
Installation Guidelines

GRUB/LILO
GRUB is the boot loader of choice for RedHat installations; however, LILO may be used on most flavors of Linux. GRUB/LILO can receive many different kernel-level commands, which poses a major security risk if an attacker is able to use them to compromise the kernel. To make sure that only authorized users are able to issue those commands, password protect the boot loader during the installation process. If using GRUB, the password is stored as clear text by default, so you will want to modify the /etc/grub.conf file to store the password as an MD5 hash instead:

$ /sbin/grub-md5-crypt
Password: (at the prompt enter the GRUB password you created at installation and press enter)
$1$m0tLR/$#%t%661GFGftffgctTFTDd (this is the MD5 hash)

Edit grub.conf and replace the clear-text password with the MD5 hash. You must use the --md5 option; otherwise GRUB will treat the hash string itself as the clear-text password rather than as an encrypted one.

password --md5 $1$m0tLR/$#%t%661GFGftffgctTFTDd

Partitioning
Partitioning correctly will help to mitigate against one specific type of denial of service: for example, an attack designed to fill up a /tmp or spool directory. If your files are on the same partition as the directory under attack, your system could be rendered unusable. Use a partition strategy that puts the directories most likely to be filled by an attacker on their own partitions. Typically these are /var and /home. If you are using a server for FTP or email, you may want to consider separate partitions for the application-specific files.

/boot   contains all files for the boot process
/home   contains individual user home directories
/usr    contains files shared across a system by multiple users
/var    contains files that are dynamic by nature (log files, spool files, scheduler files etc.)
/       contains files for system management
/tmp    contains temp files when no other partition is available
swap    paging files for memory management

Recommended System Configurations

Workstation   swap = 2 x physical memory; /boot = 50 MB; / = depends on disk space
Server        swap = 2 x physical memory; /boot = 50 MB; / = 384 MB; /var = 256 MB; /usr = depends on disk space; /home = depends on disk space
Laptop        swap = 2 x physical memory; /boot = 50 MB; / = depends on disk space
Custom        swap = 2 x physical memory; /boot = 50 MB; / = depends on disk space

Firewall Configuration on Installation

No Firewall   Allows complete access to your system with no security check at all.
Medium        Restrictions are automatically placed on certain services: ports lower than 1023, the NFS server port (2049), the local X Windows display for remote clients, and the X font server port.
High          Most restrictive; denies all access except DNS, DHCP and anything else explicitly allowed.

If possible install IPTables; it is an improvement over the default installation. It can be found at http://www.iptables.org. In RedHat 8 and above it is the default firewall daemon.

Account Authentication Configuration

Make sure that the root password is secure and that you maintain an MD5 checksum of all the passwords in a separate file. Make sure that the password file itself is shadowed; this should be the default on RedHat installations.

Package Installation:
Install only what you think you will need. You can always install new packages in the future.

Network Security

Network Parameter Modification (RedHat only)
Edit /etc/sysctl.conf with the following changes:

net.ipv4.ip_forward = 0                      (disables IP forwarding; it should only be enabled if you plan to use the machine as a router/gateway)
net.ipv4.conf.all.accept_source_route = 0    (disables IP source routing)
net.ipv4.tcp_max_syn_backlog = 4096          (enables SYN flood protection)
net.ipv4.conf.all.rp_filter = 1              (enables IP spoofing protection)
net.ipv4.tcp_syncookies = 1                  (enables TCP SYN flood protection)
net.ipv4.conf.all.send_redirects = 0         (disables the ability to send ICMP redirects)
net.ipv4.conf.all.accept_redirects = 0       (disables ICMP redirect acceptance)
net.ipv4.conf.default.accept_redirects = 0   (also disables ICMP redirect acceptance)

Save the changes and run the following commands as root:

# chown root:root /etc/sysctl.conf
# chmod 0600 /etc/sysctl.conf
# /etc/rc.d/init.d/network restart
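As an added check that is not part of the original guide, the following POSIX shell script audits a sysctl.conf-style file against the eight settings listed above, reporting each key that is missing or set to a different value. The sample file it creates is constructed for the demonstration; point audit_sysctl at /etc/sysctl.conf to check a real host.

```shell
#!/bin/sh
# Added example (not from the original guide): audit a sysctl.conf-style file
# against the network settings recommended in this section.

# Recommended settings from the guide, one key=value per line.
RECOMMENDED_SYSCTL='
net.ipv4.ip_forward=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.tcp_max_syn_backlog=4096
net.ipv4.conf.all.rp_filter=1
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
'

# sysctl_value FILE KEY: print the effective value of KEY in FILE, honouring
# "key = value" spacing, comment lines and the rule that the last assignment
# wins. Prints nothing if the key is never set.
sysctl_value() {
    awk -F= -v key="$2" '
        /^[[:space:]]*$/    { next }   # blank line
        /^[[:space:]]*[#;]/ { next }   # comment line
        {
            k = $1; v = $2
            gsub(/[[:space:]]/, "", k)
            gsub(/[[:space:]]/, "", v)
            if (k == key) { last = v; seen = 1 }
        }
        END { if (seen) print last }
    ' "$1"
}

# audit_sysctl FILE: print one line per recommended key that is missing or set
# to another value, and return the number of such deviations (0 = compliant).
audit_sysctl() {
    _file=$1
    _bad=0
    for _entry in $RECOMMENDED_SYSCTL; do
        _key=${_entry%%=*}
        _want=${_entry#*=}
        _have=$(sysctl_value "$_file" "$_key")
        if [ "$_have" != "$_want" ]; then
            printf '%s expected=%s actual=%s\n' "$_key" "$_want" "${_have:-unset}"
            _bad=$((_bad + 1))
        fi
    done
    return "$_bad"
}

# Demo on a constructed sysctl.conf (sample data, not a real host's file) in
# which ip_forward is wrong and default.accept_redirects is missing on purpose.
demo_sysctl_audit() {
    _tmp=$(mktemp)
    cat > "$_tmp" <<'EOF'
# constructed sample sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
EOF
    _rc=0
    audit_sysctl "$_tmp" || _rc=$?
    rm -f "$_tmp"
    return "$_rc"
}

# On a real system run: audit_sysctl /etc/sysctl.conf
```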

Disallow Remote Root Login


There should never be a need for root to log in remotely. Any access required by root for system maintenance should be performed on the local system console or via SSH. Edit /etc/securetty to contain only the following entries:

tty1
tty2
tty3
tty4
tty5
tty6

Save the changes and run the following commands:

# chown root:root /etc/securetty
# chmod 400 /etc/securetty

Disable Ctrl-Alt-Delete

For those machines with poor or nonexistent physical security it is recommended to disable the almighty Ctrl-Alt-Delete. Edit /etc/inittab and comment out the following line:

#ca::ctrlaltdel:/sbin/shutdown -t3 -r now

Save and restart the service:

# /sbin/init q

Warning Banners:
Although the legal position is not clear, administrators will often present a warning banner to assist in prosecution. Changing the login banners also has the additional benefit of hiding the OS version and detailed system information. Edit the following files:

/etc/motd        displays the message of the day to a user after a successful login
/etc/issue       displayed to any user that is logging into the system locally
/etc/issue.net   displayed to users logging in remotely via SSH, Telnet, or FTP

In earlier versions, before RedHat 7.3, commands in /etc/rc.d/rc.local would overwrite the issue and motd files. These commands have been removed since version 7.3.

Password Protecting Single-user Mode

Single User Mode allows for local system maintenance and allows a user to move directly into run level 1 as root. Edit /etc/inittab to reflect the following changes:

id:3:initdefault:
~~:S:wait:/sbin/sulogin

Save the changes and restart the service:

# /sbin/init q

User Account & Password Security:

Quick Tips:
o Allow users to use root utilities only via sudo, because sudo use is logged by the system.
o Shadow the password files in /etc/shadow.
o Run Crack or John the Ripper to check password integrity.
o Become familiar with the programs that manage users and groups (man 8 pwunconv).
o Install a boot loader password during installation.

Password Aging
By default a user account is required to change its password every 99999 days, and no minimum limit is set on how long a password must be kept before changing it. The following command will set limits for all existing users whose ID is 500 or greater (500 is the default first ID for normal user accounts):

# awk -F: '$3 >= 500 { system("chage -M 180 -m 2 " $1) }' /etc/passwd

Change the following lines in /etc/login.defs so newly created user accounts will inherit these values:

PASS_MAX_DAYS 99999  ->  PASS_MAX_DAYS 180
PASS_MIN_DAYS 0      ->  PASS_MIN_DAYS 2

Purge any unnecessary user accounts that may have been created during the installation process. First make a backup copy:

# for file in /etc/{passwd,shadow,group} ; do /bin/cp -p $file $file.orig ; done

Remove unnecessary user accounts:

# for user in uucp operator games gopher ; do /usr/sbin/userdel $user ; done

Remove unnecessary groups:

# for group in dip operator gopher games uucp ; do /usr/sbin/groupdel $group ; done

When deleting groups and users you should verify that no mistakes have been made that will prevent someone from logging in:

# /usr/sbin/pwck
# /usr/sbin/grpck

These commands validate that /etc/passwd and /etc/group are properly formatted. Reassign all files originally owned by deleted users to root by using the following commands:

# /usr/bin/find / -nouser -exec /bin/chown root {} \;
# /usr/bin/find / -nogroup -exec /bin/chgrp root {} \;

Locking System Accounts


Some user accounts are only used by a system service or daemon and never require interactive login. Interactive login should be disabled for them:

# for user in bin daemon adm ftp sync lp mail news nobody ; do /usr/sbin/usermod -L -s /dev/null $user ; done

Verify that no account has an empty password:

# awk -F: '($2 == "") { print $1 }' /etc/shadow

If nothing is printed then all is well. Otherwise add a password for the account or delete/lock the user.
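As an added, read-only companion to the password aging and account locking steps above (not part of the original guide), the following shell functions report what those commands would act on: the chage commands for every UID at or above 500, accounts with an empty password hash, and service accounts from the lock list that still have a login shell. The passwd and shadow fragments in the demo are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original guide): read-only checks over the
# password database for the steps in this section. Nothing here modifies an
# account; review the output, then run the guide's chage/usermod commands.

# users_needing_aging PASSWD [MIN_UID]: print the chage command the guide runs
# for every account with UID >= MIN_UID (default 500), one per line.
users_needing_aging() {
    awk -F: -v min="${2:-500}" \
        '$3 >= min { printf "chage -M 180 -m 2 %s\n", $1 }' "$1"
}

# empty_password_accounts SHADOW: print accounts whose hash field is empty.
# Any output means that account can log in with no password at all.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# service_accounts_with_shell PASSWD: print, as name:shell, the service
# accounts from the guide's lock list that still have a usable login shell,
# i.e. have not yet been locked with "usermod -L -s /dev/null".
service_accounts_with_shell() {
    awk -F: '
        BEGIN {
            n = split("bin daemon adm ftp sync lp mail news nobody", a, " ")
            for (i = 1; i <= n; i++) locked[a[i]] = 1
        }
        ($1 in locked) && $7 != "/dev/null" && $7 != "/sbin/nologin" {
            print $1 ":" $7
        }' "$1"
}

# Demo on constructed passwd/shadow fragments (sample data, not a real host):
# ftp still has /bin/sh and an empty password; alice and bob are normal users.
demo_account_audit() {
    _pw=$(mktemp); _sh=$(mktemp)
    cat > "$_pw" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/dev/null
ftp:x:14:50:FTP User:/var/ftp:/bin/sh
alice:x:500:500::/home/alice:/bin/bash
bob:x:501:501::/home/bob:/bin/bash
EOF
    cat > "$_sh" <<'EOF'
root:$1$constructed$notarealhash:12000:0:99999:7:::
bin:*:12000:0:99999:7:::
daemon:*:12000:0:99999:7:::
ftp::12000:0:99999:7:::
alice:$1$constructed$notarealhash:12000:0:99999:7:::
bob:!!:12000:0:99999:7:::
EOF
    echo "== password aging commands to run"
    users_needing_aging "$_pw"
    echo "== accounts with an empty password"
    empty_password_accounts "$_sh"
    echo "== service accounts still allowing interactive login"
    service_accounts_with_shell "$_pw"
    rm -f "$_pw" "$_sh"
}

# On a real system, after reviewing the output:
#   users_needing_aging /etc/passwd | sh
#   empty_password_accounts /etc/shadow
#   service_accounts_with_shell /etc/passwd
```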

Tighten the default umask


A user's umask determines the permissions on any new files created by that user. The default for user accounts (where the user name is the same as the group name) with a user ID greater than 99 is 002 (i.e. 664 for files and 775 for directories). Root's default is 022 (644 for files and 755 for directories). The default umask should not result in the creation of world-readable files for normal users. Edit the lines in the /etc/bashrc and /etc/csh.cshrc files:

umask 022  ->  umask 077   (some rpms assume a default umask of 022 and may give warnings during installs)
umask 002  ->  umask 007

Miscellaneous Account Limits (RedHat only)


Further user account configuration can be made in limits.conf and time.conf in the /etc/security directory.

System Resources Usage (from Bastille)


To prevent individual users from consuming too many system resources, edit /etc/security/limits.conf so that core files will not be created, individual file sizes are limited to 100 MB, and a user can only have 150 concurrent processes running. Add the following lines (the leading * applies the limit to every user):

*  hard  core   0
*  hard  fsize  102400
*  hard  nproc  150

Securing and Disabling Services


Identify services that are configured to start (RedHat only):

# /sbin/chkconfig --list | grep -e '\(:.*on\|xinetd based\)'

The services that should be running on a given system are the following (look at /etc/init.d/servicename to see what each service does): keytable, syslog, network, random, crond, anacron, iptables, ntpd.

Disable and remove services that should not be started


# /etc/init.d/servicename stop
# /sbin/chkconfig --level 0123456 servicename off

Remove rpm packages


# /bin/rpm -e packagename

The package owning a given file can be discovered with:

# rpm -qf /etc/init.d/servicename

Configuring Access with TCPwrappers


Access control for services compiled with TCP Wrappers is implemented in /etc/hosts.allow and /etc/hosts.deny. When a connection attempt is made, the hosts.allow file is checked first; if a line matches, the connection is allowed. Otherwise it is checked against hosts.deny, and a matching line there denies it. If the connection is not listed in either file it is allowed by default. The /etc/banners directory containing the warning banner can be created as follows:

# /bin/mkdir -p /etc/banners
# /bin/echo "This system is for restricted users" > /etc/banners/prototype
# cd /etc/banners ; /usr/bin/make -f /usr/share/doc/tcp_wrappers-7.6/Banners.Makefile

Deny everything that is not explicitly allowed


# echo 'ALL: ALL: spawn (/bin/echo -e "`/bin/date`\n%c attempted connection to %s and was denied" | /bin/mail -s "Connection attempt to %s" root) &' > /etc/hosts.deny

Any connection attempt not listed in hosts.allow will be denied, a message will be logged to the syslog auth facility, and an email will be sent to root.

Allow access only to those that require it


Edit hosts.allow and add a line for each service to which access should be allowed. A few examples are shown below:

ALL: LOCAL : banners /etc/banners                       # all services from local clients
sshd: 10.1.1.0/255.255.254.0 : banners /etc/banners     # SSH from hosts in the given IP address range

Secure xinetd
xinetd should be removed from workstations. If present, there should be one file in the /etc/xinetd.d directory for each service. To control access to a service, find the file with the service name and add the following line between the { }:

only_from = 10.1.1.0/23    # allow connections only from host IP addresses between 10.1.1.0 and 10.1.2.0

Disable X Windows (Servers Only)


The following command will configure the system to run level 3 (multi-user mode with no X) instead of run level 5 (with X) and save the original /etc/inittab as /etc/inittab.bak:

# /usr/bin/perl -p -i.bak -e 's/id:5:init/id:3:init/' /etc/inittab

Updates and Patches


Up2date: http://www.redhat.com/docs/manuals/RHNetwork/ref-guide/
The Red Hat Network Daemon rhnsd (RedHat only) connects to the Red Hat server every 120 minutes to check for available package updates. Autorpm (http://www.autorpm.org) is an alternative to up2date:

# /bin/rpm -i autorpm-2.9.31.noarch.rpm

Register the system with the Red Hat Network; you will be prompted for a username and password (RedHat only):

# /usr/sbin/rhn_register

Verify the setup by manually checking for updates (RedHat only):

# /usr/sbin/up2date --nox -p    (updates the package profile associated with this system on the RedHat server)
# /usr/sbin/up2date --nox -u    (downloads and installs packages for updates)

Configure rhnsd to start when the system boots:

# /sbin/chkconfig rhnsd on
# /etc/init.d/rhnsd start

Modify the /etc/autorpm.d/redhat-updates.conf file. RPM packages that fail the signature check are placed in an interactive queue. To prevent these suspect rpm packages from getting accidentally installed later, the following line should be added after the line PGP_Require (Yes);:

PGP_Fail_Install (No);

Any update for an rpm package that is on the mirror site but has no earlier version already installed on the system will be added to the interactive queue. To prevent this, underneath the action (new) stanza change the line from

Install (Interactive);

to

Install (No);

Verify the setup by manually checking for updates. Running

# autorpm auto

without further arguments the first time will download Term-ReadLine-Gnu. Run

# autorpm auto

again to check for updates; binaries will be downloaded and installed. When the prompt returns, issue the following command:

# autorpm install all

An entry in the /etc/cron.daily directory is added by default to enable checking for updates.

File System Security


Secure File System Mount Options
Make the following edits to the /etc/fstab file. Mount the /usr partition as read-only. Most of the executable commands on the system are located in the /usr file system, and mounting it read-only is a good way to protect against Trojaned binaries being installed:

LABEL=/usr    /usr    ext3    ro    1 2

The /usr file system will have to be remounted read-write before applying most rpm upgrades (including any scheduled to be applied by update agents like up2date or autorpm):

# mount -o remount,rw /usr

After installation, the partition can be mounted read-only again with the following:

# mount -o remount,ro /usr

To prevent SUID or device files from being introduced to the system by removable media, add the nosuid and nodev options to the lines for all removable media (e.g. floppy, cdrom):

/dev/fd0      /mnt/floppy    ext3    nosuid,nodev    1 2
/dev/cdrom    /mnt/cdrom     ext3    nosuid,nodev    1 2

File systems that contain home directories should also have the nosuid and nodev options set:

LABEL=/home   /home          ext3    nosuid,nodev    1 2
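As an added check that is not part of the original guide, the following shell script audits an fstab for the mount options this section asks for (/usr read-only; /home, /mnt/floppy and /mnt/cdrom with nosuid and nodev) and shows the corrected option string for each failing entry. The fstab it creates is constructed sample data; run audit_fstab /etc/fstab on a real host.

```shell
#!/bin/sh
# Added example (not from the original guide): audit an fstab for the mount
# options recommended in this section, and build corrected option strings.

# has_opt OPTS NAME: succeed if NAME appears in the comma-separated list OPTS.
has_opt() {
    case ",$1," in
        *,"$2",*) return 0 ;;
    esac
    return 1
}

# with_opts OPTS NAME...: print OPTS with each missing NAME appended, so
# "defaults" becomes "defaults,nosuid,nodev" without duplicating options.
with_opts() {
    _opts=$1; shift
    for _o in "$@"; do
        has_opt "$_opts" "$_o" || _opts="$_opts,$_o"
    done
    printf '%s\n' "$_opts"
}

# audit_fstab FILE: /usr must carry "ro"; /home and the removable-media mount
# points must carry nosuid and nodev. Prints one line per problem (with the
# corrected option string) and returns the number of problems found.
audit_fstab() {
    _problems=0
    while read -r _dev _mnt _type _opts _rest; do
        case "$_dev" in ''|'#'*) continue ;; esac   # skip blanks and comments
        case "$_mnt" in
            /usr)
                has_opt "$_opts" ro || {
                    echo "/usr is not read-only (fix: $(with_opts "$_opts" ro))"
                    _problems=$((_problems + 1))
                }
                ;;
            /home|/mnt/floppy|/mnt/cdrom)
                for _need in nosuid nodev; do
                    has_opt "$_opts" "$_need" || {
                        echo "$_mnt lacks $_need (fix: $(with_opts "$_opts" nosuid nodev))"
                        _problems=$((_problems + 1))
                    }
                done
                ;;
        esac
    done < "$1"
    return "$_problems"
}

# Demo on a constructed fstab (sample data, not a real host's file). Only the
# cdrom line is compliant, so five problems are reported.
demo_fstab_audit() {
    _tmp=$(mktemp)
    cat > "$_tmp" <<'EOF'
# constructed sample /etc/fstab
LABEL=/        /            ext3     defaults                      1 1
LABEL=/usr     /usr         ext3     defaults                      1 2
LABEL=/home    /home        ext3     defaults                      1 2
/dev/fd0       /mnt/floppy  auto     noauto,owner                  0 0
/dev/cdrom     /mnt/cdrom   iso9660  noauto,owner,ro,nosuid,nodev  0 0
EOF
    _rc=0
    audit_fstab "$_tmp" || _rc=$?
    rm -f "$_tmp"
    return "$_rc"
}
```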

Restricting Access to Administrative Utilities


Issue the following commands to remove read, write and execute privileges for users that do not own the files from all files in these directories (consoletype is left alone because system scripts run it as ordinary users):

# /bin/chmod -R o-rwx /usr/sbin
# /bin/chmod o-rwx $(ls /sbin/* | grep -v consoletype)

SUID Permissions for Executable Programs


To see a list of all the files with SUID or SGID permissions:

# ls -l $(/usr/bin/find /bin /usr/bin -type f \( -perm -04000 -o -perm -02000 \))

Remove the SUID and SGID permissions from files that do not require them by setting the permissions on each file to 755:

# /bin/chmod 755 /bin/mount /bin/umount /usr/bin/chsh /usr/bin/chage /bin/ping /usr/bin/chfn

Remove compiler packages from workstations and servers not used for development:

# /bin/rpm -e cpp gcc gcc-c++ gcc-g77

Logging

Syslog
If possible store syslog output on a remote machine, so that an intruder wanting to cover their tracks would have to compromise both the system itself and the remote logging server. Reload the syslogd config file:

# /etc/init.d/syslog restart

Ensure that syslogd runs on boot:

# /sbin/chkconfig --level 2345 syslog on

logrotate.d
/etc/logrotate.conf contains the default options for rotating log files. The rotation intervals can be changed to lengthen the life of the log files. Be warned that logs can get quite large, so one must monitor the log size so that it does not get out of hand.

Logwatch
Use logwatch to monitor logs and have emails sent to the root user in the event of unexpected activity. Simply change the email address in the /etc/log.d/logwatch.conf file.

ntpd
Rather than rely on the system clock alone, configure the Network Time Protocol daemon to synchronize the system clock with three public NTP servers. Public NTP servers are listed at http://www.eecis.udel.edu/~mills/ntp/servers.html. Get permission from the admins of these servers, then edit /etc/ntp.conf and replace the loopback address with, for example:

server 10.0.0.1    # IP address of public server 1
server 10.0.0.2    # IP address of public server 2
server 10.0.0.3    # IP address of public server 3

Ensure that the NTP daemon is reloaded:

# /etc/init.d/ntpd restart

Ensure that ntpd is configured to start automatically on boot:

# /sbin/chkconfig --level 2345 ntpd on

Scheduler Security
Restrict cron and at by editing /etc/cron.allow and /etc/at.allow. Root always has access to create cron and at jobs. Create the cron.allow file as root:

# echo root > /etc/cron.allow

Make sure that any scheduled task is permitted to run for the user it belongs to.

Web Security
Ensure that only the necessary modules are installed in your Apache web server. Remove the Distributed Authoring and Versioning (DAV) module; it enables modifications to files on the web server using a client browser.

Apache Configuration File (the following section pertains to /etc/httpd/conf/httpd.conf)

Comment out unused modules such as the following:

mod_autoindex   provides directory listings and gives away too much information to attackers
mod_include     unless you use server-side includes you should disable this
mod_info        allows a client to visit a URL and get information about the running server
mod_status      allows a client to view server status from a URL
mod_userdir     allows users to serve pages from a directory within their home directory

Modification to the default Directory Access Permissions

Change the <Directory /> stanza that controls access permissions.

Original:

<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>

Modified:

<Directory />
    Options None
    AllowOverride None
    Order allow,deny
    Deny from all
</Directory>

The modified version does not allow symbolic links to be followed on the file system.

Modification to the default Document Root Access Permissions

Original:

<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

Modified:

<Directory "/var/www/html">
    Options SymLinksIfOwnerMatch
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

The original configuration will show a visitor a directory listing for any directory under the document root that has no index.html. The SymLinksIfOwnerMatch option prevents the server from following any links that may be created by other users to areas outside the document root. If multiple users need access to files beneath the web server document root, AllowOverride AuthConfig can be used in place of AllowOverride None, and a separate .htaccess file can then be used to authenticate user access.

To remain anonymous as to the server version and configuration, we can change the signature in httpd.conf that would normally be attached to server-generated pages:

ServerSignature Off

We can also remove strings from the HTTP header that is returned to clients in response to requests. This includes the name, version and modules loaded on startup:

ServerTokens Prod

The email address of the web server administrator can also be displayed on server-generated pages. This should be changed to a fake email address:

ServerAdmin foo@localhost

CGI Bin
CGI programs are a common attack vector when available; these days many companies disable their use altogether. References to the CGI bin and module should be commented out, starting with the LoadModule line and including the <Directory> ... </Directory> stanza for the CGI directory:

#LoadModule cgi_module modules/mod_cgi.so

File Permissions in the Document Root


Write permissions to any file or directory being served by the web server should be removed, or it leaves an open door to defacements. The user and group that the web server process runs under are defined in the httpd.conf file. Identify all the directories served by the web server and look for any files to which the owner of the web server process has write permission. These commands should return nothing:

# /usr/bin/find /var/www/html -user apache -perm +202 -exec ls -ld {} \;
# /usr/bin/find /var/www/html -group apache -perm +022 -exec ls -ld {} \;

Email Security
Sendmail should be upgraded to the most stable current release, at least 8.12.5, to secure against a theoretical buffer overflow vulnerability.

Disable the sendmail daemon on all workstations

Edit /etc/sysconfig/sendmail so that it contains:

DAEMON=no
QUEUE=15m

Then restart the daemon:

# /etc/rc.d/init.d/sendmail restart

File and Print Security


SCP and SFTP
Remote file-transfer and command-line control sessions are of paramount importance to Unix administration. For many years, however, only protocols such as FTP, Telnet and RSH were available. These protocols transmitted not only the data of the session but also the authentication information in clear text over the network. The advent of the Secure Shell (SSH) protocol introduced a much-welcomed answer to this problem, providing complete encryption of both command-line and data-transfer sessions using strong encryption algorithms. Particularly welcome has been the recent development of OpenSSH, a spin-off of the OpenBSD project, which has helped bring this protocol into wider use with its open-source implementation that compiles on any number of different Unix platforms. The scp and sftp commands do an excellent job of replacing their non-encrypted counterparts, emulating the command-line switches and options so well that in most cases scp in particular can simply be used as a drop-in replacement for rcp. Configure servers so that sftp sessions are as secure as possible, including the use of chroot to jail the users' file-transfer sessions, by patching the SSH source code. Unfortunately, the patch currently does not work for scp, but chrooted and non-chrooted users can exist side by side. Red Hat, even with the most current patches, does not always offer the latest SSH build, so it will be necessary to get the portable distribution of OpenSSH from the OpenSSH team (http://www.openssh.com). This manual will not go into the details of how to build an SSH server or chrooting the server. A future manual will delve into the construction of any distribution of broad network services.

Securing WU-FTPd
WU-FTPd is a fairly secure FTP program and is freely available. It should be used in place of clear-text FTP, and it ships by default with RedHat 7.3. In order to properly secure WU-FTPd we need to tweak the FTP configuration file, /etc/ftpaccess. We start by not allowing system accounts to log in over FTP:

# allow-uid ftp
# allow-gid ftp

Chroot all users by default:

guest-user *

Because we have already chrooted all users by default, we don't need to explicitly chroot a group:

# guestgroup ftpchroot

Set the email address:

email ftpadmin@ftpserver.mydomain.com

Permit only two failed logins before termination:

loginfails 2

Change the welcome message to something controllable:

message /.ftpwelcome.msg

Do not allow on-the-fly compression and tarring:

compress no all
tar no all

Prevent certain actions by anonymous or guest users. Explicitly list permissions:

umask no real,guest,anonymous
delete yes real,guest
overwrite yes real,guest
rename yes real,guest

Log commands and transfers to and from the server:

log commands real,guest,anonymous
log transfers anonymous,real,guest inbound,outbound

Mark certain files as non-retrievable:

noretrieve .notar
noretrieve .ftpwelcome.msg

Set a secure path filter to weed out evil file names:

path-filter guest,anonymous /etc/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-

Remove the server version from the greeting:

greeting terse

Use secure default umasks for everyone:

defumask 0377
defumask 0177 real
defumask 0133 guest

Networking / Remote Administration

o Remove all .rhosts utilities (rsh/rlogin/rcp). Find stray .rhosts files with: find /home -name .rhosts -print
o If using NFS (not recommended), export all NFS file systems with the most restrictive access in /etc/exports (nodev, nosuid, noexec). Be sure to filter TCP port 111 and UDP port 111 (portmapper) and TCP port 2049 and UDP port 2049 (nfsd) on the firewall if using NFS.
o Files in /var/log, /var/log/wtmp and /var/run/utmp (which contain login records) should have 644 permissions. wtmp logs the following login status information:
  - type of login
  - process ID of the login process
  - device name of the tty
  - init ID or abbreviated tty name
  - user name
  - hostname for remote login
  - exit status of a process
  - time the entry was made
  - IP address of the remote host
o utmp is consulted for currently logged in users.
o Install Cryptographic IP Encapsulation (CIPE) to communicate with other hosts.

Services
o The following services should not be installed, or should be disabled: NFS/NIS (any rpc), or at least use NIS+ over NIS; printer services (lpd); Telnet; R* services; FTP server (use HTTP, scp, SFTP); BIND; Mail Transfer Agents (sendmail, exim, postfix, qmail).
o Check /etc/rc.d/rc[0-9].d for symbolic links to services that will not be used. Links can be disabled by replacing the upper case S (for Start) with a lower case s. Stop services as root with /etc/init.d/<SERVICE_NAME> stop. After disabling an inetd service (with #), restart inetd with /etc/init.d/inetd restart. Get a list of the start-up scripts with ls -l /etc/init.d/ | less.
o You can get a quick list of enabled xinetd services with grep disable /etc/xinetd.d/* | grep no. Disable xinetd services from running by changing their listings in the xinetd configuration to disable = yes.
o Comment out unused services in /etc/inetd.conf rather than removing them, in case they are needed at some time.
o Disable identd for specific users (.noident file). It can be removed altogether unless you are building an IRC server.
o Remove /etc/hosts.equiv.

File and System Permissions

o Use ls -al in a folder to see all file permissions.
o Remove all suid/sgid bits (chmod g+s <dir> activates sgid) on executable and system files in non-root home directories. A favorite technique of attackers is to place suid programs where they will be executed on the server. To find all of them: find / -type f \( -perm -04000 -o -perm -02000 \)
o Remove unnecessary setuid and setgid bits. Find the candidates with: find / -type f -perm +6000
o Configure umask with restrictive access. Typical settings are 022, 027 and 077 (most restricted). It is set in /etc/profile. The default in RedHat is 022; root's umask should be 077. Find the resulting permissions by subtracting the umask from 777.
o Set file system limits in /etc/security/limits.conf (RH, Deb). Restrict the number of processes to 50 and usage per user to 5M.
o Find all world-writable system files and restrict where necessary. Find them with: find / -perm -2 ! -type l -ls. Add the sticky bit (t) with chmod +t <file> so that the file can be deleted or modified only by its creator.
o Find all unowned files, which may indicate a compromise, with: find / \( -nouser -o -nogroup \) -print
o System configuration files (/etc) should be 640.
o Install Cryptographic File System (CFS) or Transparent Cryptographic File System (TCFS) for encrypting folder trees where users can store sensitive files.

System Administration/Logging
o Allow only tty and vty terminals for root and trusted users.
o Secure /usr/sbin/syslogd from tampering. Look at /etc/syslog.conf to see where logging is going. Download a syslog encryption daemon to transfer log information to a central and secure location. View /var/log/messages for the default logs.
o Make use of /etc/shutdown.allow to prevent unauthorized users from rebooting the machine. It contains a list of users authorized to reboot the machine and is consulted when the Control-Alt-Del keys are pressed.
o Use xlock and vlock to lock a workstation.
o If possible configure tools to run in a chroot jail, for example privileged services such as Apache, so that an attacker does not attain root privilege on the real OS.
o Delete unnecessary binary packages with /bin/rpm -e <packagename> (if RedHat).

X11
o Secure X displays by having users log in to the terminal through MIT-MAGIC-COOKIE-1, a 128-bit cookie stored in the .Xauthority file. Use xauth for remote users, or use xdm to log in to the console and use ssh to go to

Kernel
o Download and install the security-enhanced Linux kernel from the NSA: http://www.nsa.gov/selinux/download.html
o Process accounting is enabled in most newer builds of the kernel and should be consulted for kernel-level functions.

Quick Tips: Auditing/Firewall/Scan Utilities Check List

o Use IPTables; otherwise enable TCP Wrappers (tcpd) to restrict access to TCP services. Create an /etc/hosts.allow file and add only the allowed hosts, e.g. ALL: 127. Create /etc/hosts.deny and put ALL: ALL in it. TCP Wrappers only protects inetd services.
o Use netstat -ta to see all services offered (netstat -tap | grep LISTEN). Record changes with output to a file (netstat -tap | grep LISTEN > ~/services.lst).
o Install Tripwire for system integrity. Make sure to write down the pass phrases and keep them secret.
o Use SAINT or NESSUS to port scan your machine to see where it is vulnerable.
o Install OpenPGP for email (or S/MIME), key transfer and secure hard-drive erasing.
o Install SSL / S-HTTP for all HTTP requests.
o Shut off Telnet and put OpenSSH in its place.
o Install IPTables/Netfilter as the firewall (for the advantages of IPTables over IPChains and IPFWAdm see the IP Masquerade HOWTO link under Useful Links).
o Run Internet Security Scanner (ISS) and System Security Scanner (S3).

Freeware Utilities
o SWATCH: The Simple Watcher is a popular open source log monitoring and alerting utility. Swatch monitors your log files against a set of configurable signatures. When Swatch detects an event, it can alert the system admin via the console, a sound, or an email. Swatch can also be used to filter old log files for activity.
o IPTables: The netfilter/iptables project is the Linux 2.4.x / 2.5.x firewalling subsystem. It delivers packet filtering (stateless or stateful), all kinds of NAT (Network Address Translation) and packet mangling. Iptables is the replacement for the user-space tool ipchains in the Linux 2.4 kernel and beyond. It is part of the kernel-space netfilter project. Iptables has many more features than ipchains and is also structured more sensibly.
o Tripwire: Tripwire is a tool that checks to see what has changed on your system. The program monitors key attributes of files that should not change, including binary signature, size, expected change of size, etc. Tripwire is originally known as an intrusion detection tool, but can be used for many other purposes such as integrity assurance, change management, policy compliance and more.
o John the Ripper: John the Ripper is a freeware password auditing or cracking utility. It attempts to brute force the passwords in the passwd and shadow files, making use of dictionaries and its knowledge of common password creation techniques.
o Bastille: A Linux hardening application that provides novice and experienced users a way to automate many of the security settings covered in this guide. Bastille provides both a command-line and a GUI interface, and walks the user through an interactive questionnaire to determine which settings should be turned on and what the ramifications of making those changes are.
o NMAP: A freeware reconnaissance utility, typically used as a port mapper, sending packets to hosts with various settings to determine which ports are open on a device. NMAP can also be used as an operating system reconnaissance tool, since it can send packets to a host and, based on the responses to those packets, determine which operating system the host is running.
o NESSUS: A freeware vulnerability assessment tool. Nessus works on a client/server model: the server side contains the vulnerability database and the engine that actually performs the vulnerability assessment, and the client connects to the server to configure the settings for the assessment. Nessus can provide reports in a number of different formats including its native GUI format, HTML, and ASCII.

Useful Links
How-Tos and References for this manual:
o SANS Step-by-Step Series, Securing Linux: A step by step survival guide, David Koconis, Jim Murray, Jos Purvis, Darrin Wassom
o Hacking Exposed, 3rd Edition: Network Security Secrets and Solutions, Stuart McClure, Joel Scambray, George Kurtz
o http://www.linuxsecurity.com/docs/LDP/Security-Quickstart-HOWTO/index.html
o http://www.linuxsecurity.com/docs/LDP/Security-HOWTO/
o http://www.linuxsecurity.com/docs/SecurityAdminGuide/SecurityAdminGuide.html
o http://www.linuxsecurity.com/docs/PDF/Securing-Optimizing-Linux-RH-Edition-1_3.pdf
o http://en.tldp.org/HOWTO/IP-Masquerade-HOWTO/iptables-vs-ipchains-vs-ipfwadm.html
o ftp://sunsite.unc.edu/pub/Linux/system/admin/accounts/acct-1.3.73.tar.gz

Security Resources
o SANS: http://www.sans.org
o Linux Security: http://www.linuxsecurity.com
o Security Focus: http://www.securityfocus.org
o Hacking Linux Exposed: http://www.hackinglinuxexposed.com/articles/20021015.html
o CERT: http://www.cert.org

Firewall Resources:
o http://www.linuxfirewalltools.org
o http://www.firestarter.sourceforge.net
o http://www.fwbuilder.org
o http://www.stearnes.org/mason

Red Hat Resources
o Red Hat: http://www.redhat.com
o Red Hat Advisories: http://rhn.redhat.com/errata/rh73errata.html

Third Party Resources
o APACHE: http://httpd.apache.org
o APACHE MODS: http://httpd.apache.org/docs/mod/
o AUTORPM: http://www.autorpm.org
o BASTILLE: http://www.bastillelinux.org
o EXIM: http://www.exim.org
o IMAP Connection: http://www.imap.org
o IPTABLES: http://www.iptables.org
o John the Ripper: http://www.openwall.com/john
o Logwatch: http://www.logwatch.org
o NESSUS: http://www.nessus.org
o NMAP: http://www.nmap.org
o NTP: http://www.cis.udel.edu/~ntp
o OPENSSH: http://www.openssh.com
o OPENPGP: http://www.openpgp.org
o PSIONIC TRISENTRY: http://www.psionic.com
o POSTFIX: http://www.postfix.org
o QMAIL: http://www.qmail.org
o QPOPPER: http://www.eudora.com/qpopper
o SAINT: http://www.saintcorporation.com
o SAMBA: http://www.samba.org
o SENDMAIL: http://www.sendmail.org
o SNMP: http://www.snmplink.org
o SNORT: http://www.snort.org
o SWATCH: http://www.oit.ucsb.edu/~eta/swatch
o Time Servers: http://www.eecis.udel.edu/~mills/ntp/servers.html
o TRIPWIRE: http://www.tripwire.org
o WUFTP: http://www.wuftpd.org
o XINETD: http://www.xinetd.org

Black and White Hat Security Resources
o AstalaVista: http://www.astalavista.com
o Hacktivismo: http://hacktivismo.com/news/modules.php?name=Content&pa=showpage&pid=12/
o Cult of the Dead Cow: http://www.cultdeadcow.com/main.php3
o Phrack: http://www.phrack.org
o 2600 magazine: http://www.2600.com
o Apocalypse: http://www.apocalypseonline.com/security/exploits/exploits.asp?exp_category=Slackware
o Security Tool Review: http://www.securitytoolreview.com
o Foundstone: http://www.foundstone.com
o F.I.R.E.: http://fire.dmzs.com/?section=tools
o Honeypots: http://www.trackinghackers.com
o Anti-Hacker ToolKit: http://www.antihackertoolkit.com/tools
