9. LINUX ADMINISTRATION

SECURITY - Stay Away from Defaults (default account names, ports and an open firewall are the first things automated scanners try)


Note = Security

Configuration Setup-

1

MYSQL SECURITY - RENAME THE ROOT USER

mysql> use mysql;
Reading    table information for completion of table and column names
You can    turn off this feature to get a quicker startup with -A

Database changed

Rename the root account. Renaming only hides the well-known name; it is no substitute for a strong password and for restricting the Host column of the remaining rows to localhost. Editing mysql.user directly is the legacy method - newer MySQL versions provide RENAME USER for this - and some tooling assumes the superuser is still called root, so check backups and monitoring scripts afterwards.

mysql> update user set user="dbaroot" where user="root";
Query OK, 3 rows affected (0.00    sec)
Rows matched: 3     Changed: 3  Warnings: 0

mysql> flush privileges;
Query OK, 0 rows affected (0.00    sec)

Log in with the renamed account. Keep an existing session open until this login has been confirmed: after FLUSH PRIVILEGES the old name root no longer exists.

# mysql    -u dbaroot -p
Enter password:

2

  SSH Copy ID = Key-based login WITHOUT PASSWORD


1) Generate an RSA key pair with ssh-keygen. Give the private key a passphrase (and use ssh-agent) rather than leaving it unencrypted on disk: an unprotected key file is a password-less login for anyone who copies it.


2) ssh-copy-id to the remote host (standard port).


3) ssh-copy-id to a remote host on a non-standard port: pass the port with -p (older ssh-copy-id releases only accept it when the port and host are quoted together as one argument).

3   

  SSH DISABLE HOST CHECKING
  WARNING: the ~/.ssh/config below turns off host-key verification for server186 entirely. A changed key never warns, and with UserKnownHostsFile /dev/null the key is re-learned on every connection, so a man-in-the-middle or DNS/ARP spoof goes unnoticed. Use this only for throwaway hosts; if ports 2268 and 2269 are really different machines behind one address, give each its own Host entry with HostKeyAlias instead of disabling checking. The transcript also logs in as root with a password - prefer key authentication and PermitRootLogin no on the server side.

noc@sol-11:~$ ssh root@server186 -p 2268
Warning: Permanently added 'server186,216.214.78.186' (RSA) to the list of known hosts.
root@server186's password:

noc@sol-11:~$ ssh root@server186 -p 2269
Warning: Permanently added 'server186,216.214.78.186' (RSA) to the list of known hosts.
root@server186's password:

noc@sol-11:~$ cat ~/.ssh/config
Host server186
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null

4

  SSHD CHANGE LOGIN PORT = /etc/ssh/sshd_config

Port 2222 <- set this in sshd_config; it takes effect when sshd is restarted. A non-default port only reduces scanner noise - it is not authentication, so keep key-only login and the host firewall in place. Do not make the new port reachable by switching the firewall off; open TCP 2222 in iptables instead, and keep the old port listed until a login on the new one has been verified so a typo cannot lock you out.
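# Open the new port in the host firewall BEFORE restarting sshd, and keep the
# firewall running: turning iptables off just to reach port 2222 removes every
# other filter on the box. "-I" puts the rule ahead of any trailing REJECT
# rule; "service iptables save" persists it across reboots on this
# (service/chkconfig based) distribution family. On SELinux-enforcing hosts
# the new port must also be labelled, e.g.
#   semanage port -a -t ssh_port_t -p tcp 2222
/sbin/iptables -I INPUT -p tcp --dport 2222 -j ACCEPT
/sbin/service iptables save
/sbin/service sshd restart

chkconfig iptables on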

5

  TCP WRAPPER = /etc/hosts.deny and  /etc/hosts.allow
  hosts.allow is consulted before hosts.deny, so a deny-all in hosts.deny plus an explicit allow list is the right shape. Two caveats: (1) tcp wrappers only apply to daemons linked against libwrap - OpenSSH dropped that support in 6.7 - so verify with ldd $(which sshd) | grep libwrap and treat this as defence in depth behind iptables, never as the only control; (2) the portable prefix syntax is a trailing dot (120.140. matches 120.140.x.y); the 120.140* form relies on a wildcard extension, and a pattern such as 192.168.1* also matches 192.168.10.x through 192.168.199.x, which is almost certainly wider than intended.

# hosts.deny    This file describes the names of the hosts which are
#        *not* allowed to use the local INET services, as decided
#        by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!
sshd:ALL

# hosts.allow    This file describes the names of the hosts which are
#        allowed to use the local INET services, as decided
#        by the '/usr/sbin/tcpd' server.
#
sshd:120.140* 120.141* 218.111.47* 192.168.1* 175.136.247* localhost


6

  NESSUS SECURITY SCANNER INSTALLATION







7

   BLOCK ALL IP EXCEPT IN THE ALLOWED LIST (listed addresses get every inbound port, everything else is dropped - put the address you administer from in the list before running this, or you lock yourself out)

[root@transit ~]# pwd
/root
[root@transit ~]# cat iptables-allow-list
192.168.1.166

[root@transit ~]# cat myfirewall-1
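#!/bin/bash
# myfirewall-1: default-deny host firewall.
# Every address listed in $_input (one per line, '#' comments allowed) gets
# unrestricted inbound access on $_pub_if; all other inbound traffic is
# dropped. Outbound is open. Run as root; re-running rebuilds the rule set
# from scratch.
set -euo pipefail

_input=/root/iptables-allow-list
IPT=/sbin/iptables
_pub_if="eth0"

# Print the usable entries of an allow-list file, one per line: blank lines
# and '#' comments are dropped and whitespace removed, so a stray empty line
# cannot become an empty "-s" that aborts the run with the table half-built.
list_entries() {
    local entry
    while IFS= read -r entry || [[ -n "${entry}" ]]; do
        entry=${entry%%#*}
        entry=${entry//[[:space:]]/}
        if [[ -n "${entry}" ]]; then
            printf '%s\n' "${entry}"
        fi
    done <"$1"
}

# Refuse to run without the list: with policy DROP and no allow rules we
# would lock ourselves out of the box.
if [[ ! -r "${_input}" ]]; then
    printf 'allow list %s not readable\n' "${_input}" >&2
    exit 1
fi

# Start from a clean table. -F alone leaves the user chain from a previous
# run in place (and -N then fails), so flush and delete it first.
$IPT -F
$IPT -X iptables-allow-list 2>/dev/null || true
$IPT -N iptables-allow-list

# DROP and close everything
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# Unlimited lo access
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# Allow all outgoing connection but no incoming stuff by default
$IPT -A OUTPUT -o "${_pub_if}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i "${_pub_if}" -m state --state ESTABLISHED,RELATED -j ACCEPT

# One LOG + ACCEPT pair per listed address (all ports).
while IFS= read -r ip; do
    $IPT -A iptables-allow-list -i "${_pub_if}" -s "${ip}" -j LOG --log-prefix " Allowed IP List "
    $IPT -A iptables-allow-list -i "${_pub_if}" -s "${ip}" -j ACCEPT
done < <(list_entries "${_input}")

# Hook the allow chain in ahead of the built-in rules.
# NOTE(review): the chain's rules match on "-i eth0"; locally generated
# (OUTPUT) traffic has no input interface, so the OUTPUT jump is kept for
# parity with the original but is not expected to match anything.
$IPT -I INPUT -j iptables-allow-list
$IPT -I OUTPUT -j iptables-allow-list
$IPT -I FORWARD -j iptables-allow-list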

8

   EXTENSION OF NO 7: SECOND LIST "iptables-allow-list-dport80" (addresses allowed on TCP port 80 only)

[root@zvps-lan69 ~]# cat /root/iptables-allow-list
192.168.68.66
[root@zvps-lan69 ~]# cat /root/iptables-allow-list-dport80
192.168.68.68

[root@zvps-lan69 ~]# cat /etc/sysconfig/myfirewall
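#!/bin/bash
# myfirewall: default-deny host firewall with two allow lists.
#   $_input  - addresses granted unrestricted inbound access on $_pub_if
#   $_input2 - addresses granted inbound TCP port 80 only
# Lists hold one address per line; '#' comments and blank lines are ignored.
# Everything else inbound is dropped, outbound is open. Run as root;
# re-running rebuilds the rule set from scratch.
set -euo pipefail

_input=/root/iptables-allow-list
_input2=/root/iptables-allow-list-dport80
IPT=/sbin/iptables
_pub_if="eth0"

# Print the usable entries of an allow-list file, one per line: blank lines
# and '#' comments are dropped and whitespace removed, so a stray empty line
# cannot become an empty "-s" that aborts the run with the table half-built.
list_entries() {
    local entry
    while IFS= read -r entry || [[ -n "${entry}" ]]; do
        entry=${entry%%#*}
        entry=${entry//[[:space:]]/}
        if [[ -n "${entry}" ]]; then
            printf '%s\n' "${entry}"
        fi
    done <"$1"
}

# Both lists must exist: with policy DROP and no allow rules we would lock
# ourselves out of the box.
for list in "${_input}" "${_input2}"; do
    if [[ ! -r "${list}" ]]; then
        printf 'allow list %s not readable\n' "${list}" >&2
        exit 1
    fi
done

# Start from a clean table. -F alone leaves the user chains from a previous
# run in place (and -N then fails), so flush and delete them first.
$IPT -F
$IPT -X iptables-allow-list 2>/dev/null || true
$IPT -X iptables-allow-list-dport80 2>/dev/null || true
$IPT -N iptables-allow-list
$IPT -N iptables-allow-list-dport80

# DROP and close everything
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# Unlimited lo access
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# Allow all outgoing connection but no incoming stuff by default
$IPT -A OUTPUT -o "${_pub_if}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i "${_pub_if}" -m state --state ESTABLISHED,RELATED -j ACCEPT

# Full-access list: LOG + ACCEPT per address, all ports.
while IFS= read -r ip; do
    $IPT -A iptables-allow-list -i "${_pub_if}" -s "${ip}" -j LOG --log-prefix " Allowed IP List "
    $IPT -A iptables-allow-list -i "${_pub_if}" -s "${ip}" -j ACCEPT
done < <(list_entries "${_input}")

# Port-80-only list: ACCEPT just TCP/80 per address.
while IFS= read -r ip; do
    $IPT -A iptables-allow-list-dport80 -i "${_pub_if}" -p tcp --dport 80 -s "${ip}" -j ACCEPT
done < <(list_entries "${_input2}")

# Hook both chains in ahead of the built-in rules. The later -I lands on top,
# so the dport80 chain is evaluated first; a packet it does not match falls
# through to the full-access chain and then to the state rules.
# NOTE(review): the chain rules match on "-i eth0"; locally generated (OUTPUT)
# traffic has no input interface, so the OUTPUT jumps are kept for parity
# with the original but are not expected to match anything.
$IPT -I INPUT -j iptables-allow-list
$IPT -I OUTPUT -j iptables-allow-list
$IPT -I FORWARD -j iptables-allow-list
$IPT -I INPUT -j iptables-allow-list-dport80
$IPT -I OUTPUT -j iptables-allow-list-dport80
$IPT -I FORWARD -j iptables-allow-list-dport80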

00

  Folder Encryption with LUKS (a lost passphrase means the data is unrecoverable - before putting data on the volume, add a second passphrase in another key slot and back up the LUKS header, both stored offline; see cryptsetup luksAddKey / luksHeaderBackup)

[root@bkjsrc6 ~]# yum install cryptsetup-luks.x86_64

[root@bkjsrc6 ~]# mkdir /export/xdoc



00

  Linux History Privacy

.bash_profile: add as the last line export HISTIGNORE="[ \t]*" - but note bash does not turn \t into a tab here; inside the bracket expression the backslash only escapes the t, so this pattern may also drop commands that begin with a literal t (top, tail, ...). HISTCONTROL=ignorespace is the documented way to get exactly the leading-space behaviour.

any command that starts with a space is not written to the shell history. This is convenience, not a security control: it only affects bash's own history file, so it neither hides activity from auditd or process accounting, nor prevents another user on the box from using the same trick to hide their tracks from you.

00

  Restricted login shell for FTP-only users: /usr/bin/passwd as the shell lets the user change their own password over an interactive login but run nothing else. It has to be listed in /etc/shells first (as below), otherwise chsh and many FTP daemons that check for a valid shell will reject the account.

[root@kvm140 ~]# cat /etc/shells
/bin/sh
/bin/bash
/sbin/nologin
/bin/dash
/usr/bin/passwd

[root@kvm140 ~]# chsh -s /usr/bin/passwd routers
Changing shell for routers
Shell changed.

00

  Solaris



00

  Solaris



00

  Solaris



