Avoid hackers hacking Linux
Apply Latest OS Patches
All Linux servers running Red Hat are patched at least twice a year.
Configure SSH (server)
Settings:
Protocol 2 # Default
LogLevel INFO # Default
PermitRootLogin no
HostbasedAuthentication no # Default
IgnoreRhosts yes # Default
AllowTcpForwarding no
PermitTunnel no # Default
Banner /etc/issue
Description:
The settings are made in the /etc/ssh/sshd_config file.
Only Protocol 2 can be used. Protocol 1 is deprecated.
Logging must be enabled.
Root logon must be disabled.
Host based authentication is weak.
IgnoreRhosts is set to 'yes' so that .rhosts files are ignored, because host-based authentication using .rhosts is not permitted.
Tunnelling/forwarding is not permitted; it can be used to bypass Firewall rules.
Banner should contain the standard warning regarding unauthorised access.
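As an added example (it is not part of the original page), the following Python script checks an sshd_config file against the eight settings above. It reads the file the way sshd does, taking the first value given for each keyword, so a hardening line appended below an earlier permissive one is reported as ineffective. The "Default" values come from the page's annotations rather than from a running sshd, and the sample configuration embedded in the script is constructed.

```python
import re
import sys

# Required settings from the checklist (keyword -> value). Keywords are
# lower-cased because sshd matches them case-insensitively.
EXPECTED = {
    "protocol": "2",
    "loglevel": "INFO",
    "permitrootlogin": "no",
    "hostbasedauthentication": "no",
    "ignorerhosts": "yes",
    "allowtcpforwarding": "no",
    "permittunnel": "no",
    "banner": "/etc/issue",
}

# Keywords the page marks "# Default": an absent keyword is taken to have this
# value. PermitRootLogin, AllowTcpForwarding and Banner carry no such mark on
# the page, so they must appear explicitly or they are reported.
PAGE_DEFAULTS = {
    "protocol": "2",
    "loglevel": "INFO",
    "hostbasedauthentication": "no",
    "ignorerhosts": "yes",
    "permittunnel": "no",
}


def parse_sshd_config(text):
    """Return {keyword: value}, keeping the FIRST occurrence of each keyword.

    sshd applies the first value it reads for a keyword, so a later line does
    not override an earlier one. Directives below a Match block are
    conditional and are not read here.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments, incl. inline "# Default" notes
        if not line:
            continue
        if re.match(r"match\b", line, flags=re.I):
            break
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return [(keyword, actual_or_None, expected)] for every setting that deviates."""
    found = parse_sshd_config(text)
    findings = []
    for key, expected in EXPECTED.items():
        actual = found.get(key, PAGE_DEFAULTS.get(key))
        if actual is None or actual.lower() != expected.lower():
            findings.append((key, actual, expected))
    return sorted(findings, key=lambda f: f[0])


# Constructed sample: the later "PermitRootLogin no" does not override the
# earlier "yes", and AllowTcpForwarding is missing entirely.
SAMPLE_CONFIG = """\
# constructed sample sshd_config
Protocol 2
LogLevel INFO
PermitRootLogin yes
PermitRootLogin no
Banner /etc/issue
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_CONFIG
    for key, actual, expected in audit_sshd_config(text):
        print(f"{key}: found {actual!r}, expected {expected!r}")
```

Run it with no arguments to audit the embedded sample, or pass the path of a real sshd_config. The check stops at the first Match block, since directives below it apply only to the matching users or hosts.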
Secure xinetd network services
Settings:
Disable all services except for psynch. In each service file in /etc/xinetd.d set this parameter:
disable = yes
Description:
Many of the default services are obsolete, vulnerable, or deprecated. Examples include rlogin and telnet.
The psynch service is required for password synchronisation. Everything else should be disabled or, preferably, removed completely.
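The following Python checker is an added example, not code from the page. It parses the service files in /etc/xinetd.d and lists every service that is still enabled apart from psynch. It checks the service name inside the file rather than the file name, and it treats a file with no disable line at all as enabled, which is what xinetd does. The sample files embedded in it are constructed, and their attribute values are illustrative.

```python
import os
import re

# Services that must stay enabled; the page names psynch (password synchronisation).
XINETD_REQUIRED = {"psynch"}

SERVICE_RE = re.compile(r"^\s*service\s+(\S+)\s*$")
ATTR_RE = re.compile(r"^\s*(\w+)\s*(\+=|-=|=)\s*(.*?)\s*$")


def parse_xinetd_file(text):
    """Return {service_name: {attribute: value}} for each block in one xinetd file.
    '#' comments are dropped; a 'defaults' block is stored under the key 'defaults'."""
    blocks = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = SERVICE_RE.match(line)
        if m:
            current = blocks.setdefault(m.group(1), {})
            continue
        if line.strip() == "defaults":
            current = blocks.setdefault("defaults", {})
            continue
        if line.strip() in ("{", "}"):
            if line.strip() == "}":
                current = None
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(3)
    return blocks


def enabled_services(file_texts, required=XINETD_REQUIRED):
    """Given {filename: text}, return sorted names of services that are neither
    disabled nor required. A 'defaults' block may also disable services via its
    'disabled' list, so that is honoured too."""
    parsed = {name: parse_xinetd_file(text) for name, text in file_texts.items()}
    globally_disabled = set()
    for blocks in parsed.values():
        globally_disabled |= set(blocks.get("defaults", {}).get("disabled", "").split())
    offenders = []
    for blocks in parsed.values():
        for service, attrs in blocks.items():
            if service == "defaults" or service in required or service in globally_disabled:
                continue
            if attrs.get("disable", "no").strip().lower() != "yes":
                offenders.append(service)
    return sorted(offenders)


def load_xinetd_dir(directory="/etc/xinetd.d"):
    """Read every regular file in the directory into {filename: text}."""
    texts = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path) as fh:
                texts[name] = fh.read()
    return texts


# Constructed sample: the file "rlogin" defines service "login" with no disable line.
SAMPLE_XINETD = {
    "telnet": "service telnet\n{\n\tdisable = yes\n\tsocket_type = stream\n}\n",
    "rlogin": "service login\n{\n\tsocket_type = stream\n\twait = no\n}\n",
    "psynch": "service psynch\n{\n\tdisable = no\n\tsocket_type = stream\n}\n",
}

if __name__ == "__main__":
    print("still enabled:", enabled_services(SAMPLE_XINETD))
```

On a real host call `enabled_services(load_xinetd_dir())`; an empty list means only psynch remains enabled.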
Minimise Boot Services
Good security practice is to only enable services that are absolutely required. The list below is allowed by default. Only the minimum required should be enabled.
Services Allowed
abrtd
acpid
atd
auditd
cpuspeed
crond
cups
ecap-monitor
funcd
haldaemon
Hardware/VM monitoring agents
iptables
kdump
lm_sensors
lvm2-monitor
mdmonitor
messagebus
netfs
network
networker
ntpd
perfcap
portmap
rhnsd
rsyslog
sshd
sysgem
sysstat
tng
Veritas SF/HA
xinetd
Description:
Because any running service could potentially have vulnerabilities, and be hijacked for malicious use, it is necessary to only enable those that are actually required. This allows us to reduce the attack surface, and reduce the opportunities available to a potential attacker.
This list contains (boot up) services one might expect to see on a new server build. Additional services can be enabled if there is a strong business justification for their use.
Set daemon umask
Settings:
The umask for init should be set to 022. This is the default in RHEL6 and is not tuneable.
The umask for all services started should also be set to 022. This is the default and is defined in /etc/init.d/functions.
Description:
This ensures that all files created by daemon processes have rw-r--r-- permissions.
System Network Parameter Tuning
Network Parameter Modifications
Settings:
Add these settings to /etc/sysctl.conf:
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_source_route = 0
# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 4096
# Malicious routing table alteration should be prevented:
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Preventing Broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
Description:
The above settings are designed to help prevent denial-of-service (DoS) attacks, address spoofing and ICMP redirect attacks, with minimal performance or functionality impact.
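As an added example (not part of the original page), this Python script compares a sysctl.conf file, and optionally the running kernel via /proc/sys, against exactly the keys and values listed above. Checking the live values matters because a correct /etc/sysctl.conf does nothing until `sysctl -p` or a reboot applies it. The sample file inside the script is constructed.

```python
import os

# Expected values, copied from the /etc/sysctl.conf settings listed above.
SYSCTL_BASELINE = {
    "net.ipv4.ip_forward": "0",
    "net.ipv4.conf.default.accept_source_route": "0",
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.tcp_max_syn_backlog": "4096",
    "net.ipv4.conf.all.send_redirects": "0",
    "net.ipv4.conf.default.accept_redirects": "0",
    "net.ipv4.conf.all.secure_redirects": "0",
    "net.ipv4.conf.default.secure_redirects": "0",
    "net.ipv4.conf.default.send_redirects": "0",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
    "net.ipv4.icmp_ignore_bogus_error_responses": "1",
}


def parse_sysctl_conf(text):
    """Parse sysctl.conf syntax ("key = value", '#' or ';' comment lines).
    The last value for a key wins, which is how 'sysctl -p' applies the file."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # sysctl also accepts '/' as the separator; normalise to dots (approximate)
        values[key.strip().replace("/", ".")] = value.strip()
    return values


def check_sysctl_conf(text, baseline=SYSCTL_BASELINE):
    """Return {key: (configured_or_None, expected)} for baseline keys that are
    missing from the file or set to a different value."""
    configured = parse_sysctl_conf(text)
    return {k: (configured.get(k), v) for k, v in baseline.items()
            if configured.get(k) != v}


def running_value(key):
    """Read the live kernel value from /proc/sys; None if unreadable (e.g. not Linux)."""
    path = os.path.join("/proc/sys", *key.split("."))
    try:
        with open(path) as fh:
            return " ".join(fh.read().split())
    except OSError:
        return None


def check_running(baseline=SYSCTL_BASELINE):
    """Compare the running kernel against the baseline. Unreadable keys are
    reported with None rather than silently skipped."""
    findings = {}
    for key, expected in baseline.items():
        got = running_value(key)
        if got != expected:
            findings[key] = (got, expected)
    return findings


# Constructed sample: forwarding left on, the syncookies line commented out.
SAMPLE_SYSCTL = """\
# constructed sample /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_source_route = 0
# net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
"""

if __name__ == "__main__":
    for key, (got, want) in sorted(check_sysctl_conf(SAMPLE_SYSCTL).items()):
        print(f"file: {key} configured {got!r}, expected {want!r}")
    for key, (got, want) in sorted(check_running().items()):
        print(f"kernel: {key} running {got!r}, expected {want!r}")
```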
Logging
Syslog Message Capture
Settings:
Send all AUTHPRIV and AUTH messages to the loghost server:
Example entry in /etc/syslog.conf
# The authpriv file has restricted access.
authpriv.* /var/log/secure
auth.* /var/log/secure
# Security Syslog
auth.info @loghost-gen
authpriv.info @loghost-gen
# End of Security Syslog
Description:
Authentication messages, including ‘su’ to another account must be recorded in the /var/log/secure file. Additionally, these messages must be sent to the remote log consolidation server, known as loghost-gen. The log consolidation server provides an indelible record of authentication events.
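The Python checker below is an added example, not code from the page. It evaluates syslog.conf selectors (the same legacy syntax rsyslog accepts) to confirm that auth and authpriv messages at info and above reach both /var/log/secure and a remote loghost. It honours the left-to-right override rule, so a selector such as `authpriv.none` later on the same line removes the facility from that rule. The embedded sample reproduces the page's example entry plus one constructed catch-all line.

```python
# Priority levels in ascending order; a selector "fac.prio" matches prio and above.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}


def priority_selected(prio_spec, priority):
    """Does a selector's priority part ("*", "none", "info", "=info") include priority?"""
    spec = prio_spec.strip().lower()
    if spec == "*":
        return True
    if spec == "none":
        return False
    if spec.startswith("="):                 # exactly this priority only
        return ALIASES.get(spec[1:], spec[1:]) == priority
    if spec.startswith("!"):                 # exclusion forms: treated as not captured
        return False
    spec = ALIASES.get(spec, spec)
    if spec not in PRIORITIES:
        return False
    return PRIORITIES.index(priority) >= PRIORITIES.index(spec)


def rule_captures(selectors, facility, priority):
    """Evaluate 'auth.*;authpriv.none'-style selector lists left to right; a later
    selector naming the same facility overrides an earlier one."""
    captured = False
    for sel in selectors.split(";"):
        fac_part, _, prio_part = sel.strip().rpartition(".")
        facilities = [f.strip().lower() for f in fac_part.split(",")]
        if "*" in facilities or facility in facilities:
            captured = priority_selected(prio_part, priority)
    return captured


def parse_syslog_conf(text):
    """Yield (selectors, action) pairs; skips comments, blank lines and '$' directives."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#$":
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            yield parts[0], parts[1].strip()


def auth_destinations(text, facilities=("auth", "authpriv"), priority="info"):
    """Return {facility: {"local": [paths], "remote": [targets]}} showing where
    messages of each facility at the given priority are delivered."""
    result = {f: {"local": [], "remote": []} for f in facilities}
    for selectors, action in parse_syslog_conf(text):
        for fac in facilities:
            if not rule_captures(selectors, fac, priority):
                continue
            if action.startswith("@"):                   # "@host" (UDP) or "@@host" (TCP)
                result[fac]["remote"].append(action)
            elif action.lstrip("-").startswith("/"):     # "-/path" means no sync after write
                result[fac]["local"].append(action.lstrip("-"))
    return result


def missing_remote(text, facilities=("auth", "authpriv")):
    """Facilities whose messages never reach a remote loghost: the finding to act on."""
    dests = auth_destinations(text, facilities)
    return sorted(f for f in facilities if not dests[f]["remote"])


# The page's example entry, with a constructed catch-all first line.
SAMPLE_SYSLOG = """\
*.info;mail.none;authpriv.none;cron.none        /var/log/messages
# The authpriv file has restricted access.
authpriv.*                                      /var/log/secure
auth.*                                          /var/log/secure
# Security Syslog
auth.info                                       @loghost-gen
authpriv.info                                   @loghost-gen
# End of Security Syslog
"""

if __name__ == "__main__":
    for fac, dests in auth_destinations(SAMPLE_SYSLOG).items():
        print(fac, dests)
    print("not forwarded:", missing_remote(SAMPLE_SYSLOG))
```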
File and Directory Permissions/Access
Password File
Settings:
Ensure that MD5 and shadow passwords are selected.
Description:
These are the default settings. The DES algorithm is now broken, and must not be used. If password shadowing is disabled, the hashes will be stored in /etc/passwd, which is world readable. It would be possible to attempt to crack these hashes, and obtain account passwords.
File System Restriction
Settings:
The following ‘nosuid’, ‘nodev’ and ‘noexec’ settings must be added in /etc/fstab
/dev/rootvg/var /var ext3 defaults,nosuid 1 2
/dev/rootvg/home /home ext3 defaults,nosuid,nodev 1 2
/dev/rootvg/ /apps ext3 defaults,nodev 1 2
/dev/rootvg/tmp /tmp ext3 defaults,nosuid,noexec,nodev 1 2
/dev/rootvg/crash /var/crash ext3 defaults,nosuid,noexec,nodev 1 2
/dev/rootvg/opt /opt ext3 defaults,nodev 1 2
/dev/rootvg/usr /usr ext3 defaults,nodev 1 2
/dev/rootvg/data /data ext3 defaults,nosuid,noexec,nodev 1 2
Description:
These restrictions are to control mounting of filesystems:
nosuid – ignore set-user-ID and set-group-ID bits on executables in this filesystem
nodev – do not interpret character or block special devices on this filesystem
noexec – do not allow direct execution of binaries from this filesystem
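As an added example (not part of the original page), the following Python script reads fstab entries and reports each mount point above that lacks one of its required options, and any required mount point that has no entry at all, since a directory that is not a separate filesystem cannot carry its own restrictions. The sample fstab inside it is constructed (the logical volume names are illustrative).

```python
import re

# Options the checklist requires per mount point (from the /etc/fstab lines above).
REQUIRED_OPTIONS = {
    "/var": {"nosuid"},
    "/home": {"nosuid", "nodev"},
    "/apps": {"nodev"},
    "/tmp": {"nosuid", "noexec", "nodev"},
    "/var/crash": {"nosuid", "noexec", "nodev"},
    "/opt": {"nodev"},
    "/usr": {"nodev"},
    "/data": {"nosuid", "noexec", "nodev"},
}


def unescape_fstab(field):
    """fstab encodes spaces and other special characters as octal escapes (\\040)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_fstab(text):
    """Yield (device, mountpoint, fstype, options_set) for each real entry.
    Blank lines, comments and lines with fewer than four fields are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 4:
            continue
        device, mountpoint, fstype, options = (unescape_fstab(f) for f in fields[:4])
        yield device, mountpoint, fstype, set(options.split(","))


def check_fstab(text, required=REQUIRED_OPTIONS):
    """Return {mountpoint: [missing options]} for entries lacking required options
    and {mountpoint: None} for required mount points with no entry at all."""
    seen = {}
    for _device, mountpoint, _fstype, options in parse_fstab(text):
        seen[mountpoint] = options
    findings = {}
    for mountpoint, needed in required.items():
        if mountpoint not in seen:
            findings[mountpoint] = None
        else:
            missing = sorted(needed - seen[mountpoint])
            if missing:
                findings[mountpoint] = missing
    return findings


# Constructed sample: /tmp lacks noexec and /data is not a separate filesystem.
SAMPLE_FSTAB = """\
# constructed sample /etc/fstab
/dev/rootvg/root  /          ext3  defaults                     1 1
/dev/rootvg/var   /var       ext3  defaults,nosuid              1 2
/dev/rootvg/home  /home      ext3  defaults,nosuid,nodev        1 2
/dev/rootvg/apps  /apps      ext3  defaults,nodev               1 2
/dev/rootvg/tmp   /tmp       ext3  defaults,nosuid,nodev        1 2
/dev/rootvg/crash /var/crash ext3  defaults,nosuid,noexec,nodev 1 2
/dev/rootvg/opt   /opt       ext3  defaults,nodev               1 2
/dev/rootvg/usr   /usr       ext3  defaults,nodev               1 2
"""

if __name__ == "__main__":
    for mountpoint, missing in sorted(check_fstab(SAMPLE_FSTAB).items()):
        print(mountpoint, "no entry" if missing is None else "missing " + ",".join(missing))
```

The same parser reads /proc/mounts, whose first four fields have the same layout, so `check_fstab(open("/proc/mounts").read())` checks what is actually mounted rather than what fstab promises.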
Accidental Deletion Protection
Settings:
Set permissions on /tmp to include the sticky bit, i.e. rwxrwxrwt (1777).
Description:
With the sticky bit set, a file in the directory can be deleted or renamed only by the file's owner, the directory's owner or root, even though the directory is world-writable.
Eliminate World-Writable Files
Settings:
Ensure files do not have 'write' permission for the 'other' category:
chmod o-w <filename>
Description:
Data in these files could be compromised by anyone with access to the server.
NOTE: Certain vendor applications may break if this setting is made, so exercise caution before making this change.
Ensure Only Authorised Executables are SUID/SGID
Settings:
Only entries in appendix X should have SUID/SGID set.
Description:
The SUID/SGID facility allows an executable to run with the privileges of its owner or group (typically root) even when invoked from a non-root account, e.g. ping.
Orphaned Files
Settings:
Orphaned files must be removed, or an owner allocated.
Description:
These files do not have an owner, and it may be indicative of a break-in, or some other problem.
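The Python scanner below is an added example, not code from the page, and it serves the three preceding items together (world-writable files, unexpected SUID/SGID executables, orphaned files) plus the sticky-bit rule for directories. It walks a tree without following symlinks and classifies each regular file by its lstat() result. The SUID/SGID allowlist is a placeholder: the page defers the real list to "appendix X", which is not reproduced here.

```python
import grp
import os
import pwd
import stat

# Executables allowed to carry SUID/SGID. Placeholder entries; the real list is
# the page's "appendix X".
SUID_ALLOWLIST = {"/bin/ping", "/bin/su", "/usr/bin/passwd"}

ISSUES = ("world-writable", "unexpected-suid-sgid", "orphaned", "world-writable-dir-no-sticky")


def classify_file(path, st, allowlist=SUID_ALLOWLIST):
    """Return the set of issues for one regular file, given its lstat() result."""
    mode = stat.S_IMODE(st.st_mode)
    issues = set()
    if mode & stat.S_IWOTH:
        issues.add("world-writable")
    if mode & (stat.S_ISUID | stat.S_ISGID) and path not in allowlist:
        issues.add("unexpected-suid-sgid")
    try:
        pwd.getpwuid(st.st_uid)
        grp.getgrgid(st.st_gid)
    except KeyError:                     # no passwd/group entry: an orphaned file
        issues.add("orphaned")
    return issues


def scan_tree(root, allowlist=SUID_ALLOWLIST):
    """Walk root (not following symlinks) and return {issue: sorted paths}.
    Directories are checked for the /tmp-style problem: world-writable without sticky."""
    report = {issue: [] for issue in ISSUES}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # a symlink to a directory is not descended
            except OSError:
                continue
            if stat.S_ISDIR(st.st_mode):
                mode = stat.S_IMODE(st.st_mode)
                if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                    report["world-writable-dir-no-sticky"].append(path)
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:                  # removed mid-scan or unreadable
                continue
            if not stat.S_ISREG(st.st_mode):
                continue                     # symlinks show 777; sockets and fifos out of scope
            for issue in classify_file(path, st, allowlist):
                report[issue].append(path)
    return {issue: sorted(paths) for issue, paths in report.items()}


if __name__ == "__main__":
    import sys
    for issue, paths in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "/usr/local").items():
        for path in paths:
            print(f"{issue}: {path}")
```

Run it as root over `/` to cover the whole system; the orphaned list is only meaningful on the host whose /etc/passwd and /etc/group the files belong to.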
Permissions
Settings:
File                  Owner  Group  Access Permissions (minimum)
/etc/passwd           root   root   644
/etc/shadow           root   root   400
/etc/group            root   root   644
/etc/pam.d/<files>    root   root   644
/etc/at.allow         root   root   400
/etc/cron.allow       root   root   400
/etc/crontab          root   root   400
/etc/ssh/sshd_config  root   root   400
/etc/syslog.conf      root   root   600
/var/log/secure       root   root   600
Description:
These important files should have permissions no more permissive than those specified, and must be owned by root:root.
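As an added example (not the page's own code), the Python script below checks each file in the table above: the mode must not grant any bit beyond the listed value (so setuid, setgid and sticky bits count as excess too), and the owner and group must resolve to root. The page's "/etc/pam.d/<files>" is expressed as a glob pattern, which is an assumption about the author's intent.

```python
import glob
import grp
import os
import pwd
import stat

# Most permissive acceptable mode per path, from the table above.
PERMISSION_TABLE = {
    "/etc/passwd": 0o644,
    "/etc/shadow": 0o400,
    "/etc/group": 0o644,
    "/etc/pam.d/*": 0o644,        # page: /etc/pam.d/<files>; glob is an assumption
    "/etc/at.allow": 0o400,
    "/etc/cron.allow": 0o400,
    "/etc/crontab": 0o400,
    "/etc/ssh/sshd_config": 0o400,
    "/etc/syslog.conf": 0o600,
    "/var/log/secure": 0o600,
}
REQUIRED_OWNER = ("root", "root")


def mode_too_permissive(path, max_mode):
    """True if the file carries any permission bit that max_mode does not allow.
    setuid/setgid/sticky are bits too, so mode 4400 fails a 400 limit."""
    actual = stat.S_IMODE(os.lstat(path).st_mode)
    return bool(actual & ~max_mode)


def owner_matches(path, user, group):
    """True if the file's uid and gid resolve to the given user and group names."""
    st = os.lstat(path)
    try:
        return (pwd.getpwuid(st.st_uid).pw_name == user
                and grp.getgrgid(st.st_gid).gr_name == group)
    except KeyError:               # uid or gid without a name cannot be the required owner
        return False


def audit_paths(table=PERMISSION_TABLE, owner=REQUIRED_OWNER):
    """Return {path: [problems]} for every existing file that violates the table.
    Paths that do not exist are skipped (/etc/at.allow is absent on many hosts)."""
    findings = {}
    for pattern, max_mode in table.items():
        for path in sorted(glob.glob(pattern)):
            problems = []
            actual = stat.S_IMODE(os.lstat(path).st_mode)
            if mode_too_permissive(path, max_mode):
                problems.append(f"mode {actual:04o} exceeds {max_mode:04o}")
            if not owner_matches(path, *owner):
                problems.append(f"owner is not {owner[0]}:{owner[1]}")
            if problems:
                findings[path] = problems
    return findings


if __name__ == "__main__":
    for path, problems in sorted(audit_paths().items()):
        print(f"{path}: {'; '.join(problems)}")
```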
System Access, Authentication and Authorisation
Remove .rhosts Feature
Settings:
In /etc/pam.d/rlogin and /etc/pam.d/rsh, remove the entries containing the line:
pam_rhosts_auth.so
Description:
Removing the ‘pam_rhosts_auth.so’ clause is an additional security measure, should rlogin/rsh be enabled. The .rhosts facility has weak authentication, and should not be used.
Restrict Access to at/cron
Settings:
In /etc remove the at.deny and cron.deny files.
Add the entry ‘root’ to at.allow and cron.allow. Remove any other user names that may be present.
Description:
The objective is to restrict the scheduling of jobs to the root account only. BNPP has a scheduling tool that should be used by application teams who wish to have scheduled tasks.
Prevent Receiving of syslog Messages
Settings:
The /etc/init.d/syslog file must have this setting: SYSLOGD_OPTIONS="-m 0"
Description:
The absence of the -r switch prevents receiving remote syslog messages. A server that is configured to receive syslog messages can be compromised by being bombarded with (fake) syslog messages. This setting prevents a DoS attack.