
Hardening RedHat Linux with Bastille

Securely installing a bastion host

By Seán Boran

This article presents a concise step-by-step approach to securely installing RedHat Linux for use in a firewall DMZ or other sensitive environment, using Bastille. Linux has progressed rapidly and can be configured to be as secure as, if not more secure than, commercial UNIX.

The focus in this article is on RedHat 6.2 on SPARC + x86, RedHat7 on x86 and Mandrake 7.0 on x86.

DRAFT: Includes bastille 1.1.1

We welcome your feedback on this article.


Table of Contents:

  1. Preparation
  2. Initial OS installation
  3. Install SSH
  4. Bastille: Introduction, Running, Checking, Problems.
  5. Installing tools & sysadmin software
  6. Patches and Logging
  7. Integrity Checking and backup
  8. Install, test, harden applications.
  9. Going Live

Regular maintenance
Additional Notes
References
Changes to this article


1. Preparation


2. Initial OS installation

On x86 hardware, screen, keyboard and mouse are needed. Boot from CDROM or the boot floppy and choose install.

On SPARC hardware, the entire installation can be done without screen or keyboard (also called a "headless server"). Connect the serial console, switch on, halt to the OK prompt by sending a Stop-A (~#, ~%b, or F5 depending on whether you use tip, cu or a vt100 terminal), then start the installation procedure:  boot cdrom - install.

The RedHat install is pretty buggy and options differ between releases:

The Mandrake 7.0 install does not suffer from these shortcomings.

So, choose a server or custom install, set hostname, IP parameters, timezone, etc. Don't enable any naming services like NIS or NFS. Choose manual disk partitioning:

Set a strong password (at least 8 characters, with numbers, letters and punctuation) for root. Create an additional test user, as you won't be able to log in over the network as root.

The "init level" should be set to 3 (command line login), rather than 5 (graphical login). If a GUI is needed, it can always be started manually with startx.

To allow logins via 'serial port A' on x86 hardware, which is useful for troubleshooting, installations and getting to know the command line (it is not necessary for headless SPARCs, which do this automatically), add the following to /etc/inittab:
con:23:respawn:/sbin/getty ttyS0 VC

To allow root to log in via this serial port, add ttyS0 to /etc/securetty:
echo "ttyS0" >> /etc/securetty



3. Install SSH

Install SSH, the secure Shell for login access (Bastille can do this, but you need Internet access, I had problems with SPARC, and prefer to know exactly what options are used to compile SSH). SSH is already included in some distributions, such as Redhat7.

There are two key implementations for Linux, 'ssh1' and 'OpenSSH'; here we use ssh1 as an example. OpenSSH is more interesting in some ways, but ssh1 also supports SecurID (which is useful to me). See also [7] for a detailed discussion of SSH and its various implementations.

Either download sources or RPMs (see sites listed under [7]):

1) Sources: 
zcat ssh-1.2.30.tar.gz | tar xf - 
cd ssh-1.2.30; ./configure --prefix=/usr --without-none --without-rsh --without-idea
make && make install

2) RPMs (SPARC example shown):
rpm -i ssh-1.2.30-7i.sparc.rpm        ssh-clients-1.2.27-7i.sparc.rpm
rpm -i ssh-extras-1.2.30-7i.sparc.rpm ssh-server-1.2.27-7i.sparc.rpm

Copy a startup file (example sshd) to /etc/rc.d/init.d/sshd and setup links, unless it was done as part of the previous step.
chkconfig --add sshd

Configure an appropriate /etc/sshd_config file (see also [7]), so that access is restricted to named hosts with known public keys (/etc/ssh_known_hosts) and rhosts authentication is disabled. Avoid trusts. Only allow specific users and hosts to access SSH.

Deny daemon accounts access, for example:
DenyUsers daemon bin sync adm lp shutdown halt mail news uucp nobody operator sympa squid postgres gopher postfix xfs
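As an added check, not from the article or the SSH distribution, the following script audits an ssh1-style sshd_config for the restrictions just described: rhosts trust off, root login denied, empty passwords refused, and AllowUsers/AllowHosts/DenyUsers present. The directive names are those of the ssh-1.2.x sshd_config; the two sample configs it writes (sshd_config.default and sshd_config.hardened) and the host/user names in them are constructed for the demo.

```sh
#!/bin/sh
# Added example (not from the article or the SSH distribution): audit an ssh1-style
# /etc/sshd_config for the restrictions described above. Directive names are those of
# the ssh-1.2.x sshd_config; the two sample configs written below are constructed.

# Print the effective value of a directive (last occurrence wins; comments ignored).
sshd_get() {   # $1 = config file, $2 = directive name (case-insensitive)
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[[:space:]]+/, ""); val = $0 }
        END { print val }' "$1"
}

# Report a directive whose effective value is not the expected one (returns 1 if so).
expect_value() {   # $1 = config, $2 = directive, $3 = expected value (lower-case)
    v=$(sshd_get "$1" "$2")
    [ "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" = "$3" ] && return 0
    echo "$1: $2 should be '$3' (found '${v:-unset}')"
    return 1
}

# Report a directive that must be present and non-empty (returns 1 if missing).
expect_set() {     # $1 = config, $2 = directive
    [ -n "$(sshd_get "$1" "$2")" ] && return 0
    echo "$1: $2 is not set"
    return 1
}

# Run all checks; prints one line per finding and returns the number of findings.
audit_sshd_config() {   # $1 = config file
    n=0
    expect_value "$1" RhostsAuthentication no    || n=$((n + 1))   # no plain rhosts trust
    expect_value "$1" RhostsRSAAuthentication no || n=$((n + 1))   # no rhosts+hostkey trust
    expect_value "$1" IgnoreRhosts yes           || n=$((n + 1))   # ignore ~/.rhosts, ~/.shosts
    expect_value "$1" PermitRootLogin no         || n=$((n + 1))   # log in as a user, then su
    expect_value "$1" PermitEmptyPasswords no    || n=$((n + 1))
    expect_set   "$1" AllowUsers                 || n=$((n + 1))   # named users only
    expect_set   "$1" AllowHosts                 || n=$((n + 1))   # named hosts only
    expect_set   "$1" DenyUsers                  || n=$((n + 1))   # daemon accounts denied
    return $n
}

# Constructed samples: a permissive default-style config and a hardened one.
write_sample_configs() {   # $1 = directory to write into
    cat > "$1/sshd_config.default" <<'EOF'
Port 22
PermitRootLogin yes
RhostsAuthentication yes
RhostsRSAAuthentication yes
RSAAuthentication yes
IgnoreRhosts no
PermitEmptyPasswords yes
EOF
    cat > "$1/sshd_config.hardened" <<'EOF'
Port 22
PermitRootLogin no
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
IgnoreRhosts yes
PermitEmptyPasswords no
AllowUsers admin@mgmt.example.com
AllowHosts mgmt.example.com
DenyUsers daemon bin sync adm lp shutdown halt mail news uucp nobody operator
EOF
}

# Demo: audit both constructed samples and list the findings.
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
for f in "$demo_dir"/sshd_config.*; do
    if audit_sshd_config "$f"; then echo "$f: no findings"; fi
done
rm -rf "$demo_dir"
```

In use, run audit_sshd_config /etc/sshd_config after editing the file and again after each upgrade of the ssh package.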



4. Bastille

Introduction

Bastille is a set of open source scripts designed to harden a virgin Red Hat 6.0 or 6.1 installation (6.2 support is planned soon). The first release was in December 1999 and significant progress has been made since; V1.1 (released June 2000) was used here. What does Bastille do? Unneeded daemons are stopped, logging is enabled and improved, SUID and file permissions are tightened, account security is improved and even a chroot environment is provided for DNS servers.
Note that Bastille does not run on other Linux variants such as SuSE (which have their own mechanisms and different startup files).

Both an automated and an interactive interface are available. The text-based menus of the interactive install are very useful for explaining the different options involved, and they generate a configuration file (tui-generated-raw-config) which is used in the next step by the Bastille back end to do the actual hardening. The configuration file can be edited or copied to other machines to speed up hardening.

Running Bastille
  1. Download Bastille and extract into /root.
  2. Shut down the network interface during this next phase, just in case (the interface name may vary):
    ifconfig eth0 down

  3. Run the Bastille interactive script:
    cd /root/Bastille; ./InteractiveBastille.pl

    Note: On SPARC the Interactive script won't work:
    Can't load './Curses.so' for module Curses: ./Curses.so: ELF file data encoding not big-endian at /usr/lib/perl5/5.00503/sparc-linux/DynaLoader.pm line 169.
    Fix: Download Curses-1.02.tar.gz from CPAN and install:
    perl Makefile.PL; make && make install
    Then change to the Bastille dir & remove the i386 Curses library:
    cd /root/run-Bastille; mv Curses.* /tmp;
    And run InteractiveBastille.pl again.

    InteractiveBastille.pl runs through the hardening setup step by step, asking the user what should or should not be tightened down. Unneeded daemons are stopped, logging enabled, SUID and file permissions tightened, account security improved and even a chroot environment is provided for DNS servers.
    Default answers except for the following were used (see tui-generated-raw-config):

  4. Start the actual hardening process:
    ./BackEnd.pl < config > screen.log

Bug: the first time BackEnd fails with the following message:
# ./BackEnd.pl < config > screen.log
/bin/cp: /etc/banners: omitting directory

Run it again and it works fine!

Checking the results
  1. Review the log of the hardening process: /root/Bastille/screen.log and /root/bastille-action-log
  2. Reboot.
  3. Log in as root and check the process list; it should be something like:

    tests# ps -ef
    UID PID PPID C STIME TTY TIME CMD
    root 1 0 10 17:07 ? 00:00:03 init [3]
    root 2 1 0 17:07 ? 00:00:00 [kflushd]
    root 3 1 0 17:07 ? 00:00:00 [kupdate]
    root 4 1 0 17:07 ? 00:00:00 [kpiod]
    root 5 1 0 17:07 ? 00:00:00 [kswapd]
    root 6 1 0 17:08 ? 00:00:00 [mdrecoveryd]
    root 276 1 1 17:08 ? 00:00:00 syslogd -m 0 -a /home/dns/dev/lo
    root 286 1 0 17:08 ? 00:00:00 klogd
    root 301 1 0 17:08 ? 00:00:00 crond
    root 310 1 3 17:08 ? 00:00:00 /usr/sbin/sshd
    root 369 1 0 17:08 ttyS0 00:00:00 login -- root
    root 370 1 0 17:08 tty1 00:00:00 /sbin/mingetty tty1
    root 371 1 0 17:08 tty2 00:00:00 /sbin/mingetty tty2
    root 372 1 0 17:08 tty3 00:00:00 /sbin/mingetty tty3
    root 373 1 0 17:08 tty4 00:00:00 /sbin/mingetty tty4
    root 374 1 0 17:08 tty5 00:00:00 /sbin/mingetty tty5
    root 375 1 0 17:08 tty6 00:00:00 /sbin/mingetty tty6
    root 378 369 1 17:08 ttyS0 00:00:00 -bash
    root 390 378 0 17:08 ttyS0 00:00:00 ps -ef

  4. Check the network connections, for example:

# netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:ssh *:* LISTEN
raw 0 0 *:icmp *:* 7
raw 0 0 *:tcp *:* 7
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 3 [ ] DGRAM 239 /dev/log
unix 0 [ ] STREAM CONNECTED 108 @0000000f
unix 0 [ ] DGRAM 241 /home/dns/dev/log
unix 0 [ ] DGRAM 353
unix 0 [ ] DGRAM 282
unix 0 [ ] DGRAM 254
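The two checks above (process list and network connections) can be scripted so they are repeatable after every Bastille run. The following added script, not part of the article, reads `ps -ef` and `netstat -a` output from stdin and reports required daemons that are missing and TCP listeners outside an allow list. The sample output embedded below is constructed to resemble the listings above, with an extra telnet listener left in on purpose so the check has something to report; the function names are this example's own.

```sh
#!/bin/sh
# Added example (not part of the article): automate the post-Bastille checks above by
# reading `ps -ef` and `netstat -a` output from stdin. The sample output embedded below
# is constructed to resemble the article's listings, with one extra listener (telnet)
# left in on purpose so the check has something to report.

# Print TCP listeners whose local service is not in the allow list; returns 1 if any.
unexpected_listeners() {   # usage: netstat -a | unexpected_listeners ssh [service...]
    allowed=" $* "; bad=0
    while read -r proto rq sq laddr faddr state rest; do
        [ "$state" = "LISTEN" ] || continue       # skip headers, raw and unix sockets
        svc=${laddr##*:}                          # "*:ssh" -> "ssh", "0.0.0.0:22" -> "22"
        case "$allowed" in
            *" $svc "*) ;;
            *) echo "unexpected listener: $proto $laddr"; bad=1 ;;
        esac
    done
    return $bad
}

# Print required daemons that do not appear in the process list; returns 1 if any.
missing_processes() {      # usage: ps -ef | missing_processes syslogd klogd crond sshd
    table=$(cat); bad=0
    for d in "$@"; do
        # CMD starts at field 8 of `ps -ef`; compare its basename with the daemon name
        if ! printf '%s\n' "$table" | awk -v d="$d" '
                NR > 1 { cmd = $8; sub(/.*\//, "", cmd); if (cmd == d) found = 1 }
                END { exit (found ? 0 : 1) }'; then
            echo "not running: $d"; bad=1
        fi
    done
    return $bad
}

# Constructed sample output, modelled on the listings in the article.
SAMPLE_PS='UID PID PPID C STIME TTY TIME CMD
root 1 0 10 17:07 ? 00:00:03 init [3]
root 276 1 1 17:08 ? 00:00:00 syslogd -m 0 -a /home/dns/dev/log
root 286 1 0 17:08 ? 00:00:00 klogd
root 301 1 0 17:08 ? 00:00:00 crond
root 310 1 3 17:08 ? 00:00:00 /usr/sbin/sshd
root 378 369 1 17:08 ttyS0 00:00:00 -bash'

SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 *:telnet *:* LISTEN
raw 0 0 *:icmp *:* 7
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 3 [ ] DGRAM 239 /dev/log'

echo "== listeners outside the allow list (ssh only):"
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners ssh || echo "   (review these before going live)"
echo "== required daemons:"
printf '%s\n' "$SAMPLE_PS" | missing_processes syslogd klogd crond sshd && echo "   all present"
```

On the real host, replace the printf lines with `netstat -a | unexpected_listeners ssh` and `ps -ef | missing_processes syslogd klogd crond sshd`.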

Bastille Problems/limitations

The Bastille Linux hardening script is a community consensus project: it attempts to integrate existing "best practices" documents and the shared knowledge of many administrators.
The Bastille team are to be congratulated on their good work, but a few problems have been noticed. It has been indicated that the following problems should be addressed in future releases, together with support for RH6.2.



5. Installing tools & sysadmin software

At this stage standard tools/utilities are going to be installed. These tools should already have been compiled and tested extensively on another machine. They are typically transferred as tar files, by CD or FTP.  Some of the following settings can also be configured via linuxconf.


6. Patches and Logging

Patches

Patch management is still very basic in Linux: there is no unique numbering, no dedicated tools for automated checking of patch levels (as Solaris has, for example), and no "patch bundles" to quickly bring your system up to a current level.

For RedHat 6.1, patches can be found at www.redhat.com/errata. Security advisories, bug fixes and package updates are on offer. Mandrake updates are at www.linux-mandrake.com/en/fupdates.php3, and Mandrake also offers a nice patch checking and installation tool under KDE that is worth trying out.
Only select patches that are relevant to tools/applications actually in use on your system.
Once you have downloaded the relevant patches, apply them:

rpm -Uvh filename.rpm

There are also specific kernel patches to add security features such as strong crypto to the kernel, see [9].

Configure logging:

Syslog logging: The additional syslog configuration set up by Bastille is useful, but only on hosts with local logging or on loghosts (syslog servers).

Syslog "clients": It is suggested that most hosts log to a central loghost, with an /etc/syslog.conf such as the following:

# syslog.conf for clients
#
# send all messages to "loghost":
*.* @loghost
*.emerg *
# Save boot messages also to boot.log
local7.* /var/log/boot.log
# Log all logins to /var/log/loginlog
auth.*;user.*;daemon.none /var/log/loginlog

# Log additional data to the Alt-F7 and Alt-F8 screens (TTY 7 and 8)
*.info;mail.none;authpriv.none /dev/tty7
authpriv.* /dev/tty7
*.warn;*.err /dev/tty7
kern.* /dev/tty7
mail.* /dev/tty8
###########

Syslog "loghost"

Give the loghost a whopping great /var disk for logs.
Use the default syslog.conf, with the additions from Bastille.
Set up log pruning as described below.

Root cron entries:

## Synchronise the time:
0,15,30,45 * * * * /usr/bin/rdate timehost1 >/dev/null 2>&1

# process the mail queue hourly during the week:
0 * * * 1-5 /usr/lib/sendmail -q

File permissions: tighten more permissions, and restrict certain tools to root or disable:

chmod u-s /usr/sbin/sendmail       #Not for mailgateways or multi-user hosts
chmod 400 /.shosts
chmod 444 /etc/sshd_config /etc/ssh_known_hosts

Documentation:

Document configuration changes in a text file such as /etc/mods, update after each change, with date, author, files affected, description.
cat > /etc/mods <<EOF
19.12.00  sb  New install of RH6.1+Bastille & tools according to hardening guidelines
EOF

Banners:

Change login banners to warn users about unauthorised access; you will need this if you want to prosecute intruders. Edit /etc/issue (for pre-login) and /etc/motd (for post-login). Bastille does not change /etc/issue; one might want to remove indications of the operating system type and add a warning banner (especially when the console is not in a secured room).

Reboot.

Test - Do SSH and the standard tools work? Check log entries, check console messages. Does the system behave as expected?



7. Integrity Checking and backup

At this stage, we need to install a file integrity checker that uses secure hashing algorithms, initialise its database and run regular checks to monitor for changes. If possible, keep the master database on another machine, offline, or on write-once media. Even if you can't run regular checks, take a master copy and store it on a floppy; it will be a great help in detecting what has changed, should the system be penetrated at a later stage.

What options do we have for integrity checking?

An example using the free Tripwire Version 1.2:
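The Tripwire example itself is not reproduced here. As an added illustration of the baseline-and-compare idea described above (not Tripwire, and not the article's configuration), the script below records a SHA-256 digest plus mode and owner for every regular file under a tree, then reports files added, removed or changed since the baseline. It assumes GNU coreutils (sha256sum, stat, join); the function names are this example's own and the sample tree in demo() is constructed.

```sh
#!/bin/sh
# Added illustration (not Tripwire and not the article's configuration): a minimal
# baseline-and-compare integrity check in the spirit of the section above. It records
# SHA-256 digest, mode and owner for every regular file under a tree, then reports files
# added, removed or changed since the baseline. Needs GNU coreutils (sha256sum, stat,
# join). Paths containing '|' are not supported. The sample tree in demo() is constructed.

# Write "path|mode owner group|sha256" for each regular file under $1 into database $2.
integrity_init() {   # $1 = directory to baseline, $2 = database file
    find "$1" -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s|%s|%s\n' "$f" "$(stat -c '%a %U %G' "$f")" "$(sha256sum "$f" | cut -d' ' -f1)"
    done > "$2"
}

# Compare the tree against the database; prints one line per difference, returns 1 if any.
integrity_check() {  # $1 = directory, $2 = database file
    cur=$(mktemp)
    integrity_init "$1" "$cur"
    # full outer join on the path; MISSING marks the side where the file does not exist
    changes=$(LC_ALL=C join -t '|' -a 1 -a 2 -e MISSING -o 0,1.2,1.3,2.2,2.3 "$2" "$cur" |
        awk -F'|' '
            $2 == "MISSING" { print "added:   " $1; next }
            $4 == "MISSING" { print "removed: " $1; next }
            $3 != $5        { print "changed: " $1 " (content)"; next }
            $2 != $4        { print "changed: " $1 " (mode/owner " $2 " -> " $4 ")" }')
    rm -f "$cur"
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}

# Demo on a constructed tree: take a baseline, tamper with the tree, re-check.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/tree/etc"
    printf 'root:x:0:0::/root:/bin/bash\n' > "$t/tree/etc/passwd"
    printf 'PermitRootLogin no\n' > "$t/tree/etc/sshd_config"
    integrity_init "$t/tree" "$t/baseline.db"        # keep this copy off the host in practice
    integrity_check "$t/tree" "$t/baseline.db" && echo "baseline check: clean"
    printf 'PermitRootLogin yes\n' > "$t/tree/etc/sshd_config"   # content change
    chmod 666 "$t/tree/etc/passwd"                                # permission change
    : > "$t/tree/etc/extra"                                       # new file
    integrity_check "$t/tree" "$t/baseline.db" || echo "integrity check: differences found"
    rm -rf "$t"
}
demo
```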


8. Install, test, harden applications

Depending on the function of the server, applications such as ftpd, BIND, proxies, etc. are installed at this point.

Hardening of specific applications like ftp, DNS, Email and also general application tips are discussed in a separate document [16].


9. Going Live


Preparing to go live

Consider installing a script to check that important daemons are running. Install monitor_processes.pl and add a root cron entry:
## Check that important processes are running during office hours:
## [If you run 7x24, modify accordingly]
0,30 8-19 * * 1-5 /secure/monitor_processes.pl inetd sshd httpd

If data partitions had to be mounted read-write during the application install/testing, consider mounting them read-only now.

Reinitialise tripwire (or equivalent integrity checker).

Backup the system, again to two tapes, one offsite.

Run a network scan on the system, to ensure that only expected services are visible. A commercial tool such as ISS or a free one like Nessus, nmap or Satan should do the job. Print out the results and archive.

If possible, have additional people do the final testing, just in case something was forgotten. Test in detail - What works? What is forbidden? Check console/log entries. Does the system behave as expected? Watch the logs very frequently during the first few days of production.

Going Live

Test in detail. Check log entries. Does the system behave as expected?

Have applications been tested in detail, by different people with different points of view, from different access points on the network?



Regular maintenance

The following activities should take place hourly, daily, weekly or monthly, depending on how critical the system is:


Additional Notes

This article has been very specific, in the interest of making it practical. However, each security administrator has his own methods and each site has different requirements.



References

[0] www.RedHat.com   www.mandrake.com
Linux on Sun SPARC: www.ultralinux.org   www.sparclinux.com 
[1] sourceforge.net/projects/bastille-linux   www.Bastille-Linux.org
[2] Mandrake User and Reference Manual (also in /doc on the Mandrake CD)
www.linux-mandrake.com/userguide/en/reference/000.html
[3] Scripts/configs included with this article: monitor_socket.pl, monitor_processes.pl, trip_linux.sh, trip_host.sh, logcheck.sh, tui-generated-raw-config, sshd, msec.txt.

Saveit script:
Original Spanish version: saveit-sp.sh; my tweaked version: saveit (less verbose messages, fix for OpenBSD, English translations, if target exists save with a time postfix).
[4] Klaxon and tocsin www.eng.auburn.edu/users/doug/second.html
[5] Tripwire:
Free version V1.2 www.cert.org/ftp/tools/tripwire (last updated in 1994). It was difficult to find rpms, but I eventually found them at www.lj.net/~jht/rpms
Commercial Version www.tripwiresecurity.com (starts at $495.-/server) also runs on NT.
OpenSource Version www.tripwire.org Planned for late 2000, on Linux only.
Sunworld article.
[6] Sample tools for analysing logs:
Logcheck www.psionic.com/abacus/logcheck (see also my improved version of logcheck.sh)
Swatch ftp.stanford.edu/general/security-tools/swatch
[7] All About SSH Part I and Part II, an article written for SecurityPortal by the author.
All about SSH - Part I securityportal.com/direct.cgi?/research/ssh-part1.html
All about SSH - Part II securityportal.com/direct.cgi?/research/ssh-part2.html
Downloading SSH Sources:
SSH1 sources: ssh-1.2.30.tar.gz from ftp.cs.hut.fi/pub/ssh
OpenSSH sources: www.OpenSSH.com

Downloading rpm binaries:
SSH1 for RH SPARC ftp.zedz.net/pub/crypto/linux/redhat/sparc
OpenSSH and SSH1 for RH x86: ftp.zedz.net/pub/crypto/linux/redhat/i386
OpenSSH for Mandrake x86:  ftp.zedz.net/pub/crypto/linux/mandrake/7.0
   ftp.sunet.se/pub/Linux/distributions/mandrake-crypto
Also:
  ftp.cryptoarchive.net
  www.cryptoarchive.net/ftp.cryptoarchive.net/SSH/OpenSSH
[8] AIDE, a GPL file integrity checker. www.cs.tut.fi/~rammer/aide.html
[9] SecurityPortal's Linux Security Knowledge Base
  1. File system considerations in Linux kben10000036.html
  2. XNTP - accurate time synchronization for Linux kben10000029.html
  3. Linux kernel security patches kben10000021.html
  4. Securing the Linux console kben10000016.html
  5. Securing the LILO bootloader kben10000002.html
  6. Secure administrative access tools for Linux kben10000011.html, kben10000012, kben10000013, kben10000014.
  7. Limiting user access to cron kben10000014.
  8. Article Index www.securityportal.com/lskb/articles
[10] New reports on Bastille or Linux Hardening since April'00:
- Bastille Walkthrough, by Jay Beale [STALE LINKS]
- Building a Secure Gateway System, By Chris Stoddard
- Shredding Access in the Name of Security: Set UID Audits, by Jay Beale [STALE LINKS]
- Why Do I Have to Tighten Security on My System?, by Jay Beale [STALE LINKS]
- How Do I Tighten Security on My System?, by Jay Beale [STALE LINKS]
[11] Patching RedHat, tools: rh-errata
[16] Hardening Applications
[17] syslog replacements:
syslog-ng www.balabit.hu/products/syslog-ng (tcp connections, content filtering, encryption, authentication)
secure syslog  www.core-sdi.com/english/slogging/ssyslog.html
Nsyslogd coombs.anu.edu.au/~avalon/nsyslog.html (tcp connections & SSL)
[18] Security Advisories: www.cert.org, www.first.org, www.ciac.org
CERT provide several useful firewall/hardening/intrusion detection papers online www.cert.org/tech_tips.
[19] Security Newsletters: SecurityPortal, SecurityFocus, SANS.


Other links:


Changes to this article

25.Apr.'00  Improve tripwire, ssh, references, Mandrake. Spelling. Feedback from Kurt+Jay.
29.Apr.'00  Initial Publication
28.Jun.'00  Add links to new reports [10], Correct links[9] and snort.
09.Aug.'00 New: saveit, Update: Bastille 1.1, Links.
19.Dec.'00 Update for RH7

Last Update: 11 December, 2001


Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

© Copyright 2001, Sean.Boran, All Rights Reserved

By default the filesystems are checked (fsck) after every 20 reboots (strictly, every 20 mounts). If you have several filesystems, it's better to stagger the checking so that they are not all checked at the same reboot, which would otherwise make that 21st reboot very slow.

Each filesystem has a mount count which can be interrogated as follows:
dumpe2fs /dev/hda1 | grep 'Mount count'

Set this to a staggered number between 1 and 19 with tune2fs, for example:
tune2fs -C 6 /dev/hda1
tune2fs -C 12 /dev/hda4
tune2fs -C 18 /dev/hda7

Warning: unmount filesystems before running tune2fs.

The number of reboots between checks, or the maximum time between checks, can also be changed:
tune2fs -c 10 /dev/hda1    [check every 10 reboots]
tune2fs -i 5 /dev/hda1     [check every 5 days]