Recommended UNIX Security Configuration
1. Install Security Patches
Install the latest security patches available from your vendor. New security patches are released frequently, so check for new security updates on a regular basis. We recommend updating your system's patches at least once every 1-3 months.
Links to Vendor Patches:
- Sun Microsystems Sunsolve Patches
- Red Hat Linux Patches
- SGI IRIX Patches
- Compaq (Digital) Tru64 Patches
2. Turn off Unnecessary Network Services
Turn off unnecessary services run by inetd or xinetd. The following services should be commented out in /etc/inetd.conf unless you have a specific need: finger, exec, systat, netstat, rusersd, walld, rstatd, rexd, rpc.cmsd, imapd, innd, rpc.ttdbserverd. Telnet and ftp should also be commented out of the /etc/inetd.conf unless you have a specific need to allow telnet or ftp connections.
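As an added example (not part of the original page or the CIS package), the following Bourne shell script reports which of the services listed above are still active in an inetd.conf. The file path is a parameter so it can be run against a copy of /etc/inetd.conf; the sample file it builds is constructed for illustration and resembles a Solaris-style configuration. Matching is done on whole words so that the server program (for example /usr/dt/bin/rpc.cmsd) is found even when the first column is an RPC program number.

```shell
#!/bin/sh
# Added example, not from the original LBNL page: report which of the services the
# page says to comment out are still active in an inetd.conf. The path is a
# parameter so the check can be run against a copy of /etc/inetd.conf.

# The page's own list, plus telnet and ftp, which it also says to disable.
RISKY_SERVICES="finger exec systat netstat rusersd walld rstatd rexd rpc.cmsd imapd innd rpc.ttdbserverd telnet ftp"

# Print each risky service that appears on an uncommented line (as the service
# name in column 1 or as the server program, e.g. /usr/dt/bin/rpc.cmsd).
# Returns 0 when none are active, 1 when at least one is.
enabled_risky_services() {
    conf="$1"
    found=0
    for svc in $RISKY_SERVICES; do
        # -w: whole-word match, so "ftp" does not match "tftp"; -F: literal, so
        # the dot in "rpc.cmsd" is not a wildcard.
        if grep -v '^[[:space:]]*#' "$conf" | grep -qwF -- "$svc"; then
            echo "$svc"
            found=1
        fi
    done
    return $found
}

# Constructed sample resembling a Solaris-style inetd.conf (not a real system file).
SAMPLE_CONF="${TMPDIR:-/tmp}/inetd.conf.sample.$$"
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample
ftp      stream  tcp  nowait  root    /usr/sbin/in.ftpd      in.ftpd
#telnet  stream  tcp  nowait  root    /usr/sbin/in.telnetd   in.telnetd
tftp     dgram   udp  wait    root    /usr/sbin/in.tftpd     in.tftpd -s /tftpboot
finger   stream  tcp  nowait  nobody  /usr/sbin/in.fingerd   in.fingerd
#100068/2-5  dgram  rpc/udp  wait  root  /usr/dt/bin/rpc.cmsd  rpc.cmsd
walld/1  tli     rpc/datagram_v  wait  root  /usr/lib/netsvc/rwall/rpc.rwalld  rpc.rwalld
EOF

# On the sample this prints finger, walld and ftp; telnet and rpc.cmsd are
# commented out and tftp is not on the list.
enabled_risky_services "$SAMPLE_CONF" \
    || echo "the services above are still active; comment them out and restart inetd"
```

After commenting out a service, inetd must be told to reread its configuration (typically by sending it a HUP signal) before the change takes effect; rerun the check afterwards against the live file.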
3. Install SSH Secure Shell. Minimize rhosts usage.
Install and use SSH (Secure Shell) to eliminate logins that send passwords in clear text. The currently recommended version for LBNL UNIX systems is ssh-1.2.31; it is required to facilitate user access to LETS and other LBNL systems.
Minimize the number of entries in your /.rhosts file. Never allow a non-root user to "rsh" or "rlogin" to root. The /.rhosts file must be owned by root and its permissions should be 600.
CIS-managed UNIX systems will have the entry cs4.lbl.gov root in their /.rhosts file. This entry allows access from a very secure CIS system for the purpose of remote systems administration.
Never make use of the hosts.equiv file. This file should be deleted or should not have any entries.
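The three rules above (root ownership and mode 600 on /.rhosts, no entry that lets a non-root identity reach root, and an absent or empty hosts.equiv) can be checked with the following Bourne shell script. It is an added example, not CIS code; the file paths are parameters and the sample files it builds are constructed, so it can be run on a workstation before being pointed at the real /.rhosts and /etc/hosts.equiv.

```shell
#!/bin/sh
# Added example, not from the original LBNL page: check a /.rhosts file and
# hosts.equiv against the rules above (root-owned, mode 600, no wildcard or
# non-root entries, hosts.equiv absent or empty). Paths are parameters.

# Print one finding per line; return 1 if any finding was made.
check_rhosts() {
    f="$1"
    rc=0
    [ -e "$f" ] || { echo "no rhosts file: nothing to check"; return 0; }
    # Owner and mode from ls -ld (portable across old vendor UNIX and Linux).
    set -- $(ls -ld "$f")
    mode="$1"
    owner="$3"
    [ "$owner" = "root" ] || { echo "owner is $owner, must be root"; rc=1; }
    # Accept a trailing + or . (ACL / security-context marker on some systems).
    case "$mode" in
        -rw-------*) ;;
        *) echo "mode is $mode, must be 600 (-rw-------)"; rc=1 ;;
    esac
    # Entries are "host [user]". A "+" wildcard, or a user other than root,
    # lets a non-root identity rlogin/rsh as root.
    while read -r host user extra || [ -n "$host" ]; do
        case "$host" in ''|'#'*) continue ;; esac
        if [ "$host" = "+" ] || [ "$user" = "+" ]; then
            echo "wildcard entry: $host $user"; rc=1
        elif [ -n "$user" ] && [ "$user" != "root" ]; then
            echo "non-root user allowed: $host $user"; rc=1
        fi
    done < "$f"
    return $rc
}

# hosts.equiv should not exist or should be empty.
check_hosts_equiv() {
    f="$1"
    if [ -s "$f" ]; then
        echo "hosts.equiv has entries; delete the file or empty it"
        return 1
    fi
    return 0
}

# Constructed sample files (not real system files) to demonstrate the checks.
SAMPLE_DIR="${TMPDIR:-/tmp}/rhosts.sample.$$"
mkdir -p "$SAMPLE_DIR"
SAMPLE_RHOSTS="$SAMPLE_DIR/rhosts"
SAMPLE_EQUIV="$SAMPLE_DIR/hosts.equiv"
cat > "$SAMPLE_RHOSTS" <<'EOF'
cs4.lbl.gov root
somehost alice
+ +
EOF
chmod 644 "$SAMPLE_RHOSTS"
printf 'trustedhost\n' > "$SAMPLE_EQUIV"

check_rhosts "$SAMPLE_RHOSTS" || echo "fix the rhosts file before trusting this host"
check_hosts_equiv "$SAMPLE_EQUIV" || echo "fix hosts.equiv before trusting this host"
```

On the constructed sample the script reports the 644 mode, the "somehost alice" entry and the "+ +" wildcard; the owner finding will also appear unless the script is run as root, which is the case on a real system.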
4. Sendmail Configuration
Sendmail has been the source of several security problems over the last several years. In addition, systems running sendmail can be used to relay SPAM (junk mail).
Turn off sendmail or run sendmail in send-only mode. The default configuration accepts incoming mail: sendmail is started at boot time as the process
/usr/lib/sendmail -bd -q1h
Edit the system startup files to remove the -bd flag so that sendmail is started as
/usr/lib/sendmail -q1h
Doing this prevents any incoming connections to the sendmail port (25) while still allowing the queue to be processed every hour.
If you need to run sendmail to accept connections, we recommend that you obtain and compile the latest version of Berkeley Sendmail from www.sendmail.org. If you are running the latest version of your vendor's operating system, you may already have a relatively recent version of Sendmail, which will suffice. Versions of Sendmail based on 8.9.0 or later include anti-SPAM relay features.
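The startup-file edit described above can be checked and applied with the following Bourne shell script, an added example that is not from the original page. It takes the startup file path as a parameter, keeps a copy with the suffix .orig, and removes only the -bd flag from lines that invoke sendmail; the -q1h queue-run interval and everything else on the line are left untouched. The startup fragment it rewrites is constructed for illustration, not a real vendor rc file.

```shell
#!/bin/sh
# Added example, not from the original LBNL page: detect a sendmail start-up line
# that carries the -bd (listen on port 25) flag and rewrite it to the queue-only
# form. The start-up file path is a parameter; a copy with suffix .orig is kept.

# Return 0 if an uncommented line still starts sendmail with -bd.
sendmail_listens() {
    grep -v '^[[:space:]]*#' "$1" | grep 'sendmail' | grep -q -- '-bd'
}

# Remove only the -bd flag from sendmail lines; -q1h and everything else stay.
strip_sendmail_bd() {
    f="$1"
    cp -p "$f" "$f.orig"
    sed -e '/sendmail/s/[[:space:]]-bd[[:space:]]/ /' \
        -e '/sendmail/s/[[:space:]]-bd$//' "$f.orig" > "$f"
}

# Constructed sample start-up fragment (not a real vendor rc file).
SAMPLE_RC="${TMPDIR:-/tmp}/rc.sendmail.sample.$$"
cat > "$SAMPLE_RC" <<'EOF'
# constructed sample
if [ -f /usr/lib/sendmail ]; then
    /usr/lib/sendmail -bd -q1h
    echo "sendmail started"
fi
EOF

# Rewrite the sample; the line becomes "/usr/lib/sendmail -q1h".
if sendmail_listens "$SAMPLE_RC"; then
    strip_sendmail_bd "$SAMPLE_RC"
    echo "rewrote sendmail start-up line; restart sendmail as /usr/lib/sendmail -q1h"
fi
```

After editing the real startup file, stop the running daemon and start it again without -bd; until then the old process still listens on port 25.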
5. Limiting Access with TCP Wrappers
Install and configure TCP Wrappers and Portmap3. This is recommended for Solaris, SunOS, IRIX, and Tru64 systems; most Linux distributions already have TCP Wrappers installed, but the /etc/hosts.allow and /etc/hosts.deny files still need to be configured. These utilities limit access to your system using an access control list: the TCP Wrapper program controls access to services run from inetd, and Portmap3 limits access to the portmapper or rpcbind services such as NFS and NIS.
Use the following /etc/hosts.allow configuration file as an access control list template and modify it as needed. It is preferable to limit access to one or more of the following domains: lbl.gov, nersc.gov, es.net, psf-jgi.org. Hosts requiring access from outside these domains should be added on an individual basis by specifying the IP address of the specific host, or the subnet for a group of hosts.
Download CIS TCP Wrapper and Portmap3 Package
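To see which rule decides for a given client before relying on a hosts.allow, the following Bourne shell script evaluates a hosts.allow / hosts.deny pair in tcpd's order (a match in hosts.allow grants, otherwise a match in hosts.deny refuses, otherwise access is granted). It is an added example, not the CIS package or the page's template: it implements only a subset of tcpd's pattern matching (ALL, a ".domain" suffix, an "a.b.c." network prefix, and an exact host or address) and does no hostname verification. The sample hosts.allow uses the page's four domains; the two addresses in it are documentation-range placeholders, not real hosts.

```shell
#!/bin/sh
# Added example, not the CIS package or the page's template: a small evaluator for
# hosts.allow / hosts.deny so an administrator can see which rule decides for a
# given client. It implements only a subset of tcpd's matching (ALL, ".domain"
# suffix, "a.b.c." network prefix, exact host or address) and no hostname
# verification; the sample files below are constructed.

# Does one client pattern match the client name or address?
pattern_matches() {
    pat="$1"; name="$2"; ip="$3"
    case "$pat" in
        ALL) return 0 ;;
        .*)  case "$name" in *"$pat") return 0 ;; esac ;;   # domain suffix
        *.)  case "$ip" in "$pat"*) return 0 ;; esac ;;     # network prefix
        *)   { [ "$pat" = "$name" ] || [ "$pat" = "$ip" ]; } && return 0 ;;
    esac
    return 1
}

# Return 0 if any "daemon_list : client_list" line in the file matches.
file_matches() {
    file="$1"; daemon="$2"; name="$3"; ip="$4"
    [ -f "$file" ] || return 1
    # Explicit subshell: "exit" ends this evaluation, not the calling script.
    sed -e 's/#.*//' "$file" | (
        while IFS=: read -r daemons clients rest; do
            dmatch=1
            for d in $(echo "$daemons" | tr ',' ' '); do
                [ "$d" = "ALL" ] || [ "$d" = "$daemon" ] && dmatch=0
            done
            [ $dmatch -eq 0 ] || continue
            for c in $(echo "$clients" | tr ',' ' '); do
                pattern_matches "$c" "$name" "$ip" && exit 0
            done
        done
        exit 1
    )
}

# tcpd order: a match in hosts.allow grants, else a match in hosts.deny refuses,
# else access is granted.
wrapper_decision() {
    daemon="$1"; name="$2"; ip="$3"; allow="$4"; deny="$5"
    if   file_matches "$allow" "$daemon" "$name" "$ip"; then echo allow
    elif file_matches "$deny"  "$daemon" "$name" "$ip"; then echo deny
    else echo allow
    fi
}

SAMPLE_DIR="${TMPDIR:-/tmp}/tcpw.sample.$$"
mkdir -p "$SAMPLE_DIR"
# Constructed hosts.allow using the page's domain list; the two addresses are
# documentation-range placeholders, not real hosts.
cat > "$SAMPLE_DIR/hosts.allow" <<'EOF'
ALL: .lbl.gov, .nersc.gov, .es.net, .psf-jgi.org
sshd: 192.0.2.10              # one individually approved outside host (placeholder)
portmap: 198.51.100.          # one approved outside subnet (placeholder)
EOF
# Constructed hosts.deny: refuse everything not granted above.
printf 'ALL: ALL\n' > "$SAMPLE_DIR/hosts.deny"

# A host inside lbl.gov is allowed for any daemon; the placeholder outside host
# is allowed for sshd only, so the same address asking for ftp is denied.
wrapper_decision in.telnetd host.lbl.gov   10.0.0.1   "$SAMPLE_DIR/hosts.allow" "$SAMPLE_DIR/hosts.deny"
wrapper_decision in.ftpd    ext.example.com 192.0.2.10 "$SAMPLE_DIR/hosts.allow" "$SAMPLE_DIR/hosts.deny"
```

Because the final fallback is "allow", a hosts.allow without a matching hosts.deny of ALL: ALL does not restrict anything; both files are needed for the list to act as an access control list.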
6. Designating a Responsible Contact
The DNS contact for your machine (the person listed as the contact for the IP address your machine is using) is the person the LBNL CPPM and LBNL Networking will contact if they detect a security problem with your machine. Designate the end user as the first DNS contact and your systems administrator (email@example.com if the machine is CIS managed) as the second DNS contact.
7. Keep up to Date with Computing Security Issues
Join one of the CPP security mailing lists at LBNL to keep up with the latest computing security announcements.