This page provides details about RedHat Linux security precautions. There is also a shorter page in "checklist" format.
Run pwconv to turn on shadow passwords. This moves the encrypted password strings out of the world-readable /etc/passwd into /etc/shadow, a file readable only by root, so that someone cannot simply copy /etc/passwd and run it through a password-cracking program.
Edit /etc/inetd.conf and comment out as many of the following services as your situation allows. Check the man page for each service to find out what it does. As a notable example, if you can require all your users to use secure shell, you don't need to allow telnet, rlogin or rsh.
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
gopher stream tcp nowait root /usr/sbin/tcpd gn
shell stream tcp nowait root /usr/sbin/tcpd in.rshd
login stream tcp nowait root /usr/sbin/tcpd in.rlogind
talk dgram udp wait root /usr/sbin/tcpd in.talkd
ntalk dgram udp wait root /usr/sbin/tcpd in.ntalkd
pop-2 stream tcp nowait root /usr/sbin/tcpd ipop2d
pop-3 stream tcp nowait root /usr/sbin/tcpd ipop3d
imap stream tcp nowait root /usr/sbin/tcpd imapd
finger stream tcp nowait root /usr/sbin/tcpd in.fingerd
time stream tcp nowait nobody /usr/sbin/tcpd in.timed
time dgram udp wait nobody /usr/sbin/tcpd in.timed
auth stream tcp nowait nobody /usr/sbin/in.identd in.identd -l -e -o
After changing /etc/inetd.conf, restart inetd with this
command: /usr/bin/killall -HUP inetd
For RH 7.x: the control of network services may depend on the type of install you chose. For a server installation, or if you chose it explicitly during a custom install, xinetd may serve as a replacement for inetd. For more information on this highly configurable daemon see the man pages or the xinetd web page: http://www.xinetd.org/.
If you chose to do a workstation or laptop install, xinetd will not be installed, since the assumption is that you will not be offering network services.
Use chkconfig and ntsysv to see what is running and what is set to run. Then turn everything you don't need off and set it so that it will not restart.
chkconfig --list | grep :on
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
random 0:off 1:off 2:on 3:on 4:on 5:on 6:off
xinetd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
keytable 0:off 1:off 2:on 3:on 4:on 5:on 6:off
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
atd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
syslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
xinetd based services:
finger: off
linuxconf-web: off
rexec: off
rlogin: off
rsh: off
swat: off
ntalk: off
talk: off
telnet: off
tftp: off
wu-ftpd: off
chargen: off
chargen-udp: off
daytime: off
daytime-udp: off
echo: off
echo-udp: off
time: off
time-udp: off
Another useful trick is to issue the command netstat -a | grep LISTEN and turn off any listening services that you don't need.
To turn off a service you don't need, use its startup script (e.g. /etc/rc.d/init.d/portmap stop). To keep the service from starting again at boot, use: chkconfig --del service
If you decide to remove sendmail, here's how to disable it from restarting
at boot time: chkconfig --del sendmail
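The chkconfig review described above can be scripted: the following added example (not from the original page) reads output in the format that chkconfig --list produces, including the "xinetd based services:" section, and reports every service enabled in runlevel 3 or 5 that is not on an allowlist you supply. The sample output it reads is constructed for the demonstration; on a real machine you would pipe chkconfig --list into audit_services instead.

```shell
#!/bin/sh
# Added example, not from the original page: list the services that
# "chkconfig --list" reports as enabled in the multi-user runlevels
# (3 and 5) but that are missing from an allowlist of services you
# actually want. Both output sections are handled: the SysV lines
# ("sshd  0:off 1:off 2:on 3:on 4:on 5:on 6:off") and the
# "xinetd based services:" lines ("telnet: on").
# Usage on a real box: chkconfig --list | audit_services "network syslog sshd"

audit_services() {        # $1 = space-separated allowlist of wanted services
    awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /^xinetd based services:/ { xinetd = 1; next }
    # xinetd section: "finger: off" / "telnet: on"
    xinetd && NF == 2 && $1 ~ /:$/ {
        name = substr($1, 1, length($1) - 1)
        if ($2 == "on" && !(name in ok)) print name " (xinetd)"
        next
    }
    # SysV section: field 5 is runlevel 3, field 7 is runlevel 5
    !xinetd && NF == 8 && ($5 == "3:on" || $7 == "5:on") && !($1 in ok) {
        print $1 " (init script)"
    }'
}

# Constructed sample in the chkconfig --list format (not real output).
sample_chkconfig() {
    cat <<'EOF'
network        0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd         0:off   1:off   2:off   3:on    4:on    5:on    6:off
sshd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
sendmail       0:off   1:off   2:on    3:on    4:on    5:on    6:off
portmap        0:off   1:off   2:off   3:off   4:off   5:off   6:off
xinetd based services:
        finger:  off
        telnet:  on
        wu-ftpd: off
EOF
}

# With this allowlist the report names sendmail and telnet as unwanted.
sample_chkconfig | audit_services "network xinetd sshd syslog crond"
```

Anything the report lists is a candidate for the init-script stop and chkconfig --del steps above.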
rpm -i ftp://linuxserv.uga.edu/pub/unix/linux/updateme-3.5.4-1.noarch.rpm
Note for Redhat 6.2 users:
Before you try to install or run "updateme" for the first time, install the following updates with the commands listed below, in the order shown:
rpm -U ftp://linuxserv.uga.edu/pub/unix/linux/redhat/updates/6.2/en/os/i386/db3-3.1.17-4.6x.i386.rpm
rpm -U ftp://linuxserv.uga.edu/pub/unix/linux/redhat/updates/6.2/en/os/i386/openssl-0.9.5a-7.6.x.i386.rpm
rpm -U ftp://linuxserv.uga.edu/pub/unix/linux/redhat/updates/6.2/en/os/i386/openldap-1.2.12-3.i386.rpm
rpm -U ftp://linuxserv.uga.edu/pub/unix/linux/redhat/updates/6.2/en/os/i386/rpm-4.0.2-6x.i386.rpm
To actually install the updates, run /usr/local/bin/updateme.
Run /usr/local/bin/updateme --cron to install a cron job
that will let you know when there are new updates.
If you want to get notified weekly instead of daily, do this:
mv /etc/cron.daily/updateme /etc/cron.weekly
Add the line root: johndoe@uga.edu (or whatever address you want) to /etc/aliases, so that mail sent to root reaches a mailbox you actually read, and then run newaliases to make the change take effect.
rpm -i ftp://linuxserv.uga.edu/pub/unix/linux/openssh6.2/openssh-3.1p1-1.i386.rpm
rpm -i ftp://linuxserv.uga.edu/pub/unix/linux/openssh6.2/openssh-askpass-3.1p1-1.i386.rpm
rpm -i ftp://linuxserv.uga.edu/pub/unix/linux/openssh6.2/openssh-askpass-gnome-3.1p1-1.i386.rpm
rpm -i ftp://linuxserv.uga.edu/pub/unix/linux/openssh6.2/openssh-clients-3.1p1-1.i386.rpm
rpm -i ftp://linuxserv.uga.edu/pub/unix/linux/openssh6.2/openssh-server-3.1p1-1.i386.rpm
Ssh is a telnet-like utility which encrypts your login id, password, and terminal session; a related tool, scp, can be used to copy files to and from computers over an encrypted connection. It's a great security tool! Ssh can also use the tcpwrappers configuration files to control access. For more information, read the ssh man pages.
It is possible to configure ssh so that a user can login without using his or her password. This is a bad idea because compromise of one system can quickly lead to compromise of others. Don't use .rhosts or .shosts to allow passwordless entry.
Make sure /etc/ssh/sshd_config contains these lines:
PermitRootLogin no
PermitEmptyPasswords no
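Simply grepping for those two lines is not enough, because a line such as "#PermitRootLogin no" is a comment, not a setting, and sshd uses the first value it reads for a keyword, so a later duplicate does not override an earlier one. The following added example (not from the original page) evaluates an sshd_config the way sshd does and reports the effective value of both keywords; the two sample configurations it checks are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original page: check that an sshd_config
# effectively sets PermitRootLogin and PermitEmptyPasswords to "no".
# Comments are stripped first, keywords are matched case-insensitively,
# and the FIRST value seen for a keyword wins, as in sshd itself.
# A keyword that is not set at all is reported as FIX, because the
# advice above is to state both explicitly.
# Reads the file named in $1, or stdin when no file is given.

check_sshd_config() {
    awk '
    { sub(/#.*/, "") }                        # drop comments (NF is recomputed)
    NF >= 2 {
        key = tolower($1)
        if (!(key in val)) val[key] = tolower($2)   # first value wins
    }
    END {
        keys[1] = "permitrootlogin"; keys[2] = "permitemptypasswords"
        rc = 0
        for (i = 1; i <= 2; i++) {
            k = keys[i]
            v = (k in val) ? val[k] : "(unset)"
            st = (v == "no") ? "ok" : "FIX"
            if (st == "FIX") rc = 1
            printf "%-22s %-8s %s\n", k, v, st
        }
        exit rc
    }' "$@"
}

# Constructed sample: looks hardened at a glance, but the "no" line is a
# comment and the live setting permits root login.
weak_config() {
    printf '#PermitRootLogin no\nPermitRootLogin yes\nPermitEmptyPasswords no\n'
}

# Constructed sample: hardened; the later duplicate line is ignored by sshd.
hardened_config() {
    printf 'PermitRootLogin no\nPermitEmptyPasswords no\n# duplicate below is ignored\nPermitRootLogin yes\n'
}

echo "== weak sample ==";     weak_config | check_sshd_config || echo "needs fixing"
echo "== hardened sample =="; hardened_config | check_sshd_config && echo "looks good"
```

On a real system run check_sshd_config /etc/ssh/sshd_config; a non-zero exit status means at least one keyword needs attention.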
rpm -i ftp://linuxserv.uga.edu/pub/unix/linux/redhat/contrib/libc6/i386/logcheck-1.1.1-1.i386.rpm
Logcheck periodically searches through the logs in /var/log to find unusual or "suspicious" entries. Each time it is run, it mails a nice report to the root user.
You may want to modify your /etc/logcheck/logcheck.ignore file so it doesn't send you too much useless information. Here is a sample logcheck.ignore file that has been modified to weed out harmless log entries.
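When trimming logcheck.ignore, the risk runs the other way too: a pattern that is too broad hides the entries you most want to see. The following added example (not from the original page) applies two constructed ignore files to a few constructed syslog lines, assuming that logcheck drops every line matching any extended regular expression in the file (egrep -v -f, case-insensitively), and shows that bare daemon names such as "sshd" silently discard failed logins along with the routine noise.

```shell
#!/bin/sh
# Added example, not from the original page: show what a logcheck.ignore
# file does by applying its patterns to constructed syslog lines. It assumes
# logcheck drops every line matching any of the extended regular expressions
# in the file (egrep -v -f), so an over-broad pattern hides real problems.

# Constructed sample log lines (hostname, users, addresses and PIDs are made up).
sample_log() {
    cat <<'EOF'
Mar  3 10:01:02 host1 crond[1432]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 10:02:15 host1 sshd[1501]: Accepted password for alice from 10.0.0.5 port 40123 ssh2
Mar  3 10:02:40 host1 sshd[1510]: Failed password for root from 10.0.0.9 port 40200 ssh2
Mar  3 10:03:00 host1 su(pam_unix)[1533]: authentication failure; logname=bob uid=500
Mar  3 10:04:00 host1 PAM_pwdb[1560]: (login) session opened for user bob by (uid=0)
EOF
}

# Precise patterns: anchored to the exact routine messages we want to drop.
precise_ignore() {
    cat <<'EOF'
crond\[[0-9]+\]: \(root\) CMD \(run-parts /etc/cron\.(hourly|daily|weekly|monthly)\)
sshd\[[0-9]+\]: Accepted password for [a-z0-9_]+ from
EOF
}

# Sloppy patterns: bare daemon names hide failures as well as routine noise.
sloppy_ignore() {
    cat <<'EOF'
crond
sshd
EOF
}

# Lines that survive an ignore file; these are what logcheck would mail you.
surviving_lines() {        # $1 = name of the function that prints the patterns
    ignore=$(mktemp)
    "$1" > "$ignore"
    sample_log | grep -E -i -v -f "$ignore"
    rm -f "$ignore"
}

count_surviving() { surviving_lines "$1" | wc -l | tr -d ' '; }

echo "== with precise patterns (failed root login is kept) =="; surviving_lines precise_ignore
echo "== with sloppy patterns (failed root login is lost) ==";  surviving_lines sloppy_ignore
```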
Remove /etc/issue and /etc/issue.net, and change /etc/rc.d/rc.local so that they are not recreated at boot. This will make it harder for potential hackers to gain information (such as the distribution and kernel version) about your machine.
rm /etc/issue /etc/issue.net
Comment out the lines in /etc/rc.d/rc.local that look like this:
#This will overwrite /etc/issue at every boot. So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
#echo "" > /etc/issue
#echo "$R" >> /etc/issue
#echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
#cp -f /etc/issue /etc/issue.net
#echo >> /etc/issue
Restrict which hosts may reach the tcp-wrapped services through /etc/hosts.allow (hosts that are permitted) and /etc/hosts.deny (hosts that are refused).
The format of a line in either file is service : [host] [domain] ...
For the full syntax, see:
man hosts.allow
man hosts.deny
To check the wrapper configuration against /etc/inetd.conf, and to see how a particular request would be handled, use:
/usr/sbin/tcpdchk -i /etc/inetd.conf
/usr/sbin/tcpdmatch -i /etc/inetd.conf [daemon] [host]
To run telnet on a non-standard port, add a line like this to /etc/services:
telnet2 <port>/tcp
For RH 6.2 change the line in inetd.conf that begins with
"telnet" to "telnet2":
telnet2 stream tcp nowait root /usr/sbin/tcpd in.telnetd
Then restart inetd: /usr/bin/killall -HUP inetd
For RH 7 use chkconfig or ntsysv to add the service.