Installation Guidelines
GRUB/LILO
GRUB is the boot loader of choice for RedHat installations; however LILO may always be used in the case of most flavors of LINUX. GRUB/LILO can receive many different kernel level commands and it poses a major security risk if an attacker is able to compromise the kernel. In response you can make sure that only authorized users are able to perform those commands by password protecting during the installation process. If using GRUB, the password is by default stored as clear text, and so you will want modify the /etc/grub.conf file to store the password in an MD5 checksum. $ /sbin/grub–md5–crypt Password: (at the prompt enter the GRUB password you created at installation and press enter) $ #%t%661GFGftffgctTFTDd (This is the MD5 hash) edit the grub.conf file and replace the clear text password with the MD5 Hash. You must use the –MD5 option or the password will be stored as the MD5 Hash and not the encrypted password. Password – md5 $1$m0tLR/ $#%t%661GFGftffgctTFTDd

Partitioning
Partitioning correctly will help to mitigate against one specific type of denial of service. For example and attack designed to fill up a /tmp or spool directory. If your files are on the same partition as the directory under attack, your system could be rendered unusable. One should use a partition strategy where those directories that are most likely to be filled by an attacker. Typically this is /var and /home . If you are using a server for ftp or e–mail, you may want to consider separate partitions for the application specific files. /boot contains all files for boot process /home contains individual user home directories /usr contains files shared across a system by multiple users /var contains files that are dynamic by nature. ( log files, spool files, scheduler / /tmp swap

contains files Contains contains for system temp paging files management files for memory when no management other partition is available

files etc.)

Recommended System Schemes Configurations
Workstation Swap = 2 x physical memory /boot = 50 MB / = depends on disk space Server Swap = 2 x physical memory /boot = 50 MB / = 384 MB /var = 256 MB /usr = depends on disk space /home = depends on disk space Firewall Configuration on Installation No Firewall – Allows complete access to your system with no security check at all. Medium – restrictions are automatically on certain services • • • • Ports lower than 1023 NFS Server port 2049 Local X Windows display for remote clients X font server port Laptop Swap = 2 x physical memory /boot = 50 MB / = depends on disk space Custom Swap = 2 x physical memory /boot = 50 MB / = depends on disk space

High – Most restrictive and denies all access except DNS, DHCP and anything else explicitly allowed. If possible install IPTables; it is an improvement over the default installation. It can be found at http://www.iptables.org In RedHat 8 and above it is the default firewall daemon. Account Authentication Configuration Make sure that the root password is secure and that you maintain a MD5 checksum of all the passwords in a separate file. Make sure that the password file itself is shadowed; this should be default on RedHat installations.

Package Installation:
Install only what you think you will need. You can always install new packages in the futures. Network Security Network Parameter Modification (RedHat only) Edit /etc/sysctl.conf with the following changes Net.ipv4.ip_forward = 0 (this disables ip forwarding, it should only be enabled if you plan to use the machine as a router/gateway) Net.ipv4.conf.all.accept_source_route = 0 (disables ip source routing) Net.ipv4.tcp_max_syn_backlog = 4096 (enables syn flood protection) Net.ipv4.conf.all.rpP_filter = 1 (enables ip spoofing protection) Net.ipv4.tcp_syncookies = 1 (enables tcp syn flood protection) Net.ipv4.conf.all.send_redirects = 0 (disables the ability to send ICMP Redirects) Net.ipv4.conf.all.accept_redirects = 0 (disables ICMP Redirect acceptance) Net.ipv4.conf.default.accept_redirects = 0 also disables ICMP redirect acceptance) Save the changes and run the following commands as root # chown root:root /etc/sysctl.conf # chmod 0600 /etc/sysctl.conf # /etc/rc.d/init.d/network restart

