Tight Up NFS

Configure the /etc/exports file with the most restrictive access possible. This means not using wildcards, not allowing root write access, and mounting read-only wherever possible.

Edit the exports file (vi /etc/exports) and add entries such as:
/dir/to/export host1.mydomain.com(ro,root_squash)
/dir/to/export host2.mydomain.com(ro,root_squash)
Where /dir/to/export is the directory you want to export, host1.mydomain.com is the machine allowed to mount this directory, the ro option mounts it read-only and the root_squash option keeps root on the client from getting root write access in this directory.
* root_squash – Maps the root user to the nobody user. This has the effect of not allowing a root user on a client to gain root file access permissions on the server.
* all_squash – Maps all the UIDs and GIDs to the nobody user. This is useful if the share is to have anonymous access, much like an anonymous FTP server.

For this change to take effect you will need to run this command on your terminal:
# /usr/sbin/exportfs -a
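As an added example (not from the original post), the following shell function audits exports-format text for the three weaknesses just described: wildcard or empty client lists, exports that are not read-only, and an explicit no_root_squash. It reads the text on standard input; the sample entries at the bottom are constructed for illustration and are not a real exports file.

```shell
#!/bin/sh
# Added example: audit /etc/exports-style text for the weak settings
# described above. Not part of the original post.
# Reads exports text on stdin and prints one line per finding.
audit_exports() {
    # Drop comments, then inspect each "dir client(opts) client(opts) ..." line.
    sed -e 's/#.*//' | awk '
    NF >= 1 {
        dir = $1
        if (NF == 1) { print dir ": no client list (exported to everyone)"; next }
        for (i = 2; i <= NF; i++) {
            client = $i
            opts = ""
            p = index(client, "(")
            if (p > 0) {
                opts = substr(client, p + 1)
                sub(/\)$/, "", opts)
                client = substr(client, 1, p - 1)
            }
            # A wildcard, or an empty host before the parentheses, opens the export up.
            if (client == "" || client ~ /[*?]/)
                print dir " " client ": wildcard or empty host"
            # Mount read-only wherever possible: flag anything without ro.
            if (opts !~ /(^|,)ro(,|$)/)
                print dir " " client ": not read-only"
            # root_squash is the default; only an explicit no_root_squash is a finding.
            if (opts ~ /(^|,)no_root_squash(,|$)/)
                print dir " " client ": no_root_squash"
        }
    }'
}

# Constructed sample input (not a real exports file).
SAMPLE_EXPORTS='/dir/to/export host1.mydomain.com(ro,root_squash)
/data *(rw,no_root_squash)
# a comment line
/pub 10.0.0.0/24(rw)'

printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports
```

On a real server run it as `audit_exports < /etc/exports`, and compare the result with `exportfs -v`, which prints the option list the kernel is actually using for each export. Only the first sample entry, the one the text above recommends, produces no findings.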

Tightup /etc/fstab

Mounting the boot partition read-only makes it harder to tamper with the kernel image. This is how you do it in /etc/fstab:

LABEL=/boot /boot ext2 defaults,ro 1 2

And reload the changes:
# mount -o remount /boot

And yes, make it writable again when you are planning a kernel upgrade. Otherwise the new kernel can't be written to /boot :)

Other security options in the fstab file are:
* defaults – Allow everything (quota, read-write, and suid) on this partition.
* noquota – Do not set user quotas on this partition.
* nosuid – Ignore SUID/SGID bits on this partition.
* nodev – Do not interpret character or block special devices on this partition.
* noexec – Do not allow execution of any binaries on this partition.
* quota – Allow user quotas on this partition.
* ro – Mount this partition read-only.
* rw – Mount this partition read-write.
* suid – Honour SUID/SGID bits on this partition.

Some useful examples:
LABEL=/cache /cache ext2 defaults,nodev 1 2
LABEL=/tmp /tmp ext2 defaults,nosuid,noexec 1 2

# mount -o remount /cache
# mount -o remount /tmp

To verify that the modifications have been correctly applied:
# cat /proc/mounts
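To verify the remounts without reading /proc/mounts by eye, here is an added shell helper (not from the original post) that checks whether a mount point carries the expected options in /proc/mounts-style text. It takes the text as an argument so it can be exercised on the constructed sample below; the sample deliberately includes a mount point that was edited in fstab but never remounted, which is the usual slip.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that the mount options
# required for a mount point are really in effect, by parsing /proc/mounts
# style text. Prints each missing option and returns 0 only when all are present.
# usage: check_mount_opts MOUNTS_TEXT MOUNTPOINT OPT[,OPT...]
check_mount_opts() {
    mounts="$1"; mnt="$2"; want="$3"
    # /proc/mounts fields: device mountpoint fstype options dump pass
    have=$(printf '%s\n' "$mounts" | awk -v m="$mnt" '$2 == m { print $4 }')
    if [ -z "$have" ]; then
        echo "$mnt: not mounted"
        return 1
    fi
    status=0
    for opt in $(printf '%s\n' "$want" | tr ',' ' '); do
        # Match the option as a whole word inside the comma-separated list.
        case ",$have," in
            *,"$opt",*) ;;
            *) echo "$mnt: missing $opt (mounted with: $have)"; status=1 ;;
        esac
    done
    return $status
}

# Constructed sample resembling /proc/mounts after the fstab edits above,
# except that /cache was never remounted and so still lacks nodev.
SAMPLE_MOUNTS='/dev/sda1 /boot ext2 ro,relatime 0 0
/dev/sda3 /tmp ext2 rw,nosuid,noexec,relatime 0 0
/dev/sda4 /cache ext2 rw,relatime 0 0'

check_mount_opts "$SAMPLE_MOUNTS" /boot ro
check_mount_opts "$SAMPLE_MOUNTS" /tmp nosuid,noexec
check_mount_opts "$SAMPLE_MOUNTS" /cache nodev || echo "remount /cache"
```

On a live system call it as `check_mount_opts "$(cat /proc/mounts)" /tmp nosuid,noexec`; a non-zero return from a cron job is a cheap way to notice a remount that was forgotten after an fstab edit.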

Tightup /etc/rc.local

By default, when you log in to a Linux machine, it tells you the Linux distribution name, version, kernel version, and the name of the server. This gives away too much information. We’d rather just prompt users with a “Login:” prompt.

To do this, edit the rc.local file (vi /etc/rc.local) and place “#” in front of the following lines as shown:

# This will overwrite /etc/issue at every boot. So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
#echo "" > /etc/issue
#echo "$R" >> /etc/issue
#echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
##cp -f /etc/issue /etc/issue.net
#echo >> /etc/issue

Then remove the files /etc/issue and /etc/issue.net:
# rm -f /etc/issue
# rm -f /etc/issue.net

Tightup SETUID/SETGID

To find all files with the ‘s’ bits from root-owned programs, use the command:
# find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -l {} \;

There is also software named “sXid” that will do the job for you automatically each day and report the results via mail.
To disable the suid bits on selected programs above, use chmod a-s:
# chmod a-s /usr/bin/chage
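The value of running that find every day is in the diff against yesterday, which is what sXid automates. As an added example (not from the original post and not sXid's code), the two shell functions below take a baseline of setuid/setgid files under a directory and report what appeared or disappeared since; the demo builds a throwaway directory with constructed files rather than scanning the real system.

```shell
#!/bin/sh
# Added example (not part of the original post): baseline the setuid/setgid
# files under a directory and report changes, the idea behind running the
# find above daily.
# usage: list_sbits DIR                -> sorted "mode owner path" lines
#        diff_sbits BASELINE_FILE DIR  -> prints added/removed entries,
#                                         returns 1 if anything changed

list_sbits() {
    # -perm -04000: setuid bit set; -perm -02000: setgid bit set.
    # Keep mode, owner and path from ls -ld (paths with spaces are not handled).
    find "$1" -xdev -type f \( -perm -04000 -o -perm -02000 \) -exec ls -ld {} \; \
        | awk '{ print $1, $3, $NF }' | sort
}

diff_sbits() {
    baseline="$1"; dir="$2"
    current=$(mktemp)
    list_sbits "$dir" > "$current"
    # comm -13: lines only in current (added); comm -23: only in baseline (removed)
    added=$(comm -13 "$baseline" "$current")
    removed=$(comm -23 "$baseline" "$current")
    rm -f "$current"
    [ -n "$added" ] && printf 'added:\n%s\n' "$added"
    [ -n "$removed" ] && printf 'removed:\n%s\n' "$removed"
    [ -z "$added" ] && [ -z "$removed" ]
}

# Demo on a constructed directory: two s-bit files go into the baseline,
# then a third appears, as a new setuid binary would after an install.
demo_sbits() {
    work=$(mktemp -d)
    : > "$work/a"; : > "$work/b"; : > "$work/plain"
    chmod 4755 "$work/a"
    chmod 2755 "$work/b"
    base=$(mktemp)
    list_sbits "$work" > "$base"
    : > "$work/new"; chmod 4755 "$work/new"
    diff_sbits "$base" "$work" && rc=0 || rc=$?
    rm -rf "$work" "$base"
    return $rc
}

demo_sbits || echo "setuid/setgid inventory changed since the baseline"
```

For daily use, store the output of `list_sbits /` somewhere root-only as the baseline and mail the output of `diff_sbits` when it returns non-zero; a new setuid file that no package installed is exactly the thing worth a closer look.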

TightPAM /etc/pam.d/

The password length

Edit the passwd file (vi /etc/pam.d/passwd) and remove the following line:
password required /lib/security/pam_stack.so service=system-auth

Edit the system-auth file (vi /etc/pam.d/system-auth) and remove the lines:
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so

Now add the following lines to /etc/pam.d/passwd. We use the PAM “pam_cracklib” module here with the argument “minlen” to enforce the password length.
password required /lib/security/pam_cracklib.so retry=3 minlen=12
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so

Tightup /etc/rc.d/init.d/

Fix the permissions of the script files that are responsible for starting and stopping all your normal processes that need to run at boot time.
To fix the permissions of those files, use the following command:
# chmod -R 700 /etc/init.d/*
This means only the super-user “root” is allowed to read, write, and execute the script files in this directory. I don’t think regular users need to know what’s inside those script files.
WARNING: If you install a new program or update a program that uses a System V init script located under the /etc/rc.d/init.d/ directory, don’t forget to change or verify the permissions of that script file again.

Secure Log files

http://www.securityfocus.com/infocus/1613

Hidden files

It is important to look everywhere on the system for unusual or hidden files (files that start with a period and are normally not shown by the “ls” command), as these can be used to hide tools and information (password cracking programs, password files from other systems, etc.). A common technique on UNIX systems is to put a hidden directory or file in a user’s account with an unusual name, something like ‘…’ or ‘.. ’ (dot dot space) or ‘..^G’ (dot dot control-G). The find program can be used to look for hidden files.

To look for hidden files, use the following commands:
# find / -xdev -name ".. " -print
# find / -xdev -name ".*" -print | cat -v
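The second command lists every dotfile on the filesystem, which on a real system is a long list. As an added example (not from the original post), the function below narrows the search to the three odd shapes the text names (‘...’, a dot-name ending in a space, and a dot-name containing a control character) and pipes through cat -ve so the control character shows as ^G and the trailing space is visible before the $ end-of-line marker. The demo directory tree is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): search one filesystem for the
# oddly named hidden entries described above and print the names with
# control characters made visible.
find_odd_hidden() {
    # -xdev must precede the expression; placing it after -print makes GNU
    # find warn. The three -name tests catch "...", dot-names ending in a
    # space (".. ") and dot-names containing a control character ("..^G").
    # cat -ve prints control characters as ^X and marks each line end with $,
    # so a trailing space in a name stands out.
    find "$1" -xdev \( -name '...' -o -name '.* ' -o -name '.*[[:cntrl:]]*' \) -print \
        | cat -ve
}

# Constructed demo tree: three suspicious names plus an innocent dotfile
# that should not be reported.
demo_odd_hidden() {
    work=$(mktemp -d)
    mkdir "$work/.. " "$work/..." "$work/home"
    mkdir "$work/home/..$(printf '\a')"
    : > "$work/home/.profile"
    find_odd_hidden "$work"
    rm -rf "$work"
}

demo_odd_hidden
```

Run `find_odd_hidden /home` (or `/`) on a real system; anything it prints deserves a look with `ls -la | cat -ve` in that directory, since a name chosen to be invisible in a plain listing is rarely there by accident.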
