Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Linux :: Red Hat/Fedora :: rhsec60.txt

A Guide to Securing RedHat Linux 6.0




::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
::          .ooO A Guide to Securing RedHat Linux 6.0 by wyze1 Ooo.         ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
::                                                                          ::
:: A lot of people out there are raving about RH6, why exactly, I don't     ::
:: know, but they seem to think it's just great. ;P So, for lack of any     ::
:: hope of getting these people to start using *BSD or Solaris, I have      ::
:: designed a guide to securing Red Hat Linux 6.0 which covers all known    ::
:: problems up to date, although it doesn't really tackle other issues.     ::
::                                                                          ::
:: Now, go to ftp://update.redhat.com and download the source for the new   ::
:: kernel supplied by RedHat for RH6 systems (2.2.5-22). Then, go and       ::
:: download the information on the Linux 2.2.x ICMP DoS that causes Kernel  ::
:: Panic - search Geek-Girl's BugTraq archive for it. <http://geek-girl.com>::
:: Apply the patch to fix this vulnerability. Now, recompile the Kernel,    ::
:: look in /usr/doc/HOWTO/Kernel-HOWTO if you don't know how.               ::
::                                                                          ::
:: Now there haven't been any SUID vulnerabilities discovered in RH6 yet,   ::
:: but you probably don't want any just in case. You can nuke the lot of    ::
:: them simply by typing "chmod a-s -R / &". You may find some you want     ::
:: to re-SUID, like mount, but you probably won't need that many.           ::
::                                                                          ::
:: Now, lets play with the Alt+SysRq Kernel hack, one of the nicest things  ::
:: about the new 2.2.x Kernel series. This hack allows you to press Alt,    ::
:: SysRq (Print Screen) and a Hotkey to perform various different tasks     ::
:: even when the system is not responding. You can press Alt+SysRq+K to     ::
:: kill all processes on the vterm you are using, or Alt+SysRq+M to dump    ::
:: memory information onto the screen and a whole bunch of other really     ::
:: neat things - none of which we are looking at in detail now, except for  ::
:: the one that makes the difference for security - Alt+SysRq+1-9. This     ::
:: hack determines how much of the kernel mumblings are logged. Having a    ::
:: lot of mumblings logged is generally quite nice, or, you can keep it at  ::
:: 1 or something and just jack it up when you need to. ;)                  ::
::                                                                          ::
:: Ugh. RedHat 6.0 has a stupid PAM'erized su. If you give the correct      ::
:: password to it, you become superuser immediately, and if you give the    ::
:: wrong password, there is a full one second delay before it tells you the ::
:: attempt failed and logs the attempt. During this period, you can press   ::
:: Ctrl+Break to stop su and nothing will be logged, making it easy for     ::
:: some-one to brute-force the root password. Nuke su. It's a dumb program  ::
:: and I don't like it anywayz. ;)                                          ::
::                                                                          ::
:: I hope you're not running X-Windows, but if you are, be sure to fix a    ::
:: few critical permissions in the UNIX 98 PTYs which could give you        ::
:: trouble by typing chmod 600 /dev/pts/*                                   ::
::                                                                          ::
:: RedHat 6.0 also fucks up the permissions on the CD-ROM drive. A minor    ::
:: problem, but worth fixing anyway - Think of backups. Cat your /etc/fstab ::
:: to see where your cdrom drive is and then chmod 600 /dev/whatever        ::
::                                                                          ::
:: If you use KDE, and more specifically if you use K-Mail, then you are    ::
:: vulnerable to a silly symlink problem. Nuke K-Mail, Don't use K-Mail, or ::
:: if you are a COMPLETE loser and you *really* want it, d/l the fix from   ::
:: ftp.kde.org/pub/kde/security_patches/kmail-security-patch.diff           ::
::                                                                          ::
:: I think the ipop2d on RH6 in vulnerable to a remote buffer overflow      ::
:: exploit that produces a shell as user "nobody". I'm not sure, but if yer ::
:: running an ipop2d yer a loser anyway, so who cares. ;)                   ::
::                                                                          ::
:: Now you should have a quasi-secure lame Linux box that is hopefully a    ::
:: bit less lame than when you started. This text only really covers what   ::
:: silly security problems need to be fixed, not common sense stuff. If     ::
:: you are new to *nix then you should get the Linux Administrators         ::
:: Security Guide from www.seifried.org/lasg - but not even that can        ::
:: completely teach you common sense. Make sure to close unwanted ports by  ::
:: checking your /etc/inetd.conf and preparing user's home directories      ::
:: properly, ie. like this...                                               ::
::                                                                          ::
:: cd /home/redneck                 # Go to the home directory              ::
:: chattr +a .bash_history          # Make history append only              ::
:: chown root.root .bash_profile    # Make profile unmodifiable             ::
:: chown root.root .bash_logout     # Make logout unmodifiable              ::
:: chown root.root .bashrc          # Make bashrc unmodifiable              ::
::                                                                          ::
:: There is a wealth of stuff you can do to make your system much more      ::
:: secure, but I'm not going to go into any of that right now. There are    ::
:: already too many lame guides to generic Linux security, and I don't      ::
:: feel like making another one. Later.                                     ::
::                                                                          ::
::                               --=====--                                  ::
:: * Kat (guy@inside.thematrix.za.net) has joined #hack                     ::
:: <wyze1> Guy... do you want to know... what... the matrix is?             ::
:: <wyze1> WELL I WONT TELL YOU, YA DUMB LITTLE FUCK!#%!$^%! THEY SAID I    ::
:: COULD HAVE A TALK SHOW, BUT NOOOOOOOOO, I HAVE TO BE IN A SCI-FI AND     ::
:: WEAR THIS G00FY TRENCHCOAT!^%$#^$!#%$ I HATE YOU ALL DAMNIT!#%@%^$#      ::
:: <wyze1> *sigh*                                                           ::
:: * wyze1 sets mode: +o Kat                                                ::
::                               --=====--                                  ::
::                                                                          ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH