Armoring (Grid) Linux systems
This page is intended for system administrators who want to improve the security of their Linux systems in a Grid environment. It contains specific configuration changes aimed at reducing the risk of intrusion and at limiting the impact of a compromise.
This page focuses only on security at the system level (as opposed to the grid middleware level).
Generic recommendations are available from Site Security Guidelines.
Remove useless network services
Unless specifically needed by some application, the following network services should be uninstalled, or at least disabled: portmap, nfslock, and xinetd.
# Turning off useless services
/sbin/chkconfig --level 2345 portmap off
/sbin/chkconfig --level 2345 nfslock off
/sbin/chkconfig --level 2345 xinetd off
/etc/init.d/nfslock stop
/etc/init.d/portmap stop
/etc/init.d/xinetd stop
The list of active network services should be carefully controlled and validated. It can be listed with:
netstat -tplu
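The script below is an added example (not part of the original page) that turns that validation into a repeatable audit: it parses netstat -tplu output, ignores listeners bound only to loopback, and reports every listening socket that is not on an allowlist of expected proto:port pairs. The sample netstat output and the allowlist are constructed for the example; the disable_service helper wraps the chkconfig and init.d commands above and needs root.

```shell
#!/bin/sh
# Added example: audit listening network services against an allowlist.

# Constructed sample of `netstat -tplu` output (not taken from a real host).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      640/portmap
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      903/sendmail
udp        0      0 0.0.0.0:111             0.0.0.0:*                           640/portmap
udp        0      0 0.0.0.0:123             0.0.0.0:*                           701/ntpd'

# Expected listeners for this node type, one "proto:port" per line (assumption).
ALLOWED='tcp:22
udp:123'

# list_listeners: read netstat -tplu output on stdin and print "proto port program"
# for each listening socket. Sockets bound only to loopback are skipped because
# they are not reachable from the network.
list_listeners() {
    awk '$1 ~ /^(tcp|udp)/ {
        n = split($4, a, ":"); port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr ~ /^127\./ || addr == "::1") next
        prog = $NF; sub(/^[0-9]+\//, "", prog)      # "812/sshd" -> "sshd"
        proto = ($1 ~ /^tcp/) ? "tcp" : "udp"
        print proto, port, prog
    }'
}

# unexpected_listeners ALLOWLIST: print the listeners (from stdin) that are
# missing from the allowlist, one per line; prints nothing when all is expected.
unexpected_listeners() {
    allow=$1
    list_listeners | while read -r proto port prog; do
        if ! printf '%s\n' "$allow" | grep -qx "$proto:$port"; then
            printf '%s %s %s\n' "$proto" "$port" "$prog"
        fi
    done
}

# disable_service NAME: turn an init service off at boot and stop it now
# (needs root), the same steps as the chkconfig/init.d commands above.
disable_service() {
    /sbin/chkconfig --level 2345 "$1" off
    if [ -x "/etc/init.d/$1" ]; then "/etc/init.d/$1" stop; fi
}

# Demonstration on the constructed sample; on a live host run:
#   netstat -tplu | unexpected_listeners "$ALLOWED"
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "$ALLOWED"
```

On the sample above the audit reports the two portmap sockets (tcp and udp port 111) and nothing else, which is exactly the service the page says to turn off; sendmail is ignored because it only listens on 127.0.0.1.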
Remove unnecessary applications
It is important to check that every installed application is useful for the service provided by the node.
In particular, potentially dangerous applications (such as nmap, tcpdump or ethereal) should be removed.
For instance, the following set of packages should be uninstalled:
rpm -e ethereal tcpdump nmap libpcap redhat-config-rootpassword cups redhat-lsb cups-libs samba-common \
    wireless-tools ftp dhclient audiofile ppp esound arts libgnome samba-client wvdial rp-pppoe libgnomeui \
    memprof libbonoboui gnome-python2 gnome-python2-bonobo redhat-config-packages libao-0.8.3-3.1 \
    libao-devel-0.8.3-3.1
Configure a secure local firewall
It is highly recommended to configure a local firewall on all machines. Such a firewall controls the incoming connections to the system.
The local firewall is far more effective when the default behaviour is to reject connections unless they are specifically allowed.
A sample iptables configuration (in the iptables-save format loaded by iptables-restore):
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Maintaining established connections
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
# This node accepts SSH connections from the following subnets:
-A INPUT -s 137.138.0.0/255.255.0.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 128.141.0.0/255.255.0.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 128.142.0.0/255.255.0.0 -p tcp -m tcp --dport 22 -j ACCEPT
# NTP from CERN servers
-A INPUT -s 137.138.17.69 -p udp -m udp --sport 123 -j ACCEPT
-A INPUT -s 137.138.16.69 -p udp -m udp --sport 123 -j ACCEPT
# Drop invalid packets.
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags ACK,FIN FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
# Enable the loopback interface and ICMP (ping), but refuse ICMP timestamp requests.
# The specific DROP must come before the general ICMP ACCEPT: iptables stops at the
# first matching rule, so in the reverse order the DROP would never be reached.
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type timestamp-request -j DROP
-A INPUT -p icmp -j ACCEPT
COMMIT
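A ruleset like the one above is easy to get subtly wrong, because iptables applies the first matching rule and ignores everything after it. The script below is an added example (not part of the original page) that reads a ruleset in the same iptables-save format and flags three classic mistakes: an INPUT default policy other than DROP, an INPUT ACCEPT rule that is open to any source, and a specific ICMP DROP placed after a blanket ICMP ACCEPT, which can never match. The two sample rulesets are constructed: the first is a shortened copy of the page's rules with the blanket ICMP ACCEPT placed before the timestamp-request DROP, the second is a deliberately weak one. load_ruleset assumes iptables-restore is installed and needs root.

```shell
#!/bin/sh
# Added example: sanity-check an iptables-save style ruleset before loading it.

# audit_iptables: read a ruleset on stdin and print one WARN line per finding:
#  - the INPUT chain default policy is not DROP;
#  - an INPUT ACCEPT rule has no source restriction (-s), is not the loopback
#    interface (-i lo) and is not a connection-tracking rule (--state), i.e. a
#    port that is open to everyone;
#  - a specific "-p icmp --icmp-type ... -j DROP" comes after a blanket
#    "-p icmp -j ACCEPT", so it is shadowed and can never match.
audit_iptables() {
    awk '
    /^:INPUT / && $2 != "DROP" {
        print "WARN INPUT default policy is " $2 ", expected DROP"
    }
    /^-A INPUT / {
        any_src = ($0 !~ / -s /) && ($0 !~ / -i lo/) && ($0 !~ /--state/)
        if ($0 ~ / -j ACCEPT/ && any_src) {
            if ($0 ~ / -p icmp/ && $0 !~ /--icmp-type/) {
                icmp_accept = NR          # remember the blanket ICMP ACCEPT
            } else {
                print "WARN INPUT accepts from any source: " $0
            }
        }
        if (icmp_accept && $0 ~ / -p icmp/ && $0 ~ /--icmp-type/ && $0 ~ / -j DROP/) {
            print "WARN shadowed by the blanket ICMP ACCEPT at line " icmp_accept ": " $0
        }
    }'
}

# load_ruleset FILE: refuse to load a ruleset the audit complains about, let
# iptables-restore parse it without committing, then commit it (needs root).
load_ruleset() {
    if audit_iptables < "$1" | grep -q WARN; then
        echo "refusing to load $1: fix the warnings first" >&2
        return 1
    fi
    iptables-restore --test < "$1" && iptables-restore < "$1"
}

# Constructed sample: the page's ruleset (shortened) with the blanket ICMP
# ACCEPT placed before the timestamp-request DROP, so the DROP is shadowed.
SHADOWED_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 137.138.0.0/255.255.0.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 137.138.17.69 -p udp -m udp --sport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p icmp --icmp-type timestamp-request -j DROP
COMMIT'

# Constructed weak ruleset: default ACCEPT and SSH reachable from everywhere.
WEAK_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT'

printf '%s\n' "$SHADOWED_RULES" | audit_iptables
printf '%s\n' "$WEAK_RULES" | audit_iptables
```

The first sample produces a single warning for the shadowed timestamp-request DROP; the second produces two, one for the ACCEPT default policy and one for port 22 being open to any source. Rules restricted with -s, the loopback rule and the RELATED,ESTABLISHED rule are not reported.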
Armoring SSH configuration
Remote root login via SSH should be allowed with a public key or Kerberos only.
By doing so, even if the root password of the node is compromised (sniffed, cracked, guessed), it would still be impossible for the attacker to log in remotely as root (physical access to the machine or the
su command is necessary to log in as root with the root password).
It is assumed that system administrators are knowledgeable and will reasonably protect their SSH private key.
This can be implemented with the following command. Note that sshd uses the first value it finds for a keyword, so any earlier PermitRootLogin line in /etc/ssh/sshd_config must be removed or commented out for the appended line to take effect:
echo "PermitRootLogin without-password" >> /etc/ssh/sshd_config
Single user mode
Very often, Linux single-user mode, which can be activated with
physical access to the machine, lets the user log in as root
without being prompted for a password.
It is highly recommended to disable this behaviour by requiring the root password through sulogin (a bootloader password is also needed, since physical access otherwise allows the boot parameters to be changed):
echo "# What to do in single-user mode." >> /etc/inittab
echo "~~:S:wait:/sbin/sulogin" >> /etc/inittab
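The PermitRootLogin change above and this sulogin entry are both "make sure this exact line is present once" edits, and appending with echo is not safe to repeat: a second run duplicates the line, and for sshd an earlier PermitRootLogin line wins over anything appended at the end. The script below is an added example (not part of the original page) that performs both changes idempotently through a shared ensure_line helper, replacing an existing directive (active or commented out) in place and appending only when none exists. The temporary files and their contents are constructed for the demonstration; check_sshd_config assumes sshd is installed.

```shell
#!/bin/sh
# Added example: apply the sshd and inittab hardening lines idempotently.

# ensure_line FILE REGEX LINE: make FILE contain LINE exactly once. The first
# existing line matching REGEX is replaced by LINE, further matches are removed,
# and LINE is appended if nothing matched. The file is rewritten in place so
# that its ownership and permissions are kept.
ensure_line() {
    file=$1; regex=$2; line=$3
    if grep -q -e "$regex" "$file"; then
        awk -v re="$regex" -v new="$line" '
            $0 ~ re && !seen { print new; seen = 1; next }
            $0 ~ re { next }
            { print }' "$file" > "$file.tmp" && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
    else
        printf '%s\n' "$line" >> "$file"
    fi
}

# set_sshd_root_login FILE: allow remote root login with a public key or
# Kerberos only. Any existing PermitRootLogin line, active or commented, is
# replaced, because sshd honours the first PermitRootLogin it reads.
set_sshd_root_login() {
    ensure_line "$1" '^[[:space:]]*#*[[:space:]]*PermitRootLogin[[:space:]]' \
        'PermitRootLogin without-password'
}

# check_sshd_config FILE: let sshd parse the file before reloading it (needs sshd).
check_sshd_config() {
    sshd -t -f "$1"
}

# secure_single_user FILE: require the root password in single-user mode by
# giving runlevel S a sulogin entry (inittab id "~~"), replacing any previous one.
secure_single_user() {
    ensure_line "$1" '^~~:' '~~:S:wait:/sbin/sulogin'
}

# Demonstration on temporary copies with constructed contents (no root needed).
# On a real node use /etc/ssh/sshd_config and /etc/inittab, then run
# check_sshd_config and reload sshd.
demo_ssh=$(mktemp); demo_inittab=$(mktemp)
printf '%s\n' 'Port 22' 'PermitRootLogin yes' '#PermitRootLogin no' 'X11Forwarding no' > "$demo_ssh"
printf '%s\n' 'id:3:initdefault:' 'si::sysinit:/etc/rc.d/rc.sysinit' > "$demo_inittab"
set_sshd_root_login "$demo_ssh"
secure_single_user "$demo_inittab"
secure_single_user "$demo_inittab"      # second run changes nothing
cat "$demo_ssh" "$demo_inittab"
rm -f "$demo_ssh" "$demo_inittab"
```

In the demonstration the "PermitRootLogin yes" line is replaced in place and the commented duplicate is dropped, so the resulting sshd_config carries exactly one PermitRootLogin directive; the inittab gets its sulogin entry once, however many times the function is run.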
-- Romain Wartel - Romain.Wartel@cern.ch - 03 Feb 2006