Wednesday, December 9, 2009

Complete CentOS secure server setup

SkyHi @ Wednesday, December 09, 2009
Remove ambigous packages:
yum remove aspell libX11 dos2unix libselinux-python apmd nss_ldap wireless-tools \ pcmciautils iptables-ipv6 desktop-file-utils xorg-x11-filesystem talk gpm words \ nfs-utils-lib rp-pppoe irda-utils coolkey tcl oddjob-libs cups-libs bluez-libs Disable unnecessary services. Type as root:

setup Chose System services and uncheck:
anacron atd auditd cpuspeed kudzu mcstrans netfs pcscd portmap Update all software:
yum update Disable Ipv6. Edit /etc/sysconfig/network and set:
NETWORKING_IPV6=no HOSTNAME=sscserver After that add the following to /etc/modprobe.conf:
alias ipv6 off alias net-pf-10 off and reboot:
reboot Install Apache, start it and put the webserver to startup:
yum install httpd httpd-devel service httpd start chkconfig httpd on Secure Apache. Edit the config:
nano -w /etc/httpd/conf/httpd.conf and set:
ServerSignature Off Install PHP:
yum install php-common php-gd php-mcrypt php-pear php-pecl-memcache php-mhash \ php-mysql php-xml Secure PHP. Open php.ini:
nano -w /etc/php.ini and change the following:
safe_mode = Off register_globals = Off expose_php = Off allow_url_fopen = Off log_errors = On error_log = /var/log/phperror.log display_errors = off Create a file for PHP errors:
touch /var/log/phperror.log chmod 666 /var/log/phperror.log Restart webserver to load PHP:
service httpd restart Test PHP. Create a file named 1.php in /var/www/html/ with the following contents:
Then point your browser to http://x.x.x.x/1.php
Install MySQL, start it and put the database server to startup:
yum install mysql mysql-server mysql-devel service mysqld start chkconfig mysqld on Secure MySQL. Change MySQL root password:
mysql> USE mysql; mysql> UPDATE user SET Password=PASSWORD('pa$$w0rd') WHERE user='root'; Drop test database:
mysql> drop database test; mysql> DELETE FROM user WHERE user = ''; mysql> FLUSH PRIVILEGES; Alter /etc/my.cnf and change the options:
local-infile=0 bind-address= Restart MySQL to make config changes to work:
service mysql restart Install phpMyAdmin:
yum install phpmyadmin Configure it. Open /etc/httpd/conf.d/phpmyadmin.conf and uncomment the line:
# Deny from all Also, the configuration file now needs a secret passphrase. Open config:
nano -w /usr/share/phpmyadmin/ look for a line and enter a password:
$cfg['blowfish_secret'] = 'p@$$w0rd'; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */ Restart Apache to be able to acces phpMyAdmin:
service httpd restart Test phpMyAdmin. Point your browser to http://x.x.x.x/phpmyadmin
Add the www.domain.tld virtual web site. Create directories:
mkdir -p /home/domain.tld/{public_html,logs} chown -R apache:apache /home/domain.tld Open config:
nano -w /etc/httpd/conf/httpd.conf Alter NameVirtualHost directive:
NameVirtualHost ip.address:80 Add the following VirtualHost container and paste it at the end of the file:
ServerAdmin webmaster@domain.tld ServerName www.domain.tld ServerAlias domain.tld DocumentRoot /home/domain.tld/public_html Options -Indexes FollowSymLinks AllowOverride None Order allow,deny allow from all ErrorLog /home/domain.tld/logs/domain.tld-error_log CustomLog /home/domain.tld/logs/domain.tld-access_log common Test the syntax:
httpd -t httpd -D DUMP_VHOSTS Restart Apache:
service httpd restart Install Webmin. Navigate to and download a RPM package:
wget rpm -ivh webmin-1.470-1.noarch.rpm Point your browser to: http://ip.address:10000 and login with your root password:
Secure server. Change your root password:
passwd For security reasons we will add a new user sscadmin for administration purposes:
adduser sscadmin && passwd sscadmin Add the user sscadmin to the wheel group:
usermod -a -G wheel sscadmin User sscadmin will use sudo for administrative tasks. Ensure the wheel group has the correct privileges. Run:
visudo and uncomment the line:
%wheel ALL=(ALL) ALL to allow people in group wheel to have full sudo privileges
Secure SSH access to the server - use a public/private key. On local machine create SSH keys:
ssh-keygen -t dsa Copy the public key to the server. Issue this on your local machine:
scp ~/.ssh/ sscadmin@ip.address:~/.ssh/authorized_keys2 Edit config file to secure the daemon:
sudo nano /etc/ssh/sshd_config and set:
Port 2202 PermitRootLogin no Restart SSHd:
service sshd restart Secure temporary folders:
dd if=/dev/zero of=/home/tmpmnt bs=1024 count=1024000 mke2fs /home/tmpmnt cp -R /tmp/ /tmp_backup mount -o loop,rw,nosuid,noexec /home/tmpmnt /tmp chmod 1777 /tmp cp -R /tmp_backup/* /tmp/ Modify /etc/fstab and add the line:
/home/tmpmnt /tmp ext2 loop,rw,nosuid,noexec 0 0 Secure /var/tmp:
