Hardening RHEL 3 ("Taroon")
I used the following steps to "harden" the RHEL 3 ES ("Taroon")
operating system after choosing a "Minimal" install. The server will be
used as a firewall.
Configure and run up2date
Use Red Hat's up2date system update utility to install updated packages for RHEL 3.
1. Import the Red Hat, Inc. public key into your GPG keyring, so that up2date can verify package signatures.
rpm --import /usr/share/rhn/RPM-GPG-KEY
2. Run up2date to register with the Red Hat Network.
up2date
3. List the updated packages.
up2date --update --list
4. Update your system to the latest packages.
up2date --update
By default, the Red Hat Network system daemon (rhnsd) will check for package updates every 4 hours, and download and install (if retrieveOnly is "No") all packages not in pkgSkipList (by default, kernel* packages). On a firewall you may prefer to apply updates by hand with up2date --update, which is why rhnsd is among the services disabled below. See /etc/sysconfig/rhn/rhnsd, up2date-config, and /etc/sysconfig/rhn/up2date for more information.
Disabling services
There are several services running by default that may be safely disabled. First, we'll generate a list of services that are enabled at runlevel 3.
[root@localhost root]# /sbin/chkconfig --list | awk '/3:on/ { print $1 }'
microcode_ctl
gpm
kudzu
syslog
netfs
network
random
rawdevices
keytable
mdmonitor
atd
apmd
isdn
iptables
ip6tables
pcmcia
irqbalance
sendmail
autofs
sshd
portmap
nfslock
crond
xinetd
cups
We will disable the following services:
gpm kudzu netfs mdmonitor atd apmd isdn ip6tables autofs portmap nfslock rhnsd xinetd cups
for SERVICE in gpm kudzu netfs mdmonitor atd apmd isdn ip6tables autofs portmap nfslock rhnsd xinetd cups
do
/sbin/chkconfig "$SERVICE" off
/sbin/service "$SERVICE" stop
done
With rhnsd off, updates must be applied by hand with up2date --update. sendmail is left running; on RHEL 3 it listens only on 127.0.0.1 by default, so it is not reachable from the network.
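As an added check, not part of the original page: once the loop has run, confirm that nothing unexpected is still listening on the network. The function below reads netstat -tulpn output (a constructed sample stands in for the live command here) and prints every listener that is not bound to 127.0.0.1 and whose program is not on an allow list; for this host the allow list is just sshd. The sample data, the function name and the assumption that the allow list is matched by program name are mine.

```shell
#!/bin/sh
# Added example (not from the original page): flag network-reachable listeners
# that are not on an allow list. Constructed sample of `netstat -tulpn` output
# taken after the services above were stopped; portmap is still up to show
# what a leftover looks like.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1234/sendmail: acce
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1100/sshd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      900/portmap
udp        0      0 0.0.0.0:111             0.0.0.0:*                           900/portmap'

# unexpected_listeners "prog1 prog2 ...": read netstat -tulpn output on stdin,
# print "proto local-address program" for each listener that is reachable from
# the network (not bound to 127.0.0.1) and whose program is not allowed.
# Exit status is 1 if anything was printed, 0 otherwise.
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 !~ /^(tcp|udp)/ { next }            # skip the two header lines
        $4 ~ /^127\.0\.0\.1:/ { next }         # loopback-only listeners are fine
        {
            # tcp rows carry a State column, udp rows do not
            f = ($1 ~ /^tcp/) ? 7 : 6
            prog = $f
            sub(/^[0-9]+\//, "", prog)         # strip the "pid/" prefix
            sub(/:$/, "", prog)                # "sendmail:" -> "sendmail"
            if (!(prog in ok)) { found = 1; print $1, $4, prog }
        }
        END { exit found + 0 }'
}

# On the real host: /bin/netstat -tulpn | unexpected_listeners "sshd"
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "sshd" \
    || echo "unexpected listeners found; stop or disable them before going live"
```

Run it as root so netstat can fill in the PID/Program column; without that the program shows as "-" and every non-loopback listener is reported.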
Configuring OpenSSH server
By default, the OpenSSH server allows ssh protocols 1 and 2 and remote root logins. ssh protocol 1 has known cryptographic weaknesses and should not be offered, and remote root logins should be disabled. I will also disable password authentication, thereby requiring key-based authentication. Before reloading sshd with that setting, put your public key in ~/.ssh/authorized_keys for the account you log in with, and check that ChallengeResponseAuthentication is also set to no (otherwise keyboard-interactive logins can still accept a password). Keep your current session open and test a fresh login before closing it.
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.original
sed -e 's/#Protocol 2,1/Protocol 2/' \
-e 's/#PermitRootLogin yes/PermitRootLogin no/' \
-e 's/#PasswordAuthentication yes/PasswordAuthentication no/' \
/etc/ssh/sshd_config > /etc/ssh/newsshd_config
mv -f /etc/ssh/newsshd_config /etc/ssh/sshd_config
/sbin/service sshd reload
These sed expressions match only the commented-out defaults shipped in the file; if a directive is already active with a different value they change nothing, so check the result with grep before reloading.
Note: if your system has multiple network interfaces, you may want to change ListenAddress to a specific IP address so that the ssh daemon does not listen on all interfaces (on a firewall, the internal one).
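An added example, not the page's own commands: the same three changes applied in a way that works whether each directive is commented out, already active with another value, or missing, plus ChallengeResponseAuthentication, and a reader to confirm what sshd will actually use. The sample sshd_config is constructed to resemble the RHEL 3 default, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original page): apply the sshd_config changes
# idempotently and read back the result. Constructed sample resembling the
# directives of the RHEL 3 default sshd_config.
SAMPLE_SSHD_CONFIG='Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#PermitRootLogin yes
#PasswordAuthentication yes
ChallengeResponseAuthentication no
Subsystem       sftp    /usr/libexec/openssh/sftp-server'

# set_sshd_directive FILE KEY VALUE: rewrite the directive whether it is
# commented out ("#Protocol 2,1") or active with another value, and append
# it when it is absent. Only the "#Key value" comment form is treated as the
# directive; "# free text" comments are left alone.
set_sshd_directive() {
    file="$1" key="$2" value="$3"
    if grep -q "^#\{0,1\}$key[[:space:]]" "$file"; then
        sed -e "s/^#\{0,1\}$key[[:space:]].*/$key $value/" "$file" > "$file.new" \
            && mv -f "$file.new" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# sshd_directive FILE KEY: the value sshd would use (the first active
# occurrence wins in sshd_config), empty if the directive is not set.
sshd_directive() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# harden_sshd_config FILE: the page's three changes, plus
# ChallengeResponseAuthentication, which must also be no or PAM
# keyboard-interactive logins can still take a password.
harden_sshd_config() {
    file="$1"
    [ -f "$file.original" ] || cp "$file" "$file.original"
    set_sshd_directive "$file" Protocol 2
    set_sshd_directive "$file" PermitRootLogin no
    set_sshd_directive "$file" PasswordAuthentication no
    set_sshd_directive "$file" ChallengeResponseAuthentication no
}

# Dry run on a copy of the sample; on the real host pass /etc/ssh/sshd_config,
# then run "/usr/sbin/sshd -t" and "/sbin/service sshd reload".
demo_file=$(mktemp) && printf '%s\n' "$SAMPLE_SSHD_CONFIG" > "$demo_file"
harden_sshd_config "$demo_file"
grep -E '^(Protocol|PermitRootLogin|PasswordAuthentication|ChallengeResponseAuthentication)' "$demo_file"
rm -f "$demo_file" "$demo_file.original"
```

The backup is taken only on the first run, so repeated runs cannot overwrite sshd_config.original with an already-hardened copy.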
Disable zeroconf route
The /etc/sysconfig/network-scripts/ifup script will add a "zeroconf" (IPv4 link-local, 169.254.0.0/16) route by default. Example, from netstat -rn:
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
While this does not necessarily pose a security threat, a firewall should carry no routes it does not need, and you may disable the zeroconf route during system boot by adding NOZEROCONF=yes to /etc/sysconfig/network. You may of course manually delete the route for the current session.
echo "NOZEROCONF=yes" >> /etc/sysconfig/network
More information:
http://files.zeroconf.org/draft-ietf-zeroconf-ipv4-linklocal.txt
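An added example, not from the original page: find the link-local route from netstat -rn output, delete it for the current session, and persist NOZEROCONF=yes without leaving a second NOZEROCONF line behind if one is already there. The routing table sample and the /etc/sysconfig/network contents are constructed, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original page): find the link-local route and
# persist NOZEROCONF=yes without duplicating the line. Constructed sample of
# `netstat -rn` output with the zeroconf route present.
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0'

# zeroconf_ifaces: read netstat -rn output on stdin and print the interface
# of each 169.254.0.0/16 route.
zeroconf_ifaces() {
    awk '$1 == "169.254.0.0" && $3 == "255.255.0.0" { print $NF }'
}

# set_sysconfig FILE KEY VALUE: set KEY=VALUE, replacing an existing
# assignment instead of appending a second one.
set_sysconfig() {
    file="$1" key="$2" value="$3"
    if grep -q "^$key=" "$file"; then
        sed -e "s/^$key=.*/$key=$value/" "$file" > "$file.new" && mv -f "$file.new" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# disable_zeroconf [NETWORK_FILE]: drop the route from the running system and
# make sure ifup does not add it again at boot. Needs root on the real host.
disable_zeroconf() {
    /bin/netstat -rn | zeroconf_ifaces | while read -r iface; do
        /sbin/route del -net 169.254.0.0 netmask 255.255.0.0 dev "$iface"
    done
    set_sysconfig "${1:-/etc/sysconfig/network}" NOZEROCONF yes
}

# Dry run of the two pieces on sample data and a temporary file (constructed
# /etc/sysconfig/network contents):
printf '%s\n' "$SAMPLE_ROUTES" | zeroconf_ifaces
demo_net=$(mktemp) && printf 'NETWORKING=yes\nHOSTNAME=fw.example.com\n' > "$demo_net"
set_sysconfig "$demo_net" NOZEROCONF yes
cat "$demo_net"; rm -f "$demo_net"
```

Call disable_zeroconf with no argument on the firewall itself; afterwards netstat -rn should show no 169.254.0.0 entry, and it will not come back on the next ifup.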
Last modified: 11/16/2004