By Kurt Seifried Rev 0.1
The basics - Installation and initial securing. (S01.C01)
To secure RedHat 5.X properly you have to start at the very begining, when you install the machine. Install the server from trusted media (CD out of a RedHat shrinkwrapped box strikes me as the best way) and if you are really paranoid check all the MD5 and PGP sigs beforehand on the CD with another machine. If you do a network install from say ftp.wewillhackyou.com you could very well end up with software packages that will exhibit unexpected 'features' later on. Make sure the HD is cleaned out, we don't want any nasty bootsector viruses/etc hanging about, again if you are paranoid do a low level format of the drive (although most recent BIOS's will not support this). In essence start with a clean system, clean install media, etc.
Since the install only takes 20-30 minutes (for me typically, YMMV), sit through it. Do not leave the machine. Someone could gto alt-f2 and use that handy little bash prompt to do nasty things like edit /etc/passwd. When it comes to giving a root password, use something hard to guess and do not write it down. When it asks you to remove the floppy disk and reboot, unplug the network cable. Why? because when that machine reboots it will probably be at the most vulnerable stage of it's life. No firewalling has been implimented, no tcp_wrappers, you may have old broken packages, etc. The machine is now up and running, and probably complaining about the lack of networking. Time to being securing the machine.
Removing Uneeded Packages / ServicesThe first thing to do once you have logged in as root is to start removing software packages you do not need. They just consume uneccesary space and are one more thing you will forget you have, and consequesntly not bother to upgrade, thus ensuring you will end up with one out of date package that has a security hole in it that causes you grief later on (aren't I cheerful?).
rpm -qa | sort | less or rpm -qa | sort > rpm.list
The above will give you a nice alphabetically sorted list of rpm's on your system. I typically remove most of the X apps, printer stuff, news readers, r services, etc. Obviously if you need it, don't remove it. If you accidently remove something, just add it in with rpm -i, removing critical stuff isn't usually a problem because of dependancies, but if you do not know what it does, find the rpm on the CD and:
rpm -qpi package-1-1.i386.rpm
And you will be told what it does, etc.
The basics - Basic config files and what to do with them. (S01.C02)
There are several basic config files in RedHat 5.X that allow you to secure the system. The two main classes of attacks are internal and external. Internal attacks come from users that already have accounts/etc, thus giving them a 'foot in the door', and making you life that much more miserable. External attacks seem to be the current favourite, since most script-kiddiez do not have accounts on your system(s) (and if they do it serves ya right ;). Thus we will deal with external attacks first.
External attacks nowadays are almost exclusively Internet based, by this I mean the old days of people gaining access to a private network, or dial-in modem lines, etc are pretty much over. It is far easier to go to rootshell or l0pht and download some attacks, then try them out on servers at random over the Internet. The chances of getting caught are minimal, and of being pursued or prosecuted even smaller. Hence these are very popular attacks.
/etc/inetd.conf - controls various network services /etc/rc.d/rcX.d/ - controls startup of services /etc/inittab - startup, ctrl-alt-del, etc.
/etc/inetd.conf
# # inetd.conf This file describes the services that will be available # through the INETD TCP/IP super server. To re-configure # the running INETD process, edit this file, then send the # INETD process a SIGHUP signal.
The begining of this file is pretty self-explanatory I think. Instead of running a dozen daemons that typically are not being hammered away at, you run a 'super server' (their words not mine) that listens to the appropriate ports, and when it sees a packet for one of the ports it is responsible for it fires up the appropriate daemon (such as POP). If you do not want to have a service respond (for examply IMAPD), instead of completely removing IMAPD you can simply comment out the line for it in inetd.conf that calls it up, and restart inetd.conf to make it re-read the config file.
