Versions Compared

Old Version 55

changes.mady.by.user Gabriel Hernandez

Saved on

compared with

New Version 56

changes.mady.by.user Gabriel Hernandez

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Panel
borderColorgreen
bgColor#F3F9F4
borderStylesolid

 

Anti-Virus Considerations
Anchor
antivirus
antivirus

You may choose any proven anti-virus product. One option is ClamAV.

Applying Security Updates
Anchor
linuxupdates
linuxupdates

CentOS (command line):

Install and use the yum-security plugin.
To install the plugin run:

...

Panel
borderColorgreen
borderStylesolid
sudo apt-get upgrade

 

Change SSH Default Port
Anchor
sshport
sshport

Depending on your Linux distribution, the configuration file for SSH may reside in different locations.  Please perform a simple web search for instructions on how to change the port used by SSH on your specific Linux distribution.  Below is an example that may guide you through the process.

...

ssh username@hostname -p 49152

Configure NTP Server
Anchor
ntpserver
ntpserver

The Information Security Office (ISO) has been proactively scanning systems on the UT wired network for outdated versions of the NTP (Network Time Protocol) service running.  Systems running a vulnerable version of NTP can be compromised, thus begin participation in NTP-based distributed denial of service (DDOS) attacks targeting various endpoints across the internet.  This ultimately leads to an inordinate amount of network usage from the system, and it will be identified from the ISO and the ITS-Networking group.

...

Panel
borderColorgreen
borderStylesolid
Example 1:
edit /etc/inet/ntp.client -> ntp.conf
 added:
#added for DDoS prevention - don't allow any machine, except those w/o flags
restrict default notrust nomodify noquery    
restrict 127.0.0.1
restrict 128.83.185.40
restrict 128.83.185.41
 
Example 2 (with additional comments):
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default ignore
restrict -6 default ignore
 
#restrict default kod nomodify notrap nopeer noquery
#restrict -6 default kod nomodify notrap nopeer noquery

 

# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
server 128.83.185.40
restrict 128.83.185.40 nomodify notrap nopeer noquery
server 128.83.185.41
restrict 128.83.185.41 nomodify notrap nopeer noquery
 
~~~~~~~~``
default servers are commented out
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#server 0.centos.pool.ntp.org iburst
#server 1.centos.pool.ntp.org iburst
#server 2.centos.pool.ntp.org iburst
#server 3.centos.pool.ntp.org iburst

 

Anchor
distribution
distribution
Distribution Updates

Many distributions of Linux offer various distributions such as desktop, workstation, or server editions.  Please ensure you understand the differences in each edition and what additional services are installed/running by default in each addition.  Keep in mind unknown services running without proper configuration are vulnerable and lead system compromises.

Also, be sure the edition chosen offers a long-term support life cycle.  For example, Ubuntu publishes the current life cycle for their latest distributions.  If you run Ubuntu, or are considering Ubuntu, refer to the product support life cycle below.

Image Added

Source:  https://wiki.ubuntu.com/LTS

Implement Deny Hosts

Anchor
denyhosts
denyhosts

DenyHosts is a script intended to be run by Linux system administrators to help prevent SSH server attacks (also known as dictionary based attacks and brute force attacks) - http://denyhosts.sourceforge.net/

...

/etc/hosts.allow
sshd:hostname (allowed name of machine or IP address) 
and /etc/hosts.deny
sshd:ALL

Limit SSH Access to Campus Network
Anchor
sshaccess
sshaccess

Example of IP Tables configuration that will only allow UT campus networks to access a system remotely via SSH.  The networks listed below include various wired, wireless, and VPN networks.

Note: To access these systems from off-campus, users will need to utilize the UT VPN client available at https://vpn.utexas.edu

 

Panel
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 128.62.0.0/16 -j ACCEPT
-A INPUT -s 128.83.0.0/16 -j ACCEPT
-A INPUT -s 129.116.0.0/16 -j ACCEPT
-A INPUT -s 146.6.0.0/16 -j ACCEPT
-A INPUT -s 172.29.0.0/16 -j ACCEPT
-A INPUT -s 198.213.192.0/18 -j ACCEPT
-A INPUT -s 206.76.64.0/18 -j ACCEPT
-A INPUT -s 10.144.0.0/12 -j ACCEPT
-A INPUT -s 128.62.0/16 -j ACCEPT
-A INPUT -s 146.6.248.0/21 -j ACCEPT
-A INPUT -S 198.213.192.0/18 -j ACCEPT
-A INPUT -s 206.76.64.0/18 -j ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
COMMIT

Password Complexity
Anchor
passwordcomplexity
passwordcomplexity

On most Linux systems, you can use PAM to enforce password complexity. If you have a file in RHEL/CentOS named /etc/pam.d/system-auth-ac

Example:  Modify pam passwd requirements, length of 12 with special, upper, and lower cases plus a number:

/etc/pam.d/system-auth-ac

#password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=10 ucredit=-1 dcredit=-1 ocredit=-1 lcredit=-1

 

/etc/login.defs
PASS_MAX_DAYS   9999999
PASS_MIN_DAYS   0
PASS_MIN_LEN    12
PASS_WARN_AGE   7

To change some of the defaults at user creation time

/etc/default/useradd   

GROUP=1000   <-setting a default group doesn't seem to work. specify with useradd -g <groupname> <username>

#HOME=/home 
HOME=/group/users
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
#CREATE_MAIL_SPOOL=yes
CREATE_MAIL_SPOOL=no

System Accounts
Anchor
systemaccounts
systemaccounts

Files/Directory Permissions/Access

  • Enable system accounting (install package sysstat).
  • Integrity checking of system accounts, group memberships, and their associated privileges should be enabled and tested.
    • Check in /etc/sudoers to see who has sudo rights
    • Check in /etc/groups to see what groups your users belong to
    • Check in /etc/passwd and/or /etc/shadow for blank passwords
  • All administrator or root access must be logged.

System Access, Authentication, and Authorization

  • Enable the terminal security file to restrict root logins to system console onlyDo not allow root logins via SSH.
  • Ensure the following are set in /etc/pam.d/other:
     auth  required pam_deny.so
     auth   required pam_warn.so
     account  required pam_deny.so
     account  required pam_warn.so
     password  required pam_deny.so
     password  required pam_warn.so
     session  required pam_deny.so
     session  required pam_warn.so
     session  required pam_deny.so 
      Warn will report alerts to syslog.