Hardening Doc Update 2

Tue Jan 11 10:53:40 UTC 2005

On Tue, 11 Jan 2005 00:04:34 -0800, "tuxxer" <tuxxer at cox.net> said:
> > - You might also want to mention the role of the built-in firewall -
> > even enabled services like SSH are effectively closed unless the
> > administrator alters the default firewall settings.
> 
> I use Firestarter, so this I need to do some playing around with this
> before I can speak intelligently about it.  

It's extremely basic, which is good for simple configurations.  I don't
know what RH would recommend for routers and more complex setups - I use
shorewall.  The only quirks with the built-in firewall config that I can
think of are a) it automatically allows inbound traffic for mDNS and UDP
631 (CUPS browsing ?), b) The manual install process doesn't expose all
of the functionality - trusted interfaces and allowing arbitrary port
numbers become post-installation tasks.

> > You might want to consider the role of Installation Types here - the
> > user can pick an Installation Type and then customise the package groups
> > (which ties in with role selection in 1.2).   Anaconda essentially
> > mandates certain packages, so you don't really get the flexibility that
> > you mention.   Even using the "Minimal" package group will install
> > sendmail, CUPS, SSH and NFS (and mDNS on FC3, I think).
> Mentioned.  Could probably do more here, so I will look into adding more
> detail.  I think I really need to do some experimentation, but don't
> have the facilities at the moment.

FWIW, the relevent sections of the draft Installation Guide are
complete.  If you can't find relevent information there then feel free
to ask. I've installed FC rather a lot already... and have more or less
beaten VMWare into submission, so testing configurations is now a bit
less onerous too.

> > Strictly IMHO, disabling service accounts is often excessive and causes
> > a maintenance problem.  They can't login locally, and you can easily
> > block remote logins (see above).
> 
> Rahul mentioned something along these lines.  Does anyone know for sure
> if you remove a certain service that the user for that service is
> removed as well?  I don't remember for sure, but I believe that the user
> remains.

I believe so too, but haven't checked.  Removal definitely leaves the
configuration files behind.

> > Section 4.2)
> > 
> > "Then, either reboot your system, or issue the command pkill -1 sshd.
> > The pkill command will force sshd to re-read it's configuration file.
> > This will force users to login as a normal user account and then su to
> > root, or utilize sudo."
> However, I think that it might be valuable to kill existing connections (assuming that you have multiple
> users, which I think I touched on this in the scope and intended
> audience).  If you have someone "unwanted" logged on while you're making
> changes, booting them might be handy.  Admittedly, it's unlikely,
> however, possible.  I think I'll mention both, with a caveat.

It might be worth putting something as a general point at the start of
the document - warning the reader to try not to allow network
connections whilst carrying out lockdown, and advising that config
changes will not affect existing connections.

> The "general points" are valid, but may require
> some "re-engineering" of the doc in its entirety, so I'll save that for
> another time when I have a little more time to dedicate to it.  I've
> commented where I was able to make "quick changes".

OK.  I'll bear that in mind when I look at it again.  Thanks for being a
good sport about us bystanders picking holes in your doc.

--

Stuart Ellis
s.ellis at fastmail.co.uk