Thanks. Nice collection :)

On Fri, Jul 9, 2010 at 1:38 AM, Boardstretcher <[email protected]> wrote:
> ####
> # Centos 5.2, 5.3
> # hardening, customizing and removing excess
> #
> # Boardstretcher: Updated June 6, 2010
> #
> ####
> # Contents:
> #
> # EXCESS:
> #   Service Definitions
> #   Remove Services
> #   Remove IP6
> #   Remove RPMs
> #
> # CUSTOMIZE:
> #   Add date to history
> #   Colorized grep, dir and prompt
> #
> # HARDEN:
> #   Protect webserver upload directory
> #   Require password for single user mode
> #   Disable USB storage in kernel
> #   Allow root login only from console
> #   Store passwords in sha512 rather than md5
> #   Install Intrusion Detection System
> ####
>
>
> #################################################
> #DISABLING EXCESS STUFF
> #################################################
>
> #DISABLE SELINUX (SET TO DISABLED/DISABLED)
> #
> #I leave SELINUX on when I am using the box as a webserver. Otherwise, I turn it off.
>
> system-config-securitylevel-tui
> reboot
>
> #Service DEFINITIONS:
>
> #chkconfig avahi-daemon off               #dhcp
> #chkconfig NetworkManager off             #wireless
> #chkconfig NetworkManagerDispatcher off   #wireless
> #chkconfig anacron off                    #runs @ time-of-day scripts
> #chkconfig bluetooth off                  #bluetooth
> #chkconfig cpuspeed off                   #changes speed of cpu
> #chkconfig cups off                       #printer daemon
> #chkconfig gpm off                        #mouse pointer
> #chkconfig hidd off                       #human interface input device
> #chkconfig ip6tables off                  #IP6
> #chkconfig iptables off                   #doesn't need a firewall
> #chkconfig irda off                       #infrared
> #chkconfig mdmonitor off                  #drive monitor
> #chkconfig mdmpd off                      #drive monitor
> #chkconfig pcscd off                      #pc card
> #chkconfig portmap off                    #port mapping
> #chkconfig yum-updatesd off               #yum updates
> #chkconfig smartd off                     #smartd hard disk monitoring
> #chkconfig firstboot off                  #only for first boot
>
>
> #REMOVE SERVICES: (Paste from this)
> #
> #Obviously you should only remove what you don't need
>
> chkconfig avahi-daemon off
> chkconfig NetworkManager off
> chkconfig NetworkManagerDispatcher off
> chkconfig anacron off
> chkconfig bluetooth off
> chkconfig cpuspeed off
> chkconfig cups off
> chkconfig gpm off
> chkconfig hidd off
> chkconfig ip6tables off
> chkconfig iptables off
> chkconfig irda off
> chkconfig mdmonitor off
> chkconfig mdmpd off
> chkconfig pcscd off
> chkconfig portmap off
> chkconfig yum-updatesd off
> chkconfig smartd off
> chkconfig firstboot off
> service pcscd stop
> service firstboot stop
> service anacron stop
> service cups stop
> service avahi-daemon stop
> service smartd stop
> service NetworkManager stop
> service NetworkManagerDispatcher stop
> service atd stop
> service bluetooth stop
> service cpuspeed stop
> service gpm stop
> service hidd stop
> service ip6tables stop
> service iptables stop
> service irda stop
> service mdmonitor stop
> service mdmpd stop
> service portmap stop
> service yum-updatesd stop
>
>
> #REMOVE IP6 SUPPORT:
>
> echo "alias ipv6 off" >> /etc/modprobe.conf
> echo "alias net-pf-10 off" >> /etc/modprobe.conf
> sed -i 's/NETWORKING_IPV6=yes/NETWORKING_IPV6=no/' /etc/sysconfig/network
> service network restart
> reboot
>
> #REMOVE USELESS RPMS
>
> rpm -e unix2dos-2.2-26.2.3.el5
> rpm -e mkbootdisk-1.5.3-2.1.x86_64
> rpm -e dosfstools-2.11-7.el5
> rpm -e dos2unix-3.1-27.2.el5
> rpm -e finger-0.17-32.2.1.1
> rpm -e firstboot-tui-1.4.27.7-1.el5.centos
>
>
> #UPDATE ALL SYSTEM PACKAGES and INSTALL YOUR KERNEL SOURCES
>
> yum update
> yum install kernel*
> reboot
>
> #################################################
> #CUSTOMIZATION
> #################################################
>
> #ADD DATE and TIME TO HISTORY OUTPUT
>
> echo "export HISTTIMEFORMAT=\"%h/%d - %H:%M:%S \"" >> /etc/bashrc
>
> #ADD Color to GREP
>
> echo "export GREP_COLOR='1;32'" >> /root/.bash_profile
> echo "export GREP_OPTIONS=--color=auto" >> /root/.bash_profile
> echo "export GREP_COLOR='1;32'" >> /etc/skel/.bash_profile
> echo "export GREP_OPTIONS=--color=auto" >> /etc/skel/.bash_profile
>
>
> #BETTER DIRECTORY COLORS
> #PUT IN FILE CALLED /root/.dircolors and /etc/skel/.dircolors
>
> COLOR tty
> OPTIONS -F -T 0
> TERM linux
> TERM console
> TERM con132x25
> TERM con132x30
> TERM con132x43
> TERM con132x60
> TERM con80x25
> TERM con80x28
> TERM con80x30
> TERM con80x43
> TERM con80x50
> TERM con80x60
> TERM cons25
> TERM xterm
> TERM rxvt
> TERM xterm-color
> TERM color-xterm
> TERM vt100
> TERM dtterm
> TERM color_xterm
> TERM ansi
> TERM screen
> TERM screen.linux
> TERM kon
> TERM kterm
> TERM gnome
> TERM konsole
> EIGHTBIT 1
> NORMAL 01;30
> FILE 00;37
> DIR 01;37
> LINK 01;31
> FIFO 40;33
> SOCK 01;35
> BLK 40;33;01
> CHR 40;33;01
> ORPHAN 01;05;37;41
> MISSING 01;05;37;41
> EXEC 01;34
> SETUID 37;41                 # file that is setuid (u+s)
> SETGID 30;43                 # file that is setgid (g+s)
> STICKY_OTHER_WRITABLE 31;40  # dir that is sticky and other-writable (+t,o+w)
> OTHER_WRITABLE 34;40         # dir that is other-writable (o+w) and not sticky
> STICKY 37;44                 # dir with the sticky bit set (+t) and not other-writable
> .tar 01;36
> .tgz 01;36
> .gz 01;36
> .bz2 01;36
> .bz 01;36
>
>
> #BETTER COMMAND PROMPT
> #PUT AT BOTTOM OF /root/.bash_profile and /etc/skel/.bash_profile
>
> CLr0="\[\033[1;31m\]"
> CLr1="\[\033[0;34m\]"
> CLr2="\[\033[0;32m\]"
> CLr3="\[\033[0;36m\]"
> CLr4="\[\033[1;30m\]"   # Brackets
> CLr5="\[\033[0;35m\]"
> CLr6="\[\033[0;33m\]"
> CLr7="\[\033[0;37m\]"   # Hostname
> CLr8="\[\033[1;34m\]"   # Username
> CLr9="\[\033[1;34m\]"
> CLr10="\[\033[1;32m\]"
> CLr11="\[\033[1;36m\]"
> CLr12="\[\033[1;32m\]"  # directory
> CLr13="\[\033[1;35m\]"
> CLr14="\[\033[1;33m\]"
> CLr15="\[\033[1;37m\]"  # @ symbol
>
> # \@ is bash's 12-hour clock escape, \d the date, \w the working directory
> PS1="$CLr4($CLr8\u$CLr15@$CLr7\h$CLr4)-($CLr7\@$CLr2 $CLr8\d $CLr4)-($CLr12\w$CLr4)$CLr1\n$CLr8\\$ $CLr15>$CLr7"
> export PS1
>
> #################################################
> #HARDENING SECURITY
> #################################################
>
> #IF YOU ARE RUNNING A WEBSERVER WITH AN UPLOAD DIRECTORY, MAKE THE UPLOAD DIRECTORY A SEPARATE MOUNT POINT
> #AND FLAG IT AS NOEXEC
> fdisk /dev/sdb
> mkfs -t ext3 /dev/sdb1
> mount /dev/sdb1 /mnt/upload
> vi /etc/fstab
> #add this line to /etc/fstab:
> /dev/sdb1 /mnt/upload ext3 defaults,noexec 1 2
>
> #LOCK DOWN SINGLE USER ACCESS IF THE SERVER IS PHYSICALLY ACCESSIBLE
> echo "#Require the root pw when booting into single user mode" >> /etc/inittab
> echo "~~:S:wait:/sbin/sulogin" >> /etc/inittab
> #comment out the ctrl-alt-del handler in place
> perl -pi -e 's/ca::ctrlaltdel:\/sbin\/shutdown/#ca::ctrlaltdel:\/sbin\/shutdown/' /etc/inittab
>
> #DISABLE USB DRIVES IF SERVER IS ACCESSIBLE OR HAS SENSITIVE DATA
> echo "blacklist usb-storage" > /etc/modprobe.d/blacklist-usbstorage
>
> #ALLOW ROOT LOGIN ONLY FROM CONSOLE OR VMWARE CONSOLE
> echo "tty1" > /etc/securetty
> chmod 700 /root
>
> #DISALLOW ROOT SSH LOGIN (MUST SU TO ROOT)
> echo "PermitRootLogin no" >> /etc/ssh/sshd_config
>
> #PASSWORDS SHOULD BE STORED IN SHA512 INSTEAD OF MD5
> authconfig --passalgo=sha512 --update
>
> #INSTALL AND INITIALIZE AIDE (intrusion detection)
> #**ANY TIME YOU MAKE A CHANGE TO THE SYSTEM -- YOU WILL HAVE TO RE-INITIALIZE THE DB
> yum install aide
> aide --init
> mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
>
> #script to email on differences in aide db
> aide --check > /tmp/aide.tmp.out
> grep -Fq "AIDE found differences" /tmp/aide.tmp.out && sendmail -v whoever@wherever.com < /tmp/aide.tmp.out
>
> --
> You received this message because you are subscribed to the Linux Users Group.
> To post a message, send email to [email protected]
> To unsubscribe, send email to [email protected]
> For more options, visit our group at http://groups.google.com/group/linuxusersgroup

--
-------------------------------------------------------------
"Penguin, penguin, and more penguin !"
www.madforubuntu.com
baudizm.blogsome.com
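A few checks for the hardening steps in the quoted post, added here as an example that is not part of the original message. Each helper reads the relevant file on stdin, so it can be tried on constructed samples without root; the sample mounts, sshd_config, shadow and modprobe.d lines below are made up for that purpose. The helpers also cover the caveats a practitioner would want next to those steps: the fstab line sets only noexec (nosuid and nodev are missing); sshd honours the first active occurrence of a keyword, so an appended "PermitRootLogin no" is ignored when an uncommented "PermitRootLogin yes" already sits above it; authconfig --passalgo=sha512 only affects passwords set afterwards, so existing MD5 ($1$) hashes stay until the user changes their password; and "blacklist usb-storage" only stops alias-based autoloading, whereas "install usb-storage /bin/true" turns every load attempt into a no-op. Only whitespace-separated sshd directives are handled (not the Key=value form), and Match blocks are not considered.

```shell
#!/bin/sh
# Audit helpers for the hardening steps above. Every function takes the
# relevant file's text on stdin so it can be run against constructed
# samples without root; comments name the real file to feed it on CentOS 5.

# --- upload mount: /proc/mounts on stdin, mount point as $1 ---------------
# Require noexec, nosuid and nodev on anything a web application can write.
mount_opts_ok() {
    awk -v mp="$1" '
        $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) have[o[i]] = 1
            if (have["noexec"] && have["nosuid"] && have["nodev"]) ok = 1
        }
        END { exit (ok ? 0 : 1) }'
}

# --- sshd_config: the FIRST active occurrence of a keyword wins -----------
sshd_effective() {            # $1 = keyword, /etc/ssh/sshd_config on stdin
    awk -v key="$1" '
        BEGIN { key = tolower(key) }
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }'
}

# Rewrite the config so exactly one active copy of the directive remains
# (drop every active occurrence, then append the wanted one).
sshd_set() {                  # $1 = keyword, $2 = value, config on stdin
    awk -v key="$1" -v val="$2" '
        BEGIN { lkey = tolower(key) }
        !/^[[:space:]]*#/ && NF >= 2 && tolower($1) == lkey { next }
        { print }
        END { print key " " val }'
}

# --- /etc/shadow: accounts whose hash is not SHA-512 ($6$) -----------------
# Locked or passwordless entries (!, !!, *, empty) are skipped.
shadow_weak_hashes() {
    awk -F: '$2 != "" && $2 !~ /^[!*]/ && $2 !~ /^\$6\$/ { print $1 }'
}

# --- modprobe config: "install ... /bin/true" beats "blacklist" -----------
usbstorage_policy() {         # cat /etc/modprobe.d/* on stdin
    conf=$(cat)
    if printf '%s\n' "$conf" | grep -Eq '^install[[:space:]]+usb-storage[[:space:]]+/bin/(true|false)'; then
        echo install
    elif printf '%s\n' "$conf" | grep -Eq '^blacklist[[:space:]]+usb-storage'; then
        echo blacklist
    else
        echo none
    fi
}

# --- constructed samples (not captured from a real box) -------------------
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,data=ordered 0 0
/dev/sdb1 /mnt/upload ext3 rw,noexec 0 0'
SAMPLE_SSHD='#PermitRootLogin yes
PermitRootLogin yes
Protocol 2
PermitRootLogin no'
SAMPLE_SHADOW='root:$6$abc$xyz:18000:0:99999:7:::
bin:*:18000:0:99999:7:::
legacy:$1$old$hash:18000:0:99999:7:::
svc:!!:18000:0:99999:7:::'
SAMPLE_MODPROBE='blacklist usb-storage'

printf '%s\n' "$SAMPLE_MOUNTS" | mount_opts_ok /mnt/upload \
    || echo "upload mount is missing noexec, nosuid or nodev"
echo "effective PermitRootLogin: $(printf '%s\n' "$SAMPLE_SSHD" | sshd_effective PermitRootLogin)"
echo "after sshd_set:            $(printf '%s\n' "$SAMPLE_SSHD" | sshd_set PermitRootLogin no | sshd_effective PermitRootLogin)"
echo "accounts still on MD5:     $(printf '%s\n' "$SAMPLE_SHADOW" | shadow_weak_hashes)"
echo "usb-storage policy:        $(printf '%s\n' "$SAMPLE_MODPROBE" | usbstorage_policy)"

# On a live CentOS 5 box (as root):
#   mount_opts_ok /mnt/upload < /proc/mounts
#   sshd_set PermitRootLogin no < /etc/ssh/sshd_config > /etc/ssh/sshd_config.new
#   shadow_weak_hashes < /etc/shadow | xargs -rn1 chage -d 0   # force re-hash at next login
#   cat /etc/modprobe.d/* | usbstorage_policy
```

Two points the helpers cannot check for you: noexec stops the kernel from executing files on the mount, but an interpreter invoked explicitly (php /mnt/upload/x.php) still runs them, so the web server must not treat the upload directory as a script source; and after sshd_set, restart sshd and confirm from a second session before closing the one you are in. The corrected fstab line would be "/dev/sdb1 /mnt/upload ext3 defaults,noexec,nosuid,nodev 1 2".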
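The AIDE mail one-liner at the end of the post works, but a practitioner running it from cron would change three things; the script below is an added example, not the poster's code, and its paths, RECIPIENT, DB_SUM_REF and REPORT_DIR are assumptions to adjust. It writes the report to a mktemp file in a root-only directory rather than the fixed, world-writable /tmp/aide.tmp.out (CentOS 5 has no symlink protection, so any local user could pre-create that name as a symlink and have root's redirection overwrite the target); it gives the mail To: and Subject: headers instead of piping raw report text into sendmail; and it refuses to trust a clean result unless the database still matches a checksum taken when it was built, since an intruder with root can simply rerun aide --init. The sample report is constructed so the classifier can be exercised without aide installed.

```shell
#!/bin/sh
# Nightly AIDE check for cron. Assumed paths are CentOS 5 defaults;
# RECIPIENT, DB_SUM_REF and REPORT_DIR are placeholders.

RECIPIENT=${RECIPIENT:-root}
AIDE_DB=${AIDE_DB:-/var/lib/aide/aide.db.gz}
DB_SUM_REF=${DB_SUM_REF:-/root/aide.db.sha256}   # keep a copy of this off the box
REPORT_DIR=${REPORT_DIR:-/var/log/aide}           # root-only, unlike /tmp

# Classify a run from aide's exit status ($1) and report text (stdin).
# Relies only on the marker the original grep used and on "exit 0 means
# no differences", which hold across AIDE versions.
aide_verdict() {
    if grep -Fq 'AIDE found differences'; then
        echo changed
    elif [ "$1" -eq 0 ]; then
        echo clean
    else
        echo error
    fi
}

# Verify the database against the checksum file written when it was
# (re)built. Fails if that file is missing or the hash no longer matches.
db_intact() {    # $1 = file produced by: sha256sum "$AIDE_DB" > "$1"
    [ -r "$1" ] && sha256sum -c --status "$1"
}

# Wrap the report in a proper message and hand it to the local MTA.
send_report() {  # $1 = subject, body on stdin
    {
        printf 'To: %s\nSubject: %s\n\n' "$RECIPIENT" "$1"
        cat
    } | /usr/sbin/sendmail -t
}

# What cron calls. Silent when everything is fine, mails otherwise.
run_check() {
    tmp=$(mktemp "$REPORT_DIR/aide-report.XXXXXX") || return 1
    trap 'rm -f "$tmp"' EXIT
    aide --check > "$tmp" 2>&1
    status=$?
    verdict=$(aide_verdict "$status" < "$tmp")
    db_intact "$DB_SUM_REF" || verdict="database-tampered ($verdict)"
    [ "$verdict" = clean ] && return 0
    send_report "AIDE on $(hostname): $verdict" < "$tmp"
}

# After intentional changes, refresh the database instead of --init from
# scratch, then re-record its checksum and copy that file off the box:
#   aide --update; mv /var/lib/aide/aide.db.new.gz "$AIDE_DB"
#   sha256sum "$AIDE_DB" > "$DB_SUM_REF"

# Constructed sample report (not from a real run) to exercise the classifier.
SAMPLE_REPORT='AIDE found differences between database and filesystem!!
Summary:
  Total number of files:  1234
  Added files:            0
  Removed files:          0
  Changed files:          1'
echo "sample verdict: $(printf '%s\n' "$SAMPLE_REPORT" | aide_verdict 4)"
```

Install it as /etc/cron.daily/aide-check (mode 0700, owned by root) and point DB_SUM_REF at a file you also keep on another host; a report that says "database-tampered" means the on-box database can no longer vouch for the filesystem and the comparison has to be redone from the off-box copy.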
