I've decided to publish my Linux Security document. You can download it from here as a pdf version.
This document is intended for linux administrator and security personal. The purpose of this document is to secure linux servers for production use. This document shows how to secure a default installation of Redhat Enterprise Linux but can be adopt for other linux distors as well.
· The Redhat server "Install Everything" installation, installs more than 1000 RPM's in RHEL5 and more than 1400 RPM's in RHEL4. The best way to install a server is to "Install what you need", Use the "Minimum" installation and after the install add what you need or to use the "Custom" installation and select the packages needed. (NOTE: The minimum installation installs less than 300 packages!)
· Patch the servers to the latest patch available - After the installation, the server should be patched to the latest errata available. Run "up2date –u" to update the system, If there is no internet connection then download the latest patch from Redhat web site.
· Some packages are not recommended for installation on a server:
o X/Gnome/KDE – The reasons to not install X/Gnome/KDE are performance and security issues
o Telnet/Ftp/Rsh – SSH is much better solution to for all those tools
· If the OS is already installed then remove unnecessary software
· Partition your disks to:
o / - 2G
o /var – 1G (can be smaller)
o /var/log – 1G
o /tmp – 2G
o /usr – 4G (this is the main directory used for tools)
o /usr/local – 1G (can be smaller)
o /home – 500M (depends on the space needed by users)
o /opt – 500M
o /boot – 100M
The linux machine run level is used to define what system services are operating. There are seven run levels:
· 0: Halt the machine
· 1: Single user mode
· 2-5:
o 2 – Multiuser, without NFS
o 3 – Full multiuser mode
o 4 – Unused
o 5 – X
· 6: Reboot
The default run level for a server should be 3. Run level 3 will start without X (GNOME/KDE/other).
To change the default run level on boot you should edit the file /etc/inittab and change the default run level by editing this line:
id:5:initdefault:
to:
id:3:initdefault:
One of the most important things is to close all unneeded network ports and know which ports you leave open. To get the list of open ports run:
netstat –tulpn
The output of this command will return something like this:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 2391/portmap
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1966/sshd
udp 0 0 0.0.0.0:68 0.0.0.0:* 1570/dhclient
udp 0 0 0.0.0.0:111 0.0.0.0:* 2391/portmap
Services/ports that you may not want to leave running/open are:
| Tool/Services | Port | Dependencies | Handle service |
| Sendmail | 25 | SMTP protocol | If you need the server to act as SMTP server for outgoing emails only then go to "Secure Sendmail" Section in this document. If you don't need to use this server as SMTP server in any way you can stop it by running: chkconfig sendmail off |
| Portmap (RPC) | 111 | Handles RPC calls | service portmap stop chkconfig portmap off |
| Nfslock | TCP:32700 | Used by NFS client | service nfslock stop chkconfig nfslock off |
| Cupsd | 631 | Printing service | service cups stop chkconfig cups off |
| Hplip/hpiod | 2208 | HP Linux Imaging and Printing | service hplip stop chkconfig hplip off |
| avahi-daemon | UDP: 1024, 5353, 1025 | MDNS/DNS-SD | service avahi-daemon stop chkconfig avahi-daemon off |
The default installation starts some services that you may not need or wish to leave running, this list will show most of them. First of all, the way to get the list of running services is:
chkcnfig –list | grep ":on"
The output for this command will return something like this:
acpid 0:off 1:off 2:off 3:on 4:on 5:on 6:off
anacron 0:off 1:off 2:on 3:on 4:on 5:on 6:off
apmd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
atd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
auditd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
autofs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
avahi-daemon 0:off 1:off 2:off 3:off 4:off 5:off 6:off
avahi-dnsconfd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
bluetooth 0:off 1:off 2:on 3:on 4:on 5:on 6:off
conman 0:off 1:off 2:off 3:off 4:off 5:off 6:off
cpuspeed 0:off 1:on 2:on 3:on 4:on 5:on 6:off
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
firstboot 0:off 1:off 2:off 3:on 4:off 5:on 6:off
gpm 0:off 1:off 2:on 3:on 4:on 5:on 6:off
To stop a service from running and start at boot time use:
service
chkconfig
List of services that run by default:
| Service name | Description | Needed? |
| acpid | Handles ACPI event and invokes the command. For example, what happens when the power/sleep button is pressed or AC adapter state is changed. | Y |
| anacron | Like cron but it will run jobs that didn't run because the server was down. | N |
| apmd | Monitoring battery status | N |
| arptables_jf | Automates a packet filtering firewall with arptables | N |
| atd | The same tool as cron. Needed only if using the at command. | N |
