Firewall Wizards
mailing list archives
Hardening a UNIX box HOWTO (Was Re: Hardening RH 7.2)
From: Carson Gaspar <carson () taltos org>
Date: Tue, 16 Jul 2002 17:26:09 -0400
--On Tuesday, July 16, 2002 2:26 PM -0400 Jon Czerwinski
<joncz () mindspring com> wrote:
Any recommended websites or documents detailing hardening a RedHat
7.2 server?
I've seen various forms of this question for a while. Here's the approach I
take (and have some scripts that automate the process). It seems a lot
more straightforward (and more draconian) than a lot of the docs I've read,
and is much shorter ;-)
To harden a UNIX box:
- Install the OS (full install if you feel like it)
- Remove the setuid bit from all files
- Remove the setgid bit from all files
- Remove group writability from all files and directories
- Remove world writability from all files and directories
- Make all files and directories owned by root
Now this is where it starts to vary by platform:
- Disable all non-essential start scripts (or portions thereof, for the
rc.local folks out there)
- Re-add permissions to the small number of files/dirs that actually need
them. A good starting list (from Solaris - YMMV):
World Writeable Directories (all should be mode 1777):
/tmp
/var/tmp
/var/preserve (if you use vi, and care)
SetUID binaries (mode 4111 through 4755, depending on paranoia)
su
passwd
pt_chmod (or equivalent helper binary, if your platform needs it)
utmp_update (as above)
Group writeable directories (mostly mode 660, or 2660)
/tmp/ps_data
You also may want to create an "operator" group, to allow non-root users to
run diagnostic tools. If so, you probably want to make the following setuid
root (mode 4110 - mode 4750), group operator. If you have file system ACLs,
you can make some of them setgid sys/mem/whatever instead, with an ACL
enabling the operator group to execute them.
netstat
ping
traceroute
tcpdump
prtconf
top
ps
sysdef
- Reboot your machine
- You should now have a minimally functional system (console text login as
root or as a non-root user)
- Run "netstat -na". You should see nothing listening (unless you left
something enabled on purpose, such as sshd)
Now this part _really_ requires expertise:
- Enable each service you require, understanding the security requirements
of each. E-mail can be particularly tricky, requiring world and/or group
writable directories, and setuid and/or setgid binaries.
--
Carson
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
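The strip-then-re-add procedure above, written out as a script. This is an added example, not Carson's automation scripts or anything from the original thread. It takes the tree to harden as an argument so it can be rehearsed on a scratch copy before being pointed at / on a real box, and it treats the exception list the way the mail does: everything loses setuid/setgid and group/world write first, then a short list gets those bits back. Assumptions that are mine rather than the post's: a POSIX find/chmod/chown, Solaris-style /usr/bin and /usr/lib paths in the exception list (Linux may keep su in /bin), and an "operator" group by that name. Symlinks are excluded from every find because chmod would follow them to their target.

```shell
#!/bin/sh
# Added example, not Carson's scripts: a small implementation of the
# "strip everything, then re-add the exceptions" procedure from the mail.
# The tree to harden is passed as an argument so the script can be
# rehearsed on a scratch copy before being pointed at / on a real box.
# Assumptions (mine): a POSIX find/chmod/chown; the exception paths are
# Solaris-style /usr/bin and /usr/lib locations and the operator group is
# named "operator". Edit the list for the platform at hand.
set -u

# Step 1: clear setuid and setgid on everything under the tree.
# Symlinks are excluded because chmod would follow them to their target.
strip_special_bits() {
    find "$1" -xdev ! -type l \( -perm -4000 -o -perm -2000 \) \
        -exec chmod u-s,g-s {} +
}

# Step 2: clear group and world write on every file and directory.
strip_group_world_write() {
    find "$1" -xdev ! -type l \( -perm -020 -o -perm -002 \) \
        -exec chmod g-w,o-w {} +
}

# Step 3: make everything root-owned. Needs to run as root; group
# ownership is left alone here because the root group's name varies.
own_by_root() {
    find "$1" -xdev ! -type l ! -user root -exec chown root {} +
}

# Step 4: re-add the short exception list. One entry per line:
#   mode  path-relative-to-tree  [group]
# Paths that do not exist on this platform are skipped with a note so
# one list can serve several boxes.
reapply_exceptions() {
    root=$1
    while read -r mode rel grp; do
        case $mode in ''|'#'*) continue ;; esac
        target=$root/$rel
        if [ ! -e "$target" ]; then
            printf 'skip: %s not present\n' "$target" >&2
            continue
        fi
        if [ -n "$grp" ]; then
            chgrp "$grp" "$target" || {
                printf 'skip: %s (no group %s)\n' "$target" "$grp" >&2
                continue
            }
        fi
        chmod "$mode" "$target"
    done <<'EOF'
# world-writable sticky directories
1777 tmp
1777 var/tmp
1777 var/preserve
# setuid-root binaries; use 4111 instead of 4755 if users need not read them
4755 usr/bin/su
4755 usr/bin/passwd
4111 usr/lib/pt_chmod
# diagnostic tools for the operator group: setuid root, not world-executable
4750 usr/sbin/ping operator
4750 usr/sbin/traceroute operator
EOF
}

# Audit helpers: how much is still setuid/setgid or group/world writable?
# After the steps above each count should equal the number of exceptions
# that actually exist on the box; anything more needs explaining.
remaining_special_bits() {
    find "$1" -xdev ! -type l \( -perm -4000 -o -perm -2000 \) \
        | awk 'END { print NR }'
}

remaining_writable() {
    find "$1" -xdev ! -type l \( -perm -020 -o -perm -002 \) \
        | awk 'END { print NR }'
}

# Usage: sh harden.sh --apply /path/to/tree
if [ "${1-}" = --apply ] && [ -n "${2-}" ]; then
    strip_special_bits "$2"
    strip_group_world_write "$2"
    own_by_root "$2"
    reapply_exceptions "$2"
    printf 'setuid/setgid entries: %s\n' "$(remaining_special_bits "$2")"
    printf 'group/world-writable entries: %s\n' "$(remaining_writable "$2")"
fi
```

The two audit functions are the "netstat -na"-style sanity check for the file system: run them after the reboot and anything they count that is not on the exception list is either a service you re-enabled on purpose or a mistake. Note that -xdev keeps find on one file system, so run the script once per mounted file system rather than assuming / covers /usr or /var.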