
Security

RedHat Linux Security Procedures

These are steps and procedures for making RedHat Linux machines more secure on NCSA's network.


Keeping rpm packages up to date

Probably the number one way to prevent your RedHat machine from being compromised is to keep the rpm packages installed on the machine up to date. There are many different ways to do this, and we cover a couple here.

updateme
Updateme is a package developed at the University of Georgia. The updateme home page is http://www.eits.uga.edu/wsg/linux/updateme/. From there you will be able to install the rpm. Once installed you can run the commands:

  # updateme --cron --cron_interval daily
This will set up updateme to run daily from cron. However, this only checks RPMs for updates; it does not install them. When it runs it will send mail to root on the machine with a list of packages that need updating. You can then run updateme by hand on the machine to install the RPMs. We recommend having the cron job just notify, rather than install RPMs, because there are often dependencies that need to be resolved when installing an RPM.

You will also need to create the file /usr/local/etc/updateme.cf and add the following line:

site=linux.ncsa.uiuc.edu
This will fetch all RPM updates from NCSA's Linux FTP server. Here is a sample updateme.cf file.

Note:
Be sure you modify the following line in the /etc/aliases file so that someone is receiving root's mail:

# Person who should get root's mail
root:user@ncsa.uiuc.edu
After you have added the "user" to receive mail you will need to run the command:
  # /usr/bin/newaliases

up2date
Up2date is an update agent program provided by RedHat. It is a mechanism for updating RPMs via a command line or graphical interface. If you run the command:

  # /usr/bin/up2date
it will start up the graphical interface if you are currently running X. The interface will then lead you through the steps to update your machine's RPMs.

You should also add a cron job that runs up2date daily and notifies you of recent updates (/usr/bin/up2date --list).

One caveat with running up2date is that you will need to register your machine with the RedHat Network. Currently the updates are free; however, I don't think there is a promise that these will always be provided for free. Also, all the updates are retrieved from redhat.com's servers, and there are times when these machines are really busy.


Turning off unused services

The fewer services running on a machine, the more secure it tends to be, because there are fewer ways to gain access to the system. You can list the services that are running with:
  # /usr/bin/serviceconf
  # /sbin/chkconfig --list
Here is a list of services that are running with a default install of RedHat 7.3 which most users can turn off:

You can use the /sbin/chkconfig command to turn off services. Here is an example of turning off the XXXXX service:

You might want to go through the list of services to become familiar with what some of them do. You may then be able to determine what additional services you can stop.


Modifying configuration options

There are a number of other configuration files that can be modified to turn services off, or protect them better.

Turning sendmail daemon mode off
In the past sendmail has been a big security target because of a number of vulnerabilities. It has since become much more stable; however, it is a service that most people do not need to run in daemon mode. To change this you need to modify the file /etc/sysconfig/sendmail and set:

 DAEMON=no
With daemon mode off, sendmail will still process mail at the interval set by the QUEUE variable in the above file.


Configuring xinetd

Another way to keep people away from your machine is to turn off all services except the ones that are necessary. There may also be services that need to be enabled on the machine, but many of these can be wrapped to allow access only from certain hosts or domains. We'll cover how to do each of these.

Turning off services in xinetd
You can find out what services are running out of xinetd by running the command:

  # /sbin/chkconfig --list
This will list the daemons that are started at boot time and, at the end, the xinetd-based services.
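The two places where chkconfig --list is used above (auditing the boot-time services and the xinetd-based services) can be combined into a single review script. The following is an added example, not part of the NCSA procedures: it parses a constructed sample of chkconfig --list output in the RedHat 7.x format, reports which SysV services are on in runlevels 3 and 5 and which xinetd services are on, and prints (without running) the chkconfig commands that would turn off everything not on an allow list. The SAMPLE_CHKCONFIG text and the KEEP list are assumptions made up for the example; on a real host you would substitute the output of /sbin/chkconfig --list and your own list of required services.

```shell
#!/bin/sh
# Added example (not part of the NCSA page): audit `chkconfig --list` output
# and print the chkconfig commands that would turn off every enabled service
# not on an allow list. Nothing is changed on the system; the output is a
# report for the administrator to review before acting on it.

# Constructed sample of `chkconfig --list` output in RedHat 7.x format,
# standing in for the real command so the script runs anywhere.
SAMPLE_CHKCONFIG='anacron         0:off   1:off   2:on    3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd based services:
        chargen:        off
        telnet: on
        finger: on
        sgi_fam:        off'

# Services this host legitimately needs (an assumption for the example).
KEEP="sshd anacron"

# SysV services that are "on" in runlevel 3 (text console) or 5 (X login).
# Fields: $1 is the name, $2..$8 are "0:off" .. "6:off", so runlevel 3 is
# field 5 and runlevel 5 is field 7.
enabled_sysv_services() {
    printf '%s\n' "$SAMPLE_CHKCONFIG" | awk '
        /xinetd based services:/ { in_xinetd = 1; next }
        !in_xinetd && ($5 == "3:on" || $7 == "5:on") { print $1 }
    '
}

# xinetd-managed services listed as "on" after the "xinetd based services:" marker.
enabled_xinetd_services() {
    printf '%s\n' "$SAMPLE_CHKCONFIG" | awk '
        /xinetd based services:/ { in_xinetd = 1; next }
        in_xinetd && $2 == "on" { sub(/:$/, "", $1); print $1 }
    '
}

# Return 0 if $1 is in the KEEP allow list, 1 otherwise.
is_kept() {
    case " $KEEP " in
        *" $1 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Print, but do not run, the commands that would disable each unwanted service.
# SysV services are turned off in every multi-user runlevel; xinetd services
# have no runlevels, so plain `chkconfig name off` is used for them.
disable_commands() {
    for svc in $(enabled_sysv_services); do
        is_kept "$svc" || echo "/sbin/chkconfig --level 2345 $svc off"
    done
    for svc in $(enabled_xinetd_services); do
        is_kept "$svc" || echo "/sbin/chkconfig $svc off"
    done
}

disable_commands
```

With the sample above the script reports sendmail and portmap among the boot-time services and telnet and finger among the xinetd services, and prints one chkconfig command for each; sshd and anacron are skipped because they are on the KEEP list. Printing the commands rather than executing them keeps the review step the page recommends (going through the list to learn what each service does) in the administrator's hands.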

Wrapping services in xinetd


Configuring TCP wrappers

If a service is run in daemon mode, and not started from xinetd, then you may want to wrap the service with TCP wrappers.


Securing connections

If you are going to be connecting to your RedHat machine from other machines within, or outside NCSA, you might want to use applications that allow secure connections. Most of the default services that are set up will transmit your username and password in the clear over the network. If these happen to be "sniffed" by someone, then your account on that machine, and possibly others, will be compromised. We'll cover how to set up two different packages that will help secure these connections, Kerberos and SSH.

Kerberos
Kerberos has been the central authentication service for NCSA since the beginning of 1998. It provides a way to authenticate to machines without ever passing critical information in the clear. For more information on using Kerberos you can refer to the NCSA Kerberos pages. The ones you will need to refer to are Installing Kerberos on RedHat Linux systems and Adding your host to the Kerberos database.

SSH


Securing LPRng?

Firewall ruleset?

Logging?

User level tripwire?