Re: locking down redhat linux?

From: by way of Micronet mailing list administrator <galitz_at_berkeley.edu>
Date: Tue Feb 10 2004 - 12:14:57 PST

Most folks have recommended sites or books already. Here
is a quick checklist based on experience more than anything else:

- update your box (make sure you do this first) (#)
- install the latest kernel for your kernel series
- configure TCP wrappers (/etc/hosts.allow /etc/hosts.deny)
- configure IPTables
- disable inetd/xinetd (if possible)
- install the latest ssh/sshd (*)
- configure allowable hosts in your sshd_config
- run "chkconfig --list" and disable everything that you can
- run a network scan against your box and look for anything
   that you missed

(#) installing new services via rpm update can *sometimes*
cause a disabled service to be enabled.

* - As a matter of personal preference (and possibly flame
war fodder) most folks run openssh which comes with Redhat,
though depending on the version you are running (which is
not mentioned) it may be a vulnerable version. Just make sure
you update it or are sure it is a secure version.
   I actually prefer the ssh.com version of ssh, which is free to
.edu establishments... but that is purely a matter of site policy
and sysadmin preference.

I will also x-post this to unix-sysadmin@listlink.berkeley.edu where
you get more experienced UNIX guys commenting...

-geoff

On Feb 9, 2004, at 6:33 PM, Rusty Wright wrote:

> Can anyone recommend a site or document that lists what to do to
> tighten security on a redhat linux system?
http://www.galitz.org
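As an added example (not from geoff's post, and not Red Hat tooling), a few POSIX shell helpers that check a box against items from the checklist above: enabled runlevel services, the re-enabled-after-update footnote, the TCP wrappers default deny, and sshd_config host/user restriction. The chkconfig, hosts.deny and sshd_config text below is constructed sample data; on a real box you would pass in "$(chkconfig --list)" and the real files.

```shell
#!/bin/sh
# Added example, not from the original post: offline audit helpers for the
# checklist above. They take text so they can be tested here; on a real box
# pass them "$(chkconfig --list)" and the contents of the real config files.
# Services switched on in the multi-user runlevels (3, 4 or 5), one per line,
# parsed from SysV-style "chkconfig --list" output.
enabled_services() {
    printf '%s\n' "$1" | awk '/[345]:on/ { print $1 }' | sort
}

# Footnote (#): an rpm update can re-enable a service you turned off, so
# diff a snapshot taken before the update against one taken after.
newly_enabled() {
    before=$(enabled_services "$1")
    for svc in $(enabled_services "$2"); do
        printf '%s\n' "$before" | grep -qx "$svc" || echo "$svc"
    done
}

# TCP wrappers: "yes" if hosts.deny carries a default-deny "ALL: ALL" rule.
wrappers_default_deny() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL' \
        && echo yes || echo no
}

# sshd_config: "restricted" if an active (uncommented) AllowUsers/AllowGroups
# directive exists, otherwise "open".
sshd_restriction() {
    printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*Allow(Users|Groups)[[:space:]]' \
        && echo restricted || echo open
}

# Constructed sample data standing in for real system output.
SAMPLE_CHKCONFIG='sshd      0:off 1:off 2:on  3:on  4:on  5:on  6:off
xinetd    0:off 1:off 2:off 3:on  4:on  5:on  6:off
sendmail  0:off 1:off 2:on  3:on  4:on  5:on  6:off
portmap   0:off 1:off 2:off 3:off 4:off 5:off 6:off
xinetd based services:
        telnet: on'
SAMPLE_AFTER="cups      0:off 1:off 2:on  3:on  4:on  5:on  6:off
$SAMPLE_CHKCONFIG"
SAMPLE_HOSTS_DENY='# deny everything not listed in hosts.allow
ALL: ALL'
SAMPLE_SSHD='Protocol 2
#AllowUsers commented-out-example
AllowUsers admin@192.168.1.*'

echo "enabled: $(enabled_services "$SAMPLE_CHKCONFIG" | tr '\n' ' ')"
echo "re-enabled after update: $(newly_enabled "$SAMPLE_CHKCONFIG" "$SAMPLE_AFTER")"
echo "hosts.deny default deny: $(wrappers_default_deny "$SAMPLE_HOSTS_DENY")"
echo "sshd restriction: $(sshd_restriction "$SAMPLE_SSHD")"
```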

------------------------------------------------------------------------
The following was automatically added to this message by the list server:

For information about Micronet, including subscribing to
or unsubscribing from its mailing list and finding out
about upcoming meetings, please visit the Micronet Web site:
<http://micronet.berkeley.edu/>.
Received on Tue Feb 10 12:16:47 2004
