Page 1: Hardening Linux, by Gregg Rosenberg and Lee Leahu (3/7/2014)

Slide # 1

Hardening Linux Copyright © 2005 RICIS, Inc.™ and Uniforum

By Gregg Rosenberg and Lee Leahu

Hardening Linux

Slide # 2

Contact Information

RICIS, Inc.

8018 Mallow Drive

Tinley Park IL 60477-2697

866-742-4777 Voice

708-444-2690 Voice

866-997-4247 Fax

708-444-2697 Fax

Gregory D. Rosenberg

[email protected]

Lee Leahu

[email protected]

Slide # 3

What You Will Learn

• A review of basic security principles

• An overview of Common Criteria security certifications

• An introduction to hardening servers reasonably close to the CC EAL 4+ security assurance level.

Slide # 4

Achieving a State of Security

• Identify the assets you want to protect

• Identify the risks to those assets

• Identify who accesses the assets and how

• Establish checks and balances

• Develop enforceable security policies

• Use a layered approach

• Plan for disasters

• Get management's sign-off

Slide # 5

Why Security Policies Fail

• They impair user productivity

• No or insufficient user education

• No policies for handling the unexpected

• No support from management

• Security policies are not enforced

• Lax monitoring & auditing practices

• Users having too many privileges

Slide # 6

The Real Threat

• Non-malicious damage resulting from:

– Human error

– Denial of service

– Inappropriate disclosure

• Policy breakdown:

– Key under the doormat

– Checks and balances bypassed

– Rogues on your network

Slide # 7

The Basic Security Tenet

Deny all except that which is specifically permitted

Slide # 8

Security Policy Lifecycle

1. Identify the assets you are protecting

2. Assess risk to those assets

3. Develop security policy

4. Implement and test the security policy

5. Educate your user population

6. Monitor and enforce security policy

7. Audit security policy, go back to step 1

Slide # 9

Evaluation Criteria

• TCSEC (aka Orange Book)

• FIPS 140

• Common Criteria

• SSE-CMM

Slide # 10

CC Evaluation Assurance Levels

• EAL 1: Functionally tested

• EAL 2: Structurally tested

• EAL 3: Methodically tested and checked

• EAL 4: Methodically designed, tested, reviewed

• EAL 5: Semi-formally designed and tested

• EAL 6: Semi-formally verified design and tested

• EAL 7: Formally verified design and tested

Slide # 11

Planning for Disasters

• Securely install your operating system

• Accurate time source

• Know every file on your system

• Validate system integrity

• Centralize logging

• Monitor and audit your system regularly

• Documentation and procedures

• Emergency response team

• Backup, backup, backup (make sure you test your restore procedures periodically)

Slide # 12

Linux Security Certifications

• SUSE Linux Enterprise Server achieves:

– CC EAL 2 in August 2003 (SLES8)

– CC EAL 3+ in December 2003 (SLES8)

– CC EAL 4+ in December 2004 (SLES9)

– CC EAL 5 in March 2005 (SLES9)

• Red Hat Linux is nearly a year behind SUSE LINUX, but catching up fast

• IBM, HP, and others are helping both

Slide # 13

Overview of Security Functions

• Identification and authentication

• Audit

• Object reuse

• Discretionary Access Control

• Security management and system protection

• Secure communication

Slide # 14

Identification and Authentication

• Pluggable Authentication Module (PAM)

• OpenSSH

• vsftpd

• su

• sudo

Slide # 15

Linux Auditing Subsystem (LAUS)

• The audit subsystem was implemented by the SUSE Security Team members Olaf Kirch and Thomas Biege

• The audit subsystem is intended to be the central interface for collecting and viewing the record of security relevant events

• All authentication done through the PAM library is recorded, including the identity and location of the user and the success or failure result.

Slide # 16

Linux Auditing Subsystem (2)

• Use of su to change identity. All actions done as part of a su session are marked in the audit record with the original user's login user ID.

• Adding, changing, or deleting users or groups

• Changes and change attempts to the contents of security critical files

• Changes to the access permissions or ownership of any files or IPC objects

• Binding network ports and accepting connections

Slide # 17

Discretionary Access Control

• Linux is a multi-user operating system. You can control which other users will be able to read or modify your files by setting the Unix permission bits and user/group IDs.

• You can achieve more precise control using POSIX-style access control lists (ACLs).

• The administrators (’root’) are able to override these permissions and access all files on the system.

• Use of encryption is RECOMMENDED for additional protection of sensitive data.

Slide # 18

Object Reuse

• The kernel automatically ensures that new objects (disk files, memory, IPC) do not contain any traces of previous contents.

Slide # 19

Installation Considerations

• Ensure the hardware clock is accurately set to the current date, time, and time zone.

• Install the latest system BIOS and firmware

• Ensure that all hardware interfaces or devices that are not required are disabled in BIOS

• Password protect BIOS and boot menus

• Consider using a remote management solution and losing the keyboard and mouse

• Carefully consider disk controllers / spindles

Slide # 20

Installation Considerations (2)

• Carefully plan your partition layout before beginning your base operating system installation

• Verify your installation source is authentic

• Build and harden the system before plugging it into your network

• You can also build from a package distribution server if you and it are on a trusted internal network

• Do a less than minimum installation

• Do not install a GUI

Slide # 21

Example MD5 Checksums

• SLES-9-i386-RC5-CD1.iso cc419d86f3f5ff99395ca4de9d967600

• SLES-9-i386-RC5-CD2.iso 86e97184aae42ba6013ea7460372ffe5

• SLES-9-i386-RC5-CD3.iso f880b3ba92fc43add18259c9437f648d

• SLES-9-i386-RC5-CD4.iso bc7b88f34a8142bacbdd4d1fddd3fc50

• SLES-9-i386-RC5-CD5.iso 7844c76fc9f39a2af9ef6751ec18af60

• SLES-9-i386-RC5-CD6.iso 9e0fdd835e52f53906dff110515eb002

Slide # 22

Partition Layout

• /boot 128MBs

• SWAP 1GBs => 1 to 1.5 times the amount of physical memory or more

• / Size as required (e.g. 12GBs)

• /tmp 512MBs, size as required

• /home 512MBs, size as required

• /var Size as required (e.g. 4GBs)

• /var/log Size as required (e.g. 20GBs)

Slide # 23

Partition Layout (2)

• Although it violates the rules:

– /usr Size as required (e.g. 4GBs)

– /opt Size as required (e.g. 2GBs)

• Set file system type to ext3, although xfs is considered more secure by many.

• In fstab options, enable Access Control Lists; optionally enable "No access times", "Mount read-only", and "Extended User Attributes" as required.

Slide # 24

Trusted, Tolerated, and Unknown Software

• Trusted software has been evaluated and can be well trusted.

• Tolerated software has been evaluated, but should be carefully considered before use.

• Unknown software is any other software you intend to install on the system that has not been formally evaluated.

Slide # 25

Additional Required Packages

• laus - The Linux Audit System

• laus-64bit - ONLY for ppc64 (pSeries, iSeries) systems

• pam-laus - Audit-enabled version of the PAM libraries

• The above packages should be installed after you finish the base minimum install.

• Star - Data archival tool with ACL support

Slide # 26

Recommended Packages

• texinfo - Info documentation viewer

• man-pages - Manual pages

• howtoenh - how-to documentation (HTML format)

• sles-admin_en - Administrator Manual

Slide # 27

Optional Packages

• lprng - Print spooler

• cups - May be a better choice, but it is not on the trusted or tolerated list.

• xinetd - XInetd (only used for vsftpd)

• vsftpd - FTP daemon (needs xinetd)

• stunnel - Set up encrypted SSL tunnels

There are additional packages on the trusted or tolerated list that can be installed.

Slide # 28

Hardware

• Any storage devices and backup devices supported by the operating system, but not USB storage devices

• All Ethernet and Token Ring network adapters supported by the operating system

• You can use a USB keyboard and mouse, as long as they are installed before booting the system.

• Any printers supported by the operating system

• Operator console consisting of a keyboard, video monitor, and optionally mouse, as well as a serially attached terminal

– But not modems, ISDN cards, or other remote access terminals

Slide # 29

Installation

• Disconnect network cables

• Verify authenticity of installation source

• Boot from Service Pack 2 CD # 1

• Launch installer

• You may use text mode or a serial console

• Accept EULA

• Select English language

Slide # 30

Installation (2)

• On the "Installation Settings" screen:

– Select "New Installation" for mode

– Select appropriate keyboard

– Customize partitioning

– Select minimum software installation and add / remove additional packages discussed in the prior slides

• Keep default boot options (no other OS allowed)

Slide # 31

Installation (3)

• Keep hardware clock on UTC and select your local time zone

• Choose “Accept” to start installation

• The installer will reboot

• Secure boot settings in BIOS to HDD only

• Configure network interface with static IP, host name, default gateway, no DHCP

• Do not enable LDAP, use local only

Slide # 32

Secure Initial System Config

• Enable the SUSE Firewall 2 and only permit ssh. Later you can open other ports that are required.

• Set up /etc/hosts.allow to restrict access further.

• Lock down removable media (CD/DVD) devices by mounting them with: -t ISO9660 -o ro,nodev,nosuid,noauto

• Disable usbfs

• Disable all unneeded services

• Remove or rename links to their startup and shutdown scripts in /etc/init.d
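The mount-option guidance from the partition layout slides (ACLs in fstab) and the removable-media line above, as an added Python checker that is not part of the original slides: it parses a constructed fstab, flags iso9660 media missing ro,nodev,nosuid,noauto, user-writable partitions missing nodev/nosuid, and ext3/xfs filesystems without the acl option. The choice of /tmp, /home, /var and /var/log as the "writable" set is an assumption taken from the deck's partition list.

```python
"""Audit fstab mount options against the hardening guidance on these slides.

Added example (not from the original slides): flags removable media that is
not mounted ro,nodev,nosuid,noauto, user-writable partitions (/tmp, /home,
/var, /var/log) that lack nodev/nosuid, and ext3/xfs filesystems without the
'acl' option the deck recommends for POSIX ACLs.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample fstab; the /tmp and cdrom lines are deliberately weak.
SAMPLE_FSTAB = """\
# <device>   <mountpoint>  <type>   <options>                <dump> <pass>
/dev/sda1    /boot         ext3     acl,nodev,nosuid,noexec  1 2
/dev/sda2    swap          swap     defaults                 0 0
/dev/sda3    /             ext3     acl,user_xattr           1 1
/dev/sda5    /tmp          ext3     acl,noatime              1 2
/dev/sda6    /home         ext3     acl,nodev,nosuid         1 2
/dev/sda7    /var          ext3     acl,nodev,nosuid         1 2
/dev/sda8    /var/log      ext3     acl,nodev,nosuid,noexec  1 2
/dev/cdrom   /media/cdrom  iso9660  ro,noauto                0 0
proc         /proc         proc     defaults                 0 0
"""

REMOVABLE_REQUIRED: Set[str] = {"ro", "nodev", "nosuid", "noauto"}
WRITABLE_REQUIRED: Set[str] = {"nodev", "nosuid"}
WRITABLE_MOUNTS: Set[str] = {"/tmp", "/home", "/var", "/var/log"}  # assumption
ACL_FSTYPES: Set[str] = {"ext3", "xfs"}

FstabEntry = Tuple[str, str, str, Set[str]]  # device, mountpoint, fstype, options


def parse_fstab(text: str) -> List[FstabEntry]:
    """Return one entry per non-comment fstab line; blank and '#' lines are skipped."""
    entries: List[FstabEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; a production tool should report this
        device, mountpoint, fstype, opts = fields[:4]
        entries.append((device, mountpoint, fstype.lower(), set(opts.split(","))))
    return entries


def required_options(mountpoint: str, fstype: str) -> Set[str]:
    """Options the deck asks for on this mount point / filesystem type."""
    required: Set[str] = set()
    if fstype == "iso9660":
        required |= REMOVABLE_REQUIRED
    if mountpoint in WRITABLE_MOUNTS:
        required |= WRITABLE_REQUIRED
    if fstype in ACL_FSTYPES:
        required.add("acl")
    return required


def audit_fstab(text: str) -> Dict[str, List[str]]:
    """Map each non-compliant mount point to the sorted list of missing options."""
    findings: Dict[str, List[str]] = {}
    for _device, mountpoint, fstype, opts in parse_fstab(text):
        missing = required_options(mountpoint, fstype) - opts
        if missing:
            findings[mountpoint] = sorted(missing)
    return findings


def hardened_options(mountpoint: str, fstype: str, opts: Set[str]) -> str:
    """Return the option string with the deck's required options merged in."""
    return ",".join(sorted(opts | required_options(mountpoint, fstype)))


if __name__ == "__main__":
    for mount, missing in audit_fstab(SAMPLE_FSTAB).items():
        print(f"{mount}: missing {','.join(missing)}")
```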

Slide # 33

Secure Initial System Config (2)

• If not using NIS, remove NIS from the automount line in /etc/nsswitch.conf.

• It is a good idea to set up an NTP client to draw time from a reliable and accurate local time source.

• You can use the "ntpq -c peer" command to verify that time synchronization is working correctly.

Slide # 34

Secure Initial System Config (3)

• Install the optional CC EAL 4+ Security Update:

rpm -Uvh /root/rpm/certification-sles-ibm-eal4*.noarch.rpm

• Please check the file /usr/share/doc/packages/certification-sles-ibm-eal4/README-eal4.txt from the certification-sles-ibm-eal4.rpm for the latest errata information.

Slide # 35

Disable Services

• Disable the following services using the run level editor:

– nfs

– nfsboot

– powersaved

– ACPI modules

– slpd

– xdm (although it is not installed)

– fbset

Slide # 36

Disable Services (2)

• The system runlevel as specified in the 'initdefault' entry in /etc/inittab MUST BE '3'

• The following services are REQUIRED for runlevel 3: atd, audit, coldplug, cron, hwscan, network, random, syslog, rpmconfigcheck

• The following services are OPTIONAL for runlevel 3: hotplug, kbd, lpd, postfix, sshd, xinetd

– Disable usbfs

Slide # 37

Restricted Execution Environment

• Set up a chroot directory structure

• Enable chroot support for those services that can be chroot’d

• Some services can be installed into your chroot’d environment

Slide # 38

Remove SUID/SGID

• Remove SUID / SGID root settings from binaries:

find / \( ! -fstype ext3 -prune -false \) -o -type f \( -perm -4000 -o -perm -2000 \) -exec chmod u-s,g-s {} \; -print

• Make sure that /etc/sysconfig/security has the following two variables set:

– CHECK_PERMISSIONS=set

– PERMISSION_SECURITY="eal4"

• Then run "chkstat -set /etc/permissions.eal4" to set the needed SUID and SGID bits.

Slide # 39

Set User ID (SUID)

Only the following may have SUID bits set

• /bin/ping

• /bin/su

• /usr/bin/at

• /usr/bin/chage

• /usr/bin/chfn

• /usr/bin/chsh

• /usr/bin/crontab

• /usr/bin/gpasswd

• /usr/bin/lpq

• /usr/bin/lpr

• /usr/bin/lprm

• /usr/bin/lpstat

• /usr/bin/passwd

Slide # 40

Set Group ID (SGID)

The SGID bit MUST NOT be used to give group "root" privileges to any binary.

• /usr/sbin/postdrop - group "maildrop"

• /usr/sbin/postqueue - group "maildrop"

• /usr/sbin/utempter - group "tty"
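The SUID and SGID allow-lists from the last three slides, as an added Python audit that is not part of the original slides and is not SUSE's chkstat: it reports SUID files outside the slide 39 list, SGID-root files (forbidden above), and SGID files whose group differs from the slide 40 entry. The sample records are constructed; unlike the slide's find command, the live walker does not prune other filesystems.

```python
"""Audit SUID/SGID bits against the allow-lists on the SUID/SGID slides.

Added example, not from the original slides and not SUSE's chkstat.  The
sample records below are constructed; walk_records() gathers the same shape
of record from a real tree.
"""
import grp
import os
import stat
import sys
from typing import Dict, Iterable, List, Tuple

# The SUID allow-list exactly as the "Set User ID (SUID)" slide gives it.
ALLOWED_SUID = {
    "/bin/ping", "/bin/su", "/usr/bin/at", "/usr/bin/chage", "/usr/bin/chfn",
    "/usr/bin/chsh", "/usr/bin/crontab", "/usr/bin/gpasswd", "/usr/bin/lpq",
    "/usr/bin/lpr", "/usr/bin/lprm", "/usr/bin/lpstat", "/usr/bin/passwd",
}
# SGID binaries the "Set Group ID (SGID)" slide lists, with their required group.
ALLOWED_SGID = {
    "/usr/sbin/postdrop": "maildrop",
    "/usr/sbin/postqueue": "maildrop",
    "/usr/sbin/utempter": "tty",
}

FileRecord = Tuple[str, int, str]  # path, st_mode, owning group name


def classify(path: str, mode: int, group: str) -> List[str]:
    """Return the policy violations for one regular file."""
    problems: List[str] = []
    if mode & stat.S_ISUID and path not in ALLOWED_SUID:
        problems.append("unexpected SUID")
    if mode & stat.S_ISGID:
        if group == "root":
            problems.append("SGID root is forbidden")
        elif ALLOWED_SGID.get(path) != group:
            problems.append(f"unexpected SGID group {group}")
    return problems


def audit_records(records: Iterable[FileRecord]) -> Dict[str, List[str]]:
    """Audit (path, mode, group) records; directories are skipped because SGID
    on a directory only controls group inheritance, not privilege."""
    findings: Dict[str, List[str]] = {}
    for path, mode, group in records:
        if not stat.S_ISREG(mode):
            continue
        problems = classify(path, mode, group)
        if problems:
            findings[path] = problems
    return findings


def walk_records(root: str) -> Iterable[FileRecord]:
    """Yield records from a live tree; lstat() so symlinks are not followed."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            try:
                gname = grp.getgrgid(st.st_gid).gr_name
            except KeyError:
                gname = str(st.st_gid)  # unresolvable gid: keep the number
            yield full, st.st_mode, gname


# Constructed sample records (mode = file-type bits | permission bits).
SAMPLE_RECORDS: List[FileRecord] = [
    ("/bin/su", stat.S_IFREG | 0o4750, "trusted"),             # allowed SUID
    ("/usr/bin/passwd", stat.S_IFREG | 0o4755, "shadow"),      # allowed SUID
    ("/usr/bin/mount", stat.S_IFREG | 0o4755, "root"),         # SUID, not listed
    ("/usr/sbin/postdrop", stat.S_IFREG | 0o2755, "maildrop"), # allowed SGID
    ("/usr/bin/wall", stat.S_IFREG | 0o2755, "tty"),           # SGID, not listed
    ("/usr/local/bin/tool", stat.S_IFREG | 0o2755, "root"),    # SGID root
    ("/tmp", stat.S_IFDIR | 0o1777, "root"),                   # directory, ignored
]

if __name__ == "__main__":
    records = walk_records(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RECORDS
    for path, problems in sorted(audit_records(records).items()):
        print(f"{path}: {'; '.join(problems)}")
```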

Slide # 41

Disable root Login Over Network

• Login with user ID 0 ('root') MUST NOT be permitted over the network.

• Administrators MUST use an ordinary user ID to log in, and then use the /bin/su - command to switch identities.

• The restriction for direct root logins is enforced through two separate mechanisms.

• For network logins using ssh, the PermitRootLogin no entry in /etc/ssh/sshd_config MUST be set.

• Other logins use the pam_securetty.so PAM module in the /etc/pam.d/login file, which verifies that the terminal character device used is listed in the file /etc/securetty.

Slide # 42

Reminder Alias for su

• It is RECOMMENDED that you remind administrators of this by adding the following alias to the bash configuration file /etc/bash.bashrc.local that disables the pathless ’su’ command:

alias su="echo \"Always use '/bin/su -' (see Configuration Guide)\""

• This alias can be disabled for the root user in /root/.bashrc:

unalias su

Slide # 43

Update permissions for su

• The 'su' binary MUST be restricted to members of the 'trusted' group. This will be enforced both with PAM configuration (configured later) and the binary's permissions.

– chgrp trusted /bin/su

– chmod 4750 /bin/su

• You MUST have at least one user account other than ’root’ configured to be a member of the ’trusted’ group, otherwise system administration will ONLY be possible from the system console.

Slide # 44

Setting up ssh

• SSH protocol version 1 MUST be disabled.

• The ssh client MUST NOT be set up SUID root.

• The SSH server MUST be configured to reject attempts to log in as root.

• The permitted authentication mechanisms are per-user (nonempty) passwords and per-user RSA/DSA public key authentication. All other authentication methods MUST be disabled.

• The setting PAMAuthenticationViaKbdInt MUST be disabled, since this would otherwise circumvent the disabled root logins over the network.

Slide # 45

/etc/ssh/sshd_config

# Cryptographic settings. Disallow obsolete insecure protocol version 1, and hardcode a strong cipher.
Protocol 2
Ciphers aes256-cbc

# Configure password-based login. This MUST use the PAM library
# exclusively, and turn off the builtin password authentication code.
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication no
PermitRootLogin no
PermitEmptyPasswords no

# No other authentication methods allowed
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PubkeyAuthentication yes
RSAAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no

# Other settings, MAY change "X11Forwarding" to "yes"
X11Forwarding no
Subsystem sftp /usr/lib/ssh/sftp-server
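The sshd configuration from the two ssh slides, as an added Python checker that is not part of the original slides: it parses an sshd_config the way sshd does (keywords case-insensitive, first occurrence of a keyword wins, a Match block ends the global section) and reports each required directive whose effective value differs. The required values are taken from the slide above plus the PAMAuthenticationViaKbdInt MUST on the previous slide; the sample config is constructed with two drifts.

```python
"""Check an sshd_config against the settings the ssh slides require.

Added example, not from the original slides.  sshd applies the FIRST value it
sees for a keyword, so a hardened 'PermitRootLogin no' appended at the end of
a file is silently ignored if an earlier 'yes' exists; this checker mirrors
that rule instead of taking the last value.
"""
import re
from typing import Dict, List, Tuple

# Required directives from the deck's sshd_config slide and the slide before it.
REQUIRED: Dict[str, str] = {
    "protocol": "2",
    "usepam": "yes",
    "challengeresponseauthentication": "yes",
    "passwordauthentication": "no",
    "permitrootlogin": "no",
    "permitemptypasswords": "no",
    "ignorerhosts": "yes",
    "rhostsrsaauthentication": "no",
    "hostbasedauthentication": "no",
    "pubkeyauthentication": "yes",
    "rsaauthentication": "no",
    "kerberosauthentication": "no",
    "gssapiauthentication": "no",
    # OpenSSH 3.x keyword named on the slide; it MUST be disabled explicitly.
    "pamauthenticationviakbdint": "no",
}

# "Keyword value" or "Keyword=value"; sshd has no trailing comments.
_DIRECTIVE = re.compile(r"([A-Za-z0-9]+)\s*(?:=|\s)\s*(.*)")


def effective_settings(text: str) -> Dict[str, str]:
    """Return keyword -> first value seen, stopping at the first Match block."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break  # everything after is conditional, not a global setting
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def audit_sshd_config(text: str) -> List[Tuple[str, str, str]]:
    """Return (keyword, required, actual) for each deviation.  Unset keywords
    are reported too: OpenSSH defaults vary by version and the deck wants each
    of these set explicitly."""
    settings = effective_settings(text)
    findings: List[Tuple[str, str, str]] = []
    for key, wanted in REQUIRED.items():
        actual = settings.get(key, "<unset>")
        if actual.lower() != wanted:
            findings.append((key, wanted, actual))
    return findings


# Constructed sample: a stale 'PermitRootLogin yes' precedes the hardened line,
# and PAMAuthenticationViaKbdInt was never set.
SAMPLE_CONFIG = """\
Protocol 2
Ciphers aes256-cbc
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication no
PermitRootLogin yes
PermitRootLogin no
PermitEmptyPasswords no
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PubkeyAuthentication yes
RSAAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
X11Forwarding no
Subsystem sftp /usr/lib/ssh/sftp-server
"""

if __name__ == "__main__":
    for key, wanted, actual in audit_sshd_config(SAMPLE_CONFIG):
        print(f"{key}: required {wanted}, effective {actual}")
```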

Slide # 46

Setting up the Audit Subsystem

• Setting up the audit configuration files

• For all platforms, it is RECOMMENDED to use the following settings in the /etc/sysconfig/audit file:

AUDIT_ALLOW_SUSPEND=1
AUDIT_ATTACH_ALL=0
AUDIT_MAX_MESSAGES=1024
AUDIT_PARANOIA=0

• The laus package by default installs these files with the RECOMMENDED contents:

/etc/audit/audit.conf
/etc/audit/filter.conf
/etc/audit/filesets.conf

• Make auditd start at boot: insserv audit

Slide # 47

Ensure PAM is Audit Enabled

grep laus_open `ldd /bin/login | awk '/libpam.so/ { print $3 }'`

• Expected output: Binary file /lib/libpam.so.0 matches

• If the grep command produces no output, you MUST reinstall the pam-laus package from CD #2

# 'cd' to the directory containing the RPM file,
# then reinstall the package:
rpm --oldpackage --force --nodeps -Uhv pam-laus-0.77-4.3.i586.rpm

Slide # 48

Configure PAM

• The 'other' fallback MUST be disabled by specifying the pam_deny.so module for each module-type in the 'other' configuration.

• Add the pam_wheel.so module to the 'auth' configuration for the 'su' service

• You MUST add the pam_tally.so module to the auth and account module type configurations of login, sshd, and vsftpd (not good for remotely managed machines.)

• You MUST use the pam_passwdqc.so password quality checking module with the 'md5' and 'use_cracklib' options

Slide # 49

Configuring PAM (2)

• The 'remember=XX' option must be added to the /etc/security/pam_pwcheck.conf file to force users to create new passwords and not re-use old ones

• In general, you MAY add PAM modules that add additional restrictions. You MUST NOT weaken the restrictions

Slide # 50

Setup Login Controls

• Disable login if we can't cd to the home directory

• Set a 3 second delay before being allowed another attempt after a login failure

• Disable logging and display of /var/log/faillog login failure info.

• Enable logging and display of /var/log/lastlog login time info.

• Disable display of unknown usernames when login failures are recorded.

Slide # 51

Setup Login Controls (2)

• Set max number of login retries to <= 3 if password is bad

• Set max time to <= 60 seconds for login

• Require password before chfn/chsh can make any changes.

• Restrict fields to “rwh” that may be changed by regular users using chfn

Slide # 52

Setup Login Controls (3)

• The default umask for logged-in users is set in the /etc/profile file, not here.

• Set the umask to 077; this value is used by useradd and newusers when creating new home directories.

• Password aging controls (used by useradd):

– PASS_MAX_DAYS 60

– PASS_MIN_DAYS 1

– PASS_WARN_AGE 7

– PASS_MIN_LEN 8
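The aging controls above only take effect for accounts useradd creates afterwards, so existing accounts need a separate check. As an added Python example that is not part of the original slides, this parses /etc/shadow-style records, skips locked accounts, flags empty passwords (the ssh slide requires nonempty ones) and any aging field looser than PASS_MAX_DAYS 60 / PASS_MIN_DAYS 1 / PASS_WARN_AGE 7, and emits the chage command that applies the policy. The shadow records and hashes are constructed placeholders; PASS_MIN_LEN cannot be checked from a hash.

```python
"""Audit existing accounts against the slide's password aging policy.

Added example, not from the original slides.  Fields of a shadow record:
name:password:lastchange:min:max:warn:inactive:expire:reserved
"""
from typing import Dict, List, NamedTuple, Optional

POLICY: Dict[str, int] = {"PASS_MAX_DAYS": 60, "PASS_MIN_DAYS": 1, "PASS_WARN_AGE": 7}


class ShadowEntry(NamedTuple):
    name: str
    password: str
    min_days: Optional[int]
    max_days: Optional[int]
    warn_days: Optional[int]


def _opt_int(field: str) -> Optional[int]:
    """Aging fields are optional in shadow; an empty field means 'not set'."""
    return int(field) if field.strip() else None


def parse_shadow(text: str) -> List[ShadowEntry]:
    entries: List[ShadowEntry] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        f = raw.split(":")
        if len(f) < 9:
            continue  # not a complete shadow record
        entries.append(ShadowEntry(f[0], f[1], _opt_int(f[3]), _opt_int(f[4]), _opt_int(f[5])))
    return entries


def is_locked(password: str) -> bool:
    """A '!' or '*' prefix never matches a typed password, so aging is moot."""
    return password.startswith(("!", "*"))


def audit_shadow(text: str, policy: Dict[str, int] = POLICY) -> Dict[str, List[str]]:
    """Map each account that needs attention to its list of problems."""
    findings: Dict[str, List[str]] = {}
    for e in parse_shadow(text):
        problems: List[str] = []
        if e.password == "":
            problems.append("empty password")  # usable with no password at all
        elif is_locked(e.password):
            continue
        if e.max_days is None or e.max_days > policy["PASS_MAX_DAYS"]:
            problems.append(f"max days {e.max_days} exceeds {policy['PASS_MAX_DAYS']}")
        if e.min_days is None or e.min_days < policy["PASS_MIN_DAYS"]:
            problems.append(f"min days {e.min_days} below {policy['PASS_MIN_DAYS']}")
        if e.warn_days is None or e.warn_days < policy["PASS_WARN_AGE"]:
            problems.append(f"warn days {e.warn_days} below {policy['PASS_WARN_AGE']}")
        if problems:
            findings[e.name] = problems
    return findings


def chage_command(name: str, policy: Dict[str, int] = POLICY) -> str:
    """Remediation: chage -M maxdays -m mindays -W warndays applies the policy."""
    return (f"chage -M {policy['PASS_MAX_DAYS']} -m {policy['PASS_MIN_DAYS']} "
            f"-W {policy['PASS_WARN_AGE']} {name}")


# Constructed sample; the hashes are placeholders, not real password hashes.
SAMPLE_SHADOW = """\
root:$6$constructed$placeholderhash:19500:1:60:7:::
alice:$6$constructed$placeholderhash:19500:1:60:7:::
bob:$6$constructed$placeholderhash:18000:0:99999:7:::
carol::19500:1:60:7:::
daemon:*:19000:0:99999:7:::
svc-backup:!:19000::::::
"""

if __name__ == "__main__":
    for name, problems in audit_shadow(SAMPLE_SHADOW).items():
        print(f"{name}: {'; '.join(problems)}  ->  {chage_command(name)}")
```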

Slide # 53

Configure the Boot Loader

• Ensure the system boots exclusively from the disk partition containing Linux

• Make sure you use a BIOS password to protect access to this configuration.

• Use the password command in /boot/grub/menu.lst to prevent unauthorized use of the boot loader interface.

• Use md5 encoded passwords; run the command grub-md5-crypt to generate the encoded version of a password.

Configure the Boot Loader (2)

• Protect all menu entries other than the default SLES boot with the lock option.
• Add a line containing just the keyword lock after the title entry in the /boot/grub/menu.lst file.
• Remove group and world read permissions from the GRUB configuration file if it contains a password: chmod 600 /boot/grub/menu.lst
• All changes to menu.lst take effect automatically on the next boot (GRUB legacy reads the file at boot time, so no reinstall step is needed).
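The script below is an added example, not part of the RICIS slides: it audits a GRUB legacy menu.lst for the three rules on these two slides (an MD5-hashed password line, lock on every stanza except the default one, and a file mode with no group or world access). The menu.lst it builds is constructed for the demonstration and its hash is a placeholder, not real grub-md5-crypt output.

```shell
#!/bin/sh
# Added example (not from the RICIS slides): audit a GRUB legacy menu.lst for
# the boot-loader rules above: an MD5-hashed password line, "lock" on every
# stanza except the default one, and no group/world access to the file.

# Print one line per deviation; return 1 if any.  Usage: check_menu_lst FILE
check_menu_lst() {
    file=$1
    rc=0

    # 1. A "password --md5 $1$..." line (output of grub-md5-crypt) must exist;
    #    a plaintext "password word" line is worse than none: it leaks the secret.
    if grep -Eq '^[[:space:]]*password[[:space:]]+--md5[[:space:]]+\$1\$' "$file"; then
        :
    elif grep -Eq '^[[:space:]]*password[[:space:]]' "$file"; then
        echo "BAD password line is not --md5 (plaintext password in $file)"
        rc=1
    else
        echo "MISSING password line in $file"
        rc=1
    fi

    # 2. Stanzas are numbered from 0 as in "default N"; every other stanza needs "lock".
    awk -v def=0 -v bad=0 '
        $1 == "default" { def = $2 }
        $1 == "title"   { n++; sub(/^[[:space:]]*title[[:space:]]*/, ""); title[n] = $0 }
        $1 == "lock"    { locked[n] = 1 }
        END {
            for (i = 1; i <= n; i++)
                if (i - 1 != def && !locked[i]) {
                    print "UNLOCKED stanza " (i - 1) ": " title[i]
                    bad = 1
                }
            exit bad
        }' "$file" || rc=1

    # 3. Once the file holds a password hash, only root may read it (chmod 600).
    perms=$(ls -ld "$file" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "BAD mode on $file (group/other bits \"$perms\", want chmod 600)"
        rc=1
    fi
    return $rc
}

# Constructed sample (the hash is a placeholder, not real grub-md5-crypt output).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/menu.lst" <<'EOF'
default 0
timeout 8
password --md5 $1$PLACEHOLDER$placeholderhashvalue00000
title SLES 9
    root (hd0,0)
    kernel /boot/vmlinuz root=/dev/sda1
    initrd /boot/initrd
title Failsafe
    lock
    root (hd0,0)
    kernel /boot/vmlinuz root=/dev/sda1 noresume nosmp noapic maxcpus=0 3
    initrd /boot/initrd
EOF
chmod 600 "$SAMPLE_DIR/menu.lst"

# A stock-looking copy: plaintext password, Failsafe unlocked, world-readable.
sed -e 's/^password .*/password secret/' -e '/^[[:space:]]*lock[[:space:]]*$/d' \
    "$SAMPLE_DIR/menu.lst" > "$SAMPLE_DIR/menu.lst.weak"
chmod 644 "$SAMPLE_DIR/menu.lst.weak"

check_menu_lst "$SAMPLE_DIR/menu.lst" && echo "menu.lst: OK"
check_menu_lst "$SAMPLE_DIR/menu.lst.weak" || echo "menu.lst.weak: deviations listed above"
```

On a live SLES 9 host run `check_menu_lst /boot/grub/menu.lst`. The same three ideas carry over to GRUB 2, but the mechanics differ (a superusers list and password_pbkdf2 entries in /etc/grub.d, regenerated into grub.cfg), so this parser does not apply there.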

Adding Additional Software

• Kernel modules other than those provided as part of the evaluated configuration MUST NOT be installed or loaded.
• You MUST NOT load the tux kernel module (the in-kernel web server is not supported).
• You MUST NOT add support for non-ELF binary formats or foreign binary format emulation that circumvents system call auditing.
• You MUST NOT activate knfsd or export NFS file systems.

Adding Additional Software (2)

• Device special nodes MUST NOT be added to the system.
• SUID root or SGID root programs MUST NOT be added to the system.
• Programs which use the SUID or SGID bits to run with identities other than ’root’ MAY be added.
• The content, permissions, and ownership of all existing file-system objects (including directories and device nodes) that are part of the evaluated configuration MUST NOT be modified.

Adding Additional Software (3)

• Programs automatically launched with ’root’ privileges MUST NOT be added to the system.
• Processes that immediately and permanently switch to a non-privileged identity on launch are permitted.
• Automatic launch mechanisms are:
  – Entries in /etc/inittab
  – Executable files or links in /etc/init.d/ and its subdirectories

Document Your System

• Rebooted server to implement new SMP kernel.
  # uname -a
  Linux avflyer-asp 2.6.5-7.201-smp #1 SMP Thu Aug 25 06:20:45 UTC 2005 i686 i686 i386 GNU/Linux
• List services now running on the system.
  # chkconfig | grep -v "off" | more
• List directories with the sticky bit set.
  # find / -type d -perm -1000 -ls

Document Your System (2)

• List files with the Set User ID (SUID) bit set.
  find / -type f -perm -4000 -ls
• List files with the Set Group ID (SGID) bit set.
  find / -type f -perm -2000 -ls
• List files that are world writable.
  find / -type f -perm -0002 -ls
• List all installed packages.
  rpm -qa --qf '%-25{NAME}\t%-20{VERSION}\t%-8{RELEASE}\t%{Summary}\n' | sort > /root/rpmpackagelist

Security monitoring & management

• Set up Tripwire to monitor system file integrity and to audit changes.
• Set up and implement log file rotation policies.
• Set up a central syslog server (syslog-ng).
• Use a log analyzer, such as logcheck.
• Set up a monitoring system like Nagios or Argus on your network.

Sec Monitoring & Management (2)

• Created /var/log/btmp to log bad login attempts; lastb reads it. Keep the file readable by root only, since failed attempts can contain passwords mistyped into the username field.
  # touch /var/log/btmp
  # lastb
  btmp begins Sun Sep 11 13:58:05 2005

Log and Status Files

• In addition to the syslog messages, various other log files and status files are generated in /var/log by other programs (file - source):
  – YaST2 - Directory for YaST2 log files
  – audit.d - Directory for LAuS logs
  – boot.msg - Messages from system startup
  – lastlog - Last successful login (see lastlog(8))
  – vsftpd.log - Transaction log of the vsftpd daemon

Log and Status Files (2)

• localmessages - Written by syslog.
• mail - Written by syslog, contains messages from the MTA (postfix).
• messages - Written by syslog, contains messages from su and ssh.
• news - syslog news entries.
• warn - Written by syslog.
• wtmp - Written by the PAM subsystem.
• btmp - Written by the PAM subsystem.
• xinetd.log - Written by xinetd, logging all connections.

Auditing Your System

• It is RECOMMENDED that you review the system’s configuration at regular intervals to verify that it still agrees with the evaluated configuration.
• This primarily concerns those processes that may run with ’root’ privileges.
• The permissions of the device files /dev/* MUST NOT be modified.
• In particular, review settings in the following files and directories to ensure that the contents and permissions have not been modified:

System Files to Review

• /etc/at.allow
• /etc/at.deny
• /etc/audit/*
• /etc/cron.d/*
• /etc/cron.daily/*
• /etc/cron.hourly/*
• /etc/cron.monthly/*
• /etc/cron.weekly/*
• /etc/crontab
• /etc/ftpusers
• /etc/group
• /etc/gshadow
• /etc/hosts
• /etc/init.d/*
• /etc/inittab
• /etc/ld.so.conf
• /etc/login.defs
• /etc/modules.conf
• /etc/pam.d/*
• /etc/passwd
• /etc/securetty
• /etc/security/opasswd

System Files to Review (2)

• /etc/security/pam_pwcheck.conf
• /etc/security/pam_unix2.conf
• /etc/shadow
• /etc/ssh/ssh_config
• /etc/ssh/sshd_config
• /etc/stunnel/*
• /etc/sysconfig/*
• /etc/vsftpd.conf
• /etc/xinetd.conf
• /usr/lib/cracklib_dict.*
• /var/log/audit.d/*
• /var/log/faillog
• /var/log/lastlog
• /var/spool/atjobs/*
• /var/spool/cron/*
• /var/spool/cron/allow
• /var/spool/cron/deny

Auditing Your System (2)

• Use the commands lastlog and lastb (the latter reads /var/log/btmp) to detect unusual patterns of successful and failed logins.
• Also verify the output of the following commands (run as ’root’); the last one uses -perm /022, since the older -perm +022 spelling is rejected by current GNU find:
  # atq
  # crontab -l
  # find / \( -perm -4000 -o -perm -2000 \) -ls
  # find / \( -type f -o -type d -o -type b \) -perm -0002 -ls
  # find /bin /boot /etc /lib /sbin /usr \
      ! -type l \( ! -uid 0 -o -perm /022 \)
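The find commands on the Document Your System slides and on this one are the same checks run at different times; what makes them useful is comparing today's output with the output recorded when the system was hardened. The script below is an added example, not part of the RICIS slides: it runs those checks over one tree, tags each finding so the report can be sorted and diffed against a baseline, and exercises itself on a constructed directory tree (no real system files are involved). It relies on GNU find for -printf and -perm /mode; the OWNER_UID parameter is my addition so the demo can run as a non-root user.

```shell
#!/bin/sh
# Added example (not from the RICIS slides): run the file-system checks from
# the "Document Your System" and "Auditing Your System" slides as one tagged
# report over a tree, suitable for diffing against an earlier baseline.
# Uses GNU find (-printf, -perm /mode).

# Usage: audit_tree ROOT [OWNER_UID]   (OWNER_UID defaults to 0, i.e. root)
# Output lines: TAG MODE OWNER PATH
audit_tree() {
    root=$1
    owner=${2:-0}
    # SUID / SGID executables: anything new here must be justified.
    find "$root" -xdev -type f -perm -4000 -printf 'SUID %m %u %p\n'
    find "$root" -xdev -type f -perm -2000 -printf 'SGID %m %u %p\n'
    # World-writable files, and world-writable directories without the sticky
    # bit (a sticky /tmp is expected; a 777 directory elsewhere is not).
    find "$root" -xdev \( -type f -perm -0002 -o -type d -perm -0002 ! -perm -1000 \) \
        -printf 'WORLD_WRITABLE %m %u %p\n'
    # System directories: everything must belong to OWNER_UID and be unwritable
    # by group and others ("-perm +022" in the SLES 9 guide is "-perm /022" today).
    for d in bin boot etc lib sbin usr; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -xdev ! -type l \( ! -uid "$owner" -o -perm /022 \) \
            -printf 'SYSTEM_DIR %m %u %p\n'
    done
}

# Constructed sample tree standing in for "/" (nothing here is a real system file).
TREE=$(mktemp -d)
mkdir -p "$TREE/usr/bin" "$TREE/etc" "$TREE/tmp" "$TREE/home/alice/drop"
chmod 755 "$TREE/usr" "$TREE/usr/bin" "$TREE/etc" "$TREE/home" "$TREE/home/alice"
printf '#!/bin/sh\necho hi\n' > "$TREE/usr/bin/helper"
chmod 4755 "$TREE/usr/bin/helper"                                 # SUID: must be reported
touch "$TREE/etc/hosts";       chmod 644 "$TREE/etc/hosts"        # normal: must not appear
touch "$TREE/etc/sloppy.conf"; chmod 666 "$TREE/etc/sloppy.conf"  # world-writable config
chmod 1777 "$TREE/tmp"                                            # sticky: allowed, must not appear
chmod 777  "$TREE/home/alice/drop"                                # world-writable, no sticky bit

# On a real host: audit_tree / 0 | sort > /root/audit-$(date +%F).txt, then
# diff against the previous run.  The sample tree belongs to the current user,
# so that uid is passed as the expected owner.
audit_tree "$TREE" "$(id -u)" | sort
```

The report deliberately prints mode and owner next to each path: a diff that shows a new SUID line or a system file whose owner changed is the signal the slides ask you to look for, and sorting makes two runs comparable line by line.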

Auditing Your System (3)

• Use the aucat(8) and augrep(8) tools to retrieve information from the audit logs. The information available for retrieval depends on the active filter configuration. (Both tools belong to LAuS, the audit subsystem shipped with SLES 9; later releases replaced it with the kernel audit framework and the auditd tools ausearch and aureport.)
  # view the last 100 audit records
  aucat | tail -100
  # view all successful PAM authentications
  augrep -e TEXT -U AUTH_success
  # all actions recorded for a specified login UID (this includes
  # actions done by this user with a different effective UID,
  # for example, via SUID programs or as part of a "su" session)
  augrep -l kw
  # file removals
  augrep -e SYSCALL -S unlink

Secure Communication

• SSH V2

• Stunnel with OpenSSL

• X11 Forwarding through an SSH tunnel

• Secure FTP

• Externally signed SSL certificate

System maintenance

• Download, verify, and carefully review each patch before you install it.

• If possible test patches in a non-production environment.

• Keep a manual logbook, as well as a README file in the /root home directory with any updates or changes you make to the system.

Considerations for Servers

• Customize the firewall (iptables).
• Apply port restrictions.
• Ensure the current directory (.) is not in anyone’s PATH, root or regular user.
• Configure the standard system cron jobs, such as deletion of old files in /tmp or updating the man databases. The settings are read by the shell scripts in /etc/cron.daily/*.
• Configure the system variables for the boot process (/etc/sysconfig):
  IP_DYNIP=no             # The system only has a static address
  IP_TCP_SYNCOOKIES=yes   # SYN flood protection
  IP_FORWARD=no           # Set to yes only if the system acts as a router
  ENABLE_SYSRQ=no         # The magic SysRq key MUST be disabled

Considerations for DNS Servers

• Enable BIND chroot support.
• Apply port restrictions in the firewall.
• Customize logging as desired.
• Authoritative DNS servers should not be used as resolving or caching DNS servers.
• Disable recursive queries on authoritative servers.
• Enable the security settings in /etc/named.conf that suit your environment.

Considerations for Email Servers

• Chroot postfix (manual process).
• Ensure unauthorized parties can’t relay through the server.
• Establish port restrictions and access control with iptables.
• Configure SMTP restrictions in postfix.
• Use LDAP or an access file to restrict inbound mail to valid users.
• Anti-virus / anti-spam filtering.

Useful Resources

• Practical Unix & Internet Security, 3rd Edition, by Simson Garfinkel, Gene Spafford and Alan Schwartz. O’Reilly, 3rd edition (February 21, 2003). ISBN 0596003234.
• Hardening Linux, by John H. Terpstra, Paul Love and Ronald P. Reck. McGraw-Hill Osborne. ISBN 0-07-225497-1.

• There are way too many books to list even a fraction of the good ones I keep handy on my shelf here.

Useful Resources (2)

• If there are conflicting recommendations in this guide and in one of the sources listed here, the Configuration Guide has precedence concerning the evaluated configuration.
• SuSE Linux Enterprise Server Installation Guide:
  – /usr/share/doc/packages/sles-inst-x86+x86-64 en/
  – /usr/share/doc/packages/sles-inst-ipseries en/
  – /usr/share/doc/packages/sles-inst-zseries en/
• SuSE Linux Enterprise Server Administrator Guide:
  – /usr/share/doc/packages/sles-admin-x86+x86-64 en/
  – /usr/share/doc/packages/sles-admin-ipseries en/
  – /usr/share/doc/packages/sles-admin-zseries en/

Questions
