DRAFT - NOT DONE YET!!!
Slackware System Hardening
Copyright (c) 2002, 2005 Jeffrey Denton
Written by Jeffrey Denton <
[email protected]>
___ August 2005
version - 0.5
http://www.cochiselinux.org/files/system-hardening
This is a list of some of the steps I take to improve the security of my
Slackware systems. It is by no means complete. You can either do all of
the things listed here, or you can choose only the ones you feel would help
secure your system.
WARNING: Hardening a system is a compromise between security
and usability. Some of the things I do would adversely
affect the usability of you system and may very well
break things. Please have one of the following on hand
just in case you lock yourself out of your system:
Tom's Rootboot -
http://www.toms.net/rb/
The "Live" CD that comes with the officail
version of Slackware.
Make sure you have a bootdisk.
You should make a backup of anything that you feel is
important, would be hard to replace, or that you simply
could not do without. If you are either new to Linux
or don't know what you are doing, you could very easily
get carried away and end up with a system that is
unusable.
The contents of the document is only meant to be used
on Slackware Linux.
You have been warned.
Note: - The settings assume that only one user is on the system, "dentonj".
- Associated man pages are listed for further information.
- I will comment this document if I ever get to it.
-- Resources --
-- Keep Current --
-- Disable Daemons/Close Ports --
/etc/rc.d:
chmod -R go-rwx /etc/rc.d
/etc/inetd.conf:
grep -v "^#" /etc/inetd.conf
Comment the results
man inetd
/usr/etc/orbitrc:
The location of the configuration file can vary. In Slackware,
ORBit looks for /usr/etc/orbitrc. Here is a command that you can
use to verify where ORBit looks for the configuration file on
your system.
for i in `ls /usr/bin/orbit*`; do echo $i; strings $i | grep orbitrc; done
ORBit had a habit of opening up ports in Gnome a long, long time
ago. The following enteries would stop that from happening. The
default has changed so that ORBit doesn't open ports by default.
I don't leave anything to chance:
ORBIIOPUSock=1
ORBIIOPIPv4=0
ORBIIOPIPv6=0
/usr/X11R6/bin/startx:
defaultserverargs="-nolisten tcp"
man Xserver
/etc/X11/xdm/Xservers:
:0 local /usr/X11R6/bin/X -nolisten tcp
man xdm
/etc/X11xdm/xdm-config:
DisplayManager.requestPort: 0
man xdm
/etc/X11/gdm/gdm.conf:
command=/usr/X11R6/bin/X -nolisten tcp
/opt/kde/share/config/kdm/Xservers:
:0 local@tty1 /usr/X11R6/bin/X vt7 -nolisten tcp
man kdm
/etc/rc.d/rc.4:
exec /usr/X11R6/bin/xdm -nodaemon -udpPort 0
man xdm
-- Limit Access --
/etc/lilo.conf:
mandatory
password=""
prompt
timeout=0
menu-title="Unauthorized Access Prohibited"
message=/boot/boot_message.txt
serial=0,9600n8
lilo -v -p
man lilo.conf
man lilo
/etc/login.access:
+:root dentonj:LOCAL
-:ALL:ALL
man login.access
/etc/login.defs:
FAIL_DELAY 20
DIALUPS_CHECK_ENAB no
LOG_UNKFAIL_ENAB yes
LOG_OK_LOGINS yes
SULOG_FILE /var/log/sulog
ISSUE_FILE /etc/issue
#HUSHLOGIN_FILE
LOGIN_TIMEOUT 300
CHFN_RESTRICT rwh
DEFAULT_HOME no
#ENVIRON_FILE
PASS_MIN_LEN 12
PASS_MAX_DAYS 90
touch /var/log/btmp
man login.defs
man dpasswd
/etc/suauth:
ALL:ALL EXCEPT dentonj:DENY
chmod 600 /etc/suath
man suauth
/etc/porttime:
tty1,tty2,tty3,tty4,tty5,tty6:root,dentonj:Al0000-2400
*:*:
chmod 600 /etc/porttime
man porttime
/etc/limits:
dentonj C0F100000L1U150
* L0
chmod 600 /etc/limits
man limits
/etc/shells:
Delete the following:
/bin/ash
/bin/csh
/bin/ksh
/bin/tcsh
/bin/zsh
man shells
/etc/password:
Delete the following:
adm
games
gdm
halt
lp
news
operator
pop
rpc
shutdown
sync
uucp
find / -user adm -ls
userdel adm
man find
man userdel
Add /bin/false as the shell to the following:
bin
daemon
ftp
mail
mysql
news
nobody
smmsp
sshd
Note: Don't run these if you like to make the /etc/passwd
and the /etc/shadow files immutable (chattr +i ...).
