Monday, 9 July 2012

Hardening of Linux Server


                                                            Hardening of Linux Servers


Table of Contents:
1.    Introduction
2.    Securing SSH
3.    Disable Telnet
4.    TCP Wrappers
5.    Creating an SU group
6.    Using Welcome Message at login
7.    File system Security
i)              Control file system Mounting Permissions
ii)             Change File and Directory Permissions
iii)            Remove Unusual or Hidden files
iv)            Find Group and World Writable Files & Directories
v)             Find all unowned directories and files
8.    Passwords Policy
i)              Complexity of Password
ii)             Change File and Directory Permissions
iii)            Locking Account After Too many Login Failure
iv)            Enable Shadow Password
v)             Password Aging
9.    Account Policy
i)              Remove Unwanted Accounts
ii)             Session Timeout
iii)            Identify Account without password
10.    Remove Unwanted Services.
11.    Closing Network Ports and disabling run level services.
12.    Reviewing inittab and booting scripts
13.    Cron Scheduling Entries
14.    Kernel Tunable Security Parameters
15.    Umask Settings
16.    NFS Server/Client Hardening
i)            Don't enable the portmap service unless necessary
ii)             NFS file systems should be exported using the "read only" parameter.
iii)            Export file systems with “root_squash” option
iv)            NFS mounts should specify the "nosuid" option.
17.    FTP Server Hardening
i)              Anonymous FTP should be disabled
ii)             FTP access should be restricted only to users who require it.
iii)            Access to the FTP server should be restricted to non-privileged users.
iv)            Chroot jail Environment
18.    The Samba guest account should not be enabled.
19.    Preventing accidental denial of Services
20.    Detecting Listening Network ports
21.    Removing unnecessary packages (RPMs)
22.     Fully Qualified Domain Name(FQDN)





  

1.     Introduction:-

This paper is a step by step guide for securing Linux Systems.
Linux is just another operating system like Windows, Mac, BSD etc. Linux by default is not secured enough compared to Windows which is not secured by default at all.
There is no such thing as a perfect or a completely secured operating system. The purpose of this paper is to understand how you can at least provide some kind of security to your system.

2.     Securing SSH:-

SSH (Secure Shell) is a protocol which supports logging into a remote system or executing commands on a remote system, using an encrypted communication between the two systems. By default SSH is running version 1 and allowing direct root access to the system. We should disable direct root access on the sshd_config file and use only protocol 2 which is more secure.


How To:
1) vi /etc/ssh/sshd_config
2) Change Protocol 2, 1 to Protocol 2
4) PermitRootLogin   no
5) Restart SSHD: /etc/rc.d/init.d/sshd restart

ENSURE root does not have a ~/.rhosts file.


3.     Disable Telnet:-


In older Linux distributions the telnet system is enabled by default. Ftp, rlogin and telnet are vulnerable to eavesdropping that’s why it is recommended to use the secure versions. (sftp,scp, ssh). If you want for any reason to use the telnet terminal you should at least hide the banner information although it is not recommended to use telnet at all.


How To:


Disabling telnet
Modify /etc/xinetd.d/telnet (could also be /etc/xinetd.d/telnet and change disable=no to disable=yes)





4.     TCP Wrappers
By editing hosts.allow and hosts.deny you can restrict or allow access to inet services.
Tailor this further to narrow traffic down to only what is appropriate for the network. Restrict access to Inet services.


1. Create /etc/hosts.allow:
# echo ""ALL: <net>/<mask>, <net>/<mask>, …"" >/etc/hosts.allow
where each <net>/<mask> combination represents one IP subnet in use by your organization that requires access to this system.

2. Create /etc/hosts.deny:
# echo ""ALL: ALL"" >/etc/hosts.deny

Protect the TCP Wrappers files:
chown root:root /etc/hosts.deny
chmod 0600 /etc/hosts.deny



5.     Creating an SU group:-
Because we had disabled direct root access to the system from SSH and telnet is disabled we would like to assign some users the privilege to use “su” command to gain root privilege on the system.



vi /etc/group

Add line:

wheel:x:10:root,user1, user2 (only authorized to login as root)

Then

chgrp wheel  /bin/su
chmod o-rwx  /bin/su

  

1.     Using Welcome Message:-

You must provide anyone that tries to login into the system with information about his actions and let him know that the system is not available for everybody (public).

