Hardening of Linux Servers
Table of Contents:
1. Introduction
2. Securing SSH
3. Disable Telnet
4. TCP Wrappers
5. Creating an SU group
6. Using Welcome Message at login
7. File system Security
i) Control file system Mounting Permissions
ii) Change File and Directory Permissions
iii) Remove Unusual or Hidden files
iv) Find Group and World Writable Files & Directories
v) Find all unowned directories and files
8. Passwords Policy
i) Complexity of Password
ii) Change File and Directory Permissions
iii) Locking Account After Too many Login Failure
iv) Enable Shadow Password
v) Password Aging
9. Account Policy
i) Remove Unwanted Accounts
ii) Session Timeout
iii) Identify Account without password
10. Remove Unwanted Services.
11. Closing Network Ports and disabling run level services.
12. Reviewing inittab and booting scripts
13. Cron Scheduling Entries
14. Kernel Tunable Security Parameters
15. Umask Settings
16. NFS Server/Client Hardening
i) Don't enable the portmap service unless necessary
ii) NFS file systems should be exported using the "read only" parameter.
iii) Export file systems with “root_squash” option
iv) NFS mounts should specify the "nosuid" option.
17. FTP Server Hardening
i) Anonymous FTP should be disabled
ii) FTP access should be restricted only to users who require it.
iii) Access to the FTP server should be restricted to non-privileged users.
iv) Chroot jail Environment
18. The Samba guest account should not be enabled.
19. Preventing accidental denial of Services
20. Detecting Listening Network ports
21. Removing unnecessary packages (RPMs)
22. Fully Qualified Domain Name(FQDN)
The
pam_unix module parameter remember can be used to
configure the number of previous passwords that cannot be reused. And the pam_cracklib module parameter
difok can be used to specify the
number of characters hat must be different between the old and the new
password.
1.
Introduction:-
This paper is a step by step guide for securing Linux
Systems.
Linux is just another operating system like Windows, Mac, BSD
etc. Linux by default is not secured enough compared to Windows which is not secured
by default at all.
There is no such thing as a perfect or a completely secured
operating system. The purpose of this paper is to understand how you can at
least provide some kind of security to your system.
2.
Securing SSH:-
SSH (Secure
Shell) is a protocol which supports logging into a remote system or executing
commands on a remote system, using an encrypted communication between the two
systems. By default SSH is running version 1 and allowing direct root access to
the system. We should disable direct root access on the sshd_config file and
use only protocol 2 which is more secure.
How To:
1) vi
/etc/ssh/sshd_config
2) Change
Protocol 2, 1 to Protocol 2
4)
PermitRootLogin no
5) Restart
SSHD: /etc/rc.d/init.d/sshd restart
ENSURE root
does not have a ~/.rhosts file.
3.
Disable
Telnet:-
In older Linux distributions the telnet system is enabled by
default. Ftp, rlogin and telnet are vulnerable to eavesdropping that’s why it
is recommended to use the secure versions. (sftp,scp, ssh). If you want for any
reason to use the telnet terminal you should at least hide the banner
information although it is not recommended to use telnet at all.
How To:
Disabling
telnet
Modify
/etc/xinetd.d/telnet (could also be /etc/xinetd.d/telnet and change disable=no
to disable=yes)
4.
TCP
Wrappers
By editing hosts.allow and hosts.deny you can restrict or
allow access to inet services.
Tailor this
further to narrow traffic down to only what is appropriate for the network. Restrict
access to Inet services.
1. Create
/etc/hosts.allow:
# echo
""ALL: <net>/<mask>, <net>/<mask>,
…"" >/etc/hosts.allow
where each
<net>/<mask> combination represents one IP subnet in use by your
organization that requires access to this system.
2. Create
/etc/hosts.deny:
# echo ""ALL:
ALL"" >/etc/hosts.deny
Protect the
TCP Wrappers files:
chown
root:root /etc/hosts.deny
chmod 0600 /etc/hosts.deny
5.
Creating
an SU group:-
Because we
had disabled direct root access to the system from SSH and telnet is disabled
we would like to assign some users the privilege to use “su” command to gain
root privilege on the system.
vi /etc/group
Add line:
wheel:x:10:root,user1,
user2 (only authorized to login as root)
Then
chgrp wheel /bin/su
chmod o-rwx /bin/su
1.
Using
Welcome Message:-
You must
provide anyone that tries to login into the system with information about his
actions and let him know that the system is not available for everybody
(public).
