Securing CentOS with Bastille

Introduction

What is Bastille? Bastille is a Linux hardening program that proactively configures a Linux box, making it a more locked-down, safer OS. It can also harden the system's current state on demand, generating a report each time it runs.

Bastille currently supports the Red Hat family (Fedora Core, Enterprise, and Numbered/Classic), SUSE, Debian, Gentoo, and Mandrake distributions, along with HP-UX. There is now a Mac OS version as well. When the program is run, it presents a myriad of options and settings you can change, in typical Linux yes/no command-prompt fashion.
------------------------------------------------------

Requirements

Linux Distro - CentOS 5
Internet Access
Root Access

Installation

------------------------------------------------------

CREATE A SYSTEM ADMIN ACCOUNT

adduser service

------------------------------------------------------

CREATE PASSWORD FOR service

passwd service

------------------------------------------------------

CREATE DIRECTORIES TO DOWNLOAD RPM

mkdir /downloads
cd /downloads

------------------------------------------------------

DOWNLOAD AND INSTALL PSAD

wget http://www.cipherdyne.com/psad/download/psad-1.4.6-1.i386.rpm
rpm -Uvh psad-1.4.6-1.i386.rpm
------------------------------------------------------

DOWNLOAD AND INSTALL BASTILLE

wget http://easynews.dl.sourceforge.net/sourceforge/bastille-linux/Bastille-3...
wget ftp://ftp.univie.ac.at/systems/linux/dag/redhat/el4/en/i386/RPMS.dag/per...

rpm -ivh Bastille-3.0.9-1.0.noarch.rpm
rpm -Uvh perl-Curses-1.12-1.2.el4.rf.i386.rpm

------------------------------------------------------

START BASTILLE

/usr/sbin/bastille

-------------------------------------------------------

BASTILLE LINUX WIZARD (yes a linux wizard)

accept

ENTER

Would you like to set more restrictive permissions on the administration utilities? -> YES

ENTER

Would you like to disable SUID status for mount/umount? -> YES
Would you like to disable SUID status for ping? -> YES
Would you like to disable SUID status for at? -> YES
Would you like to disable the r-tools? -> YES
Would you like to disable SUID status for usernetctl? -> YES
Would you like to disable SUID status for traceroute? -> YES
Should Bastille disable clear-text r-protocols that use IP-based authentication? -> YES
Would you like to enforce password aging? -> YES
Do you want to set the default umask? -> YES
What umask would you like to set for users on the system? -> 007
Should we disallow root login on tty's 1-6? -> NO
Should Bastille ask you for extraneous accounts to delete? -> NO
Would you like to password-protect the GRUB prompt? -> NO
Would you like to disable CTRL-ALT-DELETE rebooting? -> YES
Would you like to password protect single-user mode? -> NO
Would you like to set a default-deny on TCP Wrappers and xinetd? -> NO
Would you like to display "Authorized Use" messages at log-in time? -> YES
Who is responsible for granting authorization to use this machine? -> YOUR COMPANY NAME
Would you like to put limits on system resource usage? -> YES

ENTER

Should we restrict console access to a small group of user accounts? -> YES
Which accounts should be able to login at console? -> root
Would you like to set up process accounting? -> NO

ENTER

Would you like to disable acpid and/or apmd? -> YES
Would you like to disable PCMCIA services? -> YES
Would you like to disable GPM? -> YES
Would you like to deactivate the HP OfficeJet (hpoj) script on this machine? -> YES
Would you like to deactivate the ISDN script on this machine? -> YES
Would you like to deactivate kudzu's run at boot? -> YES
Do you want to stop sendmail from running in daemon mode? -> YES
Would you like to deactivate named, at least for now? -> NO
Would you like to deactivate the Apache web server? -> NO
Would you like to bind the Web server to listen only to the localhost? -> NO
Would you like to bind the web server to a particular interface? -> NO

ENTER

Would you like to deactivate the following of symbolic links? -> YES
Would you like to disable printing? -> YES
Would you like to install TMPDIR/TMP scripts? -> NO
Would you like to run the packet filtering script? -> YES

ENTER

Do you need the advanced networking options? -> NO
DNS Servers: [0.0.0.0/0] -> **LEAVE DEFAULT**
Public interfaces: -> eth+
TCP services to audit: -> telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh
UDP services to audit: -> 31337
ICMP services to audit: -> **BLANK**
TCP service names or port numbers to allow on public interfaces: -> 21 22 25 53 80 110 111 143 443 631 953 993 995 3306
UDP service names or port numbers to allow on public interfaces: -> **BLANK**
Force passive mode? -> YES
TCP services to block: -> 2049 2065:2090 6000:6020 7100
UDP services to block: -> 2049 6770
ICMP allowed types: -> destination-unreachable echo-reply time-exceeded
Enable source address verification? -> YES
Reject method: -> DENY
Interfaces for DHCP queries: -> **BLANK**
NTP servers to query: -> **BLANK**
ICMP types to disallow outbound: -> destination-unreachable time-exceeded
Should Bastille run the firewall and enable it at boot time? -> YES
Would you like to setup psad? -> YES
psad check interval: -> 15
Port range scan threshold: -> 1
Enable scan persistence? -> NO
Scan timeout: -> 3600
Show all scan signatures? -> NO
Danger Levels: -> 5 50 1000 5000 10000
Email addresses: -> root@localhost
Email alert danger level: -> 1
Alert on all new packets? -> YES
Enable automatic blocking of scanning IPs? -> NO
Should Bastille enable psad at boot time? -> YES
Are you finished answering the questions, i.e. may we make the changes? -> YES

TAB

EDIT SSH CONFIG FILE TO DENY ROOT LOGON

vi /etc/ssh/sshd_config

EDIT THESE LINES

PermitRootLogin no
PermitEmptyPasswords no

REBOOT
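After the reboot, a quick way to confirm that the wizard answers and the sshd edit above actually took effect. This audit script is an added example, not part of Bastille or of the original write-up; it assumes CentOS 5 paths (/etc/inittab, /etc/login.defs, /bin/traceroute) and every check reads the file or binary passed to it, so the functions can also be run against copies.

```bash
#!/bin/bash
# Added example (not Bastille's own code): audit the hardening answers given
# above. Every check takes the file or binary to inspect as an argument, so the
# same functions can run against the live system or against sample copies.

# SUID bit status for one binary: "SUID" if still set, "ok" if cleared.
suid_status() {
    if [ -u "$1" ]; then echo "SUID"; else echo "ok"; fi
}

# Effective value of an sshd_config directive. sshd uses the first uncommented
# occurrence, so a commented "# PermitRootLogin yes" above the real line is
# ignored, but a stray active "PermitRootLogin yes" earlier in the file wins.
sshd_directive() {  # $1 = config file, $2 = directive name (case-insensitive)
    awk -v d="$2" 'tolower($1) == tolower(d) { print $2; exit }' "$1"
}

# Ctrl-Alt-Del reboot in a SysV inittab: "enabled" if an active ctrlaltdel
# action line exists, "disabled" if it is commented out or missing.
ctrlaltdel_status() {
    if grep -q '^[^#]*:ctrlaltdel:' "$1"; then echo "enabled"; else echo "disabled"; fi
}

# Password aging: PASS_MAX_DAYS from login.defs (99999 means aging is off).
pass_max_days() {
    awk '$1 == "PASS_MAX_DAYS" { print $2; exit }' "$1"
}

# Run all checks against the live system using assumed CentOS 5 paths; needs
# root to read the files Bastille changed.
audit_live() {
    for b in /bin/mount /bin/umount /bin/ping /usr/bin/at /bin/traceroute; do
        [ -e "$b" ] && printf '%-24s %s\n' "$b" "$(suid_status "$b")"
    done
    printf '%-24s %s\n' PermitRootLogin      "$(sshd_directive /etc/ssh/sshd_config PermitRootLogin)"
    printf '%-24s %s\n' PermitEmptyPasswords "$(sshd_directive /etc/ssh/sshd_config PermitEmptyPasswords)"
    printf '%-24s %s\n' "Ctrl-Alt-Del reboot" "$(ctrlaltdel_status /etc/inittab)"
    printf '%-24s %s\n' PASS_MAX_DAYS        "$(pass_max_days /etc/login.defs)"
}
```

Source the script and call audit_live as root; any binary reported as SUID, PermitRootLogin not "no", or Ctrl-Alt-Del "enabled" means the corresponding answer did not apply.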

------------------------------------------------------

As you can see, it is as simple as using a Windows product, except it will not break, and it is way more secure.