Disallow Remote Root Login
There should never be a need for root to login remotely. Any access required by root for system maintenance should be performed on the local system console or via SSH. Edit /etc/securetty to reflect the following changes: tty1 tty2 tty3 tty4

tty5 tty6 Save the changes and run the following commands; # chown root:root /etc/securetty # chmod 400 /etc/securetty Disable CTRL–ALT–Delete For those machines with poor or non–existent physical security it is recommended to disable the almighty CTRL–ALT–Delete. Edit /etc/inittab and comment out the following line: #ca::ctrlaltdel: /sbin/shutdown –t3 –r now Save and restart the service # /sbin/init q

Warning Banners:
Although it is not clear legally, often time’s administrators will present a warning banner to assist in prosecution. Also by changing the login banners there is the additional benefit of hiding the OS version and detailed system information. Edit the following files /etc/motd – Displays message of the day for a user with successful login /etc/issue – Displayed to any user that is logging into the system locally /etc/issue.net – Displayed to users logging in remotely via SSH, Telnet, or FTP In earlier versions, before RedHat 7.3 commands in /etc/rc.d/rc.local would overwrite the issue and motd files. These commands have been removed since version 7.3.

Password Protecting Single–user–Mode
Single User Mode allows for local system maintenance and allows a user to move directly into Run Level 1 as root. Edit /etc/inittab to reflect the following changes id:3:initdefault:

~~:S:wait:/sbin/sulogin Save the changes and restart the service # /sbin/init q

User Account & Password Security:

Quick Tips:
• • • • Allow users to use root utilities as .sudo only b/c it is logged by the system Shadow the password files in /etc/shadow . Run “Crack” or “John the Ripper” to check for password integrity. Familiarity should be found with programs to manage users and groups (man 8 pwunconv) Install a boot loader password during installation

Password Aging
By default a user account is required to change its password every 9999 days and no minimum limit is set on how long a password must be kept before changing it. The following command will set limits for all existing users whose ID is greater than 500 (default for normal user accounts). # awk – F: ‘$3 >= 500 { system (“chage –M 180 –m 2 “ $1) } ‘ /etc/passwd Change the following lines in the /etc/login.defs so newly created users accounts will inherit these values PASS_MAX_DAYS 99999 –> PASS_MAX_DAYS 180 PASS_MIN_DAYS 0 –> PASS_MIN_DAYS 2 Purge any unnecessary user accounts that may have been created during the installation process First make a backup copy # for file in /etc/{passwd, shadow, group} ; do /bin/cp –p $file $file.orig ; done Remove unnecessary user accounts # for user in uucp operator games gopher ; do /usr/sbin/userdel $user ; done

Remove unnecessary groups done # for user in dip operator gopher games uucp ; do /usr/sbin/groupdel $group ;

When deleting groups and users you should verify that no mistakes have been made that will prevent someone from logging in. # /user/sbin/pwck # /usr/sbin/grpck These commands validate that /etc/passwd and /etc/group are properly formatted. Reassign all files originally owned by deleted users to root by using the following commands /usr/sbin/find / –nouser –exec /bin/chown root {} \; /usr/sbin/find / –nogroup –exec /bin/chgrp root {} \;

Locking System Accounts
Some user accounts are only used by a system service or daemon and never require interactive login. Interactive Login should be disabled. # for user in bin daemon adm ftp sync lp mail news nobody ; do /usr/sbin/usermod –L –s /dev/null $user ; done Verify that no account has an empty password #awk –F: ‘($2 == “”) { print $1 } ‘ /etc/shadow If nothing is printed than all is well. Otherwise add a password for the account or delete/lock the user

Tighten the default umask
A user’s umask determines permissions on any new files created by a user. The default user account (where user name is the same as group name) with user id greater than 99 is 002 (i.e. 664 for files and 775 for directories). Root is 022 (644 for files and 755 for directories) The default umask should not result in the creation of world readable files for normal users. Edit the lines in the /etc/bashrc and /etc/csh.cshrc files: umask 022 –> umask 077 (some rpm assume a default umask of 022 and may give warnings during installs) umask 002 –> umask 007

Miscellaneous Account Limits (RedHat only)
Further user account configuration can be made in the limits.conf, time.conf within the /etc/security directory.

