Network Infrastructure Security Recommendations



Similar documents
NATIONAL POPULATION REGISTER (NPR)

Encryption Security Recommendations

Guide to the Secure Configuration of Red Hat Enterprise Linux 5

Secured CentOS 4.x i386

OS Installation: CentOS 5.8

Identity Theft Prevention Program (FACTA Identity Theft Red Flags Rule)

Monitoring Clearswift Gateways with SCOM

Guide to the Secure Configuration of Red Hat Enterprise Linux 5

Linux Server Configuration Guidelines

Red Hat Linux Administration II Installation, Configuration, Software and Troubleshooting

LAMP Quickstart for Red Hat Enterprise Linux 4

How to install/configure MySQL Database

The Ten Minute Guide to Setting Up a Linux Web Server

Configuring Secure Linux Hosts

Linux Security Ideas and Tips

Cloud Homework instructions for AWS default instance (Red Hat based)

GroundWork Monitor Open Source Installation Guide

How to install PowerChute Network Shutdown on VMware ESXi 3.5, 4.0 and 4.1

Ruby on Rails Secure Coding Recommendations

Redmine Installation on Debian. v1.1

Newton Linux User Group Graphing SNMP with Cacti and RRDtool

BF2CC Daemon Linux Installation Guide

Cloud Computing Thunder and Lightning on Your Horizon?

Zenoss Core Installation and Upgrade

Red Hat System Administration 1(RH124) is Designed for IT Professionals who are new to Linux.

Moving Drupal to the Cloud: A step-by-step guide and reference document for hosting a Drupal web site on Amazon Web Services

Installing and Running MOVES on Linux

Preparing for the Installation

Red Hat Certifications: Red Hat Certified System Administrator (RHCSA)

COURCE TITLE DURATION LPI-202 Advanced Linux Professional Institute 40 H.

MySQL Backup and Security. Best practices on how to run MySQL on Linux in a secure way Lenz Grimmer <lenz@mysql.com>

Rancid Server Build and Operation Overview (v0.3) (This is being done from memory so expect some errors)

RH033 Red Hat Linux Essentials or equivalent experience with Red Hat Linux..

Introduction to Linux (Authentication Systems, User Accounts, LDAP and NIS) Süha TUNA Res. Assist.

Linux FTP Server Setup

Installation & Configuration Guide for Solaris 8

Linux Operating System Security

INUVIKA OVD INSTALLING INUVIKA OVD ON RHEL 6

Migrating LAMP stack from x86 to Power using the Server Consolidation Tool

OnCommand Performance Manager 1.1

CloudPortal Business Manager 2.2 POC Cookbook

Auditing and Hardening Unix Systems Using CIS benchmarks on SUSE Linux

Installing and Configuring MySQL as StoreGrid Backend Database on Linux

User Manual of the Pre-built Ubuntu 9 Virutal Machine

Table of Contents. Introduction. Audience. At Course Completion. Prerequisites

Linux Security on HP Servers: Security Enhanced Linux. Abstract. Intended Audience. Technical introduction

MySQL Backups: From strategy to Implementation

Lenz Grimmer

Unit objectives IBM Power Systems

Distributed File System

Install Cacti Network Monitoring Tool on CentOS 6.4 / RHEL 6.4 / Scientific Linux 6.4

Setting Up Specify to use a Shared Workstation as a Database Server

FreeIPA - Open Source Identity Management in Linux

Centrify Identity and Access Management for Cloudera

Hardened Hosting. Quintin Russ. OWASP New Zealand Chapter th December 2011

Deployment - post Xserve

How To Install Storegrid Server On Linux On A Microsoft Ubuntu 7.5 (Amd64) Or Ubuntu (Amd86) (Amd77) (Orchestra) (For Ubuntu) (Permanent) (Powerpoint

AlienVault Unified Security Management (USM) 4.x-5.x. Deploying HIDS Agents to Linux Hosts

Cacti The ULTIMATE Management Solution

Using an Open Source Framework to Catch the Bad Guy. Norman Mark St. Laurent Senior Solutions Architect, Red Hat

stub (Private Switch) Solaris 11 Operating Environment In the Solaris 11 Operating Environment, four zones are created namely:

Installation and Control in Linux

Deploying IBM Lotus Domino on Red Hat Enterprise Linux 5. Version 1.0

Linux Boot Camp. Our Lady of the Lake University Computer Information Systems & Security Department Kevin Barton Artair Burnett

What is included in the ATRC server support

Red Hat JBoss Core Services Apache HTTP Server 2.4 Apache HTTP Server Installation Guide

