By default, when you log in to a Linux machine, the login banner tells you the distribution name and version, the kernel version and the machine name. That gives away more than an attacker needs to know. We would rather present users with a bare "Login:" prompt.
To do this, edit the rc.local file (vi /etc/rc.local), which on Red Hat-style systems rewrites /etc/issue at every boot, and place "#" in front of the following lines as shown:
# This will overwrite /etc/issue at every boot. So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
#echo "" > /etc/issue
#echo "$R" >> /etc/issue
#echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
##cp -f /etc/issue /etc/issue.net
#echo >> /etc/issue
Then remove the issue.net and issue files under the /etc/ directory (getty prints /etc/issue before the login prompt; /etc/issue.net is the network banner, shown by telnetd and, only if Banner points at it in sshd_config, by sshd). With both files gone nothing but the prompt is shown:
# rm -f /etc/issue
# rm -f /etc/issue.net
To find all files with the setuid or setgid bit (the "s" bits) set, use the command:
# find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -l {} \;
Note that this lists every setuid/setgid file, not only root-owned ones; add -user root to restrict it to those, which are the ones that matter most. A program named sXid will do the job for you automatically each day and report the results via mail.
To disable the suid bit on selected programs from the list above, use chmod a-s:
# chmod a-s /usr/bin/chage
Only strip the bit from programs whose privileged function you do not need: chage without setuid means ordinary users can no longer view their own password ageing information, and stripping it from passwd or su stops them working for non-root users altogether. Keep a record of what you changed, because package updates restore the bits.
The password length
Edit the passwd file (vi /etc/pam.d/passwd) and remove the following line:
password required /lib/security/pam_stack.so service=system-auth
Edit the system-auth file (vi /etc/pam.d/system-auth) and remove the lines:
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
Now add the following lines to /etc/pam.d/passwd. We use the PAM "pam_cracklib" module here with the argument "minlen" to enforce the password length.
password required /lib/security/pam_cracklib.so retry=3 minlen=12
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
Two caveats. First, minlen is not a plain character count: pam_cracklib grants a "credit" (one by default) for each character class used, so with minlen=12 a password mixing digits, upper case, lower case and punctuation can be as short as 8 characters. Set dcredit, ucredit, lcredit and ocredit to 0 to make minlen a hard minimum. Second, moving the password stack out of system-auth takes it away from every other service that stacks system-auth for password changes; the simpler route is to leave both files as they are and just add minlen=12 to the pam_cracklib line in system-auth, which /etc/pam.d/passwd already pulls in through pam_stack. On current distributions pam_stack has been replaced by the "include" directive and pam_cracklib by pam_pwquality, which takes the same minlen and credit arguments.
Fix the permissions of the script files that are responsible for starting and stopping all the normal processes that need to run at boot time.
To fix the permissions of those files, use the following command:
[root@deep /]# chmod -R 700 /etc/init.d/*
This means only the super-user "root" may read, write and execute the scripts in this directory. Regular users have no need to see what is inside them; the scripts reveal which services run, from where and with which options.
WARNING: If you install a new program or update one that ships a System V init script under /etc/rc.d/init.d/, do not forget to check or correct the permissions of that script again, since packages install their own mode. Be aware too that ordinary users can no longer run these scripts at all (for example to query a service's status); if something that needs that breaks, relax the mode to 750 for the group concerned rather than going back to 755.
http://www.securityfocus.com/infocus/1613
It is important to look everywhere on the system for unusual or hidden files (files whose names start with a period and are normally not shown by "ls"), as these can be used to hide tools and information (password-cracking programs, password files from other systems, etc.). A common technique on UNIX systems is to put a hidden directory or file in a user's account with an unusual name, something like "..." or ".. " (dot dot space) or "..^G" (dot dot control-G), which is easy to overlook in a listing. The find program can be used to look for hidden files.
To look for hidden files, use the following commands (cat -v makes control characters in names visible, so control-G shows up as ^G):
# find / -xdev -name ".. " -print
# find / -xdev -name ".*" -print | cat -v
Manually add all MAC addresses.
Get the MAC address of each machine using ifconfig.
To add a MAC address to the ARP table manually, use the following command:
# arp -s 207.35.78.3 00:50:DA:C6:D3:FF
WARNING: If you receive an error message like SIOCSARP: Invalid argument, it is because the MAC (Media Access Control) address you are trying to add is your own server's. Add only the MAC addresses of INTERNAL computers on your private network; this hack does not apply to external nodes on the Internet, which are reached through the gateway's MAC address rather than their own.
You can now be reassured that someone cannot simply change the IP address of an INTERNAL system and get through: if they do change the IP address, the server simply won't talk to them, because it sends frames for that IP to the MAC it has pinned. An attacker who clones the MAC address as well still gets past it, so this raises the bar rather than closing the door. Entries added with arp -s do not survive a reboot; put them in /etc/ethers (one "MAC address" pair per line) and load them at boot with arp -f /etc/ethers. With the new iptables tool of Linux, which replaces the old ipchains utility for packet filter administration and firewall setup, MAC addresses can also be filtered in the firewall rules (the mac match module, --mac-source).
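As an added example (it is not code from the original page), the following POSIX shell helper pins each internal IP to its MAC at both of the layers just mentioned: it reads an ethers(5)-style file ("MAC IP" per line, # comments allowed), validates every pair, and prints a static neighbour entry (ip neigh ... nud permanent, the modern form of arp -s) plus an iptables rule that drops packets claiming that IP from any other MAC. The function name static_arp_rules, the interface name eth0 and the sample addresses are my own assumptions; the commands are printed rather than run so you can review them before applying.

```shell
#!/bin/sh
# static_arp.sh: hypothetical helper (an added example, not from the original page).
# Reads an ethers(5)-style file, "MAC IP" per line with # comments, validates each
# pair and emits the commands that pin the IP to that MAC at two layers:
#   ip neigh ... nud permanent   (static ARP entry; the modern form of arp -s)
#   iptables -m mac              (drop packets claiming the IP from another MAC)
# Usage (as root, after reviewing the output):
#   static_arp_rules eth0 /etc/ethers | sh

is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# static_arp_rules IFACE FILE
# Prints one "ip neigh replace" and one "iptables" line per valid entry.
# Malformed lines are reported on stderr and skipped; the exit status is the
# number of malformed lines (0 when the whole file was clean).
static_arp_rules() {
    iface=$1
    file=$2
    bad=0
    while read -r mac ip rest; do
        # blank lines and comments
        case $mac in ''|'#'*) continue ;; esac
        if ! is_mac "$mac" || ! is_ipv4 "$ip"; then
            printf 'skipping malformed entry: %s %s\n' "$mac" "$ip" >&2
            bad=$((bad + 1))
            continue
        fi
        # Static neighbour entry: the kernel will not update it from ARP replies.
        printf 'ip neigh replace %s lladdr %s dev %s nud permanent\n' "$ip" "$mac" "$iface"
        # Packets that carry this source IP but arrive from a different MAC are dropped.
        printf 'iptables -A INPUT -i %s -s %s -m mac ! --mac-source %s -j DROP\n' \
            "$iface" "$ip" "$mac"
    done < "$file"
    return "$bad"
}
```

The file is the same one arp -f reads, so the ARP half can also be loaded with arp -f alone; the iptables half is what turns a pinned ARP entry into a rule that also drops forged packets which reach the host some other way. As noted above, a host that clones both the IP and the MAC is not stopped by either.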
Set an idle timeout for all users' login shells. Do this by adding to /etc/profile:
TMOUT=7200
export TMOUT
TMOUT is honoured by bash (and ksh): an interactive shell that has waited this many seconds (here two hours) for input exits. Since a user can simply unset the variable, add readonly TMOUT after the export if you want it enforced.
Edit the profile file (vi /etc/profile) and change the line:
HISTSIZE=1000
to read:
HISTSIZE=10
This means the .bash_history file in each user's home directory stores at most 10 old commands. Now, if a cracker tries to read users' ~/.bash_history files on your server looking for a password typed by mistake in plain text, he or she has less chance of finding one.
HISTFILESIZE=0
# With HISTFILESIZE=0, bash truncates .bash_history to nothing when it writes the file out at logout, so crackers will not be able to use the .bash_history file of users who are not presently logged into the system. Both settings only reach shells that read /etc/profile, and a user can override them in ~/.bashrc unless you also mark them readonly.
To locate all group- and world-writable files on your system, use the command:
# find / -type f \( -perm -2 -o -perm -20 \) -exec ls -lg {} \;
To locate all group- and world-writable directories on your system, use the command:
# find / -type d \( -perm -2 -o -perm -20 \) -exec ls -ldg {} \;
(-perm -2 matches the world-writable bit, -perm -20 the group-writable bit. World-writable directories with the sticky bit set, such as /tmp, are expected; anything else should have a reason you can name.)
See "Tripwire".
To locate files on your system that have no owner or no group (usually left behind by a deleted account, or unpacked from an intruder's archive), use the following command:
# find / -nouser -o -nogroup
NOTE: Ignore files reported under the /dev/ directory.
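The find-based checks on this page (setuid/setgid files, group- and world-writable files and directories, oddly named hidden files, and unowned files) all have the same shape, so here they are gathered into one POSIX shell helper as an added example that is not part of the original page. Each function takes a root directory instead of hard-coding "/", which lets it be run against a test tree, and the setuid list can be snapshotted and diffed against a baseline in the spirit of the daily sXid report mentioned above. The function names (audit_setid, audit_writable, audit_hidden, audit_unowned, snapshot_setid, report_new_setid, audit_all) are my own.

```shell
#!/bin/sh
# fs_audit.sh: hypothetical helper (an added example, not from the original page).
# Wraps the page's find-based checks as functions that take a root directory, so
# they can be run against a test tree as well as "/" and their output diffed or
# mailed from cron. Every function stays on one filesystem (-xdev) and prints
# one path per line.

# Regular files with the setuid (04000) or setgid (02000) bit set.
audit_setid() {
    find "$1" -xdev -type f \( -perm -04000 -o -perm -02000 \) -print 2>/dev/null
}

# Files and directories writable by group (020) or world (002). World-writable
# directories carrying the sticky bit (01000), such as /tmp, are expected and
# are left out; everything else deserves a look.
audit_writable() {
    find "$1" -xdev \( -type f -o -type d \) \( -perm -0002 -o -perm -0020 \) \
        ! \( -type d -perm -01000 \) -print 2>/dev/null
}

# Dot-files whose names are easy to overlook in a listing: a name made only of
# dots (such as "...") or one containing whitespace or control characters
# (".. ", "..^G"). Only the last path component is tested; cat -v renders
# control characters visibly, so control-G shows up as ^G.
audit_hidden() {
    find "$1" -xdev -name '.*' -print 2>/dev/null \
        | LC_ALL=C awk -F/ '$NF ~ /[^!-~]/ || $NF ~ /^\.\.\.+$/' \
        | cat -v
}

# Files with no matching entry in /etc/passwd or /etc/group; /dev under the
# given root is skipped, as the page advises.
audit_unowned() {
    find "$1" -xdev \( -nouser -o -nogroup \) ! -path "${1%/}/dev/*" -print 2>/dev/null
}

# snapshot_setid ROOT FILE: record the current setuid/setgid list, sorted.
snapshot_setid() {
    audit_setid "$1" | LC_ALL=C sort > "$2"
}

# report_new_setid BASELINE ROOT: setuid/setgid files under ROOT that were not
# in BASELINE. A new setuid binary is a classic sign of a rootkit or of a
# careless package, so this is the line you want mailed each day.
report_new_setid() {
    audit_setid "$2" | LC_ALL=C sort | LC_ALL=C comm -13 "$1" -
}

# Tagged one-shot report for cron, e.g.:  audit_all / | mail -s "fs audit" root
audit_all() {
    root=${1:-/}
    audit_setid    "$root" | sed 's/^/SETID    /'
    audit_writable "$root" | sed 's/^/WRITABLE /'
    audit_hidden   "$root" | sed 's/^/HIDDEN   /'
    audit_unowned  "$root" | sed 's/^/UNOWNED  /'
}
```

Run snapshot_setid / /var/lib/setid.baseline once on a freshly installed, trusted system, then have cron run report_new_setid against it daily; an empty report is the normal case, and any path that shows up should be explained before the baseline is updated. The unowned-file check is the only one you cannot exercise without root, since creating a file owned by a non-existent uid requires it.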