System Resources Usage (from Bastille)
To prevent individual users from consuming too many system resources, edit /etc/security/limits.conf so that the core files will not be created, individual files sizes are limited to 100MB, and a user can only have 150 concurrent processes running Add the following lines: • • • hard core 0 hard fsize 102400 nproc 150

Securing and Disabling Services
Identify Services that are configured to start (RedHat only) # /sbin/chkconfig –list | grep –e “\(:. *on\|xinetd based \)’ The services that should be running on a given system are the following: (look at /etc/init.d/servicename to see what the services do) Keytable Syslog Network Random Crond Anacron Iptables Ntpd

Disable and remove services that should not be started
# /etc/init.d/servicename stop # /sbin/chkconfig –level 0123456 servicename off

Remove rpm packages
# /bin/rpm –e packagename

The package owning a given file can be discovered with # rpm –gf /etc/nit.d/servicemane

Configuring Access with TCPwrappers
Access controls to services compiled with TCPWrappers is implemented in /etc/hosts.allow and /etc/hosts.deny . When connection attempts are made, the hosts.allow file is checked. If a line is matched then the connection is allowed. Then it is checked against hosts.deny. If the connection is no defined at all it is allowed by default. Creating the /etc/banners directory with the warning banner can be made as followed # /bin/mkdir – p /etc/banners # /bin/echo “This system is for restricted users” > /etc/banners/prototype # cd /etc/banners ; /usr/bin/make –f /usr/share/doc/tcp_wrappers– 7.6/Banners.Makefile

Deny everything that is not explicitly allowed
# echo ‘ALL: ALL: spawn (/bin/echo –e ‘bin/date’” \n%c attempted connection to %s and was denied”\ | /bin/mail –s “Connection attempt to %s” root) &’ > /etc/hosts.deny Any connection attempt not listed in hosts.allow will be denied, a message will be logged to the syslog auth facility, and an email will be sent to root.

Allow access only to those that require it
Edit hosts.allow and add a line for each service to which access should be allowed. A few examples are shown below ALL: LOCAL : banners /etc/banners # All services from local clients sshd: 10.1.1.0/255.255.254.0 : banners /etc/banners # SSH from host IP addresses

Secure xinetd
Xinetd should be removed from workstations. If present, there should be one file in the /etc/xinetd.d directory for each service. To control access to the service, find the file with the service name and add the following line between { } Only_from = 10.1.1.0/23 # allow connections from host IP addresses between 10.1.1.0 and 10.1.2.0

Disable X Windows (Servers Only)
The following command will configure the system to run level 3 (multi–user mode with no X) instead run level 5 (with X) and save the original /etc/inittab as /etc/inittab.bak # /usr/bin/perl –p –I.bak –e ‘s/id:5:init/id:3:init/’ /etc/inittab

Updates and Patches
Up2Date http;//www.redhat.com/docs/manuals/RHNetwork/ref–guide/ The Red Hat Network Daemon rhnsd (RedHat only) connects to the Red Hat server 120 minutes to check for available package updates. Autorpm (http://www.autorpm.org) an alternative to up2date # /bin/rpm –I autorpm–2.9.3–1.noarch.rpm Registering the system with the Red Hat Network – you will be prompted for a password and username. (RedHat only) # /usr/sbin/rhn_register Verify Set–up by Manually Checking for Updates (RedHat only) # /usr/sbin/up2date –nox –p (updates packages associated with profile on RedHat server) # /usr/sbin/up2date –nox –u (downloads and installs packages for updates) Configure rhnsd to start when the system boots # /sbin/chkconfig rhnsd on # /etc/init.d/rhnsd start Modify the /etc/autorpm.d/redhat–updates.conf file RPM packages that fail the signature check are placed in an interactive queue. To prevent these suspect rpm packages from getting accidentally installed later, the following line should be added after the line PGP_Require (Yes): PGP_Fail_Install (No); Any updates for rpm packages that are on the mirror site, but without an earlier version already installed on the system, it will be added to the interactive queue. To prevent this, underneath the action (new) stanza change the line from

Install (Interactive); to install (No); Verify Set–up by Manually Checking for Updates Running # autorpm auto without arguments and download TermReadlineGnu. Run #autorpm auto again to check for updates. Binaries will be downloaded and installed. When the prompt returns, issue the following command: #autorpm “install all” An entry in the /etc/cron.daily directory is added by default to enable checking for updates.

