Hardening Fedora

I used the following steps to "harden" the Fedora Core 1 operating system after choosing a "Minimal" install. The server will be used as an SFTP server.

Update the system with yum

Download and install the latest Fedora packages with yum. I recommend installing the freshrpms.net version of yum rather than the version supplied with Fedora, as the freshrpms.net version is configured to use faster mirrors than http://fedora.redhat.com/.

yum update

Depending on your comfort level with Fedora's package updates, you can run yum nightly for automatic system updates.

/sbin/chkconfig yum on
/sbin/service yum start

Disabling services

There are several services running by default that may be safely disabled. First, we'll generate a list of services that are enabled at runlevel 3.

[root@localhost root]# chkconfig --list | awk '/3:on/ { print $1 }'
gpm
kudzu
syslog
rawdevices
netfs
network
random
iptables
anacron
atd
acpid
apmd
irqbalance
pcmcia
nfslock
microcode_ctl
smartd
isdn
autofs
sshd
portmap
sendmail
rhnsd
crond

We will disable the following services:
gpm kudzu netfs anacron atd apmd pcmcia nfslock isdn autofs portmap rhnsd

for SERVICE in gpm kudzu netfs anacron atd apmd pcmcia nfslock isdn autofs portmap rhnsd
do
   /sbin/chkconfig $SERVICE off
   /sbin/service $SERVICE stop
done

Configuring OpenSSH server

By default, the OpenSSH server allows SSH protocols 1 and 2 and remote root logins. SSH protocol 1 is susceptible to man-in-the-middle attacks, and remote root logins should be disabled. I will also disable password authentication and rely on key-based authentication instead.

cp /etc/ssh/sshd_config /etc/ssh/sshd_config.original

sed -e 's/#Protocol 2,1/Protocol 2/' \
-e 's/#PermitRootLogin yes/PermitRootLogin no/' \
-e 's/#PasswordAuthentication yes/PasswordAuthentication no/' \
/etc/ssh/sshd_config > /etc/ssh/newsshd_config

mv -f /etc/ssh/newsshd_config /etc/ssh/sshd_config
/sbin/service sshd reload
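
The sed expressions above match only the commented-out default lines, so on a file where those lines differ they change nothing and still exit successfully. The following check is an added example, not part of the original page: it reports the value sshd would actually use for each of the three settings. The function names and the two sample files are constructed for illustration.

```shell
#!/bin/sh
# sshd uses the first value it reads for each keyword and treats keywords
# case-insensitively, so report the first uncommented occurrence.
# Assumes "Keyword value" lines separated by whitespace.
effective_value() {                       # usage: effective_value FILE KEYWORD
    awk -v key="$2" '
        /^[ \t]*#/ { next }               # commented-out defaults do not count
        tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Returns 0 only if all three settings from the page are actually in force.
check_sshd_config() {                     # usage: check_sshd_config FILE
    rc=0
    for pair in Protocol=2 PermitRootLogin=no PasswordAuthentication=no
    do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(effective_value "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key is '${got:-unset}', expected '$want'" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample files (not real configs): "edited" is what the page's sed
# produces from the stock file; "drifted" is a file whose lines were already
# uncommented, which the sed patterns do not match and so leave unchanged.
write_samples() {                         # usage: write_samples DIR
    printf '%s\n' 'Protocol 2' 'PermitRootLogin no' \
        'PasswordAuthentication no' '#PermitEmptyPasswords no' > "$1/edited"
    printf '%s\n' 'protocol 2,1' 'PermitRootLogin yes' \
        '#PasswordAuthentication yes' > "$1/drifted"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in edited drifted
do
    if check_sshd_config "$demo_dir/$f"; then echo "$f: OK"; else echo "$f: NOT hardened"; fi
done
rm -rf "$demo_dir"
```

Run check_sshd_config against /etc/ssh/newsshd_config before the mv step, and keep an existing root session open until a key-based login has been confirmed.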

Last modified: 03/02/2004