RHEL 6 Security: Resources & Hardening

TL;DR

This guide provides resources and steps to improve the security of Red Hat Enterprise Linux 6 (RHEL 6). It covers patching, firewall configuration, SELinux, user management, SSH hardening, and log analysis. RHEL 6 is end-of-life, so focus on minimal functionality and isolation if possible.

1. Patching

Keeping your system updated is crucial, even though RHEL 6 is no longer officially supported. You’ll need to use the Red Hat Customer Portal (requires a subscription) or find alternative repositories (use with caution!).

1. Check for Updates: Use yum to check for available updates.

   sudo yum check-update

2. Apply Updates: Install all available updates. Be careful, as updates may cause compatibility issues on an old system.

   sudo yum update

3. Security Errata: Regularly review Red Hat security advisories for RHEL 6 (if you have access to the portal) and apply relevant patches.

2. Firewall Configuration (iptables)

RHEL 6 uses iptables as its firewall. Configure it to allow only necessary traffic.

1. Check Current Rules: View the current iptables rules.

   sudo iptables -L

2. Allow SSH (Port 22): Ensure SSH is allowed from trusted networks. Replace your_network with your actual network address.

   sudo iptables -A INPUT -p tcp --dport 22 -s your_network -j ACCEPT

3. Allow HTTP/HTTPS (Ports 80/443): If you’re running a web server, allow these ports.

   sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT

   sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

4. Drop All Other Incoming Traffic: This is a default-deny approach.

   sudo iptables -P INPUT DROP

5. Save Rules: Save the current iptables rules so they persist after reboot. The method varies depending on your setup; often it involves using service iptables save or a similar command.

3. SELinux

SELinux provides mandatory access control. It’s best to keep it enabled in enforcing mode if possible, but you may need to temporarily switch to permissive mode for troubleshooting.

1. Check SELinux Status: Determine the current SELinux mode.

   getenforce

2. Set Mode (if needed): Change the SELinux mode. Use with caution!

   sudo setenforce enforcing

   sudo setenforce permissive

3. Audit Logs: Monitor the audit logs for SELinux denials (see section 6).

4. User Management

Strong user management is essential.

1. Disable Unnecessary Accounts: Remove or disable accounts that are not used.

   sudo usermod -L username

   (Locks the account)

2. Strong Passwords: Enforce strong password policies. Consider using pam_pwquality module in /etc/pam.d/system-auth and /etc/pam.d/password-auth to enforce complexity requirements.
3. sudo Access: Limit sudo access to only those users who require it, and grant them the minimum necessary privileges.

   sudo visudo

   (Edit the sudoers file carefully!)

5. SSH Hardening

Secure your SSH configuration.

1. Disable Password Authentication: Use key-based authentication instead.
   In /etc/ssh/sshd_config, set PasswordAuthentication no
2. Change Default Port: Change the default SSH port (22) to a non-standard port. In /etc/ssh/sshd_config, change Port 22 to another port number.
3. Disable Root Login: Prevent direct root login via SSH.
   In /etc/ssh/sshd_config, set PermitRootLogin no
4. Allow Users/Groups: Restrict SSH access to specific users or groups.
   Use the AllowUsers and AllowGroups directives in /etc/ssh/sshd_config.
5. Restart SSH Service: Apply changes.

   sudo service sshd restart

6. Log Analysis

Regularly review system logs for suspicious activity.

1. Key Logs: Focus on these logs:
   • /var/log/messages (General system messages)
   • /var/log/secure (SSH login attempts and authentication events)
   • /var/log/audit/audit.log (SELinux audit events)
2. Log Rotation: Ensure logs are rotated to prevent them from filling up disk space.
3. Tools: Consider using tools like grep, awk, or log analysis software (e.g., Logwatch) to help identify patterns and anomalies.