Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Example of IP Tables configuration that will only allow UT campus networks to access a system remotely via SSH.  The networks listed below include various wired, wireless, and VPN networks.

Note: To access these systems from off-campus, users will need to utilize the UT VPN client available at https://vpn.utexas.edu

 

Panel
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 128.62.0.0/16 -j ACCEPT
-A INPUT -s 128.83.0.0/16 -j ACCEPT
-A INPUT -s 129.116.0.0/16 -j ACCEPT
-A INPUT -s 146.6.0.0/16 -j ACCEPT
-A INPUT -s 172.29.0.0/16 -j ACCEPT
-A INPUT -s 198.213.192.0/18 -j ACCEPT
-A INPUT -s 206.76.64.0/18 -j ACCEPT
-A INPUT -s 10.144.0.0/12 -j ACCEPT
-A INPUT -s 128.62.0/16 -j ACCEPT
-A INPUT -s 146.6.248.0/21 -j ACCEPT
-A INPUT -S 198.213.192.0/18 -j ACCEPT
-A INPUT -s 206.76.64.0/18 -j ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
COMMIT

Password Complexity
Anchor
passwordcomplexity
passwordcomplexity

On most Linux systems, you can use PAM to enforce password complexity. If you have a file in RHEL/CentOS named /etc/pam.d/system-auth-ac

Example:  Modify pam passwd requirements, length of 10 12 with special, upper, and lower cases plus a number:

/etc/pam.d/system-auth-ac

#password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=10 ucredit=-1 dcredit=-1 ocredit=-1 lcredit=-1

 

/etc/login.defs
PASS_MAX_DAYS   9999999
PASS_MIN_DAYS   0
PASS_MIN_LEN    10
PASS_WARN_AGE   7

To change some of the defaults at user creation time

/etc/default/useradd   

GROUP=1000   <-setting a default group doesn't seem to work. specify with useradd -g <groupname> <username>

#HOME=/home 
HOME=/group/users
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
#CREATE_MAIL_SPOOL=yes
CREATE_MAIL_SPOOL=no

System Accounts
Anchor
systemaccounts
systemaccounts

Files/Directory Permissions/Access

  • Enable system accounting (install package sysstat).
  • Integrity checking of system accounts, group memberships, and their associated privileges should be enabled and tested.
    • Check in /etc/sudoers to see who has sudo rights
    • Check in /etc/groups to see what groups your users belong to
    • Check in /etc/passwd and/or /etc/shadow for blank passwords
  • All administrator or root access must be logged.

System Access, Authentication, and Authorization

  • Enable the terminal security file to restrict root logins to system console onlyDo not allow root logins via SSH.
  • Ensure the following are set in /etc/pam.d/other:
     auth  required pam_deny.so
auth   required pam_warn.so
account  required pam_deny.so
account  required pam_warn.so
password  required pam_deny.so
password  required pam_warn.so
session  required pam_deny.so
session  required pam_warn.so
session  required pam_deny.so
Warn will report alerts to syslog.