There are cases in the past that an attacker hacked systems that didn't provide this information and they court couldn't do anything on that case because the system was saying Welcome :)


Edit /etc/issue and put the following banner to be displayed:


This system is owned by <Organization Name>.This computer system is for authorized users only. If you are not authorized to access this system, exit immediately. Unauthorized access to this system is forbidden by <Organization Name>. policies, national, and international laws. Unauthorized users are subject to criminal and civil penalties as well as <Organization Name>. initiated disciplinary proceedings. Individuals using this system without <Organization Name> authority or in excess of their authority are subject to having all their activities on this system monitored and recorded or examined by any authorized person, including law enforcement, as system personnel deem appropriate. In the course of monitoring individuals improperly using the system or in the course of system maintenance, the activities of authorized users may also be monitored and recorded. Any material so recorded may be disclosed as appropriate. Anyone using this system consents to these terms.


Edit the ssh configuration file.
vi /etc/ssh/sshd_config

Banner /etc/issue


Restart sshd service

Service sshd restart



FTP Banner:-


 Edit the vsftpd server configuration file /etc/vsftpd/vsftpd.conf.
Add the following line to the file

 banner_file=/etc/issue

service vsftpd restart




2.     File system Security

i)              Control file system Mounting Permissions

Modify the /etc/fstab file to set permissions on certain file systems, examples given below:

/dev/hda5 /tmp ext2 rw,nosuid,nodev,noexec, 1 2
/dev/hda9 /home ext2 rw,nosuid,nodev 1 2

Permission sets available:

defaults Allow everything
noquota Do not set users quotas
nosuid Do not set SUID/SGID access
nodev Do not set character or special devices access
noexec Do not set execution of any binaries
quota Allow users quotas
ro Allow read-only
rw Allow read-write
suid Allow SUID\SGID access


ii)             Change File and Directory Permissions


/etc/hosts.allow
chmod 600 /etc/hosts.allow
chattr +i etc/hosts.allow

/etc/hosts.deny
chmod 600 /etc/hosts. deny
chattr +i etc/hosts. deny

/etc/sysctl.conf
chmod 600 /etc/sysctl.conf
chattr +i etc/sysctl.conf

/etc/inetd.conf
chmod 600 /etc/inetd.conf
chattr +I /etc/inetd.conf

/etc/services
chattr +i etc/services

/etc/rc.d/init.d (Directory)
chmod –R 700 /etc/rc.d/init.d/*

/bin/rpm
chmod 700 /bin/rpm


 /etc/passwd & /etc/shadow
chmod   400 /etc/passwd
chmod   400 /etc/shadow

chmod 700 /usr/bin/gcc
chmod 700 /usr/bin/make

Checking file stats:
Stat /etc/filename

Remove .rhosts file:
Search for and delete .rhosts file from file system (user home
directories):
Find / -name .rhosts –print

i)              Remove Unusual or Hidden files

Find all hidden or unusual files anywhere on the file system and remove them if not required for a specific purpose.

Run

Find / -name “.. “ – print –xdev
Find / -name “.“ – print –xdev
Find / -name “D“ – print –xdev
Find / -name “..^G“ – print –xdev
Find / -name “. .“ – print –xdev

ii)             Find Group and World Writable Files & Directories

These are security holes, find and remove them if not required. Normally there are several such files which includes some in the /dev, /var/catman directories and also all symbolic links on the system, please ignore these files. Review these files against a known baseline of world writable files. Verify all world-writable file permissions have a business or operational need with the following command.


Run:
Find / -type f \( -perm –2 –o –perm –20 \) –exec ls –lg {} \; (Find world writable files)
Find / -type d \( -perm –2 –o –perm –20 \) –exec ls –ldg {} \; (Find world writable dir.)

Or

find / -path /proc -prune -o -perm -2 ! -type l –ls  (Find world writable files)
find / -perm -2 -type d –ls  (Find world writable directories)


iii)            Find all unowned directories and files

Don’t allow unowned files and directories on the file system. Ignore files reported in the /dev directory.

Run:

Find / -nouser –o –nogroup


1.     Passwords Policy:-

 Passwords are a key control on most systems. If passwords are not complex, they may be guessed by a malicious user. If the password hashes are obtained, complex passwords will be more resistant to brute force cracking attempts, which increases the probability that monitoring controls will alert systems administrators of a compromise before the malicious user obtains access.

i)              Complexity of Password

 Utilize the UNIX password dictionary to enforce the creation of more secure passwords. Utilize the PAM credit password complexity features to force specific password attributes. The recommended guidelines state.

