OS Hardening Checklist for Linux Servers in Kale

  1. Banner

/etc/ssh/sshd_config

This line should be present: Banner /etc/issue.net

The banner file it refers to should contain the following warning text.

cat /etc/issue.net

WARNING!!

This system is the property of the Kale Consultants Ltd. and should be accessed only by authorized users. Unauthorized use of this system is strictly prohibited and will be subject to disciplinary action and prosecution. Systems and Technology Department may monitor any activity or communication on this system and retrieve any information stored within the system.

  2. Password Policy

/etc/login.defs

The following four values should be present.

PASS_MAX_DAYS 30 (Maximum number of days a password may be used. If the password is older than this, a password change will be forced.)

PASS_MIN_DAYS 0 (Minimum number of days allowed between password changes. Any password change attempted sooner than this will be rejected.)

PASS_MIN_LEN 8 (Minimum password length.)

PASS_WARN_AGE 15 (Number of days warning given before a password expires. A zero means warning is given only upon the day of expiration, a negative value means no warning is given. If not specified, no warning will be provided.)

  3. Log file retention period

/etc/logrotate.conf

# rotate log files weekly

weekly

# keep 4 weeks worth of backlogs

rotate 5

# uncomment this if you want your log files compressed

compress

Note that rotate 5 keeps five rotated copies (five weeks at weekly rotation); the "4 weeks" comment is the stock one from the default file and does not describe the value set here.

  4. Anonymous FTP account

/etc/vsftpd/vsftpd.conf

anonymous_enable=NO

If the host is an FTP server, the following entries should also be present.

# You may fully customise the login banner string:

ftpd_banner=Welcome to Kale Consultants FTP Server.

pam_service_name=vsftpd

userlist_enable=YES

tcp_wrappers=YES

use_localtime=YES

pasv_enable=YES

cat /etc/vsftpd/user_list

# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
# for users that are denied.
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody

cat /etc/vsftpd/ftpusers

# Users that are not allowed to login via ftp
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody

  5. Disable rsh service

cat /etc/xinetd.d/rsh

disable = yes

Verify with # chkconfig --list rsh, which should report:

rsh off

  6. Telnet service status

cat /etc/xinetd.d/telnet

disable = yes

Verify with # chkconfig --list telnet, which should report:

telnet off

  7. Disable CTRL+ALT+DEL

grep ctrl /etc/inittab

#ca::ctrlaltdel:/sbin/shutdown -t3 -r now

Comment out the above line in /etc/inittab (as shown) to disable the Ctrl+Alt+Del key sequence, which would otherwise reboot the system; run telinit q afterwards so init re-reads the file.

  8. NTP status

# chkconfig --list ntpd

ntpd 0:off 1:off 2:off 3:on 4:off 5:on 6:off

If it is not enabled in runlevels 3 and 5, enable it with chkconfig ntpd on, then check the service and point it at the internal time servers:

# service ntpd status

# vi /etc/ntp.conf

Add the entries below just under #server 0.rhel.pool.ntp.org and comment out all the other server entries:

server 10.161.2.23

server 10.161.2.27

server 10.1.2.10

Running ntpdate while ntpd is still running fails with an error like the one below, so stop the daemon first, step the clock, and start it again:

# ntpdate 10.161.2.23

1 Dec 12:43:12 ntpdate[21563]: the NTP socket is in use, exiting

# service ntpd stop

Shutting down ntpd: [ OK ]

# ntpdate 10.161.2.23

1 Dec 12:49:57 ntpdate[21629]: step time server 10.161.2.23 offset 348.251262 sec

# service ntpd start

Starting ntpd: [ OK ]

  9. PermitRootLogin no

grep PermitRoot /etc/ssh/sshd_config

#PermitRootLogin no

PermitRootLogin no

The uncommented line disables remote root login via SSH; reload sshd afterwards (service sshd reload) for the change to take effect.

FTP-only accounts can also be kept from logging in over SSH by listing them in the DenyUsers directive of the same file. Example:

DenyUsers UserNameToBeDenied

If the directive is not present, add it to prevent FTP users from logging in via SSH.
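Added here as an example (not part of the Kale checklist): a read-only POSIX shell script that verifies the sshd_config, login.defs and vsftpd.conf settings from items 1, 2, 4 and 9. The file paths and expected values are the checklist's own; the function names and the constructed sample trees under $TMP are assumptions so it runs offline, and audit_root "" audits the live host.

```shell
#!/bin/sh
# Added example: read-only compliance check for the sshd, login.defs and
# vsftpd items in this checklist. On a live host run as root: audit_root ""
# check_directive FILE KEY EXPECTED
# Succeeds when the first uncommented "KEY VALUE" / "KEY=VALUE" line in FILE
# carries EXPECTED. sshd applies the first occurrence of a keyword and ignores
# later ones; the same rule is assumed here for the other two files.
check_directive() {
    got=$(sed -n "s/^[[:space:]]*$2[[:space:]=]\{1,\}\([^[:space:]]*\).*/\1/p" "$1" 2>/dev/null | head -n 1)
    [ "$got" = "$3" ]
}

# audit_root ROOT: checks the files under ROOT/etc, prints one line per item
# and returns the number of failed items (0 means compliant).
audit_root() {
    root=$1 fails=0
    for spec in \
        "/etc/ssh/sshd_config PermitRootLogin no" \
        "/etc/ssh/sshd_config Banner /etc/issue.net" \
        "/etc/login.defs PASS_MAX_DAYS 30" \
        "/etc/login.defs PASS_MIN_DAYS 0" \
        "/etc/login.defs PASS_MIN_LEN 8" \
        "/etc/login.defs PASS_WARN_AGE 15" \
        "/etc/vsftpd/vsftpd.conf anonymous_enable NO" \
        "/etc/vsftpd/vsftpd.conf userlist_enable YES"; do
        set -- $spec
        if check_directive "$root$1" "$2" "$3"; then
            echo "PASS $1: $2 $3"
        else
            echo "FAIL $1: $2 should be $3"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Constructed sample trees (not real hosts): "good" follows the checklist, "bad"
# leaves PermitRootLogin at its commented-out default and allows anonymous FTP.
TMP=$(mktemp -d)
for t in good bad; do
    mkdir -p "$TMP/$t/etc/ssh" "$TMP/$t/etc/vsftpd"
    printf 'PASS_MAX_DAYS 30\nPASS_MIN_DAYS 0\nPASS_MIN_LEN 8\nPASS_WARN_AGE 15\n' > "$TMP/$t/etc/login.defs"
    printf 'userlist_enable=YES\ntcp_wrappers=YES\n' > "$TMP/$t/etc/vsftpd/vsftpd.conf"
done
printf 'Banner /etc/issue.net\n#PermitRootLogin no\nPermitRootLogin no\n' > "$TMP/good/etc/ssh/sshd_config"
printf 'anonymous_enable=NO\n' >> "$TMP/good/etc/vsftpd/vsftpd.conf"
printf 'Banner /etc/issue.net\n#PermitRootLogin yes\n' > "$TMP/bad/etc/ssh/sshd_config"
printf 'anonymous_enable=YES\n' >> "$TMP/bad/etc/vsftpd/vsftpd.conf"
audit_root "$TMP/good" || echo "good tree: $? item(s) failed"
audit_root "$TMP/bad" || echo "bad tree: $? item(s) failed"
```

The "bad" tree reports two failures: the commented-out PermitRootLogin counts as missing, exactly as sshd would treat it, and anonymous_enable=YES contradicts item 4.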

  10. Audit rules enabled

vi /etc/audit/audit.rules

Add the lines below; further rules can be added as required.

-a exit,always -F path=/bin/rm -k rmcommand

-a exit,always -F path=/bin/mv -k mvcommand

-a exit,always -F path=/bin/kill -k killcommand

-a exit,always -F path=/usr/bin/passwd -k passwdcommand

-a exit,always -F path=/bin/chown -k chowncommand

-a exit,always -F path=/bin/chmod -k chmodcommand

Restart the audit daemon so the new rules are loaded, then confirm events are recorded by searching on a key, e.g. ausearch -k rmcommand:

# service auditd restart

  11. PAM

/etc/pam.d/system-auth

Add this line:

password requisite pam_cracklib.so retry=5 minlen=8 lcredit=1 ucredit=1 dcredit=1 ocredit=1 difok=3

Note that with pam_cracklib positive lcredit/ucredit/dcredit/ocredit values are the maximum credit each character class earns towards minlen, not a requirement; to force at least one character of a class, use a negative value such as ucredit=-1.


