Complete CentOS secure server setup

complete-centos-secure-server-setup
Remove ambigous packages:

yum remove aspell libX11 dos2unix libselinux-python apmd nss_ldap wireless-tools \ pcmciautils iptables-ipv6 desktop-file-utils xorg-x11-filesystem talk gpm words \ nfs-utils-lib rp-pppoe irda-utils coolkey tcl oddjob-libs cups-libs bluez-libs

Disable unnecessary services. Type as root:

setup

Chose System services and uncheck:

anacron atd auditd cpuspeed kudzu mcstrans netfs pcscd portmap

Update all software:

yum update

Disable Ipv6. Edit /etc/sysconfig/network and set:

NETWORKING_IPV6=no HOSTNAME=sscserver

After that add the following to /etc/modprobe.conf:

alias ipv6 off alias net-pf-10 off

and reboot:

reboot

Install Apache, start it and put the webserver to startup:

yum install httpd httpd-devel service httpd start chkconfig httpd on

Secure Apache. Edit the config:

nano -w /etc/httpd/conf/httpd.conf

and set:

ServerSignature Off

Install PHP:

yum install php-common php-gd php-mcrypt php-pear php-pecl-memcache php-mhash \ php-mysql php-xml

Secure PHP. Open php.ini:

nano -w /etc/php.ini

and change the following:

safe_mode = Off register_globals = Off expose_php = Off allow_url_fopen = Off log_errors = On error_log = /var/log/phperror.log display_errors = off

Create a file for PHP errors:

touch /var/log/phperror.log chmod 666 /var/log/phperror.log

Restart webserver to load PHP:

service httpd restart

Test PHP. Create a file named 1.php in /var/www/html/ with the following contents:

<?php phpinfo(); ?>

Then point your browser to http://x.x.x.x/1.php

Install MySQL, start it and put the database server to startup:

yum install mysql mysql-server mysql-devel service mysqld start chkconfig mysqld on

Secure MySQL. Change MySQL root password:

mysql> USE mysql; mysql> UPDATE user SET Password=PASSWORD('pa$$w0rd') WHERE user='root';

Drop test database:

mysql> drop database test; mysql> DELETE FROM user WHERE user = ''; mysql> FLUSH PRIVILEGES;

Alter /etc/my.cnf and change the options:

local-infile=0 bind-address=127.0.0.1

Restart MySQL to make config changes to work:

service mysql restart

Install phpMyAdmin:

yum install phpmyadmin

Configure it. Open /etc/httpd/conf.d/phpmyadmin.conf and uncomment the line:

# Deny from all

Also, the configuration file now needs a secret passphrase. Open config:

nano -w /usr/share/phpmyadmin/config.inc.php

look for a line and enter a password:

$cfg['blowfish_secret'] = 'p@$$w0rd'; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */

Restart Apache to be able to acces phpMyAdmin:

service httpd restart

Test phpMyAdmin. Point your browser to http://x.x.x.x/phpmyadmin

Add the www.domain.tld virtual web site. Create directories:

mkdir -p /home/domain.tld/{public_html,logs} chown -R apache:apache /home/domain.tld

Open config:

nano -w /etc/httpd/conf/httpd.conf

Alter NameVirtualHost directive:

NameVirtualHost ip.address:80

Add the following VirtualHost container and paste it at the end of the file:

<VirtualHost ip.address:80> ServerAdmin webmaster@domain.tld ServerName www.domain.tld ServerAlias domain.tld DocumentRoot /home/domain.tld/public_html <Directory /> Options -Indexes FollowSymLinks AllowOverride None Order allow,deny allow from all </Directory> ErrorLog /home/domain.tld/logs/domain.tld-error_log CustomLog /home/domain.tld/logs/domain.tld-access_log common </VirtualHost>

Test the syntax:

httpd -t httpd -D DUMP_VHOSTS

Restart Apache:

service httpd restart

Install Webmin. Navigate to http://www.webmin.com/download.html and download a RPM package:

wget http://prdownloads.sourceforge.net/webadmin/webmin-1.470-1.noarch.rpm rpm -ivh webmin-1.470-1.noarch.rpm

Point your browser to: http://ip.address:10000 and login with your root password:

