Kenneth: /* Minimal Install - Anaconda Kickstart */

2016-06-04T07:39:05Z

Minimal Install - Anaconda Kickstart

New page

==Summary==

==Minimal Secure Install==
Install CentOS 5 (minimal install):
# boot to CD 1
linux text
# do minimal install (deselect ALL package options)

Disable SELinux
# DISABLE SELINUX - not as secure, but much easier to work with
system-config-securitylevel-tui
reboot

Remove Extra Packages:
# Packages with no dependencies...
yum -y remove Deployment_Guide-en-US autofs conman finger gpm nfs-utils nfs-utils* pcmciautils xorg*
# ADDITIONAL: cpuspeed
# Packages with dependencies...
yum -y remove atk bluez-* cairo ccid cups* desktop-file-utils libX11
# ADDITIONAL: fontconfig freetype portmap
# This remove the following depenencies:
# GConf2 coolkey gtk2 htmlview libXcursor libXext libXfixes libXft libXi libXinerama libXrandr
# libXrender libXres libXt libXxf86vm libnotify libwnck mesa-libGL notification-daemon pango
# paps pinfo redhat-lsb redhat-menus startup-notification yp-tools ypbind

# DISABLE EXTRA SERVICES
# No longer needed as removal of packages takes care of most of these
# for service in apmd autofs bluetooth cpuspeed cups gpm netfs nfslock portmap rpcgssd rpcidmapd ; do chkconfig $service off ; done
# except for apmd cpuspeed

# SETUP NTPD
# Use time-a.nist.gov instead of time.nist.gov
yum -y install ntp ; ntpdate -t 10 time-a.nist.gov ; hwclock -w ; chkconfig ntpd on ; service ntpd start

# SETUP ALIASES
echo -e "root:\t\tkenneth@oeey.com" >> /etc/aliases
newaliases

# DISABLE ROOT SSH LOGIN
adduser kenneth
passwd kenneth
visudo
# %wheel ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
vi /etc/group
wheel:x:10:root,kenneth
vi /etc/ssh/sshd_config
#PermitRootLogin yes
PermitRootLogin no
service sshd restart

# To Configure firewall
system-config-securitylevel-tui

# DO SYSTEM UPDATE AND REBOOT
yum -y update ; reboot

==Security Tools==
*[http://sectools.org/tools2003.html Top 75 Security Tools]
*[http://sectools.org/tools2000.html Top 50 Security Tools]
*[http://sectools.org/ Top 100 Network Security Tools]

==Ports==
Linux TCP Ports:
TCP 22 SSH (sshd)
TCP 25 SMTP (sendmail/postfix)
TCP 80 HTTP (httpd)
TCP 110 POP3 (courier/dovcot)
TCP 143 IMAP (courier)
TCP 389 LDAP
TCP 443 HTTPS (httpd)
TCP 465 SMTPS (stunnel->sendmail)
TCP 636 LDAP/SSL (stunnel->LDAP)
TCP 993 IMAPS (stunnel->courier)
TCP 995 POP3S (stunnel->courier)

Linux UDP Ports:
UDP 53 DNS (named)
UDP 123 NTP (ntpd)

Windows Ports:
TCP 3389 Remote Desktop (Windows)

==Minimal Install - Anaconda Kickstart==
anaconda-ks.cfg:
<nowiki>
# Kickstart file automatically generated by anaconda.

install
cdrom
lang en_US.UTF-8
keyboard us
network --device eth0 --bootproto static --ip 10.0.0.41 --netmask 255.255.255.0 --gateway 10.0.0.1 --nameserver 10.0.0.1 --hostname gatekeeper.oeey.com
network --device eth1 --bootproto dhcp --hostname gatekeeper.oeey.com
rootpw --iscrypted $1$Np12nOAS$Nkxxxxxx7i.
firewall --enabled --port=22:tcp
authconfig --enableshadow --enablemd5
selinux --enforcing
timezone --utc America/Boise
bootloader --location=mbr --driveorder=sda
# The following is the partition information you requested
# Note that any partitions you deleted are not expressed
# here so unless you clear all partitions first, this is
# not guaranteed to work
#clearpart --all --drives=sda
#part /boot --fstype ext3 --size=101 --asprimary
#part swap --size=3968 --asprimary
#part / --fstype ext3 --size=1 --grow --asprimary

