Thursday, June 14, 2001

Hardening a UNIX System


How-To Harden a Linux System


STEP 1 - Make sure nobody can change important system files


Such as /etc/passwd and /etc/shadow:


#chattr +i /etc/passwd

#chattr +i /etc/shadow

#chattr +i /etc/group

#chattr +i /etc/gshadow

#chattr +i /etc/services

#chattr +i /etc/xinetd.conf (or /etc/inetd.conf, whichever your system uses)

#chattr +i /etc/login.defs


#lsattr /etc/passwd

This lists the attributes set on /etc/passwd, so you can confirm the i flag is present.


The +i option makes /etc/passwd immutable, which means you will not be able to edit the file until the flag is removed.

To remove the immutable flag use

#chattr -i /etc/passwd


After setting the above attribute on the passwd and shadow files you will not be able to add any user.


Note: Make sure you run chattr -i /etc/passwd (and the same on the other files you made immutable) if you want to add a user or if you run a script that adds users.


Otherwise it will throw an error like

useradd: Unable to open the passwd file.
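An added example (not from the original post) that turns the lsattr check and the useradd caveat above into a script: it parses lsattr output to find protected files that have lost their flag, and wraps a command such as useradd so the flag is dropped before and restored after it. The file list is the page's; run_with_mutable needs root, as chattr itself does.

```python
import subprocess

# Files the page makes immutable in STEP 1.
PROTECTED = ["/etc/passwd", "/etc/shadow", "/etc/group", "/etc/gshadow",
             "/etc/services", "/etc/login.defs"]

def immutable_status(lsattr_output):
    """Parse lsattr lines ("----i---------e------- /etc/passwd") into
    {path: True/False}, True when the 'i' (immutable) flag is present."""
    status = {}
    for line in lsattr_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[1].startswith("/"):
            status[parts[1]] = "i" in parts[0]
    return status

def missing_immutable(lsattr_output, wanted=PROTECTED):
    """Protected files that appear in the lsattr output without the flag."""
    status = immutable_status(lsattr_output)
    return [p for p in wanted if p in status and not status[p]]

def run_with_mutable(files, cmd):
    """Drop +i on `files`, run `cmd` (for example a useradd call), then put +i
    back even if the command fails. Needs root, as chattr itself does."""
    subprocess.run(["chattr", "-i", *files], check=True)
    try:
        return subprocess.run(cmd, check=False).returncode
    finally:
        subprocess.run(["chattr", "+i", *files], check=True)

if __name__ == "__main__":
    # Audit the live system; lsattr reports files it cannot read on stderr.
    out = subprocess.run(["lsattr", *PROTECTED], capture_output=True, text=True).stdout
    for path in missing_immutable(out):
        print("not immutable:", path)
```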


STEP 2 - Disable root access


Do not allow root to log in from any terminal:


Edit the file /etc/securetty

Hash out (comment out) all the terminals listed there; root will then not be allowed to log in from any terminal.


You will have to log in as a normal user and then su to root.


STEP 3 - Resolver Library


If you are not running a DNS server, make sure name lookups consult the /etc/hosts file first and only then fall back to DNS.


For this, edit the /etc/host.conf file:


#Lookup names via /etc/hosts then fall back to DNS

order hosts,bind


#If you have machines with multiple IP Addresses

multi on


# The above option, multi on, specifies that a host in /etc/hosts may have multiple IP addresses


# Check for IP Address Spoofing

nospoof on


# nospoof on tells the resolver to attempt to prevent hostname spoofing by cross-checking the forward and reverse lookups. This option should be on for all servers.


STEP 4 - Configure TCP WRAPPERS



TCP Wrappers is controlled from two files, and the search stops at the first match:

/etc/hosts.allow

/etc/hosts.deny


Edit - /etc/hosts.deny


#Deny Access to everyone.

ALL: ALL@ALL, PARANOID


which means all services from all locations are blocked unless mentioned in hosts.allow.


Note: With the PARANOID option, if you intend to run the TELNET or FTP service on your server, do not forget to add the client machines' names and IP addresses to /etc/hosts on the server, or you can expect to wait several minutes for the DNS lookup to time out before you get the login prompt.



Now, if you want to allow ssh and ftp access from particular IP addresses:


Edit /etc/hosts.allow

sshd: 10.10.0.20

ftpd: 10.10.0.22

telnetd: ALL : deny : twist /bin/echo "Sriram Says Connection Refused"


Run tcpdchk


#tcpdchk


tcpdchk is the TCP Wrappers configuration checker. It examines the hosts.allow and hosts.deny configuration and reports any real problems it can find; run it after configuring TCP Wrappers.


Also check tcpdmatch, the test program that shows how tcpd would handle a request from a given client for a given service.


The /etc/issue file carries the message displayed when someone connects via ftp or telnet from outside.

You may change this to display something else.
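An added example (not part of the original post) that emulates the first-match rule described above: hosts.allow is searched first, then hosts.deny, and no match at all means access is granted. The sample rules are constructed from the page's hosts.allow and hosts.deny lines; PARANOID is treated as never matching because it needs DNS, and the hostname-suffix patterns tcpd also accepts are left out.

```python
import ipaddress

# Sample rules, constructed from the hosts.allow / hosts.deny lines on this page.
ALLOW = """sshd: 10.10.0.20
ftpd: 10.10.0.22
telnetd: ALL : deny : twist /bin/echo "Connection Refused"
"""
DENY = "ALL: ALL@ALL, PARANOID\n"

def parse_rules(text):
    """Split lines into (daemons, clients, options); comments and continuations handled."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):          # line continues on the next one
            pending = line[:-1]
            continue
        pending = ""
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons = [d.strip() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")] if len(fields) > 1 else ["ALL"]
        rules.append((daemons, clients, fields[2:]))
    return rules

def client_matches(pattern, client):
    pattern = pattern.split("@")[0]      # "client@server" form: keep the client half
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":            # needs forward/reverse DNS; never matched offline
        return False
    if pattern.endswith("."):            # "10.10." style network prefix
        return client.startswith(pattern)
    if "/" in pattern:                   # "net/mask" form
        return ipaddress.ip_address(client) in ipaddress.ip_network(pattern, strict=False)
    return pattern == client

def decide(allow_text, deny_text, daemon, client):
    """Emulate tcpd: first match in hosts.allow, then hosts.deny; no match at all allows.
    A 'deny' option on the matched line (as in the telnetd rule) forces a refusal."""
    for verdict, text in (("allow", allow_text), ("deny", deny_text)):
        for daemons, clients, options in parse_rules(text):
            if any(d in ("ALL", daemon) for d in daemons) and \
               any(client_matches(c, client) for c in clients):
                if any(o.split()[0] == "deny" for o in options if o.strip()):
                    verdict = "deny"
                return verdict, (daemons, clients, options)
    return "allow", None
```

Run `decide(ALLOW, DENY, "sshd", "10.10.0.21")` to see the hosts.deny catch-all refuse an address that hosts.allow does not list.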

STEP 5 - Stopping unnecessary services like telnet

Services like telnet are run by xinetd or inetd.

All the latest Linux distributions ship xinetd.

#cd /etc/xinetd.d

#vi telnet


Set the disable line to yes:

disable = yes


#service xinetd restart


If you are still using inetd, edit /etc/inetd.conf

Hash out any service you do not need.

Change the permission of this file with chmod 600 /etc/inetd.conf, then make inetd reload it:

#killall -HUP inetd


STEP 6 - Log idle terminal sessions out, including root, after a set time

As a security measure, set a login timeout for all users, including root, that fires when the session is inactive.


Edit /etc/profile

Add the following line somewhere after the line that reads

HISTFILESIZE=

TMOUT=7200

7200 seconds = 2 hours (60 * 60 = 3600 seconds per hour, times 2).

This sets the timeout for all users.

If you want to set it for individual users instead, put it in their own .bashrc file.


STEP 7 - Set minimum password length to 10

Edit /etc/login.defs

PASS_MIN_LEN 10
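Steps 2, 3, 6 and 7 are all settings in plain text files, so one script can verify that they stayed in place. This is an added example, not from the original post; the functions take file contents as strings so they can be checked offline, and audit_system() reads the live /etc files (a missing file counts as unconfigured).

```python
import re
def securetty_ok(text):
    """STEP 2: root console logins are off when no terminal line is left uncommented."""
    return all(not l.strip() or l.lstrip().startswith("#") for l in text.splitlines())

def host_conf_settings(text):
    """STEP 3: parse /etc/host.conf into {keyword: value}, e.g. {'order': 'hosts,bind'}."""
    settings = {}
    for l in text.splitlines():
        l = l.split("#", 1)[0].strip()
        if l:
            key, _, val = l.partition(" ")
            settings[key] = val.replace(" ", "")
    return settings

def profile_tmout(text):
    """STEP 6: TMOUT seconds set in /etc/profile, or None when absent."""
    m = re.search(r"^\s*(?:export\s+)?TMOUT=(\d+)", text, re.M)
    return int(m.group(1)) if m else None

def pass_min_len(text):
    """STEP 7: PASS_MIN_LEN from /etc/login.defs, or None when absent."""
    m = re.search(r"^\s*PASS_MIN_LEN\s+(\d+)", text, re.M)
    return int(m.group(1)) if m else None

def audit(securetty, host_conf, profile, login_defs):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if not securetty_ok(securetty):
        findings.append("securetty: root may still log in from a listed terminal")
    hc = host_conf_settings(host_conf)
    if hc.get("order") != "hosts,bind":
        findings.append("host.conf: expected 'order hosts,bind'")
    if hc.get("nospoof") != "on":
        findings.append("host.conf: nospoof is not on")
    tmout = profile_tmout(profile)
    if tmout is None or tmout > 7200:
        findings.append("profile: TMOUT missing or longer than 7200 seconds")
    minlen = pass_min_len(login_defs)
    if minlen is None or minlen < 10:
        findings.append("login.defs: PASS_MIN_LEN missing or below 10")
    return findings

def audit_system():
    """Run the checks against the live files; a missing file reads as empty."""
    def read(path):
        try:
            return open(path).read()
        except OSError:
            return ""
    return audit(read("/etc/securetty"), read("/etc/host.conf"),
                 read("/etc/profile"), read("/etc/login.defs"))
```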


STEP 8 - Disable RPM installation for all users

Run chmod 700 /bin/rpm and move the binary to a different directory, say /home/cmd, under a different name:

#mv /bin/rpm /home/cmd/mpr

This will disallow users from installing trojans.


STEP 9 – Disable SETUID and SETGID for unnecessary files

Find files with SETUID or SETGID enabled:

find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -l {} \;


In the listing, a SUID file shows as -rwsr-xr-x and a SGID file as -r-xr-sr-x.


To remove the bit from a file that does not need it:

chmod a-s /path/to/file
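An added example (not from the original post) that does the same walk as the find command above and separates the hits into expected system binaries and files to review before running chmod a-s on them. The expected list is a constructed starting point, not the page's; extend it for your distribution, since removing the bit from su or passwd breaks them.

```python
import os
import stat

# Programs that legitimately need their bit; constructed starting list, extend it
# for your distribution before removing bits or you will break su and passwd.
EXPECTED = {"/bin/su", "/usr/bin/su", "/usr/bin/passwd", "/usr/bin/sudo",
            "/usr/bin/newgrp", "/usr/bin/chsh", "/usr/bin/chfn"}

def special_bits(mode):
    """Which of 'setuid' / 'setgid' are set in an st_mode value."""
    bits = []
    if mode & stat.S_ISUID:
        bits.append("setuid")
    if mode & stat.S_ISGID:
        bits.append("setgid")
    return bits

def scan(root="/", skip=("/proc", "/sys", "/dev")):
    """Like `find / -type f -perm -04000 -o -perm -02000`: return [(path, bits)]
    for regular files carrying either bit. Symlinks are not followed."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath.startswith(skip):      # pseudo-filesystems: nothing to fix there
            dirnames[:] = []
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and special_bits(st.st_mode):
                found.append((path, special_bits(st.st_mode)))
    return found

def unexpected(found, expected=EXPECTED):
    """Candidates for `chmod a-s`: flagged files not on the expected list."""
    return [path for path, _ in found if path not in expected]

if __name__ == "__main__":
    for path, bits in scan():
        print(path, ",".join(bits), "" if path in EXPECTED else "<- review")
```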


STEP 10 - Prevent your system from responding to ping


#echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

To turn it back on, write 0 instead of 1.

Put the same command in /etc/rc.d/rc.local so it takes effect after a reboot.

Edit the /etc/sysctl.conf file and add the following line:

# Enable ignoring ping request
net.ipv4.icmp_echo_ignore_all = 1

Restart the network services:

#service network restart

Refuse to respond to broadcast requests:

#echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

Add the same to rc.local.

Edit the /etc/sysctl.conf file and add the following line:

# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1


Port forwarding with rinetd

The best way of doing a port forward is to use the rinetd service. Install rinetd and then add the following line to its config file, /etc/rinetd.conf:

192.168.0.1 80 10.10.0.4 80

This will forward all TCP connections arriving on 192.168.0.1 port 80 to port 80 on 10.10.0.4. It is a very simple package to use.

Instead of port numbers, you can also use service names as defined in /etc/services. Therefore, the above mentioned example could also be written like this:

192.168.0.1 www 10.10.0.4 www
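An added example (not from the original post or the rinetd project) that parses the forwarding lines shown above, resolving service names such as www through /etc/services the way the page says they can be used, and flags forwards bound to 0.0.0.0, which accept connections from every network the host is on. Only forwarding lines are handled; the fallback port table is constructed for hosts without a usable /etc/services.

```python
import socket

# Constructed fallback for hosts without a usable /etc/services.
FALLBACK_PORTS = {"www": 80, "http": 80, "ftp": 21, "ssh": 22, "telnet": 23}

def resolve_port(token, proto="tcp"):
    """Accept a numeric port or a service name/alias as listed in /etc/services."""
    if token.isdigit():
        return int(token)
    try:
        return socket.getservbyname(token, proto)
    except OSError:
        if token in FALLBACK_PORTS:
            return FALLBACK_PORTS[token]
        raise ValueError(f"unknown service name: {token}")

def parse_rinetd_conf(text):
    """Parse 'bindaddr bindport connectaddr connectport' lines into dicts."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"bad rinetd line: {raw!r}")
        rules.append({"bind": (fields[0], resolve_port(fields[1])),
                      "connect": (fields[2], resolve_port(fields[3]))})
    return rules

def bound_to_all_interfaces(rules):
    """Forwards bound to 0.0.0.0 accept connections from every network the box
    sits on, which exposes the internal target further than intended; review them."""
    return [r for r in rules if r["bind"][0] == "0.0.0.0"]
```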