
Initial Hardening of the operating system

The steps noted below will increase the level of hardening of your operating system.

These steps will remove groups and users not used by Internet servers, and set appropriate permissions for system programs. Please note that a zero (0) in the last digit of a chmod mode means that "other" (the world) has no permission at all.
  1. Log into each server as root.
  2. Copy and paste the following to your command line to execute (please double-check directory locations as applicable):
  3. Modify kernel settings to increase security:

    sysctl -w kern.securelevel=2
    sysctl -w net.inet.tcp.log_in_vain=1
    sysctl -w net.inet.udp.log_in_vain=1
  4. Edit /etc/defaults/rc.conf and /etc/rc.conf and make the following changes:

    icmp_drop_redirect="YES"
    icmp_log_redirect="YES"
    kern_securelevel_enable="YES"
    kern_securelevel="2"
    tcp_extensions="NO"
    tcp_keepalive="YES"
    icmp_bmcastecho="NO"
    icmp_bandlim="YES"
  5. Edit /etc/sysctl.conf and make the following changes:

    net.inet.tcp.log_in_vain=1
    net.inet.udp.log_in_vain=1
    kern.securelevel=2
    net.inet.ip.check_interface=1
    net.inet.tcp.recvspace=65535
    net.inet.tcp.sendspace=65535
    kern.fallback_elf_brand=3
    net.inet.tcp.syncookies=0
    net.inet.icmp.bmcastecho=0
    net.inet.icmp.maskrepl=0
    net.inet.icmp.icmplim=200
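To verify that the step 5 settings actually took effect, the following shell audit helper (an added example, not part of the AlpineWeb page) compares a sysctl.conf-style file against the security-relevant values listed above and reports every key that is missing or set differently. On a FreeBSD host the live values can first be saved with `sysctl -e` (which prints key=value lines) into such a file; the sample configuration the helper writes is constructed for demonstration only.

```shell
#!/bin/sh
# Added audit helper (not from the AlpineWeb page): checks a sysctl.conf-style
# file against the security-relevant settings from step 5 above.
WANTED='net.inet.tcp.log_in_vain=1
net.inet.udp.log_in_vain=1
kern.securelevel=2
net.inet.ip.check_interface=1
net.inet.tcp.syncookies=0
net.inet.icmp.bmcastecho=0
net.inet.icmp.maskrepl=0
net.inet.icmp.icmplim=200'

# audit_sysctl FILE: FILE holds key=value lines (a copy of /etc/sysctl.conf,
# or live values saved with `sysctl -e <keys> > FILE` on FreeBSD).  Prints one
# line per deviation and returns 1 if any; returns 0 when all keys match.
audit_sysctl() {
    file=$1; rc=0
    for want in $WANTED; do            # default IFS splits WANTED on newlines
        key=${want%%=*}; val=${want#*=}
        # last assignment of KEY wins, after stripping comments and whitespace
        have=$(awk -v k="$key" '
            { sub(/#.*/, ""); gsub(/[[:space:]]/, "") }
            index($0, k "=") == 1 { v = substr($0, length(k) + 2) }
            END { print v }' "$file")
        if [ -z "$have" ]; then
            echo "MISSING $key (want $val)"; rc=1
        elif [ "$have" != "$val" ]; then
            echo "MISMATCH $key have=$have want=$val"; rc=1
        fi
    done
    return $rc
}

# sample_conf PATH: writes a constructed sysctl.conf for demonstration; it
# lacks kern.securelevel and leaves SYN cookies enabled on purpose.
sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real host's file
net.inet.tcp.log_in_vain = 1
net.inet.udp.log_in_vain=1   # trailing comment
net.inet.ip.check_interface=1
net.inet.tcp.syncookies=1
net.inet.icmp.bmcastecho=0
net.inet.icmp.maskrepl=0
net.inet.icmp.icmplim=200
EOF
}

if [ "${1:-}" = "--demo" ]; then f=$(mktemp); sample_conf "$f"; audit_sysctl "$f"; fi
```

Run it with `--demo` to audit the constructed sample, or pass a saved file to `audit_sysctl` directly; a non-zero exit status means at least one setting deviates.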
IMPORTANT NOTE: This document is based on FreeBSD. The concepts should be similar across operating systems, but the commands will very likely be different. Also, never assume the directory structures exist in your system as written in the document. Never blindly follow security instructions -- read, review, compare, apply as it fits your system.