%packages
@base
@core
</nowiki>

==Remove Extra Services==
#Block ping requests:
#*enable firewall
#*$IPTABLES -A INPUT -p ICMP –icmp-type timestamp-request -i $EXTIFACE -j DROP
#Secure SSH:
#*vi /etc/ssh/sshd_config
#*Protocol 2
#*ListenAddress 0.0.0.0
#*PermitRootLogin no
#Disable extra services:
#*netfs
#*nfslock
#*portmap
#*rpcgssd
#*rpcidmapd
#*acpid (Power Management Related)
#*apmd (Power Management Related)
#*cups
#*isdn (Only used if you have an ISDN card in the machine)
#*pcmcia (Most likely you either don’t have or will not use a pcmcia device in the machine)
#*bluetooth
#*autofs
#*xfs
#*gpm

for service in netfs nfslock portmap rpcgssd rpcidmapd acpid apmd cups isdn pcmcia bluetooth autofs xfs gpm ; do chkconfig $service off ; done

Current list of enabled services:
[kenneth@dev ~]$ sudo /sbin/chkconfig --list | grep 3:on
acpid 0:off 1:off 2:off 3:on 4:on 5:on 6:off
anacron 0:off 1:off 2:on 3:on 4:on 5:on 6:off
apmd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
atd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
autofs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
cpuspeed 0:off 1:on 2:on 3:on 4:on 5:on 6:off
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
firstboot 0:off 1:off 2:off 3:on 4:off 5:on 6:off
gpm 0:off 1:off 2:on 3:on 4:on 5:on 6:off
haldaemon 0:off 1:off 2:off 3:on 4:on 5:on 6:off
hidd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
ip6tables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
irqbalance 0:off 1:off 2:on 3:on 4:on 5:on 6:off
jexec 0:on 1:on 2:on 3:on 4:on 5:on 6:on
kudzu 0:off 1:off 2:off 3:on 4:on 5:on 6:off
mcstrans 0:off 1:off 2:on 3:on 4:on 5:on 6:off
mdmonitor 0:off 1:off 2:on 3:on 4:on 5:on 6:off
messagebus 0:off 1:off 2:off 3:on 4:on 5:on 6:off
mysqld 0:off 1:off 2:on 3:on 4:on 5:on 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
ntpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
pcscd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
readahead_early 0:off 1:off 2:on 3:on 4:on 5:on 6:off
restorecond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sendmail 0:off 1:off 2:on 3:on 4:on 5:on 6:off
smartd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
syslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
yum-updatesd 0:off 1:off 2:off 3:on 4:on 5:on 6:off

getent protocols 50
# find which service has been allocated the port 5353 (in UDP) by IANA.
getent services 5353

Additional items to remove: [http://www.hornfordassociates.com/resources/how-to-library/centos-set-up.html]
yum remove Deployment_Guide-en-US
yum remove finger gaim cups-libs cups bluez-libs desktop-file-utils

This removed also:
bluez-utils GConf2 cups-libs libnotify desktop-file-utils bluez-libs
htmlview paps finger redhat-lsb cups libwnck notification-daemon
redhat-menus pinfo gtk2 bluez-gnome

Some other options:
yum remove apmd acpid cpuspeed
yum remove atk autofs cairo ccid conman fontconfig freetype libX11 pcmciautils
yum remove xorg*

==Disabling Root Logins==
[http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/security-guide/s1-wstation-privileges.html Disallowing Root Access]

Prevent access to the root shell and logs the attempt. Edit the /etc/passwd file and change the shell from /bin/bash to /sbin/nologin.

Prevent access to the root account via the console or the network. An empty /etc/securetty file prevents root login on any devices attached to the computer.
echo > /etc/securetty

Prevent root access via the OpenSSH suit of tools. Edit the /etc/ssh/sshd_config file and set the PermitRootLogin parameter to no.

Prevent root access to network services that are PAM aware. Edit the file for the target service in the /etc/pam.d/ directory. Make sure the pam_listfile.so is required for authentication.

