Initial Hardening of the operating system   IMPORTANT NOTE:  This document is based on CentOS, RedHat Linux 7.3 and Enterprise.  The concepts should be similar across operating systems, but the commands will very likely be different.  Also, never assume the directory structures exist in your system as written in the document.  Never blindly follow security instructions -- read, review, compare, apply as it fits your system. The steps noted below will increase the level of hardening of your operating system.  The overwhelming majority of the steps below are from http://tldp.org/LDP/solrhe/Securing-Optimizing-Linux-The-Ultimate-Solution-v2.0.pdf These steps will remove groups and users not used by Internet servers, and set appropriate permissions for system programs.  Please note that when you see a zero (0) in the last chmod permission bit, it means that the world has no permission. Log into each server as root. Then copy and paste the following to your command line to execute (please double check directory locations as applicable): userdel adm userdel lp # required by Virtozzo -- not sure why userdel shutdown userdel halt userdel news userdel uucp userdel operator userdel games userdel gopher groupdel adm groupdel lp # required by Virtozzo -- not sure why groupdel news groupdel uucp groupdel games groupdel dip chmod 750 /bin/setserial chmod 750 /sbin/badblocks chmod 750 /sbin/ctrlaltdel chmod 750 /sbin/chkconfig chmod 750 /sbin/debugfs chmod 750 /sbin/depmod chmod 106750 /sbin/dump chmod 750 /sbin/dumpe2fs chmod 750 /sbin/fdisk chmod 750 /sbin/fsck chmod 750 /sbin/fsck.ext2 chmod 750 /sbin/halt chmod 750 /sbin/hdparm chmod 750 /sbin/hwclock chmod 755 /sbin/ifconfig chmod 750 /sbin/ifdown chmod 750 /sbin/ifup chmod 750 /sbin/init chmod 750 /sbin/insmod chmod 750 /sbin/killall5 chmod 750 /sbin/mingetty chmod 750 /sbin/mkbootdisk chmod 750 /sbin/mke2fs chmod 750 /sbin/mkfs chmod 750 /sbin/mkfs.ext2 chmod 750 /sbin/mkfs.msdos chmod 750 /sbin/mkinitrd chmod 750 /sbin/mkswap chmod 750 /sbin/modinfo chmod 750 /sbin/modprobe chmod 2750 /sbin/netreport chmod 750 /sbin/portmap chmod 750 /sbin/quotaon chmod 106750 /sbin/restore chmod 750 /sbin/runlevel chmod 750 /sbin/swapon chmod 750 /sbin/tune2fs chmod 750 /usr/bin/eject chmod 104750 /usr/bin/gpasswd chmod 755 /usr/bin/lpq chmod 755 /usr/bin/lprm chmod 100500 /usr/bin/lpr chmod 750 /usr/bin/minicom chmod 750 /usr/sbin/atd chmod 750 /usr/sbin/atrun chmod 750 /usr/sbin/crond chmod 750 /usr/sbin/edquota chmod 750 /usr/sbin/exportfs chmod 750 /usr/sbin/groupadd chmod 750 /usr/sbin/groupdel chmod 750 /usr/sbin/groupmod chmod 750 /usr/sbin/grpck chmod 750 /usr/sbin/grpconv chmod 750 /usr/sbin/grpunconv chmod 750 /sbin/klogd chmod 750 /usr/sbin/logrotate chmod 102750 /usr/sbin/lpc chmod 755 /usr/sbin/lsof chmod 550 /usr/sbin/makemap chmod 750 /usr/sbin/newusers chmod 750 /usr/sbin/nmbd chmod 750 /usr/sbin/ntpdate chmod 750 /usr/sbin/ntpq chmod 750 /usr/sbin/ntptime chmod 750 /usr/sbin/ntptrace chmod 750 /usr/sbin/ntsysv chmod 750 /usr/sbin/pppd chmod 750 /usr/sbin/pwck chmod 750 /usr/sbin/pwconv chmod 750 /usr/sbin/pwunconv chmod 550 /usr/sbin/quotastats chmod 750 /usr/sbin/rdev chmod 550 /usr/sbin/repquota chmod 750 /usr/sbin/rpc.mountd chmod 750 /usr/sbin/rpc.nfsd chmod 750 /usr/sbin/rpc.rquotad chmod 750 /sbin/rpc.statd chmod 750 /usr/sbin/rpcinfo chmod 750 /usr/sbin/setup chmod 750 /usr/sbin/showmount chmod 750 /usr/sbin/smbd chmod 750 /sbin/syslogd chmod 750 /usr/sbin/tcpd chmod 750 /usr/sbin/tcpdump chmod 750 /usr/sbin/timeconfig chmod 750 /usr/sbin/tmpwatch chmod 750 /usr/sbin/tunelp chmod 750 /usr/sbin/useradd chmod 750 /usr/sbin/userdel chmod 104750 /usr/sbin/userhelper chmod 750 /usr/sbin/usermod chmod 100750 /usr/sbin/usernetctl chmod 750 /usr/sbin/vipw chmod 2750 /sbin/dump chmod 2750 /sbin/restore chmod 0 /usr/bin/rlogin chmod 0 /usr/bin/rsh chmod 0 /usr/bin/rcp chmod 500 /usr/bin/lpr chmod 500 /usr/bin/lprm chmod 500 /usr/bin/lpq chmod 500 /usr/bin/lpstat chmod 500 /usr/bin/lppasswd IMPORTANT NOTE:  This document and all linked document is being provided as a good will gesture to the Parallels H-Sphere community and to others who may benefit from its use.  Dynamic Net, Inc. makes no representations implied or explicit as to their value or warranty. Dynamic Net, Inc. will not be held liable for any damage resulting in the application of the steps and procedures noted.  If you feel uncomfortable at all about doing any of the steps, make a complete system backup and hire a third party like We Manage Servers to do the work for you.