Redhat linux hardening tips & bash script

From the time a servers goes to live environment its prone to too many attacks from the hands of crackers (hackers) also as a system administrator you need to secure your Linux server to protect and save your data, intellectual property, and time here server hardening comes into effect. Securing a server is much different than securing a desktop computer for a variety of reasons. By default, a desktop operating system is installed to provide the user with an environment that can be run out of the box. Desktop operating systems are sold on the premise that they require minimal configuration and come loaded with as many applications as possible to get the user up and running. Conversely, a server’s operating system should abide by the Principle of Least Privilege, which states that it should have only the services, software, and permissions necessary to perform the tasks it’s responsible for.

We already covered some topics in earlier articles some of them are linked here.

Here are some tips for servers hardening ( Some already mentioned in my previous posts)

1) Removing Unnecessary Software Packages (RPMs)

An administrator should be crystal clear about the primary function or role of the Linux server also should know what is on the server.Therefore, it is very critical to look at the default list of software packages and remove unneeded packages.

To get a list of all installed RPMs you can use the following command:

rpm -qa

Remove the unneeded packages from the list.

2) Disabling Run level System Services

In  Linux servers, some services are enabled to start at boot up by default.
it is safe to disable all services that are not needed as they are risks security and waste of hardware resources. Read more.

3) Reviewing Inittab and Boot Scripts

The inittab file /etc/inittab also describes which processes are started at bootup and during normal operation. For example, Oracle uses it to start cluster services at bootup. Therefore, it is recommended to ensure that all entries in /etc/inittab are legitimate in your environment.

I would at least remove the CTRL-ALT-DELETE trap entry to prevent accidental reboots:

The default runlevel should be set to 3 since in my opinion X11 (X Windows System) should not be running on a production server. In fact, it shouldn’t even be installed.

# grep ':initdefault' /etc/inittab
id:3:initdefault:

To have changes in /etc/inittab become effective immediately, you can run:

# init q

4) Securing SSH

Ssh is a great protocol and as it name stands for Secure SHell its secure but its prone to attacks with basic configuration. There are ways to make ssh even more secure than it is now.Read more

5) SSH login without passwords

Automated authentication onto server using RAS key authenticating mechanism . Read more

6) Kernel Tuning

Following are some tunable kernel parameters you can use to secure your Linux server against attacks .We need to add these entries inside /etc/sysctl.conf configuration file to make the change permanent after reboots.To activate the configured kernel parameters immediately at runtime, use:

#sysctl -p

Disable IP Source Routing

net.ipv4.conf.all.accept_source_route = 0

Disable ICMP Redirect Acceptance

net.ipv4.conf.all.accept_redirects = 0

Enable Ignoring Broadcasts Request

net.ipv4.icmp_echo_ignore_broadcasts = 1

Enable Bad Error Message Protection

net.ipv4.icmp_ignore_bogus_error_responses = 1

Enable Logging of Spoofed Packets, Source Routed Packets, Redirect Packets

net.ipv4.conf.all.log_martians = 1

The above mentioned are only few steps for harding . There are many more steps like providing strong password , locking user accounts after too many login failures , restricting use of previous used passwords , setting banners etc.

Hardening five or six servers can be done quite easily at a stretch but when the number of servers increases it just becomes tiresome and time consuming . So why don’t we think about a running a script that does all the hardening jobs and there wont be any waste of time. The script presented can be customized according to the requirement.

