Securing Red Hat Linux 7.3
This is a work in progress and is NOT completed! Actually I started to write this article a few days ago.
This article will become a step-by-step procedure for securing a RedHat Linux server.
If you are maybe interested in Oracle9i on RedHat Linux 7.x, then check my other article.
General
Log Files
Errors and system messages:
/var/log/dmesg (kernel boot messages)
/var/log/boot (runlevel boot logging messages)
/var/log/messages (system messages)
...
Authentication Files:
/var/run/utmp
/var/log/wtmp
/var/log/btmp
/var/log/secure
/var/log/lastlog
Server-specific Logs:
/var/log/xferlog (ftpd logging information)
/var/log/maillog (sendmail logging information)
/var/log/pacct
...
Connect Accounting Utilities
Here is a list of commands you can use to get data about user logins:
who: Shows a listing of currently logged-in users. This command reads /var/log/utmp.
w: Shows who is logged on and what they are doing.
last: Shows a list of last logged-in users, including login time, logout time etc. This command reads /var/log/wtmp.
lastb: Same as last, except that by default it shows a log of the file /var/log/btmp, which contains all the bad login attempts.
lastlog: This command reports data maintained in /var/log/lastlog, which is a record of the last time a user logged in.
ac: Prints out the connect time in hours on a per-user basis or daily basis etc. This command reads /var/log/wtmp.
dump-utmp: Converts the raw data from /var/run/utmp or /var/log/wtmp into ASCII-parsable format.
ftpwho: The ftpwho program utility displays all active ftp users and their current process information on the system. The output of the command is in the format of the "/bin/ps" command.
ftpcount: The ftpcount program utility, a simplified version of ftpwho, shows only the current number of users logged in to the system and the maximum number of users allowed.
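As an added example (not part of the original article), the following shell function summarizes the bad login attempts that lastb reports from /var/log/btmp by user and source host, so repeated failures from one address stand out. Since lastb needs root, the function reads lastb-style text on stdin and is run here against a constructed sample; the function name and threshold argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article): summarize the bad login
# attempts that lastb reads from /var/log/btmp. lastb needs root, so the
# function takes lastb-style text on stdin; a constructed sample is used below.

# failed_logins_by_source THRESHOLD: read lastb output on stdin and print
# "COUNT USER HOST" for every user/host pair with at least THRESHOLD attempts,
# most frequent first. Fields are taken by column (user 1-8, host 23-38),
# because console logins have an empty host and would break whitespace splitting.
failed_logins_by_source() {
    awk -v min="$1" '
        /^btmp begins/ || length($0) < 23 { next }
        {
            user = substr($0, 1, 8);   gsub(/^ +| +$/, "", user)
            host = substr($0, 23, 16); gsub(/^ +| +$/, "", host)
            if (host == "") host = "local"
            n[user " " host]++
        }
        END { for (k in n) if (n[k] >= min) print n[k], k }
    ' | sort -rn
}

# Constructed lastb output (not real data).
SAMPLE_LASTB='root     ssh:notty    10.0.0.9         Mon Jun  3 10:02 - 10:02  (00:00)
root     ssh:notty    10.0.0.9         Mon Jun  3 10:02 - 10:02  (00:00)
root     ssh:notty    10.0.0.9         Mon Jun  3 10:03 - 10:03  (00:00)
admin    ssh:notty    10.0.0.9         Mon Jun  3 10:03 - 10:03  (00:00)
wpusch   tty1                          Mon Jun  3 08:15 - 08:15  (00:00)

btmp begins Sat Jun  1 00:00:01 2002'

printf '%s\n' "$SAMPLE_LASTB" | failed_logins_by_source 2   # prints: 3 root 10.0.0.9
```

On a real server the same function is fed with `lastb | failed_logins_by_source 5`, run as root.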
RedHat Package Manager (RPM)
You should make sure that you remove all packages you don't need on a production server (e.g. compilers, development packages, X, etc.).
Here are some basic RPM options for maintaining packages:
To install an RPM package:
rpm -ivh package_name.rpm
To delete an installed RPM package (the erase and query options take the installed package name as listed by rpm -qa, not the .rpm file name):
rpm -e package_name
To check what would happen if a package were deleted (dependency checks etc.) without actually deleting it:
rpm -e --test package_name
To install or upgrade an RPM package that is currently installed to a newer version:
rpm -Uvh package_name.rpm
To upgrade an RPM package only if an earlier version is currently installed:
rpm -Fvh package_name.rpm
To query for all installed packages:
rpm -qa
To get package information about a specific installed package:
rpm -qi package_name
To list all files and directories that belong to an installed RPM package:
rpm -ql package_name
To query for the package that owns a specific file on your server:
rpm -qf /bin/ls
The /etc/inittab File
You might want to disable the "Control-Alt-Del" key sequence. To do that, make sure the following line is commented out in the /etc/inittab file:
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
Make sure that the change becomes effective immediately by invoking the following command:
init q
Some recommend adding, for example, the following line to the /etc/inittab file to ensure that a root password is required for the Single User Mode logon:
~~:S:wait:/sbin/sulogin
But this would give you a false sense of security. When you get into the Single User Mode, it will certainly ask you for the root password. But it's too easy to get around. Instead of using "linux single", you can also use "linux init=/bin/bash" which will not ask for the root password. Your server should be physically secured anyway.
Services
To get a list of all enabled services, execute the following command:
chkconfig --list
TCP Wrapper
TO BE CONTINUED... :-)
Settings for /etc/passwd and /etc/shadow
The following files and parameters are used when a new account is created with the Linux command 'useradd'. These settings are recorded for each user account in the files /etc/passwd and /etc/shadow. It is important to have the following changes in place before adding any user accounts on the node. Here is an example:
File | Parameter | Value | Description
/etc/login.defs | PASS_MAX_DAYS | 58 | Maximum number of days a password is valid
/etc/login.defs | PASS_MIN_DAYS | 7 | Minimum number of days allowed between password changes
/etc/login.defs | PASS_WARN_AGE | 7 | Number of days before a forced password change
/etc/login.defs | UID_MIN | 500 | Min value for automatic UID selection
/etc/login.defs | GID_MIN | 500 | Min value for automatic GID selection
/etc/login.defs | PASS_MIN_LEN | n/a | Minimum acceptable password length. This does NOT work. It is superseded by the PAM module "pam_cracklib"!
/etc/default/useradd | GROUP | 100 | Default group
/etc/default/useradd | HOME | /home | Default user home location
/etc/default/useradd | INACTIVE | 14 | Maximum number of days after a password expired that a user can change the expired password
/etc/default/useradd | EXPIRE | | Expiration date of an account in the format YYYY-MM-DD.
/etc/default/useradd | SHELL | /bin/bash | Default shell
/etc/default/useradd | SKEL | /etc/skel | Default profile directory
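As an added example (not part of the original article), this shell script audits /etc/login.defs and /etc/default/useradd against the values recommended in the table above and reports every parameter that is unset or differs, so the check can be repeated before accounts are created. It reads the files from paths given as arguments and is run here on constructed copies; the function names, the temporary directory and the sample contents are assumptions of this example, and nothing is modified.

```shell
#!/bin/sh
# Added example (not from the original article): audit /etc/login.defs and
# /etc/default/useradd against the values recommended in the table above.
# Paths are arguments so it can run on constructed copies; nothing is modified.

# get_setting FILE KEY: print the value of the last uncommented KEY line.
# Accepts both "KEY value" (login.defs) and "KEY=value" (useradd defaults).
get_setting() {
    sed -n "s/^[[:space:]]*$2[[:space:]=]\{1,\}//p" "$1" | sed 's/[[:space:]]*$//' | tail -n 1
}

# audit_file FILE KEY=EXPECTED...: print one line per parameter that is
# unset or differs from EXPECTED; print nothing when the file complies.
audit_file() {
    file=$1; shift
    for spec in "$@"; do
        key=${spec%%=*}; want=${spec#*=}
        have=$(get_setting "$file" "$key")
        [ "$have" = "$want" ] || echo "$file: $key is '${have:-unset}', expected '$want'"
    done
}

# Constructed samples (not real files): stock unhardened login.defs values
# and a useradd defaults file with INACTIVE left at -1.
write_samples() {
    cat >"$1" <<'EOF'
# Password aging controls (commented lines are ignored by get_setting)
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
UID_MIN                   500
GID_MIN                   500
EOF
    cat >"$2" <<'EOF'
GROUP=100
HOME=/home
INACTIVE=-1
SHELL=/bin/bash
SKEL=/etc/skel
EOF
}

# Expected values from the table above.
LOGIN_DEFS_WANT="PASS_MAX_DAYS=58 PASS_MIN_DAYS=7 PASS_WARN_AGE=7 UID_MIN=500 GID_MIN=500"
USERADD_WANT="GROUP=100 HOME=/home INACTIVE=14 SHELL=/bin/bash SKEL=/etc/skel"
dir=${TMPDIR:-/tmp}/logindefs-audit.$$
mkdir -p "$dir" && write_samples "$dir/login.defs" "$dir/useradd"
audit_file "$dir/login.defs" $LOGIN_DEFS_WANT   # reports PASS_MAX_DAYS and PASS_MIN_DAYS
audit_file "$dir/useradd" $USERADD_WANT         # reports INACTIVE
rm -rf "$dir"
```

On a real server, replace the sample paths with /etc/login.defs and /etc/default/useradd; an empty output means the files match the table.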
Pluggable Authentication Modules (PAM)
/etc/pam.d/su: /lib/security/pam_wheel.so parameters
This PAM module permits root authentication to members of the wheel group only.
Ensure that the following parameters are set:
/lib/security/pam_wheel.so use_uid
Linux Security Books
If you want to read a very good book on Linux Security, then you should check out Gerhard Mourani's security book, which covers security very thoroughly and which is intended for a technical audience and Linux administrators. But it also covers material for home users and others as well. I had the opportunity to contribute to the development of the second edition. The edition "Securing & Optimizing Linux: The Ultimate Solution" is now the successor of the very popular book "Securing and Optimizing Linux: Red Hat Edition".
Securing and Optimizing Linux: Red Hat Edition (First Edition)
Warning and Disclaimer: Every effort has been made to provide the information as accurate as possible, but no warranty or fitness is implied. The author shall have no liability nor responsibility to any loss or damages arising from the information contained on this web site.
Comments? comments@puschitz.com