Another important part of the post-install set up is to secure the machine.
Caution: I am only describing what you need to do to secure the things installed if you followed my recommendations. If you installed other services and do not know what they are used for or how to use them, I HIGHLY recommend shutting them down as described in the Red Hat Linux Users Guide.
Although sendmail, as of Red Hat Linux version 7.1 and later, will not accept external connections by default, it will still start and listen on the loopback adapter. It is therefore still worth taking the steps below to secure the sendmail daemon.
By default, sendmail is installed on Realm Linux machines and runs in daemon mode. Although recent versions of sendmail are much more secure than older versions, unless you wish to receive mail at your machine, I recommend the following changes.
First, instead of running sendmail in daemon mode, it is sensible to change it to run in queue-only mode. To do this, edit /etc/sysconfig/sendmail and set DAEMON to no instead of yes. The file will then look like this:

```
DAEMON=no
QUEUE=1h
```
Also, if you are installing a lab machine, I recommend using the Sendmail configuration option in realmconfig to set the hostname that email sent from the machine appears to come from. For example, user@unity.ncsu.edu as opposed to user@random.host.ncsu.edu.
One of the “features” of Red Hat Linux is the ability to hit I on the keyboard during boot to select which services to start. This is not desirable in some environments. To disable it, edit /etc/sysconfig/init and change the line which reads

```
PROMPT=yes
```

to read

```
PROMPT=no
```
For security reasons, interactive startup is disabled by most kickstarts, including the example kickstart included in the distribution, the kickstart generators, and the web-kickstart system. However, at this time the realmconfig command does not have this functionality.
By default, Grub (the Linux boot loader) allows you to pass arguments to the kernel to change system operation, which lets anyone at the console boot into single-user mode or otherwise bypass the normal startup. To require a password for this, add the following to the top section of /boot/grub/grub.conf:

```
password changeme
```
Note: you will want to change "changeme" to a more secure password.
You can also use an MD5 hash in the Grub configuration file, so that the password does not appear in clear text. This is done by adding the following to your grub.conf (the hash can be generated with the grub-md5-crypt command that ships with Grub):

```
password --md5 <MD5HASH>
```
After doing this, you will also want to make sure your configuration file is only readable by root:

```
# chmod 600 /boot/grub/grub.conf
```

This makes it so that the password in the file can not be read by anyone other than root.
There are two services which are turned on by default in Red Hat Linux that are not used in most cases in the campus environment. Although there are no known exploits against these programs at this time, it is always smarter to turn things off to reduce your risk. The two services are portmap and nfslock, both of which would be needed if you are acting as an NFS client. To turn them off, you can either use the /usr/sbin/ntsysv program (which will also let you turn off other services if you have installed them), or you can execute the following two commands:

```
# /sbin/chkconfig portmap off
# /sbin/chkconfig nfslock off
```
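To verify that all of the changes above took effect, here is an added audit script (my own example, not part of the original guide or Realm Linux). It assumes the Red Hat 7.x layout described on this page: sysconfig files under /etc/sysconfig, GRUB legacy's /boot/grub/grub.conf, and SysV start links under /etc/rc.d/rc3.d; ROOT is a hypothetical prefix so the checks can be run against a copied tree.

```shell
#!/bin/sh
# Added audit script, not from the original page: checks the settings this
# page recommends. ROOT prefixes every path so the checks can run against a
# copied tree (assumed layout: Red Hat 7.x, GRUB legacy, SysV rc.d symlinks).
ROOT=${ROOT:-}

# sysconfig_is FILE KEY VALUE: true when the last KEY= assignment equals VALUE
# (the init scripts source the file, so the last assignment wins).
sysconfig_is() {
    [ -r "$1" ] || return 1
    got=$(sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d "\"'")
    [ "$got" = "$3" ]
}

# grub_password_ok FILE: 0 = MD5 password set, 2 = plaintext password, 1 = none
grub_password_ok() {
    [ -r "$1" ] || return 1
    grep -q '^[[:space:]]*password[[:space:]]' "$1" || return 1
    grep -q '^[[:space:]]*password[[:space:]]*--md5[[:space:]]' "$1" && return 0
    return 2
}

# mode_is FILE MODE: exact permission match using POSIX find(1)
mode_is() {
    [ -n "$(find "$1" -prune -perm "$2" -print 2>/dev/null)" ]
}

# sysv_enabled RCDIR SERVICE: a start link in runlevel 3 means chkconfig left it on
sysv_enabled() {
    for f in "$1"/rc3.d/S[0-9][0-9]"$2"; do [ -e "$f" ] && return 0; done
    return 1
}

# audit: print one line per finding; the return status is the number of findings
audit() {
    n=0
    sysconfig_is "$ROOT/etc/sysconfig/sendmail" DAEMON no || { echo "sendmail still in daemon mode"; n=$((n+1)); }
    sysconfig_is "$ROOT/etc/sysconfig/init" PROMPT no || { echo "interactive startup (I key) enabled"; n=$((n+1)); }
    rc=0; grub_password_ok "$ROOT/boot/grub/grub.conf" || rc=$?
    case $rc in
        1) echo "grub.conf has no password line"; n=$((n+1));;
        2) echo "grub.conf password is plaintext, use --md5"; n=$((n+1));;
    esac
    mode_is "$ROOT/boot/grub/grub.conf" 600 || { echo "grub.conf readable by non-root"; n=$((n+1)); }
    for s in portmap nfslock; do
        sysv_enabled "$ROOT/etc/rc.d" "$s" && { echo "$s still enabled in runlevel 3"; n=$((n+1)); }
    done
    return $n
}

# Run as: sh audit.sh --run   (exit status 0 means every check passed)
[ "${1:-}" = "--run" ] && audit
```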