==Windows Password Security==
<blockquote>"Interestingly, if you run windows (shudder) and want to see just how secure your passwords are, have a look at Ophcrack. Scary stuff!
 
http://ophcrack.sourceforge.net/
 
This thing will find any 14 character alphanumeric password in a matter of minutes!" [http://www.centos.org/modules/newbb/viewtopic.php?topic_id=7115&forum=14] </blockquote>

==Security Watches==
*[http://news.netcraft.com/archives/2006/06/16/paypal_security_flaw_allows_identity_theft.html PayPal Security Flaw allows Identity Theft]
*[http://www.theregister.co.uk/2002/08/12/ssl_defeated_in_ie/ SSL defeated in IE and Konqueror]

==NMAP==
See [[nmap]]

==Auditor Security Collection==
[http://en.wikipedia.org/wiki/Auditor_Security_Collection Wiki Auditor Security Collection]

<blockquote>"The Auditor security collection is a LiveCD based on Knoppix. Auditor was planned and developed with the targets of user-friendliness and an optimal toolset. For example, the menu structure is organised into the typical phases of a security check: footprinting, analysis, scanning, wireless scanning, brute-forcing, and cracking. Auditor Security Collection is now known as BackTrack."[http://en.wikipedia.org/wiki/Auditor_Security_Collection] </blockquote>

*[http://freshmeat.net/projects/auditor/ Freshmeat: Auditor security collection]
*[http://www.linux.com/articles/48225 Auditor: The security tool collection]

==BackTrack==
[http://www.remote-exploit.org/backtrack.html BackTrack]

<blockquote>"BackTrack is the most Top rated linux live distribution focused on penetration testing. With no installation whatsoever, the analysis platform is started directly from the CD-Rom and is fully accessible within minutes. [http://www.remote-exploit.org/backtrack.html] </blockquote>

<blockquote>"BackTrack is a Linux distribution distributed as a LiveDistro that results from the merger of WHAX and Auditor-based Auditor Security Collection." [http://en.wikipedia.org/wiki/BackTrack] </blockquote>

*[http://en.wikipedia.org/wiki/BackTrack Wiki: BackTrack]

== DenyHosts ==

DenyHosts - http://denyhosts.sourceforge.net/

"DenyHosts is a script intended to be run by Linux system administrators to help thwart SSH server attacks (also known as dictionary based attacks and brute force attacks).

If you've ever looked at your ssh log (/var/log/secure on Redhat, /var/log/auth.log on Mandrake, etc...) you may be alarmed to see how many hackers attempted to gain access to your server. Hopefully, none of them were successful (but then again, how would you know?). Wouldn't it be better to automatically prevent that attacker from continuing to gain entry into your system?

DenyHosts attempts to address the above"

NOTE: DenyHosts is a Python script! :-)

-

[http://www.linux-mag.com/cache/7729/1.html Got Security? You’re in Denial | Linux Magazine]:
:"Do you think your systems are secure? Install DenyHosts and you’ll realize that you were in denial. "

:"Exposing a system to the Internet means that you’ll soon (within hours) experience login attempts from random locations, from people you don’t know and from those with unclear motivations. DenyHosts is an SSH security tool in the form of a python script that helps prevent brute force and dictionary-based attacks against your systems. On my home system, I have at least one such attempt added to my /etc/hosts.deny file per day. I use DenyHosts to maintain that stealth watch over my insignificant system here in my dusty little corner of the Internet that I call home."

=== DenyHosts Installation ===

Installation:
yum install --enablerepo=rpmforge denyhosts

Start service:
service denyhosts start
starting DenyHosts: /usr/bin/env python /usr/bin/denyhosts.py --daemon --config=/etc/denyhosts/denyhosts.cfg

Config:
/etc/denyhosts/denyhosts.cfg

-- Manual Installation --

apt-get install python python2.3-dev python2.3

cd /tmp
wget http://mesh.dl.sourceforge.net/sourceforge/denyhosts/DenyHosts-2.0.tar.gz
tar xvfz DenyHosts-2.0.tar.gz
cd DenyHosts-2.0
python setup.py install

cd /usr/share/denyhosts
cp denyhosts.cfg-dist denyhosts.cfg

Preventing SSH Dictionary Attacks With DenyHosts | HowtoForge - Linux Howtos and Tutorials - http://www.howtoforge.com/preventing_ssh_dictionary_attacks_with_denyhosts

== Tutorials ==

=== [http://crashrecovery.org/hardening.html The R Zone: Hardening a Linux Server in 10 Minutes] ===

<pre>
Wed Mar 1 16:14:18 CET 2006 (as copied from :
http://rudd-o.com/archives/2006/02/27/hardening-a-linux-server-in-10-minutes/ )

Did you know that a freshly installed Linux server can be hardened in
less than 10 minutes? Heres how!

