Local and User Security
Restrict the su command so that only members of the wheel group can run it,
then add the appropriate users to the wheel group.
# groupadd wheel
# chgrp wheel /bin/su
# chmod 4750 /bin/su
# usermod -G wheel user_name
Note that usermod -G replaces the user's whole supplementary group list, so
name every group the user should keep. A package upgrade can reset the mode of
/bin/su, so re-check it afterwards; the pam_wheel module in /etc/pam.d/su
enforces the same restriction independently of the file mode.
Lock down the files .rhosts, .netrc, and /etc/hosts.equiv. The r commands
(rsh, rlogin, rcp) and ftp read these files for host and account trust. To
lock them down, pre-create them as empty root-owned files and set their mode
to 0, so that nobody other than root can read them or add an entry to them.
# /bin/touch /root/.rhosts /root/.netrc /etc/hosts.equiv
# /bin/chmod 0 /root/.rhosts /root/.netrc /etc/hosts.equiv
BASH
Keep root's shell history off the disk, so that commands typed at the prompt
(including any passwords passed as arguments) are not kept in
/root/.bash_history.
#~/.bashrc
HISTFILESIZE=0
# rm -f /root/.bash_history
# ln -s /dev/null /root/.bash_history
Network Security
Turn off every unnecessary service in the file /etc/inetd.conf by placing a
comment symbol (#) in front of its line, then send inetd a HUP signal so it
rereads the file. For each service that stays enabled, carefully consider
which networks need access to it and write that down in /etc/hosts.allow.
The check is done by tcpd, which inetd runs in front of the service: tcpd
consults /etc/hosts.allow first, then /etc/hosts.deny, and the first matching
rule wins; a client matched in neither file is allowed in, which is why
/etc/hosts.deny must contain the catch-all ALL: ALL. Remember that some
daemons do not run under inetd (httpd, sendmail, sshd, etc.) and are not
covered by these files unless they are built with libwrap. The example below
admits telnet, ftp, identd and POP3 from any address; tighten those entries
to the networks that actually need them.
#/etc/hosts.deny
ALL: ALL
#/etc/hosts.allow
ALL: 127. 192.168.1.
in.telnetd: ALL
in.ftpd: ALL
in.identd: ALL
ipop3d: ALL
in.fingerd: 127. 192.168.1.
swat: 127. 192.168.1.
#in.talkd: ALL
#in.ntalkd: ALL
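The lookup order above is easy to get wrong, so the following added example (not part of the original checklist) emulates tcpd's decision for the daemons a host actually has enabled: it lists the uncommented inetd.conf entries, then evaluates each against hosts.allow and hosts.deny for a given client address. The three files are constructed samples embedded in the script, not read from the system, and only ALL, exact daemon names and trailing-dot address prefixes are modelled (no EXCEPT lists, hostnames, net/mask pairs or spawn/twist options).

```shell
#!/bin/sh
# Added example: emulate the tcpd access decision for enabled inetd services.
# tcpd consults hosts.allow first, then hosts.deny; the first matching rule
# wins, and a client matched in neither file is granted access.
# The three files below are constructed samples, not the host's real files.

INETD_CONF='
# constructed sample /etc/inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
#login  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
#talk   dgram   udp     wait    nobody.tty /usr/sbin/tcpd in.talkd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
'

HOSTS_ALLOW='
# constructed sample /etc/hosts.allow
ALL: 127. 192.168.1.
in.telnetd: ALL
in.ftpd: ALL
in.fingerd: 127. 192.168.1.
#in.talkd: ALL
'

HOSTS_DENY='
# constructed sample /etc/hosts.deny
ALL: ALL
'

# enabled_services: daemon name (basename of field 7, the argv[0] handed to
# tcpd) of every uncommented inetd.conf line; tcpd matches on this name.
enabled_services() {
    printf '%s\n' "$INETD_CONF" |
        awk 'NF > 0 && $1 !~ /^#/ { n = split($7, a, "/"); print a[n] }'
}

# match_token PATTERN VALUE: ALL matches anything, a token ending in "." is an
# address prefix (tcpd semantics), anything else must match exactly.
match_token() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac ;;
        *)   [ "$1" = "$2" ] && return 0 ;;
    esac
    return 1
}

# file_matches CONTENT DAEMON CLIENT: 0 if some "daemons: clients" rule in
# CONTENT matches both the daemon and the client, 1 otherwise.
file_matches() {
    while IFS= read -r line; do
        line=${line%%#*}                                  # drop comments
        case "$line" in *:*) ;; *) continue ;; esac       # skip non-rules
        daemons=$(printf '%s' "${line%%:*}" | tr ',' ' ')
        clients=$(printf '%s' "${line#*:}" | tr ',' ' ')
        dmatch=1
        for d in $daemons; do
            match_token "$d" "$2" && dmatch=0
        done
        [ "$dmatch" -eq 0 ] || continue
        for c in $clients; do
            match_token "$c" "$3" && return 0
        done
    done <<EOF
$1
EOF
    return 1
}

# wrapper_decision DAEMON CLIENT: prints ALLOW or DENY as tcpd would decide.
wrapper_decision() {
    if file_matches "$HOSTS_ALLOW" "$1" "$2"; then
        echo ALLOW
    elif file_matches "$HOSTS_DENY" "$1" "$2"; then
        echo DENY
    else
        echo ALLOW      # matched in neither file: tcpd lets it through
    fi
}

# audit_client CLIENT: one "daemon decision" line per enabled inetd service.
audit_client() {
    for svc in $(enabled_services); do
        printf '%-12s %s\n' "$svc" "$(wrapper_decision "$svc" "$1")"
    done
}

audit_client "${1:-10.0.0.5}"
```

Run it with a client address as the argument. With the sample files, in.telnetd and in.ftpd are admitted from anywhere while in.fingerd is refused to 10.0.0.5, and in.talkd from 127.0.0.1 is still allowed even though its own hosts.allow line is commented out, because the `ALL: 127. 192.168.1.` rule matches every daemon for those networks.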
PortSentry
Review the file /etc/portsentry/portsentry.conf; the defaults are usually
adequate. Do add every host that portsentry should never react to (the
machine's own addresses, the gateway, and any monitoring or management
stations) to /etc/portsentry/portsentry.ignore, otherwise a scan coming from
one of them gets that host blocked.
Sendmail
Strip the version from what sendmail announces to remote clients and disable
the commands that let them enumerate accounts.
#/etc/sendmail.cf
O SmtpGreetingMessage=
O PrivacyOptions=authwarnings,noexpn,novrfy,needmailhelo,noetrn
O HelpFile=
An empty SmtpGreetingMessage drops the version from the 220 banner (use $j if
the hostname should still appear). noexpn and novrfy refuse EXPN and VRFY,
needmailhelo requires HELO before MAIL, and noetrn refuses ETRN. An empty
HelpFile removes the HELP text, but in the 8.9 series the "502 HELP not
implemented" reply still names the sendmail version, so edit the help file
rather than removing it if hiding the version matters.
#/etc/mail/access
sapphire RELAY
Only hosts marked RELAY in the access file may relay mail through this
machine. Run make from the /etc/mail directory to rebuild access.db from the
access file (make must be installed separately on RH6.1); makemap hash
/etc/mail/access < /etc/mail/access does the same without make.