Complete CentOS secure server setup
Remove unnecessary packages:

    yum remove aspell libX11 dos2unix libselinux-python apmd nss_ldap wireless-tools \
        pcmciautils iptables-ipv6 desktop-file-utils xorg-x11-filesystem talk gpm words \
        nfs-utils-lib rp-pppoe irda-utils coolkey tcl oddjob-libs cups-libs bluez-libs

Disable unnecessary services. Type as root:

Choose System services and uncheck:

    anacron atd auditd cpuspeed kudzu mcstrans netfs pcscd portmap

Update all software:

    yum update

Disable IPv6. Edit /etc/sysconfig/network and set:

    NETWORKING_IPV6=no
    HOSTNAME=sscserver

After that add the following to /etc/modprobe.conf:

    alias ipv6 off
    alias net-pf-10 off

and reboot:

    reboot

Install Apache, start it and add the webserver to startup:

    yum install httpd httpd-devel
    service httpd start
    chkconfig httpd on

Secure Apache. Edit the config:

    nano -w /etc/httpd/conf/httpd.conf

and set:

    ServerSignature Off

Install PHP:

    yum install php-common php-gd php-mcrypt php-pear php-pecl-memcache php-mhash \
        php-mysql php-xml

Secure PHP. Open php.ini:

    nano -w /etc/php.ini

and change the following:

    safe_mode = Off
    register_globals = Off
    expose_php = Off
    allow_url_fopen = Off
    log_errors = On
    error_log = /var/log/phperror.log
    display_errors = off

Create a file for PHP errors:

    touch /var/log/phperror.log
    chmod 666 /var/log/phperror.log

Restart the webserver to load PHP:

    service httpd restart

Test PHP. Create a file named 1.php in /var/www/html/ with the following contents:

    <?php phpinfo(); ?>

Then point your browser to http://x.x.x.x/1.php

Install MySQL, start it and add the database server to startup:

    yum install mysql mysql-server mysql-devel
    service mysqld start
    chkconfig mysqld on

Secure MySQL. Change the MySQL root password:

    mysql> USE mysql;
    mysql> UPDATE user SET Password=PASSWORD('pa$$w0rd') WHERE user='root';

Drop the test database and remove the anonymous accounts:

    mysql> drop database test;
    mysql> DELETE FROM user WHERE user = '';
    mysql> FLUSH PRIVILEGES;

Alter /etc/my.cnf and change the options:

    local-infile=0
    bind-address=127.0.0.1

Restart MySQL for the config changes to take effect (the init script installed above is called mysqld):

    service mysqld restart

Install phpMyAdmin:

    yum install phpmyadmin

Configure it. Open /etc/httpd/conf.d/phpmyadmin.conf and uncomment the line:

    # Deny from all

Also, the configuration file now needs a secret passphrase. Open the config:

    nano -w /usr/share/phpmyadmin/config.inc.php

look for the following line and enter a password:

    $cfg['blowfish_secret'] = 'p@$$w0rd'; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */

Restart Apache to be able to access phpMyAdmin:

    service httpd restart

Test phpMyAdmin. Point your browser to http://x.x.x.x/phpmyadmin

Add the www.domain.tld virtual web site. Create the directories:

    mkdir -p /home/domain.tld/{public_html,logs}
    chown -R apache:apache /home/domain.tld

Open the config:

    nano -w /etc/httpd/conf/httpd.conf

Alter the NameVirtualHost directive:

    NameVirtualHost ip.address:80

Paste the following VirtualHost container at the end of the file:

    <VirtualHost ip.address:80>
        ServerAdmin webmaster@domain.tld
        ServerName www.domain.tld
        ServerAlias domain.tld
        DocumentRoot /home/domain.tld/public_html
        <Directory />
            Options -Indexes FollowSymLinks
            AllowOverride None
            Order allow,deny
            allow from all
        </Directory>
        ErrorLog /home/domain.tld/logs/domain.tld-error_log
        CustomLog /home/domain.tld/logs/domain.tld-access_log common
    </VirtualHost>

Test the syntax:

    httpd -t
    httpd -D DUMP_VHOSTS

Restart Apache:

    service httpd restart

Install Webmin. Navigate to http://www.webmin.com/download.html and download an RPM package:

    wget http://prdownloads.sourceforge.net/webadmin/webmin-1.470-1.noarch.rpm
    rpm -ivh webmin-1.470-1.noarch.rpm

Point your browser to http://ip.address:10000 and log in with your root password.

Secure the server. Change your root password:

    passwd

For security reasons we will add a new user sscadmin for administration purposes:

    adduser sscadmin && passwd sscadmin

Add the user sscadmin to the wheel group:

    usermod -a -G wheel sscadmin

User sscadmin will use sudo for administrative tasks. Ensure the wheel group has the correct privileges. Run:

    visudo

and uncomment the line:

    %wheel ALL=(ALL) ALL

to give members of the wheel group full sudo privileges.

Secure SSH access to the server by using a public/private key pair. On your local machine create the SSH keys:

    ssh-keygen -t dsa

Copy the public key to the server. Issue this on your local machine:

    scp ~/.ssh/id_dsa.pub sscadmin@ip.address:~/.ssh/authorized_keys2

Edit the config file to secure the daemon:

    sudo nano /etc/ssh/sshd_config

and set:

    Port 2202
    PermitRootLogin no

Restart SSHd:

    service sshd restart
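Package upgrades can quietly rewrite php.ini or sshd_config, so it is worth re-checking the PHP values set above and the two sshd settings just edited. The script below is an added example, not part of the original guide: one awk helper parses both file styles, and it runs here against constructed sample files (on the real host pass /etc/php.ini and /etc/ssh/sshd_config instead).

```shell
# check_directive FILE KEY EXPECTED [first|last]
# Accepts "KEY = VALUE" (php.ini, my.cnf) and "KEY VALUE" (sshd_config) lines and
# skips '#'/';' comments. php.ini honours the LAST occurrence of a key, sshd_config
# the FIRST, so the caller says which one is effective. Exit status 1 on mismatch.
check_directive() {
  file=$1 key=$2 want=$3 policy=${4:-last}
  have=$(awk -v k="$key" -v p="$policy" '
    /^[ \t]*[#;]/ { next }                       # whole-line comment
    { line = $0; sub(/[ \t]*[#;].*$/, "", line)  # trailing comment
      if (match(line, "^[ \t]*" k "[ \t]*(=|[ \t])")) {
        val = substr(line, RLENGTH + 1)
        gsub(/^[ \t]+/, "", val); gsub(/[ \t]+$/, "", val)
        if (p == "first") { print val; exit }
        last = val; found = 1
      } }
    END { if (p != "first" && found) print last }' "$file")
  if [ "$(printf %s "$have" | tr '[:upper:]' '[:lower:]')" = "$(printf %s "$want" | tr '[:upper:]' '[:lower:]')" ]; then
    printf 'OK       %-18s %s\n' "$key" "$have"; return 0
  fi
  printf 'MISMATCH %-18s want=%s have=%s\n' "$key" "$want" "${have:-<unset>}"; return 1
}

# audit_hardening PHP_INI SSHD_CONFIG -> exit status is the number of mismatches
audit_hardening() {
  bad=0
  for pair in safe_mode=Off register_globals=Off expose_php=Off allow_url_fopen=Off \
              log_errors=On display_errors=off error_log=/var/log/phperror.log; do
    check_directive "$1" "${pair%%=*}" "${pair#*=}" last || bad=$((bad + 1))
  done
  check_directive "$2" Port 2202 first          || bad=$((bad + 1))
  check_directive "$2" PermitRootLogin no first || bad=$((bad + 1))
  echo "mismatches: $bad"; return "$bad"
}

# Constructed samples: the files as the guide leaves them, and stock ones where
# register_globals is on and the sshd lines are still commented out (= defaults).
SAMPLES=$(mktemp -d)
printf 'safe_mode = Off\nregister_globals = Off\nexpose_php = Off\nallow_url_fopen = Off\n' > "$SAMPLES/hardened.ini"
printf 'log_errors = On\nerror_log = /var/log/phperror.log\ndisplay_errors = off\n' >> "$SAMPLES/hardened.ini"
printf 'Port 2202\nPermitRootLogin no\n' > "$SAMPLES/hardened.sshd"
printf 'safe_mode = Off\nregister_globals = On ; distro default\nexpose_php = On\n' > "$SAMPLES/stock.ini"
printf 'allow_url_fopen = On\nlog_errors = Off\ndisplay_errors = On\n' >> "$SAMPLES/stock.ini"
printf '#Port 22\n#PermitRootLogin yes\n' > "$SAMPLES/stock.sshd"
```

Run `audit_hardening /etc/php.ini /etc/ssh/sshd_config` from cron or before each restart; a non-zero exit status lists exactly which directive drifted.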
Secure the temporary folders:

    dd if=/dev/zero of=/home/tmpmnt bs=1024 count=1024000
    mke2fs /home/tmpmnt
    cp -R /tmp/ /tmp_backup
    mount -o loop,rw,nosuid,noexec /home/tmpmnt /tmp
    chmod 1777 /tmp
    cp -R /tmp_backup/* /tmp/

Modify /etc/fstab and add the line:

    /home/tmpmnt /tmp ext2 loop,rw,nosuid,noexec 0 0

Secure /var/tmp:

    mv /var/tmp /tmp_backup
    ln -s /tmp /var/tmp
    cp -R /tmp_backup/* /tmp/
    ls -al /tmp
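Whether the nosuid,noexec mount and the /var/tmp redirection survived the next reboot is easy to verify; the functions below are an added example, not from the original guide. They read a table in /proc/mounts or /etc/fstab format (constructed samples here; pass the real file on the host) and resolve the /var/tmp symlink under a root directory you name.

```shell
# mount_opts TABLE MOUNTPOINT -> the option field of that mountpoint (last entry
# wins, which is the top-most mount). Works on /proc/mounts and on /etc/fstab,
# since both put the mountpoint in field 2 and the options in field 4.
mount_opts() {
  awk -v mp="$2" '$2 == mp { opts = $4 } END { print opts }' "$1"
}

# has_opt OPTLIST NAME -> true only if NAME is one whole comma-separated option;
# a plain grep for "exec" would happily match "noexec" too.
has_opt() {
  printf '%s\n' "$1" | tr ',' '\n' | grep -qx -- "$2"
}

# tmp_hardened TABLE -> 0 if /tmp is its own mount with nosuid and noexec, else 1
tmp_hardened() {
  opts=$(mount_opts "$1" /tmp)
  [ -n "$opts" ] || { echo "/tmp is not a separate mount"; return 1; }
  for o in nosuid noexec; do
    has_opt "$opts" "$o" || { echo "/tmp lacks $o (options: $opts)"; return 1; }
  done
  echo "/tmp ok: $opts"
}

# var_tmp_redirected ROOT -> 0 if ROOT/var/tmp is the symlink to /tmp created above
var_tmp_redirected() {
  [ "$(readlink "${1:-}/var/tmp" 2>/dev/null)" = /tmp ]
}

# Constructed tables: one as the guide leaves the system, one where /tmp is a
# plain tmpfs that still allows execution.
SAMPLES=$(mktemp -d)
printf '/dev/sda1 / ext3 rw 0 0\n/dev/loop0 /tmp ext2 rw,nosuid,noexec 0 0\n' > "$SAMPLES/mounts.good"
printf '/dev/sda1 / ext3 rw 0 0\ntmpfs /tmp tmpfs rw,nodev 0 0\n' > "$SAMPLES/mounts.bad"
```

On the live host: `tmp_hardened /proc/mounts && tmp_hardened /etc/fstab && var_tmp_redirected /`.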
Install CSF (ConfigServer Security & Firewall):

    cd /root/work
    wget http://www.configserver.com/free/csf.tgz
    tar -xzf csf.tgz
    cd csf
    sh install.sh
    rm -Rf /root/work/csf*

Next, test whether you have the required iptables modules:

    perl /etc/csf/csftest.pl

Back up the original config:

    cp /etc/csf/csf.conf /etc/csf/csf.conf.bak

Edit the current config:

    nano -w /etc/csf/csf.conf

Changes from the original config:

    AUTO_UPDATES = "1"
    LF_DSHIELD = "86400"
    LF_SPAMHAUS = "86400"
    LF_BOGON = "86400"

Start CSF:

    service csf start

Now log in again, and if that works you can disable testing mode. Open the config:

    nano -w /etc/csf/csf.conf

Find:

    TESTING = "1"

and change it to:

    TESTING = "0"

While testing mode is on, CSF flushes iptables after 5 minutes in case of a bad config.

Restart CSF:

    service csf restart

Install the CSF Webmin module. Go to:

    Webmin > Webmin Configuration > Webmin Modules > From local file > /etc/csf/csfwebmin.tgz > Install Module

Perform a security test. Go to System > ConfigServer Security & Firewall > Check Server Security

Install the PostgreSQL database server:

    yum install postgresql postgresql-server

Start it and set it to run at startup:

    service postgresql start
    chkconfig postgresql on

Connect to the PostgreSQL server:

    su - postgres
    psql -d template1 -U postgres

You'll get the following output:

    Welcome to psql 8.1.11, the PostgreSQL interactive terminal.

    Type:  \copyright for distribution terms
           \h for help with SQL commands
           \? for help with psql commands
           \g or terminate with semicolon to execute query
           \q to quit

    template1=#

Install Postfix and remove Sendmail:

    yum install postfix
    yum remove sendmail

Edit the Postfix configuration file (/etc/postfix/main.cf) and change the following lines:

    queue_directory = /var/spool/postfix
    command_directory = /usr/sbin
    daemon_directory = /usr/libexec/postfix
    mail_owner = postfix
    inet_interfaces = all
    mydestination = $myhostname, localhost.$mydomain, localhost
    unknown_local_recipient_reject_code = 550
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    debug_peer_level = 2
    debugger_command =
        PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
        xxgdb $daemon_directory/$process_name $process_id & sleep 5
    sendmail_path = /usr/sbin/sendmail.postfix
    newaliases_path = /usr/bin/newaliases.postfix
    mailq_path = /usr/bin/mailq.postfix
    setgid_group = postdrop
    html_directory = no
    manpage_directory = /usr/share/man
    sample_directory = /usr/share/doc/postfix-2.3.3/samples
    readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
    smtpd_sasl_local_domain =
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
    smtpd_sasl_security_options = noanonymous
    mynetworks = 127.0.0.0/8
    smtpd_tls_auth_only = no
    smtp_use_tls = yes
    smtpd_use_tls = yes
    smtp_tls_note_starttls_offer = yes
    smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
    smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
    smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom
    myhostname = domain.tld

Set up SASL + TLS to authenticate users. Install the required software:

    yum install cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi cyrus-sasl-md5 \
        cyrus-sasl-plain

Edit the config file to allow plain and login logins:

    nano -w /usr/lib/sasl2/smtpd.conf

and add the following:

    pwcheck_method: saslauthd
    mech_list: plain login

Create the certificates for TLS:

    mkdir /etc/postfix/ssl
    cd /etc/postfix/ssl/
    openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
    chmod 600 smtpd.key
    openssl req -new -key smtpd.key -out smtpd.csr
    openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
    openssl rsa -in smtpd.key -out smtpd.key.unencrypted
    mv -f smtpd.key.unencrypted smtpd.key
    openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
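The interactive prompts above make it easy to end up with a smtpd.crt that was signed with a different key than the smtpd.key Postfix is later pointed at, and smtpd then refuses STARTTLS. The following is an added example, not from the original guide: it builds the same key/CSR/certificate set non-interactively (the output directory, the -subj string and the 2048-bit key size are this example's choices, not the guide's) and checks that key and certificate belong together before Postfix is restarted.

```shell
# make_smtpd_cert DIR SUBJECT -> writes smtpd.key (unencrypted, mode 0600), smtpd.csr
# and a 10-year self-signed smtpd.crt into DIR, without interactive prompts.
# 2048-bit RSA is this example's choice; the guide above uses 1024.
make_smtpd_cert() {
  dir=$1 subj=$2
  mkdir -p "$dir" || return 1
  # genrsa without -des3 writes the key unencrypted, so no decrypt/rename step is needed
  openssl genrsa -out "$dir/smtpd.key" 2048 2>/dev/null || return 1
  chmod 600 "$dir/smtpd.key"
  openssl req -new -key "$dir/smtpd.key" -subj "$subj" -out "$dir/smtpd.csr" 2>/dev/null || return 1
  openssl x509 -req -days 3650 -in "$dir/smtpd.csr" -signkey "$dir/smtpd.key" \
      -out "$dir/smtpd.crt" 2>/dev/null
}

# keypair_matches KEY CERT -> 0 when the certificate carries KEY's public key, i.e. the
# files named in smtpd_tls_key_file and smtpd_tls_cert_file really belong together.
# Both commands print "Modulus=<hex>", so the two strings can be compared directly.
keypair_matches() {
  k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
  c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}
```

After `make_smtpd_cert /etc/postfix/ssl "/CN=mail.domain.tld"`, run `keypair_matches /etc/postfix/ssl/smtpd.key /etc/postfix/ssl/smtpd.crt` and only then restart Postfix.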
Install Dovecot:

    yum install dovecot

Open the Dovecot config file /etc/dovecot.conf and make the following change:

    protocols = imap imaps pop3 pop3s

Install Squirrelmail. Set up Squirrelmail under Apache: open /etc/httpd/conf/httpd.conf and insert the following lines:

    Alias /squirrelmail "/usr/share/squirrelmail"
    <Directory /usr/share/squirrelmail/>
        Options Indexes
        AllowOverride none
        DirectoryIndex index.php
        Order allow,deny
        allow from all
    </Directory>

Run the configuration utility, set the server settings to SMTP and change the domain name to domain.tld:

    /usr/share/squirrelmail/config/conf.pl

Restart all email services:

    service postfix start
    service dovecot start
    service saslauthd start
    service httpd restart

Create a local user (to test the email):

    adduser dima -s /sbin/nologin

Set a password for it:

    passwd dima

To test the email, open Squirrelmail and enter the username and the password.

Make the email services run at startup:

    chkconfig --levels 235 sendmail off
    chkconfig --levels 235 postfix on
    chkconfig --levels 235 saslauthd on
    chkconfig --levels 235 dovecot on

Source
2009-05-21 17:05:21