[CentOS] Hardening CentOS by removing "hacker" tools

Filipe Brandenburger filbranden at gmail.com
Sat Jun 7 03:14:38 UTC 2008


On Fri, Jun 6, 2008 at 7:54 PM, Luke S Crawford <lsc at prgmr.com> wrote:
> Removing network tools does not make it harder to break into the box,
> however, it can make it harder to do something with it once you are in.

That's the idea.

> (also, [not] installing the programs just
> means that if your box gets compromised, the hacker needs to install
> some new packages.  Not difficult, even without root - the attacker
> can install to the compromised user homedir.)

Not if /home and /tmp and /var/tmp are mounted with noexec,nodev,nosuid,...

> It sounds like your boss doesn't know much about this.  You have 2
> choices...  You can do what he says (largely useless.) or you can try to
> educate yourself (and your boss) on ways to actually make your systems more
> secure.

Actually his argument (with which I agree) is that no box is
uncompromisable. Once compromised, you want to limit what can be done
from that box to reach more critical and secure parts of your network.

Also, removing those tools certainly WON'T make the box LESS secure.

> First, turn off all daemons you don't need.  if it's not running, you
> don't need to worry if there is a security hole in it.

This is a worry for this box because it will need to be particularly
exposed to the world (that's inherent to its role).

> I think a good firewall is useful...
> apply security updates immediately
> make sure that PermitRootLogin is set to no in /etc/ssh/sshd_config
> Beyond here, look at selinux, look at mounting all user-accessible partitions
> (/tmp, /home/ and /var)  as noexec
> some people remove development tools, because many people transport exploit
> code as c source code to the box, compile it and then execute it.

Yes, I'm doing all of those, including SELinux, and I'm planning on
doing yet more (like chroot'ed SSH).

Thanks!
Filipe
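The mount-option and sshd_config checks the thread recommends, as an added example that is not part of the original post or of the CentOS project: a POSIX sh script that audits a /proc/mounts-format table for nodev, nosuid and noexec on /home, /tmp and /var/tmp, reads the effective PermitRootLogin value the way sshd does (first occurrence of the keyword wins, comment lines are ignored, and anything after the first Match line is conditional), and probes whether direct execution from a directory is actually refused. The sample mount table and sshd_config fragment are constructed for this example; the names SAMPLE_MOUNTS, SAMPLE_SSHD, missing_opts, permit_root_login and exec_blocked are chosen here and are not from any tool.

```shell
#!/bin/sh
# Added example (not from the original thread): audit the hardening discussed
# above on a CentOS-style host. Needs only POSIX sh and awk; the parsing parts
# do not need root.

# Constructed sample in /proc/mounts format (not captured from a real host).
# /var/tmp is deliberately absent: it lives on / and inherits rw,exec from it.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda2 /home ext3 rw,nosuid,nodev,noexec 0 0
/dev/sda3 /tmp ext3 rw,nodev 0 0
/dev/sda5 /var ext3 rw,nosuid,nodev 0 0'

# Constructed sshd_config fragment. The commented-out line must be ignored,
# sshd uses the FIRST value of a keyword (so "no" beats the later "yes"),
# and the line inside the Match block only applies to that user.
SAMPLE_SSHD='#PermitRootLogin yes
Protocol 2
PermitRootLogin no
PermitRootLogin yes
Match User backup
    PermitRootLogin yes'

# missing_opts MOUNTPOINT [TABLE]
# Prints the options among nodev, nosuid and noexec that MOUNTPOINT lacks
# (space-separated) and returns 0 only when none are missing. TABLE is text in
# /proc/mounts format and defaults to the live /proc/mounts. A directory that
# is not its own mount point prints "not-a-mountpoint": it simply inherits the
# parent filesystem's options, which for / are normally rw,exec.
missing_opts() {
    mp=$1
    if [ -n "$2" ]; then table=$2; else table=$(cat /proc/mounts); fi
    # Field 2 is the mount point, field 4 the option list. The last matching
    # line wins, because a later /proc/mounts entry is mounted on top of an
    # earlier one for the same path.
    opts=$(printf '%s\n' "$table" | awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }')
    if [ -z "$opts" ]; then
        echo "not-a-mountpoint"
        return 1
    fi
    missing=""
    for want in nodev nosuid noexec; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    echo "${missing# }"
    [ -z "$missing" ]
}

# permit_root_login [CONFIG_TEXT]
# Prints the effective global PermitRootLogin value (lower-cased) from
# sshd_config text, defaulting to /etc/ssh/sshd_config. Handles the
# whitespace-separated "Keyword value" form. Prints "unset" when the directive
# is absent from the global section, in which case sshd's compiled-in default
# applies and the box should be treated as NOT hardened.
permit_root_login() {
    if [ -n "$1" ]; then cfg=$1; else cfg=$(cat /etc/ssh/sshd_config); fi
    val=$(printf '%s\n' "$cfg" | awk '
        tolower($1) == "match" { exit }                      # global section ends here
        tolower($1) == "permitrootlogin" { print tolower($2); exit }')
    echo "${val:-unset}"
}

# exec_blocked DIR
# Live probe: drops a tiny executable script into DIR and runs it directly.
# Returns 0 if the kernel refused (noexec in effect), 1 if it ran, 2 if DIR is
# not writable. Caveat: noexec only stops execve() of files on that mount,
# i.e. dropped binaries and ./script; "sh $f" or "perl $f" still works because
# the interpreter, not the kernel, reads the file.
exec_blocked() {
    f=$(mktemp "$1/noexec-probe.XXXXXX") || return 2
    printf '#!/bin/sh\nexit 0\n' > "$f"
    chmod 700 "$f"
    if "$f" 2>/dev/null; then
        rm -f "$f"; return 1
    fi
    rm -f "$f"; return 0
}

# Stand-alone run: report on the constructed samples, then probe the real /tmp.
# Drop the second argument of missing_opts to audit the live mount table.
for mp in /home /tmp /var/tmp; do
    printf '%-9s missing: %s\n' "$mp" "$(missing_opts "$mp" "$SAMPLE_MOUNTS")"
done
printf 'PermitRootLogin (sample): %s\n' "$(permit_root_login "$SAMPLE_SSHD")"
if exec_blocked /tmp; then
    echo "/tmp: direct execution blocked"
else
    echo "/tmp: direct execution allowed"
fi
```

Two things the probe makes visible that the mount options alone do not: /var/tmp only gets noexec if it is its own filesystem (or is otherwise mounted separately), since a plain directory on / inherits the root filesystem's options; and noexec and removing interpreters or compilers are complementary, because a script handed to an installed interpreter is read, not executed, and so is never subject to the mount flag.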