Cloud.com CloudStack Community Edition 2.1 Beta Installation Guide

Recommended File System Ownership and Privileges

Secure Network Filesystem (Secure NFS) By Travis Zigler

Managed File Transfer

RHCSA 7RHCE Red Haf Linux Certification Practice

SAMBA SERVER (PDC) Samba is comprised of a suite of RPMs that come on the RHEL/Fedora CDs. The files are named:

Linux for UNIX Administrators

Secure Shell Demon setup under Windows XP / Windows Server 2003

GroundWork Monitor Community Edition Install Guide VMware Virtual Appliance

Security Enhanced Linux and the Path Forward

VMware vcenter Log Insight Security Guide

SIOS Protection Suite for Linux: MySQL with Data Replication. Evaluation Guide

Using Red Hat Enterprise Linux with Georgia Tech's RHN Satellite Server Installing Red Hat Enterprise Linux

CommandCenter Secure Gateway

Small Systems Solutions is the. Premier Red Hat and Professional. VMware Certified Partner and Reseller. in Saudi Arabia, as well a competent

ENTERPRISE LINUX SECURITY ADMINISTRATION

Administrators guide to the Matrix Control Panel. Linux

Protecting Host from Net

Installing Virtual Coordinator (VC) in Linux Systems that use RPM (Red Hat, Fedora, CentOS) Document # 15807A1-103 Date: Aug 06, 2012

GL-550: Red Hat Linux Security Administration. Course Outline. Course Length: 5 days

How To Run A Linux Agent On Alandesk (For Free) On A Linux Server (For A Non-Free) On Your Ubuntu Computer (For Cheap) On An Ubuntu 2.5 (For Ubuntu) On Linux

White Paper. Fabasoft on Linux - Preparation Guide for Community ENTerprise Operating System. Fabasoft Folio 2015 Update Rollup 2

Chapter 1. Backup service

Best Practices to Secure Linux Server homing Oracle

WEB2CS INSTALLATION GUIDE

JAMF Software Server Installation Guide for Linux. Version 8.6

SAP Netweaver 7.3 on Amazon Cloud

Linux System Administration. System Administration Tasks

Enabling Active Directory Authentication with ESX Server 1

GL254 - RED HAT ENTERPRISE LINUX SYSTEMS ADMINISTRATION III

Linux System Administration on Red Hat

Transcription:

Hardening Red Hat Enterprise Linux Ensure that file systems with user-writeable directories (ie /home, /tmp, /var/tem) are mounted on separate partitions. Ensure updates are applied as soon as they become available. The default version of yum-updatesd does not function reliably. Instead apply updates through a cron job using the following process: Disable the service with: /sbin/chkconfig yum-updatesd off Create the file yum.cron, make it executable, place it in /etc/cron.daily or /etc/cron.weekly, and ensure that it reads as follows: #! /bin/sh /usr/bin/yum R 120 e 0 d 0 y update yum /usr/bin/yum R 10 e 0 d 0 y update Disable Unnecesary Services Review /sbin/chkconfig --list for services configured to start at boot (The default run level is 5). To disable a service, run the following command: /sbin/chkconfig servicename off Unless they are required, disable the following: anacron haldaemon messagebus apmd hidd autofs` hplip* pcscd avahi-daemon* bluetooth isdn kdump cups* kudzu rhnsd* firstboot mcstrans gpm mdmonitor xfs microcode_ctl readahead_early readahead_later setroubleshoot Items marked with a * are network services and it is particularly important to disable these. Additionally, if is not in use the following should be disabled; netfs, nfslock, portmap, rpcgssd, and rpcidmapd. Some software relies on haldaemon and messagebus so care should be taken when disabling them. Changes are applied on reboot. 151 Kalmus Drive Suite L-4 Costa Mesa California 92626 (714) 794-5210 www.altiusit.com 1

Disable SUID and SGID Binaries. The following files can have their SUID or SGID bits safely disabled (by using chmod s filename) unless required for the specific purpose listed: File: Required For: /bin/ping6 IPv6 /sbin/mount.nfs /sbin/mount.nfs4 /sbin/netreport /sbin/umount.nfs /sbin/umount.nfs4 /usr/bin/chage /usr/bin/chfn /usr/bin/chsh /usr/bin/crontab /usr/bin/lockfile /usr/bin/rcp /usr/bin/rlogin /usr/bin/ /usr/bin/wall /usr/bin/write /usr/bin/xorg /usr/kerberos/bin/ksu /usr/libexec/openssh/sshkeysign /usr/lib/vte/gnome-pty-helper /usr/sbin/ccreds_validate network control passwd account info account info cron Procmail console messaging console messaging Xorg Kerberos SSH host-based authentication Gnome, Xorg Pam auth caching 151 Kalmus Drive Suite L-4 Costa Mesa California 92626 (714) 794-5210 www.altiusit.com 2