Print these instructions out, and keep them posted on a wall in your
office or home. Before plugging a freshly installed network server,
simply remember to follow these instructions. Make these instructions
second nature to you.

Youll need a bit of experience with the Linux command-line environment,
as the following commands are usually issued in a terminal. You will
need root access on your server as well. By the way, the following
instructions apply to any LSB-compliant Linux distribution, but Ill use
Fedora Core as an example.
</pre>

*Step 1: turn all unneeded services off
*Step 2: limit access to running services using iptables

=== [http://www.ibm.com/developerworks/linux/edu/l-dw-linux-harden-server-i.html IBM - Hardening the Linux server] ===
:"Servers—whether used for testing or production—are primary targets for attackers. By taking the proper steps, you can turn a vulnerable box into a hardened server and help thwart outside attackers. Learn how to secure SSH sessions, configure firewall rules, and set up intrusion detection to alert you to any possible attacks on your GNU/Linux® server. Once you've gained a solid foundation in the basics of securing your server, you can build on this knowledge to further harden your systems."

== References ==

*CentOS 4 Security Assessment [http://tech.scottp.net/index.php/2005/11/22/centos-4-security-assessment/]:
*Securing CentOS Linux installations by disabling unneeded services [http://prefetch.net/blog/index.php/2006/12/27/securing-centos-installations-by-disabling-unneeded-services/]
*[http://koltsoff.com/pub/securing-centos/]
*[http://www.net-security.org/article.php?id=109]
*[http://www.tldp.org/LDP/solrhe/Securing-Optimizing-Linux-RH-Edition-v1.3/index.html Securing and Optimizing Linux (HTML eBook)]
*[http://www.puschitz.com/SecuringLinux.shtml Securing and Hardening Red Hat Linux Production Systems]
**Good article to read!
*[http://www.openna.com/pdfs/Securing-Optimizing-Linux-The-Ultimate-Solution-v2.0.pdf Securing & Optimizing Linux: The Ultimate Solution (PDF eBook)]
*[http://www.openna.com/pdfs/Securing-Optimizing-Linux-RH-Edition-v1.3.pdf Securing & Optimizing Linux: Red Hat Edition (PDF eBook)]
*[http://www.anchorite.org/blog/2006/11/13/minimal-services-on-centos-44-mini-howto/ Minimal Services on CentOS 4.4 Mini-HowTo]
**Includes an extensive list of services to disable.
*[http://wdl.lug.ro/documentation/passwords_guide.pdf My guide to a secure password by Marc Mercer]
*[http://www.openna.com/products/books.php OpenNA Security Books]
*[http://www.openna.com/documentations/documentations.php OpenNA Documentation]
**Several good articles to read

== http://www.faqs.org/docs/gazette/tips.html Linux Security Tips By Kapil Sharma ==

"In this article I will explain how to make your Linux box secure by taking basic security measures. This article will enable anybody to tighten the security of a redhat Linux box."

Summary:
* BIOS Security - password protect
* LILO Security - password protect
* Disable all special accounts - delete unused accounts
* Choose a Right password - set password definitions
* Enable shadow password support - /usr/sbin/authconfig, pwconv, grpconv
* The root account - timeout
* Disable all console-equivalent access for regular users
* Disable & uninstall all unused services - inetd
* TCP_WRAPPERS - disallow all by default
* Don't let system issue file to be displayed - telnetd
* Change the "/etc/host.conf" file
* Immunize the "/etc/services" file - immutable
* Disallow root login from different consoles - /etc/securetty
* Blocking anyone to su to root - pam, wheel account
* Shell logging - history size
* Disable the Control-Alt-Delete keyboard shutdown command - /etc/inittab
* Fix the permissions under "/etc/rc.d/init.d" directory for script files - chmod 700
* Hide your system information - /etc/issue
* Disable unused SUID/SGID programs - find with chmod

== keywords ==

linux security

[[Category:Linux]]

Linux/Security - Revision history

Kenneth: /* Minimal Install - Anaconda Kickstart */