<?xml version="1.0" encoding="UTF-8"?>
<!-- generator="FeedCreator 1.8" -->
<?xml-stylesheet href="http://ssl.webangel.ie/lib/exe/css.php?s=feed" type="text/css"?>
<rdf:RDF
    xmlns="http://purl.org/rss/1.0/"
    xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
    xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
    xmlns:dc="http://purl.org/dc/elements/1.1/">
    <channel rdf:about="http://ssl.webangel.ie/feed.php">
        <title>Opbzil - linux:linux-hardening</title>
        <description></description>
        <link>http://ssl.webangel.ie/</link>
        <image rdf:resource="http://ssl.webangel.ie/lib/exe/fetch.php?media=wiki:dokuwiki.svg" />
       <dc:date>2026-05-28T10:34:07+00:00</dc:date>
        <items>
            <rdf:Seq>
                <rdf:li rdf:resource="http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:aide&amp;rev=1759830220&amp;do=diff"/>
                <rdf:li rdf:resource="http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:boot_security&amp;rev=1759830220&amp;do=diff"/>
                <rdf:li rdf:resource="http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:configuring_the_mta&amp;rev=1759830220&amp;do=diff"/>
                <rdf:li rdf:resource="http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:disabling_standard_services&amp;rev=1759830220&amp;do=diff"/>
                <rdf:li rdf:resource="http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:enable_sha-512_hashing_for_all_password_encryption&amp;rev=1759830220&amp;do=diff"/>
                <rdf:li rdf:resource="http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:execshield&amp;rev=1759830220&amp;do=diff"/>
                <rdf:li rdf:resource="http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:hardening_standards_for_the_apache_web_server&amp;rev=1759830220&amp;do=diff"/>
                <rdf:li rdf:resource="http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:implementing_logrotate&amp;rev=1759830220&amp;do=diff"/>
                <rdf:li rdf:resource="http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:iptables&amp;rev=1759830220&amp;do=diff"/>
                <rdf:li rdf:resource="http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:ipv6&amp;rev=1759830220&amp;do=diff"/>
                <rdf:li rdf:resource="http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:logging_and_auditing&amp;rev=1759830220&amp;do=diff"/>
                <rdf:li rdf:resource="http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:network_configuration&amp;rev=1759830220&amp;do=diff"/>
                <rdf:li rdf:resource="http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:noclobber&amp;rev=1759830220&amp;do=diff"/>
                <rdf:li rdf:resource="http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:nosuid_nodev_noexec&amp;rev=1759830220&amp;do=diff"/>
                <rdf:li rdf:resource="http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:pam_configuration&amp;rev=1759830220&amp;do=diff"/>
                <rdf:li rdf:resource="http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:prelink&amp;rev=1759830220&amp;do=diff"/>
                <rdf:li rdf:resource="http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:require_a_wheel_group_for_root_access&amp;rev=1759830220&amp;do=diff"/>
                <rdf:li rdf:resource="http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:restrict_root_login_access_to_the_system_console&amp;rev=1759830220&amp;do=diff"/>
                <rdf:li rdf:resource="http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:rh8&amp;rev=1759830220&amp;do=diff"/>
                <rdf:li rdf:resource="http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:rh8pam&amp;rev=1759830220&amp;do=diff"/>
                <rdf:li rdf:resource="http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:selinux&amp;rev=1759830220&amp;do=diff"/>
                <rdf:li rdf:resource="http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:setting_default_umask&amp;rev=1759830220&amp;do=diff"/>
                <rdf:li rdf:resource="http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:ssh_configuration&amp;rev=1759830220&amp;do=diff"/>
                <rdf:li rdf:resource="http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:tcp-wrappers&amp;rev=1759830220&amp;do=diff"/>
                <rdf:li rdf:resource="http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:uncommon_network_protocols&amp;rev=1759830220&amp;do=diff"/>
                <rdf:li rdf:resource="http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:user_accounts_and_environments&amp;rev=1759830220&amp;do=diff"/>
                <rdf:li rdf:resource="http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:wireless_networking&amp;rev=1759830220&amp;do=diff"/>
            </rdf:Seq>
        </items>
    </channel>
    <image rdf:about="http://ssl.webangel.ie/lib/exe/fetch.php?media=wiki:dokuwiki.svg">
        <title>Opbzil</title>
        <link>http://ssl.webangel.ie/</link>
        <url>http://ssl.webangel.ie/lib/exe/fetch.php?media=wiki:dokuwiki.svg</url>
    </image>
    <item rdf:about="http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:aide&amp;rev=1759830220&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-10-07T09:43:40+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>aide</title>
        <link>http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:aide&amp;rev=1759830220&amp;do=diff</link>
        <description>Secure Server Builds

Aide

AIDE is not included by default with RHEL; you will need to install it from the install CD.

