Hardening CentOS 5
Additional reference 1: //people.redhat.com/sgrubb/files/hardening-rhel5.pdf
Additional reference 2: //wiki.centos.org/HowTos/OS_Protection
Credit: //aniruddhas.com/tutorials/Hardening-CentOS-5.html
Hardening CentOS 5, Version: 0.4, Author: Aniruddha Thombare, Copyright: GPL, Last Updated: August 22, 2007 12:32 AM
Configure a user account. Log out and log back in as that user; use su wherever root is required. Add the user with useradd, e.g.:
    useradd myodduser
    passwd myodduser
Configure the default runlevel to runlevel 3. Use your favorite text editor to edit /etc/inittab and find a line similar to the following:
    id:3:initdefault:
Verify that the number after "id:" is 3. If it is not, change it to 3.
To restrict virtual terminals to two, find the following stanza and leave only two gettys enabled:
    # Run gettys in standard runlevels
    1:2345:respawn:/sbin/mingetty tty1
    2:2345:respawn:/sbin/mingetty tty2
    3:2345:respawn:/sbin/mingetty tty3
    4:2345:respawn:/sbin/mingetty tty4
    5:2345:respawn:/sbin/mingetty tty5
    6:2345:respawn:/sbin/mingetty tty6
Change it to:
    # Run gettys in standard runlevels
    1:2345:respawn:/sbin/mingetty tty1
    2:2345:respawn:/sbin/mingetty tty2
    #3:2345:respawn:/sbin/mingetty tty3
    #4:2345:respawn:/sbin/mingetty tty4
    #5:2345:respawn:/sbin/mingetty tty5
    #6:2345:respawn:/sbin/mingetty tty6
Save /etc/inittab and exit.
Edit /etc/fstab. For the file systems /tmp, /var, and /home replace the "defaults" option with "noexec,nodev,nosuid".
    noexec : Binaries are not allowed to be executed. NEVER use this option for your root file system!
    nosuid : Blocks the operation of the suid and sgid bits.
    nodev : Prevents any user from mounting the file system.
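The fstab edit above is easy to get wrong by hand (touching the root line, or missing a "defaults,usrquota" style entry). The following script is an added example, not part of the original guide: harden_fstab filters an fstab from stdin to stdout so the result can be reviewed, and apply_fstab installs it with a backup and remounts. The function names, the --preview/--apply switches and the HARDEN_MOUNTS list layout are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original guide): apply the guide's fstab change
# for /tmp, /var and /home without touching any other mount, especially "/".
# harden_fstab filters an fstab from stdin to stdout so the result can be
# reviewed before it is installed; apply_fstab backs up, installs and remounts.
# The script layout and function names are assumptions, not CentOS tooling.

# Mount points the guide hardens. "/" is deliberately absent: noexec on the
# root file system leaves the machine unable to run anything.
HARDEN_MOUNTS="/tmp /var /home"

# harden_fstab: for listed mount points, replace the "defaults" option with
# "noexec,nodev,nosuid" (also when "defaults" is one item in a comma list).
# Comments, blank lines, swap and unlisted mounts pass through unchanged.
harden_fstab() {
    awk -v targets="$HARDEN_MOUNTS" '
        BEGIN { n = split(targets, t, " "); for (i = 1; i <= n; i++) want[t[i]] = 1 }
        /^[ \t]*#/ || NF < 4 { print; next }
        ($2 in want) {
            m = split($4, o, ","); new = ""; changed = 0
            for (i = 1; i <= m; i++) {
                piece = o[i]
                if (piece == "defaults") { piece = "noexec,nodev,nosuid"; changed = 1 }
                new = (new == "") ? piece : new "," piece
            }
            if (changed) {
                printf "%s\t%s\t%s\t%s", $1, $2, $3, new
                for (i = 5; i <= NF; i++) printf "\t%s", $i
                printf "\n"
                next
            }
        }
        { print }
    '
}

# apply_fstab: keep a dated backup, install the filtered file and remount the
# three file systems so the options take effect before the next reboot.
apply_fstab() {
    backup="/etc/fstab.bak-$(date +%Y%m%d%H%M%S)"
    cp -p /etc/fstab "$backup" || return 1
    harden_fstab < "$backup" > /etc/fstab.new || return 1
    mv /etc/fstab.new /etc/fstab || return 1
    for mp in $HARDEN_MOUNTS; do
        mount -o remount "$mp" || echo "remount of $mp failed; check /etc/fstab" >&2
    done
}

case "${1:-}" in
    --preview) harden_fstab < /etc/fstab ;;   # show the result, change nothing
    --apply)   apply_fstab ;;                  # run as root
esac
```

Run it as "sh harden-fstab.sh --preview" and diff the output against /etc/fstab before using --apply. Two practical caveats: mount(8) documents nodev as "do not interpret character or block special devices on this file system", which is the protection it actually gives on /tmp, /var and /home; and noexec on /tmp or /var can make rpm and yum scriptlets fail, since some of them are executed from /var/tmp, so install updates from a remounted "exec" state or test package installs after the change.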
Disable unused services in order to save resources and minimize potential security holes. The services to be stopped are listed here; check appendix A in case of custom requirements.
NetworkManager NetworkManagerDispatcher acpid apmd autofs avahi-daemon avahi-dnsconfd bluetooth conman cpuspeed cups dc_client dc_server dhcdbd dund firstboot gpm haldaemon hidd ibmasm ip6tables ipmi irda irqbalance kdump kudzu mcstrans mdmonitor mdmpd microcode_ctl netfs netplugd nfs nfslock nscd oddjobd pand pcscd portmap rdisc restorecond rpcgssd rpcidmapd rpcsvcgssd saslauthd setroubleshoot smartd smb squid tux winbind wpa_supplicant xfs ypbind yum-updatesd
Disable each one with the following command format:
    chkconfig --level 12345 <service> off
To stop a service if it is currently running:
    service <service> stop
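Running those two commands by hand for fifty-odd services invites typos, and chkconfig errors out on names that have no init script on the box. The script below is an added example, not part of the original guide: it carries the guide's service list, skips names with no init script, and with DRY_RUN=1 only prints what it would do. The function names and the INITD/DRY_RUN knobs are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the original guide): disable the guide's list of
# unneeded SysV services in one pass. Services with no init script are skipped
# rather than passed to chkconfig, and DRY_RUN=1 only prints what would be
# done. The script layout and the INITD/DRY_RUN knobs are assumptions.

# The guide's service list (NetworkManagerDispatcher and acpid are
# separate services).
SERVICES="NetworkManager NetworkManagerDispatcher acpid apmd autofs
avahi-daemon avahi-dnsconfd bluetooth conman cpuspeed cups dc_client
dc_server dhcdbd dund firstboot gpm haldaemon hidd ibmasm ip6tables ipmi
irda irqbalance kdump kudzu mcstrans mdmonitor mdmpd microcode_ctl netfs
netplugd nfs nfslock nscd oddjobd pand pcscd portmap rdisc restorecond
rpcgssd rpcidmapd rpcsvcgssd saslauthd setroubleshoot smartd smb squid
tux winbind wpa_supplicant xfs ypbind yum-updatesd"

# plan_disable NAME: print the two commands the guide gives for one service.
plan_disable() {
    printf 'chkconfig --level 12345 %s off\n' "$1"
    printf 'service %s stop\n' "$1"
}

# has_initscript NAME: true if an init script exists (INITD is overridable
# for testing; CentOS 5 keeps them under /etc/init.d).
has_initscript() {
    [ -x "${INITD:-/etc/init.d}/$1" ]
}

# disable_service NAME: returns 1 if skipped, otherwise the chkconfig status.
disable_service() {
    if ! has_initscript "$1"; then
        echo "skip: $1 (no init script)" >&2
        return 1
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        plan_disable "$1"
        return 0
    fi
    chkconfig --level 12345 "$1" off || return 1
    # Stopping fails when the service is not running; that is not an error.
    service "$1" stop >/dev/null 2>&1 || true
}

# disable_all: run over the whole list; returns the number of services
# that were neither disabled nor found.
disable_all() {
    skipped=0
    for svc in $SERVICES; do
        disable_service "$svc" || skipped=$((skipped + 1))
    done
    echo "done; $skipped service(s) skipped" >&2
    return "$skipped"
}

# Run only when explicitly asked, so the functions can be sourced safely.
if [ "${1:-}" = "--apply" ]; then
    disable_all
fi
```

Use "DRY_RUN=1 sh disable-services.sh --apply" first to see the exact commands, then run it as root without DRY_RUN. Afterwards "chkconfig --list | grep ':on'" shows what is still enabled, which is the list worth reviewing against appendix A.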
Check /etc/hosts. It must be in the following format (see the 127.0.0.1 line):
    127.0.0.1       localhost.localdomain localhost
    IP.AD.DR.ESS    machine.domain.name machine
Edit /etc/host.conf:
    order bind,hosts
    multi on
    nospoof on
Edit /etc/sysctl.conf and tighten the following settings:
    net.ipv4.tcp_syncookies = 1                     # Enable TCP SYN cookie protection
    net.ipv4.conf.all.accept_source_route = 0       # Disable IP source routing
    net.ipv4.conf.all.accept_redirects = 0          # Disable ICMP redirect acceptance
    net.ipv4.conf.all.rp_filter = 1                 # Enable IP spoofing protection (source route verification)
    net.ipv4.icmp_echo_ignore_broadcasts = 1        # Ignore broadcast echo requests
    net.ipv4.icmp_ignore_bogus_error_responses = 1  # Ignore bogus ICMP error responses
    net.ipv4.conf.all.log_martians = 1              # Log spoofed, source-routed and redirect packets
Edit /etc/hosts.deny:
    portmap: ALL
Edit /etc/hosts.allow:
    portmap: localhost
    portmap: 127.0.0.1
SSH: disable root login, force protocol 2, and consider restricting SSH to specific users or groups. In /etc/ssh/sshd_config:
    Protocol 2
    HostbasedAuthentication no
    PermitRootLogin no
    PermitEmptyPasswords no
    UsePrivilegeSeparation yes
    AllowTcpForwarding no
    X11Forwarding no
    StrictModes yes
    AllowUsers admin user1 user2 user3
(put the actual user names in place of userN)
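Writing the sysctl and sshd settings down is only half the job; the kernel still runs the old values until "sysctl -p" is issued, and sshd honours the first uncommented occurrence of a directive, so a stray earlier "PermitRootLogin yes" wins. The audit script below is an added example, not part of the original guide: it checks the guide's sysctl baseline against the live values under /proc/sys and the guide's sshd directives against the configuration file. The PROC_SYS and SSHD_CONFIG overrides and the function names are assumptions of this example; the baseline values are the guide's.

```shell
#!/bin/sh
# Added example (not from the original guide): verify that the sysctl and
# sshd settings from the two sections above are really in effect. Sysctl
# values are read from the live kernel under /proc/sys rather than from
# sysctl.conf, so a forgotten "sysctl -p" shows up; sshd directives are read
# from the configuration file the way sshd does (first uncommented
# occurrence wins). PROC_SYS and SSHD_CONFIG are assumed overrides so the
# checks can run against fixtures; the baseline values are the guide's.

PROC_SYS=${PROC_SYS:-/proc/sys}
SSHD_CONFIG=${SSHD_CONFIG:-/etc/ssh/sshd_config}

SYSCTL_BASELINE="net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.conf.all.log_martians=1"

SSHD_BASELINE="Protocol=2
HostbasedAuthentication=no
PermitRootLogin=no
PermitEmptyPasswords=no
UsePrivilegeSeparation=yes
AllowTcpForwarding=no
X11Forwarding=no
StrictModes=yes"

# check_sysctl KEY EXPECTED: 0 if the running kernel value matches.
check_sysctl() {
    path="$PROC_SYS/$(printf '%s' "$1" | tr . /)"
    if [ ! -r "$path" ]; then echo "MISSING $1"; return 1; fi
    actual=$(cat "$path")
    if [ "$actual" = "$2" ]; then echo "OK   $1 = $actual"; return 0; fi
    echo "FAIL $1 = $actual (want $2)"; return 1
}

# check_sshd DIRECTIVE EXPECTED: 0 if the first uncommented occurrence
# matches. Directive names are case-insensitive, as in sshd_config(5).
check_sshd() {
    actual=$(awk -v d="$1" 'BEGIN { d = tolower(d) }
        /^[ \t]*#/ { next }
        tolower($1) == d { print $2; exit }' "$SSHD_CONFIG" 2>/dev/null)
    if [ -z "$actual" ]; then echo "MISSING $1 (sshd default applies)"; return 1; fi
    if [ "$actual" = "$2" ]; then echo "OK   $1 $actual"; return 0; fi
    echo "FAIL $1 $actual (want $2)"; return 1
}

# audit: run every check; the return value is the number of failures.
audit() {
    fails=0
    for kv in $SYSCTL_BASELINE; do
        check_sysctl "${kv%%=*}" "${kv#*=}" || fails=$((fails + 1))
    done
    for kv in $SSHD_BASELINE; do
        check_sshd "${kv%%=*}" "${kv#*=}" || fails=$((fails + 1))
    done
    echo "$fails check(s) failed"
    return "$fails"
}

if [ "${1:-}" = "--audit" ]; then
    audit
fi
```

Run "sh audit-hardening.sh --audit" after editing the two files and again after "sysctl -p" and "service sshd restart"; a non-zero exit status is the number of settings still not in effect, which makes it usable from a nightly cron job or a configuration-management check.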
Stripping It Down
The following rpms are to be removed (you may add or remove packages from this list to suit your environment):
xkeyboard-config-0.8-7.fc6 dosfstools-2.11-6.2.el5 finger-0.17-32.2.1.1 dos2unix-3.1-27.1 esound-0.2.36-3 system-config-securitylevel-1.6.29.1-1.el5 NetworkManager-0.6.4-6.el5 OpenIPMI-2.0.6-5.el5.3 apmd-3.2.2-5 acpid-1.0.4-5 system-config-network-1.3.99-1.el5 gnome-python2-gtkhtml2-2.14.2-4.fc6 gnome-python2-bonobo-2.16.0-1.fc6 xorg-x11-drv-mouse-1.1.1-1.1 system-config-display-1.0.48-2.el5 xorg-x11-server-Xorg-1.1.1-48.13.0.1.el5 xorg-x11-server-Xvfb-1.1.1-48.13.0.1.el5 gnome-mime-data-2.4.2-3.1 centos-release-notes-5.0.0-2 xorg-x11-filesystem-7.1-2.fc6 xorg-x11-xauth-1.0.1-2.1 xorg-x11-xkb-utils-1.0.2-2.1 talk-0.17-29.2.2 cpuspeed-1.2.1-1.45.el5 hicolor-icon-theme-0.9-2.1 alsa-lib-1.0.12-3.el5 GConf2-2.14.0-9.el5 xorg-x11-utils-7.1-2.fc6 bluez-gnome-0.5-5.fc6 xorg-x11-xinit-1.0.2-13.el5 ypbind-1.19-7.el5 firstboot-tui-1.4.27.2-1.el5.centos.1 system-config-soundcard-2.0.6-1.el5 yp-tools-2.9-0.1 system-config-samba-1.2.39-1.el5 system-config-kdump-1.0.9-3.el5 tux-3.2.18-9.fc6 xorg-x11-fonts-base-7.1-2.1.el5 gnome-python2-canvas-2.16.0-1.fc6 gnome-mount-0.5-3.el5 xorg-x11-drv-vesa-1.2.1-5.2.el5 xorg-x11-drv-keyboard-1.1.0-2.1 xorg-x11-drv-evdev-1.0.0.5-2.el5 samba-common-3.0.23c-2.el5.2.0.2 xorg-x11-xfs-1.0.2-4 samba-client-3.0.23c-2.el5.2.0.2 xorg-x11-server-Xnest-1.1.1-48.13.0.1.el5 samba-3.0.23c-2.el5.2.0.2 gpm-1.20.1-74.1 xorg-x11-server-utils-7.1-4.fc6 redhat-menus-6.7.8-1.el5 metacity-2.16.0-8.el5 alsa-utils-1.0.12-3.fc6 OpenIPMI-libs-2.0.6-5.el5.3 portmap-4.0-65.2.2.1 nfs-utils-1.0.9-16.el5 system-config-nfs-1.3.23-1.el5 subversion-1.4.2-2.el5 gnome-python2-gconf-2.16.0-1.fc6 gnome-python2-extras-2.14.2-4.fc6 gnome-python2-gnomevfs-2.16.0-1.fc6 xorg-x11-drv-void-1.1.0-3.1
Security and management tool installations and fine tuning:
Security tools. Download, install and run:
a. chkrootkit - //www.chkrootkit.org/download/
    Download to /usr/local/src
    Extract using "tar -zxf"
    Compile and install using "make sense"
    Run chkrootkit
b. rkhunter - //www.rootkit.nl/projects/rootkit_hunter.html
    Download to /usr/local/src
    Extract using "tar -zxf"
    Install using ./install.sh
    ./installer.sh --layout /usr/local --install
    rkhunter --update
    Run "rkhunter -c --createlogfile"
c. Management tool. Download, install and configure Webmin with SSL.
Package dependencies: ensure openssl and openssl-devel are installed:
    rpm -q openssl
    rpm -q openssl-devel
If they are not installed, install them using (mention ONLY those packages that need to be installed):
    yum install openssl openssl-devel -y
Download the Webmin RPM from //www.webmin.com/ to /usr/local/src and install it using rpm -Uvh. Go to https://IP.AD.DR.ESS:10000 to configure. Log in with user root and password, then:
    1. Under Webmin -> Users, edit the root user and rename it to "admin".
    2. Under Logging, ensure all events by all users are logged.
    3. Change the port from 10000 to a suitable one above 50000 (and below 60000).
    4. Under Authentication, set the idle time-out to 5 minutes.
d. Perl libraries
Net::SSLeay - //www.cpan.org/modules/by-module/Net/Net_SSLeay.pm-1.30.tar.gz
    Download to /usr/local/src/
    Extract with tar -xzf
    Prepare with "perl Makefile.PL"
    Compile and install with "make install"
    Test the installation with "perl -e 'use Net::SSLeay'". You should be returned to the prompt; if you get errors, the installation did not succeed.
e. Portsentry - ftp://194.199.20.114/linux/freshrpms/fedora/linux/1/portsentry/portsentry-1.1-11.fr.i386.rpm
    Download the RPM to /usr/local/src
    Install using rpm -Uvh
    Edit /etc/portsentry/portsentry.conf
    Edit /etc/portsentry/portsentry.modes
    Edit /etc/portsentry/portsentry.ignore
    Start portsentry.
f. Checksuite - //checksuite.sourceforge.net/
    Download the RPM to /usr/local/src
    Install using rpm -Uvh
g. Fine tuning iptables: edit /etc/sysconfig/iptables.
Insert rules that allow only trusted IP addresses to reach the SSH port, one rule per trusted address:
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -s IP.AD.DR.ESS -j ACCEPT
These rules must be added before the following rule:
    -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
Also make sure the other ports you need are kept open (those considered under Pre-Installation preparation).
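Two things go wrong with this edit in practice: the new rules land after the REJECT line (where they never match), or the stock unrestricted port-22 ACCEPT rule that CentOS 5 ships is left in place above them, so the source restriction never applies. The script below is an added example, not part of the original guide: it generates one ACCEPT rule per trusted address in the guide's format, inserts them immediately before the REJECT anchor, drops the unrestricted port-22 rule, and refuses to proceed if the anchor is missing. The addresses in TRUSTED_SSH are constructed placeholders from documentation ranges; the function names and the --preview/--apply switches are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original guide): build the per-address SSH
# ACCEPT rules and insert them into /etc/sysconfig/iptables immediately before
# the chain's final REJECT rule, where the guide says they must go. The filter
# reads the file on stdin and writes stdout, so the result can be checked
# first. TRUSTED_SSH holds constructed placeholder addresses (documentation
# ranges); the script layout and knob names are assumptions.

TRUSTED_SSH=${TRUSTED_SSH:-"192.0.2.10 198.51.100.0/24"}
SSH_PORT=${SSH_PORT:-22}
REJECT_RULE='-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited'

# ssh_rules: one ACCEPT rule per trusted source, in the guide's format.
ssh_rules() {
    for src in $TRUSTED_SSH; do
        printf '%s\n' "-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport $SSH_PORT -s $src -j ACCEPT"
    done
}

# insert_ssh_rules: stdin -> stdout. Inserts the rules before the REJECT line
# and removes the stock unrestricted "--dport 22 -j ACCEPT" rule, which would
# otherwise make the restriction ineffective. Exits 1 if the REJECT anchor is
# missing, so nothing is silently appended after the chain's end.
insert_ssh_rules() {
    awk -v rules="$(ssh_rules)" -v anchor="$REJECT_RULE" -v port="$SSH_PORT" '
        $0 == anchor { print rules; found = 1 }
        $0 ~ ("--dport " port " -j ACCEPT$") { next }
        { print }
        END { exit found ? 0 : 1 }
    '
}

# apply_rules: back up, rewrite and reload. Run it from the console or keep a
# second session open, so a mistake in TRUSTED_SSH does not lock you out.
apply_rules() {
    backup="/etc/sysconfig/iptables.bak-$(date +%Y%m%d%H%M%S)"
    cp -p /etc/sysconfig/iptables "$backup" || return 1
    insert_ssh_rules < "$backup" > /etc/sysconfig/iptables.new || return 1
    mv /etc/sysconfig/iptables.new /etc/sysconfig/iptables || return 1
    service iptables restart
}

case "${1:-}" in
    --preview) insert_ssh_rules < /etc/sysconfig/iptables ;;
    --apply)   apply_rules ;;
esac
```

Run "TRUSTED_SSH='a.b.c.d e.f.g.h/24' sh ssh-rules.sh --preview" and read the output before --apply; then confirm with "iptables -L RH-Firewall-1-INPUT -n --line-numbers" that the per-source ACCEPT rules sit above the REJECT and that no unrestricted dpt:22 rule remains.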
Create Date: 7 October 2010 (B.E. 2553)
Last Update: 4 April 2011 (B.E. 2554), 09:48:42
dokawa