P. 1
Linux Baseline Document Santosh

Linux Baseline Document Santosh

|Views: 1,386|Likes:
Published by utpalbasak

More info:

Published by: utpalbasak on Jun 11, 2009
Copyright:Attribution Non-commercial

Availability:

Read on Scribd mobile: iPhone, iPad and Android.
download as DOC, PDF, TXT or read online from Scribd
See more
See less

07/13/2013

pdf

text

original

Linux Baseline Hardening Document For

BHARTI TELESOFT

About This Document This document presents the steps for hardening of Linux Server before the applications are installed. NOTE: Please Follow those step that we required for low level Hardening. This Document include High level hardening step that mainly not useful for us.

Table of Contents Securing Linux Server ........................................ .....................1 Securing Linux Server ........................................ .....................1
1. 1. 2. 2. Security Patches....................................................................................1 Security Patches....................................................................................1 File system security...............................................................................1 File system security...............................................................................1 1.1. BIOS Security is not enabled................................................................1 1.2. Partition security.................................................................................2 1.3. Weak system umask............................................................................3 1.4. Temporary folder permission.................................................................3 1.5. CRON and AT files security...................................................................4 1.6. Passwd, shadow and group file permission.............................................4 1.7. User home directory permission............................................................5 1.8. SUID bit is set for files.........................................................................5 1.9. Hidden files are present in Root’s path...................................................6 3. User Accounts and Policies....................................................................7 3. User Accounts and Policies....................................................................7 1.10. Password Policy....................................................................... ..........7 1.11. Disable non-essential accounts............................................................8 1.12. Disable Accounts with empty passwords...............................................8 1.13. Duplicate root UIDs ..........................................................................9 1.14. Disable remote root login...................................................................9 1.15. Password protect single user mode....................................................10 4. Login Banner........................................................................................11 4. Login Banner........................................................................................11 1.16. FTP and Telnet banners ...................................................................11 5. Auditing and Logging...........................................................................13 5. Auditing and Logging...........................................................................13 1.17. Enable user authentication auditing...................................................13 1.18. Permission on log files......................................................................13 6. Non-essential services ........................................................................15 6. Non-essential services ........................................................................15 7. Secure FTP and TFTP settings..............................................................18 7. Secure FTP and TFTP settings..............................................................18 1.19. FTP settings are not secure...............................................................18 1.20. TFTP permission is not secured..........................................................19 8. Secure Network Settings.....................................................................20 8. Secure Network Settings.....................................................................20 1.21. Network settings.............................................................................20 1.22. Disable unauthenticated remote login by users....................................20 1.23. Route daemon service is not secured.................................................21 9. System Security options......................................................................22 9. System Security options......................................................................22

1.24. Crtl+Alt+Del Setting........................................................................22 10. Installing SSH (Telnet is used for remote administration).................23 10. Installing SSH (Telnet is used for remote administration).................23

Securing Linux Server
1. Security Patches
Install the latest rpm packages for Linux. Check for latest RPMs at RedHat Linux website. http://updates.redhat.com/enterprise/3WS/en/os/SRPMS/ http://updates.redhat.com/enterprise/3AS/en/os/SRPMS/ Else go to http://updates.redhat.com/enterprise/ and select the enterprise version running and install all patches from the link Download the current RPMs from RedHat’s Website and install them using the following command. rpm –ivh file_name.rpm

2. File system security
1.1.BIOS Security is not enabled
Description: Changes need to be made to the BIOS settings in order to increase the security of Linux system. Impact: A malicious user with physical access to the machine can boot from a rescue floppy or a CD-ROM and gain root access. Once that is done, it is easy for him to mount and modify various filesystems, add new administrators and misuse the system. Solution: In order to prevent malicious users from gaining root access, the following changes need to be made in the BIOS: 1. Set Supervisor Password. 2. After the installation, disable booting from the Floppy or the CD-ROM drive.

1.2.Partition security
Description: When mounting a partition you can provide various options in the /etc/fstab file that increase the security of your system manifold. The various options that can be used are: • • • • nosuid: Do not set SUID/SGID access on this partition.

noexec: Do not allow execution of any binaries on this partition. ro: Allow read-only access to the partition. rw: Allow read-write access to the partition.