It gets ugly....
/usr/bin/passwd -x 90 -w 7 root
/usr/bin/passwd -x 90 -w 7 dentonj
Check the status of all account when you are done:
for i in `cat /etc/passwd | awk -F: '{print $1}'; do passwd -S $i; done
/usr/bin/pwck
man 1 passwd
man 5 passwwd
man 5 shadow
man pwck
/etc/group:
Delete the following:
adm
news
lp
pop
uucp
find / -group adm -ls
groupdel adm
/usr/bin/grpck
The above may crate a long list of files that no longer
belong to any user or group.
find / -nouser -o -nogroup -ls > unowned.txt
Ignore any results in /dev.
chown root.root <the results>
man find
man group
man groupdel
man grpck
man chown
/etc/sudoers:
User_Alias ADMIN = dentonj
Cmnd_Alias LOGS = /usr/bin/tail
ADMIN ALL = LOGS
sudo tail /var/log/messages
man sudo
man sudoers
man visudo
/etc/ftpusers:
Add the following:
bin
sync
halt
operator
mysql
nobody
daemon
lp
shutdown
mail
games
gdm
smmsp
pop
sshd
anonymous
man ftpusers
/etc/host.conf:
nospoof on
spoofalert on
spoof warn
man host.conf
/etc/hosts.allow:
sshd:192.168.1.:ALLOW
ALL:ALL EXCEPT localhost:banners /etc/issue.net:DENY
/usr/bin/tcpdchk
/usr/bin/tcpdmatch sshd localhost
/usr/bin/tcpdmatch sshd 1.1.1.1
man 5 hosts_access
man hosts_options
man tcpd
man tcpdchk
man tcpdmatch
/etc/hosts.deny:
ALL:ALL@ALL EXCEPT localhost, PARANOID:DENY
Optional, add:
ALL:ALL:/bin/mail -s "%s connection attempt from %c"
[email protected]
/usr/bin/tcpdchk
/usr/bin/tcpdmatch sshd localhost
/usr/bin/tcpdmatch sshd 1.1.1.1
man 5 hosts_access
man hosts_options
man tcpd
man tcpdchk
man tcpdmatch
Access Control Lists:
man acl
man setfacl
man getfacl
/etc/inittab:
Comment out the following line:
#ca::ctrlaltdel:/sbin/shutdown -t5 -r now
I actually don't think this is necessary. But I'm including it
because just about every hardening document on Linux recommends it.
It stops someone from being able to reboot the system by doing a
three finger salute. The first thing is you need physical access to
the system. Even if you disabled this feature, it doesn't stop
someone from pulling the power cord to force a reboot. The second
thing is that most Window Managers capture Ctrl-Alt-Del anyways
and either bring up a shutdown menu or shutdown X Windows (in which
case you'd have to hit Ctrl-Alt-Del again to reboot).
The only time I see disabling this as being useful is when you
have a Windows admin learning Linux. You don't want them rebooting
the system everytime they want to lock the system or go to the
Task Manager.
Add the following to keep someone from booting into single user
mode without a password:
co:S:respawn:/sbin/sulogin /dev/console
However, the way that Slackware sets up it's init scripts, a login
prompt is already displayed when ever the system enters single user
mode. They above line is unnecessary and may not even be called if
placed in the wrong place in /etc/inittab (near the end of the file).
man init
man inittab
man initscript
man sulogin
man telinit
/etc/securetty:
This file lists the devices that the root user can login on.
It's common to find hardening docs that recommend commenting out
some of the entries in this file. By default, phyical access is
required for root to login to the devices uncommented in the file.
If you have to worry about someone using those devices to login,
you have other things to worry about.