File System Security
Secure File System Mount Options
Make the following edits to the /etc/fstab file. Mount the /usr partition as read– only. Most of the executable commands on the system are located in the /usr file system. Mounting as read–only is a good way to protect against Trojaned binaries from being installed. LABEL=/usr /usr ext3 or 1 2

The /usr file system will have to be remounted read–write before applying most rpm upgrades (including any scheduled to be applied by update agents like up2date or autorpm) # mount –o remount, rw /usr After installation, the partition can be mounted read–only again with the following # mount –o remount, ro /usr To prevent SUID or device files from being introduced to the system by removable media, add the no suid and nodev options to the lines for all removable media (e.g. floppy, cdrom) /dev/fd0 /dev/cdrom /mnt/floppy mnt/cdrom ext3 ext3 nosuid, nodev nosuid, nodev 1 1 2 2

File systems that contain home directories should also have nosuid and nodev options set LABEL=/home /home ext3 nosuid, nodev 1 2

Restricting Access to Administrative Utilities
Issue the following commands to remove read, write and execute privileges for users that do not own the files from all files in these directories. consoletype’ # /bin/chmod –R o –rwx /usr/sbin ‘ls /sbin* | grep –v

SUID Permissions for Executable Programs
To see a list of all the files with SUID GUID permissions 02000 \) –ls /usr/bin/find /bin /usr/bin –type f \ ( –perm –04000 –o –perm –

Remove the SUID and GUID permissions from files that d not require it by setting permissions on each file to 755 # /bin/chmod 755 /bin/mount /bin/mount /usr/bin/chsh /usr/bin/chage /bin/ping /usr/bin/chfn

Remove compiler packages from workstations and servers not used for development
# /bin/rm –e cpp gcc gcc–c++ gcc–g77

Logging
Syslog
If possible store syslog on remote machine to avoid compromise from an intruder who would have to hack both the system itself and the remote logging server. Reload the syslogd config file # /etc/init.d/syslogd restart Ensure that syslogd runs on Boot # /sbin/chkconfig –level 2345 syslog on

logrotate.d
/etc/logrotate.conf contains the default option for rotation log files The log rotation times can be changed to lengthen the life of the log file. Be warned that logs can get quite large so one must monitor the log size that it does not get out of hand.

Logwatch
Use logwatch to monitor logs and have emails sent to the root user in light of unexpected activities. Simply change the email address in the /etc/log.d/logwatch.conf file.

ntpd
Rather than use the system time clock, you should configure the Network Time Protocol server daemon to synchronize the system clock with three public NTP servers. NTP servers can be located at http://www.eecis.udel.edu/~mills/ntp/servers.html Get permission from the admins of these servers and the edit /etc/ntp.conf and replace the loopback address with for ex. Server 10.0.0.1 Server 10.0.0.2 Server 10.0.0.3 #IP address of public server #IP address of public server #IP address of public server 1 2 3

Ensure that the NTP daemon is reloaded # /etc/init.d/ntpd restart Ensure that ntpd is configured to start automatically on boot. # /sbin/chkconfig –level 2345 ntpd on

Scheduler Security
Restrict cron and at by editing the /etc/cron.allow and /etc/at.allow Root always has access to create cron and at jobs Create cron.allow file with Su #echo root > /etc/cron.allow Make sure that the schedule task to run is permitted for that user.

Web Security
Ensure that only necessary modules are installed in your apache web server Remove Distributed Authoring Version (DAV) module. This enables modifications to files on the web server using a client browser.

