redhat linux hardening tips with bash script
DESCRIPTION
Mainly deals with RedHat Tips & Tricks/Tweaks using the Linux shell (Bash Scripts).
TRANSCRIPT
9/21/12 Redhat linux hardening tips & bash script
www.binbert.com/blog/2011/01/redhat-linux-hardening/
Redhat linux hardening tips & bash script
January 18th, 2011 | Posted in Security, Servers
From the moment a server goes into a live environment, it is exposed to attacks from
crackers (hackers). As a system administrator you need to secure your Linux server to protect
your data, intellectual property, and time; this is where server hardening comes in. Securing a server is very
different from securing a desktop computer, for a variety of reasons. By default, a desktop operating system is
installed to provide the user with an environment that can be run out of the box. Desktop operating systems are sold
on the premise that they require minimal configuration and come loaded with as many applications as possible to get
the user up and running. Conversely, a server’s operating system should abide by the Principle of Least Privilege,
which states that it should have only the services, software, and permissions necessary to perform the tasks it’s
responsible for.
Some of these topics were already covered in earlier articles, and a few of them are linked here.
Here are some tips for server hardening (some already mentioned in my previous posts):
1) Removing Unnecessary Software Packages (RPMs)
An administrator should be crystal clear about the primary function or role of the Linux server and should know
what is on it. It is therefore critical to review the default list of software packages and remove
the ones that are not needed.
To get a list of all installed RPMs you can use the following command:
rpm -qa
Remove the unneeded packages from the list.
2) Disabling Runlevel System Services
On Linux servers, some services are enabled to start at boot by default.
It is safe to disable all services that are not needed, as they are a security risk and a waste of hardware resources. Read
more.
3) Reviewing Inittab and Boot Scripts
The inittab file /etc/inittab also describes which processes are started at bootup and during normal operation.
For example, Oracle uses it to start cluster services at bootup. Therefore, it is recommended to ensure that all
entries in /etc/inittab are legitimate in your environment.
I would at least remove the CTRL-ALT-DELETE trap entry to prevent accidental reboots:
The default runlevel should be set to 3 since in my opinion X11 (X Windows System) should not be running on a
production server. In fact, it shouldn’t even be installed.
# grep ':initdefault' /etc/inittab
id:3:initdefault:
To have changes in /etc/inittab become effective immediately, you can run:
# init q
4) Securing SSH
SSH is a great protocol and, as its name (Secure SHell) suggests, it is secure, but with a basic
configuration it is still prone to attacks. There are ways to make SSH even more secure than it is by default. Read more.
5) SSH login without passwords
Automated authentication to a server using the RSA key authentication mechanism. Read more.
6) Kernel Tuning
The following are some tunable kernel parameters you can use to secure your Linux server against attacks. Add
these entries to the /etc/sysctl.conf configuration file to make the changes persist across reboots. To activate the
configured kernel parameters immediately at runtime, use:
# sysctl -p
Disable IP Source Routing
net.ipv4.conf.all.accept_source_route = 0
Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
Enable Ignoring Broadcast Requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
Enable Bad Error Message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
Enable Logging of Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1
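The script later in this article appends these keys with echo >> /etc/sysctl.conf, which adds duplicate lines on every run and leaves any conflicting earlier entry in the file. The following is an added example, not part of the original post, that sets the same five keys idempotently; the helper names and the temporary sample file are assumptions for illustration.

```shell
#!/bin/sh
# ensure_sysctl FILE KEY VALUE (hypothetical helper, added example)
# Rewrites the first active "KEY = ..." line, drops later duplicates, and
# appends the setting when KEY is absent. Comment lines are left alone.
ensure_sysctl() {
    es_tmp=$(mktemp) || return 1
    awk -v k="$2" -v v="$3" '
        /^[ \t]*#/ { print; next }                  # keep comments untouched
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = split(line, kv, /[ \t]*=[ \t]*/)
            if (n >= 2 && kv[1] == k) {
                if (!seen) print k " = " v          # replace first occurrence
                seen = 1
                next                                # drop duplicates
            }
            print
        }
        END { if (!seen) print k " = " v }
    ' "$1" > "$es_tmp" && cat "$es_tmp" > "$1"      # cat keeps owner and mode
    es_rc=$?
    rm -f "$es_tmp"
    return "$es_rc"
}

# Apply the five settings listed in the article to FILE.
harden_sysctl_file() {
    while read -r hs_key hs_val; do
        ensure_sysctl "$1" "$hs_key" "$hs_val" || return 1
    done <<'EOF'
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.icmp_ignore_bogus_error_responses 1
net.ipv4.conf.all.log_martians 1
EOF
}

# Constructed sample standing in for /etc/sysctl.conf
demo_file=$(mktemp)
printf '%s\n' '# Kernel sysctl configuration (constructed sample)' \
    'net.ipv4.ip_forward = 0' \
    'net.ipv4.conf.all.accept_redirects = 1' \
    'net.ipv4.conf.all.accept_redirects=1' > "$demo_file"
harden_sysctl_file "$demo_file"
harden_sysctl_file "$demo_file"      # second run changes nothing
cat "$demo_file"
```

Pointed at the real /etc/sysctl.conf as root, the function would be followed by sysctl -p as described above.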
The steps above are only a few of those needed for hardening. There are many more, such as enforcing strong passwords,
locking user accounts after too many login failures, restricting reuse of previously used passwords, setting banners, etc.
Hardening five or six servers by hand can be done quite easily in one go, but as the number of servers increases it
becomes tiresome and time-consuming. So why not run a script that does all the hardening
jobs without wasting time? The script presented here can be customized according to your requirements.
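#!/bin/bash
# Disable services that are not needed on this server (adjust the list to your environment).
chkconfig autofs off
chkconfig avahi-daemon off
chkconfig avahi-dnsconfd off
chkconfig bluetooth off
chkconfig conman off
chkconfig cups off
chkconfig dhcdbd off
chkconfig firstboot off
chkconfig gpm off
chkconfig haldaemon off
chkconfig isdn off
# Note: the next two lines turn off the host firewall at boot; keep iptables/ip6tables
# enabled if this server relies on them for packet filtering.
chkconfig iptables off
chkconfig ip6tables off
chkconfig irda off
chkconfig irqbalance off
chkconfig kdump off
chkconfig kudzu off
chkconfig mcstrans off
chkconfig microcode_ctl off
chkconfig multipathd off
chkconfig netconsole off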
chkconfig netfs off
chkconfig netplugd off
chkconfig nfs off
chkconfig nfslock off
chkconfig nscd off
chkconfig pcscd off
chkconfig portmap off
chkconfig rdisc off
chkconfig rhnsd off
chkconfig restorecond off
chkconfig rpcgssd off
chkconfig rpcidmapd off
chkconfig rpcsvcgssd off
chkconfig sendmail off
chkconfig smartd off
chkconfig winbind off
chkconfig wpa_supplicant off
chkconfig xfs off
chkconfig ypbind off
chkconfig yum-updatesd off
# Services that stay enabled.
chkconfig acpid on
chkconfig anacron on
chkconfig atd on
chkconfig cpuspeed on
chkconfig lvm2-monitor on
chkconfig messagebus on
chkconfig ntpd on
chkconfig network on
chkconfig oracle on
chkconfig oracleasm on
chkconfig readahead_early on
chkconfig readahead_later on
chkconfig syslog on
chkconfig sshd on
# Login banner displayed by sshd.
cat > /root/banner << EOF
|-----------------------------------------------------------------|
| This system is for the use of authorized users only.            |
| Individuals using this computer system without authority, or in |
| excess of their authority, are subject to having all of their   |
| activities on this system monitored and recorded by system      |
| personnel.                                                      |
|                                                                 |
| In the course of monitoring individuals improperly using this   |
| system, or in the course of system maintenance, the activities  |
| of authorized users may also be monitored.                      |
|                                                                 |
| Anyone using this system expressly consents to such monitoring  |
| and is advised that if such monitoring reveals possible         |
| evidence of criminal activity, system personnel may provide the |
| evidence of such monitoring to law enforcement officials.       |
|-----------------------------------------------------------------|
EOF
cat /root/banner
# Boot to runlevel 3 and comment out the Ctrl-Alt-Del reboot trap.
sed -i 's/id:5:initdefault:/id:3:initdefault:/g' /etc/inittab
sed -i 's/ca::ctrlaltdel:/#ca::ctrlaltdel:/g' /etc/inittab
# SSH daemon settings.
echo PermitRootLogin no >> /etc/ssh/sshd_config
echo Banner /root/banner >> /etc/ssh/sshd_config
sed -i 's/#AllowTcpForwarding yes/AllowTcpForwarding no/g' /etc/ssh/sshd_config
sed -i 's/#X11Forwarding no/X11Forwarding no/g' /etc/ssh/sshd_config
sed -i 's/X11Forwarding yes/#X11Forwarding yes/g' /etc/ssh/sshd_config
sed -i 's/#StrictModes yes/StrictModes yes/g' /etc/ssh/sshd_config
sed -i 's/#IgnoreRhosts yes/IgnoreRhosts yes/g' /etc/ssh/sshd_config
sed -i 's/#HostbasedAuthentication no/HostbasedAuthentication no/g' /etc/ssh/sshd_config
sed -i 's/#RhostsRSAAuthentication no/RhostsRSAAuthentication no/g' /etc/ssh/sshd_config
service sshd restart
# Kernel network parameters (see section 6).
echo net.ipv4.conf.all.accept_source_route = 0 >> /etc/sysctl.conf
echo net.ipv4.conf.all.accept_redirects = 0 >> /etc/sysctl.conf
echo net.ipv4.icmp_echo_ignore_broadcasts = 1 >> /etc/sysctl.conf
echo net.ipv4.icmp_ignore_bogus_error_responses = 1 >> /etc/sysctl.conf
echo net.ipv4.conf.all.log_martians = 1 >> /etc/sysctl.conf
sysctl -p
# Add a user account (root only).
if [ $(id -u) -eq 0 ]; then
    read -p "Enter username : " username
    read -s -p "Enter password : " password
    # Match the whole account name, not just a prefix.
    egrep "^$username:" /etc/passwd >/dev/null
    if [ $? -eq 0 ]; then
        echo "$username exists!"
        exit 1
    else
        # Note: crypt() with the literal salt "password" yields a traditional DES-based hash with a
        # fixed salt, and the password is visible in the process list while perl runs.
        pass=$(perl -e 'print crypt($ARGV[0], "password")' "$password")
        useradd -m -p "$pass" "$username"
        [ $? -eq 0 ] && echo "User has been added to system!" || echo "Failed to add a user!"
    fi
else
    echo "Only root may add a user to the system"
    exit 2
fi
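sshd uses the first value it reads for each keyword, so the PermitRootLogin no line that the script appends has no effect when an active PermitRootLogin yes already appears earlier in sshd_config. The following added example (not part of the original script; the function names and the sample config are constructed for illustration) reports which of the script's SSH settings are actually in force.

```shell
#!/bin/sh
# effective_value FILE KEYWORD (hypothetical helper, added example)
# Prints the value in force for KEYWORD in the global section: keywords are
# case-insensitive, comments are skipped, the first match wins, and scanning
# stops at the first Match block. Assumes "Keyword value" (whitespace) syntax.
effective_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == want { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# audit_sshd FILE: report settings from the script that are not in force.
# Returns the number of mismatches (0 = all effective).
audit_sshd() {
    as_bad=0
    while read -r as_key as_want; do
        as_got=$(effective_value "$1" "$as_key" | tr 'A-Z' 'a-z')
        if [ "$as_got" != "$as_want" ]; then
            echo "MISMATCH $as_key: want $as_want, effective ${as_got:-<not set>}"
            as_bad=$((as_bad + 1))
        fi
    done <<'EOF'
PermitRootLogin no
AllowTcpForwarding no
X11Forwarding no
StrictModes yes
IgnoreRhosts yes
HostbasedAuthentication no
EOF
    return "$as_bad"
}

# Constructed sample: an active "PermitRootLogin yes" precedes the appended line.
sample_cfg=$(mktemp)
cat > "$sample_cfg" <<'EOF'
Protocol 2
PermitRootLogin yes
AllowTcpForwarding no
X11Forwarding no
StrictModes yes
IgnoreRhosts yes
HostbasedAuthentication no
PermitRootLogin no
Banner /root/banner
EOF
audit_sshd "$sample_cfg" || echo "$? setting(s) not in force"
```

On a live host, sshd -T prints the effective configuration where the installed OpenSSH version supports it.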
Tags: Bash, Hardening, Linux, Redhat, scripting
Author : Sandeep kalathil
I am a System Engineer working in Cochin, interested in Linux and Windows servers and happy to share knowledge that I have gained through my day-to-day work.