How to Secure REDHAT Enterprise Servers in Production Environment

Introduction

  • General Principles
  • Encrypt Transmitted Data Whenever Possible
  • Minimize Software to Minimize Vulnerability
  • Run Different Network Services on Separate Systems
  • Configure Security Tools to Improve System Robustness
  • Least Privilege

System-wide Configuration

  • Installing and Maintaining Software

 Initial Installation Recommendations

 Updating Software

  • Software Integrity Checking

 File Permissions and Masks

 Restrict Partition Mount Options

  • Restrict Dynamic Mounting and Unmounting of Filesystems
  • Verify Permissions on Important Files and Directories

Restrict Programs from Dangerous Execution Patterns

  • Account and Access Control
  • Protect Accounts by Restricting Password-Based Login

 Use Unix Groups to Enhance Security

 Protect Accounts by Configuring PAM

 Secure Session Configuration Files for Login Accounts

 Protect Physical Console Access

 Use a Centralized Authentication Service

 Warning Banners for System Accesses

 SELinux

 How SELinux Works

 Enable SELinux

 Disable Unnecessary SELinux Daemons

 Check for Unconfined Daemons

 Check for Unlabeled Device Files

 Debugging SELinux Policy Errors

 Further Strengthening

 SELinux References

 Network Configuration and Firewall

 Kernel Parameters which Affect Networking

 Wireless Networking

 IPv6

 TCP Wrapper

 Iptables and Ip6tables

  • Secure Sockets Layer Support

 Logging and Auditing

  • Configure Syslog

 System Accounting with auditd

 Services

 Disable All Unneeded Services at Boot Time

 Determine which Services are Enabled at Boot

 Guidance on Default Services

 Guidance for Unfamiliar Services

 Obsolete Services

 Inetd and Xinetd

 Telnet

 Rlogin, Rsh, and Rcp

 NIS

 TFTP Server

 Base Services

 Installation Helper Service (firstboot)

 Console Mouse Service (gpm)

 Interrupt Distribution on Multiprocessor Systems (irqbalance)

 ISDN Support (isdn)

 Kdump Kernel Crash Analyzer (kdump)

 Kudzu Hardware Probing Utility (kudzu)

 Software RAID Monitor (mdmonitor)

 IA32 Microcode Utility (microcode ctl)

 Network Service (network)

 Smart Card Support (pcscd)

 SMART Disk Monitoring Support (smartd)

 Boot Caching (readahead early/readahead later)

 Application Support Services

 Bluetooth Support

 Power Management Support

 Cron and At Daemons

 Disable anacron if Possible

 Restrict Permissions on Files Used by cron

 Disable at if Possible

 Restrict at and cron to Authorized Users

 SSH Server

 Disable OpenSSH Server if Possible

 Configure OpenSSH Server if Necessary

 X Window System

 Disable X Windows if Possible

 Configure X Windows if Necessary

 Avahi Server

 Disable Avahi Server if Possible

 Configure Avahi if Necessary

 Print Support

 Disable the CUPS Service if Possible

 Disable Firewall Access to Printing Service if Possible

 Configure the CUPS Service if Necessary

 The HP Linux Imaging and Printing (HPLIP) Toolkit

 DHCP

 Disable DHCP Client if Possible

 Configure DHCP Client if Necessary

 Disable DHCP Server if Possible

 Configure the DHCP Server if Necessary

                 Network Time Protocol

 Select NTP Software

 Configure Reference NTP if Appropriate

 Configure OpenNTPD if Appropriate

 Mail Transfer Agent

 Select Mail Server Software and Configuration

 Configure SMTP For Mail Client

 Strategies for MTA Security

 Configure Operating System to Protect Mail Server

 Configure Sendmail Server if Necessary

 Configure Postfix if Necessary

 LDAP

 Use OpenLDAP to Provide LDAP Service if Possible

 Configure OpenLDAP Clients

 Configure OpenLDAP Server

 NFS and RPC

 Disable All NFS Services if Possible

 Configure All Machines which Use NFS

 Configure NFS Clients

 Configure NFS Servers

 DNS Server

 Disable DNS Server if Possible

?     Run the BIND9 Software if DNS Service is Needed

?     Isolate DNS from Other Services

?     Protect DNS Data from Tampering or Attack

  • FTP Server

?     Disable vsftpd if Possible

?     Use vsftpd to Provide FTP Service if Necessary

?     Configure vsftpd Securely

  •  Web Server

?     Disable Apache if Possible

?     Install Apache if Necessary

?     Secure the Apache Configuration

?     Use Appropriate Modules to Improve Apache’s Security

?     Configure iptables to Allow Access to the Web Server

?     Additional Resources

  • IMAP and POP3 Server

?     Disable Dovecot if Possible

?     Configure Dovecot if Necessary

  • Samba (SMB) Microsoft Windows File Sharing Server
  • ·

?     Disable Samba if Possible

?     Configure Samba if Necessary

?     Avoid the Samba Web Administration Tool (SWAT)

  • Proxy Server

?     Disable Squid if Possible

?     Configure Squid if Necessary

  • SNMP Server

?     Disable SNMP Server if Possible

?     Configure SNMP Server if Necessary