-- Logging --
/etc/rc.d/rc.syslog:
/usr/sbin/syslogd -m 0 -r
/usr/sbin/klogd -c3 -x -p
man syslogd
man klogd
/etc/syslog.conf:
kern.* /dev/console
*.info;*.!warn; \
authpriv.none;cron.none;mail.none;news.none - /var/log/messages
*.warn; \
authpriv.none;cron.none;mail.none;news.none - /var/log/syslog
*.debug - /var/log/syslog
authpriv.*;auth.* - /var/log/secure
cron.* - /var/log/cron
mail.* - /var/log/maillog
*.emerg *
uucp;news.crit - /var/log/spooler
OR, log everything:
*.* - /var/log/messages
*.* @192.168.1.1
man syslog.conf
/etc/logrotate.conf:
rotate 20
compress
OR:
monthly
#weekly
rotate 12
compress
man logrotate
/etc/logrotate.d/syslog:
/var/log/cron /var/log/debug /var/log/maillog /var/log/messages
/var/log/secure /var/log/spooler /var/log/sulog /var/log/syslog {
create 0640 root root
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid \
2> /dev/null || true`
endscript
}
man logrotate
/etc/rc.d/rc.S:
# Setup the /etc/motd to reflect the current kernel level:
# THIS WIPES ANY CHANGES YOU MAKE TO /ETC/MOTD WITH EACH BOOT.
# COMMENT THIS OUT IF YOU WANT TO MAKE A CUSTOM VERSION.
# echo "$(/bin/uname -sr)." > /etc/motd
man motd
/etc/motd, /etc/issue.net, /boot/boot_message.txt:
****************************************************************
Unauthorized access prohibited; all access and activities not
explicitly authorized by the administrator are unauthorized.
All activities are monitored and logged. There is no privacy
on this system. Unauthorized access and activities or any
criminal activity will be reported to appropriate authorities.
****************************************************************
lilo -v -p
man issue
faillog:
faillog -u dentonj -m 10
man faillog
-- FIlesystem --
/etc/fstab:
/dev/hdb1 swap swap defaults 0 0
/dev/hdb5 / ext3 defaults 1 1
/dev/hdb6 /var ext3 rw,nosuid,nodev 0 2
/dev/hdb7 /tmp ext3 rw,nosuid,nodev,noexec 0 2
/dev/hdb8 /usr ext3 ro 0 2
/dev/hdb9 /home ext3 rw,nosuid,nodev 0 0
/dev/hda1 /mnt/windows vfat rw,nosuid,nodev,noexec,noauto 0 0
/dev/hda2 /mnt/slack ext2 rw,noauto 0 0
/dev/fd0 /mnt/floppy auto rw,nodev,noauto 0 0
mkdir /mnt/windows
mkdir /mnt/slack
mkdir /mnt/floppy
man fstab
man nfs
man mount
I use to add 'noexec' to /home. But 'noexec' is pretty trivial to
bypass. Plus, I like having a $HOME/bin directory for misc. scripts.
Change how often fsck is run during boot:
for i in hdb5 hdb6 hdb7 hdb8 hdb9; do
tune2fs -c 0 /dev/$i
tune2fs -m 3m /dev/$i
done
tune2fs -l /dev/hdb5
man tune2fs
Remove the SUID bit from the following files:
chmod a-s /usr/sbin/...
man chmod
Make some files immutable:
chattr +i /etc/exports
chattr +i /etc/hosts.equiv
chattr +i /etc/hosts.lpd
chattr +i /etc/inetd.conf
chattr +i /etc/lilo.conf
chattr +i /etc/login.access
chattr +i /etc/login.defs
chattr +i /etc/porttime
chattr +i /etc/protocols
chattr +i /etc/securetty
chattr +i /etc/services
chattr +i /etc/suauth
man chattr
lcap:
The following files should be empty if they exist:
/etc/d_passwd
/etc/dialips
/etc/environment
/etc/exports
/etc/hosts.lpd
/etc/hosts.equiv
/etc/shutdown.allow
$HOME/.rhosts
/root/.rhosts
The following files shouldn't normally exist:
/etc/fastboot
/etc/forcefsck
/etc/hushlogins
/etc/initscript
/etc/nologin
Limit access to $HOME directories:
chmod -R go-rwx /home/dentonj
chmod -R go-rwx /root
man chmod
-- Network --
/etc/rc.d/rc.local:
# Set static ARP entries for the default gateway
arp -s 192.168.144.1 00:00:DE:AD:BE:EF
-- rc.local -- (Should this be renamed and/or broken up?)
