Tuesday, September 13, 2011

Linux Security tips

1. Use encrypted channels
scp, ssh (OpenSSH), rsync over ssh, or sftp for file transfer
sshfs for remote filesystems
GnuPG/OpenPGP for files and mail
SSL/TLS for Apache (mod_ssl)
Avoid FTP, Telnet and rlogin/rsh: they send credentials and data in clear text

2. Remove unnecessary software and services

3. Enable disk quotas
 - add usrquota/grpquota to the filesystem in /etc/fstab, remount the filesystem(s), create the quota database files (quotacheck), assign the quota policy (edquota)


4. Keep the Linux kernel and software up to date; apply patches promptly
5. Use Linux security extensions such as SELinux

6. Strong user account/password policy
    - password aging (chage), maximum failed logins, force a password change on first login
    - account locking strategy, restrict reuse of previous passwords
#chage -l userName                       ### show the current aging settings
#chage -M 99999 userName                 ### max 99999 days: aging effectively disabled (the default)
#chage -M 60 -m 7 -W 7 userName          ### expire after 60 days, at least 7 days between changes, warn 7 days before expiry
#faillog  ###checking /var/log/faillog
#faillog -r -u userName  ###reset the failure counter (unlock)
#passwd -l userName; passwd -u userName        ###lock and unlock accounts
# awk -F: '($2 == "") {print}' /etc/shadow            ###find accounts with an empty password field (no password needed to log in)
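The empty-password check above, generalized into a small audit of a shadow-format file; this is an added example and not part of the original post. It reports accounts with an empty password, accounts with a usable password but no aging (max days 99999, which is what the chage -M 99999 line sets), and locked or disabled accounts. The sample shadow lines are constructed with dummy hashes; on a real host run it against /etc/shadow as root.

```shell
#!/bin/sh
# Added example (not from the original post): audit a file in /etc/shadow
# format for weak account settings. Usage: audit_shadow /etc/shadow (as root).

# Constructed sample in /etc/shadow format; the hashes are shortened dummies.
# Fields: name:password:lastchange:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW='root:$6$salt$dummyhash:19000:0:99999:7:::
alice:$6$salt$dummyhash:19000:7:60:7:::
bob::19000:0:99999:7:::
svc:!!:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::'

# Accounts whose password field is empty: login succeeds without a password.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Accounts with a usable password (not locked/disabled) whose max-days field
# is empty or >= 99999, i.e. the password never has to be changed.
no_aging_accounts() {
    awk -F: '$2 != "" && $2 !~ /^[!*]/ && ($5 == "" || $5 + 0 >= 99999) { print $1 }' "$1"
}

# Accounts whose password is locked ("!" prefix, as passwd -l sets) or disabled ("*").
locked_accounts() {
    awk -F: '$2 ~ /^[!*]/ { print $1 }' "$1"
}

audit_shadow() {
    printf 'empty password: %s\n' "$(empty_password_accounts "$1" | tr '\n' ' ')"
    printf 'no aging:       %s\n' "$(no_aging_accounts "$1" | tr '\n' ' ')"
    printf 'locked:         %s\n' "$(locked_accounts "$1" | tr '\n' ' ')"
}

# Stand-alone run against the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_SHADOW" > "$tmp"
audit_shadow "$tmp"
rm -f "$tmp"
```

On the sample this reports bob (empty password), root (password set, never expires) and svc/daemon (locked). Service accounts with "*" or "!!" are expected; a human account showing up under "no aging" is what the chage -M 60 line above is for.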

7. Log in as a normal user and use sudo; disable direct root login (PermitRootLogin no in sshd_config)
8. Control physical access: server room, BIOS password, booting from DVD/CD-ROM and USB disabled, etc.

9. Check listening network ports, close the unnecessary ones
#netstat -tulpn
#nmap -sT -O localhost;  nmap -sT -O server-FQDN     ### also scan from another host: a local scan does not show what the firewall blocks

10. Use iptables, TCP wrappers or another host-based firewall, plus an IDS/IPS

11. Kernel parameter hardening in /etc/sysctl.conf
Linux reads /etc/sysctl.conf at boot time; apply changes without rebooting with sysctl -p.
The net.ipv4.conf.all.* keys apply to existing interfaces; set the matching net.ipv4.conf.default.* keys too so interfaces added later get the same settings.

kernel.exec-shield=1          ### Turn on ExecShield (Red Hat kernels only; the key does not exist elsewhere)
kernel.randomize_va_space=2   ### Full ASLR (1 leaves the heap/brk unrandomized)
net.ipv4.conf.all.rp_filter=1   # Enable reverse-path filtering (IP spoofing protection)
net.ipv4.conf.all.accept_source_route=0   ### Disable IP source routing
net.ipv4.icmp_echo_ignore_broadcasts=1 ### Ignore ICMP echo requests to broadcast addresses (smurf amplification)
net.ipv4.icmp_ignore_bogus_error_messages=1   ### Do not log bogus ICMP error responses
net.ipv4.conf.all.log_martians = 1  ### Log packets with impossible (spoofed) source addresses

12. Separate disk partitions (may help performance; the security gain comes from the mount options below)
/usr, /home,  /var and /var/tmp,  /tmp
Edit /etc/fstab, add the following options to the user-writable filesystems (/tmp, /var/tmp, /home) and remount them:
noexec - Do not allow direct execution of binaries (a script can still be run by handing it to its interpreter, e.g. sh script.sh)
nodev - Do not interpret character or block special devices (prevents use of device files such as zero, sda, etc.)
nosuid - Ignore the SUID/SGID bits on this filesystem
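An added example, not from the original post: an audit of an fstab-format file for the options above. The fstab sample is constructed (device names are made up), and the set of mount points and required options is an assumption chosen to match the tip: nodev, nosuid and noexec on /tmp, /var/tmp and /dev/shm, but no noexec on /home, since that breaks users' own scripts.

```shell
#!/bin/sh
# Added example (not from the original post): check that the separate
# partitions from tip 12 carry the restrictive mount options.
# Reads an fstab-format file; on a real host run: audit_fstab /etc/fstab

# Constructed sample /etc/fstab; devices and sizes are invented.
SAMPLE_FSTAB='/dev/sda1  /          ext4  defaults                        1 1
/dev/sda2  /home      ext4  defaults,nodev,nosuid            1 2
/dev/sda3  /tmp       ext4  defaults,nodev,nosuid,noexec     1 2
/dev/sda4  /var/tmp   ext4  defaults                         1 2
tmpfs      /dev/shm   tmpfs defaults                         0 0'

# fstab_options FILE MOUNTPOINT -> the comma-separated option field
# (comment lines are skipped; empty output if the mount point is absent).
fstab_options() {
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $4 }' "$1"
}

# missing_options FILE MOUNTPOINT "opt opt ..." -> the wanted options not present
missing_options() {
    file=$1; mp=$2; wanted=$3
    opts=$(fstab_options "$file" "$mp")
    for o in $wanted; do
        case ",$opts," in
            *,"$o",*) ;;                 # option present
            *) printf '%s ' "$o" ;;
        esac
    done
}

# Assumed policy: everything on /tmp, /var/tmp and /dev/shm; nodev,nosuid on /home.
audit_fstab() {
    file=$1
    for spec in '/tmp:nodev nosuid noexec' '/var/tmp:nodev nosuid noexec' \
                '/home:nodev nosuid' '/dev/shm:nodev nosuid noexec'; do
        mp=${spec%%:*}; wanted=${spec#*:}
        if [ -z "$(fstab_options "$file" "$mp")" ]; then
            echo "$mp: not a separate mount in fstab"
            continue
        fi
        missing=$(missing_options "$file" "$mp" "$wanted")
        if [ -n "$missing" ]; then
            echo "$mp: missing $missing"
        else
            echo "$mp: ok"
        fi
    done
}

# Stand-alone run against the constructed sample.
tmp=$(mktemp); printf '%s\n' "$SAMPLE_FSTAB" > "$tmp"
audit_fstab "$tmp"
rm -f "$tmp"
```

On the sample, /tmp and /home pass while /var/tmp and /dev/shm are reported as missing all three options. After fixing fstab, the change takes effect only on remount (mount -o remount /var/tmp); a check of the running system should read findmnt or /proc/mounts rather than fstab.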

13. Disable unwanted SUID and SGID binaries, world-writable files and orphaned (unowned) files
A file with the SUID/SGID bit set runs with its owner's (or group's) privileges, so any bug in it becomes a privilege escalation.
Finding SUID/SGID files (the -perm +mode form is deprecated in GNU find; -perm /mode means "any of these bits")
#find / -perm /4000   ###See all set-user-ID files
# find / -perm /2000    ###See all set-group-ID files
#find / \( -perm -4000 -o -perm -2000 \) -print
#find / -path /proc -prune -o -type f -perm /6000 -ls     ###skip /proc

Find all world-writable directories without the sticky bit (anyone can delete or rename other users' files there):
#find /dir -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print

Files not owned by any valid user or valid group
#find /dir -xdev \( -nouser -o -nogroup \) -print
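The find commands of tip 13 as functions that take a directory, with a constructed test tree so the output can be checked before the commands are run against / as root. This is an added example, not from the original post; it uses the GNU find -perm /mode syntax.

```shell
#!/bin/sh
# Added example (not from the original post): the checks from tip 13 as
# functions over a directory. Run them on / as root for a real audit.

# Regular files with the SUID or SGID bit set (-perm /6000: either bit).
find_suid_sgid() {
    find "$1" -xdev -type f -perm /6000 -print
}

# World-writable directories without the sticky bit: anyone can delete or
# rename other users' files there. /tmp is world-writable but has the bit.
find_world_writable_dirs_no_sticky() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print
}

# World-writable regular files: any local user can change their contents.
find_world_writable_files() {
    find "$1" -xdev -type f -perm -0002 -print
}

# Files and directories whose owner or group no longer exists in
# /etc/passwd or /etc/group (leftovers of deleted accounts).
find_unowned() {
    find "$1" -xdev \( -nouser -o -nogroup \) -print
}

# Demonstration on a constructed tree (the real use is the functions above).
demo=$(mktemp -d)
mkdir "$demo/wwdir" "$demo/tmpdir"
: > "$demo/suidbin";  chmod 4755 "$demo/suidbin"   # set-user-ID file
: > "$demo/sgidbin";  chmod 2755 "$demo/sgidbin"   # set-group-ID file
: > "$demo/wwfile";   chmod 0666 "$demo/wwfile"    # world-writable file
chmod 0777 "$demo/wwdir"     # world-writable, no sticky bit: reported
chmod 1777 "$demo/tmpdir"    # world-writable with sticky bit, like /tmp: not reported
echo "SUID/SGID:";            find_suid_sgid "$demo"
echo "world-writable dirs:";  find_world_writable_dirs_no_sticky "$demo"
echo "world-writable files:"; find_world_writable_files "$demo"
rm -rf "$demo"
```

The expected action on a hit is chmod u-s / chmod g-s (or removing the package) for SUID binaries nobody needs, chmod o-w for files, and chmod +t or chmod o-w for directories; keep the list from a clean install so new entries stand out on the next run.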

14. Centralized AAA, logging and auditing
AAA - Kerberos, RADIUS, etc.
Logging - central syslog server, log rotation
Log monitoring - logwatch, logcheck
System accounting/auditing - auditd (rules in /etc/audit/audit.rules; /etc/audit.rules on older releases) for system startup and shutdown events (reboot/halt), date/time of the event, user, type of event, status (fail/success), etc.

15. Secure email
TLS certificates for the transport and GPG keys for the message content, on both server and client
Dovecot IMAPS/POP3S, Postfix SMTP with TLS (STARTTLS), Sendmail with TLS, etc.

Solaris printing

CUPS in Solaris

Solaris native commands and their CUPS equivalents:
/usr/bin/lp                              -> /opt/sfw/cups/bin/lp
/usr/bin/{lp,lpstat,cancel,enable,...}   -> /opt/sfw/cups/bin/{lp,lpstat,...}
/usr/sbin/{lpadmin,lpmove,accept,...}    -> /opt/sfw/cups/sbin/{lpadmin,lpmove,accept,...}

# mv /usr/bin/lp /usr/bin/lp.solaris
# ln -s /opt/sfw/cups/bin/lp /usr/bin/lp
Check that /opt/sfw/cups/bin:/opt/sfw/cups/sbin is in PATH.
/opt/sfw/cups/etc/cups/cupsd.conf <-- main config file
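An added example (not from the original post): the mv/ln step above for a whole list of commands at once, keeping a .solaris backup of each original, skipping commands CUPS does not provide, and with an undo function. Directory paths are passed as arguments; the demonstration at the end uses a throwaway temporary tree instead of /usr/bin.

```shell
#!/bin/sh
# Added example (not from the original post): swap Solaris lp front-ends for
# symlinks to the CUPS versions, reversibly.
# Real use: relink_to_cups /usr/bin /opt/sfw/cups/bin lp lpstat cancel
#           relink_to_cups /usr/sbin /opt/sfw/cups/sbin lpadmin lpmove accept

# relink_to_cups SYSDIR CUPSDIR CMD...
#   SYSDIR/CMD is renamed to SYSDIR/CMD.solaris (once; an existing backup is
#   never overwritten), then SYSDIR/CMD becomes a symlink to CUPSDIR/CMD.
relink_to_cups() {
    sysdir=$1; cupsdir=$2; shift 2
    for cmd in "$@"; do
        if [ ! -x "$cupsdir/$cmd" ]; then
            echo "skip $cmd: no $cupsdir/$cmd" >&2
            continue
        fi
        if [ -e "$sysdir/$cmd" ] && [ ! -L "$sysdir/$cmd" ]; then
            # keep the original binary so the change can be undone
            [ -e "$sysdir/$cmd.solaris" ] || mv "$sysdir/$cmd" "$sysdir/$cmd.solaris"
        fi
        ln -sf "$cupsdir/$cmd" "$sysdir/$cmd"
    done
}

# unlink_from_cups SYSDIR: restore every CMD.solaris backup found in SYSDIR.
unlink_from_cups() {
    sysdir=$1
    for bak in "$sysdir"/*.solaris; do
        [ -e "$bak" ] || continue
        cmd=${bak%.solaris}
        rm -f "$cmd" && mv "$bak" "$cmd"
    done
}

# Demonstration on a throwaway tree: "lp" is relinked, "cancel" is skipped
# because the fake CUPS directory does not ship it.
demo=$(mktemp -d); mkdir "$demo/bin" "$demo/cups"
printf 'solaris lp\n' > "$demo/bin/lp";  chmod 755 "$demo/bin/lp"
printf 'cups lp\n'    > "$demo/cups/lp"; chmod 755 "$demo/cups/lp"
relink_to_cups "$demo/bin" "$demo/cups" lp cancel
ls -l "$demo/bin"
unlink_from_cups "$demo/bin"
rm -rf "$demo"
```

Run it as root on the real directories only after confirming the CUPS scheduler works; the backups make "unlink_from_cups /usr/bin" a one-line rollback.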

Configure CUPS
# cp /opt/sfw/cups/etc/init.d/cups /etc/init.d   <-- Copy the start/stop script to /etc/init.d
# ln -s /etc/init.d/cups /etc/rc2.d/S99cups       <-- softlinks so the scheduler starts at boot (rc2) and stops at shutdown (rc1)
# ln -s /etc/init.d/cups /etc/rc1.d/K99cups
# /etc/init.d/cups {start|stop|status}            <-- start/stop/status the CUPS scheduler
#lpinfo -v                                   <-- see a list of supported devices
#lpadmin -p printer -E -v device -m ppd      <-- add a printer (-E after -p enables it and accepts jobs)
# lpadmin -p Laserjet -E -v socket://11.22.33.44 -m laserjet.ppd
# lpstat -v                                  <-- list configured printers, or use the GUI via web browser (http://localhost:631)
# lp -d printer filename                     <-- test printing
#vi /opt/sfw/cups/etc/cups/cupsd.conf        <-- change LogLevel from info to debug for debugging
Restart the scheduler to activate the change.
Check the files access_log and error_log in /opt/sfw/cups/var/log/cups

Deleting a printer / remote printer

#lpadmin -x printer_name            <-- remove the printer
#lpstat -p printer_name -l          <-- verify a locally installed remote printer
#reject printer_name                <-- stop accepting new jobs
#disable printer_name               <-- stop printing queued jobs
#lpadmin -x printer_name
#lpstat -p printer_name -l          <-- verify

Cancelling a print job
#cancel printer_name-job_id         <-- job ids are shown by lpstat as printer-number

Checking the printer status
#lpstat -d <-- Show default printer
#lpstat -p printer_name -D <-- Show description of printer
#lpstat -p printer_name <-- Basic status of printer
#lpstat -p printer_name -l <-- Detailed status of printer
#lpstat -t <-- Status of print services

Restarting the Print Scheduler (native Solaris lp; for CUPS use /etc/init.d/cups)
#lpstat -r <-- Check to see if scheduler is running
#lpshut <-- Turn off scheduler
#lpsched <-- Turn on scheduler

Linux - system analysis/debugging

Useful for finding bottlenecks: disk/storage, CPU, memory, network

#top
#vmstat; vmstat -m; vmstat -a
# w username
# uptime
# ps -A; ps -Al
# ps -AlF; ps -AlFH; ps -AlLm
# ps ax; ps axu; ps axjf
# ps -ejH
# pstree
# ps -eo euser,ruser,suser,fuser,f,comm,label    ###show security info: effective/real/saved/filesystem user and SELinux label
# ps axZ          ###SELinux context per process (BSD syntax)
# ps -eM          ###same, in standard syntax
# ps -U root -u root u     ###processes by real (-U) and effective (-u) user, root as the example

Set Output In a User-Defined Format
# ps -eo pid,tid,class,rtprio,ni,pri,psr,pcpu,stat,wchan:14,comm
# ps axo stat,euid,ruid,tty,tpgid,sess,pgrp,ppid,pid,pcpu,comm
# ps -eopid,tt,user,fname,tmout,f,wchan

Display Only The Process IDs of process-name
# ps -C process-name -o pid=
OR
# pgrep process-name

# ps -p PID -o comm=      ###show the name of a PID
# ps aux | sort -nr -k 4 | head -10    ###Top 10 memory-consuming processes (column 4 = %MEM)
# ps aux | sort -nr -k 3 | head -10    ###Top 10 CPU-consuming processes (column 3 = %CPU)
#free    ###memory usage

Monday, September 12, 2011

Creating local yum repositories using ISO files

Create the repository location (any suitable location) and change into it
#mkdir -p /var/ftp/pub/yumrepo
#cd /var/ftp/pub/yumrepo

Create a directory for the RPM packages
#mkdir CentOS
Create mount points for the ISO disks
#mkdir disk1 disk2 disk3 disk4 disk5 disk6 disk7 disk8

Mount the ISO images read-only on the loop device (the ISO paths are placeholders)
#mount -r -o loop /path/to/disk1.iso disk1
...
#mount -r -o loop /path/to/disk8.iso disk8


Copy the RPM packages
#cp disk*/CentOS/*.rpm CentOS/
#cp disk1/repodata/comps.xml   .


Install the createrepo package
#rpm -Uvh CentOS/createrepo*.rpm


Create the repository
#createrepo -g comps.xml   .

Configure yum to use the newly created repo: a .repo file in /etc/yum.repos.d (keep gpgcheck=1 and point gpgkey at the vendor key from the ISO), from the command line or the GUI
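The whole procedure as one script, added here and not from the original post. It adds two steps the post leaves out: every copied RPM's signature is checked with rpm -K against the vendor key before the repository is published, and the generated .repo file sets gpgcheck=1 so clients verify as well. The repo path is the post's; ISO_DIR and the key file name GPGKEY are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): build a local yum repo from
# ISOs, verifying package signatures first. Run as: sh build-repo.sh build
set -u

REPO=/var/ftp/pub/yumrepo       # path from the post
ISO_DIR=/path/to/isos           # placeholder: holds disk1.iso ... disk8.iso
GPGKEY=RPM-GPG-KEY-CentOS-5     # placeholder: vendor key file in the root of disk1

# Mount each ISO read-only on REPO/diskN and copy its RPMs into REPO/CentOS.
import_isos() {
    mkdir -p "$REPO/CentOS"
    n=1
    for iso in "$ISO_DIR"/disk*.iso; do
        mkdir -p "$REPO/disk$n"
        mount -r -o loop "$iso" "$REPO/disk$n"
        cp "$REPO/disk$n"/CentOS/*.rpm "$REPO/CentOS/"
        n=$((n + 1))
    done
    cp "$REPO/disk1/repodata/comps.xml" "$REPO/"
    cp "$REPO/disk1/$GPGKEY" "$REPO/"
}

# Decide from one line of 'rpm -K' output whether the signature verified.
#   pass: "x.rpm: (sha1) dsa sha1 md5 gpg OK"
#   fail: "... NOT OK" or "... (MISSING KEYS: ...)"  (unknown signer is not a pass)
rpm_sig_ok() {
    case $1 in
        *"NOT OK"*|*"MISSING KEYS"*) return 1 ;;
        *" OK"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Import the vendor key, then refuse the whole repo if any RPM fails.
verify_rpms() {
    rpm --import "$REPO/$GPGKEY"
    bad=0
    for f in "$REPO"/CentOS/*.rpm; do
        if ! rpm_sig_ok "$(rpm -K "$f")"; then
            echo "BAD SIGNATURE: $f" >&2
            bad=1
        fi
    done
    return $bad
}

# repo_conf NAME BASEURL GPGKEY_URL -> text of a yum .repo file with gpgcheck on
repo_conf() {
    printf '[%s]\nname=%s\nbaseurl=%s\nenabled=1\ngpgcheck=1\ngpgkey=%s\n' "$1" "$1" "$2" "$3"
}

build_repo() {
    import_isos
    verify_rpms || { echo "not publishing: signature check failed" >&2; return 1; }
    command -v createrepo >/dev/null || rpm -Uvh "$REPO"/CentOS/createrepo*.rpm
    ( cd "$REPO" && createrepo -g comps.xml . )
    repo_conf local-centos "file://$REPO" "file://$REPO/$GPGKEY" \
        > /etc/yum.repos.d/local-centos.repo
}

# Only build when invoked with the "build" argument, so the file can be
# sourced and its functions tested without mounting anything.
if [ "${1:-}" = build ]; then build_repo; fi
```

Serving the directory over FTP or HTTP (the post's /var/ftp/pub path) is fine because gpgcheck=1 on the client side means a tampered mirror cannot push unsigned packages; the check before createrepo only keeps such packages from ever entering the repository.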