Linux Baseline Document Santosh


Linux Baseline Hardening Document

For
BHARTI TELESOFT
About This Document

This document presents the steps for hardening of Linux Server before the
applications are installed.

NOTE: Please follow only those steps that are required for low-level hardening.
This document also includes high-level hardening steps that are mainly not
useful for us.
Table of Contents

Securing Linux Server ................................................... 1
1. Security Patches ..................................................... 1
2. File system security ................................................. 1
1.1. BIOS Security is not enabled ....................................... 1
1.2. Partition security ................................................. 2
1.3. Weak system umask .................................................. 3
1.4. Temporary folder permission ........................................ 3
1.5. CRON and AT files security ......................................... 4
1.6. Passwd, shadow and group file permission ........................... 4
1.7. User home directory permission ..................................... 5
1.8. SUID bit is set for files .......................................... 5
1.9. Hidden files are present in Root's path ............................ 6
3. User Accounts and Policies ........................................... 7
1.10. Password Policy ................................................... 7
1.11. Disable non-essential accounts .................................... 8
1.12. Disable Accounts with empty passwords ............................. 8
1.13. Duplicate root UIDs ............................................... 9
1.14. Disable remote root login ......................................... 9
1.15. Password protect single user mode ................................. 10
4. Login Banner ......................................................... 11
1.16. FTP and Telnet banners ............................................ 11
5. Auditing and Logging ................................................. 13
1.17. Enable user authentication auditing ............................... 13
1.18. Permission on log files ........................................... 13
6. Non-essential services ............................................... 15
7. Secure FTP and TFTP settings ......................................... 18
1.19. FTP settings are not secure ....................................... 18
1.20. TFTP permission is not secured .................................... 19
8. Secure Network Settings .............................................. 20
1.21. Network settings .................................................. 20
1.22. Disable unauthenticated remote login by users ..................... 20
1.23. Route daemon service is not secured ............................... 21
9. System Security options .............................................. 22
1.24. Ctrl+Alt+Del Setting .............................................. 22
10. Installing SSH (Telnet is used for remote administration) ........... 23
Securing Linux Server
1. Security Patches
Install the latest RPM packages for Linux. Check for the latest RPMs on the
RedHat Linux website:

http://updates.redhat.com/enterprise/3WS/en/os/SRPMS/
http://updates.redhat.com/enterprise/3AS/en/os/SRPMS/
Otherwise go to http://updates.redhat.com/enterprise/, select the Enterprise
version that is running and install all patches from that link.

Download the current RPMs from RedHat's website and install them using the
following command.

rpm -ivh file_name.rpm

2. File system security

1.1. BIOS Security is not enabled
Description:

Changes need to be made to the BIOS settings in order to increase the security
of Linux system.

Impact:

A malicious user with physical access to the machine can boot from a rescue
floppy or a CD-ROM and gain root access. Once that is done, it is easy for him to
mount and modify various filesystems, add new administrators and misuse the
system.

Solution:

In order to prevent malicious users from gaining root access, the following
changes need to be made in the BIOS:

1. Set Supervisor Password.

2. After the installation, disable booting from the Floppy or the CD-ROM
drive.
1.2. Partition security
Description:

When mounting a partition you can provide various options in the /etc/fstab file
that increase the security of your system manifold. The various options that can
be used are:

• nosuid: Do not set SUID/SGID access on this partition.

• noexec: Do not allow execution of any binaries on this partition.

• ro: Allow read-only access to the partition.

• rw: Allow read-write access to the partition.

Impact:

Without the nosuid option any user can run setuid programs on those file
systems with the privilege of the file owner, typically root. Without the ro
option any user can write to those file systems.

Solution:

Edit the /etc/fstab file using text editor.

vi /etc/fstab

A typical /etc/fstab file with partitions /, /usr, /home and /tmp should read as
shown below (the last two fields are the dump flag and the fsck pass number):

/dev/hda1 / ext3 defaults,ro 0 2

/dev/hda4 /usr ext3 defaults,ro 0 2

/dev/hda2 /home ext3 defaults,nosuid 0 2

/dev/hda3 /tmp ext3 defaults,nosuid 0 2

The nosuid option will result in no user being able to execute a setuid file in
/home and /tmp.

Adding the noexec option as well will ensure that no executable can be run from
those partitions.

Also, once the system is installed, users will normally not be writing to the /
and /usr file systems, so those partitions can be mounted read-only.
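The following script, added here and not part of the original document, audits an fstab file against the mount options recommended above (ro on / and /usr, nosuid and noexec on /home and /tmp). The function names and the sample fstab are constructed for this example; run audit_fstab /etc/fstab on a real host.

```sh
#!/bin/sh
# Added example, not part of the original document: audit an fstab file against
# the mount-option policy described above. Policy: / and /usr carry "ro";
# /home and /tmp carry "nosuid" (and "noexec", which the text also recommends).
# audit_fstab prints one line per missing option and returns the number of
# findings, so an exit status of 0 means the file satisfies the policy.

# has_opt OPTIONS OPT: true when OPT appears in the comma-separated OPTIONS
has_opt() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qx -- "$2"
}

# audit_fstab FILE
audit_fstab() {
    findings=0
    # fstab fields: device, mount point, fs type, options, dump, fsck pass
    while read -r dev mnt fstype opts dump pass; do
        case "$dev" in ''|\#*) continue ;; esac   # skip blanks and comments
        case "$mnt" in
            /|/usr)     required="ro" ;;
            /home|/tmp) required="nosuid noexec" ;;
            *)          continue ;;                # no policy for other mounts
        esac
        for opt in $required; do
            if ! has_opt "$opts" "$opt"; then
                echo "$mnt: missing $opt (current options: $opts)"
                findings=$((findings + 1))
            fi
        done
    done < "$1"
    return "$findings"
}

# write_sample_fstab FILE: constructed fstab with deliberate gaps, used below
# (/usr is not read-only, /home has no nosuid or noexec, /tmp has no noexec).
write_sample_fstab() {
    cat > "$1" <<'EOF'
# device    mount point  type  options          dump pass
/dev/hda1   /            ext3  defaults,ro      0 1
/dev/hda4   /usr         ext3  defaults         0 2
/dev/hda2   /home        ext3  defaults         0 2
/dev/hda3   /tmp         ext3  defaults,nosuid  0 2
EOF
}

sample=$(mktemp)
write_sample_fstab "$sample"
if audit_fstab "$sample"; then
    echo "fstab matches the policy"
else
    echo "findings: $?"          # 4 for the constructed sample
fi
rm -f "$sample"
```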
1.3. Weak system umask
Description:

A default umask of 022 must be set for files created by the system during the
initial boot stage.

Impact:

Malicious users can overwrite the contents of system files and cause denial of
service.

Solution:

This can be done by putting the umask entry in /etc/bashrc file.

vi /etc/bashrc

umask 022

1.4. Temporary folder permission


Description:

Ensure that the sticky bit is set on the /tmp, /utmp and /utmpx folders. If the
sticky bit is set, only the owner of a file in these folders can delete that
file; other users can read the file but cannot delete it, even if they have
write permission on the folder.

Impact:

Any user can delete other users' files in temporary folders, because by default
all users have write permission on those folders.

Solution:

Set the sticky bit on temporary folder (/tmp):

ls -ld /tmp /utmp /utmpx (a "t" at the end of the mode string shows that the sticky bit is set)

cd /

chmod 1777 tmp

chmod 1777 utmp

chmod 1777 utmpx


1.5. CRON and AT files security
Description:

CRON and AT can be used to create scheduled tasks. Users should be given
granular permissions for scheduling tasks.

Impact:

Unauthorized access to these services can be used to run malicious processes
including backdoors.

Solution:

CRON and AT related files must be secured. Only root must be given permission
to run CRON and AT jobs.

The files in /etc/cron.d control which users can use the cron and at facilities:

Create a /etc/cron.d/cron.allow file containing only root:

echo "root" > /etc/cron.d/cron.allow

chown root /etc/cron.d/cron.allow

chmod 600 /etc/cron.d/cron.allow

Create a /etc/cron.d/at.allow file with the same content and permissions:

cp -p /etc/cron.d/cron.allow /etc/cron.d/at.allow

Create a /etc/cron.d/cron.deny file listing every account except root:

cut -d: -f1 /etc/passwd | grep -v '^root$' > /etc/cron.d/cron.deny

chown root /etc/cron.d/cron.deny

chmod 600 /etc/cron.d/cron.deny

Create a /etc/cron.d/at.deny file with the same content and permissions:

cp -p /etc/cron.d/cron.deny /etc/cron.d/at.deny

1.6. Passwd, shadow and group file permission


Description:

In Linux the /etc/passwd, /etc/shadow and /etc/group files are the most
important files. The permissions on these files should be secured.

Impact:
If an attacker has access to the passwd file, he can create a user in that file.
An attacker can replace the MD5 hash of the root password in the shadow file
with a known hash to get into the system, or he can add a newly created user to
the root group in the group file.

Solution:

Change the owner of these files to root and also change the permission using the
following commands:

cd /etc

chown root:root passwd shadow group

chmod 644 passwd group

chmod 400 shadow

1.7. User home directory permission


Description:

Check the permissions of users' home directories and verify whether they are
secured.

Impact:

A user can access files of other users in their home directories.

Solution:

Change the ownership and permission on the home directories using following
command:

chown <username>:<user primary group> <user home directory>

chmod 740 <user home directory>

1.8. SUID bit is set for files


Description:

SUID (Set UID) file allows users to execute certain programs with elevated
privileges; typically as root user. SUID files can leave security loopholes in the
system.

Impact:
Often such SUID programs can provide malicious users with a root shell if forced
to exit abnormally. It is therefore important to remove the SUID bit from those
programs that do not require it.

Solution:

Once you have located an offending file with the SUID bit set, you can use chmod
to remove its SUID bit as shown below. Note the leading minus in the find test:
-perm -4000 matches every file that has the SUID bit set, whereas -perm 4000
only matches files whose whole mode is exactly 4000.

find / -type f -perm -4000 -print | more

chmod 0700 <suidfilename>

The following executables do not need SUID permissions:

ping, mount, umount, traceroute, at
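An added example, not from the original document: audit_suid lists the setuid files under a directory tree using the corrected find test and flags the ones named above. The function names and the sample tree are constructed for this example; the real check is audit_suid / run as root.

```sh
#!/bin/sh
# Added example, not part of the original document: list the setuid files under
# a directory tree and flag those the document says do not need the bit.
# "-perm -4000" matches any file with the setuid bit; "-perm 4000" would only
# match files whose entire mode is exactly 4000 and would miss almost everything.

NO_SUID_NEEDED="ping mount umount traceroute at"

# audit_suid DIR: prints "REMOVE <path>" for setuid files whose name is in
# NO_SUID_NEEDED and "review <path>" for the rest; returns the REMOVE count.
audit_suid() {
    list=$(mktemp)
    find "$1" -type f -perm -4000 -print 2>/dev/null > "$list"
    flagged=0
    while read -r path; do
        name=$(basename "$path")
        mark="review"
        for n in $NO_SUID_NEEDED; do
            if [ "$n" = "$name" ]; then
                mark="REMOVE"
                flagged=$((flagged + 1))
            fi
        done
        echo "$mark $path"
    done < "$list"
    rm -f "$list"
    return "$flagged"
}

# make_sample_tree DIR: constructed tree with two setuid files ("ping", which
# is on the list, and "helper", which is not) and one ordinary file ("notes").
make_sample_tree() {
    mkdir -p "$1/bin"
    for name in ping helper notes; do : > "$1/bin/$name"; done
    chmod 4755 "$1/bin/ping" "$1/bin/helper"
    chmod 0755 "$1/bin/notes"
}

tree=$(mktemp -d)
make_sample_tree "$tree"
if audit_suid "$tree"; then
    echo "no listed setuid files found"
else
    echo "files to fix: $?"      # 1 for the constructed tree (bin/ping)
fi
rm -rf "$tree"
```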

1.9. Hidden files are present in Root's path


Description:

Check and ensure that hidden files (file names starting with '.') are not
present in root's path.

Impact:

Including the current working directory ('.') or other writable directory in root's
executable path makes it likely that an attacker can gain superuser access by
forcing an administrator operating as root to execute a Trojan horse program.

Solution:

Delete the unnecessary and suspicious hidden files from /, /root and /etc path.

1. /.login
2. /etc/.login
3. /etc/default/login
4. /.cshrc
5. /etc/skel/local.login
6. /etc/skel/local.profile
7. /.profile
8. /etc/profile
3. User Accounts and Policies

1.10. Password Policy
Description:

Passwords are used to securely login to users’ account. The security of the users’
passwords can be implemented system wide by enabling MD5 and shadow
passwords.

Impact:

All accounts are vulnerable to attack, hence passwords should be stored in a
secure fashion. Passwords can be recovered if they are stored in a weak
encryption format.

Solution:

Increase password security by enabling the following:

Type 'setup' at the shell prompt.

Choose Authentication configuration.

Click Next, and enable:

MD5 Passwords [Allows passwords up to 256 characters]

Password Shadowing [Prevents users from obtaining the encrypted passwords]

Edit the /etc/login.defs file and set the following password configuration
(login.defs entries are a name followed by a value, separated by whitespace):

Set the minimum password length:

PASS_MIN_LEN 8

Set password expiry:

PASS_MAX_DAYS 45

PASS_MIN_DAYS 1

PASS_WARN_AGE 14
1.11. Disable non-essential accounts
Description:

Unnecessary user accounts should be tracked and be deleted from the system.

Impact:

Attackers can use these accounts to harm the system.

Solution:

Use the following commands to list the accounts and delete the non-essential
ones.

cut -d: -f1 /etc/passwd

userdel <unnecessary username>

Non-essential accounts:

lp, uucp, ftp, sync, operator, nobody, shutdown, games, nscd, halt, gopher,
nfsnobody, news, adm

1.12. Disable Accounts with empty passwords


Description:

Check the login accounts in the system with empty password.

Impact:

Accounts with empty passwords pose a grave security risk to the system because
all that is needed to login to such an account is knowledge of the login name.

Solution:

List the account names and password fields, check for lines whose second field
is empty, and set a password for those accounts using the following commands.

cut -d: -f1,2 /etc/shadow

Assign password for this type of account using the following command:

passwd <username>
1.13. Duplicate root UIDs
Description:

Accounts in the system are mapped to UIDs. At times UID corresponding to root
account is mapped to multiple login accounts.

Impact:

A low privileged user with the same UID as that of root account can compromise
the system.

Solution:

Ensure that accounts with same UID as that of root are authorized system
administrators. In the /etc/passwd file change the UID of such accounts.

Check the /etc/passwd and /etc/group files for accounts with the same UID and
GID as root and change their IDs using the following command:

usermod -u <new UID> <username>
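The two checks above (1.12 and 1.13) as an added example that is not part of the original document: each function takes a passwd- or shadow-format file, so the script runs here on constructed sample files and can be pointed at /etc/shadow and /etc/passwd on a real host. The function names are constructed for this example.

```sh
#!/bin/sh
# Added example, not part of the original document: report accounts with an
# empty password field and accounts that share root's UID or GID. The functions
# take a file argument so they can be run on copies or on the live files.

# empty_password_accounts SHADOW: names whose second field is empty. Locked
# fields ("*", "!", "!!") are not empty and are not reported.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# uid0_accounts PASSWD: names other than root whose UID (field 3) is 0
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# gid0_accounts PASSWD: names other than root whose primary GID (field 4) is 0
gid0_accounts() {
    awk -F: '$4 == 0 && $1 != "root" { print $1 }' "$1"
}

# write_sample_files DIR: constructed passwd and shadow files with one
# root-equivalent account (toor), one GID-0 account (ops) and two empty
# passwords (guest, test). The root hash is a placeholder, not a real hash.
write_sample_files() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backup admin:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
ops:x:500:0:ops user:/home/ops:/bin/bash
guest:x:501:501:guest:/home/guest:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$1$placeholder$hashgoeshere:12000:0:99999:7:::
guest::12000:0:99999:7:::
bin:*:12000:0:99999:7:::
lp:!!:12000:0:99999:7:::
test::12000:0:99999:7:::
EOF
}

dir=$(mktemp -d)
write_sample_files "$dir"
echo "empty passwords:"; empty_password_accounts "$dir/shadow"   # guest, test
echo "extra UID 0:";     uid0_accounts "$dir/passwd"             # toor
echo "extra GID 0:";     gid0_accounts "$dir/passwd"             # toor, ops
rm -rf "$dir"
```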

1.14. Disable remote root login


Description:

Root user must not be able to login from a remote console. The login command is
part of the authentication process to access a local Linux Operating Environment
account. Any action requiring direct login to the system using ‘root’ should be
restricted to the local console.

Impact:

Login to the system through telnet session can reveal the clear text password of
root user. Allowing remote login for root also enables a malicious user to attempt
access to the system leading to system compromise.

Solution:

Ensure that the /etc/securetty file lists only the local terminals from which
root is permitted to log in, so that root cannot log in remotely. The available
terminals are:

[root@localhost root]# less /etc/securetty

vc/1   vc/2   vc/3   vc/4   vc/5   vc/6   vc/7   vc/8   vc/9   vc/10  vc/11
tty0   tty1   tty2   tty3   tty4   tty5   tty6   tty7   tty8   tty9   tty10
tty11  tty12  tty13  tty14  tty15  tty16  tty17  tty18  tty19  tty20  tty21
tty22  tty23  tty24  tty25  tty26  tty27  tty28  tty29  tty30  tty31

1.15. Password protect single user mode


Description:

Linux provides a mechanism for system maintenance via “Single user mode”
which is typically started when the system is booting.

Impact:

This allows an attacker at the console to bypass any system protection and move
into run level 1 as root and change system settings.

Solution:

Edit /etc/inittab file to have entry as shown below.

vi /etc/inittab

id:5:initdefault:

~~:S:wait:/sbin/sulogin

Save the changes and restart the service:

/sbin/init q
4. Login Banner
Description:

An appropriate login message must be displayed to the user when he/she tries to
login to the system. This file should contain warnings about inappropriate and
unauthorized use of the system. It should also warn users that their sessions and
accounts may be monitored for illegal or inappropriate use.

Impact:

Displaying appropriate warning messages when users access a system will assist
in processing computer crime cases and will also act as an effective deterrent.

Solution:

Create or modify the /etc/issue, /etc/issue.net and /etc/motd files with an
appropriate statutory warning.

vi /etc/issue

"This system is for the use of authorized users only. Individuals using this
computer system without authority, or in excess of their authority, are subject to
having all their activities on this system monitored and recorded by system
personnel."

Same process for editing the files

/etc/issue.net

/etc/motd

1.16. FTP and Telnet banners


Description:

If FTP or TELNET services are required to run on the system then ensure that the
services do not advertise the operating system version when users connect to the
system.

Impact:

Attackers can easily get the fingerprint of the OS from the banner and using the
information they can start some specific attacks to the system.
Solution:

Create the files telnetd and ftpd in /etc/default with the entry below to mask
the OS version number in the banner:

vi /etc/default/telnetd

vi /etc/default/ftpd

BANNER="" (append this line to both of the above files)


5. Auditing and Logging

1.17. Enable user authentication auditing


Description:

Syslog facility is used to log system activities. Syslog daemon receives log
messages from several sources and directs them to the appropriate location
based on the configured facility and priority. It can be used to capture all
successful and failed logins.

Impact:

Malicious login attempts cannot be monitored.

Solution:

Add the following entry to /etc/syslog.conf to capture syslog events sent to
LOG_AUTH. This contains information on unsuccessful login attempts and on
successful and failed su (switch user) attempts.

vi /etc/syslog.conf

authpriv.*	/var/log/secure

Use the TAB key, not spaces, to separate authpriv.* from /var/log/secure.

Create /var/log/secure by executing the following commands

touch /var/log/secure

chown root /var/log/secure

chmod 600 /var/log/secure

1.18. Permission on log files


Description:

Linux maintains extensive logs of various system activities in the directory
/var/log. Often suspicious entries in the log files are the first indication that
something is wrong with the system.

Impact:

Attackers can easily delete those file from the system to remove the trace of
attacks.
Solution:

Enable logging in the syslog.conf file. Secure the permission of the above files
and give them permission like 622. Use programs like logcheck and swatch to
filter out the suspicious entries in the log files.

Check the permission on the following files. The safe permission is 622,

ls -l /var/log/messages

ls -l /var/log/secure

ls -l /var/log/wtmp

ls -l /var/log/xferlog

ls -l /var/spool/cron

ls -l /var/log/lastlog
6. Non-essential services
Description:

Linux by default has a number of services available. Some services are not
necessary for system operation and should be disabled.

Impact:

New or old vulnerabilities found in unused applications or services can be used
by malicious users to break in.

Solution:

Disable all services as given in the table below. The services run on a Linux
machine depend a lot on what it is being used for, so the system administrator
will have to activate services on a server-by-server basis using his discretion.

Run setup

Choose System Services

Choose the services to be disabled and uncheck their boxes.

Run Tool

Service Name: Remarks

Chargen: A service used for testing networks. Not required in production
systems.

Comsat: Comsat is the server process which receives reports of incoming mail
and notifies users if they have requested this service.

Daytime: A service used for testing networks. Not required in production
systems.

Discard: A service used for testing networks. Not required in production
systems.

Echo: A service used for testing networks. Not required in production systems.

Exec: Rexecd is the server for the rexec(3) routine. The server provides remote
execution facilities with authentication based on user names and passwords.
Disable this service.

Finger: Enabling finger is a security risk. Provides info to potential crackers.

ftp: Use sftp instead.

Identd: Provides server identity.

talk/ntalk/kotalk/talk: Talkd and ntalkd are the servers that notify a user
that someone else wants to initiate a conversation. It acts as a repository of
invitations, responding to requests by clients wishing to rendezvous to hold a
conversation. In a production system these services are usually not required
and can be safely disabled.

Lpd: Print daemon, not required.

Rlogin: Rlogind is the server for the rlogin program. The server provides a
remote login facility with authentication based on privileged port numbers from
trusted hosts. This service does not usually prompt the user for a password and
is hence a security threat. SSH is a safer alternative and this service can be
safely disabled.

netfs/nfs/nfslock/portmap: Unless a machine is an NFS server, there is no need
to run NFS.

Radvd: Router Advertising Daemon.

rexec/rsh/rlogin/rcp: Huge security risk. Disable the service.

Rquotad: rquotad is an RPC server which returns quotas for a user of a local
filesystem which is mounted by a remote machine over NFS. It also allows setting
of quotas on NFS mounted filesystems. If you are not assigning quotas on NFS
mounts in your environment then this service can be safely disabled.

Rhnsd: Connects to a Redhat server for updates.

Smtp: SMTP service used for relaying mail. Not required on servers which do not
transfer mail.

snmp/snmptrap: The SNMP services daemon and agent. If the machine is not
required to respond to SNMP get and set queries, this service can be safely
disabled.

Time: This is a service catered to by the xinetd server which returns the time
of day for client programs. This service can be safely disabled.

telnet: A service used to connect remotely to the machine. As passwords of
users are transmitted in clear text, it presents a security threat; use SSH
instead.

Tftp: Trivial File Transfer Protocol. Not required in production systems. Must
be disabled.

Walld: Wall sends a message to everybody logged in to the server. If this is
not being used on the production server it can be safely disabled.

Xinetd: A secure version of the Internet Daemon service. This is a super daemon
which caters to other services like telnet, rlogin, rsh, finger etc. If you do
not require any of these services then this can be safely disabled.

Ypserv/yppassword: NIS services. If this server is not part of a NIS domain,
this service can be safely disabled.

Uucp: Unix to Unix copy server program. This service is usually not required in
production environments and can be safely disabled.
7. Secure FTP and TFTP settings

1.19. FTP settings are not secure


Description:

All local accounts users have FTP access to the system by default. FTP banner
should be set to warn the user about the FTP access. Permission on FTP upload
and download folder should be secured.

Impact:

An intruder can download important files, delete files or upload malicious
software to the system.

Solution:

Configure secure settings. Restrict access to authorized users in the following
way:

To restrict FTP access for all users, use the following commands:

touch /etc/vsftpd.ftpusers

chown root /etc/vsftpd.ftpusers /etc/vsftpd.user_list

chgrp root /etc/vsftpd.ftpusers /etc/vsftpd.user_list

chmod 600 /etc/vsftpd.ftpusers /etc/vsftpd.user_list

cut -d: -f1 /etc/passwd > /etc/vsftpd.ftpusers

cut -d: -f1 /etc/passwd > /etc/vsftpd.user_list

The above step will deny all accounts for ftp access; remove accounts that
require ftp access.

Create a banner file which does not reveal information about the Operating
system. To change the greeting banner for wu-ftpd, add the following directive to
/etc/vsftpd.ftpusers at the start of the file:

greeting text <insert_greeting_here>


Ensure that the permissions on the download folder are set with umask 022. If
you want to allow anonymous users to upload in WU-FTPD, it is recommended that
you create a write-only directory within /var/ftp/pub/. To do this type:

mkdir /var/ftp/pub/upload

Next change the permissions so that anonymous users cannot see what is within
the directory by typing

chmod 744 /var/ftp/pub/upload

A long format listing of the directory should look like this:

drwxr--r-- 2 root ftp 4096 Aug 20 18:26 upload

1.20. TFTP permission is not secured


Description:

If the TFTP service is required, one should create a directory called /tftpboot for
uploading and downloading data.

Impact:

Attacker can easily steal or delete the data from TFTP server.

Solution:

Assign 754 permission on the /tftpboot directory using chmod command.

mkdir /tftpboot

chmod 754 /tftpboot


8. Secure Network Settings

1.21. Network settings
Description:

There are several kernel options in Red Hat Linux that can be configured to
increase the overall network security. The kernel can be modified by editing
/etc/sysctl.conf file. The file is loaded whenever the server reboots or an
administrator manually restarts the network services.

Impact:

If these parameters are not set properly attackers can easily attack the server
remotely.

Solution:

Set the value of the parameters as following in /etc/sysctl.conf file

vi /etc/sysctl.conf (Configure the following settings)

net.ipv4.icmp_echo_ignore_broadcasts = 1

net.ipv4.conf.all.accept_redirects = 0

net.ipv4.conf.all.send_redirects = 0

net.ipv4.conf.all.rp_filter = 1

net.ipv4.conf.default.rp_filter = 1

net.ipv4.conf.all.accept_source_route = 0

net.ipv4.tcp_max_syn_backlog = 4096

net.ipv4.tcp_syncookies = 1
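Added example, not from the original document: check_sysctl compares the settings above with a snapshot of sysctl -a output and reports each mismatch. The snapshot file and the function names are constructed for this example; on a live host run sysctl -a 2>/dev/null > /tmp/sysctl.now and then check_sysctl /tmp/sysctl.now.

```sh
#!/bin/sh
# Added example, not part of the original document: compare the settings listed
# above with the kernel's current values and report every mismatch. Current
# values are read from a file in "key = value" form, as printed by "sysctl -a",
# so the check runs here on a constructed snapshot and can be pointed at live
# output just as easily.

DESIRED='net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_syncookies = 1'

# check_sysctl SNAPSHOT: prints "key: expected X, found Y" per mismatch and
# returns the mismatch count, so exit status 0 means all settings are in place.
check_sysctl() {
    mismatches=0
    while read -r key eq want; do
        [ -z "$key" ] && continue
        have=$(awk -v k="$key" '$1 == k { print $3; exit }' "$1")
        if [ "$have" != "$want" ]; then
            echo "$key: expected $want, found ${have:-<unset>}"
            mismatches=$((mismatches + 1))
        fi
    done <<EOF
$DESIRED
EOF
    return "$mismatches"
}

# write_sample_snapshot FILE: constructed "sysctl -a" output in which
# accept_redirects is still on, default rp_filter is off and syncookies is absent.
write_sample_snapshot() {
    cat > "$1" <<'EOF'
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.ip_forward = 0
EOF
}

snap=$(mktemp)
write_sample_snapshot "$snap"
if check_sysctl "$snap"; then
    echo "all settings applied"
else
    echo "mismatches: $?"        # 3 for the constructed snapshot
fi
rm -f "$snap"
```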

1.22. Disable unauthenticated remote login by users


Description:

Hosts.equiv file in the system allows unauthenticated user to remote login into
the system.

Impact:

Unauthorized access to system.


Solution:

Remove /etc/hosts.equiv file if not required.

rm /etc/hosts.equiv

1.23. Route daemon service is not secured


Description:

If the route daemon is required to be running, secure it by running it in quiet
mode, i.e. the route daemon should be configured not to advertise routes.

Impact:

Attackers can easily get the information of system’s routing table.

Solution:

The routed daemon should be run with the -q option.

vi /etc/rc.d/init.d/routed (in the /etc/rc.d/init.d/routed file search for "start")

SILENT=true (put this entry before "start")

When the routed daemon is started, it will then run with the -q option.


9. System Security options

1.24. Ctrl+Alt+Del Setting
Description:

By default the CTRL+ALT+DEL reboot functionality is enabled in the system. This
allows any user to reboot the machine.

Impact:

This function allows an unauthorized user to reboot the server.

Solution:

Edit the /etc/inittab file and comment out the following line:

vi /etc/inittab

ca::ctrlaltdel:/sbin/shutdown -t3 -r now

Save the change and restart init service for the change to take effect:

/sbin/init q
10. Installing SSH (Telnet is used for remote administration)
Note: If SSH is already installed on the system then there is no need to follow this step.

Description:

Telnet is used for remote administration in Linux, but the telnet protocol sends
authentication credentials and data in clear text to the server. SSH is a protocol
similar to telnet but more secure: it sends all traffic in encrypted form. FTP is
used for file transfer.

Impact:

Attackers can get the sensitive data like username and password using simple packet
sniffer.

Solution:

SSH can be used instead of telnet and FTP.

Download the latest RPMs for these packages from RedHat's website or from
www.openssh.org and install them using the rpm -ivh <package_name> command.
Configure the service to start at system start-up. Install the SSH client
software at the client end.

Run the netstat command and check that port 22 is listening.
