centostricks


Hardening RHEL/CentOS 5.x



1. System and Network Services 

1.1 The default runlevel must be set to 3 in /etc/inittab

id:3:initdefault:

1.2 The system and network services listed below may remain enabled

System and Network Services
ntpd
network
sshd
syslog
auditd
acpid
cpuspeed
crond
anacron
irqbalance
iptables
plus any other services specific to the server's role

Disable every other service in all runlevels unless it is needed.

To enable a service in the runlevels: chkconfig --level 345 <servicename> on

To disable any other service in the runlevels: chkconfig --level 345 <servicename> off
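As an added example (not part of the original post), the following script applies this allowlist to the output of chkconfig --list and prints a chkconfig --level 345 <service> off command for every other service that is on in runlevel 3, 4 or 5. The allowlist, the sample chkconfig output and the --live switch are my assumptions; without --live the script only parses the constructed sample and changes nothing.

```shell
#!/bin/sh
# Added example (not from the original post): audit the services enabled in
# runlevels 3, 4 and 5 against the allowlist from this section.
# Assumes the RHEL 5 `chkconfig --list` output format, one service per line:
#   sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off

ALLOWED_SERVICES="ntpd network sshd syslog auditd acpid cpuspeed crond anacron irqbalance iptables"

# Constructed sample of `chkconfig --list` output for an offline run.
SAMPLE_CHKCONFIG='ntpd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
bluetooth       0:off   1:off   2:off   3:off   4:off   5:off   6:off
xinetd          0:off   1:off   2:off   3:on    4:on    5:on    6:off
auditd          0:off   1:off   2:off   3:on    4:on    5:on    6:off
xinetd based services:
        chargen-dgram:  off'

# Read chkconfig output on stdin and print each service that is "on" in
# runlevel 3, 4 or 5 but is not in ALLOWED_SERVICES. Returns 1 if any is found.
# The "xinetd based services:" header and its indented entries never contain
# "3:on"/"4:on"/"5:on", so they are skipped by the first case.
unexpected_services() {
    found=0
    while read -r svc levels; do
        case "$levels" in *3:on*|*4:on*|*5:on*) ;; *) continue ;; esac
        case " $ALLOWED_SERVICES " in *" $svc "*) continue ;; esac
        echo "$svc"
        found=1
    done
    return $found
}

# Turn the findings into the chkconfig commands from this section (printed, not run).
disable_commands() {
    while read -r svc; do
        [ -n "$svc" ] && echo "chkconfig --level 345 $svc off"
    done
}

# Live use on a RHEL/CentOS 5 host: prints the commands, does not run them.
if [ "${1:-}" = "--live" ]; then
    chkconfig --list | unexpected_services | disable_commands
fi
```

Review the printed commands before running them; a service that is "on" but not on the list may still be one the server's role needs.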

2. Default Permissions

2.1 Umask must be set to 0027 in /etc/login.defs and /etc/profile

Edit /etc/login.defs and set UMASK 027; edit /etc/profile and set umask 027

3. Password Policies

3.1 Minimum password length must be set to 8 characters.

 Edit /etc/login.defs and set  PASS_MIN_LEN   8

3.2 Password triviality checking must be enforced.

Edit /etc/pam.d/system-auth and set: password requisite pam_cracklib.so try_first_pass retry=3 minlen=10 difok=2 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-2

(The pam_cracklib option is minlen, not minlength, and negative credit values make each character class a requirement; positive values only add length credit.)

3.3 Maximum age of the password must be 90 days.

Edit /etc/login.defs and set  PASS_MAX_DAYS   45

3.4 Minimum age of the password must be 15 days.

Edit /etc/login.defs and set PASS_MIN_DAYS   3

3.5 Set Password Warning age to 7 days.

Edit /etc/login.defs and set PASS_WARN_AGE   7

3.6 User account to be locked after 90 days of inactivity.

Edit /etc/default/useradd and set INACTIVE=90

3.7 Remove the encrypted password from /etc/shadow for unused users.

Lock such accounts with passwd -l <username> (which invalidates the stored hash) rather than blanking the field: an empty password field permits login without a password wherever nullok is in effect.

4. Account Policies(PAM)

4.1 Account Lockout policies (lock account after three attempts)

Edit /etc/pam.d/system-auth and add: auth required pam_tally.so onerr=fail deny=3 unlock_time=360

This line must come immediately after the pam_env.so line and before the pam_unix.so line in the configuration file.

Accounts can be unlocked by running faillog -r -u <username>, which resets the counter.

faillog -u <username> displays the number of failed attempts for the user.

5. Disable unnecessary accounts

5.1 Change the login shell to /sbin/nologin for the users in the table below

Use usermod -s /sbin/nologin <username> to change the shell.

The table below lists the users whose shell has to be disabled:

User            Shell
bin             /sbin/nologin
daemon          /sbin/nologin
adm             /sbin/nologin
lp              /sbin/nologin
uucp            /sbin/nologin
operator        /sbin/nologin
nobody          /sbin/nologin
dbus            /sbin/nologin
avahi           /sbin/nologin
smmsp           /sbin/nologin
mail            /sbin/nologin
ntp             /sbin/nologin
haldaemon       /sbin/nologin
sshd            /sbin/nologin
gdm             /sbin/nologin
xfs             /sbin/nologin
sabayon         /sbin/nologin
sync            /sbin/nologin
shutdown        /sbin/nologin
halt            /sbin/nologin
news            /sbin/nologin
games           /sbin/nologin
gopher          /sbin/nologin
ftp             /sbin/nologin
nscd            /sbin/nologin
distcache       /sbin/nologin
vcsa            /sbin/nologin
pcap            /sbin/nologin
apache          /sbin/nologin
rpc             /sbin/nologin
nfsnobody       /sbin/nologin
webalizer       /sbin/nologin
dovecot         /sbin/nologin
squid           /sbin/nologin
mailnull        /sbin/nologin
hsqldb          /sbin/nologin
named           /sbin/nologin
avahi-autoipd   /sbin/nologin

5.2 Check the Group members

Only root should be a member of the root group; no other user should belong to it.

Check /etc/group and /etc/gshadow for the group membership.

Proper group and owner permissions for each application must be maintained.
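As an added example covering 5.1 and 5.2 (not part of the original post), this script reads /etc/passwd and /etc/group in their standard formats and reports two things: system accounts (UID below 500, the RHEL 5 convention) that still have a login shell, printed as the usermod -s /sbin/nologin commands from above, and users other than root listed as secondary members of GID 0. The sample file contents and the --live switch are constructed by me.

```shell
#!/bin/sh
# Added example (not from the original post): find system accounts that still
# have a login shell, and users other than root listed in the root group.
# Assumes RHEL 5 conventions: system accounts have UID < 500, and /etc/passwd
# and /etc/group use their standard colon-separated formats.

# Constructed sample /etc/passwd and /etc/group contents for an offline run.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/bin/bash
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
apache:x:48:48:Apache:/var/www:/bin/sh
ntp:x:38:38::/etc/ntp:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash'

SAMPLE_GROUP='root:x:0:alice
bin:x:1:root,bin,daemon
wheel:x:10:alice'

# Read /etc/passwd format on stdin; print "user shell" for every system account
# (UID below 500, root excluded) whose shell is not /sbin/nologin.
system_accounts_with_shell() {
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -n "$user" ] || continue
        [ "$user" = root ] && continue
        [ "$uid" -lt 500 ] || continue
        [ "$shell" = /sbin/nologin ] && continue
        echo "$user $shell"
    done
}

# Read /etc/group format on stdin; print every secondary member of GID 0 other
# than root. (Accounts whose primary group is 0 are not covered here.)
extra_root_group_members() {
    while IFS=: read -r grp pw gid members; do
        [ "$gid" = 0 ] || continue
        old_ifs=$IFS; IFS=,
        for m in $members; do
            [ "$m" = root ] || echo "$m"
        done
        IFS=$old_ifs
    done
}

# Emit the usermod commands from this section for the findings (printed, not run).
nologin_commands() {
    while read -r user shell; do
        [ -n "$user" ] && echo "usermod -s /sbin/nologin $user"
    done
}

if [ "${1:-}" = "--live" ]; then
    system_accounts_with_shell < /etc/passwd | nologin_commands
    extra_root_group_members < /etc/group
fi
```

On a real host, check each reported account before changing it: sync, shutdown and halt carry their special shells on purpose, and the post lists them for nologin anyway.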

6. Auditing

6.1 Enabling the Auditd Service.

chkconfig --level 345 auditd on

7. Login Banner to be used

Add a banner as per your company policy

Edit /etc/ssh/sshd_config and set Banner /etc/ssh/sshd.banner

8. SSH Server Settings.

8.1 sshd must be present and configured according to your company accepted practices

Set the following environment variables to be accepted by sshd:

LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES LC_IDENTIFICATION LC_ALL LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT

Display the above mentioned warning banner

Require password-based authentication at a minimum

Do not permit empty passwords

Do not permit root login (PermitRootLogin no)

Configure sshd to listen on 22/tcp for incoming connections, or on a different port where local practice requires it

Require shell login with RSA Key.

Require minimum version 2 of the ssh protocol

Enable X11 forwarding

The SyslogFacility must be set to AUTHPRIV when logging messages from sshd.

Configure the file transfer subsystem to be /usr/libexec/openssh/sftp-server

Use PAM for authentication

8.2 Configuration as per the details in 8.1

AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES

AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT

AcceptEnv LC_IDENTIFICATION LC_ALL

Banner /etc/ssh/sshd.banner

PasswordAuthentication yes

PermitEmptyPasswords no

PermitRootLogin no

Port 22

Protocol 2

RSAAuthentication yes

X11Forwarding  yes

SyslogFacility AUTHPRIV

Subsystem  sftp   /usr/libexec/openssh/sftp-server

UsePAM  yes

8.3 Remove network client applications that are not needed on a server

wget (remove the wget package: rpm -e wget)

nmap (remove the nmap package: rpm -e nmap)

finger (remove the finger package: rpm -e finger)

rlogin, rsh, rcp (remove the rsh package: rpm -e rsh)

remove all email clients

ftp (remove the ftp package: rpm -e ftp)

9. Set User Identity(SUID) and Set Group Identity (SGID) Permission Adjustment

SUID programs (particularly those that are SUID root) are frequent targets of attack. Disabling unnecessary SUID programs makes it more difficult for system users to obtain unauthorized privileges.

SGID programs (particularly those that are SGID root) are frequent targets of attack. Disabling unnecessary SGID programs makes it more difficult for system users to obtain unauthorized privileges.

The following programs' SUID permissions may remain enabled (plus others as required):

/usr/sbin/rhnsd

/usr/sbin/rhn-profile-sync

/usr/sbin/rhn_register

/usr/sbin/rhn_check

/usr/sbin/rhnreg_ks

/usr/bin/passwd

/usr/bin/curl

/bin/ping

/bin/su

/usr/bin/sudo

/usr/bin/sudoedit

All other SUID permissions must be disabled.

All SGID permissions must be disabled.

chmod u-s,g-s <filename> clears both bits on a file (the mode list is comma-separated, with no space).
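As an added example (not part of the original post), the script below takes the "mode path" lines that GNU find's -printf produces for SUID/SGID files, keeps the SUID bit only on the programs listed above, and prints the chmod command for every other file. The allowlist is the one from this section; the find invocation, the sample find output and the --live switch are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): compare the SUID/SGID files found
# on the system with the allowlist from this section and print the chmod
# commands that would clear everything else. Assumes GNU find's -printf (as
# shipped on RHEL/CentOS 5) producing "mode path" lines; the sample is constructed.

SUID_ALLOWED="/usr/sbin/rhnsd /usr/sbin/rhn-profile-sync /usr/sbin/rhn_register /usr/sbin/rhn_check /usr/sbin/rhnreg_ks /usr/bin/passwd /usr/bin/curl /bin/ping /bin/su /usr/bin/sudo /usr/bin/sudoedit"

# Constructed stand-in for the output of:
#   find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -printf '%m %p\n'
SAMPLE_FIND='4755 /usr/bin/passwd
4755 /bin/su
4111 /usr/bin/sudo
4755 /bin/ping
4755 /usr/bin/chsh
2755 /usr/bin/wall
6755 /usr/bin/at'

# Read "mode path" lines on stdin. For each file, clear the SUID bit unless the
# path is allowlisted, and clear the SGID bit unconditionally. Prints one chmod
# command per file that needs changing; returns 1 if any were printed.
suid_sgid_fixes() {
    changed=0
    while read -r mode path; do
        [ -n "$path" ] || continue
        # the leading digit of a 4-digit octal mode holds setuid (4), setgid (2), sticky (1)
        case "$mode" in ????) special=${mode%???} ;; *) special=0 ;; esac
        flags=""
        if [ $((special & 4)) -ne 0 ]; then
            case " $SUID_ALLOWED " in *" $path "*) ;; *) flags="u-s" ;; esac
        fi
        if [ $((special & 2)) -ne 0 ]; then
            flags="${flags:+$flags,}g-s"
        fi
        [ -n "$flags" ] || continue
        echo "chmod $flags $path"
        changed=1
    done
    return $changed
}

# Live use: prints the commands for review, does not run them.
if [ "${1:-}" = "--live" ]; then
    find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -printf '%m %p\n' | suid_sgid_fixes
fi
```

Note that package updates restore the bits on files they own, so the audit has to be re-run after patching.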

10. Host-based Intrusion Detection System (HIDS) Solution

All production servers must have some form of host intrusion detection agent installed. This ensures that monitors are in place for file integrity, system configuration, application activity and rootkit detection, and that alerts are reported. Examples: tripwire, aide or another open source product.

Tools that can be used: amtu and aide

Abstract Machine Test Utility (amtu)

Memory, network, disk and CPU security tests

Can be run as a cron job to repeatedly assure basic security assumptions

Results are sent to the audit system

aide (file integrity testing utility)

Configured by /etc/aide.conf

aide --init snapshots the filesystem to /var/lib/aide/aide.db.new.gz

Copy the snapshot to an immutable or otherwise safe location

Rename the snapshot to /var/lib/aide/aide.db.gz before doing a comparison

aide --check compares the current filesystem with the snapshot and reports the differences; the summary is sent to the audit system

11. Setup Routing

Routing must be configured according to the approved detail design document and accepted practices. IP forwarding must be disabled.

12. Concord Configuration

Simple Network Management Protocol (SNMP) daemon community strings must be configured according to the detailed design document

13. Remove the Ctrl+Alt+Delete Trap

Remove the CTRL-ALT-DELETE trap out of /etc/inittab by commenting out the following line:

#ca::ctrlaltdel:/sbin/shutdown -t3 -r now

14. Disable Interactive Boot

Remove Interactive boot by changing the line in /etc/sysconfig/init

PROMPT=no

15. Sysctl Parameter Tuning

Harden the IPv4 stack and protect against denial of service attacks by setting the following in /etc/sysctl.conf (applied at boot; sysctl -p loads the file immediately). The following changes must be made:

net.ipv4.ip_forward=0

net.ipv4.conf.all.accept_source_route = 0

net.ipv4.conf.lo.accept_source_route = 0

net.ipv4.conf.eth0.accept_source_route = 0

net.ipv4.conf.default.accept_source_route = 0

net.ipv4.conf.all.rp_filter = 1

net.ipv4.conf.lo.rp_filter = 1

net.ipv4.conf.eth0.rp_filter = 1

net.ipv4.conf.default.rp_filter = 1

net.ipv4.conf.all.accept_redirects = 0

net.ipv4.conf.lo.accept_redirects = 0

net.ipv4.conf.eth0.accept_redirects = 0

net.ipv4.conf.default.accept_redirects = 0

net.ipv4.conf.all.log_martians = 0

net.ipv4.conf.lo.log_martians = 0

net.ipv4.conf.eth0.log_martians = 0

kernel.sysrq = 0

net.ipv4.tcp_fin_timeout = 15

net.ipv4.tcp_keepalive_time = 1800

net.ipv4.tcp_window_scaling = 0

net.ipv4.tcp_sack = 0

net.ipv4.tcp_timestamps = 0

net.ipv4.tcp_syncookies = 1

net.ipv4.icmp_echo_ignore_broadcasts = 1

net.ipv4.icmp_ignore_bogus_error_responses = 1

net.ipv4.conf.all.log_martians = 1

net.ipv4.tcp_max_syn_backlog = 1024

net.ipv4.ip_local_port_range = 16384 65536
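As an added example (not part of the original post), here is a checker for the values above. sysctl applies the file top to bottom and the last assignment of a key silently wins, which matters for this very list: net.ipv4.conf.all.log_martians is set to 0 near the top and to 1 near the bottom. The script resolves the effective value of each key, compares a required subset of the settings from this section, and lists keys assigned more than once. The required list, the sample sysctl.conf and the --live switch are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): check a sysctl.conf against the
# required values from this section and flag keys that are set more than once,
# since sysctl applies the file top to bottom and the last assignment wins.
# Assumes the standard "key = value" file format; the sample below is constructed.

REQUIRED_SYSCTL="net.ipv4.ip_forward=0 net.ipv4.conf.all.accept_source_route=0 net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.all.log_martians=1 net.ipv4.tcp_syncookies=1 kernel.sysrq=0"

SAMPLE_SYSCTL='# constructed sample /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.log_martians = 0
net.ipv4.tcp_syncookies = 1

net.ipv4.conf.all.log_martians = 1
net.ipv4.ip_local_port_range = 16384 65536'

# Print the effective value of key $1 from a sysctl.conf on stdin (last one wins);
# returns 1 if the key is not set at all.
sysctl_effective() {
    awk -F= -v key="$1" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { k = $1; v = $2
          gsub(/[[:space:]]/, "", k)
          sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v) }
        k == key { val = v; seen = 1 }
        END { if (seen) print val; else exit 1 }'
}

# Print every key assigned more than once in the file on stdin, sorted.
sysctl_duplicates() {
    awk -F= '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { k = $1; gsub(/[[:space:]]/, "", k); n[k]++ }
        END { for (k in n) if (n[k] > 1) print k }' | sort
}

# Compare the file on stdin with REQUIRED_SYSCTL; print one line per mismatch
# or missing key and return 1 if there were any.
sysctl_audit() {
    conf=$(cat)
    bad=0
    for req in $REQUIRED_SYSCTL; do
        key=${req%%=*}; want=${req#*=}
        have=$(printf '%s\n' "$conf" | sysctl_effective "$key") || have="(unset)"
        [ "$have" = "$want" ] && continue
        echo "$key expected=$want actual=$have"
        bad=1
    done
    return $bad
}

if [ "${1:-}" = "--live" ]; then
    sysctl_audit < /etc/sysctl.conf
    sysctl_duplicates < /etc/sysctl.conf
fi
```

The file only describes the boot-time state; compare the running values with sysctl -a when a setting may have been changed by hand.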

16. Network Service Access Control

/etc/hosts.allow and /etc/hosts.deny must be configured according to the current NSA approved list of hosts that are allowed to use local network services (as decided by the tcpd service) and/or the ssh daemon (the sshd service).

17. Apache Server Hardening Doc

17.1 Apache banner discloses the Linux distribution

Edit /etc/httpd/conf/httpd.conf and change ServerTokens OS to ServerTokens Prod

17.2 HTTP server type and version revealed

Edit /etc/httpd/conf/httpd.conf and change ServerSignature On to ServerSignature Off

17.3 Disable TRACE. Sending a TRACE request by hand to port 80 (for example over telnet) shows whether the method is enabled.

If it is enabled, the following mod_rewrite block in httpd.conf rejects TRACE requests (httpd 2.2, as shipped with RHEL 5, also accepts the simpler TraceEnable off directive):

<Directory />
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
</Directory>

17.4 SSL Medium Strength Cipher Suites Supported

Edit /etc/httpd/conf.d/ssl.conf and set the line SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

Confirm from the console with openssl s_client -connect SERVERNAME:443 -cipher LOW:EXP (make sure OpenSSL is installed); the handshake must fail.

18. Configure Iptables.

18.1 Block all traffic by default and whitelist the traffic that is needed.

IPTABLES

To flush all the rules in all the tables and chains of iptables:

#iptables -F

#iptables -t nat -F

#iptables -t mangle -F

#iptables -t raw -F

By default every chain's policy is ACCEPT. Chains that are not used for filtering can be left at, or explicitly set back to, ACCEPT as shown below:

#iptables -P OUTPUT ACCEPT

#iptables -t nat -P PREROUTING ACCEPT

#iptables -t nat -P POSTROUTING ACCEPT

#iptables -t mangle -P POSTROUTING ACCEPT

#iptables -t mangle -P PREROUTING ACCEPT

#iptables -t mangle -P FORWARD ACCEPT

Set the default policy to DROP so that every connection to the system is dropped unless a rule allows it.

Drops all packets entering the local system from the network:

iptables -P INPUT DROP

Drops all packets passing (routed) through the system; this matters only if the system is configured as a firewall:

iptables -P FORWARD DROP

Create a chain called whitelist; all the allow rules will be added to this chain.

#iptables -N whitelist

This links the whitelist chain from the INPUT chain, so every rule in whitelist applies to packets entering INPUT. These rules are for the end server, not a router (on a router the same rules must also be put into the FORWARD chain). Log and Limit are user-defined chains created further down in this section; iptables refuses a jump to a chain that does not exist yet, so create them first and then add these three rules.

#iptables -A INPUT -j whitelist

#iptables -A INPUT -j Log

#iptables -A INPUT -j Limit

Since all packets to the system are dropped by default, we implement a stateful inspection firewall.

The rule below accepts every packet that belongs to an established or related connection. All other connection states (NEW, INVALID, etc.) fall through and are dropped unless a later rule accepts them.

#iptables -A whitelist -m state --state ESTABLISHED,RELATED -j ACCEPT

Here we allow new connections only to the services that must be reachable over the network/internet.

To allow connections to HTTP (change the port numbers if they are customized):

#iptables -A whitelist -p tcp -m state --state NEW -d <destination ip, usually the server ip> --dport 80 -j ACCEPT

#iptables -A whitelist -p tcp -m state --state NEW -d <destination ip, usually the server ip> --dport 8080 -j ACCEPT

To allow connections to HTTPS (change the port number if it is customized):

#iptables -A whitelist -p tcp -m state --state NEW -d <destination ip, usually the server ip> --dport 443 -j ACCEPT

OR

A single rule can allow multiple ports:

#iptables -A whitelist -p tcp -m comment --comment "To allow HTTP, HTTPS access" -m multiport --destination-port 80,8080,443 -j ACCEPT

To allow access to the SSH server:

#iptables -A whitelist -p tcp -m state --state NEW -d <destination ip/server ip> --dport 22 -j ACCEPT

Note: rules of the same form can be added to provide access to other services that are running.

To provide access to services that use the loopback interface:

#iptables -A INPUT -i lo -j ACCEPT
#iptables -A OUTPUT -o lo -j ACCEPT

To allow multicast traffic from the LAN, if needed (the iprange match takes --src-range or --dst-range; there is no --iprange option):

#iptables -A whitelist -m iprange --dst-range 224.0.0.0-239.255.255.255 -j ACCEPT

To log all the bad packets, create a separate chain called Log and link it from the built-in chains as shown above; the logged packets appear in /var/log/messages.

#iptables -N Log

#iptables -A Log -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Bad packets "

Log nmap scans

#iptables -N Antihacker_log

Null scan

#iptables -A Antihacker_log -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "Null Scan Detected "

Xmas scan

#iptables -A Antihacker_log -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "XMAS Scan Detected "

SYN/FIN scan

#iptables -A Antihacker_log -p tcp --tcp-flags ALL SYN,FIN -j LOG --log-prefix "SYNFIN-Scan Detected "

nmap Xmas scan

#iptables -A Antihacker_log -p tcp --tcp-flags ALL URG,PSH,FIN -j LOG --log-prefix "NMAP-XMAS-SCAN Detected "

FIN scan

#iptables -A Antihacker_log -p tcp --tcp-flags ALL FIN -j LOG --log-prefix "FIN-SCAN detected "

Link the user-defined chain to the built-in chain (the chain was created as Antihacker_log above, so the jump must use that name):

#iptables -A INPUT -j Antihacker_log

#iptables -N Limit

Limits ICMP echo packets to a burst of 4, then 1 per second, for packets between 84 and 102 bytes.

#iptables -A Limit -p icmp --icmp-type echo-reply -m comment --comment "limit 4 echoreply to the server" -m limit --limit 1/s --limit-burst 4 -m length --length 84:102 -j ACCEPT

#iptables -A Limit -p icmp --icmp-type echo-request -m comment --comment "limit 4 echorequest to the server" -m limit --limit 1/s --limit-burst 4 -m length --length 84:102 -j ACCEPT
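As an added example (not part of the original post), the whole ruleset from this section as one ordered, re-runnable script. It fixes the ordering problems a reader hits when typing the commands as listed: every user-defined chain is created before anything jumps to it, the jump uses the name the chain was actually created with (Antihacker_log), the ping limiter is evaluated before the catch-all logger so accepted pings are not logged as bad packets, and the DROP policies are set last so an error half-way through does not cut off the session. SERVER_IP (a documentation address), the port list and the --live switch are my assumptions; without --live it only prints the rules it would load.

```shell
#!/bin/sh
# Added example (not from the original post): the whitelist firewall from this
# section as one ordered, re-runnable script. Chains are created before they
# are referenced, the ping limiter precedes the catch-all logger, and the
# default-deny policies are applied last.
# Assumed values: SERVER_IP (constructed placeholder) and TCP_PORTS.

SERVER_IP=${SERVER_IP:-192.0.2.10}
TCP_PORTS=${TCP_PORTS:-22,80,443,8080}

# $1 is the iptables command to use; pass "echo iptables" for a dry run that
# prints the rules instead of loading them.
apply_firewall() {
    ipt=${1:-iptables}

    # 0. open up before flushing so a re-run under a DROP policy does not kill this session
    $ipt -P INPUT ACCEPT
    $ipt -P FORWARD ACCEPT
    $ipt -P OUTPUT ACCEPT

    # 1. flush every table and delete old user-defined chains
    $ipt -F
    $ipt -t nat -F
    $ipt -t mangle -F
    $ipt -t raw -F
    $ipt -X

    # 2. create the user-defined chains before anything references them
    $ipt -N whitelist
    $ipt -N Limit
    $ipt -N Antihacker_log
    $ipt -N Log

    # 3. whitelist: loopback, stateful return traffic, then new connections to the listed ports
    $ipt -A whitelist -i lo -j ACCEPT
    $ipt -A whitelist -m state --state ESTABLISHED,RELATED -j ACCEPT
    $ipt -A whitelist -p tcp -m state --state NEW -d "$SERVER_IP" -m multiport --dports "$TCP_PORTS" -j ACCEPT

    # 4. ICMP echo limited to a burst of 4 then 1/s, normal packet sizes only
    $ipt -A Limit -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 4 -m length --length 84:102 -j ACCEPT
    $ipt -A Limit -p icmp --icmp-type echo-reply -m limit --limit 1/s --limit-burst 4 -m length --length 84:102 -j ACCEPT

    # 5. log TCP flag combinations that a normal stack never sends (the INPUT policy drops them afterwards)
    $ipt -A Antihacker_log -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "Null Scan Detected "
    $ipt -A Antihacker_log -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "XMAS Scan Detected "
    $ipt -A Antihacker_log -p tcp --tcp-flags ALL SYN,FIN -j LOG --log-prefix "SYNFIN Scan Detected "
    $ipt -A Antihacker_log -p tcp --tcp-flags ALL URG,PSH,FIN -j LOG --log-prefix "NMAP-XMAS Scan Detected "
    $ipt -A Antihacker_log -p tcp --tcp-flags ALL FIN -j LOG --log-prefix "FIN Scan Detected "

    # 6. rate-limited log of everything the INPUT policy is about to drop
    $ipt -A Log -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Bad packets "

    # 7. wire the chains into INPUT in evaluation order
    $ipt -A INPUT -j whitelist
    $ipt -A INPUT -j Limit
    $ipt -A INPUT -j Antihacker_log
    $ipt -A INPUT -j Log

    # 8. default-deny last; OUTPUT stays ACCEPT as in this section
    $ipt -P INPUT DROP
    $ipt -P FORWARD DROP
}

# Dry run by default; --live loads the rules (requires root).
if [ "${1:-}" = "--live" ]; then
    apply_firewall iptables
else
    apply_firewall "echo iptables"
fi
```

After a live run, save the result with service iptables save so the rules survive a reboot, and test the SSH rule from a second session before closing the first one.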

19. Selinux Configuration for securing files and services

# Edit /etc/sysconfig/selinux

Make the changes shown below:

SELINUX=enforcing (enables SELinux)

SELINUXTYPE=targeted (protects the daemons and processes covered by the policy. Under the targeted policy, interactive processes are given the type unconfined_t, so interactive users are not constrained by SELinux even if they attempt strange or malicious actions.)

This can stop attacks before they become complete system breaches.

The alternative is yum install selinux-policy-strict (the package has to be installed first) and then:

SELINUXTYPE=strict (full protection for all daemons: security contexts are defined for all subjects and objects, and every action is processed by the policy enforcement server)

Or

# setenforce 1 (changes the mode SELinux is running in at run time; here SELinux is put into enforcing mode)

20. Password policies

20.1 Enabling Password History

Enabling password history stops users from reusing their old passwords. Procedure for maintaining a password history:

#touch /etc/security/opasswd

#chown root:root /etc/security/opasswd

#chmod 600 /etc/security/opasswd

The opasswd file holds the password history.

password sufficient pam_unix.so md5 remember=12 use_authtok

This entry should be added to the /etc/pam.d/system-auth file.

20.2 Password Complexity

The line below should be added to the /etc/pam.d/system-auth file.

password required pam_cracklib.so retry=3 minlen=10 difok=2 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-2

This requires a minimum password length of 10 characters (some passwords can be 8 characters too) with at least 1 lowercase letter, 1 uppercase letter, 1 digit and 2 special characters. The option is minlen (pam_cracklib ignores an unknown minlength), and the credits must be negative to require each class; positive credits only shorten the effective minimum length.

Note: any misconfiguration in the system-auth file will lock out all users, including root (this can be fixed by running the authconfig command from single-user mode).

20.3 Lock the account after a certain number of failed login attempts

The configuration follows below:

auth        required      pam_env.so

auth        required      pam_tally.so onerr=fail deny=3 unlock_time=60

The pam_tally.so line has to be added to the /etc/pam.d/system-auth file, directly after the pam_env.so line.

# faillog -u <username> displays the number of failed login attempts.

#faillog -r -u <username> resets the counter for the specified user and unlocks the account.

The pam_tally.so line configures account lockout after 3 failed login attempts; the account stays locked for 1 minute (unlock_time=60).

All the Best🙂
