This guide is step-by-step guide for hardening Gentoo Linux.

This is a step-by-step guide for hardening Gentoo Linux.

No matter how many safeguards you implement, all can easily be circumvented if

No matter how many safeguards you implement, they can all be easily circumvented

the attacker can gain physical access to your box.  Make sure your hardware is 

by an attacker with physical access to your computer. Despite this, there are

not casually accessible. For example, you may want to place your box

atleast some measures that can be taken to provide a degree of security against

in a locked server closet.  Locking cases is a good idea too.  For the highest 

anattacker with physical access to your machine. Putting your hardware in a

level of security set your BIOS to restrict booting to your hard drive only.

lockedcloset prevents an attacker from simply unplugging it and carting it

Disable booting from the floppy and CD-ROM drives.  For the paranoid, enabling 

off. Locking your computer's case is also a good idea, to make sure that a

the BIOS password is a good idea.  BIOS passwords are also a good idea for 

attacker cannot simply walk away with your hard drive. To prevent an attacker

laptop users.

from booting from another disk, nicely circumventing your permissions and login

restrictions, try setting the hard drive as the first boot device in your BIOS,

and setting a BIOS password. It is also important to set a LILO or GRUB boot

password, to prevent a malicious user from booting into single-user mode and

gaining complete access to your system. This is covered in more detail in

Chapter 3, under <uri link="#passwording_GRUB">Setting a GRUB password</uri>

and <uri link="#passwording_LILO">Setting a LILO password</uri>.

Document what services the machine should run or is supposed to run. This will 

Start by documenting what services this machine should run. This will help you

help you compose a better partition scheme for the system.  It can also make 

compose a better partition scheme for your system, and allow you to better plan

your intrusion detection strategy much easier. Of course you should not document

your security measures. Of course, this is unnecessary if the machine serves a

this if you only have one or a few computers and you are the only one using 

single simple purpose, such as a desktop, or a dedicated firewall. In those

them e.g. if the computer is going to act as a firewall it should not run 

cases, you should not be running <e>any</e> services, except perhaps sshd.

<e>any</e> services except perhaps sshd.

Document this and the current version of sshd - it will help you keep track of 

This list can also be used to aid system administration. By keeping a current

which system to upgrade in case someone finds a security hole in sshd. This 

list of version information, you will find it much easier to keep everything up

will also aid in determining who should have access to the system.

to date if a remote vulnerability is discovered in one of your daemons.

Golden rules:

Partitioning rules:

  Any directory tree a user should be able to write to (<path>/home</path> and 

  Any directory tree a user should be able to write to (e.g. <path>/home</path>, 

  <path>/tmp</path> <path>/var</path>), should be on a separate partition and 

  <path>/tmp</path>) should be on a seperate partition and use disk quotas. This

  use disk quotas. Portage uses <path>/var/tmp</path> to compile files so that 

  reduces the risk of a user filling up your whole filesystem. Portage

  partition should be large. This reduces the risk of a user filling up your 

  uses <path>/var/tmp</path> to compile files, so that partition should be large.

  <path>/</path> mount point.

  Any directory tree where you want to install non-distribution software should

  Any directory tree where you plan on installing non-distribution software should

  be on a separate partition. According to the <uri 

  be on a seperate partition. According to the <uri link =

  link="http://www.pathname.com/fhs/">File Hierarchy Standard</uri>, this is 

  "http://www.pathname.com/fhs/">File Hierarchy Standard</uri>, this

  <path>/opt</path> or <path>/usr/local</path>. If these are separate 

  is <path>/opt</path> or <path>/usr/local</path>.  If these are separate

  Try to move static data to its own partition, and mount that partition in 

  For extra security, static data can be put on a seperate partition that is

  read-only mode. If you're really paranoid you could try storing static data 

  mounted read-only. For the truly paranoid, try using read-only media like

  on read-only media like CDROMs.

  CD-ROM.

The user 'root' is the most vital user on the system and should not be used for

The user 'root' is the most vital user on the system and should not be

anything except if it is necessary. If an attacker gains root access you can no

used for anything except when absolutely necessary. If an attacker gains root

longer trust your system, so reinstall.

access, the only way to ever trust your system again is to reinstall.

  Always create a user for everyday use and if this user needs to have root 

  Always create a user for everyday use and if this user needs to have root

  access, add the user to the group wheel. This makes it possible for a normal

  access, add the user to the group 'wheel'. This makes it possible for a normal

  user to su to root.

  user to <c>su</c> to root.

  Never run X or any other user application as root

  Never run X or any other user application as root. root should only be used when

  absolutely necessary; if a vulnerability exists in an application running as a

  user, an attacker can gain user level access. But if that application is running

  as root, the attacker gains root access.

  Always use absolute paths when logged in as root. It's possible to trick root

  Always use absolute paths when logged in as root (or always use <c>su -</c>,

  into running a different application rather than the one meant to be ran. For 

  which replaces the environmental variables of the user with those of root,

  example if someone tampered with the PATH and root su's without using 

  while being sure root's <c>PATH</c> only includes protecte directories

  <c>su -</c>. Then root will use the path of the user.

  like <path>/bin</path> and <path>/sbin</path>). It's possible to trick

  root into runninga different application rather than the one meant to be

  run. If root's <c>PATH</c> is protected or root only uses absolute paths, wecan

  be sure this won't happen.

  If a user only needs a few commands instead of everything that root normally 

  If a user only needs to run a few commands as root, instead of everything that

  can do, consider using <c>sudo</c>, but be careful with this!

  root normally can do, consider using <c>sudo</c> instead. Just be careful who

  you give this access to, as well!

  Never leave the terminal when you are logged in as root

  Never leave the terminal when you are logged in as root.

