Versions Compared

Old Version 71

changes.mady.by.user Gabriel Hernandez

Saved on

compared with

New Version Current

changes.mady.by.user Gabriel Hernandez

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Panel
borderColorgreen
bgColor#F3F9F4
borderStylesolid

 

Anti-Virus Considerations
Anchor
antivirus
antivirus

You may choose any proven anti-virus product. One option is ClamAV. Anchorlinuxupdateslinuxupdates

Applying Security Updates

CentOS (command line):

Install and use the yum-security plugin.
To install the plugin run:

 

...

borderColorgreen
borderStylesolid

...

For UT devices running RHEL or CentOS installations, Cisco AMP - (only for UT systems) is another option.  Please email help@ece.utexas.edu and provide the UT asset tag number (silver sticker The Property of The University of Texas at Austin) for further details.  Your system will need to be verified it is property of the University.

Anchor
linuxupdates
linuxupdates

Applying Security Updates

CentOS (command line):

Install and use the yum-security plugin.
To install the plugin run:

 

Panel
borderColorgreen
borderStylesolid
sudo yum install yum-security

 

To list all updates that are security relevant, and get a reutrn code on whether there are security updates use:

...

# What ports, IPs and protocols we listen for

Port 491522002

It is recommended that a commonly known port number or a port number currently in use by another application is not selected.  This may cause technical issues with port allocation in the future.  A good secure range of ports you may want to use are ports from 49152 through 65535.

...

  • Verify SSH is listening on the new port by connecting to it. Note how the port number now needs to be declared.

ssh username@hostname -p 491522002

Anchor
ntpserver
ntpserver

Configure NTP Server

...

Panel
borderColorgreen
borderStylesolid

Option 1: Uninstall NFS server, NFS client, and Portmapper (RPCbind)

Open a command-line terminal and then type the following command:

$ sudo apt-get --purge remove nfs-kernel-server nfs-common rpcbind

 

Option 2: Portmap lockdown via TCP Wrapper   

 **Note**

Solaris system TCP Wrappers not are enabled by default. Open a command-line terminal and enter the following commands to enable rpcbind TCP Wrappers:


# svccfg -s rpc/bind setprop config/enable_tcpwrappers=true
# svcadm refresh rpc/bind

      (Continue following the instructions below)

 

For all other Linux systems:

Open a command-line terminal and then type the following command:

$ sudo nano /etc/hosts.allowAdd the following lines:
rpcbind: 146.6.101.0/255.255.255.0
rpcbind: 128.83.190.0/255.255.255.0
rpcbind: 129.116.100.192/255.255.255.192
rpcbind: 129.116.238.128/255.255.255.192
rpcbind: 146.6.28.64/255.255.255.192
rpcbind: 146.6.53.0/255.255.255.0
rpcbind: 146.6.177.0/255.255.255.192
rpcbind: 129.116.140.0/255.255.255.0
rpcbind: 129.116.234.0/255.255.255.0
rpcbind: 172.25.1.0/255.255.255.224
rpcbind: 206.76.64.0/255.255.192.0
rpcbind: 198.213.192.0/255.255.192.0
rpcbind: 172.29.0.0/255.255.0.0
rpcbind: 10.0.0.0/255.0.0.0
rpcbind: 10.157.31.128/255.255.255.128
rpcbind: 10.157.33.0/255.255.255.0
rpcbind: 10.157.30.64/255.255.255.192
rpcbind: 10.157.34.0/255.255.255.0   

Save the changes made to the file.

Type the following command:

$ sudo nano /etc/hosts.deny 

Add the following lines:

rpcbind: ALL

Save the changes made to the file.

...

Distribution Updates

Many distributions of Linux offer various distributions such as desktop, workstation, or server editions.  Please ensure you understand the differences in each edition and what additional services are installed/running by default in each addition.  Keep in mind unknown services running without proper configuration are vulnerable and lead system compromises.

Also, be sure the edition chosen offers a long-term support life cycle.  For example, Ubuntu publishes the current life cycle for their latest distributions.  If you run Ubuntu, or are considering Ubuntu, refer to the product support life cycle below.

Image Removed

...

0
rpcbind: 10.157.26.0/255.255.255.128
rpcbind: 10.157.27.0/255.255.255.0
rpcbind: 10.157.31.0/255.255.255.128
rpcbind: 10.157.29.0/255.255.255.128
rpcbind: 10.157.29.128/255.255.255.128
rpcbind: 10.157.30.0/255.255.255.192
   

Save the changes made to the file.

