Hardening.v7

Hardening the Server

dsk

Little utility to list the sizes of the directories below the current (or a given) directory.

/bin/cat <<'EOF'> /sbin/dsk
#!/bin/bash
# dsk [dir]: sizes of the immediate subdirectories of dir (default: current directory)
# (the heredoc delimiter is quoted so that $1 is written literally instead of being expanded now)
ver=2006.12.09
if [ "$1" == "" ]; then
du --max-depth=1 -h
else
du --max-depth=1 -h "$1"
fi
EOF
# 755, not 777: a world-writable script in /sbin could be rewritten by any local user and then run by root
chmod 755 /sbin/dsk

killbyname

Kills every process whose name contains the given string.

nano /sbin/killbyname
#!/bin/bash
ver=2015.10.15
if [ "$1" == "" ]; then
 echo 'there are no settings'
else
 # pgrep matches against the process name only (not the full command line),
 # so unlike "ps aux | grep" it does not find and kill this script itself
 for i in $(pgrep -- "$1")
 do
  echo $i
  kill -9 $i
 done
fi
chmod 755 /sbin/killbyname

Server naming

More important than a child's name: http://xkcd.com/910/

export dname=ai.net.nz
export hname=mail
export addrange=192.168.20
export serverip=1
export mysqlpasswd=
export sambadomain=domain
#If this is going to be a dns server
echo -n resolv.conf #
/bin/rm /etc/resolv.conf
/bin/cat <<EOF>> /etc/resolv.conf
nameserver 127.0.0.1
search $dname
EOF
echo -n nsswitch.conf #
# rewrite the existing hosts: line rather than appending a second one
sed -i 's/^hosts:.*$/hosts:      files dns/' /etc/nsswitch.conf
echo -n host.conf #
/bin/rm /etc/host.conf
/bin/cat <<EOF>> /etc/host.conf
order bind,hosts
multi on
nospoof on
EOF
#Setting up the network, yours will differ
echo -n ifcfg-eth0 #
/bin/rm /etc/sysconfig/network-scripts/ifcfg-eth0
/bin/cat <<EOF>> /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
IPADDR=$addrange.$serverip
NETMASK=255.255.255.0
NETWORK=$addrange.0
BROADCAST=$addrange.255
ONBOOT=yes
BOOTPROTO=none
USERCTL=no
# default gateway and DNS server's IP address, if not set in /etc/sysconfig/network
#GATEWAY=10.0.0.1
#DNS1=10.0.0.10
EOF
chkconfig network on
echo -n hosts #
/bin/cat <<EOF>> /etc/hosts
$addrange.$serverip $hname.$dname $hname
EOF
echo -n network #
/bin/rm /etc/sysconfig/network
/bin/cat <<EOF>> /etc/sysconfig/network
NETWORKING=yes
FORWARD_IPV4=true
HOSTNAME=$hname.$dname
DOMAINNAME=$dname
GATEWAY=$addrange.3
GATEWAYDEV=eth0
EOF
# CentOS 7 takes the hostname from /etc/hostname, not from /etc/sysconfig/network
hostnamectl set-hostname $hname.$dname
echo -n rc.local #
/bin/cat <<EOF>> /etc/rc.d/rc.local
# FTP connection-tracking and NAT helpers (module names as used by the CentOS 7 kernel)
/sbin/modprobe nf_conntrack_ftp
/sbin/modprobe iptable_nat
/sbin/modprobe nf_nat_ftp
EOF
# systemd only runs rc.local at boot if it is executable
chmod +x /etc/rc.d/rc.local

Networking

echo -n sysctl.conf #
/bin/cat <<EOF>> /etc/sysctl.conf
# ignoring ping request
#net.ipv4.icmp_echo_ignore_all = 1
# ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1
# IP source routing
net.ipv4.conf.all.accept_source_route = 0
# TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
# ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
# always defragging Protection (this key no longer exists on CentOS 7 kernels; sysctl reports an error for it)
#net.ipv4.ip_always_defrag = 1
# bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
# IP spoofing protection, turn on Source Address Verification
net.ipv4.conf.all.rp_filter = 1
# Log Spoofed, Source Routed & Redirect Packets (0 = do not log them, 1 = log them;
# "all" and "default" cover every interface, so no per-interface eth0/eth1 lines are needed)
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
# packet forwarding
net.ipv4.ip_forward = 1
net.ipv4.ip_dynaddr = 1
EOF
# load the whole file into the running kernel now; it is re-read at every boot
sysctl -p
systemctl start NetworkManager
systemctl enable NetworkManager
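Once the file is in place it is worth checking that the kernel actually holds the values (a key that no longer exists, such as ip_always_defrag, makes sysctl -p report an error and leaves that setting unapplied). The function below is an added example, not the page's own code: it compares a sysctl.conf against a dump of the live values (sysctl -a output, or any key = value text) and returns the number of mismatches, so it can run from cron or as a post-install check.

```shell
#!/bin/bash
# Audit a sysctl.conf against the running kernel (added example, not from the page).
# Usage: sysctl -a > /tmp/live.txt; sysctl_drift /etc/sysctl.conf /tmp/live.txt
# Prints "key: want X have Y" per mismatch; the return value is the mismatch count.

# sysctl_drift <desired.conf> <live-dump>
sysctl_drift() {
    local desired="$1" live="$2" drift=0 line key want have
    while IFS= read -r line; do
        line="${line%%#*}"                           # drop comments and commented-out settings
        case "$line" in *=*) ;; *) continue ;; esac   # skip blank or malformed lines
        key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
        want=$(printf '%s' "${line#*=}" | tr -d '[:space:]')
        # "sysctl -a" prints "key = value"; match the key exactly and take the first hit
        have=$(awk -v k="$key" -F'=' '{ gsub(/[[:space:]]/, "", $1) }
                                    $1 == k { gsub(/[[:space:]]/, "", $2); print $2; exit }' "$live")
        if [ "$have" != "$want" ]; then
            printf '%s: want %s have %s\n' "$key" "$want" "${have:-<unset>}"
            drift=$((drift + 1))
        fi
    done < "$desired"
    return "$drift"
}
```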

For firewalld to work NetworkManager must be running.

Example layout (yours will differ):

eno1 = internal 192.168.20.1
eno2 = external xx.xx.xx.xx

firewall-cmd --permanent --zone=internal --change-interface=eno1
firewall-cmd --permanent --zone=external --change-interface=eno2
firewall-cmd --zone=external --add-masquerade --permanent
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o eno2 -j MASQUERADE -s 192.168.20.0/24

Note: the passthrough rule masquerades the internal subnet (192.168.20.0/24) out of eno2, the external NIC.

firewall-cmd --complete-reload
systemctl enable firewalld

The zone assignment also needs to be written into the interface files, otherwise it is lost. Add

ZONE=internal

to ifcfg-eno1 and

ZONE=external

to ifcfg-eno2, then restart firewalld. A reload with

firewall-cmd --complete-reload

does not seem to pick this up; rather use

systemctl restart firewalld

The following firewall rules are needed. Open only the ports of services the host actually runs; the external zone in particular should carry as few of these as possible.

firewall-cmd --zone=internal --add-port=2022/tcp --permanent
firewall-cmd --zone=internal --add-port=873/tcp --permanent
firewall-cmd --zone=internal --add-port=3389/tcp --permanent
firewall-cmd --zone=internal --add-port=1000/tcp --permanent
firewall-cmd --zone=internal --add-port=5901/tcp --permanent
firewall-cmd --zone=internal --add-service=http --permanent
firewall-cmd --zone=internal --add-service=https --permanent

firewall-cmd --zone=external --add-port=2022/tcp --permanent
firewall-cmd --zone=external --add-port=873/tcp --permanent
firewall-cmd --zone=external --add-port=3389/tcp --permanent
firewall-cmd --zone=external --add-port=10000/tcp --permanent
firewall-cmd --zone=external --add-port=5901/tcp --permanent
firewall-cmd --zone=external --add-service=http --permanent
firewall-cmd --zone=external --add-service=https --permanent

firewall-cmd --zone=public --add-port=2022/tcp --permanent
firewall-cmd --zone=public --add-port=22/tcp --permanent
firewall-cmd --zone=public --add-port=873/tcp --permanent
firewall-cmd --zone=public --add-port=3389/tcp --permanent
firewall-cmd --zone=public --add-port=1000/tcp --permanent
firewall-cmd --zone=public --add-port=5901/tcp --permanent
firewall-cmd --zone=public --add-port=5902/tcp --permanent
firewall-cmd --zone=public --add-service=http --permanent
firewall-cmd --zone=public --add-service=https --permanent

cpanel

firewall-cmd --zone=public --add-port=2087/tcp --permanent

systemctl restart firewalld

Useful commands

firewall-cmd --get-active-zones
firewall-cmd --get-zones
firewall-cmd --zone=external --list-all
firewall-cmd --zone=internal --list-all



echo -n hosts.allow #
/bin/cat <<EOF>> /etc/hosts.allow
ALL: $addrange.
# ALL: your range

# Extra of ai 
ALL: 202.174.160.
ALL: 202.174.161.
ALL: 202.174.162.
ALL: 202.174.163.
ALL: 202.174.164.
ALL: 202.174.165.
ALL: 202.174.166.
ALL: 202.174.167.
ALL: 202.174.168.
ALL: 202.174.169.
ALL: 202.174.170.
ALL: 202.174.171.
ALL: 202.174.172.
ALL: 202.174.173.
ALL: 202.174.174.
ALL: 202.174.175.
ALL: 107.178.214.45
EOF

echo -n hosts.deny #
# everything not listed in hosts.allow is refused (PARANOID also drops clients whose forward and reverse DNS disagree)
/bin/cat <<EOF>> /etc/hosts.deny
ALL: ALL@ALL, PARANOID
EOF
/usr/bin/updatedb &

Go have a coffee.

You may lose your connection with the server if you were coming in via ssh, as its IP address has changed.
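Before relying on the hosts.allow and catch-all hosts.deny written above, it helps to check which client addresses would actually be admitted. The function below is an added example, not the page's own code: it implements the two pattern forms the file uses for ALL: rules (a dotted network prefix such as 192.168.20. and an exact address); daemon-specific rules, netmask forms and EXCEPT clauses are not handled.

```shell
#!/bin/bash
# Dry-run check of hosts.allow rules (added example, not from the page).
# hosts_allow_matches <client-ip> <hosts.allow-file>  -> exit 0 if some rule matches, 1 if not
hosts_allow_matches() {
    local ip="$1" file="$2" line pat
    while IFS= read -r line; do
        line="${line%%#*}"                     # drop comments (the "# ALL: your range" placeholder too)
        case "$line" in ALL:*) ;; *) continue ;; esac
        # the client list after "ALL:" is separated by commas and/or blanks
        for pat in $(printf '%s' "${line#ALL:}" | tr ',' ' '); do
            case "$pat" in
                *.) [ "${ip#"$pat"}" != "$ip" ] && return 0 ;;   # network prefix: "a.b.c." matches a.b.c.*
                *)  [ "$ip" = "$pat" ] && return 0 ;;             # exact host address
            esac
        done
    done < "$file"
    return 1
}

# hosts_allow_report <hosts.allow-file> <ip>...  -> one "ip allow" or "ip deny" line per address
hosts_allow_report() {
    local file="$1" ip
    shift
    for ip in "$@"; do
        if hosts_allow_matches "$ip" "$file"; then echo "$ip allow"; else echo "$ip deny"; fi
    done
}
```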

Hardening

 # "sed -i" edits in place; "sed -ie" would instead leave a backup copy with an "e" suffix next to each file
 sed -i 's/^#\?PermitRootLogin .*$/PermitRootLogin no/' /etc/ssh/sshd_config \
 && grep PermitRootLogin /etc/ssh/sshd_config

 sed -i 's/^#\?Port 22.*$/Port 2022/' /etc/ssh/sshd_config \
 && grep '^Port' /etc/ssh/sshd_config
 # SELinux only lets sshd bind to port 22 until the new port is labelled as well (semanage is in policycoreutils-python)
 semanage port -a -t ssh_port_t -p tcp 2022
 systemctl restart sshd

 firewall-cmd --zone=public --add-port=2022/tcp --permanent
 firewall-cmd --reload
 firewall-cmd --zone=public --list-all

 # /etc/inittab is ignored by systemd on CentOS 7; Ctrl-Alt-Del is controlled through its target instead
 systemctl mask ctrl-alt-del.target

 # On CentOS 7 the password length is enforced by pam_pwquality (minlen in /etc/security/pwquality.conf,
 # min value is 6); PASS_MIN_LEN in login.defs is kept in step for tools that still read it
 sed -i 's/^PASS_MIN_LEN.*$/PASS_MIN_LEN 8/' /etc/login.defs \
 && grep ^PASS_MIN_LEN /etc/login.defs
 sed -i 's/^# *minlen.*$/minlen = 8/' /etc/security/pwquality.conf \
 && grep minlen /etc/security/pwquality.conf

 # only members of wheel may su to root (CentOS 7 ships this line commented out in /etc/pam.d/su)
 sed -i 's/^#\(auth[[:space:]]\+required[[:space:]]\+pam_wheel.so use_uid\)/\1/' /etc/pam.d/su \
 && grep pam_wheel.so /etc/pam.d/su

 chmod -R 700 /etc/rc.d/init.d/*

 export user1=a
 export user2=b
 export user3=c

 for u in $user1 $user2 $user3; do
  /usr/sbin/useradd $u
  passwd $u
  # wheel (gid 10): needed for su (pam_wheel above) and for sudo
  /usr/sbin/usermod -aG wheel $u
  # one file per user under /etc/sudoers.d, syntax-checked with visudo, instead of appending to /etc/sudoers
  echo "$u ALL=(ALL) ALL" > /etc/sudoers.d/$u && chmod 440 /etc/sudoers.d/$u && visudo -cf /etc/sudoers.d/$u
  sed -i 's/.*PATH=.*$/PATH=\$PATH:\$HOME\/bin:\/sbin:\/usr\/sbin:\/usr\/bin/' /home/$u/.bash_profile \
  && grep PATH= /home/$u/.bash_profile
 done

 sed -i 's/.*HISTSIZE=1000.*$/HISTSIZE=20/' /etc/profile \
 && grep HISTSIZE /etc/profile
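Setting sshd_config directives with a one-off sed is fragile: the directive may be commented out, already active with another value, or absent altogether, and a stray duplicate is silently ignored by sshd, which honours only the first occurrence. The helper below is an added example, not the page's own code: it sets a directive idempotently in all three cases and reports the effective value; it assumes a plain sshd_config without Match blocks, and the PasswordAuthentication line is only safe once key-based login already works.

```shell
#!/bin/bash
# Idempotent sshd_config editing (added example, not from the page).
# Usage: set_sshd_option /etc/ssh/sshd_config PermitRootLogin no; then systemctl restart sshd

# set_sshd_option <file> <Directive> <value>: rewrite the directive whether it is
# "#Directive ...", "Directive ...", or indented; append it if it is absent.
set_sshd_option() {
    local cfg="$1" key="$2" val="$3"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$cfg"; then
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?$|${key} ${val}|" "$cfg"
    else
        printf '%s %s\n' "$key" "$val" >> "$cfg"
    fi
}

# get_sshd_option <file> <Directive>: the value sshd would use (first active occurrence)
get_sshd_option() {
    awk -v k="$2" '$1 == k && !found { print $2; found = 1 }' "$1"
}

# count_active <file> <Directive>: number of uncommented lines; more than 1 is a misconfiguration
count_active() {
    grep -Ec "^[[:space:]]*${2}[[:space:]]" "$1" || true
}
```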

sudoers

Use the following command as root to edit /etc/sudoers; it checks the syntax before saving:

visudo

Generally I place users that need sudo rights in the following section:

## Allows people in group wheel to run all commands
# %wheel        ALL=(ALL)       ALL
root    ALL=(ALL) ALL

firewalld

ALL

firewall-cmd --zone=public --add-port=2022/tcp --permanent
firewall-cmd --zone=public --add-port=873/tcp --permanent

firewall-cmd --reload
firewall-cmd --zone=public --list-all

iptables instead of firewalld

http://www.tejasbarot.com/2014/08/02/rhel-7-centos-7-disable-firewalld-and-use-iptables

Disable (mask) the firewalld service so nothing can start it again:

systemctl mask firewalld

Stop the firewalld service:

systemctl stop firewalld

Install the iptables service packages:

yum -y install iptables-services

Make sure the service starts at boot:

systemctl enable iptables

If you do not want ip6tables, you can skip the following command:

systemctl enable ip6tables

Now, finally, start the iptables service:

systemctl start iptables

If you do not want ip6tables, you can skip the following command:

systemctl start ip6tables

The firewalld service is now disabled and stopped; you can use iptables.

Now run your favourite iptables script to set up the firewall with iptables the way you like.

no firewall

systemctl stop firewalld
systemctl stop iptables
systemctl mask firewalld
/sbin/iptables-save > /etc/sysconfig/iptables
iptables -L -n

This should give you an empty ruleset:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Now start the iptables service:

systemctl start iptables

and you should still have the same empty chains:

iptables -L -n

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Finally, enable it at boot:

systemctl enable iptables

Networks

Run nmcli d in a terminal to quickly identify the Ethernet cards installed in the machine:

nmcli d
DEVICE  TYPE      STATE      CONNECTION
enp2s0  ethernet  connected  enp2s0
lo      loopback  unmanaged  --

Run nmtui to open the NetworkManager text interface, choose "Edit a connection" (use TAB to move between options) and press Enter. The resulting interface file looks like this:

/etc/sysconfig/network-scripts/ifcfg-enp2s0

TYPE=Ethernet
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
NAME=enp2s0
UUID=8752ca5c-2954-49bb-bfa9-ab35ad71f1c1
ONBOOT=yes
HWADDR=74:D4:35:BB:63:C6
IPADDR=192.168.1.254
PREFIX=32
GATEWAY=192.168.1.1
DNS1=192.168.1.1
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes

Check PREFIX before restarting: PREFIX=32 leaves the interface with no on-link subnet, so the gateway 192.168.1.1 cannot be reached; for a 192.168.1.0/24 LAN it should be PREFIX=24.

systemctl restart network

https

http://wiki.centos.org/HowTos/Https