Gentoo has general protection against normal users, trying to <c>su</c>. The 

Gentoo has some default protection against normal users trying to <c>su</c> to

default PAM setting states that a users has to be a member of wheel in order 

root. The default PAM setting requires that a user be a member of the group

to be able to su.

"wheel" in order to be able to <c>su</c>.

<section>

<section id = "security_policies">

There are several reasons why security policies are needed.

There are several reasons to draft a security policy for your system(s) and

network.

  You cannot claim to have a secure network without a definition of what you 

  A good security policy allows you to outline security as a "system", rather

  think is secure

  than simply a jumble of different features. For example, without a policy an

</li>

  administrator might decide to turn off telnet, because it transmits

<li>

  unencrypted passwords, but leave on FTP access, which has the same weakness. A

  It is almost impossible to catch potential attackers, resolve network 

  good security policy allows you to identify which security measures are

  problems, or conduct audits, without spying on network traffic or looking in 

  worthwhile, and which are not.

  private home directories. And spying without the users agreement is illegal 

  in most countries. And since about 60% of all attacks currently come from 

  inside the organization, it is important that you keep an open eye.

  You cannot expect your users to think about security, if you never explained 

  In order to diagnose problems, conduct audits, or track down intruders, it may

  why it was important or how they should protect themselves and their 

  be necessary to intercept network traffic, inspect the login and command

  colleagues.

  history of users, and look in home directories. Without outlining this in

  print, and making users aware of this, such actions may actually be illegal

  and put <e>you</e> in legal jepeordy.

  Good guidelines and network documentation always pays off, no matter what

  Hijacked user accounts pose one of the most common threats to system

  security. Without explaining to users why security is important, and how to

  practice good security (such as not writing passwords on a Post-It note on

  their desks), it is unlikely you will have any hope of secure user accounts.

  Police or federal law enforcement can not help you catch the attacker, if 

  A well-documented network and system layout will aid you, as well as law

  they do not know your network configuration or the services that you provide.

  enforcement forensics examiners, if need be, in tracing an intrusion and

</li>

  idetifying weaknesses after the fact. A security policy "issue" banner,

<li>

  stating that your system is a private network and all unauthorized access is

  What will you do when there has been an attack? You need to define what you 

  prohibited, will also help ensure your ability to properly prosecute an

  are going to do and who you are going to tell about it. Are you just going 

  intruder, once he is caught.

  to call the police/a CERT team on every occasion? They won't take you serious!

This should clearly state why it is important to create policies for systems 

The need for a good security policy is hopefully now more than clear.

with more than one user and why it is important to educate users.

A policy is a document (or several documents) with answers to questions like 

The policy itself is a document, or several documents, that outline the network

who, where, why and what. Every user on your system/network should read, 

and system features (such as what services are provided), acceptible use and

understand and sign it. It is important that you take the time to help the 

forbidden use, security "best practices", and so forth. All users should be made

users understand the policy and why the policy needs to be signed or what will 

aware of your security policy, as well as changes you make to keep it up to

happens if they act directly against the policy (the policy should also state 

date. It is important that you take the time to help users understand your

this). This should be repeated at least once a year since the policy can change

policy and why that policy needs to be signed or what will happens if they act

but also as a reminder to the user.

directly against the policy (the policy should also state this). This should be

repeated at least once a year, since the policy can change (but also as a

reminder to the user of the policy itself).

  <li>Handling of classified material when traveling</li>

  <li>Handling of confidential material when traveling</li>

The policy for the IT-staff might be a bit different then the normal users.

Different users may require different levels or types of access, and as such

your policy may vary to accomodate them all.

The security policy can become huge, and vital information can easily be 

The security policy can become huge, and vital information can easily be

forgotten. The IT-staff's policy could contain information that is classified 

forgotten. The IT-staff's policy could contain information that is confidential

for the ordinary user, so it is wise to split it up into smaller policies; i.e.

for the ordinary user, so it is wise to split it up into smaller policies;

Acceptable Use Policy, Password policy, Email policy and Remote Access policy.

e.g. Acceptable Use Policy, Password policy, Email policy and Remote Access

policy.

One can find example policies at <uri 

You can find example policies at <uri

link="http://www.sans.org/resources/policies/">The SANS Security Policy 

link="http://www.sans.org/resources/policies/">The SANS Security Policy

Project</uri>. If you have a small network and think these policies are too

Project</uri>. If you have a small network and think these policies are too much

much you should look at the <uri 

you should look at the <uri

link="http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc2196.html">Site Security 

link="http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc2196.html">Site Security

<title>Tightening the security after/during installation</title>

<title>Tightening security during and after installation</title>

The <path>make.conf</path> file contains user defined USE flags and 

The <path>make.conf</path> file contains user defined USE flags and

<path>/etc/make.profile/make.defaults</path> contains the default USE flags 

<path>/etc/make.profile/make.defaults</path> contains the default USE flags for

for Gentoo Linux. For this guide the important flags are <c>pam</c> (Pluggable 

Gentoo Linux. For this guide's purposes, the important flags are <c>pam</c>

Authentication Modules), <c>tcpd</c> (TCP wrappers) and <c>ssl</c> (Secure 

(Pluggable Authentication Modules), <c>tcpd</c> (TCP wrappers), and <c>ssl</c>

Socket Layer). These are all in the default USE flags.

(Secure Socket Layer). These are all in the default USE flags.

<section>

<section id = "passwording_GRUB">

<title>GRUB password</title>

<title>Password protecting GRUB</title>

Grub supports 2 different ways of adding password restriction to its 

GRUB supports two different ways of adding password protection to your boot

configuration file (<path>/boot/grub/grub.conf</path>). One with plain text 

loader. The first uses plain text, while the latter uses md5+salt encryption.

password and one with md5+salt encryption.

