
Linux security 1

Apr 29, 2003
Hi,
I need to implement security on my Linux servers (all RedHat EL AS, versions 3 and 4).
First of all I have to set up a password management policy, so passwords should expire every month, password length is 8 characters, minimum 2 alphanumeric, and so on.
root user can login only on console, not remotely.
These are the most important to start with.

After that I want to disable unneeded services, is there any security guide to follow?

Thanks in advance
 
To set the minimum password length to 8, edit the file

/etc/default/passwd

If you do not find a valid option there, add the following

PASSLENGTH=8

The passwd utility also allows you to set the number of days before the user is asked for a new password.

passwd -x 30 mike

will set the new password for user mike and set its validity to 30 days.



to prevent root user from logging in remotely edit the file

/etc/ssh/sshd.conf

add the following directive

PermitRootLogin no


Cheers

QatQat

Life is what happens when you are making other plans.
 
Apologies,

the file to edit to prevent root login is

/etc/ssh/sshd_config


QatQat

Life is what happens when you are making other plans.
 
Thanks. Is it possible to set the number of days for all users, even new ones created, without issuing the command passwd -x 30 username?

thanks again
 
try adding

MAXWEEKS=4

to your /etc/default/passwd file


QatQat

Life is what happens when you are making other plans.
 
You can change the 5th field in /etc/shadow to "30". I think that the -x option works without requiring a password change (at least it did when I just tried it on a test account). You could do something like this:

for u in `awk -F: '{ print $1 }' /etc/passwd`; do passwd -x 30 $u; done
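The file names in the replies above are Solaris ones. On RHEL 3 and 4 the defaults for new accounts live in /etc/login.defs (PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_MIN_LEN, PASS_WARN_AGE), and they apply only when useradd creates the account, so existing accounts still need chage -M (or passwd -x) as shown above. The script below is an added example, not code from the thread: it reads /etc/shadow-format records on stdin, reports every account with a usable password whose maximum age is unset or longer than 30 days, and prints the chage commands that would bring it into line. The shadow records are a constructed sample with placeholder hashes; as root you would run it against the real file with `fix_commands 30 < /etc/shadow`.

```shell
#!/bin/sh
# Added example (not from the thread): audit /etc/shadow-format records for the
# 30-day password policy and print the chage commands that fix the stragglers.

# Policy from the original question: passwords expire every 30 days.
MAX_DAYS=30

# Constructed sample in /etc/shadow format
# (name:hash:lastchg:min:max:warn:inactive:expire:flag).
# The hashes are placeholders, not real password hashes.
SAMPLE_SHADOW='root:$1$fakehash$abc:13000:0:99999:7:::
mike:$1$fakehash$def:13000:0:30:7:::
gfimon:$1$fakehash$ghi:13000:0::7:::
ftpuser:$1$fakehash$jkl:13000:0:45:7:::
apache:!!:13000:0:99999:7:::
ntp:!!:13000:0:99999:7:::'

# audit_shadow_maxdays MAX: read shadow records on stdin and print the accounts
# whose maximum age (field 5) is empty or larger than MAX.  Accounts whose hash
# field is locked or empty ("!!", "!", "*" or "") cannot log in with a password
# at all, so aging does not apply to them and they are skipped.
audit_shadow_maxdays() {
    awk -F: -v max="$1" '
        NF < 5 { next }
        $2 == "" || $2 == "!!" || $2 == "!" || $2 == "*" { next }  # no usable password
        $5 == "" || $5 + 0 > max + 0 { print $1 }
    '
}

# fix_commands MAX: turn the audit findings into the chage commands an admin
# would run.  They are printed, not executed, so the script is safe anywhere.
fix_commands() {
    audit_shadow_maxdays "$1" | while IFS= read -r user; do
        printf 'chage -M %s %s\n' "$1" "$user"
    done
}

# Demonstration on the constructed sample: root, gfimon and ftpuser are flagged,
# mike (already 30 days) and the locked system accounts are not.
printf '%s\n' "$SAMPLE_SHADOW" | fix_commands "$MAX_DAYS"
```

Two caveats a practitioner will want. PASS_MIN_LEN in login.defs is not what enforces length on RHEL; that is pam_cracklib in /etc/pam.d/system-auth (minlen=8, with dcredit/ucredit/lcredit/ocredit for the character-class mix), so the 8-character, 2-alphanumeric rule has to go there. And after putting PermitRootLogin no in /etc/ssh/sshd_config, check the file with `sshd -t` and then `service sshd restart`; the setting only affects new sessions.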
 
Haven't read it thoroughly, but it will probably get you into the right ballpark:


As far as disabling services in RedHat specifically, this should be helpful, assuming you understand what a service is by its name:


Remember, nmap is your friend when verifying a closed or filtered port.


pansophic
 
That is the problem.
I have lot of services and don't know what they are!

acpid 0:off 1:off 2:off 3:on 4:on 5:on 6:off
anacron 0:off 1:off 2:on 3:on 4:on 5:on 6:off
arptables_jf 0:off 1:off 2:on 3:on 4:on 5:on 6:off
atd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
autofs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
cpuspeed 0:off 1:on 2:on 3:on 4:on 5:on 6:off
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
cups 0:off 1:off 2:on 3:on 4:on 5:on 6:off
cups-config-daemon 0:off 1:off 2:off 3:on 4:on 5:on 6:off
dkms_autoinstaller 0:off 1:off 2:on 3:on 4:on 5:on 6:off
gpm 0:off 1:off 2:on 3:on 4:on 5:on 6:off
haldaemon 0:off 1:off 2:off 3:on 4:on 5:on 6:off
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
irqbalance 0:off 1:off 2:off 3:on 4:on 5:on 6:off
isdn 0:off 1:off 2:on 3:on 4:on 5:on 6:off
kudzu 0:off 1:off 2:off 3:on 4:on 5:on 6:off
lm_sensors 0:off 1:off 2:on 3:on 4:on 5:on 6:off
mdmonitor 0:off 1:off 2:on 3:on 4:on 5:on 6:off
messagebus 0:off 1:off 2:off 3:on 4:on 5:on 6:off
microcode_ctl 0:off 1:off 2:on 3:on 4:on 5:on 6:off
netfs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
nfslock 0:off 1:off 2:off 3:on 4:on 5:on 6:off
ntpd 0:off 1:off 2:off 3:on 4:off 5:on 6:off
pcmcia 0:off 1:off 2:on 3:on 4:on 5:on 6:off
portmap 0:off 1:off 2:off 3:on 4:on 5:on 6:off
rawdevices 0:off 1:off 2:off 3:on 4:on 5:on 6:off
readahead 0:off 1:off 2:off 3:off 4:off 5:on 6:off
readahead_early 0:off 1:off 2:off 3:off 4:off 5:on 6:off
rhnsd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rpcgssd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
rpcidmapd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
sendmail 0:off 1:off 2:on 3:on 4:on 5:on 6:off
smartd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
syslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sysstat 0:off 1:on 2:on 3:on 4:on 5:on 6:off
xfs 0:off 1:off 2:on 3:on 4:on 5:on 6:off
xinetd 0:off 1:off 2:off 3:on 4:on 5:on 6:off

file /etc/inetd.conf doesn't exist, what is the corresponding file in redhat?

Last thing, if I do nmap on that server I see:
(The 1657 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
1720/tcp open H.323/Q.931

Does this mean that I have only those 3 ports open?
Can I disable rpcbind? H.323 is voip right?

Thanks again.
 
Well, where to start; normally if you google each of these daemons you will find a lot of info.

You could kill all hardware recognition and software/hardware communication packages if your system is in production and you are not changing it anymore:

kudzu
haldaemon

you can kill isdn unless you need it

Unless you are using a desktop system, kill cups and cups-config-daemon (printers database).

anacron can be disabled if your system will always be on (it is a sort of cron daemon for systems that do not run 24/7).

pcmcia: you know if you need it (if it is not a laptop, disable it).

lm_sensors, when you will need it you will find out what it is, for the time being you can disable it

This is just a start; I suggest you google all services you do not know and prevent them from starting at whatever runlevel you work.

Cheers

QatQat





If I could have sex each time I reboot my server, I would definitely prefer Windoz over Linux!
 
portmap is the service that has port 111 (rpcmapper) open. If you turn it off, it will close the port and potentially increase the security of your system. The downside is that services that rely on rpc won't work. So that is things like NIS, NFS, mountd, etc.

So if you are running a standalone server you can safely turn off netfs, portmap, rpcidmapd and rpcgssd.

Other than that only other network accessible protocols you are running are sshd and some H.323 VoIP service. Presumably both of these are required for your application.

It doesn't look like you are using any of the xinetd services, so you should be able to turn that off as well.

But as QatQat says, googling the services is the best way to determine what is and is not critical to your application.


pansophic
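Nobody in the thread answered the /etc/inetd.conf question: RHEL uses xinetd, so the per-service files are in /etc/xinetd.d/ (with /etc/xinetd.conf as the master file), and `chkconfig --list` shows them at the end under "xinetd based services". The script below is an added example, not code from the thread. It parses chkconfig --list output (a constructed sample taken from the list posted above), prints what starts at a given runlevel, and turns the services the two replies suggest disabling into chkconfig/service commands, printed rather than executed so they can be reviewed first. Two checks before acting on its output: map each open port to its process with `netstat -tlnp` (or `lsof -i :1720` for the H.323 port, which none of the listed init scripts obviously accounts for), and remember that nmap's default scan covers only its common-ports list, about 1660 TCP ports in the output above, so a complete picture needs `-p 1-65535` and a separate `-sU` UDP scan.

```shell
#!/bin/sh
# Added example (not from the thread): audit "chkconfig --list" output for
# services that start at a runlevel and suggest disable commands for the ones
# the thread's replies call out.  "runlevel" tells you the current runlevel.

# Constructed sample in chkconfig --list format, abbreviated from the thread.
SAMPLE_CHKCONFIG='acpid           0:off   1:off   2:off   3:on    4:on    5:on    6:off
anacron         0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
isdn            0:off   1:off   2:on    3:on    4:on    5:on    6:off
kudzu           0:off   1:off   2:off   3:on    4:on    5:on    6:off
pcmcia          0:off   1:off   2:on    3:on    4:on    5:on    6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
readahead       0:off   1:off   2:off   3:off   4:off   5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd          0:off   1:off   2:off   3:on    4:on    5:on    6:off'

# Services the replies suggest turning off on a headless production server that
# serves neither NFS nor NIS.  Edit this list for your own box.
CANDIDATES="kudzu haldaemon isdn cups cups-config-daemon anacron pcmcia lm_sensors netfs portmap rpcidmapd rpcgssd xinetd"

# enabled_at LEVEL: read chkconfig --list on stdin, print the services that are
# "on" at LEVEL.  The "xinetd based services" lines have fewer fields and are
# skipped; those are handled per file in /etc/xinetd.d/.
enabled_at() {
    awk -v lvl="$1" '
        NF >= 8 {
            for (i = 2; i <= NF; i++)
                if ($i == lvl ":on") { print $1; break }
        }
    '
}

# disable_commands LEVEL: print the chkconfig/service commands for every
# candidate that is enabled at LEVEL.  Printed, not executed: review first.
disable_commands() {
    enabled_at "$1" | while IFS= read -r svc; do
        for c in $CANDIDATES; do
            if [ "$svc" = "$c" ]; then
                printf 'chkconfig --level 2345 %s off; service %s stop\n' "$svc" "$svc"
                break
            fi
        done
    done
}

# Demonstration: the sample at runlevel 3 yields commands for anacron, cups,
# isdn, kudzu, pcmcia, portmap and xinetd; sshd and acpid are left alone.
printf '%s\n' "$SAMPLE_CHKCONFIG" | disable_commands 3
```

On the real machine the equivalent is `chkconfig --list | disable_commands "$(runlevel | cut -d' ' -f2)"`. Turning portmap off also removes the port 111 listener that nmap reported as rpcbind, as the reply above says; leave it on if the box mounts or exports NFS.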
 
Hi,
I'm trying to implement password policy as suggested but I'm not finding file /etc/default/passwd.
In /etc/default directory I have only useradd and nss files.
Also I'm having many users that I want to lock or delete:

adm:x:3:4:adm:/var/adm:/sbin/nologin
apache:x:48:48:Apache:/var/
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
desktop:x:80:80:desktop:/var/lib/menu/kde:/sbin/nologin
ftpredactum:x:506:50:Redactum FTP User:/home/ftpredactum:/bin/ftponly
ftpuser:x:504:50::/home/ftpuser:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
gfimon:x:514:100:Account per il monitoring di gfi:/home/gfimon:/bin/bash
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
halt:x:7:0:halt:/sbin:/sbin/halt
ident:x:100:101::/home/ident:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
news:x:9:13:news:/etc/news:
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
root:x:0:0:root:/root:/bin/bash
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
rpc:x:32:32:portmapper RPC user:/:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
squid:x:23:23::/var/spool/squid:/sbin/nologin
sshd:x:74:74:privilege-separated SSH:/var/empty/sshd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
webalizer:x:67:67:Webalizer:/var/
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin

Do I need to lock also users that have /sbin/nologin shell or I don't have to care about them since they can't login?

Thanks again.
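An account whose shell is /sbin/nologin cannot get an interactive session through login or sshd, and the stock RHEL system accounts also carry a locked password ("!!" or "*") in /etc/shadow, so they need no extra locking; the entries to look at are the ones that still have a real shell (in the listing above: ftpuser, gfimon, netdump, an empty shell field on news, and the non-standard /bin/ftponly, which should be in /etc/shells and whose behaviour you should know). The script below is an added example, not code from the thread: it reads /etc/passwd-format records on stdin and flags any second UID 0 account, any empty shell field (login treats that as /bin/sh), and any other account with an interactive shell. The sample is constructed from the posted listing, abbreviated, plus one invented "toor" line to exercise the UID 0 check; it is not claimed to be on the poster's machine. Lock what you find with `passwd -l user` (or `usermod -L`) and remove what you do not need with `userdel -r user`.

```shell
#!/bin/sh
# Added example (not from the thread): find the accounts in /etc/passwd-format
# data that can still get an interactive shell.  Run "audit_passwd < /etc/passwd"
# for the real file.

# Constructed sample, abbreviated from the listing in the thread.  The "toor"
# line is invented here to exercise the UID 0 check.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
toor:x:0:0:constructed second uid 0:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
ftpredactum:x:506:50:Redactum FTP User:/home/ftpredactum:/bin/ftponly
ftpuser:x:504:50::/home/ftpuser:/bin/bash
gfimon:x:514:100:Account per il monitoring di gfi:/home/gfimon:/bin/bash
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
news:x:9:13:news:/etc/news:
halt:x:7:0:halt:/sbin:/sbin/halt
nobody:x:99:99:Nobody:/:/sbin/nologin
sshd:x:74:74:privilege-separated SSH:/var/empty/sshd:/sbin/nologin'

# Shells that give no interactive session.  /sbin/halt, /sbin/shutdown and
# /bin/sync are the single-purpose shells of the halt/shutdown/sync accounts.
NONINTERACTIVE="/sbin/nologin /bin/false /sbin/halt /sbin/shutdown /bin/sync"

# audit_passwd: read passwd records on stdin, print one finding per line:
#   uid0 NAME          another UID 0 account (root equivalent)
#   emptyshell NAME    empty shell field, which login(1) treats as /bin/sh
#   shell NAME SHELL   any other account with an interactive shell
# root itself is not reported: its /bin/bash is expected.
audit_passwd() {
    awk -F: -v noninteractive="$NONINTERACTIVE" '
        BEGIN { n = split(noninteractive, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF < 7 { next }
        $3 == 0 && $1 != "root" { print "uid0 " $1; next }
        $1 == "root"            { next }
        $7 == ""                { print "emptyshell " $1; next }
        !($7 in ok)             { print "shell " $1 " " $7 }
    '
}

# Demonstration on the constructed sample: toor, ftpredactum, ftpuser, gfimon,
# netdump and news are reported; the nologin and halt accounts are not.
printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
```

The findings are the accounts to decide about one by one: lock or delete the ones with an interactive shell that nobody uses, give news a real /sbin/nologin, and verify in /etc/shadow that every remaining service account has a locked hash rather than a password.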
 