Securing Linux Operating System - Bare minimum checklist
The following is a bare-minimum checklist for hardening a Linux system.
Network Configuration :
ZEROCONF:
On by default and used by avahi for local service discovery. Disable it: edit /etc/sysconfig/network and add NOZEROCONF=yes, then remove the avahi package and its dependencies.
/etc/sysctl.conf settings :
Don't reply to broadcasts. Prevents joining a smurf attack.
    net.ipv4.icmp_echo_ignore_broadcasts = 1
Enable protection for bad icmp error messages.
    net.ipv4.icmp_ignore_bogus_error_responses = 1
Enable syncookies for SYN flood attack protection.
    net.ipv4.tcp_syncookies = 1
Don't allow outsiders to alter the routing tables.
    net.ipv4.conf.all.accept_redirects = 0
    net.ipv4.conf.default.accept_redirects = 0
    net.ipv4.conf.all.secure_redirects = 0
    net.ipv4.conf.default.secure_redirects = 0
Don't pass traffic between networks or act as a router.
    net.ipv4.ip_forward = 0
    net.ipv4.conf.all.send_redirects = 0
    net.ipv4.conf.default.send_redirects = 0
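As an added example (not part of the original checklist), the shell function below audits a sysctl.conf file against the ten settings listed above and reports every missing or wrong value. The names audit_sysctl_conf and write_sample and the sample file contents are constructed for illustration.

```shell
# Required values, copied from the checklist above (key=value, one per line).
REQUIRED='net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.ip_forward=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0'
# audit_sysctl_conf FILE (hypothetical helper): prints "MISSING key" or
# "WRONG key=got (want N)" per finding. Returns 0 = compliant, 1 = findings, 2 = unreadable.
audit_sysctl_conf() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    printf '%s\n' "$REQUIRED" | awk -F= -v conf="$1" '
        BEGIN {
            # Load the file: skip comment lines (# or ;), ignore whitespace; last assignment wins.
            while ((getline line < conf) > 0) {
                if (line ~ /^[ \t]*[#;]/) continue
                gsub(/[ \t]/, "", line)
                n = index(line, "=")
                if (n > 1) have[substr(line, 1, n - 1)] = substr(line, n + 1)
            }
        }
        !($1 in have)   { print "MISSING " $1; bad = 1; next }
        have[$1] != $2  { print "WRONG " $1 "=" have[$1] " (want " $2 ")"; bad = 1 }
        END { exit bad + 0 }'
}
# write_sample FILE: constructed sample config, not taken from a real host.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample
net.ipv4.ip_forward = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
EOF
}
# Demo run on the constructed sample: reports one missing and one wrong setting.
sample=$(mktemp); write_sample "$sample"
audit_sysctl_conf "$sample" || echo "sample does not meet the checklist"
rm -f "$sample"
```

The function checks the file only; the running kernel can differ until the file is loaded, so compare against `sysctl -n <key>` as well.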
XINETD configuration
Disable any service, application and/or user accounts that are not being utilized
Limit connections to services running on the host to authorized users
Unused Daemon Removal
Remove all daemons / packages not being used
Viewing: chkconfig --list
Disabling: chkconfig <service> off
System Time
Keep system time in sync
If required, create a cron job to sync with the local NTP server
Configuration example for some Daemon :
At and Cron
Only allow root and people with verified need to run cron jobs
Set up cron.allow and cron.deny
SSHD
Enable only ssh2 protocol (this is default in RHEL5)
Do not allow root logins
BIND
Use chroot package
Use ACLs
Do not allow ZONE TRANSFER
Init
Disable interactive boot by editing /etc/sysconfig/init and setting PROMPT=no
Require a password for single-user mode. Add the following to /etc/inittab: ~~:S:wait:/sbin/sulogin
Access Control :
Do not allow root login over SSH or gdm
Check the desired settings for :
pam_tally2
pam_access
pam_time
pam_limits
pam_loginuid
Secure PHYSICAL machine :
Disable boot to anything except hard drive
Disable any hardware unused
Set BIOS/firmware with PASSWORD
Set "GRUB" boot loader password
Install antivirus software (depending on your criteria). If installed, schedule daily updates.
Beyond the items above, anyone who wishes to go further with OS hardening is welcome to install and configure Bastille.