This will add the password <c>changeme</c> and if no password is entered simply 

This will add the password <c>changeme</c>. If no password is entered at boot,

use the default boot setting.

GRUB will simply use the default boot setting.

When adding a md5 password, you need to convert the password into crypt format 

When adding an md5 password, you must convert your password into crypt format,

(<c>man crypt</c>) which is the same format as <path>/etc/shadow</path>. For 

which is the same format used in <path>/etc/shadow</path>. For more information

more information see <c>man crypt</c>. The encrypted password <e>changeme</e> 

see <c>man crypt</c>. The encrypted password <e>changeme</e>, for example, could

could look like this $1$T7/dgdIJ$dJM.n2wZ8RG.oEiIOwJUs.

look like this $1$T7/dgdIJ$dJM.n2wZ8RG.oEiIOwJUs.

Or this you can convert it directly in the grub shell:

You can encrypt your password directly at the GRUB shell:

    GRUB  version 0.92  (640K lower / 3072K upper memory)

GRUB version 0.92 (640K lower / 3072K upper memory)

   [ Minimal BASH-like line editing is supported.  For the first word, TAB

   [ Minimal BASH-like line editing is supported. For the first word, TAB lists

     lists possible command completions.  Anywhere else TAB lists the possible

     possible command completions. Anywhere else TAB lists the possible

<codenote>Typed changeme</codenote>

<codenote>Typed changeme at the prompt</codenote> 

timeout 5

timeout 5 

The 5 seconds timeout becomes handy if the system is remote and should be able 

The 5 seconds timeout becomes handy if the system is remote and should be able

to reboot without any keyboard interaction. Learn more about grub passwords by 

to reboot without any keyboard interaction. Learn more about GRUB passwords by

<section>

<section id = "passwording_LILO">

<title>LILO password</title>

<title>Password protecting LILO</title>

LILO also supports two ways of handling passwords: global and per-image, both 

LILO also supports two ways of handling passwords: global and per-image, both in

in clear text.

clear text.

The global one is set at the top of the configuration file:

The globalpassword is set at the top of the configuration file, and applies to

every boot image:

password=changeme

password=changeme 

restricted

restricted 

Otherwise simply add it to an image.

The per-image pasword is set as below:

image=/boot/bzImage

image=/boot/bzImage 

      read-only

      read-only 

      password=changeme

      password=changeme 

If the <c>restricted</c> option is not entered, it will prompt for password, 

If the <c>restricted</c> option is not entered, it will prompt for a password

In order to store the new information in <path>lilo.conf</path> you need to run 

In order to store the new information in <path>lilo.conf</path>, you must run

The <path>/etc/securetty</path> file allows you to specify which <c>tty</c> 

The <path>/etc/securetty</path> file allows you to specify which <c>tty</c>

We suggest that you comment out all lines except <c>vc/1</c>. This will ensure 

We suggest that you comment out all lines except <c>vc/1</c>. This will ensure

Users in the wheel group can still <c>su -</c> to become root on other TTYs.

Users in the group "wheel" can still <c>su -</c> to become root on other TTYs.

Extra logging should be added to catch warnings or errors that might warn of an

Extra logging should be added to catch warnings or errors that might indicate

ongoing attack or of a successful compromise. Attackers often scan or probe 

anongoing attack or a successful compromise. Attackers often scan or probe

networks before attacking.

before attacking.

Its also vital that the log files are easy readable and manageable.  Gentoo 

It's also vital that your log files are easily readable and manageable. Gentoo

Syslogd is the most common logger for Linux and Unix in general. It does not 

Syslogd is the most common logger for Linux and Unix in general. It does not

come with log rotation. This feature is handled by running 

come with log rotation. This feature is handled by running

<path>/usr/sbin/logrotate</path> in a cron job and configured in 

<path>/usr/sbin/logrotate</path> in a cron job (logrotate is configured in

<path>/etc/logrotate.conf</path>. How often log rotation should be done depends 

<path>/etc/logrotate.conf</path>). How often log rotation should be done depends

logging server. To further enhance security you could add logs in two places.

logging server. To further enhance security you could add logging to two places.

#  /etc/syslog.conf     Configuration file for syslogd.

#  /etc/syslog.conf      Configuration file for syslogd.

local2.*                -/var/log/ppp.log

local2.*                --/var/log/ppp.log

Attackers will most likely try to erase their tracks by editing or deleting the 

Attackers will most likely try to erase their tracks by editing or deleting log

log files. You can make it harder for the attacker by logging to one or more 

files. You can make it harder for them by logging to one or more remote logging

logging servers on different machines. Get more info about syslogd by executing

servers on other machines. Get more info about syslogd by executing <c>man

<c>man syslog</c>.

syslog</c>.

<uri link="http://metalog.sourceforge.net">Metalog</uri> by Frank Dennis is not 

<uri link="http://metalog.sourceforge.net">Metalog</uri> by Frank Dennis is not

able to log to a remote server, but it does have advantages when it comes to 

able to log to a remote server, but it does have advantages when it comes to

performance and logging flexibility. It can log by program name, urgency, 

performance and logging flexibility. It can log by program name, urgency,

facility (like syslogd) and comes with regular expression matching and it can 

facility (like syslogd), and comes with regular expression matching with which

launch external scripts when specific patterns are found. It is very good for 

you can launch external scripts when specific patterns are found. It is very good

taking action when needed.

at taking action when needed.

