
9/21/12

Redhat linux hardening tips & bash script


January 18th, 2011 | Posted in Security, Servers


From the time a server goes into a live environment, it is exposed to many attacks from crackers (hackers). As a system administrator you need to secure your Linux server to protect your data, intellectual property, and time; this is where server hardening comes in. Securing a server is much different than securing a desktop computer for a variety of reasons. By default, a desktop operating system is installed to provide the user with an environment that can be run out of the box. Desktop operating systems are sold on the premise that they require minimal configuration and come loaded with as many applications as possible to get the user up and running. Conversely, a server’s operating system should abide by the Principle of Least Privilege, which states that it should have only the services, software, and permissions necessary to perform the tasks it’s responsible for.

We already covered some topics in earlier articles; some of them are linked here.

Here are some tips for server hardening (some already mentioned in my previous posts):

1) Removing Unnecessary Software Packages (RPMs)

An administrator should be crystal clear about the primary function or role of the Linux server and should know what is installed on it. Therefore, it is critical to look at the default list of software packages and remove unneeded packages.

To get a list of all installed RPMs you can use the following command:

rpm -qa

Remove the unneeded packages from the list.

2) Disabling Run level System Services

In Linux servers, some services are enabled to start at boot by default. It is safe to disable all services that are not needed, as they are security risks and a waste of hardware resources. Read more.
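One way to find services that still start at boot but are not needed, as an added example that is not part of the original post: the function below reads chkconfig --list output and reports every service enabled in a given runlevel that is not on an allowlist. The allowlist reuses the services the script later on this page switches on; the function names and the sample output are constructed for illustration.

```sh
# Added example: flag boot-time services that are not on an allowlist.

# Services allowed to start at boot (the ones this page's script turns on).
ALLOWED="acpid anacron atd cpuspeed lvm2-monitor messagebus ntpd network \
oracle oracleasm readahead_early readahead_later syslog sshd"

# unexpected_services RUNLEVEL: read "chkconfig --list" output on stdin and
# print every service that is "on" in RUNLEVEL but missing from $ALLOWED.
unexpected_services() {
    awk -v rl="$1" -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # SysV lines look like: name 0:off 1:off 2:on 3:on 4:on 5:on 6:off
        # (the xinetd section has only two fields per line and is skipped)
        NF == 8 && $2 ~ /^0:/ {
            for (i = 2; i <= NF; i++)
                if ($i == (rl ":on") && !($1 in ok)) print $1
        }'
}

# Constructed sample of "chkconfig --list" output, not taken from a real host.
sample_chkconfig() {
    cat <<'EOF'
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
bluetooth       0:off   1:off   2:off   3:off   4:off   5:off   6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
ntpd            0:off   1:off   2:on    3:on    4:on    5:on    6:off

xinetd based services:
        chargen-dgram:  off
EOF
}

# Demo on the sample; on a real host: chkconfig --list | unexpected_services 3
sample_chkconfig | unexpected_services 3
```

Each name printed is a candidate for chkconfig NAME off, or for adding to the allowlist if the server's role needs it.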

3) Reviewing Inittab and Boot Scripts

The inittab file /etc/inittab also describes which processes are started at bootup and during normal operation. For example, Oracle uses it to start cluster services at bootup. Therefore, it is recommended to ensure that all entries in /etc/inittab are legitimate in your environment.

I would at least remove the CTRL-ALT-DELETE trap entry to prevent accidental reboots:

The default runlevel should be set to 3 since in my opinion X11 (X Windows System) should not be running on a production server. In fact, it shouldn’t even be installed.

# grep ':initdefault' /etc/inittab

id:3:initdefault:

To have changes in /etc/inittab become effective immediately, you can run:

# init q

4) Securing SSH

SSH is a great protocol and, as its name (Secure SHell) suggests, it is secure, but with a basic configuration it is still prone to attacks. There are ways to make SSH even more secure than it is now. Read more.

5) SSH login without passwords

Automated authentication to a server using the RSA key authentication mechanism. Read more.


6) Kernel Tuning

Following are some tunable kernel parameters you can use to secure your Linux server against attacks. Add these entries to the /etc/sysctl.conf configuration file to make the change permanent across reboots. To activate the configured kernel parameters immediately at runtime, use:

# sysctl -p

Disable IP Source Routing

net.ipv4.conf.all.accept_source_route=0

Disable ICMP Redirect Acceptance

net.ipv4.conf.all.accept_redirects=0

Enable Ignoring Broadcast Requests

net.ipv4.icmp_echo_ignore_broadcasts=1

Enable Bad Error Message Protection

net.ipv4.icmp_ignore_bogus_error_responses=1

Enable Logging of Spoofed Packets, Source Routed Packets, Redirect Packets

net.ipv4.conf.all.log_martians=1
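To check that the five settings above are the ones actually in effect, the following added example (not part of the original post) audits a sysctl.conf-style file, treating the last assignment of a key as the effective one because sysctl -p applies the lines in order. The function names and the sample file contents are constructed for illustration.

```sh
# Added example: audit a sysctl.conf-style file against the settings listed above.

# Desired values, copied from the list above (key=value, one per line).
DESIRED='net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.conf.all.log_martians=1'

# effective_value FILE KEY: print the value "sysctl -p" would leave active,
# i.e. the LAST uncommented assignment of KEY (spaces around "=" are ignored).
effective_value() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { val = v; found = 1 }
        }
        END { if (found) print val }' "$1"
}

# audit_sysctl FILE: print one line per deviation; return 1 if any was found.
audit_sysctl() {
    rc=0
    for pair in $DESIRED; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(effective_value "$1" "$key")
        if [ -z "$have" ]; then
            echo "MISSING  $key (want $want)"; rc=1
        elif [ "$have" != "$want" ]; then
            echo "MISMATCH $key=$have (want $want)"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: one key is overridden further down, one is absent.
sample_conf() {
    cat <<'EOF'
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.all.accept_redirects = 1
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp" && { audit_sysctl "$tmp" || true; }
rm -f "$tmp"
```

On a live host, pass /etc/sysctl.conf as the file, or compare each key against sysctl -n KEY to check the running kernel rather than the file.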

The above are only a few steps for hardening. There are many more, like enforcing strong passwords, locking user accounts after too many login failures, restricting reuse of previously used passwords, setting banners, etc.

Hardening five or six servers can be done quite easily at a stretch, but as the number of servers increases it becomes tiresome and time consuming. So why not run a script that does all the hardening jobs, so that no time is wasted? The script presented here can be customized according to the requirement.

#!/bin/bash

# Disable services that are not needed on this server.
chkconfig autofs off
chkconfig avahi-daemon off
chkconfig avahi-dnsconfd off
chkconfig bluetooth off
chkconfig conman off
chkconfig cups off
chkconfig dhcdbd off
chkconfig firstboot off
chkconfig gpm off
chkconfig haldaemon off
chkconfig isdn off
# The next two lines switch off the host firewall; keep it on unless
# packet filtering is handled elsewhere.
chkconfig iptables off
chkconfig ip6tables off
chkconfig irda off
chkconfig irqbalance off
chkconfig kdump off
chkconfig kudzu off
chkconfig mcstrans off
chkconfig microcode_ctl off
chkconfig multipathd off
chkconfig netconsole off
chkconfig netfs off
chkconfig netplugd off
chkconfig nfs off
chkconfig nfslock off
chkconfig nscd off
chkconfig pcscd off
chkconfig portmap off
chkconfig rdisc off
chkconfig rhnsd off
chkconfig restorecond off
chkconfig rpcgssd off
chkconfig rpcidmapd off
chkconfig rpcsvcgssd off
chkconfig sendmail off
chkconfig smartd off
chkconfig winbind off
chkconfig wpa_supplicant off
chkconfig xfs off
chkconfig ypbind off
chkconfig yum-updatesd off

# Services that stay enabled (oracle and oracleasm only apply to an Oracle host).
chkconfig acpid on
chkconfig anacron on
chkconfig atd on
chkconfig cpuspeed on
chkconfig lvm2-monitor on
chkconfig messagebus on
chkconfig ntpd on
chkconfig network on
chkconfig oracle on
chkconfig oracleasm on
chkconfig readahead_early on
chkconfig readahead_later on
chkconfig syslog on
chkconfig sshd on

# Login banner shown by sshd.
cat > /root/banner << EOF
|-----------------------------------------------------------------|
| This system is for the use of authorized users only.            |
| Individuals using this computer system without authority, or in |
| excess of their authority, are subject to having all of their   |
| activities on this system monitored and recorded by system      |
| personnel.                                                      |
|                                                                 |
| In the course of monitoring individuals improperly using this   |
| system, or in the course of system maintenance, the activities  |
| of authorized users may also be monitored.                      |
|                                                                 |
| Anyone using this system expressly consents to such monitoring  |
| and is advised that if such monitoring reveals possible         |
| evidence of criminal activity, system personnel may provide the |
| evidence of such monitoring to law enforcement officials.       |
|-----------------------------------------------------------------|
EOF
cat /root/banner

# Boot to runlevel 3 and disable the CTRL-ALT-DELETE reboot trap.
sed -i 's/id:5:initdefault:/id:3:initdefault:/g' /etc/inittab
sed -i 's/ca::ctrlaltdel:/#ca::ctrlaltdel:/g' /etc/inittab

# SSH daemon settings.
echo "PermitRootLogin no" >> /etc/ssh/sshd_config
echo "Banner /root/banner" >> /etc/ssh/sshd_config
sed -i 's/#AllowTcpForwarding yes/AllowTcpForwarding no/g' /etc/ssh/sshd_config
sed -i 's/#X11Forwarding no/X11Forwarding no/g' /etc/ssh/sshd_config
sed -i 's/X11Forwarding yes/#X11Forwarding yes/g' /etc/ssh/sshd_config
sed -i 's/#StrictModes yes/StrictModes yes/g' /etc/ssh/sshd_config
sed -i 's/#IgnoreRhosts yes/IgnoreRhosts yes/g' /etc/ssh/sshd_config
sed -i 's/#HostbasedAuthentication no/HostbasedAuthentication no/g' /etc/ssh/sshd_config
sed -i 's/#RhostsRSAAuthentication no/RhostsRSAAuthentication no/g' /etc/ssh/sshd_config
service sshd restart

# Kernel network parameters.
echo "net.ipv4.conf.all.accept_source_route=0" >> /etc/sysctl.conf
echo "net.ipv4.conf.all.accept_redirects=0" >> /etc/sysctl.conf
echo "net.ipv4.icmp_echo_ignore_broadcasts=1" >> /etc/sysctl.conf
echo "net.ipv4.icmp_ignore_bogus_error_responses=1" >> /etc/sysctl.conf
echo "net.ipv4.conf.all.log_martians=1" >> /etc/sysctl.conf
sysctl -p

# Add a user account (root only).
if [ "$(id -u)" -eq 0 ]; then
    read -p "Enter username: " username
    read -s -p "Enter password: " password
    echo
    # Match the whole login name, not just a prefix of it.
    if grep -q "^${username}:" /etc/passwd; then
        echo "$username exists!"
        exit 1
    else
        # chpasswd hashes the password with the system's configured scheme and
        # a random salt; this replaces the fixed-salt crypt() call, which also
        # exposed the password on the perl command line.
        useradd -m "$username" && echo "${username}:${password}" | chpasswd
        [ $? -eq 0 ] && echo "User has been added to system!" || echo "Failed to add a user!"
    fi
else
    echo "Only root may add a user to the system"
    exit 2
fi
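The script above appends PermitRootLogin and Banner with echo and relies on sed matching the stock commented lines, so a second run duplicates entries, and because sshd uses the first value it finds for a keyword, an appended line is ignored when an active one already exists. The added example below (not part of the original script) sets each option exactly once; the function names and sample file are constructed, and it assumes the file has no Match blocks.

```sh
# Added example: idempotent sshd_config edits (assumes no "Match" blocks).

# set_sshd_option FILE KEYWORD VALUE
# Replace the first active KEYWORD line, drop later duplicates, append if
# none is active. sshd keywords are case-insensitive and the first value
# found wins; commented-out defaults are left untouched.
set_sshd_option() {
    tmp=$(mktemp) || return 1
    awk -v key="$2" -v val="$3" '
        tolower($1) == tolower(key) {
            if (!seen) { print key " " val; seen = 1 }
            next
        }
        { print }
        END { if (!seen) print key " " val }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"   # cat keeps owner, mode and SELinux label
    rc=$?
    rm -f "$tmp"
    return $rc
}

# harden_sshd FILE: apply the options set by the script above.
harden_sshd() {
    while read -r key val; do
        set_sshd_option "$1" "$key" "$val" || return 1
    done <<EOF
PermitRootLogin no
Banner /root/banner
AllowTcpForwarding no
X11Forwarding no
StrictModes yes
IgnoreRhosts yes
HostbasedAuthentication no
EOF
}

# active_value FILE KEYWORD: the value sshd would use (first active line).
active_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# Constructed sample: an active "permitrootlogin yes" precedes anything appended.
sample_sshd_config() {
    cat <<'EOF'
Protocol 2
permitrootlogin yes
#X11Forwarding no
X11Forwarding yes
EOF
}

cfg=$(mktemp) && sample_sshd_config > "$cfg" && harden_sshd "$cfg" && cat "$cfg"
rm -f "$cfg"
# On a real host: harden_sshd /etc/ssh/sshd_config && sshd -t && service sshd restart
```

Running sshd -t before the restart checks the edited file for syntax errors, so a bad edit does not take down remote access.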


Tags: Bash, Hardening, Linux, Redhat, scripting

Author : Sandeep kalathil


I am a System Engineer working in Cochin, interested in Linux and Windows servers and happy to share knowledge that I have gained through my day to day work.


www.binbert.com/blog/2011/01/redhat-linux-hardening/