1/8/05 Slackware 10.0 Hardening and Core Customization
3/27/07 Updated some stuff to make it more compatible with newer releases.

I. New Kernel

Connect to VectorStar's public file archive and get the latest kernel and any kernel patches needed for that server to work. As of kernel 2.4.19, a patch is needed for the FastTrak TX2000's and the SuperTrak SX6000.

Unpack the kernel and make /usr/src/linux a symlink to it.
Run the patches: "patch -p0 < filename".
Go into /usr/src/linux and "make menuconfig". I will leave kernel compilation up to the experience of the reader. However, there are a couple of specifically important options:

Code maturity: Development code must be enabled.
Modules: Loadable module support must be disabled.
CPU: MTRR should be used on the CPU.
General: No MISC binaries, no APM.
BlockDev: Must have loopback, network, ramdisk, initrd.
NetOpts: Socket filtering on any DNS server. Multicast off, syncookies on.
IDE/ATA: SuperTrak requires Promise PDC202xx, with FORCE ("Special FastTrak Feature") ENABLED. FT TX2000 (as of 2.4.19) requires that FORCE is DISABLED. Make sure to add support for IDE RAID controllers.
SCSI: The 3ware driver is the first one listed. The SX6000 driver is listed in SCSI, at the bottom.
I2O: Do NOT enable I2O Block support if you have a SuperTrak. Oh God.
Net: Include DEC Tulip, Intel EEPro, Davicom and Realtek 8139, even if you don't need them all right now.
Filesystems: quota, automount4, EXT3, VMemFS, ISO9660+options, Minix, proc, /dev/pts, ROMfs, ext2. Set NLS to English.

Okay. "make".

Put the kernel into production:
  "cp arch/i386/boot/bzImage /boot/bzImage-2.6.10"
  "cp System.map /boot/System.map-2.6.10"
  "rm /boot/System.map;ln -s /boot/System.map-2.6.10 /boot/System.map"
  "cp .config /boot/config-2.6.10"

Edit LILO accordingly and run LILO. Twice to be safe. Reboot to test the kernel.
Remove /lib/modules/2.4.26 and /usr/src/linux-2.4.26. Go into /boot and remove the old stuff for 2.4.26.
If you were using your old .18 kernel as a backup in LILO, remove it from LILO's config and run LILO.

II. OS security updates - packages

Right now the best Slackware mirror is carroll.cac.psu.edu. Go to a Slackware ftp site, into slackware-10.0/patches/packages/, and download all appropriate patches. They can be installed with the "upgradepkg" command. At the time of this writing, there were patches for glibc, glibc-solibs, proftpd, rsync, vim, and zlib.

III. Configuration Files in /etc

Edit HOSTNAME and remove the domain name.
Remove X11, csh.login, fb.modes, nntpserver.
Remove cron.hourly, cron.monthly, cron.weekly, and remove their actual cron jobs as well with "crontab -e".
Edit your fstab as needed. It always needs tweaking.
Edit hosts and remove the line with your server's name and IP listed. Only localhost should be in there.
Edit the identd.conf file for standalone operation: 3 concurrent requests, timeout of 10, kernel threads of 2, kernel buffers of 32, kernel attempts of 3.
Edit inetd.conf. Disable everything.
Edit inittab. Comment out consoles c4-c6. Change c1-c3 so they work in init mode 4 (make the second field "12345" instead of "1235").
Tweak issue and issue.net as you see fit.
In login.defs, disable MAIL_CHECK_ENAB, OBSCURE_CHECKS_ENAB, QUOTAS_ENAB. Uncomment ISSUE_FILE. Comment out MAIL_DIR. Change MAIL_FILE to ".mail/INBOX" and uncomment it. Set PASS_MIN_LEN to 4. Comment out CHFN_RESTRICT. Set USERGROUPS_ENAB to "no". Set "GID_MIN" to 103.
In logrotate.conf, set "rotate" to 9. Uncomment "compress".
*** logrotate.d/ entries will need to be made for each logfile that gets continually updated.
netgroup allows per-server rule-based passwd db rewrites. Very cool to allow/remove shell access/etc.
In profile, yank the X11 and games paths from the PATH. Set "biff" to "n", unless we're on the shell server.
Edit resolv.conf and add a second "nameserver" line, with NS2 on top and NS1 on the bottom.
Edit shells and ensure that only bash and zsh are in there.
Remove skel/.screenrc.
ssh/sshd_config: LoginGraceTime 120, PermitRootLogin no, UsePrivilegeSeparation yes. Comment out sftp-server. On the ftp server, we will custom-compile a chroot'd sftp-server later.
syslog.conf: See the section on syslog and logrotate.
warnquota.conf: This file should only be set up on the file server/quota server. It probably won't work if run from another server due to how NFS quotas are (not) managed. Here's a basic recommended config:

  MAIL_CMD = "/usr/lib/sendmail -t"
  FROM = "staff-quotas@vectorstar.net"
  SUBJECT = "VectorStar: Your Account is out of Disk Space"
  CC_TO = "staff-quotas@vectorstar.net"
  MESSAGE = This is an automatic message from VectorStar Networks\
   to let you know that you are out of disk space.|Below are \
   the filesystems on which you have reached disk capacity:|
  SIGNATURE = Regards,|The VectorStar Staff|

wgetrc: tries = 3
Create zshrc. In it, add: alias pico='pico -w'

IV. Bootup scripts in /etc/rc.d

Remove rc.4. We don't run X.
In rc.K: remove samba, PCMCIA.
In rc.M: change setterm -blank to 0 (unlimited). Change "darkstar.example.net" to your servername. Notice there are two lines to configure for the hostname deal. Remove the subsections for PCMCIA, printing, appletalk, smartd, atd, sendmail, rc.alsa, rc.font, rc.keymap, rc.hpoj, rc.mysqld, rc.httpd, samba, gpm.
In rc.S: remove the rc.modules section.
In rc.inet1.conf: rc.inet1 is now capable of handling both eth0 and eth1. We traditionally use eth0 for the WAN side and eth1 for the LAN, except of course in cases where there are no WAN interfaces. :) Configure your IP addresses accordingly.
In rc.inet2: remove the section for mounting SMB filesystems. You may notice that rc.syslog is started both in this file and in rc.M. Resist the temptation to remove it. This is done in case one of your main partitions (such as /usr) was just mounted by NFS. Just leave it be. :) Remove the rc.firewall, rc.ip_forward and rc.bind sections.
Delete rc.ip_forward.
In rc.local: All custom daemons must be started from here. These things may include:
  in.identd (all servers)
  snmpd (all servers)
  postgres (SQL)
  proftpd (FTP server)
  apache (web servers, mail server)
  qmail (mail server)
chmod 0 rc.serial.
chmod 0 rc.sysvinit. This would be useful if we had to install some redhat-proprietary package (like backup software) that uses the SysV style initialization scripts.
rc.yp: You will receive instructions on editing this file in the VectorStar YP documentation.

V. Core system user/group accounts

userdel lp,mail,news,uucp,operator,games,ftp,smmsp,mysql,gdm,pop
This should leave you with: root bin daemon adm sync shutdown halt rpc sshd nobody
To be clean, reorder them by UID if they are not in order.

groupdel lp,wheel,floppy,audio,video,cdrom,mail,news,uucp,games,smmsp,mysql,gdm,ftp,pop,nobody,users,console
This should leave you with: root bin daemon sys adm tty disk mem kmem man slocate utmp rpc sshd shadow nogroup
To be clean, reorder by GID if they are not in order.

Add a "vsadmin" user. UID 30 (or next available), GID 105 (staff). This is the failsafe emergency account in case NIS is broken and we need remote access to fix it. Home /, shell /bin/zsh. Set a password.

VI. Filesystem Lockdown and permissions on executables

  # chmod 750 /boot /mnt /sbin /var/tmp /var/yp
  chgrp 105 /boot /mnt /sbin /var/tmp /var/yp
  # If we are NOT on the mail server, kill the mail spool.
  rm -rf /var/spool/mail /var/mail
  # Back to all systems...
  rm -rf /home /var/X11R6
  rm -rf /usr/dict /usr/etc
  rm -rf /usr/local/games /usr/local/src
  # chmod 750 /usr/sbin /usr/src /usr/local/sbin
  chgrp 105 /usr/sbin /usr/src /usr/local/sbin
  rm -rf /usr/X11R6 /usr/X11 /usr/lib/X11 /usr/bin/X11 /usr/include/X11
  chmod 0 /usr/libexec/sftp-server   # We'll be compiling our own chroot'd version

in /bin:
  chmod 700 mount umount
  chmod 750 dmesg dd df free ftp netstat ps sync telnet
  chgrp 105 dmesg dd df free ftp netstat ping ping6 ps su sync telnet
  chmod 4750 ping ping6 su   # This must be done AFTER the chgrp

in /usr/bin:
  chmod 0 rcp rsh rlogin talk*
  chmod 4710 chsh chfn chage crontab expiry gpasswd newgrp passwd tracepath* traceroute*
  chgrp 105 chsh chfn chage crontab expiry gpasswd newgrp passwd tracepath* traceroute*
  chmod 750 finger screen* rpm2targz wall
  chgrp 105 finger screen* rpm2targz wall

in /usr/bin - compilers:
  chmod 750 aclocal ansi2knr as as86 as86_encap auto* bison \
    c++filt c2ph c_rehash cpan cpp g++-gcc-3.* gccbug gcc-3.* \
    glibcbug install install-info ld ld86 libtool* link lsof m4 make* \
    objcopy objdump* patch perlcc readelf strace* strings unlink xtrace \
    yacc
  chgrp 105 aclocal ansi2knr as as86 as86_encap auto* bison \
    c++filt c2ph c_rehash cpan cpp g++-gcc-3.* gccbug gcc-3.* \
    glibcbug install install-info ld ld86 libtool* link lsof m4 make* \
    objcopy objdump* patch perlcc readelf strace* strings unlink xtrace \
    yacc

  chmod 0 /usr/lib/perl5/5.*/i486-linux/Socket.pm
  chmod 0 /usr/lib/perl5/5.*/i486-linux/IO/Socket.pm

VII. Setting ulimits

Create an executable (755) bash script, /etc/profile.d/ulimit.sh:

  #!/bin/bash
  # (( )) and $UID are bash features, so call bash explicitly.
  # Only accounts with a UID above 1017 get limited.
  if (( $UID > 1017 )); then
    if [ "$SHELL" = "/bin/zsh" ]; then
      # zsh: set hard limits so the user cannot raise them again.
      ulimit -Hm 10240
      ulimit -Hu 20
      ulimit -Hn 128
      ulimit -Hl 10240
      ulimit -Hv 20480
    elif [ "$SHELL" = "/bin/bash" ]; then
      # bash: set both the soft and the hard limit.
      ulimit -m 10240
      ulimit -u 20
      ulimit -n 128
      ulimit -l 10240
      ulimit -v 20480
    fi
  fi

VIII. /proc performance/load tweaks on startup

Add this stuff to rc.local:

  ### Proc tweaks...
  # IPC Stack buffers.
  # I remember msgmnb needing to be double msgmax.
  echo 65536 > /proc/sys/kernel/msgmnb
  echo 32768 > /proc/sys/kernel/msgmax
  # Open file handles by the OS. Default is 51087.
  echo 65536 > /proc/sys/fs/file-max

IX. Setting up admin cron jobs

By now you'll need to mount /vsn via NFS from the file server. Once you have /vsn mounted, you can set up the standard cron jobs. In /vsn/admin/cron there are a few scripts which should be run by all servers. In /vsn/admin/cron/SERVERNAME are the scripts which should only be run by that particular server.

X. syslog and logrotate

This is a generic syslog config that should meet the basic needs of any of our servers:

  # Stuff between .info and .warn, but no authpriv,cron,mail
  *.info;*.!warn;authpriv.none;cron.none;mail.none  -/var/log/messages
  # Warn and higher, same stuff but more important.
  *.warn;authpriv.none;cron.none;mail.none  -/var/log/syslog
  ## Debugging information is logged here.
  #*.=debug  -/var/log/debug
  # Authorization - generally logins/logouts and failures.
  authpriv.*  -/var/log/secure
  # Cron related logs:
  cron.*  -/var/log/cron
  # Mail related logs:
  mail.*;mail.!=debug  -/var/log/maillog
  # Emergency level messages go to all users:
  *.emerg  *

Logrotate is as follows:
Remove spooler and debug from /etc/logrotate.d/syslog.
On the FTP server, copy syslog to proftpd and point it at the file "proftpd.log". Set the PID file to /var/run/proftpd.pid.

XI. Pine.conf

quell-folder-message option: edit /usr/lib/pine/pine.conf.

  user-domain=vectorstar.net
  smtp-server=mail.priv.vectorstar.net/novalidate-cert/tls/user=$USER
  inbox-path=.mail/INBOX
  feature-list=quell-folder-internal-msg
  mail-directory=.mail
  disable-these-authenticators=CRAM-MD5,PLAIN

Well, that's all we have for hardening! Some more application specific stuff could be added here, but this is a pretty reasonable starting point.
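The lockdown in section VI is easy to undo by accident (an upgradepkg run puts a binary back at its stock 4755 mode), so an audit that re-checks it is worth keeping around. The script below is an added example, not part of the VectorStar guide; it assumes GNU stat, uses the guide's own paths and modes, and treats GID 105 as the staff group as the guide does.

```bash
#!/bin/bash
# Added example (not from the VectorStar guide): re-check the section VI
# lockdown and report drift. Manifest lines are "path mode gid"; gid "-"
# means don't care. GID 105 is the guide's staff group. Needs GNU stat.

# Return 0 if PATH has exactly MODE (octal, as stat -c %a prints it) and
# GID; print a one-line reason to stderr and return 1 otherwise.
check_perm() {
    local path="$1" want_mode="$2" want_gid="$3" have
    if [ ! -e "$path" ]; then
        echo "MISSING $path" >&2; return 1
    fi
    have=$(stat -c '%a %g' "$path") || return 1
    if [ "${have% *}" != "$want_mode" ]; then
        echo "DRIFT $path: mode ${have% *}, want $want_mode" >&2; return 1
    fi
    if [ "$want_gid" != "-" ] && [ "${have#* }" != "$want_gid" ]; then
        echo "DRIFT $path: gid ${have#* }, want $want_gid" >&2; return 1
    fi
    return 0
}

# Read a manifest on stdin, check every entry, and print how many failed
# (0 means the lockdown is intact). Blank lines and # comments are skipped.
audit_manifest() {
    local fails=0 path mode gid
    while read -r path mode gid; do
        case $path in ''|\#*) continue;; esac
        check_perm "$path" "$mode" "$gid" || fails=$((fails + 1))
    done
    echo "$fails"
}

# The section VI entries whose mode (and, where stated, group) the guide gives.
guide_manifest() {
    cat <<'EOF'
/bin/su                  4750 105
/bin/ping                4750 105
/bin/dmesg               750  105
/bin/mount               700  -
/usr/bin/passwd          4710 105
/usr/bin/crontab         4710 105
/usr/bin/rcp             0    -
/usr/bin/rsh             0    -
/usr/libexec/sftp-server 0    -
EOF
}

# On the host itself (as root, so every path is readable): ./audit.sh --run
if [ "${1:-}" = "--run" ]; then
    guide_manifest | audit_manifest
fi
```

A non-zero count from a cron run of this script is the signal to go back through section VI on that host.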
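The selector syntax in the section X syslog.conf is easy to misread ("*.!warn" drops warn and above from messages, "mail.none" drops the facility entirely, and a later selector overrides an earlier one), and when you are chasing a login failure you want to know which file it landed in. The script below is an added example, not the guide's own; it embeds the guide's config and routes a facility.priority pair through it the way sysklogd does.

```bash
#!/bin/bash
# Added example, not from the VectorStar guide: route a facility.priority
# pair through the section X syslog.conf the way sysklogd does.
set -f   # selectors contain '*'; never let the shell glob them
# The guide's own syslog.conf lines (comments dropped).
guide_syslog_conf() {
    cat <<'EOF'
*.info;*.!warn;authpriv.none;cron.none;mail.none -/var/log/messages
*.warn;authpriv.none;cron.none;mail.none -/var/log/syslog
authpriv.* -/var/log/secure
cron.* -/var/log/cron
mail.*;mail.!=debug -/var/log/maillog
*.emerg *
EOF
}
# Numeric level of a priority keyword; "*" counts as the lowest level.
prio_num() {
    case $1 in
        '*'|debug) echo 0;; info) echo 1;; notice) echo 2;; warn|warning) echo 3;;
        err|error) echo 4;; crit) echo 5;; alert) echo 6;; emerg|panic) echo 7;;
        *) echo "unknown priority: $1" >&2; return 1;;
    esac
}
# Return 0 if selector list SEL (e.g. "*.info;*.!warn;mail.none") accepts a
# message from facility FAC at priority PRI. Later selectors override earlier.
sel_matches() {
    local IFS=';' sel="$1" fac="$2" p match=0 item facs pri
    p=$(prio_num "$3") || return 1
    for item in $sel; do
        facs=${item%.*}; pri=${item##*.}
        case ",$facs," in *",$fac,"*|*",*,"*) ;; *) continue;; esac
        case $pri in
            none)  match=0;;
            '!='*) if [ "$p" -eq "$(prio_num "${pri#!=}")" ]; then match=0; fi;;
            '!'*)  if [ "$p" -ge "$(prio_num "${pri#!}")" ]; then match=0; fi;;
            '='*)  if [ "$p" -eq "$(prio_num "${pri#=}")" ]; then match=1; fi;;
            *)     if [ "$p" -ge "$(prio_num "$pri")" ]; then match=1; fi;;
        esac
    done
    [ "$match" -eq 1 ]
}
# Print the action (log file, or "*" for all logged-in users) of every
# config line that accepts FAC.PRI; the leading "-" (no fsync) is stripped.
syslog_route() {
    local fac="$1" pri="$2" sel action
    guide_syslog_conf | while read -r sel action; do
        if sel_matches "$sel" "$fac" "$pri"; then echo "${action#-}"; fi
    done
}
```

For example, syslog_route authpriv info prints only /var/log/secure, and syslog_route kern warn prints /var/log/syslog but not /var/log/messages.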