The standard configuration is basically enough. If you want to be notified by

The standard configuration is usually enough.  If you want to be notified by

<pre caption = "/usr/local/sbin/mail_pwd_failures.sh for postfix">

<pre caption="/usr/local/sbin/mail_pwd_failures.sh for postfix">

<pre caption = "/usr/local/sbin/mail_pwd_failures.sh for qmail">

<pre caption="/usr/local/sbin/mail_pwd_failures.sh for qmail">

Then uncomment the command line under Password failures in 

Then uncomment the command line under "Password failures" in 

Syslog-ng provide some of the same features as syslog and metalog with a small 

Syslog-ng provides some of the same features as syslog and metalog with a small

difference. It can filter messages based on level and content (like metalog), 

difference. It can filter messages based on level and content (like metalog),

provide remote logging like syslog, handle log from syslogd (even streams from 

provide remote logging like syslog, handle logs from syslogd (even streams from

Solaris, write to a TTY, execute programs and it can act as a logging server. 

Solaris), write to a TTY, execute programs, and it can act as a logging server.

A classic configuration file slightly modified.

Below is a classic configuration file slightly modified.

Very easy to configure but also very easy to miss something in the configuration

Syslog-ng is very easy to configure, but it is also very easy to miss something

file since it is huge. The author still promises some extra features like 

in the configuration file since it is huge. The author still promises some extra

encryption, authentication, compression and MAC (Mandatory Access Control) 

features like encryption, authentication, compression and MAC (Mandatory Access

control. With these options it will be a perfect for network logging. since 

Control) control. With these options it will be a perfect for network logging,

the attacker cannot spy on the log.

since the attacker cannot spy on the log.

</p>

<p>

And syslog-ng does have one other advantage: it does not have to run as root!

And syslog-ng does have other advantages. It does not have to run as root!.

Of course, keeping logs alone is only half the battle. An application such as

Logcheck can make regular log analysis much easier. Logcheck is a script,

accompanied by a binary called <c>logtail</c>, that runs from your cron daemon

and checks your logs against a set of rules for suspicious activity. It then

mails the output to root's mailbox.

</p>

<p>

Logcheck uses four files to filter important log entries from the

unimportant. These files are <path>logcheck.hacking</path>, which contains known

hacking attack messages, <path>logcheck.violations</path>, which contains

patterns indicating security

violations, <path>logcheck.violations.ignore</path>, which contains keywords

likely to be matched by the violations file, allowing normal entries to be

ignored, and <path>logcheck.ignore</path>, which matches those entries to be

ignored.

When mounting an <c>ext2</c>, <c>ext3</c> or a <c>reiserfs</c> partition, you 

When mounting an <c>ext2</c>, <c>ext3</c>, or <c>reiserfs</c> partition, you

have several options you can apply to the <path>/etc/fstab</path>. The options 

have several options you can apply to the file <path>/etc/fstab</path>. The

are:

options are:

  <c>noexec</c> - Will prevent from executing files from this partition

  <c>noexec</c> - Will prevent execution of files from this partition

Unfortunately these settings can easily be circumvented by executing a 

Unfortunately, these settings can easily be circumvented by executing a

non-direct path. However setting <path>/tmp</path> to noexec will stop about 

non-direct path. However, setting <path>/tmp</path> to noexec will stop the

99% of all script kiddies since their exploits are designed to be executed 

majority of exploits designed to be executed directly from <path>/tmp</path>.

directly from <path>/tmp</path>.

Placing <path>/tmp</path> in <c>noexec</c> mode can prevent certain scripts 

Placing <path>/tmp</path> in <c>noexec</c> mode can prevent certain scripts

Disk quotas see <uri link="#doc_chap6_sect3">Quotas section</uri>.

For disk quotas see <uri link="#doc_chap6_sect3">the Quotas section</uri>.

I do not set <path>/var</path> to <c>noexec</c> or <c>nosuid</c> even if files 

I do not set <path>/var</path> to <c>noexec</c> or <c>nosuid</c>, even if files

normally are never executed from this mount point. The reason for this is that 

normally are never executed from this mount point. The reason for this is that

<path>/var/tmp</path> since ebuilds are made here. But an alternative path can 

<path>/var/tmp</path> since ebuilds are made here. But an alternative path can

be setup if you insist on having <path>/var</path> in <c>noexec</c> mode.

be setup if you insist on having <path>/var</path> mounted in <c>noexec</c>

mode.

<section>

<section id = "limits_conf">

Controlling resource limitations can be very effective when trying to prevent 

Controlling resource usage can be very effective when trying to prevent a local

a local DoS or handling the maximum allowed logins for a group or user.

Denial of Service or restricting the maximum allowed logins for a group or user.

*    soft core      0

*    soft core 0

*    hard core      0

*    hard core 0

*    hard nproc     15

*    hard nproc 15

*    hard rss       10000

*    hard rss 10000

@dev hard core      100000

@dev hard core 100000

@dev soft nproc     20

@dev soft nproc 20

@dev hard nproc     35

@dev hard nproc 35

If you find yourself trying to set <c>nproc</c> or <c>maxlogins</c> to 0, maybe 

If you find yourself trying to set <c>nproc</c> or <c>maxlogins</c> to 0, maybe

you should delete the user instead. The example above sets the group <c>dev</c> 

you should delete the user instead. The example above sets the group <c>dev</c>

settings for processes, core file and <c>maxlogins</c>. The rest is set to a 

settings for processes, core file and <c>maxlogins</c>. The rest is set to a

default value. 

default value.

only apply to packages that use PAM. 

only apply to packages that use PAM.

<path>/etc/security/limits.conf</path>. The only differences is the format and 

<path>/etc/security/limits.conf</path>. The only difference is is the format and

it only works on users or wild cards (not groups). Lets have a look at decent 

that it only works on users or wild cards (not groups). Lets have a look at a

configuration:

sample configuration:

Here we set the default settings and a specific setting for the user kn. 

