Thursday, February 23, 2012

SSH security hardening

The configuration file for ssh server security hardening is located at /etc/ssh/sshd_config
There are couple of entries you would like to pay little attention. Please go through each entries and try to understand what they do. Based on the requirement of your organization, you add/remove/modify the values.

1. Link a banner file.
Banner /etc/issue
Note: issue file contains the banner entry. it can be /etc/ssh-banner or something..

2. Set Maximum number of retries for authentication
MaxAuthTriesLog 3

3. Are logins to accounts with empty passwords allowed?
PermitEmptyPasswords no

4. Are root logins permitted using sshd ?
PermitRootLogin no

Thursday, February 9, 2012

packet filtering and configure network address translation using iptable

Use iptables to implement packet filtering and configure network address translation (NAT)

Install and use "system-config-network-tui" to create the basic "/etc/sysconfig/iptables" file, then edit the file with vi.

Filtering:

man iptables

iptables -I INPUT -s 192.168.1.3 -p tcp --dport 22 -j ACCEPT

-I insert (Can include a rule number, for example "-I 4" which means "insert as 4th rule")
-A append
-D delete (include rule number)
-m Specify a module to use (ex: Use "-m multiport" to specify multiple ports)
-s source
-d destination
--dport destination port
--sport source port
-j jump to target (ACCEPT, DENY, DROP)


The last rule should be (to reject all others):

iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited


Block a host:
iptables -I INPUT -p tcp --dport 80 -s 10.168.20.225 -j REJECT

Block a subnet:
iptables -I INPUT -p tcp -s 10.168.20.0/24 -j REJECT

Accept reply packets:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Accept anything on the loopback interface:
iptables -i lo -j ACCEPT

NAT:

Allow the gateway to forward IP packets by modifying /etc/sysctl.conf

Change
net.ipv4.ip_forward = 0
To
net.ipv4.ip_forward = 1

Then execute: sysctl -p

Examples:
iptables -t nat -I POSTROUTING -o eth1 -j MASQUERADE

iptables -I FORWARD -i eth1 -o eth1 -j ACCEPT -m comment --comment "accept everything on the way out"

iptables -I FORWARD -o eth1 -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT -m comment --comment "accept related or established on the way back"

DNAT:

Forward all incomming tcp traffic on port 8800 to 192.168.1.3 port 80:

iptables -t nat -I PREROUTING -p tcp --dport 8800 -j DNAT -to 192.168.1.3:80

From the web, sorry forgot the source ...

Thursday, February 2, 2012

Create, lock, and unlock user account on Redhat

User account activities on Redhat

1. Lock the user password
# usermod -L username

2. Force password change upon initial login.
# chage -d 0 username

3. Unlock the account
There are two common approaches to this step.
The administrator can assign an initial password or assign a null password.

Note: passwd disables the immediate password expiration just configured.

a. Assign a null password instead of an initial password.
# usermod -p "" username

b. Using Python interpreter with the python command and usermod.
# python
at the prompt, type the following commands. Replace with the password to encrypt and with a random combination of at least 2 of the following: any alphanumeric character, the slash (/) character or a dot (.).

# import crypt; print crypt.crypt("","")

The output is the encrypted password, similar to '12CsGd8FRcMSM'.
Press Ctrl-D to exit the Python interpreter.

At the shell, enter the following command (replacing with the encrypted output of the Python interpreter):

# usermod -p ""

4. Adding a new user account
# useradd myuser
# passwd myuser

source:redhat

Wednesday, February 1, 2012

Delegation of task: shutdown the system by non-root user

Delegation of task: shutdown the system by non-root user.

When you have to give access to the folks from help desk to only shutdown the system, you can do so by following the procedure below.

1. Create a group/users for that particular group list. [ group=shutgroup, user=nocuser
# groupadd shutgroup
# adduser -G shutgroup nocuser

3. Allow the user and group to execute the shutdown permission by editing the sudoers file.
# vi /etc/sudoers #

adn add the following Line.
%shutgroup ALL=NOPASSWD:/sbin/shutdown

Now, any member of the group shutgroup will be able to shutdown the server.

To execute the command use as follows,
# sudo shutdown -h now

How to set up web site on Redhat

Deploy Web Service on Redhat (httpd service)

1. Install httpd package
# yum install httpd* -y

2. Edit the configuration file and look for the ServeName and DocumentRoot

# vi /etc/httpd/conf/httpd.conf

ServerName sama.bhusal.com
DocumentRoot /var/www/html

3. create index file on doc root directory.
# cd /var/www/html
# echo "Welcome to my First web page on this web server" > index.htm

4. start the httpd service
# service httpd start

5. make httpd service persistent
# chkconfig httpd on

6. check web service

go to sama.bhusal.com

How to Install and Configure Nagios on Redhat/Centos.

Install and configure Nagios on Centos 5.
Note: This procedure works on centos and assume work on Redhat 5 as well.

Planning: download and install apache, nagios on the system.

A. Install RPMforge package for your distribution and architecture.
[ http://dag.wieers.com/rpm/FAQ.php#B2 ]

1.a. For x86 - 32-bit systems
# rpm -Uhv http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.i386.rpm

1.b. For x64 - 64-bit systems
# rpm -Uhv http://apt.sw.be/redhat/el5/en/x86_64/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm

B. Install Apache.

1. Install Apache
# yum install httpd php gcc glibc glibc-common gd gd-devel

2. Configure Apache to start on boot
# chkconfig --levels 345 httpd on

3. Configure iptables to allow Apache traffic
# iptables -I INPUT -p tcp --dport 80 -j ACCEPT
# /etc/init.d/iptables save
# /etc/init.d/iptables restart


C. Install & Configure Nagios

1. Install Nagios and Plugins
# yum install nagios nagios-plugins nagios-plugins-setuid

2. Create the default Nagios web access user & set a password
# htpasswd -c /etc/nagios/htpasswd.users nagiosadmin

3. Verify default config files
# nagios -v /etc/nagios/nagios.cfg

4. Start Nagios
# service nagios start/restart

5. Start Apache
# service httpd start/restart

6. Verify the installation.
Login to the nagios page by going to the site http://server.domain.com/nagios with nagiosadmin and password.

Good to go ...