There are cases in the past that an attacker hacked systems
that didn't provide this information and they court couldn't do anything on
that case because the system was saying Welcome :)
Edit
/etc/issue and put the following banner to be displayed:
This system is owned by <Organization
Name>.This computer system is for authorized users only. If you are not
authorized to access this system, exit immediately. Unauthorized access to this
system is forbidden by <Organization Name>. policies, national, and
international laws. Unauthorized users are subject to criminal and civil
penalties as well as <Organization Name>. initiated disciplinary proceedings.
Individuals using this system without <Organization Name> authority or in
excess of their authority are subject to having all their activities on this
system monitored and recorded or examined by any authorized person, including
law enforcement, as system personnel deem appropriate. In the course of
monitoring individuals improperly using the system or in the course of system
maintenance, the activities of authorized users may also be monitored and
recorded. Any material so recorded may be disclosed as appropriate. Anyone
using this system consents to these terms.
Edit the ssh
configuration file.
vi
/etc/ssh/sshd_config
Banner /etc/issue
Restart sshd
service
Service sshd
restart
FTP Banner:-
Edit the vsftpd server configuration file
/etc/vsftpd/vsftpd.conf.
Add the
following line to the file
banner_file=/etc/issue
service
vsftpd restart
2.
File system Security
i)
Control file system Mounting Permissions
Modify the /etc/fstab file
to set permissions on certain file systems, examples given below:
/dev/hda5 /tmp ext2
rw,nosuid,nodev,noexec, 1 2
/dev/hda9 /home ext2
rw,nosuid,nodev 1 2
Permission sets available:
defaults Allow everything
noquota Do not set users
quotas
nosuid Do not set SUID/SGID
access
nodev Do not set character
or special devices access
noexec Do not set execution
of any binaries
quota Allow users quotas
ro Allow read-only
rw Allow read-write
suid Allow SUID\SGID access
ii)
Change
File and Directory Permissions
/etc/hosts.allow
chmod 600 /etc/hosts.allow
chattr +i etc/hosts.allow
/etc/hosts.deny
chmod 600 /etc/hosts. deny
chattr +i etc/hosts. deny
/etc/sysctl.conf
chmod 600 /etc/sysctl.conf
chattr +i etc/sysctl.conf
/etc/inetd.conf
chmod 600 /etc/inetd.conf
chattr +I /etc/inetd.conf
/etc/services
chattr +i etc/services
/etc/rc.d/init.d (Directory)
chmod –R 700 /etc/rc.d/init.d/*
/bin/rpm
chmod 700 /bin/rpm
/etc/passwd & /etc/shadow
chmod
400 /etc/passwd
chmod 400 /etc/shadow
chmod 700
/usr/bin/gcc
chmod 700 /usr/bin/make
Checking file stats:
Stat /etc/filename
Remove
.rhosts file:
Search for and delete .rhosts file
from file system (user home
directories):
Find / -name .rhosts
–print
i)
Remove Unusual or Hidden files
Find all hidden or unusual
files anywhere on the file system and remove them if not required for a
specific purpose.
Run
Find / -name “.. “ – print
–xdev
Find / -name “.“ – print
–xdev
Find / -name “D“ – print
–xdev
Find / -name “..^G“ – print
–xdev
Find / -name “. .“ – print
–xdev
ii)
Find Group and World Writable Files & Directories
These are security holes,
find and remove them if not required. Normally there are several such files
which includes some in the /dev, /var/catman directories and also all symbolic
links on the system, please ignore these files. Review these files against a known baseline of world writable
files. Verify all world-writable file permissions have a business or
operational need with the following command.
Run:
Find / -type f \( -perm –2
–o –perm –20 \) –exec ls –lg {} \; (Find world writable files)
Find / -type d \( -perm –2
–o –perm –20 \) –exec ls –ldg {} \; (Find world writable dir.)
Or
find / -path /proc -prune -o
-perm -2 ! -type l –ls (Find world
writable files)
find / -perm -2 -type d –ls (Find world writable directories)
iii)
Find
all unowned directories and files
Don’t allow unowned files and
directories on the file system. Ignore files reported in the /dev directory.
Run:
Find / -nouser –o –nogroup
1. Passwords Policy:-
Passwords are a key control on most systems.
If passwords are not complex, they may be guessed by a malicious user. If the
password hashes are obtained, complex passwords will be more resistant to brute
force cracking attempts, which increases the probability that monitoring
controls will alert systems administrators of a compromise before the malicious
user obtains access.
i)
Complexity of Password
Utilize the UNIX password dictionary to
enforce the creation of more secure passwords. Utilize the PAM credit password
complexity features to force specific password attributes. The recommended
guidelines state.
At
least 1 uppercase character , 1 lower case character, 1 special character and 1
number or as defined by corporate policy. The Password length should be minimum
8 characters.
For
baseline implementation:
Configure
PAM to require the use of "credits" which will enforce the user of
numbers, special characters, and mixed cases in passwords. Ensure the following
parameters are present in the line where "pam_cracklib.so" is
referenced:
dcredit=-1
ucredit=-1 lcredit=-1 ocredit=-1
This
will require the use of 1 uppercase alphabet character, 1 numeric digit, and 1
lowercase alphabet character and 1 special character.
vi /etc/pam.d/system-auth
Edit File:
password requisite pam_cracklib.so retry=3 minlen=8 ucredit=-1 dcredit=-1 ocredit=-1 lcredit=-1
Note:
Positive
"credit" numbers specify a maximum credit for that credit attribute.
To require the use of a password attribute, negative credits should be used as
detailed above
ucredit:
uppercase letters required
lcredit:
lowercase letters required
dcredit:
digits required
ocredit:
special characters required
ii)
Restricting use of 3 previous password
Edit the /etc/pam.d/system-auth file
and add/change the following pam_cracklib
and pam_unix
arguments:
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 difok=3
password
sufficient
/lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=3
i)
Locking Account After Too many Login Failure
Add the following two
lines highlighted in blue to the /etc/pam.d/system-auth
file as shown below:
auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
account required /lib/security/$ISA/pam_tally.so per_user deny=8 no_magic_root reset
The first added line counts failed login and failed su attempts for each user. The default location for attempted accesses is recorded in /var/log/faillog.
The second added line specifies to lock accounts automatically after 8 failed login or su attempts (deny=8). The counter will be reset to 0 (reset) on successful entry
To see failed login attempts, run:
# faillog
To unlock an account after too many
login failures, run:
# faillog -u <user> -r
Make sure to test these changes
thoroughly on your system using e.g. ssh and su, and make sure root does not
get locked!
To lock/unlock accounts manually, you can run one of the following commands:
To lock/unlock accounts manually, you can run one of the following commands:
# passwd -l <user>
# usermod -L <user>
# passwd -u <user>
# usermod -U <user>
Since the /var/log/faillog is owned by root and only root can write to the /var/log/faillog file, xscreensaver and vlock won't work correctly.
i) Enable Shadow Password.Shadow password file is already enabled in Linux.You can check whether /etc/shadow file exist or not.If not you can run pwconv command to enable the shadow password. pwconv creates shadow from passwd and an optionally existing shadow. First, entries in the shadowed file which don't exist in the main file are removed. Then, shadowed entries which don't have `x' as the password in the main file are updated. Any missing shadowed entries are added.Run:# pwconvii) Password AgingSet the maximum password age in accordance with corporate security policy or industry guidelines. Recommended Standards: - 60 Days1) Review the /etc/login.defs file with the following command:#more /etc/login.defs2) Set the PASS_MAX_DAYS variable is set in accordance with corporate security policy or industry guidelines.1. Account Policyi) Disbale/Remove Unwanted AccountsBy default all the user account mentioned in the hardening list are disabled. If not,you can do this by putting a * symbol after the username in /etc/shadow filed. (Ex-news, lp, sync, shutdown, uucp, games, halt, etc..)bin:*:14525:0:99999:7:::daemon:*:14525:0:99999:7:::è Use userdel and groupdel to remove unwanted users and Groups.è To lock specific user accounts: /usr/sbin/usermod -L -s /bin/false user.ii) Session TimeoutEdit File /etc/profile fileSet a session timeout to automatically terminate or logout. Unattended or orphan sessions opened into your linux box,TMOUT = 1800TIMEOUT=1800Export TMOUT, TIMEOUTSpecifies timeout of 1800 seconds. Add this line just below the HISTFILESIZE line in the inittab file.iii) Identify Account without passwordUser accounts without passwords increase the risk that unauthorized users will gain access to the system. Once a malicious user has obtained a list of system users, a common next step in attempting to compromise the system is to try logging into each account with a blank password.1) Identify any accounts without passwords using the following command:# cat /etc/passwd | cut -d':' -f1 | xargs -i passwd -S {}2) Accounts without passwords will not have any characters between the second and third set of colons; and3) Set passwords on any accounts found without passwords using the following command:# passwd usernameFind accounts without passwords using the following command:cat /etc/shadow | awk -F: 'length($2)<2 {print $1}' Disable all accounts found without passwords.1. Remove Unwanted Services. ( Xinetd Services)The xinetd daemon is a replacement for inetd, the internet services daemon. It monitors the ports for all network services configured in /etc/xinetd.d, and starts the services in response to incoming connections. Disable all the services which run as part of the TCP Superserver xinetd, unless specifically required.Services, which are left running, should be further locked downby applying Tcp Wrappers.To check if xinetd is enabled and running, execute:# chkconfig --list xinetdxinetd 0:off 1:off 2:off 3:on 4:on 5:on 6:off# /etc/init.d/xinetd statusxinetd (pid 2619) is running...If xinetd is active, it is important to check which Unix services are active and controlled by xinetd. The following command shows all services configured in /etc/xinetd.d and wheter xinetd monitors the ports for these services:# chkconfig --list | awk '/xinetd based services/,/""/'To get a list of only active services for which xinetd monitors the ports, you could run:# chkconfig --list | awk '/xinetd based services/,/""/' | grep -v offHow to:1. Open the /etc/xinetd.d/ file for all unnecessary rpc services in an editor.2. Add the line "disable = yes".3.. Restart the inetd process by performing the following commands:# pkill -HUP xinetd2. Closing Network Ports and disabling run level services.One of the most important tasks is to remove any network services from the system startup process that are not needed.On Red Hat systems you can list all services which are started at bootup using the following command:chkconfig --list |grep on
To permanently disable e.g. the runlevel service nfs, run:chkconfig nfs off –level 1,2,3,4,5To immediately disable the runlevel service nfs, run:/etc/init.d/nfs stop3. Reviewing inittab and booting scripts:-i) Disable the CTRL-ALT-DELETE trap entry to prevent accidental reboots:#ca::ctrlaltdel:/sbin/shutdown -t3 -r nowii) To have changes in /etc/inittab become effective immediately, you can run:# init qiii)The /etc/rc.local script is used for commands or startup scripts which are pertinent only to a specific server. (/etc/rc.local is a link to /etc/rc.d/rc.local). Ensure that all startup scripts in /etc/rc.d/rc.local are legitimate.4. Cron Scheduling EntriesRemove all cron files for non-existent users from the /var/spool/cron directory. If these jobs are essential to system operation, they should be scheduled to run using a valid user identification code. Remove all jobs in third party scheduling software for non-existent users.
1. Kernel Tunable
Security Parameters
Add the following lines to the end of
/etc/sysctl.conf:
###### Additional parameters to meet PCI
requirement: Added in 2011 #######
#
Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
#Prevent
SYN attack
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_synack_retries
= 2
#
Enable IP spoofing protection, turn on source route
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
#
Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Disables packet
forwarding
net.ipv4.ip_forward
= 0
# Send redirects, if router, but this is just server
net.ipv4.conf.all.send_redirects
= 0
net.ipv4.conf.default.send_redirects = 0
#
Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
#
Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
then issue the command 'sysctl -p' to load the changes into memory.
2. Umask Settings
The umask (user file-creation
mode mask) command is a shell built-in command which determines the default
file permissions for newly created files. This can be overwritten by system
calls but many programs and utilities make use of umask.
By default, Red Hat sets umask to 022 or 002 which is fine. If the name of the user account and the group account is the same and the UID is 100 or larger, then umask is set to 002, otherwise it's set to 022, see /etc/bashrc for bash shells.
By default, Red Hat sets umask to 022 or 002 which is fine. If the name of the user account and the group account is the same and the UID is 100 or larger, then umask is set to 002, otherwise it's set to 022, see /etc/bashrc for bash shells.
For the bash shell you can find the
setting of umask in /etc/bashrc. The /etc/bashrc file is for
system-wide aliases and functions and is invoked by ~/.bashrc.
3. NFS Server/Client Hardening:-
i)
Don't
enable the portmap service unless necessary. A machine that doesn't use the
sunrpc services (i.e. NFS or NIS) doesn't need portmap.
Consider replacing portmapper/rpcbind
with a more secure version, which can restrict local forwarding of rpc calls (indirect
calls) and provides enhanced logging.
Check portmap
service by running
#service portmap status
or
#/etc/init.d/portmap status
Stop portmap service by running command
#service portmap stop
#chkconfig portmap off
ii)
Unless specified by operational requirements,
NFS file systems should be exported using the "read only" parameter.
Export file systems as "read only".
If remote users require the ability to write to the file system, ensure that
they are exported to specific authorized hosts in the /etc/exports file.
View the /etc/exports file using the following command:
# more /etc/exports
Verify the -ro option is specified to all
exported directories listed in the /etc/exports. If write access is needed to
an export, ensure that the export is allowed to a fully qualified domain name/authorized
network group only.
iii)
Export file systems with “root_squash” option
Do not
exports file systems with the 'no_root_squash' option. This permits remote
users to access files as root on the exported file system if they are root on
the remote machine.
1. Open
the /etc/exports file in an editor.
2.
Ensure that no file systems are exported with the "no_root_squash"
option. By default, "root_squash" is enabled.
3.
Explicitly specify the "root_squash" option on each exported file
system.
iv)
NFS mounts should specify the
"nosuid" option.
An NFS
mount point is a location (directory) where remote mounted resources (disks or
CD-ROM) are linked to the local file system. If the local system honors the
SUID attribute of a remote file, a non-privileged user could obtain privileges
by executing a remote command that has set SUID bit. By obtaining privileges on
the system, the user would be able to modify or delete files.
Add the
nosuid option to all mounted directories listed in the /etc/fstab file.
1. FTP Server
Hardening:-
i)
Anonymous FTP should be disabled
Anonymous
FTP allows unauthenticated network users to access files on the system. If this
access is incorrectly configured, the unauthorized user may have access to view
or modify sensitive data.
How To:-
1) Open
the /etc/vsftpd/vsftpd.conf file in an editor
2)
Disable anonymous access by setting anonymous_enable=NO; and
3)
Enable authenticated ftp access by setting local_user=YES.
ii)
FTP access should be restricted only to users
who require it.
Without
the existence of the /etc/vsftpd.ftpusers or the /etc/vsftpd.user_list files,
any user listed in the /etc/passwd file can transfer files across the network.
This increases the risk that unauthorized files are transferred across the
network. Ensure only authorized accounts have ftp access by configuring the
/etc/vsftpd.ftpusers and /etc/vsftpd.user_list files.
For
baseline implementation:
1) Open
the /etc/vsftpd.ftpusers file in an editor; and
2)
Enter all system, guest, and privileged application accounts in this file.
For
enhanced implementations:
3) Open
the /etc/vsftpd/vsftpd.conf file in an editor. Add the following lines to the
file: -
userlist_enable=YES
userlist_deny=NO
This will configure the ftp server to only
allow users listed in the /etc/vsftpd.user_list file to connect; and
4)
Enter valid ftp account names in the /etc/vsftp.user_list file to allow
accounts ftp access.
For
baseline implementation:
1)
Review the /etc/pam.d/vsftpd file. Ensure the
following line exists and is un-commented:
"auth required pam_listfile.so item=user
sense=deny file=/etc/vsftpd.ftpusers onerr=succeed" ;
2)
Review
the /etc/vsftpd.ftpusers file. Ensure at a minimum the following accounts are
listed: - root - bin - sys - uucp - sync - any guest accounts - accounts with
restricted shell - privileged application accounts such as "oracle" -
any other account that should not be copying files across the network ;
For
enhanced implementations:
3)
Review the /etc/vsftp.user_list file. Verify
with the system administrator that users listed require ftp access; and
4)
Open the /etc/vsftpd/vsftpd.conf file using an
editor. Verify the userlist_enable variable is set to YES. Verify the
userlist_deny variable is set to NO.
iii)
Access to the File Transfer Protocol (FTP)
server should be restricted to non-privileged users.
Without
the existence of the /etc/ftpusers file, any user listed in the /etc/passwd
file can log into the system via FTP. FTP does not encrypt credentials or data
in transit. Allowing privileged users to log in with FTP increases the risk
that their passwords will be sniffed by a malicious user on the network.
Additionally, allowing privileged users to log into FTP increases the risk that
a malicious user will use FTP as a means of guessing the passwords of
privileged users.
Add
privileged user IDs to the /etc/ftpusers file, including the following
accounts:
- root
-
domain0
- bin
- sys
- uucp
- sync
- any
guest accounts
-
accounts with restricted shell
- any
other account that should not be copying files across the network (e.g. oracle,
sybase, informix)
For
baseline implementation:
1)
Create the file /etc/ftpusers if it does not
exist and set appropriate file permissions and ownership with the following
commands:
# chmod
600 /etc/ftpusers
# chown
root /etc/ftpusers
2) Open
the /etc/ftpusers file in an editor and add the system accounts, guest
accounts, privileged application accounts, and the root account to the file.
iv)
Chroot jail Enviroment
Chroot
jail one can set up a chroot environment which prevents the user from leaving
its home directory. To enable this, add the following lines to
/etc/vsftpd.conf:
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
The
chroot_list_file variable specifies the file which contains users that are
jailed.
