inetd - We do not use inetd.
=====
more /etc/inetd.conf
for each service that is enabled: update-inetd --disable
( update-inetd --disable discard daytime time )
/etc/init.d/inetd stop
vi /etc/init.d/inetd
Add the following after the /bin/sh line:
# Do not use inetd
exit 0
# If you really have to use inetd, use xinetd instead.

PAM (only allow one user to su root)
---
vi /etc/pam.d/su
auth required pam_wheel.so group=wheel
addgroup --system wheel
adduser root wheel
adduser bengt wheel
# Make sure root can only log in from the console (have to su to become root)
vi /etc/security/access.conf
-:wheel:ALL EXCEPT LOCAL
# Make sure root can not SSH in directly
vi /etc/ssh/sshd_config
PermitRootLogin no

Harden tools
============
apt-get install harden harden-servers harden-clients harden-tools harden-nids harden-environment
apt-get install logcheck samhain sash osh john gnupg tiger chkrootkit acct host whois lsof psad
* Create sashroot account - Yes
* Clone root password
* Purge sashroot account when purging
Default answers on everything.
## Snort is installed by default???
echo -e 'kern.info\t|/var/lib/psad/psadfifo' >> /etc/syslog.conf
# If you need to run a dangerous service, do not install the hardening packages, but check which
# packages should be removed and remove all except the ones you have to have.
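The checks below are an added example, not part of the original notes, for verifying the settings this section changes: which inetd services are still live, the effective PermitRootLogin value, whether su is restricted to wheel, and whether pam_access.so is in the PAM stack at all (access.conf is only consulted for services whose stack loads pam_access, which the notes do not mention). Every config file it reads is constructed inline under a mktemp directory; the function names and the sample contents are this example's own, and the for loop only echoes the update-inetd command it would run.

```shell
#!/bin/sh
# Added example, not from the original notes: audit the settings configured in
# the inetd / PAM / sshd section by reading the config files as text. The
# sample files are constructed here so the script runs offline; point the
# functions at the real /etc paths to audit a live system.

# inetd_enabled_services FILE: print the service name of every inetd.conf line
# that is still active. update-inetd --disable comments a line out with
# "#<off># ", so anything not starting with "#" is live.
inetd_enabled_services() {
    grep -v '^[[:space:]]*#' "$1" | awk 'NF { print $1 }'
}

# sshd_permit_root_login FILE: effective PermitRootLogin value, lower-cased.
# sshd uses the first uncommented occurrence of a keyword, so later duplicates
# are ignored; "unset" means the compiled-in default applies.
sshd_permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# su_requires_wheel FILE: succeed if /etc/pam.d/su has an active auth line
# loading pam_wheel.so (the "only wheel members may su" rule).
su_requires_wheel() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+[^#]*pam_wheel\.so' "$1"
}

# pam_access_in_stack FILE: succeed if the PAM service file loads pam_access.so
# on an uncommented line (any type: account, auth, ...). Without this the
# -:wheel:ALL EXCEPT LOCAL rule in access.conf is never evaluated.
pam_access_in_stack() {
    grep -Eq '^[[:space:]]*[a-z]+[[:space:]]+[^#]*pam_access\.so' "$1"
}

SAMPLE_DIR=$(mktemp -d)

# Constructed /etc/inetd.conf: two services already disabled by update-inetd,
# one (time) still live.
cat > "$SAMPLE_DIR/inetd.conf" <<'EOF'
# /etc/inetd.conf: see inetd(8) for further informations.
#<off># discard  stream  tcp  nowait  root  internal
#<off># daytime  stream  tcp  nowait  root  internal
time            stream  tcp  nowait  root  internal
EOF

# Constructed sshd_config: the commented-out default must not count.
cat > "$SAMPLE_DIR/sshd_config" <<'EOF'
Port 22
#PermitRootLogin yes
PermitRootLogin no
EOF

# Constructed /etc/pam.d/su with the pam_wheel line from the notes.
cat > "$SAMPLE_DIR/su" <<'EOF'
auth       required   pam_wheel.so group=wheel
auth       required   pam_unix.so
EOF

# Constructed /etc/pam.d/login where pam_access is still commented out.
cat > "$SAMPLE_DIR/login" <<'EOF'
# account  required   pam_access.so
account    required   pam_unix.so
EOF

audit_report() {
    printf 'inetd services still enabled: %s\n' \
        "$(inetd_enabled_services "$SAMPLE_DIR/inetd.conf" | tr '\n' ' ')"
    printf 'sshd PermitRootLogin: %s\n' "$(sshd_permit_root_login "$SAMPLE_DIR/sshd_config")"
    if su_requires_wheel "$SAMPLE_DIR/su"; then
        echo 'su: restricted to group wheel'
    else
        echo 'su: NOT restricted by pam_wheel'
    fi
    if pam_access_in_stack "$SAMPLE_DIR/login"; then
        echo 'login: pam_access in stack, access.conf enforced'
    else
        echo 'login: pam_access NOT in stack, access.conf is ignored'
    fi
}

audit_report

# Disable whatever is still live. Dry run: remove the echo to apply.
for svc in $(inetd_enabled_services "$SAMPLE_DIR/inetd.conf"); do
    echo update-inetd --disable "$svc"
done
```

On a real host the same four functions take /etc/inetd.conf, /etc/ssh/sshd_config, /etc/pam.d/su and /etc/pam.d/login as arguments; the sample directory exists only so the script has something to read when run as-is.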
configure samhain
-----------------
vi /etc/samhain/samhainrc
LoginCheckActive=1
file=/etc/postfix/prng_exch
file=/etc/postfix/helo_checks.db
file=/etc/postfix/sender_checks.db
file=/etc/postfix/client_checks.db
file=/etc/postfix/tls_per_site.db
file=/etc/postfix/relay_certs.db
file=/etc/postfix.outgoing/prng_exch
file=/etc/postfix.outgoing/helo_checks.db
file=/etc/postfix.outgoing/sender_checks.db
file=/etc/postfix.outgoing/client_checks.db
file=/etc/postfix.outgoing/tls_per_site.db
file=/etc/postfix.outgoing/relay_certs.db

configure tiger
---------------
vi /etc/tiger/tigerrc
# Observe that you might have other running processes
Tiger_Listening_Every=N
Tiger_Running_Procs='syslogd cron atd klogd postfix cyrus '
# Tiger_Listening_ValidProcs='imapd smtpd'
vi /etc/cron.d/tiger
... > /dev/null 2>&1

fix logcheck
------------
vi /etc/logcheck/ignore.d.server/MOLLIE
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Content Checks: Detected HTML-specific exploits in [[:alnum:]]+
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Content Checks: Detected and will disarm HTML message in [[:alnum:]]+
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Filename Checks: Windows/DOS Executable
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Content Checks: Found [0-9]+ problems
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Saved infected ["[:alnum:]]+ to
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Silent: Delivered [0-9]+ messages containing silent viruses
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Notices: Warned about [0-9]+ messages
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Virus Scanning: [-[:alnum:]]+ found virus
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Virus Scanning: [-[:alnum:]]+ found [0-9]+ infections
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Virus Scanning: Found [0-9]+ viruses
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Other Checks: Found [0-9]+ problems
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Infected message [[:alnum:]]+ came from [.0-9]+
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ClamAV-autoupdate\[[0-9]+\]: ClamAV updated
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ F-Prot autoupdate\[[0-9]+\]: F-Prot successfully updated\.
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Using locktype = flock
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/cleanup\[[0-9]+\]: [[:alnum:]]+: message-id=<([^[:space:]]+|)> \(added by ([^[:space:]]+|)\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \(pam_[[:alnum:]]+\) session opened for user [[:alnum:]-]+ by \(uid=[0-9]+\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ F-Prot autoupdate\[[0-9]+\]: F-Prot did not need updating
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ClamAV-autoupdate\[[0-9]+\]: ClamAV did not need updating
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: New Batch: Found [0-9]+ messages waiting
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: New Batch: Scanning [0-9]+ messages, [0-9]+ bytes
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Virus and Content Scanning: Starting
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Uninfected: Delivered [0-9]+ messages
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Spam Checks: Found [0-9]+ spam messages
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Postfix queue structure is depth [0-9]
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ [[:alnum:]]+: MailScanner setting (UID|GID) to postfix \([0-9]+\)
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: MailScanner E-Mail Virus Scanner version [0-9]+\.[0-9]+\.[0-9]+ starting\.\.\.
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: MailScanner child dying of old age
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: SpamAssassin timed out and was killed, consecutive failure [1-4] of [0-9]+
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Spam Checks: Starting
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ fetchmail\[[0-9]+\]: +[0-9]+ +messages \([0-9]+ seen\)? for
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cyrus/[a-zA-Z0-9_]+\[[0-9]+\]: +SQUAT returned [0-9]+ messages
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cyrus/lmtpd\[[0-9]+\]: DBERROR db3: [0-5] lockers
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: \(pam_[[:alnum:]]+\) session opened for user [[:alnum:]-]+ by \(uid=[0-9]+\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: \(pam_[[:alnum:]]+\) session closed for user [[:alnum:]-]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [[:alnum:]]+: reject: RCPT from [^[:space:]]+: [0-9]+ [^[:space:]]+: User unknown in local recipient table; from=[^[:space:]]+ to=[^[:space:]]+ proto=(ESMTP|SMTP) helo=[^[:space:]]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/qmgr\[[0-9]+\]: [[:alnum:]]+: to=[^[:space:]]+, orig_to=[^[:space:]]+, relay=[^[:space:]]+, delay=[0-9]+, status=deferred \(deferred transport\)

NARC
====
?????
?????
?????

Hardening checks
================
netstat -pn -l -A inet
nmap -sT
nmap -sU
lsof -i | grep LISTEN #(on the local computer)
lsof -i :

nmap
====
From another computer
nmap -p 22,25,80,143,443,465,993,995 denton
# 143 should be closed
nmap -sT --> fast
Interesting ports on (192.168.20.50):
(The 1546 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
25/tcp     open        smtp
80/tcp     open        http
143/tcp    open        imap
443/tcp    open        https
465/tcp    open        smtps
993/tcp    open        imaps
995/tcp    open        pop3s
nmap -sU 192.168.20.50 --> takes long time though.
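As an added example (not from the original notes), the script below covers two checks for the sections above: a dry run of logcheck ignore rules against constructed syslog lines, applied the way logcheck applies its ignore files (egrep -v -f, so whatever survives is what would be mailed), and a comparison of an nmap -sT listing in the format quoted above against the ports that are supposed to be open, so a port that should be closed such as 143/tcp stands out. The rules are written with [[:alpha:]]{3} in place of \w{3} so they run under any POSIX grep -E; the log lines, the nmap output and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original notes: two post-hardening checks run
# against constructed input so the script works offline.
#   1. Dry-run a logcheck ignore file against sample syslog lines the way
#      logcheck does (egrep -v -f); whatever survives is what gets reported.
#   2. Diff an nmap -sT listing against the ports that are supposed to be open.

# Ignore rules in the style of /etc/logcheck/ignore.d.server/MOLLIE above,
# using [[:alpha:]]{3} instead of \w{3} so they work with any POSIX grep -E.
LOGCHECK_IGNORE='^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: New Batch: Found [0-9]+ messages waiting
^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Uninfected: Delivered [0-9]+ messages
^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: \(pam_[[:alnum:]]+\) session opened for user [[:alnum:]-]+ by \(uid=[0-9]+\)$
^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: \(pam_[[:alnum:]]+\) session closed for user [[:alnum:]-]+$'

# Constructed /var/log/syslog excerpt (hostname denton as in the notes). Only
# the sshd line is not covered by a rule, so only it should be reported.
SAMPLE_LOG='Mar  3 04:17:01 denton CRON[12345]: (pam_unix) session opened for user root by (uid=0)
Mar  3 04:17:02 denton MailScanner[2048]: New Batch: Found 3 messages waiting
Mar  3 04:17:05 denton MailScanner[2048]: Uninfected: Delivered 3 messages
Mar  3 04:17:09 denton sshd[31337]: Failed password for root from 10.0.0.5 port 40312 ssh2
Mar  3 04:17:10 denton CRON[12345]: (pam_unix) session closed for user root'

# logcheck_report IGNORE_RULES LOG_TEXT: print the log lines no rule matches,
# i.e. what logcheck would put in its report.
logcheck_report() {
    _rules=$(mktemp) || return 1
    printf '%s\n' "$1" > "$_rules"
    # grep -v exits 1 when every line was ignored; an empty report is not an error.
    printf '%s\n' "$2" | grep -E -v -f "$_rules" || true
    rm -f "$_rules"
}

# Constructed nmap -sT output in the format quoted in the nmap section.
NMAP_OUTPUT='Interesting ports on (192.168.20.50):
(The 1546 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
25/tcp     open        smtp
143/tcp    open        imap
993/tcp    open        imaps'

# unexpected_open_ports "22/tcp 25/tcp ..." NMAP_OUTPUT: print every open port
# that is not in the space-separated allow list (143/tcp when only imaps is
# meant to be reachable, as the "# 143 should be closed" note says).
unexpected_open_ports() {
    printf '%s\n' "$2" | awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" && !($1 in ok) { print $1 }'
}

echo '--- logcheck would report:'
logcheck_report "$LOGCHECK_IGNORE" "$SAMPLE_LOG"
echo '--- open ports not in the allow list:'
unexpected_open_ports "22/tcp 25/tcp 993/tcp" "$NMAP_OUTPUT"
```

To test a real ignore file before installing it, pass its contents and a slice of the live log instead of the constructed strings, for example logcheck_report "$(cat /etc/logcheck/ignore.d.server/MOLLIE)" "$(tail -n 500 /var/log/syslog)"; a rule that GNU grep rejects (such as [:alnum:] written outside a bracket expression) shows up immediately as a grep error instead of silently disabling the whole file at the next logcheck run.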