redhat linux hardening tips with bash script


Upload: abhijitch

Post on 08-Nov-2014


DESCRIPTION

Mainly deals with RedHat Tips & Tricks/Tweaks using the Linux shell (Bash Scripts) .

TRANSCRIPT

Page 1: Redhat Linux Hardening Tips with Bash Script

9/21/12 Redhat linux hardening tips & bash script

www.binbert.com/blog/2011/01/redhat-linux-hardening/


Redhat linux hardening tips & bash script

January 18th, 2011 | Posted in Security, Servers


From the moment a server goes into a live environment it is exposed to attacks from crackers (hackers). As a system administrator you need to secure your Linux server to protect your data, intellectual property, and time; this is where server hardening comes in. Securing a server is much different than securing a desktop computer for a variety of reasons. By default, a desktop operating system is installed to provide the user with an environment that can be run out of the box. Desktop operating systems are sold on the premise that they require minimal configuration and come loaded with as many applications as possible to get the user up and running. Conversely, a server's operating system should abide by the Principle of Least Privilege, which states that it should have only the services, software, and permissions necessary to perform the tasks it's responsible for.

We have already covered some of these topics in earlier articles; some of them are linked here.

Here are some tips for server hardening (some were already mentioned in my previous posts).

1) Removing Unnecessary Software Packages (RPMs)

An administrator should be crystal clear about the primary function or role of the Linux server and should know what is installed on it. It is therefore critical to look at the default list of software packages and remove unneeded packages.

To get a list of all installed RPMs you can use the following command:

rpm -qa

Remove the unneeded packages from the list.

2) Disabling Run level System Services

On Linux servers, some services are enabled to start at boot by default. It is safe to disable all services that are not needed, as they are a security risk and a waste of hardware resources. Read more.

3) Reviewing Inittab and Boot Scripts

The inittab file /etc/inittab also describes which processes are started at bootup and during normal operation. For example, Oracle uses it to start cluster services at bootup. Therefore, it is recommended to ensure that all entries in /etc/inittab are legitimate in your environment.

I would at least remove the CTRL-ALT-DELETE trap entry to prevent accidental reboots:

The default runlevel should be set to 3 since in my opinion X11 (X Windows System) should not be running on a production server. In fact, it shouldn't even be installed.

# grep ':initdefault' /etc/inittab
id:3:initdefault:

To have changes in /etc/inittab become effective immediately, you can run:

# init q

4) Securing SSH

SSH is a great protocol and, as its name (Secure SHell) suggests, it is secure, but with a basic configuration it is still prone to attacks. There are ways to make SSH even more secure than it is by default. Read more.

5) SSH login without passwords

Automated authentication to the server using the RSA key authentication mechanism. Read more.


6) Kernel Tuning

Following are some tunable kernel parameters you can use to secure your Linux server against attacks. Add these entries to the /etc/sysctl.conf configuration file to make the changes persist across reboots. To activate the configured kernel parameters immediately at runtime, use:

# sysctl -p

Disable IP Source Routing

net.ipv4.conf.all.accept_source_route = 0

Disable ICMP Redirect Acceptance

net.ipv4.conf.all.accept_redirects = 0

Enable Ignoring Broadcasts Request

net.ipv4.icmp_echo_ignore_broadcasts = 1

Enable Bad Error Message Protection

net.ipv4.icmp_ignore_bogus_error_responses = 1

Enable Logging of Spoofed Packets, Source Routed Packets, Redirect Packets

net.ipv4.conf.all.log_martians = 1

The steps above are only a few of the steps for hardening. There are many more, such as enforcing strong passwords, locking user accounts after too many login failures, restricting reuse of previously used passwords, setting banners, etc.

Hardening five or six servers can be done quite easily at a stretch, but as the number of servers increases it becomes tiresome and time consuming. So why not run a script that does all the hardening jobs and saves that time? The script presented here can be customized according to your requirements.

#!/bin/bash

# Services switched off at boot. Adjust this list to the server's role.
# Note that iptables/ip6tables off disables the host firewall at boot.
chkconfig autofs off
chkconfig avahi-daemon off
chkconfig avahi-dnsconfd off
chkconfig bluetooth off
chkconfig conman off
chkconfig cups off
chkconfig dhcdbd off
chkconfig firstboot off
chkconfig gpm off
chkconfig haldaemon off
chkconfig isdn off
chkconfig iptables off
chkconfig ip6tables off
chkconfig irda off
chkconfig irqbalance off
chkconfig kdump off
chkconfig kudzu off
chkconfig mcstrans off
chkconfig microcode_ctl off
chkconfig multipathd off
chkconfig netconsole off
chkconfig netfs off
chkconfig netplugd off
chkconfig nfs off
chkconfig nfslock off
chkconfig nscd off
chkconfig pcscd off
chkconfig portmap off
chkconfig rdisc off
chkconfig rhnsd off
chkconfig restorecond off
chkconfig rpcgssd off
chkconfig rpcidmapd off
chkconfig rpcsvcgssd off
chkconfig sendmail off
chkconfig smartd off
chkconfig winbind off
chkconfig wpa_supplicant off
chkconfig xfs off
chkconfig ypbind off
chkconfig yum-updatesd off

# Services kept on at boot.
chkconfig acpid on
chkconfig anacron on
chkconfig atd on
chkconfig cpuspeed on
chkconfig lvm2-monitor on
chkconfig messagebus on
chkconfig ntpd on
chkconfig network on
chkconfig oracle on
chkconfig oracleasm on
chkconfig readahead_early on
chkconfig readahead_later on
chkconfig syslog on
chkconfig sshd on

# Login banner shown by sshd before authentication.
cat > /root/banner << EOF
|-----------------------------------------------------------------|
| This system is for the use of authorized users only.            |
| Individuals using this computer system without authority, or in |
| excess of their authority, are subject to having all of their   |
| activities on this system monitored and recorded by system      |
| personnel.                                                      |
|                                                                 |
| In the course of monitoring individuals improperly using this   |
| system, or in the course of system maintenance, the activities  |
| of authorized users may also be monitored.                      |
|                                                                 |
| Anyone using this system expressly consents to such monitoring  |
| and is advised that if such monitoring reveals possible         |
| evidence of criminal activity, system personnel may provide the |
| evidence of such monitoring to law enforcement officials.       |
|-----------------------------------------------------------------|
EOF
cat /root/banner

# Default runlevel 3 (no X11) and no CTRL-ALT-DELETE reboot trap.
sed -i 's/id:5:initdefault:/id:3:initdefault:/g' /etc/inittab
sed -i 's/ca::ctrlaltdel:/#ca::ctrlaltdel:/g' /etc/inittab

# SSH hardening. sshd uses the first value it finds for a keyword, so the
# two appended lines only take effect if the keyword is not set earlier.
echo PermitRootLogin no >> /etc/ssh/sshd_config
echo Banner /root/banner >> /etc/ssh/sshd_config
sed -i 's/#AllowTcpForwarding yes/AllowTcpForwarding no/g' /etc/ssh/sshd_config
sed -i 's/#X11Forwarding no/X11Forwarding no/g' /etc/ssh/sshd_config
sed -i 's/X11Forwarding yes/#X11Forwarding yes/g' /etc/ssh/sshd_config
sed -i 's/#StrictModes yes/StrictModes yes/g' /etc/ssh/sshd_config
sed -i 's/#IgnoreRhosts yes/IgnoreRhosts yes/g' /etc/ssh/sshd_config
sed -i 's/#HostbasedAuthentication no/HostbasedAuthentication no/g' /etc/ssh/sshd_config
sed -i 's/#RhostsRSAAuthentication no/RhostsRSAAuthentication no/g' /etc/ssh/sshd_config
service sshd restart

# Kernel network parameters, made persistent and applied immediately.
echo net.ipv4.conf.all.accept_source_route = 0 >> /etc/sysctl.conf
echo net.ipv4.conf.all.accept_redirects = 0 >> /etc/sysctl.conf
echo net.ipv4.icmp_echo_ignore_broadcasts = 1 >> /etc/sysctl.conf
echo net.ipv4.icmp_ignore_bogus_error_responses = 1 >> /etc/sysctl.conf
echo net.ipv4.conf.all.log_martians = 1 >> /etc/sysctl.conf
sysctl -p

# Create a non-root login account (root SSH login was disabled above).
if [ "$(id -u)" -eq 0 ]; then
    read -r -p "Enter username : " username
    read -r -s -p "Enter password : " password
    echo
    # Match the whole name field so that "bob" does not match "bobby".
    if grep -q "^${username}:" /etc/passwd; then
        echo "$username exists!"
        exit 1
    else
        # chpasswd hashes with the system's configured algorithm and reads
        # the password from stdin, so it never shows up in the process list.
        # The original called perl crypt() with the fixed salt "password"
        # and passed the password as a command-line argument.
        if useradd -m "$username" && printf '%s:%s\n' "$username" "$password" | chpasswd; then
            echo "User has been added to system!"
        else
            echo "Failed to add a user!"
        fi
    fi
else
    echo "Only root may add a user to the system"
    exit 2
fi
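The script's `echo ... >> /etc/ssh/sshd_config` and `echo ... >> /etc/sysctl.conf` lines add a duplicate on every run, and an appended sshd keyword is ignored when the same keyword is already set earlier in the file. The following is an added example, not part of the original post, of setting each value exactly once; the function names are hypothetical, the sample file is constructed, and sshd_config lines are assumed to use the whitespace-separated "Keyword value" form.

```bash
#!/bin/bash
# Added example, not from the original post. Function names are hypothetical.

# Value sshd would use for keyword $2 in file $1: the FIRST active
# (uncommented) occurrence wins; keywords are case-insensitive.
sshd_effective() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Set "keyword value" in sshd_config-style file $1 exactly once: drop every
# active line for the keyword, then write the setting at the top of the file
# so no earlier line can override it. Commented lines are left alone.
set_sshd_option() {
    local file="$1" key="$2" value="$3" tmp
    tmp=$(mktemp) || return 1
    printf '%s %s\n' "$key" "$value" > "$tmp"
    awk -v k="$key" 'tolower($1) != tolower(k)' "$file" >> "$tmp"
    cat "$tmp" > "$file"      # rewrite in place: keeps owner and mode
    rm -f "$tmp"
}

# Set "key = value" in sysctl.conf-style file $1 exactly once. sysctl -p
# applies lines in order (the LAST one wins), so the new line goes last.
set_sysctl() {
    local file="$1" key="$2" value="$3" tmp
    tmp=$(mktemp) || return 1
    awk -F= -v k="$key" '{ n = $1; gsub(/[ \t]/, "", n) } n != k' "$file" > "$tmp"
    printf '%s = %s\n' "$key" "$value" >> "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Demo on a constructed file (not a real host's configuration): an active
# "yes" followed by an appended "no", as the append-only approach leaves it.
demo() {
    local f
    f=$(mktemp) || return 1
    printf '%s\n' 'PermitRootLogin yes' 'PermitRootLogin no' > "$f"
    echo "before: $(sshd_effective "$f" PermitRootLogin)"
    set_sshd_option "$f" PermitRootLogin no
    echo "after:  $(sshd_effective "$f" PermitRootLogin)"
    rm -f "$f"
}
demo
```

On a real host, point the functions at /etc/ssh/sshd_config and /etc/sysctl.conf, then run `service sshd restart` and `sysctl -p` as the script does.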


Tags: Bash, Hardening, Linux, Redhat, scripting

Author : Sandeep kalathil

I am a System Engineer working in Cochin, interested in Linux and Windows servers and happy to share knowledge that I have gained through my day to day work.
