Want a quick guide to installing and securing Red Hat Linux? This article details the steps required to install Red Hat Linux 8.0 on a production server. It covers the procedures necessary to get the operating system from the setup CDs to your system’s hard disks, shutting down any unnecessary system services, and applying any required system updates from Red Hat.
Installing and Securing Red Hat Linux in an Hour
Submitted by Frank 2003-05-25 Red Hat 11 Comments
The article is *not* about securing Red Hat Linux. It’s about installing it, making a list of which RPMs are installed, and then it tells you to disable some (but doesn’t say which) services.
The artcile was not useful, but I have summarised the important parts below:
1. After an install, run the following to make a list of installed RPMs:
rpm -qa > /root/date.rpms (eg, /root/20030228.rpms)
One shouldn’t have to remove packages after install, or disable services after install. Rather one would have to install those packages needed, and enable those services needed.
From a security point of view, the second approach is a lot better. Also it’s more convenient. How many packages are there, and how many do you use? How many services are there, and how many do you use?
In general, now you have to spend more time disabling the stuff you don’t need than you would’ve spend enabling the stuff you DO need if everything would’ve been disabled by default.
This is one of the reasons I like OpenBSD; at least there’s no cruft installed by default, no unnecessary services enabled by default,…
Remember hacking win.ini and how fun that was. The same is happening again.
It’s really not an article about securing RH8, it only shows how to install RH8 and hold it up2date with up2date 😉
Hopefully RH8 is secure out of the box.
If a newbie thought by your headline he runs a now a real secure RH8 after doing all of this article 😉
Hmm, you better change your headline, Eugenia 😉
On a default RH8 I can log on with ssh from everywhere as a root.
This is not really secure for a secure machine…
>> This is one of the reasons I like OpenBSD; at least there’s no cruft installed by default, no unnecessary services enabled by default,…
I don’t know what you guys are talking about.. isn’t this about installing a RedHat SERVER?? The default server install is already so lean and mean, there’s hardly any cruft (you need only the first CD) More importantly, at that point, you should already know what you need anyhow, and you oughta know better than permit crap you don’t need.
> I don’t know what you guys are talking about.. isn’t
> this about installing a RedHat SERVER?? The default
> server install is already so lean and mean, there’s
> hardly any cruft (you need only the first CD) More
> importantly, at that point, you should already know
> what you need anyhow, and you oughta know better than
> permit crap you don’t need.
My point is that you still need to disable stuff and lock down the box after a fresh install.
Of course, if you’re installing a server, you should know what you’re doing, but still, having to disable everything you don’t need is a waste of time.
And what if you accidentially forget something?
It is also true that (most) linux distro’s are way better security-wise than they were some time ago. But still they’re not quite there yet, imho. At least they’re making progress
It’s a bit like the two traditional security policies:
1) Everything is allowed, except that what’s prohibited
2) Everything is prohibited, except that what’s allowed
In theory, both will work, but it’s quite clear that #2 is better.
And since we’re talking about server installs here now, as soon as you’re placing admin convenience above security, you’ve lost it.
This Paper is not about securing or harding a RH box, Its about getting a very basic install done.
there is so much more, like:
setting up the wheel group.
running ps -aux and making sure what processes and stuff is running.
running chkconfig –list, and seeing what services and running on what run level and Removing all the ones you dont need.
this is all just basic stuff, and for the record my box partiting looks like this:
Filesystem Size Used Avail Use% Mounted on
/dev/hda6 980M 981M 0 100% /
/dev/hda1 243M 14M 216M 7% /boot
/dev/hda5 980M 17M 914M 2% /data
/dev/hda9 22G 429M 20G 3% /home
none 125M 0 124M 0% /dev/shm
/dev/hda7 980M 50M 881M 6% /tmp
/dev/hda2 9.6G 2.4G 6.7G 26% /usr
/dev/hda3 1.9G 890M 979M 48% /var
/dev/hdb1 37G 11G 23G 32% /core
/dev/cdrom1 480M 480M 0 100% /mnt/cdrom1
notice 2 non standard partitions, thats where i keep stuff, that does not go in /home. stuff other need or stuff shared by samba or nfs or something.
and if the systems really gets hosed or something i have all the non standard partitons to work with. makes much more sense.
