11-27-2009, 10:49 AM   #1
Registered: Aug 2009
Location: Rawalpindi
Distribution: RHEL 5, CentOS
Posts: 38

Securing a RedHat Linux ES 4 Machine

I have recently acquired a project that has Oracle 10g & Tomcat installed on RedHat 4 ES.
I want to secure the machine at port level as well as OS level. Please give me your precious suggestions.
11-28-2009, 03:28 AM   #2
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Originally Posted by sabir_mustafa:
I want to secure the machine at port level as well as OS level.
If you are a RHCE, MCSE, MCSA (I mean not just on paper) then I hope we may expect a little bit more from you (in terms of offering performed steps and details) as you should be looking at your complete infrastructure and not just focus on the DB machine itself. Besides, a lot of the analysis involved will be distribution and platform-agnostic (policies, users, processes, access restrictions, networking). If this is a production environment then you might find that having an experienced DBA along for the ride in the end will cost less if you're not one yourself.
- What networked items make up your web stack (router, IDS, (reverse) proxy, web application firewall, load balancer, web servers, DB servers, staging servers)?
- Are all hosts located in one or more DMZ segments?
- Which (web) hosts are allowed to access the DB host?
- What services will be listening per host?
- Are there password policies on host and DB level?
- Which users will be able to access what systems and how?
- What software components make up your web stack, are they installed using installation defaults and without removing diagnostic and example material?
0 members found this post helpful.
11-28-2009, 11:55 PM   #3
Registered: Aug 2009
Location: Rawalpindi
Distribution: RHEL 5, CentOS
Posts: 38

Original Poster
Dear moderator:
First of all I want to tell you that at least RHCE cannot be obtained using paper. The only thing that makes a difference is experience, so please think before you write.
The project was under the control of some other party for 3 years; I have also acquired a DBA for the same. During my 1st analysis I found that:

- No strong passwords
- Website is non-ssl
- Replication is manual
- Users are defined in DB
- Passwords are stored in plain text in DB
- Production network is exposed to internet

I am working for Security as well as Network policy at the same time. Further analysis will be done after I apply basic security designs.
If you can extend any good suggestion it will be welcomed.
11-29-2009, 07:22 AM   #4
Registered: Dec 2008
Location: Bellevue,WA
Distribution: RHEL 5 , Fedora ,Sabayon,Solaris,Vmware,AWS
Posts: 107


For port level securing use iptables.
For OS level securing use ACLs, SELinux.

1 members found this post helpful.
11-29-2009, 02:32 PM   #5
Senior Member
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

@sabir: Hardening RHEL and the services it offers up is a significant task that's going to require research and an iterative approach on your part.

As you probably know, the OS basics include:
  • Shutting off unneeded services
  • Controlling access to tcp/udp services using iptables (or tcp wrappers, or pam_access, if supported)
  • Limiting shell accounts, and enforcing strong passwords where they're required using pam_passwdqc
  • Keeping your clock in sync via ntp
  • Disabling root logins to all but the local machine using pam_access
  • Running a HIDS and checking system integrity at appropriate intervals
  • Installing sysstat and regularly reviewing system performance
  • Reviewing your systems logs often (e.g. logwatch helps)
  • Applying security patches as they're available, after proper testing

Again, that is just the OS, and it may just be a starting point for you. Each of the services needs a critical look to ensure it's in the most secure configuration it can be, given your situation.

Oracle is a universe unto itself. As mentioned, it would be nice if you had a DBA to manage that db/service. If you don't, I suspect you will have a lot of reading to do.

Last edited by anomie; 11-29-2009 at 02:33 PM.
1 members found this post helpful.
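
As an added illustration of the iptables and "unneeded services" points in posts #4 and #5 (not part of any post in this thread): a shell sketch that prints a default-deny inbound ruleset for a Tomcat plus Oracle host and lists listening ports that ruleset does not account for. The ports are the stock defaults (8080, 1521, 22), and the addresses and netstat sample are constructed assumptions.

```shell
#!/bin/sh
# Added example. Ports are the stock defaults; addresses are documentation ranges.
TOMCAT_PORT=8080   # Tomcat default HTTP connector (assumed unchanged)
ORACLE_PORT=1521   # Oracle Net listener default (assumed unchanged)
SSH_PORT=22

# emit_allow SOURCES PORT: one ACCEPT rule per source for new TCP connections.
emit_allow() {
    for src in $1; do
        printf '%s\n' "-A INPUT -p tcp -s $src --dport $2 -m state --state NEW -j ACCEPT"
    done
}

# gen_rules WEB_CLIENTS DB_CLIENTS ADMIN_NET
# Each argument is a space-separated list of source addresses or CIDR blocks.
# Prints a default-deny ruleset in iptables-restore format
# (the format RHEL keeps in /etc/sysconfig/iptables).
gen_rules() {
    printf '%s\n' "*filter" ":INPUT DROP [0:0]" ":FORWARD DROP [0:0]" \
        ":OUTPUT ACCEPT [0:0]" \
        "-A INPUT -i lo -j ACCEPT" \
        "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    emit_allow "$1" "$TOMCAT_PORT"
    emit_allow "$2" "$ORACLE_PORT"
    emit_allow "$3" "$SSH_PORT"
    # Rate-limited log of whatever falls through to the DROP policy.
    printf '%s\n' "-A INPUT -m limit --limit 5/min -j LOG --log-prefix INPUT-DROP:" "COMMIT"
}

# unexpected_listeners: reads `netstat -tln` output on stdin and prints every
# listening TCP port the ruleset does not account for (candidates to shut off).
unexpected_listeners() {
    awk -v ok=" $TOMCAT_PORT $ORACLE_PORT $SSH_PORT " '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":"); port = a[n]
            if (index(ok, " " port " ") == 0) print port
        }' | sort -un
}

# Constructed sample of `netstat -tln` output (not taken from the thread).
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:22        0.0.0.0:*   LISTEN
tcp        0      0 0.0.0.0:111       0.0.0.0:*   LISTEN
tcp        0      0 127.0.0.1:631     0.0.0.0:*   LISTEN
tcp        0      0 :::8080           :::*        LISTEN
tcp        0      0 0.0.0.0:1521      0.0.0.0:*   LISTEN'

gen_rules "192.0.2.10" "192.0.2.10" "198.51.100.0/24"
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners
```

Review the generated ruleset before loading it with `iptables-restore`, since the admin network argument is the only path it leaves open for SSH.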
12-14-2009, 12:34 AM   #6
Registered: Aug 2009
Location: Rawalpindi
Distribution: RHEL 5, CentOS
Posts: 38

Original Poster
Project update!

Dear members:
I have practically started the project work. Since it's a huge project for me for the first time, I have decided to share my experience and deployment. Comments and suggestions are warmly welcomed.

The 1st task I have decided is to segregate the network. I have asked the team to distribute the network into the following categories.

1. Internal LAN [ For all company users wherever they sit ]
2. Admin LAN [ Only for administrators ]
3. External LAN [ For internet based work ]

I shall further share details as soon as I have gathered the information.


All times are GMT -5.