| auditd | Handles the audit system | Y |
| autofs | Automount filesystems | If using autofs |
| avahi-daemon | MDNS/DNS-SD, Multicast DNS service Discovery | If using MDNS |
| avahi-dnsconfd | Daemon which configures unicast DNS servers using server info published via mDNS | If using MDNS |
| bluetooth | Bluetooth services for service discovery, authentication, Human Interface Devices, etc | If using Bluetooth devices |
| canna | Japanese Conversion Engine | N |
| cpuspeed | Monitors the systems idle percentage and reduces or raises the CPUs clock speeds and voltages accordingly to minimize power consumption | Y |
| crond | Handles corn jobs | Y |
| cups-config-daemon | configuring printers through D-BUS | N |
| firstboot | Run the first boot program if this is the first boot or run the reconfiguration program if reconfiguration file exists | Y |
| gpm | Mouse support for text based mode | N |
| haldaemon | Daemon for collecting and maintaining information about hardware from several sources. | Y |
| hidd | Bluetooth Human Interface Device Daemon. Provides keyboard, mouse etc. functionality over Bluetooth. | If using Bluetooth |
| hpoj | HP OfficeJet Linux driver | N |
| iiim | Needed if using IM | N |
| ip6tables | Iptables firewall for IPv6 | ? |
| iptables | Iptables firewall for IPv4 | ? |
| irqbalance | The irqbalance daemon will distribute interrupts across cpus on a multiprocessor/multithreaded system with the purpose of spreading the load. Can be disabled on a single CPU machines. | Y |
| isdn | ISDN | N |
| kudzu | Discover new hardware (can run manually). Run it manually in case of hardware changes. | N |
| lm_sensors | Monitoring motherboard sensor values | Why not |
| mcstrans | SELinux Context Translation System Daemon | If using SELinux |
| mdmonitor | Software RAID monitor | If using software RAID |
| messagebus | This is a daemon which broadcasts notifications of system events and other messages. | Y |
| microcode_ctl | Apply cpu microcode (IA32 Arch) | Y |
| netfs | Mount network filesystems on boot. This service is needed when using NFS filesystems. | Y |
| network | Network configuration | Y |
| openibd | Activates/Deactivates InfiniBand Subnet Manager | If using InfiniBand |
| pcmcia | Handles pcmcia devices | N |
| pcscd | Smart Card support | N |
| rawdevices | If using rawdevices | If using rawdevices |
| readahead | Prereads programs required for startup into memory | Why not? |
| readahead_early | Prereads programs required for startup into memory (/etc/readahead.d/*.early) | Why not? |
| readahead_later | Prereads programs required for startup into memory (/etc/readahead.d/*.later) | Why not? |
| restorecond | Used when using SELinux to restore specific files security context | If using SELinux |
| rhnsd | Redhat network daemon | If using RHN updates |
| rpcgssd | manages RPCSEC GSS contexts for the NFSv4 client | If using NFSv4 |
| rpcidmapd | maps user names to UID and GID numbers for NFSv4 | If using NFSv4 |
| setroubleshoot | starts the SELinux Troubleshooting Daemon | If using SELinux |
| smartd | Self Monitoring and Reporting Technology (SMART) Daemon | Y |
| sshd | SSH | Y |
| syslog | Starts syslog | Y |
| xfs | X font server. You can load it only in run level 5. | N |
| xinetd | Xinetd service | Y |
| yum-updatesd | Provides notification of updates which are available to be applied to your system | If using network updates using yum |
To check which xinetd services run by default:
chkconfig --list | awk '/xinetd based services/,/""/' | grep on
| Service name | Description | Needed? |
| auth | allows remote daemons to query information about users establishing TCP connections on the local server | N |
6. Remove unneeded LKM's (Loadable Kernel Modules)
Loadable kernel modules will be loaded when they are needed by the OS/tools, so after disabling all unneeded services we can see that the amount of loaded modules (using lsmod) before is much greater than now.
To disable unneeded LKM's we can use this method:
· lsmod – Displays a list of all loaded modules
· modinfo
· rmmod
To prevent a specific LKM from loading at boot time you will need to change the modprobe configuration files:
· RHEL4 – edit /etc/modprobe.conf and add the line:
alias
for example: "alias floppy off"
· RHEL5 – edit /etc/modprobe.d/blacklist and add the line:
blacklist
To find the
7. Disable CTRL+ALT+
CTRL+ALT+DEL are the default keys defined to reboot the machine, we've seen few cases which cause this defaults to reboot a production server because of a human mistake. To remove this default, edit the file /etc/inittab and comment the line:
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
Or to this line if you whish to echo a message when buttons are pressed:
ca::ctrlaltdel:/bin/echo "CTRL+ALT+
after saving the file run this command to reload the init settings:
init q
To disable IPv6 you need to:
· Add this line to /etc/modprobe.conf:
alias net-pf-10 off
NOTE: if the line "alias net-pf-10 ipv6" exists in the file, change it.
