
Volume 9
Mar 2000


Joe User’s Guide to Securing Your Linux Box
 by No-Mad

The last year has seen an explosion in the use of the Linux operating system, in both business and personal environments. The biggest drawback of this explosion is that many new users have very limited knowledge of the security issues involved in running a Linux box. This document tries to help those new to the OS learn how to harden their systems.

Since Red Hat is currently the most popular distribution of Linux, it is the one I chose to use for this article. Some of this information may not apply to all servers. This document assumes you have a working knowledge of Linux, basic security, and networking.

Setting Permissions and File System Security

The first important step in securing a system is restricting access to certain areas of the file system.

  1. Prevent unauthorized access to system/superuser directories.
    chmod 700 /root /sbin /usr/sbin /usr/local/sbin
    chmod 751 `find / -perm +6000`
  2. Remove the SetUserID bit from all the system files with this permission.
    chmod -R -s /bin /sbin /usr /var
  3. Allow ‘su’ access only to users in the system group ‘wheel’.
    groupadd wheel    # only necessary if the group is not already set up
    chown root.wheel /bin/su
    chmod 4750 /bin/su
  4. Disable use of the compiler by non-superusers.
    chmod 700 /usr/bin/*cc*
    chmod 700 `find /usr/include /usr/src -type d`

Miscellaneous Security Enhancements

  1. Ensure your kernel has tcp_wrapper installed. This is a logging daemon, and will help you better log all the network-based activity on your system. If it is not compiled, you will need to recompile your kernel to install this program.
  2. Remove accounts in /etc/passwd that are not required. Here are a few examples of accounts that are normally not required: games, lp, operator, uucp, guest, news, sync.
  3. Use Tcsh, not Bash, at least for root and super-users. Bash has become known to the security world as “Buggy Again Shell” due to the large number of security-related issues it has had over the years. It is a very functional and easily scripted shell, but is inherently insecure. To use Tcsh, change this setting within the /etc/passwd file:
    root:x:0:0:root:/root:/bin/tcsh
  4. Tighten up inetd.conf. Numerous services are enabled by default, and many are not required. Look at the /etc/inetd.conf file, then comment out any services that are not required on your system. Some examples of unnecessary services include: echo, daytime, comstat, ntalk, pop-3, pop-2, tftp, bootps, finger, cfinger, auth, imap.
  5. Clean up the system startup files. First you need to determine the run level your system is using; it is normally level 3 by default. Many of the system startup files in the /etc/rc.d/rc3.d/ directory are not required. Delete the files that are not required. Some examples include: apmd, netfs, lpd, gmp, and NTF.
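
The inetd.conf review from step 4 as a script (an added example, not the author's code): it lists the enabled entries whose service name is on the article's list and emits a copy of the file with those lines commented out. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an inetd.conf-style file against the article's step 4 list.

# Service names copied from step 4 of the article, spelled as the article has them.
UNNEEDED="echo daytime comstat ntalk pop-3 pop-2 tftp bootps finger cfinger auth imap"

# Constructed sample input, not taken from a real system.
sample_inetd_conf() {
    cat <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
echo    stream  tcp  nowait  root    internal
echo    dgram   udp  wait    root    internal
#daytime stream tcp  nowait  root    internal
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
pop-3   stream  tcp  nowait  root    /usr/sbin/tcpd  ipop3d
EOF
}

# Shared awk pass. $1 = mode (flag|harden); remaining args = files, stdin if none.
# An entry is a "hit" when it is not blank, not already commented out, and its
# first field (the service name) is on the UNNEEDED list.
_inetd_pass() {
    mode=$1; shift
    awk -v list="$UNNEEDED" -v mode="$mode" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
        { hit = (NF > 0 && $1 !~ /^#/ && ($1 in bad)) }
        mode == "flag"   { if (hit) print $1 "/" $3; next }
        mode == "harden" { print (hit ? "#" $0 : $0) }
    ' "$@"
}

# Print "service/protocol" for every enabled entry that should be reviewed.
# A service such as echo has separate tcp and udp lines; both are reported.
inetd_flag_unneeded() { _inetd_pass flag "$@"; }

# Print a copy of the file with flagged entries commented out; nothing is edited in place.
inetd_harden() { _inetd_pass harden "$@"; }

# Demo on the constructed sample.
sample_inetd_conf | inetd_flag_unneeded
```

On a real system, run `inetd_harden /etc/inetd.conf > /tmp/inetd.conf.new`, diff the result against the original before installing it, and send inetd a SIGHUP so it rereads the file.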

Remotely Accessing your System

For secure remote access you need to disable or remove telnet, rsh, and rlogin, then install SSH. For this example we are assuming you are installing the SSH1 freeware version of SSH.

  1. Download and install the SSH daemon based on the installation procedures documented in the package.
  2. Ensure that the install places the SSH daemon binaries into /usr/local/sbin and the client binaries into /usr/local/bin.
  3. Configure SSH1 via /etc/sshd_config. Change the following lines to ensure the best level of security.
    PermitRootLogin no
    X11Forwarding no
    PermitEmptyPasswords no
    For added security, you can restrict the hosts allowed to connect to your SSHd by editing the line that says “AllowedHosts” and adding the IP address or host name in this field.
  4. Then add SSHd to the startup script /etc/rc.d/rc.local by placing this line at the bottom:
    /usr/local/sbin/sshd &

The Next Step

This should secure your basic server. I don’t claim that this is an all-inclusive article; these are just the basics of Linux security. The next step is to individually secure each service that you are running on your server, such as Apache, FTP server, Sendmail, etc., and then set up a firewall using ipchains. I hope to write articles on the specifics of each of these later, making this a continuing series of how-tos. I hope this article has opened your eyes to the world of Linux security and given you a starting point for securing your servers.