How do I secure an out-of-the-box Red Hat system?

Jan 9th, 2002 15:38
Kagan (Kai) MacTane,

Red Hat Linux (RHL) is one of the most popular Linux distributions.
However, its default, out-of-the-box (OOB) installation is NOT very
secure. Following are steps to make it at least minimally secure, along
with discussion of a few ways to increase security even further.

This document assumes that you already know the basics of system
administration, such as how to install software from a tarball or turn
off a service in inetd.conf. If you need help with those sorts of tasks,
try looking around the FAQTs Web site.

I also assume that you're running a server, not a desktop, machine, and
that you're providing a few standard services on standard ports: Web,
email, possibly FTP, remote access and/or DNS. If your machine is a
desktop, you can afford to turn off many of the services I talk about
here, and you could just put the whole thing behind a firewall.

1) Install SSH and turn off telnet.

Telnet is an inherently insecure connection method, dating from ages
long past, when the Internet was a much safer and friendlier place. In
the modern era, you should use ssh (Secure SHell) for remote connectivity.
OpenSSH, available from http://www.openssh.com, is an open-source SSH
implementation. It can be downloaded in either source (tarball) or RPM form.

If you're doing your administration remotely, you'll want to install and
test SSH first, *then* turn off telnet (by commenting out the relevant
line in /etc/inetd.conf and HUPping inetd). Otherwise, you'll be stuck
with no way to contact your own server.

However, if you've got console access, you might as well start by
turning off telnet, then download and install SSH from the console.

2) Turn off other unnecessary inetd services.

While you're inside /etc/inetd.conf turning off telnet, you may as well
turn off everything else you don't need. Finger? Rlogin? Chargen? All
those things that Red Hat turns on by default? You need hardly *any* of
them. Turn 'em all off.

Most likely, the only things in inetd.conf that you *do* need are ftp
and possibly POP3 and/or IMAP. (Note that if you're running a Web server
on this machine, you'll want to allow FTP so people can upload files for
the Web site.)

Remember to HUP inetd when you're done.

3) Portscan your own machine.

This is a great way to see what else is open. One of the best
port-scanners out there is nmap, available from
http://www.insecure.org/nmap/. Download and install it, then run "nmap
localhost". Within moments, it will give you a list of the ports you
have open.

On an OOB RHL installation, it's fairly likely you'll have ports like
515 (printer) and 111 (sunrpc) open. Unless you actually *have* a printer
attached to your server (*and* you want people to be able to send print
jobs to it from other machines!), you don't need port 515 open. Unless
you're actually using any Sun RPC (Remote Procedure Call) software on
your site (and if you're at all in doubt, you're not), you *definitely*
don't want port 111 open.

Check around, see what processes are running that might have opened
those ports, shut them down, and take them out of your init scripts.
When I'm disabling something I'm not sure of, and might want to put back
later, I usually just change the name of the symlink in /etc/rc.d/rc3.d:
for example, by turning S80sendmail into dontstart80sendmail.

When you're done with this part, you may want to shut down the machine
and restart it, then redo the portscan -- just to confirm what actually
gets started by default.

4) Toss any insecure daemons.

One of the first things that should go is wu-ftpd. It's riddled with
security holes. Pure-ftpd, available from
http://pureftpd.sourceforge.net/, is secure and is released under the
GPL. Unlike wu-ftpd, pure-ftpd likes to run as a standalone process,
rather than through inetd.

Some people like to avoid Sendmail as their mail server, partly because
it used to be horribly insecure (as in, a new remote root exploit got
discovered roughly once a month for a year or two). Qmail (from
http://www.qmail.org) and Postfix (from http://www.postfix.org) are a
pair of replacement programs for Sendmail that were written with
security foremost in mind. They both represent complete divergences from
Sendmail, in terms of coding design and architecture, and running any of
the three is totally unlike running either of the other two.

Please note that using either Qmail or Postfix will probably entail
making changes to inetd.conf. You may find, when you're done, that
you're running your FTP, POP3, SMTP, and IMAP (if any) processes all as
standalone servers. In that case, you can always just turn off inetd
(and rename the symlink that starts it in /etc/rc.d/rc3.d, usually
S50inetd).

If you're running Web services, you're probably doing it using Apache.
An OOB installation of Apache is pretty secure these days, so no worries
there.
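The two edits that steps 1 through 4 keep coming back to, commenting services out of inetd.conf and renaming start symlinks in rc3.d, as an added shell example that is not part of the original FAQTs entry. It works on a constructed inetd.conf and a constructed rc3.d inside a temporary directory (the file contents and symlink names are made up for the example), so it can be run and inspected before the same functions are pointed at the real paths.

```shell
#!/bin/sh
# Added example, not part of the original entry. It performs the edits the
# steps above describe against a CONSTRUCTED inetd.conf and a CONSTRUCTED
# rc3.d in a temp directory, so the real system is untouched. Repoint the
# two variables at /etc/inetd.conf and /etc/rc.d/rc3.d only after review.
SANDBOX=$(mktemp -d)
INETD_CONF="$SANDBOX/inetd.conf"
RC3_DIR="$SANDBOX/rc3.d"
# Constructed sample of a Red Hat-style inetd.conf.
cat > "$INETD_CONF" <<'EOF'
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
chargen stream  tcp     nowait  root    internal
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
EOF
# Constructed rc3.d with two start symlinks (targets need not exist).
mkdir -p "$RC3_DIR"
ln -s ../init.d/sendmail "$RC3_DIR/S80sendmail"
ln -s ../init.d/inet "$RC3_DIR/S50inet"

# Comment out the named service's active line(s) in inetd.conf. The text
# is kept, so re-enabling later is just removing the '#'.
disable_inetd_service() {
  sed "s/^\($1[[:space:]]\)/#\1/" "$INETD_CONF" > "$INETD_CONF.tmp" &&
    mv "$INETD_CONF.tmp" "$INETD_CONF"
}

# List the services inetd will still start: first field of every line
# that is neither blank nor a comment. Review this before HUPping inetd.
active_inetd_services() {
  awk 'NF > 0 && $0 !~ /^[ \t]*#/ { print $1 }' "$INETD_CONF"
}

# Rename S<nn><name> to dontstart<nn><name>, as the text suggests: init
# ignores it (no leading S or K), and restoring it is a single mv.
disable_rc_service() {
  for link in "$RC3_DIR"/S[0-9][0-9]"$1"; do
    [ -L "$link" ] || continue
    nn=$(basename "$link"); nn=${nn#S}; nn=${nn%"$1"}
    mv "$link" "$RC3_DIR/dontstart$nn$1"
  done
}

for svc in telnet finger chargen; do disable_inetd_service "$svc"; done
disable_rc_service sendmail
echo "still active in inetd.conf:"; active_inetd_services
# On the real system, follow the edit with: killall -HUP inetd
```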