ProductsDesktop Server For Scientific Computing For IBM POWER For IBM System z For SAP Business Applications Red Hat Network Satellite ManagementExtended Update Support High Availability High Performance Network Load Balancer Resilient Storage Scalable File System Smart Management Extended Lifecycle SupportWeb Server Developer Studio Portfolio Edition JBoss Operations Network FuseSource Integration Products Web Framework Kit Application Platform Data Grid Portal Platform SOA Platform Business Rules Management System (BRMS) Data Services Platform Messaging JBoss Community or JBoss enterprise
SolutionsApplication development Business process management Enterprise application integration Interoperability Operational efficiency Security VirtualizationMigrate to Red Hat Enterprise Linux Systems management Upgrading to Red Hat Enterprise Linux JBoss Enterprise Middleware IBM AIX to Red Hat Enterprise Linux HP-UX to Red Hat Enterprise Linux Solaris to Red Hat Enterprise Linux UNIX to Red Hat Enterprise Linux Start a conversation with Red Hat Migration services
TrainingPopular and new courses JBoss Middleware Administration curriculum Core System Administration curriculum JBoss Middleware Development curriculum Advanced System Administration curriculum Linux Development curriculum Cloud Computing and Virtualization curriculum
ConsultingStandard Operating Environment (SOE) Strategic Migration Planning Service-oriented architecture (SOA) Enterprise Data Solutions Business Process Management
Issue #6 April 2005
- What's new in security for Red Hat Enterprise Linux 4
- Taking advantage of SELinux in Red Hat Enterprise Linux
- The security dilemma, part 2: Intrusion prevention
- It's 2 a.m., do you know who's reading your email?
- Video: See you at the Summit
- Taking your desktop virtual with VNC
- Video: Open source software licenses explained
- Video: Ticketmaster chooses Red Hat Enterprise Linux and Strongmail
- Open source in the force: One officer speaks
- Red Hat Knowledgebase: Serving apple pie to the masses
- Data sharing with a GFS storage cluster
- Red Hat Training adds Windows®-to-Linux® migration course
From the Inside
In each Issue
- Editor's blog
- Red Hat speaks
- Ask Shadowman
- Tips & tricks
- Fedora status report
- Magazine archive
Tips & Tricks
Red Hat's customer service team receives technical support questions from users all over the world. As they are received, Red Hat technicians add the questions and answers to the Red Hat Knowledgebase on a daily basis. Individuals with a redhat.com login are granted access. Every month, Red Hat Magazine offers a preview into the Red Hat Knowledgebase by highlighting some of the most recent entries.
This month's issue features articles about security, including an inside view of Red Hat Enterprise Linux 4. We realize it is impossible to answer all your security questions with just one magazine issue, but we've tried to answer a few more with this month's Tips & Tricks.
Tips from RHCEs
Creating multiple terminals with screen
by Brent Langston, RHCE
Screen is a useful utility that I stumbled across several years ago
and continue to use today. It is a terminal multiplexer that acts as
screen window manager for text-based terminals. Simply put,
screen allows you to open multiple terminals on a single connection.
You might wonder how or why this is useful since Red Hat provides six
ttys by default. As an example, consider when only one tty is
available, as is the case in single user mode. Another good example
is when a user connects to a remote system through SSH or over a
modem. Rather than making multiple connections, you can use your
single connection and run
screen to get multiple ttys.
Screen can monitor terminals and display a message if it
detects activity. It provides a clipboard type feature that allows
you to copy/paste from window to window. It also gives you a buffer
allowing you to scroll back through history.
How many of you have started a long process at work like, for
instance, a kernel rebuild? If you begin that process within
screen, then you the
screen, go home, ssh to
your office machine, and re-attach to the
process remains running the entire time. You can attach and detach
screens at will, but the processes continue to run.
screen utility is provided by the
rpm. You can install it on your Red Hat Enterprise Linux system by
up2date . Some important
keystrokes to note: Ctrl-A is the control key for
You follow Ctrl-A with another key that corresponds to what you want
to do. To see a list of all of the key bindings, press Ctrl-A
followed by ?. Don't forget to check out the main page for more
The next time you need multiple windows over one connection, don't forget about this valuable utility!
How can I verifying which ports are listening?
After configuring network services, it is important to pay attention to which ports are actually listening on the system's network interfaces. Any open ports can be evidence of an intrusion.
There are two basic approaches for listening the ports that are
listening on the network. The less reliable approach is to query the
network stack by typing commands such as
lsof -i. This method is
less reliable since these programs do not connect to the machine from
the network but rather check to see what is running on the system. For
this reason, these applications are frequent targets for replacement
by attackers in an attempt to cover their tracks if they open
unauthorized network ports.
