Not all of the below steps are appropriate for all systems. You will need to use your judgment to pick and choose which security measures are relevant to your environment.

1. Configure Security Banners/Disclaimers
2. Set GRUB boot loader password
3. Password protect single user mode
4. Configure Password Policy
5. Disable Unnecessary Services
6. Delete Unnecessary accounts and groups
7. Restrict su to sysadmin group
8. Prevent root login through ssh
9. Configure IP Access Controls with tcp_wrappers
10. Resource Limits

Configure Security Banners/Disclaimers

The Security Banner refers to the message that is displayed when users log in. Banners provide legal protection against unauthorized access attempts and provide a means to prosecute violators.

Here is an example of a generic banner:

Warning! This is a private system. Unauthorized access to or use of this system is strictly prohibited. Unauthorized users are subject to criminal prosecution and penalties.

To configure a banner in Redhat, edit the file /etc/issue:

su root
Enter root password
vi /etc/issue

Use vi commands to edit file and replace with your banner text. Enter ESC:x! when finished to save file.

In order for this banner to be displayed when users attempt to ssh to your server you will need to add it to the sshd_config file.

vi /etc/ssh/sshd_config

Arrow down to the line that begins with Banner. By default it should be

#Banner /some/banner

Edit this line, removing the # character and change the path to point to the /etc/issue file from above.

Banner /etc/issue

Enter ESC:x! when finished to save file.

Enter the following command to restart the ssh server for the changes to take effect:

/etc/init.d/sshd restart

Set GRUB boot loader password

Setting a password on the grub boot loader will require you to enter a password before booting the system. Although this is a recommended security practice, it is worth mentioning that this can be annoying, especially if you ever need to reboot the system remotely. I would not recommend this if you do not have physical access to the server.

The first step is to create a MD5 representation of your password. Enter the following to execute the grub md5 utility:

/sbin/grub-md5-crypt

Enter your password and confirm it. The program will generate an encrypted string. Carefully copy this string to a notepad.

Next you will need to edit the grub config file and add this encrypted password:

su root
Enter root password
vi /boot/grub/grub.conf

Insert a new line as following, placing your md5 password string after the –md5:

password –md5 $5Hhd9D4HEO7$%df8fHdLO9PDjU70

Save the file by entering ESC:x!

Reboot and verify that the new password is working.

Note: If for some reason this doesn’t work you may be locked out of your system. You will need to insert the RedHat installation CD/DVD and boot the system in recovery mode in order to undo the changes. To undo above edit the /boot/grub/grub.conf file and remove or comment out the password line.

Password protect single user mode

Single user mode is a system maintenance mode similar to windows safemode. If an attacker obtains access to the console he/she could potentially exploit this capability to bypass security controls and obtain root access to the system. It is a good idea to protect single user mode with a password to help prevent this.

Doing so is actually quite easy. Edit the /etc/inittab as followsg:

su root
Enter root password
vi /etc/inittab

Insert the following line:

~~:S:wait:/sbin/sulogin

Type ESC:x! to save and exit.

Configure Password Policy

The following settings force users to change their password every 90 days and enforce passwords at least 8 characters long.

su root
Enter root password
vi /etc/login.defs

Edit the file as follows:

PASS_MAX_DAYS 90
PASS_MIN_DAYS 1
PASS_MIN_LEN 8
PASS_WARN_AGE 14

Type ESC:x! to save and exit

Disable Unnecessary Services

An important security principle is “if you don’t need it, disable it”. All running services expose the system to some level of risk. Obviously, some services are much more vulnerable than others but often you don’t know what the vulnerabilities of any given service are, and some may yet to have been discovered.

