Securing RedHat 8.0 for Deployment outside the firewall
Mike Carroll, CISSP

I Introduction

II Physical Security

III Installation
1. Installation media
2. CMOS
3. File system layout
4. Package Selection

IV Post Install
Removing unnecessary programs

V System Security
1. CMOS
2. Root account
3. Disable console program access
4. Special Accounts
5. Blocking su
6. Control file system mounting
7. Shell logging
8. Disable cntl-alt-del
9. Tighten startup scripts
10. Remove SUID bits from unnecessary programs
11. Prevent system response to ICMP
12. Disable IP source routing
13. Disable IP Forwarding
14. Enable TCP SYN protection
15. Disable ICMP redirects
16. Enable bad error message protection
17. Enable IP spoofing protection
18. Log Spoofed, Source Routed and Redirect Packets
VI Network Configuration

I. Introduction

This document will guide systems administrators in configuring a secure Red Hat 8.0 server for deployment on the internet without protection from a firewall of any kind.

It discusses how to install and optimize the Red Hat 8.0 environment for security and performance, and it is generic enough to serve as a reference for most modern Red Hat distributions.

II. Physical Security

The server should be deployed in a safe, secure environment. Physical access to the system should be limited only to those responsible for, or trusted with, the security of the organization in which it is deployed.

Most server class machines have a mechanism to lock the computer case; it is recommended that they be utilized as instructed by the manufacturer.

This precaution should prevent someone with physical access from changing the boot order in the CMOS, and thereby breaching security.

III. Installation

1. Installation Media
Before installation can begin, you should have acquired the installation CDs directly from Red Hat, or downloaded them from a trusted internet site.

You should also be familiar with the type of hardware installed in your machine. Do you have IDE or SCSI drives? How much memory do you have? How big is your hard drive?

After you have obtained your installation media and you are comfortable with the chosen hardware, you can get started.

When the computer boots, enter the CMOS menu and make sure it is configured to boot from the CDROM first. This allows for the simplest installation.

Place the first CD of the set in the CDROM drive and exit the CMOS menu.

Your computer should boot from Red Hat 8.0 disk one, which brings up the initial installation screen; press Enter to start the automatic installation process.

You should see the message: CD Found. To begin testing CD Media before installation press OK.

This step is optional: if you are unsure of your media, it is advised to test it; otherwise just tab over to <Skip>.

The system will start up the X server and you should see a Welcome to Red Hat Linux screen, just click next. Then select the appropriate language, and keyboard configuration. Next select the appropriate mouse configuration.

Installation Type

Select “Server” and click next.

Disk Partitioning Setup

Select “Manually partition with Disk Druid”. Click next.

Disk Partitioning

It’s a good rule of thumb to partition your disk with a minimal root partition.

A traditional rule has been to configure a swap partition twice the size of the installed RAM. I believe this to be outdated thinking: RAM is so much cheaper now, and too large a swap size can be detrimental to system performance. I usually don't configure much more than 1GB for swap.

Boot Loader Configuration

Use the default boot loader program, Grub. It is advised to use a boot loader password. Make it secure and remember it.

Network Configuration

Edit each of your network interfaces with the network information appropriate to your environment. I usually designate eth0 as the “outside interface” and eth1 as the “inside interface”. The outside interface is the one facing the un-trusted network segment or the internet; the inside interface is connected directly to your internal network.

Firewall Configuration

Select Firewall

If you know what ports you are going to be using (and you should) go ahead and configure the firewall now.

Additional language support

Add any additional languages necessary.

Time Zone Selection

Select the appropriate Time zone.

Account Configuration
Create a secure root password and enter it on the screen. Also create your own user ID now; do not log in as root.

Package Group Selection
Make sure that no packages are selected and click next to start installation.

IV Post Installation

Remove unnecessary programs.
Remove each program using the command “rpm -e <RPM-name>”

anacron-2.3-23
apmd-3.0.2-12
aspell-0.33.7.1-16
autofs-3.1.7-33
automake14-1.4p6-3
automake15-1.5-4
bc-1.06-10
bison-1.35-4
byacc-1.9-22
cdecl-2.5-25
cpio-2.4.2-28
curl-7.9.8-1
curl-devel-7.9.8-1
cvs-1.11.2-5
cyrus-sasl-devel-2.1.7-2
cyrus-sasl-plain-2.1.7-2
db4-devel-4.0.14-14
db4-utils-4.0.14-14
dev86-0.16.3-4
dhclient-3.0pl1-9
dialog-0.9b-20020519.1
diffstat-1.28-4
dos2unix-3.1-12
dosfstools-2.8-3
doxygen-1.2.14-8
dump-0.4b28-4
eject-2.0.12-7
ethtool-1.6-2
expat-devel-1.95.4-1
fbset-2.1-11
finger-0.17-14
flex-2.5.4a-26
gdb-5.2.1-4
gdbm-devel-1.8.0-18
gettext-0.11.4-3
gnome-libs-1.4.1.2.90-22
gnupg-1.0.7-6
gpm-1.19.3-23
gpm-devel-1.19.3-23
hdparm-5.2-1
htmlview-2.0.0-6
imlib-1.9.13-9
indent-2.2.8-3
iptables-1.2.6a-2
irda-utils-0.9.14-6
jfsutils-1.0.17-3
kernel-pcmcia-cs-3.1.31-9
ksymoops-2.4.5-1
kudzu-0.99.69-1
kudzu-devel-0.99.69-1
lftp-2.5.2-5
lha-1.14i-7
libbonoboui-2.0.1-2
libcap-1.10-12
libcap-devel-1.10-12
libgnome-2.0.2-5
libgnomecanvas-2.0.2-1
libgnomeui-2.0.3-3
libxml-1.8.17-5
libxml2-devel-2.4.23-1
libxml-devel-1.8.17-5
lilo-21.4.4-20
lokkit-0.50-18
lrzsz-0.12.20-14
ltrace-0.3.10-12
mailcap-2.1.12-1
MAKEDEV-3.3.1-2
memprof-0.5.0-2
minicom-2.00.0-6
mkbootdisk-1.4.8-1
mouseconfig-4.26-1
mtools-3.9.8-5
mt-st-0.7-6
net-snmp-5.0.1-6
net-snmp-utils-5.0.1-6
nfs-utils-1.0.1-2
ORBit-0.5.13-5
parted-1.4.24-6
pax-3.0-4
pciutils-2.1.10-2
pciutils-devel-2.1.10-2
pinfo-0.6.4-7
procmail-3.22-7
pspell-0.12.2-14
python-2.2.1-17
python-devel-2.2.1-17
python-optik-1.3-2
quota-3.06-5
raidtools-1.00.2-3.3
rcs-5.7-18
rdist-6.1.5-24
readline-devel-4.3-3
redhat-logos-1.1.6-2
reiserfs-utils-3.6.2-2
rhnlib-1.0-1
rhpl-0.51-1
rmt-0.4b28-4
rpm-python-4.1-1.06
rp-pppoe-3.4-7
rsh-0.17-10
rsync-2.5.5-1
sendmail-8.12.5-7
splint-3.0.1.6-3
star-1.5a04-1
statserial-1.1-30
strace-4.4-8
swig-1.1p5-20
talk-0.17-17
tcpdump-3.6.3-3
telnet-0.17-23
unix2dos-2.2-17
up2date-3.0.7-1
wget-1.8.2-3
whois-1.0.10-4
wireless-tools-25-1

Don't delete any programs you are going to need for your application.
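As an added example (not part of the original article), the following script stages this removal step so that the caveat above is enforced: it strips the version-release suffix from entries in the form listed above, drops anything on a keep-list, and uses rpm -q and rpm -e --test to report what is installed and what would break, before any rpm -e runs. REMOVE_LIST is a sample of the article's list; KEEP_LIST and the DO_REMOVE switch are constructed for this example, and an RPM-based host is assumed.

```sh
#!/bin/sh
# Added example, not from the original article: stage the "remove unnecessary
# programs" step so nothing on a keep-list is erased and dependency breakage is
# surfaced with "rpm -e --test" before any package is actually removed.
# Assumes an RPM-based host. REMOVE_LIST is a sample of the article's list;
# KEEP_LIST and the DO_REMOVE switch are constructed for this example.

# Sample of the article's removal list, in name-version-release form.
REMOVE_LIST='anacron-2.3-23
cpio-2.4.2-28
kernel-pcmcia-cs-3.1.31-9
dialog-0.9b-20020519.1
iptables-1.2.6a-2
sendmail-8.12.5-7'

# Packages this particular server still needs (constructed example; iptables
# stays because the firewall configured during installation depends on it).
KEEP_LIST='iptables
cpio'

# pkg_name: strip the trailing "-version-release" from an RPM name-version-release
# string, leaving the package name (kernel-pcmcia-cs-3.1.31-9 -> kernel-pcmcia-cs).
pkg_name() {
    printf '%s\n' "$1" | sed 's/-[^-]*-[^-]*$//'
}

# in_list: true if $1 appears as a whole line in the newline-separated list $2.
in_list() {
    printf '%s\n' "$2" | grep -qx -- "$1"
}

# removal_candidates: print the package names from list $1 that are not on
# keep-list $2, one per line, in the original order.
removal_candidates() {
    printf '%s\n' "$1" | while IFS= read -r nvr; do
        [ -n "$nvr" ] || continue
        name=$(pkg_name "$nvr")
        in_list "$name" "$2" || printf '%s\n' "$name"
    done
}

# stage_removal: for each candidate, report whether it is installed and whether
# "rpm -e --test" succeeds (it fails when other packages depend on it); erase
# only when DO_REMOVE=1 and the test passed.
stage_removal() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found on this host" >&2; return 1; }
    removal_candidates "$REMOVE_LIST" "$KEEP_LIST" | while IFS= read -r name; do
        if ! rpm -q "$name" >/dev/null 2>&1; then
            echo "skip   $name (not installed)"
        elif ! rpm -e --test "$name" >/dev/null 2>&1; then
            echo "BLOCK  $name (rpm -e --test failed: dependencies or permissions; review first)"
        elif [ "${DO_REMOVE:-0}" = 1 ]; then
            rpm -e "$name" && echo "erased $name"
        else
            echo "ready  $name (rerun with DO_REMOVE=1 to erase)"
        fi
    done
}

# Stand-alone use: "sh stage_removal.sh run" only reports;
# "DO_REMOVE=1 sh stage_removal.sh run" erases the packages that passed the test.
if [ "${1:-}" = run ]; then
    stage_removal
fi
```

The keep-list is matched on the bare package name, so a later rebuild of the same package (different version-release) is still protected; the --test pass is what turns "remove each program" into a step that cannot silently take a needed dependency with it.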

V System Security
1. CMOS Security.

Use a CMOS password that cannot be easily guessed, and keep it in a safe place. Make sure that booting from a CDROM or floppy drive is not allowed.

2. Root Account

The root account is the most privileged account on the system. Each command is executed immediately, even if it instructs the system to destroy critical system files. Be careful: use root only when absolutely necessary, and understand what you type before you type it.
Sudo: It is recommended that you use the “sudo” command to assign root privileges to administrators, granting privileges granularly to meet the specific needs of each administrator.

3. Disable console program access

In an environment where the console is known to be secure (passwords for the BIOS and GRUB are set, and all physical power and reset switches on the system are disabled), it may be advantageous to entirely disable console-equivalent access to programs like shutdown, reboot, and halt for regular users on your server. To do this, run the following command:

/# rm -f /etc/security/console.apps/<servicename>

It is suggested that authconfig, halt, poweroff, reboot and setup be removed from the directory above.

4. Special Accounts

It is important to disable all vendor default user accounts and groups that you do not use on the system.
To remove unneeded user names:
/# userdel username
To remove unneeded group names:
/# groupdel groupname

The following users should be removed:
lp, sync, shutdown, halt, news, uucp, operator, games, gopher, ftp

The following groups should be removed:
adm, lp, news, uucp, games, dip

The immutable bit can be used to prevent accidentally deleting or overwriting a file that must be protected. It also prevents someone from creating a symbolic link to this file, which has been the source of attacks involving the deletion of /etc/passwd, /etc/shadow, /etc/group or /etc/gshadow. To set the immutable bit on the passwords and groups files, use the command:
/# chattr +i <filename>
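The account and group names above come from the article; the following script is an added example (not the article's own) that checks, before userdel or groupdel is run, whether each account still exists and how many files it owns, since those files become orphaned (owned by a bare numeric UID) once the account is gone. It also verifies the immutable bit on the four files protected with chattr +i by reading lsattr output. The report-only design is an assumption: the userdel, groupdel and chattr commands remain the administrator's manual step.

```sh
#!/bin/sh
# Added example, not from the original article: report on the vendor accounts
# the article removes, and on the immutable bit of the password/group files.
# Only reports; userdel, groupdel and chattr +i stay manual steps.

# Users and groups the article says to remove.
USERS_TO_DROP="lp sync shutdown halt news uucp operator games gopher ftp"
GROUPS_TO_DROP="adm lp news uucp games dip"

# account_exists: true if user $1 is in the passwd database (via getent, so
# NSS sources other than /etc/passwd are honoured).
account_exists() { getent passwd "$1" >/dev/null 2>&1; }

# group_exists: true if group $1 is in the group database.
group_exists() { getent group "$1" >/dev/null 2>&1; }

# owned_files: count files and directories under $1 owned by user $2, staying
# on one file system. Anything counted here is orphaned by userdel.
owned_files() { find "$1" -xdev -user "$2" 2>/dev/null | wc -l | tr -d ' '; }

# lsattr_immutable: true if an "lsattr -d" output line ($1) shows the 'i' flag
# in its attribute field, e.g. "----i--------e-- /etc/passwd".
lsattr_immutable() {
    case "${1%% *}" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# report_accounts: for each user, whether it exists and how many files under
# $1 it owns; for each group, whether it exists.
report_accounts() {
    root=${1:-/}
    for u in $USERS_TO_DROP; do
        if account_exists "$u"; then
            echo "user  $u: exists, owns $(owned_files "$root" "$u") file(s) under $root"
        else
            echo "user  $u: already absent"
        fi
    done
    for g in $GROUPS_TO_DROP; do
        if group_exists "$g"; then echo "group $g: exists"; else echo "group $g: already absent"; fi
    done
}

# report_immutable: check the four files the article protects with chattr +i.
report_immutable() {
    for f in /etc/passwd /etc/shadow /etc/group /etc/gshadow; do
        if line=$(lsattr -d "$f" 2>/dev/null); then
            if lsattr_immutable "$line"; then echo "$f: immutable"; else echo "$f: NOT immutable"; fi
        else
            echo "$f: lsattr unavailable or file unreadable"
        fi
    done
}

# Stand-alone use: "sh account_report.sh /" (run as root so find can read everything).
if [ "$#" -gt 0 ]; then
    report_accounts "$1"
    report_immutable
fi
```

A non-zero owned-file count is the signal to chown or remove those files before the account goes; a "NOT immutable" line after the chattr step usually means the file system does not support extended attributes or the command was run on a different file.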

5. Blocking su

It is advised that you restrict the users who can switch to the root account to those that are members of the wheel group.
Edit the su file /etc/pam.d/su and add the following two lines to the top of the file:

auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=wheel

Now it will be necessary to add users that are allowed to switch to the root account to the wheel group.

6. Control file system mounts

Tighten the mount options on your /tmp and /home file systems. Change the /etc/fstab entries from:
/dev/sda11 /tmp ext2 defaults 1 2
/dev/sda6 /home ext2 defaults 1 2
To read:
/dev/sda11 /tmp ext2 defaults,rw,nosuid,nodev,noexec 1 2
/dev/sda6 /home ext2 defaults,rw,nosuid,nodev 1 2
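The following added script (not part of the original article) audits an fstab for exactly the policy above: nosuid, nodev and noexec on /tmp, and nosuid and nodev on /home. It parses the fstab format shown, ignores comments, and reports which options are missing per mount point. SAMPLE_FSTAB is a constructed example in which /tmp still has the default options.

```sh
#!/bin/sh
# Added example, not from the original article: check /etc/fstab for the
# mount options the article recommends on /tmp and /home, and report any
# that are missing. SAMPLE_FSTAB is constructed for the example.

SAMPLE_FSTAB='LABEL=/      /      ext3 defaults                     1 1
# /dev/sda11 was re-labelled during the last rebuild (constructed comment)
/dev/sda11   /tmp   ext2 defaults                     1 2
/dev/sda6    /home  ext2 defaults,rw,nosuid,nodev     1 2
none         /proc  proc defaults                     0 0'

# mount_opts: print the options field (4th column) of the fstab line whose
# mount point (2nd column) is $2, reading fstab text from $1. Comment and
# blank lines are skipped; nothing is printed if the mount point is absent.
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        $2 == mp { print $4; exit }'
}

# missing_opts: print, one per line, each option named in $3.. that is not in
# the option list of mount point $2 in fstab text $1.
missing_opts() {
    fstab=$1; mp=$2; shift 2
    opts=$(mount_opts "$fstab" "$mp")
    for want in "$@"; do
        printf '%s\n' "$opts" | tr ',' '\n' | grep -qx -- "$want" || printf '%s\n' "$want"
    done
}

# audit_fstab: apply the article's policy to fstab text $1 and print one line
# per mount point; returns 1 if anything is missing so it can gate a deployment check.
audit_fstab() {
    rc=0
    for spec in "/tmp:nosuid,nodev,noexec" "/home:nosuid,nodev"; do
        mp=${spec%%:*}
        wanted=$(printf '%s' "${spec#*:}" | tr ',' ' ')
        # $wanted is deliberately unquoted so each option becomes an argument.
        missing=$(missing_opts "$1" "$mp" $wanted | tr '\n' ',')
        if [ -n "$missing" ]; then
            echo "$mp: missing ${missing%,}"
            rc=1
        else
            echo "$mp: ok"
        fi
    done
    return $rc
}

# Stand-alone use: "sh fstab_audit.sh /etc/fstab"; with no argument the
# constructed sample is audited instead.
if [ "$#" -gt 0 ]; then
    audit_fstab "$(cat "$1")"
else
    audit_fstab "$SAMPLE_FSTAB"
fi
```

Note that noexec on /tmp is a real change for software that unpacks and runs installers there; the audit only tells you the option is absent, and whether to add it is the judgement the article asks for.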

7. Shell logging

Do not leave your old commands lying around; they can give away useful system information, or perhaps a mistyped password.

The HISTFILESIZE and HISTSIZE lines in /etc/profile determine how many old commands the .bash_history file can hold for every user on your system. For all accounts I highly recommend setting HISTFILESIZE and HISTSIZE in /etc/profile to a low value such as 20. Edit the profile file (vi /etc/profile) and change the lines to:

HISTFILESIZE=20
HISTSIZE=20

The administrator should also add the line rm -f $HOME/.bash_history to /etc/skel/.bash_logout, so that each time a user logs out the .bash_history file is deleted, and crackers will not be able to use the .bash_history files of users who are not presently logged into the system. Edit the .bash_logout file (vi /etc/skel/.bash_logout) and add the following line:

rm -f $HOME/.bash_history

8. Disable Ctrl-Alt-Delete

If you don’t have the best physical security, it may be beneficial to disable the ctrl-alt-del keyboard command. To do so, comment out the following line in /etc/inittab:

ca::ctrlaltdel:/sbin/shutdown -t3 -r now
To read:

# ca::ctrlaltdel:/sbin/shutdown -t3 -r now

9. Tighten control of your startup scripts

/# chmod -R 700 /etc/rc.d/init.d/*

Don’t give away any information about your system:
/# cp /dev/null /etc/issue
/# cp /dev/null /etc/issue.net

10. Remove SUID bits

A regular user is able to run a program as root if it is set SUID root. Any program or file whose mode shows an s bit has the SUID (-rwsr-xr-x) or SGID (-r-xr-sr-x) bit enabled. Because these programs grant special privileges to the user executing them, it is important to remove the s bits from root-owned programs that do not absolutely require such privilege. This is done by executing chmod a-s with the name(s) of the SUID/SGID files as its arguments. Such programs include, but aren't limited to:

* Programs you never use.
* Programs that you don't want any non-root users to run.
* Programs you use occasionally, and don't mind having to su to root to run.

Remember that your system needs some suid root programs to work properly, so be careful. Make your choices based on your requirements. To find all files with the s bits from root-owned programs, use the command:

find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;

The example system has the following SUID programs installed:

-rwsr-xr-x 1 root 37688 Aug 29 2002 /usr/bin/chage
-rwsr-xr-x 1 root 35000 Aug 29 2002 /usr/bin/gpasswd
-r-xr-sr-x 1 tty 10224 Jul 18 2002 /usr/bin/wall
-rws--x--x 1 root 16835 Aug 30 2002 /usr/bin/chfn
-rws--x--x 1 root 15664 Aug 30 2002 /usr/bin/chsh
-rws--x--x 1 root 6999 Aug 30 2002 /usr/bin/newgrp
-rwxr-sr-x 1 tty 18605 Aug 30 2002 /usr/bin/write
-rwsr-xr-x 1 root 37140 Jul 24 2002 /usr/bin/at
-r-s--x--x 1 root 15368 May 28 2002 /usr/bin/passwd
-rwxr-sr-x 1 slocate 31661 Jun 23 2002 /usr/bin/slocate
---s--x--x 1 root 84984 Jun 27 2002 /usr/bin/sudo
-rwsr-xr-x 1 root 34662 Jul 19 2002 /usr/bin/crontab
-rwsr-xr-x 1 root 5100 Sep 5 2002 /usr/libexec/pt_chown
-rws--x--x 1 root 162476 Aug 13 2002 /usr/libexec/openssh/ssh-keysign
-rwsr-xr-x 1 root 33071 Jun 23 2002 /usr/sbin/ping6
-rwsr-xr-x 1 root 13718 Jun 23 2002 /usr/sbin/traceroute6
-rwxr-sr-x 1 utmp 15570 Jun 23 2002 /usr/sbin/utempter
-rwsr-xr-x 1 root 15502 Sep 4 2002 /usr/sbin/usernetctl
-rws--x--x 1 root 29676 Sep 4 2002 /usr/sbin/userhelper
-rwsr-xr-x 1 root 10205 Jul 1 2002 /usr/sbin/userisdnctl
-rwxr-sr-x 1 lock 12325 Jun 23 2002 /usr/sbin/lockdev
-rwsr-xr-x 1 root 32076 Jun 23 2002 /usr/sbin/traceroute
-rwsr-xr-x 1 root 35302 Jun 23 2002 /bin/ping
-rwsr-xr-x 1 root 81996 Aug 30 2002 /bin/mount
-rwsr-xr-x 1 root 40700 Aug 30 2002 /bin/umount
-rwsr-xr-x 1 root 19132 Aug 29 2002 /bin/su
-r-s--x--x 1 root 7132 Aug 2 2002 /sbin/pam_timestamp_check
-r-sr-xr-x 1 root 119592 Aug 2 2002 /sbin/pwdb_chkpwd
-r-sr-xr-x 1 root 17180 Aug 2 2002 /sbin/unix_chkpwd
-rwxr-sr-x 1 root 12578 Sep 4 2002 /sbin/netreport

You remove the SUID bit with the following command:
/# chmod a-s /full/path/program_name

It is suggested that the SUID bits be removed from the following programs:

-rwsr-xr-x 1 root 37688 Aug 29 2002 /usr/bin/chage
-r-xr-sr-x 1 tty 10224 Jul 18 2002 /usr/bin/wall
-rws--x--x 1 root 6999 Aug 30 2002 /usr/bin/newgrp
-rwxr-sr-x 1 tty 18605 Aug 30 2002 /usr/bin/write
-rwsr-xr-x 1 root 37140 Jul 24 2002 /usr/bin/at
-rwxr-sr-x 1 slocate 31661 Jun 23 2002 /usr/bin/slocate
-rwsr-xr-x 1 root 34662 Jul 19 2002 /usr/bin/crontab
-rwsr-xr-x 1 root 33071 Jun 23 2002 /usr/sbin/ping6
-rwsr-xr-x 1 root 13718 Jun 23 2002 /usr/sbin/traceroute6
-rwsr-xr-x 1 root 15502 Sep 4 2002 /usr/sbin/usernetctl
-rws--x--x 1 root 29676 Sep 4 2002 /usr/sbin/userhelper
-rwsr-xr-x 1 root 10205 Jul 1 2002 /usr/sbin/userisdnctl
-rwsr-xr-x 1 root 32076 Jun 23 2002 /usr/sbin/traceroute
-rwsr-xr-x 1 root 35302 Jun 23 2002 /bin/ping
-rwsr-xr-x 1 root 81996 Aug 30 2002 /bin/mount
-rwsr-xr-x 1 root 40700 Aug 30 2002 /bin/umount
-r-s--x--x 1 root 7132 Aug 2 2002 /sbin/pam_timestamp_check
-r-sr-xr-x 1 root 119592 Aug 2 2002 /sbin/pwdb_chkpwd
-r-sr-xr-x 1 root 17180 Aug 2 2002 /sbin/unix_chkpwd
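The find command and the chmod a-s step above are one-off actions; the following added script (not part of the original article) turns them into something repeatable: it enumerates SUID/SGID files, saves that inventory as a baseline at deployment time, reports any set-id file that later appears outside the baseline, and strips the bits from an explicit list such as the one above. The baseline file name setid.baseline and the subcommand names are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original article: inventory SUID/SGID files,
# compare against a saved baseline, and clear the bits on a given list.
# The baseline file name and subcommands are assumptions of this example.

# find_setid: print every regular file under $1 with the SUID or SGID bit set,
# one path per line, sorted, without crossing into other file systems.
find_setid() {
    find "$1" -xdev -type f \( -perm -04000 -o -perm -02000 \) -print 2>/dev/null | sort
}

# save_baseline: record the current set-id inventory of $1 into file $2.
save_baseline() {
    find_setid "$1" > "$2"
}

# new_setid: print set-id files under $1 that are not in baseline file $2.
# A set-id binary that was not there at deployment is either a package update
# or something to investigate; either way it should be explained.
new_setid() {
    find_setid "$1" | comm -23 - "$2"
}

# strip_setid: run "chmod a-s" on each path read from stdin, reporting each;
# paths that do not exist are reported and skipped rather than aborting.
strip_setid() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if [ -e "$path" ]; then
            chmod a-s "$path" && echo "cleared set-id bits on $path"
        else
            echo "missing: $path" >&2
        fi
    done
}

# has_setid: true if $1 carries the SUID or SGID bit (for verification).
has_setid() {
    [ -u "$1" ] || [ -g "$1" ]
}

# Stand-alone use:
#   sh setid_audit.sh baseline /            -> write ./setid.baseline
#   sh setid_audit.sh check /               -> list set-id files not in the baseline
#   sh setid_audit.sh strip < remove.txt    -> clear the bits on the listed paths
case "${1:-}" in
    baseline) save_baseline "${2:-/}" setid.baseline ;;
    check)    new_setid "${2:-/}" setid.baseline ;;
    strip)    strip_setid ;;
esac
```

Take the baseline after the strip step, not before, so that the check reports only bits that have come back (a package upgrade reinstalls its SUID binaries with the bits set); run the check from cron and treat any output as a change to explain.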


11. Preventing system response to ICMP

It is a good idea to configure your system so that it does not respond to ICMP echo (ping) requests. This helps conceal its existence on the internet.

Edit the /etc/sysctl.conf file and add the following lines:

# Enable ignoring ping request
net.ipv4.icmp_echo_ignore_all = 1

# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1


You must restart your network for the change to take effect. To restart all network devices manually on your system, use the following command:

/# /etc/rc.d/init.d/network restart

12. Disable IP source routing

Routing and routing protocols can create several problems. IP source routing, where an IP packet contains details of the path to its intended destination, is dangerous because according to RFC 1122 the destination host must respond along the same path. If an attacker were able to send a source-routed packet into your network, he would be able to intercept the replies and fool your host into thinking it is communicating with a trusted host. I strongly recommend that you disable IP source routing to protect your server from this hole.

Edit the /etc/sysctl.conf file and add the following lines:

# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0

You must restart your network for the change to take effect. To restart all network devices manually on your system, use the following command:

/# /etc/rc.d/init.d/network restart

13. Disable IP Forwarding

IP forwarding must be disabled to avoid any leakage of IP information from your local network.

Edit the /etc/sysctl.conf file and add the following line:

# Disable IP Forwarding
net.ipv4.ip_forward = 0

You must restart your network for the change to take effect. To restart all network devices manually on your system, use the following command:

/# /etc/rc.d/init.d/network restart


14. Enable TCP SYN protection

A SYN attack is a denial of service (DoS) attack that consumes all the resources on your machine, forcing you to reboot. Denial of service attacks (attacks which incapacitate a server through high traffic volume, or which tie up enough system resources that the server cannot respond to a legitimate connection request from a remote system) are easily achievable from internal resources or from external connections via extranets and the Internet. To enable SYN cookie protection:

Edit the /etc/sysctl.conf file and add the following line:

# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1

You must restart your network for the change to take effect. To restart all network devices manually on your system, use the following command:

/# /etc/rc.d/init.d/network restart

15. Disable ICMP redirects

When hosts use a non-optimal or defunct route to a particular destination, an ICMP redirect packet is used by routers to inform the hosts what the correct route should be. If an attacker is able to forge ICMP redirect packets, he or she can alter the routing tables on the host and possibly subvert the security of the host by causing traffic to flow via a path you didn't intend. It's strongly recommended to disable ICMP Redirect Acceptance to protect your server from this hole.

Edit the /etc/sysctl.conf file and add the following line:

# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0

You must restart your network for the change to take effect. To restart all network devices manually on your system, use the following command:

/# /etc/rc.d/init.d/network restart

16. Enable bad error message protection

This option will alert you to all bad error messages in your network.

Edit the /etc/sysctl.conf file and add the following line:

# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1

You must restart your network for the change to take effect. To restart all network devices manually on your system, use the following command:

/# /etc/rc.d/init.d/network restart

17. Enable IP spoofing protection

Spoofing protection prevents your network from being the source of spoofed (forged) communications, which are often used in DoS attacks.

Edit the /etc/sysctl.conf file and add the following line:

# Enable IP spoofing protection, turn on Source Address Verification
net.ipv4.conf.all.rp_filter = 1

You must restart your network for the change to take effect. To restart all network devices manually on your system, use the following command:

/# /etc/rc.d/init.d/network restart

18. Log Spoofed, Source Routed and Redirect Packets

This protection will log all Spoofed Packets, Source Routed Packets, and Redirect Packets to your log files.

Edit the /etc/sysctl.conf file and add the following line:

# Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1

You must restart your network for the change to take effect. To restart all network devices manually on your system, use the following command:

/# /etc/rc.d/init.d/network restart
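Sections 11 to 18 all follow the same pattern: add a key to /etc/sysctl.conf, then restart the network so the file is reloaded. The following added script (not part of the original article) gathers those nine keys and checks two things separately: that each key is present in the configuration file with the intended value, and that the running kernel actually has that value under /proc/sys. The two reports tell apart a setting that was never written from one that was written but not yet loaded. SAMPLE_CONF is a constructed sysctl.conf with one wrong value and one missing key; the comment naming sysctl -p as the direct reload command is an addition of this example.

```sh
#!/bin/sh
# Added example, not from the original article: verify the kernel settings the
# article adds to /etc/sysctl.conf, both in the file and in the running kernel.
# Nothing here changes the system; it reports drift. SAMPLE_CONF is constructed.

# key=value pairs the article recommends (sections 11 to 18).
WANTED='net.ipv4.icmp_echo_ignore_all=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.ip_forward=0
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.log_martians=1'

# Constructed sample of an /etc/sysctl.conf: ip_forward is wrongly left at 1
# and log_martians is missing altogether.
SAMPLE_CONF='# Kernel sysctl configuration file (constructed sample)
net.ipv4.ip_forward = 1
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.rp_filter = 1'

# conf_value: print the value configured for key $2 in sysctl.conf text $1.
# The last occurrence wins, as sysctl -p applies lines in order; whitespace
# around "=" is tolerated; nothing is printed if the key is absent.
conf_value() {
    printf '%s\n' "$1" | awk -F'=' -v key="$2" '
        /^[ \t]*[#;]/ || NF < 2 { next }
        {
            k = $1; gsub(/[ \t]/, "", k)
            if (k == key) { v = $2; gsub(/[ \t]/, "", v); found = v }
        }
        END { if (found != "") print found }'
}

# check_conf: compare sysctl.conf text $1 against WANTED and print one line
# per key that is missing or wrong: "key expected=X conf=Y".
check_conf() {
    printf '%s\n' "$WANTED" | while IFS='=' read -r key want; do
        have=$(conf_value "$1" "$key")
        [ "$have" = "$want" ] || echo "$key expected=$want conf=${have:-<unset>}"
    done
}

# live_value: read the running kernel's value for key $1 from /proc/sys.
live_value() {
    f=/proc/sys/$(printf '%s' "$1" | tr '.' '/')
    [ -r "$f" ] && tr -d '\n' < "$f"
}

# check_live: print one line per WANTED key whose in-kernel value differs.
# A mismatch here with a clean check_conf means the file was not reloaded:
# the article restarts the network, and "sysctl -p" reloads the file directly.
check_live() {
    printf '%s\n' "$WANTED" | while IFS='=' read -r key want; do
        have=$(live_value "$key")
        [ "$have" = "$want" ] || echo "$key expected=$want live=${have:-<unreadable>}"
    done
}

# Stand-alone use: "sh sysctl_check.sh /etc/sysctl.conf".
if [ "$#" -gt 0 ]; then
    echo "== $1 =="; check_conf "$(cat "$1")"
    echo "== running kernel =="; check_live
fi
```

Run it once after editing the file (expect only live mismatches) and once after the network restart (expect none); keep it in the post-deployment checklist, since a later kernel or package update can reset the live values until the file is reloaded again.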


 

 

Dallas UNIX System Administrator.  - Mike Carroll, CISSP