Impact: Without the nosuid value any user can access those file systems with privilege of file system owner or root. Without the rw option any user can write to those file systems. Solution: Edit the /etc/fstab file using text editor. vi /etc/fstab A typical /etc/fstab file with partitions /, /tmp, /home and /var should read as shown below: /dev/hda1 /dev/hda4 /dev/hda2 /dev/hda3 / /usr /home /tmp ext3 defaults,ro ext3 defaults,ro ext3 defaults,nosuid ext3 defaults,nosuid 02 02 02 02

The nosuid will result in no user being able to execute a setuid file in /home and /tmp. The noexec bit will ensure no executable can be run in those partitions. Also once the system is installed, users probably won’t be writing to the / and the /usr file systems. Hence those partitions can be mounted read-only.

1.3.Weak system umask
Description: A default umask of ‘022’ must be set for System created files during initial boot stage. Impact: Malicious users can overwrite the contents of system files and cause denial of service. Solution: This can be done by putting the umask entry in /etc/bashrc file. vi /etc/bashrc umask 022

1.4.Temporary folder permission
Description: Ensure that sticky bit is set for /tmp, /utmp and /utmpx folders. If the sticky bit set then only owner of a file in these folder can delete that file and other users can only read the file but cannot delete it, even they have write permission on the folder. Impact: Any user can delete other users files in temporary folders, because by default all users have write permission on those folders. Solution: Set the sticky bit on temporary folder (/tmp): ls –al (See if sticky bit is set or not) cd / chmod 1777 tmp chmod 1777 utmp chmod 1777 utmpx

1.5.CRON and AT files security
Description: CRON and AT can be used to create scheduled tasks. Users should be given granular permissions for scheduling tasks. Impact: Unauthorized access to these services can be used to run malicious processes including backdoors. Solution: CRON and AT related files must be secured. Only root must be given permissions to run CRON and AT jobs. The files in /etc/cron.d control which users can use the cron and at facilities: Create a /etc/cron.d/cron.allow file: echo "root" > /etc/cron.d/cron.allow chown root /etc/cron.d/cron.allow chmod 600 /etc/cron.d/cron.allow Create a /etc/cron.d/at.allow file: cp -p /etc/cron.d/cron.allow /etc/cron.d/at.allow Create a /etc/cron.d/cron.deny file: cat /etc/passwd | cut -f1 -d: | grep -v root > /etc/cron.d/cron.deny chown root /etc/cron.d/cron.deny chmod 600 /etc/cron.d/cron.deny Create a /etc/cron.d/at.deny file: cp -p /etc/cron.d/cron.deny /etc/cron.d/at.deny

1.6.Passwd, shadow and group file permission
Description: In Linux OS /etc/passwd, /etc/shadow and /etc/group files are most important files. The permission on these files should be secured. Impact:

If an attacker has access to passwd file, he can create user in that file. Attacker can alter the MD5 hash of the root password with a known hash in the shadow file to get into the system or he can add a newly created user under root group in the group file. Solution: Change the owner of these files to root and also change the permission using the following commands: cd /etc chown root:root passwd shadow group chmod 644 passwd group chmod 400 shadow

1.7.User home directory permission
Description: Check the permissions of users’ home directories and verify permissions are secured or not. Impact: A user can access files of other users in their home directories. Solution: Change the ownership and permission on the home directories using following command: chown <username>:<user primary group> <user home directory> chmod 740 <user home directory>

1.8.SUID bit is set for files
Description: SUID (Set UID) file allows users to execute certain programs with elevated privileges; typically as root user. SUID files can leave security loopholes in the system. Impact:

Often such SUID programs can provide malicious users with a root shell if forced to exit abnormally. It is therefore important to remove the SUID bit from those programs that do not require it. Solution: Once you have located an offending file with the SUID bit set, you can use chmod to remove its SUID bit as shown below: find / -perm 4000 -print |more chmod 0700 <suidfilename> The following executables do not need SUID permissions: Ping, mount, umount, traceroute, at

1.9.Hidden files are present in Root’s path
Description: Check and ensure that hidden files or file name started with ‘.’ are not present in Root’s path. Impact: Including the current working directory ('.') or other writable directory in root's executable path makes it likely that an attacker can gain superuser access by forcing an administrator operating as root to execute a Trojan horse program. Solution: Delete the unnecessary and suspicious hidden files from /, /root and /etc path. 1. /.login 2. /etc/.login 3. /etc/default/login 4. /.cshrc 5. /etc/skel/local.login 6. /etc/skel/local.profile 7. /.profile 8. /etc/profile