To see what services are enabled enter:

/sbin/chkconfig –list

To disable a service enter:

/sbin/chkconfig -del service

At a minimum the following should be disabled:

/sbin/chkconfig -del bluetooth
/sbin/chkconfig -del cups
/sbin/chkconfig -del autofs
/sbin/chkconfig -del isdn
/sbin/chkconfig -del portmap
/sbin/chkconfig -del vncserver
/sbin/chkconfig -del mdmonitor
/sbin/chkconfig -del winbind

It is also a good idea to go through the /etc/xinetd.d directory and delete any unused services here. For example:

rm /etc/xinetd.d/gssftp
rm /etc/xinetd.d/krb5-telnet
rm /etc/xinetd.d/tftp
rm /etc/xinetd.d/daytime*
rm /etc/xinetd.d/chargen*
rm /etc/xinetd.d/ekrg5-telnet*

Delete Unnecessary accounts and groups

There are a number of default accounts and groups that you probably will never need and having them around can be a potential risk. Use the following commands to delete them:

/sbin/userdel adm
/sbin/groupdel adm
/sbin/userdel lp
/sbin/groupdel lp
/sbin/userdel shutdown
/sbin/groupdel shutdown
/sbin/userdel halt
/sbin/groupdel halt
/sbin/userdel news
/sbin/groupdel news
/sbin/userdel uucp
/sbin/groupdel uucp
/sbin/userdel operator
/sbin/groupdel operator
/sbin/userdel games
/sbin/groupdel games
/sbin/userdel gopher
/sbin/groupdel gopher
/sbin/userdel ftp
/sbin/groupdel ftp
/sbin/userdel mail
/sbin/groupdel mail
/sbin/userdel xfs
/sbin/groupdel xfs
/sbin/userdel ntp
/sbin/groupdel ntp
/sbin/userdel mailnull
/sbin/groupdel mailnull
/sbin/userdel pcap
/sbin/groupdel pcap

Restrict su to sysadmin group

Another layer of protection is to prevent unprivileged users from being able to execute the su command, denying them the ability to become more powerful users.

The first step is to create a system administrators group. Only trusted system admins should be made members of this group.

/usr/sbin/groupadd sysadmin

Next, enter the following commands to restrict the su command to this group:

chgrp sysadmin /bin/su
chmod o-rwx /bin/su

Finally, make sure to add existing system admins to the sysadmin group. For each account execute the following:

/usr/sbin/usermod -g sysadmin username

Prevent root login through ssh

There is one very well known account that you can’t really get rid of: root. However, one measure you can take to prevent people from trying to access this account is to disallow login as root through ssh.

This is another very easy one to implement. All you need to do is edit the /etc/ssh/sshd_config, uncomment the PermitRootLogin line and set it to no.

su root
Enter root password
vi /etc/ssh/sshd_config

Change the line:

#PermitRootLogin yes

To:

PermitRootLogin no

Configure IP Access Controls with tcp_wrappers

TCP_Wrappers is a security framework used to enforce ip address access controls on services such as ssh and ftp. It is installed by default in RedHat and most linux/unix distros. It can be used two ways: you can deny specified ip address or you can restrict access to only allowed ip addresses. In the following example we will do the later.

There are two configuration files that control the access: /etc/hosts.allow and /etc/hosts.deny. As the names imply, hosts.allow lists ip addresses that are allowed, and hosts.deny lists ip addressses that are not allowed.

In the following example we will first configure the hosts.deny file to deny ALL, and then configure the hosts.allow file to only permit ssh for users on the 192.168.1 subnet.

su root
Enter root password
vi /etc/hosts.deny

add the line:

ALL: ALL

ESC:x! to save

vi /etc/hosts.allow

add the line:

sshd: 192.168.1

ESC:x! to save

Resource Limits

These settings will prevent users from consuming too many resources. These changes will have the following effects: file sized will be limited to 100 MB and users can have a maximum of 150 concurrent processes running.

su root
Enter root password
vi /etc/security/limits

Insert the following lines at the bottom of the file:
hard fsize 102400
hard nproc 150

This document outlines the steps to install VMware tools on Redhat 5.4. This document assumes a fresh vanilla install as described in the post
Installing RedHat 5.4 64 bit.

To begin log into your RedHat server as a user and right click on the desktop to open a terminal window.

Enter the command su and enter your root password to become root.

