Solved

to secure network in RHEL VM

Posted on 2014-02-04
4
403 Views
Last Modified: 2014-02-10
Hi All,

I have one RHEL virtual machine on VMware - connected with 3 difrent network - please advice how to secure my server and what tools could be used?
0
Comment
Question by:apunkabollywood
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 13

Expert Comment

by:Daniel Helgenberger
ID: 39831960
Please elaborate a little more about witch version of RHEL and witch services/daemons the VM is running.

The default settings of a RHEL machine are already good to connect it to the public internet. This means in particular:
- SElinux, mandatory access control, in enforcing mode,
- Firewall turned on, allowing only SSH and any related connections

After the initial configuration is done you should turn off root logins in SSH and disallow challenge / response authentication (basically allowing only SSH logins with valid keys).

The tools you are working with most foremost is iptables for firewall rules and SElinux as mandatory access control.
If you keep the data locations for your services (eg. /var/www as http-root) to the default, you will rarely need to interact with SElinux. Also keep in mind if you have custom build software, you may need to create custom rules or even turn off SElinux.

If you provide more info, I can assist you better.
0
 
LVL 25

Accepted Solution

by:
madunix earned 500 total points
ID: 39832869
I don't know which security tips are related to your systems, but it's a good practice to find two/three or multiple sources of information, this way you can pick more security tips. You can go from more generalist tips to more specific tips, that seems to be a good approach to secure your servers.

I would implement iptables as said above, with iptables you can do
. Blocking a Single IP Address
. Allowing All Traffic from an IP Address
. Blocking a Port From All Addresses
. Allowing a Single Port from a Single IP
. Reroute Traffic

For example you can route all traffic that comes to the port XXXX to YYYY. This means that the incoming tcp connection can come from both port YYYY and XXXX.
iptables -t nat -A PREROUTING -p tcp -d A.B.C.D --dport XXXX -j DNAT --to A.B.C.D:YY

Additionally Patch the system, use the right user:group, turn off unwanted services, disable unused modules and ports, tune server, hide config, restrict access, firewall ....etc.

Red Hat Linux Server Security Checklist:
http://www.howtogeek.com/wiki/Using_Iptables_on_Linux
http://www.thegeekstuff.com/2011/06/iptables-rules-examples/
http://www.cyberciti.biz/faq/iptables-block-port/
http://people.redhat.com/sgrubb/files/hardening-rhel5.pdf
http://www.nsa.gov/ia/_files/factsheets/rhel5-pamphlet-i731.pdf
http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/pdf/Security_Guide/Red_Hat_Enterprise_Linux-6-Security_Guide-en-US.pdf
http://www.tecmint.com/linux-server-hardening-security-tips/
http://www.cyberciti.biz/tips/linux-security.html
http://www.utsa.edu/oit/PDF/linuxchecklist.pdf
http://linuxlyfe.com/centos/basic-web-server-security-checklist
http://onedollardata.wordpress.com/2010/06/08/red-hat-linux-server-security-checklist/
http://www.sans.org/score/checklists/linuxchecklist.pdf
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/index.html
0
 

Author Comment

by:apunkabollywood
ID: 39841528
Thank you for your valuable suggestion but let me more specific about requirements

1-Actually it will acting as a Storage NODE and we are using EMC networker and its require root role - so i need to secure as per this so that no hacking or etc possible with proper monitoring?

2. I want to specify specific VLAN access from specific NIC card - please help me with that kind of settings?

3. SSH only allow from specific admin port not from all?

Please help me if you have more suggestions on the same
0
 

Author Closing Comment

by:apunkabollywood
ID: 39847178
Thank you - Helps me a lot
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, I will show you HOW TO: Create your first Windows Virtual Machine on a VMware vSphere Hypervisor 6.5 (ESXi 6.5) Host Server, the Windows OS we will install is Windows Server 2016.
In this article we will learn how to backup a VMware farm using Nakivo Backup & Replication. In this tutorial we will install the software on a Windows 2012 R2 Server.
Teach the user how to use vSphere Update Manager to update the VMware Tools and virtual machine hardware version Open vSphere Client: Review manual processes for updating VMware Tools and virtual hardware versions: Create a new baseline group in vSp…
This Micro Tutorial steps you through the configuration steps to configure your ESXi host Management Network settings and test the management network, ensure the host is recognized by the DNS Server, configure a new password, and the troubleshooting…

724 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question