Linux/Security

Minimal Secure Install
Install CentOS 5 (minimal install). At the boot prompt of CD 1:
  linux text
 * 1) boot to CD 1
 * 2) do minimal install (deselect ALL package options)

Disable SELinux:
  system-config-securitylevel-tui
  reboot
 * 1) DISABLE SELINUX - not as secure, but much easier to work with. This throws away a whole layer of confinement on an internet-facing box; if you can, run it permissive first and fix the denials instead of switching it off.

Remove Extra Packages:
  yum -y remove Deployment_Guide-en-US autofs conman finger gpm nfs-utils nfs-utils* pcmciautils xorg*
  yum -y remove atk bluez-* cairo ccid cups* desktop-file-utils libX11
 * 1) Packages with no dependencies (first command)
 * 2)   ADDITIONAL: cpuspeed
 * 3) Packages with dependencies (second command)
 * 4)   ADDITIONAL: fontconfig freetype portmap
 * 5)   This also removes the following dependencies:
 * 6)   GConf2 coolkey gtk2 htmlview libXcursor libXext libXfixes libXft libXi libXinerama libXrandr
 * 7)   libXrender libXres libXt libXxf86vm libnotify libwnck mesa-libGL notification-daemon pango
 * 8)   paps pinfo redhat-lsb redhat-menus startup-notification yp-tools ypbind


 * 1) DISABLE EXTRA SERVICES
 * 2) Mostly no longer needed, since removing the packages above also removes their init scripts; apmd and cpuspeed are still installed, so they still need turning off (chkconfig just prints an error for services that are already gone):
 * 3) for service in apmd autofs bluetooth cpuspeed cups gpm netfs nfslock portmap rpcgssd rpcidmapd ; do chkconfig $service off ; done

  yum -y install ntp
  ntpdate -t 10 time-a.nist.gov
  hwclock -w
  chkconfig ntpd on
  service ntpd start
 * 1) SETUP NTPD (run ntpdate before ntpd is started, otherwise ntpd holds port 123 and ntpdate fails; accurate time also keeps log timestamps comparable across hosts)
 * 2) Use time-a.nist.gov instead of time.nist.gov

  echo -e "root:\t\tkenneth@oeey.com" >> /etc/aliases
  newaliases
 * 1) SETUP ALIASES (root's mail, including cron and logwatch output, goes to a mailbox somebody reads)

  adduser kenneth
  passwd kenneth
  visudo
    # uncomment the wheel line:
    # %wheel       ALL=(ALL)       ALL
    %wheel       ALL=(ALL)       ALL
  vi /etc/group
    wheel:x:10:root,kenneth
  vi /etc/ssh/sshd_config
    #PermitRootLogin yes
    PermitRootLogin no
  service sshd restart
 * 1) DISABLE ROOT SSH LOGIN: create an unprivileged admin user, give it sudo through the wheel group, then forbid root over SSH. Confirm the new user can log in and sudo from a second session before restarting sshd, or you can lock yourself out of a remote box.

system-config-securitylevel-tui
 * 1) To Configure firewall

yum -y update ; reboot
 * 1) DO SYSTEM UPDATE AND REBOOT

Security Tools

 * Top 75 Security Tools
 * Top 50 Security Tools
 * Top 100 Network Security Tools

Ports
Linux TCP Ports:
  TCP   22   SSH (sshd)
  TCP   25   SMTP (sendmail/postfix)
  TCP   80   HTTP (httpd)
  TCP  110   POP3 (courier/dovecot)
  TCP  143   IMAP (courier)
  TCP  389   LDAP
  TCP  443   HTTPS (httpd)
  TCP  465   SMTPS (stunnel->sendmail)
  TCP  636   LDAP/SSL (stunnel->LDAP)
  TCP  993   IMAPS (stunnel->courier)
  TCP  995   POP3S (stunnel->courier)

Linux UDP Ports:
  UDP   53   DNS (named)
  UDP  123   NTP (ntpd)

Note: DNS also needs TCP 53 for zone transfers and responses too large for UDP, so open both if the host is an authoritative server.

Windows Ports:
  TCP 3389   Remote Desktop (Windows)

Minimal Install - Anaconda Kickstart
anaconda-ks.cfg (the partition commands are written out commented, as anaconda generates them):

  # Kickstart file automatically generated by anaconda.

  install
  cdrom
  lang en_US.UTF-8
  keyboard us
  network --device eth0 --bootproto static --ip 10.0.0.41 --netmask 255.255.255.0 --gateway 10.0.0.1 --nameserver 10.0.0.1 --hostname gatekeeper.oeey.com
  network --device eth1 --bootproto dhcp --hostname gatekeeper.oeey.com
  rootpw --iscrypted $1$Np12nOAS$Nkxxxxxx7i.
  firewall --enabled --port=22:tcp
  authconfig --enableshadow --enablemd5
  selinux --enforcing
  timezone --utc America/Boise
  bootloader --location=mbr --driveorder=sda
  # The following is the partition information you requested
  # Note that any partitions you deleted are not expressed
  # here so unless you clear all partitions first, this is
  # not guaranteed to work
  #clearpart --all --drives=sda
  #part /boot --fstype ext3 --size=101 --asprimary
  #part swap --size=3968 --asprimary
  #part / --fstype ext3 --size=1 --grow --asprimary

  %packages
  @base
  @core

Note that this file has "selinux --enforcing" and only TCP 22 open in the firewall; the Disable SELinux step above is applied after the install, so the kickstart alone does not reproduce that change.

Remove Extra Services

 * 1) Block ICMP timestamp requests (the rule below drops timestamp-request, ICMP type 13, which leaks the host clock; it does not block ping, which is echo-request, type 8, so use that type if ping is what you want dropped):
 * 2) *enable firewall
 * 3) *$IPTABLES -A INPUT -p icmp --icmp-type timestamp-request -i $EXTIFACE -j DROP
 * 4) Secure SSH:
 * 5) *vi /etc/ssh/sshd_config
 * 6) *Protocol 2
 * 7) *ListenAddress 0.0.0.0 (listens on every IPv4 address; put the management interface's address here instead if SSH should not face the internet)
 * 8) *PermitRootLogin no
 * 9) Disable extra services:
 * 10) *netfs
 * 11) *nfslock
 * 12) *portmap
 * 13) *rpcgssd
 * 14) *rpcidmapd
 * 15) *acpid (Power Management Related)
 * 16) *apmd (Power Management Related)
 * 17) *cups
 * 18) *isdn (Only used if you have an ISDN card in the machine)
 * 19) *pcmcia (Most likely you either don’t have or will not use a pcmcia device in the machine)
 * 20) *bluetooth
 * 21) *autofs
 * 22) *xfs
 * 23) *gpm

for service in netfs nfslock portmap rpcgssd rpcidmapd acpid apmd cups isdn pcmcia bluetooth autofs xfs gpm ; do chkconfig $service off ; done
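The sshd_config changes called for twice on this page (the DISABLE ROOT SSH LOGIN step of the minimal install, and the Secure SSH items in the list above) are easy to get wrong by hand: sshd honours only the first active occurrence of a keyword, so appending "PermitRootLogin no" below an existing "PermitRootLogin yes" does nothing. The following is an added example, not code from the original page, that makes the edit idempotent and verifiable. It takes the config file as a parameter so it can be tried on a copy first; the file path and the option set (Protocol 2, PermitRootLogin no) are assumptions taken from the page's own lists.

```shell
#!/bin/sh
# Added example (not from the original page): idempotent sshd_config edits.
# Keywords are matched in the canonical spelling used by the stock file;
# sshd itself treats them case-insensitively.

# Print the effective value of KEY in FILE. sshd uses the first active
# (uncommented) occurrence and ignores later ones, so we do the same.
sshd_option() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Set KEY to VALUE in FILE: every active or commented-out occurrence is
# replaced by a single active line; if the key is absent it is appended.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)      # drop a leading "#"
            split(line, f, /[ \t]+/)
            if (f[1] == key) {
                if (!done) { print key " " value; done = 1 }
                next                               # swallow duplicates
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"     # cat keeps owner/mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Apply the settings from the page's "Secure SSH" list.
harden_sshd_config() {
    set_sshd_option "$1" Protocol 2 &&
    set_sshd_option "$1" PermitRootLogin no
}

# 0 if FILE forbids root login over SSH, 1 otherwise. A missing keyword
# counts as a failure: this OpenSSH generation defaults it to "yes".
check_root_login_disabled() {
    [ "$(sshd_option "$1" PermitRootLogin)" = "no" ]
}

# Usage on a live host (as root):
#   cp /etc/ssh/sshd_config /root/sshd_config.bak
#   harden_sshd_config /etc/ssh/sshd_config && sshd -t && service sshd restart
```

Run `sshd -t` between the edit and the restart: it parses the file and refuses to continue on a syntax error, which is the check that keeps a bad edit from taking the only remote door down with it.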

Current list of enabled services:

  [kenneth@dev ~]$ sudo /sbin/chkconfig --list | grep 3:on
  acpid          0:off   1:off   2:off   3:on    4:on    5:on    6:off
  anacron        0:off   1:off   2:on    3:on    4:on    5:on    6:off
  apmd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
  atd            0:off   1:off   2:off   3:on    4:on    5:on    6:off
  autofs         0:off   1:off   2:off   3:on    4:on    5:on    6:off
  cpuspeed       0:off   1:on    2:on    3:on    4:on    5:on    6:off
  crond          0:off   1:off   2:on    3:on    4:on    5:on    6:off
  firstboot      0:off   1:off   2:off   3:on    4:off   5:on    6:off
  gpm            0:off   1:off   2:on    3:on    4:on    5:on    6:off
  haldaemon      0:off   1:off   2:off   3:on    4:on    5:on    6:off
  hidd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
  ip6tables      0:off   1:off   2:on    3:on    4:on    5:on    6:off
  iptables       0:off   1:off   2:on    3:on    4:on    5:on    6:off
  irqbalance     0:off   1:off   2:on    3:on    4:on    5:on    6:off
  jexec          0:on    1:on    2:on    3:on    4:on    5:on    6:on
  kudzu          0:off   1:off   2:off   3:on    4:on    5:on    6:off
  mcstrans       0:off   1:off   2:on    3:on    4:on    5:on    6:off
  mdmonitor      0:off   1:off   2:on    3:on    4:on    5:on    6:off
  messagebus     0:off   1:off   2:off   3:on    4:on    5:on    6:off
  mysqld         0:off   1:off   2:on    3:on    4:on    5:on    6:off
  network        0:off   1:off   2:on    3:on    4:on    5:on    6:off
  ntpd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
  pcscd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
  readahead_early 0:off  1:off   2:on    3:on    4:on    5:on    6:off
  restorecond    0:off   1:off   2:on    3:on    4:on    5:on    6:off
  sendmail       0:off   1:off   2:on    3:on    4:on    5:on    6:off
  smartd         0:off   1:off   2:on    3:on    4:on    5:on    6:off
  sshd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
  syslog         0:off   1:off   2:on    3:on    4:on    5:on    6:off
  yum-updatesd   0:off   1:off   2:off   3:on    4:on    5:on    6:off
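Reading a listing like the one above by eye is how services get missed. The following is an added example, not code from the original page: it turns the `chkconfig --list` output into an audit against an allowlist of services that are supposed to be on at the chosen runlevel, and prints the same `for ... chkconfig $s off` loop the page uses for whatever is left over. The allowlist is an assumption for a headless server and should be adapted per host (a mail server keeps sendmail, a box with software RAID keeps mdmonitor, and so on).

```shell
#!/bin/sh
# Added example (not from the original page): audit "chkconfig --list"
# output against an allowlist. The allowlist below is an assumption.
ALLOWED_SERVICES="crond iptables ip6tables network ntpd sshd syslog"

# Read "chkconfig --list" output on stdin and print, one per line, the
# SysV services enabled at runlevel LEVEL (default 3) that are not allowed.
# xinetd sub-services appear indented with no runlevel columns; they are
# skipped here, since chkconfig manages them by a different mechanism.
unexpected_services() {
    level=${1:-3}
    awk -v level="$level" -v allowed="$ALLOWED_SERVICES" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        /^[^ \t]/ && NF >= 8 {
            for (i = 2; i <= NF; i++) {
                split($i, kv, ":")              # "3:on" -> kv[1]="3", kv[2]="on"
                if (kv[1] == level && kv[2] == "on" && !($1 in ok)) print $1
            }
        }'
}

# Build the chkconfig loop that turns the unexpected services off.
# Prints nothing when the host is already clean.
disable_command() {
    unexpected_services "$@" | awk '
        BEGIN { cmd = "for s in" }
        { cmd = cmd " " $1; n++ }
        END { if (n) print cmd " ; do chkconfig $s off ; done" }'
}

# Usage on a live host:
#   /sbin/chkconfig --list | unexpected_services 3
#   /sbin/chkconfig --list | disable_command 3 | sh     # after reviewing it
```

Keep the allowlist in version control next to the kickstart: rerunning the audit after every `yum update` then shows exactly which package re-enabled a service behind your back.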

  getent protocols 50
  getent services 5353/udp
 * 1) Look up IP protocol number 50 (ESP, IPsec) and find which service IANA has allocated to UDP port 5353 (mDNS), both answered from /etc/protocols and /etc/services. Without the /udp suffix getent returns the first entry for that port number whatever its protocol.

Additional items to remove:
  yum remove Deployment_Guide-en-US
  yum remove finger gaim cups-libs cups bluez-libs desktop-file-utils

This also removed (as dependencies): bluez-utils GConf2 cups-libs libnotify desktop-file-utils bluez-libs htmlview paps finger redhat-lsb cups libwnck notification-daemon redhat-menus pinfo gtk2 bluez-gnome

Some other options:
  yum remove apmd acpid cpuspeed
  yum remove atk autofs cairo ccid conman fontconfig freetype libX11 pcmciautils
  yum remove xorg*

Disabling Root Logins
Disallowing Root Access

Prevent access to the root shell and log the attempt. Edit the /etc/passwd file and change root's shell from /bin/bash to /sbin/nologin. This also stops "su -" and "sudo -i" from handing out an interactive root shell ("sudo command" still works), so have the wheel/sudo setup above working and tested first.

Prevent access to the root account via the console or the network. An empty /etc/securetty file prevents root login on any device attached to the computer, because pam_securetty only lets root in on ttys listed there:
  echo > /etc/securetty

Prevent root access via the OpenSSH suite of tools. Edit the /etc/ssh/sshd_config file, set the PermitRootLogin parameter to no and restart sshd. (sshd does not consult /etc/securetty, which is why this is a separate step.)

Prevent root access to network services that are PAM aware. Edit the file for the target service in the /etc/pam.d/ directory. Make sure pam_listfile.so is required for authentication, with item=user sense=deny and a list file that names root, and that its line comes before the modules that would otherwise accept the login.
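The four controls above are easy to apply and just as easy to leave half done, so here is an added example, not code from the original page, that checks three of them on file copies and performs the pam_listfile edit. Every function takes file paths as parameters; the list-file path follows the vsftpd example in Red Hat's Deployment Guide and the PAM file contents in the usage comments are assumptions. The sshd check is covered by the sshd_config example earlier on this page and is not repeated here.

```shell
#!/bin/sh
# Added example (not from the original page): verify root-access controls
# and insert a pam_listfile deny rule into a PAM service file.

# Login shell of root from a passwd-format file (field 7).
root_shell() {
    awk -F: '$1 == "root" { print $7; exit }' "$1"
}

# Succeed only if the securetty file names no tty at all. Blank lines and
# comments never match a tty name, so "echo > /etc/securetty" passes.
securetty_denies_root() {
    ! grep -q '^[^#[:space:]]' "$1"
}

# Is USER named in a pam_listfile "sense=deny" list file (one name per line)?
# Check that root is actually in the list before trusting the PAM rule.
listfile_denies() {
    grep -qxF "$2" "$1"
}

# Insert a pam_listfile deny rule as the first "auth" entry of PAMFILE so it
# runs before any module that could grant access. "required" records the
# failure but keeps evaluating the stack, so the client cannot tell which
# module rejected it. Safe to run twice.
deny_listed_users() {
    pamfile=$1; listfile=$2
    # onerr=succeed (Red Hat's example) means an unreadable list file silently
    # disables the rule; use onerr=fail if you prefer a lockout to a bypass.
    rule="auth       required     pam_listfile.so item=user sense=deny file=$listfile onerr=succeed"
    grep -q "pam_listfile.so.*file=$listfile" "$pamfile" && return 0
    tmp=$(mktemp) || return 1
    awk -v rule="$rule" '
        !done && $1 == "auth" { print rule; done = 1 }
        { print }
        END { if (!done) print rule }
    ' "$pamfile" > "$tmp" && cat "$tmp" > "$pamfile"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage on a live host (as root), assuming vsftpd and its ftpusers list:
#   root_shell /etc/passwd                       # expect /sbin/nologin
#   securetty_denies_root /etc/securetty && echo "console root login blocked"
#   listfile_denies /etc/vsftpd.ftpusers root && \
#       deny_listed_users /etc/pam.d/vsftpd /etc/vsftpd.ftpusers
```

Test the denied login from another session immediately after the PAM edit: a PAM file with a typo in it fails closed for everyone, not just root.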

Windows Password Security
"Interestingly, if you run windows (shudder) and want to see just how secure your passwords are, have a look at Ophcrack. Scary stuff! http://ophcrack.sourceforge.net/ This thing will find any 14 character alphanumeric password in a matter of minutes!" 

Security Watches

 * PayPal Security Flaw allows Identity Theft
 * SSL defeated in IE and Konqueror

NMAP
See nmap

Auditor Security Collection
Wiki Auditor Security Collection

"The Auditor security collection is a LiveCD based on Knoppix. Auditor was planned and developed with the targets of user-friendliness and an optimal toolset. For example, the menu structure is organised into the typical phases of a security check: footprinting, analysis, scanning, wireless scanning, brute-forcing, and cracking. Auditor Security Collection is now known as BackTrack."


 * Freshmeat: Auditor security collection
 * Auditor: The security tool collection

BackTrack
BackTrack

"BackTrack is the most top rated Linux live distribution focused on penetration testing. With no installation whatsoever, the analysis platform is started directly from the CD-ROM and is fully accessible within minutes."

"BackTrack is a Linux distribution distributed as a LiveDistro that results from the merger of WHAX and the Auditor-based Auditor Security Collection."


 * Wiki: BackTrack

DenyHosts
DenyHosts - http://denyhosts.sourceforge.net/

"DenyHosts is a script intended to be run by Linux system administrators to help thwart SSH server attacks (also known as dictionary based attacks and brute force attacks).

If you've ever looked at your ssh log (/var/log/secure on Redhat, /var/log/auth.log on Mandrake, etc...) you may be alarmed to see how many hackers attempted to gain access to your server. Hopefully, none of them were successful (but then again, how would you know?). Wouldn't it be better to automatically prevent that attacker from continuing to gain entry into your system?

DenyHosts attempts to address the above"

NOTE: DenyHosts is a Python script! :-)

-

[http://www.linux-mag.com/cache/7729/1.html Got Security? You’re in Denial | Linux Magazine]:
 * "Do you think your systems are secure? Install DenyHosts and you’ll realize that you were in denial. "


 * "Exposing a system to the Internet means that you’ll soon (within hours) experience login attempts from random locations, from people you don’t know and from those with unclear motivations. DenyHosts is an SSH security tool in the form of a python script that helps prevent brute force and dictionary-based attacks against your systems. On my home system, I have at least one such attempt added to my /etc/hosts.deny file per day. I use DenyHosts to maintain that stealth watch over my insignificant system here in my dusty little corner of the Internet that I call home."
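What DenyHosts automates is small enough to show in full. The following is an added example, not code from the original page and not DenyHosts' own code: it reads sshd lines in the /var/log/secure format quoted above, counts failed password attempts per source address and prints hosts.deny entries for every address at or above a threshold. The log lines in the test and the threshold of 5 are constructed for the example; DenyHosts itself also tracks invalid-user attempts separately, ages entries out and can share lists between hosts, none of which is reproduced here.

```shell
#!/bin/sh
# Added example (not from the original page, not DenyHosts' code): the core
# of DenyHosts' logic in POSIX sh and awk, reading an sshd log on stdin.

# Count "Failed password" lines per source address.
# Output: "<count> <ip>", most failures first. Handles both the "for USER"
# and the "for invalid user USER" forms sshd writes, by locating "from".
failed_logins_by_host() {
    awk '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (h in n) print n[h], h }
    ' | sort -k1,1nr -k2,2
}

# Emit hosts.deny lines for addresses with at least THRESHOLD failures
# (default 5). "sshd: <ip>" limits the block to sshd, as DenyHosts does by
# default; "ALL: <ip>" would block every tcp_wrappers-aware service.
deny_lines() {
    threshold=${1:-5}
    failed_logins_by_host | awk -v t="$threshold" '$1 >= t { print "sshd: " $2 }'
}

# Usage on a live host (as root); review the output before appending it:
#   deny_lines 5 < /var/log/secure
#   deny_lines 5 < /var/log/secure >> /etc/hosts.deny
```

Whatever does the appending, keep your own management addresses out of its reach (DenyHosts has an allowed-hosts file in its work directory for exactly this): one fat-fingered password from the office IP is otherwise enough to lock the admin out.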

DenyHosts Installation
Installation:
  yum install --enablerepo=rpmforge denyhosts

Start service:
  service denyhosts start
  starting DenyHosts:   /usr/bin/env python /usr/bin/denyhosts.py --daemon --config=/etc/denyhosts/denyhosts.cfg

Config: /etc/denyhosts/denyhosts.cfg

Before starting it, put the addresses you administer from into the allowed-hosts file in DenyHosts' work directory, so a few mistyped passwords of your own cannot lock you out.

-- Manual Installation --

  apt-get install python python2.3-dev python2.3

  cd /tmp
  wget http://mesh.dl.sourceforge.net/sourceforge/denyhosts/DenyHosts-2.0.tar.gz
  tar xvfz DenyHosts-2.0.tar.gz
  cd DenyHosts-2.0
  python setup.py install

  cd /usr/share/denyhosts
  cp denyhosts.cfg-dist denyhosts.cfg

The tarball comes over plain HTTP from a mirror and "setup.py install" runs as root, so compare it against the checksum or signature published by the project before the install step.

Preventing SSH Dictionary Attacks With DenyHosts | HowtoForge - Linux Howtos and Tutorials - http://www.howtoforge.com/preventing_ssh_dictionary_attacks_with_denyhosts

The R Zone: Hardening a Linux Server in 10 Minutes
Wed Mar 1 16:14:18 CET 2006 (as copied from : http://rudd-o.com/archives/2006/02/27/hardening-a-linux-server-in-10-minutes/ )

Did you know that a freshly installed Linux server can be hardened in less than 10 minutes? Here's how!

Print these instructions out, and keep them posted on a wall in your office or home. Before plugging in a freshly installed network server, simply remember to follow these instructions. Make these instructions second nature to you.

You'll need a bit of experience with the Linux command-line environment, as the following commands are usually issued in a terminal. You will need root access on your server as well. By the way, the following instructions apply to any LSB-compliant Linux distribution, but I'll use Fedora Core as an example.


 * Step 1: turn all unneeded services off
 * Step 2: limit access to running services using iptables

IBM - Hardening the Linux server

 * "Servers—whether used for testing or production—are primary targets for attackers. By taking the proper steps, you can turn a vulnerable box into a hardened server and help thwart outside attackers. Learn how to secure SSH sessions, configure firewall rules, and set up intrusion detection to alert you to any possible attacks on your GNU/Linux® server. Once you've gained a solid foundation in the basics of securing your server, you can build on this knowledge to further harden your systems."

Linux Security Tips By Kapil Sharma - http://www.faqs.org/docs/gazette/tips.html
"In this article I will explain how to make your Linux box secure by taking basic security measures. This article will enable anybody to tighten the security of a redhat Linux box."

Summary:
 * BIOS Security - password protect
 * LILO Security - password protect
 * Disable all special accounts - delete unused accounts
 * Choose the right password - set password length and ageing rules
 * Enable shadow password support - /usr/sbin/authconfig, pwconv, grpconv
 * The root account - idle timeout (TMOUT)
 * Disable all console-equivalent access for regular users
 * Disable and uninstall all unused services - inetd
 * TCP_WRAPPERS - deny all by default in /etc/hosts.deny, allow explicitly in /etc/hosts.allow
 * Don't let the system issue file be displayed - telnetd
 * Change the "/etc/host.conf" file
 * Immunize the "/etc/services" file - immutable (chattr +i)
 * Disallow root login from different consoles - /etc/securetty
 * Block anyone from su-ing to root - pam_wheel, wheel group
 * Shell logging - history size
 * Disable the Control-Alt-Delete keyboard shutdown command - /etc/inittab
 * Fix the permissions of the script files under "/etc/rc.d/init.d" - chmod 700
 * Hide your system information - /etc/issue
 * Disable unused SUID/SGID programs - find them with find, strip the bit with chmod
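The last tip is the one that most repays being scripted, because SUID/SGID binaries are the usual local privilege-escalation targets and packages quietly bring new ones in. The following is an added example, not code from the original page or from the linked article: it lists setuid/setgid files below a directory, compares them with an allowlist, and prints the chmod commands that would strip the bits from anything not on it. The allowlist is an assumption; build yours from a known-good install and keep it in version control so that drift shows up as a diff.

```shell
#!/bin/sh
# Added example (not from the original page): SUID/SGID audit.

# List SUID or SGID regular files below DIR, staying on one filesystem.
setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) | sort
}

# Print setid files below DIR that are not listed in ALLOWFILE
# (one absolute path per line; an empty file means "allow nothing").
unexpected_setid() {
    setid_files "$1" | grep -vxF -f "$2"
}

# Print the chmod commands that would strip the bits from unexpected files.
# Review before running them: stripping /bin/su, /usr/bin/passwd or
# /usr/bin/sudo breaks those programs for every non-root user.
strip_setid_commands() {
    unexpected_setid "$1" "$2" | sed 's/^/chmod ug-s /'
}

# Usage on a live host (as root), with an allowlist kept in /root:
#   setid_files / > /root/setid.baseline        # once, on a clean install
#   unexpected_setid / /root/setid.baseline     # after each update
#   strip_setid_commands / /root/setid.baseline | sh   # only after review
```

`find -xdev` keeps the scan off NFS and removable media, which is what you want on a server; run it per filesystem if you need to cover them too. Note that the bits are visible in the inode even where a mount is `nosuid`, so the audit still reports them.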

keywords
linux security