Here we set the default settings and a specific setting for the user kn.  Limits

Limits are part of the sys-apps/shadow package. It is not necessary to set any 

are part of the sys-apps/shadow package. It is not necessary to set any limits

limitations in this file if you have disabled <c>pam</c> in 

in this file if you have disabled <c>pam</c> in

Make sure the file systems you are working with support quotas. ReiserFS is not 

Make sure the file systems you are working with support quotas. In order to use

one of them!

quotas on ReiserFS, you must patch your kernel with patches available from <uri

link =

"ftp://ftp.namesys.com/pub/reiserfs-for-2.4/testing/quota-2.4.20">Namesys</uri>. User

tools are available from <uri link =

"http://www.sf.net/projects/linuxquota/">the Linux DiskQuota

project</uri>. While quotas do work with ReiserFS, you may encounter other

issues while trying to use them--you have been warned!

Putting quotas on a file system prevents users from filling up the disk or 

Putting quotas on a file system restricts disk usage on a per-user or per-group

writing at all. Quotas are enabled in the kernel and added to a mount point. 

basis.  Quotas are enabled in the kernel and added to a mount point

The kernel option is enabled in the kernel configuration under 

in <path>/etc/fstab</path>. The kernel option is enabled in the kernel

<c>File systems->Quota support</c>. Apply the following settings, rebuild the 

configuration under <c>File systems->Quota support</c>. Apply the following

kernel and reboot using the new kernel.

settings, rebuild the kernel and reboot using the new kernel.

Start by installing quotas with <c>emerge quota</c>. Then modify your 

Start by installing quotas with <c>emerge quota</c>. Then modify your

partitions that you want to restrict disk usage like the example below.

partitions that you want to restrict disk usage on, like in the example below.

On every partition that you have enabled quotas, create the quota files 

On every partition that you have enabled quotas, create the quota files

(<path>quota.user</path> and <path>quota.group</path>) and place them in the 

(<path>quota.user</path> and <path>quota.group</path>) and place them in the

This step has to be done on every partition where quotas are enabled. After 

This step has to be done on every partition where quotas are enabled. After

We will now configure the system to check the quotas once a 

We will now configure the system to check the quotas once a week by adding the

week by adding the following line to <path>/etc/crontab</path>:

following line to <path>/etc/crontab</path>:

After rebooting the machine, it is time to setup the quotas for users and 

After rebooting the machine, it is time to setup the quotas for users and

groups. <c>edquota -u kn</c> will start the editor defined in $EDITOR (default 

groups. <c>edquota -u kn</c> will start the editor defined in $EDITOR (default

is nano) and let you edit the quotas of the user kn. <c>edquota -g</c> will do 

is nano) and let you edit the quotas of the user kn. <c>edquota -g</c> will do

the same thing just for groups.

the same thing for groups.

For more detail read <c>man edquota</c> or the <uri 

For more detail read <c>man edquota</c> or the <uri

If the policy states that users should change their password every other week, 

If your security policy states that users should change their password

change the value <c>PASS_MAX_DAYS</c> to 14 and <c>PASS_WARN_AGE</c> to 7. It 

every other week, change the value <c>PASS_MAX_DAYS</c> to 14

is also recommended that you use password aging since brute force methods will 

and <c>PASS_WARN_AGE</c> to 7. It is recommended that you use password

find any password, it is just a matter of time. We also encourage you to set 

aging since brute force methods can find any password, given enough

<c>LOG_OK_LOGINS</c> to yes.

time. We also encourage you to set <c>LOG_OK_LOGINS</c> to yes.

The <path>login.access</path> file is also part of the sys-apps/shadow package, 

The <path>login.access</path> file is also part of the sys-apps/shadow package,

which gives a login access control table. The table is used to control who can 

which provides a login access control table. This table is used to control who

and cannot login based on user name, group name or host name. Per default, all 

can and cannot login based on user name, group name or host name. By default,

users on the system are allowed to login so the file consists only of comments 

all users on the system are allowed to login, so the file consists only of

and examples. Whether you are securing your server or workstation, we recommend 

comments and examples. Whether you are securing your server or workstation, we

that you setup this file so no one other than yourself (the admin) has access to

recommend that you setup this file so no one other than yourself (the admin) has

the console.

access to the console.

These settings does not apply for root.

These settings do not apply for root.

Be careful when configuring these options, since mistakes will leave you out 

Be careful when configuring these options, since mistakes will leave you with no

with no access to the machine if you do not have root access.

access to the machine if you do not have root access.

These settings does not apply to SSH since SSH does not execute 

These settings does not apply to SSH, since SSH does not execute 

<c>/bin/login</c> per default. This can be enabled by using the <c>UseLogin 

<c>/bin/login</c> by default. This can be enabled by setting <c>UseLogin yes</c>

yes</c> in <path>/etc/ssh/sshd_config</path>. It will make SSH use login and 

in <path>/etc/ssh/sshd_config</path>.

the settings will apply.

This will setup login access so members of the wheel group can login locally 

This will setup login access so members of the wheel group can login locally or

or from the gentoo.org domain. Maybe too paranoid, but better safe then sorry.

from the gentoo.org domain. Maybe too paranoid, but better safe then sorry.

Normal users should not have access to configuration files or passwords. An 

Normal users should not have access to configuration files or passwords. An

attacker can steal passwords from databases or websites and use them to deface 

attacker can steal passwords from databases or websites and use them to

or even worse, delete data. This is why it is important that the permissions 

deface--or even worse, delete--data. This is why it is important that your file

are correct. If you are sure that a file is only used by root, assign it with 

permissions are correct. If you are sure that a file is only used by root,

the permissions <c>0600</c> and assign the file to the correct user with 

assign it with the permissions <c>0600</c> and assign the file to the correct

<c>chown</c>.

user with <c>chown</c>.