Secure server. Change your root password:

passwd

For security reasons we will add a new user sscadmin for administration purposes:

adduser sscadmin && passwd sscadmin

Add the user sscadmin to the wheel group:

usermod -a -G wheel sscadmin

User sscadmin will use sudo for administrative tasks. Ensure the wheel group has the correct privileges. Run:

visudo

and uncomment the line:

%wheel ALL=(ALL) ALL

to allow people in group wheel to have full sudo privileges

Secure SSH access to the server - use a public/private key. On local machine create SSH keys:

ssh-keygen -t dsa

Copy the public key to the server. Issue this on your local machine:

scp ~/.ssh/id_dsa.pub sscadmin@ip.address:~/.ssh/authorized_keys2

Edit config file to secure the daemon:

sudo nano /etc/ssh/sshd_config

and set:

Port 2202 PermitRootLogin no

Restart SSHd:

service sshd restart

Secure temporary folders:

dd if=/dev/zero of=/home/tmpmnt bs=1024 count=1024000 mke2fs /home/tmpmnt cp -R /tmp/ /tmp_backup mount -o loop,rw,nosuid,noexec /home/tmpmnt /tmp chmod 1777 /tmp cp -R /tmp_backup/* /tmp/

Modify /etc/fstab and add the line:

/home/tmpmnt /tmp ext2 loop,rw,nosuid,noexec 0 0

Secure /var/tmp:

mv /var/tmp /tmp_backup ln -s /tmp /var/tmp cp -R /tmp_backup/* /tmp/ ls -al /tmp

Install CSF (ConfigServer Security & Firewall):

cd /root/work wget http://www.configserver.com/free/csf.tgz tar -xzf csf.tgz cd csf sh install.sh rm -Rf /root/work/csf*

Next, test whether you have the required iptables modules:

perl /etc/csf/csftest.pl

Backup orginal config:

cp /etc/csf/csf.conf /etc/csf/csf.conf.bak

Edit the current config:

nano -w /etc/csf/csf.conf

Changes from orginal config:

AUTO_UPDATES = "1" LF_DSHIELD = "86400" LF_SPAMHAUS = "86400" LF_BOGON = "86400"

Start CSF:

service csf start

Now relogin again, and if it works you can disable testing mode. Open config:

nano -w /etc/csf/csf.conf

Find:

TESTING = "1"

and change it to:

TESTING = "0"

In case of bad config CSF will flush iptables after 5 minutes.

Restart CSF:

service csf restart

Install the CSF Webmin module. Go to:
Webmin > Webmin Configuration > Webmin Modules >
From local file > /etc/csf/csfwebmin.tgz > Install Module

Perform security test. Go to System > ConfigServer Security & Firewall > Check Server Security

Install PostgreSQL database server

yum install postgresql postgresql-server

Start it and set it to run at startup:

service postgresql start chkconfig postgresql on

Connect to PostgreSQL server:

su - postgres psql -d template1 -U postgres

You'll get the following output:

Welcome to psql 8.1.11, the PostgreSQL interactive terminal. Type: \copyright for distribution terms \h for help with SQL commands \? for help with psql commands \g or terminate with semicolon to execute query \q to quit template1=#

Install Postfix and remove Sendmail:

yum install postfix yum remove sendmail

Edit Postfix configuration file and change the following lines:

queue_directory = /var/spool/postfix command_directory = /usr/sbin daemon_directory = /usr/libexec/postfix mail_owner = postfix inet_interfaces = all mydestination = $myhostname, localhost.$mydomain, localhost unknown_local_recipient_reject_code = 550 alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases debug_peer_level = 2 debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb $daemon_directory/$process_name $process_id & sleep 5 sendmail_path = /usr/sbin/sendmail.postfix newaliases_path = /usr/bin/newaliases.postfix mailq_path = /usr/bin/mailq.postfix setgid_group = postdrop html_directory = no manpage_directory = /usr/share/man sample_directory = /usr/share/doc/postfix-2.3.3/samples readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES smtpd_sasl_local_domain = smtpd_sasl_auth_enable = yes broken_sasl_auth_clients = yes smtpd_sasl_authenticated_header = yes smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination smtpd_sasl_security_options = noanonymous mynetworks = 127.0.0.0/8 smtpd_tls_auth_only = no smtp_use_tls = yes smtpd_use_tls = yes smtp_tls_note_starttls_offer = yes smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem smtpd_tls_loglevel = 1 smtpd_tls_received_header = yes smtpd_tls_session_cache_timeout = 3600s tls_random_source = dev:/dev/urandom myhostname = domain.tld

