The configuration file for SSH server security hardening is /etc/ssh/sshd_config.
There are a couple of entries you should pay attention to. Go through each entry and understand what it does; based on your organization's requirements, add, remove or modify the values. Keep in mind that sshd uses the first occurrence of a keyword it finds, and run "sshd -t" to syntax-check the file before restarting the service so a typo does not lock you out.
1. Link a banner file.
Banner /etc/issue
Note: the issue file contains the banner text. It can be /etc/ssh-banner or any other file you choose.
2. Set the maximum number of authentication attempts allowed per connection (the OpenSSH keyword is MaxAuthTries).
MaxAuthTries 3
3. Are logins to accounts with empty passwords allowed?
PermitEmptyPasswords no
4. Are root logins permitted using sshd?
PermitRootLogin no
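The following script is an added example, not part of the original post: it audits an sshd_config for the four settings just listed, the way a quick compliance check would. It mirrors how sshd reads the file (first occurrence of a keyword wins, keywords are case-insensitive, everything after a Match line is conditional and so is skipped). The two config files it creates are constructed for the example; an unset PermitEmptyPasswords is reported as a failure even though it defaults to "no", so that the value is explicit.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# four hardening settings listed above. sshd applies the first occurrence of
# a keyword (case-insensitive) and everything after a "Match" line is
# conditional, so only the global section before the first Match is read.
# Both config files below are constructed for this example.

HARDENED_CFG=$(mktemp)
cat > "$HARDENED_CFG" <<'EOF'
# constructed hardened config
Banner /etc/issue
MaxAuthTries 3
PermitEmptyPasswords no
PermitRootLogin no
Match Address 192.168.1.0/24
    PasswordAuthentication yes
EOF

WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# constructed weak config: the hardened line is commented out, so it is not in effect
#PermitRootLogin no
PermitRootLogin yes
MaxAuthTries 6
PermitEmptyPasswords no
EOF

# sshd_get FILE KEYWORD -> prints the effective value, or nothing if unset
sshd_get() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        tolower($1) == "match"  { exit }    # stop at the first Match block
        tolower($1) == key      { print $2; exit }' "$1"
}

# sshd_check FILE -> one "ok"/"FAIL" line per setting; returns 1 if any failed
sshd_check() {
    f="$1"; rc=0
    for pair in PermitRootLogin=no PermitEmptyPasswords=no; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_get "$f" "$key")
        if [ "$got" = "$want" ]; then echo "ok   $key $got"
        else echo "FAIL $key ${got:-<unset>} (want $want)"; rc=1; fi
    done
    tries=$(sshd_get "$f" MaxAuthTries)
    if [ -n "$tries" ] && [ "$tries" -le 3 ]; then echo "ok   MaxAuthTries $tries"
    else echo "FAIL MaxAuthTries ${tries:-<unset>} (want 3 or fewer)"; rc=1; fi
    banner=$(sshd_get "$f" Banner)
    if [ -n "$banner" ] && [ "$banner" != "none" ]; then echo "ok   Banner $banner"
    else echo "FAIL Banner not set"; rc=1; fi
    return $rc
}

# Usage on a real host: sshd_check /etc/ssh/sshd_config  (then "sshd -t" before restarting sshd)
```

The weak file shows the most common audit mistake: a hardened line that is commented out looks right in a grep but is not in effect, which is why the check skips comments before matching.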
~~~~~ Warning !!! Content posted here are gained through the real world experience or some may come from training or any other Internet sources. Reading this blog may confuse you or may increase understanding of UNIX/Linux operating system and its component. It might help you to land on Real job or may fire your from the Real job. So, use on your own risk !!! No left or right reserved !!! -Kamal ~~~~~
Thursday, February 23, 2012
Thursday, February 9, 2012
packet filtering and configure network address translation using iptable
Use iptables to implement packet filtering and configure network address translation (NAT)
Install and use "system-config-network-tui" to create the basic "/etc/sysconfig/iptables" file, then edit the file with vi.
Filtering:
man iptables
iptables -I INPUT -s 192.168.1.3 -p tcp --dport 22 -j ACCEPT
-I insert (Can include a rule number, for example "-I 4" which means "insert as 4th rule")
-A append
-D delete (include rule number)
-m Specify a module to use (ex: Use "-m multiport" to specify multiple ports)
-s source
-d destination
--dport destination port
--sport source port
-j jump to target (ACCEPT, REJECT, DROP)
The last rule should be (to reject all others):
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
Block a host:
iptables -I INPUT -p tcp --dport 80 -s 10.168.20.225 -j REJECT
Block a subnet:
iptables -I INPUT -p tcp -s 10.168.20.0/24 -j REJECT
Accept reply packets:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Accept anything on the loopback interface:
iptables -A INPUT -i lo -j ACCEPT
(the loopback and ESTABLISHED,RELATED rules must sit above the final REJECT rule, so add them before it or insert them with -I)
NAT:
Allow the gateway to forward IP packets by modifying /etc/sysctl.conf
Change
net.ipv4.ip_forward = 0
To
net.ipv4.ip_forward = 1
Then execute: sysctl -p
Examples:
iptables -t nat -I POSTROUTING -o eth1 -j MASQUERADE
iptables -I FORWARD -i eth0 -o eth1 -j ACCEPT -m comment --comment "accept everything on the way out"
iptables -I FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT -m comment --comment "accept related or established on the way back"
(eth0 is assumed to be the LAN-facing interface and eth1 the Internet-facing one; the two FORWARD rules need different -i and -o interfaces, otherwise packets are only forwarded back out the interface they arrived on)
DNAT:
Forward all incoming TCP traffic on port 8800 to 192.168.1.3 port 80:
iptables -t nat -I PREROUTING -p tcp --dport 8800 -j DNAT --to-destination 192.168.1.3:80
The translated connection must also be allowed through the FORWARD chain, or the final REJECT rule there will block it.
From the web, sorry forgot the source ...
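As an added example (not from the original post or its unknown source), the script below combines the filtering and NAT rules above into one iptables-restore file, the format used by /etc/sysconfig/iptables, so the whole ruleset can be reviewed and reloaded atomically instead of being typed rule by rule. Rule order matters with a catch-all REJECT at the end, which is why the loopback and ESTABLISHED,RELATED rules come first; the check function verifies that ordering. Interface names, the admin host, the blocked subnet and the internal web server address are assumed values.

```shell
#!/bin/sh
# Added example (not from the original post): build the filtering and NAT
# rules above as one iptables-restore file, the format used by
# /etc/sysconfig/iptables. Rule order matters with a final catch-all REJECT,
# which is why the loopback and ESTABLISHED,RELATED rules come first.
# Interface names, the admin host, the blocked subnet and the internal
# web server address are assumed values for the example.

# gen_iptables_rules [LAN_IF] [WAN_IF] [ADMIN_HOST] [WEB_SERVER] -> ruleset on stdout
gen_iptables_rules() {
    lan_if="${1:-eth0}"              # assumed LAN-facing interface
    wan_if="${2:-eth1}"              # assumed Internet-facing interface
    admin_host="${3:-192.168.1.3}"   # host allowed to ssh in
    web_server="${4:-192.168.1.3}"   # internal web server behind the gateway
    blocked_net="10.168.20.0/24"     # subnet to reject outright
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# accept anything on the loopback interface
-A INPUT -i lo -j ACCEPT
# accept reply packets for connections this host started
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# block the bad subnet before any ACCEPT rule can match it
-A INPUT -s $blocked_net -j REJECT
# ssh only from the admin host, web from anywhere
-A INPUT -s $admin_host -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
# LAN -> Internet: everything out, only replies back
-A FORWARD -i $lan_if -o $wan_if -j ACCEPT
-A FORWARD -i $wan_if -o $lan_if -m state --state RELATED,ESTABLISHED -j ACCEPT
# connections rewritten by the DNAT rule below must also pass the FORWARD chain
-A FORWARD -i $wan_if -o $lan_if -p tcp -d $web_server --dport 80 -m state --state NEW -j ACCEPT
# reject everything else (last rule in each chain)
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# masquerade LAN traffic leaving through the Internet interface
-A POSTROUTING -o $wan_if -j MASQUERADE
# forward incoming tcp 8800 on the Internet interface to the web server's port 80
-A PREROUTING -i $wan_if -p tcp --dport 8800 -j DNAT --to-destination $web_server:80
COMMIT
EOF
}

# check_reject_last [same args] -> 0 if the catch-all REJECT is the last rule of
# both INPUT and FORWARD, otherwise 1 (a later ACCEPT would be unreachable)
check_reject_last() {
    gen_iptables_rules "$@" | awk '
        /^-A INPUT/   { last_in = $0 }
        /^-A FORWARD/ { last_fw = $0 }
        END { if (last_in ~ /-j REJECT/ && last_fw ~ /-j REJECT/) exit 0; exit 1 }'
}

# Usage on a gateway (as root, after setting net.ipv4.ip_forward = 1):
#   gen_iptables_rules eth0 eth1 > /etc/sysconfig/iptables && service iptables restart
```

Loading the file with "service iptables restart" replaces the running ruleset in one step, so a half-applied set of rules never sits on a live gateway; "iptables -L -n -v --line-numbers" afterwards shows the resulting order and packet counters.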
Thursday, February 2, 2012
Create, lock, and unlock user account on Redhat
User account activities on Redhat
1. Lock the user password
# usermod -L username
2. Force password change upon initial login.
# chage -d 0 username
3. Unlock the account
There are two common approaches to this step: the administrator can assign an initial password or assign a null password.
Note: do not use the passwd command here, as it disables the immediate password expiration just configured.
a. Assign a null password instead of an initial password.
# usermod -p "" username
With a null password, anyone who can reach a login prompt can log in as that user until the password is set, so keep PermitEmptyPasswords no in sshd_config and hand the account over promptly.
b. Assign an initial password using the Python interpreter and usermod.
# python
At the prompt, type the following command. Replace password with the password to encrypt and salt with a random combination of at least 2 of the following: any alphanumeric character, the slash (/) character or a dot (.).
>>> import crypt; print crypt.crypt("password","salt")
The output is the encrypted password, similar to '12CsGd8FRcMSM'.
Press Ctrl-D to exit the Python interpreter.
At the shell, enter the following command (replacing encrypted-password with the encrypted output of the Python interpreter):
# usermod -p "encrypted-password" username
4. Adding a new user account
# useradd myuser
# passwd myuser
source:redhat
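To see what the commands above actually do to the account, here is an added example (not from the original post or the Red Hat documentation) that reads /etc/shadow-style entries and reports the state each command produces: usermod -L prefixes the hash with "!", usermod -p "" leaves the hash field empty, and chage -d 0 sets the last-change day to 0. The same functions double as an audit for accounts that can log in with no password at all. The sample entries are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): see what the commands above
# actually change in /etc/shadow and audit accounts for those states.
# Field 2 is the password hash: a "!" prefix means usermod -L locked it,
# an empty field means usermod -p "" set a null password, "*" means no
# password login. Field 3 is the last-change day; 0 means chage -d 0 forced
# a change at next login. The sample entries below are constructed.

SAMPLE_FILE=$(mktemp)
cat > "$SAMPLE_FILE" <<'EOF'
root:$6$saltsalt$Fak3Hash0nlyForTheExample:15000:0:99999:7:::
nocuser:!$6$saltsalt$Fak3Hash0nlyForTheExample:15000:0:99999:7:::
myuser::0:0:99999:7:::
svc:*:15000:0:99999:7:::
tmpuser:$1$ab$cdefghijklmnopqrstuvw:0:0:99999:7:::
EOF

# shadow_state NAME FILE -> empty-password | locked | no-login | must-change | ok | unknown
shadow_state() {
    awk -F: -v u="$1" '
        $1 == u {
            found = 1
            if ($2 == "")  { print "empty-password"; exit }   # most dangerous state first
            if ($2 ~ /^!/) { print "locked";         exit }
            if ($2 == "*") { print "no-login";       exit }
            if ($3 == "0") { print "must-change";    exit }
            print "ok"; exit
        }
        END { if (!found) print "unknown" }' "$2"
}

# list_empty_passwords FILE -> names of accounts that can log in with no password at all
list_empty_passwords() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Usage on a real host (as root):
#   shadow_state nocuser /etc/shadow
#   list_empty_passwords /etc/shadow
```

The myuser entry is exactly what steps 2 and 3a leave behind (empty hash and last-change 0), which is why the check reports the empty password before the forced change: it is the state that matters most until the user has logged in once.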
Wednesday, February 1, 2012
Delegation of task: shutdown the system by non-root user
When you have to give access to the folks from help desk to only shutdown the system, you can do so by following the procedure below.
1. Create a group and the user(s) who belong to it [group=shutgroup, user=nocuser].
# groupadd shutgroup
# adduser -G shutgroup nocuser
(if nocuser already exists, add the group with "usermod -aG shutgroup nocuser" instead)
2. Allow the group to execute shutdown by editing the sudoers file with visudo, which locks the file and syntax-checks it before saving, so a typo cannot break sudo for everyone.
# visudo
and add the following line.
%shutgroup ALL=NOPASSWD:/sbin/shutdown
Now, any member of the group shutgroup will be able to shut down the server.
To execute the command, a member of the group runs:
$ sudo /sbin/shutdown -h now
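As an added example (not from the original post), the script below installs the same delegation as a drop-in file under /etc/sudoers.d instead of editing /etc/sudoers directly, and narrows the grant to the exact shutdown forms the help desk needs (halt or reboot "now"), so the same rule cannot be used with other arguments. It assumes the sudoers file contains the "#includedir /etc/sudoers.d" line (default on RHEL 6 and later) and that the command path is /sbin/shutdown; the validation function is a local sanity check, and visudo -cf remains the authoritative syntax check before the file is installed.

```shell
#!/bin/sh
# Added example (not from the original post): install the shutdown delegation
# as a drop-in under /etc/sudoers.d rather than editing /etc/sudoers by hand,
# and tighten it to the exact shutdown forms the help desk needs. The group
# name, command path and allowed arguments are assumed values; visudo -cf
# syntax-checks the file before it is installed. Assumes sudoers contains
# "#includedir /etc/sudoers.d".

# gen_sudoers_dropin GROUP CMD -> sudoers rule on stdout
gen_sudoers_dropin() {
    group="$1"; cmd="$2"
    # listing the exact argument forms means other flags (or a bare "shutdown")
    # are not covered by the grant
    printf '%%%s ALL=(root) NOPASSWD: %s -h now, %s -r now\n' "$group" "$cmd" "$cmd"
}

# validate_dropin FILE -> 0 if every rule is a group rule with an absolute
# command path and no "NOPASSWD: ALL", else 1
validate_dropin() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 !~ /^%/                { bad = 1 }   # must be a group rule
        $0 ~ /NOPASSWD:[ \t]*ALL/ { bad = 1 }   # never grant ALL without a password
        { n = split($0, parts, /NOPASSWD:[ \t]*/); if (parts[n] !~ /^\//) bad = 1 }  # absolute path
        END { if (bad) exit 1; exit 0 }' "$1"
}

# install_dropin GROUP CMD -> writes /etc/sudoers.d/shutdown-GROUP (mode 0440)
# only if both the local check and visudo accept it. Run as root; not run here.
install_dropin() {
    tmp=$(mktemp)
    gen_sudoers_dropin "$1" "$2" > "$tmp"
    validate_dropin "$tmp" && visudo -cf "$tmp" \
        && install -m 0440 -o root -g root "$tmp" "/etc/sudoers.d/shutdown-$1"
    rc=$?; rm -f "$tmp"; return $rc
}

# Usage (as root):  install_dropin shutgroup /sbin/shutdown
# Then verify what nocuser may run with:  sudo -l -U nocuser
```

Dropping the file into /etc/sudoers.d also makes the delegation easy to remove later: deleting one file revokes it, with nothing to find and edit inside the main sudoers file.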
How to set up web site on Redhat
Deploy Web Service on Redhat (httpd service)
1. Install httpd package
# yum install httpd* -y
2. Edit the configuration file and look for ServerName and DocumentRoot
# vi /etc/httpd/conf/httpd.conf
ServerName sama.bhusal.com
DocumentRoot /var/www/html
3. Create an index file in the document root directory (Apache serves index.html by default, so use that name rather than index.htm).
# cd /var/www/html
# echo "Welcome to my First web page on this web server" > index.html
4. Start the httpd service
# service httpd start
5. Make the httpd service persistent across reboots
# chkconfig httpd on
6. Check the web service
Open http://sama.bhusal.com in a browser (port 80 must be allowed through iptables first).
How to Install and Configure Nagios on Redhat/Centos.
Install and configure Nagios on Centos 5.
Note: This procedure was tested on CentOS 5 and should work on Red Hat 5 as well.
Planning: download and install Apache and Nagios on the system.
A. Install RPMforge package for your distribution and architecture.
[ http://dag.wieers.com/rpm/FAQ.php#B2 ]
1.a. For x86 - 32-bit systems
# rpm -Uhv http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
1.b. For x64 - 64-bit systems
# rpm -Uhv http://apt.sw.be/redhat/el5/en/x86_64/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm
B. Install Apache.
1. Install Apache
# yum install httpd php gcc glibc glibc-common gd gd-devel
2. Configure Apache to start on boot
# chkconfig --levels 345 httpd on
3. Configure iptables to allow Apache traffic
# iptables -I INPUT -p tcp --dport 80 -j ACCEPT
# /etc/init.d/iptables save
# /etc/init.d/iptables restart
C. Install & Configure Nagios
1. Install Nagios and Plugins
# yum install nagios nagios-plugins nagios-plugins-setuid
2. Create the default Nagios web access user & set a password
# htpasswd -c /etc/nagios/htpasswd.users nagiosadmin
3. Verify default config files
# nagios -v /etc/nagios/nagios.cfg
4. Start Nagios
# service nagios start (or "service nagios restart" if it is already running)
5. Start Apache
# service httpd start (or "service httpd restart" if it is already running)
6. Verify the installation.
Login to the nagios page by going to the site http://server.domain.com/nagios with nagiosadmin and password.
Good to go ...