· Add this line to /etc/sysconfig/network
NETWORKING_IPV6=no
NOTE: If the line "NETWORKING_IPV6=yes" exists in the file, change it.
SSH is the replacement for telnet, rsh, rcp and rlogin, with SSH you can create an encrypted & secure connection to the machine. The main sshd configuration file is /etc/ssh/sshd_config.
· To restrict direct root login via ssh set:
PermitRootLogin no
· Allow only ssh version 2 connections, set:
Protocol 2
· Ensure that strict mode is enabled to check file permissions and ownerships of important files locate at the user home directory. With this setting set to yes the sshd will fail connection to the user if the files are not set correctly:
StrictMode yes
· Disable all host based authentications via ssh:
IgnoreRhosts yes
HostbasedAuthentication no
RhostsRSAAuthentication no
· Set idle session timeout to 15 min:
ClientAliveInterval 300
ClientAliveCountMax 3
· Allow only specific users to connect via ssh by create a sshgroup and enable it in ssh:
AllowGroups sshgroup
· Disable sftp if not needed, remark the line:
Subsystem sftp /usr/lib/misc/sftp-server
· Use privilege separation to separate the ssh daemon into two parts, a small part will run as root and the second part will run in cohort jail environment. To do this set:
UsePrivilegeSeparation yes
| Purpose | Description | Parameter |
| TCP SYN attack cookie protection | TCP SYN Attack is a DOS attack that consumes all the resources of a machine. | net.ipv4.tcp_syncookies = 1 |
| Disable IP forwarding | Disable ip forwarding. This parameter should be set to 1 when the linux server acts as a router. | net.ipv4.ip_forward = 0 |
| Disable IP source routing | Source routing is used to specify a path or route through the network from source to destination. This feature can be used by intruders to send a new source route to route traffic to different place and listen to the server network without the server know it happens. | net.ipv4.conf.all.accept_source_route = 0 |
| Disable ICMP Redirect Acceptance | ICMP redirects are used to tell a server the better path to other networks than the one chosen by the server. This feature can be used by intruders. | net.ipv4.conf.all.accept_redirects = 0 |
| Enable IP Spoofing Protection | IP sppofing is when an intruder change the source of an IP packet. | net.ipv4.conf.all.rp_filter = 1 |
| Disable ping | Disable ping requests | net.ipv4.icmp_echo_ignore_all = 1 |
| Disable broadcast requests | Disable broadcast requests | net.ipv4.icmp_echo_ignore_broadcasts = 1 |
| Alert for bad error messages in network | | net.ipv4.icmp_ignore_bogus_error_responses = 1 |
| Enable logging | Enable logging of source route packets, spoofed packets and redirect packets | net.ipv4.conf.all.log_martians = 1 |
There are many accounts created with linux installation (more than 40), most of them are locked already locked. We will check the users that are not locked and decide what to do with each account.
To get the list of open account use:
cat /etc/passwd | grep -v nologin | grep -v false | grep -v root | grep -v sync | grep -v shutdown | grep -v halt
| Account | Description | Action |
| news | Used when using the machine as a news feed server | lock |
| postgres | Used for postgresql database | lock |
| mysql | Used for mysql database | lock |
| netdump | Send oops data and memory dumps over the network | lock |
| pvm | Parallel processing, used for GRID | lock |
| cyrus | IMAP server | lock |
| amanda | Backup tool | lock |
To allow access from and to specific networks/servers/services we can use TCPWrapper.
The configuration files for TCP Wrapper are:
§ /etc/hosts.allow
§ /etc/hosts.deny
The files format is:
Useful man pages for more information:
§ hosts_options(5)
§ hosts_access(5)
NOTE: hosts.allow file take precedence over hosts.deny.
For example:
§ Allowing access via ssh only from specific hosts/subnets:
sshd: server1 server2 .mydomain.com
§ Allowing any type of access to the server only from specific hosts/subnets:
ALL: server1 server2 .mydomain.com
§ To remote logging all connections from server1 use:
sshd: server1: spawn echo "Login from %c to %s" | mail –s "Login" admin@mydomain.com
NOTE: For more complex filtering we can use iptables.
