Archive for the tag 'Securing'

SBDavid

Securing the /etc/services file

Secure the /etc/services file to prevent unauthorized editing. If this file is editable, crackers can use it to enable ports on your machine you have otherwise closed. To secure this file, type the following commands as root:

# chown root:root /etc/services
# chmod 0644 /etc/services
# chattr +i /etc/services

The immutable attribute set by chattr +i prevents the file from being modified, renamed, deleted or having links made to it.

Securing the /tmp Partition

It is recommended to create /tmp as a separate partition and mount it with the noexec and nosuid options.

The noexec option disables the executable file attribute within an entire file system, effectively preventing any files within that file system from being executed.

The nosuid option disables the SUID file-attribute within an entire file system. This prevents SUID attacks on, say, the /tmp file system.

To secure the /tmp partition of your Parallels Plesk Panel server:

If /tmp is a separate partition on the server, you only need to edit /etc/fstab and add the noexec and nosuid options for /tmp. Then remount the partition.

If the /tmp directory resides on the / partition:

Create a new partition for /tmp, for example with size 512 MB:

# mkdir /filesystems
# dd if=/dev/zero of=/filesystems/tmp_fs count=512 bs=1M
# mkfs.ext3 /filesystems/tmp_fs

Add the following line to /etc/fstab:

/filesystems/tmp_fs /tmp ext3 noexec,nosuid,loop 1 1

Move the current /tmp directory content to another location.
Mount the new /tmp partition:

# mount /tmp

Move the content from the old /tmp directory to the new one.
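
To confirm the result of the steps above, the following check reports which of the two options are missing from the /tmp mount. It is an added example, not part of the original post; the function name and the sample tables are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): report which of the required
# options are missing from the /tmp mount.
# Input uses the /proc/mounts and /etc/fstab column layout:
#   device  mountpoint  fstype  options  dump  pass

# Prints the missing options (space separated), nothing when both are set,
# or "not-mounted" when /tmp has no entry of its own and lives on /.
missing_tmp_opts() {
    awk '
        /^[ \t]*#/ { next }                    # fstab comment
        $2 == "/tmp" { found = 1; opts = $4 }  # last entry wins (overmount)
        END {
            if (!found) { print "not-mounted"; exit }
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) have[o[i]] = 1
            out = ""
            if (!("noexec" in have)) out = out " noexec"
            if (!("nosuid" in have)) out = out " nosuid"
            print substr(out, 2)
        }'
}

# Constructed sample tables, not taken from a real host.
FSTAB_FROM_PAGE='/filesystems/tmp_fs /tmp ext3 noexec,nosuid,loop 1 1'
MOUNTS_WEAK='/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda3 /tmp ext3 rw,nosuid,relatime 0 0'
MOUNTS_ROOT_ONLY='/dev/sda1 / ext3 rw,relatime 0 0'

for table in "$FSTAB_FROM_PAGE" "$MOUNTS_WEAK" "$MOUNTS_ROOT_ONLY"; do
    result=$(printf '%s\n' "$table" | missing_tmp_opts)
    echo "missing: ${result:-none}"
done
```

On a live host, run missing_tmp_opts < /proc/mounts after the remount to check the options actually in effect.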

SBDavid

Securing NFS

NFS (Network File System) allows servers to share files over a network. But like all network services, using NFS involves risks.

If you don’t have shared directories to export, ensure that the NFS service is NOT enabled and running:

# service nfs status
rpc.mountd is stopped
nfsd is stopped
rpc.rquotad is stopped

Then check with chkconfig that it is not enabled at boot:

# chkconfig --list nfs
nfs 0:off 1:off 2:off 3:off 4:off 5:off 6:off
#

You probably don’t need the portmap service either. It is used by NFS (the portmap daemon registers RPC-based services such as NFS, NIS, etc.):

# service portmap status
portmap is stopped

Then check its status with chkconfig:

# chkconfig --list portmap
portmap 0:off 1:off 2:off 3:off 4:off 5:off 6:off
#

NFS should not be enabled if not needed.
If you must use NFS, use TCP wrappers to restrict remote access.
Export only to those machines that really need access.
Use fully qualified domain names to diminish spoofing attempts.
Export only directories you need to export.
Export read-only wherever possible.
Use NFS over TCP.
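
The export-related recommendations above can be checked mechanically. The following is an added example, not part of the original post: it flags wildcard clients, short (non-FQDN) host names and read-write exports in /etc/exports text. The function name, paths and example.com hosts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): flag /etc/exports entries that
# go against the recommendations above. Reads exports(5) text on stdin and
# prints one finding per line. Assumes clients are host names or IPv4
# addresses; netgroups, IPv6, default-option (-opts) entries and backslash
# line continuations are not handled.
audit_exports() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        NF == 1 { print $1 ": no client list, exported to every host"; next }
        {
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""
                p = index(client, "(")
                if (p > 0) {
                    opts = substr(client, p + 1)
                    sub(/\)$/, "", opts)
                    client = substr(client, 1, p - 1)
                }
                # "host (rw)" with a space parses as host plus an empty client,
                # and an empty client means every host.
                if (client == "" || client ~ /[*?]/)
                    print $1 ": wildcard client \"" client "\""
                else if (client !~ /\./)
                    print $1 ": short host name \"" client "\", use an FQDN"
                # ro is the default, so only an explicit rw is reported.
                if (("," opts ",") ~ /,rw,/)
                    print $1 ": read-write for \"" client "\""
            }
        }'
}

# Constructed sample exports file; example.com names are placeholders.
SAMPLE_EXPORTS='# path        clients
/srv/pub      client1.example.com(ro,sync)
/srv/data     *(rw,sync)
/srv/home     client2(rw)
/srv/backup   backup.example.com (rw)'

printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports
```

The last sample line shows the classic pitfall: a space between the host and its options gives the named host the defaults and exports the directory read-write to everyone else.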

SBDavid

Securing Sendmail

Note that it is recommended to use Postfix over Sendmail for various security reasons.

On newer Linux systems Sendmail is configured to run in the background for local mail delivery and not to accept incoming network connections. If your server is not a mail or relay server, then it is important that Sendmail is not accepting incoming network connections from any host other than the local server.

The default sendmail.cf configuration file on RedHat does not allow Sendmail to accept incoming network connections. The following setting in /etc/mail/sendmail.cf tells Sendmail not to accept incoming network connections from servers other than the local node:

DaemonPortOptions=Port=smtp,Addr=127.0.0.1, Name=MTA

If that’s not the case on your system, you can change it by setting or uncommenting the DAEMON_OPTIONS parameter in the /etc/mail/sendmail.mc file.

Uncomment the DAEMON_OPTIONS line in /etc/mail/sendmail.mc to read:

DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

Then run:

# mv /etc/mail/sendmail.cf /etc/mail/sendmail.cf.old
# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
# /etc/init.d/sendmail restart

To verify whether Sendmail is still listening for incoming network requests, you can run one of the following commands from another node (make sure that you have permission to probe the machine):

# nmap -sT -p 25 [ip address]
# telnet [ip address] 25

SBDavid

Securing Postfix

Postfix is a replacement for Sendmail with several security advantages. It consists of several small programs that each perform one small task, and almost all of them run in a chroot jail. These are just a few of the reasons why Postfix is recommended over Sendmail.

Linux servers that are not dedicated mail or relay servers should not accept external emails. However, it is important for production servers to send local emails to a relay server.

Before you continue on a Red Hat system, make sure Postfix is activated using the following command:

# alternatives --set mta /usr/sbin/sendmail.postfix

The following parameters in /etc/postfix/main.cf should be set to ensure that Postfix accepts only local emails for delivery:

mydestination = $myhostname, localhost.$mydomain, localhost
inet_interfaces = localhost

The parameter mydestination lists all domains to receive emails for. The parameter inet_interfaces specifies the network interfaces to listen on.

Once you’ve configured Postfix, restart the mail system with the following command:

# /etc/init.d/postfix restart

To verify whether Postfix is still listening for incoming network requests, you can run one of the following commands from another node:

# nmap -sT -p 25 [ip address]
# telnet [ip address] 25

Don’t run these commands on the local host since Postfix is supposed to accept connections from the local node.
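
The remote probe used for both Sendmail and Postfix has a local counterpart: read the listening sockets on the mail host and report any port 25 listener that is not bound to loopback. This is an added example, not part of the original posts; the function name and the socket tables are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): list the non-loopback addresses
# that have a listener on TCP port 25. Reads `ss -ltn` or `netstat -ltn`
# output on stdin; both put the local address in column 4.
exposed_smtp() {
    awk '
        $4 ~ /:25$/ {
            addr = $4
            sub(/:25$/, "", addr)                       # drop the port
            sub(/^\[/, "", addr); sub(/\]$/, "", addr)  # ss brackets IPv6
            if (addr ~ /^127\./ || addr == "::1") next  # loopback is expected
            print addr
        }'
}

# Constructed socket tables, not captured from a real host.
LOCAL_ONLY='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      100    127.0.0.1:25       0.0.0.0:*
LISTEN 0      100    [::1]:25           [::]:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'
EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      100    0.0.0.0:25         0.0.0.0:*
LISTEN 0      100    [::]:25            [::]:*
LISTEN 0      128    0.0.0.0:2525       0.0.0.0:*'

echo "local-only MTA: $(printf '%s\n' "$LOCAL_ONLY" | exposed_smtp | tr '\n' ' ')"
echo "all interfaces: $(printf '%s\n' "$EXPOSED" | exposed_smtp | tr '\n' ' ')"
```

On the mail host itself, run ss -ltn | exposed_smtp; empty output means the MTA accepts connections from the local node only.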
