
SbD

Hardening CentOS Linux Servers: The Ninja way

Lorenzo Martínez R. (@lawwait)

Hardening CentOS Linux

Thanks Karanbir!

All Rights reserved


[root@localhost ~]# whoami

13 years of security professional experience


Integrators -> Vendors -> Entrepreneur
CTO && Founder www.securizame.com
ANCITE (www.ancite.es)
CISSP, CISA
www.SecurityByDefault.com editor
Tools: Securewin, amispammer, scalparser
Twitter: @lawwait, @securizame, @secbydefault
Email: lorenzo@securizame.com

Why did I choose CentOS?

Red Hat 8 & 9
Fedora Core
LTS distros: Debian, RHEL, Suse, Ubuntu, ...
Now: RHEL, CentOS, Scientific Linux, Oracle


What will the server do?


Linux and the NSA


Disabling SELinux


Linux Internals
Virtual Filesystem /proc


Kernel Parameters


Sysctl Support


Disabling IPv6


/etc/sysctl.conf

# Controls IP packet forwarding
net.ipv4.ip_forward = 0
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename
kernel.core_uses_pid = 1
# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1

# Disable netfilter on bridges
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
# Reboot 5 seconds after a kernel panic
kernel.panic = 5
# Decrease the default value of the tcp_fin_timeout connection timer
net.ipv4.tcp_fin_timeout = 15
# Decrease the default value of the tcp_keepalive_time connection timer
net.ipv4.tcp_keepalive_time = 1800
# Turn off tcp_window_scaling
net.ipv4.tcp_window_scaling = 0

# Turn off tcp_sack
net.ipv4.tcp_sack = 0
# Turn off tcp_timestamps
net.ipv4.tcp_timestamps = 0
# Enable ignoring broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Enable bad error message protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Log spoofed packets, source routed packets, redirect packets
net.ipv4.conf.all.log_martians = 1
# Set the maximum amount of memory allocated to shm to 256MB
kernel.shmmax = 268435456

# Increase the size of the socket queue (effectively, q0)
net.ipv4.tcp_max_syn_backlog = 1280
# Increase the maximum total TCP buffer-space allocatable
net.ipv4.tcp_mem = 57344 57344 65536
# Increase the maximum TCP write-buffer-space allocatable
net.ipv4.tcp_wmem = 32768 65536 524288
# Increase the maximum TCP read-buffer-space allocatable
net.ipv4.tcp_rmem = 98304 196608 1572864
# Increase the maximum receive socket buffer size
net.core.rmem_max = 524280
# Increase the default receive socket buffer size
net.core.rmem_default = 524280

# Increase the maximum send socket buffer size
net.core.wmem_max = 524280
# Increase the default send socket buffer size
net.core.wmem_default = 524280
# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 1440000
# Allowed local port range
net.ipv4.ip_local_port_range = 16384 65536
# Increase the maximum memory used to reassemble IP fragments
net.ipv4.ipfrag_high_thresh = 512000
net.ipv4.ipfrag_low_thresh = 446464
# Increase the maximum amount of option memory buffers
net.core.optmem_max = 57344
# Do not accept redirects. Avoid MITM
net.ipv4.conf.all.accept_redirects = 0
# Forbid sending ICMP redirects
net.ipv4.conf.all.send_redirects = 0
# Disable IPv6
net.ipv6.conf.all.disable_ipv6 = 1
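As an added example (not part of the deck), a small POSIX shell audit that reads a sysctl.conf-style file such as the one above and compares every key with the value the running kernel exposes under /proc/sys; the function names and the demo tree are constructed for this page.

```shell
#!/bin/sh
# Added example, not from the deck: compare a sysctl.conf-style file with the values
# the kernel actually runs (read from /proc/sys). ROOT may point at any directory
# with the same layout, so the check also runs offline, as demo_sysctl_audit shows.
# "net.ipv4.ip_forward" -> "$ROOT/net/ipv4/ip_forward"
sysctl_path() {
    printf '%s/%s' "$2" "$(printf '%s' "$1" | tr '.' '/')"
}
# audit_sysctl CONF [ROOT]: prints OK / DRIFT / MISSING per key and returns the
# number of keys that are missing or differ.
audit_sysctl() {
    conf=$1; root=${2:-/proc/sys}; bad=0
    tmp=$(mktemp)
    # drop comments and blank lines; turn "key=value" / "key = value" into "key value"
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' \
        -e 's/^[[:space:]]*\([^[:space:]=]*\)[[:space:]]*=[[:space:]]*/\1 /' "$conf" > "$tmp"
    while read -r key want; do
        path=$(sysctl_path "$key" "$root")
        if [ ! -r "$path" ]; then
            echo "MISSING $key"; bad=$((bad + 1)); continue
        fi
        # /proc/sys stores multi-value keys tab-separated: squeeze whitespace on both sides
        have=$(tr -s '[:space:]' ' ' < "$path" | sed 's/ *$//')
        want=$(printf '%s' "$want" | tr -s '[:space:]' ' ' | sed 's/ *$//')
        if [ "$have" = "$want" ]; then
            echo "OK      $key = $have"
        else
            echo "DRIFT   $key: want '$want', have '$have'"; bad=$((bad + 1))
        fi
    done < "$tmp"
    rm -f "$tmp"
    return "$bad"
}
# Constructed demo tree: one key matches, one drifts, one multi-value key matches,
# one key (kernel.sysrq) does not exist. Returns 2.
demo_sysctl_audit() {
    root=$(mktemp -d); rc=0
    mkdir -p "$root/net/ipv4"
    echo 0 > "$root/net/ipv4/ip_forward"                        # deck: 0 -> OK
    echo 0 > "$root/net/ipv4/tcp_syncookies"                    # deck: 1 -> DRIFT
    printf '57344\t57344\t65536\n' > "$root/net/ipv4/tcp_mem"  # deck triple -> OK
    cat > "$root/hardening.conf" <<'EOF'
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_mem = 57344 57344 65536
kernel.sysrq = 0
EOF
    audit_sysctl "$root/hardening.conf" "$root" || rc=$?
    rm -rf "$root"
    return "$rc"
}
```

On a real server run `audit_sysctl /etc/sysctl.conf` after `sysctl -p`; a DRIFT line means something reset the key after boot, a MISSING line usually means the module (e.g. bridge) is not loaded.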


Understanding services

The purpose the machine was built for

Load at startup time
Init process
/sbin/runlevel
netstat -[t | u]anp | grep LISTEN
Path -> /etc/rc<runlevel>.d/SXX<service> && KXX<service>
/sbin/chkconfig --list | less
RPMs: setuptool && ntsysv
The fewer services, the better
/etc/rc.local

Services enabled by default

auditd
blk-availability
crond
iptables && ip6tables
lvm2-monitor
netfs
network
postfix
rsyslogd
sshd
udev-post


IPTables

Firewalling rule set

iptables is driven from the command line
/sbin/iptables
Chains: INPUT, OUTPUT, FORWARD
GUIs: fbuilder, shorewall, firestarter, etc.
Script started before network/services are loaded
/etc/rcX.d/S08iptables

Firewall Policy: Best Practices

Mgmt IPs to firewall interfaces, mgmt ports -> Allow
Any to firewall interfaces, mgmt ports -> Deny [Stealth Rule]
<Needed services rules> -> Allow
Anything else -> Deny [Cleanup Rule]
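An added example, not from the deck, that renders the four-step policy above as an iptables-restore rule set and replays a packet against it to show that rule order decides the verdict; build_policy and verdict are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the deck: generate an iptables-restore rule set in the
# order the slide prescribes (management hosts to management ports -> ACCEPT,
# anyone else to those ports -> DROP as the stealth rule, the services the server
# was built for -> ACCEPT, then a cleanup DROP) and simulate a lookup against it.
# Hypothetical interface: build_policy MGMT_SRC "MGMT PORTS" "SERVICE PORTS".
build_policy() {
    mgmt_src=$1; mgmt_ports=$2; svc_ports=$3
    echo '*filter'
    echo ':INPUT DROP [0:0]'     # chain policy is the last-resort cleanup rule
    echo ':FORWARD DROP [0:0]'   # not a router; matches net.ipv4.ip_forward = 0
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for p in $mgmt_ports; do   # 1. management IPs to management ports
        echo "-A INPUT -s $mgmt_src -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in $mgmt_ports; do   # 2. stealth rule: the same ports for everyone else
        echo "-A INPUT -p tcp --dport $p -j DROP"
    done
    for p in $svc_ports; do    # 3. needed services
        echo "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    echo '-A INPUT -j DROP'    # 4. explicit cleanup rule
    echo 'COMMIT'
}

# verdict MGMT_SRC "MGMT PORTS" "SERVICE PORTS" PKT_SRC PKT_DPORT
# Walks the generated rules top-down and prints the first matching target,
# which is how the kernel evaluates a chain. Only the -s / --dport / -j
# matchers emitted above are understood, and -s is compared as a plain string,
# so pass a single management IP when using this checker.
verdict() {
    build_policy "$1" "$2" "$3" | awk -v src="$4" -v dport="$5" '
        /^-A INPUT/ {
            s = ""; p = ""; j = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-s") s = $(i + 1)
                if ($i == "--dport") p = $(i + 1)
                if ($i == "-j") j = $(i + 1)
            }
            # the simulated packet is a NEW TCP connection on a real interface
            if ($0 ~ /-i lo/ || $0 ~ /ESTABLISHED/) next
            if ((s == "" || s == src) && (p == "" || p == dport)) { print j; exit }
        }'
}
```

Review the output of `build_policy` before loading it with `iptables-restore`; swapping steps 1 and 2 would lock the management hosts out, which `verdict` makes visible without touching the live firewall.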


Hardening SSH

Auth: user/password vs. certificates

Change the default SSH port (TCP/22)
Protocol 2
PermitRootLogin -> no
ListenAddress
AllowUsers
AllowGroups


Hardening SSH

MaxAuthTries (Default 6) -> 3
LoginGraceTime (Default 120) -> 60
PasswordAuthentication (Default yes) -> no
Banner (none)
AllowAgentForwarding and AllowTcpForwarding (Default yes) -> if they are not going to be used, change to no
MaxStartups (Default 10) -> if few users connect, change to 3
Ciphers -> aes128-ctr, aes256-ctr, arcfour256, arcfour, aes128-cbc, aes256-cbc
X11Forwarding and PermitEmptyPasswords -> if not needed, no
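Added example, not from the deck: a checker for the sshd_config settings listed on these two slides, including the first-occurrence rule that makes an appended hardening line ineffective; the function names and the sample config are constructed.

```shell
#!/bin/sh
# Added example, not from the deck: audit an sshd_config against the settings the
# slides recommend. sshd uses the FIRST occurrence of a keyword, so a hardened line
# appended below a stock one is silently ignored; the checker reproduces that rule.
# Keywords are case-insensitive; lines after the first "Match" are conditional, so
# the global-section scan stops there.
# sshd_effective CONF KEYWORD: first global value of KEYWORD, or "" when unset
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }               # comment or blank line
        tolower($1) == "match" { exit }                    # end of the global section
        tolower($1) == key { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}
# audit_sshd CONF: one line per check; returns the number of findings.
# A keyword that is not set at all is reported too, so that sshd defaults
# (e.g. LoginGraceTime 120) are made explicit rather than assumed.
audit_sshd() {
    bad=0
    for pair in Protocol=2 PermitRootLogin=no PasswordAuthentication=no \
                MaxAuthTries=3 LoginGraceTime=60 PermitEmptyPasswords=no \
                X11Forwarding=no AllowAgentForwarding=no AllowTcpForwarding=no; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(sshd_effective "$1" "$key" | tr 'A-Z' 'a-z')   # yes/no are case-insensitive
        if [ "$have" = "$want" ]; then
            echo "OK      $key $have"
        elif [ -z "$have" ]; then
            echo "UNSET   $key (sshd default applies), want $want"; bad=$((bad + 1))
        else
            echo "FINDING $key is '$have', want '$want'"; bad=$((bad + 1))
        fi
    done
    return "$bad"
}
# Constructed config showing the trap: "PermitRootLogin no" was appended at the
# bottom, below the stock "yes" and inside a Match block, so it never applies globally.
demo_sshd_audit() {
    f=$(mktemp); rc=0
    cat > "$f" <<'EOF'
Protocol 2
PermitRootLogin yes
PasswordAuthentication No
MaxAuthTries 3
Match User backup
    PasswordAuthentication yes
PermitRootLogin no
EOF
    audit_sshd "$f" || rc=$?
    rm -f "$f"
    return "$rc"
}
```

Run `sshd -t -f FILE` alongside it, since the checker reads values but does not validate syntax, and `sshd -T` to see the effective Ciphers list: the arcfour and CBC entries on the slide are disabled by default in current OpenSSH releases.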

Hardening BASH
Define read-only environment variables -> to avoid them being overwritten by users (declare -r HISTFILE=~/.bash_history && chattr +a ~/.bash_history)
HISTFILESIZE -> maximum number of lines to keep in the history file
HISTSIZE -> maximum number of commands kept in memory
HISTTIMEFORMAT -> date/time format stored with each executed command
Force a commit of HISTFILE every time a command is typed instead of at logout -> readonly PROMPT_COMMAND="history -a" (or declare -r PROMPT_COMMAND="history -a")

Hardening BASH
Limit the login session timeout -> declare -r TMOUT=120
Limits -> ulimit command
-c maximum size of core files
-s maximum stack size
-t maximum CPU seconds
-u maximum number of processes available per user
-v maximum virtual memory available to the shell
-x maximum number of file locks

Default file mask for every user -> umask 077 (rwx --- ---)
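The two Bash slides as one added profile snippet (not from the deck; the file name /etc/profile.d/hardening.sh, the history sizes and the ulimit values are assumed), with a check function that verifies the variables really are read-only in the shell that sourced it.

```shell
# Added example, not from the deck: a drop-in for /etc/profile.d/ (assumed name
# hardening.sh) that applies both Bash slides. Values are set first and then made
# read-only, so a user cannot unset the history capture or the idle timeout from
# an interactive shell. It pairs with "chattr +a ~/.bash_history" (append-only);
# an immutable file would stop bash from writing history at all.

# --- command history ---
HISTFILE="$HOME/.bash_history"
HISTFILESIZE=10000            # lines kept on disk (assumed value)
HISTSIZE=10000                # commands kept in memory (assumed value)
HISTTIMEFORMAT='%F %T '       # timestamp stored with each entry
PROMPT_COMMAND='history -a'   # flush after every command, not only at logout
# histappend makes the logout write an append too, which an append-only file allows
if [ -n "$BASH_VERSION" ]; then shopt -s histappend; fi
readonly HISTFILE HISTFILESIZE HISTSIZE HISTTIMEFORMAT PROMPT_COMMAND

# --- session timeout, resource limits, umask ---
TMOUT=120                     # idle interactive shell exits after 120 s
readonly TMOUT
ulimit -c 0                   # no core dumps: they can contain credentials
ulimit -S -u 4096             # soft cap on processes per user; tune per server
umask 077                     # new files are rwx------ for the owner only

# Returns 0 when every variable above is still read-only in the calling shell,
# i.e. the profile has not been bypassed; usable from a login check.
hardening_is_locked() {
    for v in HISTFILE HISTFILESIZE HISTSIZE HISTTIMEFORMAT PROMPT_COMMAND TMOUT; do
        # assigning to a read-only variable fails; probe it in a throw-away subshell
        ( eval "$v=probe" ) 2>/dev/null && return 1
    done
    return 0
}
```

Because PROMPT_COMMAND and HISTFILE are read-only, `unset HISTFILE` or `HISTFILE=/dev/null` in a user's shell fails instead of silently disabling the audit trail.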

Hardening Apache
Installation:
Use the rpm package or a static compilation
Right permissions: chown + chroot
chmod -R go-r /etc/httpd
chmod -R go-r /var/log/httpd

Disable default modules that are not needed/used (http://www.cyberciti.biz/faq/howto-disable-apachemodules-under-linux-unix/)


Hardening Apache
Listen [IP Address:]<Port>
Allow from directives:
Deny from All
Allow from 192.168.X.Y/24

Security through obscurity:
ServerTokens ProductOnly
ServerSignature Off

With mod_security:
SecServerSignature "Powered by Securizame 8.0"

Disable the TRACE method:
TraceEnable Off

Patches Management
Optional package: yum-cron
/etc/sysconfig/yum-cron


Auditing Tools
Check security/health
Misconfigurations && Malware
Tools: Lynis, checklist-linux, rkhunter, chkrootkit, unhide

Filesystem integrity: AFICK, AIDE, Tripwire

Other stuff: IDS/IPS



Lynis/checklistlinux


Logs
Send to a remote event collector: syslog
NTP (Network Time Protocol)
LIDS: OSSEC


OSSEC


Conclusions

CentOS Linux FTW!


Corporate Distribution
Community support
Security concepts in mind
Minimalism is the key
Harden, audit and monitor


Email me: lorenzo@securizame.com


Twitter: @lawwait @securizame @secbydefault