· Edit /etc/login.defs
o Change the values of: PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_WARN_AGE
· Edit /etc/default/useradd
o Change the value of: EXPIRE to the number of days the password will live
o Change the value of: INACTIVE to the number of days that the user will be locked after a password expires
o Or use chage…
· use passwd –S
13.2. Strong password enforcement
· Edit /etc/pam.d/system-auth and add:
minlen=10 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 difok=3
To the end of the line:
/lib/security/$ISA/pam_cracklib.so retry=3
· Edit /etc/pam.d/system-auth and add:
remember=20
To the end of the line:
/lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
13.4. Locking user after too many logins
· Edit /etc/pam.d/system-auth and add:
auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
after the line:
auth required /lib/security/$ISA/pam_env.so
Also, add the line:
account required /lib/security/$ISA/pam_tally.so per_user deny=5 no_magic_root reset
after the line:
account required /lib/security/$ISA/pam_unix.so
To prevent accidental DOS we will set ulimits for all users/groups that we use. This example will show how to set the ulimit for oracle user and for users group. We will use only 2 type of limits (nofile and nproc), but there are more than 10 other types of limits that can be set, like memory, cpu, max logins and more.
· Edit /etc/security/limits.conf, and add:
o For oracle account:
oracle soft nofile 4096
oracle hard nofile 63536
oracle soft nproc 2047
oracle hard nproc 16384
o For the users group:
@users soft nofile 500
@users hard nofile 1000
@users soft nproc 250
@users hard nproc 500
Auditing will log all activities made by users, the drawback of linux auditing system is that we are unable to see the parameters used by a command, for example, if a user will run the command "rm –rf" we will only see rm in the audit trail.
Auditing users commands is available by psacct daemon.
To enable psacct run:
/etc/init.d/psacct start
chkconfig psacct on
Commands to get information from psacct database are:
§ lastcomm – last commands by users
§ ac – statistics about users connect time
§ ac –p – Total time for each user
§ ac –d – Total time for each day
§ sa – summarize accounting information
§ sa –u – print the user for each command
§ sa –m – CPU usage per user
§ and more options for each command (sa, ac, lastcomm)…
There are few patch management solutions, here is a list of a few products:
· Yum (Yellow dog Updater, Modified) – Opensource tool to manage RPM based installations
o Opensource & Free
o Simple to use and manage
o No central management console
· Redhat default up2date solution:
o No central management console
o Each server handles it's own updates
o Each server need access to RHN (can be solved by http proxy server)
· Redhat Satellite server –Implements a solution for patch management by creating a single server that all servers register to get the new patches. This server collects all needed information and packages from Redhat Network for all the registered servers, and can automatically/manually update the registered servers. The satellite server is the only one that needs to have access to the Internet. Redhat Satellite server benefits:
o Single place to manage all servers
o Single place with access to the internet. Can be protected by firewalls.
o Monitoring system – can monitor servers performance
o Network based server install (Kickstart install solution implemented)
o Servers cloning (clones software that were installed by RPM's only)
· IBM Tivoli provisioning management
· HP Radia
· Quest configuration management for SMS
Using iptables we can filter/reroute/logging packets and more. For example, if we would like to allow connections log all packets received from a specific ip on a specific port we can do it with iptables.
I will not discuss iptables in this document, but this is a very good way to do this type of jobs.
iptables can be loaded by the services:
§ iptables6 – for IPv6
§ iptables – for IPv4
If you will use iptables to forward communication you will also need to set the kernel parameter ip_forward to 1.
18. Syslog shipping (Remote Logging)
Syslog can send the log records to a remote host for central monitoring, protecting the data from the administrator and from hackers. To do this all you need to do is:
§ On the syslog server side (The server that will log and save the data) edit the file /etc/sysconfig/syslog and add "-r" to the SYSLOGD_OPTIONS variable and restart syslog daemon.
§ On each client add the following line to /etc/syslog.conf and restart the syslog daemon:
*.* @syslog-server
Where syslog-server is the syslog server name/ip.
NOTE: Running syslog server (The server that will log and save the data) will open UDP:514 port.
Apache is the default web server for linux and the most common web server on the internet. Because of this, apache is a very secure web server but there are few things to do when configuring apache, the main configuration file of apache is /etc/httpd/conf/http.conf:
§ By default apache bounds it self to all networks (Ethernet interfaces) available in the server. Bounding apache to listen to specific interface will minimize the vulnerable of apache, to do that we will need to set the parameter: Listen to smoothing like this:
Listen 192.168.0.122:80
Where 192.168.0.122 is the ip address that we wish apache to listen on.
§ The default configuration of apache is to follow symbolic links and this could be exploited by hackers, to disable this feature remove the "FollowSymLinks" option from apache configuration file.