At least 1 uppercase character , 1 lower case character, 1 special character and 1 number or as defined by corporate policy. The Password length should be minimum 8 characters.

For baseline implementation:  

Configure PAM to require the use of "credits" which will enforce the user of numbers, special characters, and mixed cases in passwords. Ensure the following parameters are present in the line where "pam_cracklib.so" is referenced:


dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1

This will require the use of 1 uppercase alphabet character, 1 numeric digit, and 1 lowercase alphabet character and 1 special character.

vi /etc/pam.d/system-auth

Edit File:

password    requisite     pam_cracklib.so    retry=3 minlen=8  ucredit=-1 dcredit=-1 ocredit=-1 lcredit=-1

Note:

Positive "credit" numbers specify a maximum credit for that credit attribute. To require the use of a password attribute, negative credits should be used as detailed above

ucredit: uppercase letters required

lcredit: lowercase letters required

dcredit: digits required

ocredit: special characters required







ii)             Restricting use of 3 previous password

The pam_unix module parameter remember can be used to configure the number of previous passwords that cannot be reused. And the pam_cracklib module parameter difok can be used to specify the number of characters hat must be different between the old and the new password.
Edit the /etc/pam.d/system-auth file and add/change the following pam_cracklib and pam_unix arguments:


password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 difok=3

password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=3



i)              Locking Account After Too many Login Failure


Add the following two lines highlighted in blue to the /etc/pam.d/system-auth file as shown below:

auth        required      /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
 
account     required      /lib/security/$ISA/pam_tally.so per_user deny=8 no_magic_root reset
 
The first added line counts failed login and failed su attempts for each user. The default location for attempted accesses is recorded in /var/log/faillog.
 
The second added line specifies to lock accounts automatically after 8 failed login or su attempts (deny=8). The counter will be reset to 0 (reset) on successful entry
 
To see failed login attempts, run:
# faillog
To unlock an account after too many login failures, run:
# faillog -u <user> -r

Make sure to test these changes thoroughly on your system using e.g. ssh and su, and make sure root does not get locked!

To lock/unlock accounts manually, you can run one of the following commands:
# passwd -l <user>
# usermod -L <user>
# passwd -u <user>
# usermod -U <user>

Since the /var/log/faillog is owned by root and only root can write to the /var/log/faillog file, xscreensaver and vlock won't work correctly.


i)              Enable Shadow Password.
Shadow password file is already enabled in Linux.You can check whether /etc/shadow file exist or not.If not you can run pwconv command to enable the shadow password. pwconv creates shadow from passwd and an optionally existing shadow. First, entries in the shadowed file which don't exist in the main file are removed. Then, shadowed entries which don't have `x' as the password in the main file are updated. Any missing shadowed entries are added.
Run:
# pwconv
ii)             Password Aging
Set the maximum password age in accordance with corporate security policy or industry guidelines. Recommended Standards: - 60 Days
1) Review the /etc/login.defs file with the following command:
#more /etc/login.defs
2) Set the PASS_MAX_DAYS variable is set in accordance with corporate security policy or industry guidelines.
1.     Account Policy
i)              Disbale/Remove Unwanted Accounts
By default all the user account mentioned in the hardening list are disabled. If not,you can do this by putting a * symbol after the username in /etc/shadow filed. (Ex-news, lp, sync, shutdown, uucp, games, halt, etc..)
bin:*:14525:0:99999:7:::
daemon:*:14525:0:99999:7:::
è  Use userdel and groupdel to remove unwanted users and Groups.
è  To lock specific user accounts: /usr/sbin/usermod -L -s /bin/false user.
ii)             Session Timeout
Edit File /etc/profile file
Set a session timeout to automatically terminate or logout. Unattended or orphan sessions opened into your linux box,
TMOUT = 1800
TIMEOUT=1800
Export TMOUT, TIMEOUT
Specifies timeout of 1800 seconds. Add this line just below the HISTFILESIZE line in the inittab file.
iii)            Identify Account without password
User accounts without passwords increase the risk that unauthorized users will gain access to the system. Once a malicious user has obtained a list of system users, a common next step in attempting to compromise the system is to try logging into each account with a blank password.
1) Identify any accounts without passwords using the following command:
# cat /etc/passwd | cut -d':' -f1 | xargs -i passwd -S {}
2) Accounts without passwords will not have any characters between the second and third set of colons; and
3) Set passwords on any accounts found without passwords using the following command:
# passwd username
Find accounts without passwords using the following command:
cat /etc/shadow | awk -F: 'length($2)<2 {print $1}'  Disable all accounts found without passwords.
1.     Remove Unwanted Services. ( Xinetd Services)
The xinetd daemon is a replacement for inetd, the internet services daemon. It monitors the ports for all network services configured in /etc/xinetd.d, and starts the services in response to incoming connections. Disable all the services which run as part of the TCP Superserver xinetd, unless specifically required.Services, which are left running, should be further locked down
by applying Tcp Wrappers.
To check if xinetd is enabled and running, execute:
# chkconfig --list xinetd
xinetd          0:off   1:off   2:off   3:on    4:on    5:on    6:off
# /etc/init.d/xinetd status
xinetd (pid 2619) is running...
If xinetd is active, it is important to check which Unix services are active and controlled by xinetd. The following command shows all services configured in /etc/xinetd.d and wheter xinetd monitors the ports for these services:
# chkconfig --list | awk '/xinetd based services/,/""/'
To get a list of only active services for which xinetd monitors the ports, you could run:
# chkconfig --list | awk '/xinetd based services/,/""/' | grep -v off
How to:
1. Open the /etc/xinetd.d/ file for all unnecessary rpc services in an editor.
2. Add the line "disable = yes".
3.. Restart the inetd process by performing the following commands:
# pkill -HUP xinetd
2.     Closing Network Ports and disabling run level services.
One of the most important tasks is to remove any network services from the system startup process that are not needed.
On Red Hat systems you can list all services which are started at bootup using the following command:
               chkconfig --list |grep on
 
