Thursday, June 14, 2001

Hardenning a UNIX System

How-TO Harden Linux System

  1. First Step Make sure nobody is able to change any important System Files

Like /etc/passwd, /etc/shadow

#chattr +i /etc/passwd

#chattr +i /etc/shadow

#chattr +i /etc/group

#chattr +i /etc/gshadow

#chattr +i /etc/services

#chattr +i /etc/xinetd.conf or /etc/inetd.conf

#chattr +i /etc/login.defs

#lsattr /etc/passwd

This will list if any chattr permission is set to /etc/passwd file

The +i option immutes the file /etc/passwd ... which means u wont be able to edit the file.

To remove the immute option use

#chattr -i /etc/passwd

After setting the above pemission to passwd and shadow file you wont be able to add any user.

Note : Make sure you run the chattr -i /etc/passwd if you want to add any user or if you run a script that adds users.

Or else it will throw a error like

useradd: Unable to open the passwd file.

  1. Step No 2 : Disable root access

Do not allow root access from any terminal :

Edit the file /etc/securetty

Hash out all the terminals mentioned, this will not allow root access from any terminal.

Will have to login through any normal user then do su to root.

  1. Step No 3 – Reslover Library

If you are not running a DNS server then make sure it resolves /etc/hosts file first then via dns.

For this edit /etc/host.conf file

#Lookup names via /etc/hosts then fall back to DNS

order hosts,bind

#If you have machines with multiple IP Addresses

multi on

#The above option – multi on - specfies if the /etc/hosts file can have multiple IP addresses

# Check for IP Address Spoofing

nospoof on

# The nospoof on specifies not to allow spoofing on this machine. This option must be set to on for all servers.


TCP WRAPPERS is controlled from two files and the search stops at the first match



Edit - /etc/hosts.deny

#Deny Access to everyone.


which means all services, all locations is blocked unless mentioned in hosts.allow

Note: With the option PARANOID, If you intend to run TELNET or FTP service on your server do not forget to add the clients machine name and IP Address in your /etc/hosts file on the server or you can expect to wait several minutes for DNS lookup

to timeout, before you get the login prompt.

Now if you want to allow access for ssh, ftp from particular IP Address

Edit /etc/hosts.allow



telnetd: ALL : deny : twist /bin/echo “ Sriram Says Connection Refused”

Run tcpdchk


tcpdchk is the tcpd wrapper configuration checker. It examines TCP Wrapper configurations and reports any real problems it can find run this after configuring TCP Wrappers

Also check tcpdmatch – Test program

/etc/issue file carries the message displayed while doing a ftp or telnet from outside.

You may change this to reflect something else

STEP 5 – Stopping Unnecessary services like telnet

Services like telnet are run by xinetd, inetd

All the latest linux distribution carries xinetd

#cd /etc/xinetd.d

vi telnet

First line disable should be set to yes

disable = yes

service xinetd restart

If you are still using inetd

Edit /etc/inetd.conf

Hash out any particular service you may not need

Change the permission of this file to chmod 600

#killall -HUP inetd

STEP 6 - Disable root access after particular time if logged in from terminal :

As a Security measure set login timeout for all users including ROOT if inactive.

Edit /etc/profile

add the following line somewhere after the line that read



7200= 2 hrs

60*60=3600*2=7200 seconds

This will timeout for all users.

If you want to put it for individual users then put it in their individual .bashrc file

STEP 7 – SET minimum password length to 10

Edit /etc/login.defs


STEP 8 – Disable RPM installation for all users

chmod 700 /bin/rpm and rename the file to a different directory say /home/cmd

mv /bin/rpm /home/cmd/mpr as this will disallow users from installing trojans.

STEP 9 – Disable SETUID and SETGID for unnecessary files

Find files with SETUID and SETGID enabled

find / -type f \( -perm -04000 -o -perm -02000 \) \-exec ls {} \;

SUID -rwsr-xr-x or SGID -r-xr-sr-x bit enabled

To remove

chmod a-s

STEP 10 – Prevent your system responding to ping

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

To turn it back on replace with 0

Put the same in /etc/rc.d/rc.local to take effect during reboot

Edit the /etc/sysctl.conf file and add the following line:

            # Enable ignoring ping request             net.ipv4.icmp_echo_ignore_all = 1  Restart the network services  service network restart  Refuse responding to broadcast request   echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

add the same to rc.local

Edit the /etc/sysctl.conf file and add the following line:

# Enable ignoring broadcasts request

              net.ipv4.icmp_echo_ignore_broadcasts = 1   Best way of doing a Port Forward is to use Rinetd Services   Install rinetd and then make the following changes in its config file   /etc/rinetd.conf 80 80  This will forward all the tcp packets for port 80 to's 80 port  Its a very simple to use package  

Instead of port numbers, you can also use service names as defined in /etc/services. Therefore, the above mentioned example could also be written like this: www www