
@ Minimize Packages to Minimize Vulnerability

Use the 'chkconfig' command to find out which services are running on runlevel 3.
# /sbin/chkconfig --list |grep '3:on'
# chkconfig serviceName off
# yum -y remove package-name

# yum info firefox


# yum list | less
# yum list installed | less
# yum provides /etc/httpd/conf/httpd.conf
# yum grouplist
# yum repolist all
# yum shell
# yum clean all
# yum history

chkconfig --list
chkconfig --list | grep httpd

chkconfig --level 35 [service] on
chkconfig --level 2345 [service] off
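As an added example (not from the original cheat-sheet), the runlevel audit that the chkconfig commands above do by hand, turned into a small shell script: it parses `chkconfig --list` output and reports every service enabled at a given runlevel that is not on an allowlist, i.e. the candidates for `chkconfig <service> off` and `yum remove`. The sample output, the allowlist and the function names are constructed for this example; on a real host pipe the live command into the function instead.

```shell
#!/bin/sh
# Added example, not part of the original page: audit "chkconfig --list" output
# for services enabled at a runlevel and report the ones not on an allowlist.

# Constructed sample of "chkconfig --list" output (SysV lines carry one
# "N:on"/"N:off" field per runlevel; xinetd lines carry none and are ignored).
SAMPLE_CHKCONFIG='sshd           0:off 1:off 2:on  3:on  4:on  5:on  6:off
httpd          0:off 1:off 2:off 3:on  4:off 5:on  6:off
cups           0:off 1:off 2:on  3:on  4:on  5:on  6:off
bluetooth      0:off 1:off 2:off 3:on  4:off 5:on  6:off
iptables       0:off 1:off 2:on  3:on  4:on  5:on  6:off
postfix        0:off 1:off 2:off 3:off 4:off 5:off 6:off

xinetd based services:
        rsync:          off'

# Services this host is expected to run (assumption for the example).
ALLOWED_SERVICES="sshd httpd iptables"

# services_on_at_level LEVEL: read chkconfig output on stdin, print the names
# of services enabled at LEVEL, one per line, sorted.
services_on_at_level() {
    level="$1"
    awk -v lvl="$level" 'NF > 1 {
        for (i = 2; i <= NF; i++)
            if ($i == (lvl ":on")) { print $1; break }
    }' | sort
}

# unexpected_services LEVEL: services enabled at LEVEL that are not in
# ALLOWED_SERVICES; each printed name is a candidate for "chkconfig NAME off".
unexpected_services() {
    level="$1"
    services_on_at_level "$level" | while read -r svc; do
        case " $ALLOWED_SERVICES " in
            *" $svc "*) ;;                 # allowed, keep quiet
            *) printf '%s\n' "$svc" ;;     # not expected on this host
        esac
    done
}

# Demo on the constructed sample. Live usage:
#   /sbin/chkconfig --list | unexpected_services 3
echo "Services on at runlevel 3 that are not on the allowlist:"
printf '%s\n' "$SAMPLE_CHKCONFIG" | unexpected_services 3
```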

---------------------------------------------------------------------------------

@ Check Listening Network Ports

# netstat -tulpn
# netstat -a | more               Listing all the LISTENING ports of TCP and UDP connections
# netstat -at                     Listing TCP port connections
# netstat -l                      Listing all LISTENING connections
# netstat -lt                     Listing all TCP listening ports
# netstat -lu                     Listing all UDP listening ports
# netstat -lx                     Listing all UNIX listening sockets
# netstat -s                      Showing statistics by protocol
# netstat -st                     Showing statistics for the TCP protocol
# netstat -su                     Showing statistics for the UDP protocol
# netstat -tp                     Displaying service name with PID
# netstat -ac 5 | grep tcp        Displaying promiscuous mode
# netstat -r                      Displaying the kernel IP routing table
# netstat -i                      Showing network interface transactions
# netstat -ie                     Showing the kernel interface table
# netstat -g                      Displaying IPv4 and IPv6 information
# netstat -c                      Printing netstat information continuously
# netstat --verbose               Finding unsupported address families
# netstat -ap | grep http         Finding listening programs
# netstat --statistics --raw      Displaying RAW network statistics
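The listing above shows how to see the open ports; the question a reviewer actually asks is which of them are reachable from the network rather than bound to loopback only. The script below is an added example (not from the original page) that parses `netstat -tulpn` output, reports every socket bound to a wildcard address (`0.0.0.0` or `::`), and filters that against an allowlist of expected ports. The netstat output and the allowlist are constructed for the example; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original page: find services listening on all
# interfaces in "netstat -tulpn" output and flag the ones that are not expected.

# Constructed sample of "netstat -tulpn" output.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1123/sshd
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      1310/master
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN      1420/httpd
tcp        0      0 :::22                       :::*                        LISTEN      1123/sshd
udp        0      0 0.0.0.0:68                  0.0.0.0:*                               980/dhclient
udp        0      0 127.0.0.1:323               0.0.0.0:*                               870/chronyd'

# exposed_listeners: read netstat -tulpn output on stdin and print
# "proto port pid/program" for every socket bound to a wildcard address.
# The port is everything after the last ':' (works for IPv4 and ':::22');
# UDP rows have no State column, so the program name is taken from the last field.
exposed_listeners() {
    awk '$1 ~ /^(tcp|udp)6?$/ {
        n = split($4, p, ":"); port = p[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr == "0.0.0.0" || addr == "::") print $1, port, $NF
    }'
}

# unexpected_exposed "PORT PORT ...": exposed listeners whose port is not in the
# space-separated allowlist given as the first argument.
unexpected_exposed() {
    exposed_listeners | awk -v allow=" $1 " 'index(allow, " " $2 " ") == 0'
}

# Demo on the constructed sample. Live usage:
#   netstat -tulpn | unexpected_exposed "22 80"
echo "Listeners reachable from the network that are not on the allowlist:"
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_exposed "22 80"
```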

---------------------------------------------------------------------------------

@ Use Secure Shell (SSH)

# nano /etc/ssh/sshd_config
PermitRootLogin no
AllowUsers username
Protocol 2

---------------------------------------------------------------------------------
@ FIREWALL

#HTTP
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
#SSH
iptables -t filter -A INPUT -p tcp --dport 1002 -j ACCEPT

---------------------------------------------------------------------------------
@ Install denyhosts
sudo rpm -Uvh http://mirror.metrocast.net/fedora/epel/6/i386/epel-release-6-8.noarch.rpm
# nano /etc/hosts.allow
# tail -f /var/log/secure

---------------------------------------------------------------------------------

@ Turn on SELinux
# sestatus
# setenforce enforcing
# setenforce permissive
setenforce only switches between enforcing and permissive mode until the next reboot (it cannot disable SELinux); to make the mode persistent, or to disable SELinux entirely, edit the config file instead:
# nano /etc/sysconfig/selinux

---------------------------------------------------------------------------------

@ Turn Off IPv6


# nano /etc/sysconfig/network

NETWORKING_IPV6=no
IPV6INIT=no

---------------------------------------------------------------------------------

@ Restrict Users to Use Old Passwords

# nano /etc/pam.d/system-auth

Add the following line to the 'auth' section:

auth sufficient pam_unix.so likeauth nullok

Add the following line to the 'password' section to prevent a user from re-using any of his or her last 5 passwords:

password sufficient pam_unix.so nullok use_authtok md5 shadow remember=5

Only the last 5 passwords are remembered by the server. If you try to reuse any of the last 5 old passwords, you will get an error like:

Password has been already used. Choose another.

---------------------------------------------------------------------------------

@ Checking Accounts for Empty Passwords

# awk -F: '($2==""){print $1}' /etc/shadow

---------------------------------------------------------------------------------

@ Review Logs Regularly


/var/log/messages - whole system logs / current activity logs.
/var/log/auth.log - authentication logs.
/var/log/kern.log - kernel logs.
/var/log/cron.log - crond logs (cron jobs).
/var/log/maillog - mail server logs.
/var/log/boot.log - system boot log.
/var/log/mysqld.log - MySQL database server log file.
/var/log/secure - authentication log.
/var/log/utmp or /var/log/wtmp - login records.
/var/log/yum.log - yum log file.

---------------------------------------------------------------------------------

@ Ignore ICMP or Broadcast Request

# nano /etc/sysctl.conf

net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1

# sysctl -p
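Several sections of this cheat-sheet (the sshd_config settings, the PAM `remember=5` line, the empty-password check on /etc/shadow, and the ICMP sysctl keys above) are "edit this file" steps with no way to confirm the result. The script below is an added example, not part of the original page, that audits constructed copies of those files the way the real ones would be audited: it reads the effective `PermitRootLogin`, `Protocol` and `AllowUsers` values from an sshd_config (first occurrence wins, as sshd applies it), extracts the `remember=` count from the pam_unix password line, reads the last value assigned to a sysctl key (later lines override earlier ones), and lists accounts whose shadow password field is empty. The sample files, the temp directory and the function names are this example's own assumptions; on a real host point the functions at /etc/ssh/sshd_config, /etc/pam.d/system-auth, /etc/sysctl.conf and /etc/shadow. One caveat for the PAM setting: pam_unix stores the old hashes in /etc/security/opasswd, so that file must exist for `remember=` to have any effect.

```shell
#!/bin/sh
# Added example, not part of the original page: audit the hardening settings
# from the cheat-sheet in config files (constructed samples below).

# make_samples DIR: write constructed sample files (not taken from any host).
make_samples() {
    cat > "$1/sshd_config.weak" <<'EOF'
#PermitRootLogin yes
PermitRootLogin yes
Protocol 2,1
EOF
    cat > "$1/sshd_config.fixed" <<'EOF'
PermitRootLogin no
AllowUsers admin
Protocol 2
EOF
    cat > "$1/system-auth" <<'EOF'
auth        sufficient    pam_unix.so likeauth nullok
password    sufficient    pam_unix.so nullok use_authtok md5 shadow remember=5
EOF
    cat > "$1/sysctl.conf" <<'EOF'
# constructed sample: the later line overrides the earlier one
net.ipv4.icmp_echo_ignore_broadcasts = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$salt$hash:18000:0:99999:7:::
guest::18000:0:99999:7:::
bin:*:18000:0:99999:7:::
EOF
}

# sshd_effective FILE KEY: the value sshd uses for KEY (first match, case-insensitive).
sshd_effective() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# check_sshd_config FILE: 0 if the three settings from the cheat-sheet are in place.
check_sshd_config() {
    [ "$(sshd_effective "$1" PermitRootLogin)" = "no" ] &&
    [ "$(sshd_effective "$1" Protocol)" = "2" ] &&
    [ -n "$(sshd_effective "$1" AllowUsers)" ]
}

# pam_remember FILE: the remember=N count on the pam_unix password line, or 0.
pam_remember() {
    awk '$1 == "password" && $0 ~ /pam_unix\.so/ {
            for (i = 3; i <= NF; i++)
                if ($i ~ /^remember=/) { sub(/^remember=/, "", $i); print $i; found = 1; exit }
         }
         END { if (!found) print 0 }' "$1"
}

# sysctl_value FILE KEY: the last value assigned to KEY, or "unset".
sysctl_value() {
    awk -F= -v key="$2" '{ gsub(/[[:space:]]/, "", $1); gsub(/[[:space:]]/, "", $2) }
        $1 == key { v = $2 }
        END { print (v == "" ? "unset" : v) }' "$1"
}

# empty_password_accounts FILE: accounts whose shadow password field is empty
# (locked accounts, marked "!" or "*", are not empty and are not reported).
empty_password_accounts() {
    awk -F: 'NF > 1 && $2 == "" { print $1 }' "$1"
}

# Demo on the constructed samples.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in "$demo_dir/sshd_config.weak" "$demo_dir/sshd_config.fixed"; do
    if check_sshd_config "$f"; then echo "PASS sshd_config: $f"; else echo "FAIL sshd_config: $f"; fi
done
echo "pam_unix remember=$(pam_remember "$demo_dir/system-auth")"
echo "icmp_echo_ignore_broadcasts=$(sysctl_value "$demo_dir/sysctl.conf" net.ipv4.icmp_echo_ignore_broadcasts)"
echo "icmp_echo_ignore_all=$(sysctl_value "$demo_dir/sysctl.conf" net.ipv4.icmp_echo_ignore_all)"
echo "accounts with empty password: $(empty_password_accounts "$demo_dir/shadow")"
rm -rf "$demo_dir"
```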