This will create a huge file with permission of all files having either write 

This will create a huge file with permission of all files having either write

permission set to the group or everybody. Check the permissions and eliminate 

permission set to the group or everybody. Check the permissions and eliminate

world writable files to everyone, by executing <c>/bin/chmod o-w</c> on the 

world writable files to everyone, by executing <c>/bin/chmod o-w</c> on the

Files with the SUID or SGID bit set allows the files to execute with 

Files with the SUID or SGID bit set execute with privileges of the <e>owning</e>

privileges of the <e>owning</e> user or group and not the user executing the 

user or group and not the user executing the file. Normally these bits are used

file. Normally these bits are used on files that must run as root in order to 

on files that must run as root in order to do what they do. These files can lead

do what they do. These files can lead to local root compromise (if they 

to local root compromises (if they contain security holes). This is dangerous

contain security holes). This is dangerous and files with the SUID or SGID 

and files with the SUID or SGID bits set should be avoided at any cost. If you

bits set should be avoided at any cost. If you do not use the files use 

do not use these files, use <c>chmod 0</c> on them or unmerge the package that

<c>chmod 0</c> on them or unmerge the package they came from (check which 

they came from (check which package they belong to by using <c>qpkg -f</c>; if

package they belong to by using <c>qpkg -f</c>). If you do not already have it 

you do not already have it installed simply type <c>emerge

installed simply type <c>emerge gentoolkit</c> it). Otherwise just turn the 

gentoolkit</c>). Otherwise just turn the SUID bit off with <c>chmod -s</c>.

SUID bit off with <c>chmod -s</c>.

  -exec ls -lg {} \; 2>/dev/null >suidfiles.txt</i>

   -exec ls -lg {} \; 2>/dev/null >suidfiles.txt</i>

By default Gentoo Linux does not have a lot of SUID files (it depends on what 

By default Gentoo Linux does not have a lot of SUID files (though this depends

you installed), but you might get a list like the one above. Most of the 

on what you installed), but you might get a list like the one above. Most of the

commands should not be used by normal users, only root. Switch off the SUID 

commands should not be used by normal users, only root. Switch off the SUID bit

bit on <c>ping</c>, <c>mount</c>, <c>umount</c>, <c>chfn</c>, <c>chsh</c>, 

on <c>ping</c>, <c>mount</c>, <c>umount</c>, <c>chfn</c>, <c>chsh</c>, <c>newgrp</c>, <c>suidperl</c>, <c>pt_chown</c>

<c>newgrp</c>, <c>suidperl</c>, <c>pt_chown</c> and <c>traceroute</c> by 

and <c>traceroute</c> by executing <c>chmod -s</c> on every file. Don't

<c>chmod -s</c> on every file. Don't remove the bit on <c>su</c>, 

remove the bit on <c>su</c>, <c>qmail-queue</c> or <c>unix_chkpwd</c>. Removing

<c>qmail-queue</c> or <c>unix_chkpwd</c>. Removing will prevent you from 

setuid from those files will prevent you from <c>su</c>'ing and receiving

su'ing and receiving mail. By removing the bit you remove the possibility of a 

mail. By removing the bit (where it is safe to do so) you remove the possibility

normal user (or an attacker) to gain root access through any of these files.

of a normal user (or an attacker) gaining root access through any of these

files.

The only SUID files that I have on my system are <c>su</c>, <c>passwd</c>, 

The only SUID files that I have on my system are <c>su</c>, <c>passwd</c>,

<c>gpasswd</c>, <c>qmail-queue</c>, <c>unix_chkpwd</c> and <c>pwdb_chkpwd</c>. 

<c>gpasswd</c>, <c>qmail-queue</c>, <c>unix_chkpwd</c> and <c>pwdb_chkpwd</c>.

But if you are running X, you might have some more, since X needs the access.

But if you are running X, you might have some more, since X needs the elevated

access afforded by SUID.

PAM is a suite of shared libraries that provide an alternative way of making 

PAM is a suite of shared libraries that provide an alternative way providing

authentication in programs. The <c>pam</c> USE flag is turned on by default. 

user authentication in programs. The <c>pam</c> USE flag is turned on by

Thus the PAM settings on Gentoo Linux are pretty reasonable, but there is 

default. Thus the PAM settings on Gentoo Linux are pretty reasonable, but there

always room for improvement. First install cracklib.

is always room for improvement. First install cracklib.

This will add the cracklib which will ensure that the users use a minimum 

This will add the cracklib which will ensure that the user passwords are at

password length of 8 characters and it consists of minimum 2 digits, 2 others 

least 8 characters and contain a minimum of 2 digits, 2 other characters, and

and there must be more than 3 characters different from the last password. 

are more than 3 characters different from the last password. This forces the

This forces the user to choose a good password (password policy). Check the 

user to choose a good password (password policy). Check the <uri

<uri link="http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam-6.html#ss6.3">PAM</uri> 

link="http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam-6.html#ss6.3">PAM</uri>

Every service not configured with a PAM file in <path>/etc/pam.d</path> will 

Every service not configured with a PAM file in <path>/etc/pam.d</path> will use

use the rules in <path>/etc/pam.d/other</path> rule. The default settings are 

the rules in <path>/etc/pam.d/other</path>. The defaults are set to <c>deny</c>,

set to <c>deny</c> as it should. But I like to have a lot of logs and that is 

as they should be. But I like to have a lot of logs, which is why I

why I added <c>pam_warn.so</c>. The last configuration is <c>pam_limits</c> 

added <c>pam_warn.so</c>. The last configuration is <c>pam_limits</c>, which is

which is controlled by <path>/etc/security/limits.conf</path>. See <uri 

controlled by <path>/etc/security/limits.conf</path>. See <uri link =

link="#doc_chap6_sect1">/etc/security/limits.conf section</uri> for more on 

"#limits_conf">/etc/security/limits.conf section</uri> for more on these

these settings.

settings.

