Slackware System Hardening
Copyright (c) 2002 Jeffrey Denton
Written by Jeffrey Denton <dentonj@c2i2.com>
4 June 2002
version - 0.4
http://www.c2i2.com/~dentonj/system-hardening

This is a list of some of the steps I take to improve the security on my Slackware systems. It is by no means complete. You can either do all of the things I do, or you can choose only the ones you feel would help secure your system.

WARNING: Hardening a system is a compromise between security and usability. Some of the things I do will adversely affect the usability of your system and may very well break things. Please have one of the following on hand just in case you lock yourself out of your system:

  Tom's Rootboot - http://www.toms.net/rb/
  The "Live" CD that comes with the official version of Slackware.

And of course, make sure you have a bootdisk. You do have a bootdisk, right? If you don't have one, run /sbin/makebootdisk. You should also make a backup of anything that you feel is important, would be hard to replace, or that you simply cannot do without. If you are either new to Linux or don't know what you are doing, you could very easily get carried away with hardening a system and end up with a system that is unusable. You have been warned.

Note:
  - Line numbers correspond to the rc.scripts in Slackware 8.0.
  - The settings assume only one user is on the system, "dentonj".
  - Associated man pages are listed.
  - I will comment this document as I get to it.
-- Resources --

http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS/cHTML/TrinityOS-c.html
http://www.linuxdoc.org/LDP/gawlso/Securing-Optimizing-Linux-RH-Edition-1_3.pdf
http://dsl.org/cookbook/
http://bastille-linux.sourceforge.net
http://www.suse.de/~marc/
http://sastk.sourceforge.net
http://www.google.com
http://orbit-resource.sourceforge.net/faq.html

-- Keep Current --

ftp://ftp.slackware.com/pub/slackware/slackware-8.0/patches/packages
ftp://ftp.slackware.com/pub/slackware/slackware-current/ChangeLog.txt
http://www.slackware.com/lists/
http://www.securityfocus.com/cgi-bin/vulns.pl
http://packetstorm.decepticons.org/last50.shtml

-- Disable Daemons/Close Ports --

/etc/rc.d/rc.S:
  Lines 171-175: comment out isapnp.conf
  Lines 193-195: comment out rc.pcmcia

/etc/rc.d/rc.M:
  Lines 50-53: comment out lpd
  Line 67: comment out atd
  Lines 117-122: comment out apmd
  Lines 141-143: comment out rc.ibcs2
  #Lines 146-148: comment out rc.httpd
  Lines 155-157: comment out samba

/etc/rc.d/rc.4:
  Line 23 add: -udpPort 0
  (xdm's -udpPort is the XDMCP port; 0 turns XDMCP off, so nothing listens on udp/177.)

/etc/rc.d/rc.inet2:
  Line 22: IPV4_FORWARD=0
  Lines 48-51: comment out rpc.portmapper
  Lines 83-88: comment out inetd
  Lines 108-110: comment out rc.nfsd
  Lines 114-117: comment out lpd

/etc/rc.d/:
  chmod -R go-rwx /etc/rc.d
  chmod 600 /usr/lib/news/bin/rc.news

/etc/inetd.conf:
  grep -v "^#" /etc/inetd.conf
  Comment out every service the command lists that you do not need; whatever is left uncommented is a listening port.
  man inetd

/etc/orbitrc:
  ORBIIOPUSock=1
  ORBIIOPIPv4=0
  ORBIIOPIPv6=0

/usr/X11R6/bin/startx:
  serverargs="-nolisten tcp"
  man Xserver

-- Limit Access --

/etc/lilo.conf:
  restricted
  password=somepassword
  /sbin/lilo -v
  man lilo.conf
  (lilo.conf now contains a cleartext password; that is why it gets chmod 600 and chattr +i in the File Permissions section below.)

/etc/login.access:
  +:root dentonj:localhost
  -:ALL EXCEPT root dentonj:ALL
  man login.access

/etc/login.defs:
  Line 38: LOG_OK_LOGINS yes
  Line 86: uncomment SULOG_FILE
  Line 98: uncomment ISSUE_FILE
  Line 206: UMASK 077
  Line 217: PASS_MAX_DAYS 30
  Line 217: PASS_MIN_LEN 8
  Line 250: LOGIN_RETRIES 3
  Line 285: comment out CHFN_RESTRICT
  Line 319: DEFAULT_HOME no
  man login.defs

/etc/suauth:
  ALL:ALL EXCEPT dentonj:DENY
  man suauth

/etc/porttime:
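The inetd.conf step above boils down to "grep -v ^# and read the result". The script below is an added example, not code from the original page: it parses the uncommented entries of an inetd.conf in the classic Slackware layout (service, socket type, protocol, wait flag, user, server, args), resolves each one to its port through a file in /etc/services format, and, where the server field is tcpd, names the daemon that really runs. The file paths are parameters so it can be pointed at a mounted rescue image as well as at the live /etc/inetd.conf and /etc/services; the inetd.conf and services files it creates are constructed sample input, not copied from any real host.

```shell
#!/bin/sh
# Added example, not from the original page: report what an inetd.conf still
# enables. Assumes the classic field order
#   service socktype proto wait user server args
# and a services file in /etc/services format.

# inetd_active CONF SERVICES
# Prints "<service>/<proto> port=<n|rpc|?> runs=<program>" per enabled entry.
inetd_active() {
    conf=$1
    services=$2
    # Drop comment and blank lines, then split the remaining fields.
    grep -v '^[[:space:]]*#' "$conf" | grep -v '^[[:space:]]*$' |
    while read -r svc socktype proto wait user server args; do
        case $proto in
            # RPC services are registered with portmap; /etc/services has no port for them.
            rpc/*) port=rpc ;;
            *)
                port=$(awk -v s="$svc" -v p="$proto" \
                    '$1 == s && $2 ~ ("/" p "$") { split($2, a, "/"); print a[1]; exit }' \
                    "$services")
                [ -n "$port" ] || port='?'
                ;;
        esac
        # Behind tcpd the real daemon is the first word of the args field.
        case $server in
            */tcpd) set -- $args; program=${1:-$server} ;;
            *)      program=$server ;;
        esac
        printf '%s/%s port=%s runs=%s\n' "$svc" "$proto" "$port" "$program"
    done
}

# inetd_count CONF SERVICES -> number of enabled entries (0 means inetd can stay off)
inetd_count() {
    inetd_active "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample input in the Slackware 8.0 layout (not a real host's files).
sample_conf=$(mktemp)
sample_services=$(mktemp)
cat > "$sample_conf" <<'EOF'
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
#ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  proftpd
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
auth    stream  tcp     wait    root    /usr/sbin/in.identd in.identd -w -t120
#finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd -w
tftp    dgram   udp     wait    root    /usr/sbin/tcpd  in.tftpd /tftpboot
mountd/1 dgram  rpc/udp wait    root    /usr/sbin/rpc.mountd rpc.mountd
EOF
cat > "$sample_services" <<'EOF'
ftp     21/tcp
telnet  23/tcp
tftp    69/udp
finger  79/tcp
auth    113/tcp   ident tap
EOF

# On the real system: inetd_active /etc/inetd.conf /etc/services
inetd_active "$sample_conf" "$sample_services"
# The sample files are left in place so they can be inspected; rm -f them when done.
```

On the sample input this prints four lines (telnet on 23, auth on 113, tftp on 69 and the RPC mountd entry) and nothing for the commented-out ftp and finger lines; if inetd_count reports 0 for the live file, the inetd lines in rc.inet2 can stay commented out for good.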
  tty1,tty2,tty3,tty4,tty5,tty6:root,dentonj:Al0000-2400
  *:*:
  man porttime

/etc/limits:
  dentonj L1K077C0
  man limits

/etc/shells:
  Delete the following:
    /bin/csh
    /bin/ksh
    /bin/zsh
  Add the following:
    /bin/sh
    /bin/false
  man shells
  Caveat: ftpd, chsh and anything else that calls getusershell() treats every shell listed in /etc/shells as a valid login shell, so listing /bin/false here means the system accounts given /bin/false below are not rejected on that basis. The /etc/ftpusers entries below are what actually keep them away from ftp.

/etc/passwd & /etc/shadow:
  Delete the following:
    adm
    uucp
    operator
  Add /bin/false as the shell to the following:
    bin daemon ftp games lp mail mysql news http nobody
  Note: Don't run these if you like to make the passwd and shadow files immutable (chattr +i ...). It gets ugly.
    /usr/bin/passwd -x 30 -w 7 root
    /usr/bin/passwd -x 30 -w 7 dentonj
  man 1 passwd
  man 5 passwd
  man 5 shadow

/etc/group:
  Delete the following:
    adm
    lp
    uucp
  /usr/sbin/pwck
  /usr/sbin/grpck
  man group
  man grpck
  man pwck
  The above may create a long list of files that no longer belong to any user or group. Find them and give them to root (the -o needs the parentheses, otherwise -ls only applies to the -nogroup half):
    find / \( -nouser -o -nogroup \) -ls > nouser
    chown root.root <the results>

/etc/sudoers:
  ALL ALL=/usr/local/sbin/logit
  ALL ALL=/usr/bin/tail
  man sudo
  man sudoers
  man visudo

/etc/ftpusers:
  Add the following:
    bin daemon adm lp sync shutdown halt mail operator games mysql gdm nobody man
  man ftpusers

/etc/host.conf:
  nospoof on
  spoofalert on
  man host.conf

/etc/hosts.allow:
  ALL:ALL:DENY
  man hosts_access
  Note: hosts.allow is consulted before hosts.deny, so this line refuses every wrapped service before hosts.deny is ever read. Put a more specific allow line above it for any wrapped service you do want reachable.

/etc/hosts.deny:
  ALL:ALL@ALL EXCEPT localhost, PARANOID
  /usr/sbin/tcpdchk
  man hosts_access

/etc/hosts.lpd:
  touch /etc/hosts.lpd

/etc/hosts.equiv:
  Make sure the file is empty.
  man hosts.equiv

/etc/mail/aliases:
  Comment out ALL except MAILER-DAEMON and postmaster
  /usr/bin/newaliases
  man aliases
  man newaliases

/etc/X11/xdm/Xaccess:
  Make sure all lines are commented out.
  man xdm

/etc/opt/gnome/gdm/gdm.conf:
  [security]
  AllowRemoteRoot=false
  [xdmcp]
  Enabled=false
  Port=0

-- Logging --

/etc/rc.d/rc.M:
  Line 45: /usr/sbin/syslogd -m 0
  Line 48: /usr/sbin/klogd -c 3 -p
  man syslogd
  man klogd

/etc/rc.d/rc.inet2:
  Line 74: /usr/sbin/syslogd -m 0
  Line 78: /usr/sbin/klogd -c 3 -p
  man syslogd
  man klogd

/etc/syslog.conf:
  #.info;*.notice;mail.none;authpriv.none    /var/log/messages
  *.debug                                    /var/log/debug
  authpriv.*;auth.*                          /var/log/secure
  mail.*                                     /var/log/mail
  cron.*                                     /var/log/cron
  *.emerg                                    *
  *.warn                                     /var/log/syslog
  *.err                                      /var/log/syslog
  *.*                                        /dev/tty12
  touch /var/log/mail
  touch /var/log/faillog
  man syslog.conf
  man 5 faillog
  man 8 faillog

/etc/rc.d/rc.S:
  Line 168: comment out overwriting /etc/motd

/etc/motd, /etc/issue.net, and /boot/boot_message.txt:
  ****************************************************************
  Unauthorized access prohibited; all access and activities not
  explicitly authorized by the administrator are unauthorized. All
  activities are monitored and logged. There is no privacy on this
  system. Unauthorized access and activities or any criminal activity
  will be reported to appropriate authorities.
  ****************************************************************
  /sbin/lilo -v
  man issue
  man motd

-- Filesystem --

/etc/rc.d/rc.inet2:
  Lines 58,60: comment out mounting NFS
  Lines 65,67: comment out mounting smbfs

/etc/exports:
  Make sure it's empty.
  man exports

/etc/fstab:
  /dev/hdb1  swap          swap  defaults                        0 0
  /dev/hdb5  /             ext3  defaults                        1 1
  /dev/hdb6  /var          ext3  rw,nosuid,nodev                 0 2
  /dev/hdb7  /tmp          ext3  rw,nosuid,nodev,noexec          0 2
  /dev/hdb8  /usr          ext3  defaults                        0 2
  /dev/hdb9  /home         ext3  rw,nosuid,nodev                 0 0
  /dev/hda1  /mnt/windows  vfat  rw,nosuid,nodev,noexec,noauto   0 0
  /dev/hda2  /mnt/slack    ext2  rw,noauto                       0 0
  /dev/fd0   /mnt/floppy   auto  rw,nodev,noauto                 0 0
  mkdir /mnt/windows
  mkdir /mnt/slack
  mkdir /mnt/floppy
  man fstab
  man nfs
  Caveat: noexec is a speed bump, not a wall. On 2.4 kernels a binary sitting on a noexec filesystem can still be run by handing it to the dynamic loader directly, and scripts can always be fed to their interpreter. nosuid and nodev are the options that matter on /tmp, /var and /home.

Change how often fsck is run during boot:
  for i in hdb5 hdb6 hdb7 hdb8 hdb9; do
    tune2fs -c 0 /dev/$i
    tune2fs -i 1m /dev/$i
  done
  man tune2fs

-- File Permissions --

Obscurity (the immutable bit stops edits and deletion until chattr -i is run; against an attacker who already has root it only helps once CAP_LINUX_IMMUTABLE has been dropped, which is what lcap in the Security Programs section is for):
  chattr +i /etc/exports
  chattr +i /etc/hosts.equiv
  chattr +i /etc/hosts.lpd
  chattr +i /etc/inetd.conf
  chattr +i /etc/lilo.conf
  chattr +i /etc/login.access
  chattr +i /etc/login.defs
  chattr +i /etc/porttime
  chattr +i /etc/protocols
  chattr +i /etc/securetty
  chattr +i /etc/services
  chattr +i /etc/suauth
  man chattr

Remove unneeded files:
  rm /etc/csh.cshrc /etc/csh.login
  man tcsh

chmod a long list of files:
  chmod 750 /bin/mt-st
  chmod 600 /etc/ftpusers
  chmod 600 /etc/hosts.allow
  chmod 600 /etc/hosts.deny
  chmod 600 /etc/inetd.conf
  chmod 600 /etc/inittab
  chmod 600 /etc/lilo.conf
  chmod 600 /etc/login.defs
  chmod 600 /etc/securetty
  chmod 600 /etc/suauth
  chmod 440 /etc/sudoers
  chmod 600 /etc/syslog.conf
  chmod 750 /sbin/badblocks
  chmod 750 /sbin/debugfs
  chmod 750 /sbin/depmod
  chmod 750 /sbin/dumpe2fs
  chmod 750 /sbin/explodepkg
  chmod 750 /sbin/fdisk
  chmod 750 /sbin/fsck
  chmod 750 /sbin/fsck.ext2
  chmod 750 /sbin/fsck.minix
  chmod 750 /sbin/ftl_check
  chmod 750 /sbin/ftl_format
  chmod 750 /sbin/halt
  chmod 750 /sbin/hwclock
  chmod 750 /sbin/ifconfig
  chmod 750 /sbin/ifport
  chmod 750 /sbin/ifuser
  chmod 750 /sbin/init
  chmod 750 /sbin/insmod
  chmod 750 /sbin/installpkg
  chmod 750 /sbin/isapnp
  chmod 750 /sbin/killall5
  chmod 750 /sbin/lilo
  chmod 750 /sbin/makepkg
  chmod 750 /sbin/mke2fs
  chmod 750 /sbin/mkfs
  chmod 750 /sbin/mkfs.minix
  chmod 750 /sbin/mkdosfs
  chmod 750 /sbin/mkraid
  chmod 750 /sbin/mkswap
  chmod 750 /sbin/modinfo
  chmod 750 /sbin/netconfig.color
  chmod 750 /sbin/netconfig.tty
  chmod 750 /sbin/pkgtool
  chmod 750 /sbin/pnpdump
  chmod 750 /sbin/removepkg
  chmod 750 /sbin/rpc.portmap
  chmod 750 /sbin/quotaon
  chmod 750 /sbin/rdev
  chmod 750 /sbin/runlevel
  chmod 750 /sbin/setserial
  chmod 750 /sbin/swapon
  chmod 750 /sbin/tune2fs
  chmod 750 /sbin/upgradepkg
  chmod 750 /sbin/uugetty
  chmod 750 /usr/bin/eject
  chmod 4750 /usr/bin/gpasswd
  chmod 750 /usr/bin/lpq
  chmod 750 /usr/bin/lprm
  chmod 4750 /usr/bin/lpr
  chmod 750 /usr/bin/minicom
  chmod 700 /usr/bin/nohup
  chmod 700 /usr/bin/script
  chmod 500 /usr/lib/news/bin/inndstart
  chmod 500 /usr/lib/news/bin/startinnfeed
  chmod 750 /usr/lib/setup/cpkgtool
  chmod 750 /usr/lib/setup/hdsetup
  chmod 750 /usr/sbin/atd
  chmod 750 /usr/sbin/atrun
  chmod 750 /usr/sbin/crond
  chmod 750 /usr/sbin/ctrlaltdel
  chmod 750 /usr/sbin/dhcpd
  chmod 750 /usr/sbin/dhcrelay
  chmod 750 /usr/sbin/edquota
  chmod 750 /usr/sbin/groupadd
  chmod 750 /usr/sbin/groupdel
  chmod 750 /usr/sbin/groupmod
  chmod 750 /usr/sbin/grpck
  chmod 750 /usr/sbin/grpconv
  chmod 750 /usr/sbin/grpunconv
  chmod 750 /usr/sbin/hdparm
  chmod 750 /usr/sbin/imapd
  chmod 750 /usr/sbin/in.comsat
  chmod 755 /usr/sbin/in.fingerd
  chmod 755 /usr/sbin/in.identd
  chmod 750 /usr/sbin/in.talkd
  chmod 000 /usr/sbin/in.rexecd
  chmod 000 /usr/sbin/in.rlogind
  chmod 000 /usr/sbin/in.rshd
  chmod 750 /usr/sbin/in.telnetd
  chmod 000 /usr/sbin/in.tftpd
  chmod 750 /usr/sbin/in.timed
  chmod 750 /usr/sbin/inetd
  chmod 750 /usr/sbin/ipop3d
  chmod 750 /usr/sbin/klogd
  chmod 2750 /usr/sbin/lpc
  chmod 740 /usr/sbin/lpd
  chmod 750 /usr/sbin/lpf
  chmod 550 /usr/sbin/makemap
  chmod 750 /usr/sbin/mouseconfig
  chmod 750 /usr/sbin/named
  chmod 750 /usr/sbin/newusers
  chmod 750 /usr/sbin/nmbd
  chmod 750 /usr/sbin/ntpdate
  chmod 750 /usr/sbin/ntpq
  chmod 750 /usr/sbin/ntptime
  chmod 750 /usr/sbin/ntptrace
  chmod 750 /usr/sbin/pppd
  chmod 750 /usr/sbin/pwck
  chmod 750 /usr/sbin/pwconv
  chmod 750 /usr/sbin/pwunconv
  chmod 550 /usr/sbin/quotastats
  chmod 750 /usr/sbin/rpc.bootparamd
  chmod 750 /usr/sbin/rpc.mountd
  chmod 750 /usr/sbin/rpc.nfsd
  chmod 750 /usr/sbin/rpc.rusersd
  chmod 750 /usr/sbin/rpc.rwalld
  chmod 750 /usr/sbin/rpc.yppasswdd
  chmod 750 /usr/sbin/rpc.ypxfrd
  chmod 750 /usr/sbin/rpcinfo
  chmod 750 /usr/sbin/showmount
  chmod 750 /usr/sbin/smbd
  chmod 750 /usr/sbin/syslogd
  chmod 750 /usr/sbin/tcpd
  chmod 750 /usr/sbin/tcpdchk
  chmod 750 /usr/sbin/tcpdmatch
  chmod 750 /usr/sbin/tcpdump
  chmod 750 /usr/sbin/timeconfig
  chmod 750 /usr/sbin/useradd
  chmod 750 /usr/sbin/userdel
  chmod 750 /usr/sbin/usermod
  chmod 750 /usr/sbin/vipw
  man chmod

To make things easier, you can download a file that contains the above list and run the short awk command below. The file holds one mode:owner:group:path entry per line, which is what the four awk fields refer to:
  http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/sastk/SAStk/src/fileperm

  awk -F: '{
      print "chmod "$1" "$4
      system("/bin/chmod "$1" "$4)
      print "chown "$2"."$3" "$4
      system("/bin/chown "$2"."$3" "$4)
  }' < fileperm
  man chmod
  man chown
  man gawk

More chmod:
  chmod -R o-rwx /var/log
  chmod -R go-rwx /home/dentonj
  chmod -R go-rwx /root
  man chmod

Find SUID/SGID files and directories:
  find / -type f \( -perm -4000 -o -perm -2000 \) -ls > suid_files.out
  find / -type d \( -perm -4000 -o -perm -2000 \) -ls > suid_dir.out
  chmod ug-s <file>   # To remove the SUID/SGID bit
  man chmod
  man find

Find world and group writable files and directories:
  find / -type f \( -perm -2 -o -perm -20 \) -ls > write_files.out
  find / -type d \( -perm -2 -o -perm -20 \) -ls > write_dir.out
  man find
  Keep the output files from these scans; rerunning the commands later and diffing against the saved copy shows what changed. Prune /proc from the scans (find's -prune, or -xdev run once per filesystem), otherwise the output fills with kernel pseudo-files.

-- rc.local --

/etc/rc.d/rc.local:
  # Network hardening
  echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
  echo 1 > /proc/sys/net/ipv4/tcp_syncookies
  echo 1 > /proc/sys/net/ipv4/ip_always_defrag
  echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
  echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  for i in /proc/sys/net/ipv4/conf/*/log_martians; do
    echo 1 > $i
  done
  for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > $i
  done
  for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > $i
  done

  # Network optimizing
  # ip_local_port_range takes two numbers separated by a space, not a range with a hyphen
  echo "32768 64000" > /proc/sys/net/ipv4/ip_local_port_range
  echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
  echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
  echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
  echo 0 > /proc/sys/net/ipv4/tcp_sack
  echo 0 > /proc/sys/net/ipv4/tcp_timestamps

  # Obscurity
  echo 255 > /proc/sys/net/ipv4/ip_default_ttl

  # System optimizing
  echo "100 1200 128 512 500 5000 500 1884 1" > /proc/sys/vm/bdflush
  echo "80 10 60" > /proc/sys/vm/buffermem
  echo 6144 > /proc/sys/fs/file-max
  echo 24576 > /proc/sys/fs/inode-max

  # Start various security programs
  #/usr/psionic/portsentry/portsentry -atcp
  #/usr/psionic/portsentry/portsentry -sudp
  /usr/sbin/icmpinfo -vv -s -l
  /usr/local/sbin/accton /var/account/pacct
  /usr/local/sbin/iplog
  /etc/rc.d/rc.firewall start
  if [ -x /usr/sbin/logoutd ]; then
    /usr/sbin/logoutd
  fi

  # Various system settings
  /usr/bin/setleds -D +num

  # This is harddrive specific
  /usr/sbin/hdparm -c3 -A1 -m16 -d1 /dev/hdb

  man hdparm
  man logoutd
  man setleds

  Notes: after the next boot, cat each /proc/sys entry to confirm the value took. A misspelled path (the original of this section had /proc/sys/nit/ipv4/... in the rp_filter loop) only produces a "No such file or directory" on the console during boot and the setting is silently missing. ip_always_defrag exists on 2.2 kernels only; on 2.4 that echo fails the same way and can be dropped. icmp_echo_ignore_all=1 means the host no longer answers ping at all, which is intended here but worth remembering when something "can't reach" the box.

-- Cron --
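The fileperm/awk step above applies a mode:owner:group:path list but gives no way to notice when a package upgrade or a stray chmod has undone it. The script below is an added example, not code from the original page or from SAStk: it reads the same list format (the field order is assumed from the awk fields $1 to $4), compares every entry against the live file with GNU stat, and reports the drift instead of correcting it, which makes it safe to run from cron as a daily check. The sample tree and list it builds are constructed for the example, owned by whoever runs it, and are not a real system's files.

```shell
#!/bin/sh
# Added example, not from the original page or from SAStk: audit a
# mode:owner:group:path list against the filesystem without changing anything.
# Needs GNU stat (-c). Comment and blank lines in the list are skipped.

# perm_normalize MODE -> octal mode without leading zeros ("0750" -> "750",
# "000" -> "0"), i.e. the form stat -c %a prints
perm_normalize() {
    m=$(printf '%s' "$1" | sed 's/^0*//')
    printf '%s' "${m:-0}"
}

# perm_audit LISTFILE
# Prints one line per entry that drifted:
#   <path> want=<mode>:<owner>:<group> have=<mode>:<owner>:<group>
# or "<path> missing" when the path does not exist.
# Returns 0 when the whole list matches, 1 otherwise.
perm_audit() {
    list=$1
    drift=0
    while IFS=: read -r mode owner group path; do
        case $mode in ''|'#'*) continue ;; esac
        if [ ! -e "$path" ]; then
            printf '%s missing\n' "$path"
            drift=$((drift + 1))
            continue
        fi
        want="$(perm_normalize "$mode"):$owner:$group"
        have=$(stat -c '%a:%U:%G' "$path")
        if [ "$have" != "$want" ]; then
            printf '%s want=%s have=%s\n' "$path" "$want" "$have"
            drift=$((drift + 1))
        fi
    done < "$list"
    [ "$drift" -eq 0 ]
}

# Constructed sample tree and list (not a real system's files). The names
# mirror entries from the chmod list above. Two entries match the list,
# one has drifted to 755, one is missing altogether.
me=$(id -un)
mg=$(id -gn)
sample_dir=$(mktemp -d)
touch "$sample_dir/sudoers" "$sample_dir/lilo.conf" "$sample_dir/ifconfig"
chmod 440 "$sample_dir/sudoers"
chmod 600 "$sample_dir/lilo.conf"
chmod 755 "$sample_dir/ifconfig"
sample_list=$(mktemp)
cat > "$sample_list" <<EOF
# mode:owner:group:path
0440:$me:$mg:$sample_dir/sudoers
600:$me:$mg:$sample_dir/lilo.conf
750:$me:$mg:$sample_dir/ifconfig
600:$me:$mg:$sample_dir/suauth
EOF

# On the real system: perm_audit /root/fileperm | mail -s "fileperm drift" root
perm_audit "$sample_list" || echo "permission drift found"
```

On the sample list this reports the ifconfig entry (want 750, have 755) and the missing suauth file and exits 1; once both are corrected it prints nothing and exits 0, so the exit status alone is enough for a cron job that mails only on failure.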
/var/spool/cron/crontabs/root:
  # Sync clocks
  0 0 * * * /usr/sbin/ntpdate clock.via.net; hwclock --systohc

  # Security programs
  0 0 * * * /usr/local/etc/logcheck.sh
  #1 1 * * * /usr/local/sbin/tripwire -m c | mail -s \
  #    "Tripwire report for $HOSTNAME" root@localhost 2> /dev/null
  0 4 * * * /usr/local/sbin/sxid
  0 23 * * * cd /usr/local/sbin/; ./chkrootkit | mail -s \
      "Chkrootkit report from $HOSTNAME" root@localhost
  0 22 * * * /usr/local/sbin/aide --config=/etc/aide.conf | mail -s \
      "AIDE report from $HOSTNAME" root@localhost
  0 0 * * * /usr/local/seccheck/security-control daily&
  0 1 * * 1 /usr/local/seccheck/security-control weekly&
  0 4 1 * * /usr/local/seccheck/security-control monthly&

  # System cleanup
  # (the core search needs a starting path; without one find searches cron's
  # working directory, which is only /root. -mindepth 1 keeps find from handing
  # /tmp itself to rm -rf when the directory's own atime is older than 7 days.)
  0 3 * * * /usr/bin/find / -type f -name core \
      -exec /bin/rm -f {} \; 2> /dev/null
  0 3 * * * /usr/bin/find /tmp -mindepth 1 -atime +7 \
      -exec /bin/rm -rf {} \; 2> /dev/null
  0 3 * * * /usr/bin/find /var/tmp -mindepth 1 -atime +7 \
      -exec /bin/rm -f {} \; 2> /dev/null
  0 3 * * * /usr/bin/find /var/spool/lpd \( -name "cf*" -o -name "df*" \) \
      -type f -atime +2 -exec /bin/rm -f {} \; 2> /dev/null

  # Paranoid checks
  0 3 * * * /bin/chmod -R go-rwx /home/dentonj
  0 3 * * * /bin/chmod -R go-rwx /root
  0 3 * * * /bin/rm -f /home/*/dead.letter
  0 3 * * * /usr/bin/find / \( -name .rhosts -o -name .forward \) -ls \
      -exec /usr/bin/cat {} \; | mail -s \
      ".rhosts or .forward files on $HOSTNAME" root@localhost 2> /dev/null
  man crond
  man crontab
  Note: the backslash continuations are there for readability. Not every crond accepts them (Vixie cron does not); if yours complains, put each command on a single line.

-- Bash --

/etc/profile:
  Lines 26-28: comment out the section adding "." to PATH
  Lines 57-58: comment out and add:
    elif [ `id -u` = "0" ]; then
      PS1="\[\033[1;31m\]\t [\j]:\w\$\[\033[0m\] "
    else
      PS1="\[\033[1;32m\]\t [\j]:\w\$\[\033[0m\] "
    (the escape sequences are wrapped in \[ ... \] so bash does not count them as visible characters)
  Line 70: umask 077

  # Limit history for root and the user that can su to root
  if [ `id -u` = "0" -o "$USER" = "dentonj" ]; then
    HISTSIZE=20
    HISTFILESIZE=20
    export HISTSIZE HISTFILESIZE
  fi

  # Logout if a root terminal is left unused for too long
  if [ `id -u` = "0" ]; then
    TMOUT=1200
    export TMOUT
  fi

  # Misc settings:
  shopt -s cdspell
  shopt -s cmdhist
  shopt -s dotglob
  shopt -s extglob
  setterm -bfreq 0
  typeset -r HISTFILE
  typeset -r HISTFILESIZE
  typeset -r HISTSIZE
  typeset -r HISTNAME
  typeset -r USER
  typeset -r LOGNAME

  # Aliases:
  # shred doesn't delete recursively, use "/bin/rm -rf ..."
  alias rm="shred -uz"
  man bash
  Note: TMOUT can simply be unset from the shell unless it is made read-only the way the HIST variables are; add it to the typeset -r list if the timeout is meant to stick.

/root/.bash_logout:
  clear && rm /root/.bash_history
  man bash

-- Misc --

/etc/rc.d/rc.M:
  Line 18: /bin/setterm -blank 0
  man setterm

/etc/modules.conf:
  alias net-pf-9 off
  man modules.conf

/etc/issue:
  Welcome to \s (\l) \t - \U
  man issue

/etc/inittab:
  Line 35: comment out ctrlaltdel
  man init
  man inittab

/etc/inputrc:
  set show-all-if-ambiguous on
  set visible-stats on
  set mark-modified-lines on
  man bash

faillog:
  faillog -u dentonj -m 5
  man faillog

Make a backup of commonly trojaned commands:
  Note: Only do this after a fresh install. Making copies of already trojaned commands will just ruin your day. Otherwise, copy the commands from the "Live CD" that comes with the official version of Slackware.
  cd /root
  mkdir bin

  Copy the following to /root/bin:
    agetty     egrep       in.fingerd   killall    ps          tcpd
    basename   env         in.identd    login      pstree      top
    biff       explodepkg  in.pop3d     ls         removepkg   traceroute
    chfn       find        in.rlogind   lsattr     rpcinfo     upgradepkg
    chsh       getty       in.rshd      mail       sendmail    write
    crontab    gnu-pop3d   in.telnetd   makepkg    ssh
    date       gpm         in.timed     named      sshd
    dirname    grep        inetd        netstat    su
    du         hdparm      installpkg   passwd     syslogd
    echo       ifconfig    kill         pidof      tar

  cd /root/bin
  md5sum * >> md5sum
  cd /root
  tar zcvf bin.tar.gz ./bin
  cp bin.tar.gz /dev/fd0
  The copy on the floppy is the one to trust: a copy that stays on the disk can be replaced along with the binaries it is meant to vouch for. When a binary looks suspect, compare its md5sum with the entry in the md5sum file from the floppy, and use the tools from /root/bin (or the floppy) rather than the ones in the PATH to do the comparing.

-- Program Hardening --

/etc/mail/sendmail.cf:
  Lines 220-221: comment out DaemonPortOptions
  Add:
    O DaemonPortOptions=Port=smtp,Addr=127.0.0.1, Name=MTA
  Line 178: O Helpfile=
  Line 227: O PrivacyOptions=goaway
  Line 356: O SmtpGreetingMessage=HI You look lost. Please return to your little corner of the internet.
  rm /etc/mail/helpfile
  man sendmail

/etc/ssh/ssh_config:
  Host *
    ForwardAgent no
    ForwardX11 no
    RhostsAuthentication no
    RhostsRSAAuthentication no
    RSAAuthentication yes
    PasswordAuthentication yes
    FallBackToRsh no
    UseRsh no
    BatchMode no
    CheckHostIP yes
    StrictHostKeyChecking no
    IdentityFile ~/.ssh/identity
    IdentityFile ~/.ssh/id_dsa
    IdentityFile ~/.ssh/id_rsa
    Port 22
    Protocol 2
    Cipher blowfish
    Compression yes
    CompressionLevel 6
    KeepAlive no
    EscapeChar ~
  man ssh
  Notes: "Cipher" only selects the protocol 1 cipher; with "Protocol 2" the cipher list is set with "Ciphers", so the line above has no effect on the connections this config actually makes. "StrictHostKeyChecking no" adds unknown host keys to known_hosts without asking, so the first connection to any host is never verified; "ask" (the default) or "yes" is the safer setting.

/etc/ssh/sshd_config:
  Port 22
  Protocol 2
  ListenAddress 192.168.1.1
  # HostKey for protocol version 1
  #HostKey /etc/ssh/ssh_host_key
  # HostKeys for protocol version 2
  HostKey /etc/ssh/ssh_host_rsa_key
  HostKey /etc/ssh/ssh_host_dsa_key
  # Lifetime and size of ephemeral version 1 server key
  #KeyRegenerationInterval 3600
  #ServerKeyBits 768
  # Logging
  SyslogFacility AUTH
  LogLevel INFO
  # Authentication:
  LoginGraceTime 600
  PermitRootLogin no
  StrictModes yes
  PasswordAuthentication yes
  PermitEmptyPasswords no
  #RSAAuthentication yes
  PubkeyAuthentication yes
  #AuthorizedKeysFile %h/.ssh/authorized_keys
  RhostsAuthentication no
  IgnoreRhosts yes
  RhostsRSAAuthentication no
  HostbasedAuthentication no
  IgnoreUserKnownHosts yes
  AllowUsers dentonj
  X11Forwarding no
  X11DisplayOffset 10
  AllowTcpForwarding yes
  PrintMotd yes
  PrintLastLog no
  KeepAlive no
  #UseLogin no
  Banner /etc/issue.net
  ReverseMappingCheck yes
  Subsystem sftp /usr/libexec/sftp-server
  man sftp
  man sftp-server
  man sshd

-- Security Programs/Scripts --

Install the following programs:
  Accton
  AIDE
  Chkrootkit
  Iplog
  Kernel patches (only apply one):
    Openwall Patch
    GRSecurity
  lcap
  libsafe
  LogSentry
  lsof
  Nessus
  nmap
  PortSentry
  rc.firewall
  Snort
  sXid

Accton:
  http://packages.debian.org/unstable/admin/acct.html
  acct-6.3.5-29
  mkdir /var/account
  touch /var/account/pacct
  touch /var/account/savacct
  touch /var/account/useracct

AIDE:
  http://www.cs.tut.fi/~rammer/aide.html
  /etc/aide.conf:
    database=file:///etc/aide.db
    database_out=file:///etc/aide.db.new
    /boot R
    /dev R
    /etc R
    /bin R
    /opt R
    /sbin R
    /usr R
    /var R
    /var/spool/cron R
    !/var/account
    !/var/log
    !/var/run
    !/var/spool
  chattr +i /etc/aide.conf
  chattr +i /etc/aide.db
  Keep a copy of aide.db on the same floppy as bin.tar.gz; a database that only exists on the host can be regenerated by whoever trojans the files it describes.

Chkrootkit:
  http://www.chkrootkit.org
  Install the following to /usr/local/sbin/:
    chklastlog
    chkproc
    chkrootkit
    chkutmp
    ifpromisc

Iplog:
  http://ojnk.sourceforge.net
  touch /var/log/iplog
  mkdir /var/run/iplog
  /etc/iplog.conf:
    user nobody
    group nobody
    pid-file /var/run/iplog/iplog.pid
    logfile /var/log/iplog
    facility log_daemon
    priority log_info
    set log_ip true
    set log_dest true
    set ignore_dns true
    interface eth0
    set frag true
    set smurf true
    set bogus true
    set fin_scan true
    set syn_scan true
    set udp_scan true
    set portscan true
    set xmas_scan true
    set null_scan true
    set traceroute true
    set fool_nmap true
    set syn_flood true
    set ping_flood true
    set verbose true
    ignore tcp dport 80

Kernel:
  Disable Loadable Kernel Module support.
  Patch with one of the following patches.
Openwall Patch:
  Currently for 2.0.x and 2.2.x kernels. A beta version is available for 2.4.x kernels.
  http://www.openwall.com/linux/
  Patch the kernel and compile with all of the patch's options enabled.

GRSecurity Patch:
  For 2.4.x kernels. I have not been impressed with this patch, so use it at your own discretion.
  http://www.grsecurity.net

LCAP:
  Supposedly this will work without having to install LIDS.
  http://pw1.netcom.com/~spoon/lcap
  bzip2 -cd lcap-0.0.6.tar.bz2 | tar xvf -
  cd lcap-0.0.6
  gcc -o lcap lcap.c
  cp lcap /usr/local/sbin
  cp lcap.8 /usr/local/man/man8

LibSafe:
  http://www.avayalabs.com/project/libsafe/index.html
  /etc/ld.so.preload:
    /lib/libsafe.so.2
  /etc/libsafe.exclude

/usr/local/sbin/logit:
  Straight from TrinityOS. Add the following:
    tail -f /var/log/messages&
    tail -f /var/log/access_log&
    tail -f /var/log/cron&
    tail -f /var/log/iplog&
    tail -f /var/log/loginlog&
    tail -f /var/log/mail&
    tail -f /var/log/proftpd.log&
    tail -f /var/log/secure&
    tail -f /var/log/sulog&
    tail -f /var/log/syslog&
    tail -f /var/log/apache/access_log&
    tail -f /var/log/apache/error_log&

LogSentry:
  http://www.psionic.com/products/logsentry.html

lsof:
  http://freshmeat.net/projects/lsof

Nessus:
  http://www.nessus.org

NMAP:
  http://www.insecure.org/nmap/index.html

PortSentry:
  I noticed that PortSentry didn't always log FIN or NULL scans, so I now use Iplog.
  http://www.psionic.com/products/portsentry.html

rc.firewall:
  This is one of the ipchains packet filter scripts that I've put together. Don't ask me about iptables. If you want a stateful packet filter, you should really be running OBSD.
  http://www.c2i2.com/~dentonj/rc.firewall.example

Seccheck_slack:
  Install

Snort:
  http://www.snort.org

sXid:
  ftp://marcus.seva.net/pub/sxid/

The following is a script that I add to the beginning of /etc/profile. While the script is a nice idea, it's very easy for someone to avoid. I've never had any of my systems cracked since I've started using it, so I have no idea if this script will actually stop anyone.
It would most likely catch someone in the act, after they exploited a security hole, but before the system has been r00ted. A r00ted system wouldn't even bother reading /etc/profile.

-- Begin script added to /etc/profile --

# Kick and ban users that are UID 0 but are NOT root!
if [ `id -u` = "0" -a "$USER" != "root" ]; then
  # Lock the user out
  passwd -l $USER

  # Save some info
  date >> /root/SHIT
  netstat -apent >> /root/SHIT
  ps auxww >> /root/SHIT
  w >> /root/SHIT
  w | mail -s "$USER has gained ROOT access" root@localhost

  # Let EVERYONE know
  wall << EOF
***********************************************************
$USER has gained ROOT access!!!
***********************************************************
EOF
  for i in `ls /dev/pts/`; do
    echo -e "\n$USER has gained ROOT access!!\n" >> /dev/pts/$i
  done

  # Log it (logger -f would log a file's contents instead of the message, so it is not used)
  logger -is "$USER has gained ROOT access!!"

  # Let the luzer know
  echo -e "\a\n\n You are _NOT_ root!!\n\n\a"

  # Kill the user and his processes
  skill -9 -u $USER
  ifconfig eth0 down

  # This should be redundant
  logout
  exit
fi

# Attempt to catch those that su
alias su="su -"

-- End script added to /etc/profile --
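The trap above only fires when an extra UID 0 account starts an interactive login shell. The script below is an added example, not code from the original page, and complements both that trap and the /etc/passwd and /etc/shadow clean-up in the Limit Access section: it walks the account files themselves and reports every UID 0 account other than root, every account whose shadow password field is empty, and every system account that still has a real login shell instead of /bin/false. The paths and the UID cut-off are parameters so it can be run against copies as well as the live files; the passwd and shadow files it creates are constructed sample input, not copied from any real host, and the hashes in them are placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: static audit of passwd/shadow
# style files. The hashes in the sample below are placeholders, not real ones.

# extra_uid0 PASSWD -> names of UID 0 accounts other than root
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# empty_passwords SHADOW -> accounts whose password field is empty
# (no password at all; "*" and "!" are locked, not empty, and are fine)
empty_passwords() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# system_accounts_with_shell PASSWD MINUID -> "name:shell" for every account
# with a UID below MINUID whose shell is neither /bin/false nor /sbin/nologin.
# root is expected to keep a shell and is skipped.
system_accounts_with_shell() {
    awk -F: -v min="$2" \
        '$3 < min && $1 != "root" && $7 != "/bin/false" && $7 != "/sbin/nologin" {
            print $1 ":" $7
        }' "$1"
}

# account_audit PASSWD SHADOW MINUID
# Prints tagged findings (uid0:, nopass:, shell:); returns 0 when there are none, 1 otherwise.
account_audit() {
    findings=$( {
        extra_uid0 "$1" | sed 's/^/uid0:/'
        empty_passwords "$2" | sed 's/^/nopass:/'
        system_accounts_with_shell "$1" "$3" | sed 's/^/shell:/'
    } )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample files (not from a real host). "toor" is a second UID 0
# account, "lp" has no password and still has /bin/sh as its shell.
sample_passwd=$(mktemp)
sample_shadow=$(mktemp)
cat > "$sample_passwd" <<'EOF'
root:x:0:0::/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
toor:x:0:0:backup root:/root:/bin/sh
nobody:x:99:99:nobody:/:/bin/false
dentonj:x:1000:100::/home/dentonj:/bin/bash
EOF
cat > "$sample_shadow" <<'EOF'
root:$1$placeholder$xxxxxxxxxxxxxxxxxxxxxx:11800:0:30:7:::
bin:*:11800:0:99999:7:::
daemon:*:11800:0:99999:7:::
lp::11800:0:99999:7:::
toor:$1$placeholder$xxxxxxxxxxxxxxxxxxxxxx:11800:0:99999:7:::
nobody:*:11800:0:99999:7:::
dentonj:$1$placeholder$xxxxxxxxxxxxxxxxxxxxxx:11800:0:30:7:::
EOF

# On the real system: account_audit /etc/passwd /etc/shadow 100
account_audit "$sample_passwd" "$sample_shadow" 100 || echo "account audit: findings above"
```

On the sample files this prints uid0:toor, nopass:lp, shell:lp:/bin/sh and shell:toor:/bin/sh and exits 1. Run it from the root crontab next to the chkrootkit and AIDE jobs and mail the output; unlike the /etc/profile trap it does not depend on the intruder logging in.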