Date: Sat, 24 Nov 2002 9:16:59 EDT
From: John Weber
To: Sam Gooding
Subject: Re: Securing RH

There are a few things you can do to make RH a little more secure than it is with its default configuration. Here's just a quick list of things I check for:

(1) Portmap. Portmap is a service for mapping incoming remote procedure calls to ports. Aside from the usual security issues related to RPC, this daemon is basically an advertisement of all open ports on your machine. The only major service which uses RPC is NFS, so, if you aren't using NFS on your LAN, you can safely stop the portmap daemon.

(2) Inetd. The internet daemon is basically a dispatcher for all internet services (simplistic view of it I'm sure, but suitable for our purposes). Inetd can manage internet services like ftp and http, but it can also manage services like telnet, finger, scp, and other useless daemons. Make sure that you configure inetd to disable all unneeded services. The more open ports you have on your machine, the easier it is for an interested hacker to mess with it. I disable inetd altogether.

(3) Telnet. Kill it! Aside from being a very antiquated (some say retarded) protocol, the openbsd ssh server is a more secure alternative if you need to provide users with shell access.

(4) Mail Services. POP3, IMAP, SMTP, and most other mail protocols were invented a long, long time ago in a galaxy far, far away. They are all simple socket/text-based protocols. For example, a typical POP3 session goes as follows:

    HELO myhost.com
    USER myuser
    PASS mypass
    LIST
    RETR 1
    RETR 2
    ...
    DELE 1
    DELE 2

As you can see, this is a very simple protocol and all of the information is sent in clear text via port 110. It doesn't take a rocket scientist to grab a whole crap load of passwords. If you have to provide mail service to users, think about providing web access to mail (via HTTPS, which is encrypted) or shell access (via SSH, which is encrypted).

(5) TCP_WRAPPERS. Use tcp_wrapper to make your server secure against outside intrusion. The best policy is to deny all hosts by putting "ALL: ALL@ALL, PARANOID" (this denies access to all services from all locations) in the "/etc/hosts.deny" file and then explicitly list trusted hosts who are allowed to access your machine in the "/etc/hosts.allow" file (add, for example, the line "ftp: 202.54.15.99 foo.com", where 202.54.15.99 is the IP address and foo.com the host name of the client allowed to use the service ftp). You can run the tcpdchk program to check for potential issues.

(6) Block root. You can and should restrict "su" to certain users. To do this, edit the "su" file in the "/etc/pam.d/" directory. For example, to restrict access to "su" to only the members of the wheel group, you can add the following two lines:

    auth sufficient /lib/security/pam_rootok.so debug
    auth required   /lib/security/pam_wheel.so group=wheel

I disable access to "su" in this way, and then configure sudo to grant other admins lower-level privileges.

(7) Devices. I like to chmod the entire /dev directory so that only root has read/write access. If users need access to certain devices, I grant them access via fstab and mount.

(8) SUID. Disable unused SUID/SGID programs. To find all files with the `s' bits from root-owned programs, use the command:

    [root@boolean]# find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;

(9) Special accounts. Almost everyone knows the special accounts that are created by UNIX systems. For example, accounts like "lp" or "lpr" for print services, etc. Remove all special accounts or rename them if you want to run certain services with those accounts.

(10) IPTABLES. This is by far the best way of securing your Linux system. If you are just using RH as your desktop, then the best policy is:

    ## Create chain which blocks new connections, except if coming from inside.
    # iptables -N block
    # iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
    ## (newer iptables releases want the negation in front: ! -i eth0)
    # iptables -A block -m state --state NEW -i ! eth0 -j ACCEPT
    # iptables -A block -j DROP
    ## Jump to that chain from INPUT and FORWARD chains.
    # iptables -A INPUT -j block
    # iptables -A FORWARD -j block

This basically rejects all new connections from the outside, but allows all connections established by you or related to a previously established connection. For more complicated setups, you should read the documentation on www.netfilter.org.

There are lots of other things you can do, but it all depends on how you intend to use your system. I've tried to include a lot of different options so that you could choose which combination is right for you. And, of course, I can't go in much depth when it comes to things like "iptables" or "tcp_wrappers", etc., so treat this email as a reading list NOT a real HOWTO.

Good luck with Linux,
John
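Added example, not part of John's e-mail: the SUID/SGID check from item (8) turned into a small audit script that also keeps a baseline, so a setuid binary that appears later is reported on its own instead of being buried in the full listing. The function names (list_suid, save_baseline, new_suid) and the baseline file location are my own choices; it assumes POSIX find, sort and comm, and on a real system must run as root to see every file.

```shell
#!/bin/sh
# Audit setuid/setgid files under a directory and compare against a baseline.
# Usage: sh suid_audit.sh list DIR | baseline DIR FILE | new DIR FILE

# Print every regular file under $1 that has the setuid (04000) or setgid
# (02000) bit set, one path per line, sorted so the output is comparable.
# Same -perm test as in the e-mail; -print instead of ls keeps paths parseable.
list_suid() {
    find "$1" -type f \( -perm -04000 -o -perm -02000 \) -print | sort
}

# Record the current SUID/SGID set of $1 in the baseline file $2
# (do this right after installing, before the box goes on the network).
save_baseline() {
    list_suid "$1" > "$2"
}

# Print SUID/SGID files present under $1 now but absent from baseline $2.
# comm -23 keeps lines unique to the first input (the live listing);
# both inputs are sorted by list_suid, as comm requires.
new_suid() {
    list_suid "$1" | comm -23 - "$2"
}

# Human-readable listing (owner, mode) of the current SUID/SGID files,
# the equivalent of the e-mail's "-exec ls -lg".
suid_report() {
    list_suid "$1" | while IFS= read -r path; do
        ls -l "$path"
    done
}

# Command-line entry point; does nothing when sourced without arguments.
case "${1:-}" in
    list)     suid_report "$2" ;;
    baseline) save_baseline "$2" "$3" && echo "baseline written to $3" ;;
    new)      new_suid "$2" "$3" ;;
esac
```

Run "baseline" once on a freshly hardened system and "new" from cron; any line it prints is a setuid/setgid file that was not there when you signed off on the box.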