If
enabled in conjunction with the chroot_local_user directive, the local users
listed in the file specified in the chroot_list_file directive are not placed
in a chroot jail upon log in.
Enabling
chroot_local_user opens up a number of security issues, especially for users
with upload privileges. For this reason, it is not recommended
1. The Samba guest account
should not be enabled.
Review
the /etc/samba/smb.conf file and verify that the the line containing
"guest account" is commented.
2. Preventing
accidental denial of Services.
Linux allows you to set
limits on the amount of system resources that users and groups can use. This is
also very handy if bugs in programs accidentally use up too much resource, slow
down the machine, or even render the system unusable. This could become a security issue if someone
is allowed to use up all resources and causes a denial of service attack.
Depending on your environment you may want to review resource limits for user
accounts and groups.
Most shells like Bash
provide control over various resources like the maximum allowable number of
open file descriptors or the maximum number of processes available to a user.
To see all shell limits, run:
ulimit –a
For example, to change the
number of file handles or open files that the Oracle user can use, you have to
edit the file /etc/security/limits.conf as root and make the following changes or add the following lines,
respectively:
oracle
soft nofile 4096
oracle
hard nofile 63536
The "soft limit"
in the first line defines the number of file handles or open files that the
Oracle user will have after login. If the Oracle user gets error messages about
running out of file handles, then the Oracle user can increase the number of
file handles like in this example up to 63536 ("hard limit") by
running the following command:
ulimit -n 63536
3. Detecting
Listening Network ports:-
In order to list open UDP and TCP
ports on repository server, Iuri has
installed some useful software on his
machine(192.168.1.48) including nmap20
network tool, this will be used to
accomplish the task of port scanning.
The following commands executed on
Iuri's machine will list open UDP and
TCP ports on repository server:
# nmap –sU –n -P0 192.168.1.200
Starting nmap 3.50 (
http://www.insecure.org/nmap/ ) at 20041214
03:45 BRST
All 1659 scanned ports on
192.168.1.200 are: closed
# nmap –sT –n -P0 -192.168.1.200
Starting nmap 3.50 (
http://www.insecure.org/nmap/ ) at 20041214
03:48 BRST
Interesting ports on 192.168.1.200:
(The 1658 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
As listed above, only two ports are
open: 22 and 80. These are the only
network services
running on the server.
Another method to list all of the
TCP and UDP sockets to which programs are listening is lsof:
# lsof -i -n | egrep 'COMMAND|LISTEN|UDP'
COMMAND PID
USER FD TYPE DEVICE SIZE NODE NAME
sshd 2317
root 3u IPv6 6579
TCP *:ssh (LISTEN)
xinetd 2328
root 5u IPv4
6698 TCP *:auth (LISTEN)
sendmail 2360
root 3u IPv4
6729 TCP 127.0.0.1:smtp (LISTEN)
4. Removing
unnecessary packages (RPMs)
A very
important step in securing a Linux system is to determine the primary function
or role of the Linux server. You should have a detailed knowledge of what is on
your system. Otherwise you will have a difficult time to understand what needs
to be secured and hence securing your Linux systems proactively won't be that
effective. Therefore, it is very critical to look at the default list of
software packages and remove unneeded packages or packages that don't comply
with your security policy.
One of the first action items should be to create a Linux image that
only contains RPMs needed by the applications, and needed for maintenance and
troubleshooting purposes. A good approach is to start with a minimum list of
RPMs and then add packages as needed. It may be time-consuming but worth the
efforts.
To get a list of all installed RPMs
you can use the following command:
rpm -qa
If you want to know more about a
particular RPM, run:
rpm -qi <package_name>
To check for and report potential
conflicts and dependencies for deleting a RPM, run:
rpm -e --test <package_name>
5.
Fully Qualified Domain Name(FQDN):-
The
hostname should have Frequently Qualified Domain Name (FQDN) in /etc/sysconfig/network file.
vi
/etc/sysconfig/network
HOSTNAME= <Hostname of Server>
jabardast he yu to
ReplyDeleteIt is for the beneficial for Linux Administrators.
Delete