 
To permanently disable e.g. the runlevel service nfs, run:
chkconfig nfs off –level 1,2,3,4,5
To immediately disable the runlevel service nfs, run:
/etc/init.d/nfs stop
3.     Reviewing inittab and booting scripts:-
i)              Disable the CTRL-ALT-DELETE trap entry to prevent accidental reboots: 
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
ii)             To have changes in /etc/inittab become effective immediately, you can run:
# init q
iii)The /etc/rc.local script is used for commands or startup scripts which are pertinent only to a specific server. (/etc/rc.local is a link to /etc/rc.d/rc.local). Ensure that all startup scripts in /etc/rc.d/rc.local are legitimate.
4.     Cron Scheduling Entries
Remove all cron files for non-existent users from the /var/spool/cron directory. If these jobs are essential to system operation, they should be scheduled to run using a valid user identification code. Remove all jobs in third party scheduling software for non-existent users.
  
1.     Kernel Tunable Security Parameters


 
Add the following lines to the end of /etc/sysctl.conf:


###### Additional parameters to meet PCI requirement: Added in 2011 #######

# Enable ignoring broadcasts request    
 net.ipv4.icmp_echo_ignore_broadcasts = 1  

 # Disable ICMP Redirect Acceptance
      net.ipv4.conf.all.accept_redirects = 0 
      net.ipv4.conf.default.accept_redirects = 0
#Prevent SYN attack     
net.ipv4.tcp_syncookies = 1 
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_synack_retries = 2

# Enable IP spoofing protection, turn on source route
            net.ipv4.conf.all.rp_filter = 1
            net.ipv4.conf.default.rp_filter = 1

# Disables IP source routing
            net.ipv4.conf.all.accept_source_route = 0
             net.ipv4.conf.default.accept_source_route = 0

 # Disables packet forwarding
     net.ipv4.ip_forward = 0
 
   # Send redirects, if router, but this is just server
      net.ipv4.conf.all.send_redirects = 0
      net.ipv4.conf.default.send_redirects = 0

# Enable bad error message Protection
      net.ipv4.icmp_ignore_bogus_error_responses = 1

# Log Spoofed Packets, Source Routed Packets, Redirect Packets
        net.ipv4.conf.all.log_martians = 1
      net.ipv4.conf.default.secure_redirects = 0
      net.ipv4.conf.all.secure_redirects = 0


then issue the command 'sysctl -p' to load the changes into memory.


2.     Umask Settings


The umask (user file-creation mode mask) command is a shell built-in command which determines the default file permissions for newly created files. This can be overwritten by system calls but many programs and utilities make use of umask.

By default, Red Hat sets umask to 022 or 002 which is fine. If the name of the user account and the group account is the same and the UID is 100 or larger, then umask is set to 002, otherwise it's set to 022, see /etc/bashrc for bash shells.

For the bash shell you can find the setting of umask in /etc/bashrc. The /etc/bashrc file is for system-wide aliases and functions and is invoked by ~/.bashrc.






