PSS-UNIX's RedHat Linux Security Checklist

This checklist lists security precautions which apply to most versions of RedHat Linux. It is meant to be brief! More details, including explanations and system commands, can be found on the Linux details page.

• Shadow passwords

  Run pwconv to turn on shadow passwords.

• Turn off unnecessary services

  Implementation will depend on the Redhat version installed.

  For RH 6.2 edit /etc/inetd.conf to comment out as many of the following as possible in your situation.

     ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a 
     telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd 
     gopher  stream  tcp     nowait  root    /usr/sbin/tcpd  gn
     shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
     login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
     talk    dgram   udp     wait    root    /usr/sbin/tcpd  in.talkd
     ntalk   dgram   udp     wait    root    /usr/sbin/tcpd  in.ntalkd
     pop-2   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop2d
     pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
     imap    stream  tcp     nowait  root    /usr/sbin/tcpd  imapd
     finger  stream  tcp     nowait  root    /usr/sbin/tcpd  in.fingerd
     time    stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.timed
     time    dgram   udp     wait    nobody  /usr/sbin/tcpd  in.timed
     auth   stream  tcp     nowait    nobody    /usr/sbin/in.identd in.identd -l - e -o
  

  Remember to SIGHUP inetd!

  For RH 7.x you should take the same approach, but network services are administered differently.

  Use chkconfig and/or ntsysv to see what is running and what is set to run. chkconfig is a comand line interface and ntsysv works like a text-mode installation program. Turn everything you don't need off and set it so that it will not restart.

  chkconfig --list
  network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
  random          0:off   1:off   2:on    3:on    4:on    5:on    6:off
  httpd          	0:off	1:off	2:off	3:off	4:off	5:off	6:off
  innd           	0:off	1:off	2:off	3:off	4:off	5:off	6:off
  mars-nwe        0:off   1:off   2:off   3:off   4:off   5:off   6:off
  nfs             0:off   1:off   2:off   3:off   4:off   5:off   6:off
  sendmail        0:off   1:off   2:off   3:off   4:off   5:off   6:off
  xinetd          0:off   1:off   2:off   3:on    4:on    5:on    6:off
  sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
  keytable       	0:off	1:off	2:on	3:on	4:on	5:on	6:off
  crond          	0:off	1:off	2:on	3:on	4:on	5:on	6:off
  atd            	0:off	1:off	2:off	3:on	4:on	5:on	6:off
  syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
  xinetd based services:
          finger: off
          linuxconf-web:  off
          rexec:  off
          rlogin: off
          rsh:    off
          swat:   off
          ntalk:  off
          talk:   off
          telnet: off
          tftp:   off
          wu-ftpd:        off
          chargen:        off
          chargen-udp:    off
          daytime:        off
          daytime-udp:    off
          echo:   off
          echo-udp:       off
          time:   off
          time-udp:       off
  

• Don't run sendmail

  Either don't run the sendmail daemon, or install the latest available with the 'norelay' option.

• Install updates

  Install and use updateme:

   rpm -i ftp://linuxserv.uga.edu/pub/unix/linux/updateme-3.5.4-1.noarch.rpm

  Running a cron job to notify you of updates is a great idea.

• Read root's mail

  Make sure that a human reads root's mail. Change /etc/aliases and run newaliases

• Use secure shell

  Install, configure and use openssh (you need to install it on RH 6.2, it comes with RH 7.x):

    rpm -i ftp://linuxserv.uga.edu/pub/unix/linux/openssh6.2/openssh-3.1p1-1.i386.rpm 
    rpm -i ftp://linuxserv.uga.edu/pub/unix/linux/openssh6.2/openssh-askpass-3.1p1-1.i386.rpm
    rpm -i ftp://linuxserv.uga.edu/pub/unix/linux/openssh6.2/openssh-askpass-gnome-3.1p1-1.i386.rpm
    rpm -i ftp://linuxserv.uga.edu/pub/unix/linux/openssh6.2/openssh-clients-3.1p1-1.i386.rpm
    rpm -i ftp://linuxserv.uga.edu/pub/unix/linux/openssh6.2/openssh-server-3.1p1-1.i386.rpm
  

• Manage your logs

  • Change /etc/logrotate.conf
  • Install and configure logcheck:

     rpm -i ftp://linuxserv.uga.edu/pub/unix/linux/redhat/contrib/libc6/i386/logcheck-1.1.1-1.i386.rpm 

• Don't volunteer information

  Remove /etc/issue and /etc/issue.net and change /etc/rc.d/rc.local. This will make it harder for potential hackers to gain information about your machine.

• Use tcpwrappers

  Configure tcpwrappers and limit connections to localhost and other trusted domains within UGA.

• And for the paranoid ...

  Move the telnet port to some number other than 23 to make it a bit more confusing to hack.