Set password minimum length to 8 characters
In /etc/pam.d/system-auth:
password requisite /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8
Disallow direct root login
Specify that no device is trusted for root login:
cp /etc/securetty /etc/securetty_bak
cp /dev/null /etc/securetty
Limit the set of people able to attempt to become root
Add the desired users to the group wheel (and you must add at least one!):
usermod -a -G wheel youruser
Change the group affiliation of the su command, and make it remain setuid as root and executable only by group wheel members:
chgrp wheel /bin/su
chmod 4750 /bin/su
Test to verify that members of the group ‘wheel’ can use su to become root.
Secure /tmp
Remove /var/tmp and symlink to /tmp instead
rm -fR /var/tmp
ln -s /tmp/ /var/
Create a 500MB partition for /tmp
cd /dev; dd if=/dev/zero of=tmpMnt bs=1024 count=512000
/sbin/mke2fs /dev/tmpMnt
Backup the old tmp folder
cp -Rp /tmp /tmp_backup
Mount the new tmp filesystem
mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp
chmod 1777 /tmp
Move the files back into tmp
cp -Rp /tmp_backup/. /tmp/
Add this to /etc/fstab so /tmp is mounted on startup:
/dev/tmpMnt /tmp ext2 loop,noexec,nosuid,rw 0 0
And check that the shm line in /etc/fstab looks like this:
none /dev/shm tmpfs noexec,nosuid 0 0
Unmount and remount /dev/shm
umount /dev/shm; mount /dev/shm
Remove the /tmp backup if everything looks okay
rm -fR /tmp_backup
Restrict permissions on key executables
chmod 700 /usr/bin/rcp
chmod 700 /usr/bin/wget
chmod 700 /usr/bin/lynx
chmod 700 /usr/bin/scp
chmod 700 /usr/bin/GET
chmod 700 /usr/bin/gcc
chmod 700 /usr/bin/cc
Remove Samba
yum remove samba
Keep an eye out for root kits
Try RKHunter or chkrootkit.
Turn off Apache server signature
In httpd.conf:
ServerSignature Off
ServerTokens Prod
Stop named providing a version
In /etc/named.conf, search for:
query-source address * port 53
Add a line directly underneath with
version "Named";
Make sure display_errors = Off in /etc/php.ini
Echoing errors to the page on a production server is a bad idea™.
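One way to verify the root-login, su and /tmp steps above after applying them, as an added example that is not part of the original checklist. The function names are hypothetical, and the mount check reads /etc/fstab rather than the live mount table, so it confirms what will apply at the next boot.

```bash
#!/bin/bash
# Added example: audit helpers for the checklist above. Every path is a
# parameter, so the checks also work on copies of the files.

# has_mount_opts FSTAB MOUNTPOINT OPT...
# Succeeds only if MOUNTPOINT is listed in FSTAB and carries every OPT.
has_mount_opts() {
    local fstab="$1" mnt="$2" opts opt
    shift 2
    # fstab field 2 is the mount point, field 4 the comma-separated options.
    opts=$(awk -v m="$mnt" '$1 !~ /^#/ && $2 == m { print $4; exit }' "$fstab")
    [ -n "$opts" ] || return 1
    for opt in "$@"; do
        case ",$opts," in
            *",$opt,"*) ;;        # whole-option match, not a substring
            *) return 1 ;;
        esac
    done
}

# securetty_is_empty FILE: the file exists and names no trusted terminal.
securetty_is_empty() {
    [ -f "$1" ] && ! grep -q '[^[:space:]]' "$1"
}

# su_is_restricted FILE GROUP: mode is exactly 4750 and the group is GROUP.
su_is_restricted() {
    [ -n "$(find "$1" -prune -perm 4750 -group "$2" 2>/dev/null)" ]
}

# audit: run the checks against the live system and report each result.
audit() {
    local rc=0
    report() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; rc=1; fi; }
    report securetty_is_empty /etc/securetty
    report su_is_restricted /bin/su wheel
    report has_mount_opts /etc/fstab /tmp noexec nosuid
    report has_mount_opts /etc/fstab /dev/shm noexec nosuid
    return "$rc"
}

# Run as root with --audit to check the live system.
if [ "${1:-}" = "--audit" ]; then audit; fi
```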