Change directories to the temp directory:

cd /tmp

From the VMWare file menu click on VM and click on “Install VMware Tools”

Enter the following command to mount the cdrom:

mount -o ro /dev/cdrom /mnt

Enter the following command to copy files from the /mnt mointpoint to the current directory (/tmp):

cp /mnt/* .

There are two files: an rpm and a tar.gz archive. I have not had the best of luck with the rpm, so instead we will install the generic way using the perl script contained within the archive.

Enter the following to unzip the archive:

gunzip VM*.gz
tar -xvf VM*.tar

Change directories to the newly created vmware-tools-distrib directory:

cd vmware-tools-distrib

Enter the following to execute the vmware-install perl script:

perl vmware-install.pl

Continue to press Enter at prompts to accept defaults until script completes

Script completes in about a minute and you’re all done

Please post questions or comments below

Insert CD/DVD and power on system. At the splash screen press Enter key to begin install.

Select OK and press Enter to run a media test (optional).

Review License Agreement and press Close to continue

Press Next

Select Language

If you have an Installation Number enter it here. Otherwise select Skip.

If you are installing on a fresh disk you will receive a message indicating that no partition table was found. Press Yes to initialize disk.

Leave default selected (”Remove linux partitions on selected drives and create default layout”) but check the box “Review and Modify Partition Layout”

At warning Press Yes to continue creating new partitions (existing data will be deleted)

On the following screen you may review default partitions. By default there are only two partitions: swap and / (root). 1 GB of swap should be good for most systems. Some people use the rule of thumb: swap equals twice physical memory; however, nowadays systems typically have multiple gigs of memory in which case this much swap is overkill.

In this build we will modify the / partition and reallocate space to create additional partitions for /var and /opt. This step is optional, but it separates logs (mostly on /var) and applications (often in /opt) into their own partitions, providing some insurance to prevent them from filling up disk space on the root partition.

Click on the / partition and press the edit button.

On the popup screen, select / and press Edit. Reduce the size to allow for the creation of the /var and /opt partitions. In this case we will make the / partition 8992 MB (Use your judgment to decide how much to assign depending on how much space is available and what types of applications will be running).

Press the Add button to create new partitions for /var and /opt. In this case we will make /var 4000 MB and /opt 4288 MB.

Review partitions one more time and press Next

Leave defaults and press next (if you want to be super secure, you may configure a password for the grub loader, which requires a password to boot the system. This can be very annoying if you are doing remote administration).

Enter static IP address and network configuration

Select time zone

Enter root password

The software development option gives you all kinds of useful stuff like perl and java. These are a pain to install manually so it’s nice to let the installer do it for you here.

If this is going to be a web server you may choose to check the web server box, but I am not a fan of the default apache package so I prefer to build it manually post-install.

Select Software Development and press next

Press Next

OS will be installed. May take about 10-15 minutes

When installation is complete press Reboot

After reboot there will be a few more configuration items. Press Forward to continue

Read License Agreement and press Forward

RedHat comes with a server-based firewall. Select services to be enabled and/or add any port exceptions. Since we don’t really know what this server will be used for at this point the only one we will worry about is ssh.

We will leave default setting for SELinux security settings.

We will enable kdump to capture information in the event of a crash and leave the default 128 memory allocation.

We will use NTP to keep the system clock in-sync. Click on the Network Time Protocol tab and enter NTP servers (if unsure skip and just leave default).

Setup software updates. If you have a subscription to red hat you may setup software updates here.

It’s a bad idea to log in as root all the time so you should create a user account. Enter your username and password.

We don’t have a sound card so we skip this.

At this point we are done the OS install. Press Finish.

Press OK to Reboot.

Please leave comments below if you have any questions or would like to add anything to this build.

I recommend you also review this article on Redhat 5.4 Security

In this build we will be installing Webmin on a fresh Ubuntu LAMP server install (see Building LAMP on Ubuntu Part 1).

