How-TO Harden Linux System
First Step Make sure nobody is able to change any important System Files
Like /etc/passwd, /etc/shadow
#chattr +i /etc/passwd
#chattr +i /etc/shadow
#chattr +i /etc/group
#chattr +i /etc/gshadow
#chattr +i /etc/services
#chattr +i /etc/xinetd.conf or /etc/inetd.conf
#chattr +i /etc/login.defs
#lsattr /etc/passwd
This will list if any chattr permission is set to /etc/passwd file
The +i option immutes the file /etc/passwd ... which means u wont be able to edit the file.
To remove the immute option use
#chattr -i /etc/passwd
After setting the above pemission to passwd and shadow file you wont be able to add any user.
Note : Make sure you run the chattr -i /etc/passwd if you want to add any user or if you run a script that adds users.
Or else it will throw a error like
useradd: Unable to open the passwd file.
Step No 2 : Disable root access
Do not allow root access from any terminal :
Edit the file /etc/securetty
Hash out all the terminals mentioned, this will not allow root access from any terminal.
Will have to login through any normal user then do su to root.
Step No 3 – Reslover Library
If you are not running a DNS server then make sure it resolves /etc/hosts file first then via dns.
For this edit /etc/host.conf file
#Lookup names via /etc/hosts then fall back to DNS
order hosts,bind
#If you have machines with multiple IP Addresses
multi on
#The above option – multi on - specfies if the /etc/hosts file can have multiple IP addresses
# Check for IP Address Spoofing
nospoof on
# The nospoof on specifies not to allow spoofing on this machine. This option must be set to on for all servers.
STEP 4 - Configure TCP WRAPPERS
TCP WRAPPERS is controlled from two files and the search stops at the first match
/etc/hosts.allow
/etc/hosts.deny
Edit - /etc/hosts.deny
#Deny Access to everyone.
ALL: ALL@ALL, PARANOID
which means all services, all locations is blocked unless mentioned in hosts.allow
Note: With the option PARANOID, If you intend to run TELNET or FTP service on your server do not forget to add the clients machine name and IP Address in your /etc/hosts file on the server or you can expect to wait several minutes for DNS lookup
to timeout, before you get the login prompt.
Now if you want to allow access for ssh, ftp from particular IP Address
Edit /etc/hosts.allow
sshd: 10.10.0.20
ftpd: 10.10.0.22
telnetd: ALL : deny : twist /bin/echo “ Sriram Says Connection Refused”
Run tcpdchk
#tcpdchk
tcpdchk is the tcpd wrapper configuration checker. It examines TCP Wrapper configurations and reports any real problems it can find run this after configuring TCP Wrappers
Also check tcpdmatch – Test program
/etc/issue file carries the message displayed while doing a ftp or telnet from outside.
You may change this to reflect something else
STEP 5 – Stopping Unnecessary services like telnet
Services like telnet are run by xinetd, inetd
All the latest linux distribution carries xinetd
#cd /etc/xinetd.d
vi telnet
First line disable should be set to yes
disable = yes
service xinetd restart
If you are still using inetd
Edit /etc/inetd.conf
Hash out any particular service you may not need
Change the permission of this file to chmod 600
#killall -HUP inetd
STEP 6 - Disable root access after particular time if logged in from terminal :
As a Security measure set login timeout for all users including ROOT if inactive.
Edit /etc/profile
add the following line somewhere after the line that read
HISTFILESIZE=
TMOUT=7200
7200= 2 hrs
60*60=3600*2=7200 seconds
This will timeout for all users.
If you want to put it for individual users then put it in their individual .bashrc file
STEP 7 – SET minimum password length to 10 Edit /etc/login.defs
PASS_MIN_LEN 10
STEP 8 – Disable RPM installation for all users
chmod 700 /bin/rpm and rename the file to a different directory say /home/cmd
mv /bin/rpm /home/cmd/mpr as this will disallow users from installing trojans.
STEP 9 – Disable SETUID and SETGID for unnecessary files
Find files with SETUID and SETGID enabled
find / -type f \( -perm -04000 -o -perm -02000 \) \-exec ls {} \;
SUID -rwsr-xr-x or SGID -r-xr-sr-x bit enabled
To remove
chmod a-s
STEP 10 – Prevent your system responding to ping
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
To turn it back on replace with 0
Put the same in /etc/rc.d/rc.local to take effect during reboot
Edit the /etc/sysctl.conf file and add the following line:
# Enable ignoring ping request net.ipv4.icmp_echo_ignore_all = 1 Restart the network services service network restart Refuse responding to broadcast request echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
add the same to rc.local
Edit the /etc/sysctl.conf file and add the following line:
# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1 Best way of doing a Port Forward is to use Rinetd Services Install rinetd and then make the following changes in its config file /etc/rinetd.conf 192.168.0.1 80 10.10.0.4 80 This will forward all the tcp packets for port 80 to 10.10.0.4's 80 port Its a very simple to use package
Instead of port numbers, you can also use service names as defined in /etc/services. Therefore, the above mentioned example could also be written like this:
192.168.0.1 www 10.10.0.4 www