§ Remove SSI (Server-Side Includes) support – SSI is a way to run server side commands before an html is delivered to the client. SSI is usually disabled by default, to check that that it is also true for our installation check if the option "+Includes" exists in apache configuration files.
§ Disable CGI support – apache CGI support is a way to run scripts from apache, this could be exploited if the script is not written in a secure way. CGI is enabled for all "ScriptAlias" directories and disabled for all other directories by default. To check that the CGI is disable in our installation we need to check that the "ExecCGI" option is not used.
§ Remove unused modules – apache comes with a very big set of loadable modules, we can find the loaded modules in apache configuration files by looking for the directive "LoadModule". It is a good idea to comment the modules that are not used. Here is a list of few modules that are not used commonly, and can be removed probably:
| Module Name | Description |
| ldap_module | LDAP support |
| auth_ldap_module | LDAP authentication with apache |
| include_module | SSI support |
| dav_module | WebDAV support |
| autoindex_module | Needed if using the Index option |
| info_module | Provides a comprehensive overview of the server configuration |
| status_module | Provides information on server activity and performance |
| dav_fs_module | filesystem provider for mod_dav |
| proxy_module | HTTP proxy server |
| proxy_ftp_module | FTP support module |
| proxy_http_module | HTTP support module |
| cgi_module | Execution of CGI scripts |
§ Hiding apache version number and other sensitive information by setting:
ServerSignature Off
ServerTokens Prod
§ Turn off support for .htaccess files, This is done in a Directory tag with the AllowOverride directive. Set it to None:
AllowOverride None
§ Lower the "Timeout" value to 45
§ Limiting large requests:
o Limiting the size of a body requests to 1MB (Do not set this if allowing to upload large files):
LimitRequestBody 1048576
o Limiting the size of an XML file (if using webdav):
LimitXMLRequestBody 10485760
o You can also check "LimitRequestFields", "LimitRequestFieldSize" and "LimitRequestLine". These directives are set to a reasonable defaults for most servers, but you may want to tweak them to best fit your needs.
o Use SSL communication, apache support SSL and can be very easily configured for ssl.
o The final thing to do, but only if truly needed is to run apache in a chrooted environment. This is very tricky thing to do, but possible, we will not discuss this in here.
Sendmail is the default mail server for linux, it's not very secure and pretty hard to configure, But Sendmail is usually used for local mail delivery and not as an SMTP server, if you need an SMTP server I recommend postfix over Sendmail. To use Sendmail for local mail delivery we don't need it to listen to SMTP port 25, to do that all we need to do is edit the file /etc/sysconfig/Sendmail and change the DAEMON variable from "yes" to "no" like this:
DAEMON=no
§ Use NFS over TCP
§ Restrict use for NFSv3 and v4 only
§ Use TCP wrapper on NFS
§ Export only to those machines that you really need
§ Use fully qualified domain names
§ Export only directories you need to export
§ Export read-only wherever possible
Antivirus for linux are no commonly used unless:
· The server role is a windows file server using samba
· The server role is a mailserver
There are three very well known anti-viruses for linux:
· ClamAV – OpenSource antivirus
· Panda – Commercial antivirus
· McAfee LinuxShield - Commercial antivirus
23. Other tools worth checking
Nessus is a very popular vulnerability scanner used, started as an opensource and now it's a closed source but still available for free download.
http://www.nessus.org
Bastille Linux is a tool that helps protecting the operating system by setting a large amount of parameters. It's a good thing to run this tool after implementing this document.
http://www.bastille-linux.org/
DenyHosts is a script intended to be run by Linux system administrators to help thwart SSH server attacks (also known as dictionary based attacks and brute force attacks)
http://denyhosts.sourceforge.net/
Rootkits - (Wikipedia) a set of software tools intended to conceal running processes, files or system data from the operating system. Rootkits have their origin in benign applications, but in recent years have been used increasingly by malware to help intruders maintain access to systems while avoiding detection. chkrootkit is one of the most commonly used for rookits checking.
http://www.chkrootkit.org/
Nikto is an Open Source web server scanner which performs comprehensive tests against web servers.
http://www.cirt.net/code/nikto.shtml
Tripwire is a file and directory integrity checker. Tripwire is a tool that aids system administrators and users in monitoring a designated set of files for any changes.
http://www.tripwire.com/
ntop is a network traffic probe that shows the network usage, similar to what the popular top Unix command does.
http://www.ntop.org
1 comment:
Excellent guide sir. Thanks a lot. You have done a great job for new learners thanku so much once again.
Regards,
Rakesh
Post a Comment