A more reliable way to check which ports are listening on the
network is to use a port scanner such as
The following command issued from the command line determines which ports are listening for TCP connections from the network:
nmap -sT -O localhost
The output of this command looks like the following:
Starting nmap V. 3.00 ( www.insecure.org/nmap/ ) Interesting ports on localhost.localdomain (127.0.0.1): (The 1596 ports scanned but not shown below are in state: closed) Port State Service 22/tcp open ssh 111/tcp open sunrpc 515/tcp open printer 834/tcp open unknown 6000/tcp open X11 Remote OS guesses: Linux Kernel 2.4.0 or Gentoo 1.2 Linux 2.4.19 rc1-rc7) Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds
This output shows the system is running
portmap due to the presence of the
sunrpc service. However, there is also a mystery
service on port 834. To check if the port is associated with the
official list of known services, type:
cat /etc/services | grep 834
This command returns no output, which indicates that while the port
is in the reserved range (meaning 0 through 1023) and requires
root access to open, it is not associated with a
Next, check for information about the port using
To check for port 834 using
netstat, use the
netstat -anp | grep 834
The command returns the following output:
tcp 0 0 0.0.0.0:834 0.0.0.0:* LISTEN 653/ypbind
The presence of the open port in
netstat is reassuring because a cracker opening
a port surreptitiously on a hacked system would likely not allow it to
be revealed through this command. Also, the
-p option reveals the process id (PID) of the
service which opened the port. In this case the open port belongs to
ypbind (NIS), which is an RPC service handled
in conjunction with the
lsof command reveals similar information since it is also capable of linking open ports to services:
lsof -i | grep 834
Below is the relevant portion of the output for this command:
ypbind 653 0 7u IPv4 1319 TCP *:834 (LISTEN) ypbind 655 0 7u IPv4 1319 TCP *:834 (LISTEN) ypbind 656 0 7u IPv4 1319 TCP *:834 (LISTEN) ypbind 657 0 7u IPv4 1319 TCP *:834 (LISTEN)
These tools reveal a great deal about the status of the services running on a machine. They are
flexible and can provide a wealth of information about network services and configuration. Consulting
the man pages for
nmap, and similar services is therefore highly recommended.
How do I secure SSH to disable direct root login?
by Vishal Gaikwad
To disallows direct root login, edit the
/etc/ssh/sshd_config file with a text editor and
find the following line:
Change the yes to no and remove the comment character at the beginning of the line:
Restart the sshd service:
service sshd restart
It is also recommended that you also restrict access to your system by
limiting users root access with the
command. Refer to additional articles in Red Hat Knowledgebase on how to
restrict the use of
What ports and/or websites do I need to allow through my firewall so that the Red Hat Update Agent (up2date) and Red Hat Network (RHN) services are available?
by Michael Kearey
The Red Hat
Network (RHN) service is hosted at
xmlrpc.rhn.redhat.com. This is the default
configuration and need not be changed unless you are using a Red Hat
Network Satellite server.
To verify the server your system is configured to use, issue the command:
at a terminal. Here is an example of the command output:
0. debug No 1. useRhn Yes 2. rhnuuid 578918ea-cb1c-11d8-8f02-814df2323483 3. isatty Yes 4. showAvailablePacka No 5. networkSetup Yes 6. retrieveOnly No 7. enableRollbacks No 8. noSSLServerURL http://xmlrpc.rhn.redhat.com/XMLRPC 9. pkgSkipList ['kernel*'] 10. storageDir /var/spool/up2date 11. adminAddress ['root@localhost'] 12. noBootLoader No 13. serverURL https://xmlrpc.rhn.redhat.com/XMLRPC 14. fileSkipList  15. versionOverride 16. sslCACert /usr/share/rhn/RHNS-CA-CERT 17. noReplaceConfig Yes 18. useNoSSLForPackage No 19. systemIdPath /etc/sysconfig/rhn/systemid 20. enableProxyAuth No 21. retrieveSource No 22. disallowConfChange ['noReboot', 'sslCACert', 'useNoSSLForPackages', 'noSSLSe 23. headerFetchCount 10 24. networkRetries 5 25. pkgsToInstallNotUp ['kernel', 'kernel-modules'] 26. enableProxy No 27. proxyPassword 28. updateUp2date Yes 29. keepAfterInstall No 30. proxyUser 31. removeSkipList ['kernel*'] 32. useGPG Yes 33. gpgKeyRing /etc/sysconfig/rhn/up2date-keyring.gpg 34. httpProxy 35. headerCacheSize 40 36. forceInstall No 37. noReboot No Enter number of item to edit
Entry numbers 8 and 13 —
serverURL — define what servers
Alternatively, you may also verify the settings by looking at the
contents of the file
/etc/sysconfig/rhn/up2date and locating the
... noSSLServerURL=http://xmlrpc.rhn.redhat.com/XMLRPC ... serverURL=https://xmlrpc.rhn.redhat.com/XMLRPC ...
