University of Florida | Department of Physics

Securing Linux

These instructions are probably specific to RedHat Linux 6.x. If you are running some other distribution you should be familiar with Linux and system management and be able to adapt these instructions.
  1. Decide what services you need to provide with this machine. If it is your desktop machine and no one else needs access to it over the network, then you do not need to provide any services to the Internet. In that case do not start inetd at all. The best way to do this is to just delete /etc/inetd.conf.

  2. Edit /etc/inetd.conf to stop services that are not needed. Here is what your /etc/inetd.conf file should look like:

    ftp    stream tcp  nowait root   /usr/sbin/tcpd       in.ftpd -l -a
    telnet stream tcp  nowait root   /usr/sbin/tcpd       in.telnetd
    shell  stream tcp  nowait root   /usr/sbin/tcpd       in.rshd
    login  stream tcp  nowait root   /usr/sbin/tcpd       in.rlogind
    talk   dgram  udp  wait   root   /usr/sbin/tcpd       in.talkd
    ntalk  dgram  udp  wait   root   /usr/sbin/tcpd       in.ntalkd
    time   stream tcp  nowait nobody /usr/sbin/tcpd       in.timed
    time   dgram  udp  wait   nobody /usr/sbin/tcpd       in.timed
    auth   stream tcp  nowait nobody /usr/sbin/in.identd  in.identd -l -e -o
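The file above is short enough to read by eye, but on a machine with a stock inetd.conf it helps to have a checker. The following is an added example (not code from the original page): it parses the classic inetd.conf field layout, lists which services inetd would listen for, reports which of them are started directly rather than through /usr/sbin/tcpd (the hosts.allow/hosts.deny rules of step 3 only cover wrapped services, or daemons that link libwrap themselves), and lists what is left to comment out once you have decided which services to keep. The sample file is constructed from the page's listing, with one commented-out finger line added; the keep set {"ftp", "auth"} is an assumed example policy.

```python
# Added example, not part of the original page: audit an inetd.conf.

# Constructed sample, laid out like the page's recommended /etc/inetd.conf,
# with one commented-out finger service added to show that it is skipped.
INETD_CONF = """\
#finger stream tcp  nowait nobody /usr/sbin/tcpd       in.fingerd
ftp    stream tcp  nowait root   /usr/sbin/tcpd       in.ftpd -l -a
telnet stream tcp  nowait root   /usr/sbin/tcpd       in.telnetd
shell  stream tcp  nowait root   /usr/sbin/tcpd       in.rshd
login  stream tcp  nowait root   /usr/sbin/tcpd       in.rlogind
talk   dgram  udp  wait   root   /usr/sbin/tcpd       in.talkd
ntalk  dgram  udp  wait   root   /usr/sbin/tcpd       in.ntalkd
time   stream tcp  nowait nobody /usr/sbin/tcpd       in.timed
time   dgram  udp  wait   nobody /usr/sbin/tcpd       in.timed
auth   stream tcp  nowait nobody /usr/sbin/in.identd  in.identd -l -e -o
"""

TCPD = "/usr/sbin/tcpd"


def parse_inetd(text):
    """Parse active (non-comment) inetd.conf lines into dicts.

    Field order is the classic one: service, socket type, protocol,
    wait/nowait, user, server program, then the argv for the server.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue  # too few fields to be a service entry; ignore it
        entries.append({
            "service": fields[0],
            "socket": fields[1],
            "proto": fields[2],
            "wait": fields[3],
            "user": fields[4],
            "server": fields[5],
            "args": fields[6:],
        })
    return entries


def enabled_services(text):
    """Names of services inetd would listen for, in file order, deduplicated."""
    seen = []
    for entry in parse_inetd(text):
        if entry["service"] not in seen:
            seen.append(entry["service"])
    return seen


def unwrapped_services(text):
    """Services whose server program is not tcpd.

    hosts.allow/hosts.deny do not restrict these unless the daemon itself
    is linked against libwrap (as the secure portmap mentioned in step 3 is).
    """
    return sorted({e["service"] for e in parse_inetd(text) if e["server"] != TCPD})


def services_to_remove(text, keep):
    """Enabled services outside the set you decided to provide in step 1."""
    return [s for s in enabled_services(text) if s not in keep]


if __name__ == "__main__":
    print("enabled:", enabled_services(INETD_CONF))
    print("not wrapped by tcpd:", unwrapped_services(INETD_CONF))
    print("comment out:", services_to_remove(INETD_CONF, keep={"ftp", "auth"}))
```

Run it against a copy of your real file by reading it into INETD_CONF; the "not wrapped by tcpd" list is the one to look at before relying on step 3, since in.identd in the page's layout is started directly.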

  3. Restrict the services that are staying open to specific machines through the use of tcp wrappers. Tcp wrappers are installed by default on RedHat 5.x machines, but they are not doing anything other than logging. Tcp wrappers use the files /etc/hosts.deny and /etc/hosts.allow to determine which users and domain names are allowed to connect to services on your machine. Here is /etc/hosts.deny:

    #
    # hosts.deny    This file describes the names of the hosts which are
    #               *not* allowed to use the local INET services, as decided
    #               by the '/usr/sbin/tcpd' server.
    #
    # The portmap line is redundant, but it is left to remind you that
    # the new secure portmap uses hosts.deny and hosts.allow.  In particular
    # you should know that NFS uses portmap!
    ALL:        ALL
    portmap:    ALL

    and here is /etc/hosts.allow:

    #
    # hosts.allow   This file describes the names of the hosts which are
    #               allowed to use the local INET services, as decided
    #               by the '/usr/sbin/tcpd' server.
    #
    ALL:        127.0.0.1, 128.227.64.XXX
    portmap:    128.227.64.0/255.255.255.0
    portmap:    255.255.255.255 0.0.0.0

    XXX identifies a particular machine that you want to allow access to. For example you might have the IP number of your office PC if the Linux machine is in your lab and you want to be able to telnet in.
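The order in which tcpd consults the two files is what makes the "deny everything, then allow a few hosts" layout above work: a connection is accepted if it matches hosts.allow, refused if it then matches hosts.deny, and accepted otherwise, so a hosts.deny without ALL: ALL leaves everything open. The following is an added example (not code from the page or from the tcp wrappers package) that evaluates that decision for a daemon name and client IP, handling the pattern forms the page uses: ALL, an exact address, a net/mask pair such as 128.227.64.0/255.255.255.0, and a trailing-dot prefix such as 128.227. Hostname patterns and the EXCEPT operator are deliberately not implemented. The two sample files are constructed from the page's listing, with 128.227.64.42 standing in for the page's 128.227.64.XXX placeholder.

```python
# Added example, not part of the original page: evaluate hosts.allow /
# hosts.deny decisions the way tcpd does for IP-address clients.
import ipaddress

# Constructed samples in the page's layout; 128.227.64.42 replaces the XXX
# placeholder (an assumed office-PC address, not a real host).
HOSTS_ALLOW = """\
ALL:     127.0.0.1, 128.227.64.42
portmap: 128.227.64.0/255.255.255.0
portmap: 255.255.255.255 0.0.0.0
"""
HOSTS_DENY = """\
ALL:     ALL
portmap: ALL
"""


def parse_rules(text):
    """Return [(daemon_patterns, client_patterns), ...] from a hosts.* file.

    Lists on either side of the colon may be separated by commas or blanks;
    '#' starts a comment.
    """
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, _, clients = line.partition(":")
        rules.append((
            daemons.replace(",", " ").split(),
            clients.replace(",", " ").split(),
        ))
    return rules


def client_matches(pattern, client_ip):
    """Match one client pattern against a dotted-quad client address."""
    if pattern == "ALL":
        return True
    ip = ipaddress.ip_address(client_ip)
    if "/" in pattern:
        # net/mask form, e.g. 128.227.64.0/255.255.255.0
        net, mask = pattern.split("/", 1)
        return ip in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    if pattern.endswith("."):
        # leading-octet prefix, e.g. "128.227." matches 128.227.x.y
        return client_ip.startswith(pattern)
    return client_ip == pattern


def daemon_matches(pattern, daemon):
    # tcpd matches on the server process name (in.telnetd), not the
    # inetd service name (telnet).
    return pattern == "ALL" or pattern == daemon


def rule_matches(rules, daemon, client_ip):
    return any(
        any(daemon_matches(d, daemon) for d in daemons)
        and any(client_matches(c, client_ip) for c in clients)
        for daemons, clients in rules
    )


def access_allowed(daemon, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """tcpd's order: allow file first, then deny file, otherwise allow."""
    if rule_matches(parse_rules(allow_text), daemon, client_ip):
        return True
    if rule_matches(parse_rules(deny_text), daemon, client_ip):
        return False
    return True


if __name__ == "__main__":
    for daemon, ip in [("in.telnetd", "127.0.0.1"), ("in.telnetd", "128.227.64.7"),
                       ("portmap", "128.227.64.7"), ("portmap", "10.1.2.3")]:
        print(f"{daemon:11s} from {ip:15s} ->",
              "allow" if access_allowed(daemon, ip) else "deny")
```

The last assertion in the accompanying check (an empty hosts.deny) shows the default-allow behaviour: step 3 is only a restriction when the ALL: ALL line is present in hosts.deny.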

  4. After making the above changes, send a HUP signal to the inetd process so that it rereads /etc/inetd.conf.

  5. Test your setup:

    1. make sure finger is not answering: finger @localhost
    2. check that telnet is answered only from the hosts which are allowed:
      • telnet yourhostname from the local machine
      • telnet yourhostname from a machine not listed in /etc/hosts.allow
      • telnet yourhostname from a machine listed in /etc/hosts.allow

  6. Next cut back on the daemons started at boot time. To see some of what is being started type /sbin/chkconfig --list. This will tell you which daemons are being started in which runlevels. If you see something like this:

    atd       0:off 1:off 2:off 3:on  4:on  5:on  6:off
    gpm       0:off 1:off 2:on  3:on  4:on  5:on  6:off
    network   0:off 1:off 2:on  3:on  4:on  5:on  6:off
    nfsfs     0:off 1:off 2:off 3:on  4:on  5:on  6:off
    random    0:off 1:on  2:on  3:on  4:on  5:on  6:off
    keytable  0:off 1:off 2:on  3:on  4:on  5:on  6:off
    pcmcia    0:off 1:off 2:on  3:on  4:on  5:on  6:off
    linuxconf 0:off 1:off 2:on  3:on  4:on  5:on  6:off
    lpd       0:off 1:off 2:on  3:on  4:on  5:on  6:off
    kerneld   0:off 1:on  2:on  3:on  4:on  5:on  6:off
    inet      0:off 1:off 2:off 3:on  4:on  5:on  6:off
    portmap   0:off 1:off 2:off 3:on  4:on  5:on  6:off
    routed    0:off 1:off 2:off 3:on  4:on  5:on  6:off
    sound     0:off 1:off 2:off 3:on  4:on  5:on  6:off
    sendmail  0:off 1:off 2:on  3:on  4:on  5:on  6:off
    syslog    0:off 1:off 2:on  3:on  4:on  5:on  6:off
    crond     0:off 1:off 2:on  3:on  4:on  5:on  6:off

    you can start turning things off. For example, routed is being started in runlevels three, four, and five. It should not be started, so I type /sbin/chkconfig --del routed
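Reading the chkconfig table by eye is error-prone once it has thirty or forty rows, and the only rows that matter are the ones "on" in the runlevel the machine actually boots into (the initdefault line of /etc/inittab from step 13). The following is an added example (not code from the page or from chkconfig itself): it parses the output above into a per-service set of runlevels, reads the default runlevel from an inittab excerpt, and emits the /sbin/chkconfig --del commands for a list of services you have decided should not start. The sample table is the page's own; the inittab excerpt and the set {"routed", "nfsfs", "gpm"} are a constructed example policy, not a recommendation from the page beyond routed.

```python
# Added example, not part of the original page: turn `chkconfig --list`
# output into a list of services to disable in the boot runlevel.

# Sample table copied from the page's listing.
CHKCONFIG_LIST = """\
atd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
gpm 0:off 1:off 2:on 3:on 4:on 5:on 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
nfsfs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
random 0:off 1:on 2:on 3:on 4:on 5:on 6:off
keytable 0:off 1:off 2:on 3:on 4:on 5:on 6:off
pcmcia 0:off 1:off 2:on 3:on 4:on 5:on 6:off
linuxconf 0:off 1:off 2:on 3:on 4:on 5:on 6:off
lpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
kerneld 0:off 1:on 2:on 3:on 4:on 5:on 6:off
inet 0:off 1:off 2:off 3:on 4:on 5:on 6:off
portmap 0:off 1:off 2:off 3:on 4:on 5:on 6:off
routed 0:off 1:off 2:off 3:on 4:on 5:on 6:off
sound 0:off 1:off 2:off 3:on 4:on 5:on 6:off
sendmail 0:off 1:off 2:on 3:on 4:on 5:on 6:off
syslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
"""

# Constructed /etc/inittab excerpt in the same form as the page's example.
INITTAB = """\
# Default runlevel. The runlevels used by RHS are:
#   3 - Full multiuser mode
#   5 - X11
id:5:initdefault:
"""


def parse_chkconfig(text):
    """Map each service name to the set of runlevels in which it is 'on'."""
    services = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        name, states = fields[0], fields[1:]
        on = set()
        for state in states:
            level, _, value = state.partition(":")
            if level.isdigit() and value == "on":
                on.add(int(level))
        services[name] = on
    return services


def default_runlevel(inittab_text):
    """Runlevel from the id:N:initdefault: line, or None if absent."""
    for line in inittab_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 3 and fields[2] == "initdefault" and fields[1].isdigit():
            return int(fields[1])
    return None


def services_on_at(text, level):
    """Sorted names of services started in the given runlevel."""
    return sorted(n for n, on in parse_chkconfig(text).items() if level in on)


def disable_commands(text, unwanted, levels=(3, 4, 5)):
    """chkconfig --del commands for unwanted services active in any of `levels`."""
    table = parse_chkconfig(text)
    return [f"/sbin/chkconfig --del {name}"
            for name in sorted(unwanted)
            if table.get(name, set()) & set(levels)]


if __name__ == "__main__":
    level = default_runlevel(INITTAB)
    print(f"runlevel {level} starts:", services_on_at(CHKCONFIG_LIST, level))
    for cmd in disable_commands(CHKCONFIG_LIST, {"routed", "nfsfs", "gpm"}, levels=(level,)):
        print(cmd)
```

Pipe the real output in with `/sbin/chkconfig --list` and read /etc/inittab instead of the embedded strings; the commands are printed rather than executed so you can review them before running any.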

  7. Turn off services that are not chkconfig compliant. To do this I like to remove the link from /etc/rc.d/init.d/whatever to /etc/rc.d/rc?.d/SnnWhatever. The way this works is that the startup/shutdown scripts live in /etc/rc.d/init.d and are linked to from the different runlevel directories; if you remove the link, the script is never called. I don't remove the original script in case I need it later. For example, suppose inetd is being started and the script is not chkconfig compliant. I look for the link by doing:

    • cd /etc/rc.d
    • find . -print | grep inet

    Here is the output:

    ./init.d/inet
    ./rc0.d/K50inet
    ./rc1.d/K50inet
    ./rc2.d/K50inet
    ./rc3.d/S50inet
    ./rc4.d/S50inet
    ./rc5.d/S50inet
    ./rc6.d/K50inet

    This tells me that inetd is being started in runlevels 3, 4 and 5. I remove the links and then reboot, and there are no longer any of the inetd controlled services to worry about.

  8. Configure sendmail for queuing only:

    • edit /etc/sysconfig/sendmail and change DAEMON=yes to no
    • create a /etc/sendmail.cf file that forwards to the mail server for Physics. To do this use the clientproto.mc file which comes with sendmail and specify phys.ufl.edu as the mail server. Or you can use the file which I have already made for sendmail 8.9.3. To use this file just back up /etc/mail/sendmail.cf and replace it with mine. If phys.ufl.edu is not your smtp server please look through the cf file and specify your smtp server and domain name. Please remember to edit /etc/aliases and specify that mail destined for "root" goes to the appropriate person. If that person is you then just look for the line in the file with root on the left hand side and put your email address on the right hand side. On current RedHat distributions this line is commented out and the mail goes to "marc."

  9. Edit /etc/rc.d/rc.local so that the machine stops telling people what kernel and OS you are running. Put a welcome message, or some kind of warning, in /etc/issue rather than the output of uname. People will telnet to every machine in a subnet looking for a particular revision of RedHat which they know has a security problem.

  10. Have the machine scanned for known problems, contact us to schedule this.

  11. Restrict the machines that can get an XDM session from you (unless you are serving X terminals or PC full screen sessions). The file to edit is /etc/X11/xdm/Xaccess. You will want to comment out two lines in this file: the one which allows any machine to be served XDM and the one for the chooser which responds to broadcasts. After commenting they look like this:

    #*                                      #any host can get a login window
    #*              CHOOSER BROADCAST       #any indirect host can get a chooser

  12. Not really related to security, but this is useful info. To have X startup in 16bpp mode rather than 8bpp edit the file /etc/X11/xdm/Xservers and set the line for the local display (screen :0) like so:

    :0 local /usr/X11R6/bin/X -bpp 16

  13. Once you are sure that X is working fine you can make the machine boot in X by default. To do this edit /etc/inittab and change the default runlevel:

    # Default runlevel. The runlevels used by RHS are:
    #   0 - halt (Do NOT set initdefault to this)
    #   1 - Single user mode
    #   2 - Multiuser, without NFS (The same as 3, if you do not have networking)
    #   3 - Full multiuser mode
    #   4 - unused
    #   5 - X11
    #   6 - reboot (Do NOT set initdefault to this)
    # 
    id:5:initdefault:

  14. Reconfigure rsh and install ssh.

    rsh needs to be moved out of the users' path so that it is only used if ssh fails, and the user is then warned that they are using an insecure protocol. Remove the rsh binary by typing:

    rpm -e rsh

    Now grab the source rpm from the ftp site and install it with rpm -i; the sources land in /usr/src/redhat/SOURCES. The tar file you need is netkit-rsh*.tar.gz. Unpack it and configure:

    ./configure --prefix=/usr/notinpath --disable-pam --disable-shadow

    This only sets the install path for rsh, though; edit the file pathnames.h in the rcp and rsh directories to change the path from:

    #define _PATH_RSH       "/usr/bin/rsh"

    to:

    #define _PATH_RSH       "/usr/notinpath/bin/rsh"

    When you actually install the programs you will have to make the directories yourself, as the Makefile does not do it.

    Configure ssh to fall back to the rsh binary just installed:

    ./configure --with-x --with-rsh=/usr/notinpath/bin/rsh \
     --program-transform-name='s/^s/r/' --with-libwrap \
     --with-etcdir=/etc/ssh --with-rsaref

    Refer to our general ssh page for more info. Here is what your /etc/inetd.conf should now look like:

    ftp    stream tcp  nowait root   /usr/sbin/tcpd       in.ftpd -l -a
    auth   stream tcp  nowait nobody /usr/sbin/in.identd  in.identd -l -e -o
    

  15. Turn off anonymous ftp access (if you have to have ftp at all) by editing /etc/ftpaccess. You will see a line:

    class   all   real,guest,anonymous  *

    Just remove the words guest and anonymous from the line.