Tips for securing Red Hat Linux 9 or later

This document offers tips for securing a default installation of Red Hat Linux 9 or later, disabling most unnecessary services and enabling a base upon which to tweak further. These instructions are based upon University of Wisconsin-Madison best practices and tuned for Penn-specific settings.

Securing the operating system

• Log in as root
   
• Run /usr/sbin/visudo. Add your account. We recommend you use this sudoers template:

# Sample Linux sudoers file # /etc/sudoers # # This file MUST be edited with the 'visudo' command as root. # # See the sudoers man page for the details on how to write a sudoers file. # http://www.sudo.ws/ ############################ # User alias specification # ############################ # put users into groups here User_Alias ROOTNOPASSWD = User_Alias ROOTPASSWD = User_Alias ROOTRESTRICTED = ############################ # Cmnd alias specification # ############################ # define command aliases here Cmnd_Alias SHELLS = /bin/sh, /bin/bash, /bin/bash2, /bin/ash, /bin/bsh, /bin/tcsh, /bin/csh, /bin/ksh Cmnd_Alias SU = /bin/su Cmnd_Alias PASSWD = /bin/passwd Cmnd_Alias VISUDO = /usr/sbin/visudo ###################### # User specification # ###################### # root can run anything as any user root ALL = (ALL) ALL # ROOTNOPASSWD users can run anything without a password ROOTNOPASSWD ALL = (ALL) NOPASSWD: ALL # ROOTPASSWD USERS may run anything but need a password ROOTPASSWD ALL = (ALL) ALL # ROOTRESTRICTED users may run anything besides a shell, su, passwd, or visudo ROOTRESTRICTED ALL = ALL, !SHELLS, !SU, !PASSWD, !VISUDO

• Log out from the root account
   
• Log in as yourself
   
• Run sudo /usr/sbin/setup
   
• Enter "System Services" and disable everything you don't need. This may include:
   
  • apmd
  • gpm
  • isdn
  • kudzu
  • lpd
  • nfslock
  • pppoe
  • pcmcia
  • portmap
  • rawdevices
  • rhnsd
     
• Note that you will need pcmia if you have a laptop and wish to use PC Card devices, and you will need portmap if you need to connect to and/or serve NFS shares
   
• As root, edit /etc/ntp.conf to set up NTP servers. Use the 'setup' utility to ensure that ntpd is starting at boot. Here is a sample configuration file that will operate with Penn's NTP daemons:

driftfile /var/ntp/ntp.drift server timeserver1.upenn.edu version 3 server timeserver2.upenn.edu version 3 server timeserver3.upenn.edu version 3

• Make sure the /etc/services has the following entries for POP and IMAP service:
   
  • time 37/tcp
    time 37/udp
    
• Be sure to modify /etc/ipfw.conf rules to allow the new services:

add allow tcp from any to any ntp out keep-state add allow udp from any to any ntp out keep-state

• Edit /etc/issue and /etc/issue.net to say: UNAUTHORIZED ACCESS PROHIBITED
   
• Edit /etc/motd to look like this:

This system is for the use of authorized users only. Individuals using this computer system without authority, or in excess of their authority, are subject to having all of their  activities on this system monitored and recorded by properly authorized system personnel. In the course of monitoring individuals improperly using this system, or in the course of system maintenance, the activities of authorized users may also be monitored by properly authorized personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity, system personnel may provide the  evidence of such monitoring to law enforcement officials.

• Install rhupdate:
   
  • lynx http://www.jjminer.org/rhupdate/
  • Download the latest rhupdate
  • Expand the file: tar -xzlf rhupdate-whatever.tar.gz
  • Install: cd rhupdate-whatever/; ./configure; sudo make install
  • Delete what's left: cd ..; rm -rf rhupdate-whatever*
    
• Download and install updates:
   
  • Create a download directory: mkdir /tmp/updates
  • Download the updates: /usr/local/bin/rhupdate --download /tmp/updates --server mirror.services.wisc.edu --dir /mirrors/linux/distributions/redhat/updates/ --hash
  • Install the updates: sudo rpm -Uvh /tmp/updates/*.rpm
  • Delete the updates: rm -f /tmp/updates/*
     
• Prevent some DoS-denial attacks. Add the following lines to the end of /etc/rc.d/rc.local:

##### Begin DoS Prevention ##### # shut some DoS stuff down echo 1 > /proc/sys/net/ipv4/tcp_syncookies echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # increase the local port range echo 1024 65535 > /proc/sys/net/ipv4/ip_local_port_range # increase the SYN backlog queue echo 2048 > /proc/sys/net/ipv4/tcp_max_syn_backlog echo 0 > /proc/sys/net/ipv4/tcp_sack echo 0 > /proc/sys/net/ipv4/tcp_timestamps echo 64000 > /proc/sys/fs/file-max ulimit -n 64000 # stop source routing for i in /proc/sys/net/ipv4/conf/*/accept_source_route   do   echo 0 > $i   done # enable reverse-path filtering for i in /proc/sys/net/ipv4/conf/*/rp_filter   do   echo 1 > $i   done ##### End DoS Prevention #####

• Edit /etc/logrotate.conf for the proper settings (compress, etc.)
   
• Edit /etc/sysctl.conf and change kernel.sysrq to equal 1
   
• Edit /etc/hosts.{allow,deny}
   
  • You will need to configure the hosts files to meet the needs of each individual server. As a rule, only allow what you need from where you need it. The best thing to do is start off denying everything and allow only sshd and then add services as you go. For more information see "man 5 hosts_access"
     
• Edit /etc/ssh/sshd_config:
   
  • Change "PermitRootLogin yes" to "PermitRootLogin no"
  • Change "Protocol 1,2" to "Protocol 2"
     
• Reboot the machine: sudo /sbin/shutdown -r now