I've recently had to migrate some services (relatively quickly) from one machine to another. One of the requirements of the system is that it should be set up relatively securely, so here's a checklist of some of the software and things to watch out for (at least for me when setting things up).
Some, if not all, of these notes were taken from the CentOS wiki as a reference for myself.
Software
- shorewall - for firewalling
- etckeeper - for tracking changes in /etc/
Checklist for setting up the machine
- Did a stock SL5x install with only the server option ticked. I left SELinux turned on in targeted mode.
- Used the default partition layout; ideally some time should be spent on partitioning things correctly and mounting with nosuid,noexec where appropriate.
- Generate a list of installed packages for reference. You can do this with either yum list installed > ~/installed.txt or rpm -qa --qf "%{name}\n" | sort | uniq > ~/installed.txt
- Make sure regular updates are on, in my case I have a prepared rpm for our local mirrors and repos which I install and then run an upgrade/update to make sure I have all the latest security fixes, then reboot.
- Install etckeeper
- Run a chkconfig --list and see what is enabled, then turn off what I don't need.
- Do the suggested changes to protect the machine at a physical level. I haven't done all these steps yet, and I'm not sure if I need all the extra security since the machine is in a secure physical location.
- Enable a bios password
- Change boot order of the machine to not allow booting from network or removable physical media.
- Require a password for the bootloader (grub or lilo)
- Require a password for single user mode
echo "Require the root pw when booting into single user mode"
echo "~~:S:wait:/sbin/sulogin" >> /etc/inittab
echo "Don't allow any nut to kill the server"
perl -npe 's/ca::ctrlaltdel:\/sbin\/shutdown/#ca::ctrlaltdel:\/sbin\/shutdown/' -i /etc/inittab
- Disable USB mass storage devices
echo "Disabling USB Mass Storage"
echo "blacklist usb-storage" > /etc/modprobe.d/blacklist-usbstorage
- Restrict the root account
echo "tty1" > /etc/securetty
chmod 700 /root
- Set up some password policies
echo "Passwords expire every 180 days"
perl -npe 's/PASS_MAX_DAYS\s+99999/PASS_MAX_DAYS 180/' -i /etc/login.defs
echo "Passwords may only be changed once a day"
perl -npe 's/PASS_MIN_DAYS\s+0/PASS_MIN_DAYS 1/g' -i /etc/login.defs
- Change the default password hashing from MD5 to SHA-512
authconfig --passalgo=sha512 --update
- Change the default umask restrictions
perl -npe 's/umask\s+0\d2/umask 077/g' -i /etc/bashrc
perl -npe 's/umask\s+0\d2/umask 077/g' -i /etc/csh.cshrc
- Enable pam_tally2 so that a user who fails to log in three times is locked out for 60 minutes before they can try again. Note that unlock_time is given in seconds, and that the pam_tally2 auth line has to come before the "sufficient" pam_unix line, otherwise a correct password short-circuits the stack and a locked account is never refused. The file /var/log/tallylog is a binary log containing failed login records for pam. You can see the failed attempts by running the pam_tally2 command without any options, and unlock user accounts early with pam_tally2 --reset -u username
touch /var/log/tallylog
cat << 'EOF' > /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
# count failures and refuse locked accounts before pam_unix can succeed;
# unlock_time is in seconds, so 3600 = 60 minutes
auth required pam_tally2.so deny=3 onerr=fail unlock_time=3600
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
# resets the failure counter after a successful login
account required pam_tally2.so per_user
password requisite pam_cracklib.so try_first_pass retry=3 minlen=9 lcredit=-2 ucredit=-2 dcredit=-2 ocredit=-2
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=10
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
EOF
- Log users out automatically after 15 minutes
echo "Idle users will be removed after 15 minutes"
echo "readonly TMOUT=900" >> /etc/profile.d/os-security.sh
echo "readonly HISTFILE" >> /etc/profile.d/os-security.sh
chmod +x /etc/profile.d/os-security.sh
- Restrict cron and at. When cron.allow (or at.allow) exists it takes precedence and the corresponding deny file is ignored, so with an empty allow file the deny files below are belt and braces only.
echo "Locking down Cron"
touch /etc/cron.allow
chmod 600 /etc/cron.allow
awk -F: '{print $1}' /etc/passwd | grep -vx root > /etc/cron.deny
echo "Locking down AT"
touch /etc/at.allow
chmod 600 /etc/at.allow
awk -F: '{print $1}' /etc/passwd | grep -vx root > /etc/at.deny
- Turn off wireless if it exists (the blacklist directive takes the module name, not the path to the .ko file)
for i in $(find /lib/modules/$(uname -r)/kernel/drivers/net/wireless -name "*.ko" -type f) ;
do echo "blacklist $(basename $i .ko)" >> /etc/modprobe.d/blacklist-wireless ;
done
- Sysctl security: append these to /etc/sysctl.conf and apply them with sysctl -p
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.tcp_max_syn_backlog = 1280
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_timestamps = 0
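Since /etc/sysctl.conf is only applied at boot or when sysctl -p is run, and other tooling can flip values later, it is worth checking the running values against the list above. The following is an added example, not from the original post: audit_sysctl takes the expected values in sysctl.conf form and a dump in the form that sysctl -a prints, so it can run offline against a saved dump rather than the live kernel. The two sample files, and the mismatches in them, are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the sysctl values a
# hardening checklist asks for against what a machine actually reports.
#   expected file: /etc/sysctl.conf style, "key = value"
#   actual file:   the output of "sysctl -a" saved to a file (any
#                  "key = value" / "key=value" dump works), so the check
#                  can run offline against a captured dump
# audit_sysctl prints one line per missing or mismatched key and returns the
# number of problems found, so an exit status of 0 means every key matches.

audit_sysctl() {
    awk -v actfile="$2" '
        # normalise "key = value", "key=value" or "key value" to "key value",
        # dropping comments and surrounding whitespace
        function norm(s) {
            sub(/#.*/, "", s)
            gsub(/[ \t]*=[ \t]*/, " ", s)
            gsub(/^[ \t]+|[ \t]+$/, "", s)
            gsub(/[ \t]+/, " ", s)
            return s
        }
        BEGIN {
            n = 0
            # load the actual values first, keyed by sysctl name
            while ((getline line < actfile) > 0) {
                line = norm(line); if (line == "") continue
                split(line, f, " "); actual[f[1]] = f[2]
            }
        }
        {
            line = norm($0); if (line == "") next
            split(line, f, " ")
            if (!(f[1] in actual)) {
                print "MISSING  " f[1]; n++
            } else if (actual[f[1]] != f[2]) {
                print "MISMATCH " f[1] " expected=" f[2] " actual=" actual[f[1]]; n++
            }
        }
        END { exit n }' "$1"
}

# --- constructed sample input (not captured from a real machine) ---
SAMPLE_DIR=$(mktemp -d)
EXPECTED="$SAMPLE_DIR/sysctl.conf"
ACTUAL="$SAMPLE_DIR/sysctl-a.txt"

cat > "$EXPECTED" <<'EOF'
# hardening values from the checklist
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
EOF

# a dump where ip_forward was re-enabled and rp_filter was never set
cat > "$ACTUAL" <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_timestamps = 0
EOF

audit_sysctl "$EXPECTED" "$ACTUAL" || echo "$? setting(s) need attention"
# prints:
#   MISMATCH net.ipv4.ip_forward expected=0 actual=1
#   MISSING  net.ipv4.conf.all.rp_filter
#   2 setting(s) need attention
```

On a real machine the second argument would be a file produced by sysctl -a, and a non-zero exit status can be wired into a cron job or monitoring check.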
- Use TCP Wrappers
echo "ALL:ALL" >> /etc/hosts.deny
echo "sshd:ALL" >> /etc/hosts.allow
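Those two lines rely on the order in which libwrap consults its files: a match in hosts.allow grants access, otherwise a match in hosts.deny refuses it, and otherwise access is granted, so ALL:ALL in hosts.deny closes every wrapped service that is not explicitly opened. Below is an added example, not from the original post and not libwrap's own code, that reproduces that decision for a constructed pair of files covering the sshd rule above and a sendmail-from-localhost-only rule like the one mentioned further down. It understands only ALL, LOCAL, exact names or addresses, and leading-dot or trailing-dot patterns; EXCEPT lists and address/mask forms are deliberately left out.

```shell
#!/bin/sh
# Added example, not from the original post: evaluate a (daemon, client)
# pair against hosts.allow and hosts.deny the way libwrap does.
#   1. a matching rule in hosts.allow  -> allow
#   2. otherwise a matching rule in hosts.deny -> deny
#   3. otherwise                        -> allow
# A missing file counts as having no rules, which is how libwrap treats it.
# Supported patterns: ALL, LOCAL (client name without a dot), an exact
# name/address, "192.168.1." (prefix) and ".example.com" (suffix).

# wrap_decision ALLOWFILE DENYFILE DAEMON CLIENT -> prints "allow" or "deny"
wrap_decision() {
    allow_file=$1
    [ -r "$allow_file" ] || allow_file=/dev/null
    awk -v daemon="$3" -v client="$4" -v denyfile="$2" '
        function pat_match(pat, token,    n) {
            gsub(/^[ \t]+|[ \t]+$/, "", pat)
            if (pat == "ALL") return 1
            if (pat == "LOCAL") return index(token, ".") == 0
            if (pat == token) return 1
            n = length(pat)
            if (n > 0 && substr(pat, n, 1) == "." && substr(token, 1, n) == pat) return 1
            if (n > 0 && substr(pat, 1, 1) == "." && length(token) >= n &&
                substr(token, length(token) - n + 1) == pat) return 1
            return 0
        }
        # comma-separated daemon_list or client_list
        function list_match(list, token,    parts, i, cnt) {
            cnt = split(list, parts, ",")
            for (i = 1; i <= cnt; i++) if (pat_match(parts[i], token)) return 1
            return 0
        }
        # a rule line is "daemon_list : client_list [: shell_command]"
        function rule_match(line,    f, cnt) {
            sub(/#.*/, "", line)
            cnt = split(line, f, ":")
            if (cnt < 2) return 0
            return list_match(f[1], daemon) && list_match(f[2], client)
        }
        # hosts.allow is the main input; the first match wins
        rule_match($0) { print "allow"; decided = 1; exit }
        END {
            if (decided) exit
            while ((getline line < denyfile) > 0)
                if (rule_match(line)) { print "deny"; exit }
            print "allow"
        }' "$allow_file"
}

# --- constructed sample files (not copied from a real host) ---
WRAP_DIR=$(mktemp -d)
ALLOW="$WRAP_DIR/hosts.allow"
DENY="$WRAP_DIR/hosts.deny"

cat > "$ALLOW" <<'EOF'
sshd: ALL
# mail submission only from the box itself
sendmail: 127.0.0.1, LOCAL
EOF

cat > "$DENY" <<'EOF'
# refuse everything not explicitly allowed above
ALL: ALL
EOF

wrap_decision "$ALLOW" "$DENY" sshd 203.0.113.5        # allow
wrap_decision "$ALLOW" "$DENY" sendmail localhost      # allow (LOCAL)
wrap_decision "$ALLOW" "$DENY" sendmail 203.0.113.5    # deny
wrap_decision "$ALLOW" "$DENY" vsftpd 127.0.0.1        # deny
```

The last case is the useful one: a daemon that nobody thought to list in hosts.allow is refused by the catch-all, which is the behaviour the ALL:ALL line is there to guarantee.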
- Disable remote root logins: edit /etc/ssh/sshd_config and make sure it has PermitRootLogin no
- Create a wheel group if it doesn't exist and add a line like this to the sudoers file (with visudo)
%wheel ALL=(ALL) ALL
- Add some users to the wheel group
gpasswd -a jtang wheel
- Check that selinux is enabled, and confine applications/users as needed, but generally speaking the defaults are fine.
sestatus
- Configure sendmail so I get system emails, and make sure TCP wrappers only allow localhost to connect to it.
- Configure shorewall; I edited these files:
- policy
- routestopped
- rules
- shorewall.conf
- interfaces
- zones