Apache Configuration File (the following section pertains to httpd.conf)
/etc/httpd/conf/httpd.conf Comment out unused modules Such as the following: mod_autoindex – provides directory listings and gives away to much info to hackers mod_include – unless you use server–side includes you should disable this mod_info – allows a client to visit a url and get info about the server running mod_status – allows a client to view server status from a url mod_userdir – allows users to serve pages from a directory within their home directory Modification to the default Directory Access Permissions Change the stanza that controls access permissions Original Options FollowSymLinks AllowOverride none Options None AllowOverride None Order allow,deny Deny from all The modified version does not allow for symbolic links to be followed on the file system. Modification to the default Root Access Permissions Original Modified Modified

 Options Indexes FollowSymLinks AllowOverride None Order allow, deny Allow from all

Options SymLinksIFOwnerMatch AllowOverride None Order allow,deny Allow from all

The original configuration will show a visitor a directory listing for any documents in the document root without an index.html. This option prevents the server from following any links that may be created by other users to areas outside the document root. If multiple users need access to files beneath the web server document root, the AllowOveride AuthConfig option can e used in place of AuthOverride and a separate .htaccess file can be used to authenticate user access. To help us to remain anonymous as to the server version and configuration, we can change signatures in the httpd.conf file that would normally be attached to web pages when they are served. ServerSignature Off We can also remove strings from the HTTP header that are returned to clients from the client requests. This includes name, version and modules loaded on start–up. ServerTokens Prod The email address of the web server can also be displayed on server generated pages. This should be changed to a fake email address. ServerAdmin foo@localhost

CGI Bin
CGI programs are often a common attack tactic if available; these days many companies disable the use of it all together. Reference to the CGI bin and modules should be commented. Starting with LoadModule cgi_module * * module/mod_cgi.so

File Permissions in the Document Root
Write permissions to any file or directory being served by the web server should be removed or it leaves an open door to defacements. The user and group that

the web server process runs under are defined in the httpd.conf file. You should identify all the directories served by the web server to identify any files for which the owner of the web server process has write permissions. These commands should return nothing. # /usr/bin/find –exec ls – ld {} \; # /usr/bin/find +022 –exec ls – ld {} \; /var/www/html /var/www/html –user apache –perm +202 –group apache –perm

E–mail Security
Sendmail – should be upgraded to the most stable current release, at least 8.12.5 to secure against a theoretical buffer overflow vulnerability.

Disable the sendmail daemon on all workstations
Edit /etc/sysconfig/sendmail with: DAEMON = no QUEUE = 15m Then restart the daemon #/etc/rc.d/init.d/sendmail restart

File and Print Security
SCP and SFTP
The need for remote file–transfer and command–line control sessions is of paramount importance to Unix administration. For many years however, only protocols such as FTP, Telnet and RSH were available. These protocols transmitted not only the data of the session but the authentication information as well in cleartext over the network. The advent of the Secure Shell (ssh) protocol introduced a much–welcomed answer to this problem, providing complete encryption of both command–line and data transfer sessions using strong encryption algorithms. Particularly welcome has been the recent development of OpenSSH, a spinoff of the OpenBSD project, which has helped bring this protocol into wider use with its open–source implementation that compiles on any number of different Unix platforms. The scp and sftp commands do an excellent job of replacing the non–encrypted counterparts, emulating the command–line switches and options so well that in most cases , scp in particular can simply be used as a drop–in replacement for rcp . Configure servers such that using sftp are as secure as possible , including the use of chroot to jail the users file– transfer sessions , by patching the SSH ,source code. Unfortunately, the patch

currently does not work for scp, but chrooted and non–chrooted users can exist side by side. Red Hat , even with the most current patches, does not always offer the latest SSH build, so it will be necessary to get the portable distribution of OpenSSH from the OpenSSH team (http://www.openssh.com) . This manual will not go into the details of how to build an SSH server or chrooting the server. A future manual will delve into the construction any distribution of broad network services.