# DANGEROUS!!! Could destroy your harddrive!!!
# Improve harddrive performance
# This is harddrive specific
/usr/sbin/hdparm -c3 -a16 -W1 -u1 /dev/hdb
# Turn on the Num Lock
/usr/bin/setleds -D +num
# Enforce login time restrictions set in /etc/porttime
if [ -x /usr/sbin/logoutd ]; do
/usr/sbin/logoutd
fi
# Log icmp packets to syslog
/usr/sbin/icmpinfo -vvv -s -l
# Turn on process accounting
/sbin/accton /var/log/pacct
man hdparm
man setleds
man logoutd
man icmpinfo
man acct
man accton
touch /var/log/pacct
man sa
man dump-acct
-- Cron --
/etc/rc.d/rc.M:
/usr/sbin/crond -l8 >> /var/log/cron 2>&1
man crond
Change permissions on the cron directories. This prevents users
from being able to use cron:
chmod -R o-rwx /var/spool/cron/
chmod -R o-rwx /etc/cron.*
less /usr/doc/dcron-2.3.3/README
/var/spool/cron/crontabs/root:
# Sync clocks
0 0 * * * /usr/sbin/ntpdate clock.via.net && hwclock --systohc
# System cleanup
0 3 * * * /usr/bin/find / -type f -name core \
-exec /bin/rm -f {} \; 2> /dev/null
0 3 * * * /usr/bin/find /tmp -atime +7 \
-exec /bin/rm -f {} \; 2> /dev/null
0 3 * * * /usr/bin/find /var/tmp -atime +7 \
-exec /bin/rm -f {} \; 2> /dev/null
0 3 * * * /usr/bin/find /var/spool/lpd -type f \( -name "cf*" -o \
-name "df*" \) -atime +2 -exec /bin/rm -f {} \; 2> /dev/null
# Paranoid stuff
0 3 * * * /bin/chmod -R go-rwx /home/dentonj
0 3 * * * /bin/chmod -R go-rwx /root
0 3 * * * /bin/rm -f /home/*/dead.letter
0 3 * * * /usr/bin/find /home -name .rhosts -o -name .forward -ls \
-exec /usr/bin/cat {} \; | mail -s \
".rhosts or .forward files on $HOSTNAME" root@localhost 2> /dev/null
# Security programs
man crond
man crontab
-- Bash --
/root/.bashrc:
ulimit -u unlimited
/etc/inputrc:
set bell-style none
set editing-mode vi
set mark-directories on
set mark-modified-lines on
set match-hidden-files on
set show-all-if-ambiguous on
set visible-stats on
man bash
man readline
History:
History can be turned off using the following:
HISTSIZE=0
HISTFILESIZE=0
Or:
set +o history
-- Kernel --
Install GRSecurity
Install PAX
/etc/sysctl.conf:
# Improve file system performance
vm.bdflush = 60 64 64 256 500 300 80 0 0
# Increase swap bandwidth system perfomance
vm.kswapd = 512 32 32
# Enables/Disables memory overcommitment
vm.overcommit_memory = 0
# Increase number of pages kernel reads in at once
vm.page-cluster = 5
# Improve number of page tables keeps in a per-processor cache
vm.pagetable_cache = 25 50
# Increase limit of file-handles
fs.file-max = 8192
# Enable/Disable ignoring ping request
net.ipv4.icmp_echo_ignore_all = 1
# Enable/Disable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Enable/Disable IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Enable/Disable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
# Enable/Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# Enable/Disable bad error message protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Enable/Disable IP spoofing protection
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 2
# Enable/Disable Log Spoofed, Source Routed, Redirect Packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# Improve shared memory size
kernel.shmall = 134217728
kernel.shmmax = 134217728
# Improve default and maximum window size
net.core.vmem_max = 2048000
net.core.vmem_default = 2048000
# Enable packet forwarding
#net.ipv4.ip_forward = 1
# Change the default TTL to help obscure OS fingerprinting attempts
# If you are using GRSecurity, this may be unnecessary
net.ipv4.ip_default_ttl = 128
sysctl -A
man sysctl
man sysctl.conf
-- Misc --
-- Program Hardening --
-- Security Programs/Scripts --
-- Mean Tricks --
/etc/rc.d/rc.6:
touch /etc/forcefsck
/etc/hotplug/blacklist:
hid
/etc/inittab:
id:6:initdefault:
iptables -m random
iptables -A FORWARD -s 192.168.1.1 -m random --average 90 -j DROP
iptables -A INPUT -j DROP
Anywhere in /etc/rc.d:
reboot
enable -n enable
-- Useful Commands --
ldd /usr/bin/lppasswd
strings /usr/bin/lppasswd
List some of the popular REM commands used.
