Securing Linux Step-by-Step

From ChekMate Security Group

Contents

BEFORE INSTALLATION

DETERMINE THE SECURITY NEEDS

Define security policies

PHYSICALLY SECURE THE COMPUTER

BIOS SECURITY: PASSWORD PROTECTION, LIMITING REBOOTS

Disable “AUTO” settings

Disable booting from removable media

Set a BIOS password

SCSI BIOS setups

Document BIOS settings

INSTALL LINUX

DISCONNECT THE MACHINE FROM THE NETWORK

SELECT INSTALLATION CLASS: WORKSTATION, SERVER, OR CUSTOM

DEFINE PARTITIONS

Define Workstation partitions

Define Server partitions

Document the partition scheme

SELECT PACKAGES TO INSTALL

Workstation packages

Server packages

Let the installation proceed

CONFIGURE THE SYSTEM SECURITY AND ACCOUNT POLICIES

Shadow Passwords with MD5 hashing

Set passwords for root and all user accounts

FINAL LINUX INSTALLATION RECOMMENDATIONS

Create a boot diskette

Tighten up settings in /etc/inittab

Password protect LILO boots

SET SYSTEM ACCESS SECURITY POLICIES

Check that remote root logins are disabled for TELNET

Check that remote root logins are disabled for FTP

Configure the system accounts that can/cannot log into the system

Configure the system groups that can/cannot use specific resources

CONFIGURE LOGGING

Optimize SYSLOG settings

Configure real-time logging to VTYs

Configure log rotation

Configure remote logging

Synchronize system clock with log server

STEP 3 SECURING WORKSTATION NETWORK CONFIGURATIONS

DISABLE INTERNET DAEMON SERVICES

Edit /etc/inetd.conf and comment out all services

Turn off inetd if there are no services

USE TCP WRAPPERS TO CONTROL ACCESS TO REMAINING INETD SERVICES

Set the default access rule to deny all

Allow access to only specific hosts for specific services

Check the syntax of the access lists with tcpdchk

Set up banners for TCP wrapped services

DISABLE RUN-TIME NETWORK SERVICES

Determine which network services are running

Eliminate unnecessary services

Check for any remaining services

GET THE LATEST VERSIONS OF SOFTWARE

Find security-related updates

Download updates

Install updates

Automate the process

Use AutoRPM to automate updates

Subscribe to security-related mailing lists

CACHING-ONLY DOMAIN NAME SERVICE (DNS)

Disable and remove DNS server software

Set primary and secondary name servers

ELECTRONIC MAIL

Turn off sendmail daemon mode

Define SMTP server for mail clients

Set outbound SMTP server for sendmail

Set outbound SMTP server for other mail clients

NFS CLIENT-SIDE SECURITY

Turn off NFS exports and remove NFS daemons

Configure local NFS mounts

LIMIT WORLD WIDE WEB SERVICES TO THE LOCAL HOST

Turn off HTTP and remove the server software

Limit HTTP access to localhost only

REMOVE ANONYMOUS FTP SERVICE

SECURING SERVER NETWORK CONFIGURATIONS

SERVERS: SEE STEPS 3.1, 3.2, 3.3, AND 3.4 FOR DISABLING ALL UNNECESSARY SERVICES, SETTING WRAPPERS, AND UPDATING SOFTWARE

INSTALL SECURE SHELL FOR REMOTE ACCESS

Download, compile, and install SSH

Start the SSH daemon

Set up /etc/hosts.allow for SSH access

Generate SSH keys

Use SSH and SCP for remote access

Replace ‘r’ programs with SSH

DOMAIN NAME SERVICE AND BIND VERSION 8

Restrict zone transfers

Restrict queries

Run named in a chroot jail

Create the new user and group

Prepare the chroot directory

Copy configuration files and programs

Copy shared libraries

Set syslogd to listen to named logging

Edit the named init script

Specify a new control channel for ndc

ELECTRONIC MAIL

Turn off SMTP vrfy and expn commands in /etc/sendmail.cf

Define hosts allowed to relay mail

Check that the access database is active

Set access for domains allowed to relay

Set domain name masquerading

Install an alternative MTA

Secure the POP and IMAP daemons

Get the latest version of POP and IMAP daemons

Control access to POP and IMAP with TCP wrappers

Install an alternative POP or IMAP daemon

Install an SSL wrapper for secure POP/IMAP connections

PRINTING SERVICES

List allowed remote hosts in /etc/hosts.lpd

Replace Berkeley lpr/lpd with LPRng

Download and install LPRng

Set remote hosts and/or networks that are allowed access

NETWORK FILE SYSTEM

Set access to RPC services in /etc/hosts.allow

Limit exports to specific machines with specific permissions

SERVER MESSAGE BLOCK (SMB) SAMBA SERVER

Get the latest version of Samba

Limit access to specific hosts

Use encrypted passwords

Remove “guest” or anonymous shares

Set default file creation masks

CENTRAL SYSLOG HOST

Configure syslogd to accept remote log messages

Configure log rotation

FILE TRANSFER PROTOCOL (FTP)

Limit access with TCP wrappers

Limit permitted operations in /etc/ftpaccess

Protect incoming directory

HYPERTEXT TRANSFER PROTOCOL (HTTP) SERVER

Set basic access to default deny

Selectively open access to specific directories

Selectively allow options on specific directories

Selectively use .htaccess to override access control

Use password protection for sensitive data

Use SSL for secure HTTP communications

Download OpenSSL and mod_ssl

Build OpenSSL

Build Apache with mod_ssl module

Start Apache with mod_ssl and test

Read the mod_ssl documentation

TUNING AND PACKET FIREWALLS

KERNELS: THOUGHTS ABOUT CONFIGURATION, RECOMPILING, AND INSTALLING A NEW KERNEL

System optimizations

TCP/IP Receive Window size

PACKET FIREWALLS AND LINUX IP MASQUERADING

Getting more from your external connection with IP Masquerade

A strong /etc/rc.d/rc.firewall ruleset

Double check, install, and test the firewall

Make the ruleset executable

Load the ruleset while at the console of the Linux server

Test the firewall ruleset

Analyze a typical IPCHAINS firewall ruleset hit

Running the firewall ruleset upon every reboot

TOOLS

HOST-BASED MONITORING AND INTRUSION DETECTION

Swatch, the Simple WATCHer

Psionic Logcheck

Tripwire

Tripwire databases

Running Tripwire

Use rpm to verify package files

Psionic PortSentry

HOST-BASED VULNERABILITY ANALYSIS: LOOKING FROM THE INSIDE OUT

Tiger, the Texas A&M system checker

Install and configure Tiger

Running Tiger

Changing Tiger checks

TARA, an updated version of Tiger

NETWORK-BASED VULNERABILITY ANALYSIS: LOOKING FROM THE OUTSIDE IN

SATAN derivatives: SARA and SAINT

Nessus

Nmap port scanner

Commercial products