3. User Accounts and Policies
1.10.Password Policy
Description: Passwords are used to securely login to users’ account. The security of the users’ passwords can be implemented system wide by enabling MD5 and shadow passwords. Impact: All accounts are vulnerable to attacks and hence the passwords should be a stored in a secure fashion. Passwords can be retrieved if they are stored in weak encryption format. Solution: Increase password security, by enabling the following: Type 'setup' on the shell prompt. Choose Authentication configuration. Click next, and configure MD5 Passwords Password Shadowing passwords] Edit /etc/login.defs file and set the following password configuration: Set minimum password length to PASS_MIN_LEN=8 Set password expiry to PASS_MAX_DAYS=45 PASS_MIN_DAYS=1 PASS_WARN=14 [Allows passwords up to 256 characters] [Prevents users from obtaining the encrypted

1.11.Disable non-essential accounts
Description: Unnecessary user accounts should be tracked and be deleted from the system. Impact: Attackers can use these accounts to harm the system. Solution: Use the following command to delete non-essential accounts. cat /etc/passwd | cut –d : -f 1 userdel <unnecessary Username> Non-essential accounts Lp Sync shutdown Halt news uucp operator games gopher adm ftp nobody nscd nfsnobody

1.12.Disable Accounts with empty passwords
Description: Check the login accounts in the system with empty password. Impact: Accounts with empty passwords pose a grave security risk to the system because all that is needed to login to such an account is knowledge of the login name. Solution: Check for lines with no passwd and set password for these accounts using the following command. cat /etc/shadow | cut –d : -f 1,2 Assign password for this type of account using the following command: passwd <username>

1.13.Duplicate root UIDs
Description: Accounts in the system are mapped to UIDs. At times UID corresponding to root account is mapped to multiple login accounts. Impact: A low privileged user with the same UID as that of root account can compromise the system. Solution: Ensure that accounts with same UID as that of root are authorized system administrators. In the /etc/passwd file change the UID of such accounts. Check /etc/passwd and /etc/group files and check for the accounts with same uid and gid as root and change their ID using following command usermod –u <changed UID> username

1.14.Disable remote root login
Description: Root user must not be able to login from a remote console. The login command is part of the authentication process to access a local Linux Operating Environment account. Any action requiring direct login to the system using ‘root’ should be restricted to the local console. Impact: Login to the system through telnet session can reveal the clear text password of root user. Allowing remote login for root also enables a malicious user to attempt access to the system leading to system compromise. Solution: Ensure that /etc/securetty file contains the list of all terminals from where root is not allowed to remotely login. The available terminals are: [root@localhost root]# less /etc/securetty vc/1 vc/2 vc/3 tty0 tty1 tty2 tty11 tty12 tty13 tty22 tty23 tty24

[root@localhost root]# less /etc/securetty vc/4 vc/5 vc/6 vc/7 vc/8 vc/9 vc/10 vc/11 tty3 tty4 tty5 tty6 tty7 tty8 tty9 tty10 tty14 tty15 tty16 tty17 tty18 tty19 tty20 tty21 tty25 tty26 tty27 tty28 tty29 tty30 tty31

1.15.Password protect single user mode
Description: Linux provides a mechanism for system maintenance via “Single user mode” which is typically started when the system is booting. Impact: This allows an attacker at the console to bypass any system protection and move into run level 1 as root and change system settings. Solution: Edit /etc/inittab file to have entry as shown below. vi /etc/inittab id:5:initdefault: ~~:S:wait:/sbin/sulogin Save the changes and restart the service: /sbin/init q

4. Login Banner
Description: An appropriate login message must be displayed to the user when he/she tries to login to the system. This file should contain warnings about inappropriate and unauthorized use of the system. It should also warn users that their sessions and accounts may be monitored for illegal or inappropriate use. Impact: Displaying appropriate warning messages when users access a system will assist in processing computer crime cases and will also act as an effective deterrent. Solution: Create or modify the /etc/issue, /etc/issue.net, /etc/motd files with appropriate statutory warning. vi /etc/issue “This system is for the use of authorized users only. Individuals using this computer system without authority, or in excess of their authority, are subject to having all their activities on this system monitored and recorded by system personnel." Same process for editing the files /etc/issue.net /etc/motd

1.16.FTP and Telnet banners
Description: If FTP or TELNET services are required to run on the system then ensure that the services do not advertise the operating system version when users connect to the system.

Impact: Attackers can easily get the fingerprint of the OS from the banner and using the information they can start some specific attacks to the system.

