industrial-linux.org/cgi/index.fcgi?f=105-security#A53

Setuid / setgid files

find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;
    lists every regular file with the setuid (04000) or setgid (02000) bit set.
    Review the list after installation, keep a copy, and re-run the command
    periodically: a file that has gained the bit since is either a package
    upgrade you know about or a backdoor.

========================================
File security

chattr +i /etc/lilo.conf     set the file immutable: it cannot be written,
                             renamed or deleted, even by root, until the flag
                             is cleared (only root can set or clear it)
chattr -i /bin/login         clear the flag again, e.g. before an upgrade has
                             to replace the binary

========================================
Login

/etc/login.defs
/usr/sbin/authconfig         enable shadow passwords
--------------------------
/etc/profile
TMOUT=3600                   log idle shells out automatically after 3600 s;
                             declare it readonly so users cannot unset it
--------------------------
/etc/pam.d/su
auth sufficient /lib/security/pam_rootok.so debug
auth required   /lib/security/pam_wheel.so group=wheel
                             only members of group wheel can su (root itself
                             passes through pam_rootok); add the administrators
                             to wheel before you log out, or nobody can su
--------------------------
/etc/skel/.bash_logout
rm -f $HOME/.bash_history    new accounts get a logout script that deletes the
                             shell history

========================================
DNS (run named chrooted as an unprivileged user)

/usr/sbin/groupadd -g 150 dns
/usr/sbin/useradd -u 150 -g 150 -M -s /bin/false dns
mkdir /home/dns
chmod 0755 /home/dns
    (0755, not 0700: once named has dropped to uid dns, every path lookup
    inside the chroot starts at this directory, so dns needs search permission
    on it for reloads, the pid file and named-xfer to work)
mkdir /home/dns/etc /home/dns/lib /home/dns/dev /home/dns/usr
mkdir /home/dns/usr/sbin
mkdir /home/dns/var /home/dns/var/named /home/dns/var/run
chmod 0755 /home/dns/* /home/dns/usr/sbin /home/dns/var/*
/bin/mknod -m 666 /home/dns/dev/null c 1 3
/bin/cp /etc/named.conf /home/dns/etc/
/bin/cp /var/named/* /home/dns/var/named
/bin/chown -R dns:dns /home/dns/var/named /home/dns/var/run
/bin/cp /usr/sbin/{named,named-xfer} /home/dns/usr/sbin
/bin/cp /lib/libc.so.6 /home/dns/lib
/bin/cp /lib/ld-linux.so.2 /home/dns/lib
    (these two libraries are what named linked against on the system the page
    was written for; run ldd on named and named-xfer and copy whatever it lists)

Change the line in /etc/rc.d/init.d/syslog that reads
    daemon syslogd -m 0
to
    daemon syslogd -m 0 -a /home/dns/dev/log
so that syslogd also listens on a log socket inside the chroot (named cannot
reach /dev/log from there), then execute chmod 0755 /etc/rc.d/init.d/syslog.

Change the line in /etc/rc.d/init.d/named that reads
    daemon named
to
    daemon named -u dns -g dns -t /home/dns
so that named chroots to /home/dns and drops to user and group dns, then
execute chmod 0755 /etc/rc.d/init.d/named.

========================================
Apache

Disable the following of symbolic links (Options -FollowSymLinks, or at most
+SymLinksIfOwnerMatch), so a user cannot publish /etc or another user's files
by dropping a symlink into a web-served directory.

========================================
PAM

Change your PAM configuration so it contains a strong default fall-through
policy with logging.
In addition to denying inappropriate access, this helps you detect
mis-configured PAM entries: a service without its own file under /etc/pam.d
falls through to /etc/pam.d/other, is refused, and the refusal is logged.
/etc/pam.d/other:

auth     required /lib/security/pam_deny.so
auth     required /lib/security/pam_warn.so
account  required /lib/security/pam_deny.so
account  required /lib/security/pam_warn.so
password required /lib/security/pam_deny.so
password required /lib/security/pam_warn.so
session  required /lib/security/pam_deny.so
session  required /lib/security/pam_warn.so

(Both modules are "required", so pam_warn still runs and logs after pam_deny
has already failed the stack.)

========================================
/etc/hosts.deny

in.telnetd: ALL: banners /usr/local/etc

The banner file is named after the daemon, /usr/local/etc/in.telnetd, and
contains:
    You do not have access to this host.
so when you telnet to the host from a client that is not listed in
/etc/hosts.allow you get:
    Connected to 192.168.1.100.
    Escape character is '^]'.
    You do not have access to this host.
(hosts.allow is consulted first; this hosts.deny line only refuses clients
that hosts.allow did not already permit, so check that your own hosts are
listed there before you rely on it.)

========================================
Syncookies

echo 1 >/proc/sys/net/ipv4/tcp_syncookies
    SYN cookies: keep accepting connections during a SYN flood instead of
    running out of backlog entries
echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    do not answer pings sent to a broadcast address (smurf amplification)

These /proc writes do not survive a reboot; put the same settings in
/etc/sysctl.conf (net.ipv4.tcp_syncookies = 1,
net.ipv4.icmp_echo_ignore_broadcasts = 1) or in an init script.

========================================
OpenSSL + certificate

Generating a server certificate for use with OpenSSL

Many secured services use OpenSSL to achieve encryption. For this to work you
need to generate a server certificate and private key:

1. Change directory to /etc/ssl/certs
2. Run:
   RANDFILE=/dev/urandom openssl req -new -x509 -nodes -out server.pem -keyout \
       server.pem -days 365

This generates an RSA private key and a self-signed certificate valid for 365
days and puts both in a single file called server.pem. Because -nodes leaves
the key unencrypted (so the daemon can start unattended), server.pem must be
readable by root only (chmod 600). Use separate output files if you want a
separate certificate for each encrypted service.
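The find command in the setuid/setgid section is more useful as a baseline that later runs are compared against, so new setuid files stand out instead of having to be spotted in a long listing by eye. The following script does that. It is an added example, not part of the original page; the baseline location /var/lib/suid-baseline and the function names are assumptions.

```shell
#!/bin/sh
# Baseline-and-diff for setuid/setgid files. Added example, not from the
# original page. BASELINE_FILE's default location is an assumption.

BASELINE_FILE="${BASELINE_FILE:-/var/lib/suid-baseline}"

# suid_list ROOT: print every regular file under ROOT with the setuid or
# setgid bit set, one absolute path per line, sorted. -xdev keeps find from
# descending into other filesystems (/proc, NFS mounts); 2>/dev/null hides
# "Permission denied" noise when run unprivileged.
suid_list() {
    root=${1:-/}
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
        LC_ALL=C sort
}

# suid_count ROOT: number of such files, for a quick sanity check.
suid_count() {
    suid_list "$1" | wc -l | tr -d ' '
}

# suid_save BASELINE ROOT: write (or refresh) the baseline. Do this right
# after installation, keep a copy off-host, and make the file immutable
# (chattr +i) so an intruder cannot quietly update it.
suid_save() {
    baseline=$1; root=${2:-/}
    suid_list "$root" > "$baseline"
}

# suid_new BASELINE ROOT: paths present now but absent from BASELINE. Both
# inputs are sorted with the same locale, which comm requires.
suid_new() {
    baseline=$1; root=${2:-/}
    suid_list "$root" | LC_ALL=C comm -13 "$baseline" -
}

# Command-line use, e.g. from cron: "suid-check.sh save" once, then
# "suid-check.sh check" daily; check exits 1 and lists anything new.
case "${1:-}" in
    save)  suid_save "$BASELINE_FILE" / ;;
    check) new=$(suid_new "$BASELINE_FILE" /)
           if [ -n "$new" ]; then
               printf 'NEW setuid/setgid files since baseline:\n%s\n' "$new" >&2
               exit 1
           fi ;;
esac
```

Only additions are reported; a setuid binary that disappeared is usually a removed package, and a changed binary with the same path is the job of a file-integrity tool, not of this list.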
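For the DNS section, the following script builds the same chroot but discovers named's shared libraries with ldd instead of copying a fixed libc.so.6 / ld-linux.so.2 pair, and adds a check that the running daemon really is chrooted and unprivileged. This is an added example, not the page's own procedure: the /home/dns layout and the /usr/sbin/named, /usr/sbin/named-xfer, /etc/named.conf and /var/named paths follow the page, while the function names and everything else are assumptions.

```shell
#!/bin/sh
# Build the named chroot from the DNS section, copying the shared libraries
# ldd reports instead of a hard-coded pair, then verify the running daemon.
# Added example, not from the original page; paths follow the page, the
# rest is an assumption.

CHROOT=${CHROOT:-/home/dns}

# copy_with_libs BIN DESTROOT: copy BIN, keeping its directory, plus every
# shared object ldd resolves for it. ldd prints
#   libc.so.6 => /lib/libc.so.6 (0x...)      for libraries
#   /lib/ld-linux.so.2 (0x...)               for the dynamic loader
# and the awk picks the path out of either form. A static binary, or a
# system without ldd, yields an empty list and only the binary is copied.
copy_with_libs() {
    bin=$1; dest=$2
    mkdir -p "$dest$(dirname "$bin")"
    cp -pL "$bin" "$dest$(dirname "$bin")/"
    ldd "$bin" 2>/dev/null |
    awk '$2 == "=>" && $3 ~ /^\// { print $3 } $1 ~ /^\// { print $1 }' |
    while read -r lib; do
        mkdir -p "$dest$(dirname "$lib")"
        cp -pL "$lib" "$dest$(dirname "$lib")/"   # -L: copy the file, not the symlink
    done
}

# build_layout DESTROOT: the directory skeleton from the page. The chroot
# root itself is 0755 (not 0700): after "named -u dns" every path lookup
# inside the jail starts there, and dns needs search permission on it.
build_layout() {
    dest=$1
    mkdir -p "$dest/etc" "$dest/dev" "$dest/usr/sbin" "$dest/var/named" "$dest/var/run"
    chmod 0755 "$dest" "$dest/etc" "$dest/dev" "$dest/usr" "$dest/usr/sbin" \
               "$dest/var" "$dest/var/named" "$dest/var/run"
}

# build_dns_chroot DESTROOT: the full build; needs root (mknod, chown).
build_dns_chroot() {
    dest=$1
    build_layout "$dest"
    [ -c "$dest/dev/null" ] || mknod -m 666 "$dest/dev/null" c 1 3
    cp -p /etc/named.conf "$dest/etc/"
    cp -p /var/named/* "$dest/var/named/"
    chown -R dns:dns "$dest/var/named" "$dest/var/run"
    copy_with_libs /usr/sbin/named "$dest"
    copy_with_libs /usr/sbin/named-xfer "$dest"
}

# verify_chroot PID ROOT UID: true if process PID has ROOT as its root
# directory and runs with real uid UID, both read from /proc. After starting
# named with "-u dns -g dns -t /home/dns", run:
#   verify_chroot "$(pidof named)" /home/dns "$(id -u dns)"
verify_chroot() {
    pid=$1; want_root=$2; want_uid=$3
    [ "$(readlink "/proc/$pid/root")" = "$want_root" ] &&
    [ "$(awk '/^Uid:/ { print $2 }' "/proc/$pid/status")" = "$want_uid" ]
}

# Only touch the real system when asked for explicitly.
if [ "${1:-}" = build ]; then
    build_dns_chroot "$CHROOT"
fi
```

Re-run copy_with_libs after every libc or BIND upgrade: the copies inside the jail are not touched by the package manager, so a patched library on the host does not fix the daemon until it is copied in again.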
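For the OpenSSL section, here is an added example (not from the original page) that generates a separate private key and self-signed certificate per service, keeps the key in its own 0600 file instead of a shared server.pem, and adds the two checks worth running after any rebuild: that the certificate belongs to the key, and that it is not about to expire. CERTDIR, the function names and the service names are assumptions.

```shell
#!/bin/sh
# Per-service key/certificate generation with checks. Added example, not
# from the original page; CERTDIR and the service names are assumptions.

CERTDIR=${CERTDIR:-/etc/ssl/certs}

# make_cert NAME CN [DAYS]: create CERTDIR/NAME.key (unencrypted, -nodes, so
# the daemon can start at boot, hence 0600) and a self-signed CERTDIR/NAME.crt
# (0644) for the given common name, valid for DAYS days (default 365).
make_cert() {
    name=$1; cn=$2; days=${3:-365}
    key="$CERTDIR/$name.key"; crt="$CERTDIR/$name.crt"
    # umask in a subshell so the key is never world-readable, even briefly
    ( umask 077
      openssl req -new -x509 -nodes -newkey rsa:2048 -days "$days" \
          -subj "/CN=$cn" -keyout "$key" -out "$crt" 2>/dev/null )
    chmod 0600 "$key"
    chmod 0644 "$crt"
}

# cert_matches_key CRT KEY: the public key embedded in the certificate must
# be the one derived from the private key; catches a key/cert mix-up between
# services before the daemon refuses to start or serves the wrong certificate.
cert_matches_key() {
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# cert_valid_for_days CRT DAYS: true if the certificate does not expire within
# DAYS days; run it from cron to be warned before a self-signed cert lapses.
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# Example: one certificate each for the SMTP and IMAP services.
#   make_cert smtp mail.example.com
#   make_cert imap mail.example.com
#   cert_matches_key "$CERTDIR/smtp.crt" "$CERTDIR/smtp.key" && echo smtp ok
#   cert_valid_for_days "$CERTDIR/smtp.crt" 30 || echo "smtp cert expires soon"
```

The private key is generated with -newkey rsa:2048 explicitly rather than relying on the openssl default of the installed version, which was considerably smaller on systems of the era this page describes.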