 # rpm -Uvh aide......rpm

Generate a new database:
# /usr/sbin/aide --init

By default, the database will be written to the file /var/lib/aide/aide.db.new.gz.
The database, as well as the configuration file /etc/aide.conf and the binary /usr/sbin/aide (or hashes
of these files) should be copied and stored in a secure location. Storing these copies or hashes on read-only
media may …</description>
    </item>
    <item rdf:about="http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:boot_security&amp;rev=1759830220&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-10-07T09:43:40+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>boot_security</title>
        <link>http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:boot_security&amp;rev=1759830220&amp;do=diff</link>
        <description>Secure Server Build

Boot Security

Ensure root is the owner of /etc/grub.conf, then run
chmod 700 grub.conf

This makes root the only user who can read or write the file.

Boot password

This should be set up at install time

Interactive Booting

Edit the file /etc/sysconfig/init. Add or correct the setting:</description>
    </item>
    <item rdf:about="http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:configuring_the_mta&amp;rev=1759830220&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-10-07T09:43:40+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>configuring_the_mta</title>
        <link>http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:configuring_the_mta&amp;rev=1759830220&amp;do=diff</link>
        <description>Secure Server Build

Configuring the MTA

Remove sendmail with
# yum erase sendmail

Install Postfix
# rpm -Uvh postfix

Edit the file /etc/postfix/main.cf. Ensure that only the following inet_interfaces line appears:

inet_interfaces = localhost</description>
    </item>
    <item rdf:about="http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:disabling_standard_services&amp;rev=1759830220&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-10-07T09:43:40+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>disabling_standard_services</title>
        <link>http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:disabling_standard_services&amp;rev=1759830220&amp;do=diff</link>
        <description>Secure Server Build

Disabling standard Services

Ensure that the following services are turned off. Disabling xinetd takes care of many of them.
  Service   command    Telnet (server and client)    rsh (server, client and all r-related commands)   chkconfig rsh off</description>
    </item>
    <item rdf:about="http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:enable_sha-512_hashing_for_all_password_encryption&amp;rev=1759830220&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-10-07T09:43:40+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>enable_sha-512_hashing_for_all_password_encryption</title>
        <link>http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:enable_sha-512_hashing_for_all_password_encryption&amp;rev=1759830220&amp;do=diff</link>
        <description>Secure Server Build

Enable Sha512 hashing for all password encryption

First, edit the file /etc/pam.d/system-auth to ensure that sha512 is used by the pam_unix.so module in
the password section, replacing any other algorithms (such as md5, bigcrypt, blowfish, or sha256) with sha512, as shown:</description>
    </item>
    <item rdf:about="http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:execshield&amp;rev=1759830220&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-10-07T09:43:40+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>execshield</title>
        <link>http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:execshield&amp;rev=1759830220&amp;do=diff</link>
        <description>Secure Server Build

Execshield

Enable ExecShield Protection Against Buffer Overflows

Open your /etc/sysctl.conf file:
# vi /etc/sysctl.conf
Add the following lines:

  kernel.exec-shield = 1
kernel.randomize_va_space = 1
Save and close the file. The first line enables ExecShield protection and the second line enables randomized placement of virtual memory regions. To load the sysctl settings, enter:</description>
    </item>
    <item rdf:about="http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:hardening_standards_for_the_apache_web_server&amp;rev=1759830220&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-10-07T09:43:40+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>hardening_standards_for_the_apache_web_server</title>
        <link>http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:hardening_standards_for_the_apache_web_server&amp;rev=1759830220&amp;do=diff</link>
        <description>Secure Server Build

Hardening standards for the Apache web server</description>
    </item>
    <item rdf:about="http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:implementing_logrotate&amp;rev=1759830220&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-10-07T09:43:40+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>implementing_logrotate</title>
        <link>http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:implementing_logrotate&amp;rev=1759830220&amp;do=diff</link>
        <description>Secure Server Build

Implementing Logrotate

Edit the file /etc/logrotate.d/syslog. Find the first line, which should look like this (wrapped for clarity):
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler 
/var/log/boot.log /var/log/cron {</description>
    </item>
    <item rdf:about="http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:iptables&amp;rev=1759830220&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-10-07T09:43:40+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>iptables</title>
        <link>http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:iptables&amp;rev=1759830220&amp;do=diff</link>
        <description>Secure Server Build

IPTables

The default should be “Disallow everything except the specific network services required by the application”.

Do not use system-config-securitylevel, as it overwrites the iptables file.

