http://industrial-linux.org/cgi/index.fcgi?f=105-security#A53

find all SUID and SGID files (the starting point for auditing privileged binaries)
find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;
========================================
File security
chattr +i /etc/lilo.conf
set the file immutable (it cannot be modified, deleted or renamed, even by root, until the flag is cleared)
chattr -i /bin/login
clear the immutable flag again
--------------------------
encrypt file
openssl des3 -salt -in file.txt -out file.des3
--------------------------
decrypt file
openssl des3 -d -salt -in file.des3 -out file.txt -k mypassword
(a password given with -k is visible to every user in the process list; leave -k out to be prompted for it)
--------------------------
encrypt while typing (reads the plaintext from stdin until EOF)
openssl des3 -salt -out myfile.txt
========================================
file integrity
md5sum file
--------------------------
better
openssl dgst -sha1 -c file
openssl dgst -ripemd160 -c file
(MD5 and SHA-1 are no longer collision resistant; for new checksum lists use openssl dgst -sha256)
========================================
Login
/etc/login.defs
(password aging and login policy)
/usr/sbin/authconfig
enable shadow passwords
--------------------------
/etc/profile
TMOUT=3600 (sec.)
logs the shell out automatically after that many seconds without input
--------------------------
/etc/pam.d/su
auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=wheel
only members of group wheel can su
--------------------------
/etc/skel/.bash_logout
rm -f $HOME/.bash_history
(new users get a logout script that removes their shell history)
========================================
DNS
run named as an unprivileged user inside a chroot
/usr/sbin/groupadd -g 150 dns
/usr/sbin/useradd -u 150 -g 150 -M -s /bin/false dns
mkdir /home/dns
chmod 0700 /home/dns
mkdir /home/dns/etc
mkdir /home/dns/lib
mkdir /home/dns/dev
mkdir /home/dns/usr
mkdir /home/dns/usr/sbin
mkdir /home/dns/var
mkdir /home/dns/var/named
mkdir /home/dns/var/run
chmod 0755 /home/dns/*
chmod 0755 /home/dns/usr/sbin
chmod 0755 /home/dns/var/*
/bin/mknod -m 666 /home/dns/dev/null c 1 3
/bin/cp /etc/named.conf /home/dns/etc/
/bin/cp /var/named/* /home/dns/var/named
/bin/chown -R dns:dns /home/dns/var/named /home/dns/var/run
/bin/cp /usr/sbin/{named,named-xfer} /home/dns/usr/sbin
/bin/cp /lib/libc.so.6 /home/dns/lib
/bin/cp /lib/ld-linux.so.2 /home/dns/lib
Change the line in "/etc/rc.d/init.d/syslog" that reads "daemon syslog -m 0" to "daemon syslog -a /home/dns/dev/log" (so syslogd also listens on a log socket inside the chroot), then execute "chmod 0755
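The SUID/SGID find command and the file integrity digests above are most useful together as a baseline that is checked later. The following script is an added example, not part of the original page: it records every setuid/setgid file under a tree (the page's find test) with its mode and SHA-256 digest, then reports files that were added, removed or changed since the baseline. sha256sum from coreutils stands in for the page's openssl dgst, stat -c is GNU, and the tree, file names and contents in demo are constructed for the example; paths containing whitespace are not handled by this simple line format.

```shell
#!/bin/sh
# Added example (not from the original page): baseline of SUID/SGID files
# with mode and SHA-256, and a drift check against that baseline.
# Assumes GNU stat/find and coreutils sha256sum.

# record_baseline ROOT OUTFILE
#   one line per setuid/setgid regular file: "<path> <octal mode> <sha256>"
record_baseline() {
    # same test as the page's find: setuid (04000) or setgid (02000) bit set
    find "$1" -type f \( -perm -04000 -o -perm -02000 \) -print | LC_ALL=C sort |
    while IFS= read -r f; do
        printf '%s %s %s\n' "$f" "$(stat -c %a "$f")" "$(sha256sum "$f" | cut -d' ' -f1)"
    done > "$2"
}

# check_baseline ROOT BASELINE
#   prints ADDED/REMOVED/CHANGED lines (sorted); returns 1 if anything differs
check_baseline() {
    cur=$(mktemp)
    record_baseline "$1" "$cur"
    # first file fills old[], second fills new[]; a differing mode or digest
    # for a path present in both is reported as CHANGED
    report=$(awk 'NR == FNR { old[$1] = $2 " " $3; next }
                  { new[$1] = $2 " " $3 }
                  END {
                      for (p in new) if (!(p in old)) print "ADDED   " p
                      for (p in old) if (!(p in new)) print "REMOVED " p
                      for (p in old) if ((p in new) && old[p] != new[p]) print "CHANGED " p
                  }' "$2" "$cur" | LC_ALL=C sort)
    rm -f "$cur"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# demo: constructed tree (not a real system), baseline it, then plant a new
# setuid binary, trojan an existing one and strip the setgid bit from another
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/bin" "$t/usr/bin"
    printf 'v1\n' > "$t/bin/su";       chmod 4755 "$t/bin/su"
    printf 'v1\n' > "$t/usr/bin/wall"; chmod 2755 "$t/usr/bin/wall"
    printf 'v1\n' > "$t/bin/ls";       chmod 0755 "$t/bin/ls"     # not privileged: ignored
    record_baseline "$t" "$t/baseline"
    check_baseline "$t" "$t/baseline" && echo "clean"           # nothing changed yet

    printf 'trojan\n' > "$t/bin/su"                               # content changed, still 4755
    printf 'x\n' > "$t/usr/bin/backdoor"; chmod 4755 "$t/usr/bin/backdoor"   # new SUID file
    chmod 0755 "$t/usr/bin/wall"                                  # SGID bit dropped
    check_baseline "$t" "$t/baseline" || echo "drift detected"
    rm -rf "$t"
}

demo
```

On a real host point record_baseline at / (it needs root to read every file) and keep the baseline somewhere the host cannot rewrite it, such as read-only media; a baseline stored on the audited disk is only as trustworthy as the disk.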
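The encrypt/decrypt commands above pass the password with -k, which any local user can read from the process list, and use des3 with OpenSSL's legacy key derivation. The script below is an added example, not from the original page: it does the same round trip with openssl enc, reading the password from a file created with mode 0600 (-pass file:), and with AES-256-CBC plus PBKDF2 swapped in for 3DES. The -pbkdf2/-iter options need OpenSSL 1.1.1 or later; the file contents and passwords are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original page): file encryption with
# openssl enc, password taken from a file instead of the command line.
# Assumes OpenSSL 1.1.1+ for -pbkdf2.

# encrypt_file PLAINTEXT CIPHERTEXT PASSFILE
#   -salt writes "Salted__" + 8 random bytes in front of the ciphertext so
#   the same password gives a different key each time
encrypt_file() {
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 \
        -pass "file:$3" -in "$1" -out "$2"
}

# decrypt_file CIPHERTEXT PLAINTEXT PASSFILE  (non-zero exit on a bad password)
decrypt_file() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -pass "file:$3" -in "$1" -out "$2"
}

# is_salted FILE -> 0 if FILE carries the OpenSSL "Salted__" header
is_salted() {
    [ "$(head -c 8 "$1")" = "Salted__" ]
}

# roundtrip: 0 only if the right password restores the file exactly and a
# wrong password does not (CBC has no authentication, so a wrong password
# may occasionally decrypt without error but never to the original bytes)
roundtrip() {
    t=$(mktemp -d)
    printf 'constructed secret: db password = hunter2\n' > "$t/plain"
    ( umask 077
      printf 'correct horse battery staple\n' > "$t/pass"     # mode 0600
      printf 'wrong password\n' > "$t/badpass" )
    rc=1
    if encrypt_file "$t/plain" "$t/plain.enc" "$t/pass" \
       && is_salted "$t/plain.enc" \
       && decrypt_file "$t/plain.enc" "$t/out" "$t/pass" \
       && cmp -s "$t/plain" "$t/out" \
       && ! { decrypt_file "$t/plain.enc" "$t/bad" "$t/badpass" 2>/dev/null \
              && cmp -s "$t/plain" "$t/bad"; }
    then
        rc=0
    fi
    rm -rf "$t"
    return $rc
}

roundtrip && echo "round trip ok"
```

Note that enc provides confidentiality only: nothing detects a tampered ciphertext, so pair it with a digest of the encrypted file (the file integrity section above) if the file travels through untrusted hands.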
/etc/rc.d/init.d/syslog".
Change the line in "/etc/rc.d/init.d/named" that reads "daemon named" to "daemon named -u dns -g dns -t /home/dns", then execute "chmod 0755 /etc/rc.d/init.d/named".
========================================
Apache
Disable Apache symlinks (remove FollowSymLinks from the Options of the document root, so a symlink planted by a user or by a compromised script cannot expose files outside it)
========================================
PAM
Change your PAM configuration so it contains a strong default fall-through policy with logging. In addition to denying inappropriate access, this will help you detect misconfigured PAM entries. It is contained in /etc/pam.d/other, like this:
auth required /lib/security/pam_deny.so
auth required /lib/security/pam_warn.so
account required /lib/security/pam_deny.so
account required /lib/security/pam_warn.so
password required /lib/security/pam_deny.so
password required /lib/security/pam_warn.so
session required /lib/security/pam_deny.so
session required /lib/security/pam_warn.so
(pam_deny comes first but is marked "required", not "requisite", so the stack still runs on to pam_warn and the attempt is logged before the denial is returned)
------------------
/etc/hosts.deny
in.telnetd: ALL: banners /usr/local/etc
in /usr/local/etc/in.telnetd
You do not have access to this host.
so when you telnet to your host from a host that is not allowed you get:
Connected to 192.168.1.100.
Escape character is '^]'.
You do not have access to this host.
========================================
SYN and ping
------------------
Prevent SYN flood attacks (SYN cookies)
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
------------------
disable ping
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
------------------
Prevent ping to broadcasts (smurf amplification)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
------------------
enable ping again
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
(values written to /proc/sys are lost at reboot; put the same keys in /etc/sysctl.conf, e.g. net.ipv4.tcp_syncookies = 1, to make them permanent)
========================================
OpenSSL + certificate
Generating a server certificate for use with OpenSSL
Many secured services use OpenSSL to achieve encryption. For this to work, you will need to generate a server certificate and encryption key.
To create this, you can use the following steps:
1. Change directory to /etc/ssl/certs
2. Use the command:
RANDFILE=/dev/urandom openssl req -new -x509 -nodes -out server.pem -keyout \
server.pem -days 365
This generates an RSA private key and a self-signed certificate and puts them both in a file called server.pem. You would probably want to change this if you want to have separate certificates for each encrypted service. Because of -nodes the private key is stored unencrypted, so the file must be readable by root only (chmod 0600 server.pem).
========================================
web server verification (SSL/TLS test)
openssl s_client -connect www.sourceforge.net:443
------------------
certificate information about a mail server
openssl s_client -connect mail.myisp.net:995 -showcerts
========================================
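The certificate procedure above puts the unencrypted key and the certificate into the same file and gives no way to check the result. The script below is an added example, not from the original page: it generates the same kind of self-signed certificate with openssl req, but writes the private key to its own 0600 file, then verifies the subject, checks that key and certificate belong together and checks the remaining validity. The -subj and -addext options replace the interactive prompts (-addext needs OpenSSL 1.1.1 or later); the host name www.example.test and the file names are made up for the example.

```shell
#!/bin/sh
# Added example (not from the original page): self-signed server certificate
# with the key kept separate, plus checks on what was produced.
# Assumes OpenSSL 1.1.1+ (for -addext).

# gen_selfsigned KEYFILE CERTFILE CN DAYS
gen_selfsigned() {
    ( umask 077   # the key file is created readable by its owner only
      openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 -days "$4" \
          -subj "/CN=$3" -addext "subjectAltName=DNS:$3" \
          -keyout "$1" -out "$2" 2>/dev/null ) || return 1
    chmod 644 "$2"   # the certificate itself is public
}

# cert_cn CERTFILE -> prints the subject CN
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject=CN=//'
}

# key_matches_cert KEYFILE CERTFILE -> 0 if both carry the same public key
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# cert_valid_for CERTFILE SECONDS -> 0 if the certificate does not expire
# within SECONDS (openssl x509 -checkend)
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

demo() {
    t=$(mktemp -d)
    gen_selfsigned "$t/server.key" "$t/server.crt" www.example.test 365 || return 1
    echo "CN: $(cert_cn "$t/server.crt")"
    key_matches_cert "$t/server.key" "$t/server.crt" && echo "key matches certificate"
    cert_valid_for "$t/server.crt" $((300 * 86400)) && echo "valid for at least 300 more days"
    cert_valid_for "$t/server.crt" $((400 * 86400)) || echo "expires within 400 days (as expected for -days 365)"
    ls -l "$t/server.key" | cut -c1-10        # -rw-------
    rm -rf "$t"
}

demo
```

The cert_valid_for check is the piece worth scheduling: a certificate generated with -days 365 silently stops working a year later, and clients will simply refuse to connect.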