3.       NFS Server/Client Hardening:-

i)              Don't enable the portmap service unless necessary. A machine that doesn't use the sunrpc services (i.e. NFS or NIS) doesn't need portmap.

Consider replacing portmapper/rpcbind with a more secure version, which can restrict local forwarding of rpc calls (indirect calls) and provides enhanced logging.

Check portmap service by running

#service portmap status    or
#/etc/init.d/portmap status

Stop portmap service by running command

#service portmap stop
#chkconfig portmap off


ii)             Unless specified by operational requirements, NFS file systems should be exported using the "read only" parameter.

Export file systems as "read only". If remote users require the ability to write to the file system, ensure that they are exported to specific authorized hosts in the /etc/exports file.

View the /etc/exports file using the following command:

# more /etc/exports

Verify the -ro option is specified to all exported directories listed in the /etc/exports. If write access is needed to an export, ensure that the export is allowed to a fully qualified domain name/authorized network group only.




iii)            Export file systems with “root_squash” option

Do not exports file systems with the 'no_root_squash' option. This permits remote users to access files as root on the exported file system if they are root on the remote machine.

1. Open the /etc/exports file in an editor.
2. Ensure that no file systems are exported with the "no_root_squash" option. By default, "root_squash" is enabled.
3. Explicitly specify the "root_squash" option on each exported file system.


iv)            NFS mounts should specify the "nosuid" option.

An NFS mount point is a location (directory) where remote mounted resources (disks or CD-ROM) are linked to the local file system. If the local system honors the SUID attribute of a remote file, a non-privileged user could obtain privileges by executing a remote command that has set SUID bit. By obtaining privileges on the system, the user would be able to modify or delete files.

Add the nosuid option to all mounted directories listed in the /etc/fstab file.






1.     FTP Server Hardening:-


i)              Anonymous FTP should be disabled

Anonymous FTP allows unauthenticated network users to access files on the system. If this access is incorrectly configured, the unauthorized user may have access to view or modify sensitive data.

How To:-

1) Open the /etc/vsftpd/vsftpd.conf file in an editor
2) Disable anonymous access by setting anonymous_enable=NO; and
3) Enable authenticated ftp access by setting local_user=YES.


ii)             FTP access should be restricted only to users who require it.

Without the existence of the /etc/vsftpd.ftpusers or the /etc/vsftpd.user_list files, any user listed in the /etc/passwd file can transfer files across the network. This increases the risk that unauthorized files are transferred across the network. Ensure only authorized accounts have ftp access by configuring the /etc/vsftpd.ftpusers and /etc/vsftpd.user_list files.

For baseline implementation:
1) Open the /etc/vsftpd.ftpusers file in an editor; and
2) Enter all system, guest, and privileged application accounts in this file.

For enhanced implementations:
3) Open the /etc/vsftpd/vsftpd.conf file in an editor. Add the following lines to the file: -  

      userlist_enable=YES
      userlist_deny=NO

 This will configure the ftp server to only allow users listed in the /etc/vsftpd.user_list file to connect; and

4) Enter valid ftp account names in the /etc/vsftp.user_list file to allow accounts ftp access.


For baseline implementation:
1)     Review the /etc/pam.d/vsftpd file. Ensure the following line exists and is un-commented:

 "auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed" ;

2)      Review the /etc/vsftpd.ftpusers file. Ensure at a minimum the following accounts are listed: - root - bin - sys - uucp - sync - any guest accounts - accounts with restricted shell - privileged application accounts such as "oracle" - any other account that should not be copying files across the network ;

For enhanced implementations:
3)     Review the /etc/vsftp.user_list file. Verify with the system administrator that users listed require ftp access; and

4)     Open the /etc/vsftpd/vsftpd.conf file using an editor. Verify the userlist_enable variable is set to YES. Verify the userlist_deny variable is set to NO.



iii)            Access to the File Transfer Protocol (FTP) server should be restricted to non-privileged users.

Without the existence of the /etc/ftpusers file, any user listed in the /etc/passwd file can log into the system via FTP. FTP does not encrypt credentials or data in transit. Allowing privileged users to log in with FTP increases the risk that their passwords will be sniffed by a malicious user on the network. Additionally, allowing privileged users to log into FTP increases the risk that a malicious user will use FTP as a means of guessing the passwords of privileged users.

