• No results found

Network Infrastructure Security Recommendations

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Network Infrastructure Security Recommendations"

Copied!
5
0
0

Loading.... (view fulltext now)

Download now ( 5 Page )

Full text

(1)

Network Infrastructure Security Recommendations

Hardening Red Hat Enterprise Linux

Ensure that file systems with user-writeable directories (ie /home, /tmp, /var/tem) are mounted on separate partitions.

Ensure updates are applied as soon as they become available.

The default version of yum-updatesd does not function reliably. Instead apply updates through a cron job using the following process:

• Disable the service with: /sbin/chkconfig yum-updatesd off

• Create the file yum.cron, make it executable, place it in /etc/cron.daily or /etc/cron.weekly, and ensure that it reads as follows:

#! /bin/sh

/usr/bin/yum –R 120 –e 0 –d 0 –y update yum /usr/bin/yum –R 10 –e 0 –d 0 –y update Disable Unnecesary Services

• Review /sbin/chkconfig --list for services configured to start at boot (The default run level is 5). To disable a service, run the following command: /sbin/chkconfig servicename off

• Unless they are required, disable the following: anacron haldaemon messagebus

apmd hidd microcode_ctl

autofs` hplip* pcscd

avahi-daemon* isdn readahead_early bluetooth kdump readahead_later

cups* kudzu rhnsd*

firstboot mcstrans setroubleshoot

gpm mdmonitor xfs

Items marked with a * are network services and it is particularly important to disable these. Additionally, if NFS is not in use the following should be disabled; netfs, nfslock, portmap, rpcgssd, and rpcidmapd. Some software relies on haldaemon and messagebus so care should be taken when disabling them. Changes are applied on reboot.

(2)

Network Infrastructure Security Recommendations

• Disable SUID and SGID Binaries. The following files can have their SUID or

SGID bits safely disabled (by using chmod –s filename) unless required for the specific purpose listed:

File: Required For:

/bin/ping6 IPv6

/sbin/mount.nfs NFS

/sbin/mount.nfs4 NFS

/sbin/netreport network control

/sbin/umount.nfs NFS

/sbin/umount.nfs4 NFS

/usr/bin/chage passwd

/usr/bin/chfn account info /usr/bin/chsh account info /usr/bin/crontab cron

/usr/bin/lockfile Procmail

/usr/bin/rcp rsh

/usr/bin/rlogin rsh

/usr/bin/rsh rsh

/usr/bin/wall console messaging /usr/bin/write console messaging

/usr/bin/Xorg Xorg /usr/kerberos/bin/ksu Kerberos /usr/libexec/openssh/ssh- keysign SSH host-based authentication /usr/lib/vte/gnome-pty-helper Gnome, Xorg /usr/sbin/ccreds_validate Pam auth caching

(3)

Network Infrastructure Security Recommendations

/usr/sbin/suexec Apache, CGI

/usr/sbin/userisdnctl ISDN

/usr/sbin/usernetctl network control Configure and Use Iptables and TCP Wrapper

• The Iptables firewall should be configured to only allow necessary network communication. If running, view the current firewall policy with the following command: /sbin/iptables –L

• By default, the output should correspond to rules stored in the file

/etc/sysconfig/iptables . Understand and edit these rules, removing any lines that allow unneccary communications. To activate the updated rules, restart the services.

• Also configure the TCP Wrapper library to protect network daemons that support its use by adding appropriate rules to /etc/hosts.allow and /etc/hosts.deny.

Configure and Use SELinux. The default SELinux policy (targeted) provides protection against compromised or misconfigured system services. Ensure that /etc/selinux/config includes the following lines:

SELINUX=enforcing SELINUXTYPE=targeted

*Note: stronger policies such as strict and mls can be used if appropriate. However, these require customization to operate successfully for many usage scenarios.

