© 2017
But every effort has been made to provide the information as accurately as possible. I welcome emails from any readers with comments, suggestions, and corrections at webmasteratpuschitz. If you believe that I did not address a basic and important Linux security topic, please drop me an email.

Contents

General
Removing Unnecessary Software Packages (RPMs)
Patching Linux Systems
Detecting Listening Network Ports
Closing Network Ports and Disabling Runlevel System Services
Closing Network Ports and Disabling Xinetd Services
Reviewing Inittab and Boot Scripts
Restricting System Access from Servers and Networks
Securing SSH
Securing Postfix
Securing Sendmail
Securing NFS
Copying Files Using SSH Without Providing Login Prompts
Kernel Tunable Security Parameters
Checking File Permissions and Ownership
Checking Accounts
Enabling Password Aging
Enforcing Stronger Passwords
Restricting Use of Previous Passwords
Locking User Accounts After Too Many Login Failures
Restricting Direct Login Access for System and Shared Accounts
Restricting su Access to System and Shared Accounts
Preventing Accidental Denial of Service
Displaying Login Banners
Miscellaneous
Bibliography and References

Physical security should be of the utmost concern. Linux production servers should be in locked datacenters. But physical security is out of scope for this article. Depending on the environment and circumstances, you may want to consider boot loader passwords.

It is strongly recommended to have scripts available which verify that all security action items have. Even the best sysadmins can make mistakes and miss steps. If you have a larger Linux environment, it would be a good investment to write scripts for checking Linux security action items.

To retire servers with sensitive data, it is important to ensure that data cannot be. To ensure that all traces of data are removed, the Disk Sanitizer tool can be used. This tool can be operated from a floppy disk and it removes data according to the U.S. Department of Defense (DoD) standards. Disk Sanitizer is available at.

If your system gets compromised, your backups become invaluable. They are also invaluable in cases like bugs, accidents, etc. For production systems it is. Backups offsite for cases like disasters. For legal reasons, some firms and organizations must be careful about backing up too much information and. If your environment has a policy regarding the destruction of old paper files, you. Linux backup tapes as well.

Servers should have separate partitions for at least /boot, /usr, and /var. You don't want that e. Third party applications should be on separate.

I will not cover iptables in this paper. Most companies use hardware based. If you are interested in a Linux stateful firewall using iptables, check out my HOWTO for Stateful Firewall and Masquerading on Linux. For lots of iptables tutorials and examples, see.

Kernel Tunable Security Parameters

For more information, see Kernel Tunable Security Parameters.

Virtual Address Space Randomization

Starting with the 2. Linux now uses the address space randomization technique. For more information, see Linux virtual address randomization and impacting buffer overflows, and Address space randomization in 2.

SELinux is an advanced technology for securing Linux systems. Hardening Linux using SELinux technology. HOWTO and is out of scope for this guide. I highly recommend the book SELinux: NSA's Open Source Security Enhanced Linux.

FTP, telnet, and rlogin/rsh are vulnerable to eavesdropping, which is one of the reasons why SSH/SCP/SFTP should be used instead. It is highly recommended not to run these services.
Due to the high risk, this guide does not cover these services. It would also be a good idea not to have FTP and Telnet server RPMs installed on the system.

A very important step in securing a Linux system is to determine the primary function or role of the Linux server. You should have a detailed knowledge of what is on your system. Otherwise you will have a difficult time. Linux systems proactively won't be that effective. Therefore, it is very critical to look at the default list of software packages and remove unneeded packages or packages. If you do that you will have fewer packages to update and to maintain. For example, you should not have Apache or Samba installed on your system if you don't use them. Also, it is a good practice not to have development packages or desktop software packages (e.g. X Server, etc.) installed on production servers. Other packages like FTP and Telnet daemons should not be installed either. SSH/SCP/SFTP should be used instead.

One of the first action items should be to create a Linux image that only contains RPMs. A good approach is to start with a minimum list of RPMs and then add packages as needed. It may be time consuming but worth the effort.

To get a list of all installed RPMs you can use the following command. If you want to know more about a particular RPM, run. To check for and report potential conflicts and dependencies for deleting an RPM, run. For information on performing Kickstart installations and how to build an image, see Kickstart Installations.

Building an infrastructure for patch management is another very important step to proactively secure Linux. It is recommended to have a written security policy and procedure to handle Linux security updates. For example, a security policy should detail the timeframe for assessment, testing, and rollout of patches. Network related security vulnerabilities should get the highest priority and.
For example, a security procedure should detail the process for assessment, testing, and rollout of. The assessment phase should occur within a testing lab, and initial rollout should. A separate security log should detail what Linux security notices have been received, when patches have. For Red Hat systems I recommend.
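The inventory step from the section on removing unnecessary software packages (start from a minimal list of RPMs, compare the installed set against it, and check what an erase would pull out) as an added shell example; this is not code from the original guide, and the baseline file format and the sample package names are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide): audit the installed RPMs against
# a minimal approved baseline, report what should not be there, and dry-run the
# removal.  Assumptions: baseline is a text file with one package NAME per line
# (# comments allowed); POSIX sh, awk and sort; rpm runs only for live queries.

# unexpected_packages BASELINE_FILE INSTALLED_FILE
# Prints, sorted and de-duplicated, every package name in INSTALLED_FILE that is
# absent from BASELINE_FILE.  Use "-" as INSTALLED_FILE to query the live system.
unexpected_packages() {
    baseline=$1
    installed=$2
    if [ "$installed" = "-" ]; then
        rpm -qa --qf '%{NAME}\n'      # NAME only, so versions do not defeat the match
    else
        cat "$installed"
    fi |
        awk -v base_file="$baseline" '
            $1 == "" || $1 ~ /^#/ { next }                # skip blank and comment lines
            FILENAME == base_file { base[$1] = 1; next }  # first input: the allow-list
            !($1 in base) { print $1 }                    # anything else is unexpected
        ' "$baseline" - |
        sort -u
}

# removal_impact PACKAGE...
# Dry run of the erase: rpm reports every installed package that depends on the
# given ones and removes nothing (live system only).
removal_impact() {
    rpm -e --test "$@"
}

# demo_audit: runs unexpected_packages on constructed sample inventories (not a
# real system) and prints the offending package names.
demo_audit() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '# minimal server baseline (constructed)' \
        bash coreutils openssh-server rpm yum > "$dir/baseline"
    printf '%s\n' bash coreutils httpd openssh-server rpm samba \
        telnet-server yum httpd > "$dir/installed"
    unexpected_packages "$dir/baseline" "$dir/installed"
    rm -rf "$dir"
}

case "${1:-}" in
    --demo) demo_audit ;;
    --live) unexpected_packages "${2:?baseline file required}" - ;;
    --test-erase) shift; removal_impact "$@" ;;
esac
```

Run with `--demo` to see the constructed case, `--live baseline.txt` on a real host, and `--test-erase pkg...` before actually erasing anything.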