16 - Linux Server Hardening - CentOS
Version: 1.0
Date: 08 June 2010
Table of Contents
[1] Pre-Hardening ............................................... 3
    Root Privileges ............................................. 3
    Actions ..................................................... 3
    Enabling / Disabling Services ............................... 3
    Reboot Is Required .......................................... 3
    Conventional Terms .......................................... 4
[2] Prerequisites ............................................... 5
    2.1. Backup ................................................. 5
    2.2. Patch .................................................. 5
    2.3. Installation ........................................... 5
[3] Hardening Procedures ........................................ 6
    3.1.
    3.2.
    3.3.
    3.4.
    3.5. Networking
    3.6.
Appendix A ..................................................... 23
Page 2 of 23
Version 1.0
1.1. Pre-Hardening
This document describes major changes to the configuration of the operating system in order to provide a
better security level. See section 2.1 for the backup that must be taken before hardening.
1.3. Actions
The actions listed in this document are provided on the assumption that they will be executed in
the order presented here. Some actions may need to be modified if the order is changed. Some actions are
written so that they can be copied directly from this document into a root shell window ("cut-and-paste").
Conventional Terms
The requirement levels used throughout this document are: Must, Must not, Should, Should not, May.
[2] Prerequisites
2.1. Backup
Before performing the steps of this hardening guide, backup copies of the critical configuration files that may be
modified by the various hardening items MUST be created. (A full backup or mirror SHOULD be performed.)
2.2. Patch
Keeping up-to-date with vendor patches is critical for the security and reliability of the system. Vendors
issue operating system updates when they become aware of security vulnerabilities and other serious
functionality issues, but it is up to their customers to actually download and install these patches.
All security patches SHOULD be applied in a test environment before being applied in the production
environment, since a security patch may break the installed application.
After testing, all security patches SHOULD be implemented in the production environment.
2.3. Installation
The system MUST be installed with the minimum needed components (select the minimal package set during
the CentOS operating system installation).
The operating system SHOULD be installed with the following partition table:
/tmp
/home
/var
/boot
3.3.3. FTP
The FTP protocol is unencrypted, meaning that passwords and other data transmitted during the session can be
captured by sniffing the network, and that the FTP session can be hijacked by an external attacker.
Note: Any directory writable by an anonymous FTP server should probably have its own partition or
have a quota limitation. This helps prevent a compromised FTP server from filling a hard drive used by
other services.
Action
The /etc/ftpusers file MUST exist; if it does not exist, create it.
The following users MUST be listed in the /etc/ftpusers file:
root
daemon
bin
sys
adm
smmsp
gdm
webservd
nobody
noaccess
nobody4
sshd
More users SHOULD be added to the /etc/ftpusers file if they are not permitted to use the FTP
service.
The root user MUST be the only user able to change the /etc/ftpusers file.
Action
SSH latest updated package MUST be installed
Configure sshd_config with the following settings (the right-hand column gives the requirement level of each setting):
Setting                     Value    Level
Port                        22       MAY
Protocol                    2        MUST
ServerKeyBits               1024     SHOULD
LoginGraceTime              600      SHOULD
KeyRegenerationInterval     3600     SHOULD
PermitRootLogin             no       MUST
IgnoreRhosts                yes      MUST
IgnoreUserKnownHosts        yes      MUST
StrictModes                 yes      SHOULD
X11Forwarding               no       MAY
SyslogFacility              AUTH     SHOULD
LogLevel                    INFO     SHOULD
RhostsAuthentication        no       MUST
RhostsRSAAuthentication     no       MUST
RSAAuthentication           yes      SHOULD
PasswordAuthentication      yes      SHOULD
PermitEmptyPasswords        no       MUST
PrintMotd                   yes      SHOULD
AllowTcpForwarding          no       MUST
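The settings table above is only useful if the file sshd actually reads matches it, and sshd has two parsing rules that routinely defeat hardening edits: keywords are case-insensitive, and the first occurrence of a keyword wins, so a hardening line appended to the end of a file that already sets the keyword is silently ignored. The following audit script is an added example, not part of the guide; the table is transcribed from the guide, while the functions, the environment variable SSHD_AUDIT_FILE and the sample configuration are constructed here. Several of the keywords (Protocol, ServerKeyBits, KeyRegenerationInterval, RhostsAuthentication, RhostsRSAAuthentication, RSAAuthentication) date from the protocol-1 era and have since been removed from OpenSSH, so keep the table tied to the OpenSSH version actually deployed.

```shell
#!/bin/sh
# Added example (not part of the hardening guide): audit an sshd_config
# against the guide's settings table. The table is transcribed from the
# guide; the audit logic and the sample config are constructed here.

# Key, required value, requirement level (from the guide's table).
SSHD_REQUIRED='
Port 22 MAY
Protocol 2 MUST
ServerKeyBits 1024 SHOULD
LoginGraceTime 600 SHOULD
KeyRegenerationInterval 3600 SHOULD
PermitRootLogin no MUST
IgnoreRhosts yes MUST
IgnoreUserKnownHosts yes MUST
StrictModes yes SHOULD
X11Forwarding no MAY
SyslogFacility AUTH SHOULD
LogLevel INFO SHOULD
RhostsAuthentication no MUST
RhostsRSAAuthentication no MUST
RSAAuthentication yes SHOULD
PasswordAuthentication yes SHOULD
PermitEmptyPasswords no MUST
PrintMotd yes SHOULD
AllowTcpForwarding no MUST
'

# Effective value of KEY in sshd_config FILE. Mirrors the sshd parsing
# rules that matter for an audit: keywords are case-insensitive, both
# "Key value" and "Key=value" are accepted, comments and blank lines are
# skipped, and the FIRST occurrence wins (a later duplicate is ignored,
# which is how a hardening line appended to the file gets lost).
# Match blocks are not handled; settings inside them are not global.
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            n = split(line, f, /[[:space:]=]+/)
            if (n >= 2 && tolower(f[1]) == key) { print f[2]; exit }
        }' "$1"
}

# Print one line per deviation from the table and return the number of
# deviations as the exit status (0 = compliant). The level is printed
# first so the output can be filtered: audit_sshd FILE | grep '^MUST'
audit_sshd() {
    file=$1
    failures=0
    while read -r key want level; do
        [ -n "$key" ] || continue
        have=$(sshd_setting "$file" "$key")
        if [ "$have" != "$want" ]; then
            printf '%-6s %s: want %s, have %s\n' "$level" "$key" "$want" "${have:-<unset>}"
            failures=$((failures + 1))
        fi
    done <<EOF
$SSHD_REQUIRED
EOF
    return "$failures"
}

# Write a configuration that satisfies the table (constructed sample; also
# a usable starting point for a hardened sshd_config).
write_compliant_sshd_config() {
    while read -r key want level; do
        if [ -n "$key" ]; then
            printf '%s %s\n' "$key" "$want"
        fi
    done <<EOF > "$1"
$SSHD_REQUIRED
EOF
}

# Stand-alone usage:  SSHD_AUDIT_FILE=/etc/ssh/sshd_config sh sshd_audit.sh
if [ -n "${SSHD_AUDIT_FILE:-}" ]; then
    audit_sshd "$SSHD_AUDIT_FILE"
fi
```

After fixing the reported lines, validate the file with `sshd -t` before restarting the service, since a syntax error in sshd_config leaves the daemon unable to restart.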
3.4.2. xinetd.d
On Linux, xinetd has replaced inetd as the default network superserver. Although most distributions have been
using xinetd for some time, there are still many servers that run inetd.
After enabling SSH, it is possible to disable nearly all xinetd-based services, since SSH provides both a
secure login mechanism and a means of transferring files to and from the system. The actions below
disable all standard services normally enabled in the xinetd configuration.
Action
If none of the xinetd-based services are needed, xinetd SHOULD be completely disabled by
stopping the xinetd service.
The file xinetd.conf should have 600 permissions.
Set the immutable bit on the xinetd.conf file.
3.4.6. Crontab
The following configuration settings restrict job scheduling with CRON / AT to users who are
listed in cron.allow and at.allow (white-list approach); add users to these files in order to permit CRON /
AT use.
Action
The /etc/cron.d/cron.allow file MUST exist and be owned by root (600).
The /etc/cron.d/cron.deny file MUST exist and be owned by root (600).
The /etc/cron.d/at.allow file MUST exist and be owned by root (600).
The /etc/cron.d/at.deny file MUST exist and be owned by root (600).
If one of the above files does not exist, 'touch' the relevant file (make sure "root" is
allowed to schedule cron jobs by adding it to the .allow files).
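The ftpusers requirement in section 3.3.3 and the cron/at allow and deny files above call for the same file hygiene: the file must exist, be owned by root with mode 600, and list a given set of user names exactly once each. The script below is an added example and not part of the guide; the user names and file paths are the guide's own, while the function names and the "apply" argument are constructed here. One caveat on the paths: the guide places the files under /etc/cron.d, whereas the cron and at daemons shipped with CentOS consult /etc/cron.allow, /etc/cron.deny, /etc/at.allow and /etc/at.deny, so confirm which path your daemon reads before relying on the lists.

```shell
#!/bin/sh
# Added example (not part of the hardening guide): create and check the
# user access-list files the guide requires. The user names and file paths
# are the guide's own; the functions are constructed here.

# Ensure FILE exists, is owned by root with mode 600, and contains every
# NAME given (one per line, no duplicates). The same hygiene applies to
# deny lists (/etc/ftpusers, cron.deny, at.deny) and allow lists
# (cron.allow, at.allow); which meaning the list has is up to the daemon.
ensure_access_list() {
    file=$1
    shift
    if [ ! -e "$file" ]; then
        : > "$file"
    fi
    chmod 600 "$file"
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$file"
    fi
    for name in "$@"; do
        # -x: whole-line match, so "nobody" does not satisfy "nobody4"
        grep -qx -- "$name" "$file" || printf '%s\n' "$name" >> "$file"
    done
}

# Print the NAMEs that FILE does not list; the exit status is the number
# missing, so 0 means the file is complete.
missing_from_access_list() {
    file=$1
    shift
    missing=0
    for name in "$@"; do
        if ! grep -qx -- "$name" "$file" 2>/dev/null; then
            printf '%s\n' "$name"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Users that MUST be denied FTP (section 3.3.3 of the guide).
FTPUSERS_REQUIRED='root daemon bin sys adm smmsp gdm webservd nobody noaccess nobody4 sshd'

# Apply the guide's requirements to the real files. Run as root; the cron
# and at paths are the ones the guide gives.
apply_access_lists() {
    # word splitting of the space-separated list is intended
    ensure_access_list /etc/ftpusers $FTPUSERS_REQUIRED
    ensure_access_list /etc/cron.d/cron.allow root
    ensure_access_list /etc/cron.d/at.allow root
    ensure_access_list /etc/cron.d/cron.deny
    ensure_access_list /etc/cron.d/at.deny
}

# Only touch the system files when asked explicitly:  sh access_lists.sh apply
if [ "${1:-}" = apply ]; then
    apply_access_lists
fi
```

`missing_from_access_list /etc/ftpusers $FTPUSERS_REQUIRED` is the check to keep in a periodic compliance job; its exit status doubles as the number of names that have gone missing.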
halt
poweroff
reboot
xserver
The user environment variable PATH MUST NOT include the current directory (i.e. ".").
The user environment variable LD_LIBRARY_PATH MUST NOT include the current
directory (i.e. ".").
The /etc/sysctl.conf owner MUST be root.
Only root MUST have write permissions to /etc/sysctl.conf.
The file /etc/sysctl.conf SHOULD be immutable.
The /var/log/wtmp owner MUST be root.
The /var/log/wtmp MUST be readable for root only (600).
World-writable directories should have their sticky bit set.
Use the following command to obtain a list of these directories:
find / \( -fstype nfs -o -fstype cachefs \) -prune -o \
    -type d \( -perm -0002 -a ! -perm -1000 \) -print
When the so-called "sticky bit" is set on a directory, only the owner of a file may
remove that file from the directory (as opposed to the usual behaviour where anybody
with write access to that directory may remove the file).
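The find command above only lists the offending directories; the remediation is `chmod +t` on each of them. The script below is an added example, not part of the guide, wrapping the guide's permission predicate (world-writable and not sticky) in an audit function and a fix function. It uses `-xdev` to stay on the starting filesystem in place of the guide's `-fstype` pruning of NFS mounts, because `-xdev` is POSIX and behaves the same on every find implementation; the function names are constructed here. Note that the sticky bit restricts unlink and rename to the file's owner, the directory's owner and root; it does not stop anyone from reading or writing the file itself.

```shell
#!/bin/sh
# Added example (not part of the hardening guide): audit and fix
# world-writable directories that lack the sticky bit, using the same
# permission predicate as the guide's find command.

# List world-writable directories under ROOT whose sticky bit is not set.
# -xdev keeps the search on the starting filesystem (a portable stand-in
# for the guide's -fstype pruning of network mounts); -perm -0002 requires
# the world-write bit and ! -perm -1000 rejects directories that already
# carry the sticky bit. Permission-denied noise is discarded.
list_unsticky_world_writable() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print 2>/dev/null
}

# Set the sticky bit (chmod +t) on every directory the audit reports, so
# that only a file's owner (plus the directory owner and root) can remove
# or rename it. Directory names containing newlines are not handled.
fix_unsticky_world_writable() {
    list_unsticky_world_writable "$1" | while IFS= read -r dir; do
        chmod +t "$dir"
    done
}

# Stand-alone usage: audit the tree given as first argument, and with "fix"
# as the second argument also remediate it:  sh sticky.sh / fix
if [ -n "${1:-}" ]; then
    list_unsticky_world_writable "$1"
    if [ "${2:-}" = fix ]; then
        fix_unsticky_world_writable "$1"
    fi
fi
```

Run the audit once per filesystem you care about (the `-xdev` stop means `/` alone will not descend into separately mounted /tmp, /var or /home, which the partition layout in section 2.3 makes likely).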
3.5. Networking
3.5.1. General Networking Requirements
The following network settings SHOULD be implemented.
Note: The eth0 lines (shown in bold in the original) should be repeated for every Ethernet adapter on the system.
Action
Disable IP source routing:
Edit the /etc/sysctl.conf and add the following lines:
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
Disable ICMP Redirect:
Edit the /etc/sysctl.conf and add the following lines:
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.default.accept_source_route = 0
Disable the magic SysRq key:
Edit the /etc/sysctl.conf and add the following line:
kernel.sysrq = 0
Disable packet forwarding:
Edit the /etc/sysctl.conf and add the following line:
net.ipv4.ip_forward = 0
Enable TCP SYN cookie protection:
Edit the /etc/sysctl.conf and add the following line:
net.ipv4.tcp_syncookies = 1
Configure the system to ignore broadcast ICMP echo requests:
Edit the /etc/sysctl.conf and add the following line:
net.ipv4.icmp_echo_ignore_broadcasts = 1
Enable bad error message protection:
Edit the /etc/sysctl.conf and add the following line:
net.ipv4.icmp_ignore_bogus_error_responses = 1
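Two things go wrong in practice with a hand-edited /etc/sysctl.conf: a misspelled key satisfies nothing (sysctl -p reports it as unknown and moves on, and the intended protection is simply absent), and when a key appears twice the last assignment wins, so an old permissive line further down the file quietly overrides the hardening line. The script below is an added example, not part of the guide: it checks a sysctl.conf-style file against the interface-independent keys from the list above and, separately, checks the running kernel. The key list is the guide's (the per-interface lo/eth0 entries are left out because adapter names vary per host); the function names and the sample file are constructed here.

```shell
#!/bin/sh
# Added example (not part of the hardening guide): audit a sysctl.conf-style
# file, and the running kernel, against the guide's network settings. The
# key list is the guide's; the functions and sample file are constructed.

# Key and required value, interface-independent entries from the guide.
SYSCTL_REQUIRED='
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.default.accept_source_route 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.default.accept_redirects 0
net.ipv4.conf.all.secure_redirects 0
net.ipv4.conf.default.secure_redirects 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.default.send_redirects 0
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.icmp_echo_ignore_all 1
net.ipv4.icmp_ignore_bogus_error_responses 1
net.ipv4.tcp_syncookies 1
net.ipv4.ip_forward 0
kernel.sysrq 0
'

# Value assigned to KEY in FILE. Comments (# or ;) and blank lines are
# skipped, whitespace around '=' is ignored, and the LAST assignment wins,
# which is what the kernel ends up with after "sysctl -p FILE" applies the
# lines in order. A misspelled key never matches and is therefore unset.
sysctl_file_value() {
    awk -v key="$2" '
        /^[[:space:]]*(#|;|$)/ { next }
        {
            line = $0
            gsub(/[[:space:]]/, "", line)
            n = index(line, "=")
            if (n > 0 && substr(line, 1, n - 1) == key) val = substr(line, n + 1)
        }
        END { if (val != "") print val }' "$1"
}

# Compare FILE with the required settings; print each deviation and return
# the number of deviations as the exit status (0 = compliant).
audit_sysctl_file() {
    failures=0
    while read -r key want; do
        [ -n "$key" ] || continue
        have=$(sysctl_file_value "$1" "$key")
        if [ "$have" != "$want" ]; then
            printf '%s: want %s, have %s\n' "$key" "$want" "${have:-<unset>}"
            failures=$((failures + 1))
        fi
    done <<EOF
$SYSCTL_REQUIRED
EOF
    return "$failures"
}

# Same comparison against the running kernel (sysctl -n prints the live
# value). Needs a real host; the embedded sample does not exercise it.
audit_sysctl_live() {
    failures=0
    while read -r key want; do
        [ -n "$key" ] || continue
        have=$(sysctl -n "$key" 2>/dev/null || true)
        if [ "$have" != "$want" ]; then
            printf '%s: want %s, running %s\n' "$key" "$want" "${have:-<unreadable>}"
            failures=$((failures + 1))
        fi
    done <<EOF
$SYSCTL_REQUIRED
EOF
    return "$failures"
}

# Write the required settings as a "key = value" fragment (constructed
# sample; also the text to append to /etc/sysctl.conf).
write_sysctl_fragment() {
    while read -r key want; do
        if [ -n "$key" ]; then
            printf '%s = %s\n' "$key" "$want"
        fi
    done <<EOF > "$1"
$SYSCTL_REQUIRED
EOF
}

# Stand-alone usage:  sh sysctl_audit.sh /etc/sysctl.conf
if [ -n "${1:-}" ]; then
    audit_sysctl_file "$1"
fi
```

After the file passes, load it with `sysctl -p` and run `audit_sysctl_live` to confirm the kernel holds the same values; a file that audits clean but was never loaded protects nothing until the next boot.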
Appendix A
The following text is a suggestion for /etc/issue and /etc/motd:
This computer system, including all related equipment, networks and network devices (specifically including
Internet access), is provided only for authorized use.
The computer systems may be monitored for all lawful purposes, including to ensure that their use is
authorized, for management of the system, to facilitate protection against unauthorized access and to verify
security procedures, survivability and operational security.
Monitoring includes active attacks by authorized entities to test or verify the security of this system.
During monitoring, information may be examined, recorded, copied and used for authorized purposes.
All information, including personal information, placed on or sent over this system may be monitored. Use of
this computer system, authorized or unauthorized, constitutes consent to the monitoring of this system.