Mike McGrath, Fedora Infrastructure Lead, Fedora Project

Host Security Introduction
This chapter focuses on host security. It does not distinguish between "servers" and "desktops". It is primarily a set of configuration and setup guidelines; the material on actual incident response and investigation has not yet been written.
Prerequisites
The topics discussed in this chapter include many advanced topics. RHCE knowledge or greater is strongly recommended. Understanding every piece of this standard is not required for compliance, but it is recommended.
Host Network Security
Required Config Lines

| Complete | Requirement | Action | Service/Config | Comment |
|----------|-------------|--------|----------------|---------|
|          | Must        | Enable | iptables       |         |
|          | Should      | Set    |                | Unless this host serves as a network device: do not pass traffic between networks. |
|          | Should      | Set    |                | Unless this host serves as a network device: do not act like a network device. |
|          | Should      | Set    |                | Unless this host serves as a network device: do not act like a network device. |
|          | Must        | Set    |                | Don't allow outsiders to alter routing tables. |
|          | Must        | Set    |                | Prevents joining a smurf attack. |
|          | Must        | Set    |                | Protection from bad ICMP error messages. |
|          | Must        | Set    |                | Enables SYN cookies for protection against SYN flood attacks. |
|          | Must        | Set    |                | Log spoofed, source routed and redirect packets. |
|          | Must        | Set    |                | Log spoofed, source routed and redirect packets. |
|          | Must        | Set    |                | Don't allow source routed packets. |
|          | Must        | Set    |                | Don't allow source routed packets. |
|          | Must        | Set    |                | Enable reverse path filtering. |
|          | Must        | Set    |                | Enable reverse path filtering. |
|          | Must        | Set    |                | Don't allow outsiders to alter routing tables. |
|          | Must        | Set    |                | Don't allow outsiders to alter routing tables. |
|          | Must        | Set    |                | Don't allow outsiders to alter routing tables. |
|          | Must        | Set    |                | Don't allow outsiders to alter routing tables. |
|          | Must        | Set    |                | Don't allow outsiders to alter routing tables. |
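As an added example (not part of the Fedora standard), the following Python script audits a host's `sysctl -a` output against the intent of each row in the table above and reports every setting that is wrong or missing. The key names are an assumption: the Service/Config cells are blank in this copy, and the keys below are the standard Linux kernel sysctls whose purpose matches each Comment.

```python
"""Audit Linux sysctl settings against the hardening intent of the table above."""
import subprocess
import sys
# Expected values.  The key names are an assumption (standard kernel sysctls)
# since the table's Service/Config cells are blank; the intent comes from its
# Comment column.  "0"/"1" are the textual values that `sysctl -a` prints.
EXPECTED = {
    "net.ipv4.ip_forward": "0",                        # do not pass traffic between networks
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",       # prevents joining a smurf attack
    "net.ipv4.icmp_ignore_bogus_error_responses": "1", # protection from bad ICMP errors
    "net.ipv4.tcp_syncookies": "1",                    # SYN flood protection
}
# Keys the table lists twice: once for the "all" and once for the "default" scope.
for scope in ("all", "default"):
    EXPECTED[f"net.ipv4.conf.{scope}.send_redirects"] = "0"       # don't act like a router
    EXPECTED[f"net.ipv4.conf.{scope}.accept_redirects"] = "0"     # outsiders can't alter routes
    EXPECTED[f"net.ipv4.conf.{scope}.secure_redirects"] = "0"     # same
    EXPECTED[f"net.ipv4.conf.{scope}.accept_source_route"] = "0"  # no source routed packets
    EXPECTED[f"net.ipv4.conf.{scope}.rp_filter"] = "1"            # reverse path filtering
    EXPECTED[f"net.ipv4.conf.{scope}.log_martians"] = "1"         # log spoofed/redirect packets

def parse_sysctl(text):
    """Parse 'key = value' lines (the `sysctl -a` format) into a dict; skip other lines."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings

def audit(text):
    """Return (key, expected, actual) for each required key that is wrong or missing."""
    current = parse_sysctl(text)
    return [(k, want, current.get(k, "<missing>"))
            for k, want in EXPECTED.items() if current.get(k) != want]

# Constructed sample of `sysctl -a` output: compliant except that forwarding is
# on, SYN cookies are off and net.ipv4.conf.default.rp_filter is absent.
SAMPLE = "\n".join(f"{k} = {v}" for k, v in EXPECTED.items()
                   if k != "net.ipv4.conf.default.rp_filter")
SAMPLE = SAMPLE.replace("ip_forward = 0", "ip_forward = 1").replace("tcp_syncookies = 1", "tcp_syncookies = 0")

if __name__ == "__main__":
    # Pass --live to audit this host instead of the constructed sample.
    text = SAMPLE
    if "--live" in sys.argv:
        text = subprocess.run(["sysctl", "-a"], capture_output=True, text=True).stdout
    for key, want, got in audit(text):
        print(f"NONCOMPLIANT {key} = {got} (expected {want})")
```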
IPTables Configuration
Required Config Lines

| Complete | Requirement | Action  | Config | Comment |
|----------|-------------|---------|--------|---------|
|          | Must        | Set     | *filter | First 4 lines. |
|          |             |         | :INPUT DROP [0:0] | |
|          |             |         | :FORWARD ACCEPT [0:0] | |
|          |             |         | :OUTPUT ACCEPT [0:0] | |
|          | Should      | Set     |        | Disable for more security, at the cost of more difficult network troubleshooting. |
|          | Should      | Set     |        | Disabling will break many network protocols, like TCP. Disable only if you know what you are doing. |
|          | Should      | Use     | -A INPUT -p tcp -m tcp --dport $PORT -j ACCEPT | To open specific TCP ports to the world. Replace $PORT with a TCP port number, like 80 for HTTP. |
|          | Should      | Use     |        | To open UDP ports to the world. Replace $PORT with a UDP port number, like 161 for SNMP. |
|          | Should      | Use     |        | To open TCP ports to specific hosts or networks. A bare IP address without a netmask is acceptable; if a network address is given, the netmask is required. Replace $PORT with a TCP port number, like 80 for HTTP. |
|          | Should      | Use     |        | To open UDP ports to specific hosts or networks. A bare IP address without a netmask is acceptable; if a network address is given, the netmask is required. Replace $PORT with a UDP port number, like 161 for SNMP. |
|          | Must        | Contain |        | This combination of TCP flags is not defined; accepting such packets may have unexpected results. |
|          | Must        | Contain |        | This combination of TCP flags is not defined; accepting such packets may have unexpected results. |
|          | Must        | Contain |        | This combination of TCP flags is not defined; accepting such packets may have unexpected results. |
|          | Must        | Contain |        | This combination of TCP flags is not defined; accepting such packets may have unexpected results. |
|          | Must        | Contain |        | This combination of TCP flags is not defined; accepting such packets may have unexpected results. |
|          | Must        | Contain |        | This combination of TCP flags is not defined; accepting such packets may have unexpected results. |
|          | Must        | Contain |        | This combination of TCP flags is not defined; accepting such packets may have unexpected results. |
|          | Must        | Contain |        | This combination of TCP flags is not defined; accepting such packets may have unexpected results. |
|          | Must        | Contain |        | This combination of TCP flags is not defined; accepting such packets may have unexpected results. |
|          | Should not  | Use     |        | This flag goes against some known standards and makes troubleshooting very difficult. The security it adds is debatable. |
|          | Should      | Set     |        | Before the last line. |
|          | Must        | Set     |        | As the last line. |