Hardening RedHat Linux with Bastille
Securely installing a bastion host
By Seán Boran
This article presents a concise step-by-step approach to securely
installing RedHat Linux for use in a firewall DMZ, or other sensitive environment, using
Bastille. Linux has progressed rapidly and can be configured to be as secure as, if not
more secure than, commercial UNIX.
The focus in this article is on RedHat 6.2 on SPARC + x86, RedHat7 on x86
and Mandrake 7.0 on x86.
We welcome your feedback on this article.
Table of Contents:
- Initial OS installation
- Install SSH
- Bastille: Introduction,
Running, Checking, Problems.
- Installing tools & sysadmin
- Patches and Logging
- Integrity Checking and backup
- Install, test, harden applications.
- Going Live
Changes to this article
- Keep things simple: it is expected that only one or two services will run on a host. Use
several machines, rather than one superserver that does everything. It's easier to isolate
applications, harden, troubleshoot and upgrade hw/sw. Be minimalist, only run what is
- Hardware: If you have Sun/SPARC, consider installation via the serial port console, get
rid of the keyboard, screen and framebuffer. i.e. avoid using X11 and get to know the
- Downloading securely: Hopefully the installation is on an isolated or
non-routed private network, in this case you can ftp to the new box (as root), or ftp from
the new box (via the console) to a server on this net. If you don't have an isolated
network (not advisable), then change the root password to something easy, download the
files and change the password again, shutdown the network interface immediately. This
reduces the window of opportunity for potential attackers.
- Know exactly what the system is supposed to do, what its hardware configuration will be,
etc. Hardening is generic and may break certain applications, e.g. those needing RPC.
- It's important to understand how the applications work (how they use ports, devices,
files), to judge what hardening is possible and to assess the risk posed.
On x86 hardware, screen, keyboard and mouse are needed. Boot from CDROM or the boot
floppy and choose install.
On SPARC hardware, the entire installation can be done without screen or keyboard (also
called a "headless server"). Connect the serial console, switch on, halt to the
OK prompt by sending a Stop-A (~#, ~%b, or F5 depending on whether you use tip, cu
or a vt100 terminal), then start the installation procedure: boot
cdrom - install.
The RedHat install is pretty buggy and options differ between releases:
- Ideally the "custom install" would be used to install only necessary modules,
but it's buggy, e.g. on v6.1 the ftp server is not installed (for SPARC, fix this with rpm -i /mnt/cdrom/RedHat/RPMS/wu-ftpd-2.6.0-1.sparc.rpm).
- Gnome is always installed, even if you choose KDE and exclude GNOME. Fix: use startx to start GNOME and kdm to start
- On all v6.2 installation methods, the International keyboard maps are not set correctly
for the commandline or GUI.
The Mandrake 7.0 install does not suffer from these
So, choose a server or custom install, set hostname, IP parameters,
timezone, etc. Don't enable any naming services like NIS or NFS. Choose manual disk
- Consider a separate, large /var filesystem for syslog/web/news/proxy servers or firewall
- Servers containing lots of data (web, ftp) should use a separate disk for their data.
- If you don't wish to mount partitions read-only and there are no logs or application
data, then consider putting the whole boot disk under root.
- Suggestion for a 2GB disk: 1500MB / (root+usr), 200MB swap, 300MB /var.
- Suggestion for a 1GB disk: 700MB / (root+usr), 100MB swap, 200MB /var.
- Suggestion for a log server with 8GB: 100MB / root, 300MB swap, 800MB /usr, 6.9GB
- See also  for a more detailed discussion of disk partitioning.
Set a strong password (At least 8 chars with numbers, letters and punctuation) for root.
Create an additional test user, as you won't be able to login over the network as root.
The "init level" should be set to 3 (command line login), rather than 5
(graphical login). If a GUI is needed, it can always be started manually with startx.
To log in via serial port A on x86 hardware (useful for troubleshooting, installations
and getting to know the command line; not necessary for headless SPARCs, which do this
automatically), add the following to /etc/inittab:
con:23:respawn:/sbin/getty ttyS0 VC
To allow root to log in via this serial port, add ttyS0 to /etc/securetty:
echo "ttyS0" >> /etc/securetty
Install SSH, the secure Shell for login access (Bastille can do this, but you need
Internet access, I had problems with SPARC, and prefer to know exactly what options are
used to compile SSH). SSH is already included in some distributions, such as Redhat7.
There are two key implementations for Linux 'ssh1' and 'OpenSSH', here we use ssh1 as
an example. OpenSSH is more interesting in some ways, but ssh1 also supports securid
(which is useful to me). See also  for a detailed discussion of SSH
and its various implementations.
Either download sources or RPMs (see sites listed under ):
1) Sources:
zcat ssh-1.2.30.tar.gz | tar xf -
cd ssh-1.2.30; ./configure --prefix=/usr --without-none --without-rsh --without-idea
make && make install
2) RPMs (SPARC example shown):
rpm -i ssh-1.2.30-7i.sparc.rpm
rpm -i ssh-extras-1.2.30-7i.sparc.rpm ssh-server-1.2.27-7i.sparc.rpm
Copy a startup file (example sshd) to /etc/rc.d/init.d/sshd
and setup links, unless it was done as part of the previous step.
chkconfig --add sshd
Configure an appropriate /etc/sshd_config file (see also ),
so that access is restricted to named hosts with known public keys (/etc/ssh_known_hosts)
and rhosts authentication is disabled. Avoid trusts. Only allow specific users and hosts
to access SSH.
Deny daemon accounts access, for example (sshd_config takes a space-separated list):
DenyUsers daemon bin sync adm lp shutdown halt mail news uucp nobody operator sympa squid postgres gopher postfix xfs
Bastille is set of open source scripts designed to harden a virgin Red Hat 6.0 or 6.1
installation (6.2 support is planned soon). The first release was in December 1999 and
significant progress has been made. V1.1 (released June 2000) was used here. What does
Bastille do? Unneeded daemons are stopped, logging enabled/improved, SUID and file
permissions tightened, account security improved and even a chroot environment is
provided for DNS servers.
Note that Bastille does not run on other Linux variants such as SuSE (which have their own
mechanisms and different startup files).
An automated and interactive interface is available. The text based menus provided by
the interactive install are very useful for explaining the different options involved and
generate a configuration file (tui-generated-raw-config) which is used in the next step by
the Bastille back end to do the actual hardening. The configuration file can be edited or
copied to other machines to speed up hardening.
- Download Bastille and extract into /root.
- Shutdown the network interface during this next phase, just in case (the interface name
ifconfig eth0 down
- Run the Bastille interactive script:
cd /root/Bastille; ./InteractiveBastille.pl
On SPARC the Interactive script won't work:
Can't load './Curses.so' for module Curses: ./Curses.so: ELF file data encoding not
big-endian at /usr/lib/perl5/5.00503/sparc-linux/DynaLoader.pm line 169.
Fix: Download Curses-1.02.tar.gz from CPAN and install:
perl Makefile.PL; make && make install
Then change to the Bastille dir & remove the i386 Curses library:
cd /root/run-Bastille; mv Curses.* /tmp;
And run InteractiveBastille.pl again.
InteractiveBastille.pl runs through hardening setup on a step-by-step basis, asking the
user what should or should not be tightened down. Unneeded daemons are stopped, logging
enabled, SUID and file permissions tightened, account security improved and even a chroot
environment is provided for DNS servers.
Default answers except for the following were used (see tui-generated-raw-config):
- File permissions: set more restrictive permissions on the administration utilities
- SUID: disable all tools except ping and traceroute.
- 2nd UID 0 account: no.
- Disable compiler (only root access)
- Specify remote logging host
- Daemons: disable Sendmail, run Sendmail via cron, disable Apache, enable CGI,
disable indices, disable printing, disable anonymous ftp download.
- RPC can be disabled, even if you need to run KDE.
Start the actual hardening process: review the settings you chose by viewing config in
an editor such as view, then run the back end:
./BackEnd.pl < config > screen.log
Bug: the first time BackEnd fails with the following message:
# ./BackEnd.pl < config > screen.log
/bin/cp: /etc/banners: omitting directory
Run it again and it works fine!
- Review the log of the hardening process: /root/Bastille/screen.log and
- Login as root and check the process list, it should be something like:
tests# ps -ef
UID PID PPID C STIME TTY TIME CMD
root 1 0 10 17:07 ? 00:00:03 init 
root 2 1 0 17:07 ? 00:00:00 [kflushd]
root 3 1 0 17:07 ? 00:00:00 [kupdate]
root 4 1 0 17:07 ? 00:00:00 [kpiod]
root 5 1 0 17:07 ? 00:00:00 [kswapd]
root 6 1 0 17:08 ? 00:00:00 [mdrecoveryd]
root 276 1 1 17:08 ? 00:00:00 syslogd -m 0 -a /home/dns/dev/lo
root 286 1 0 17:08 ? 00:00:00 klogd
root 301 1 0 17:08 ? 00:00:00 crond
root 310 1 3 17:08 ? 00:00:00 /usr/sbin/sshd
root 369 1 0 17:08 ttyS0 00:00:00 login -- root
root 370 1 0 17:08 tty1 00:00:00 /sbin/mingetty tty1
root 371 1 0 17:08 tty2 00:00:00 /sbin/mingetty tty2
root 372 1 0 17:08 tty3 00:00:00 /sbin/mingetty tty3
root 373 1 0 17:08 tty4 00:00:00 /sbin/mingetty tty4
root 374 1 0 17:08 tty5 00:00:00 /sbin/mingetty tty5
root 375 1 0 17:08 tty6 00:00:00 /sbin/mingetty tty6
root 378 369 1 17:08 ttyS0 00:00:00 -bash
root 390 378 0 17:08 ttyS0 00:00:00 ps -ef
- Check the network connections, for example:
# netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:ssh *:* LISTEN
raw 0 0 *:icmp *:* 7
raw 0 0 *:tcp *:* 7
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 3 [ ] DGRAM 239 /dev/log
unix 0 [ ] STREAM CONNECTED 108 @0000000f
unix 0 [ ] DGRAM 241 /home/dns/dev/log
unix 0 [ ] DGRAM 353
unix 0 [ ] DGRAM 282
unix 0 [ ] DGRAM 254
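The ps and netstat review above can be made repeatable. The following script is an added example (not from the article, from Bastille or from the author's tools): it reads ps -ef and netstat -a output, compares it with an allowlist for the sshd-only bastion described here, and prints whatever is extra. The allowlist contents, the --live switch and the sample outputs are assumptions made for the demonstration.

```shell
#!/bin/sh
# Post-Bastille audit helper (added example, not part of Bastille or of the
# article's tools). Compares the daemons (ps -ef) and the listening sockets
# (netstat -a) of a freshly hardened host against an allowlist and reports
# anything extra, so the manual review can be re-run from cron or by hand.
# The allowlists assume the sshd-only bastion shown in the article; the
# sample outputs further down are constructed, not captured from a host.

# Port names (as printed by netstat -a) that may listen on this host.
ALLOWED_LISTENERS="ssh"
# Userland commands expected in the process list of the hardened host.
ALLOWED_DAEMONS="init syslogd klogd crond sshd login mingetty getty bash ps"

# unexpected_listeners: reads `netstat -a` output on stdin and prints
# "proto port" for every tcp LISTEN socket or bound udp socket whose port is
# not in ALLOWED_LISTENERS. Exit status 0 = nothing unexpected, 1 = findings.
unexpected_listeners() {
    found=0
    while read -r proto rq sq laddr faddr state; do
        case "$proto" in
            tcp) [ "$state" = "LISTEN" ] || continue ;;
            udp) ;;                       # every bound udp socket is a listener
            *)   continue ;;              # headers, raw and unix sockets
        esac
        port=${laddr##*:}                 # "*:ssh" -> "ssh", "0.0.0.0:22" -> "22"
        case " $ALLOWED_LISTENERS " in
            *" $port "*) continue ;;
        esac
        echo "$proto $port"
        found=1
    done
    return $found
}

# unexpected_daemons: reads `ps -ef` output on stdin and prints "pid name"
# for every userland process whose command is not in ALLOWED_DAEMONS.
# Kernel threads (shown in [brackets]) are ignored.
unexpected_daemons() {
    found=0
    while read -r uid pid ppid c stime tty cputime cmd rest; do
        [ "$uid" = "UID" ] && continue          # column header
        [ -z "$cmd" ] && continue               # blank or malformed line
        case "$cmd" in \[*) continue ;; esac    # kernel thread
        name=${cmd##*/}                         # /usr/sbin/sshd -> sshd
        name=${name#-}                          # -bash -> bash (login shell)
        case " $ALLOWED_DAEMONS " in
            *" $name "*) continue ;;
        esac
        echo "$pid $name"
        found=1
    done
    return $found
}

# Constructed sample output: a host where the portmapper and the X font
# server (both discussed in the article) are still running.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN
udp 0 0 *:sunrpc *:*
tcp 0 0 *:xfs *:* LISTEN
raw 0 0 *:icmp *:* 7
Active UNIX domain sockets (servers and established)
unix 3 [ ] DGRAM 239 /dev/log'

SAMPLE_PS='UID PID PPID C STIME TTY TIME CMD
root 1 0 0 17:07 ? 00:00:03 init
root 2 1 0 17:07 ? 00:00:00 [kflushd]
root 276 1 0 17:08 ? 00:00:00 syslogd -m 0
root 310 1 0 17:08 ? 00:00:00 /usr/sbin/sshd
rpc 320 1 0 17:08 ? 00:00:00 portmap
xfs 330 1 0 17:08 ? 00:00:00 xfs -droppriv -daemon
root 378 369 0 17:08 ttyS0 00:00:00 -bash
root 390 378 0 17:08 ttyS0 00:00:00 ps -ef'

# "sh audit.sh --live" audits the running host; without it the samples run.
if [ "${1:-}" = "--live" ]; then
    echo "== listening sockets not on the allowlist =="
    netstat -a | unexpected_listeners
    echo "== daemons not on the allowlist =="
    ps -ef | unexpected_daemons
else
    echo "== sample netstat: unexpected listeners =="
    printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners || :
    echo "== sample ps: unexpected daemons =="
    printf '%s\n' "$SAMPLE_PS" | unexpected_daemons || :
fi
```

In the --live mode a non-zero exit status means something unexpected was found, which makes the script usable as a cron check that mails root only on findings.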
The Bastille Linux hardening script is a community consensus project: it attempts
to integrate existing "best practices" documents and the shared knowledge of
The Bastille team are to be congratulated on their good work, but a few problems have been
noticed. It has been indicated that the following problems should be addressed in future
releases, together with support for RH6.2.
- It must run on a virgin system; it cannot be undone or re-done.
- Bastille won't allow you to quit with Ctrl-C and the window size must be big enough to
show the menus correctly.
- The default menu point after "MiscellaneousDaemons.pm Module 10 of 16" is
"back" instead of next. Fix: manually select "next".
- Insufficient hardening:
- Unneeded accounts like uucp, games, lp, operator, xfs are not removed. Nor are their
shells set to /dev/null or /bin/false or /bin/nosuchshell.
- The xfs (X font server) is still running. While it doesn't have major security
weaknesses, some could be discovered, some day (Bugtraq are actively discussing xfs at the
Fix: disable it and reboot: chkconfig --del xfs
Important: You will no longer be able to use KDE or X11 on the console, but if it's
just occasionally needed, manually start the font server before you need it:
- More system accounts could be added to /etc/ftpusers, such as: sympa, squid, postgres,
gopher, postfix, xfs.
- If ssh is already installed, change sshd_config (DenyUser) so that login from the same
accounts as /etc/ftpusers is forbidden.
- Change the Root description (GECOS) from "root" to "root
MACHINENAME" in /etc/passwd (useful for large installations).
- There is no chroot user ftp, which would be useful to isolate users from each
other and the system files (wu-ftp does chroot for anonymous ftp). A chroot
for apache would also be useful.
At this stage standard tools/utilities are going to be installed. These tools should
already have been compiled and tested extensively on another machine. They are typically
transferred as tar files, by CD or FTP. Some of the following settings can also be
configured via linuxconf.
- Environment: /.cshrc /.profile /.bashrc /etc/profile /etc/bashrc: set aliases and
variables (such as VISUAL and EDITOR; make sure PATH does not include ".") for your
favourite shell. Set umask to 077, or 027.
- Disk mounting: To reduce the risk of trojan horses and unauthorised modifications, in
/etc/vfstab, mount /var and other data disks with "nosuid".
- Configure /etc/hosts with a list of critical machines (which you don't want resolved via
- DNS client (avoid if not needed): add domain name & DNS servers to /etc/resolv.conf.
Add a DNS entry for "hosts" in /etc/nsswitch.conf (and remove nis and nisplus
- Keyboard security: If your hosts are in secured rooms, it might be desirable to disable
certain key functions such as the following. On the other hand this can be an
inconvenience if the hosts are already physically secure.
- On SPARC: enable/disable the STOP-A keyboard sequence to jump to the eprom prompt in
- To disable hotkey interactive startup, set PROMPT=no in /etc/sysconfig/init.
- On x86: To allow ctrl-alt-delete to shutdown the system, an entry in /etc/inittab like
the following is used:
# Trap CTRL-ALT-DELETE
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
Comment it out and reboot or "killall -HUP init" to activate the change.
- Use default routes: add the IP address of the router to /etc/sysconfig/network.
- In /etc/inetd.conf, all services have been disabled: reopen very specific services only
if absolutely needed, by adapting /etc/hosts.allow and /etc/hosts.deny.
- Email: If hosts are not supposed to send email outside the subnet, don't configure the
mailhost alias. Delete /usr/lib/sendmail if you don't need any kind of email. Otherwise:
- edit /etc/mail/aliases (at least point root to a real address)
- set mailhost in /etc/hosts and add a hostname.YOURDOMAIN.COM alias for this
- in /etc/mail/sendmail.cf set the following to ensure all outgoing email is channeled
needed if sendmail complains]
[send emails with no host/domain here]
[skip this if local delivery is allowed]
- Send a test email to check the config:
mail -v -s test_email root </dev/null
- If a sensitive host is to be administered by several people, consider using a tool such
as sudo. See also .
- If user accounts will be allowed on the system, consider restricting access to:
- cron: via /etc/cron.allow and cron.deny (see also ).
- at: via /etc/at.allow and at.deny
- ftp: Disallowed users are listed in /etc/ftpusers (Bastille puts some system accounts in
to start with)
- ssh: /etc/sshd_config (look for AllowUsers DenyUsers AllowHosts DenyHosts entries)
- General inetd services: /etc/hosts.allow and hosts.deny
- File system groups: /etc/group, and use file and directory permissions accordingly.
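Two of the account gaps noted above (system accounts that still have a login shell, and keeping sshd's DenyUsers in step with /etc/ftpusers) are easy to check mechanically. The script below is an added example, not part of Bastille or of the author's tools; the UID 500 cut-off for ordinary users, the list of no-login shells and the sample file contents are assumptions made for the demonstration.

```shell
#!/bin/sh
# Account lock-down helpers (added example, not part of Bastille or of the
# article's tools). Reads the standard /etc/passwd and /etc/ftpusers formats.
# FIRST_USER_UID=500 (first ordinary user on RedHat 6) and the sample file
# contents below are assumptions for the demonstration.

FIRST_USER_UID=500
# Shells that count as "no login": the article's suggestions plus nologin.
NOLOGIN_SHELLS="/bin/false /dev/null /bin/nosuchshell /sbin/nologin"

# system_accounts_with_shell: read /etc/passwd on stdin and print
# "user shell" for every account below FIRST_USER_UID (root excepted) that
# can still log in because its shell is not one of NOLOGIN_SHELLS.
# An empty shell field means /bin/sh to login(1), so it is reported too.
system_accounts_with_shell() {
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -z "$user" ] && continue
        [ "$user" = "root" ] && continue
        case "$uid" in ''|*[!0-9]*) continue ;; esac   # skip odd lines
        [ "$uid" -lt "$FIRST_USER_UID" ] || continue   # ordinary users
        shell=${shell:-/bin/sh}
        case " $NOLOGIN_SHELLS " in *" $shell "*) continue ;; esac
        echo "$user $shell"
    done
}

# deny_users_line: read an /etc/ftpusers style list on stdin (one account
# per line, '#' comments allowed) and print the matching sshd_config line,
# so the accounts refused by ftp are refused by ssh as well.
# Returns 1 (and prints nothing) when the list is empty.
deny_users_line() {
    list=""
    while read -r name junk; do
        case "$name" in ''|\#*) continue ;; esac
        list="$list $name"
    done
    [ -n "$list" ] || return 1
    echo "DenyUsers$list"
}

# Constructed sample files: four system accounts keep the default shell.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:/bin/false
lp:x:4:7:lp:/var/spool/lpd:
uucp:x:10:14:uucp:/var/spool/uucp:
games:x:12:100:games:/usr/games:
xfs:x:100:233:X Font Server:/etc/X11/fs:/bin/false
sb:x:500:500:Sean:/home/sb:/bin/bash'

SAMPLE_FTPUSERS='# accounts never allowed to log in over ftp
daemon
bin
sync
adm
lp
xfs'

# "sh accounts.sh --live" checks the real files; otherwise the samples run.
if [ "${1:-}" = "--live" ]; then
    echo "== system accounts that can still log in =="
    system_accounts_with_shell < /etc/passwd
    echo "== sshd_config line matching /etc/ftpusers =="
    deny_users_line < /etc/ftpusers
else
    echo "== sample passwd: system accounts that can still log in =="
    printf '%s\n' "$SAMPLE_PASSWD" | system_accounts_with_shell
    echo "== sample ftpusers: sshd_config line =="
    printf '%s\n' "$SAMPLE_FTPUSERS" | deny_users_line
fi
```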
Patch management is still very basic in Linux: there is no unique numbering, no
dedicated tools for automated checking of patch levels (as Solaris has, for example), and no
"patch bundles" to enable you to quickly get your system up to a current level.
For RedHat 6.1, patches can be found at www.redhat.com/errata.
Security advisories, bug fixes and package updates are on offer. Mandrake updates are at www.linux-mandrake.com/en/fupdates.php3,
but Mandrake also offers a nice Patch checking and installation tool under KDE, that is
worth trying out.
Only select patches that are relevant to tools/applications actually in use on your
Once you have downloaded the relevant patches apply them:
rpm -Uvh filename.rpm
There are also specific kernel patches to add security features such as strong crypto
to the kernel, see .
Syslog logging: The additional syslog configuration setup by Bastille is useful, but
only on hosts with local logging or loghosts (syslog servers).
Syslog "clients": It is suggested that most hosts log to a central loghost,
with an /etc/syslog.conf such as the following:
# syslog.conf for clients
# send all messages to "loghost":
# Save boot messages also to boot.log
# Log all logins to /var/log/loginlog
# Log additional data to the Alt-F7 and Alt-F8 screens (TTY 7 and 8)
Give the loghost a whopping great /var disk for logs.
Use the default syslog.conf, with the additions from Bastille.
Set up log pruning as described below.
Root cron entries:
## Synchronise the time:
0,15,30,45 * * * * /usr/bin/rdate timehost1 >/dev/null 2>&1
# process the mail queue hourly during the week:
0 * * * 1-5 /usr/lib/sendmail -q
File permissions: tighten more permissions, and restrict certain tools to root or
chmod u-s /usr/sbin/sendmail # Not for mailgateways or multi-user hosts
chmod 400 /.shosts
chmod 444 /etc/sshd_config /etc/ssh_known_hosts
Document configuration changes in a text file such as /etc/mods, update after each
change, with date, author, files affected, description.
cat > /etc/mods <<EOF
19.12.00 sb New install of RH6.1+Bastille & tools according to hardening
EOF
Change login banners to warn users about unauthorised access - you'll need this if you
want to prosecute intruders. Edit /etc/issue (for pre-login) and /etc/motd (for
post-login). Bastille does not change /etc/issue; one might want to remove
indications about the Operating System type and add a banner (especially when the console
is not in a secured room).
Test - Do SSH and the standard tools work? Check log entries, check console messages.
Does the system behave as expected?
At this stage, we need to install a file integrity checker that uses secure hashing
algorithms, initialise its database and run regular checks to monitor for changes. If
possible keep the master database on another machine or offline or on write-once media.
Even if you can't run regular checks, take a master copy and store it on a floppy; it will
be a great help in detecting what has changed, should the system be penetrated at a later
What options do we have for integrity checking?
- The rpm command can also be used to report changes to rpm-installed files ("poor man's
for file in $(rpm -qa); do rpm -V $file; done > rpm_changes
It prints out a list, indicating whether Size, MD5 hash, Links, Time (mtime),
Device, User, Group, Mode (permissions) changed:
S.5....T c /etc/host.conf
S.5....T c /etc/hosts.allow
S.5....T c /etc/motd
S.5....T c /etc/securetty
S.5....T c /etc/services
S.5....T c /etc/localtime
S.5....T c /etc/nsswitch.conf
Unfortunately, the list contained 156 entries after hardening a RH6.1 SPARC system! You
can store a copy off line (e.g. floppy) and use it for regular comparison.
- Tripwire : There are both free and commercial versions. Red Hat
x86 is the only Linux for which the commercial version is officially available (and
it is included in RH7)
Linux is officially supported on RedHat 5.2 and 6.0. Other distributed
versions of Linux are not officially supported, but basic functionality has been verified
on RedHat 6.1, and various distributions of Debian, Caldera, Open Linux, and SuSE systems
using Linux kernel 2.0.36 or higher.
- The free version can be tricky to get working correctly and has a few bugs. Source code
is provided. It crashes on very large disks (for me).
- The commercial version is a bit pricey (for non Linux users), reports are too verbose
(you may need filter scripts), more configuration examples should be provided. It is more
stable than the free version, also runs on UNIX and NT and offers enhanced security by
cryptographic signing of policy and configuration files. Support (even when paid for) is
- Neither version supports the use of regular expressions when defining policy rules. e.g.
you can't specify a rule for "/home/*/www/cgi-bin" files, that would work even
when new directories are added under /home.
- Apparently, Tripwire will be released as OpenSource for Linux near the end of 2000.
That would be useful.
- PGP can also be used, by signing files to be protected (creating lots of signature
files), then writing a script to check the validity of signatures. This will not catch
permission, link, inode or modify date changes though.
- MD5 signatures could also be used in a similar way, but the list of MD5 signatures
should not be stored on the system being monitored, unless it is PGP signed or encrypted.
- mtree is the tool used on OpenBSD; perhaps it will be ported to Linux?
- AIDE is a new GPL tripwire replacement that looks
interesting, I've not had a chance to test it so far.
An example using the free Tripwire Version 1.2:
- An rpm is available for x86, the source rpm has to be compiled for SPARC. Download and install the rpms.
- The tripwire binary is in /usr/sbin, configuration in /etc/tw.config, and it is checked
each day from cron via /etc/cron.daily/tripwire.verify. Databases are kept in
/var/spool/tripwire. See also the man pages: tripwire(8), twconvert(8), tw.config(5).
- After installation, the "initial state" of the system needs to be saved:
This will create a new database in /var/spool/tripwire.
- To tell Tripwire that a file or entire directory tree (including any changes to it) is OK:
/usr/sbin/tripwire -update [path]
- The checking can be run each day from cron, or manually via:
- Run tripwire with the "-i 2" option to increase speed (it disables one
checking algorithm, Snefru, but SHA-1 and MD5 are still used).
- For increased security and automated checking of several systems from one trusted host,
copy tripwire & its database and run it remotely at regular intervals using SSH.
Delete the tripwire database on the target after checking. This makes it difficult for an
attacker to know that tripwire is being used to check the system. In addition, immediately
update the tripwire database, so that only differences are reported by successive runs.
See the sample script trip_linux.sh, which does exactly that.
If this method is used, then local tripwire checking can be disabled:
mv /etc/cron.daily/tripwire.verify /etc/cron.daily/.tripwire.verify
- Regularly copy the configuration and database to floppy disk or write-once media; in a
crisis it will be very useful.
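The "MD5 signatures" option listed earlier and the remote-checking procedure just described fit together: a checksum list is small enough to keep on the trusted host or on removable media, so nothing persistent has to be left on the monitored system. The script below is an added example, not the author's trip_linux.sh and not from the original article. make_baseline records one "checksum  path" line per regular file; check_baseline reports files that changed, appeared or disappeared since the baseline was taken. It assumes GNU coreutils md5sum and a POSIX awk; both function names are my own. Like the PGP and MD5 methods described above, it does not notice permission, owner or mtime changes.

```shell
#!/bin/sh
# Added example: a checksum baseline and comparison in POSIX sh.
# Not part of the original article.

# One "checksum  path" line per regular file under directory $1, sorted so
# two scans of the same tree are directly comparable.
make_baseline() {
  find "$1" -type f | LC_ALL=C sort | while read -r f; do
    md5sum "$f"
  done
}

# Compare directory $1 with the baseline file $2 and print one line per
# difference: "CHANGED path", "ADDED path" or "REMOVED path". The baseline
# should live off the monitored host (removable media, or the trusted host
# that runs the check over SSH); a baseline kept on the target can simply
# be regenerated by whoever modified the files.
check_baseline() {
  dir=$1
  baseline=$2
  current=$(mktemp) || return 1
  make_baseline "$dir" > "$current"
  # md5sum prints 32 hex digits, two spaces, then the path, so the path
  # starts at column 35. ARGV[1] is the baseline, ARGV[2] the fresh scan.
  awk '
    FILENAME == ARGV[1] { base[substr($0, 35)] = $1; next }
    {
      p = substr($0, 35); seen[p] = 1
      if (!(p in base))       print "ADDED   " p
      else if (base[p] != $1) print "CHANGED " p
    }
    END { for (p in base) if (!(p in seen)) print "REMOVED " p }
  ' "$baseline" "$current"
  rm -f "$current"
}
```

For the remote variant, either copy the baseline to the target for the duration of the run and delete it afterwards, or run make_baseline over SSH and compare on the trusted host; in both cases an empty report means nothing under the scanned directories changed content since the baseline was taken.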
Depending on the function of the server, applications such as ftpd, BIND, proxies, etc.
are installed at this point.
Hardening of specific applications like ftp, DNS, Email and also general application
tips are discussed in a separate document.
Consider installing a script to check that important daemons are running. Install monitor_processes.pl and add a root cron entry:
## Check that important processes are running during office hours:
## [If you run 7x24, modify accordingly]
0,30 8-19 * * 1-5 /secure/monitor_processes.pl inetd sshd httpd
If data partitions had to be mounted read-write during the application install/testing,
consider mounting them read-only now.
Reinitialise tripwire (or equivalent integrity checker).
Backup the system, again to two tapes, one offsite.
Run a network scan on the system, to ensure that only expected services are visible. A
commercial tool such as ISS or a free one like Nessus, nmap or Satan
should do the job. Print out the results and archive.
If possible, have additional people do the final testing, just in case something was
forgotten. Test in detail - What works? What is forbidden? Check console/log entries. Does
the system behave as expected? Watch the logs very frequently during the first few days of
Test in detail. Check log entries. Does the system behave as expected?
Have applications been tested in detail, by different people with different points of
view, from different access points on the network?
The following activities should take place hourly, daily, weekly or monthly, depending
on how critical the system is:
- Check the status of patches, update as needed. Be very wary of kernel patches (test on a
non-production machine). Only install patches for software actually used. Since most
daemons are disabled on bastion hosts and users don't have accounts, few patches are
- Check all logs for errors and unusual activity: /var/log/* and application logs.
- Write scripts to report if critical daemons die, or if important systems cannot be pinged.
- Run tripwire (or equivalent integrity checker).
- Be regularly informed of new vulnerabilities and security issues, by subscribing
directly to CERT, CIAC
and the vendor security lists and/or subscribing to SecurityPortal's weekly letter or the SANS weekly/monthly letters.
This article has been very specific, in the interest of making it practical. However,
each security administrator has his own methods and each site has different requirements.
- Red Hat provides a facility for automatic installs (Kickstart). Create a text file with
specifications for the install, and point the Red Hat installer at it and go. See also www.redhat.com/mirrors/LDP/HOWTO/KickStart-HOWTO.html
- Mandrake: Mandrake is a Red Hat compatible Linux distribution. It
is interesting because:
- Its installer is much better. A nice GUI that works for simple to expert users. It can
also install crypto tools, if you have a (proxied) ftp connection to the Internet.
- The root password must be at least 8 chars long.
- It includes the MSEC package (Mandrake Security), which allows you to specify a security
level for the system. MSEC is described in chapter 7 of the Mandrake User and Reference Manual (see references). However,
MSEC has a few funnies:
To change security levels, run /etc/security/msec/init.sh X, where
X is the security level 0-5. The default is 3. When converting to level 4 and rebooting,
the system asked for a runlevel number and on entering '3' it just sat there after an
error saying no runlevel files found. All other console ttys were disabled.
- MSEC: init.sh can also be run with the "custom" argument, whereby a
series of questions are asked as to what security items you want switched on or off (much
like Bastille). An example of the questions and answers given is in msec.txt. Note that it will kill root logon via the serial line,
if you need this, re-add ttyS0 to /etc/securetty.
- V7.0 was tested for this article, only on x86.
- Hardware: Sun SuperSPARCs are not supported, but an UltraSPARC version is currently in
beta. Likewise support for Compaq Alpha processor is also in Beta.
- If a package seems to be missing, those available can be listed
and installed manually with rpm -i.
- A few nice GUI tools are provided; drakxconf is a front end to each. Examples:
drakxservices lists active services and allows them to be started/stopped
adduserdrake does what it says.
diskdrake is an excellent disk partitioning GUI.
draksec allows selection of Low/Medium/high security levels (it uses msec as the
- I would recommend Mandrake over RedHat at the moment, unless you need the commercial
support etc. of RedHat.
- The command-line tool chkconfig can be used to enable/disable services. To list
what services are switched on or off:
To (for example) switch on the Apache web server:
chkconfig httpd on
To stop everything except SSH on a virgin RedHat7 server:
chkconfig httpd off
chkconfig apmd off
chkconfig atd off
chkconfig xfs off
chkconfig pcmcia off
chkconfig lpd off
chkconfig nfs off
chkconfig gpm off
chkconfig linuxconf off
chkconfig identd off
chkconfig portmap off
chkconfig sendmail off
chkconfig xinetd off
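Typing a separate "chkconfig X off" for every service is error-prone when the list of installed services differs from one install to the next. As an added example that is not part of the original article, the script below turns the rule "stop everything except SSH" into a whitelist: it reads the output of `chkconfig --list`, prints the services that are enabled in any runlevel and not on the keep list, and emits the corresponding "chkconfig ... off" commands without executing them. The sample listing is constructed; the function names services_to_disable, disable_commands and demo are my own.

```shell
#!/bin/sh
# Added example: whitelist-based service shutdown from "chkconfig --list".
# Not part of the original article.

# Constructed sample of "chkconfig --list" output (service names and
# states are made up for the example, not taken from a real host).
SAMPLE_LIST='sshd      0:off 1:off 2:on  3:on  4:on  5:on  6:off
network   0:off 1:off 2:on  3:on  4:on  5:on  6:off
httpd     0:off 1:off 2:on  3:on  4:on  5:on  6:off
atd       0:off 1:off 2:off 3:on  4:on  5:on  6:off
lpd       0:off 1:off 2:off 3:off 4:off 5:off 6:off
xinetd based services:
	telnet: off'

# Print the names of services that are "on" in at least one runlevel and
# are not in the space-separated whitelist $1. Reads "chkconfig --list"
# on stdin; the xinetd section has no "N:on" fields and is skipped.
services_to_disable() {
  awk -v keep=" $1 " '
    /[0-6]:on/ { if (index(keep, " " $1 " ") == 0) print $1 }'
}

# Turn that list into chkconfig commands. This is a dry run: the commands
# are printed for review, not executed.
disable_commands() {
  services_to_disable "$1" | while read -r svc; do
    printf 'chkconfig %s off\n' "$svc"
  done
}

# On a real host the pipeline would be:
#   chkconfig --list | disable_commands "sshd network"
# and, once the printed list has been reviewed, append "| sh" to apply it.
demo() {
  printf '%s\n' "$SAMPLE_LIST" | disable_commands "sshd network"
}
```

Keeping "network" on the whitelist matters on a remote install: disabling it alongside everything else would cut off the SSH session used to administer the box.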
- Versioning: Use RCS or CVS to manage versions of configuration files. This is especially
important when several administrators manage a host, changes are frequent, etc. Versioning
should also be used with Jumpstart scripts & config files. An alternative is to make a
copy of each config file BEFORE making changes. Append a date to the file, e.g.
- Time Synchronisation with xntpd: If you think you might have to produce
evidence in court, use NTP to synchronise time, not rdate. Prosecutions have
failed because, on busy servers, a few seconds difference could be used to insist that
there is a doubt about the identity of a session. If using NTP, either get a (cheap) radio
clock (if you are near an appropriate transmitter - e.g. the Stuttgart transmitter in
Germany), or set up a dedicated bastion host as a 2nd stratum NTP server, which uses 3 1st
stratum sources. Set up the firewall filter to allow only NTP from the bastion to the three
1st stratums and allow Intranet hosts to query the bastion.
NTP can also be set up for higher security by configuring DES+MD5 authentication keys on
server and client. See www.eecis.udel.edu/~ntp
- Intrusion detection:
- See also Integrity Checking section.
- Regular logfile analysis can be implemented with custom scripts or tools such as
logcheck and swatch.
- I have written a perl script monitor_socket.pl that
listens to a list of sockets and notifies by email and syslog if a connection is received.
Like klaxon above, but does not run from inetd. Originally written to detect
Sybase and Satan connection attempts.
- Snort is a great tool for network-based Intrusion Detection, but does have some
- It's a good idea to keep previous versions of configuration files, to allow rollback and
have an audit trail. This is called versioning. It is especially important when
several administrators manage a host, changes are frequent, etc. Versioning can also be
used with Jumpstart scripts & config files. Some sysadmins use RCS
(included in Yassp), some use CVS, some copy the configuration file to file.DATE
beforehand, some do nothing :).
Francisco Mancardi [email@example.com] has written a simple script that can be used to save
a copy of a file or directory before doing modifications.
Saveit is a little tool to make a backup of config files before you
change them. It saves a copy under /Backup.d/DATE/ and logs "who saved what
file" in /Backup.d/log-DATE. The existing directory structure is preserved under the
It's a simple, but useful version control tool for text files. e.g.
etc/% saveit vfstab
copying file vfstab ===> /Backup.d/20000707/etc/vfstab
etc/% saveit vfstab
copying file vfstab ===> /Backup.d/20000707/etc/vfstab.13:37
etc/% ls -l /Backup.d/20000707/etc/vfs*
-rw-r--r-- 1 root sys 386 Mar 14 08:31 /Backup.d/20000707/etc/vfstab
-rw-r--r-- 1 root sys 386 Mar 14 08:31 /Backup.d/20000707/etc/vfstab.13:37
./ ../ vfstab
etc/% tail /Backup.d/log-20000707
Backup base directory /Backup.d
Backup requested by root
Date (dd/mm/aaaa) 07-07-2000
Backup base directory /Backup.d
Backup requested by root
Date (dd/mm/aaaa) 07-07-2000
The advantages of this tool are simplicity and not clogging up the current directory
with old versions of files, rcs directories etc. The script can be downloaded.
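The session above shows how saveit behaves. As an added illustration (not Francisco Mancardi's script nor the author's tweaked version, which are the ones to download), the shell function below implements the same behaviour in POSIX sh: a copy goes to $SAVEIT_BASE/DATE/ with the original directory structure preserved, a second save of the same file on the same day gets a time postfix, and each save is logged together with the user who made it. The base directory defaults to /Backup.d as on the page; the SAVEIT_BASE variable that overrides it is a name I introduced for this example.

```shell
#!/bin/sh
# Added example: a minimal saveit in POSIX sh (not the script distributed
# with the article). Copies FILE to $SAVEIT_BASE/DATE/<original dir>/,
# adds a HH:MM postfix when a copy for today already exists, and logs who
# saved what in $SAVEIT_BASE/log-DATE.
# SAVEIT_BASE is a variable introduced for this example; it defaults to the
# /Backup.d directory used on the page.

SAVEIT_BASE=${SAVEIT_BASE:-/Backup.d}

saveit() {
  [ $# -eq 1 ] || { echo "usage: saveit FILE" >&2; return 2; }
  src=$1
  [ -f "$src" ] || { echo "saveit: $src: not a regular file" >&2; return 1; }

  day=$(date +%Y%m%d)
  # Absolute path of the source, so its directory tree can be mirrored
  # under the dated backup directory.
  abs=$(cd "$(dirname "$src")" && pwd)/$(basename "$src")
  dest_dir=$SAVEIT_BASE/$day$(dirname "$abs")
  mkdir -p "$dest_dir" || return 1

  dest=$dest_dir/$(basename "$abs")
  # Second save of the same file today: leave the first copy untouched and
  # store this one with a time postfix (two saves within the same minute
  # would overwrite each other).
  [ -e "$dest" ] && dest=$dest.$(date +%H:%M)

  # -p keeps mode, owner and timestamps, so the copy documents more than
  # the file's content.
  cp -p "$abs" "$dest" || return 1
  echo "copying file $(basename "$abs") ===> $dest"
  printf '%s %s saved %s as %s\n' \
    "$(date '+%Y-%m-%d %H:%M')" "$(id -un)" "$abs" "$dest" \
    >> "$SAVEIT_BASE/log-$day"
}
```

Usage is the same as in the session above: "saveit vfstab" from within /etc, before editing the file. Because the backup tree mirrors the original paths, restoring is a plain copy back, and the log answers "who changed what, and when" during an incident review.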
Linux on Sun SPARC: www.ultralinux.org
Mandrake User and Reference Manual (also in /doc on the Mandrake CD)
Files included with this article: monitor_socket.pl,
monitor_processes.pl, trip_linux.sh, trip_host.sh, logcheck.sh, tui-generated-raw-config, sshd,
Saveit script: original Spanish version: saveit-sp.sh, my tweaked version: saveit
(less verbose messages, fix for OpenBSD, English translations, if target exists save with
a time postfix).
Klaxon and tocsin: www.eng.auburn.edu/users/doug/second.html
Tripwire:
Free version V1.2: www.cert.org/ftp/tools/tripwire
(last updated in 1994). It was difficult to find rpms, but I eventually found them at www.lj.net/~jht/rpms
Commercial version: www.tripwiresecurity.com
(starts at $495.-/server) also runs on NT.
OpenSource version: www.tripwire.org Planned for late 2000, on Linux only.
Sample tools for analysing logs:
(see also my improved version of logcheck.sh)
All About SSH Part I and Part II, an article written for SecurityPortal by the author.
All about SSH - Part I securityportal.com/direct.cgi?/research/ssh-part1.html,
All about SSH - Part II securityportal.com/direct.cgi?/research/ssh-part2.html
Downloading SSH sources:
SSH1 sources: ssh-1.2.30.tar.gz from ftp.cs.hut.fi/pub/ssh
OpenSSH sources: www.OpenSSH.com
Downloading rpm binaries:
SSH1 for RH SPARC: ftp.zedz.net/pub/crypto/linux/redhat/sparc
OpenSSH and SSH1 for RH x86: ftp.zedz.net/pub/crypto/linux/redhat/i386
OpenSSH for Mandrake x86: ftp.zedz.net/pub/crypto/linux/mandrake/7.0
AIDE, a GPL file integrity checker: www.cs.tut.fi/~rammer/aide.html
Security Knowledge Base:
- File system considerations in Linux kben10000036.html
- XNTP - accurate time synchronization for Linux kben10000029.html
- Linux kernel security patches kben10000021.html
- Securing the Linux console kben10000016.html
- Securing the LILO bootloader kben10000002.html
- Secure administrative access tools for Linux kben10000011.html
- Limiting user access to cron kben10000014
- Article Index www.securityportal.com/lskb/articles
New reports on Bastille or Linux Hardening since April'00:
- Walkthrough, by Jay Beale [STALE LINKS]
- Building a Secure Gateway System, by Chris Stoddard
- Shredding Access in the Name of Security: Set UID Audits, by Jay Beale [STALE LINKS]
- Why Do I Have to Tighten Security on My System?, by Jay Beale [STALE LINKS]
- How Do I Tighten Security on My System?, by Jay Beale [STALE LINKS]
Patching RedHat, tools: rh-errata
(tcp connections, content filtering, encryption, authentication)
secure syslog www.core-sdi.com/english/slogging/ssyslog.html
(tcp connections & SSL)
Security Advisories: www.cert.org,
CERT provide several useful firewall/hardening/intrusion detection papers online www.cert.org/tech_tips.
Security Newsletters: SecurityPortal,
25.Apr.'00 Improve tripwire, ssh, references, Mandrake.
Spelling. Feedback from Kurt+Jay.
29.Apr.'00 Initial Publication
28.Jun.'00 Add links to new reports,
Correct links and snort.
09.Aug.'00 New: saveit, Update: Bastille 1.1, Links.
19.Dec.'00 Update for RH7
Last Update: 11 December, 2001
Seán Boran is an IT security consultant based
in Switzerland and the author of the online IT Security Cookbook.
© Copyright 2001, Sean.Boran, All Rights Reserved
By default, after 20 reboots (mounts) the filesystems are checked (fsck).
If you have several filesystems, it's better to stagger the checking so that all
filesystems are not checked at the same time, avoiding a slow "21st reboot".
Each filesystem has a mount count which can be interrogated with:
dumpe2fs /dev/hda1 | grep 'Mount count'
Set this to a staggered number between 1 and 19 with tune2fs, for example:
tune2fs -C 6 /dev/hda1
tune2fs -C 12 /dev/hda4
tune2fs -C 18 /dev/hda7
Warning: umount filesystems before running tune2fs.
The number of reboots between checks, or the maximum time between checks, can also be changed:
tune2fs -c 10 /dev/hda1 [check every 10 reboots]
tune2fs -i 5 /dev/hda1 [check every 5 days]