Setup SASL + TLS to authenticate users. Install the required software:

yum install cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi cyrus-sasl-md5 \ cyrus-sasl-plain

Edit config file to allow plain and login logins:

nano -w /usr/lib/sasl2/smtpd.conf

and add the following:

pwcheck_method: saslauthd mech_list: plain login

Create the certificates for TLS:

mkdir /etc/postfix/ssl cd /etc/postfix/ssl/ openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024 chmod 600 smtpd.key openssl req -new -key smtpd.key -out smtpd.csr openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt openssl rsa -in smtpd.key -out smtpd.key.unencrypted mv -f smtpd.key.unencrypted smtpd.key openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

Install Dovecot:

yum install dovecot

Open the Dovecot config file /etc/dovecot.conf and make the following changes:

protocols = imap imaps pop3 pop3s

Install Squirrelmail. Setup the Squirrelmail under Apache. Open /etc/httpd/conf/httpd.conf and insert the following lines:

Alias /squirrelmail "/usr/share/squirrelmail" <Directory /usr/share/squirrelmail/> Options Indexes AllowOverride none DirectoryIndex index.php Order allow,deny allow from all </Directory>

Run the configuration utility and set the server settings to SMTP and change your domain name to domain.tld:

/usr/share/squirrelmail/config/conf.pl

Restart all email services:

service postfix start service dovecot start service saslauthd start service httpd restart

Create a local user (to test the email):

adduser dima -s /sbin/nologin

Update a password for it:

passwd dima

To test the email open Squirrelmail and enter the username and the password

Make email services to run at startup:

chkconfig --levels 235 sendmail off chkconfig --levels 235 postfix on chkconfig --levels 235 saslauthd on chkconfig --levels 235 dovecot on

Sursa
2009-05-21 17:05:21



Comenteaza





Ultimele 25 posturi adăugate

11:40:13BANZAI —» Andrei LANGA. Blogul personal
05:56:05JURNAL 1977 —» Leo Butnaru
05:40:15POEM ÎNCIFRAT —» Andrei LANGA. Blogul personal
12:37:19Ce rămâne din noi —» Andrei LANGA. Blogul personal
06:32:32O CREIONARE DESPRE... CREIOANE —» Leo Butnaru
07:36:25ÎN PALMA LUI DUMNEZEU —» Leo Butnaru
14:22:53DIN LEOLOGISME —» Leo Butnaru
13:45:08UMBRĂ —» Andrei LANGA. Blogul personal
10:23:51Drujbaşi în boscheți. Defrișări în serie, Parcul IOR! —» Curaj.TV | Media alternativă
10:00:00Sancţiuni în contextul războiului din Ucraina. Georgia are „preşedinte” —» Curaj.TV | Media alternativă
06:54:55ÎN MEMORIA MAȘINII DE SCRIS —» Leo Butnaru
05:47:41CÂNTEC —» Andrei LANGA. Blogul personal
21:54:34Pastila contraceptivă și conștiința împovărată – Vasile Filat —» Moldova Creștină
12:43:18EROS —» Andrei LANGA. Blogul personal
12:41:20POEM ÎNCIFRAT —» Andrei LANGA. Blogul personal
11:11:56APOCALIPSĂ —» Andrei LANGA. Blogul personal
11:08:12ÎNCEPUT/ EL PRINCIPIO —» Andrei LANGA. Blogul personal
06:42:08CALENDAR —» Leo Butnaru
08:21:58Cartea cărților —» Leo Butnaru
21:32:52Dezbateri la Parlamentul Republicii Moldova —» Liceul Teoretic “Mihail Sadoveanu”, Călăraşi
20:26:44Până la ce vârstă trebuie să asculți de părinți dacă te simți ca un rob? – Vasile Filat —» Moldova Creștină
07:58:45Feteasca Neagră Vintage, preferata Vernisajului —» Fine Wine
06:52:54INTERMEZZO ÎNTRE ANI 2024 / 2025 —» Leo Butnaru
07:25:40După ore de ședință lirică —» Leo Butnaru
12:57:10POEM CIFRAT —» Andrei LANGA. Blogul personal