mv /var/tmp /tmp_backup ln -s /tmp /var/tmp cp -R /tmp_backup/* /tmp/ ls -al /tmp Install CSF (ConfigServer Security & Firewall):
cd /root/work wget tar -xzf csf.tgz cd csf sh rm -Rf /root/work/csf* Next, test whether you have the required iptables modules:
perl /etc/csf/ Backup orginal config:
cp /etc/csf/csf.conf /etc/csf/csf.conf.bak Edit the current config:
nano -w /etc/csf/csf.conf Changes from orginal config:
AUTO_UPDATES = "1" LF_DSHIELD = "86400" LF_SPAMHAUS = "86400" LF_BOGON = "86400" Start CSF:
service csf start Now relogin again, and if it works you can disable testing mode. Open config:
nano -w /etc/csf/csf.conf Find:
TESTING = "1" and change it to:
TESTING = "0" In case of bad config CSF will flush iptables after 5 minutes.
Restart CSF:
service csf restart Install the CSF Webmin module. Go to:
Webmin > Webmin Configuration > Webmin Modules >
From local file > /etc/csf/csfwebmin.tgz > Install Module
Perform security test. Go to System > ConfigServer Security & Firewall > Check Server Security
Install PostgreSQL database server
yum install postgresql postgresql-server Start it and set it to run at startup:
service postgresql start chkconfig postgresql on Connect to PostgreSQL server:
su - postgres psql -d template1 -U postgres You'll get the following output:
Welcome to psql 8.1.11, the PostgreSQL interactive terminal. Type: \copyright for distribution terms \h for help with SQL commands \? for help with psql commands \g or terminate with semicolon to execute query \q to quit template1=# Install Postfix and remove Sendmail:
yum install postfix yum remove sendmail Edit Postfix configuration file and change the following lines:
queue_directory = /var/spool/postfix command_directory = /usr/sbin daemon_directory = /usr/libexec/postfix mail_owner = postfix inet_interfaces = all mydestination = $myhostname, localhost.$mydomain, localhost unknown_local_recipient_reject_code = 550 alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases debug_peer_level = 2 debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb $daemon_directory/$process_name $process_id & sleep 5 sendmail_path = /usr/sbin/sendmail.postfix newaliases_path = /usr/bin/newaliases.postfix mailq_path = /usr/bin/mailq.postfix setgid_group = postdrop html_directory = no manpage_directory = /usr/share/man sample_directory = /usr/share/doc/postfix-2.3.3/samples readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES smtpd_sasl_local_domain = smtpd_sasl_auth_enable = yes broken_sasl_auth_clients = yes smtpd_sasl_authenticated_header = yes smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination smtpd_sasl_security_options = noanonymous mynetworks = smtpd_tls_auth_only = no smtp_use_tls = yes smtpd_use_tls = yes smtp_tls_note_starttls_offer = yes smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem smtpd_tls_loglevel = 1 smtpd_tls_received_header = yes smtpd_tls_session_cache_timeout = 3600s tls_random_source = dev:/dev/urandom myhostname = domain.tld Setup SASL + TLS to authenticate users. Install the required software:
yum install cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi cyrus-sasl-md5 \ cyrus-sasl-plain Edit config file to allow plain and login logins:
nano -w /usr/lib/sasl2/smtpd.conf and add the following:
pwcheck_method: saslauthd mech_list: plain login Create the certificates for TLS:
mkdir /etc/postfix/ssl cd /etc/postfix/ssl/ openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024 chmod 600 smtpd.key openssl req -new -key smtpd.key -out smtpd.csr openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt openssl rsa -in smtpd.key -out smtpd.key.unencrypted mv -f smtpd.key.unencrypted smtpd.key openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650 Install Dovecot:
yum install dovecot Open the Dovecot config file /etc/dovecot.conf and make the following changes:
protocols = imap imaps pop3 pop3s Install Squirrelmail. Setup the Squirrelmail under Apache. Open /etc/httpd/conf/httpd.conf and insert the following lines:
Alias /squirrelmail "/usr/share/squirrelmail" Options Indexes AllowOverride none DirectoryIndex index.php Order allow,deny allow from all Run the configuration utility and set the server settings to SMTP and change your domain name to domain.tld:
/usr/share/squirrelmail/config/ Restart all email services:
service postfix start service dovecot start service saslauthd start service httpd restart Create a local user (to test the email):
adduser dima -s /sbin/nologin Update a password for it:
passwd dima To test the email open Squirrelmail and enter the username and the password
Make email services to run at startup:
chkconfig --levels 235 sendmail off chkconfig --levels 235 postfix on chkconfig --levels 235 saslauthd on chkconfig --levels 235 dovecot on