Changes are made by editing /etc/sysconfig/iptables</description>
    </item>
    <item rdf:about="http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:ipv6&amp;rev=1759830220&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-10-07T09:43:40+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>ipv6</title>
        <link>http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:ipv6&amp;rev=1759830220&amp;do=diff</link>
        <description>Secure Server Build

IPv6

 Do not use this on systems where you will have BONDS, as it turns off bonds completely; see
 RH bug 531873

To prevent the IPv6 kernel module (ipv6) from being automatically loaded, add the following line to /etc/modprobe.conf
install ipv6 /bin/true</description>
    </item>
    <item rdf:about="http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:logging_and_auditing&amp;rev=1759830220&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-10-07T09:43:40+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>logging_and_auditing</title>
        <link>http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:logging_and_auditing&amp;rev=1759830220&amp;do=diff</link>
        <description>Secure Server Build

Logging and Auditing

13.2.1 Syslog

Syslog should be enabled by default.  Appropriate logging levels should be set in /etc/syslog.conf. Permissions should be set such that “group” and “world” have no access at all to the syslog file. All relevant files should be owned by root, or by a secure admin group that is predefined in /etc/group. 
Communicate with the UNIX operations group to ensure that the hardened server’s syslog files are incorporated into its centralized server …</description>
    </item>
    <item rdf:about="http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:network_configuration&amp;rev=1759830220&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-10-07T09:43:40+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>network_configuration</title>
        <link>http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:network_configuration&amp;rev=1759830220&amp;do=diff</link>
        <description>Secure Server Build

Network Configuration

Edit the file /etc/sysctl.conf and add or correct the following lines:
# Disable network forwarding
net.ipv4.ip_forward = 0
net.ipv4.route.flush = 1

# Disable send packet redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.route.flush = 1

# Disable source routed packet acceptance
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Disable ICMP redirect acceptance
net.ipv4.con…</description>
    </item>
    <item rdf:about="http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:noclobber&amp;rev=1759830220&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-10-07T09:43:40+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>noclobber</title>
        <link>http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:noclobber&amp;rev=1759830220&amp;do=diff</link>
        <description>Secure Server Build

Noclobber

Edit the file /root/.bashrc and add the following entry: set -o noclobber

references:

&lt;http://www.linuxhowtos.org/Tips%20and%20Tricks/Protecting%20files%20with%20noclobber.htm&gt;</description>
    </item>
    <item rdf:about="http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:nosuid_nodev_noexec&amp;rev=1759830220&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-10-07T09:43:40+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>nosuid_nodev_noexec</title>
        <link>http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:nosuid_nodev_noexec&amp;rev=1759830220&amp;do=diff</link>
        <description>Secure Server Build

Nosuid Nodev Noexec

These are mount options that need to be added in /etc/fstab

for example
LABEL=/ / ext3 defaults 1 1
LABEL=/tmp /tmp ext3 defaults,nosuid,noexec,nodev 1 2
LABEL=/var/log/audit /var/log/audit ext3 defaults,nosuid,noexec,nodev 1 2
LABEL=/home /home ext3 defaults,nosuid,nodev 1 2</description>
    </item>
    <item rdf:about="http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:pam_configuration&amp;rev=1759830220&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-10-07T09:43:40+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>pam_configuration</title>
        <link>http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:pam_configuration&amp;rev=1759830220&amp;do=diff</link>
        <description>Secure Server Build

PAM configuration

To configure pam_cracklib to require at least one uppercase character, lowercase character, digit, and other
(special) character, locate the following line in /etc/pam.d/system-auth
password requisite pam_cracklib.so try_first_pass retry=3</description>
    </item>
    <item rdf:about="http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:prelink&amp;rev=1759830220&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-10-07T09:43:40+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>prelink</title>
        <link>http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:prelink&amp;rev=1759830220&amp;do=diff</link>
        <description>Secure Server Build

Disabling Prelink

Edit /etc/sysconfig/prelink and set PRELINKING=no

Execute the following command to revert binaries and libraries to their original content before they were
prelinked:
# /usr/sbin/prelink -ua

Reference
&lt;https://access.redhat.com/knowledge/articles/38655&gt;</description>
    </item>
    <item rdf:about="http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:require_a_wheel_group_for_root_access&amp;rev=1759830220&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-10-07T09:43:40+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>require_a_wheel_group_for_root_access</title>
        <link>http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:require_a_wheel_group_for_root_access&amp;rev=1759830220&amp;do=diff</link>
        <description>Secure Server build

Require a wheel group for root access

Edit the file /etc/pam.d/su. Add, uncomment, or correct the line:
auth required pam_wheel.so use_uid

Edit /etc/group and add the following line
wheel:x:10:root, &lt;user list&gt;

Edit the file /etc/sudoers</description>
    </item>
    <item rdf:about="http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:restrict_root_login_access_to_the_system_console&amp;rev=1759830220&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-10-07T09:43:40+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>restrict_root_login_access_to_the_system_console</title>
        <link>http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:restrict_root_login_access_to_the_system_console&amp;rev=1759830220&amp;do=diff</link>
        <description>Secure server Build

Restrict root login access to the system console

Only users logged in from the system console should be able to access the system as the root user. 

