
Security on Linux: Secure your Linux Server

PCQ Bureau

At the time of PCQLinux 2004 installation, a firewall is configured for you (step 7 of installation). The default is ‘deny all’ for incoming packets. If you change this setting, we assume that you know what you are doing. Over and above this, you should secure your installation further immediately after installing the server. Below is a list of some security measures that you can practice.


Disable unwanted services



Issue the command ‘ntsysv’. Make sure you un-check the services that you are not going to use. Highlighting a service using the arrow keys and pressing F1 will show a description of the service, which can help you to decide whether to enable or disable the service. 

Enable firewall



PCQLinux 2004 ships with a straightforward tool, redhat-config-securitylevel, to achieve this. Launch it by typing its name on the Linux console or in a terminal window within X. If the firewall is disabled, turn it on by selecting Enable. If you want to further customize the services to which access is allowed, check them selectively. If you have launched the tool from the command line, select (using spacebar) the Customize button to select/deselect the services. If your server has two network cards, you can mark the card connected to your internal network as trusted to allow free flow of traffic across it. The firewall will block the traffic (specifically, inbound traffic) across the card or network interface not marked as trusted.

Block SSH root login



Telnet access is disabled by default. Instead, you have Secure Shell (SSH), in which the data flows encrypted. However, by default, SSH login as root is enabled. That is, someone can SSH to the server as the root (privileged or administrator) user. This should be disabled; if a person needs root access, he can ‘su’ during an SSH session. To disable root login, open the file named sshd_config found in the /etc/ssh directory and append the following line to it.







PermitRootLogin no







Issue ‘service sshd reload’. 
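sshd uses the first value it reads for each keyword, so the appended line has no effect if an uncommented PermitRootLogin setting already appears earlier in the file. The check below is an added example, not part of the original article; the function names and the sample file contents are constructed for illustration, and it also stops at conditional Match blocks, which later OpenSSH releases support.

```shell
#!/bin/sh
# Added example: report the PermitRootLogin value sshd will actually apply.

# effective_permit_root_login FILE
# Prints the first uncommented PermitRootLogin value in FILE's global section,
# or "unset" if there is none (sshd then falls back to its built-in default).
effective_permit_root_login() {
    awk '
        { gsub(/=/, " ") }                   # "Keyword=value" form is also accepted
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        tolower($1) == "match" { exit }      # conditional blocks are not global
        tolower($1) == "permitrootlogin" {   # keywords are case-insensitive
            print tolower($2); found = 1; exit   # first occurrence wins
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# root_login_blocked FILE: succeeds only if the effective value is "no".
root_login_blocked() {
    [ "$(effective_permit_root_login "$1")" = "no" ]
}

# Constructed sample: root login explicitly enabled near the top of the file,
# with the hardening line appended at the end.
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' 'Port 22' 'PermitRootLogin yes' 'PermitRootLogin no' > "$tmp"
    if root_login_blocked "$tmp"; then
        echo "OK: root login over SSH is blocked"
    else
        echo "WARN: effective PermitRootLogin is $(effective_permit_root_login "$tmp")"
    fi
    rm -f "$tmp"
}

demo
```

On a real server, call root_login_blocked /etc/ssh/sshd_config after editing; if it fails, edit the earlier line instead of appending a new one.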





Secure Web server



If you are using the Apache Web server for a site that requires some sort of login, it is recommended that you enable SSL (Secure Sockets Layer) for the site. Without this, sensitive information, such as the login credentials, will flow unencrypted between a Web browser and the Web server. To SSL-enable Apache, you need to install an RPM named mod_ssl-2.0.47-10.i386.rpm found in the directory PCQLinux/RPMS on PCQLinux 2004 CD 1. Next, open the file named httpd.conf found in the directory /etc/httpd and remove the following line, which makes Apache listen for unencrypted HTTP connections on port 80:







Listen 80







Issue ‘service httpd reload’. 





Restrict MySQL access



A default MySQL installation has the root password set to blank and anyone is allowed to connect to the server as anonymous. Here’s how to fix it. Issue the following command.







mysql -u root -p







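This will show the MySQL command prompt. At this prompt, issue the following SQL statements. The second makes the server reload its grant tables so that the change takes effect immediately.

delete from mysql.user where user='';
flush privileges;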







This will disable anonymous logins. Issue ‘quit’ to return to the Linux command line. Issue the following at the Linux command line.













mysqladmin -u root -p password pcq123_labs_

This will set the root (the admin user for MySQL database server) password to pcq123_labs_. Substitute this with your preferred password. 

Shekhar Govindarajan