Securing WuFTPd
WuFTPd is a fairly secure FTP program and is freely available. It should be used in place of clear–text FTP. It ships default with RedHat 7.3 In order to properly secure WuFTPd we need to tweak the FTP configuration file, /etc/ftpaccess. We do this by not allowing system accounts to login over FTP. # allow–uid ftp # allow–gid ftp

Chroot all users by default
Guest user * Because we have already chroot all users by default, we don’t need to explicitly chroot group # guestgroup ftpchroot Set the email address ftpadmin@ftpserver.mydomain.com Permit only two failed logins before termination Loginfails 2 Change the welcome message to something controllable Message /.ftpwelcome.msg Do not allow on the fly compression and tarring Compress Tar no no all all

Prevent certain actions from anonymous or guest users. Explicitly list permissions …. Umask no real, guest, anonymous

Delete Overwrite Rename

yes yes yes

real, guest real, guest real, guest

Log commands and transfers to and from the server
Log Log commands transfers real, guest, anonymous anonymous, real, guest inbound, outbound

Mark certain files as non–retrievable Noretrieve Noretrieve .notar .ftpwelcome.mag

Set a secure path filter to weed out evil files Path–filter *$ ^\. ^– guest, anonymous /etc/pathmag ^[–A –Za –z0–9_\.]

Remove server version from the greeting Greeting terse

Use secure default umasks for everyone
Defumask Defumask Defumask 0377 0177 real 0133 guest

Networking /Remote Administration o Remove all .rhosts utilities use find /home –name .rhosts –print (include rsh/rlogin/rcp) o If using NFS (not recommended) Export all NFS file systems with most restrictive access in /etc/exports (nodev, nosuid, noexec). Be sure to Filter TCP port 111, UDP 111 (portmapper), TCP port 2049, UDP port 2049 (nfsd) on firewall, if using NFS. o Files in /var/log, /var/log/wtmp and /var/run/utmp (contains login records) should have 644 permissions. wtmp logs the login status info of the following Type of Login Process ID of login process

Device name of tty Init ID or abbreviated ttyname User Name Hostname for remote login Exit status of a process Time entry was made IP address of remote host o utmp is consulted for currently logged in users. o Install Cryptographic IP encapsulation to communicate with other hosts

Services o The following services should not be installed or disabled NFS/NIS (any rpc) Or at least use NIS+ over NIS Printer services (lpd) Telnet R* FTP server (use HTTP, scp, SFTP) BIND Mail Transfer Agents (sendmail, exim, postfix, qmail) o Check /etc/rc.d/rc (0–9).d for symbolic links to services that will not be used. Links can be disabled by replacing upper case (S for Start) to a lower case (s). Stop services as root with /etc/init.d/ stop. After disabling (with #) restart inetd /etc/init.d/inetd restart .Get list of running scripts with ls –l /etc/init.d/ |less o Can get a quick list of enables services with grep disable /etc/xinetd.d/* |grep no. Disable xinetd services from dunning by changing listings in xinetd.conf to disable = yes o Comment out unused services in /etc/inetd.conf, rather than removing those services in the case that one might need them at some time. o Disable identd for specific users (.noident file) Can be removed altogether unless using building an IRC server. o Remove /etc/hosts.equiv

File and System Permissions o Use //ls –al to see all file permissions

o Remove all suid/sgid (chmod g+s to activate sgid) on executable and system files from non–root home directories. Favorite technique of hackers to exploit this by placing suid programs to be executed on server. To find all find / –type f \ (–perm –040000 –o –perm –02000 \) o Remove unnecessary setuid and setgid. Can find the ones available by typing o find / –type f –perm +6000 o Configure umask with restrictive access. Typical setting should be 022, 027, and 077 (most restricted). It is set in /etc/profile . Default in RedHat is 022. Root umask should be 077 . Find the value by subtracting desired from 777. o Set file system limits in /etc/pam.d/limits.conf (RH, Deb). Restrict number of processes to 50 and usage per user to 5M o Find all world writable system files and restrict where necessary. Find them with o find / –perm –2 ! –type l –ls Add sticky bit t to file permissions chmod +t to make deletion or modification of the file by the creator only. o Find all un–owned files, which may indicate compromise with find / \ (– nouser –o –nogroup \) –print o System configuration files (etc) should be 640 o Install Cryptographic File Systems (CFS) or Transparent Cryptographic File System (TCFS) for encrypting folder trees where secure users can store files

