I've recently had to migrate some services (relatively quickly) from one machine to another. One of the requirements of the system is that it should be set up relatively securely. So here's a checklist of some of the software and things to watch out for (at least for me when setting things up).
Some, if not all, of these notes were taken from the CentOS wiki as a reference for myself.
Software
- shorewall - for firewalling
- etckeeper - for tracking changes in /etc/
Checklist for setting up the machine
- Did a stock SL5x install with only the server option ticked. I left selinux turned on in targeted mode.
- Used the default partition layout; ideally some time should be spent on partitioning things correctly and enabling nosuid,noexec where appropriate.
- Generate a list of installed packages for reference; you can do this with either yum list installed > ~/installed.txt or rpm -qa --qf "%{name}\n" | sort | uniq > ~/installed.txt
- Make sure regular updates are on. In my case I have a prepared rpm for our local mirrors and repos, which I install and then run an upgrade/update to make sure I have all the latest security fixes, then reboot.
- Install etckeeper
- Run a chkconfig --list and see what is enabled, then turn off what I don't need.
- Apply the suggested changes to protect the machine at the physical level. I haven't done all of these steps yet; I'm not sure if I need all the extra security since the machine is in a secure physical location.
- Enable a bios password
- Change boot order of the machine to not allow booting from network or removable physical media.
- Require a password for the bootloader (grub or lilo)
- Require a password for single user mode
echo "# Require the root pw when booting into single user mode" >> /etc/inittab
echo "~~:S:wait:/sbin/sulogin" >> /etc/inittab
echo "Don't allow any nut to kill the server"
perl -npe 's/ca::ctrlaltdel:\/sbin\/shutdown/#ca::ctrlaltdel:\/sbin\/shutdown/' -i /etc/inittab
- Disable USB mass storage devices
echo "Disabling USB Mass Storage"
echo "blacklist usb-storage" > /etc/modprobe.d/blacklist-usbstorage
- Restrict the root account
echo "tty1" > /etc/securetty
chmod 700 /root
- Setup some password policies
echo "Passwords expire every 180 days"
perl -npe 's/PASS_MAX_DAYS\s+99999/PASS_MAX_DAYS 180/' -i /etc/login.defs
echo "Passwords may only be changed once a day"
perl -npe 's/PASS_MIN_DAYS\s+0/PASS_MIN_DAYS 1/g' -i /etc/login.defs
- Change the default password hashing from MD5 to sha512
authconfig --passalgo=sha512 --update
- Change the default umask restrictions
perl -npe 's/umask\s+0\d2/umask 077/g' -i /etc/bashrc
perl -npe 's/umask\s+0\d2/umask 077/g' -i /etc/csh.cshrc
- Enable pam_tally2 so that if a user fails to log in three times, they are locked out for 60 minutes before they can try again. The file /var/log/tallylog is a binary log containing failed login records for pam. You can see the failed attempts by running the pam_tally2 command without any options, and unlock user accounts early with pam_tally2 --reset -u username
touch /var/log/tallylog
cat << 'EOF' > /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
# pam_tally2 has to come before the "sufficient" pam_unix line; placed after it,
# a correct password returns from the stack early and the lockout is never enforced.
# unlock_time is in seconds, so 3600 is the 60 minutes described above.
auth required pam_tally2.so deny=3 onerr=fail unlock_time=3600
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
# the account call resets the tally after a successful login
account required pam_tally2.so per_user
password requisite pam_cracklib.so try_first_pass retry=3 minlen=9 lcredit=-2 ucredit=-2 dcredit=-2 ocredit=-2
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=10
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
EOF
- Log idle users out automatically after 15 minutes
echo "Idle users will be removed after 15 minutes"
echo "readonly TMOUT=900" >> /etc/profile.d/os-security.sh
echo "readonly HISTFILE" >> /etc/profile.d/os-security.sh
chmod +x /etc/profile.d/os-security.sh
- Restrict cron and at (an existing cron.allow/at.allow takes precedence over the deny files, so only root is allowed; the deny lists are belt and braces)
echo "Locking down Cron"
touch /etc/cron.allow
chmod 600 /etc/cron.allow
awk -F: '{print $1}' /etc/passwd | grep -vx root > /etc/cron.deny
echo "Locking down AT"
touch /etc/at.allow
chmod 600 /etc/at.allow
awk -F: '{print $1}' /etc/passwd | grep -vx root > /etc/at.deny
- Turn off wireless drivers if they exist (modprobe blacklists module names, not paths, so strip the directory and the .ko suffix)
for i in $(find /lib/modules/$(uname -r)/kernel/drivers/net/wireless -name "*.ko" -type f) ;
do echo "blacklist $(basename $i .ko)" >> /etc/modprobe.d/blacklist-wireless ;
done
- Sysctl Security (/etc/sysctl.conf)
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.tcp_max_syn_backlog = 1280
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_timestamps = 0
- Use TCP Wrappers
echo "ALL:ALL" >> /etc/hosts.deny
echo "sshd:ALL" >> /etc/hosts.allow
- Disable remote root logins: edit /etc/ssh/sshd_config and make sure PermitRootLogin is set to no
- Create a wheel group if it doesn't exist, and add a line like this to the sudoers file (using visudo):
%wheel ALL=(ALL) ALL
- Add some users to the wheel group
gpasswd -a jtang wheel
- Check that selinux is enabled, and confine applications/users as needed, but generally speaking the defaults are fine.
sestatus
Configure sendmail so I get system emails. Make sure tcpwrappers is configured to only allow localhost to connect.
Configure shorewall; I edited these files:
- policy
- routestopped
- rules
- shorewall.conf
- interfaces
- zones
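Once the checklist has been worked through it is worth confirming the files actually say what you think. Here is an added self-check (my own example, not part of the original checklist or the CentOS wiki) for three of the settings above: PermitRootLogin in sshd_config, the sysctl values, and PASS_MAX_DAYS in login.defs. The function names are mine, and the sample files it writes to a temp directory are constructed stand-ins for the real /etc files.

```shell
#!/bin/sh
# Self-check for settings from the checklist above. Functions take file paths so
# they can be run against the live /etc or against copies; samples are constructed.

# 0 if the first active PermitRootLogin in FILE is "no" (sshd honours the first
# occurrence of a keyword; "key=value" and "key value" are both normalised).
check_permit_root_login() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        { s = $0; gsub(/=/, " ", s); split(s, f) }
        tolower(f[1]) == "permitrootlogin" { found = 1; ok = (tolower(f[2]) == "no"); exit }
        END { exit (found && ok) ? 0 : 1 }' "$1"
}

# 0 if every key=value in WANT appears in CONF with the same value; the last
# occurrence in CONF wins, as it does when sysctl -p applies the file.
check_sysctl() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        { s = $0; gsub(/[[:space:]]/, "", s); n = index(s, "=")
          k = substr(s, 1, n - 1); v = substr(s, n + 1) }
        FNR == NR { want[k] = v; next }
        { have[k] = v }
        END { for (k in want) if (!(k in have) || have[k] != want[k]) {
                  print "sysctl " k " should be " want[k]; bad = 1 }
              exit bad ? 1 : 0 }' "$1" "$2"
}

# 0 if the last active PASS_MAX_DAYS in FILE is at most DAYS.
check_pass_max_days() {
    awk -v max="$2" '
        /^[[:space:]]*(#|$)/ { next }
        $1 == "PASS_MAX_DAYS" { found = 1; ok = ($2 + 0 <= max + 0) }
        END { exit (found && ok) ? 0 : 1 }' "$1"
}

# Constructed sample files standing in for /etc/ssh/sshd_config, /etc/sysctl.conf
# and /etc/login.defs so the checks can be exercised without touching the host.
SAMPLES=$(mktemp -d)
printf 'Port 22\n#PermitRootLogin yes\nPermitRootLogin=no\n' > "$SAMPLES/sshd_config"
printf 'net.ipv4.ip_forward = 0\nnet.ipv4.tcp_syncookies = 1\n' > "$SAMPLES/want"
printf '# local\nnet.ipv4.ip_forward = 0\nnet.ipv4.tcp_syncookies = 0\nnet.ipv4.tcp_syncookies = 1\n' > "$SAMPLES/sysctl.conf"
printf 'PASS_MAX_DAYS\t180\nPASS_MIN_DAYS\t1\n' > "$SAMPLES/login.defs"

check_permit_root_login "$SAMPLES/sshd_config" && echo "sshd: root login disabled"
check_sysctl "$SAMPLES/want" "$SAMPLES/sysctl.conf" && echo "sysctl: all expected values set"
check_pass_max_days "$SAMPLES/login.defs" 180 && echo "login.defs: PASS_MAX_DAYS <= 180"
```

To check the real box, point the functions at /etc/ssh/sshd_config, /etc/sysctl.conf and /etc/login.defs, with the sysctl list from the checklist saved as the WANT file.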
Graffiti for the past few weeks. I've been pretty bad recently with uploading snaps, as I've been away on holidays :)
I always seem to forget what tool I use to checksum files when I'm building packages for macports, so here's a note for myself:
openssl sha1 fossil-src-20100805100943.tar.gz
openssl rmd160 fossil-src-20100805100943.tar.gz
openssl md5 fossil-src-20100805100943.tar.gz
OpenSSL should be available on most if not all unix/linux/osx like systems.
While I'm at it, here's a macports Portfile for fossil scm:
# -*- coding: utf-8; mode: tcl; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*-
# vim:fenc=utf-8:ft=tcl:et:sw=4:ts=4:sts=4
# $Id$
PortSystem 1.0
name fossil
version 20100805100943
categories devel
maintainers tchpc.tcd.ie:jtang
description Fossil: Simple, high-reliability, distributed software configuration management
homepage http://www.fossil-scm.org/
master_sites http://www.fossil-scm.org/download
distfiles ${name}-src-${version}${extract.suffix}
distname ${name}
worksrcdir ${name}-src-${version}
depends_lib port:zlib
use_configure no
checksums md5 33c2cf512c72f5b153dbfc26867e16ed \
          sha1 8840609b75106a9d685486a2778d9b1319b37bc8 \
          rmd160 80b92c63fd431c35a793eddcab067e992de0bd3b
destroot.destdir DESTDIR=${destroot} prefix=${prefix}
build.target all
configure {}
destroot {
    xinstall -m 755 -d ${destroot}${prefix}/bin
    xinstall -m 755 ${worksrcpath}/fossil ${destroot}${prefix}/bin
}
Having recently completely moved to OSX at work, I really miss DWM and I want automatic window management. I previously wrote about using DWM on OSX, but that was long ago on OSX 10.5. OSX 10.6 has changed a few things and my previous setup no longer works.
Firstly, download and install XQuartz from http://xquartz.macosforge.org/trac/wiki/X112.5.3 and then check out these instructions from http://gist.github.com/311377. They saved me lots of time figuring stuff out; it's more or less easy to get DWM to work on OSX.
Not much to say about this really, but it isn't too hard to get going.
Since we migrated to this new machine I left the gitweb.cgi disabled, but I recently wanted to publish some stuff with git. Of course having a web based interface would be nice. So I thought, what the hey, I should try cgit. Feature wise it's probably on par with gitweb. Installation wise, it's pretty straightforward if you read the docs. The best thing was the configuration is much clearer than gitweb's imho.
What was nice was the config for ikiwiki is now...
historyurl => 'http://www.sgenomics.org/cgi-bin/cgit.cgi/jtang/wiki.git/log/[[file]]',
diffurl => 'http://www.sgenomics.org/cgi-bin/cgit.cgi/jtang/wiki.git/commit/?id=[[sha1_commit]]',
which wasn't too hard to figure out and setup.
Here's this month's batch of tags and graffiti and so on... sadly some of the later images are a bit blurry because my LX3's shutter button gets stuck sometimes, so I can't get good focus for every shot. I probably just need to get the camera cleaned or serviced.
I've recently discovered the whole idea of UniWB for maximising the dynamic range of digital cameras that can take raw images. In principle it sounds like a great idea if you are already shooting raw. I'm lazy but I was curious anyway. To be honest it's a bit useless on my LX3 due to the amount of optical distortion I get, plus I'm too lazy to process the images. Anyway, as a result of messing around with UniWB I found setting the white balance of the images interesting. I was reading this site http://www.guillermoluijk.com/tutorial/uniwb/index_en.htm. To make a UniWB reference you just take a dark frame (lens cap on) at, say, ISO100, f/22, 1/4000sec; note that these files are usually camera model specific. Take the resulting raw file and check it with dcraw by doing
dcraw -v -w FILENAME.RW2
The multipliers are all supposed to be as close to 1 as possible (say within 5%, though that figure is just a guess); if they are then great, if not try again. You then take this raw file, set it as your custom white balance and take pictures as normal. The previews will all come out greenish, so you will need to post-process the images and correct the white balance. The basic idea is that the custom white balance makes the histograms on your camera give a more realistic view of what's happening; you could probably get a stop or so more out of your shots.
These are the multipliers I got from dcraw -v -w FILENAME.RW2 for my LX3:
- Daylight: 2.049430 1.000000 1.661597 1.000000
- Cloudy: 2.281369 1.000000 1.539924 1.000000
- Shade: 2.528517 1.000000 1.418251 1.000000
- Flash: 2.326996 1.000000 1.517110 1.000000
- Halogen: 1.361217 1.000000 2.319392 1.000000
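To judge a dark frame without reading the multipliers by eye, here is an added example (mine, not from the original post or from dcraw) that pipes dcraw's verbose output through awk and fails unless every multiplier is within the given percentage of 1.0. The uniwb_ok function name is mine, and the dcraw output it is fed is a constructed sample; dcraw prints this text on stderr, hence the 2>&1 in the comment.

```shell
#!/bin/sh
# Constructed sample of what dcraw -v -w prints (on stderr) for a dark frame.
# Against a real file you would run: dcraw -v -w FILENAME.RW2 2>&1 | uniwb_ok 5
SAMPLE_DCRAW_OUTPUT='Loading Panasonic DMC-LX3 image from darkframe.RW2 ...
Scaling with darkness 15, saturation 4095, and
multipliers 1.023000 1.000000 0.981000 1.000000'

# uniwb_ok PERCENT: reads dcraw -v output on stdin and returns 0 only if a
# "multipliers" line was found and every multiplier is within PERCENT of 1.0;
# channels that are out of tolerance are reported so you know what to retake.
uniwb_ok() {
    awk -v tol="$1" '
        $1 == "multipliers" {
            found = 1
            for (i = 2; i <= NF; i++) {
                d = $i - 1; if (d < 0) d = -d
                if (d * 100 > tol) { bad = 1; printf "channel %d is %.1f%% off\n", i - 1, d * 100 }
            }
        }
        END { exit (found && !bad) ? 0 : 1 }'
}

printf '%s\n' "$SAMPLE_DCRAW_OUTPUT" | uniwb_ok 5 && echo "dark frame usable as UniWB reference"
```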
Some sample images....
This is what the camera sees in terms of white balance, based on the UniWB custom white balance

This is dcraw's auto white balance

This is applying the multipliers obtained above

This one was balanced using my whibal keyring with ufraw, because I was too lazy to figure out the patch to use dcraw to calibrate the image

The auto white balance in dcraw was pretty similar in look to the whibal calibrated image. I'm not too sure if I am committed enough to use raws. I do like being able to maximise my exposures for HDR or panoramic stitches though. It's more useful on my DSLR than on the LX3, since the LX3 doesn't have an RGB histogram.
I've been playing more with UniWB, and it's interesting so far. From the limited messing about, when the colours are right you can get a real nice pop effect. I'm not too confident with adjusting white balance myself.
If the auto white balance from dcraw were a bit better I'd probably use UniWB more.