OS Hardening Checklist for Linux Servers in Kale
Banner
/etc/ssh/sshd_config
This line should be present:
Banner /etc/issue.net
The banner file it points to should contain the text below.
cat /etc/issue.net
WARNING!!
This system is the property of the Kale Consultants Ltd. and should be accessed only by authorized users. Unauthorized use of this system is strictly prohibited and will be subject to disciplinary action and prosecution. Systems and Technology Department may monitor any activity or communication on this system and retrieve any information stored within the system.
Password Policy
/etc/login.defs
The following four values should be present.
PASS_MAX_DAYS 30 (Maximum number of days a password may be used. If the password is older than this, a password change will be forced.)
PASS_MIN_DAYS 0 (Minimum number of days allowed between password changes. Any password changes attempted sooner than this will be rejected)
PASS_MIN_LEN 8 (Minimum password length)
PASS_WARN_AGE 15 (Number of days warning given before a password expires. A zero means warning is given only upon the day of expiration, a negative value means no warning is given. If not specified, no warning will be provided.)
Log file retention period
/etc/logrotate.conf
# rotate log files weekly
weekly
# keep 5 rotated copies (5 weeks at weekly rotation)
rotate 5
# uncomment this if you want your log files compressed
compress
Anonymous ftp Account
/etc/vsftpd/vsftpd.conf
anonymous_enable=NO
If it is an FTP server, the entries below should also be present.
# You may fully customise the login banner string:
ftpd_banner=Welcome to Kale Consultants FTP Server.
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
use_localtime=YES
pasv_enable=YES
cat /etc/vsftpd/user_list
# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
# for users that are denied.
root
bin
daemon
adm
lp
sync
shutdown
halt
news
uucp
operator
games
nobody
cat /etc/vsftpd/ftpusers
# Users that are not allowed to login via ftp
root
bin
daemon
adm
lp
sync
shutdown
halt
news
uucp
operator
games
nobody
rsh service status (must be disabled)
cat /etc/xinetd.d/rsh
disable = yes
Check with # chkconfig --list rsh; expected output:
rsh off
Telnet service status
cat /etc/xinetd.d/telnet
disable = yes
Check with # chkconfig --list telnet; expected output:
telnet off
Disable CTRL+ALT+DEL
cat /etc/inittab | grep ctrl
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
Comment out the line above in /etc/inittab to disable the Ctrl+Alt+Del key sequence, which would otherwise reboot the system.
NTP status
# chkconfig --list ntpd
ntpd 0:off 1:off 2:off 3:on 4:off 5:on 6:off
If ntpd is not enabled in runlevels 3 and 5, check its status:
# service ntpd status
# vi /etc/ntp
Add the entries below just after the #server 0.rhel.pool.ntp.org line and comment out all the other server entries.
server 10.161.2.23
server 10.161.2.27
server 10.1.2.10
# ntpdate 10.161.2.23
While ntpd is running this fails with an error like the one below:
1 Dec 12:43:12 ntpdate[21563]: the NTP socket is in use, exiting
# service ntpd stop
Shutting down ntpd: [ OK ]
# ntpdate 10.161.2.23
1 Dec 12:49:57 ntpdate[21629]: step time server 10.161.2.23 offset 348.251262 sec
# service ntpd start
Starting ntpd: [ OK ]
Permit root login=no
grep PermitRoot /etc/ssh/sshd_config
#PermitRootLogin no
PermitRootLogin no
The uncommented line above disables remote root login via SSH.
FTP-only users can also be denied SSH access by adding their names to this file. Example:
DenyUsers UserNameToBeDenied
If the directive is not already present, add it so that FTP users cannot log in through SSH.
Audit rules enabled
vi /etc/audit/audit.rules
Add the lines below; further rules can be added as required.
-a exit,always -F path=/bin/rm -k rmcommand
-a exit,always -F path=/bin/mv -k mvcommand
-a exit,always -F path=/bin/kill -k killcommand
-a exit,always -F path=/usr/bin/passwd -k passwdcommand
-a exit,always -F path=/bin/chown -k chowncommand
-a exit,always -F path=/bin/chmod -k chmodcommand
# service /etc/audit /au
PAM
/etc/pam.d/system-auth
Add this entry:
password requisite pam_cracklib.so retry=5 minlen=8 lcredit=1 ucredit=1 dcredit=1 ocredit=1 difok=3
(retry is the number of attempts, minlen the minimum length, difok the number of characters that must differ from the old password. The lcredit/ucredit/dcredit/ocredit values as written are maximum credits a lowercase, uppercase, digit or other character can contribute towards minlen; pam_cracklib only enforces a minimum count of a class when its credit value is negative.)
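To verify several of the items above (SSH banner and PermitRootLogin, the four login.defs values, anonymous FTP, rsh in xinetd, the inittab ctrlaltdel line) without reading each file by hand, here is an added audit script that is not part of the original checklist. It assumes the RHEL-style paths the checklist uses and is exercised against a constructed sample tree; running check_host "" points it at the live /etc.

```shell
#!/bin/sh
# Added example (not from the original checklist): audit checklist items against
# config files below a root directory, so the same functions run on a constructed
# sample (make_sample) or on the live system (check_host ""). Assumes RHEL-style
# paths: /etc/ssh/sshd_config, /etc/login.defs, /etc/vsftpd, /etc/xinetd.d, /etc/inittab.

# kv_is FILE KEY WANT: succeed if the last uncommented KEY in FILE has value WANT.
# Accepts "KEY VALUE", "KEY=VALUE" and xinetd's "KEY = VALUE" forms.
kv_is() {
  awk -v k="$2" -v w="$3" '
    /^[ \t]*#/ { next }
    { l = $0; sub(/^[ \t]+/, "", l)
      if (split(l, f, /[ \t=]+/) >= 2 && f[1] == k) last = f[2] }
    END { if (last == w) exit 0; exit 1 }' "$1" 2>/dev/null
}

# ctrlaltdel_disabled INITTAB: succeed if no active (uncommented) ctrlaltdel action remains.
ctrlaltdel_disabled() { ! grep -q '^[^#]*:ctrlaltdel:' "$1" 2>/dev/null; }

# report LABEL CMD...: run CMD, print PASS/FAIL with LABEL, return CMD's status.
report() { label=$1; shift; if "$@"; then echo "PASS: $label"; else echo "FAIL: $label"; return 1; fi; }

# check_host ROOT: run all checks; the return value is the number of failed items.
check_host() {
  r=$1; n=0
  report "sshd Banner /etc/issue.net" kv_is "$r/etc/ssh/sshd_config" Banner /etc/issue.net || n=$((n+1))
  report "sshd PermitRootLogin no" kv_is "$r/etc/ssh/sshd_config" PermitRootLogin no || n=$((n+1))
  for kv in PASS_MAX_DAYS:30 PASS_MIN_DAYS:0 PASS_MIN_LEN:8 PASS_WARN_AGE:15; do
    report "login.defs ${kv%%:*}=${kv#*:}" kv_is "$r/etc/login.defs" "${kv%%:*}" "${kv#*:}" || n=$((n+1))
  done
  report "vsftpd anonymous_enable=NO" kv_is "$r/etc/vsftpd/vsftpd.conf" anonymous_enable NO || n=$((n+1))
  report "rsh disabled in xinetd" kv_is "$r/etc/xinetd.d/rsh" disable yes || n=$((n+1))
  report "ctrl-alt-del disabled" ctrlaltdel_disabled "$r/etc/inittab" || n=$((n+1))
  return $n
}

# make_sample: constructed sample tree (not copied from any real host); anonymous
# FTP is deliberately left enabled so the FAIL path is exercised.
make_sample() {
  d=$(mktemp -d); mkdir -p "$d/etc/ssh" "$d/etc/vsftpd" "$d/etc/xinetd.d"
  printf 'Banner /etc/issue.net\n#PermitRootLogin yes\nPermitRootLogin no\n' > "$d/etc/ssh/sshd_config"
  printf 'PASS_MAX_DAYS\t30\nPASS_MIN_DAYS\t0\nPASS_MIN_LEN\t8\nPASS_WARN_AGE\t15\n' > "$d/etc/login.defs"
  printf '# local ftp\nanonymous_enable=YES\nuserlist_enable=YES\n' > "$d/etc/vsftpd/vsftpd.conf"
  printf 'service shell\n{\n\tdisable\t= yes\n}\n' > "$d/etc/xinetd.d/rsh"
  printf '#ca::ctrlaltdel:/sbin/shutdown -t3 -r now\n' > "$d/etc/inittab"
  echo "$d"
}

SAMPLE=$(make_sample)
check_host "$SAMPLE" || echo "$? item(s) need attention"
```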