Debian etch (4.0) installation on the College PowerEdge 2900 server went very smoothly. Everything was fine except that Xorg hardware detection didn't pick up my monitor settings correctly; I fixed that using the pre-installation notes I wrote in the previous post. So now I have a base Debian system that needs to be secured. The security plan has three phases:
A- Normal system-wide security customizations (boot loaders, BIOS, partitions, ..)
B- Careful customization of PAM (Pluggable Authentication Modules) conf files.
C- Careful security customizations of services (NFS, SSH, ..) and other singular programs.
This post covers Part A, leaving the two remaining parts to later posts. Here are the steps I went through for this phase:
1- Prevent Floppy and CD-ROM booting.
Solution: Set a BIOS configuration (setup) password. I wanted a BIOS boot password too, but that would prevent unattended remote reboots of the system. I don't want to go from home to college just to reboot the server!
2- Prevent a physical intruder from getting a root shell by passing custom kernel parameters such as "init=/bin/sh" to the booting kernel.
Solution: Password-protect the GRUB bootloader so that only authenticated users can change the kernel entry or its parameters. The password directive goes in the global section of /boot/grub/menu.lst (above the first title entry); entries without a lock directive still boot unattended, so remote reboots keep working.
$ # Generate an MD5 hash of the password (grub-md5-crypt prompts for it twice)
$ grub-md5-crypt
Password:
Retype password:
$1$<salt>$<hash>
$ # Put the following line in /boot/grub/menu.lst, above the first "title" entry
password --md5 $1$<salt>$<hash>
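As an added example (not part of the original post), a small shell check that a GRUB legacy menu.lst really carries the password directive in its global section, and that the file holding the hash is not world-readable. It assumes GNU stat and builds its own constructed menu.lst with a dummy hash:

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a GRUB legacy
# menu.lst for the password protection described above. Assumes GNU stat.

# Return 0 when a "password --md5 $1$..." directive appears in the global
# section of $1, i.e. before the first "title" stanza. A password line placed
# inside a stanza is only evaluated when that entry boots, so it does not
# protect the GRUB editor or command line.
grub_has_global_password() {
    awk '/^[[:space:]]*title[[:space:]]/ { exit } { print }' "$1" \
        | grep -Eq '^[[:space:]]*password[[:space:]]+--md5[[:space:]]+\$1\$'
}

# The hash is only as private as menu.lst: return 0 when the file is readable
# by root alone (mode 600 or 400), 1 when other users can read it.
grub_menu_is_private() {
    case "$(stat -c '%a' "$1")" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Constructed sample modelled on a Debian etch menu.lst; the hash is a dummy.
sample=$(mktemp)
cat > "$sample" <<'EOF'
default 0
timeout 5
password --md5 $1$dummysalt$dummyhashdummyhashdummy
title Debian GNU/Linux, kernel 2.6.18-4-686
root (hd0,0)
EOF
chmod 600 "$sample"
grub_has_global_password "$sample" && echo "password directive is in the global section"
grub_menu_is_private "$sample"     && echo "menu.lst is not world-readable"
rm -f "$sample"
```

Run it against the live file with `grub_has_global_password /boot/grub/menu.lst` after editing; a directive that update-grub has moved below the first title entry silently stops protecting the editor.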
3- Prevent DoS attacks that fill the "/" mount point by filling user-writable directories like /tmp.
Solution: User-writable directories like /home and /tmp get their own separate LVM logical volumes (the LVM equivalent of physical partitions). This step was actually already done during installation.
4- The out-of-the-box "init" configuration permits any user with access to a physical keyboard and a console (even if not logged in!) to restart the system by pressing Ctrl+Alt+Del.
Solution: Pressing the Ctrl-Alt-Del sequence activates the following line in /etc/inittab:
ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
$ man shutdown
-a: Use /etc/shutdown.allow; the shutdown/reboot only proceeds if one of the users listed there is logged in on a console
$ cat > /etc/shutdown.allow
root
ahmed
5- World-writable directories such as /tmp let a local attacker drop and run setuid binaries or other executables.
Solution: Use mount options that prevent attackers from executing setuid binaries or any executables in /tmp, and apply similar restrictions to the /var and /home partitions. Mount /usr and /boot read-only to keep the system in a safe and stable state (remount them read-write, e.g. mount -o remount,rw /usr, before upgrading packages, and back to read-only afterwards).
$ cat /etc/fstab
/dev/debian/usr /usr ext3 defaults,ro 0 2
/dev/debian/var /var ext3 defaults,nodev 0 2
/dev/debian/home /home ext3 rw,nosuid,nodev,exec,auto,nouser,async 0 2
/dev/debian/tmp /tmp ext3 defaults,nodev,nosuid,noexec 0 2
...
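As an added example (not part of the original post), a shell audit that reads an fstab and checks that each of the mount points above carries the options the post relies on. The required-option table is an assumption drawn from the fstab shown above; the sample fstab is constructed inline, so it runs offline:

```shell
#!/bin/sh
# Added example, not from the original post: check that the mount options in
# an fstab match the hardening described above.

# Return 0 if the fstab line for mount point $2 in file $1 contains every
# option listed in $3 (comma-separated), 1 otherwise.
fstab_has_opts() {
    fstab="$1"; mnt="$2"; want="$3"
    # Field 2 is the mount point, field 4 the option list; comments are skipped.
    opts=$(awk -v m="$mnt" '$1 !~ /^#/ && $2 == m { print $4; exit }' "$fstab")
    [ -n "$opts" ] || return 1
    for o in $(printf '%s' "$want" | tr ',' ' '); do
        case ",$opts," in
            *",$o,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Audit the mount points the post hardens (table is an assumption based on
# the fstab above). Prints one line per check, returns the number of failures.
audit_fstab() {
    fstab="$1"; failed=0
    while read -r mnt want; do
        if fstab_has_opts "$fstab" "$mnt" "$want"; then
            echo "ok   $mnt has $want"
        else
            echo "FAIL $mnt lacks one of $want"
            failed=$((failed + 1))
        fi
    done <<EOF
/usr ro
/var nodev
/home nosuid,nodev
/tmp nodev,nosuid,noexec
EOF
    return $failed
}

# Constructed sample modelled on the post's fstab; all checks pass on it.
sample=$(mktemp)
cat > "$sample" <<'EOF'
/dev/debian/usr  /usr  ext3 defaults,ro 0 2
/dev/debian/var  /var  ext3 defaults,nodev 0 2
/dev/debian/home /home ext3 rw,nosuid,nodev,exec,auto,nouser,async 0 2
/dev/debian/tmp  /tmp  ext3 defaults,nodev,nosuid,noexec 0 2
EOF
audit_fstab "$sample"
rm -f "$sample"
```

`audit_fstab /etc/fstab` run from cron makes a silent regression (someone dropping noexec from /tmp to get a build working) visible; note that it checks the configured options, not what is actually mounted, so pair it with `mount` output after a remount.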
6- Each running service is a potential security hole. Run the minimum number of services required.
Solution: remove the start links with update-rc.d (and stop the already running daemons with /etc/init.d/<service> stop):
$ # No one uses the inetd daemon nowadays
$ update-rc.d -f openbsd-inetd remove
$ update-rc.d openbsd-inetd stop 20 2 3 4 5 .
$ # There's no need for the exim4 mailer either, for now
$ update-rc.d -f exim4 remove
$ update-rc.d exim4 stop 20 2 3 4 5 .
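As an added example (not part of the original post), a shell check of what update-rc.d has actually left enabled: it reads the S?? start links of a runlevel and reports whether a named service still starts. It takes the /etc directory as a parameter so it can run against a constructed copy (built inline below) or the live system:

```shell
#!/bin/sh
# Added example, not from the original post: inspect the sysv-rc start links
# to confirm that a service no longer starts in a given runlevel.

# Print the service names behind the S?? links in $1/rc$2.d, one per line.
enabled_services() {
    etc="$1"; rl="$2"
    for link in "$etc/rc$rl.d"/S[0-9][0-9]*; do
        [ -e "$link" ] || [ -L "$link" ] || continue   # glob matched nothing
        # Strip the directory and the Snn prefix to get the service name.
        name=${link##*/}; name=${name#S[0-9][0-9]}
        echo "$name"
    done
}

# Return 0 when service $3 has no start link in runlevel $2 under $1.
service_is_disabled() {
    ! enabled_services "$1" "$2" | grep -qx "$3"
}

# Constructed sample tree mimicking /etc after the update-rc.d commands above:
# ssh and sysklogd still start, openbsd-inetd and exim4 only have K links.
demo=$(mktemp -d)
mkdir -p "$demo/init.d" "$demo/rc2.d"
for s in ssh sysklogd openbsd-inetd exim4; do : > "$demo/init.d/$s"; done
ln -s ../init.d/sysklogd      "$demo/rc2.d/S10sysklogd"
ln -s ../init.d/ssh           "$demo/rc2.d/S20ssh"
ln -s ../init.d/openbsd-inetd "$demo/rc2.d/K20openbsd-inetd"
ln -s ../init.d/exim4         "$demo/rc2.d/K20exim4"
echo "enabled in runlevel 2:"; enabled_services "$demo" 2
service_is_disabled "$demo" 2 openbsd-inetd && echo "openbsd-inetd will not start"
rm -rf "$demo"
```

On the server itself, `enabled_services /etc 2` is the list to review after each package install, since a newly installed daemon is enabled by its postinst unless it is removed the same way.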
To Be Continued
Tuesday, May 15, 2007
Unix Administration (II): Security (A)
1 comment:
Good Post.
Though, it'd better be explained.
Keep up the good posts! :)