System Administration/Logging o Allow only tty and vtys terminals for root and trusted users o Secure the /usr/sbin/syslogd from tampering. Look at /etc/syslog.conf to see where logging is going to. Download a syslog encryption daemon to transfer log info to a central and secure location. View /var/log/messages for default logs. o Make use of /etc/shutdown.allow should be used to prevent someone from rebooting the machine. It contains a list of authorized users to reboot the machine. It is consulted when Control–Alt–Del keys o Use xlock and vlock to lock a workstation. o If possible configure the tools to run as chroot, a “chroot jail” for privileged services such as Apache so that an attacker does not attain root privilege on the real O/S o Delete unnecessary binary packages /bin/rpm –e (if RedHat)

X11 o Secure X displays by having users login to the terminal through the MIT– MAGIC–COOKIE–1 A 128 bit cookie as stored in the .Xauthority file. Use xauth for remote users. Or use xdm to login to console and use ssh to go to

Kernel o Download and install secure Linux Kernel from NSA.gov http://www.nsa.gov/selinux/download.html o Process accounting is enabled in most newer builds of the kernel and should be consulted for kernel–level functions.

Quick Tips Auditing/Firewall/Scan Utilities Check List
Should use IPTables, otherwise enable TCPWrappers (tcpd) to restrict access from TCP services. Create a /etc/hosts.allow file and add only those allowed hosts ex All:127. Create /etc/hosts.deny and put All:All . TCPWrappers only protects inetd services. Use netstat –ta to see all services offered.(netstat –tap | grep LISTEN) Record changes with output to a file (netstat –tap | grep LISTEN ~/services.lst) Install Tripwire, for system integrity. Make sure to write down the pass phrases and keep them secret. Use SAINT or NESSUS to port scan your machine to see where it’s vulnerable. Install OpenPGP to transfer for email (or S/MIME), key transfer and secure hard–drive erasing Install SSL S–HTTP for all HTTP requests Shut Off Telnet and put Open SSH in its place. Install IP–Tables/Netfilter as firewall (for advantages of IPTables over IPChains and IPFWAdm go to Run Internet Security Scanner (ISS) an System Security Scanner (S3)

Freeware Utilities o SWATCH – The Simple Watcher is a popular open source log monitoring and alerting utility. Swatch is designed to monitor your log files against a set of configurable signatures. When Swatch detects an event, it can alert the system admin via console, sound response, or an email. Swatch can also be used to filter old log files for activity. o IPTables – The netfilter/iptables project is the Linux 2.4.x / 2.5.x firewalling subsystem. It delivers you the functionality of packet filtering (stateless or stateful), all different kinds of NAT (Network Address Translation) and

packet mangling. Iptables is the replacement for the userspace tool ipchains in the Linux 2.4 kernel and beyond. It is part of the kernelspace netfilter project. Iptables has many more features than ipchains and is also structured more sensibly. o Tripwire – Tripwire software is a tool that checks to see what has changed on your system. The program monitors key attributes of files that should not change, including binary signature, size, expected change of size, etc. Tripwire is originally known as an intrusion detection tool, but can be used for many other purposes such as integrity assurance, change management, policy compliance and more. o John the Ripper – John the Ripper is a freeware password auditing or cracking utility. John the Ripper attempts to brute force the passwords in the passwd and shadow files, making use of dictionaries and its knowledge of common password creation techniques. o Bastille – A Linux hardening application that provides novice and experienced users a way to automate many of the security settings that have been covered in this guide. Bastille provides both a command line and GUI format for users. Bastille walks the user through an interactive questionnaire to determine which setting should be turned on and what the ramifications are for making those changes. o NMAP – Is a freeware reconnaissance utility, typically used as a port mapper utility, sending packets to hosts with various settings to determine which ports are open on a device. NMAP can also be used as an Operating Systems reconnaissance tool since NMAP has the ability to send packets to a host and based on the response to those packets, determine which Operating System the host is running. o NESSUS – A freeware vulnerability assessment tool, Nessus works on a client/server based technology. The server side contains the vulnerability database and the engine that actually performs the vulnerability assessment. The client connects to the server to configure the settings for the vulnerability assessment. Nessus can provide reports in a number of different formats including its native GUI format, HTML, and ASCII.

