Apply Latest OS Patches<\/p>\n
All Linux servers running Red Hat are patched at least twice a year.<\/p>\n
Configure SSH (server)
\nSettings:
\nProtocol\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a02\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0# Default
\nLogLevel\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0INFO\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0# Default
\nPermitRootLogin\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0no
\nHostbasedAuthentication\u00a0\u00a0 \u00a0no\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0# Default
\nIgnoreRhosts\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0yes\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0# Default
\nAllowTcpForwarding\u00a0\u00a0 \u00a0no
\nPermitTunnel\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0no\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0# Default
\nBanner\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\/etc\/issue<\/p>\n
Description:<\/p>\n
The settings are made in the \/etc\/ssh\/sshd_config file.
\nOnly Protocol 2 can be used. Protocol 1 is deprecated.
\nLogging must be enabled.
\nRoot logon must be disabled
\nHost based authentication is weak.
\nIgnoreRhosts is disabled (set to \u2018yes\u2019) because host-based authentication using .rhost is not permitted.
\nTunnelling\/forwarding is not permitted; it can be used to bypass Firewall rules.
\nBanner should contain the standard warning regarding unauthorised access.<\/p>\n
Secure xinetd network services<\/p>\n
Settings:
\nDisable all services except for psynch. In each service file in \/etc\/xinetd.d set this parameter:
\ndisable = yes<\/p>\n
Description:
\nMany of the default services are obsolete, vulnerable, or deprecated. Examples include rlogin and telnet.
\nThe psynch service is required for password synchronisation. Everything should be disabled or preferably removed completely.<\/p>\n
Minimise Boot Services
\nGood security practice is to only enable services that are absolutely required. The list below is allowed by default. Only the minimum required should be enabled.
\nServices Allowed
\nabrtd
\nacpid
\natd
\nauditd
\ncpuspeed
\ncrond
\ncups
\necap-monitor
\nfuncd
\nhaldaemon
\nHardware\/VM monitoring agents
\niptables
\nkdump
\nlm_sensors
\nlvm2-monitor
\nmdmonitor
\nmessagebus
\nnetfs
\nnetwork
\nnetworker
\nntpd
\nperfcap
\nportmap
\nrhnsd
\nrsyslog
\nsshd
\nsysgem
\nsysstat
\ntng
\nVeritas SF\/HA
\nxinetd<\/p>\n
Description:
\nBecause any running service could potentially have vulnerabilities, and be hijacked for malicious use, it is necessary to only enable those that are actually required. This allows us to reduce the attack surface, and reduce the opportunities available to a potential attacker.
\nThis list contains (boot up) services one might expect to see on a new server build. Additional services can be enabled if there is a strong business justification for their use.<\/p>\n
Set daemon umask
\nSettings:
\nThe umask for init should be set to 022. This is the default in RHEL6 and is not tuneable.
\nThe umask for all services started should also be set to 022. This is the default and is defined in \/etc\/init.d\/functions<\/p>\n
Description:
\nThis ensures that all files created by daemon processes have rw-r–r–\u00a0 permissions<\/p>\n
System Network Parameter Tuning<\/p>\n
Network Parameter Modifications
\nSettings:
\nCode these in \/etc\/sysctl.conf
\n# Controls IP packet forwarding
\nnet.ipv4.ip_forward = 0<\/p>\n
# Do not accept source routing
\nnet.ipv4.conf.default.accept_source_route = 0
\nnet.ipv4.conf.all.accept_source_route = 0<\/p>\n
# Controls the use of TCP syncookies
\nnet.ipv4.tcp_syncookies = 1
\nnet.ipv4.tcp_max_syn_backlog = 4096<\/p>\n
# Malicious routing table alteration should be prevented:
\nnet.ipv4.conf.all.send_redirects = 0
\nnet.ipv4.conf.default.accept_redirects = 0
\nnet.ipv4.conf.all.secure_redirects = 0
\nnet.ipv4.conf.default.secure_redirects = 0
\nnet.ipv4.conf.default.send_redirects = 0<\/p>\n
# Preventing Broadcast requests
\nnet.ipv4.icmp_echo_ignore_broadcasts = 1<\/p>\n
# Enable bad error message Protection
\nnet.ipv4.icmp_ignore_bogus_error_responses = 1<\/p>\n
Description:
\nThe above settings are designed to help prevent Denial of service attacks (DOS); spoofing; and redirections, with minimal performance or functionality impact.<\/p>\n
Logging<\/p>\n
Syslog Message Capture<\/p>\n
Settings:
\nSend all AUTHPRIV and AUTH messages to the loghost server:
\nExample entry in \/etc\/syslog.conf<\/p>\n
# The authpriv file has restricted access.
\nauthpriv.*\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\/var\/log\/secure
\nauth.*\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\/var\/log\/secure<\/p>\n
# Security Syslog
\nauth.info\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0@loghost-gen
\nauthpriv.info\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0@loghost-gen
\n# End of Security Syslog<\/p>\n
Description:
\nAuthentication messages, including \u2018su\u2019 to another account must be recorded in the \/var\/log\/secure file. Additionally, these messages must be sent to the remote log consolidation server, known as loghost-gen. The log consolidation server provides an indelible record of authentication events.<\/p>\n
File and Directory Permissions\/Access<\/p>\n
Password File<\/p>\n
Settings:
\nEnsure that MD5 and shadow passwords are selected.<\/p>\n
Description:
\nThese are the default settings. The DES algorithm is now broken, and must not be used. If password shadowing is disabled, the hashes will be stored in \/etc\/passwd, which is world readable. It would be possible to attempt to crack these hashes, and obtain account passwords.<\/p>\n
File System Restriction<\/p>\n
Settings:
\nThe following \u2018nosuid\u2019, \u2018nodev\u2019 and \u2018noexec\u2019 settings must be added in \/etc\/fstab<\/p>\n
\/dev\/rootvg\/var\u00a0\u00a0\u00a0\u00a0\u00a0 \/var\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ext3\u00a0\u00a0\u00a0 defaults,nosuid\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1 2
\n\/dev\/rootvg\/home\u00a0 \/home\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ext3\u00a0\u00a0\u00a0 defaults,nosuid,nodev\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1 2
\n\/dev\/rootvg\/\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \/apps\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ext3\u00a0\u00a0\u00a0 defaults,nodev\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1 2
\n\/dev\/rootvg\/tmp\u00a0\u00a0\u00a0 \/tmp\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ext3\u00a0\u00a0\u00a0 defaults,nosuid,noexec,nodev\u00a0 1 2
\n\/dev\/rootvg\/crash\u00a0 \/var\/crash\u00a0 ext3\u00a0\u00a0\u00a0 defaults,nosuid,noexec,nodev\u00a0 1 2
\n\/dev\/rootvg\/ opt\u00a0\u00a0\u00a0 \/opt\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ext3\u00a0\u00a0\u00a0 defaults,nodev\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1 2
\n\/dev\/rootvg\/usr\u00a0\u00a0\u00a0\u00a0 \/usr\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ext3\u00a0\u00a0\u00a0 defaults,nodev\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1 2
\n\/dev\/rootvg\/data\u00a0\u00a0 \/data\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ext3\u00a0\u00a0\u00a0 defaults,nosuid,noexec,nodev\u00a0 1 2<\/p>\n
Description:
\nThese restrictions are to control mounting of filesystems:
\nnosuid\u00a0\u00a0\u00a0 – prevent suid\/sgid access
\nnodev\u00a0\u00a0\u00a0\u00a0 – prevent devices being created
\nnoexec\u00a0\u00a0\u00a0 – prevent execution of binaries<\/p>\n
Accidental Deletion Protection<\/p>\n
Settings:
\nSet permissions on \/tmp to include the sticky-bit i.e rwxrwxtwt (1777).<\/p>\n
Description:
\nThis will prevent file deletion except for the owner of the file.<\/p>\n
Eliminate World-Writable Files<\/p>\n
Settings:
\nEnsure files do not have \u2018write\u2019 permission for \u2018other\u2019 category
\nchmod o-w <filename><\/p>\n
Data in these files could be compromised by anyone with access to the server.
