Monday, June 15, 2015

Securing Linux


Stop all unwanted services
#chkconfig --list |grep '3:on'

#chkconfig cups off
#chkconfig postfix off
#chkconfig atd off
#chkconfig ip6tables off
#chkconfig lvm2-monitor off
#chkconfig mdmonitor off
#chkconfig rpcidmapd off
#chkconfig nfslock off
#chkconfig mcelogd off
#chkconfig xinetd off
#chkconfig inetd off

Remove all unwanted packages
#rpm -e

Disable root login over SSH
#vi /etc/ssh/sshd_config
PermitRootLogin no
#service sshd restart

Create a service account with Sudo Access

  • Create a service account
#useradd
#passwd
(provide a strong password)

  • Provide sudo access to the service account. In this case I have granted it full root access.
#visudo
lbadmin ALL=(ALL)       ALL


Disable the Ctrl+Alt+Del key combination for reboot

#vi "/etc/init/control-alt-delete.conf"

Comment out both lines by prefixing them with #
#start on control-alt-delete
#exec /sbin/shutdown -r now "Control-Alt-Delete pressed"

Allow SSH access only from specific subnets or IP addresses

#vi /etc/hosts.allow
sshd:


#vi /etc/hosts.deny
sshd: ALL

Restrict access to the server to a specific subnet.

# Generated by iptables-save v1.4.7 on Fri Jun 12 15:39:00 2015
# Review notes (lines starting with # are ignored by iptables-restore):
# - The INPUT chain policy is ACCEPT; the final REJECT rule below is what
#   actually closes the host, so any rule appended after it never matches.
*filter
:INPUT ACCEPT [75:5272]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [68:5268]
# Replies to connections this host opened (conntrack normally tracks UDP
# exchanges such as NTP as well) are accepted by this rule.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# SSH is open at the packet-filter level; the hosts.allow/hosts.deny entries
# earlier on this page are what limit it to specific subnets.
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p udp --dport 123 -j ACCEPT
# NOTE(review): the next rule has no state match, so it accepts any inbound
# UDP packet whose source port is 123, not only NTP replies. The
# ESTABLISHED,RELATED rule above already admits the replies, so this rule
# (and the TCP --sport 123 rule below) adds exposure without adding function;
# consider removing both.
-A INPUT -p udp --sport 123 -j ACCEPT
-A OUTPUT -p tcp --dport 123 -j ACCEPT
-A INPUT -p tcp --sport 123 -j ACCEPT
# Everything not matched above is rejected; keep these as the last rules.
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Set iptables to start at boot
#chkconfig iptables on

Apply the new iptables rules by running the command
#service iptables start

Check that every account has a password set. No account should permit password-less login.
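# Accounts that can log in without a password have an empty second field in
# /etc/shadow (readable only by root). On a shadowed system /etc/passwd holds
# just the "x" placeholder in that field, so checking /etc/passwd alone would
# not reveal an empty password.
awk -F: '$2 == "" { print $1 }' /etc/shadow
# Also list any /etc/passwd entry whose password field is not the "x"
# placeholder: such accounts are not using shadow passwords at all and need
# a closer look. Using -F: inspects only the password field, whereas
# grep -v ':x:' would match ":x:" anywhere on the line.
awk -F: '$2 != "x" { print $1 }' /etc/passwd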