This is the seventh in a series of posts that describe how to secure Oracle Enterprise Linux. These posts are based on the Center for Internet Security Secure Base Line for Red Hat Enterprise Linux 5 but have been verified against Oracle Enterprise Linux (OEL) 5.5. You can download OEL here.
In Part 1 we reviewed a secure partitioning strategy, in Part 2 we performed a minimal install, in Part 3 we performed some mandatory housekeeping before starting the hardening process, in Part 4 we secured ssh, in Part 5 we enabled system accounting and in Part 6 we minimized network services. In this post we configure the Linux host-based firewall.
A Word of Caution
The actions outlined in these posts have been performed on a clean install of OEL 5.5 exactly as documented in these posts. If you are contemplating taking these actions on an existing server, please take appropriate precautions such as:
- Backing up the server
- Reviewing the content of all scripts before running them
- Testing the actions on a non-production server
The hardening steps in these posts were performed in the order posted. Performing these steps in a different order may result in unpredictable behavior. Also, all these scripts MUST be run as root, not via sudo.
Configuring the Firewall
OEL (Red Hat) installs, enables and configures a firewall to allow the ssh service on port 22 by default.
Depending on the function of the server, it is likely that other ports need to be opened to allow the server to fulfill its mission.
The firewall is configured via the system-config-securitylevel tool. One of the ways to invoke the tool is through the system setup utility mentioned in Part 2. Invoke the setup utility by entering:
/usr/bin/setup
and the following menu appears:
Select Firewall Configuration, then Run Tool, and the system-config-securitylevel tool appears:
The settings above are the defaults which are also the appropriate security settings. Select the Customize button and the following screen appears:
The above screenshot shows the default setting. If additional services (port/protocol pairs) need to be opened, they can be selected from the list or added in the Other ports field. Select OK to save the changes.
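After saving from the tool it is worth verifying what actually got opened, rather than trusting the dialog. On OEL/RHEL 5, system-config-securitylevel writes the active rule set to /etc/sysconfig/iptables, and the ACCEPT rules carrying --dport are the open ports. The script below is an added example (not part of this post or the CIS benchmark): it reads a saved rule file, lists every accepted proto/port pair, and flags any that is not on an allowlist you pass in. The sample rule file it writes is constructed to resemble the default file the tool produces (ssh plus the CUPS and mDNS entries the tool adds when those services are ticked); on a real host, point it at /etc/sysconfig/iptables instead.

```shell
#!/bin/sh
# Audit the saved iptables rule set written by system-config-securitylevel
# (/etc/sysconfig/iptables on OEL/RHEL 5). Added example, not the post's own
# script. It only reads the file; it never modifies firewall rules.

# write_sample_rules PATH
# Writes a constructed rule file in the layout the tool produces, used here
# as stand-in input so the example runs without touching a live system.
write_sample_rules() {
    cat >"$1" <<'EOF'
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# list_open_ports FILE
# Prints one "proto/port" line per ACCEPT rule that carries --dport.
# Whole-protocol accepts (ESP/AH above, "-p 50"/"-p 51") have no port and are
# not listed; review those separately.
list_open_ports() {
    awk '
        /^-A/ && / -j ACCEPT/ && / --dport / {
            proto = ""; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            if (proto != "" && port != "") print proto "/" port
        }
    ' "$1" | sort -u
}

# audit_open_ports FILE EXPECTED...
# Prints every open port not in the EXPECTED list (e.g. tcp/22 tcp/1521).
# Returns 0 when the rule set matches the allowlist, 1 otherwise.
audit_open_ports() {
    file=$1; shift
    expected=" $* "
    rc=0
    for p in $(list_open_ports "$file"); do
        case "$expected" in
            *" $p "*) ;;
            *) echo "unexpected open port: $p"; rc=1 ;;
        esac
    done
    return $rc
}

# Demonstration on the constructed file: only ssh is expected, so the CUPS
# and mDNS entries are reported.
sample=${TMPDIR:-/tmp}/sample-iptables.$$
write_sample_rules "$sample"
echo "open ports in $sample:"
list_open_ports "$sample"
audit_open_ports "$sample" tcp/22 || echo "audit: rule set differs from allowlist"
rm -f "$sample"
```

On a live host run it as `audit_open_ports /etc/sysconfig/iptables tcp/22 tcp/1521` (or whatever the server's mission requires) after every change made through the tool, and keep the allowlist under version control next to the build documentation so drift is visible.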