Redhat Server Sekurity HowTo (r-SSH beta version 1.2.2-20.2)
written by Gw01f (D.balia)

Contents:
---------------------------------------------------
1. Intro
2. Installation of Redhat
   - Customising the installation (Server or otherwise)
   - script and its functionality
   - Removal of unnecessary programs (RPM commands & /etc/rc.d/init.d)
   - Compile-time necessities
3. Kernel specification and recompilation
   - Why recompile the kernel
   - Key areas of kernel security
4. Post-compilation configuration
   - Key fundamentals (BIOS, security policy, right password, console, user timeout)
   - Services - inetd.conf (super server)
   - SUID files
   - TCP Wrappers (hosts.deny & hosts.allow)
   - Sendmail
   - /etc/aliases
   - issue.net
   - Ping
   - /etc/host.conf
   - Source routing
   - TCP SYN cookie protection
   - /etc/services
   - /etc/pam.d/su
   - Resource limits
   - /etc/pam.d/login
   - Special accounts
   - /etc/securetty
   - RPM binary
   - Shell logging
   - /etc/lilo.conf
   - ctrl + alt + del
   - Logs and backups
   - Finding unusual programs
5. Third-party security tools
6. Media - websites and recommended reading
7. Conclusion
------------------------------------------------------------------------------------------------
--------------------------------------------Gw01f-------------------------------------------

Introduction:

This is written in an attempt:
1. ...to prove to my colleagues that Redhat Linux can be made more secure than some of their own damn servers... you fools know who you are... (BSD) :)
2. ...to help with the realisation that security is merely a level of ignorance... it all depends on what level you're on. So there's always much more to what you know, or what you thought you knew!
3. ...to help sysadmins in their attempts at securing Redhat boxes.
4. ...to put all the Redhat security information from all my years of reading and experimenting into one body of knowledge. You gotta love them security text files.
------------------------------------------------------------------------------------------------
Yes, there are millions of security files available on the NET, but I felt a lot of them lacked focus and too many had a newbie appeal. Who am I, you may ask? Ahem, I am merely a particle thrust into the vacuum of life, seeking but one thing and giving my all to its final achievement... Gw01f :)

PLEASE NOTE: This is focused on the sysadmin and the implementation of security on "Redhat Linux Servers". It is also assumed that the reader is well aware of Redhat installation, experienced in the use of Linux or Unix and has some grasp of networking. Of course the concepts apply to all other distributions of Linux. I tried my best to cover as much security as possible, so please mail me with requests or whatever you think this doc lacks: gw01f@hotmail.com (secure server, isn't it!!!!)
------------------------------------------------------------------------------------------------
2. Installation of Redhat:
------------------------------
Hehe, you've got another thing coming if you think I'm gonna walk you through the Redhat Linux installation... *kick*. First, note that whichever installation method you choose, from GNOME to CUSTOM, a lot of unnecessary packages will be installed and configured. The aim of this section is to remove the unnecessary and leave you with what's important from a security point of view.
------------------------------------------------------------------------------------------------
When you are prompted for partitioning, consider multiple partitions for security and server efficiency. Separate partitions keep data independent and contain the damage if one filesystem fills up, is corrupted or has to be removed; they also let you mount areas like /tmp and /home with restrictive options later.
I suggest:

  /boot    (kernel images)
  /usr     (Linux binaries)
  /home    (users)
  /chroot  (DNS services)
  /cache   (SQUID proxy)
  /var     (constantly changing files, e.g. log files)
  swap     (virtual memory)
  /tmp     (temporary storage)
  /        (root)

OK, you begin your server installation; it is of course necessary that you have already determined and are aware of all your hardware components and their configurations. Now you are prompted for the type of installation:

  * GNOME   (GNOME wm based installation)
  * KDE     (KDE wm based installation)
  * SERVER  (server installation with the standard server components)
  * CUSTOM  (for more specific configurations and setup)
  * UPGRADE (as it says)
------------------------------------------------------------------------------------------------
It is here that you choose CUSTOM. The default server installation provided by Redhat is very bulky and, if installed, needs much more attention to get it secure and to an efficient level of functionality. The aim is a bare-bones server running only what needs to be run to service the clients while ensuring its security. Under CUSTOM it's left totally up to you to determine what your server requires (in terms of packages), but I suggest selecting only the following from the menu:

  * Networked Workstation
  * Network Management Workstation
  * Utilities
------------------------------------------------------------------------------------------------
Anything more would be problematic; of course anything you later see a need for can be installed with ease via RPM (the Red Hat Package Manager). It's vital that as sysadmin you are aware of every single piece of software running on your server. With that said, ensure that everything you run, from BIND to X Windows, is patched for all known bugs and updated frequently. Look for patches and fixes at http://www.redhat.com or join their security mailing lists.
I CANNOT STRESS THIS ENOUGH!!!!!!

During the custom installation I suggest you deselect the following packages:

  1. App/File           - git (GNU Interactive Tools, a file manager, not a version control system)
  2. App/Internet       - finger, ftp, fwhois, ncftp, rsh, rsync, talk, telnet
  3. App/Publish        - ghostscript, ghostscript-fonts, mpage, rhs-printfilters
  4. App/System         - arpwatch, bind-utils, knfsd-clients, procinfo, rdate, rdist, screen, ucd-snmp-utils
  5. Doc                - indexhtml
  6. Sys Env/Base       - chkfont-path, yp-tools
  7. Sys Env/Daemons    - XFree86-xfs, lpr, identd, portmap, routed, rusers, rwho, rftp, ucd-snmp, ypbind
  8. Sys Env/Libraries  - XFree86-libs, libpng
  9. User Interface/X   - XFree86-75dpi-fonts, urw-fonts

Before you drop everything, only deselect those packages you won't be using. If you are not sure, learn what each one does first, then modify and select-install your system. Please do not install any X Window system on your server; it is both unstable and a major security risk.
------------------------------------------------------------------------------------
script and its functionality: (yes, your idea Lee)
---------------------------------
script makes a typescript of everything printed on your terminal. It is useful for students who need a hardcopy record of an interactive session as proof of an assignment, since the typescript file can be printed out later. It is much more powerful when working on and configuring your Linux box, as it is a good terminal logger, recording everything you do, from editing files to running menuconfig. The advantages are endless and, more importantly, it can help you backtrack if you have made errors or messed up the system. One caveat: the typescript captures everything that crossed the screen, including the contents of any file you cat, so treat it as sensitive and chmod 600 it (or delete it) when you are done.

script is run at the shell prompt:

  [Gw01f@sek /Gw01f]# script
  Script started, file is typescript

This tells you that logging has begun; the file will sit in the directory you ran script from. The default file name is typescript (you can give another name as an argument, e.g. script /root/install-session.log).
  [Gw01f@sek /Gw01f]# exit
  Script done, file is typescript

This is how you stop script logging, and you should receive the message above about the state of the typescript. Remember, it can be found in the CWD (current working directory) you ran script from.
---------------------------------------------------------------------------------------
Removal of unnecessary programs (RPM commands & /etc/rc.d/init.d):
---------------------------------------------------------------------------------------------
Before we remove packages that come pre-installed, I'll run you through a few basic commands we will be using later on, which will always be handy and vital.

RPM commands:
-------------------------
  1. INSTALL:      [Gw01f@sek /Gw01f]# rpm -ivh foo-ver.no.rpm
  2. UPGRADE:      [Gw01f@sek /Gw01f]# rpm -Uvh foo-ver.no.rpm     (capital U; lowercase -u is not an rpm option)
  3. UNINSTALL:    [Gw01f@sek /Gw01f]# rpm -e foo
  4. QUERY:        [Gw01f@sek /Gw01f]# rpm -q foo
  5. PACKAGE INFO: [Gw01f@sek /Gw01f]# rpm -qi foo
  6. LIST FILES:   [Gw01f@sek /Gw01f]# rpm -ql foo

Also worth knowing for later: rpm -V foo verifies the installed files of a package (size, mode, owner, MD5 sum) against the rpm database, which is a cheap first check when you suspect a binary has been replaced. If you need more help, go read the man :). Yes:

  [Gw01f@sek /Gw01f]# man rpm
or
  [Gw01f@sek /Gw01f]# rpm --help     (for the syntax listing)
------------------------------------------------------------------------------------------------
Starting and stopping daemon services:
------------------------------------------------------
Before we remove services or daemons, we must make sure that those we are going to delete are stopped first. The daemons/services can be found in /etc/rc.d/init.d. There are 3 basic commands you run on these scripts: start, stop and restart. E.g.:

  1. Start httpd   - [Gw01f@sek /Gw01f]# /etc/rc.d/init.d/httpd start
  2. Stop httpd    - [Gw01f@sek /Gw01f]# /etc/rc.d/init.d/httpd stop
  3. Restart httpd - [Gw01f@sek /Gw01f]# /etc/rc.d/init.d/httpd restart
------------------------------------------------------------------------------------------------
Uninstall the following (but first determine what you will and won't use :) ):

  pump  mt-st  eject  mailcap  apmd  kernel-pcmcia-cs  linuxconf  getty_ps  setconsole  isapnptools  setserial  kudzu  raidtools  gnupg  redhat-logos  redhat-release  gd  pciutils  rmt

Note that apmd and kudzu in that list are daemons running on your system right now (so is sendmail, should you decide to remove that too), so stop them before you remove them:

  [Gw01f@sek /Gw01f]# /etc/rc.d/init.d/apmd stop

(Think twice about gnupg: you will want it if you intend to check the signatures on the packages you download.) Remember, to uninstall a package:

  [Gw01f@sek /Gw01f]# rpm -e foo

If things get complicated and rpm complains about dependencies:

  [Gw01f@sek /Gw01f]# rpm -e --nodeps foo

where foo is the package you want to uninstall. That should uninstall with ease :). Be aware that --nodeps really does leave whatever depended on foo broken; use it only when you are removing the dependents as well.
------------------------------------------------------------------------------------------
Note: after ensuring you have configured all of the items below and your hardware correctly,
  - keyboard
  - mouse
  - time
commence with removal of the MENUCONFIG binaries and utilities. Once your server is up and running you will not need these menus... the less there is, the fewer security risks there are. Uninstall all of these:

  kbdconfig  mouseconfig  timeconfig  authconfig  ntsysv  setuptool
------------------------------------------------------------------------------------------
- Compile-time necessities
-----------------------------------------
OK, so your server is now beginning to take shape; as you will notice, we are slowly reducing your server to the bare minimum.
This makes for improved security and a better understanding of the actual processes and problems that could arise later :)

Now, you will have to install these basic packages to be able to compile on a Linux system:

  autoconf-2.13-5.noarch.rpm          m4-1.4-12.i386.rpm
  automake-1.4-5.noarch.rpm           dev86-0.14.9-1.i386.rpm
  bison-1.26-1.i386.rpm               byacc-1.9-11.i386.rpm
  cdecl-2.5-9.i386.rpm                cpp-1.1.2-24.i386.rpm
  cproto-4.6-2.i386.rpm               ctags-3.2-1.i386.rpm
  egcs-1.1.2-24.i386.rpm              ElectricFence-2.1-1.i386.rpm
  flex-2.5.40-7.i386.rpm              gdb-4.18-4.i386.rpm
  kernel-headers-2.2.12-20.i386.rpm   glibc-devel-2.1.2.i386.rpm
  make-3.77-6.i386.rpm                patch-2.5-9.i386.rpm

Remember:

  [Gw01f@sek /Gw01f]# rpm -ivh foo-ver.no.rpm

where foo-ver.no.rpm is the package you wish to install. Install all the files at once so that rpm can satisfy the dependencies between them, like so (one command line, wrapped here with backslashes):

  [Gw01f@sek /Gw01f]# rpm -Uvh autoconf-2.13-5.noarch.rpm m4-1.4-12.i386.rpm \
        automake-1.4-5.noarch.rpm dev86-0.14.9-1.i386.rpm bison-1.26-1.i386.rpm \
        byacc-1.9-11.i386.rpm cdecl-2.5-9.i386.rpm cpp-1.1.2-24.i386.rpm \
        cproto-4.6-2.i386.rpm ctags-3.2-1.i386.rpm egcs-1.1.2-24.i386.rpm \
        ElectricFence-2.1-1.i386.rpm flex-2.5.40-7.i386.rpm gdb-4.18-4.i386.rpm \
        kernel-headers-2.2.12-20.i386.rpm glibc-devel-2.1.2.i386.rpm \
        make-3.77-6.i386.rpm patch-2.5-9.i386.rpm
-----------------------------------------------------------------------------------------
When complete, check the install.log in /tmp :) just to make sure all was successful. To record the list of all installed RPMs:

  [Gw01f@sek /Gw01f]# rpm -qa > installed_rpm

or whatever you want to name the file. Keep that list (off the box, ideally): it is the reference you diff against later when you want to know whether a package was added or changed behind your back.
------------------------------------------------------------------------------------------
3. Kernel specification and recompilation
--------------------------------------------------
Hopefully things have gone smoothly for you and you're right on track :) Next, I'm gonna discuss our basic kernel. The Unix kernel, as described by Brian Ward in The Linux Kernel HOWTO, "...acts as a mediator for your programs and your hardware.
First, it does (or arranges for) the memory management for all of the running programs, and makes sure that they all get a fair share of the processor's cycles." It is vital that you read this HOWTO before you compile; it should be available at http://www.redhat.com/docs
------------------------------------------------------------------------------------------
- Why recompile the kernel:
---------------------------------
Our aim with recompiling the kernel is:
  1. To run the latest kernel available, which is more stable, more efficient and fixes them little bugs
  2. To apply security patches to the kernel
  3. To customise the kernel for our use and for optimum server functionality and efficiency

I'm not going into detail on the actual recompilation, because the HOWTO is already written, but I will advise you on the changes necessary to achieve a functional yet secure kernel.
------------------------------------------------------------------------------------------
- Key areas of kernel security:
------------------------------------
Before any kernel configs or recompiles, make an emergency boot disk. Yes yes, mkbootdisk --device /dev/fd0 2.2.12-20 (the last argument is the version of the kernel you are running right now; read the man page).

The latest kernel can be downloaded from http://www.kernel.org

A great way to harden the kernel is the Openwall patch set from http://www.openwall.com/linux. It makes the user stack non-executable, which stops the usual stack-smashing buffer overflow exploits from running their shellcode there (it does not fix the overflow bugs themselves, so keep patching), restricts following links and FIFOs in /tmp, restricts /proc so users only see their own processes, and destroys shared memory segments nobody is using any more. Also take a look at their other patches for BIND.

Once you have removed or backed up your old kernel source (/usr/src/linux), untar the newly downloaded kernel there. Once the sources are in place, we go to work. There are a lot of optimisations you can make to the kernel; I suggest you read the book Securing and Optimizing Redhat Linux, which covers every step, from changes to the kernel to the application of various patches.
http://www.amazon.com
------------------------------------------------------------------------------------------
During kernel configuration it is vital that the following options of the monolithic kernel are set as shown (Y/N), unless of course one of them applies to you:
-------------------------------------
Processor type and features:
  - Symmetric multi-processing support (CONFIG_SMP)                    N   (Y only if you really have more than one CPU)

Loadable module support:
  - Enable loadable module support (CONFIG_MODULES)                    N   (a monolithic kernel has no module loader for a rootkit to use)
-----------------------------------------------------------------------------------
General setup:
  - PCI quirks (CONFIG_PCI_QUIRKS)                                     N
  - Backward-compatible /proc/pci (CONFIG_PCI_OLD_PROC)                N
--------------------------------------------------------------------------------------
Block devices:
  - CMD640 chipset bugfix/support (CONFIG_BLK_DEV_CMD640)              N
  - RZ1000 chipset bugfix/support (CONFIG_BLK_DEV_RZ1000)              N
-------------------------------------------------------------------------------------
Networking options:
  - Network firewalls (CONFIG_FIREWALL)                                Y
  - IP: TCP syncookie support (CONFIG_SYN_COOKIES)                     Y   (still has to be switched on at runtime, see the SYN cookies section)
  - IP: Firewalling (CONFIG_IP_FIREWALL)                               Y
---------------------------------------------------------------------------------------
SCSI support:
  - Probe all LUNs on each SCSI device (CONFIG_SCSI_MULTI_LUN)         N
  - Verbose SCSI error reporting (kernel size += 12k) (CONFIG_SCSI_CONSTANTS)   N
--------------------------------------------------------------------------------------
SCSI low-level drivers:
  - Adaptec AIC7xxx support (CONFIG_SCSI_AIC7XXX)                      Y   (only if that is your controller)
  - Enable tagged command queueing (TCQ) by default                    Y
  - SYM53C8XX SCSI support (CONFIG_SCSI_SYM53C8XX)                     N
----------------------------------------------------------------------------------------
Character devices:
  - Maximum number of Unix98 PTYs in use (0-2048) (CONFIG_UNIX98_PTY_COUNT)   128
--------------------------------------------------------------------------------------
Mice:
  - C&T 82C710 mouse port support (CONFIG_82C710_MOUSE)                N
---------------------------------------------------------------------------------------
Filesystems:
  - Kernel automounter support (CONFIG_AUTOFS_FS)                      N
  - Quota support (CONFIG_QUOTA)                                       Y
---------------------------------------------------------------------------------------
Network filesystems:
  - NFS filesystem support (CONFIG_NFS_FS)                             N
---------------------------------------------------------------------------------------
Security options: (will only appear if you installed the Openwall security patch)
  - Restricted /proc (CONFIG_SECURE_PROC)                              Y
  - Destroy shared memory segments not in use (CONFIG_SECURE_SHM)      Y
  (the patch's other options, the non-executable user stack and the /tmp link and FIFO restrictions, are worth Y as well)
------------------------------------------------------------------------------------------
Note, there are many more options than those listed, but these are the key ones for optimisation and security. Please, please understand how your kernel functions and read the Kernel HOWTO before attempting any kernel changes, especially if you edit the kernel source. From here on you recompile:

  make dep; make clean; make bzImage

followed by installing the new image, running lilo and rebooting, as the HOWTO describes. I think that's enough on kernel config for security reasons.
----------------------------------------------------------------------------------------
4. Post-compilation configuration
-----------------------------------------
This section discusses general system security.

Key fundamentals (BIOS, security policy, right password, console, user timeout)
------------------------------------------------------------------------------------------
BIOS security:
------------------
Setting a BIOS password is vital, because physical tampering with the machine is as real a threat as any. The main aim here is to prevent booting from floppies or CD-ROMs (set the boot order to the hard disk only), which would otherwise let anyone with physical access boot their own system and mount your disks. Bear in mind that a BIOS password only slows down someone who can open the case and clear the CMOS; it is one layer, alongside a locked room and a LILO password (covered later).
-------------------------------------------
Security policies:
---------------------
Next, and not very often implemented, is a SECURITY policy.
It is vital that a sysadmin determines the trusted as well as the vulnerable hosts in his surrounding environment. It is here that policy determines what is and what is not allowed to access the server and its services, especially in corporate environments. Security policies may be vital and they may need to be well drawn up, but they MUST be well implemented, else they are senseless.
------------------------------------------
Passwords:
--------------
Another vital mistake by sysadmins is the quick solution to logging in by choosing passwords that are both very simple and relate to some aspect of their lives. I suggest choosing a password that is not a personal identifier and is not a single word that can be looked up in a dictionary, because password-cracking tools simply run through large dictionary databases and word files. The best passwords combine upper and lowercase letters with numbers (and punctuation) and are still easy to remember; something of the shape of Gw01fhat or RedhaT99, though not those two, since they are printed here and anyone who reads this doc can add them to a word list.

Remember that login accepts passwords of between 5 and 8 characters. With the traditional DES crypt() hashes only the first 8 characters count: with the password "Linuxrocks" (10 characters), typing just the first 8 is sufficient to log in, so a long password by itself is no extra protection. If you enabled MD5 passwords during installation (or later with authconfig), this truncation does not apply and longer passphrases do help. Also take a look at password aging and its implementation (chage, and the PASS_MAX_DAYS setting in /etc/login.defs).

To prevent bad passwords, raise the minimum length from 5 to, say, 8 characters by editing /etc/login.defs. Search for the line:

  PASS_MIN_LEN    5

and change it to:

  PASS_MIN_LEN    8

This is just a key note and reminder: check for the latest updates and patches to the software installed on your machine. :) Try to maintain a machine that is as bug-free as possible.
Notice I said this twice :)
------------------------------------------------------------------------------------------
Disable console program access:

To disable console-equivalent applications (which pam_console lets anyone logged in at the physical console run without the root password), remove the corresponding file:

  [Gw01f@sek /Gw01f]# rm -f /etc/security/console.apps/<program>

where <program> is the name of the program you want to take console-equivalent access away from. Example:

  [Gw01f@sek /Gw01f]# rm -f /etc/security/console.apps/shutdown
  [Gw01f@sek /Gw01f]# rm -f /etc/security/console.apps/poweroff
  [Gw01f@sek /Gw01f]# rm -f /etc/security/console.apps/reboot
  etc......
------------------------------------------------------------------------------------------
Account timeout:
----------------------
I find this one handy; however, it is not a favourite amongst users of the system. On Linux in general, most users, sometimes even pesky root, sit logged in idle for days. This is a security risk (an unattended root shell) and, to a certain extent, a waste of resources. Therefore decide at the outset whether you want this feature, where, if you are idle for an extended period, your shell times out and you are logged out. The configuration goes in /etc/profile (add these lines after "HISTFILESIZE="):

  TMOUT=7200
  export TMOUT
  readonly TMOUT

7200 is in seconds, i.e. 2 hours. TMOUT is a bash (and ksh) variable, so it does nothing for csh or tcsh users, and without readonly any user can simply unset it in their own shell; set it readonly if you mean it.
------------------------------------------------------------------------------------------
Services - inetd.conf:
-------------------------------------------
/etc/inetd.conf is the configuration file for the inetd daemon. This daemon listens for internet socket connections on the configured ports and decides which server program to start when a connection arrives, so every uncommented line in it is a network service somebody can reach.
(read man inetd and man inetd.conf)
------------------------------------------------------------------------------------------
My /etc/inetd.conf looks like this:

  #
  # inetd.conf    This file describes the services that will be available
  #               through the INETD TCP/IP super server. To re-configure
  #               the running INETD process, edit this file, then send the
  #               INETD process a SIGHUP signal.
  #
  # Version:      @(#)/etc/inetd.conf 3.10 05/27/93
  #
  # Authors:      Original taken from BSD UNIX 4.3/TAHOE.
  #               Fred N. van Kempen,
  #
  # Modified for Debian Linux by Ian A. Murdock
  #
  # Modified for RHS Linux by Marc Ewing
  #
  # Echo, discard, daytime, and chargen are used primarily for testing.
  #
  # To re-read this file after changes, just do a 'killall -HUP inetd'
  #
  #echo     stream  tcp  nowait  root        internal
  #echo     dgram   udp  wait    root        internal
  #discard  stream  tcp  nowait  root        internal
  #discard  dgram   udp  wait    root        internal
  #daytime  stream  tcp  nowait  root        internal
  #daytime  dgram   udp  wait    root        internal
  #chargen  stream  tcp  nowait  root        internal
  #chargen  dgram   udp  wait    root        internal
  #time     stream  tcp  nowait  root        internal
  #time     dgram   udp  wait    root        internal
  #
  # These are standard services.
  #
  ftp       stream  tcp  nowait  root        /usr/sbin/tcpd  in.ftpd -l -a
  #telnet   stream  tcp  nowait  root        /usr/sbin/tcpd  in.telnetd -h
  #
  # Shell, login, exec, comsat and talk are BSD protocols.
  #
  #shell    stream  tcp  nowait  root        /usr/sbin/tcpd  in.rshd
  #login    stream  tcp  nowait  root        /usr/sbin/tcpd  in.rlogind
  #exec     stream  tcp  nowait  root        /usr/sbin/tcpd  in.rexecd
  #comsat   dgram   udp  wait    root        /usr/sbin/tcpd  in.comsat
  talk      dgram   udp  wait    nobody.tty  /usr/sbin/tcpd  in.talkd
  ntalk     dgram   udp  wait    nobody.tty  /usr/sbin/tcpd  in.ntalkd
  #dtalk    stream  tcp  wait    nobody.tty  /usr/sbin/tcpd  in.dtalkd
  #
  # Pop and imap mail services et al
  #
  #pop-2    stream  tcp  nowait  root        /usr/sbin/tcpd  ipop2d
  pop-3     stream  tcp  nowait  root        /usr/sbin/tcpd  ipop3d
  #imap     stream  tcp  nowait  root        /usr/sbin/tcpd  imapd
  #
  # The Internet UUCP service.
  #
  #uucp     stream  tcp  nowait  uucp        /usr/sbin/tcpd  /usr/lib/uucp/uucico -l
  #
  # Tftp service is provided primarily for booting. Most sites
  # run this only on machines acting as "boot servers." Do not uncomment
  # this unless you *need* it.
  #
  #tftp     dgram   udp  wait    root        /usr/sbin/tcpd  in.tftpd
  #bootps   dgram   udp  wait    root        /usr/sbin/tcpd  bootpd
  #
  # Finger, systat and netstat give out user information which may be
  # valuable to potential "system crackers." Many sites choose to disable
  # some or all of these services to improve security.
  #
  finger    stream  tcp  nowait  nobody      /bin/cat        cat /etc/finger.txt
  #cfinger  stream  tcp  nowait  root        /usr/sbin/tcpd  in.cfingerd
  #systat   stream  tcp  nowait  guest       /usr/sbin/tcpd  /bin/ps -auwwx
  #netstat  stream  tcp  nowait  guest       /usr/sbin/tcpd  /bin/netstat -f inet
  #
  # Authentication
  #
  auth      stream  tcp  wait    root        /usr/sbin/in.identd  in.identd -e -o
  #
  # End of inetd.conf
------------------------------------------------------------------------------------------
Again, we keep only the key services and comment out those that are unnecessary. I commented out the first few (echo, discard, daytime, chargen and time) in particular, as those internal services can be abused for denial of service (DoS) attacks, e.g. by bouncing chargen output into echo between two victims. Redhat's default inetd.conf is fairly "up to scratch" in terms of security, but it is vital that you include only what you need.

A major problem, and I suggest you take care of it now, is telnetd (the telnet daemon). A lot of servers provide it, and it does give some ease of use, but I suggest you rethink your need for telnet and avoid it. Telnet sends everything across the network in clear text: a simple sniffer (linuxsniffer.c :) ) on the same segment picks up your login and password, and any other data passed between the telnet daemon and you, the client. Comment the line out:

  telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
becomes
  #telnet stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd

I insist you also disable shell, login, exec, talk, ntalk, imap and pop-2 (talk and ntalk are still live in my listing above; they go too unless your users genuinely need them). Note that pop-3 and ftp, which I left enabled, also send passwords in clear text, so the same sniffer argument applies to them: keep them only if you have to, and wrap them.
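Before you move on, it is worth being able to answer two questions about any inetd.conf quickly: which services are actually switched on, and which of those bypass tcpd (and therefore hosts.allow/hosts.deny, covered below). The script that follows is an added example, not part of this HOWTO and not a Redhat tool; it assumes a POSIX shell and awk, and the sample inetd.conf it writes is a constructed fragment modelled on the listing above, not a real server's file.

```shell
#!/bin/sh
# Added example (not from the original HOWTO): audit an inetd.conf.
# Every line that is not a comment is a reachable network service. Only
# services whose server field is /usr/sbin/tcpd go through tcp wrappers;
# "internal" services (echo, chargen, ...) are served by inetd itself and
# can never be wrapped, so they are flagged separately.

# inetd_audit FILE -> one line per enabled service:
#   service protocol user STATUS server
inetd_audit() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
        {
            server = $6
            if (server == "internal")            status = "INTERNAL"
            else if (server == "/usr/sbin/tcpd") status = "WRAPPED"
            else                                 status = "UNWRAPPED"
            print $1, $3, $5, status, server
        }' "$1"
}

# unwrapped_services FILE -> names of enabled services that bypass tcp wrappers
unwrapped_services() {
    inetd_audit "$1" | awk '$4 == "UNWRAPPED" { print $1 }'
}

# enabled_service FILE NAME -> exit 0 if NAME is enabled in FILE
# (handy for an "is telnet really off?" check from cron)
enabled_service() {
    inetd_audit "$1" | awk -v want="$2" '$1 == want { found = 1 } END { exit !found }'
}

# write_sample_conf FILE -> writes a constructed inetd.conf fragment
# modelled on the listing in the text (sample data, not a real server's file)
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real server's file
#echo    stream  tcp   nowait  root        internal
#telnet  stream  tcp   nowait  root        /usr/sbin/tcpd       in.telnetd -h
ftp      stream  tcp   nowait  root        /usr/sbin/tcpd       in.ftpd -l -a
pop-3    stream  tcp   nowait  root        /usr/sbin/tcpd       ipop3d
finger   stream  tcp   nowait  nobody      /bin/cat             cat /etc/finger.txt
auth     stream  tcp   wait    root        /usr/sbin/in.identd  in.identd -e -o
daytime  stream  tcp   nowait  root        internal
EOF
}

# stand-alone demo on the sample file
sample=$(mktemp)
write_sample_conf "$sample"
inetd_audit "$sample"
echo "bypassing tcp wrappers: $(unwrapped_services "$sample" | tr '\n' ' ')"
enabled_service "$sample" telnet && echo "telnet is ON" || echo "telnet is off, good"
rm -f "$sample"
```

Run it against the real file with inetd_audit /etc/inetd.conf. On the sample it reports finger and auth as UNWRAPPED: finger because it is served by /bin/cat directly, auth because in.identd is started without tcpd, so neither is subject to the hosts.allow/hosts.deny rules in the next section. Every UNWRAPPED line in your own file is one to either wrap or justify.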
I usually comment out the finger daemon, but from my inetd.conf above you can see I decided to have a little more fun:
----------------------------------------------------------------------------------------
  finger  stream  tcp  nowait  nobody  /bin/cat  cat /etc/finger.txt

Instead of returning a normal finger reply, it echoes whatever you put in /etc/finger.txt, and it runs as nobody rather than root, so there is no real fingerd exposed at all.

Make sure inetd.conf has the proper permissions on it; you don't want this file tampered with. Simply:

  [Gw01f@sek /Gw01f]# chmod 600 /etc/inetd.conf

To double-check the permissions on the file:

  [Gw01f@sek /Gw01f]# stat /etc/inetd.conf

After that, set the immutable flag on inetd.conf with the "chattr" command. This prevents any changes, accidental or otherwise: files with this flag cannot be modified, deleted, symlinked to or renamed, even by root, until the flag is removed again.

  [Gw01f@sek /Gw01f]# chattr +i /etc/inetd.conf

(+i sets the flag; chattr -i /etc/inetd.conf removes it again, which you must do before your next edit, and lsattr /etc/inetd.conf shows whether it is set.) Since root can clear the flag, it guards against accidents and sloppy scripts rather than against an attacker who already has root.

Also, after you have configured /etc/inetd.conf, don't forget to make inetd re-read it:

  [Gw01f@sek /Gw01f]# ps -ax | grep inetd
  349 ?  S  0:00 inetd

Once you have determined inetd's process ID, send it a SIGHUP:

  [Gw01f@sek /Gw01f]# kill -HUP 349

This does not kill inetd; SIGHUP makes the running inetd re-read its configuration file, so services you commented out stop being offered and newly enabled ones start being listened for. (killall -HUP inetd does the same without the ps step.) Confirm with netstat -an | grep LISTEN that the ports you removed are gone.
--------------------------------------------------------------------------------------
SUID files
-------------
This is a risk of note, and before your users step onto the system it is advisable that you find, locate and determine every SUID file. This can be done in the following
way:

  [Gw01f@sek /security]# touch suid.txt      (touch creates a new, empty file)
-----------------------------------------------------------------------------------------
  [Gw01f@sek /security]# find / -type f -perm -4000 -print >> /security/suid.txt

The leading minus in -perm -4000 means "the setuid bit is set, whatever the other permission bits are", so this one command covers 4000, 4700, 4777, 4755, 4770, 4750, 4751, 4555, 4550, 4551 and every other mode with the bit on; running find once per exact mode (without the minus) misses any mode you did not think of. Add -perm -2000 for setgid files, which deserve the same look.
----------------------------------------------
You can now view the text file and determine exactly what your SUID files are, decide what you need, and which ones you want your users to make use of. On my servers I leave the following files SUID and "chmod 000" the rest:

  gpasswd  passwd  ping  traceroute  screen  su  chage  pwdb_chkpwd

(If you would rather keep a program usable while taking the risk away, chmod u-s removes just the setuid bit; chmod 000 makes it unusable by everyone but root. Either way, keep your list: a repeat of the find above, and rpm -V on the package, will tell you later if the set changes, e.g. after an upgrade reinstalls a setuid binary or a rootkit adds one.)
------------------------------------------------------------------------------------------
TCP Wrappers (hosts.deny & hosts.allow)
-------------------------------------------------
This is based around the "tcpd" daemon; it's what we use to cut off certain services from non-trustworthy users or clients. tcpd is called into action by another daemon, inetd, whenever someone tries to access a service like in.telnetd etc. tcpd's job is to look at two files (/etc/hosts.allow and /etc/hosts.deny) and determine whether the host trying to access the service has permission or not. Here's how it works:

  1. A client tries to access a service tcpd is wrapping.
  2. inetd starts tcpd, which logs the attempt via syslog (syslogd).
  3. tcpd then looks in /etc/hosts.allow (if it finds a match, it allows the client to access the service and stops looking).
  4. tcpd then takes a look at /etc/hosts.deny (if it finds a match, tcpd closes the client's connection).
  5. If tcpd can't find a match in either file, it allows the service to run and gives the client access.

So the default, with both files empty, is to allow everything; hosts.deny only matters for clients hosts.allow has not already let in, which is why the usual setup is "deny everything in hosts.deny, list the exceptions in hosts.allow". The man pages are hosts_access(5) (the rule syntax) and hosts_options(5) (the extensions).

Note: in /etc/hosts it would be wise to put in your trusted hosts' DNS names and IP entries, as this prevents the DNS lookup from timing out before you get to the login prompt.

The basic syntax is as follows:

  daemon_list : client_list
------------------------------------------
daemon_list : a list of one or more daemon process names (the name the server is started as in inetd.conf, e.g. in.telnetd, in.ftpd, ipop3d)
client_list : a list of one or more host names, host addresses, patterns or wildcards

The rules for host patterns are as follows:
  a) To match all addresses in a network, put a "." at the end.
     E.g. 196.21.225. matches any address in that class C range (196.21.225.206 etc.)
  b) To match all hosts in a domain, put a "." at the front.
     E.g. .foo.com matches gw01f.foo.com, winblows.foo.com, etc.
----------------------------------------------------------------
Last but not least, the wildcards:
  a) ALL matches everything.
     ALL : ALL would match any machine trying to gain access to any wrapped service.
  b) LOCAL matches hostnames that don't have a dot in them.
     ALL : LOCAL would match any machine inside your own domain, i.e. whose name resolves without a domain suffix via the search list in /etc/resolv.conf :)
----------------------------------------------------------------
An example:

  # /etc/hosts.deny for sek.redhat.com
  ALL : ALL

This denies access from any machine, inside or outside the LAN, that hosts.allow has not explicitly permitted.
---------------------------------------------------------------
An example:

  # /etc/hosts.allow for sek.redhat.com
  ALL : .redhat.com        # allow every wrapped service to any host whose name ends in "redhat.com"
  in.ftpd : ALL            # allow ftp from everyone, inside and outside the network

(The daemon name must match the server name in inetd.conf; since ftp is started as in.ftpd there, the rule has to say in.ftpd, not wu.ftpd.) Be aware that hostname rules are only as trustworthy as DNS: tcpd reverse-resolves the client address and will not trust a name that does not also resolve forward to that same address, but an attacker who controls the reverse DNS for his address space and a matching forward zone can still play games, so prefer address patterns where you can.

After you're done with both files, run tcpdchk:

  [Gw01f@sek /Gw01f]# tcpdchk

This examines your tcp wrapper configuration and reports all potential and real problems it can find. tcpdmatch lets you ask "what would happen" for a given daemon and client, e.g. tcpdmatch in.telnetd evil.example.com.
---------------------------------------------------------------
Sendmail:
------------
The most commonly used e-mail program is sendmail, which is supplied with most Linux versions. The sendmail system is extremely powerful and flexible, but it can at times be annoying and difficult to configure and administer because of its complexity. Being the most popular doesn't always have its perks, as there have been numerous bugs and fixes for sendmail itself. Most administrators have no idea of the power behind sendmail, especially version 8, which has powerful anti-spam features. The best manual or reference available for sendmail is 800 pages. I seriously advise reading more about sendmail configuration and its functional capabilities. Unfortunately, this manual has a focus on security, so I won't be discussing sendmail and its configuration in depth.
Sendmail configuration can be found in the file /etc/sendmail.cf (make the following adjustments):
----------------------------------------
O PrivacyOptions=authwarnings

To:

O PrivacyOptions=authwarnings,noexpn,novrfy

Thereafter, change:

O SmtpGreetingMessage=$j Sendmail $v/$Z; $b

To:

O SmtpGreetingMessage=$j Sendmail $v/$Z; $b NO UCE C=xx L=xx

C = country (SA)
L = location code (ZA)
----------------------------------------
- /etc/aliases (aliases for sendmail):
-------------------------------------------
This file describes user ID aliases used by /usr/sbin/sendmail. A snippet:

#
#  @(#)aliases 8.2 (Berkeley) 3/5/94
#
#  Aliases in this file will NOT be expanded in the header from
#  Mail, but WILL be visible over networks or from /bin/mail.
#
#       >>>>>>>>>>      The program "newaliases" must be run after
#       >> NOTE >>      this file is updated for any changes to
#       >>>>>>>>>>      show through to sendmail.
#

# Basic system aliases -- these MUST be present.
MAILER-DAEMON:  postmaster
postmaster:     root

# General redirections for pseudo accounts.
bin:            root
daemon:         root
#games:         root
#ingres:        root
nobody:         root
system:         root
#toor:          root
#uucp:          root

# Well-known aliases.
#manager:       root
#dumper:        root
#operator:      root

# trap decode to catch security attacks
#decode:        root

# Person who should get root's mail
root:           gw01f

Pending your installation, I suggest commenting out the following:

#games
#ingres
#system
#uucp
#manager
#operator
#dumper
#decode
----------------------------------------
For this to take effect:

[Gw01f@sek /Gw01f]# /usr/bin/newaliases
------------------------------------------------------------------------------------------
- Issue.net:
-------------
Note: the /etc/issue.net and /etc/issue files can be important in hiding or disguising key information from the ``system cracker''. A lot of the time, a person will telnet into a box and, at the login prompt, determine what operating system the server is running.
By changing the issue file, instead of telnet showing this:

Red Hat Linux Release 6.1 (Cartman)
Kernel 2.2.12-20 on an i586
-------------------------------
Both files are plain ASCII, so you can simply edit them with whatever you want, like mine:

W0|fLinux Release 1.2 (Gw01f)
Micr0swAp Kernel 2.3 on an i386
------------------------------------
Please note, /etc/rc.d/rc.local will overwrite /etc/issue at every bootup of the server. You can edit this file as you so desire, or you can be lazy like me and completely comment it out, or:

[Gw01f@sek /Gw01f]# echo > /etc/rc.d/rc.local

That should completely empty the file. However, it is good practice to make a backup of files in case you make a major fumble.

Also not so fun, but nevertheless effective, is to prevent /etc/issue.net from being viewed at all. This can be done by editing the telnet line in /etc/inetd.conf:

telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd

To:

telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd -h

The -h flag will stop /etc/issue.net from being displayed. Of course, this only matters if you have telnet running at all.
----------------------------
- Ping
---------
This is aimed specifically at preventing your server from responding to a ping request. Note, the application of this depends on the requirements and the purpose of your server. But it is amazingly effective against ``script kiddies'' who will ping your server to determine if it's alive or exists. It's not a major achievement, but in some cases it proves very effective.
-------------------
[Gw01f@sek /Gw01f]# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

This will basically set the present value of /proc/sys/net/ipv4/icmp_echo_ignore_all to true, so that all ping requests are ignored. You can take it a step further and stick this line in /etc/rc.d/rc.local, ensuring this condition is applied at every boot up.
-----------------------------------------------------------------------------------------
- /etc/host.conf
-------------------
host.conf specifies how names are resolved.
Basically, the entries in host.conf tell the resolver library (which obtains the IP addresses corresponding to a host name) what service to use, and in what order, to resolve hostnames.
--------------------------------------
Edit and add:

# Lookup names via DNS then fall back to /etc/hosts
order bind,hosts
# Machines with multiple IP addresses
multi on
# Check for IP address spoofing
nospoof on
--------------------------------------
order ------------> sets the order of the services
bind -------------> checks the name server
multi ------------> determines whether a host in the ``/etc/hosts'' file can have multiple IP addresses
nospoof ---------> indicates to take care of and not permit IP spoofing on this machine
------------------------
- Routing Protocols
------------------------
Our focus here is primarily to disable IP source routing in the Linux kernel. IP source routing is when an IP packet contains details of the path to its intended destination. This is dangerous because, as RFC 1122 stipulates, the destination host must respond along the same path. Now, if an attacker was able to send a source routed packet into your network, then he would be able to interpret the replies and fool your host into thinking it's communicating with a trusted host.
---------------------------------------
Thus to disable source routing:

[Gw01f@sek /Gw01f]# for f in /proc/sys/net/ipv4/conf/default/accept_source_route \
>                           /proc/sys/net/ipv4/conf/lo/accept_source_route \
>                           /proc/sys/net/ipv4/conf/all/accept_source_route; do
>     echo 0 > $f
> done

This will disable source routing on all interfaces (ethN or pppN). Note again, to apply this condition continuously with boot-up, put the above lines into /etc/rc.d/rc.local.

PLEASE NOTE, this does not apply if you are intending to make use of IPCHAINS.
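The ping and source routing settings above, together with the tcp_syncookies knob the next section turns on, are all plain echo-into-/proc settings that are lost at reboot, so here is an added example (not from the HOWTO) that audits them and applies them in one go. It is POSIX sh, takes the /proc/sys root as a parameter so it can be exercised on a constructed directory tree, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the HOWTO: the kernel knobs this section writes with
# echo, as "path under /proc/sys" and the expected value. The
# accept_source_route line is a glob, so it is checked for every interface
# directory under net/ipv4/conf (all, default, lo, eth0, ...).
NET_HARDENING='
net/ipv4/icmp_echo_ignore_all 1
net/ipv4/tcp_syncookies 1
net/ipv4/conf/*/accept_source_route 0
'

# apply_net_hardening ROOT - write the expected value into every knob that
# exists under ROOT (/proc/sys on a live box; a constructed tree in the test).
apply_net_hardening() {
    root=$1
    while read -r knob want; do
        [ -n "$knob" ] || continue
        for f in "$root"/$knob; do
            [ -e "$f" ] && echo "$want" > "$f"
        done
    done <<EOF
$NET_HARDENING
EOF
}

# audit_net_hardening ROOT - print one line per knob that is missing or not at
# its expected value; the return value is the number of deviations, so 0 means
# every setting from this section is in place.
audit_net_hardening() {
    root=$1; bad=0
    while read -r knob want; do
        [ -n "$knob" ] || continue
        for f in "$root"/$knob; do
            if [ ! -e "$f" ]; then
                echo "MISSING $f"; bad=$((bad + 1)); continue
            fi
            read -r have < "$f"
            if [ "$have" != "$want" ]; then
                echo "WEAK    $f = $have (want $want)"; bad=$((bad + 1))
            fi
        done
    done <<EOF
$NET_HARDENING
EOF
    return $bad
}

# On a live box (as root), this is the one line to drop into /etc/rc.d/rc.local:
#   apply_net_hardening /proc/sys
# and this is the check to run afterwards (non-zero exit = something is weak):
#   audit_net_hardening /proc/sys
```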
------------------------------------------------------------------------------------------
- TCP SYN Cookies protection
-------------------------------------
This is on the assumption that upon your kernel re-compile you said yes to the TCP SYN Cookies protection option. This aims to protect against ``SYN attacks''. You would recognise the SYN flag from the TCP/IP three-way handshake. You can read up on SYN attacks in ``Phrack Volume Seven, Issue Forty-Eight, file 13 of 18''; it's done in detail and to perfection. http://www.phrack.com
------------------------------
To ensure your server is protected from these types of attacks, run the following at the prompt:

[Gw01f@sek /Gw01f]# echo 1 > /proc/sys/net/ipv4/tcp_syncookies

As usual, u know what I'm gonna say: if you want this condition to be permanent, ensure that you put this line in /etc/rc.d/rc.local.

PLEASE NOTE, this is senseless if you're going to implement IPCHAINS.
------------------------------------------------------------------------------------------
- /etc/services
-------------------
This file lists the ports on your system that have services connected to them. This file is large and basically lists port numbers with the protocol and the service attached to each port. You can also comment out entries in this file with a `#' so that no remote exploits are being run on those ports that are not being used. Note, every network program should look into this file to get the port number (and protocol) for its service. Ensure here that you tailor the services file to suit your server requirements. I cannot stress this enough.... only barebone services and nothing else.
-------------------------------------------------------------------
- /etc/pam.d/su
----------------------
PAM (Pluggable Authentication Modules) is a suite of shared libraries that allow the sysadmin to determine how applications authenticate users.
The great feature of this is the ability to change the entire authentication system without even touching the applications themselves. Using pam.d we will try to block users from making use of su (substitute user). su is a deadly file, and its mismanagement could leave you rooted. su trojans are a reality, especially in rootkits. We will therefore be working with /etc/pam.d/su.

Step 1:

The default /etc/pam.d/su looks like this:

#%PAM-1.0
auth       required     /lib/security/pam_pwdb.so shadow nullok
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_pwdb.so shadow use_authtok nullok
session    required     /lib/security/pam_pwdb.so
session    optional     /lib/security/pam_xauth.so

Insert the following two lines (pam_rootok and pam_wheel) at the top of /etc/pam.d/su, directly under the #%PAM-1.0 header, so it reads:
---------------------------------------------------------------
#%PAM-1.0
auth       sufficient   /lib/security/pam_rootok.so debug
auth       required     /lib/security/pam_wheel.so debug
auth       required     /lib/security/pam_pwdb.so shadow nullok
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_pwdb.so shadow use_authtok nullok
session    required     /lib/security/pam_pwdb.so
session    optional     /lib/security/pam_xauth.so

These two lines basically mean that only those in the group ``wheel'' will be allowed to su to root.
--------
Step 2:

To allow a specific user to su to root, you need to make use of the command usermod. Assume the user admin already exists and is the user assigned to administration of the machine. This is a GOOD time to mention: never, ever, use ``root'' unless it's really necessary. Rather use an account such as admin, sys, etc. and administer the server from that account. More importantly, if you're gonna su to root over a telnet or remote login session, make use of SSH (secure shell). Or, instead of su, make use of SSH's root login.

[Gw01f@sek /Gw01f]# usermod -G 10 admin

usermod basically modifies a user account.
-G - means supplementary group
10 - is the group number for ``wheel''

This basically adds the admin user to the wheel group, allowing him/her to su to root.
----------------------
- Resource Limits
----------------------
/etc/security/limits.conf is used to control and limit the resources available to users on the server or your system.

Snapshot of limits.conf:

# /etc/security/limits.conf
#
#Each line describes a limit for a user in the form:
#
#<domain>        <type>  <item>  <value>
#
#Where:
#<domain> can be:
#        - an user name
#        - a group name, with @group syntax
#        - the wildcard *, for default entry
#
#<type> can have the two values:
#        - "soft" for enforcing the soft limits
#        - "hard" for enforcing hard limits
#
#<item> can be one of the following:
#        - core - limits the core file size (KB)
#        - data - max data size (KB)
#        - fsize - maximum filesize (KB)
#        - memlock - max locked-in-memory address space (KB)
#        - nofile - max number of open files
#        - rss - max resident set size (KB)
#        - stack - max stack size (KB)
#        - cpu - max CPU time (MIN)
#        - nproc - max number of processes
#        - as - address space limit
#        - maxlogins - max number of logins for this user
#        - priority - the priority to run user process with
#
#<domain>      <type>  <item>         <value>
#
#*               soft    core            0
#*               hard    rss             10000
#@student        hard    nproc           20
#@faculty        soft    nproc           20
#@faculty        hard    nproc           50
#ftp             hard    nproc           0
#@student        -       maxlogins       4

# End of file
-------------------------
Edit the file so that the limit lines at the bottom read as follows (the header comments stay as they are):

#<domain>      <type>  <item>         <value>
#
#*               soft    core            0
*                hard    core            0
*                hard    rss             5000
@student         hard    nproc           20
#@faculty        soft    nproc           20
@faculty         hard    nproc           20
#ftp             hard    nproc           0
#@student        -       maxlogins       4

# End of file

This file is self-explanatory; however, for those who are lazy like me, I will elaborate.

hard core 0   - basically prevents the creation of core files
hard nproc 20 - restricts the number of processes to 20
hard rss 5000 - this will restrict memory usage to the limit specified (all users except root)

Step 2: Edit /etc/pam.d/login
-------------------------------------------------------------
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_pwdb.so shadow nullok
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_pwdb.so nullok use_authtok md5 shadow
session    required     /lib/security/pam_pwdb.so
session    optional     /lib/security/pam_console.so

To the following (add the pam_limits line at the bottom and comment out pam_console):
-------------------------------------------------------------
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_pwdb.so shadow nullok
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_pwdb.so nullok use_authtok md5 shadow
session    required     /lib/security/pam_pwdb.so
session    required     /lib/security/pam_limits.so
#session   optional     /lib/security/pam_console.so
-------------------------------------------------------------
- Special Accounts:
-----------------------
Note, it's vital as sysadmin that you are aware of all your users, keeping an exact record of who's who, and who to worry about.
More importantly, if an account is going to be idle, REMOVE it. Also, after Redhat installation there exist default vendor accounts, which we need to disable or completely remove. This can be done via the following commands:

[Gw01f@sek /Gw01f]# userdel <username>
[Gw01f@sek /Gw01f]# groupdel <groupname>

Remove the following vendor accounts:

adm
lp
sync
news
uucp
games
gopher
ftp (if no ftp server)
------------------------------------------------------------
- /etc/securetty (terminal types)
-------------------------------------
This file allows you to specify which TTY devices the ``root'' user is allowed to login on. This is read by the ``login'' program (/bin/login). Edit the file:

# /etc/securetty
tty1
tty2
tty3
tty4
tty5
tty6
tty7
tty8

I suggest you comment out all the ttys besides tty1. This will ensure root can only login once, and only on one terminal.

# /etc/securetty
tty1
#tty2
#tty3
#tty4
#tty5
#tty6
#tty7
#tty8
------------------------------------------------------------------------------------------
- RPM binary (/bin/rpm)
------------------------------
RPM is the key binary to the installation of almost all packages in Redhat Linux. You don't want your users making use of it and installing programs at their every "whim and fancy". Again, it all depends on what your server is tailored for. I suggest you either move the RPM binary to floppy (/dev/fd0) or change the permissions on it.

[Gw01f@sek /Gw01f]# chmod 700 /bin/rpm

This will basically allow only the owner (root) to read, write and execute it:

[Gw01f@sek /Gw01f]# ls -la /bin/rpm
-rwx------
------------------------------------------------------------------------------------------------
- Shell logging
-------------------
Shell logging basically covers the logging of the user's interaction with his terminal, in relation to the input of commands at the shell prompt. This logging, as everyone knows, is called and found in ".bash_history".

[Gw01f@sek /Gw01f]# man history

To limit shell logging, to keep system resource usage (especially HDD space) low, edit /etc/profile. The profile file defines each and every one of the users' profiles. Individual settings can be set by users in their home directories, in ".bashrc" and ".profile". Note Redhat Linux looks to ".bashrc" first upon logging in and defining user specifications as a default setting. Edit /etc/profile:

HISTFILESIZE=20
HISTSIZE=20
-----------------------------------------------------------------------------------------------
- /etc/lilo.conf
---------------------
Well, we all know what LILO (linux loader) does, don't we. A password can be set for lilo. This is done to ensure that, if a user had to gain access to your machine and decided to go into single user mode, for whatever reason (hehe), he would be prompted for a password. This is very handy indeed. Edit /etc/lilo.conf and add the following:

boot=/dev/hda
map=/boot/map
install=/boot/boot.b
prompt
# change the timeout line to 00
timeout=00
default=linux
# add the restricted line
restricted
# add the password line and put your password after the =
password=<your-password>
image=/boot/vmlinuz-2.2.12-20
        label=linux
        initrd=/boot/initrd-2.2.12-10.img
        root=/dev/hda1
        read-only

Next thing to do would be to make lilo.conf non-readable to users, since it now holds the password:

[Gw01f@sek /Gw01f]# chmod 600 /etc/lilo.conf

Then, to install the updated /etc/lilo.conf into the boot loader, run:

[Gw01f@sek /Gw01f]# /sbin/lilo -v
----------------------------------------------------------------------------------------------
- ctrl+alt+del (yes, the same one, when winblows gets the blue screen)
----------------------------------------------------------------------------------------------
Basically, again this is a preventative against actual physical access to the server, and the threat to server uptime as a result of this access. ctrl-alt-del, as a common hardware interrupt, can be a risk; therefore by editing /etc/inittab we can stop this facility.
Locate the line, and comment it out:

ca::ctrlaltdel:/sbin/shutdown -t3 -r now

To:

#ca::ctrlaltdel:/sbin/shutdown -t3 -r now

To apply the changes:

[Gw01f@sek /Gw01f]# /sbin/init q
-------------------------------------------------------------------------------------------
- Logs and backups
--------------------------
Logs: this is the most vital thing for getting an understanding of what your server has been doing, or what other people have been doing to your server. In Redhat Linux (or just general linux), we have 2 basic daemons running: syslogd (for system logging) and klogd (for kernel logging). Note, as soon as a "syscracker" has r00ted your box, he will begin to remove the traces of his break-in and his success. He will begin with the logs. This is common with most rootkits. I suggest you ensure your logs are secure and backed-up. This is even more vital when running tcpdump or logcheck, etc. I insist that you read and assess your logs as often as possible. This is the key to being a good admin. The only way you are going to see if you are being probed for an attack, or if someone has been attacking you, is by checking the logs.

I decided to go in depth here, because of how vital this section is. Ok, I will cover the 2 main linux daemons (syslogd and klogd), and you can work from there. :) Note these are system daemons and are automatically started by "rc.*" upon boot up. To configure exactly what you log, you must edit a file called "/etc/syslog.conf". For more information: man syslog.conf or man syslogd.

I suggest you read Bronc Buster's "Another Paper on Linux Security" (bronc@shocking.com, http://www.attrition.org). This snippet is from Bronc Buster's paper; it's good and his idea, so I decided not to make any changes (ok, maybe 2) but rather just lay it to u.

#/etc/syslog.conf file
#
# Modified by Bronc Buster

mail.none;*.=info;*.=notice         /usr/adm/messages
*.=debug                            /usr/adm/debug
*.err                               /usr/adm/syslog
*.=alert                            root,gw01f
*.=emerg                            root,gw01f
authpriv.*;auth.*                   /admin/bronc/auth.log
authpriv.*;auth.*                   /var/log/secure
mail.info;mail.notice               /var/log/maillog
daemon.info;daemon.notice           /var/log/daemon.log
*.*                                 /dev/tty12
#EOF

Basically, what he did was separate his messages by type, to create information manageability and make his logs more readable.

At the top, the first line:

mail.none;*.=info;*.=notice         /usr/adm/messages

Here we removed all messages in regard to mail from the messages log. Thereafter, logs matching *.=info;*.=notice are specified to be reported in /usr/adm/messages as well. Next:

*.=debug                            /usr/adm/debug

All debug messages are sent to their own file, as are "err" (error) messages. Then, this is a kewl part: all "alert" or "emerg" (emergency) messages are sent to the console, or to the terminal that I was logged in on, either as root or as the admin user gw01f.

The next two lines:

authpriv.*;auth.*                   /admin/gw01f/auth.log
authpriv.*;auth.*                   /var/log/secure

These basically cover connections and possible logins. This makes it easy to check out who logged in and when. Also notice an extra copy was sent to my home directory. This is a major and vital security measure. If the "system cracker" does wipe his existence clean from the logs, or removes them completely, you will still have a copy in your home directory ($HOME or "~").

The third to last line basically just dumps the mail messages into a separate file for logging:

mail.info;mail.notice               /var/log/maillog

The second to last line, like the one above, logs only what the daemons are doing in regard to the server or system:

daemon.info;daemon.notice           /var/log/daemon.log

The last line is one I learnt a while back and is very handy: dump all incoming logs in relation to all of the above areas to terminal 12 (/dev/tty12).
Pressing Ctrl + F12 will display this.

Another issue, which I didn't cover but which you should consider, is dumping all logs to a remote location. This is rather simple; the syntax is as follows (the IP number of the remote log host goes after the @):

# log ALL to another box's IP number
*.*                                 @<ip-of-loghost>
-------------------------------------------------------------------------
Note, what about "/var/log/wtmp" and "/var/log/utmp", plus each user's shell history, you must ask (hehe). It is wise to use "chattr" on these files (mentioned above), so they can't be deleted or edited, only appended to by the system. I know.... on most of my shell accounts, many poor admins don't worry much about the .bash_history, and this is so vital in assessing the type of user he or she is. Umm, one South African FreeBSD box comes to mind. :-) I usually place into my .bashrc or .profile:

rm $HOME/.bash_history

or

echo > .bash_history

or even link /dev/null to your .bash_history. Ok, there are a lot of ways..... *damn*
--------------------------------------------------------------------------------------------
- Finding unusual programs
------------------------------------
"Yes, I see those files, you can't hide them from me!" hehe, a famous line to me. A poor admin is one who pays very little attention to user accounts, goes to their home directories and just does a plain old:

[Gw01f@sek /Gw01f]# ls

This is both poor administration and a lack of common sense. If you know unix/linux file structures at all, you would know the simple power behind "." in making directories and naming files when the admin is not very bright. I'm not going to delve into that issue. But here's the solution; these commands should find almost all or most of those hidden files and directories, and make the admin's job all the easier:

[Gw01f@sek /Gw01f]# find / -name ".. " -print -xdev
[Gw01f@sek /Gw01f]# find / -name ".*" -print -xdev | cat -v

(The first looks for the classic ``dot dot space'' directory name; the cat -v makes non-printing characters in file names visible.) Note, you can play around with the following commands to be more decisive.
-------------------------------------------------------------------------------------------
Next, it's important we find group and world writable files, for obvious reasons:

[Gw01f@sek /Gw01f]# find / -type f \( -perm -2 -o -perm -20 \) -exec ls -lg {} \;
---------------------------------
Important is to find those users who want to make getting into the system easy by using those .rhosts files:

[Gw01f@sek /Gw01f]# find /home -name .rhosts > rhosts_ppl
----------------------------------
---------------------------------------------------------------------------------
END OF SECTION 4
---------------------------
5. Third Party Security Tools
--------------------------------------
Unbelievably, I'd love to elaborate here, because there are so many good kernel-hardening and server-securing tools written for linux in general, everything from firewalls to running daemons. This document is already longer than I thought, so I will just name the tools and the affiliated website. Happy sek~!

1. Bastille Linux Security (the linux hardening tool) - http://www.bastille-linux.org
2. Medusa (a kernel patch that improves security) - http://medusa.fornax.sk
3. SSH - Secure shell (who does not know what it is?) - http://www.ssh.com
4. Tripwire (maintains system integrity - brilliant stuff) - http://www.tripwiresecurity.com
5. Logcheck (NO, it's a necessity, the name says it all) - http://www.psionic.com/abacus/logcheck/
6. NMAP (the definitive scanner of scanners) - http://www.insecure.org/nmap
7. Portsentry (scan em ports) - http://www.psionic.com/abacus/portsentry/
8. LyX (editor I used for this Howto) - http://www.lyx.org

More to be added :)
------------------------------------------------------------------------------------------
6. Media - Suggested reading and websites
---------------------------------------------------------
1. Remote OS detection via TCP/IP Stack Fingerprinting, Phrack Magazine Volume 8, Issue 54, 1998. Author: Fyodor. http://www.phrack.com
2. Techniques Adopted By "System Crackers" When Attempting to Break into Corporate Or Sensitive Private Networks. http://www.ns2.co.uk
3. Linux Unleashed - Third Edition. http://www.amazon.com
4. ALT2600 - FAQ. http://www.alt2600.com  http://rootshell.com/docs/ALT2600.txt
5. A short overview of IP spoofing. http://www.attrition.org
6. Security Portal - http://www.securityportal.com
7. Linux Security - http://www.linuxsecurity.com
8. Security Focus - http://www.securityfocus.com
-------------------------------------------------------------------------------------------
7. Conclusion
--------------------
That's that. There's so much more to write on, and I should have, but I've got to actually go and get some actual work done of my own. I'm hoping to update this as soon as I get a chance. In the future, I'd like to cover IPCHAINS (especially), network monitoring utilities, intrusion detection conceptually, Apache security, Apache-SSL and handy tips for getting the most out of your Redhat Linux.

May the force be with U :)

SeK u!!!!!!!
gw01f@hotmail.com

Most failure is due to giving up, not realizing how close to success you were - Thomas Edison
----------------------------------/ Gw01f's END \----------------------------------