HOWTO Serverify RedHat linux
written by John Newbigin
jn@it.swin.edu.au

If you use RedHat Linux 7.2 or RedHat Enterprise Linux 2.1 in a server role there are a number of configuration changes you should make to ensure the machine is ready for the task at hand.

Disable <Ctrl><Alt><Del>

This seems quite obvious as I have seen many machines accidentally rebooted with <Ctrl><Alt><Del>, I have even done it once myself.  This a big problem in mixed NT, Linux environments where on one machine it means "I want to log in" and on another it means "I want to reboot".

To disable <ctrl><alt><del> you need to edit /etc/inittab and change these two lines

#Trap CTRL-ALT-DELETE
ca::ctrlaltdel:/sbin/shutdown -t3 -r now

to

#Disable CTRL-ALT-DELETE
ca::ctrlaltdel:/bin/echo "<ctrl><alt><del> disabled"

After editing /etc/inittab you need to tell init to reload the file
# kill -HUP 1

sysctl.conf

There are a number of settings in /etc/sysctl.conf which need to be checked.  If the machine will be forwarding IPv4 packets then you need to enable

net.ipv4.ip_forward = 1

For servers I recommend

kernel.sysrq = 1

to enable the magic SysRq key, and

net.ipv4.icmp_echo_ignore_broadcasts = 1

to prevent the machine from responding to broadcast pings.  This can be used as a form of DOS so it is best to disable it.

Depending on the kind of work your server will be doing, you might need to increase the maximum number of open files and inodes.  (Under 2.4 is seems that fs.inode-max is automatic but under 2.2 you will need to increase it)

fs.file-max = 16384
#fs.inode-max = 65536

After editing /etc/sysctl you will need to rerun sysctl to apply your changes

# /sbin/sysctl -p

Console security

Be default, RedHat linux will grant special privileges to any user who logs in on the console.  This allows users to do things such as use the attached audio devices and start the X server.  There are however some bad things which this allows, such as halting and rebooting the machine.  To prevent this you need to edit the pam configuration for some usermode applications.

In /etc/pam.d you will find files called halt, reboot and poweroff.  Edit each of these files and comment out the following line

#auth required /lib/security/pam_console.so

This change will take effect immediately you save the file.  You might want to consider removing the usermode RPM but there are a number of dependencies on this package and most of the tools are either useful or harmless as they require a root password.

Keeping logs

By default, your logs will be kept for 4 weeks.  I like to increate this to 104 weeks or 2 years.  This obviously can be adjusted to balance disk space and logging needs.  I would however recommend 52 weeks as a minimum.

To change the time your logs are kept for, edit /etc/logrotate.conf and change the rotate parameter.  You can also override this for specific logs by editing the files in /etc/log/logrotate.d/.  For more details see the logrotate man page.

If you have more that one Linux/Unix server then you should probably set one machine up as a log server and send all your logs to a central machine as well as storing them locally.  This makes is easier to process your logs and means you have a second copy should a machine have it's security compromised.

To make a server accept log messages from other machines you need to enable syslog remote reception.  This can be done by editing /etc/sysconfig/syslog and adding "-r" to the SYSLOGD_OPTIONS so it looks like this

SYSLOGD_OPTIONS="-m 0 -r"

Then restart syslog by doing

# /etc/rc.d/init.d/syslog restart

You should see a message in the log files about remote reception

To make a machine send it's log messages to your log server you need to add an entry to /etc/syslog.conf.  Something like

*.info @loghost

should be all that is needed.  See the man page for more details (man 5 syslog.conf)

You also need to restart syslog after this change.  The procedure is the same as above.

Restricting Access

Using tcp wrappers is restrict access is simple to set up.  Most services are already configured to use tcp wrappers.  The most secure way to configure tcpwrappers is to deny everything be default.

/etc/hosts.deny should contain only the line

ALL: ALL

Then you can add services to /etc/hosts.allow as appropriate.  For example

swat: 192.168.5. : severity notice
sshd: KNOWN : severity notice
ALL: LOCAL : severity notice

You do not need to restart anything after changing these files.  They are reread every time a connection is made.

Password Policy

Changing the password policy is not strictly necessary as by default a minimum length of 6 characters is required.  There is however very little documentation on changing the policies so here is my suggestion.  The following is specified in the The PAM System Administrators' Guide but is not very obvious.

Enabling a password history

1. Create the old password file with the command
# touch /etc/security/opasswd

2. Edit /etc/pam.d/system-auth and add the following pam_unix parameter "remember=3".

Cracklib will automatically check /etc/security/opasswd and will not allow any of the passwords listed to be used again.  This means that you must have pam_cracklib stacked before your pam_unix module (which is the default).

IDE Hard disk performance

edit /etc/sysconfig/harddisks


Last modified 20030929.
Maintained by John Newbigin http://uranus.it.swin.edu.au/~jn