Add privileged user IDs to the /etc/ftpusers file, including the following accounts:
- root
- domain0
- bin
- sys
- uucp
- sync
- any guest accounts
- accounts with restricted shell
- any other account that should not be copying files across the network (e.g. oracle, sybase, informix)


For baseline implementation:
1)     Create the file /etc/ftpusers if it does not exist and set appropriate file permissions and ownership with the following commands:

# chmod 600 /etc/ftpusers
# chown root /etc/ftpusers

2) Open the /etc/ftpusers file in an editor and add the system accounts, guest accounts, privileged application accounts, and the root account to the file.






iv)            Chroot jail Enviroment

Chroot jail one can set up a chroot environment which prevents the user from leaving its home directory. To enable this, add the following lines to /etc/vsftpd.conf:

chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list

The chroot_list_file variable specifies the file which contains users that are jailed.

If enabled in conjunction with the chroot_local_user directive, the local users listed in the file specified in the chroot_list_file directive are not placed in a chroot jail upon log in.

Enabling chroot_local_user opens up a number of security issues, especially for users with upload privileges. For this reason, it is not recommended





1.     The Samba guest account should not be enabled.


Review the /etc/samba/smb.conf file and verify that the the line containing "guest account" is commented.


2.     Preventing accidental denial of Services.

Linux allows you to set limits on the amount of system resources that users and groups can use. This is also very handy if bugs in programs accidentally use up too much resource, slow down the machine, or even render the system unusable.  This could become a security issue if someone is allowed to use up all resources and causes a denial of service attack. Depending on your environment you may want to review resource limits for user accounts and groups.

Most shells like Bash provide control over various resources like the maximum allowable number of open file descriptors or the maximum number of processes available to a user. To see all shell limits, run:

ulimit –a


For example, to change the number of file handles or open files that the Oracle user can use, you have to edit the file /etc/security/limits.conf as root and make the following changes or add the following lines, respectively:

oracle           soft    nofile          4096
oracle           hard    nofile          63536

The "soft limit" in the first line defines the number of file handles or open files that the Oracle user will have after login. If the Oracle user gets error messages about running out of file handles, then the Oracle user can increase the number of file handles like in this example up to 63536 ("hard limit") by running the following command:

ulimit -n 63536


3.     Detecting Listening Network ports:-


In order to list open UDP and TCP ports on repository server, Iuri has
installed some useful software on his machine(192.168.1.48) including nmap20
network tool, this will be used to accomplish the task of port scanning.
The following commands executed on Iuri's machine will list open UDP and
TCP ports on repository server:

# nmap –sU –n -P0  192.168.1.200

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 20041214  03:45 BRST
All 1659 scanned ports on 192.168.1.200 are: closed

# nmap –sT –n -P0 -192.168.1.200

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 20041214  03:48 BRST
Interesting ports on 192.168.1.200: (The 1658 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
As listed above, only two ports are open: 22 and 80. These are the only
network services running on the server.


Another method to list all of the TCP and UDP sockets to which programs are listening is lsof:

# lsof -i -n | egrep 'COMMAND|LISTEN|UDP'
COMMAND    PID USER   FD   TYPE DEVICE SIZE NODE NAME
sshd      2317 root    3u  IPv6   6579       TCP *:ssh (LISTEN)
xinetd    2328 root    5u  IPv4   6698       TCP *:auth (LISTEN)
sendmail  2360 root    3u  IPv4   6729       TCP 127.0.0.1:smtp (LISTEN)


4.     Removing unnecessary packages (RPMs)

A very important step in securing a Linux system is to determine the primary function or role of the Linux server. You should have a detailed knowledge of what is on your system. Otherwise you will have a difficult time to understand what needs to be secured and hence securing your Linux systems proactively won't be that effective. Therefore, it is very critical to look at the default list of software packages and remove unneeded packages or packages that don't comply with your security policy.

One of the first action items should be to create a Linux image that only contains RPMs needed by the applications, and needed for maintenance and troubleshooting purposes. A good approach is to start with a minimum list of RPMs and then add packages as needed. It may be time-consuming but worth the efforts.

To get a list of all installed RPMs you can use the following command:

rpm -qa

If you want to know more about a particular RPM, run:

rpm -qi <package_name>

To check for and report potential conflicts and dependencies for deleting a RPM, run:

rpm -e --test <package_name>

5.     Fully Qualified Domain Name(FQDN):-


The hostname should have Frequently Qualified Domain Name (FQDN) in /etc/sysconfig/network file.

vi /etc/sysconfig/network

HOSTNAME= <Hostname of Server>





2 comments: