Saturday, May 29, 2010

HOW-TO: Harden A Fresh CentOS 5.x Server

SkyHi @ Saturday, May 29, 2010

Code:

#!/bin/sh

set -ve

# Script to harden a fresh CentOS 4 or 5 base server install, which installs
# any updated packages plus a few useful extras, removes unnecessary
# services and setuid bits, and does a little performance tuning.
# Running it more than once shouldn't hurt anything.
#
# Run with:
#   wget -O- http://ftp.die.net/pub/harden-centos/harden-centos | sh

PATH=/bin:/usr/bin:/sbin:/usr/sbin

# Update rpm and yum if possible. (Limit dependencies.)
yum -y install rpm yum

# Installing useful packages
yum -y install joe tcpdump mtr postfix strace zsh gdb perl vixie-cron logrotate

# Removing unnecessary daemons and setuid binaries
yum -y remove squid krb5-workstation cups at rsh sudo isdn4k-utils sendmail \
    slocate apmd irda-utils mt-st gpm samba-common sendmail-cf talk \
    up2date ypbind yp-tools wvdial lockdev procmail xorg-x11-font-utils \
    pam_ccreds gdm bluez-utils yum-updatesd

# Upgrading to latest packages
yum -y upgrade

# Removing unnecessary setuid bits from everything except the listed binaries.
# CentOS 5's find accepts -perm +04000; newer GNU find spells this -perm /04000.
find / /usr -xdev -type f -perm +04000 | \
    grep -vP '^(/bin/(su|ping|traceroute)|/usr/bin/(passwd|chsh|crontab)|/usr/libexec/openssh/ssh-keysign)$' | \
    xargs -r chmod ug-s

# Removing unnecessary setgid bits
find / /usr -xdev -type f -perm +02000 | \
    grep -vP '^(/usr/sbin/(utempter|postdrop|postqueue)|/usr/bin/ssh-agent)$' | \
    xargs -r chmod g-s

# Setting nosuid,nodev on user partitions, noatime on ext2 and ext3.
# /, /usr and /bin keep suid and device nodes; a backup is left in /etc/fstab~
perl -i~ -p -e 's/(\sext[23]\s+)(defaults)(?=\s)/$1$2,noatime/;next if m#\s/(?:usr|bin)?\s#;next unless m#\s(ext[23]|tmpfs|auto)\s#;s/(?<=\s)(defaults(?:,noatime)?)(?=\s)/$1,nosuid,nodev/' /etc/fstab

# Adding blackhole routes for bogons.
# Note: these drop traffic to any RFC 1918 destination without a more specific
# route, so trim the list on hosts that talk to private networks.
[ -f /etc/sysconfig/network-scripts/route-lo ] || cat <<EOF > /etc/sysconfig/network-scripts/route-lo
blackhole 0.0.0.0/8
blackhole 10.0.0.0/8
blackhole 169.254.0.0/16
blackhole 172.16.0.0/12
blackhole 192.168.0.0/16
blackhole 198.18.0.0/15
EOF

# Add useful settings to /etc/sysctl.conf
grep -q kernel.panic /etc/sysctl.conf || cat <<EOF >> /etc/sysctl.conf
# Reboot a minute after an Oops
kernel.panic = 60
# Syncookies make SYN flood attacks ineffective
net.ipv4.tcp_syncookies = 1
# Ignore bad ICMP
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Reply to ARPs only from correct interface (required for DSR load-balancers)
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.all.arp_ignore = 1
EOF
sysctl -p

# Allow any following commands to fail without stopping
set +e

# Shutting down unwanted services
for d in acpid rpcidmapd rpcgssd nfslock netfs portmap avahi-daemon avahi-dnsconfd pcscd bluetooth; do
    chkconfig $d off
    service $d stop
done

# Turn on cron-based auto-updates
yum -y install yum-cron
for d in crond yum yum-cron; do
    chkconfig $d on
    service $d start
done

# COMPLETED!
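The fstab rewrite is the densest step in the script above. As an added example (not part of webicero's script), here are its three rules as a plain shell/awk function, run against a constructed sample fstab so the effect on each kind of entry can be checked before the perl one-liner touches a real system; the sample entries are made up for this illustration.

```shell
#!/bin/sh
# Added example: the /etc/fstab rewrite from the hardening script, redone as a
# readable shell/awk function for dry runs (it never edits a live fstab).
# It mirrors the perl one-liner:
#   1. ext2/ext3 entries whose options are exactly "defaults" gain ",noatime"
#   2. entries mounted on /, /usr or /bin get nothing further
#   3. other ext2/ext3, tmpfs and auto entries with options "defaults" or
#      "defaults,noatime" gain ",nosuid,nodev"
# Fields are re-joined with single spaces; the perl version keeps the original
# whitespace but is otherwise equivalent.
harden_fstab_line() {
  printf '%s\n' "$1" | awk '
    # Comments, blank lines and short lines pass through untouched.
    /^[ \t]*#/ || NF < 4 { print; next }
    {
      mnt = $2; fstype = $3; opts = $4
      # Rule 1: ext2/ext3 with plain "defaults" gets noatime.
      if ((fstype == "ext2" || fstype == "ext3") && opts == "defaults")
        opts = opts ",noatime"
      # Rule 2: system filesystems keep suid and device nodes.
      if (mnt == "/" || mnt == "/usr" || mnt == "/bin") { $4 = opts; print; next }
      # Rule 3: user-writable filesystem types lose suid and device nodes.
      if ((fstype == "ext2" || fstype == "ext3" || fstype == "tmpfs" || fstype == "auto") &&
          (opts == "defaults" || opts == "defaults,noatime"))
        opts = opts ",nosuid,nodev"
      $4 = opts
      print
    }'
}

# Read an fstab on stdin, write the hardened version to stdout.
harden_fstab() {
  while IFS= read -r line || [ -n "$line" ]; do
    harden_fstab_line "$line"
  done
}

# Constructed sample fstab in the CentOS 5 layout (not taken from a real host).
SAMPLE_FSTAB='LABEL=/      /          ext3   defaults        1 1
LABEL=/home  /home      ext3   defaults        1 2
LABEL=/usr   /usr       ext3   defaults        1 2
tmpfs        /dev/shm   tmpfs  defaults        0 0
devpts       /dev/pts   devpts gid=5,mode=620  0 0
proc         /proc      proc   defaults        0 0
LABEL=SWAP   swap       swap   defaults        0 0
/dev/cdrom   /media/cd  auto   noauto,ro       0 0'

printf '%s\n' "$SAMPLE_FSTAB" | harden_fstab
```

Only /home and /dev/shm end up with nosuid,nodev; / and /usr get noatime alone, and the cdrom entry is untouched because its options are not "defaults".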



Thanks to webicero for creating this guide.

For more information and guides about hardening and securing your server, you may also read the guides at SecureCentOS.com.

REFERENCES
http://www.elevatedservers.net/forums/how-harden-fresh-centos-server-t-28.html