Type the following command:

$ sudo nano /etc/hosts.deny 

Add the following lines:

rpcbind: ALL

Save the changes made to the file.


Anchor
distribution
distribution

Distribution Updates

Many distributions of Linux offer various distributions such as desktop, workstation, or server editions.  Please ensure you understand the differences in each edition and what additional services are installed/running by default in each addition.  Keep in mind unknown services running without proper configuration are vulnerable and lead system compromises.

Also, be sure the edition chosen offers a long-term support life cycle.  For example, Ubuntu publishes the current life cycle for their latest distributions.  If you run Ubuntu, or are considering Ubuntu, refer to the product support life cycle below.

Image Added

Source:  https://wiki.ubuntu.com/LTS

Anchor
linuxfirewall
linuxfirewall

Enable Firewall

Ubuntu:  https://help.ubuntu.com/community/UFW

RHEL/CentOS:  https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-using_firewalls

 

Anchor
luks
luks

Encryption:  LUKS

Encryption is mandatory for all desktops and laptops with a Linux non-server operating system.

Refer to documentation at - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-encryption

Note:  It is preferred that encryption is enabled during the installation of the operating system.  Initiating encryption after the system has been deployed will wipe all the user's data.

Anchor
denyhosts
denyhosts

Implement Deny Hosts

...

Example of IP Tables configuration that will only allow UT campus networks to access a system remotely via SSH.  The networks listed below include various wired, wireless, and VPN networks.

Note: To access these systems from off-campus, users will need to utilize the UT VPN client available at https://vpn.utexas.edu

 

Panel
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 128.62.0.0/16 -j ACCEPT
-A INPUT -s 128.83.0.0/16 -j ACCEPT
-A INPUT -s 129.116.0.0/16 -j ACCEPT
-A INPUT -s 146.6.0.0/16 -j ACCEPT
-A INPUT -s 172.29.0.0/16 -j ACCEPT
-A INPUT -s 198.213.192.0/18 -j ACCEPT
-A INPUT -s 206.76.64.0/18 -j ACCEPT
-A INPUT -s 10.144.0.0/12 -j ACCEPT
-A INPUT -s 128.62.0/16 -j ACCEPT
-A INPUT -s 146.6.248.0/21 -j ACCEPT
-A INPUT -S 198.213.192.0/18 -j ACCEPT
-A INPUT -s 206.76.64.0/18 -j ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
COMMIT
Anchor
passwordcomplexity
passwordcomplexity

Password Complexity

On most Linux systems, you can use PAM to enforce password complexity. If you have a file in RHEL/CentOS named /etc/pam.d/system-auth-ac

Example:  Modify pam passwd requirements, length of 12 with special, upper, and lower cases plus a number:

/etc/pam.d/system-auth-ac

#password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=10 ucredit=-1 dcredit=-1 ocredit=-1 lcredit=-1

 

/etc/login.defs
PASS_MAX_DAYS   9999999
PASS_MIN_DAYS   0
PASS_MIN_LEN    12
PASS_WARN_AGE   7

To change some of the defaults at user creation time

/etc/default/useradd   

GROUP=1000   <-setting a default group doesn't seem to work. specify with useradd -g <groupname> <username>

#HOME=/home 
HOME=/group/users
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
#CREATE_MAIL_SPOOL=yes
CREATE_MAIL_SPOOL=no

 

Anchor
systemaccounts
systemaccounts

System Accounts

Files/Directory Permissions/Access

  • Enable system accounting (install package sysstat).
  • Integrity checking of system accounts, group memberships, and their associated privileges should be enabled and tested.
    • Check in /etc/sudoers to see who has sudo rights
    • Check in /etc/groups to see what groups your users belong to
    • Check in /etc/passwd and/or /etc/shadow for blank passwords
  • All administrator or root access must be logged.

System Access, Authentication, and Authorization

  • Enable the terminal security file to restrict root logins to system console onlyDo not allow root logins via SSH.
  • Ensure the following are set in /etc/pam.d/other:
     auth  required pam_deny.so
     auth   required pam_warn.so
     account  required pam_deny.so
     account  required pam_warn.so
     password  required pam_deny.so
     password  required pam_warn.so
     session  required pam_deny.so
     session  required pam_warn.so
     session  required pam_deny.so 
      Warn will report alerts to syslog.

 

 

 

...