CentOS 4 Security Assessment November 22, 2005

Last Article - I went through the basic installation of CentOS 4.2 using the single Server Install CD. Since this machine was to be used on the internal network and I didn’t really want the performance overhead of a host-based firewall, I decided not to enable the firewall during the installation. Note: the default is for the firewall to be enabled, so some of what I am about to disclose wouldn’t apply if the firewall was turned on.

My approach will be to disable anything unnecessary and continue to run without the firewall enabled. Disabling unused services that a default installation may have installed and enabled is good practice in any case, regardless of whether or not the firewall is enabled.

So, right after the OS installation - I went over and fired up a new session on a Nessus box. I configured it to scan a single host - the CentOS box. All the available plugins were enabled and safe checks were turned off. The scan came back with three warnings in the Nessus report:

  1. The remote host answers to an ICMP timestamp request. This allows an attacker
    to know the date which is set on your machine.

    This may help him to defeat all your time based authentication protocols.

    Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP
    timestamp replies (14).

    Risk factor : Low
    CVE : CAN-1999-0524

  2. The remote SSH daemon supports connections made
    using the version 1.33 and/or 1.5 of the SSH protocol.

    These protocols are not completely cryptographically
    safe so they should not be used.

    Solution :
    If you use OpenSSH, set the option ‘Protocol’ to ‘2’
    If you use SSH.com’s, set the option ‘Ssh1Compatibility’ to ‘no’

    Risk factor : Low

  3. The statd RPC service is running. This service has a long history of
    security holes, so you should really know what you are doing if you decide
    to let it run.*** No security hole regarding this program have been tested, so
    *** this might be a false positive.

    Solution : We suggest that you disable this service.
    Risk factor : High
    CVE : CVE-1999-0018, CVE-1999-0019, CVE-1999-0493
    BID : 127, 450, 6831, 11785

So now that we have our vulnerability report - the first thing to do is make sure each warning is valid and applicable to your environment. In this case, I can safely go with all three recommendations without causing any negative impact on my application.

Here are the remediation steps to fix the three security warnings:

  1. Well, the first one can’t be turned off unless the firewall is enabled. For reference, if the firewall was turned on, the correct rule would be:
    $IPTABLES -A INPUT -p ICMP --icmp-type timestamp-request -i $EXTIFACE -j DROP
    Explanation: This issue is not one of the more critical problems by far. There are a couple of things that can be obtained from a machine that answers an ICMP Type 13 packet (ICMP Timestamp Request):
      1. The time that is set on the local machine
      2. By evaluating the reply packet, someone could potentially ‘fingerprint’ the OS, determine which host OS you are running, and then use that to research known vulnerabilities for that OS that could be used to exploit the system
  2. From a shell prompt, enter vi /etc/ssh/sshd_config
    - Uncomment the Protocol line (remove the #) and then delete the comma and the 1, which leaves the line looking like:
    Protocol 2
    Save the file and exit the editor
    Restart the sshd service by entering: service sshd restart
    Explanation: Changing the ssh service so that it only operates using SSH protocol version 2 is a good measure to eliminate the security holes of the older version. Version 1 is only still there for compatibility purposes, and turning it off would only affect clients that connect to the machine for terminal sessions or some other sort of secure communication (such as secure file transfer). Almost everything these days supports version 2.
  3. Disable this service if you are not planning on using NFS (Network File System). The easiest way to do this is to run ntsysv --level 35. Note: you may run into problems running this command in a remote terminal window due to graphics problems; you’re probably safer running it at the system console.
    After running the command, use the down arrow to find the following services and press the spacebar on each of them to remove the X beside the respective service:
    netfs
    portmap
    rpcgssd
    rpcidmapd
    Before you exit the program, read on to #4
  4. I would also recommend disabling a few other services while in the configuration utility:
    acpid (Power Management Related)
    apmd (Power Management Related)
    cups
    isdn (Only used if you have an ISDN card in the machine)
    pcmcia (Most likely you either don’t have or will not use a pcmcia device in the machine)
    Now tab to the ok button and press Enter to exit the program
  5. Reboot your Linux Server to bring it back up under the new ‘cleaner’ configuration
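As an added example (not part of the original article), the script below audits the three findings non-interactively from the text the real tools print: iptables-save, the sshd_config file and chkconfig --list. The sample output at the bottom is constructed; the "2,1" fallback reflects the default that the commented-out Protocol line in the stock sshd_config shows.

```shell
#!/bin/sh
# Added example, not from the original article: a non-interactive audit of
# the three Nessus findings, each checked from the text the real tool prints
# (iptables-save, the sshd_config file, chkconfig --list). Feed it live
# output, or the constructed samples at the bottom.

# Finding 1: is inbound ICMP timestamp-request (type 13) dropped?
# Reads iptables-save output on stdin; true if a matching INPUT DROP rule exists.
icmp_ts_dropped() {
  grep -E '^-A INPUT .*-p icmp .*--icmp-type (13|timestamp-request) .*-j DROP' >/dev/null
}

# Finding 2: is sshd restricted to protocol 2 only?
# Reads sshd_config on stdin. sshd honours the first uncommented Protocol
# line; with none present, the stock default of "2,1" applies, which still fails.
ssh_protocol2_only() {
  val=$(awk 'tolower($1) == "protocol" { print $2; exit }')
  [ "${val:-2,1}" = "2" ]
}

# Finding 3: are the given services off in runlevels 3 and 5?
# Reads "chkconfig --list" output on stdin; arguments are service names.
# A service that does not appear in the listing at all counts as off.
services_off_35() {
  awk -v names="$*" '
    BEGIN { n = split(names, list, " "); for (i = 1; i <= n; i++) want[list[i]] = 1 }
    ($1 in want) {
      for (i = 2; i <= NF; i++) {
        split($i, kv, ":")
        if ((kv[1] == "3" || kv[1] == "5") && kv[2] == "on") bad = 1
      }
    }
    END { exit bad + 0 }'
}

# Constructed samples: what a partly remediated host might print.
SAMPLE_IPT='-A INPUT -i eth0 -p icmp -m icmp --icmp-type 13 -j DROP'
SAMPLE_SSHD='#Protocol 2,1
Protocol 2'
SAMPLE_CHK='portmap         0:off   1:off   2:off   3:off   4:off   5:off   6:off
netfs           0:off   1:off   2:off   3:off   4:off   5:on    6:off'

report() { if "$@"; then echo "PASS: $1"; else echo "FAIL: $1"; fi; }

printf '%s\n' "$SAMPLE_IPT"  | report icmp_ts_dropped
printf '%s\n' "$SAMPLE_SSHD" | report ssh_protocol2_only
printf '%s\n' "$SAMPLE_CHK"  | report services_off_35 netfs portmap rpcgssd rpcidmapd  # netfs still on at 5
```

On a live CentOS 4 host the same functions take real input, e.g. iptables-save | icmp_ts_dropped, ssh_protocol2_only < /etc/ssh/sshd_config, and chkconfig --list | services_off_35 netfs portmap rpcgssd rpcidmapd.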

A follow-up Nessus scan after the server reboot revealed only one warning, the expected one (#1 above), since I don’t have the firewall enabled. It was happy that the only open port was ssh and that it was only running ssh v2. Hopefully, this has served as a basis for securing your CentOS installation.

Article printed from scottp.net - Tech Site: http://tech.scottp.net
URL to article: http://tech.scottp.net/index.php/2005/11/22/centos-4-security-assessment/

This entry was posted on Tuesday, November 22nd, 2005 at 9:40 am.