man -k cron
grep crond /var/log/packages/*
cd /bin && for i in `ls | grep -v "@$"`; do file $i | \
grep "not stripped"; done
sa
ac
-- /etc/profile --
#Kick and lockout users that are UID 0 but are not root
if [ `id -u` = "0" -a `echo $USER` != "root" ]; then
#Lock the user out
passwd -l $USER
# Save some info
date >> /root/SHIT
netstat -peanut >> /root/SHIT
ps auxww >> /root/SHIT
w >> /root/SHIT
w | mail -s "$USER has gained ROOT access" root@localhost
# Let EVERYONE know
wall << EOF
***********************************************************
$USER has gained ROOT access!!!
***********************************************************
EOF
for i in `ls /dev/pts/`; do
echo -e "\n$USER has gained ROOT access!!\n" >> /dev/pts/$i
done
# Log it
logger -is -f /var/log/messages "$USER has gained ROOT access!!"
# Let the luzer know
echo -e "\a\n\n You are _NOT_ root!!\n\n\a"
# Kill the user and his processes
skill -9 -u $USER
# For the paranoid
ifconfig eth0 down
# This should be redundant
logout
exit
fi
# Set ksh93 visual editing mode:
if [ "$SHELL" = "/bin/ksh" ]; then
# VISUAL=emacs
# VISUAL=gmacs
VISUAL=vi
fi
if [ `id -u` = "0" ]; then
PS1="\[\033[1;31m\][\j][\u@\h:\w]#\[\033[0m\] "
else
PS1="\[\033[1;32m\][\j]\u@\h:\w\$\[\033[0m\] "
#else
# PS1='\u@\h:\w\$ '
fi
# For non-root users, add the current directory to the search path:
#if [ ! "`id -u`" = "0" ]; then
# PATH="$PATH:."
#fi
#
# Stuff I've added
#
# History
# Normally these would be set to 20 for security reasons.
# However, I've been getting lazy and started using HISTORY
# as a log of what I've done.
export HISTSIZE=10000
export HISTFILESIZE=10000
# Display timestamp information with each history entry
export HISTTIMEFORMAT="%F %T "
# Logout if root is not being used
if [ `id -u` = "0" ]; then
export TMOUT=1200
fi
# Extra PATH stuff
export PATH="$PATH:/usr/local/sleuthkit/bin:/usr/local/mysql/bin:/usr/local/tct/bin:/usr/local/tctutils/bin:/usr/local/autopsy"
# Extra MANPATH stuff
export MANPATH="$MANPATH:/usr/local/sleuthkit/man:/usr/local/tct/man:/usr/local/tctutils/man:/usr/local/autopsy/man"
# Aliases
alias matrix="cmatrix -bass"
alias m="cmatrix -bass"
alias td="tcpdump -nvvSi eth0 | grcat conf.tcpdump"
alias tl="tcpdump -nvvSi lo | grcat conf.tcpdump"
# shred doesn't delete recursively
# use "/bin/rm -rf ..." for directories
alias rm="shred -uz"
# Set and editor
export VISUAL=vim
# Disable the Bash builtin command kill, forces the use
# of /bin/kill. This was a nice idea, but it keeps
# jobs from being able to be killed
#enable -n kill
# Misc shell settings
shopt -s cdspell # correct minor misspelled dir names
shopt -s cmdhist # save multiline commands in the same
# history entry
shopt -s dotglob # include hidden files in pathname expansion
shopt -s extglob # extended pattern matching
setterm -bfreq 0 # turn error bell off
# grep options
# the -i grep option causes problems with ./configure, ugly
export GREP_OPTIONS="-n --color"
export GREP_COLOR="1;33"
# Secure less
export LESSSECURE=1
# This works for single user systems
# and if the dumbass uses an interactive shell
#if [ `id -u` != "0" -a `id -u` != "1000" ]; then
# logout
#fi
# Set shell variables as readonly, this should be last
typeset -r HISTFILE
typeset -r HISTFILESIZE
typeset -r HISTSIZE
typeset -r HISTNAME
typeset -r USER
typeset -r LOGNAME