Configure Security Banners/Disclaimers
The security banner is the message displayed when users log in. Banners provide legal protection against unauthorized access attempts and provide a means to prosecute violators.
Here is an example of a generic banner:
Warning! This is a private system. Unauthorized access to or use of this system is strictly prohibited. Unauthorized users are subject to criminal prosecution and penalties.
To configure a banner in Red Hat, edit the file /etc/issue:
vi /etc/issue
For this banner to be displayed when users attempt to ssh to your server, you will need to reference it in the sshd_config file. Find the line:
#Banner /some/banner
Edit this line, removing the # character and changing the path so that it points to the /etc/issue file from above:
Banner /etc/issue
Enter the following command to restart the ssh server for the changes to take effect:
Set GRUB boot loader password
Setting a password on the GRUB boot loader will require you to enter a password before booting the system.
The first step is to create an MD5 hash of your password. Enter the following to run the GRUB MD5 utility:
/sbin/grub-md5-crypt
Enter your password and confirm it. The program will print a hashed string. Carefully copy this string to a notepad.
Next you will need to edit the GRUB config file and add this hashed password:
vi /boot/grub/grub.conf
Insert a new line as follows, placing your MD5 password string after --md5:
password --md5 $5Hhd9D4HEO7$%df8fHdLO9PDjU70
Save the file by pressing ESC and then typing :x!
Reboot and verify that the new password is working.
Password protect single user mode
Edit /etc/inittab as follows.
Insert the following line:
~~:S:wait:/sbin/sulogin
Press ESC and type :x! to save and exit.
Configure Password Policy
The following settings force users to change their password every 90 days and require passwords to be at least 8 characters long.
vi /etc/login.defs
Edit the file as follows:
Press ESC and type :x! to save and exit.
Disable Unnecessary Services
An important security principle is “if you don’t need it, disable it”. Every running service exposes the system to some level of risk. Obviously, some services are much more vulnerable than others, but often you don’t know what the vulnerabilities of a given service are, and some may not yet have been discovered.
To see what services are enabled enter:
To disable a service enter:
/sbin/chkconfig --del service
At a minimum, the following should be disabled:
/sbin/chkconfig --del bluetooth
/sbin/chkconfig --del cups
/sbin/chkconfig --del autofs
/sbin/chkconfig --del isdn
/sbin/chkconfig --del portmap
/sbin/chkconfig --del vncserver
/sbin/chkconfig --del mdmonitor
/sbin/chkconfig --del winbind
It is also a good idea to go through the /etc/xinetd.d directory and delete any unused services there. For example:
Delete Unnecessary Accounts and Groups
There are a number of default accounts and groups that you will probably never need, and having them around is a potential risk. Use the following commands to delete them:
Restrict su to sysadmin group
Another layer of protection is to prevent unprivileged users from executing the su command, denying them the ability to switch to more privileged accounts.
The first step is to create a system administrators group, named sysadmin in the commands below. Only trusted system admins should be made members of this group.
Next, enter the following commands to restrict the su command to this group:
chgrp sysadmin /bin/su
chmod o-rwx /bin/su
Finally, make sure to add existing system admins to the sysadmin group. For each account execute the following:
/usr/sbin/usermod -g sysadmin username
Prevent root login through ssh
All you need to do is edit /etc/ssh/sshd_config.
Change the line:
Configure IP Access Controls with tcp_wrappers
TCP Wrappers is a security framework used to enforce IP address access controls on services such as ssh and ftp. It is installed by default in Red Hat and most Linux/Unix distributions. It can be used in two ways: you can deny specific IP addresses, or you can restrict access to only allowed IP addresses. In the following example we will do the latter.
There are two configuration files that control access: /etc/hosts.allow and /etc/hosts.deny. As the names imply, hosts.allow lists IP addresses that are allowed, and hosts.deny lists IP addresses that are not allowed. hosts.allow is consulted first, so a matching allow entry wins even when hosts.deny denies everything.
In the following example we will first configure the hosts.deny file to deny ALL, and then configure the hosts.allow file to permit ssh only for hosts on the 192.168.1 subnet.
In /etc/hosts.deny, add the line:
ALL: ALL
Press ESC and type :x! to save.
In /etc/hosts.allow, add the line:
sshd: 192.168.1.
Press ESC and type :x! to save. The trailing dot is required: tcp_wrappers treats a pattern ending in a dot as a network prefix, whereas 192.168.1 without it would only match that exact string.
Resource Limits
These settings prevent users from consuming too many resources. They have the following effects: file sizes are limited to 100 MB (102400 KB) and users can have at most 150 concurrent processes.
vi /etc/security/limits.conf
Insert the following lines at the bottom of the file. Each limits.conf entry has four fields (domain, type, item, value); the leading * is the domain and matches ordinary users, while root must be listed by name to be limited:
* hard fsize 102400
* hard nproc 150
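The checklist above edits several files by hand; a quick way to confirm the edits took effect is to re-read those files and check each setting. The script below is an added audit helper, not code from the original page: it checks the sshd banner and root-login settings, the login.defs password policy, the hosts.deny catch-all and the limits.conf entries under a given root prefix, so it can run against a live system (ROOT=/) or against a test tree of constructed files.

```shell
#!/bin/sh
# Added audit helper, not code from the original page. Re-reads the config
# files the checklist edits and reports whether each setting is in place.
# Keys are matched case-sensitively (a simplification; sshd ignores case).

# Print the value of the first uncommented "KEY value" line in FILE.
# A commented line starts with '#', so its first field never equals KEY.
conf_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1" 2>/dev/null
}
# sshd_config: root login refused, and a pre-login banner configured.
check_sshd_root_login() { [ "$(conf_value "$1" PermitRootLogin)" = "no" ]; }
check_sshd_banner() {
    b=$(conf_value "$1" Banner)
    [ -n "$b" ] && [ "$b" != "none" ]
}
# login.defs: expiry no more than 90 days, minimum length at least 8.
check_pass_policy() {
    max=$(conf_value "$1" PASS_MAX_DAYS); min=$(conf_value "$1" PASS_MIN_LEN)
    [ -n "$max" ] && [ -n "$min" ] && [ "$max" -le 90 ] && [ "$min" -ge 8 ]
}
# hosts.deny: the default-deny "ALL: ALL" entry is present.
check_hosts_deny_all() {
    grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL' "$1" 2>/dev/null
}
# limits.conf: hard fsize and hard nproc limits set for the "*" domain.
check_limits() {
    awk '$1 == "*" && $2 == "hard" && $3 == "fsize" { f = 1 }
         $1 == "*" && $2 == "hard" && $3 == "nproc" { n = 1 }
         END { exit !(f && n) }' "$1" 2>/dev/null
}

# audit_root ROOT: run every check, print PASS/FAIL per check, and return
# the number of failing checks (0 means every setting is in place).
audit_root() {
    fails=0
    for item in "PermitRootLogin no|check_sshd_root_login|etc/ssh/sshd_config" \
                "sshd Banner set|check_sshd_banner|etc/ssh/sshd_config" \
                "password policy|check_pass_policy|etc/login.defs" \
                "hosts.deny ALL: ALL|check_hosts_deny_all|etc/hosts.deny" \
                "resource limits|check_limits|etc/security/limits.conf"; do
        name=${item%%|*}; rest=${item#*|}; fn=${rest%%|*}; path=${rest#*|}
        if "$fn" "$1/$path"; then echo "PASS: $name"
        else echo "FAIL: $name ($1/$path)"; fails=$((fails + 1)); fi
    done
    return $fails
}
```

Run it as `audit_root /` on the hardened host; a non-zero exit status is the number of settings still missing.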