Verify that the only entry in /etc/securetty is the string “console”</description>
    </item>
    <item rdf:about="http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:rh8&amp;rev=1759830220&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-10-07T09:43:40+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>rh8</title>
        <link>http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:rh8&amp;rev=1759830220&amp;do=diff</link>
        <description>REdhat 8 hardening

 Setting up faillock 

 Setting up Passwd History</description>
    </item>
    <item rdf:about="http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:rh8pam&amp;rev=1759830220&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-10-07T09:43:40+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>rh8pam</title>
        <link>http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:rh8pam&amp;rev=1759830220&amp;do=diff</link>
        <description>Securing Linux RHEL 8 Best Practices

Pam settings

 pam_faillock</description>
    </item>
    <item rdf:about="http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:selinux&amp;rev=1759830220&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-10-07T09:43:40+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>selinux</title>
        <link>http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:selinux&amp;rev=1759830220&amp;do=diff</link>
        <description>Secure Server Build

SELinux

SELinux should be configured on by default at install time. The default policy is “targeted”.

To check status run
# cat /etc/sysconfig/selinux 

It should show SELINUXTYPE=targeted</description>
    </item>
    <item rdf:about="http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:setting_default_umask&amp;rev=1759830220&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-10-07T09:43:40+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>setting_default_umask</title>
        <link>http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:setting_default_umask&amp;rev=1759830220&amp;do=diff</link>
        <description>Secure Server Build

Setting Default umask

Edit /etc/bashrc: on the if line, change umask 022 to umask 027</description>
    </item>
    <item rdf:about="http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:ssh_configuration&amp;rev=1759830220&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-10-07T09:43:40+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>ssh_configuration</title>
        <link>http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:ssh_configuration&amp;rev=1759830220&amp;do=diff</link>
        <description>Secure Server Build

SSH Configuration

The table below gives the list of sshd parameters that must be set in /etc/ssh/sshd_config
Protocol 2
LogLevel VERBOSE
X11Forwarding no
MaxAuthTries 4
IgnoreRhosts yes
HostbasedAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
PermitUserEnvironment no
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
ClientAliveInterval 300
ClientAliveCountMax 0
Allowusers &lt;list&gt; 
banner &lt;bannerfile&gt;</description>
    </item>
    <item rdf:about="http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:tcp-wrappers&amp;rev=1759830220&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-10-07T09:43:40+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>tcp-wrappers</title>
        <link>http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:tcp-wrappers&amp;rev=1759830220&amp;do=diff</link>
        <description>Secure Server Build

TCP Wrappers

Edit the /etc/hosts.allow file to include
sshd:   ALL

Edit the /etc/hosts.deny to include
ALL:    ALL</description>
    </item>
    <item rdf:about="http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:uncommon_network_protocols&amp;rev=1759830220&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-10-07T09:43:40+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>uncommon_network_protocols</title>
        <link>http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:uncommon_network_protocols&amp;rev=1759830220&amp;do=diff</link>
        <description>Secure Server Build

Uncommon Network Protocol

Edit /etc/modules.conf and add the following lines at bottom
install dccp  /bin/true
install sctp  /bin/true
install rds   /bin/true
install tipc /bin/true</description>
    </item>
    <item rdf:about="http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:user_accounts_and_environments&amp;rev=1759830220&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-10-07T09:43:40+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>user_accounts_and_environments</title>
        <link>http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:user_accounts_and_environments&amp;rev=1759830220&amp;do=diff</link>
        <description>Secure Server Build

User Accounts and Environments

Disable system accounts

RHEL has a number of system accounts that are used to manage applications. These accounts are not intended to provide interactive access to users.  All non-system application accounts should have their shell field in the passwd file set to /sbin/nologin.</description>
    </item>
    <item rdf:about="http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:wireless_networking&amp;rev=1759830220&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-10-07T09:43:40+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>wireless_networking</title>
        <link>http://ssl.webangel.ie/doku.php?id=linux:linux-hardening:wireless_networking&amp;rev=1759830220&amp;do=diff</link>
        <description>Secure Server Build

Wireless Networking

Run the following command
# iwconfig

For any device listed by the above command, run

# ifdown &lt;devicename&gt;

then remove the config file
# rm /etc/sysconfig/network-scripts/ifcfg-&lt;devicename&gt;</description>
    </item>
</rdf:RDF>
