CA Server Hardening Guideline


A standard operating system runs many services that are not needed on a CA server and that
may cause security issues. Disabling these services is recommended.
During normal operation and local administration of the server most of the networking services are
not required (e.g. sendmail). An SSH service can be used for remote administration, and NTP can be
used to synchronize the server clock with an external time source.

Checking and Disabling Services


In Red Hat Enterprise Linux, services and their names may differ depending on the version or setup. In
general, the purpose of a service can be checked from the files in the /etc/rc.d/init.d directory.
For example, the rawdevices service is started by the /etc/rc.d/init.d/rawdevices file, and the
purpose of the service can be found out by reading that file with an editor or another file reading command.
The service description is in the "# description" field. An example of the rawdevices description:
# chkconfig: 345 56 44
# description: This scripts assignes raw devices to block devices \
#              (such as hard drive partitions). This is for the use \
#              of applications such as Oracle. You can set up the \
#              raw device to block device mapping by editing \
#              the file /etc/sysconfig/rawdevices.

Based on the description you can see that the service is not required on a CA server and can be turned off.
A list of all services started in text and graphical mode (runlevels 3 and 5) can be seen with the commands:
chkconfig --list | grep 3:on
chkconfig --list | grep 5:on

Network services (listening sockets and the processes that own them) can be listed with the commands:
netstat -an
netstat -anp

Services can be disabled with the chkconfig command. This is done for runlevels 3 and 5 with these
commands (example services rawdevices and netfs):
chkconfig --level 35 rawdevices off
chkconfig --level 35 netfs off

The following services can be disabled:


pcscd
iiim
rpcidmapd
lm_sensors
pcmcia
FreeWnn
canna
gpm
sendmail
kudzu
netfs
rawdevices
apmd
lpd
portmap
xinetd
rhnsd
autofs
nfs
nfslock
nscd
identd
radvd
snmpd
snmptrapd
isdn
vncserver
yppasswdd
ypserv
ypxfrd
arpwatch
cups
arptables_jf
cups-config-daemon
firstboot
rpcgssd
bluetooth
avahi_daemon
hidd
hplip

These services should be left enabled:


syslog
network
random
anacron
atd
acpid (not mandatory in a virtual machine)
irqbalance
microcode_ctl
smartd (not mandatory in a virtual machine)
ntpd
sshd
crond
xfs (?)
haldaemon (?)
messagebus (?)
cpuspeed

It is recommended that the server OS is run in text mode, i.e. runlevel 3.
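As an added example (not part of the original guideline), the following POSIX shell script checks the output of chkconfig --list against the keep list above and prints the services that are still on in runlevel 3 or 5 but are not on that list, together with the chkconfig commands that would turn them off. The chkconfig output embedded in the script is a constructed sample, and the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not from the guideline: audit "chkconfig --list" output against
# the keep list above. Uses only POSIX sh and awk, so it runs offline.

# Services the guideline says should stay enabled (the "(?)" entries included).
KEEP_SERVICES="syslog network random anacron atd acpid irqbalance microcode_ctl smartd ntpd sshd crond xfs haldaemon messagebus cpuspeed"

# Reads chkconfig --list output on stdin and prints, one per line, every
# service that is "on" in runlevel 3 or 5 but is not in KEEP_SERVICES.
audit_chkconfig() {
    awk -v keep="$KEEP_SERVICES" '
        BEGIN { n = split(keep, k); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        # SysV lines look like: "sendmail  0:off 1:off 2:on 3:on 4:on 5:on 6:off";
        # the "xinetd based services:" section does not match and is skipped.
        $2 ~ /^0:/ {
            on = 0
            for (i = 2; i <= NF; i++)
                if ($i == "3:on" || $i == "5:on") on = 1
            if (on && !($1 in ok)) print $1
        }'
}

# Prints the chkconfig commands (runlevels 3 and 5, as in the guideline) that
# would turn the unexpected services off; review them before applying.
disable_commands() {
    audit_chkconfig | while read -r svc; do
        echo "chkconfig --level 35 $svc off"
    done
}

# Constructed sample of chkconfig --list output for an offline run.
SAMPLE='sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
rawdevices      0:off   1:off   2:off   3:on    4:on    5:on    6:off
kudzu           0:off   1:off   2:off   3:off   4:off   5:off   6:off
ntpd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd based services:
        rsync:  off'

# On a real server replace the sample with: chkconfig --list | disable_commands
printf '%s\n' "$SAMPLE" | disable_commands
```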

Core settings
Some settings can be configured via control files in the /proc directory. For example, routing can be
disabled with the command:
echo "0" > /proc/sys/net/ipv4/ip_forward

The content of the ip_forward file is changed to 0, which disables routing. Control files are reset at
start-up, so the setting must be reapplied after every boot. The settings can also be made in the
/etc/sysctl.conf file; that way the control files are updated automatically at startup. After setting
the parameters in /etc/sysctl.conf, the settings can be taken into use by running the command:
sysctl -p

or by restarting the OS.


For example, routing is disabled in the /etc/sysctl.conf file by setting the parameter:

net.ipv4.ip_forward = 0

Information about other settings can be found on the web page:

http://www.linuxsecurity.com/docs/SecurityAdminGuide/SecurityAdminGuide.html.

Hardening SSH Service

Login via SSH should be disabled for the "root" user. This is done by setting this line in the
/etc/ssh/sshd_config file:
PermitRootLogin no

The SSH protocol version should be set to 2 with the line:
Protocol 2

The algorithms used by the SSH server are defined with the lines:
Ciphers aes128-cbc,aes256-cbc
MACs hmac-sha1,hmac-ripemd160

After changing the settings the SSH service must be restarted with the command:
service sshd restart
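As an added example (not part of the original guideline), this POSIX shell script reads an sshd_config file the way sshd does (first uncommented occurrence of a keyword wins, keywords are case-insensitive, lines after a Match block are conditional) and reports whether the four settings above are in effect. The sample config it writes to a temporary file is constructed, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the guideline: check an sshd_config file for the
# settings listed above. Only POSIX sh and awk are used, so it runs offline.

# Expected settings, exactly as the guideline states them.
EXPECTED='PermitRootLogin no
Protocol 2
Ciphers aes128-cbc,aes256-cbc
MACs hmac-sha1,hmac-ripemd160'

# Effective global value of a keyword: sshd uses the first uncommented
# occurrence, keywords are case-insensitive, and lines after the first
# "Match" block are conditional, so the scan stops there.
sshd_option() {   # usage: sshd_option <keyword> <config-file>
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2   { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { print $2; exit }' "$2"
}

# Prints one OK/FAIL line per expected setting; returns non-zero on any FAIL.
audit_sshd_config() {   # usage: audit_sshd_config <config-file>
    rc=0
    while read -r key want; do
        have=$(sshd_option "$key" "$1")
        if [ "$have" = "$want" ]; then
            echo "OK   $key $have"
        else
            echo "FAIL $key (have: '${have:-<unset>}', want: $want)"
            rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    return $rc
}

# Constructed sample config for an offline run: root login is still allowed
# and no Ciphers line is set, so two of the four checks fail.
SAMPLE_CONFIG="${TMPDIR:-/tmp}/sshd_config.sample.$$"
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
# Sample sshd_config (constructed)
Port 22
protocol 2
PermitRootLogin yes
#PermitRootLogin no
MACs hmac-sha1,hmac-ripemd160
EOF

# On a real server run: audit_sshd_config /etc/ssh/sshd_config
audit_sshd_config "$SAMPLE_CONFIG" || echo "sshd_config deviates from the guideline"
```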

Certifier Security
There are a few practices that should be followed to ensure secure operation of Certifier.
After installation, a root operator "admin" is created with the password "admin". At a minimum, this
password should be changed. It is also possible to delete the admin operator after a new operator with
the same access level has been created. This is recommended if operators have personal user
accounts.
The Engine TLS private key should be protected with a master password. This is done by setting
"Encrypt TLS private key" on the System Parameters page.
The master password should also be changed from its default value.
If possible, the Administration service should be bound to localhost only. If remote access is
required, it should be protected with TLS and preferably with client authentication.
The default Web Enrollment service should be removed if it is not required, for example when
using CMP, SCEP or off-line certification via the Administration GUI.
The Web Enrollment service should be protected with TLS.
If the CA server has multiple network interfaces, services should be bound only to the required
interface by explicitly specifying the corresponding IP address.
In a multi-CA environment it is recommended to use different services for accessing the CAs of
different organizations, for example separate CMP services bound to different ports.
The DoS settings (dos (host-rate-limit <n>)) in server.conf should be checked for the
different services. The rate limit value specifies how many requests from a single host are allowed
in 10 seconds. Note that this does not prevent DoS attacks against the OS's TCP/IP stack
implementation.
Operator access levels should be set explicitly for the needed CAs and should only have the level
sufficient for the operator's purpose. Only the admin or a similar operator should have "super-user"
access to "All CAs".
Access to CAs for delegated RAs should be specified explicitly and never allow access to the
implicit "All CAs".
Accessible CAs for certain services (Web Enrollment, CMP, SCEP, Validation Authority) should
be set explicitly, always using the "Only selected CAs" mode instead of the implicit "All CAs" or "All
except selected CAs".
The Publishing service (to an LDAP server) can also be protected with TLS.

Links to More Information

These web pages have more information on Linux security and hardening:

http://www.redhat.com/support Support pages for Red Hat Linux.
http://fedora.redhat.com/ Fedora homepage.
http://www.linuxsecurity.com/ Linux security page.
http://www.faqs.org/docs/securing/ Red Hat Linux hardening guide.