####
# Centos 5.2, 5.3
# hardening, customizing and removing excess
#
# Boardstretcher: Updated June 6, 2010
#
####
# Contents:
#
# EXCESS:
# Service Definitions
# Remove Services
# Remove IP6
# Remove RPMs
#
# CUSTOMIZE:
# Add date to history
# Colorized grep, dir and prompt
#
# HARDEN:
# Protect webserver upload directory
# Require password for single user mode
# Disable USB storage in kernel
# Allow root login only from console
# Store passwords in sha512 rather than md5
# Install Intrusion Detection System
####
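#################################################
#DISABLING EXCESS STUFF
#################################################
#DISABLE SELINUX (SET TO DISABLED/DISABLED)
#
#I leave SELINUX on when I am using the box as a webserver. Otherwise,
#I turn it off.  (The second half of this sentence was line-wrapped in the
#original post and would have run "I" as a command.)
#Prefer "permissive" over "disabled" on any box that untrusted clients can
#reach: permissive still logs AVC denials, so you keep the audit trail and
#can move back to enforcing later without relabelling the filesystem.
#This TUI is interactive; it also asks about the firewall.
system-config-securitylevel-tui
#Switching SELinux between disabled and enabled/permissive only takes
#effect on the next boot.
reboot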
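#Service DEFINITIONS:
# avahi-daemon               mDNS / zeroconf service discovery
# NetworkManager             desktop/wireless network management
# NetworkManagerDispatcher   NetworkManager event scripts
# anacron                    runs cron.daily/weekly/monthly jobs missed while off
# atd                        one-shot "at" jobs
# bluetooth / hidd           bluetooth, bluetooth input devices
# cpuspeed                   CPU frequency scaling
# cups                       printer daemon
# gpm                        console mouse pointer
# ip6tables / iptables       IPv6 / IPv4 packet filter
# irda                       infrared
# mdmonitor / mdmpd          software RAID monitoring
# pcscd                      smart card daemon
# portmap                    RPC port mapper (needed by NFS / NIS)
# yum-updatesd               yum update notifier
# smartd                     S.M.A.R.T. hard disk monitoring
# firstboot                  first-boot setup, only useful once
#REMOVE SERVICES: (Paste from this)
#
#Obviously you should only remove what you don't need.  In particular:
#  - iptables/ip6tables: the original note said "doesn't need a firewall".
#    Leave them ON for any host reachable from an untrusted network; a host
#    firewall is cheap defence in depth even behind a perimeter firewall.
#  - mdmonitor/smartd: keep them if the box has real disks or software RAID.
#  - anacron/atd: keep them if anything is scheduled through them.
#One loop replaces the original two lists, which had three duplicated stop
#lines, a "Service smartd stop" typo (capital S -> command not found) and
#an "atd" that was stopped but never disabled at boot.  A service that is
#not installed just prints an error and is skipped.
for svc in avahi-daemon NetworkManager NetworkManagerDispatcher anacron atd \
    bluetooth cpuspeed cups gpm hidd ip6tables iptables irda mdmonitor mdmpd \
    pcscd portmap yum-updatesd smartd firstboot; do
  chkconfig "$svc" off    # do not start at boot
  service "$svc" stop     # and stop the running instance now
done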
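#REMOVE IP6 SUPPORT:
#Only do this if nothing on the box needs IPv6.  The grep guards make the
#appends idempotent, so re-running the runbook does not duplicate lines.
grep -q '^alias ipv6 off' /etc/modprobe.conf || \
  echo "alias ipv6 off" >> /etc/modprobe.conf
grep -q '^alias net-pf-10 off' /etc/modprobe.conf || \
  echo "alias net-pf-10 off" >> /etc/modprobe.conf
#The target file is /etc/sysconfig/network as ONE path (it was line-wrapped
#in the original post, which would have run "network" as a command).
sed -i 's/^NETWORKING_IPV6=yes/NETWORKING_IPV6=no/' /etc/sysconfig/network
service network restart
#The modprobe aliases only apply when the module would next be loaded, so
#the ipv6 module stays until reboot.
reboot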
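#REMOVE USELESS RPMS
#Exact NEVRs from the original CentOS 5.2/5.3 post.  rpm -e also accepts the
#bare package name (e.g. "rpm -e unix2dos"), which survives point releases;
#rpm refuses to remove a package something else depends on, so a failure
#here is informative rather than dangerous.
rpm -e unix2dos-2.2-26.2.3.el5
rpm -e mkbootdisk-1.5.3-2.1.x86_64
rpm -e dosfstools-2.11-7.el5
rpm -e dos2unix-3.1-27.2.el5
rpm -e finger-0.17-32.2.1.1
rpm -e firstboot-tui-1.4.27.7-1.el5.centos
#UPDATE ALL SYSTEM PACKAGES and INSTALL YOUR KERNEL SOURCES
yum update
#Quote the glob: unquoted, bash expands kernel* against files in the current
#directory before yum ever sees it.  The pattern matches every package whose
#name starts with "kernel"; if you only need to build modules, kernel-devel
#is the one you actually want.
yum install 'kernel*'
#A newly installed kernel is only used after reboot.
reboot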
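#################################################
#CUSTOMIZATION
#################################################
#ADD DATE and TIME TO HISTORY OUTPUT
#Written to /etc/bashrc so every interactive bash user gets timestamps; the
#grep guard keeps re-runs from appending the line twice.
grep -q '^export HISTTIMEFORMAT=' /etc/bashrc || \
  echo "export HISTTIMEFORMAT=\"%h/%d - %H:%M:%S \"" >> /etc/bashrc
#ADD Color to GREP
#The same two lines go into root's profile and into the skeleton used for
#new accounts.  grep -s silences the "no such file" message when a profile
#does not exist yet; the >> then creates it, as the original did.
for profile in /root/.bash_profile /etc/skel/.bash_profile; do
  grep -qs '^export GREP_COLOR=' "$profile" || \
    echo "export GREP_COLOR='1;32'" >> "$profile"
  grep -qs '^export GREP_OPTIONS=' "$profile" || \
    echo "export GREP_OPTIONS=--color=auto" >> "$profile"
done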
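#BETTER DIRECTORY COLORS
#PUT IN FILE CALLED /root/.dircolors and /etc/skel/.dircolors
#Pasted bare, the lines below would be run as shell commands, so they are
#written with a quoted heredoc (nothing inside is expanded) and then copied
#to the skeleton so new accounts inherit them.  The STICKY_OTHER_WRITABLE
#comment was line-wrapped in the original post; it is one line here.
#On CentOS 5, /etc/profile.d/colorls.sh looks for ~/.dircolors at login --
#TODO confirm on your build; if it does not, add
#  eval "$(dircolors ~/.dircolors)"
#to the profile.
cat > /root/.dircolors <<'EOF'
COLOR tty
OPTIONS -F -T 0
TERM linux
TERM console
TERM con132x25
TERM con132x30
TERM con132x43
TERM con132x60
TERM con80x25
TERM con80x28
TERM con80x30
TERM con80x43
TERM con80x50
TERM con80x60
TERM cons25
TERM xterm
TERM rxvt
TERM xterm-color
TERM color-xterm
TERM vt100
TERM dtterm
TERM color_xterm
TERM ansi
TERM screen
TERM screen.linux
TERM kon
TERM kterm
TERM gnome
TERM konsole
EIGHTBIT 1
NORMAL 01;30
FILE 00;37
DIR 01;37
LINK 01;31
FIFO 40;33
SOCK 01;35
BLK 40;33;01
CHR 40;33;01
ORPHAN 01;05;37;41
MISSING 01;05;37;41
EXEC 01;34
SETUID 37;41 # file that is setuid (u+s)
SETGID 30;43 # file that is setgid (g+s)
STICKY_OTHER_WRITABLE 31;40 # dir that is sticky and other-writable (+t,o+w)
OTHER_WRITABLE 34;40 # dir that is other-writable (o+w) and not sticky
STICKY 37;44 # dir with the sticky bit set (+t) and not other-writable
.tar 01;36
.tgz 01;36
.gz 01;36
.bz2 01;36
.bz 01;36
EOF
cp /root/.dircolors /etc/skel/.dircolors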
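#BETTER COMMAND PROMPT
#PUT AT BOTTOM OF /root/.bash_profile and /etc/skel/.bash_profile
#Each CLrN is an ANSI colour escape wrapped in \[ \] so bash does not count
#it toward the prompt width (otherwise line editing misplaces the cursor).
#The mailing-list archive rewrote every "@" as "(at)"; the literal "@"
#separator and the \@ prompt escape (12-hour time with am/pm) are restored
#below, and the PS1 line that was wrapped across two lines is rejoined.
CLr0="\[\033[1;31m\]"
CLr1="\[\033[0;34m\]"
CLr2="\[\033[0;32m\]"
CLr3="\[\033[0;36m\]"
CLr4="\[\033[1;30m\]" # Brackets
CLr5="\[\033[0;35m\]"
CLr6="\[\033[0;33m\]"
CLr7="\[\033[0;37m\]" # Hostname
CLr8="\[\033[1;34m\]" # Username
CLr9="\[\033[1;34m\]"
CLr10="\[\033[1;32m\]"
CLr11="\[\033[1;36m\]"
CLr12="\[\033[1;32m\]" #directory
CLr13="\[\033[1;35m\]"
CLr14="\[\033[1;33m\]"
CLr15="\[\033[1;37m\]" # @ symbol
#Layout: (user@host)-(time date)-(cwd), then a new line ending in $ (or #
#for root, via \$) and a ">" prompt.  "\\$" inside double quotes becomes
#the \$ escape; "\n" stays literal and is expanded by bash when prompting.
PS1="$CLr4($CLr8\u$CLr15@$CLr7\h$CLr4)-($CLr7\@$CLr2 $CLr8\d$CLr4)-($CLr12\w$CLr4)$CLr1\n$CLr8\\$ $CLr15>$CLr7"
export PS1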
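#################################################
#HARDENING SECURITY
#################################################
#IF YOU ARE RUNNING A WEBSERVER WITH AN UPLOAD DIRECTORY, MAKE THE UPLOAD
#DIRECTORY A SEPARATE MOUNT POINT AND FLAG IT AS NOEXEC
#(The heading was line-wrapped in the original post, which would have run
#"UPLOAD" as a command.)  noexec alone is not enough: add nosuid so a
#dropped setuid binary is inert, and nodev so no device node can be created
#there.  fdisk is interactive and destructive -- double-check that /dev/sdb
#really is the spare disk before partitioning it.
fdisk /dev/sdb
mkfs -t ext3 /dev/sdb1
mkdir -p /mnt/upload
#Mount with the hardened options NOW and record the same options in fstab
#so they survive a reboot.  The original mounted with defaults and relied on
#a manual fstab edit, so the running mount stayed exec until remount.
mount -o noexec,nosuid,nodev /dev/sdb1 /mnt/upload
grep -q '^/dev/sdb1 ' /etc/fstab || \
  echo "/dev/sdb1 /mnt/upload ext3 defaults,noexec,nosuid,nodev 1 2" >> /etc/fstab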
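#LOCK DOWN SINGLE USER ACCESS IF THE SERVER IS PHYSICALLY ACCESSIBLE
#sulogin makes runlevel S ask for the root password.  It only helps if the
#bootloader is also password-protected: without a grub password, kernel
#arguments such as init=/bin/sh bypass inittab entirely.
#(/etc/inittab and the perl substitution were line-wrapped in the original
#post; each is one command here.)  The grep guard keeps re-runs from
#appending the entry twice.
grep -q '^~~:S:wait:/sbin/sulogin' /etc/inittab || {
  echo "#Require the root pw when booting into single user mode" >> /etc/inittab
  echo "~~:S:wait:/sbin/sulogin" >> /etc/inittab
}
#Comment out the ctrl-alt-del handler so a keyboard at the console cannot
#reboot the box.  -p already reads and prints every line, so the original
#-n was redundant.
perl -pi -e 's/^ca::ctrlaltdel:\/sbin\/shutdown/#ca::ctrlaltdel:\/sbin\/shutdown/' /etc/inittab
#Make init re-read inittab so both changes are live without a reboot.
telinit q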
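#DISABLE USB DRIVES IF SERVER IS ACCESSIBLE OR HAS SENSITIVE DATA
#"blacklist" only stops the module from being auto-loaded when a matching
#device appears; "install usb-storage /bin/true" additionally turns an
#explicit "modprobe usb-storage" into a no-op.  Both lines go in the same
#file (the > overwrite keeps the file idempotent).
cat > /etc/modprobe.d/blacklist-usbstorage <<'EOF'
blacklist usb-storage
install usb-storage /bin/true
EOF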
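#ALLOW ROOT LOGIN ONLY FROM CONSOLE OR VMWARE CONSOLE
#/etc/securetty lists the ttys on which login(1) accepts root; overwriting
#it with one entry leaves tty1 only.
echo "tty1" > /etc/securetty
chmod 700 /root
#DISALLOW ROOT SSH LOGIN (MUST SU TO ROOT)
#sshd honours the FIRST occurrence of a keyword.  Appending the line after a
#stock commented "#PermitRootLogin yes" works, but after an explicit
#"PermitRootLogin yes" the appended line is silently ignored.  Rewrite any
#existing line (commented or not) in place, append only if none exists,
#then syntax-check and reload so the change is actually live.  Make sure a
#non-root account you can ssh in as (and su from) exists BEFORE this runs.
sed -i 's/^#\?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
grep -q '^PermitRootLogin no' /etc/ssh/sshd_config || \
  echo "PermitRootLogin no" >> /etc/ssh/sshd_config
/usr/sbin/sshd -t && service sshd reload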
#PASSWORDS SHOULD BE STORED IN SHA512 INSTEAD OF MD5
#This only changes the algorithm used for hashes written from now on;
#existing entries in /etc/shadow keep their md5 hash until each password
#is next changed.
authconfig --passalgo=sha512 --update
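#INSTALL AND INITIALIZE AIDE (intrusion detection)
#**ANY TIME YOU MAKE A CHANGE TO THE SYSTEM -- YOU WILL HAVE TO
#RE-INITIALIZE THE DB.  Keep a copy of aide.db.gz (plus the aide binary and
#its config) somewhere the box cannot write -- read-only media or another
#host -- so an intruder with root cannot simply regenerate the baseline to
#match their changes.
yum install aide
aide --init
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
#script to email on differences in aide db
#Use mktemp rather than the fixed /tmp/aide.tmp.out: a predictable name in
#a world-writable directory can be pre-created or symlinked by any local
#user before root writes to it.  The trap removes the report on every exit.
report=$(mktemp /tmp/aide.XXXXXX) || exit 1
trap 'rm -f -- "$report"' EXIT
aide --check > "$report"
#The mailing-list archive rewrote "@" as "(at)"; the address below is a
#placeholder -- put a real mailbox here.  (The sendmail command was also
#line-wrapped in the original post.)
if grep -Fq "AIDE found differences" "$report"; then
  sendmail -v whoever@wherever.com < "$report"
fi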