[CentOS] Hardening CentOS by removing "hacker" tools
Luke S Crawford
lsc at prgmr.com
Fri Jun 6 23:54:25 UTC 2008
"Filipe Brandenburger" <filbranden at gmail.com> writes:
> My boss asked me to harden a CentOS box by removing "hacker" tools,
> such as nmap, tcpdump, nc (netcat), telnet, etc.
Removing network tools does not make it harder to break into the box,
however, it can make it harder to do something with it once you are in.
removing those tools might help keep an infection from spreading, but it
wont protect the box itself. (also, just installing the programs just
means that if your box get compromised, the hacker needs to install
some new packages. Not difficult, even without root- the attacker
can install to the compromised user homedir.)
It sounds like your boss doesn't know much about this. you have 2
choices... You can do what he says (largely useless.) or you can try to
educate yourself (and your boss) on ways to actually make your systems more
secure.
I would advise the latter course, personally, - if the boss is a good
boss, he will listen to his technical people.
here are the basics:
First, turn off all daemons you don't need. if it's not running, you
don't need to worry if there is a security hole in it.
I think a good firewall is useful... it saves your ass if you
accidentally leave a daemon running that you don't need, or if
the new guy starts up a demon that you weren't running before, or if
you need a daemon to be accessibly to the office but not the world. use the
centos iptables default setup- make sure you can take the box offline,
then change the, default to 'reject' and then open things
up one service at a time until your system works again.
third, subscribe to the announce list for your distro- and check it
every day. apply security updates immediately (you can't just do this
with cron; some require reboots)
also, make sure that PermitRootLogin is set to no in /etc/ssh/sshd_config
- all of the successful brute-force attacks I've seen have been against
the root user. Brute-forcing other users is more difficult, as the
attacker (usually an automated process) needs to first obtain the
username; if you watch /var/log/secure you see a lot more attempts at root
than others.
if you use applications that are not provided by your distro's standard
distribution, subscribe to the mailing lists for those, as well.
the idea being that the majority of hacks are known exploits... if you
watch the mailing lists, you can at least solve the known problems
soon after they become generally known.
those are the minimum steps you need to take... it's thousands of times
better than nothing. these are the 'easy' steps that get you a lot
of security while minimally interfering with usability
going beyond here, you must recognize that in the optimal case, there
is a tradeoff between usability and security. this is the optimal
case; sometimes you can make things less usable without increasing
security.
Beyond here, look at selinux, look at mounting all user-accessible partitions
(/tmp, /home/ and /var) as noexec and ensuring that nobody but root can
write anywhere else... - it doesn't help if you get rooted, but it
makes things mildly more difficult for a local user to run a local root
exploit.
some people remove development tools, because many people transport exploit
code as c source code to the box, compile it and then execute it.
many other things can be done... but don't bother until you take down
unnecessary demons, put up a firewall, subscribe to the announce lists
for your distro, and disable remote root login.
More information about the CentOS
mailing list