####
# Centos 5.2, 5.3
# hardening, customizing and removing excess
#
# Boardstretcher: Updated June 6, 2010
#
####
# Contents:
#
# ExCESS::
# Service Definitions
# Remove Services
# Remove IP6
# Remove RPMs
#
# CUSTOMIZE:
# Add date to history
# Colorized grep, dir and prompt
#
# HARDEN:
# Protect webserver upload directory
# Require password for single user mode
# Disable USB storage in kernel
# Allow root login only from console
# Store passwords in sha512 rather than md5
# Install Intrusion Detection System
####


#################################################
#DISABLING EXCESS STUFF
#################################################

#DISABLE SELINUX (SET TO DISABLED/DISABLED)
#
#I leave SELINUX on when I am using the box as a webserver. Otherwise, I turn it off.

Code:
# Interactive: this TUI configures both the firewall and SELinux; pick the
# SELinux setting described above.  The choice is written to
# /etc/selinux/config and only takes effect after the reboot below.
# NOTE(review): disabling SELinux removes a confinement layer for every
# network-facing daemon -- the note above already keeps it on for webservers.
system-config-securitylevel-tui
	reboot
#Service DEFINITIONS:

#chkconfig avahi-daemon off #dhcp
#chkconfig NetworkManager off #Wireless
#chkconfig NetworkManagerDispatcher off #wireless
#chkconfig anacron off #runs scheduled scripts at a set time of day
#chkconfig bluetooth off #bluetooth
#chkconfig cpuspeed off #changes speed of cpu
#chkconfig cups off #printer daemon
#chkconfig gpm off #mouse pointer
#chkconfig hidd off #human interface input device
#chkconfig ip6tables off #IP6
#chkconfig iptables off #doesn't need a firewall (only if another firewall already sits in front of this host)
#chkconfig irda off #infrared
#chkconfig mdmonitor off #drive monitor
#chkconfig mdmpd off #drive monitor
#chkconfig pcscd off #pc card
#chkconfig portmap off #port mapping
#chkconfig yum-updatesd off #yum updates
#chkconfig smartd off #smartd hard disk monitoring
#chkconfig firstboot off #only for first boot


#REMOVE SERVICES: (Paste from this)
#
#Obviously you should only remove what you don't need

Code:
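	# Services to disable at boot and stop now.  Trim this list to what the
	# host does not need.  ip6tables/iptables are the host firewall: leave
	# them out of the list unless a separate firewall already sits in front
	# of this machine.  (The original list had "Service smartd stop" with a
	# capital S, which the shell cannot find, and stopped several services
	# twice; the loop fixes both.)
	for svc in avahi-daemon NetworkManager NetworkManagerDispatcher anacron \
	           bluetooth cpuspeed cups gpm hidd ip6tables iptables irda \
	           mdmonitor mdmpd pcscd portmap yum-updatesd smartd firstboot; do
		chkconfig "$svc" off
		service "$svc" stop
	done
	# atd was only stopped, never disabled, in the original list, so it
	# comes back after a reboot.  Add it to the loop above if it is not needed.
	service atd stop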

#REMOVE IP6 SUPPORT:

Code:
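# Disable IPv6 both at the module level and in the network config.  The
# appends are guarded so re-running this block does not add duplicate lines.
grep -q '^alias ipv6 off' /etc/modprobe.conf || echo "alias ipv6 off" >> /etc/modprobe.conf
grep -q '^alias net-pf-10 off' /etc/modprobe.conf || echo "alias net-pf-10 off" >> /etc/modprobe.conf
# Flip an existing setting, or add one if the key is not there at all
# (the plain sed silently does nothing in that case).
if grep -q '^NETWORKING_IPV6=' /etc/sysconfig/network; then
	sed -i 's/^NETWORKING_IPV6=yes/NETWORKING_IPV6=no/' /etc/sysconfig/network
else
	echo "NETWORKING_IPV6=no" >> /etc/sysconfig/network
fi
service network restart
reboot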
#REMOVE USELESS RPMS

Code:
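# Remove by package name rather than exact version-release so the block
# works on any 5.x point release, not just the builds listed in the original.
# Each line stands alone so one missing package does not abort the rest.
rpm -e unix2dos
rpm -e mkbootdisk
rpm -e dosfstools
rpm -e dos2unix
rpm -e finger
rpm -e firstboot-tui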

#UPDATE ALL SYSTEM PACKAGES and INSTALL YOUR KERNEL SOURCES

Code:
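# Quote the pattern so the shell cannot expand kernel* against files in the
# current directory before yum sees it.  Note the pattern matches every
# package whose name starts with "kernel" (kernel-devel, kernel-headers and
# any other kernel variants on offer); narrow it if you only need one.
yum update
yum install 'kernel*'
reboot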
#################################################
#CUSTOMIZATION
#################################################

#ADD DATE and TIME TO HISTORY OUTPUT

Code:
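# Timestamp every history entry for all users (via /etc/bashrc).  Guarded so
# re-running this block does not append the same line twice.
grep -q 'HISTTIMEFORMAT' /etc/bashrc || echo "export HISTTIMEFORMAT=\"%h/%d - %H:%M:%S \"" >> /etc/bashrc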
#ADD Color to GREP

Code:
# Same grep colour settings for root and for every future account (/etc/skel
# is copied into each new home directory).
for profile in /root/.bash_profile /etc/skel/.bash_profile; do
	echo "export GREP_COLOR='1;32'" >> "$profile"
	echo "export GREP_OPTIONS=--color=auto" >> "$profile"
done

#BETTER DIRECTORY COLORS
#PUT IN FILE CALLED /root/.dircolors and /etc/skel/.dircolors

Code:
# Database for dircolors(1).  NOTE(review): the page does not show how the
# file is loaded; confirm the profile runs something like
# eval "$(dircolors ~/.dircolors)" or these settings are never read.
COLOR tty
OPTIONS -F -T 0
# terminal types the colours are enabled on
TERM linux
TERM console
TERM con132x25
TERM con132x30
TERM con132x43
TERM con132x60
TERM con80x25
TERM con80x28
TERM con80x30
TERM con80x43
TERM con80x50
TERM con80x60
TERM cons25
TERM xterm
TERM rxvt
TERM xterm-color
TERM color-xterm
TERM vt100
TERM dtterm
TERM color_xterm
TERM ansi
TERM screen
TERM screen.linux
TERM kon
TERM kterm
TERM gnome
TERM konsole
EIGHTBIT 1
# file-type colours, written as attribute;foreground[;background] codes
NORMAL 01;30
FILE 00;37
DIR 01;37
LINK 01;31
FIFO 40;33
SOCK 01;35
BLK 40;33;01
CHR 40;33;01
ORPHAN 01;05;37;41
MISSING 01;05;37;41
EXEC 01;34
# Permission-based colours: these make setuid/setgid binaries and
# world-writable directories stand out in an ordinary listing, which is a
# cheap way to notice one that should not be there.
SETUID 37;41 # file that is setuid (u+s)
SETGID 30;43 # file that is setgid (g+s)
STICKY_OTHER_WRITABLE 31;40 # dir that is sticky and other-writable (+t,o+w)
OTHER_WRITABLE 34;40 # dir that is other-writable (o+w) and not sticky
STICKY 37;44 # dir with the sticky bit set (+t) and not other-writable
# archive extensions
.tar 01;36
.tgz 01;36
.gz  01;36
.bz2 01;36
.bz  01;36

#BETTER COMMAND PROMPT
#PUT AT BOTTOM OF /root/.bash_profile and /etc/skel/.bash_profile

Code:
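# Colour palette for the prompt.  The \[ ... \] wrappers tell bash the escape
# sequences take no screen width, so line editing stays aligned.  Entries
# not used by PS1 below are kept for customising.
CLr0="\[\033[1;31m\]"
CLr1="\[\033[0;34m\]"
CLr2="\[\033[0;32m\]"
CLr3="\[\033[0;36m\]"
CLr4="\[\033[1;30m\]" # Brackets
CLr5="\[\033[0;35m\]"
CLr6="\[\033[0;33m\]"
CLr7="\[\033[0;37m\]" # Hostname
CLr8="\[\033[1;34m\]" # Username
CLr9="\[\033[1;34m\]"
CLr10="\[\033[1;32m\]"
CLr11="\[\033[1;36m\]"
CLr12="\[\033[1;32m\]" #directory
CLr13="\[\033[1;35m\]"
CLr14="\[\033[1;33m\]"
CLr15="\[\033[1;37m\]" # @ symbol

# user@host, \@ = current time (12-hour), \d = date, \w = working directory;
# \\$ prints # for root and $ otherwise.  The forum rendering had replaced
# each "@" with "(at)", which would have printed literally -- restored here.
PS1="$CLr4($CLr8\u$CLr15@$CLr7\h$CLr4)-($CLr7\@$CLr2 $CLr8\d$CLr4)-($CLr12\w$CLr4)$CLr1\n$CLr8\\$ $CLr15>$CLr7"
export PS1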
#################################################
#HARDENING SECURITY
#################################################

#IF YOU ARE RUNNING A WEBSERVER WITH AN UPLOAD DIRECTORY, MAKE THE UPLOAD DIRECTORY A SEPARATE MOUNT POINT
#AND FLAG IT AS NOEXEC
Code:
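# Interactive: create one partition on the second disk (fdisk prompts).
fdisk /dev/sdb
mkfs -t ext3 /dev/sdb1
mkdir -p /mnt/upload
# Record the mount with noexec (the point of the exercise) plus nosuid and
# nodev, which cost nothing on an upload area and close the set-uid and
# device-node variants of the same problem.  Guarded against duplicate entries.
grep -q '^/dev/sdb1 /mnt/upload' /etc/fstab || echo "/dev/sdb1 /mnt/upload ext3 defaults,noexec,nosuid,nodev 1 2" >> /etc/fstab
# Mount through fstab so those options apply now, not only after a reboot
# (a bare "mount /dev/sdb1 /mnt/upload" before the fstab edit mounts with
# exec allowed).
mount /mnt/upload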
#LOCK DOWN SINGLE USER ACCESS IF THE SERVER IS PHYSICALLY ACCESSIBLE
Code:
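# Require the root password in single-user mode and stop Ctrl-Alt-Del from
# rebooting the box from the console.  Guarded so re-running does not
# duplicate the inittab lines; the sed is anchored so an already commented
# line is not commented a second time.
grep -q '^~~:S:wait:/sbin/sulogin' /etc/inittab || {
	echo "#Require the root pw when booting into single user mode" >> /etc/inittab
	echo "~~:S:wait:/sbin/sulogin" >> /etc/inittab
}
sed -i 's|^ca::ctrlaltdel:/sbin/shutdown|#&|' /etc/inittab
# init only re-reads /etc/inittab when asked
telinit q
# This covers runlevel 1 / "single" only.  Password-protect the boot loader
# as well (grub password), otherwise the kernel command line can still be
# edited at boot and this check is bypassed.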
#DISABLE USB DRIVES IF SERVER IS ACCESSIBLE OR HAS SENSITIVE DATA
Code:
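# "blacklist" only stops automatic loading by alias; an explicit modprobe
# still loads the module.  Mapping its install step to /bin/true blocks
# both paths.  A module that is already loaded stays loaded until it is
# unloaded or the machine reboots.
cat > /etc/modprobe.d/blacklist-usbstorage <<'EOF'
blacklist usb-storage
install usb-storage /bin/true
EOF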
#ALLOW ROOT LOGIN ONLY FROM CONSOLE OR VMWARE CONSOLE
Code:
# Only the first virtual console may take a root login (/etc/securetty is
# consulted by pam_securetty for console logins; it does not govern sshd,
# which is handled separately below).  Root's home is closed to other users.
printf '%s\n' tty1 > /etc/securetty
chmod 0700 /root
#DISALLOW ROOT SSH LOGIN (MUST SU TO ROOT)
Code:
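# sshd uses the FIRST PermitRootLogin it reads, so a line appended at the
# end is silently ignored if an earlier uncommented line already sets it.
# Replace an existing setting in place, otherwise append; then validate the
# config and reload so the change is live rather than waiting for a restart.
if grep -q '^PermitRootLogin' /etc/ssh/sshd_config; then
	sed -i 's/^PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
else
	echo "PermitRootLogin no" >> /etc/ssh/sshd_config
fi
sshd -t && service sshd reload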
#PASSWORDS SHOULD BE STORED IN SHA512 INSTEAD OF MD5
# Switch the algorithm used for NEW password hashes in /etc/shadow.  Existing
# hashes stay MD5 until each account's password is next changed; force that
# (e.g. chage -d 0 <user>) for accounts that matter.
authconfig --passalgo=sha512 --update

#INSTALL AND INITIALIZE AIDE (intrusion detection)
#**ANY TIME YOU MAKE A CHANGE TO THE SYSTEM -- YOU WILL HAVE TO RE-INITIALIZE THE DB
Code:
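yum install aide
aide --init
# --init writes the new database next to the live one; promote it.
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
# After intentional changes run "aide --update" and promote the new database
# the same way, otherwise every later check reports them.  Keep a copy of the
# database (and the aide binary) off the host or on read-only media: anyone
# who can write /var/lib/aide can re-baseline it and hide their changes.

# script to email on differences in aide db -- run it from cron, not once.
# A private temp file replaces the fixed name under /tmp: a predictable
# path written as root in a world-writable directory is a symlink hazard.
ALERT_TO="whoever@wherever.com"   # placeholder: set to your address (the forum rendered "@" as "(at)")
out=$(mktemp /tmp/aide.XXXXXX) || exit 1
aide --check > "$out"
grep -Fq "AIDE found differences" "$out" && sendmail -v "$ALERT_TO" < "$out"
rm -f "$out"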