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a would result in ftpd start whenever someone connects to port 21, if you wanted to disable it temporarily without having to remove it simply: #ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a comment it out. To restart inetd: [root@somehost somewhere]# killall -1 inetd [root@somehost somewhere]#
| Name | Function | Status |
| echo | echoes characters back | turn it off! |
| discard | accepts data and discards it | turn it off! |
| daytime | time of day | turn it off! |
| chargen | chracter generator | turn it off! |
| ftp | File Transfer Protocol | Do you want to be an FTP server? |
| Telnet | Allows Remote Access | turn it off! Use SSH |
| gopher | gopher (pre-cursor to the web) | Dead protocol, no reason to leave it on |
| smtp | mailserver | typically handled as a daemon by sendmail, turn it off |
| nntp | Usenet News | typically handled as a daemon by inn, turn it off |
| shell | Allows Remote Access | Very dangerous! turn it off! |
| login | Allows Remote Access | Very dangerous! turn it off! |
| exec | Allows Remote Access | Very dangerous! turn it off! |
| talk | allows you to have text based chats with other users | use email / irc, no reason to leave it on |
| ntalk | allows you to have text based chats with other users | use email / irc, no reason to leave it on |
| dtalk | allows you to have text based chats with other users | use email / irc, no reason to leave it on |
| pop-2 | Allows users to retreive email | Do you want remote users to get their email? |
| pop-3 | Allows users to retreive email | Do you want remote users to get their email? |
| imap | Allows users to retreive email | Do you want remote users to get their email? |
| uucp | Unix to Unix CoPy | Unless you need uucp turn it off! (Almost a dead protocol, but still handy) |
| tftp | Trivial FTP Server - for diskless clients/etc | Unless you truely need tftp turn it off! |
| bootps | Information server for diskless clients. | Unless you truely need bootps turn it off! |
| finger | Information about local users | turn it off! |
| cfinger | A safer version, but still gives out local user info | turn it off! |
| systat | Local machine info | Very dangerous! turn it off! |
| netstat | Local machine network info | Very dangerous! turn it off! |
| time | Serves time info | turn it off! use XNTPD |
| auth | Tells remote servers who owns a connection | Some remote server require this, it is polite to leave it on |
| linuxconf | Remote linux conf access | Very dangerous! turn it off! |
/etc/rc.d/rcX.d/
Now for services that run as a daemon (like sendmail, apache, etc). These services typically have their own control files, however often times you may wish to leave the server installed and just disable it. The easiest way to do this is to simply remove the symlinks from /etc/rc.d/rcX.d/ (where X is the run level) that point to it's startup script. For example on many of my headless servers I have gpm installed, but it isn't running (nice to have though when you do hook up a monitor/etc to it). Simply go into the various rcX.d directories and remove the symlinks, you can easily later add them back in. All the services that run as daemons are typically safe, however leaving a service on that you are not using is dangerous. For example to remove sendmail from the startup:
[root@somehost somewhere]# cd /etc/rc.d/ [root@somehost rc.d]# find ./* | grep sendmail ./init.d/sendmail ./rc0.d/K30sendmail ./rc1.d/K30sendmail ./rc2.d/S80sendmail ./rc3.d/S80sendmail ./rc4.d/S80sendmail ./rc5.d/S80sendmail ./rc6.d/K30sendmail [root@somehost rc.d]# rm -r */*sendmail* rm: remove `init.d/sendmail'? n rm: remove `rc0.d/K30sendmail'? y rm: remove `rc1.d/K30sendmail'? y rm: remove `rc2.d/S80sendmail'? y rm: remove `rc3.d/S80sendmail'? y rm: remove `rc4.d/S80sendmail'? y rm: remove `rc5.d/S80sendmail'? y rm: remove `rc6.d/K30sendmail'? y [root@somehost rc.d]# /etc/rc.d/init.d/sendmail stop Shutting down sendmail:
The links to sendmail have been removed, and sendmail has been stopped. From now on when you boot, sendmail will not be started. This is a really bad example, a more proper way to deal with sendmail is to change the init script from running it in daemon mode to simply flushing the queue once ina while (so you can send mail to but not receive it from the Internet).
/etc/inittab
Inittab controls quite a few things, default run level, number of consoles, behaviour for ctrl-alt-del, etc. Typically I leave one console running (as my machines are either headless servers, or they run X all the time, and xdm has a bit to much overhead) and disable ctrl-alt-del (I work on NT a lot, 'nough said). Simply comment out the following lines:
# Trap CTRL-ALT-DELETE ca::ctrlaltdel:/sbin/shutdown -t3 -r now to # Trap CTRL-ALT-DELETE #ca::ctrlaltdel:/sbin/shutdown -t3 -r now and # Run gettys in standard runlevels 1:12345:respawn:/sbin/mingetty tty1 2:2345:respawn:/sbin/mingetty tty2 3:2345:respawn:/sbin/mingetty tty3 4:2345:respawn:/sbin/mingetty tty4 5:2345:respawn:/sbin/mingetty tty5 6:2345:respawn:/sbin/mingetty tty6 to # Run gettys in standard runlevels 1:12345:respawn:/sbin/mingetty tty1 #2:2345:respawn:/sbin/mingetty tty2 #3:2345:respawn:/sbin/mingetty tty3 #4:2345:respawn:/sbin/mingetty tty4 #5:2345:respawn:/sbin/mingetty tty5 #6:2345:respawn:/sbin/mingetty tty6 and to restart inittab simply: [root@somehost somewhere]# killall -1 init [root@somehost somewhere]#
This initial configuration will solve a lot of problems, you should disable ALL network services initally however, and ftp to a redhat site and grab any of the latest update rpm's you require (ie sendmail for 5.0), install them and then turn on the network services. It's no good restricting access to a network service if it is completely broken (like the bind that ships with redhat 5.0, etc)
Contact Kurt Seifried, All rights reserved Kurt Seifried 1998, content and information may not be reposted physically or electronically without the express permission of the author, this includes but is not limited to www mirror sites, email, usenet news, etc.