###########################################################################
#                             Security Notes                              #
#                                                                         #
#                  Anuradha Weeraman, 24 September 2002                   #
#                                                                         #
#   $Id: security-notes.txt,v 1.1 2004/06/02 21:17:54 anuradha Exp $      #
###########################################################################

-----
patching redhat

download all recent patches to a directory, e.g. /tmp/patches, and use the
'freshen' option of rpm (-F); this upgrades a package only if an older
version of it is already installed on the machine:

rpm -Fvh /tmp/patches/*
----------

-----
umask

change the default umask in /etc/profile to 027 (rwxr-x---).
----------

-----
init scripts

only root should be able to read, write and execute the /etc/init.d scripts:

chmod 770 /etc/init.d/*
----------

-----
bios

enable the BIOS password and disable booting from floppy.
----------

-----
passwd

passwords in some old distributions were only significant to 8 characters,
so 'anuradha' and 'anuradhaweeraman' were the same password to unix. most
new distributions have fixed this problem.
----------

-----
/tmp

enable the sticky bit, if not already set:

chmod 1777 /tmp
----------

-----
ctrlaltdel

disable ctrl-alt-del rebooting by commenting out the ctrlaltdel line in
/etc/inittab and telling init to re-read the file with:

init q
----------

-----
necessary tools

vlock - for locking the terminals without having to log out.
----------

-----
services

remove unnecessary services from the startup runlevel directory (SysV) or
comment out unused services in the /etc/rc.d files (BSD). it's safer to
just get rid of the package altogether.

get rid of unused services in /etc/inetd.conf, or set 'disable = yes' in
the files for unused services in the /etc/xinetd.d directory.
----------

-----
tcp/wrappers

tighten access control by editing:

/etc/hosts.allow
/etc/hosts.deny

do NOT use DNS names for the hosts, as DNS can be spoofed; use IP addresses
instead. tcp wrappers have advanced logging features and can be configured
to log, mail or notify the admin of possible attempts. see chapter 8 of
TrinityOS.
----------
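as an added example (not part of the original notes), a small lint for /etc/hosts.allow that reports client entries written as DNS names instead of IP addresses, which is the mistake the tcp/wrappers section warns about. the function names and the sample file it writes are constructed for this example; run it against the real file as `./lint.sh /etc/hosts.allow`.

```shell
#!/bin/sh
# Added example, not part of the original notes: report tcp wrappers client
# entries that are host names rather than IP addresses or address/netmask
# pairs. Function names and the sample file are constructed for this example.

# lint_hosts_allow FILE
# prints "FILE:LINE: token" for every client token that is not an address
# or one of the tcp wrappers wildcards; no output means the file is clean.
lint_hosts_allow() {
    awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
        NF >= 2 {
            n = split($2, toks, /[ \t,]+/)          # second field is the client list
            for (i = 1; i <= n; i++) {
                t = toks[i]
                if (t == "") continue
                if (t ~ "^[0-9./]+$") continue      # dotted quad, prefix or addr/netmask
                if (t ~ "^(ALL|LOCAL|KNOWN|UNKNOWN|PARANOID|EXCEPT)$") continue
                print FILENAME ":" NR ": " t        # anything else is a name, so DNS-dependent
            }
        }' "$1"
}

# write_sample_hosts_allow FILE
# constructed sample: one address-only rule and two rules that rely on DNS.
write_sample_hosts_allow() {
    cat > "$1" <<'EOF'
# constructed sample hosts.allow
sshd: 192.168.1.0/255.255.255.0, 10.0.0.5
in.ftpd: admin.example.com
ALL: .example.com EXCEPT 10.0.0.99
EOF
}

# run against the file named on the command line, e.g. ./lint.sh /etc/hosts.allow
if [ -n "${1:-}" ]; then
    lint_hosts_allow "$1"
fi
```

on the constructed sample the lint reports line 3 (admin.example.com) and line 4 (.example.com); the address-only sshd rule and the EXCEPT wildcard pass. the same check is worth running on /etc/hosts.deny, since a name-based deny rule is bypassed just as easily by a spoofed reverse lookup.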
-----
anonymous ftp

disable anonymous ftp by editing /etc/ftpaccess and removing the 'guest'
and 'anonymous' entries.
----------

-----
passwd

make sure shadow passwords are enabled. pwconv and pwunconv can be used to
create and remove the shadow password file. make sure PAM uses MD5 for
hashing the passwords by editing /etc/pam.d/passwd and appending 'md5' to
the password line.
----------

-----
telnet/ssh

disable root telnet and ssh logins. if you do need to log in remotely as
root, add the terminal devices to /etc/securetty:

/dev/ttyp0
/dev/ttyp1
/dev/ttyp2

if you are using DevFS:

vc/1
vc/2
----------

-----
ftp

disable root ftp access by adding 'root' to /etc/ftpusers.
----------

-----
cron

disable unnecessary crontab entries in the /etc/cron.* directories. remove
the whole package if it isn't being used.
----------

-----
permissions

be restrictive when it comes to file permissions. don't allow access to
anything that might be suspect. make sure there aren't any suid programs
that run as root and are writable by any other user. list all setuid and
setgid files with:

find / -type f \( -perm -04000 -o -perm -02000 \) -ls
----------

-----
R-commands

keep an eye out for R-command files. they are extremely bad practice and
ssh should be used in their place. either weed out .rhosts files
periodically using:

find /home -name "*.rhosts" -exec rm -f {} \;

or create an .rhosts file in every home directory that is owned by root,
not writable by anybody else, and empty.
----------
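as an added example (not part of the original notes), two audit helpers that turn the checks in the 'permissions' and 'R-commands' sections into something you can run from cron: one narrows the setuid/setgid listing down to the dangerous case the notes describe (root-owned and writable by group or others), the other reports .rhosts files that are not in the neutralised empty-and-unwritable form. the function names are constructed; on a real host run it as `./audit.sh / /home`.

```shell
#!/bin/sh
# Added example, not part of the original notes: two audit helpers covering
# the 'permissions' and 'R-commands' sections. Function names are constructed;
# on a real host run them against / and /home, as in the usage at the bottom.

# audit_setid ROOT [OWNER]
# list setuid/setgid files under ROOT owned by OWNER (default root) that are
# also writable by group or others - the combination the notes warn about.
# -xdev keeps the search on one filesystem, so /proc and NFS mounts are skipped.
audit_setid() {
    find "$1" -xdev -type f -user "${2:-root}" \
        \( -perm -04000 -o -perm -02000 \) \
        \( -perm -020 -o -perm -002 \) -print 2>/dev/null
}

# audit_rhosts HOME_ROOT
# report every .rhosts under HOME_ROOT that is non-empty or writable by
# anyone but its owner. an empty .rhosts that nobody else can write to is the
# neutralised form the notes suggest, so it is not reported. on a real host
# add '-o ! -user root' inside the parentheses to also catch user-owned files.
audit_rhosts() {
    find "$1" -xdev -type f -name .rhosts \
        \( -size +0c -o -perm -020 -o -perm -002 \) -print 2>/dev/null
}

# usage: ./audit.sh / /home
if [ -n "${1:-}" ]; then
    echo "== setid binaries writable by group or others under $1"
    audit_setid "$1"
    echo "== risky .rhosts files under ${2:-/home}"
    audit_rhosts "${2:-/home}"
fi
```

both functions print nothing on a clean host, which makes them easy to wire into a nightly job that mails any output to the admin. the owner argument to audit_setid exists so the check can be exercised on a test tree owned by an ordinary user; in production leave it at the default root.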