Basic Red Hat Enterprise Server security tip # 1
The following applies to RHES 3 too. SE Linux isn't enabled by default in RHES 3, and on RHES 4 the config commands begin with system-config-* instead of redhat-config-*.
Take down unneeded services
First of all, you should realize that the more services are up and running on your system (which may well be the case by default after installation), the more vulnerable your system is. You really need to take down unused services and protect the ones you will use.
Default Security Level
With or without X you can start system-config-securitylevel. In runlevel 3 (without X started) you get an ncurses-based menu. Here you can disable or enable access to the most common Internet services, and there is even a menu for SE Linux (Security Enhanced Linux).
It's designed to protect applications and files from unauthorized access or modification. SE Linux runs in several different modes; I'll post a know-how about it later. For now just keep the defaults, which on RHES 4 means SE Linux enabled. If you get into trouble while installing MySQL, for example, you might want to disable the MySQL protection for a while: I noticed that while installing the RHEL4 rpm-distributed version of MySQL 4.1.7, the rpm configuration scripts choked and couldn't succeed in installing all the necessary configuration files.
On Fedora and Red Hat it's extremely easy to disable and take down services. As root, run system-config-services (RHEL4) and stop all unnecessary services.
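Before stopping things it helps to know which services actually start at boot. The script below is an added example, not part of the original post: it audits a "chkconfig --list" style listing against a short allow-list and prints every service that is on in the chosen runlevel but not on the list. The function names and the listing itself are this example's own assumptions (the listing is a constructed snapshot in the layout chkconfig prints, so the script runs without root or a RHEL box; on a real host you would pipe chkconfig --list into it instead).

```bash
#!/bin/sh
# Added example (not from the original post): find boot-time services that are
# not on an allow-list. Function names and sample data are assumptions.

# Constructed snapshot in the layout of "chkconfig --list": one line per
# SysV service with 0:..6: runlevel states, then an xinetd section.
SAMPLE_CHKCONFIG='sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
xinetd based services:
        telnet:         on
        rsync:          off'

# Print the names of services that are "on" in runlevel $1.
# The listing is read from stdin. xinetd-managed services live in a
# second section with a single on/off flag rather than per-runlevel states.
enabled_in_runlevel() {
    awk -v rl="$1" '
        /^xinetd based services:/ { xinetd = 1; next }
        !xinetd && $0 ~ (rl ":on") { print $1 }
        xinetd && $2 == "on"       { sub(/:$/, "", $1); print $1 }'
}

# Print enabled services in runlevel $1 that are not in the allow-list
# given as the remaining arguments. Anything printed is a candidate to stop.
unexpected_services() {
    rl=$1; shift
    allowed=" $* "
    enabled_in_runlevel "$rl" | while read -r svc; do
        case "$allowed" in
            *" $svc "*) ;;            # on the allow-list, keep it
            *) echo "$svc" ;;         # not expected: review and disable
        esac
    done
}

# Demonstration on the constructed snapshot: only sshd and iptables are
# wanted in runlevel 3, so sendmail, cups, portmap and telnet are reported.
printf '%s\n' "$SAMPLE_CHKCONFIG" | unexpected_services 3 sshd iptables
```

The xinetd section matters on RHEL 3/4 because services such as telnet are switched on there rather than through their own init script, so an audit that only reads the runlevel columns would miss them.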
[Packet filtering, firewall]
              |
Host   STOP   | <--- evil packet from evilhacker.org
              |

You should be able to activate iptables during the installation phase. If you haven't, you should. Install the rpm for iptables; use rpm -Uvh with --aid so that all dependencies are met. With iptables you can deny or allow traffic to specific ports with simple rules. For example, if I want my sshd (the ssh server daemon) to accept connections only from a specific range of IP addresses, I could write this:

# iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 22 -j ACCEPT
# iptables -A INPUT -s 0.0.0.0/0 -p tcp --dport 22 -j REJECT

The order matters: iptables walks the chain from the top and stops at the first matching rule, so the ACCEPT for the trusted range has to come before the catch-all REJECT. With the two lines reversed, the REJECT matches every packet first and nobody, not even 192.168.0.0/24, can reach sshd.
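Because a misordered pair of rules silently locks everyone out, it is worth generating the allow-list rules from a script and checking the order before loading them. The script below is an added example, not part of the original post: build_allowlist_rules prints the ACCEPT rules for the trusted networks followed by the catch-all REJECT, and check_rule_order reads a rule listing and fails if a catch-all REJECT for the port precedes an ACCEPT for it. The function names and the constructed "bad" listing are this example's own assumptions; the script only prints and checks commands and never calls iptables itself, so it runs without root.

```bash
#!/bin/sh
# Added example (not from the original post): emit an allow-list ruleset for
# one TCP port and verify rule ordering. Function names are assumptions.

# Print the iptables commands that restrict PORT ($1) to the networks given
# as the remaining arguments. ACCEPT rules come first and the catch-all
# REJECT last, because iptables stops at the first rule that matches.
build_allowlist_rules() {
    port=$1
    shift
    for net in "$@"; do
        printf 'iptables -A INPUT -s %s -p tcp --dport %s -j ACCEPT\n' "$net" "$port"
    done
    printf 'iptables -A INPUT -s 0.0.0.0/0 -p tcp --dport %s -j REJECT\n' "$port"
}

# Read rule lines on stdin (same format as above) and return 0 when no
# catch-all REJECT for PORT ($1) appears before an ACCEPT for the same port,
# 1 otherwise. This catches the "REJECT first" mistake that blocks everyone.
check_rule_order() {
    awk -v port="$1" '
        $0 ~ ("--dport " port " ") && /-s 0\.0\.0\.0\/0/ && /-j REJECT/ { reject_seen = 1 }
        $0 ~ ("--dport " port " ") && /-j ACCEPT/ && reject_seen       { bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

# Constructed listings for the demonstration: one generated correctly, one
# written by hand in the wrong order.
GOOD_RULES=$(build_allowlist_rules 22 192.168.0.0/24)
BAD_RULES='iptables -A INPUT -s 0.0.0.0/0 -p tcp --dport 22 -j REJECT
iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 22 -j ACCEPT'

printf '%s\n' "$GOOD_RULES" | check_rule_order 22 && echo "ordering ok"
printf '%s\n' "$BAD_RULES" | check_rule_order 22 || echo "REJECT precedes ACCEPT: the trusted range would be locked out"
```

On a live host, the same check can be run against the rules already loaded by feeding it the output of iptables -S INPUT, whose lines use the same -s/--dport/-j layout, before saving the ruleset.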
To be continued ....