The GNU/Linux Security Checklist

Mikael Chambon, mikael (at) cronos.org

May 06, 2002. Version 0.9


Physical Security:

1). Setup a boot password and disallow booting from floppy drives
2). Disable Ctrl-Alt-Delete keyboard shutdown command
3). Modify your lilo to ask for a password in case we give it a command line

System Security:

1). Find all SUID/SGID programs on your system and remove unused SUID binaries
2). Make some binaries only executable by root
3). Make some binaries immutable
4). Remove unneeded accounts
5). Make /etc/rc.d files only executable/readable for root
6). Make /etc/cron.daily, weekly, .. only executable/readable for root
7). Make /var/log only readable for root
8). Check that "." is not in your PATH
9). Disable remote root login
10). Uninstall telnetd and use OpenSSH
11). Install a firewall
12). Get rid of buggy daemons/services
13). Hide your system
14). Avoid coredumps, limit the number of processes, etc. using limits.conf
15). Only people in the wheel group should be authorized to use the su cmd
16). Set a secure umask for all users
17). Force users to change their password frequently
18). Force users to choose long passwords
19). Restrict NFS
20). Session Timeout
21). Disallow the loading of kernel modules
22). Use the RPM database to check your system integrity
23). Use the RPM database to check that a file belongs to a package
24). Scan for rootkits
25). Protect your crontab
26). Restrict Samba
27). Disable magic SysRq key
28). Use a restricted shell for untrusted users

System installation and maintenance:

1). PRE-install rules
2). POST-install rules
3). Uninstall every unneeded daemon in /etc/rc.d/rc3.d, rc5.d, ...
4). Uninstall every remote control daemon like rcp, rlogin, ...
5). Uninstall dangerous and permissive daemons
6). Check for updates
7). Subscribe to a security mailing list
8). Check /var/log/messages every day
9). Do not install X on public HTTP/DNS/NTP/SMTP/.. servers
10). Install a script to check periodically some security issues

Network Security:

1). Activate SynCookies protection
2). Disable source routing
3). Reverse Path Filtering
4). Log RP filter dropped packets (martians)
5). Maximal number of remembered connection requests
6). How many times to retry before killing a TCP connection
7). Number of SYN packets the kernel will send before giving up
8). Disable broadcast icmp reply
9). Ignore Bogus icmp packets
10). Disable ICMP redirect
11). Disable timestamps
12). Reduce DoS ability by reducing timeouts



Physical Security:


1). Setup a boot password and disallow booting from floppy drives

Read your BIOS manual, setup a boot password and make it boot only from
your hard drive.

2). Disable Ctrl-Alt-Delete keyboard shutdown command

Just comment out the following line in /etc/inittab
and run "init q" to make init reload its configuration.

#ca::ctrlaltdel:/sbin/shutdown -t3 -r now

3). Modify your lilo to ask for a password in case we give it a command line

Example: anyone at the console can ask the kernel to boot in single-user mode.
If your kernel image is named linux, typing "linux single" at the lilo prompt is enough.

In lilo.conf add the following lines:

restricted
password="password"

And of course make /etc/lilo.conf only readable by root.
You can set lilo.conf immutable with chattr +i /etc/lilo.conf.

Don't forget to run lilo after any modifications in lilo.conf


System Security:


1). Find all SUID/SGID programs on your system and remove unused SUID binaries

=> find / -type f \( -perm -04000 -o -perm -02000 \)

To remove SUID: chmod -s binary
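The find command above gives you a snapshot; what an auditor wants is the difference from the last snapshot. As an added example (not code from the original checklist), a baseline-and-diff script around that find command; the function names and the demo tree are constructed for illustration:

```sh
#!/bin/sh
# Added example (not part of the original checklist): item 1 tells you how to
# list SUID/SGID files, but the question an auditor asks is "what changed since
# the last audit?". suid_inventory writes a sorted "mode owner path" list for a
# tree; suid_diff compares a saved baseline with a fresh inventory, prints
# "-"/"+" lines for removed or newly privileged files and returns 1 if anything
# changed. Take the baseline right after installation, keep it readable only by
# root (or off the machine), and run suid_diff from cron.
suid_inventory() {
    # $1 = root of the tree to scan (use / on a real system)
    find "$1" -type f \( -perm -04000 -o -perm -02000 \) -exec ls -ld {} + 2>/dev/null |
        awk '{ print $1, $3, $NF }' | sort
}

suid_diff() {
    # $1 = baseline file, $2 = tree to scan
    tmp=$(mktemp) || return 2
    suid_inventory "$2" > "$tmp"
    diff "$1" "$tmp" | sed -n 's/^< /- /p; s/^> /+ /p'
    changed=$(diff "$1" "$tmp" | grep -c '^[<>]')
    rm -f "$tmp"
    [ "$changed" -eq 0 ]
}

demo_suid_diff() {
    # Constructed demo tree (not a real system): two files, one of which gains
    # the SGID bit after the baseline was taken, as a planted binary would.
    tree=$(mktemp -d) || return 2
    printf '#!/bin/sh\n' > "$tree/a"
    printf '#!/bin/sh\n' > "$tree/b"
    chmod 4755 "$tree/a"
    chmod 0755 "$tree/b"
    suid_inventory "$tree" > "$tree/baseline"
    chmod 2755 "$tree/b"
    suid_diff "$tree/baseline" "$tree"    # prints one "+ ... /b" line
    status=$?
    rm -rf "$tree"
    return $status
}

demo_suid_diff
```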

2). Make some binaries only executable by root

chmod 700 /usr/bin/gcc
chmod 700 /usr/bin/chattr
chmod 700 /usr/bin/w
chmod 700 /usr/bin/who
chmod 700 /usr/bin/last
chmod 700 /usr/bin/lastb
chmod 700 /usr/bin/lastlog

chmod 700 /bin/rpm
chmod 700 /bin/dmesg

chmod 700 /sbin/ipchains
chmod 700 /sbin/iptables
chmod 700 /sbin/sysctl
chmod 700 /sbin/shutdown
chmod 700 /sbin/reboot
chmod 700 /sbin/halt
chmod 700 /sbin/poweroff

3). Make some binaries immutable

chattr +i /bin/login
chattr +i /bin/rpm
chattr +i /bin/ps
chattr +i /bin/ls

chattr +i /etc/shadow
chattr +i /etc/passwd
chattr +i /etc/group

You will need to clear the immutable bit (chattr -i) on shadow and passwd
before adding or modifying an account.

4). Remove unneeded accounts

userdel -r uucp
userdel -r operator
userdel -r ftp
userdel -r gopher
userdel -r games
userdel -r news
.....

5). Make /etc/rc.d files only executable/readable for root

cd /etc
chmod 700 rc.d

cd rc.d
chmod 700 *

cd init.d
chmod 700 *

6). Make /etc/cron.daily, weekly, .. only executable/readable for root

chmod 700 /etc/cron.hourly
chmod 700 /etc/cron.daily
chmod 700 /etc/cron.weekly
chmod 700 /etc/cron.monthly

7). Make /var/log only readable for root

chmod 700 /var/log

chmod 600 /var/log/messages
chmod 600 /var/log/dmesg
chmod 600 /var/log/boot.log
chmod 600 /var/log/lastlog
chmod 600 /var/log/rpmpkgs

8). Check that "." is not in your PATH

echo $PATH
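An added example (not part of the original checklist) that parses PATH instead of eyeballing it: besides ".", it also flags the empty components and relative entries that expose the current directory in exactly the same way.

```sh
#!/bin/sh
# Added example (not part of the original checklist): "echo $PATH" is easy to
# misread. An empty component (a leading or trailing ":" or a "::" in the
# middle) means the current directory exactly like "." does, and so does any
# relative entry such as "bin". path_cwd_entries prints one line for every
# component of the PATH string given as $1 that resolves relative to the
# current directory, and returns 1 if it found any, 0 if the PATH is clean.
path_cwd_entries() {
    found=0
    rest="$1:"                 # trailing ":" so the last component is seen too
    while [ -n "$rest" ]; do
        entry=${rest%%:*}      # component before the first ":"
        rest=${rest#*:}        # drop it, together with its ":"
        case $entry in
            "") echo "empty component (means the current directory)"; found=1 ;;
            .)  echo ". (the current directory)"; found=1 ;;
            /*) ;;             # absolute directory: fine
            *)  echo "relative entry: $entry"; found=1 ;;
        esac
    done
    return $found
}

# Check the PATH of the shell running this script.
if path_cwd_entries "$PATH"; then
    echo "PATH is clean"
else
    echo "PATH exposes the current directory; fix it in /etc/profile"
fi
```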

9). Disable remote root login

/etc/securetty lists the ttys root is allowed to log in from:

tty* : local
ttyp*: remote
ttyS*: remote
vc/* : Virtual console (alt + F2, alt + F3, ...)

Just comment out the names of the remote ttys.

Example:

console
tty1
tty2
#tty3
#tty4
#tty5
#tty6
#ttyS0
#ttyS
#ttyS2
#ttyS3
#ttyp0
#ttyp1
#ttyp2
#ttyp3

10). Uninstall telnetd and use OpenSSH

Disable root login in /etc/ssh/sshd_config:

=> PermitRootLogin no

Disable the SSH1 protocol in /etc/ssh/sshd_config
and in /etc/ssh/ssh_config:

=> Protocol 2

Make ssh check the Host IP address to detect DNS spoofing in
/etc/ssh/ssh_config:

=> CheckHostIP yes

Disable the lastlog message in /etc/ssh/sshd_config:

=> PrintLastLog no

11). Install a firewall

Install at least a packet filter firewall (ipchains) or a stateful
firewall (iptables) and authorize only the traffic you need, by port, IP and protocol.

12). Get rid of buggy daemons/services

- Replace wu-ftpd or beroftpd with ProFTPD or PureFTPd.
The best practice is to avoid installing an ftp daemon at all.

- Replace sendmail with qmail or Postfix

- Replace bind with MaraDNS or djbdns

13). Hide your system

- If you are using telnetd, try the -h option

- Change /etc/issue and /etc/issue.net
Check that these files are not recreated during boot time
in /etc/rc.d/rc.local

- Change your apache header (ServerTokens ProductOnly)

- Change your SMTP server header and disable VRFY and EXPN commands

- Change your POP3 server header and use APOP or POP3 over SSL
=> You can find a good example with Qpopper here

- Change your tcp/ip stack fingerprint (ippersonality)

14). Avoid coredumps, limit the number of processes, etc. using limits.conf

- In the following example, people with shell accounts on the system are
in the group toto.

- limits.conf can be found in /etc/security/ on Red Hat systems

limits.conf example:

* hard core 0
* hard rss 10000
@toto hard data 131072
@toto hard memlock 41926
@toto hard nproc 40
@toto hard maxlogins 2
@toto hard nofile 20
@toto hard fsize 50000


Don't forget to put "session required /lib/security/pam_limits.so"
in /etc/pam.d/login

15). Only people in the wheel group should be authorized to use the su cmd

=> /bin/chgrp wheel /bin/su
=> /bin/chmod 4750 /bin/su

Put the following line in /etc/pam.d/su

"auth required /lib/security/pam_wheel.so use_uid"

Add toto to the wheel group: usermod -G wheel toto

16). Set a secure umask for all users

The file creation mask is calculated by subtracting
the desired default permissions from 777.

=> The users' default umask should be 077

If you are using bash, you can add "umask 077" in /etc/bashrc

17). Force users to change their password frequently

- For example, let's force toto to change his password every 20 days

=> chage -M 20 -W 5 toto

(Use chage -l toto to check)

You can make these settings permanent in /etc/login.defs by adding

"PASS_MAX_DAYS 20"
"PASS_WARN_AGE 5"

18). Force users to choose long passwords

Add the following line to /etc/login.defs to set
the minimum password length to 8:

"PASS_MIN_LEN 8"

19). Restrict NFS

If /no/toto is the directory you want to export and X.X.X.X is
the authorized client, add the following line to your /etc/exports:

/no/toto X.X.X.X(ro,root_squash)

20). Session Timeout

To set up a session timeout (in seconds), add the following line to /etc/profile:

TMOUT=600

21). Disallow the loading of kernel modules

- Download LCAP from http://pweb.netcom.com/~spoon/lcap/

=> lcap CAP_SYS_MODULE

No more modules can be loaded into the kernel until the next reboot.

22). Use the RPM database to check your system integrity

=> rpm -Va >> system.txt

Symbols:

S = File size changed
M = File mode changed
5 = MD5 sum differs
D = Device major/minor number mis-match
L = readLink(2) path mis-match
U = User ownership differs
G = Group ownership differs
T = mTime differs

Keep in mind that you can only trust RPM when it reports differences;
a clean result does not prove that your system is intact.
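An added example (not from the original checklist) that triages rpm -Va output using the symbols listed above, so that a long system.txt is reduced to the lines worth reading. It assumes the usual rpm -V line layout (flag column, optional attribute letter, path, or the word "missing"); the sample lines are constructed, not taken from a real system.

```sh
#!/bin/sh
# Added example (not part of the original checklist): triage the output of
# "rpm -Va" from item 22. Lines look like "S.5....T.  c /etc/foo" -- a column
# of change flags, an optional attribute letter (c = config file) and the
# path -- or "missing   /path" for files that are gone.
#
# rpm_va_triage reads rpm -Va output on stdin and prints one line per file
# that deserves attention: any non-config file whose MD5 sum (5), mode (M),
# owner (U) or group (G) changed, plus any missing file. Config files whose
# content differs are expected after local edits and are listed separately
# with a "config:" prefix; mtime-only changes are ignored.
rpm_va_triage() {
    awk '
        $1 == "missing" { print "missing: " $NF; next }
        {
            flags = $1; path = $NF
            attr = (NF == 3) ? $2 : ""
            if (attr == "c") {
                if (index(flags, "5")) print "config: " path
                next
            }
            if (flags ~ /[5MUG]/) print "ALERT:  " path " (" flags ")"
        }'
}

# Constructed sample output (not from a real system) to exercise the function.
SAMPLE_RPM_VA='S.5....T.    /bin/ls
.M.......    /usr/bin/passwd
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/share/man/man1/ls.1.gz
missing     /sbin/chkconfig
.....UG..    /var/spool/cron'

# Number of ALERT lines produced for the sample (used by the tests).
count_alerts() {
    printf '%s\n' "$SAMPLE_RPM_VA" | rpm_va_triage | grep -c '^ALERT'
}

printf '%s\n' "$SAMPLE_RPM_VA" | rpm_va_triage
```

On a real system, feed it the saved report: rpm_va_triage < system.txt.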

23). Use the RPM database to check that a file belongs to a package

=> rpm -qf /toto/path_to_file

24). Scan for rootkits

The best tool is chkrootkit, which checks system binaries for rootkit modifications:
chkrootkit.org

25). Protect your crontab

Create a cron.allow file in /etc and make it readable only by root:

(as root)
=> touch /etc/cron.allow
=> chmod 600 /etc/cron.allow
=> echo "root" >> /etc/cron.allow

The cron.allow file lists the users allowed to use the cron daemon.

26). Restrict Samba

In this example, our local network is 192.168.2.0/24

Edit the smb.conf file and add the following lines:

interfaces = 192.168.2.1/255.255.255.0
bind interfaces only = yes
socket address = 192.168.2.1
allow hosts = 192.168.2.0/255.255.255.0

27). Disable magic SysRq key

=> /sbin/sysctl -w kernel.sysrq=0

28). Use a restricted shell for untrusted users

In this example, the untrusted user is toto.

As root, let's prepare rbash:

=> ln -s /bin/bash /bin/rbash
=> echo "/bin/rbash" >> /etc/shells

Now restrict toto:

=> chsh -s /bin/rbash toto

You can also set up menu-based shells with pdmenu or flash.


System installation and maintenance:


1). PRE-install rules

It can take a while, but choose every package yourself and install only what you need.

!! Security starts with the installation !!

2). POST-install rules

- Move /tmp/install.log to a safe place
- Use install.log to remove unwanted packages
- Keep install.log up to date: you must know exactly what is running
on your system !!!

3). Uninstall every unneeded daemon in /etc/rc.d/rc3.d, rc5.d, ...

...

4). Uninstall every remote control daemon like rcp, rlogin, ...

...

5). Uninstall dangerous and permissive daemons

Remove portmap if you don't use RPC
Remove fingerd, ruserd, statd
Remove netfs if you don't use nfs
Remove identd

6). Check for updates

If you are using Red Hat, for example: http://www.redhat.com/errata/
(use rpm -Fvh, not rpm -Uvh, so that only packages already installed get upgraded)

7). Subscribe to a security mailing list

http://www.linuxsecurity.com
http://www.securityfocus.com
http://www.cert.org

8). Check /var/log/messages every day

...

9). Do not install X on public HTTP/DNS/NTP/SMTP/.. servers

...

10). Install a script to check periodically some security issues

I myself use secheck; if you know a better one, please let me know.


Network Security:


1). Activate SynCookies protection

It works by sending out 'syncookies' when the
syn backlog queue of a socket overflows.

=> echo 1 >/proc/sys/net/ipv4/tcp_syncookies

or

=> /sbin/sysctl -w net.ipv4.tcp_syncookies=1

2). Disable source routing

=> for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done

or

=> /sbin/sysctl -w net.ipv4.conf.all.accept_source_route=0

3). Reverse Path Filtering

Reject incoming packets if their source address doesn't match
the network interface that they're arriving on

=> for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done

or

=> /sbin/sysctl -w net.ipv4.conf.all.rp_filter=1

4). Log RP filter dropped packets (martians)

=> for f in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 1 > $f
done

or

=> /sbin/sysctl -w net.ipv4.conf.all.log_martians=1

5). Maximal number of remembered connection requests

=> /sbin/sysctl -w net.ipv4.tcp_max_syn_backlog=256

6). How many times to retry before killing a TCP connection

(default 7 on most systems)

=> /sbin/sysctl -w net.ipv4.tcp_orphan_retries=4

7). Number of SYN packets the kernel will send before giving up

=> /sbin/sysctl -w net.ipv4.tcp_syn_retries=5

8). Disable broadcast icmp reply

=> /sbin/sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1

9). Ignore Bogus icmp packets

=> /sbin/sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1

10). Disable ICMP redirect

=> echo 0 >/proc/sys/net/ipv4/conf/all/accept_redirects
=> echo 0 >/proc/sys/net/ipv4/conf/all/send_redirects

or

=> /sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0
=> /sbin/sysctl -w net.ipv4.conf.all.send_redirects=0

11). Disable timestamps

=> echo 0 >/proc/sys/net/ipv4/tcp_timestamps

or

=> /sbin/sysctl -w net.ipv4.tcp_timestamps=0

12). Reduce DoS ability by reducing timeouts

=> echo 30 >/proc/sys/net/ipv4/tcp_fin_timeout
=> echo 1800 >/proc/sys/net/ipv4/tcp_keepalive_time
=> echo 0 >/proc/sys/net/ipv4/tcp_window_scaling
=> echo 0 >/proc/sys/net/ipv4/tcp_sack

or

=> /sbin/sysctl -w net.ipv4.tcp_fin_timeout=30
=> /sbin/sysctl -w net.ipv4.tcp_keepalive_time=1800
=> /sbin/sysctl -w net.ipv4.tcp_window_scaling=0
=> /sbin/sysctl -w net.ipv4.tcp_sack=0