\nNOTE: Certain vendor applications may break if this setting is made, so exercise caution before making this change.<\/p>\n
Ensure Only Authorised Executables are SUID\/SGID<\/p>\n
Settings:
\nOnly entries in appendix X should have SUID\/SGID set.<\/p>\n
The SUID\/SGID facility allows executables to execute under root, when run under a non-root account, e.g. ping<\/p>\n
Orphaned Files
\nSettings:
\nOrphaned files must be removed, or an owner allocated.<\/p>\n
Description:
\nThese files do not have an owner, and it may be indicative of a break-in, or some other problem.<\/p>\n
7.7.\u00a0\u00a0 \u00a0Permissions
\nSettings:
\nFile\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Owner\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Group\u00a0\u00a0\u00a0\u00a0\u00a0 Access Permissions (minimum)
\n\/etc\/passwd\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 root\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 root\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 644
\n\/etc\/shadow\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 root\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 root\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 400
\n\/etc\/group\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 root\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 root\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 644
\n\/etc\/pam.d\/<files>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 root\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 root\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 644
\n\/etc\/at.allow\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 root\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 root\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 400
\n\/etc\/cron.allow\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 root\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 root\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 400
\n\/etc\/crontab\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 root\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 root\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 400
\n\/etc\/ssh\/sshd.config\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 root\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 root\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 400
\n\/etc\/syslog.conf\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 root\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 root\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 600
\n\/var\/log\/secure\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 root\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 root\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 600<\/p>\n
Description:
\nThese important files should have the permissions set as specified, as a minimum.<\/p>\n
System Access, Authentication and Authorisation<\/p>\n
Remove .rhosts Feature
\nSettings:
\nIn \/etc\/pam.d\/rlogin and \/etc\/pam.d\/rsh, remove the entries containing the line:<\/p>\n
pam_rhosts_auth.so<\/p>\n
Description:
\nRemoving the \u2018pam_rhosts_auth.so\u2019 clause is an additional security measure, should rlogin\/rsh be enabled. The .rhosts facility has weak authentication, and should not be used.<\/p>\n
Restrict Access to at\/cron
\nSettings:
\nIn \/etc remove the at.deny and cron.deny files.
\nAdd the entry \u2018root\u2019 to at.allow and cron.allow. Remove any other user names that may be present.<\/p>\n
Description:<\/p>\n
The objective is to restrict the scheduling of jobs to the root account only. BNPP has a scheduling tool that should be used by application teams
\nwho wish to have scheduled tasks.<\/p>\n
8.3.\u00a0\u00a0 \u00a0Prevent Receiving of syslog Messages<\/p>\n
Settings:
\nThe \/etc\/init.d\/syslog file must have this setting:\u00a0 SYSLOGD_OPTIONS=\u201d-m 0\u201d
\nDescription:
\nThe absence or the \u2013r switch, prevents receiving remote syslog messages. A server that is configured to receive syslog messages can be compromised by being bombarded with (fake) syslog messages. This setting prevents a DOS attack.<\/p>\n","protected":false},"excerpt":{"rendered":"
Avoid hackers hacking linux <\/p>\n
Apply Latest OS Patches<\/p>\n
All Linux servers running Red Hat are patched at least twice a year.<\/p>\n
Configure SSH (server) Settings: Protocol 2 # Default LogLevel INFO # Default PermitRootLogin no HostbasedAuthentication no # Default IgnoreRhosts yes # Default AllowTcpForwarding no PermitTunnel no # Default Banner \/etc\/issue<\/p>\n
Description:<\/p>\n
The settings are […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/783"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=783"}],"version-history":[{"count":1,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/783\/revisions"}],"predecessor-version":[{"id":784,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/783\/revisions\/784"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=783"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=783"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=783"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}