless scanning, brute-forcing, and cracking.

Auditor Security Collection is now known as BackTrack."[3]

BackTrack

BackTrack

"BackTrack is the most Top rated linux live distribution focused on penetration testing. With no installation whatsoever, the analysis platform is started directly from the CD-Rom and is fully accessible within minutes. [4]

"BackTrack is a Linux distribution distributed as a LiveDistro that results from the merger of WHAX and Auditor-based Auditor Security Collection." [5]

DenyHosts

DenyHosts - http://denyhosts.sourceforge.net/

"DenyHosts is a script intended to be run by Linux system administrators to help thwart SSH server attacks (also known as dictionary based attacks and brute force attacks).

If you've ever looked at your ssh log (/var/log/secure on Redhat, /var/log/auth.log on Mandrake, etc...) you may be alarmed to see how many hackers attempted to gain access to your server. Hopefully, none of them were successful (but then again, how would you know?). Wouldn't it be better to automatically prevent that attacker from continuing to gain entry into your system?

DenyHosts attempts to address the above"

NOTE: DenyHosts is a Python script!  :-)

-

Got Security? You’re in Denial | Linux Magazine:

"Do you think your systems are secure? Install DenyHosts and you’ll realize that you were in denial. "
"Exposing a system to the Internet means that you’ll soon (within hours) experience login attempts from random locations, from people you don’t know and from those with unclear motivations. DenyHosts is an SSH security tool in the form of a python script that helps prevent brute force and dictionary-based attacks against your systems. On my home system, I have at least one such attempt added to my /etc/hosts.deny file per day. I use DenyHosts to maintain that stealth watch over my insignificant system here in my dusty little corner of the Internet that I call home."

DenyHosts Installation

Installation:

yum install --enablerepo=rpmforge denyhosts

Start service:

service denyhosts start
 starting DenyHosts:    /usr/bin/env python /usr/bin/denyhosts.py --daemon --config=/etc/denyhosts/denyhosts.cfg

Config:

/etc/denyhosts/denyhosts.cfg

-- Manual Installation --

apt-get install python python2.3-dev python2.3
cd /tmp
wget http://mesh.dl.sourceforge.net/sourceforge/denyhosts/DenyHosts-2.0.tar.gz
tar xvfz DenyHosts-2.0.tar.gz
cd DenyHosts-2.0
python setup.py install
cd /usr/share/denyhosts
cp denyhosts.cfg-dist denyhosts.cfg

Preventing SSH Dictionary Attacks With DenyHosts | HowtoForge - Linux Howtos and Tutorials - http://www.howtoforge.com/preventing_ssh_dictionary_attacks_with_denyhosts

Tutorials

The R Zone: Hardening a Linux Server in 10 Minutes

Wed Mar  1 16:14:18 CET 2006 (as copied from :
http://rudd-o.com/archives/2006/02/27/hardening-a-linux-server-in-10-minutes/ )

Did you know that a freshly installed Linux server can be hardened in 
less than 10 minutes? Heres how!

Print these instructions out, and keep them posted on a wall in your 
office or home. Before plugging a freshly installed network server, 
simply remember to follow these instructions. Make these instructions 
second nature to you.

Youll need a bit of experience with the Linux command-line environment, 
as the following commands are usually issued in a terminal. You will 
need root access on your server as well. By the way, the following 
instructions apply to any LSB-compliant Linux distribution, but Ill use 
Fedora Core as an example.
  • Step 1: turn all unneeded services off
  • Step 2: limit access to running services using iptables


IBM - Hardening the Linux server

"Servers—whether used for testing or production—are primary targets for attackers. By taking the proper steps, you can turn a vulnerable box into a hardened server and help thwart outside attackers. Learn how to secure SSH sessions, configure firewall rules, and set up intrusion detection to alert you to any possible attacks on your GNU/Linux® server. Once you've gained a solid foundation in the basics of securing your server, you can build on this knowledge to further harden your systems."

References

http://www.faqs.org/docs/gazette/tips.html Linux Security Tips By Kapil Sharma

"In this article I will explain how to make your Linux box secure by taking basic security measures. This article will enable anybody to tighten the security of a redhat Linux box."

Summary:

  • BIOS Security - password protect
  • LILO Security - password protect
  • Disable all special accounts - delete unused accounts
  • Choose a Right password - set password definitions
  • Enable shadow password support - /usr/sbin/authconfig, pwconv, grpconv
  • The root account - timeout
  • Disable all console-equivalent access for regular users
  • Disable & uninstall all unused services - inetd
  • TCP_WRAPPERS - disallow all by default
  • Don't let system issue file to be displayed - telnetd
  • Change the "/etc/host.conf" file
  • Immunize the "/etc/services" file - immutable
  • Disallow root login from different consoles - /etc/securetty
  • Blocking anyone to su to root - pam, wheel account
  • Shell logging - history size
  • Disable the Control-Alt-Delete keyboard shutdown command - /etc/inittab
  • Fix the permissions under "/etc/rc.d/init.d" directory for script files - chmod 700
  • Hide your system information - /etc/issue
  • Disable unused SUID/SGID programs - find with chmod

keywords

linux security