I could go on.
I just wanted to let all the newbies know that this is not securing or harding.
If this is an example of IBM’s “professionalism”, then they need to “RTFM” the RedHat manuals for Kick Start. If I was going to build servers for a Data Center, I would want to build them quickly, ensure the configuration is standardized, and secure them as much as possible during the installation. I can do this with Solaris (JumpStart) and AIX (NIM), why didn’t they explore Kick Start?
what is the point of a _server_ without the _services_ installed by default?
> what is the point of a _server_ without the _services_ installed by default?
You clearly do not understand.
OpenBSD comes with quite some services (apache, sendmail, bind, ftpd, sshd, nfs,…) installed by default, but just not _enabled_ by default (well, sshd is, but that’s an exception).
What is the point of having _unused_ services, with possible security holes, enabled on a server? What’s the use of having a web server displaying some default page on a mailserver? What’s the use of having an MTA listen for external connections on a webserver (local connections is another matter of course)? What’s the use of having NFS running on a machine that isn’t exporting any filesystems? What’s the use of having lpd running on a server, and thus will never print anything anyway? … (I could go on, but I think you got the point by now )
It’s really simple, with most (all?) linux distro’s, you spend some time disabling all the stuff that’s enabled by default that you don’t need.
With OpenBSD, you spend a few minutes _enabling_ the stuff you do need. It isn’t inconvenient either; enabling eg. apache only requires you to change 2 chars in /etc/rc.conf. How’s that for convenience?
For lesser used services (like MySQL, PostgreSQL, ircd,…) you indeed have to install a package, but how bad is that?
> OpenBSD comes with quite some services (apache, sendmail,
> bind, ftpd, sshd, nfs,…) installed by default, but just
> not _enabled_ by default (well, sshd is, but that’s an
Actually, the latest versions of Red Hat don’t have the bulk of those services enabled by default either.
I ALWAYS do a custom install, and select exactly what I want to put on the machine.
> What is the point of having _unused_ services, with
> possible security holes, enabled on a server? What’s the
> use of having a web server displaying some default page on
> a mailserver?
Apache is disabled by default now.
> What’s the use of having an MTA listen for external
> connections on a webserver (local connections is another
> matter of course)?
sendmail IS enabled by default, but it only accepts connections on the loopback interface. You have to edit your sendmail config files to permit external connections (run it through m4, etc).
> What’s the use of having NFS running on a machine that
> isn’t exporting any filesystems?
nfs is disabled by default.
> What’s the use of having lpd running on a server, and thus
> will never print anything anyway?
Uh, Red Hat hasn’t used lpd as a default in quite some time. The default is cups. And I don’t usually install any printing support on a non-print server server. That one IS enabled by default though.
> … (I could go on, but I think you got the point by now
Well, sort of. I think it is clear you aren’t really up on your Linux. I’ll admit that the BSDs are typically more secure out of the box, but not by much anymore.
> It’s really simple, with most (all?) linux distro’s, you
> spend some time disabling all the stuff that’s enabled by
> default that you don’t need.
Depends a ton on the distro, and how much trouble you take to actually install only what it is you need. Mandrake now has a nice little section of their installer that lets you set what’ll be enabled at startup before you even boot the system (something I wouldn’t mind seeing from Red Hat).
> With OpenBSD, you spend a few minutes _enabling_ the stuff
> you do need. It isn’t inconvenient either; enabling eg.
> apache only requires you to change 2 chars in
> /etc/rc.conf. How’s that for convenience?
Under Red Hat: ‘chkconfig httpd on’. All done. Even more convenient. Don’t even need to edit a text file. Then ‘service httpd start’ if you want to start it up without rebooting.
> For lesser used services (like MySQL, PostgreSQL,
> ircd,…) you indeed have to install a package, but how
> bad is that?
I think this is a key difference. The Red Hat installer is WAY more flexible. You choose exactly what you want to install. For some services, it is just assumed that since you chose to install it, you probably want to run it.
Don’t get me wrong, I love all (well, most all) operating systems, especially those that are unix-ish. But you’re way off on some of what you say.