Posts Tagged ‘CentOS’

RHEL/CentOS 5 server security

As part of a sysadmin's job, it is worth taking a few extra minutes to properly secure a newly installed Linux server. The usual steps are enabling SELinux, configuring the firewall, and setting user permissions. There are additional steps one should take, however: tune and secure kernel parameters, disable core dumps, prevent IPv6 from loading if your company is not using it, and turn off unnecessary services.

Networking
First, let's look at kernel parameters that blunt network-based attacks: refusing source-routed packets and ICMP redirects (so an intruder cannot alter the routing table), not acting as a router, logging packets with impossible source addresses ("martians"), ignoring broadcast pings and bogus ICMP errors, enabling SYN cookies, and turning on reverse path filtering. To change these settings, edit /etc/sysctl.conf and enter:
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_messages = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

If you are running IPv6 at your company, here are a few kernel parameters that stop a host on the local link from handing your server a rogue default router, prefix, or address via router advertisements and autoconfiguration:
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 1

To make these settings effective without rebooting, run sysctl -p, which reloads /etc/sysctl.conf. Settings in that file are reapplied on every boot; a value set only with sysctl -w is lost at the next reboot.

We can go a step further by disabling unused network functions such as IPv6 and prevent self assigned addressing.

To detect whether IPv6 is running on a server, type ifconfig | grep inet6, which returns output like:
inet6 addr: fe80::240:5ff:fe32:ef19/64 Scope:Link
inet6 addr: ::1/128 Scope:Host
inet6 addr: fe80::200:ff:fe00:0/64 Scope:Link

To prevent the IPv6 module from loading, run the following command:
echo "install ipv6 /bin/true" > /etc/modprobe.d/ipv6
Then add the following lines to /etc/sysconfig/network:
NETWORKING_IPV6=no
IPV6INIT=no

This deactivates the IPv6 protocol on the server after the next reboot (the module stays loaded until then). Since ip6tables has nothing to filter once the module is gone, turn that service off as well; it is included in the service list further down.

To prevent self-assigned (zeroconf, 169.254.0.0/16) addressing on network cards, open /etc/sysconfig/network and add:
NOZEROCONF=yes

Server security
Turning off the ability to create core dumps is important: a core file is a copy of a process's memory, so an intruder who can trigger a crash or read the dump may recover credentials, keys, and configuration details of running services. To disable them for all users, edit /etc/security/limits.conf and insert:
* hard core 0

We should also prevent setuid programs from dumping core, since such a dump can leak data the unprivileged user was never allowed to read:
sysctl -w fs.suid_dumpable=0
As with the network parameters, add fs.suid_dumpable = 0 to /etc/sysctl.conf so the setting survives a reboot.

There are also built-in kernel features which help protect against buffer overflow attacks. They are turned on by default, but the parameters should be set explicitly in case they have been turned off:
sysctl -w kernel.exec-shield=1
sysctl -w kernel.randomize_va_space=1

The first enables ExecShield, Red Hat's mechanism for marking the stack and data regions non-executable; the second enables address space layout randomization (ASLR), which randomizes the placement of the stack, heap, and shared libraries so that an exploit cannot rely on fixed addresses. Add both to /etc/sysctl.conf as well so they persist. Note that kernel.exec-shield exists only on Red Hat kernels.
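The network sysctls above and the core dump and ExecShield/ASLR parameters in this section are only effective if the running kernel actually has them. The following script is an added example (not part of the original post) that compares a file of expected sysctl.conf-style values against the live values under /proc/sys and reports each mismatch, as well as keys the kernel does not have at all (which is what you will see for kernel.exec-shield on a non-Red Hat kernel). The optional second argument, a different root directory, is an assumption made only so the function can be exercised against a constructed tree.

```shell
#!/bin/sh
# Added example (not from the original post): audit the running kernel against
# a list of expected sysctl values. It reads /proc/sys directly, so it reports
# drift whether the values came from /etc/sysctl.conf or from a one-off
# "sysctl -w" that will not survive a reboot.
#
# Usage: audit_sysctl EXPECTED_FILE [SYS_ROOT]
#   EXPECTED_FILE  lines of "key = value" in /etc/sysctl.conf syntax
#   SYS_ROOT       defaults to /proc/sys; overriding it is an assumption made
#                  only so the function can be run against a fake tree
# Prints one line per problem and returns the number of problems found.

audit_sysctl() {
    expected_file=$1
    sys_root=${2:-/proc/sys}
    mismatches=0

    # Read without a pipeline so the counter survives the loop (a pipeline
    # would run the loop in a subshell).
    while IFS= read -r line || [ -n "$line" ]; do
        # Trim surrounding whitespace; skip blank and comment lines
        # (sysctl.conf accepts both '#' and ';' comments).
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        case "$line" in ''|'#'*|';'*) continue ;; esac

        key=$(printf '%s' "$line" | sed 's/[[:space:]]*=.*//')
        want=$(printf '%s' "$line" | sed 's/^[^=]*=[[:space:]]*//')

        # A dotted key maps to a path: net.ipv4.conf.all.rp_filter
        # becomes /proc/sys/net/ipv4/conf/all/rp_filter.
        path="$sys_root/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$path" ]; then
            echo "MISSING  $key (no $path: module not loaded or feature absent)"
            mismatches=$((mismatches + 1))
            continue
        fi

        have=$(cat "$path")
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $key: running=$have expected=$want"
            mismatches=$((mismatches + 1))
        fi
    done < "$expected_file"

    return "$mismatches"
}

# Run directly as: sh audit_sysctl.sh /etc/sysctl.conf
if [ -n "${1:-}" ]; then
    audit_sysctl "$1"
fi
```

A non-zero exit status means something needs attention, which makes the script usable from cron or a configuration check after every kernel update. Comparing against /proc/sys rather than `sysctl -a` output also avoids parsing differences between sysctl versions.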

Many services run on a default installation, including cups, sendmail, isdn, bluetooth, and others. If a service is not being used on the server, it should be stopped and configured not to start on reboot. The following bash loop does both, skipping any service that is not installed on the machine (the original list named "luetooth" and listed ip6tables twice; both are corrected here):
for i in acpid autofs avahi-daemon bluetooth cups firstboot gpm hidd ip6tables sendmail exim xfs xinetd yum-updatesd rhnsd pcscd readahead_early readahead_later apmd hplip isdn mcstrans
do
    # Skip services that are not installed rather than erroring on them.
    chkconfig --list "$i" >/dev/null 2>&1 || continue
    service "$i" stop
    chkconfig "$i" off
done

Your service list will vary depending on the installation; do not blindly disable iptables, sshd, or anything the server's role needs. We should also ensure that X does not start on reboot by placing the server in run level 3. To do so, edit /etc/inittab and change id:5:initdefault: to id:3:initdefault:

For further reading I highly encourage you to download the NSA RHEL 5 hardening documents: the RHEL 5 Pamphlet and the Hardening RHEL 5 Guide.

Resume

Education:
Ferris State University
Master of Business Administration
Expected graduation: May 2011

Ferris State University
Master of Science in Information Systems Management
Advanced studies certificate in Information Security and Networking Management
Graduated: May 2009

Central Michigan University
Bachelor of Science in Information Technology
Minor: Media Design, Production, Technology
Graduated: May 2007

Certifications:
Red Hat Certified Engineer – 805009290438216
Red Hat Certified Technician – 605008302621519
CompTIA – Security+, Linux+, Network+, A+

Professional course work:
Red Hat Linux Networking and Security Administration RH253 – Course completed March 20, 2009
Red Hat Linux Administration RH133 – Course completed November 7, 2008
Cisco Certified Network Associate Semester 2 – Course completed May 5, 2008
Certified Wireless Network Administrator – Course completed March 14, 2008
Cisco Certified Network Associate Semester 1 – Course completed December 12, 2007

Experience:
Systems Administrator – Ferris State University, Big Rapids, Michigan, 2008 – Present
Responsible for over 60 UNIX/Linux servers ranging from Red Hat Enterprise Linux 3 – 5, Suse 10, Solaris 9, HP UX 11.23, and Microsoft Windows Server 2003
Migrated Sun ONE Directory Server to Red Hat Directory Server and implemented multimaster replication, SSL encryption, and roaming user home directories
Rolled out hard drive and media encryption software to high risk users with Check Point Endpoint Security
Maintain almost 10 TB of SAN disk space on Red Hat and Solaris servers for Oracle databases
Developed update staging server for RHEL 3 – 5 using Yum, VSFTP, and GPG
Administration of Red Hat Directory Server for authentication to all UNIX/Linux servers
Wrote Red Hat server build documents and developed Python scripts for kickstart generation for use within our server environment
Developed Bash and Perl scripts to automate server configuration changes and back ups
Use of RHEL 5 Xen for server virtualization
Configured and maintained FreeRADIUS for 802.1x wireless authentication and outdoor wireless mesh networks
Server load balancing with F5 Big-IP LTM
Syslog monitoring and alerts with Splunk

Network Technician – Ferris State University, Big Rapids, Michigan, 2007 – 2008
Configured and maintained Nortel layer 2 and 3 switches
Implemented redundancy for Nortel wireless 2380 security switches along with maintaining over 550 Nortel and Cisco access points
Member of a security team responsible for Check Point perimeter and internal firewalls, IBM Proventia IDS/IPS, and network access control using Cisco Clean Access
Maintained both Linux and Windows 2003 servers for DHCP, DNS, and network management servers
Led projects for hard drive encryption, RSA two factor authentication, and web based network statistical data

Network Technician – Central Michigan University 2005 – 2007
Developed new network infrastructure design using redundant etherchannel, multi-spanning tree, and OSPF on Cisco 3750’s to reduce network failover to under 3 second convergence
Configured and maintained over 1,500 networking devices for 30,000 nodes
Assisted on a project that maintained and inserted access control lists to Cisco 7600 series border routers using Suse Enterprise Linux 9, Apache, MySQL, and PHP
Use of the Bradford Network Access Control System for student network access
Developed and implemented a bar code based inventory system using Microsoft SQL, IIS, and PHP
Troubleshot problems with Tacacs+, DNS, and DHCP services running on Red Hat Linux servers

Help Desk Consultant – Central Michigan University 2004 – 2005
Assisted students installing and configuring the Bradford Network’s access control client
Provided first level support for Windows, Macintosh, and Linux desktop and network connectivity issues
Fixed login problems concerning SAP, Active Directory and Time Link

Install mod_security for RHEL/CentOS

You will need to install the Extra Packages for Enterprise Linux (EPEL) release rpm. For i386:
'rpm -ivh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-3.noarch.rpm'
The package is noarch, so the same epel-release-5-3.noarch.rpm from the x86_64 directory (http://download.fedora.redhat.com/pub/epel/5/x86_64/) is used for 64-bit; the link originally given there pointed at the repoview HTML page rather than the rpm itself. You can check the package signature before trusting the repository with 'rpm -K' once the EPEL GPG key has been imported.

Once the EPEL rpm has been installed, you can install mod_security by typing 'yum install mod_security' and then restart the Apache service.

Make sure that the mod_security engine is turned on: open
/etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf and look for 'SecRuleEngine On'. If it reads 'DetectionOnly', requests matching a rule are only logged, not blocked.

One of the coolest features is masking the server signature of Apache. This can be done by editing httpd.conf and making sure that 'ServerTokens' is set to 'Full' (mod_security can only overwrite the signature when Apache has reserved room for the full string), then changing 'SecServerSignature' in 'modsecurity_crs_10_config.conf' to whatever you want. Keep in mind this only misleads scanners that rely on the banner; it does not patch anything.
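Because a CRS config with SecRuleEngine still on DetectionOnly, or a masked signature that never takes effect because ServerTokens was left at Prod, both look fine at a glance, it helps to check them from a script. The following is an added example (not part of the original post) that reads the two files named above and reports both problems; it matches the directive names in the casing the post uses and treats a missing ServerTokens as Apache's compiled-in default of Full. The file paths passed to it are the post's; any other paths are an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): check an Apache/ModSecurity
# configuration for the two things the post asks you to verify by hand:
#   1. SecRuleEngine is "On" (not DetectionOnly, not Off, not missing)
#   2. if SecServerSignature is set, ServerTokens is "Full" -- ModSecurity can
#      only overwrite the signature buffer Apache reserves for the full string
# Usage: check_modsec CRS_CONFIG HTTPD_CONF
# Prints one line per finding and returns the number of findings.

# Value of the last uncommented occurrence of a directive in a file, with
# surrounding double quotes removed; empty if the directive is not set.
# Note: matches the directive name as written (Apache itself is case-insensitive).
directive() {
    sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}//p" "$2" \
        | tail -n 1 \
        | sed 's/^"//;s/"[[:space:]]*$//;s/[[:space:]]*$//'
}

check_modsec() {
    crs=$1
    httpd=$2
    findings=0

    engine=$(directive SecRuleEngine "$crs")
    case "$engine" in
        On) ;;
        '') echo "FINDING SecRuleEngine not set in $crs: rules are loaded but never enforced"
            findings=$((findings + 1)) ;;
        *)  echo "FINDING SecRuleEngine is '$engine', not On: matching requests are not blocked"
            findings=$((findings + 1)) ;;
    esac

    sig=$(directive SecServerSignature "$crs")
    tokens=$(directive ServerTokens "$httpd")
    tokens=${tokens:-Full}   # Apache's default when the directive is absent
    if [ -n "$sig" ] && [ "$tokens" != "Full" ]; then
        echo "FINDING SecServerSignature '$sig' is set but ServerTokens is '$tokens': set ServerTokens Full or the masquerade is never applied"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Run directly with the paths from the post:
#   sh check_modsec.sh /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf /etc/httpd/conf/httpd.conf
if [ -n "${2:-}" ]; then
    check_modsec "$1" "$2"
fi
```

After fixing a finding, confirm the result from outside with curl -I against the server and look at the Server header; a masked signature only proves the directive chain, not that the rules block anything, so send a request the CRS should reject and expect a 403 as well.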

Postfix and ClamAV with RHEL/CentOS

Postfix Install
To create a functional SMTP server, first you need to install Postfix by running
———————————————————–
yum install postfix
———————————————————–

Check that your hostname includes your fully qualified domain name:
———————————————————–
echo $HOSTNAME
———————————————————–
If it does not include your domain, set it explicitly in /etc/postfix/main.cf (the rest of the edits below go in the same file):
———————————————————–
myhostname = smtp.example.com
———————————————————–

You must also make your SMTP server listen on an interface besides the loopback. Change the default:
———————————————————–
inet_interfaces = localhost
-----------------------------------------------------------

To:
-----------------------------------------------------------
inet_interfaces = all
-----------------------------------------------------------

Now edit the configuration to allow trusted networks to relay email. In most situations uncommenting:
-----------------------------------------------------------
mynetworks_style = subnet
-----------------------------------------------------------
should be sufficient (it trusts the IP subnets the server is attached to). If you are allowing a larger network or deal with multiple networks, list the trusted networks manually instead; note that Postfix ignores mynetworks_style whenever mynetworks is set, and that anything in this list may relay through you, so never add 0.0.0.0/0 or a range you do not control:
-----------------------------------------------------------
mynetworks = 127.0.0.0/8, 192.168.1.0/24
-----------------------------------------------------------

ClamAV
Download and install clamav, clamav-db, clamd, and clamav-milter from http://packages.sw.be/clamav/

Edit the clamav-milter init script so that Postfix can reach the milter socket. Add the following lines to the start, stop, and restart case statements (group postfix needs write access to connect to the socket; 0775 gives the group that without opening it to everyone):
-----------------------------------------------------------
chmod 0775 /var/clamav/clmilter.socket
chown clamav:postfix /var/clamav/clmilter.socket

-----------------------------------------------------------

If these settings are not applied, Postfix will not be able to communicate with the ClamAV milter and you will see
warning: connect to Milter service unix:/var/clamav/clmilter.socket: Permission denied
in the mail log.

Now add:
-----------------------------------------------------------
smtpd_milters = unix:/var/clamav/clmilter.socket
non_smtpd_milters = unix:/var/clamav/clmilter.socket

-----------------------------------------------------------
to the bottom of main.cf and restart the Postfix service. Check the mail log after restarting: if the milter cannot be reached, Postfix will log the warning shown above rather than silently passing mail through unscanned.

Now add freshclam to cron to get automatic signature updates and everything should be all set.
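The settings edited in this post, the trusted relay networks and the milter lines, are exactly the ones that decide whether the box becomes an open relay or accepts mail without virus scanning, so they are worth checking mechanically. The following is an added example (not part of the original post) that reads a main.cf, reports when mynetworks contains a catch-all or non-private range, notes when mynetworks_style is being silently ignored because mynetworks is set, and flags a missing smtpd_milters line. It assumes /etc/postfix/main.cf as the default path; the sample file in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): audit the relay-related settings
# in a Postfix main.cf. Prints NOTE/WARN/FINDING lines and returns the number
# of FINDINGs. Usage: audit_postfix [MAIN_CF]  (default /etc/postfix/main.cf)

# Value of a main.cf parameter: the last uncommented assignment wins,
# which is how Postfix itself resolves duplicates.
pf_param() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | tail -n 1
}

# True for loopback or RFC 1918 private address space.
is_private() {
    case "$1" in
        127.*|10.*|192.168.*|'[::1]'*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

audit_postfix() {
    cf=${1:-/etc/postfix/main.cf}
    findings=0

    ifaces=$(pf_param inet_interfaces "$cf")
    nets=$(pf_param mynetworks "$cf")
    style=$(pf_param mynetworks_style "$cf")
    echo "INFO inet_interfaces=${ifaces:-all (Postfix default)}"

    # Postfix ignores mynetworks_style entirely once mynetworks is given.
    if [ -n "$nets" ] && [ -n "$style" ]; then
        echo "NOTE mynetworks_style='$style' is ignored because mynetworks is set"
    fi

    # List entries are separated by commas and/or whitespace.
    for net in $(printf '%s' "$nets" | tr ',' ' '); do
        case "$net" in
            *:/*) echo "NOTE $net is a lookup table; audit that file separately"; continue ;;
        esac
        prefix=${net#*/}
        [ "$prefix" = "$net" ] && prefix=32   # bare address means a single host
        if [ "$prefix" -eq 0 ] 2>/dev/null; then
            echo "FINDING $net trusts every address: open relay"
            findings=$((findings + 1))
        elif ! is_private "$net"; then
            echo "WARN $net is outside loopback/RFC 1918 space; confirm it is really yours"
        fi
    done

    if [ -z "$(pf_param smtpd_milters "$cf")" ]; then
        echo "FINDING smtpd_milters is not set: inbound mail bypasses the ClamAV milter"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Run directly: sh audit_postfix.sh [/etc/postfix/main.cf]
if [ -n "${1:-}" ]; then
    audit_postfix "$1"
fi
```

The audit only reads the file; `postconf -n` on the server shows the same effective values if you want to cross-check, and a test message relayed from an address outside mynetworks should be rejected with "Relay access denied".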
