Securing-Optimizing-RH-Linux-1_2_40
Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca
© Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ®
40
The "root" account is the most privileged account on a Unix system. The "root" account has no
security restrictions imposed upon it. This means the system assumes you know what you are
doing, and will do exactly what you request -- no questions asked. Therefore it is easy, with a
mistyped command, to wipe out crucial system files. When using this account it is important to be
as careful as possible. For security reasons, never log in on your server as "root" unless is
absolutely necessary for tasks that necessities "root" access. Also if your are not on your server,
never sign in and let in as "root". VERY VERY VERY BAD.
6. Set login time out for the root account
Although the notice to never if their are not on the server, sign in and let in as root,
administrators still stay as root or forget to logout after finishing their works and leave their
terminals unattended. The answer to solve this problem is to make the bash shell automatically
logout after not being used for a period of time. To do that, you must set the special variable of
Linux named TMOUT to the time in seconds of no input before logout.
Edit your profile file vi /etc/profile and add the following line somewhere after the line that read
HISTFILESIZE= on this file:
TMOUT=7200
The value we enter for the variable TMOUT= is in second and represent 2 hours (60 * 60 =
3600 * 2 = 7200 seconds). It is important to note that if you decide to put the above line in your
/etc/profile file then the automatic logout after two hours of inactivity will apply for all users on
the system. So instead if your prefer to control which users will be automatically logout and which
ones not, you can set this variable in their individual .bashrc file.
After this parameter has been set on your system, you must logout and login again (as root) for
the change to take effect.
7. The /etc/exports file
If you are exporting file systems using NFS service, be sure to configure the /etc/exports file
with the most restrictive access possible. This means not using wildcards, not allowing root write
access, and mounting read-only wherever possible.
Edit the exports file (vi /etc/exports) and add:
As an example:
/dir/to/export host1.mydomain.com(ro,root_squash)
/dir/to/export host2.mydomain.com(ro,root_squash)
Where /dir/to/export is the directory you want to export, host#.mydomain.com is the machine
allowed to log in this directory, the <ro> option mean mounting read-only and the <root_squash>
option for not allowing root write access in this directory.
For this change to take effect you will need to run the following command on your terminal:
[root@deep]# /usr/sbin/exportfs -a
NOTE: Please be aware that having an NFS service available on your system can be a security
risk. Personally, I don't recommend using it.
8. Disabling console program access