10 Simple Steps to RedHat Linux Security

Posted on 20. Oct, 2009 in Security, Server

This document outlines 10 easy-to-implement steps to lock down a RedHat Linux server. It assumes a fresh vanilla RedHat 5.4 install as described in the post Installing RedHat 5.4 64 bit.

Not all of the below steps are appropriate for all systems. Use your judgment to pick the measures that fit your environment, and test each one before moving on: several of them (the GRUB password, the su restriction, tcp_wrappers) will lock you out of the server if applied incorrectly, so keep a second session open while you work and verify from it.

1. Configure Security Banners/Disclaimers
2. Set GRUB boot loader password
3. Password protect single user mode
4. Configure Password Policy
5. Disable Unnecessary Services
6. Delete Unnecessary accounts and groups
7. Restrict su to sysadmin group
8. Prevent root login through ssh
9. Configure IP Access Controls with tcp_wrappers
10. Resource Limits

Configure Security Banners/Disclaimers

The security banner is the message displayed to users before they log in. A banner stops nobody on its own; its value is legal. It puts anyone connecting on notice that the system is private and its use is monitored, which is what supports prosecution or disciplinary action against an intruder later. Keep it free of anything useful to an attacker, such as the OS version, hostname or organisation details.

Here is an example of a generic banner:

Warning! This is a private system. Unauthorized access to or use of this system is strictly prohibited. Unauthorized users are subject to criminal prosecution and penalties.

To configure the banner for the console, edit /etc/issue, which mingetty prints above the login prompt:

su root
Enter root password
vi /etc/issue

Use vi commands to replace the contents of the file with your banner text. Enter ESC:x! when finished to save the file. Note that mingetty expands escape sequences such as \r and \m in this file, whereas sshd (next) prints the file literally, so keep the banner to plain text, or give sshd its own copy such as /etc/issue.net.

Users who connect over ssh never pass through mingetty, so in order for the banner to be displayed to them you also need to point sshd at it in the sshd_config file.

vi /etc/ssh/sshd_config

Arrow down to the line that begins with Banner. By default it should be

#Banner /some/banner

Edit this line, removing the # character and change the path to point to the /etc/issue file from above.

Banner /etc/issue

Enter ESC:x! when finished to save file.

Check the configuration and restart the ssh server for the change to take effect. sshd -t validates the file and prints nothing when it is correct:

/usr/sbin/sshd -t
/etc/init.d/sshd restart

Restarting sshd does not drop existing sessions, so keep yours open and confirm the banner appears on a second connection.

Set GRUB boot loader password

Setting a GRUB password protects the boot loader from anyone at the console. It does not, by itself, stop the default entry from booting unattended, so remote reboots still work. What it does is require the password before anyone at the console can edit a boot entry (for example to append single or init=/bin/bash to the kernel line) or drop to the GRUB command line. If you also want the password required to boot an entry at all, add the lock directive to that entry; that is the configuration that makes unattended reboots impossible. Either way a mistake here can leave the machine unable to boot, so I would not recommend this if you do not have physical access to the server.

The first step is to hash your password. GRUB stores an MD5-crypt hash, the same format older /etc/shadow entries use, which begins with $1$. Run the grub md5 utility:

/sbin/grub-md5-crypt

Enter your password and confirm it. The program prints the hash; copy it carefully, as it goes into grub.conf verbatim.

Next, edit the grub config file and add the hash:

su root
Enter root password
vi /boot/grub/grub.conf

Insert a new line in the global section of the file, before the first title line, placing your hash after --md5 (the option takes two dashes):

password --md5 <hash printed by grub-md5-crypt>

Save the file by entering ESC:x!

Make sure the file is readable only by root (ls -l /boot/grub/grub.conf should show -rw-------; chmod 600 it if not), since anyone who can read the hash can attack it offline.

Reboot and verify that the new password is working: at the GRUB menu press p, enter the password, and only then should e (edit) and c (command line) become available. Then let the default entry boot as normal.

Note: if the password line is malformed you may be unable to use the GRUB menu or, with lock, unable to boot at all. Boot from the RedHat installation CD/DVD, enter linux rescue at the boot prompt, let it mount your root filesystem under /mnt/sysimage, and edit /mnt/sysimage/boot/grub/grub.conf to remove or comment out the password line.

Password protect single user mode

Single user mode (runlevel S, reached by adding single to the kernel line in GRUB) is a system maintenance mode similar to Windows safe mode. On RedHat 5 it drops straight to a root shell without asking for a password, so anyone with console access who can edit the boot entry gets root on the system. Requiring a password for single user mode closes that path.

Doing so is actually quite easy. Edit /etc/inittab as follows:

su root
Enter root password
vi /etc/inittab

Insert the following line:

~~:S:wait:/sbin/sulogin

Type ESC:x! to save and exit. sulogin prompts for the root password from /etc/shadow; there is no separate password to configure. This only covers the single-user path through init: someone who can edit the kernel line can still pass init=/bin/bash and bypass inittab altogether, which is why this step and the GRUB password in step 2 belong together.

Configure Password Policy

The following settings force users to change their password every 90 days, wait at least one day between changes, and get two weeks of warning before the password expires.

su root
Enter root password
vi /etc/login.defs

Edit the file as follows:

PASS_MAX_DAYS 90
PASS_MIN_DAYS 1
PASS_MIN_LEN 8
PASS_WARN_AGE 14

Type ESC:x! to save and exit.

Two caveats. First, login.defs is only consulted when an account is created (useradd copies these values into /etc/shadow), so existing accounts keep their current aging values, which on a fresh install is 99999 days. Apply the same policy to them with chage, for example chage -M 90 -m 1 -W 14 username, and check the result with chage -l username. Second, on RedHat PASS_MIN_LEN is ignored, because password quality is enforced by PAM rather than login.defs: set minlen on the pam_cracklib.so line in /etc/pam.d/system-auth instead.
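Because the login.defs edit does not reach existing users, the gap has to be closed per account. The following script is an added example, not part of the original post: it parses a shadow-format file, lists the accounts that actually have a usable password, flags any with an empty password field, and applies the 90/1/14 policy with chage to the ones whose maximum age is still outside it. The function names, the MAX_DAYS/MIN_DAYS/WARN_DAYS variables and the apply switch are conventions of this example only.

```bash
#!/bin/bash
# Added example, not from the original post: bring EXISTING accounts in
# line with the ageing policy set in login.defs. login.defs only affects
# accounts created after the edit (useradd copies its values into
# /etc/shadow), so users that already exist keep their old fields.
# Shadow format: name:hash:lastchange:min:max:warn:inactive:expire:reserved
MAX_DAYS=${MAX_DAYS:-90}
MIN_DAYS=${MIN_DAYS:-1}
WARN_DAYS=${WARN_DAYS:-14}

# Accounts in a shadow-format FILE whose second field holds a real hash.
# Locked ("!...") and disabled ("*", "!!") entries are skipped: ageing a
# password nobody can use achieves nothing.
accounts_with_passwords() {
    awk -F: '$2 != "" && $2 !~ /^[!*]/ { print $1 }' "$1"
}

# Accounts with an EMPTY password field: these log in with no password at
# all and need fixing (passwd, or usermod -L) before any ageing matters.
accounts_without_password() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Accounts with a usable password whose maximum age (field 5) is unset or
# larger than MAX days, i.e. the ones the login.defs edit did not reach.
accounts_out_of_policy() {
    local file=$1 max=$2
    awk -F: -v max="$max" \
        '$2 != "" && $2 !~ /^[!*]/ && ($5 == "" || $5 + 0 > max + 0) { print $1 }' "$file"
}

# Apply the policy to the live system (needs root). Prints each change.
apply_aging() {
    local user
    for user in $(accounts_without_password /etc/shadow); do
        echo "WARNING: $user has an empty password field" >&2
    done
    for user in $(accounts_out_of_policy /etc/shadow "$MAX_DAYS"); do
        echo "chage -M $MAX_DAYS -m $MIN_DAYS -W $WARN_DAYS $user"
        chage -M "$MAX_DAYS" -m "$MIN_DAYS" -W "$WARN_DAYS" "$user"
    done
}

# Only touch the system when invoked as: ./aging.sh apply
if [ "${1:-}" = apply ]; then apply_aging; fi
```

Run it as root with the apply argument. root is included deliberately, since root's password ages like any other; if you do not want root to be forced through a change, exclude it from the loop or reset it afterwards with chage -M 99999 root.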

Disable Unnecessary Services

An important security principle is "if you don't need it, disable it". Every running service exposes the system to some level of risk. Some services are clearly more exposed than others, but you often don't know what the vulnerabilities of a given service are, and some may not have been discovered yet.

To see which services are enabled enter (the option takes two dashes):

/sbin/chkconfig --list

The output shows each init script with its state in runlevels 0 to 6; anything that is on in runlevel 3 (multi-user) or 5 (graphical) starts at boot, and /sbin/chkconfig --list | grep '3:on' narrows the list to those. xinetd-managed services are listed separately at the end.

To disable a service so that it no longer starts at boot, and to stop the copy that is running now (chkconfig only changes what happens at the next boot):

/sbin/chkconfig name off
/sbin/service name stop

chkconfig name off keeps the init script registered and turns it off in every runlevel. chkconfig --del, which some guides suggest, removes the service from chkconfig altogether, so it disappears from --list and has to be re-registered with --add before it can be managed again. On a server that does not use them, the following should be disabled at a minimum:

/sbin/chkconfig bluetooth off
/sbin/chkconfig cups off
/sbin/chkconfig autofs off
/sbin/chkconfig isdn off
/sbin/chkconfig portmap off
/sbin/chkconfig vncserver off
/sbin/chkconfig mdmonitor off
/sbin/chkconfig winbind off

Two of these deserve a second look before you turn them off: portmap is required by NFS (client or server) and NIS, and mdmonitor is what reports a failed disk in a software RAID set.

Services started by xinetd are configured in the /etc/xinetd.d directory and should be disabled the same way rather than deleted: chkconfig sets disable = yes in the service file and tells xinetd to reload, whereas deleting the file is flagged by rpm -V and undone the next time the package that owns it is updated. For example:

/sbin/chkconfig gssftp off
/sbin/chkconfig krb5-telnet off
/sbin/chkconfig tftp off
/sbin/chkconfig daytime off
/sbin/chkconfig daytime-udp off
/sbin/chkconfig chargen off
/sbin/chkconfig chargen-udp off
/sbin/chkconfig ekrb5-telnet off

On a fresh install most of these are already disabled; /sbin/chkconfig --list shows the xinetd based services with their current state at the bottom of its output. If none of the remaining entries are needed, disable xinetd itself as well.

Delete Unnecessary accounts and groups

There are a number of default accounts and groups that you will probably never need. They are locked and have no login shell, so the immediate risk is low, but an unused account is one more name to be targeted and one more UID whose files get inherited by whatever account is later created with the same number. Before deleting any of them, check what they own and whether a package still needs them; several (mail, ftp, ntp, lp, xfs and adm among them) are created and used by packages, and deleting them leaves orphaned files and rpm -V complaints. find / -xdev \( -user name -o -group name \) lists the files an account owns. If a package still needs the account, lock it instead (usermod -L name; usermod -s /sbin/nologin name). Some of the groupdel commands below may report that the group no longer exists because userdel already removed it; that is harmless. Use the following commands to delete the accounts you have decided against:

/sbin/userdel adm
/sbin/groupdel adm
/sbin/userdel lp
/sbin/groupdel lp
/sbin/userdel shutdown
/sbin/groupdel shutdown
/sbin/userdel halt
/sbin/groupdel halt
/sbin/userdel news
/sbin/groupdel news
/sbin/userdel uucp
/sbin/groupdel uucp
/sbin/userdel operator
/sbin/groupdel operator
/sbin/userdel games
/sbin/groupdel games
/sbin/userdel gopher
/sbin/groupdel gopher
/sbin/userdel ftp
/sbin/groupdel ftp
/sbin/userdel mail
/sbin/groupdel mail
/sbin/userdel xfs
/sbin/groupdel xfs
/sbin/userdel ntp
/sbin/groupdel ntp
/sbin/userdel mailnull
/sbin/groupdel mailnull
/sbin/userdel pcap
/sbin/groupdel pcap

Restrict su to sysadmin group

Another layer of protection is to prevent unprivileged users from running the su command at all, so that a compromised ordinary account cannot even attempt to become a more powerful user.

The first step is to create a system administrators group. Only trusted system admins should be made members of this group.

/usr/sbin/groupadd sysadmin

Next, add the existing system admins to the group, including the account you are working from, before restricting su. Use -a -G so that sysadmin is appended to the user's supplementary groups; usermod -g would change the user's primary group instead and alter the group ownership of every file they create from then on. For each account execute the following:

/usr/sbin/usermod -a -G sysadmin username

Finally, enter the following commands to restrict the su binary to this group. chmod o-rwx leaves the setuid bit in place, so ls -l should afterwards show -rwsr-x--- root sysadmin:

chgrp sysadmin /bin/su
chmod o-rwx /bin/su
ls -l /bin/su

Verify from a second session that a member of sysadmin can still su and that a non-member gets "permission denied". Two things to be aware of: rpm -V coreutils will now flag /bin/su, and a coreutils update restores the original mode and group, so re-check after updates. The PAM equivalent survives updates: in /etc/pam.d/su, uncomment the line auth required pam_wheel.so use_uid and make your admins members of the wheel group (or point it at your group with group=sysadmin).

Prevent root login through ssh

There is one very well known account that you can't really get rid of: root. What you can do is keep it from being reachable over the network at all by disallowing root logins through ssh. Administrators then log in with their own accounts and use su (restricted in step 7), which also leaves a record of who became root.

This is another very easy one to implement. Edit /etc/ssh/sshd_config, uncomment the PermitRootLogin line and set it to no. The commented-out line only documents the compiled-in default, which is yes, so leaving it commented changes nothing.

su root
Enter root password
vi /etc/ssh/sshd_config

Change the line:

#PermitRootLogin yes

To:

PermitRootLogin no

sshd uses the first uncommented occurrence of a keyword and ignores later ones, so make sure no earlier PermitRootLogin line exists in the file. Then check and restart as in step 1 (/usr/sbin/sshd -t followed by /etc/init.d/sshd restart) while keeping your current session open, and confirm from a second connection that ssh root@host is refused and that your own account still works.
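Most of the edits in steps 1 to 4 and 8 fail silently when a line is left commented out or duplicated, because the programs that read these files each apply their own first-match rule. The following bash functions are an added example, not part of the original post or of RedHat: they read a setting back the way sshd, login.defs users, init and GRUB would see it, so the edits can be verified before you log out or reboot. The function names and the --live switch are conventions of this example.

```bash
#!/bin/bash
# Added example, not from the original post: read back the settings made
# in steps 1-4 and 8 the way the consuming programs read them.
# sshd honours only the FIRST non-comment occurrence of a keyword, so a
# line left commented out does nothing and a later duplicate loses.
# (Match blocks, which make later keywords conditional, are not handled.)

# Print the value sshd will use for KEYWORD from sshd_config FILE; prints
# nothing when the keyword is absent, meaning the compiled-in default applies.
sshd_effective() {
    local file=$1 keyword=$2
    awk -v kw="$keyword" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comment or blank line
        tolower($1) == tolower(kw) { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$file"
}

# Succeed only if root logins over ssh are disabled. With the keyword
# absent OpenSSH defaults to yes, which is why "#PermitRootLogin no" is
# not enough.
root_login_disabled() {
    local v
    v=$(sshd_effective "$1" PermitRootLogin | tr 'A-Z' 'a-z')
    [ "${v:-yes}" = no ]
}

# Succeed if a Banner is configured (sshd treats "none" as no banner).
banner_configured() {
    local v
    v=$(sshd_effective "$1" Banner | tr 'A-Z' 'a-z')
    [ -n "$v" ] && [ "$v" != none ]
}

# Print the value of KEY from a login.defs-style FILE (first match wins,
# comments and blank lines ignored).
logindefs_value() {
    local file=$1 key=$2
    awk -v k="$key" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 == k { print $2; exit }
    ' "$file"
}

# Succeed if FILE (an /etc/inittab) has an active sulogin entry for runlevel S.
inittab_requires_sulogin() {
    grep -Eq '^[^#]*:S:wait:/sbin/sulogin' "$1" 2>/dev/null
}

# Succeed if FILE (a grub.conf) carries a global "password --md5 $1$..." line.
grub_has_password() {
    grep -Eq '^[[:space:]]*password[[:space:]]+--md5[[:space:]]+\$1\$' "$1" 2>/dev/null
}

# Run every check against the live system, one verdict per line.
audit() {
    local rc=0 cfg=/etc/ssh/sshd_config
    root_login_disabled "$cfg" && echo "ok   PermitRootLogin no" || { echo "FAIL PermitRootLogin"; rc=1; }
    banner_configured   "$cfg" && echo "ok   ssh Banner set"     || { echo "FAIL ssh Banner"; rc=1; }
    [ "$(logindefs_value /etc/login.defs PASS_MAX_DAYS)" = 90 ] \
        && echo "ok   PASS_MAX_DAYS 90" || { echo "FAIL PASS_MAX_DAYS"; rc=1; }
    inittab_requires_sulogin /etc/inittab && echo "ok   single-user sulogin" || { echo "FAIL single-user sulogin"; rc=1; }
    grub_has_password /boot/grub/grub.conf && echo "ok   GRUB password" || { echo "FAIL GRUB password"; rc=1; }
    return $rc
}

# Only inspect the running system when invoked as: ./check.sh --live
if [ "${1:-}" = --live ]; then audit; fi
```

Run it with --live on the server; the exit status is non-zero when any check fails, so it can also be dropped into a cron job that mails you when an update or a colleague has quietly undone one of the settings.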

Configure IP Access Controls with tcp_wrappers

TCP Wrappers is an access control library that enforces client address restrictions for services that are linked against it (on RedHat that includes sshd, and everything started through xinetd) or that run under tcpd. It is installed by default in RedHat and most Linux/Unix distributions. It is not a firewall: services that do not use libwrap, Apache for example, are not covered, so treat it as a complement to iptables rather than a replacement. It can be used two ways: you can deny specific ip addresses, or allow only listed ip addresses and deny everything else. In the following example we will do the latter.

Two configuration files control the access: /etc/hosts.allow and /etc/hosts.deny. For each connection the library reads hosts.allow first and grants access on the first matching rule; if nothing matches it reads hosts.deny and denies access on the first matching rule; if nothing matches there either, access is granted. Each rule has the form daemon_list : client_list. A client pattern that ends in a dot (192.168.1.) matches every address that begins with those fields; without the trailing dot the pattern is taken as a literal host address or name, so 192.168.1 would match nothing and lock everyone out. The files are re-read on every connection, so edits take effect immediately, which is why hosts.allow must be written before hosts.deny when you are working over ssh.

In the following example we permit ssh from the 192.168.1.0/24 network and deny everything else:

su root
Enter root password
vi /etc/hosts.allow

add the line:

sshd: 192.168.1.

ESC:x! to save

vi /etc/hosts.deny

add the line:

ALL: ALL

ESC:x! to save

Before closing your session, confirm the decision with tcpdmatch, which evaluates the two files exactly as the library does (it may warn that the daemon is not in inetd.conf; the verdict still applies):

tcpdmatch sshd 192.168.1.10
tcpdmatch sshd 10.0.0.5

The first should report access: granted and the second access: denied. Note that ALL: ALL in hosts.deny also blocks every other wrapped service from every address, including localhost, so add hosts.allow lines for anything else the host serves, for example ALL: 127.0.0.1.
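The trailing-dot detail is easy to get wrong and the consequences only show up after you disconnect. The following script is an added example, not part of the original post and not code from the tcp_wrappers project: it re-implements the hosts_access(5) decision for the rule forms used in this step (ALL, an exact address, a trailing-dot prefix and net/mask; EXCEPT lists, host names and the optional shell-command field are left out), so the effect of a pattern can be checked against constructed files without touching the live ones. The function names and the demo switch are conventions of this example; on the server itself, tcpdmatch gives the authoritative answer.

```bash
#!/bin/bash
# Added example, not from the original post or the tcp_wrappers project:
# a small re-implementation of the hosts.allow / hosts.deny decision.
# Order: hosts.allow (first match grants), then hosts.deny (first match
# denies), otherwise access is granted.

# Dotted quad to a 32-bit integer.
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed if IP matches one client PATTERN.
client_match() {
    local pattern=$1 ip=$2 net mask m
    case $pattern in
        ALL) return 0 ;;
        */*) net=${pattern%/*}; mask=${pattern#*/}; m=$(ip2int "$mask")
             [ $(( $(ip2int "$ip") & m )) -eq $(( $(ip2int "$net") & m )) ] ;;
        *.)  [ "${ip#"$pattern"}" != "$ip" ] ;;   # trailing dot: leading fields must match
        *)   [ "$pattern" = "$ip" ] ;;            # anything else is a literal address
    esac
}

# Succeed if DAEMON and IP match any "daemon_list : client_list" rule in FILE.
file_match() {
    local file=$1 daemon=$2 ip=$3 line daemons clients rest d c
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                              # drop comments
        [ -z "${line//[[:space:]]/}" ] && continue    # skip blank lines
        IFS=: read -r daemons clients rest <<< "$line"
        for d in ${daemons//,/ }; do
            [ "$d" = ALL ] || [ "$d" = "$daemon" ] || continue
            for c in ${clients//,/ }; do
                client_match "$c" "$ip" && return 0
            done
        done
    done < "$file"
    return 1
}

# Print the verdict for DAEMON connecting from IP, given ALLOW and DENY files.
hosts_access() {
    local daemon=$1 ip=$2 allow=$3 deny=$4
    if file_match "$allow" "$daemon" "$ip"; then echo granted; return 0; fi
    if file_match "$deny"  "$daemon" "$ip"; then echo denied;  return 1; fi
    echo granted                                  # no rule matched anywhere
}

# Worked comparison (constructed files): the pattern without the trailing
# dot versus the corrected one, for a client on the intended subnet.
demo() {
    local dir; dir=$(mktemp -d)
    printf 'ALL: ALL\n' > "$dir/hosts.deny"
    printf 'sshd: 192.168.1\n' > "$dir/hosts.allow"
    echo "sshd: 192.168.1   from 192.168.1.10 -> $(hosts_access sshd 192.168.1.10 "$dir/hosts.allow" "$dir/hosts.deny")"  # denied
    printf 'sshd: 192.168.1.\n' > "$dir/hosts.allow"
    echo "sshd: 192.168.1.  from 192.168.1.10 -> $(hosts_access sshd 192.168.1.10 "$dir/hosts.allow" "$dir/hosts.deny")"  # granted
    echo "sshd: 192.168.1.  from 10.0.0.5     -> $(hosts_access sshd 10.0.0.5 "$dir/hosts.allow" "$dir/hosts.deny")"      # denied
    rm -rf "$dir"
}

# Run the comparison when invoked as: ./wrapsim.sh demo
if [ "${1:-}" = demo ]; then demo; fi
```

The demo prints denied, granted, denied: the rule as originally written never matches, so the ALL: ALL line in hosts.deny wins and the administrator on 192.168.1.10 is locked out with everyone else.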

Resource Limits

These settings prevent a single user from exhausting the machine. They limit the size of any file a user's process can create to 100 MB and cap each user at 150 concurrent processes, which also blunts a fork bomb.

su root
Enter root password
vi /etc/security/limits.conf

Insert the following lines at the bottom of the file. Each entry needs a domain field; * applies the limit to every user. fsize is measured in kilobytes, so 102400 is 100 MB:

*    hard    fsize    102400
*    hard    nproc    150

These limits are applied by pam_limits to sessions that go through PAM (console and ssh logins, su, cron jobs), not to daemons started at boot, and a hard limit cannot be raised by the user. Do not rely on the * entry covering root: pam_limits documents that wildcard and group entries are not applied to root, so add an explicit root line if you want it limited. Check from a fresh login with ulimit -Hf and ulimit -Hu. Keep an eye on nproc on hosts where one account legitimately runs many processes; 150 is low for those and the symptom is the cryptic "fork: Resource temporarily unavailable".

3 Comments

Vignesh

26. Sep, 2011

Very good post. We can also consider SELinux and iptables.

And about your topic "Password protect single user mode": how do we configure the password? If we try to access single user mode after changing inittab as mentioned above, what password will be prompted for?
