- 1 Summary
- 2 Minimal Secure Install
- 3 Security Tools
- 4 Ports
- 5 Minimal Install - Anaconda Kickstart
- 6 Remove Extra Services
- 7 Disabling Root Logins
- 8 Windows Password Security
- 9 Security Watches
- 10 NMAP
- 11 Auditor Security Collection
- 12 BackTrack
- 13 DenyHosts
- 14 Tutorials
- 15 References
- 16 http://www.faqs.org/docs/gazette/tips.html Linux Security Tips By Kapil Sharma
- 17 keywords
Minimal Secure Install
Install CentOS 5 (minimal install):
# boot to CD 1
linux text
# do minimal install (deselect ALL package options)
# DISABLE SELINUX - not as secure, but much easier to work with
system-config-securitylevel-tui
reboot
Remove Extra Packages:
# Packages with no dependencies...
yum -y remove Deployment_Guide-en-US autofs conman finger gpm nfs-utils nfs-utils* pcmciautils xorg*
# ADDITIONAL: cpuspeed
# Packages with dependencies...
yum -y remove atk bluez-* cairo ccid cups* desktop-file-utils libX11
# ADDITIONAL: fontconfig freetype portmap
# This removes the following dependencies:
# GConf2 coolkey gtk2 htmlview libXcursor libXext libXfixes libXft libXi libXinerama libXrandr
# libXrender libXres libXt libXxf86vm libnotify libwnck mesa-libGL notification-daemon pango
# paps pinfo redhat-lsb redhat-menus startup-notification yp-tools ypbind
# DISABLE EXTRA SERVICES
# No longer needed, as removal of the packages takes care of most of these
# (except for apmd and cpuspeed)
# for service in apmd autofs bluetooth cpuspeed cups gpm netfs nfslock portmap rpcgssd rpcidmapd ; do chkconfig $service off ; done
# SETUP NTPD
# Use time-a.nist.gov instead of time.nist.gov
yum -y install ntp ; ntpdate -t 10 time-a.nist.gov ; hwclock -w ; chkconfig ntpd on ; service ntpd start
# SETUP ALIASES
echo -e "root:\temail@example.com" >> /etc/aliases
newaliases
# DISABLE ROOT SSH LOGIN
adduser kenneth
passwd kenneth
visudo
# uncomment the wheel line, changing
#   # %wheel ALL=(ALL) ALL
# to
#   %wheel ALL=(ALL) ALL
vi /etc/group
# add the new user to the wheel group:
#   wheel:x:10:root,kenneth
vi /etc/ssh/sshd_config
# change
#   #PermitRootLogin yes
# to
#   PermitRootLogin no
service sshd restart
# To configure the firewall
system-config-securitylevel-tui
# DO SYSTEM UPDATE AND REBOOT
yum -y update ; reboot
Ports
Linux TCP Ports:
- TCP 22 SSH (sshd)
- TCP 25 SMTP (sendmail/postfix)
- TCP 80 HTTP (httpd)
- TCP 110 POP3 (courier/dovecot)
- TCP 143 IMAP (courier)
- TCP 389 LDAP
- TCP 443 HTTPS (httpd)
- TCP 465 SMTPS (stunnel->sendmail)
- TCP 636 LDAP/SSL (stunnel->LDAP)
- TCP 993 IMAPS (stunnel->courier)
- TCP 995 POP3S (stunnel->courier)
Linux UDP Ports:
- UDP 53 DNS (named)
- UDP 123 NTP (ntpd)
Windows:
- TCP 3389 Remote Desktop (Windows)
Minimal Install - Anaconda Kickstart
# Kickstart file automatically generated by anaconda.
install
cdrom
lang en_US.UTF-8
keyboard us
network --device eth0 --bootproto static --ip 10.0.0.41 --netmask 255.255.255.0 --gateway 10.0.0.1 --nameserver 10.0.0.1 --hostname gatekeeper.oeey.com
network --device eth1 --bootproto dhcp --hostname gatekeeper.oeey.com
rootpw --iscrypted $1$Np12nOAS$Nkxxxxxx7i.
firewall --enabled --port=22:tcp
authconfig --enableshadow --enablemd5
selinux --enforcing
timezone --utc America/Boise
bootloader --location=mbr --driveorder=sda
# The following is the partition information you requested
# Note that any partitions you deleted are not expressed
# here so unless you clear all partitions first, this is
# not guaranteed to work
#clearpart --all --drives=sda
#part /boot --fstype ext3 --size=101 --asprimary
#part swap --size=3968 --asprimary
#part / --fstype ext3 --size=1 --grow --asprimary

%packages
@base
@core
Remove Extra Services
- Block ping requests:
  - enable firewall
  - $IPTABLES -A INPUT -p ICMP --icmp-type timestamp-request -i $EXTIFACE -j DROP
- Secure SSH:
  - vi /etc/ssh/sshd_config
  - Protocol 2
  - ListenAddress 0.0.0.0
  - PermitRootLogin no
- Disable extra services:
  - acpid (Power Management Related)
  - apmd (Power Management Related)
  - isdn (Only used if you have an ISDN card in the machine)
  - pcmcia (Most likely you either don't have or will not use a pcmcia device in the machine)
for service in netfs nfslock portmap rpcgssd rpcidmapd acpid apmd cups isdn pcmcia bluetooth autofs xfs gpm ; do chkconfig $service off ; done
Current list of enabled services:
[kenneth@dev ~]$ sudo /sbin/chkconfig --list | grep 3:on
acpid           0:off 1:off 2:off 3:on 4:on 5:on 6:off
anacron         0:off 1:off 2:on 3:on 4:on 5:on 6:off
apmd            0:off 1:off 2:on 3:on 4:on 5:on 6:off
atd             0:off 1:off 2:off 3:on 4:on 5:on 6:off
autofs          0:off 1:off 2:off 3:on 4:on 5:on 6:off
cpuspeed        0:off 1:on 2:on 3:on 4:on 5:on 6:off
crond           0:off 1:off 2:on 3:on 4:on 5:on 6:off
firstboot       0:off 1:off 2:off 3:on 4:off 5:on 6:off
gpm             0:off 1:off 2:on 3:on 4:on 5:on 6:off
haldaemon       0:off 1:off 2:off 3:on 4:on 5:on 6:off
hidd            0:off 1:off 2:on 3:on 4:on 5:on 6:off
ip6tables       0:off 1:off 2:on 3:on 4:on 5:on 6:off
iptables        0:off 1:off 2:on 3:on 4:on 5:on 6:off
irqbalance      0:off 1:off 2:on 3:on 4:on 5:on 6:off
jexec           0:on 1:on 2:on 3:on 4:on 5:on 6:on
kudzu           0:off 1:off 2:off 3:on 4:on 5:on 6:off
mcstrans        0:off 1:off 2:on 3:on 4:on 5:on 6:off
mdmonitor       0:off 1:off 2:on 3:on 4:on 5:on 6:off
messagebus      0:off 1:off 2:off 3:on 4:on 5:on 6:off
mysqld          0:off 1:off 2:on 3:on 4:on 5:on 6:off
network         0:off 1:off 2:on 3:on 4:on 5:on 6:off
ntpd            0:off 1:off 2:on 3:on 4:on 5:on 6:off
pcscd           0:off 1:off 2:on 3:on 4:on 5:on 6:off
readahead_early 0:off 1:off 2:on 3:on 4:on 5:on 6:off
restorecond     0:off 1:off 2:on 3:on 4:on 5:on 6:off
sendmail        0:off 1:off 2:on 3:on 4:on 5:on 6:off
smartd          0:off 1:off 2:on 3:on 4:on 5:on 6:off
sshd            0:off 1:off 2:on 3:on 4:on 5:on 6:off
syslog          0:off 1:off 2:on 3:on 4:on 5:on 6:off
yum-updatesd    0:off 1:off 2:off 3:on 4:on 5:on 6:off
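A small audit to go with the list above, added here as an example and not part of the original page: it reads chkconfig --list output and reports every runlevel-3 service that is not on an allowlist, so anything the chkconfig loop missed stands out. The allowlist and the sample output are constructed assumptions for a minimal CentOS 5 box.

```shell
#!/bin/sh
# Audit "chkconfig --list" output: report every service enabled in
# runlevel 3 that is not on an allowlist. Input comes from stdin so it
# can be tested offline with constructed output; on a live box:
#   /sbin/chkconfig --list | unexpected_services "$ALLOW"

# Assumed baseline: the services a minimal CentOS 5 box still needs.
ALLOW="crond iptables ip6tables irqbalance network ntpd sendmail sshd syslog"

# unexpected_services ALLOWLIST  <  chkconfig-output
# Prints one name per line for each service with "3:on" that is not in
# ALLOWLIST. Returns 1 if any were found, 0 otherwise.
unexpected_services() {
    allow=" $1 "
    found=0
    while read -r name rest; do
        case " $rest " in
            *" 3:on "*) ;;          # enabled in runlevel 3: inspect it
            *) continue ;;          # off (or an xinetd line): ignore
        esac
        case "$allow" in
            *" $name "*) ;;         # expected
            *) echo "$name"; found=1 ;;
        esac
    done
    return $found
}

# Constructed sample in the format shown above, used for the demo.
SAMPLE='acpid      0:off 1:off 2:off 3:on 4:on 5:on 6:off
crond      0:off 1:off 2:on 3:on 4:on 5:on 6:off
cups       0:off 1:off 2:on 3:on 4:on 5:on 6:off
sshd       0:off 1:off 2:on 3:on 4:on 5:on 6:off
xfs        0:off 1:off 2:off 3:off 4:off 5:off 6:off'

# audit_sample: runs the audit over SAMPLE; prints "acpid" and "cups".
audit_sample() {
    printf '%s\n' "$SAMPLE" | unexpected_services "$ALLOW"
}

# Turn the findings into the chkconfig commands to review (printed, not run).
audit_sample | sed 's/^/chkconfig /; s/$/ off/'
```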
getent protocols 50
# find which service has been allocated the port 5353 (in UDP) by IANA.
getent services 5353
Additional items to remove: 
yum remove Deployment_Guide-en-US
yum remove finger gaim cups-libs cups bluez-libs desktop-file-utils
This also removed:
bluez-utils GConf2 cups-libs libnotify desktop-file-utils bluez-libs htmlview paps finger redhat-lsb cups libwnck notification-daemon redhat-menus pinfo gtk2 bluez-gnome
Some other options:
yum remove apmd acpid cpuspeed
yum remove atk autofs cairo ccid conman fontconfig freetype libX11 pcmciautils
yum remove xorg*
Disabling Root Logins
Prevent access to the root shell and log the attempt. Edit the /etc/passwd file and change root's shell from /bin/bash to /sbin/nologin.
Prevent access to the root account via the console or the network. An empty /etc/securetty file prevents root login on any devices attached to the computer.
echo > /etc/securetty
Prevent root access via the OpenSSH suite of tools. Edit the /etc/ssh/sshd_config file and set the PermitRootLogin parameter to no.
Prevent root access to network services that are PAM aware. Edit the file for the target service in the /etc/pam.d/ directory. Make sure the pam_listfile.so is required for authentication.
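The sshd_config edits above (PermitRootLogin no, Protocol 2) done as a script rather than by hand, added here as an example and not part of the original page. It rewrites the directive whether it is live or commented out, appends it if missing, and then checks the value sshd will actually use; the demo runs on a constructed temporary file, and the function names are my own.

```shell
#!/bin/sh
# Idempotently enforce sshd_config directives, then verify the value sshd
# will actually use. Replaces the matching line whether it is live or
# commented out ("#PermitRootLogin yes"), appends it if absent, and leaves
# an already-correct file unchanged on a second run.

# set_sshd_option FILE KEY VALUE
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key[[:space:]]" "$file"; then
        # rewrite every live or commented occurrence of KEY
        sed -E "s|^[[:space:]]*#?[[:space:]]*$key[[:space:]].*|$key $value|" "$file" > "$tmp"
    else
        cat "$file" > "$tmp" && printf '%s %s\n' "$key" "$value" >> "$tmp"
    fi
    cat "$tmp" > "$file"          # keeps the original's owner and mode
    rm -f "$tmp"
}

# effective_sshd_option FILE KEY
# sshd honours the FIRST uncommented occurrence of a keyword, so that is
# the one to check; prints its value, or nothing if the key is unset.
effective_sshd_option() {
    grep -E "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print $2}'
}

# harden_sshd FILE: the settings from this page; returns 0 only if root
# logins really end up disabled.
harden_sshd() {
    set_sshd_option "$1" Protocol 2 &&
    set_sshd_option "$1" PermitRootLogin no &&
    [ "$(effective_sshd_option "$1" PermitRootLogin)" = no ]
}

# Demo on a constructed copy, never on the live /etc/ssh/sshd_config.
demo=$(mktemp)
printf '#PermitRootLogin yes\nListenAddress 0.0.0.0\n' > "$demo"
harden_sshd "$demo" && cat "$demo"
rm -f "$demo"
```

Remember to restart sshd afterwards (service sshd restart), as the page does, for the change to take effect.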
Windows Password Security
"Interestingly, if you run windows (shudder) and want to see just how secure your passwords are, have a look at Ophcrack. Scary stuff!
This thing will find any 14 character alphanumeric password in a matter of minutes!" 
Auditor Security Collection
"The Auditor security collection is a LiveCD based on Knoppix.
Auditor was planned and developed with the targets of user-friendliness and an optimal toolset. For example, the menu structure is organised into the typical phases of a security check: footprinting, analysis, scanning, wireless scanning, brute-forcing, and cracking.
Auditor Security Collection is now known as BackTrack."
BackTrack
"BackTrack is the most Top rated linux live distribution focused on penetration testing. With no installation whatsoever, the analysis platform is started directly from the CD-Rom and is fully accessible within minutes."
"BackTrack is a Linux distribution distributed as a LiveDistro that results from the merger of WHAX and Auditor-based Auditor Security Collection."
DenyHosts - http://denyhosts.sourceforge.net/
"DenyHosts is a script intended to be run by Linux system administrators to help thwart SSH server attacks (also known as dictionary based attacks and brute force attacks).
If you've ever looked at your ssh log (/var/log/secure on Redhat, /var/log/auth.log on Mandrake, etc...) you may be alarmed to see how many hackers attempted to gain access to your server. Hopefully, none of them were successful (but then again, how would you know?). Wouldn't it be better to automatically prevent that attacker from continuing to gain entry into your system?
DenyHosts attempts to address the above"
NOTE: DenyHosts is a Python script! :-)
- "Do you think your systems are secure? Install DenyHosts and you’ll realize that you were in denial. "
- "Exposing a system to the Internet means that you’ll soon (within hours) experience login attempts from random locations, from people you don’t know and from those with unclear motivations. DenyHosts is an SSH security tool in the form of a python script that helps prevent brute force and dictionary-based attacks against your systems. On my home system, I have at least one such attempt added to my /etc/hosts.deny file per day. I use DenyHosts to maintain that stealth watch over my insignificant system here in my dusty little corner of the Internet that I call home."
yum install --enablerepo=rpmforge denyhosts
service denyhosts start
starting DenyHosts: /usr/bin/env python /usr/bin/denyhosts.py --daemon --config=/etc/denyhosts/denyhosts.cfg
-- Manual Installation --
apt-get install python python2.3-dev python2.3
cd /tmp
wget http://mesh.dl.sourceforge.net/sourceforge/denyhosts/DenyHosts-2.0.tar.gz
tar xvfz DenyHosts-2.0.tar.gz
cd DenyHosts-2.0
python setup.py install
cd /usr/share/denyhosts
cp denyhosts.cfg-dist denyhosts.cfg
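The core of what DenyHosts does with /var/log/secure, shown as an added example that is not DenyHosts' own code or part of the original page: count "Failed password" lines per source address and emit hosts.deny entries for addresses at or above a threshold. The log lines are constructed for the demo and the threshold is an assumption.

```shell
#!/bin/sh
# Count failed SSH logins per source address in /var/log/secure-style
# lines and print hosts.deny entries for repeat offenders. This is the
# idea DenyHosts automates, reduced to awk; the log lines are constructed.

LOG='Mar  1 16:10:01 dev sshd[2201]: Failed password for root from 198.51.100.7 port 4122 ssh2
Mar  1 16:10:03 dev sshd[2203]: Failed password for invalid user admin from 198.51.100.7 port 4130 ssh2
Mar  1 16:10:04 dev sshd[2205]: Failed password for invalid user test from 198.51.100.7 port 4131 ssh2
Mar  1 16:11:40 dev sshd[2210]: Accepted publickey for kenneth from 10.0.0.5 port 51022 ssh2
Mar  1 16:12:09 dev sshd[2214]: Failed password for kenneth from 10.0.0.5 port 51030 ssh2
Mar  1 16:12:15 dev sshd[2216]: Failed password for root from 203.0.113.9 port 2001 ssh2'

# failed_logins_by_ip < log : prints "COUNT IP" per source, highest first.
# The address is the token after "from", which also covers the
# "invalid user NAME" form, so the field position is not hard-coded.
failed_logins_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# deny_entries THRESHOLD < log : hosts.deny lines for addresses with at
# least THRESHOLD failures (DenyHosts keeps its own per-user thresholds).
deny_entries() {
    failed_logins_by_ip | awk -v t="$1" '$1 >= t { print "sshd: " $2 }'
}

# On a live box: deny_entries 3 < /var/log/secure
printf '%s\n' "$LOG" | deny_entries 3
```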
Preventing SSH Dictionary Attacks With DenyHosts | HowtoForge - Linux Howtos and Tutorials - http://www.howtoforge.com/preventing_ssh_dictionary_attacks_with_denyhosts
Wed Mar 1 16:14:18 CET 2006 (as copied from: http://rudd-o.com/archives/2006/02/27/hardening-a-linux-server-in-10-minutes/ )
"Did you know that a freshly installed Linux server can be hardened in less than 10 minutes? Here's how! Print these instructions out, and keep them posted on a wall in your office or home. Before plugging in a freshly installed network server, simply remember to follow these instructions. Make these instructions second nature to you. You'll need a bit of experience with the Linux command-line environment, as the following commands are usually issued in a terminal. You will need root access on your server as well. By the way, the following instructions apply to any LSB-compliant Linux distribution, but I'll use Fedora Core as an example."
- Step 1: turn all unneeded services off
- Step 2: limit access to running services using iptables
- "Servers—whether used for testing or production—are primary targets for attackers. By taking the proper steps, you can turn a vulnerable box into a hardened server and help thwart outside attackers. Learn how to secure SSH sessions, configure firewall rules, and set up intrusion detection to alert you to any possible attacks on your GNU/Linux® server. Once you've gained a solid foundation in the basics of securing your server, you can build on this knowledge to further harden your systems."
- CentOS 4 Security Assessment:
- Securing CentOS Linux installations by disabling unneeded services 
- Securing and Optimizing Linux (HTML eBook)
- Securing and Hardening Red Hat Linux Production Systems
- Good article to read!
- Securing & Optimizing Linux: The Ultimate Solution (PDF eBook)
- Securing & Optimizing Linux: Red Hat Edition (PDF eBook)
- Minimal Services on CentOS 4.4 Mini-HowTo
- Includes an extensive list of services to disable.
- My guide to a secure password by Marc Mercer
- OpenNA Security Books
- OpenNA Documentation
- Several good articles to read
http://www.faqs.org/docs/gazette/tips.html Linux Security Tips By Kapil Sharma
"In this article I will explain how to make your Linux box secure by taking basic security measures. This article will enable anybody to tighten the security of a redhat Linux box."
- BIOS Security - password protect
- LILO Security - password protect
- Disable all special accounts - delete unused accounts
- Choose the right password - set password definitions
- Enable shadow password support - /usr/sbin/authconfig, pwconv, grpconv
- The root account - timeout
- Disable all console-equivalent access for regular users
- Disable & uninstall all unused services - inetd
- TCP_WRAPPERS - disallow all by default
- Don't let the system issue file be displayed - telnetd
- Change the "/etc/host.conf" file
- Immunize the "/etc/services" file - immutable
- Disallow root login from different consoles - /etc/securetty
- Block anyone from using su to become root - pam, wheel account
- Shell logging - history size
- Disable the Control-Alt-Delete keyboard shutdown command - /etc/inittab
- Fix the permissions under "/etc/rc.d/init.d" directory for script files - chmod 700
- Hide your system information - /etc/issue
- Disable unused SUID/SGID programs - find with chmod