For RH 7.x, xinetd is the replacement for inetd. For more information on this highly configurable daemon see the man pages or the xinetd web page: http://www.xinetd.org/. The directory /etc/xinetd.d contains one file for each service that will run out of xinetd. To turn a service on or off, open the file that corresponds to the service you want (for example, to turn on ftp, open '/etc/xinetd.d/wu-ftpd'). It contains a line that reads either 'disable = yes' or 'disable = no'. If you want the service to run, make sure it says 'disable = no'; to disable the service, make sure it reads 'disable = yes'. On RH 7.x 'chkconfig wu-ftpd off' (or on) edits that line for you. Either way, restart xinetd so the change takes effect; the easiest way is 'service xinetd restart'.
Use chkconfig to see what is set to run in each runlevel (it shows what is configured to start, not what is running this minute; 'service <name> status' or the netstat check below tells you that). Then turn off everything you don't need and make sure it will not start again at boot.
I would also like to stress that if you are running a server, DO NOT set it to start X Windows when it boots; that is runlevel 5. It introduces more services and security problems that you do not need to deal with. To find out what runlevel your system boots into, check the '/etc/inittab' file for the line 'id:(Number):initdefault:'. The number in this line tells the system what runlevel to boot into. For a workstation 5 is ok, but for a server make sure that it is 3. Now, on to turning off services.
You can use 'chkconfig --list' to show every service and whether it starts or stops in each runlevel. Here is an example:
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
random 0:off 1:off 2:on 3:on 4:on 5:on 6:off
xinetd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
keytable 0:off 1:off 2:on 3:on 4:on 5:on 6:off
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
atd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
syslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
xinetd based services:
finger: off
linuxconf-web: off
rexec: off
rlogin: off
rsh: off
swat: off
ntalk: off
talk: off
telnet: off
tftp: off
wu-ftpd: off
chargen: off
chargen-udp: off
daytime: off
daytime-udp: off
echo: off
echo-udp: off
time: off
time-udp: off
Make sure that you read down the column for the runlevel that you are using. In this example, if we are in runlevel 5, all of the main (SysV) services are on and none of the xinetd services are on. Remember that an xinetd service only ever starts if xinetd itself is on in that runlevel.
To turn off a service: we'll turn off atd from the example above. 'at' is notorious for security problems and few servers need it. The command is 'chkconfig servicename off', so to turn off atd we run 'chkconfig atd off'. That only removes the start links for the runlevels; the copy that is already running keeps running until you also do 'service atd stop'.
If we run 'chkconfig --list' again, we get this:
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
random 0:off 1:off 2:on 3:on 4:on 5:on 6:off
xinetd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
keytable 0:off 1:off 2:on 3:on 4:on 5:on 6:off
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
atd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
syslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
xinetd based services:
finger: off
linuxconf-web: off
rexec: off
rlogin: off
rsh: off
swat: off
ntalk: off
talk: off
telnet: off
tftp: off
wu-ftpd: off
chargen: off
chargen-udp: off
daytime: off
daytime-udp: off
echo: off
echo-udp: off
time: off
time-udp: off
Notice that atd is now off for all the runlevels. Be sure to turn off every service that you don't need.
Another useful trick is to issue the command 'netstat -a | grep LISTEN'.
This shows every TCP port your machine is listening on. UDP sockets have no LISTEN state, so they never appear in that output; run 'netstat -an' and look at the udp lines as well ('-n' prints port numbers instead of names, and '-p' as root shows which process owns each socket). Here is example output of the command:
tcp 0 0 *:32768 *:* LISTEN
tcp 0 0 *:printer *:* LISTEN
tcp 0 0 *:pop3 *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN
tcp 0 0 *:x11 *:* LISTEN
tcp 0 0 *:ftp *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 *:smtp *:* LISTEN
unix 2 [ ACC ] STREAM LISTENING 2539 /tmp/xmms_jabbott.0
unix 2 [ ACC ] STREAM LISTENING 2231 /tmp/ksocket-jabbott/klauncher0B6Kjc.slave-socket
unix 2 [ ACC ] STREAM LISTENING 3959 /tmp/orbit-jabbott/orb-4259398361023269615
unix 2 [ ACC ] STREAM LISTENING 2044 /tmp/.X11-unix/X0
unix 2 [ ACC ] STREAM LISTENING 7860 /tmp/ksocket-jabbott/kdesud_:0
unix 2 [ ACC ] STREAM LISTENING 1798 private/rewrite
unix 2 [ ACC ] STREAM LISTENING 1802 private/bounce
unix 2 [ ACC ] STREAM LISTENING 1806 private/defer
unix 2 [ ACC ] STREAM LISTENING 1814 private/smtp
unix 2 [ ACC ] STREAM LISTENING 1153 /var/run/lprng
I know that this probably looks like gibberish, but we only need to focus on the top part. This is output from the machine I am writing this documentation on. The lines that begin with 'tcp' are open ports on this machine: printer is the LPR daemon so people can print to my machine, pop3 is my incoming email server, sunrpc is the portmapper that lets me use NFS to mount remote filesystems, x11 is my X Windows server, and so on. A LISTEN entry with a bare number such as 32768 is also a server waiting for connections, not a session (a session from another machine would show as ESTABLISHED, never LISTEN); on RH 7.x a high port like that is typically an RPC service such as rpc.statd, and 'rpcinfo -p' will tell you which. The 'unix' lines are local sockets, not reachable from the network. This output shows exactly what is open on your machine. It is best to check it after you have turned off all your services and rebooted, to ensure they aren't starting up automatically anymore. After running it, you know what still needs to be shut off. Go to it.
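The same review can be automated so that a reboot check compares what is listening against what you expect. The following is an added example, not part of the original page; its sample netstat output is constructed from the listing above (with an ESTABLISHED session and two UDP sockets added to show what 'grep LISTEN' hides), and the addresses in it are made up.

```shell
#!/bin/sh
# Added example, not from the original page: reduce netstat output to the TCP
# ports the machine is listening on, list the UDP sockets that 'grep LISTEN'
# silently misses, and flag listeners that are not on an allowlist. The sample
# output is constructed from the page's example; on a real box feed it
# "$(netstat -an)" (or 'netstat -anp' as root to see the owning process).

SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:32768                 *:*                     LISTEN
tcp        0      0 *:printer               *:*                     LISTEN
tcp        0      0 *:pop3                  *:*                     LISTEN
tcp        0      0 *:sunrpc                *:*                     LISTEN
tcp        0      0 *:x11                   *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 *:smtp                  *:*                     LISTEN
tcp        0      0 192.168.1.5:ssh         192.168.1.9:1043        ESTABLISHED
udp        0      0 *:sunrpc                *:*
udp        0      0 *:32768                 *:*
unix  2      [ ACC ]     STREAM     LISTENING     2044   /tmp/.X11-unix/X0'

# tcp_listeners NETSTAT_TEXT -> the port (name or number) of every TCP socket
# in LISTEN state, one per line; established sessions are not listeners
tcp_listeners() {
    printf '%s\n' "$1" | awk '$1 == "tcp" && $NF == "LISTEN" {
        n = split($4, a, ":"); print a[n] }'
}

# udp_sockets NETSTAT_TEXT -> every bound UDP port; UDP has no LISTEN state,
# so these never show up in 'netstat -a | grep LISTEN'
udp_sockets() {
    printf '%s\n' "$1" | awk '$1 == "udp" { n = split($4, a, ":"); print a[n] }'
}

# unexpected_listeners NETSTAT_TEXT "ssh smtp" -> TCP listeners that are not in
# the space-separated allowlist; anything printed needs a service turned off
unexpected_listeners() {
    allow=" $2 "
    tcp_listeners "$1" | while read -r port; do
        case "$allow" in
            *" $port "*) ;;                 # expected listener
            *) printf '%s\n' "$port" ;;
        esac
    done
}
```

Keep the allowlist with the server's build notes; when a reboot check prints anything, either a service was not really turned off or something new was installed, and both are worth knowing.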
If you decide to remove sendmail, here's how to keep it from restarting at boot time: 'chkconfig --del sendmail' ('chkconfig sendmail off' does the same while keeping the chkconfig entry). Either way, the copy already running stays up until you also run 'service sendmail stop'.
If you do wish to have sendmail running on your system, RedHat ships by default with sendmail listening only on the local machine (127.0.0.1) and not accepting email from the network; 'netstat -an | grep :25' will confirm that. This is for the best. If you are setting up a mail server, see our sendmail configuration page.
rpm -i ftp://linuxserv.uga.edu/pub/unix/linux/updateme-3.5.4-1.noarch.rpm
(Installing straight from an FTP URL gives you no chance to inspect the package; if you prefer, download it first and, if it is signed, run 'rpm --checksig' on the file before 'rpm -i'.) To actually install the updates, run /usr/local/bin/updateme.
Run '/usr/local/bin/updateme --cron' to install a cron job that will let you know when there are new updates. This creates a job in /etc/cron.weekly that emails root every Sunday with any necessary updates.
For that mail to reach a person, add a line such as 'root: johndoe@uga.edu' (or whatever address you want) to /etc/aliases and then run 'newaliases' to make the change take effect.
Ssh is a telnet-like utility which encrypts your login id, password and terminal session, and a related tool, scp, copies files to and from computers over an encrypted connection. It's a great security tool! Sshd also honours the tcpwrappers configuration files (hosts.allow and hosts.deny) to control access. For more information, read the ssh and sshd man pages.
It is possible to configure ssh so that a user can log in from a trusted host without a password, using .rhosts or .shosts files just as rlogin does. This is a bad idea: it takes the other machine's word for who the user is, so compromise of one system quickly leads to compromise of the others. Don't use .rhosts or .shosts to allow passwordless entry; keep 'IgnoreRhosts yes' and, with the OpenSSH 2.x/3.x shipped with RH 7.x, 'RhostsAuthentication no' and 'RhostsRSAAuthentication no'. (Public-key authentication with a passphrase-protected key is a different mechanism and does not have this problem.)
Make sure /etc/ssh/sshd_config contains these lines, and restart sshd ('service sshd restart') after editing it:
PermitRootLogin no
PermitEmptyPasswords no
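Because a commented-out directive does nothing and sshd uses the first occurrence of a directive it finds, "grep PermitRootLogin sshd_config" is not a reliable check. The following is an added example and not part of the original page: a small audit of an sshd_config against the settings above plus the host-based trust options. The two sample configs are constructed; the directive names are the OpenSSH 2.x/3.x ones, so on a much newer sshd the Rhosts* lines would instead be reported as unknown options.

```shell
#!/bin/sh
# Added example, not from the original page: check an sshd_config for the
# settings the text requires, plus the host-based trust options that make
# .rhosts/.shosts logins possible. Directive names are case-insensitive and
# the first uncommented occurrence wins, which this honours. The sample
# configs below are constructed.

# Required settings, lower-cased, as directive=value. RhostsAuthentication and
# RhostsRSAAuthentication are the OpenSSH 2.x/3.x names used on RH 7.x.
REQUIRED='permitrootlogin=no
permitemptypasswords=no
ignorerhosts=yes
rhostsauthentication=no
rhostsrsaauthentication=no'

# effective_value CONFIG_TEXT DIRECTIVE -> the first non-comment value,
# lower-cased; prints nothing when the directive is not set at all
effective_value() {
    printf '%s\n' "$1" | awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == want { print tolower($2); exit }'
}

# sshd_config_findings CONFIG_TEXT -> one line per missing or wrong directive;
# prints nothing when the config meets every requirement
sshd_config_findings() {
    printf '%s\n' "$REQUIRED" | while IFS='=' read -r directive expected; do
        actual=$(effective_value "$1" "$directive")
        if [ -z "$actual" ]; then
            printf '%s: not set (sshd default applies)\n' "$directive"
        elif [ "$actual" != "$expected" ]; then
            printf '%s: is %s, want %s\n' "$directive" "$actual" "$expected"
        fi
    done
}

# Constructed: the commented line does not count, so root login is allowed
WEAK_CONFIG='# PermitRootLogin no
PermitRootLogin yes
PermitEmptyPasswords no
IgnoreRhosts yes
RhostsRSAAuthentication yes'

# Constructed: what the text asks for
HARDENED_CONFIG='PermitRootLogin no
PermitEmptyPasswords no
IgnoreRhosts yes
RhostsAuthentication no
RhostsRSAAuthentication no'

# On a real host: sshd_config_findings "$(cat /etc/ssh/sshd_config)"
```

A directive that is "not set" is not necessarily wrong, but it means you are relying on the compiled-in default of whatever sshd version is installed, which is exactly what an upgrade can change under you; set each one explicitly.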
Logcheck periodically searches through the logs in /var/log to find unusual or "suspicious" entries. Each time it runs, it mails a report to the root user (so the /etc/aliases entry above matters here too).
For more information about logcheck, see its documentation.
You may want to modify your /etc/logcheck/logcheck.ignore file so it doesn't send you too much useless information. It is a list of egrep patterns; any log line that matches one of them is left out of the report, so keep the patterns as specific as you can, or you will also hide the entries you wanted to see. Here is a sample logcheck.ignore file that has been modified to weed out harmless log entries.
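To see what an ignore pattern actually does to the report, here is the filtering step logcheck performs, as an added example that is not part of the original page or of logcheck itself. The log lines and the two pattern lists are constructed; the hostnames, users and addresses in them are made up.

```shell
#!/bin/sh
# Added example, not from the original page: the filtering step logcheck
# performs with logcheck.ignore (a file of egrep patterns; any log line that
# matches one is dropped from the report) and with logcheck.violations (lines
# matching these are reported under their own heading). All log lines and
# patterns below are constructed for the example.

# Constructed logcheck.ignore: routine noise we do not want mailed to root.
# Note how specific the patterns are; 'sshd' alone would also hide failures.
IGNORE_PATTERNS='sshd\[[0-9]+\]: Accepted publickey for
CROND\[[0-9]+\]: \(root\) CMD \(run-parts /etc/cron\.hourly\)
syslogd .*: restart'

# Constructed logcheck.violations: things that should always be reported
VIOLATION_PATTERNS='Failed password for
session opened for user root'

SAMPLE_LOG='Jun  3 04:02:00 web1 CROND[1234]: (root) CMD (run-parts /etc/cron.hourly)
Jun  3 04:02:17 web1 sshd[1301]: Accepted publickey for jdoe from 10.0.0.5 port 40022 ssh2
Jun  3 04:03:41 web1 sshd[1310]: Failed password for root from 203.0.113.9 port 51012 ssh2
Jun  3 04:03:44 web1 sshd[1310]: Failed password for root from 203.0.113.9 port 51012 ssh2
Jun  3 04:05:00 web1 syslogd 1.4.1: restart.
Jun  3 04:06:12 web1 su(pam_unix)[1402]: session opened for user root by jdoe(uid=500)
Jun  3 04:07:30 web1 kernel: eth0: link up'

# filter_log LOG_TEXT PATTERNS [grep options] -> grep -E with the pattern list
# written to a temporary file, the way logcheck applies its own pattern files
filter_log() {
    log=$1; pats=$2; shift 2
    patfile=$(mktemp) || return 1
    printf '%s\n' "$pats" > "$patfile"
    # grep exits 1 when it selects nothing; for a report that is a clean
    # result, not an error, so do not let it abort a script run under set -e
    printf '%s\n' "$log" | grep -E "$@" -f "$patfile" || :
    rm -f "$patfile"
}

# unusual_lines LOG_TEXT -> everything not matched by logcheck.ignore
unusual_lines() { filter_log "$1" "$IGNORE_PATTERNS" -v; }

# violation_lines LOG_TEXT -> the subset of unusual lines that also match
# logcheck.violations
violation_lines() { filter_log "$(unusual_lines "$1")" "$VIOLATION_PATTERNS"; }
```

With the sample above the report would carry the two failed root logins, the su to root and the link-up message, and nothing from cron, the successful key login or the syslog restart; loosen the first ignore pattern to 'sshd' and the failed logins disappear too, which is the mistake to avoid when trimming the file.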
Remove /etc/issue and /etc/issue.net and change /etc/rc.d/rc.local, which on RedHat rewrites both files at every boot with the distribution release and kernel version (comment out or delete those lines). This makes it harder for potential hackers to gain information about your machine.
rm /etc/issue /etc/issue.net
/etc/hosts.allow lists which hosts may connect to each wrapped service.
The format is service : [host] [domain] ...
/etc/hosts.deny lists which hosts may not.
The format is service : [host] [domain] ...
On the left is the daemon name (or ALL); on the right are hosts, networks written with a trailing dot (192.168.1.) or domains written with a leading dot (.uga.edu). hosts.allow is consulted first, then hosts.deny, and a connection matching neither is allowed, so put 'ALL: ALL' in hosts.deny and list only what you want in hosts.allow. Only services started through xinetd and daemons built with libwrap (sshd, for example) honour these files; everything else needs its own access control or a packet filter.
man hosts.allow
man hosts.deny
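A minimal deny-by-default pair, as an added example rather than a configuration from the original page; the network and domain are assumed, and in.ftpd is the wu-ftpd server program that xinetd runs.

```text
# /etc/hosts.deny: refuse everything that is not explicitly allowed below
ALL: ALL

# /etc/hosts.allow: consulted before hosts.deny, so these entries win.
# A trailing dot is a network prefix, a leading dot is a domain suffix
# (both are tcp_wrappers wildcards). Network and domain are assumed.
sshd: 192.168.1. .uga.edu
in.ftpd: 192.168.1.
```

Check the result before relying on it: 'tcpdchk' from the tcp_wrappers package reports syntax errors and rules for daemons that are not actually wrapped, and 'tcpdmatch sshd 10.0.0.7' shows which rule a given client would hit.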