Set Kernel Parameters. Add the following lines to /etc/sysctl.conf to prevent certain kinds of attacks: • net.ipv4.conf.all.rp_filter=1 • net.ipv4.conf.all.accept_source_route=0 • net.ipv4.icmp_echo_ignote_broadcasts=1 • net.ipv4.icmp_ignore_bogus_error_messages=1 • kernel.exec-shield=1 • kernel.randomize_va_space=1

Configure SSH. Ensure that /etc/ssh/sshd_config includes the following lines: PermitRootLogin no

Protocol 2

Hardening MySQL Installation

(4)

Network Infrastructure Security Recommendations

Create service account for MySQL

groupadd mysql

useradd –d /dev/null –g mysql –s /bin/false mysql Ensure proper directory ownership and permissions

chown –R root /usr/bin/mysql* chown –R mysql:root /var/lib/mysql chmod –R go-rwx /var/lib/mysql mkdir –p /var/log/mysql

chown –R mysql:root /var/log/mysql

Copy the main config file from the default directory cp /usr/share/mysql/my-medium.cnf /etc/my.cnf Remove the default folder

rm –rf /var/lib/mysql/test rm –f /usr/share/mysql/*.cnf

Set proper ownership and permissions for my.cnf chown root /etc/my.cnf

chmod 644 /etc/my.cnf

Edit /etc/my.cnf and add the following lines below [mysqld] section: pid-file = /var/lib/mysql/test

log = /var/log/mysql/mysql.log bind-address = 127.0.0.1

Add the following line below [safe_mysqld] err-log = /var/log/mysql/mysql.err

Set a password for the MySQL root user:

/usr/bin/mysqladmin -u root password 'new-password'

/usr/bin/mysqladmin -u root -h hostname password 'new-password'

Note: Specify a complex password (at least 14 characters) and document it. Replace “hostname” with the server FQDN (DNS name).

Run the command to login to MySQL:
/usr/bin/mysql -uroot -pnew-password. Note: Replace the string “new-password” with the actual password for the root account. Remove ‘test’ database and access

(5)

Network Infrastructure Security Recommendations

DELETE FROM mysql.user WHERE user = 'root' AND host = '%';

DELETE FROM mysql.user WHERE User='root' AND Host!='localhost'; DROP DATABASE test;

DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%'; FLUSH PRIVILEGES; quit References Articlesbase: http://www.articlesbase.com/security-articles/mysql-security-best-practices-and-hardening-guide-5090978.html MySQL Security: http://dev.mysql.com/doc/refman/5.0/en/security.html

National Security Administration:

www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf

Open Web Application Security Project:

https://www.owasp.org/index.php/OWASP_Backend_Security_Project_MySQL_Hardeni ng

Publication and Author Information

Jim Kelton is Managing Principal of Altius IT (www.AltiusIT.com), an IT security audit, security consulting, and risk management company based in Costa Mesa, California. Mr. Kelton has over 30 years of experience in the Information Technology industry and is recognized as a security expert. He is certified by the Information Systems Audit and Control Association (ISACA) as:

• Certified Information Systems Auditor (CISA)

• Certified in Risk and Information Systems Controls (CRISC) • Certified in the Governance of Enterprise IT (CGEIT)

He sits on the Board of Directors of the following associations and organizations: • Association of Professional Consultants (APC)

• International Association of Professional Security Consultants (IAPSC) • Technology Professionals Association (TPA)

References

Download now ( PDF - 5 Page - 44.94 KB )

Related documents

How wind became a four-letter word: Lessons for community engagement from a wind energy conflict in King Island, Australia

In spite of this, the King Island experience was one of con fl ict, with strain on interpersonal relationships, damage to local institutions, the formation of a local opposition

Building a portal for citizens in Norway with secure authentication and single sign on. Dag Efjestad

Federated identity allows Single Sign On (SSO): a user logs in to one of the service provider sites and can click through to another service provider part of the CoT without

Organisational culture and corporate sustainability in Hong Kong's development companies

strategies as well as operations carried out by the organisation. Values from a culture would definitely have an effect on the values towards sustainability. In this research, in

Repeated Changes in Reported Sexual Orientation Identity Linked to Substance Use Behaviors in Youth

Results from multivariable sex-stratified GEE models, controlling for concurrent sexual orientation identity, age group, race/ethnicity, and number of missing waves, and including

Use of the Corporate Form for Public Benefit - Revitalisation of Australian Corporations Law

A particular question that has been raised in relation to the application of the best interests rule to directors of purpose-based companies is the potential tension between

Bankruptcy Examiners Under Section 1104(b): Appointment and Role in Complex Chapter 11 Reorganizations of Failed LBOs

Under: Leveraged Buyouts and the Fraudulent Conveyance Problem, 63 IND. Liss, Note, Fraudulent Conveyances and Leveraged Buyouts, 87 COLUM. The Bankruptcy Code permits the