Is a way of controlling access to services normally run by inetd (which Gentoo 

This is a way of controlling access to services normally run by inetd (which

does not have) but it can also be used by xinetd and other services.

Gentoo does not have), but it can also be used by xinetd and other services.

The service should be executing tcpd in its server argument (in xinetd). See 

The service should be executing tcpd in its server argument (in xinetd). See the

the chapter on xinetd for more information.

chapter on xinetd for more information.

As you can see the format is very similar to the one in 

As you can see the format is very similar to the one

<path>/etc/login.access</path>. Tcpd supports a specific service and they do 

in <path>/etc/login.access</path>. Tcpd supports a specific service; it does not

not work in the same area of security. These settings only apply to services 

overlap with <path>/etc/login.access</path>. These settings only apply to

using tcp wrappers.

services using tcp wrappers.

It is also possible to execute commands when a service is accessed (can be 

It is also possible to execute commands when a service is accessed (this can be

used when activating relaying for dial in users) but its not recommended since 

used when activating relaying for dial-in users) but it is not recommended,

people tend to create more problems than they are trying to solve. An example 

since people tend to create more problems than they are trying to solve. An

could be that you configure a script to send an email every time someone hits 

example could be that you configure a script to send an e-mail every time

the deny rule, but then an attacker could launch a DoS attack by keep hitting 

someone hits the deny rule, but then an attacker could launch a DoS attack by

the deny rule. This will create a lot of I/O and mails so don't do it!. Read 

keep hitting the deny rule. This will create a lot of I/O and e-mails so

the <c>man 5 hosts_access</c> for more information.

don't do it!. Read the <c>man 5 hosts_access</c> for more information.

The basic rule when configuring the kernel is to remove everything, you do not 

The basic rule when configuring the kernel is to remove everything that you do

need. This will create a small kernel but also remove the vulnerabilities that 

not need. This will not only create a small kernel but also remove the

may lie inside drivers and other features.

vulnerabilities that may lie inside drivers and other features.

Also consider turning off loadable module support. Even though it is possible 

Also consider turning off loadable module support. Even though it is possible to

to add modules (root kits) without this features, it does make it harder for 

add root kits without this features, it does make it harder for normal attackers

normal attackers to install root kits via kernel modules.

to install root kits via kernel modules.

<title>/proc (kernel flags)</title>

<title>The proc filesystem</title>

Many kernel parameters can be altered through the <path>/proc</path> file 

Many kernel parameters can be altered through the <path>/proc</path> file system

system or by using <c>sysctl</c>.

or by using <c>sysctl</c>.

To dynamically change kernel parameters and variables on the fly you need 

To dynamically change kernel parameters and variables on the fly, you need

<c>CONFIG_SYSCTL</c> defined in your kernel. This is default in a standard 2.4 

<c>CONFIG_SYSCTL</c> defined in your kernel. This is on by default in

kernel.

a standard 2.4 kernel. 

This will cause the kernel to simply ignore all ping messages also known as 

This will cause the kernel to simply ignore all ping messages (also known as

ICMP type 0 messages. The reason for this is that an IP packet carrying the 

ICMP type 0 messages). The reason for this is that an IP packet carrying an ICMP

ICMP message can contain payload with other information than you think. 

message can contain a payload with information other than you think.

Administrators use ping as a diagnostic tool and often complain if they cannot 

Administrators use ping as a diagnostic tool and often complain if it is

ping. There is no reason for an outsider to be able to ping. But sometimes it 

disabled, but there is no reason for an outsider to be able to ping. However,

can be handy for insiders to be able to ping. Then this can be solved by 

since it sometimes can be handy for insiders to be able to ping, you can disable

disabling ICMP type 0 messages in the firewall.

ICMP type 0 messages in the firewall (allowing local administrators to continue

to use this tool).

This disables response to ICMP broadcasts and will prevent Smurf attacks. The 

This disables response to ICMP broadcasts and will prevent Smurf attacks. The

Smurf attack works by sending an ICMP type 0 (ping) message to the broadcast 

Smurf attack works by sending an ICMP type 0 (ping) message to the broadcast

address of a network. Typically the attacker will use a spoofed source address. 

address of a network. Typically the attacker will use a spoofed source

All the computers on the network will respond to the ping message and thereby 

address. All the computers on the network will respond to the ping message and

flooding the spoofed host.

thereby flood the host at the spoofed source address.

Do not accept source routed packets. Attackers can use source routing to 

Do not accept source routed packets. Attackers can use source routing to

generate traffic pretending to originate from inside your network, but it is 

generate traffic pretending to originate from inside your network, but that is

actually routed back along the path from which it came, so attackers can 

actually routed back along the path from which it came, so attackers can

compromise your network. Source routing is rarely used for legitimate purposes 

compromise your network. Source routing is rarely used for legitimate purposes,

so disable it.

so it is safe to disable it.

Disable ICMP redirect acceptance. ICMP redirects can be used to alter your 

Do not accept ICMP redirect packets. ICMP redirects can be used to alter your

routing tables, possibly to a bad end.

routing tables, possibly to a malicious end.

Turn on reverse path filtering. This helps make sure that packets use 

Turn on reverse path filtering. This helps make sure that packets use legitimate

legitimate source addresses, by automatically rejecting incoming packets if 

source addresses by automatically rejecting incoming packets if the routing

the routing table entry for their source address does not match the network 

table entry for their source address does not match the network interface they

interface they are arriving on. This has security advantages because it 

are arriving on. This has security advantages because it prevents IP spoofing.

prevents IP spoofing.

