Folks,
In response to my server being hacked recently, I've installed a fresh
version of RH 7.3 with the *BARE* minimum of packages for what we
require.
I thought it might be beneficial for both myself and other list
members if we could run through the steps in hardening a Linux box,
in particular, RH 7.3. I also have a few questions as well.
Firstly, I set up separate partitions for each of /tmp, /usr, /var,
/boot and the rest residing on /.
Once installed and booted (without a network connection), I ran
tripwire and initialised the database. Then I connected to RedHat and
ran up2date - there were about 4 packages that needed this.
On the advice of some of the list members I proceeded to OpenBSD.org
and downloaded the latest version of OpenSSH (3.2.3p1-1), where
RedHat comes with 3.1p1-3 and up2date doesn't update to the latest.
All this server will do is serve HTTP with apache (version 1.3.23-11 -
is this okay?), as well as Java servlets with jakarta-tomcat and
jserv, and be available for ssh connections.
My first job was to turn off all unnecessary services. I've got it
down to the following (chkconfig --list | grep on):
keytable    0:off  1:on   2:on   3:on  4:on  5:on  6:off
atd         0:off  1:off  2:off  3:on  4:on  5:on  6:off
syslog      0:off  1:off  2:on   3:on  4:on  5:on  6:off
gpm         0:off  1:off  2:on   3:on  4:on  5:on  6:off
network     0:off  1:off  2:on   3:on  4:on  5:on  6:off
random      0:off  1:off  2:on   3:on  4:on  5:on  6:off
rawdevices  0:off  1:off  2:off  3:on  4:on  5:on  6:off
apmd        0:off  1:off  2:on   3:on  4:on  5:on  6:off
ipchains    0:off  1:off  2:on   3:on  4:on  5:on  6:off
crond       0:off  1:off  2:on   3:on  4:on  5:on  6:off
anacron     0:off  1:off  2:on   3:on  4:on  5:on  6:off
portmap     0:off  1:off  2:off  3:on  4:on  5:on  6:off
xinetd      0:off  1:off  2:off  3:on  4:on  5:on  6:off
sshd        0:off  1:off  2:on   3:on  4:on  5:on  6:off
I'm happy with all but portmap and xinetd. I'm not using netfs so is
portmap necessary? Also I'm not running any inetd services so is
xinetd necessary or does it provide protection anyway?
My next job was the firewall rules. RH 7.3 comes with both ipchains
and iptables and tries to run both by default (from what I've seen).
I've disabled iptables and am working with ipchains and the following
config: (I should mention that we have two ethernet cards)
:input DENY
:forward DENY
:output ACCEPT
and then:
Allow inbound packets from the loopback address on the loopback
interface
Allow packets inbound that belong to established connections
Allow inbound packets on the well known port for SSH (the secure
shell)
Allow inbound udp packets from the well known DNS source port - and
only from UCD's DNS servers
Allow incoming ICMP
Allow HTTP
What do you guys and girls think?
--
Regards,
Barry O'Donovan barry.odonovan at ucd.ie
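As an added example (not the poster's own script), the ruleset below emits, or with APPLY=1 applies, ipchains rules matching the policy listed in the post: default DENY on input and forward, ACCEPT on output, then loopback, established TCP, SSH, DNS replies from named resolvers only, ICMP and HTTP. The public interface name eth0, the resolver addresses 192.0.2.53 and 192.0.2.54 (TEST-NET placeholders standing in for UCD's DNS servers) and the port spellings are assumptions; check them against your ipchains man page before loading.

```shell
#!/bin/sh
# Added example, not the poster's script: build the ipchains policy
# described on the list. Prints every rule; runs it only when APPLY=1.
# Assumed/hypothetical values: EXT_IF and DNS_SERVERS below.

IPCHAINS="${IPCHAINS:-ipchains}"
EXT_IF="${EXT_IF:-eth0}"                                # assumed public interface
DNS_SERVERS="${DNS_SERVERS:-192.0.2.53 192.0.2.54}"     # constructed placeholders

# rule: echo the command so the policy can be reviewed; apply it if APPLY=1.
rule() {
    echo "$IPCHAINS $*"
    if [ "${APPLY:-0}" = "1" ]; then
        "$IPCHAINS" "$@"
    fi
}

ipchains_rules() {
    # Start from empty chains and the post's default policies.
    rule -F input
    rule -F forward
    rule -F output
    rule -P input DENY
    rule -P forward DENY
    rule -P output ACCEPT

    # Loopback: accept 127/8 only on lo; a loopback source on any other
    # interface is spoofed, so log (-l) and drop it.
    rule -A input -i lo -s 127.0.0.0/8 -j ACCEPT
    rule -A input -s 127.0.0.0/8 -l -j DENY

    # "Established" in ipchains terms: there is no state table, so the
    # classic approximation is to accept TCP packets that are not a bare
    # SYN (! -y). Replies to the server's own outbound TCP pass here.
    rule -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT

    # New connections to the two services the box actually offers.
    rule -A input -i "$EXT_IF" -p tcp --dport 22 -j ACCEPT
    rule -A input -i "$EXT_IF" -p tcp --dport 80 -j ACCEPT

    # DNS replies: UDP from source port 53, and only from the listed resolvers.
    for dns in $DNS_SERVERS; do
        rule -A input -i "$EXT_IF" -p udp -s "$dns" 53 -j ACCEPT
    done

    # ICMP: the post allows it all; this accepts the types a server needs
    # (echo for ping, the unreachables that make PMTU work, time-exceeded
    # for traceroute replies) and lets the rest fall to the default DENY.
    for t in echo-request echo-reply destination-unreachable time-exceeded; do
        rule -A input -i "$EXT_IF" -p icmp -s 0.0.0.0/0 "$t" -j ACCEPT
    done

    # Log whatever reaches the end before the DENY policy eats it, so the
    # next scan shows up in syslog rather than disappearing silently.
    rule -A input -l -j DENY
}

# Review mode by default; run as root with APPLY=1 to load the rules.
ipchains_rules
```

Run it once without APPLY to read the generated rules, then as root with APPLY=1. Two caveats follow from the lack of state tracking in ipchains: UDP replies to anything other than the listed DNS servers (NTP, for example) are denied, and the `! -y` rule lets any non-SYN TCP segment in, so it only protects against connection attempts, not against crafted packets to a listening socket.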