This is the sixth in a series of posts that describe how to secure Oracle Enterprise Linux. These posts are based on the Center for Internet Security Secure Base Line for Red Hat Enterprise Linux 5 but have been verified against Oracle Enterprise Linux (OEL) 5.5. You can download OEL here.
In Part 1 we reviewed a secure partitioning strategy, in Part 2 we performed a minimal install, in Part 3 we performed some mandatory housekeeping before starting the hardening process, in Part 4 we secured ssh and in Part 5 we enabled system accounting. In this post we minimize network services.
A Word of Caution
The actions outlined in these posts have been performed on a clean install of OEL 5.5 exactly as documented in these posts. If you are contemplating taking these actions on an existing server, please take appropriate precautions such as:
- Backing up the server
- Reviewing the content of all scripts before running them
- Testing the actions on a non-production server
The hardening steps in these posts were performed in the order posted. Performing these steps in a different order may result in unpredictable behavior. Also, all these scripts MUST be run as root from a root shell, not via sudo.
Disable Standard Services
If any of the following services are configured in /etc/xinetd.d, then the script below will disable them using chkconfig. For services that do not exist, the script prints an OK message:
- amanda
- chargen
- chargen-udp
- cups
- cups-lpd
- daytime
- daytime-udp
- echo
- echo-udp
- eklogin
- ekrb5-telnet
- finger
- gssftp
- imap
- imaps
- ipop2
- ipop3
- klogin
- krb5-telnet
- kshell
- ktalk
- ntalk
- rexec
- rlogin
- rsh
- rsync
- talk
- tcpmux-server
- telnet
- tftp
- time-dgram
- time-stream
- uucp
Administrators who determine that some of these services are needed can either modify the script or re-enable them after the script completes.
If you installed OEL according to these posts then the following services will be disabled:
- eklogin
- ekrb5-telnet
- gssftp
- klogin
- krb5-telnet
- kshell
- rsync
You can download the script here: cis_script2_xinetd.sh (1.0K)
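The following script is an added example that does what the post describes for cis_script2_xinetd.sh; it is not the post's script. It assumes OEL 5's layout of one file per xinetd service under /etc/xinetd.d and a chkconfig on the PATH. The directory and the chkconfig command are parameters so the logic can be exercised against a scratch directory first; nothing on the real system is touched unless the script is run as root with --apply.

```shell
#!/bin/sh
# Added example (not the post's cis_script2_xinetd.sh): disable the xinetd
# services the CIS baseline lists, printing OK for ones that are not present.
# Assumptions: /etc/xinetd.d holds one file per xinetd service (OEL 5 layout)
# and chkconfig is on the PATH. Run as root with --apply to change the system.

# The service list from the post.
CIS_XINETD_SERVICES="amanda chargen chargen-udp cups cups-lpd daytime daytime-udp
echo echo-udp eklogin ekrb5-telnet finger gssftp imap imaps ipop2 ipop3 klogin
krb5-telnet kshell ktalk ntalk rexec rlogin rsh rsync talk tcpmux-server telnet
tftp time-dgram time-stream uucp"

# disable_xinetd_services DIR CHKCONFIG_CMD
# For every listed service that has a config file in DIR, run
# "CHKCONFIG_CMD <service> off"; otherwise report that nothing needs doing.
# One status line per service is printed so the run can be reviewed or logged.
disable_xinetd_services() {
    dir="$1"
    chk="$2"
    for svc in $CIS_XINETD_SERVICES; do
        if [ -f "$dir/$svc" ]; then
            if "$chk" "$svc" off; then
                echo "DISABLED: $svc"
            else
                echo "FAILED: $svc (chkconfig returned an error)"
            fi
        else
            echo "OK: $svc is not configured in $dir"
        fi
    done
}

# count_status PREFIX < report
# Number of report lines with the given status prefix (DISABLED, OK, FAILED);
# a post-run check that nothing FAILED is a cheap sanity test.
count_status() {
    grep -c "^$1:" || true
}

if [ "${1:-}" = "--apply" ]; then
    # Real run, as root, against the live xinetd configuration.
    report=$(disable_xinetd_services /etc/xinetd.d chkconfig)
    echo "$report"
    failed=$(echo "$report" | count_status FAILED)
    [ "$failed" = "0" ] || { echo "$failed service(s) could not be disabled" >&2; exit 1; }
fi
```

Running it without --apply defines the functions and does nothing, which is the intended way to try it against a scratch directory (for example `disable_xinetd_services /tmp/fake-xinetd.d true`) before touching a real server.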
Implement TCP Wrappers
TCP Wrappers are implemented by configuring the /etc/hosts.allow and /etc/hosts.deny files. For each connection, TCP Wrappers checks hosts.allow first and then hosts.deny, stopping at the first matching rule; a connection that matches neither file is allowed. If hosts.deny is configured before hosts.allow, the server will block all traffic from network hosts.
Configure /etc/hosts.allow
The following script loops through the output of ifconfig and creates a single hosts.allow entry that allows all services from all local networks.
For example, on a simple configuration with a single IP address in the 192.168.1.0 / 255.255.255.0 range (plus a local loopback), the script adds the following entry to hosts.allow:
ALL: localhost, 192.168.1
The script assumes IPv4 and a subnet mask of 255.255.255.0. IPv6 configurations are beyond the scope of this post. See the CIS documentation referenced at the top of this post for additional information. If the server is configured for other subnet masks, the hosts.allow file will need to be manually modified after running this script.
Download cis_script3_hosts.allow.sh (0.4K)
Configure /etc/hosts.deny
Warning: Do not proceed with this section until you have configured hosts.allow as above.
The following script will insert a single line in /etc/hosts.deny as follows:
ALL: ALL
Download cis_script4_hosts.deny.sh (0.3K)
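The script below is an added example covering both the hosts.allow and hosts.deny steps above; it is not the post's cis_script3_hosts.allow.sh or cis_script4_hosts.deny.sh. It assumes the net-tools ifconfig output format used on OEL 5, IPv4 only, and 255.255.255.0 masks as the post does; interfaces with any other mask are reported on stderr and left for the administrator to add by hand. It also enforces the ordering warning from the hosts.deny section: the "ALL: ALL" rule is only written once hosts.allow already contains an ALL: entry. The network prefix is emitted with a trailing dot (`192.168.1.`), which is the form hosts_access(5) documents for matching the leading fields of an address. The sample ifconfig output is constructed for the example.

```shell
#!/bin/sh
# Added example (not the post's scripts): build the hosts.allow entry from
# ifconfig output, and write the catch-all hosts.deny rule only after
# hosts.allow is in place. Assumptions: OEL 5 net-tools ifconfig format,
# IPv4 only, /24 masks. Run as root with --apply to change the system.

# hosts_allow_entry < ifconfig-output
# Prints one "ALL: localhost, a.b.c., ..." line covering every /24 the host has
# an address on. Loopback is skipped (covered by "localhost"); an interface
# whose mask is not 255.255.255.0 is reported on stderr and left out.
hosts_allow_entry() {
    awk '
    /inet addr:/ {
        split($2, a, ":"); ip = a[2]
        mask = ""
        for (i = 3; i <= NF; i++) if ($i ~ /^Mask:/) { split($i, m, ":"); mask = m[2] }
        if (ip == "127.0.0.1") next
        if (mask != "255.255.255.0") {
            print "WARNING: " ip "/" mask " is not a /24; add it to hosts.allow manually" | "cat 1>&2"
            next
        }
        split(ip, o, ".")
        net = o[1] "." o[2] "." o[3] "."        # trailing dot = prefix match
        if (!(net in seen)) { seen[net] = 1; nets = nets ", " net }
    }
    END { print "ALL: localhost" nets }'
}

# hosts_allow_ready FILE
# True when FILE already holds an ALL: rule, i.e. the deny rule is safe to add.
hosts_allow_ready() {
    grep -q '^ALL:' "$1" 2>/dev/null
}

# write_hosts_deny ALLOW_FILE DENY_FILE
# Appends "ALL: ALL" to DENY_FILE (once) only if ALLOW_FILE is ready;
# otherwise explains why and returns non-zero.
write_hosts_deny() {
    if hosts_allow_ready "$1"; then
        grep -q '^ALL: ALL$' "$2" 2>/dev/null || echo "ALL: ALL" >> "$2"
    else
        echo "refusing: $1 has no ALL: entry; configure hosts.allow first" >&2
        return 1
    fi
}

# Constructed sample ifconfig output (OEL 5 net-tools format) for a dry run.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:0C:29:AB:CD:EF
          inet addr:192.168.1.10  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
eth1      Link encap:Ethernet  HWaddr 00:0C:29:AB:CD:F0
          inet addr:10.0.5.7  Bcast:10.0.7.255  Mask:255.255.252.0
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1'

if [ "${1:-}" = "--apply" ]; then
    # Real run, as root: append the generated entry, then the deny rule.
    ifconfig | hosts_allow_entry >> /etc/hosts.allow
    write_hosts_deny /etc/hosts.allow /etc/hosts.deny
else
    # Dry run on the constructed sample; prints the entry, touches nothing.
    printf '%s\n' "$SAMPLE_IFCONFIG" | hosts_allow_entry
fi
```

On the sample the dry run prints `ALL: localhost, 192.168.1.` and warns about eth1's /22, which is exactly the case the post says must be added manually. Keeping the two steps in one script with the readiness check removes the window in which a mistyped order locks out every remote session.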
Enable These Services Only If Mission Critical
The services described in this section all have security risks and/or flaws. Enable them only if they are mission critical and no alternatives are available.
telnet
Enable by running the following:
chkconfig telnet on
ftp
Enable by running the following:
chkconfig --levels 35 vsftpd on
rlogin/rsh/rcp
Enable by running the following:
chkconfig login on
chkconfig rlogin on
chkconfig rsh on
chkconfig shell on
tftp
tftp is not installed by default, so first install the tftp package.
Next run the following script, which uses chkconfig to turn on tftp, then sets the permissions on /tftpboot or creates it with the proper permissions if it does not exist.