Useful Links
How To’s and References for this manual: o SANS: Step By Step Series – Securing Linux: A step by step survival guide, David Koconis, Jim Murray, Jos Purvis, Darrin Wassom o Hacking Exposed 3rd Edition – Network Security Secrets and Solutions, Stuart McClure, Joel Scambray, George Kurtz o http://www.linuxsecurity.com/docs/LDP/Security–Quickstart– HOWTO/index.html o http://www.linuxsecurity.com/docs/LDP/Security–HOWTO/

o http://www.linuxsecurity.com/docs/SecurityAdminGuide/SecurityAdminGui de.html o http://www.linuxsecurity.com/docs/PDF/Securing–Optimizing–Linux–RH– Edition–1_3.pdf o http://www.linuxsecurity.com/docs/LDP/Security– HOWTO/ftp://sunsite.unc.edu:/pub/Linux/system/admin/accounts/acct– 1.3.73.tar.gz o http://en.tldp.org/HOWTO/IP–Masquerade–HOWTO/iptables–vs– ipchains–vs–ipfwadm.html o ftp://sunsite.unc.edu:/pub/Linux/system/admin/accounts/acct–1.3.73.tar.gz

Security Resources o SANS – http://www.sans.org o Linux Security – http://www.linuxsecurity.com o Security Focus – http://www.securityfocus.org o Hacking Linux Exposed – http://www.hackinglinuxexposed.com/articles/20021015.html o CERT – http://www.cert.org

Firewall Resources: o http://www.linux–firewall–tools.org o http://www.firestarter.sourceforge.net o http://www.fwbuilder.org o http://www.stearnes.org/mason

Red Hat Resources o Red Hat – http://www.redhat.com o Red Hat Advisories – http://rhn.redhat.com/errata/rh73–errata.html

Third Party Resources o APACHE – http://httpd.apache.org o APACHE MODS – http://httpd.apache.org/docs/mod/ o AUTORPM – http://www.autorpm.org o BASTILLE – http://www.bastille–linux.org o EXIM – http://www.exim.org

o IMAP Connection – http://www.imap.org o IPTABLES – http://www.iptables.org o John the Ripper – http://www.openwall.com/john o Logwatch – http://www.logwatch.org o NESSUS – http://www.nessus.org o NMAP – http://www.nmap.org o NTP – http://www.cis.udel.edu/~ntp o OPENSSH – http://www.openssh.com o OPENPGP – http://www.openpgp.org o PSIONIC TRISENTRY – http://www.psionic.com o POSTFIX – http://www.postfix.org o QMAIL – http://www.qmail.org o QPOPPER – http://www.eudora.cm/qpopper o SAINT – http://www.saintcorporation.com o SAMBA – http://www.samba.org o SENDMAIL – http://www.sendmail.org o SNMP – http://www.snmplink.org o SNORT – http://www.snort.org o SWATCH – http://www.oit.ucsb.edu/~eta/swatch o Time Servers – http://www.eecis.udel.edu/~mills/ntp/servers.html o TRIPWIRE – http://www.tripwire.org o WU–FTP – http://www.wu–ftpd.org o XINETD – http://www.xinetd.org

Black and White Hat Security Resources o AstalaVista – http://www.astalavista.com o Hacktavismo – http://hacktivismo.com/news/modules.php?name=Content&pa=showpage &pid=12/ o Cult of the Dead Cow – http://www.cultdeadcow.com/main.php3 o Phrack – http://www.phrack.org o 2600 magazine – http://www.2600.com o Apcoalypse – http://www.apocalypseonline.com/security/exploits/exploits.asp?exp_categ ory=Slackware

o Security Tool review – http:///www.securitytoolreview.com o Foundstone – http://www.foundstone.com o F.I.R.E. – http://fire.dmzs.com/?section=tools o Honeypots – http://www.trackinghackers.com o AntiHacker ToolKit – http://www.antihackertoolkit.com/tools