However turning on reverse path filtering can be a problem if you use 

However turning on reverse path filtering can be a problem if you use asymmetric

asymmetric routing (packets from you to a host take a different path than 

routing (packets from you to a host take a different path than packets from that

packets from that host to you) or if you operate a non-routing host which has 

host to you) or if you operate a non-routing host which has several IP addresses

several IP addresses on different interfaces.

on different interfaces.

Make sure that IP forwarding is turned off. We only want this for a multi-homed 

Make sure that IP forwarding is turned off. We only want this for a

host.

multi-homed host.

All these settings will be reset when the machine is rebooted. So I suggest 

All these settings will be reset when the machine is rebooted. I suggest that

that you add them to <path>/etc/sysctl.conf</path> which is automatically

you add them to <path>/etc/sysctl.conf</path>, which is automatically sourced by

sourced by the <path>/etc/init.d/bootmisc</path> init script.

the <path>/etc/init.d/bootmisc</path> init script.

The patch from <uri link="http://grsecurity.net">Grsecurity</uri> is standard 

The patch from <uri link="http://grsecurity.net">Grsecurity</uri> is standard in

in the Gentoo kernel sources but is disabled as default. Configure your kernel 

the Gentoo kernel sources but is disabled by default. Configure your kernel as

as you normally do and then configure the Grsecurity options. An in-depth

you normally do and then configure the Grsecurity options. An in-depth

documentation available on the <uri

documentation available on the <uri link="http://www.grsecurity.net/">Grsecurity

link="http://www.grsecurity.net/">Grsecurity homepage</uri>.

homepage</uri>.

<uri link="http://www.Kerneli.org">Kerneli</uri> is a patch that adds 

<uri link="http://www.Kerneli.org">Kerneli</uri> is a patch that adds encryption

encryption to the existing kernel. By patching your kernel you will get new 

to the existing kernel. By patching your kernel you will get new options such as

options like: Cryptographic ciphers, digest algorithms and cryptographic loop 

cryptographic ciphers, digest algorithms and cryptographic loop filters.

filters.

The kerneli patch is currently not in a stable version for the latest kernel, 

The kerneli patch is currently not in a stable version for the latest kernel, so

so be careful when using it.

be careful when using it.

And there is probably a lot more. 

And there are probably a lot more. 

Apache (1.3.26) comes with a pretty decent configuration file but again. We 

Apache (1.3.26) comes with a pretty decent configuration file but again, we need

need to improve some things, like binding to one address and keep it from 

to improve some things, like binding Apache to one address and preventing it

leaking information. These are the options that you should apply the 

from leaking information. Below are the options that you should apply the

configuration file:

configuration file.

If you did not disable <c>ssl</c> in your <path>/etc/make.conf</path> before 

If you did not disable <c>ssl</c> in your <path>/etc/make.conf</path> before

installing apache, you should have access to a ssl enabled server. Just add 

installing Apache, you should have access to an ssl enabled server. Just add the

the following line to enable it.

following line to enable it.

<c>--enable-module=all</c>. This will per default enable all modules so you 

<c>--enable-module=all</c>. This will by default enable all modules, so you

should comment out all modules in the <c>LoadModule</c> section 

should comment out all modules in the <c>LoadModule</c> section

(<c>LoadModule</c> and <c>AddModule</c>) that you do not use. Restart the 

(<c>LoadModule</c> and <c>AddModule</c>) that you do not use. Restart the

One can find documentation at <uri>http://www.apache.org</uri>.

Documentation is available at <uri>http://www.apache.org</uri>.

Consortium</uri> the BIND 9 Administrator Reference Manual is also in

Consortium</uri>. The BIND 9 Administrator Reference Manual is also in

The newer BIND ebuilds support chrooting out of the box. After emerging <c>bind</c> follow these simple instructions:

The newer BIND ebuilds support chrooting out of the box. After

emerging <c>bind</c> follow these simple instructions:

<codenote>Before running the above command you might want to change the chroot 

<codenote>Before running the above command you might want to change the chroot

Djbdns is a DNS implementation of which the author is willing to bet

Djbdns is a DNS implementation on the security of which its author is willing to

<uri link="http://cr.yp.to/djbdns/guarantee.html">money</uri> on how 

bet <uri link="http://cr.yp.to/djbdns/guarantee.html">money</uri>. It is very

secure it is. It is very different from how Bind 9 works but worth a try.

different from how Bind 9 works but worth a try.  More information can be

More information can be obtained from <uri>http://www.djbdns.org</uri>.

obtained from <uri>http://www.djbdns.org</uri>.

Generally, using the FTP (File Transfer Protocol) is a bad idea. It uses 

Generally, using FTP (File Transfer Protocol) is a bad idea. It uses unencrypted

unencrypted data, listens on 2 ports (normally port 20 and 21), and anonymous 

data (ie. passwords are sent in clear text), listens on 2 ports (normally port

logins that are what attackers are looking for (for trading warez). Since the

20 and 21), and attackers are frequently looking for anonymous logins for

FTP protocol contains several security problems (ie. passwords are sent in clear text), you should rather use 

trading warez. Since the FTP protocol contains several security problems you

<c>sftp</c> or HTTP instead. If not, secure your services as good as you 

should instead use <c>sftp</c> or HTTP. If this is not possible, secure your

can and prepare yourself.

services as well as you can and prepare yourself.

If you only need local applications to access the <c>mysql</c> database uncomment the following line.

If you only need local applications to access the <c>mysql</c> database,

uncomment the following line.

Disable the command <c>LOAD DATA LOCAL INFILE</c>.

Then we disable the use of the LOAD DATA LOCAL INFILE command. This is to

prevent against unauthorized reading from local files. This is relevant when new

SQL Injection vulnerabilities in PHP applications are found.