Solution: Create files telnetd and ftpd in /etc/default with the entry below to mask the OS version number in the banner, Vi /etc/default/telnetd Vi /etc/default/ftpd BANNER=”” (Append this to both the above files)

5. Auditing and Logging
1.17.Enable user authentication auditing
Description: Syslog facility is used to log system activities. Syslog daemon receives log messages from several sources and directs them to the appropriate location based on the configured facility and priority. It can be used to capture all successful and failed logins. Impact: Malicious login attempts cannot be monitored. Solution: Add the following entry to /etc/syslog.conf for capturing syslog events sent to LOG_AUTH. This contains information on unsuccessful login attempts, successful and failed su (switch user) attempts. vi /etc/syslog.conf authpriv.* /var/log/secure

Use TAB key to separate auth.info from /var/log/secure and not space. Create /var/log/secure by executing the following commands touch /var/log/secure chown root /var/log/secure chmod 600 /var/log/secure

1.18.Permission on log files
Description: Linux maintains extensive logs of various system activities in the directory /var/log. Often suspicious entries in the log files are the first indication that something is wrong with the system. Impact: Attackers can easily delete those file from the system to remove the trace of attacks.

Solution: Enable logging in the syslog.conf file. Secure the permission of the above files and give them permission like 622. Use programs like logcheck and swatch to filter out the suspicious entries in the log files. Check the permission on the following files. The safe permission is 622, ls –l /var/log/messages ls –l /var/log/secure ls –l /var/log/wtmp ls –l /var/log/xferlog ls –l /var/spool/cron ls –l /var/log/lastlog

6. Non-essential services
Description: Linux by default has a number of services available. Some services are not necessary to system operation and should be disabled.

Impact: New/Old vulnerabilities found in unused applications/services can be used by malicious users for break in. Solution: Disable all services as given in the table below. The services run on a Linux machine depend a lot on what it is being used for. So the system administrator will have to activate services on a server-to-server basis using his discretion. Run setup System Services Chose the services to be disabled, uncheck box. Run Tool Service Name Chargen Comsat Daytime Discard Echo Remarks A service used for testing networks. Not required in production systems. Comsat is the server process which receives reports of incoming mail and notifies users if they have requested this service. A service used for testing networks. Not required in production systems. A service used for testing networks. Not required in production systems. A service used for testing networks. Not required in production systems. Rexecd is the server for the rexec(3) routine. The server provides Exec remote execution facilities with authentication based on user names and passwords. Disable this service.

Service Name Finger ftp Identd

Remarks Enabling finger is a security risk. Provides info to potential crackers. Use sftp instead Provides server identity. Talkd and ntalkd are the servers that notify a user that someone else wants to initiate a conversation. It acts a repository of

talk/ntalk/ko talk/talk

invitations, responding to requests by clients wishing to rendezvous to hold a conversation. In a production system these services are usually not required and can be safely disabled. Print Daemon, not required. Rlogind is the server for the rlogin program. The server provides remote login facility with authentication based on privileged port

Lpd

Rlogin

numbers from trusted hosts. This service does not usually prompt the user for a password and hence a security threat. SSH is a safer alternative and this service can be safely disabled.

netfs/nfs/nfsl ock/portmap Radvd rexec/rsh/rlo gin/rcp

Unless a machine is an NFS server, there is no need to run NFS. Router Advertising Daemon. Huge security risk. Disable the service rquotad is an rpc server which returns quotas for a user of a local filesystem which is mounted by a remote machine over the NFS. It

Rquotad

also allows setting of quotas on NFS mounted filesystem. In your environment if you are not assigning quota in NFS mounts then this service can be safely disabled.

Rhnsd Smtp snmp/snmptr ap

Connects to a Redhat Server for updates. SMTP service used for relaying mails. Not required on servers which do not transfer mails. The SNMP services daemon and agent. If the machine is required to respond to SNMP get and set queries. Then this service can be safely disabled. This is a service catered to by the xinetd server which returns the time of the day for client programs. This service can be safely disabled. A service used to connect remotely to the machine. As passwords of

Time telnet

Service Name

Remarks users are transmitted in clear text. It presents a security threat, use SSH instead. Trivial File transfer protocol. Not required in production systems. Must be disabled. Wall sends a message to everybody logged in to the server. If this is not being used in the production server it can be safely disabled. A secure version of the Internet Daemon service. This is a super daemon which caters to other services like telnet, rlogin, rsh, finger etc. If you do not require any of these services then this can be safely disabled. NIS services. If this server is not part of a NIS domain. Then this service can be safely disabled. Unix to Unix system copy server program. This service is usually not required in Production environments and can be safely disabled.

