Linux - Misc

Two NICs (network interface cards) per server machine.

At least one server with only a private, non-routable IP address to act as a log server. Every other server runs a log client that reports to it, so an attacker who compromises a host cannot simply edit the local logs. The standard logging software on Unix is syslog; consider Splunk as well.

Set the boot loader (lilo, grub) to require a password.

Set the BIOS to disable booting from floppy and to require a password.

Never create a .rhosts file for root.

/etc/securetty lists the terminals from which root may log in directly.

Edit /etc/fstab to mount /home and /var with nosuid, nodev and noexec (noexec can break packages that run helpers from /var; test before relying on it).

Review /etc/exports (the NFS export list): export only what is needed, only to named hosts, read-only where possible.

Configure the default umask.

Edit /etc/security/limits.conf (read by pam_limits):

@users hard core 0        # prohibit creation of core files
@users hard nproc 50      # restrict each user to 50 processes
@users hard rss 5000      # restrict resident memory to 5000 KB (about 5 MB); note the rss limit is ignored by Linux kernels 2.4.30 and later

/var/log/wtmp and /var/run/utmp (on older systems /var/log/utmp) contain the login records for all users. These files should have permission 644 so that ordinary users cannot edit them to hide a login.

Set the immutable bit (chattr +i) on critical files to prevent accidental deletion or modification, and to prevent someone from replacing them with a symbolic link. See the chattr(1) man page for details on the immutable bit.

Check for SUID and SGID programs (4000 is the setuid bit, 2000 the setgid bit):

find / -type f \( -perm -4000 -o -perm -2000 \) -ls

You can remove the SUID and SGID bits from suspicious programs with chmod.

To find all world-writable files on your system (symbolic links are skipped because their own mode is always 777):

find / -perm -2 ! -type l -ls

To find files that have no owner or no group (the uid or gid no longer exists in /etc/passwd or /etc/group; the parentheses are needed so -print applies to both tests):

find / \( -nouser -o -nogroup \) -print

To find .rhosts files in home directories (they grant password-less rlogin/rsh trust):

find /home -name .rhosts -print
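The following is an added example, not part of the original page: it builds a small constructed directory tree containing the kinds of files the find commands above hunt for (a setuid and a setgid program, a world-writable file and directory, a dangling symlink, a .rhosts file) and runs the same find expressions against it, each wrapped in a function so it can be pointed at any root. Paths, file names and the scratch location under $TMPDIR are assumptions for the demo; the -nouser/-nogroup check is included for completeness but finds nothing in a tree we just created ourselves.

```shell
#!/bin/sh
# Added example (not from the original page): exercise the file-permission
# audit commands against a constructed sample tree.
set -eu

# Build a constructed sample tree under a scratch directory we own
# (assumption: ${TMPDIR:-/tmp} is writable). Prints the tree root.
make_sample_tree() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/hardening-audit.XXXXXX")
    mkdir -p "$dir/usr/bin" "$dir/home/alice" "$dir/tmp"
    printf '#!/bin/sh\necho hi\n' > "$dir/usr/bin/suid_tool"
    chmod 4755 "$dir/usr/bin/suid_tool"         # setuid program
    printf '#!/bin/sh\n' > "$dir/usr/bin/sgid_tool"
    chmod 2755 "$dir/usr/bin/sgid_tool"         # setgid program
    printf 'data\n' > "$dir/tmp/scratch.txt"
    chmod 0666 "$dir/tmp/scratch.txt"           # world-writable file
    chmod 1777 "$dir/tmp"                       # world-writable (sticky) directory
    printf '+ +\n' > "$dir/home/alice/.rhosts"  # "trust everyone" .rhosts
    ln -s /nonexistent "$dir/tmp/dangling"      # symlink: mode 777 but not a real file
    printf '%s\n' "$dir"
}

# setuid (4000) or setgid (2000) regular files under $1
audit_suid_sgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# world-writable entries under $1, skipping symlinks (their mode is always 777)
audit_world_writable() {
    find "$1" -perm -2 ! -type l -print
}

# entries whose uid or gid has no passwd/group entry; parentheses keep -print
# applying to both tests
audit_unowned() {
    find "$1" \( -nouser -o -nogroup \) -print
}

# .rhosts files in home directories under $1/home
audit_rhosts() {
    find "$1/home" -name .rhosts -print
}

# Example run against the constructed tree, then clean up.
root=$(make_sample_tree)
echo "== setuid/setgid files =="; audit_suid_sgid "$root"      # 2 entries
echo "== world-writable entries =="; audit_world_writable "$root"  # tmp dir and scratch.txt
echo "== unowned files =="; audit_unowned "$root"               # nothing: we own everything
echo "== .rhosts files =="; audit_rhosts "$root"                # 1 entry
rm -rf "$root"
```

On a real system run the functions with / (or /home) as the argument, and expect the setuid list to be long: compare it against the package manager's file list and strip the bit from anything not accounted for.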

Set umask to 077 in /etc/profile and remove group and world write permission from the skeleton files in /etc/skel. Be sure root's umask is 077 as well. With umask 077 a newly created directory gets mode 700 and a newly created file mode 600 (with the common default of 022 they would get 755 and 644).
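As an added example (not from the original page), the following shell function creates a directory and a file under a given umask in a scratch location and reports the resulting modes, which confirms the 700/600 figures for umask 077 against the 755/644 you get with 022. The scratch path under $TMPDIR and the GNU/BSD stat fallback are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original page): show the modes that a given
# umask actually yields for a new directory and a new file.
set -eu

# Octal permission bits of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# created_modes UMASK -> "DIRMODE FILEMODE" for a directory and a file
# created under that umask. Assumption: ${TMPDIR:-/tmp} is writable; the
# scratch directory is removed afterwards. The umask is set in a subshell so
# the caller's umask is untouched.
created_modes() {
    scratch=$(mktemp -d "${TMPDIR:-/tmp}/umask-demo.XXXXXX")
    (
        umask "$1"
        mkdir "$scratch/newdir"     # mkdir requests 0777, umask strips bits
        : > "$scratch/newfile"      # a plain file is requested as 0666
    )
    printf '%s %s\n' "$(mode_of "$scratch/newdir")" "$(mode_of "$scratch/newfile")"
    rm -rf "$scratch"
}

created_modes 077   # 700 600: owner-only, what /etc/profile should set
created_modes 022   # 755 644: the permissive default most distributions ship
```

The 077 line is what you want for interactive users and for root; the 022 line shows why files in /etc/skel copied under the default umask start out world-readable.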

Set the sticky bit on the world-writable directory /tmp. With the sticky bit set on a directory, a file in it may be deleted or renamed only by the file's owner, the directory's owner, or root, even though everyone has write access to the directory.

SGID on a directory (chmod g+s): files created in this directory inherit the directory's group rather than the creator's primary group.

System configuration files (usually in /etc) should be owned by root and typically mode 640 (644 where unprivileged programs must read them).

Services and commands commonly used by attackers for reconnaissance (disable or restrict them): finger, showmount, rpcinfo, whois, smtp, ftp, uucp

The classic break-in an open NFS export allows (the export is mountable by anyone and exported without root squashing), which is why /etc/exports must be audited:

rusers -l
showmount -e victim.com
mount victim.com:/export/foo /foo
cd /foo
echo 'guest:x:1000:1:temporary breakin account:/:' >> etc/passwd

Never leave any system file writable by group or others. Some system files (including /etc/shadow) should be readable only by root, and directories under /etc should not be accessible by others.

Integrity checkers, intrusion detection and vulnerability scanners: snort, Tripwire, AIDE, Osiris, SATAN, COPS, tiger, ISS

Review /etc/inetd.conf (the services inetd starts) and /etc/services (the port-to-service-name mapping).

Disable rsh, rlogin and rcp (the login, shell and exec entries) in /etc/inetd.conf.

Check the startup scripts in /etc/rc.d/rc[0-9].d for services that should not be started.

Use netstat -ta to list all TCP sockets, including the listening ones, i.e. the services your machine is offering.

Use software such as SystemImager (see Tools) to make installation and deployment of new servers easier and reproducible.

Run identd only if you need it, and block all requests except those from your own hosts.

Remove NFS if it is not needed.

SATAN from metalab
ISS
Abacus
SAINT
Nessus
Crack and John the Ripper
http://www.l0pht.com
http://www.false.com/security/john/index.html
http://www.rootshell.com
http://csrc.nist.gov/nistpubs/800-10/main.html
http://www.rustcorp.com/linux/ipchains/HOWTO.html

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License