{"id":3603,"date":"2014-09-25T13:14:22","date_gmt":"2014-09-25T05:14:22","guid":{"rendered":"http:\/\/rmohan.com\/?p=3603"},"modified":"2014-09-25T13:14:22","modified_gmt":"2014-09-25T05:14:22","slug":"rhel-6-security-guide","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=3603","title":{"rendered":"RHEL 6 Security Guide"},"content":{"rendered":"

1. GRUB password<\/strong><\/p>\n

i. run as root with \/sbin\/grub-md5-crypt to get a MD5 hash.\u00a0<\/span>
\nii. add “password –md5 <password-hash>” below\u00a0<\/span>timeout<\/em>\u00a0<\/span>line in \/boot\/grub\/grub.conf\u00a0<\/span>
\niii. prees\u00a0<\/span>p<\/strong>\u00a0<\/span>when access grub menu<\/p>\n

2. Administrative Controls for Root<\/strong><\/p>\n

Methods of Disabling the Root Account<\/h6>\n
\n\n\n\n\n\n<\/colgroup>\n\n\n\n\n
Method<\/th>\nDescription<\/th>\nEffects<\/th>\nDoes Not Affect<\/th>\n<\/tr>\n<\/thead>\n
Changing the root shell.<\/td>\nEdit the\u00a0<\/span>\/etc\/passwd<\/code>\u00a0<\/span>file and change the shell from\/bin\/bash<\/code>\u00a0<\/span>to\u00a0<\/span>\/sbin\/nologin<\/code>.<\/td>\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Prevents access to the root shell and logs any such attempts.<\/td>\n<\/tr>\n
The following programs are prevented from accessing the root account:<\/td>\n<\/tr>\n
\u00b7\u00a0<\/span>login<\/code><\/td>\n<\/tr>\n
\u00b7\u00a0<\/span>gdm<\/code><\/td>\n<\/tr>\n
\u00b7\u00a0<\/span>kdm<\/code><\/td>\n<\/tr>\n
\u00b7\u00a0<\/span>xdm<\/code><\/td>\n<\/tr>\n
\u00b7\u00a0<\/span>su<\/code><\/td>\n<\/tr>\n
\u00b7\u00a0<\/span>ssh<\/code><\/td>\n<\/tr>\n
\u00b7\u00a0<\/span>scp<\/code><\/td>\n<\/tr>\n
\u00b7\u00a0<\/span>sftp<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n\n\n\n\n\n\n\n\n\n
Programs that do not require a shell, such as FTP clients, mail clients, and many setuid programs.<\/td>\n<\/tr>\n
The following programs arenot<\/em><\/span>\u00a0<\/span>prevented from accessing the root account:<\/td>\n<\/tr>\n
\u00b7\u00a0<\/span>sudo<\/code><\/td>\n<\/tr>\n
\u00b7 FTP clients<\/td>\n<\/tr>\n
\u00b7 Email clients<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n
Disabling root access via any console device (tty).<\/td>\nAn empty\u00a0<\/span>\/etc\/securetty<\/code>\u00a0<\/span>file prevents root login on any devices attached to the computer.<\/td>\n\n\n\n\n\n\n\n\n\n
Prevents access to the root account via the console or the network. The following programs are prevented from accessing the root account:<\/td>\n<\/tr>\n
\u00b7\u00a0<\/span>login<\/code><\/td>\n<\/tr>\n
\u00b7\u00a0<\/span>gdm<\/code><\/td>\n<\/tr>\n
\u00b7\u00a0<\/span>kdm<\/code><\/td>\n<\/tr>\n
\u00b7\u00a0<\/span>xdm<\/code><\/td>\n<\/tr>\n
\u00b7 Other network services that open a tty<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n\n\n\n\n\n\n\n\n\n\n\n
Programs that do not log in as root, but perform administrative tasks through setuid or other mechanisms.<\/td>\n<\/tr>\n
The following programs arenot<\/em><\/span>\u00a0<\/span>prevented from accessing the root account:<\/td>\n<\/tr>\n
\u00b7\u00a0<\/span>su<\/code><\/td>\n<\/tr>\n
\u00b7\u00a0<\/span>sudo<\/code><\/td>\n<\/tr>\n
\u00b7\u00a0<\/span>ssh<\/code><\/td>\n<\/tr>\n
\u00b7\u00a0<\/span>scp<\/code><\/td>\n<\/tr>\n
\u00b7\u00a0<\/span>sftp<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n
Disabling root SSH logins.<\/td>\nEdit the\u00a0<\/span>\/etc\/ssh\/sshd_config<\/code>file and set thePermitRootLogin<\/code>\u00a0<\/span>parameter tono<\/code>.<\/td>\n\n\n\n\n\n\n\n
Prevents root access via the OpenSSH suite of tools. The following programs are prevented from accessing the root account:<\/td>\n<\/tr>\n
\u00b7\u00a0<\/span>ssh<\/code><\/td>\n<\/tr>\n
\u00b7\u00a0<\/span>scp<\/code><\/td>\n<\/tr>\n
\u00b7\u00a0<\/span>sftp<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n\n\n\n\n\n
This only prevents root access to the OpenSSH suite of tools.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n
Use PAM to limit root access to services.<\/td>\nEdit the file for the target service in the\u00a0<\/span>\/etc\/pam.d\/<\/code>directory. Make sure thepam_listfile.so<\/code>\u00a0<\/span>is required for authentication.<\/td>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Prevents root access to network services that are PAM aware.<\/td>\n<\/tr>\n
The following services are prevented from accessing the root account:<\/td>\n<\/tr>\n
\u00b7 FTP clients<\/td>\n<\/tr>\n
\u00b7 Email clients<\/td>\n<\/tr>\n
\u00b7\u00a0<\/span>login<\/code><\/td>\n<\/tr>\n
\u00b7\u00a0<\/span>gdm<\/code><\/td>\n<\/tr>\n
\u00b7\u00a0<\/span>kdm<\/code><\/td>\n<\/tr>\n
\u00b7\u00a0<\/span>xdm<\/code><\/td>\n<\/tr>\n
\u00b7\u00a0<\/span>ssh<\/code><\/td>\n<\/tr>\n
\u00b7\u00a0<\/span>scp<\/code><\/td>\n<\/tr>\n
\u00b7\u00a0<\/span>sftp<\/code><\/td>\n<\/tr>\n
\u00b7 Any PAM aware services<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n\n\n\n\n\n\n
Programs and services that are not PAM aware.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n<\/tbody>\n
<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n

\u00a03. Checking Listening Ports<\/strong><\/p>\n

nmap -sT -O localhost ; netstat -atunp ; lsof -i<\/pre>\n
4. Access Control to Network Services Flowchart<\/strong><\/p>\n
\"iptables\"<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
1. GRUB password<\/p>\n