Tftp Walld

Xinetd

Ypserv/yppas sword Uucp

7. Secure FTP and TFTP settings
1.19.FTP settings are not secure
Description: All local accounts users have FTP access to the system by default. FTP banner should be set to warn the user about the FTP access. Permission on FTP upload and download folder should be secured.

Impact: An intruder can download important files, delete files or upload malicious software to the system. Solution: Configure secure settings. Restrict access to authorized users in the following way: To restrict the FTP access for the all users, use the following commands: touch /etc/vsftpd.ftpusers chown root /etc/vsftpd.ftpusers /etc/vsftpd.user_list chgrp root /etc/vsftpd.ftpusers /etc/vsftpd.user_list chmod 600 /etc/vsftpd.ftpusers /etc/vsftpd.user_list cat /etc/passwd | cut –d : -f 1 > /etc/vsftpd.ftpusers cat /etc/passwd | cut –d : -f 1 > /etc/vsftpd.user_list The above step will deny all accounts for ftp access; remove accounts that require ftp access. Create a banner file which does not reveal information about the Operating system. To change the greeting banner for wu-ftpd, add the following directive to /etc/vsftpd.ftpusers at the start of the file: greeting text <insert_greeting_here>

Ensure that the permissions on the download folder are set to umask 022. If you want to allow anonymous users to upload IN WU-FTPD, it is recommended you create a write-only directory within /var/ftp/pub/. To do this type: mkdir /var/ftp/pub/upload Next change the permissions so that anonymous users cannot see what is within the directory by typing chmod 744 /var/ftp/pub/upload A long format listing of the directory should look like this: drwxr--r-2 root ftp 4096 Aug 20 18:26 upload

1.20.TFTP permission is not secured
Description: If the TFTP service is required, one should create a directory called /tftpboot for uploading and downloading data. Impact: Attacker can easily steal or delete the data from TFTP server. Solution: Assign 754 permission on the /tftpboot directory using chmod command. mkdir /tftpboot chmod 754 /tftpboot

8. Secure Network Settings
1.21.Network settings
Description: There are several kernel options in Red Hat Linux that can be configured to increase the overall network security. The kernel can be modified by editing /etc/sysctl.conf file. The file is loaded whenever the server reboots or an administrator manually restarts the network services. Impact: If these parameters are not set properly attackers can easily attack the server remotely. Solution: Set the value of the parameters as following in /etc/sysctl.conf file vi /etc/sysctl.conf (Configure the following settings) net.ipv4.icmp_echo_ignore_broadcasts = 1 net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1 net.ipv4.conf.all.accept_source_route = 0 net.ipv4.tcp_max_syn_backlog = 4096 net.ipv4.tcp_syncookies = 1

1.22.Disable unauthenticated remote login by users
Description: Hosts.equiv file in the system allows unauthenticated user to remote login into the system. Impact: Unauthorized access to system.

Solution: Remove /etc/hosts.equiv file if not required. rm /etc/hosts.equiv

1.23.Route daemon service is not secured
Description: If route daemon is required to be running secure it by running it in the quite mode. i.e. The route daemon should be configured to not advertise routes. Impact: Attackers can easily get the information of system’s routing table. Solution: The routed daemon should be run by the –q option vi /etc/rc.d/init.d/routed (/etc/rc.d/init.d/routed file search for “start”) SILENT=true (put this entry before “start”) When routed daemon is started, it will run with the –q option.

9. System Security options
1.24.Crtl+Alt+Del Setting
Description: By default CTRL+ATL+DEL to reboot the machine functionality is enabled in the system. This allows any user to reboot the machine. Impact: This function allows an unauthorized user to reboot the server. Solution: Edit /etc/inittab file comment the following line: vi /etc/innittab ca::ctrlaltdel:/sbin/shutdown –t3 –r –now Save the change and restart init service for the change to take effect: /sbin/init q

10.Installing SSH (Telnet is used for remote administration)
Note : If the SSH is installed on the system then there is no need to follow this step. Description: Telnet is used for remote administration in Linux. But the telnet protocol sends authentication credential and data in clear text to the server. SSH is a similar kind of protocol of telnet. But it is more secured. It sends all the traffic in encrypted format. FTP is used for file transfer. Impact: Attackers can get the sensitive data like username and password using simple packet sniffer. Solution: SSH can be used instead of telnet and FTP. Download the latest rmps for these packages from RedHat’s website or

www.openssh.org website and install those using rpm –ivh <package_name> command. Configure the service to start at system start-up. Install the SSH client software at the client end. Run Netstart command check for port 22.

You're Reading a Free Preview

Download
scribd
/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->