Check security groups for newly found exploits and your distribution vendor
for version updates. These notices and updates are often listed in the
vendor's "errata" section.
First we will create the wheel group. The wheel group is a group of select
individuals that can execute powerful commands, such as /bin/su. By limiting
the people that can access these commands, you enhance the system security.
To create the group, edit the file /etc/group with vi, create the group wheel,
and add the system admins to the group. Then identify critical system binaries,
such as /bin/su. Change the group ownership to wheel, and the permissions to
owner and group executable only (be sure to keep the setuid or setgid bit on
the binaries that need it). For /bin/su, the commands would be:
% /bin/chgrp wheel /bin/su
% /bin/chmod 4750 /bin/su
Second, we will lock down the files .rhosts, .netrc, and /etc/hosts.equiv.
The r commands (rsh, rlogin, rcp) use these files to grant access to systems.
To lock them down, touch the files, then change their permissions to zero.
This way no one can create or alter the files. For example:
% /bin/touch /root/.rhosts /root/.netrc /etc/hosts.equiv
% /bin/chmod 0 /root/.rhosts /root/.netrc /etc/hosts.equiv
Third, we configure /etc/shadow to use MD5 hashes instead of the crypt(3)
function. This makes the hashed password file far more difficult to crack.
This is done by modifying the PAM configuration. PAM (Pluggable
Authentication Modules) is a suite of shared libraries that enable you to
choose how applications authenticate users. To learn more about PAM, check
out ftp://ftp.us.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam.html.
In the old days, you had to manually modify the PAM modules to use MD5 hashes.
However, with Red Hat 6.0 or greater, you can select MD5 hashes with the setup
utility. Just type "setup" at the command prompt, then select "authentication
configuration". From there, you can choose to use MD5 hashes. However, the
MD5 hashes will not take effect until the user re-enters their password. For
those of you who do not have the setup utility (or have Red Hat 5.2 or earlier),
you can still modify the PAM modules manually (example G).
The "/home/httpd/html" directory is owned by root by default. This forces
one to make changes to this directory as the root user. The ownership of
these files can be changed to an ordinary user (either an existing one or a
newly created one) so that you can make changes to the folder without having
to log in as the root user.
For us bash users, I'm not a big fan of the .bash_history file. I do not want
people (including root) to know my command history. So, in my .bash_profile,
I export the following entry:
HISTFILESIZE=0
You may also choose to spoof the bash history file by creating a symbolic
link of the .bash_history file to the /dev/null file. This will ensure that
any history logging that may occur will be sent to the land of void.
% rm -f .bash_history
% ln -s /dev/null .bash_history
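The settings above are easy to get subtly wrong (a dropped setuid bit, a
forgotten file), so here is an added audit script, not part of the original
guide, that verifies the wheel/su permissions, the zero-mode r-command files
and the .bash_history symlink. It assumes GNU coreutils stat(1) and readlink(1).

```shell
#!/bin/sh
# Added example (not from the original guide). Assumes GNU stat -c and readlink.

# Print "<octal mode> <group>" for a path, e.g. "4750 wheel".
file_mode_group() {
    stat -c '%a %G' "$1" 2>/dev/null
}

# Return 0 if PATH has exactly the expected octal mode and group, else 1.
# A "-" for the group skips the group check (the zero-mode files above are
# unreadable regardless of group, so only the mode matters there).
check_file() {
    path=$1; want_mode=$2; want_group=$3
    [ -e "$path" ] || { echo "MISSING  $path"; return 1; }
    set -- $(file_mode_group "$path")
    have_mode=$1; have_group=$2
    if [ "$have_mode" != "$want_mode" ]; then
        echo "BAD MODE $path: have $have_mode, want $want_mode"; return 1
    fi
    if [ "$want_group" != "-" ] && [ "$have_group" != "$want_group" ]; then
        echo "BAD GRP  $path: have $have_group, want $want_group"; return 1
    fi
    echo "OK       $path ($have_mode $have_group)"; return 0
}

# Audit the items from this section; returns the number of failed checks.
audit_hardening() {
    fails=0
    check_file /bin/su 4750 wheel || fails=$((fails+1))
    for f in /root/.rhosts /root/.netrc /etc/hosts.equiv; do
        check_file "$f" 0 - || fails=$((fails+1))
    done
    # -L tests the link itself, so a real history file is reported as INFO.
    if [ -L "$HOME/.bash_history" ] &&
       [ "$(readlink "$HOME/.bash_history")" = /dev/null ]; then
        echo "OK       $HOME/.bash_history -> /dev/null"
    else
        echo "INFO     $HOME/.bash_history is not a /dev/null symlink"
    fi
    return $fails
}
```

Run it as root after applying the changes; a non-zero exit status means at least one setting did not stick.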
System Services
Many of the services run by inetd pose serious security threats, such as
popd, imapd, and rsh.
With Red Hat software, you can use the "/usr/sbin/setup" utility to turn
off system services; run the program and select "System Services".
To check which services are listening for connections:
% netstat -na --ip