#!/bin/bash
chkconfig autofs off
chkconfig avahi-daemon off
chkconfig avahi-dnsconfd off
chkconfig bluetooth off
chkconfig conman off
chkconfig cups off
chkconfig dhcdbd off
chkconfig firstboot off
chkconfig gpm off
chkconfig haldaemon off
chkconfig isdn off
chkconfig iptables off
chkconfig ip6tables off
chkconfig irda off
chkconfig irqbalance off
chkconfig kdump off
chkconfig kudzu off
chkconfig mcstrans off
chkconfig microcode_ctl off
chkconfig multipathd off
chkconfig netconsole off
chkconfig netfs off
chkconfig netplugd off
chkconfig nfs off
chkconfig nfslock off
chkconfig nscd off
chkconfig pcscd off
chkconfig portmap off
chkconfig rdisc off
chkconfig rhnsd off
chkconfig restorecond off
chkconfig rpcgssd off
chkconfig rpcidmapd off
chkconfig rpcsvcgssd off
chkconfig sendmail off
chkconfig smartd off
chkconfig winbind off
chkconfig wpa_supplicant off
chkconfig xfs off
chkconfig ypbind off
chkconfig yum-updatesd off
chkconfig acpid on
chkconfig anacron on
chkconfig atd on
chkconfig cpuspeed on
chkconfig lvm2-monitor on
chkconfig messagebus on
chkconfig ntpd on
chkconfig network on
chkconfig oracle on
chkconfig oracleasm on
chkconfig readahead_early on
chkconfig readahead_later on
chkconfig syslog on
chkconfig sshd on
cat > /root/banner << EOF
|-----------------------------------------------------------------|
| This system is for the use of authorized users only. |
| Individuals using this computer system without authority, or in |
| excess of their authority, are subject to having all of their |
| activities on this system monitored and recorded by system |
| personnel. |
| |
| In the course of monitoring individuals improperly using this |
| system, or in the course of system maintenance, the activities |
| of authorized users may also be monitored. |
| |
| Anyone using this system expressly consents to such monitoring |
| and is advised that if such monitoring reveals possible |
| evidence of criminal activity, system personnel may provide the |
| evidence of such monitoring to law enforcement officials. |
|-----------------------------------------------------------------|
EOF
cat /root/banner
sed -i 's/id:5:initdefault:/id:3:initdefault:/g' /etc/inittab
sed -i 's/ca::ctrlaltdel:/#ca::ctrlaltdel:/g' /etc/inittab
echo PermitRootLogin no >> /etc/ssh/sshd_config
echo Banner /root/banner >> /etc/ssh/sshd_config
sed -i 's/#AllowTcpForwarding yes/AllowTcpForwarding no/g' /etc/ssh/sshd_config
sed -i 's/#X11Forwarding no/X11Forwarding no/g' /etc/ssh/sshd_config
sed -i 's/X11Forwarding yes/#X11Forwarding yes/g' /etc/ssh/sshd_config
sed -i 's/#StrictModes yes/StrictModes yes/g' /etc/ssh/sshd_config
sed -i 's/#IgnoreRhosts yes/IgnoreRhosts yes/g' /etc/ssh/sshd_config
sed -i 's/#HostbasedAuthentication no/HostbasedAuthentication no/g' /etc/ssh/sshd_config
sed -i 's/#RhostsRSAAuthentication no/RhostsRSAAuthentication no/g' /etc/ssh/sshd_config
service sshd restart
echo net.ipv4.conf.all.accept_source_route = 0 >> /etc/sysctl.conf
echo net.ipv4.conf.all.accept_redirects = 0 >> /etc/sysctl.conf
echo net.ipv4.icmp_echo_ignore_broadcasts = 1 >> /etc/sysctl.conf
echo net.ipv4.icmp_ignore_bogus_error_responses = 1 >> /etc/sysctl.conf
echo net.ipv4.conf.all.log_martians = 1 >> /etc/sysctl.conf
sysctl -p
if [ $(id -u) -eq 0 ]; then
read -p "Enter username : " username
read -s -p "Enter password : " password
egrep "^$username" /etc/passwd >/dev/null
if [ $? -eq 0 ]; then
echo "$username exists!"
exit 1
else
pass=$(perl -e 'print crypt($ARGV[0], "password")' $password)
useradd -m -p $pass $username
[ $? -eq 0 ] && echo "User has been added to system!" || echo "Failed to add a user!"
fi
else
echo "Only root may add a user to the system"
exit 2
fi