For RHN and
up2date to work correctly
the firewall must allow connections to:
- xmlrpc.rhn.redhat.com port 80 (http)
- xmlrpc.rhn.redhat.com port 443 (https)
In addition, to be able to access the Red Hat Network (RHN) website, the firewall must allow connections to:
- rhn.redhat.com port 80 (http)
- rhn.redhat.com port 443 (https)
How can I prevent a non-root user from shutting down or rebooting the system?
by Marizol Martinez
To prevent non-root users from using the shutdown/reboot/halt commands:
- In the file
/etc/X11/gdm/gdm.conf, change the line that reads:
- In the file
/etc/inittab, change the line that reads:
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
ca::ctrlaltdel:echo <A message indicating rebooting is not possible>
- In the directory
/etc/security/console.apps/, delete the files
- Remove the file
To remove files, you can use the
How do I configure Sendmail to use SSL encryption for sending/receiving email?
by Bradford Hinson
Sendmail can be configured to encrypt email via the secure socket layer (SSL) when sending and receiving messages. This requires the following configuration changes to Sendmail.
First, SSL requires a valid certificate on the server. This can be obtained from a company which digitally signs the certificate or it can be created locally. To generate an SSL certificate, follow these steps:
cd /usr/share/ssl/certs make sendmail.pem
Enter the desired information for Country Name, State or Province,
Organization Name, etc. when prompted. Next, uncomment the following
/etc/mail/sendmail.mc by removing the
dnl at the beginning of the line:
... define(`confCACERT_PATH',`/usr/share/ssl/certs') define(`confCACERT',`/usr/share/ssl/certs/ca-bundle.crt') define(`confSERVER_CERT',`/usr/share/ssl/certs/sendmail.pem') define(`confSERVER_KEY',`/usr/share/ssl/certs/sendmail.pem') ... DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')
Restart Sendmail with the command:
service sendmail restart
Secure SMTP is now enabled for sending mail over port 465 using SSL. To enable the secure IMAP/POP3 services, enable them with:
chkconfig pop3s on chkconfig imaps on
Secure POP3 operates over port 995 and secure IMAP uses port 993. The server is now configured to use SSL for sending and receiving email. When setting up the email client, make sure it is configured to use secure connection (SSL) "Always" in both the sending and receiving preferences.
How can I limit who can use SSH based on a list of users?
by Michael Napolis
One advantage of Pluggable Authentication Module (PAM) is it can be used to limit the number of network users who have access to a certain service based on a list. For example, you can limit SSH connections via PAM.
/etc/pam.d/sshd, add the following line:
auth required /lib/security/pam_listfile.so onerr=fail item=user sense=allow file=/etc/sshd_users
This will allow a user to login via
sshd if they are
listed in the
/etc/sshd_users file. The
options specified have the following meanings:
onerr=fail—If an error occurs (file specified is not found or an improperly formatted entry is found in the file), fail this test. This will deny the user access via
sshd. The other possible option for
item=user—This states that we are testing or verifying the user's login name.
sense=allow—This means that if the user is found in the file specified, this test succeeds. This will allow the user access if all other PAM tests succeed as well. The other possible option for
file=/etc/sshd_users—This specifies the file that will contain the list of users (one per line) that are allowed to access
With that, the
/etc/pam.d/sshd will look like:
#%PAM-1.0 auth required pam_stack.so service=system-auth auth required pam_nologin.so auth required pam_listfile.so onerr=fail item=user sense=allow file=/etc/sshd_users account required pam_stack.so service=system-auth password required pam_stack.so service=system-auth session required pam_stack.so service=system-auth session required pam_limits.so session optional pam_console.so
Afterwards, put the valid SSH users in the
/etc/sshd_users file. Each username should be on
a new line.
What firewall settings do I need to use NTP (Network Time Protocol)?
by Joshua Wulf
To use a Network Time Protocol (NTP) client or server on your system you need to have access to port 123 both incoming and outgoing between any client and the server that it is communicating with. The startup script for the NTP service should create the firewall holes on your machine automatically. You will have to ensure that all points along the route between the client and the server will allow traffic on port 123.
This article is protected by the Open Publication License, V1.0 or later. Copyright © 2004 by Red Hat, Inc.