November 20, 2006

Hardening your Red Hat or Fedora system




A few pieces of advice about hardening (securing) your Linux or Unix system. In my field of work, I come across a lot of different Unix and Linux systems. The majority of these systems are protected by firewalls, local or on the network. This is of course standard practice today. What I don't always see is that these systems have been hardened in any way. This has a number of reasons. One of the most common for systems running in production is that this particular system is crucial for the business and must not be down for any period of time. I can understand that, but some pit stops are going to be necessary to keep the system stable and secure. Patching a Unix or Linux server is usually an easy and quick procedure. One should of course back up the old working data before patching, and make sure there is a way to roll back, but that is almost all there is to it.

Nowadays almost every Linux distribution has a command-line tool for fast and reliable updates.

Red Hat
# yum

SuSE
# yast2

Debian
# apt-get

Gentoo
# emerge

Besides updating your server or workstation, you should take a look at what services your system is running. The goal should be to close all those unused services and ports that are only a potential way in for an intruder.

On Red Hat and Fedora there is an excellent tool for managing your services, if you don't want to do it manually by moving run control scripts for every runlevel.

# system-config-services

Yup, this is a graphical front end that should show you all installed services on your system, even those not running at the moment. This is a great tool. Every service has a short description, which will make it easier for you to decide whether it should run or not.

Ok, so let's say you have stopped a few services from the system-config-services window.
Oh, do not forget to save your settings!

Some services that are probably not necessary on a workstation:
named (DNS daemon)
httpd (apache webserver daemon)
nfs (network file system)
portmap (DARPA port to RPC program mapper)
ntpd (network time daemon)
nscd (name service caching daemon)
snmpd (simple network management protocol daemon)

What you might want to have running:
iptables (excellent local firewall)
sshd (Secure Shell daemon) will allow remote encrypted connections. (If you don't know what to use it for, turn it off!)
crond (schedules jobs)
apmd (monitors your battery level, for laptops)
irqbalance
syslog (system log messages)

This is just a tiny list of all the possible services you can have installed on your Linux or Unix box, but it is a start.

Now, you can manually check your active network status with the netstat command.

# netstat -an (shows you all listening and non-listening sockets, with addresses and ports in numeric form)
You can pipe netstat -an to more and use the spacebar to scroll down the list of connections.
# netstat -an | more
One easy way to see what ports your system is accepting connections on is to combine netstat with the grep command.
[root@localhost ~]# netstat -an | grep LIST
tcp 0 0 :::22 :::* LISTEN

This shows you that your system is running an SSH server (sshd) and that it is accepting connections on TCP port 22.

# netstat --tcp (shows you all active tcp connections)

[salt@localhost ~]$ netstat --tcp
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.168.33.77:54758 32.107.37.11:http TIME_WAIT
tcp 0 0 192.168.33.77:41690 eh-in-f191.google.com:http ESTABLISHED
tcp 0 0 192.168.33.77:41688 eh-in-f191.google.com:http ESTABLISHED
tcp 0 0 192.168.33.77:45580 199.106.212.28:http TIME_WAIT

Try to run these commands every now and then, so you get a picture of what normal network activity on your system looks like. You will be surprised how much you can learn from just watching the netstat output.
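One way to turn that habit into a repeatable check, as an added example that is not part of the original post: a small POSIX shell script that filters netstat -an output down to listening TCP sockets and reports every port that is not on a list of expected ones. The sample netstat output and the expected-port list (only 22, for sshd) are constructed assumptions; on a real host you would feed it live netstat output instead.

```shell
#!/bin/sh
# Added example: compare the LISTEN sockets in "netstat -an" output against
# the ports you expect to be open, and print anything else for review.

# Assumption: only sshd (tcp/22) should be listening on this box.
EXPECTED_PORTS="22"

# listening_ports: read netstat -an output on stdin and print "proto port"
# for every TCP socket in LISTEN state (matches both tcp and tcp6 lines).
listening_ports() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
        n = split($4, a, ":"); print $1, a[n]
    }'
}

# unexpected_listeners: drop every listener whose port is in EXPECTED_PORTS.
unexpected_listeners() {
    listening_ports | while read -r proto port; do
        case " $EXPECTED_PORTS " in
            *" $port "*) ;;                 # expected, stay quiet
            *) echo "$proto $port" ;;       # not expected, report it
        esac
    done
}

# Constructed sample in the format "netstat -an" prints: portmap (111) and a
# local-only mailer (25) are listening besides sshd, plus one client connection.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 :::22                   :::*                    LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 192.168.33.77:41690     192.0.2.10:80           ESTABLISHED'

# Run against the sample; on a live system use:  netstat -an | unexpected_listeners
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners
```

Anything the script prints is a listener you did not plan for, which is exactly the kind of service the system-config-services pass above is meant to catch.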

The last thing in this brief hardening post is iptables. iptables will give your system some shelter if configured correctly.

To see what the current iptables rules are protecting, run this command:
# iptables -nL
iptables will show you all your active firewall policies.
If you are not familiar with the iptables syntax, don't worry. There are plenty of frontends for setting up the rules.

On Red Hat and Fedora, you simply run:
# system-config-securitylevel (as user root)
See picture on the top left of this post.
Here it is just a matter of clicking to enable or disable services like ftp, httpd, sshd etc. Your new firewall configuration will be automatically enabled after saving.

Ok, these are a few hacks you can do. This does not mean that your server or workstation is secure!! But it will most likely not give anyone a simple and free entrance to break into your system.

Next post will cover some more advanced security enhancements.