Log in to the server as a regular user

Use su command to become root

We will be using the apt installer to download and install the webmin package. In order to obtain this package we will first need to update our apt sources list so the apt program knows where to download it from. Enter the following command to edit the sources file:

vi /etc/apt/sources.list

Use the down arrow to move down to any blank line in the file and press the i key to enter INSERT mode.

Once in INSERT mode enter the following text:

deb https://download.webmin.com/download/repository sarge contrib

Press ESC key to escape from INSERT mode. Then type :x! (colon, lowercase x, exclamation mark) to save and exit.

Now that the apt sources list is updated, enter the following command to force the apt program to update its database:

apt-get update

The apt program will go out and search for available packages. This will take about a minute

At this point, the apt program should have found the webmin package. You may receive an error stating that the key could not be verified. Its OK to ignore this.

To install webmin, simply type the following command:

apt-get install webmin

At the prompt press Y for yes

You may receive a warning asking you if you want to install packages without verification. Press Y to continue

Webmin with be installed. It should only take a couple minutes

At this point Webmin is installed. To access Webmin, open your browser and goto https://ipaddress:10000

Depending on your browser, you will probably receive some kind of error regarding an invalid certificate. This message can be ignored. Follow instructions to continue anyway.

Log in to Webmin using username root and your root password

When you first log in to webmin you will see summary information about your server

To manage Apache, click on the Servers link and click on Apache Webserver

To manage MySQL, click on Servers and MySQL Database Server. The first time you access this you will be asked to enter your MySQL root user account information.

As you click around you will find that Webmin can manage just about every aspect of your server from user accounts, to backups, to cron jobs.

If you have any questions or problems with this build document please leave a comment below.

Set Root Password

At this point in the installation the root password is blank, and therefore there is no way to log in as root. Although most administrative tasks can be performed using the sudo command, it makes things easier to have the ability to become root.

Log in to the console using the user account created in part one and type the following command and press Enter:

sudo passwd root

You will first be prompted to enter your current user password (the one you just logged in with). Next you will be asked to enter a new password for the root account, and type it again to confirm. When complete you should see a message indicating that the root password was successfully updated.

To become root, type the su command and press enter:

su

Enter the root password you just created and press enter

Configure Static IP Address

During the installation in part one, the system automatically configured the IP address of the server using DHCP. However, since this will be a web server, it is a good idea to set a static IP address.

To see the current ip address type the following command and press enter:

ifconfig -a

Current network configuration is displayed. Notice the ip address set for your nic card (probably eth0)

The following shows how to edit the network interface configuration file using the vi editor. Make sure you are still logged in as root and enter the following:

vi /etc/network/interfaces

The file will be opened by vi. Notice that the network card is set to dhcp and there is no address defined.

If you have never used vi before, be forewarned that it takes some getting used to. If you make a mistake, just remember the following sequence to escape and not save changes:

ESC :q! ENTER (press escape key, type colon, lowercase q and an exclamation mark, and press ENTER)

Use the arrow keys to move the cursor up/down/left/right. Position the cursor underneath the d of dhcp.

Press the x key four times to delete the word dhcp

Press the i key to start insert mode (when in insert mode you can insert text. to escape insert mode press ESC). You will know you are in insert mode because it says INSERT at the bottom of the screen.

Type the word static and press ENTER to go to the next line

Next enter address and the server’s static ip address, netmask and the subnet mask, and gateway and the server’s gateway/router

Once finished, press the ESC key to escape from insert mode and enter the following command to save and exit:

:x! (colon, lowercase x, and an exclamation mark)

Changes are saved

We will follow the same procedure to edit DNS. Enter the following command to open the dns configuration file:

vi /etc/resolv.conf

Edit the IP address following nameserver to your primary DNS server, and optionally add a second nameserver line with your secondary name server

Enter the following command for the networking changes to take effect

/etc/init.d/networking restart

Verify that your changes took effect by once again typing ipconfig -a

You should see your new ip address for the primary network card

After you complete the setup, you should also review part 3:

Getting to know Ubuntu LAMP Server

If you have questions or problems with this build doc please leave a comment below.