/usr/sbin/suexec /usr/sbin/userisdnctl /usr/sbin/usernetctl Apache, CGI ISDN network control Configure and Use Iptables and TCP Wrapper The Iptables firewall should be configured to only allow necessary network communication. If running, view the current firewall policy with the following command: /sbin/iptables L By default, the output should correspond to rules stored in the file /etc/sysconfig/iptables. Understand and edit these rules, removing any lines that allow unneccary communications. To activate the updated rules, restart the services. Also configure the TCP Wrapper library to protect network daemons that support its use by adding appropriate rules to /etc/hosts.allow and /etc/hosts.deny. Configure and Use SELinux. The default SELinux policy (targeted) provides protection against compromised or misconfigured system services. Ensure that /etc/selinux/config includes the following lines: SELINUX=enforcing SELINUXTYPE=targeted *Note: stronger policies such as strict and mls can be used if appropriate. However, these require customization to operate successfully for many usage scenarios. Set Kernel Parameters. Add the following lines to /etc/sysctl.conf to prevent certain kinds of attacks: net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.all.accept_source_route=0 net.ipv4.icmp_echo_ignote_broadcasts=1 net.ipv4.icmp_ignore_bogus_error_messages=1 kernel.exec-shield=1 kernel.randomize_va_space=1 Configure SSH. Ensure that /etc/ssh/sshd_config includes the following lines: PermitRootLogin no Protocol 2 Hardening MySQL Installation Ensure Source files are removed from the server. 151 Kalmus Drive Suite L-4 Costa Mesa California 92626 (714) 794-5210 www.altiusit.com 3

Create service account for MySQL groupadd mysql useradd d /dev/null g mysql s /bin/false mysql Ensure proper directory owneip and permissions chown R root /usr/bin/mysql* chown R mysql:root /var/lib/mysql chmod R go-rwx /var/lib/mysql mkdir p /var/log/mysql chown R mysql:root /var/log/mysql Copy the main config file from the default directory cp /usr/share/mysql/my-medium.cnf /etc/my.cnf Remove the default folder rm rf /var/lib/mysql/test rm f /usr/share/mysql/*.cnf Set proper owneip and permissions for my.cnf chown root /etc/my.cnf chmod 644 /etc/my.cnf Edit /etc/my.cnf and add the following lines below [mysqld] section: pid-file = /var/lib/mysql/test log = /var/log/mysql/mysql.log bind-address = 127.0.0.1 Add the following line below [safe_mysqld] err-log = /var/log/mysql/mysql.err Set a password for the MySQL root user: /usr/bin/mysqladmin -u root password 'new-password' /usr/bin/mysqladmin -u root -h hostname password 'new-password' Note: Specify a complex password (at least 14 characters) and document it. Replace hostname with the server FQDN (DNS name). Run the command to login to MySQL: /usr/bin/mysql -uroot -pnew-password. Note: Replace the string new-password with the actual password for the root account. Remove test database and access use mysql; DELETE FROM mysql.user WHERE user = ''; 151 Kalmus Drive Suite L-4 Costa Mesa California 92626 (714) 794-5210 www.altiusit.com 4

DELETE FROM mysql.user WHERE user = 'root' AND host = '%'; DELETE FROM mysql.user WHERE User='root' AND Host!='localhost'; DROP DATABASE test; DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%'; FLUSH PRIVILEGES; quit References Articlesbase: http://www.articlesbase.com/security-articles/mysql-security-best-practices-andhardening-guide-5090978.html MySQL Security: http://dev.mysql.com/doc/refman/5.0/en/security.html National Security Administration: www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf Open Web Application Security Project: https://www.owasp.org/index.php/owasp_backend_security_project_mysql_hardeni ng Publication and Author Information Jim Kelton is Managing Principal of Altius IT (www.altiusit.com), an IT security audit, security consulting, and risk management company based in Costa Mesa, California. Mr. Kelton has over 30 years of experience in the Information Technology industry and is recognized as a security expert. He is certified by the Information Systems Audit and Control Association (ISACA) as: Certified Information Systems Auditor (CISA) Certified in Risk and Information Systems Controls (CRISC) Certified in the Governance of Enterprise IT (CGEIT) He sits on the Board of Directors of the following associations and organizations: Association of Professional Consultants (APC) International Association of Professional Security Consultants (IAPSC) Technology Professionals Association (TPA) 151 Kalmus Drive Suite L-4 Costa Mesa California 92626 (714) 794-5210 www.altiusit.com 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information