How to harden CentOS 5 or CentOS 6.2
SPRI (Priority Scheduler)
-------------------------
cd /root/
wget http://www.rfxn.com/downloads/spri-current.tar.gz
tar xvfz spri-*.tar.gz
cd spri-*/
./install.sh
spri -v
PRM (Process Resource Monitor)
------------------------------
cd /root
wget http://www.rfxn.com/downloads/prm-current.tar.gz
tar xvfz prm-*.tar.gz
cd prm-*/
./install.sh
prm -j
Temporary Directory Hardening
-----------------------------
/bin/cp /etc/fstab /etc/fstab.bak
Use df to check if a /tmp partition is already present.
[if no /tmp partition present]
cd /usr
dd if=/dev/zero of=/usr/tmpMnt bs=1024 count=2000000
mke2fs -j /usr/tmpMnt
cd /
cp -R /tmp /tmp_backup
mount -o loop,noexec,nosuid,rw /usr/tmpMnt /tmp
chmod 1777 /tmp   # sticky bit set, so users cannot remove each other's files
/bin/cp -R /tmp_backup/* /tmp/
rm -rf /tmp_backup
nano -w /etc/fstab
At the very bottom add
/usr/tmpMnt /tmp ext3 loop,noexec,nosuid,rw 0 0
nano -w /etc/fstab
In the /tmp entry, change “defaults” to loop,noexec,nosuid,rw
mount /tmp
rm -rf /var/tmp
ln -s /tmp /var/tmp
If a symlink is not possible, then /var/tmp is most likely also a partition. In this case, /var/tmp must be hardened with loop,noexec,nosuid,rw in fstab as well.
If /tmp was hardened by cPanel’s /scripts/securetmp, remove the line from /etc/rc.d/rc.local and then reboot. The server will come back without a /tmp partition, and you can then follow the instructions above.
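A check for the result of the steps above, as an added example that is not part of the original post: it reads a table in /etc/fstab or /proc/mounts layout and reports which of noexec and nosuid a mount point is missing. The function name missing_opts and the sample table are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report which required options a mount point is missing.
# $1 = table in /etc/fstab or /proc/mounts layout, $2 = mount point
missing_opts() {
    awk -v mp="$2" -v req="noexec,nosuid" '
        $1 !~ /^#/ && $2 == mp { opts = $4; found = 1 }  # last match = mount on top
        END {
            if (!found) { print "not-listed"; exit }
            n = split(req, want, ",")
            out = ""
            for (i = 1; i <= n; i++)
                if (index("," opts ",", "," want[i] ",") == 0)
                    out = out (out == "" ? "" : ",") want[i]
            print (out == "" ? "ok" : out)
        }' "$1"
}

# Constructed sample in /etc/fstab layout (not taken from a real server).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# device                 mountpoint type options                    dump pass
/dev/VolGroup00/LogVol00 /          ext3 defaults                   1 1
/usr/tmpMnt              /tmp       ext3 loop,noexec,nosuid,rw      0 0
/dev/sda5                /var/tmp   ext3 defaults                   1 2
EOF

# Prints "ok", the missing options, or "not-listed" for each mount point.
for mp in /tmp /var/tmp /home; do
    printf '%-9s %s\n' "$mp" "$(missing_opts "$sample" "$mp")"
done
```

On a live server, run missing_opts /proc/mounts /tmp after mounting and missing_opts /etc/fstab /tmp to confirm the options survive a reboot. When /var/tmp is a symlink to /tmp it has no entry of its own and is reported as not-listed.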
SSH Server Hardening
---------------------
nano -w /etc/ssh/sshd_config
Uncomment #Protocol 2, 1
Change to Protocol 2
Append these lines to the bottom:
LoginGraceTime 120
IgnoreRhosts yes
X11Forwarding no
/etc/rc.d/init.d/sshd restart
DISABLE DIRECT ROOT LOGIN
-------------------------
If the server already has an su user, good. If not, create one:
Replace XXX with 3 numbers.
groupadd anyuserXXX
useradd anyuserXXX -g anyuserXXX
passwd anyuserXXX
(type the password when prompted)
nano -w /etc/group
Search for wheel, then append “anyuserXXX”
So it should be “root,anyuserXXX”
nano -w /etc/ssh/sshd_config
Set PermitRootLogin no (and uncomment the line)
At the bottom add
AllowUsers anyuserXXX
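An audit of the sshd_config settings from the two sections above, as an added example that is not part of the original post. For these keywords sshd uses the first uncommented value it finds, so a line appended at the bottom has no effect when the same keyword is already set earlier in the file. The function names effective and audit_sshd and the sample config are assumptions made for this example.

```shell
#!/bin/sh
# Added example: print the value sshd will use for keyword $2 in file $1.
# Keywords are case-insensitive; the first uncommented occurrence wins.
effective() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Compare the effective values with the ones this guide sets.
# Returns 0 when everything matches, 1 otherwise.
audit_sshd() {
    rc=0
    while read -r key want; do
        got=$(effective "$1" "$key")
        if [ "$got" = "$want" ]; then
            echo "PASS $key $got"
        else
            echo "FAIL $key wanted=$want effective=${got:-<unset>}"; rc=1
        fi
    done <<'EOF'
Protocol 2
LoginGraceTime 120
IgnoreRhosts yes
X11Forwarding no
PermitRootLogin no
EOF
    [ -n "$(effective "$1" AllowUsers)" ] || { echo "FAIL AllowUsers unset"; rc=1; }
    return $rc
}

# Constructed sample: X11Forwarding is already set to yes above the appended lines.
cfg=$(mktemp)
trap 'rm -f "$cfg"' EXIT
cat > "$cfg" <<'EOF'
#Protocol 2,1
Protocol 2
PermitRootLogin no
X11Forwarding yes
LoginGraceTime 120
IgnoreRhosts yes
X11Forwarding no
AllowUsers anyuserXXX
EOF

audit_sshd "$cfg" || echo "sshd_config needs attention"
```

Point audit_sshd at /etc/ssh/sshd_config before restarting sshd, and keep the existing root session open until a login as anyuserXXX followed by su has been confirmed.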
ChkRootKit
--------------
cd /root/
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
mv chkrootkit.tar.gz /usr/local/src/
cd /usr/local/src/
tar -zxf chkrootkit.tar.gz
cd /usr/local/src/chkrootkit*/
make sense
cd /root
mv /usr/local/src/chkrootkit*/ /usr/local/chkrootkit
cd /etc/cron.weekly
Create chkrootkit.sh with the following contents:
#!/bin/bash
EMAIL=your@domain.com
/usr/local/chkrootkit/chkrootkit -q | mail -s "ChkRootKit Scan Report - $(hostname)" "$EMAIL"
chmod 755 /etc/cron.weekly/chkrootkit.sh
RkHunter
------------
cd /root
wget http://space.dl.sourceforge.net/project/rkhunter/rkhunter/1.3.8/rkhunter-1.3.8.tar.gz
tar -zxf rkhunter-1.3.8.tar.gz
cd rkhunter-1.3.8
./installer.sh --layout default --install
cd /etc/cron.weekly
Create rkhunter.sh with the following contents:
#!/bin/bash
# Full path, because cron's PATH may not include /usr/local/bin (where the default layout installs)
EMAIL=your@domain.com
/usr/local/bin/rkhunter -c --sk --summary -q | mail -s "Rkhunter Scan Report - $(hostname)" "$EMAIL"
chmod 755 /etc/cron.weekly/rkhunter.sh
Installing CSF firewall
------
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
Next, test whether you have the required iptables modules:
perl /etc/csf/csftest.pl
3 comments:
Astonishing illustration of the installation process of a Linux server, as we generally face the problem in installation.

Hello,
The installation packages were upgraded over a period of time, and the packages are being changed.
Kindly follow these two URLs for chkrootkit and rkhunter.
http://sourceforge.net/projects/rkhunter/
http://www.chkrootkit.org/download.htm
---
Hemanth

This is extremely helpful for me, as I have a problem hardening CentOS in the Linux operating system.