::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
:: .ooO A Guide to Securing RedHat Linux 6.0 by wyze1 Ooo. ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
:: ::
:: A lot of people out there are raving about RH6, why exactly, I don't ::
:: know, but they seem to think it's just great. ;P So, for lack of any ::
:: hope of getting these people to start using *BSD or Solaris, I have ::
:: designed a guide to securing Red Hat Linux 6.0 which covers all known ::
:: problems up to date, although it doesn't really tackle other issues. ::
:: ::
:: Now, go to ftp://update.redhat.com and download the source for the new ::
:: kernel supplied by RedHat for RH6 systems (2.2.5-22). Then, go and ::
:: download the information on the Linux 2.2.x ICMP DoS that causes Kernel ::
:: Panic - search Geek-Girl's BugTraq archive for it. <http://geek-girl.com>::
:: Apply the patch to fix this vulnerability. Now, recompile the Kernel, ::
:: look in /usr/doc/HOWTO/Kernel-HOWTO if you don't know how. ::
:: ::
:: Now there haven't been any SUID vulnerabilities discovered in RH6 yet, ::
:: but you probably don't want any just in case. You can nuke the lot of ::
:: them simply by typing "chmod a-s -R / &". You may find some you want ::
:: to re-SUID, like mount, but you probably won't need that many. ::
:: ::
:: Now, lets play with the Alt+SysRq Kernel hack, one of the nicest things ::
:: about the new 2.2.x Kernel series. This hack allows you to press Alt, ::
:: SysRq (Print Screen) and a Hotkey to perform various different tasks ::
:: even when the system is not responding. You can press Alt+SysRq+K to ::
:: kill all processes on the vterm you are using, or Alt+SysRq+M to dump ::
:: memory information onto the screen and a whole bunch of other really ::
:: neat things - none of which we are looking at in detail now, except for ::
:: the one that makes the difference for security - Alt+SysRq+1-9. This ::
:: hack determines how much of the kernel mumblings are logged. Having a ::
:: lot of mumblings logged is generally quite nice, or, you can keep it at ::
:: 1 or something and just jack it up when you need to. ;) ::
:: ::
:: Ugh. RedHat 6.0 has a stupid PAM'erized su. If you give the correct ::
:: password to it, you become superuser immediately, and if you give the ::
:: wrong password, there is a full one second delay before it tells you the ::
:: attempt failed and logs the attempt. During this period, you can press ::
:: Ctrl+Break to stop su and nothing will be logged, making it easy for ::
:: some-one to brute-force the root password. Nuke su. It's a dumb program ::
:: and I don't like it anywayz. ;) ::
:: ::
:: I hope you're not running X-Windows, but if you are, be sure to fix a ::
:: few critical permissions in the UNIX 98 PTYs which could give you ::
:: trouble by typing chmod 600 /dev/pts/* ::
:: ::
:: RedHat 6.0 also fucks up the permissions on the CD-ROM drive. A minor ::
:: problem, but worth fixing anyway - Think of backups. Cat your /etc/fstab ::
:: to see where your cdrom drive is and then chmod 600 /dev/whatever ::
:: ::
:: If you use KDE, and more specifically if you use K-Mail, then you are ::
:: vulnerable to a silly symlink problem. Nuke K-Mail, Don't use K-Mail, or ::
:: if you are a COMPLETE loser and you *really* want it, d/l the fix from ::
:: ftp.kde.org/pub/kde/security_patches/kmail-security-patch.diff ::
:: ::
:: I think the ipop2d on RH6 in vulnerable to a remote buffer overflow ::
:: exploit that produces a shell as user "nobody". I'm not sure, but if yer ::
:: running an ipop2d yer a loser anyway, so who cares. ;) ::
:: ::
:: Now you should have a quasi-secure lame Linux box that is hopefully a ::
:: bit less lame than when you started. This text only really covers what ::
:: silly security problems need to be fixed, not common sense stuff. If ::
:: you are new to *nix then you should get the Linux Administrators ::
:: Security Guide from www.seifried.org/lasg - but not even that can ::
:: completely teach you common sense. Make sure to close unwanted ports by ::
:: checking your /etc/inetd.conf and preparing user's home directories ::
:: properly, ie. like this... ::
:: ::
:: cd /home/redneck # Go to the home directory ::
:: chattr +a .bash_history # Make history append only ::
:: chown root.root .bash_profile # Make profile unmodifiable ::
:: chown root.root .bash_logout # Make logout unmodifiable ::
:: chown root.root .bashrc # Make bashrc unmodifiable ::
:: ::
:: There is a wealth of stuff you can do to make your system much more ::
:: secure, but I'm not going to go into any of that right now. There are ::
:: already too many lame guides to generic Linux security, and I don't ::
:: feel like making another one. Later. ::
:: ::
:: --=====-- ::
:: * Kat (guy@inside.thematrix.za.net) has joined #hack ::
:: <wyze1> Guy... do you want to know... what... the matrix is? ::
:: <wyze1> WELL I WONT TELL YOU, YA DUMB LITTLE FUCK!#%!$^%! THEY SAID I ::
:: COULD HAVE A TALK SHOW, BUT NOOOOOOOOO, I HAVE TO BE IN A SCI-FI AND ::
:: WEAR THIS G00FY TRENCHCOAT!^%$#^$!#%$ I HATE YOU ALL DAMNIT!#%@%^$# ::
:: <wyze1> *sigh* ::
:: * wyze1 sets mode: +o Kat ::
:: --=====-- ::
:: ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
