Secure new CentOS install

Step 1: Secure SSH

Log in as root to your server and run the following commands to back up and then edit the SSH configuration:

cp /etc/ssh/ssh_config /etc/ssh/ssh_config.bak; cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
vi /etc/ssh/ssh_config

Press i to enter insert mode. The change that matters in this file is the Protocol line under Host *: uncomment it and change Protocol 2,1 to Protocol 2, so the client never negotiates down to the broken SSH-1 protocol. The other commented lines under Host * only restate the compiled-in defaults (the file's own header says so), so uncommenting them changes nothing. Press Esc to leave insert mode and type ZZ to save and quit. Then open the server side:

vi /etc/ssh/sshd_config

As before, in insert mode, uncomment the Port, Protocol (change it to 2 only, if it is not already) and ListenAddress 0.0.0.0 lines; these are the defaults anyway, so this only makes explicit what the server listens on. The change that matters is PermitRootLogin: uncomment it and set it to no. Quit and save (Esc, ZZ). Before restarting, run sshd -t, which reports syntax errors without touching the running daemon, and keep this root session open until you have confirmed from a second terminal that the user created below can log in; otherwise a typo here locks you out. Then restart the SSH service:

service sshd restart

Since root can no longer log in remotely (a deliberate measure: root has full access to the entire system, so a guessed or leaked root password hands over the whole box, and root is the account every SSH brute-force tool tries first), the final step is to create a user who can log in and then become root. Note that -g makes wheel the user's primary group; -G wheel (a supplementary group) is the usual form. On CentOS, wheel membership only gates su if you enable the pam_wheel line in /etc/pam.d/su, which is commented out by default. Type in:

useradd -g wheel admin
passwd admin

Next time you log in, switch to the root user with the following command (enter the root password at the prompt):

su -
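The whole of Step 1 as an added script (this is not code from the original post). It makes the same edits repeatably: the first line that sets each keyword, commented out or not, is replaced, later duplicates are dropped because sshd only honours the first occurrence, and a keyword the file never mentions is appended. The function names, the use of awk and the sample used to exercise it are my assumptions; it only touches the file you pass it.

```shell
#!/bin/sh
# Added example (not part of the original post): apply the Step 1 sshd_config
# edits from a script instead of by hand, so they are repeatable and checkable.
# Assumes a POSIX sh with awk and sshd's "Keyword value" config syntax.

# set_sshd_directive FILE KEYWORD VALUE
# Replaces the first line that sets KEYWORD (commented out or not) with
# "KEYWORD VALUE", drops any later lines for the same keyword (sshd honours
# the first occurrence, so a stale duplicate would silently win), and appends
# the directive if the file never mentioned it. Lines inside "Match" blocks
# get no special treatment; keep such blocks in a separate file if you use them.
set_sshd_directive() {
    file="$1" key="$2" value="$3"
    tmp="$file.tmp.$$"
    awk -v k="$key" -v v="$value" '
        {
            line = $0
            sub(/^[# \t]+/, "", line)   # "#PermitRootLogin yes" -> "PermitRootLogin yes"
            split(line, f, " ")
            if (f[1] == k) {
                if (!done) { print k " " v; done = 1 }
                next                    # drop duplicates
            }
            print
        }
        END { if (!done) print k " " v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# sshd_directive FILE KEYWORD: print the effective (first, uncommented) value.
sshd_directive() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# harden_sshd_config FILE: the edits Step 1 makes with vi, plus a one-time backup.
harden_sshd_config() {
    file="$1"
    [ -f "$file.bak" ] || cp "$file" "$file.bak"
    set_sshd_directive "$file" Protocol 2
    set_sshd_directive "$file" PermitRootLogin no
    set_sshd_directive "$file" Port 22
    set_sshd_directive "$file" ListenAddress 0.0.0.0
}

# On the real server, as root, keep your current session open and run:
#   harden_sshd_config /etc/ssh/sshd_config && sshd -t && service sshd restart
# "sshd -t" checks the syntax; if it fails, restore from sshd_config.bak.
```

Run it against a copy of sshd_config first and diff the two; the awk replaces in place so the review costs nothing, and the .bak is only taken once so a second run cannot overwrite your original.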

Step 2: Install ChkRootKit (rootkit finder)

Create a directory to hold downloaded or compiled software, then install the tools we will need (most may already be present; vixie-cron is the CentOS 5 package name, on CentOS 6 the cron daemon is cronie and yum resolves the old name to it):

mkdir -p ~admin/software
cd ~admin/software
yum -y install gcc make wget vixie-cron perl

Download and install ChkRootKit (compare the tarball against the checksum the project publishes before building something that will run as root every night):

wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar zxfv chkrootkit.tar.gz
cd chkrootkit-*
make sense

Then add a cron entry to run the script automatically (still as root, since chkrootkit needs to read the whole system):

crontab -e

Tell it to run every day at 3am and email you the output. Add the following line (same vi keystrokes as above). Two things to know: -q makes chkrootkit print only what it finds, so on a clean day the message body is empty, and mail needs the mailx package plus a working local MTA. Also, the chkrootkit-* glob is expanded by the /bin/sh that cron runs the job under only if a matching directory exists; if it does not, the literal path is passed through and the job fails with "No such file or directory", so writing the real directory name (for example chkrootkit-0.49) is safer:

0 3 * * * /home/admin/software/chkrootkit-*/chkrootkit -q 2>&1 | mail -s "ChkRootKit Output from `hostname`" your@email.com

You could do that edit entirely on the command line by dumping the current crontab to a temporary file, appending the line and loading the file back (crontab -l exits non-zero and prints nothing when root has no crontab yet, which gives the empty file you want):

crontab -l > crontab_temp 2>/dev/null
echo "0 3 * * * /home/admin/software/chkrootkit-*/chkrootkit -q 2>&1 | mail -s \"ChkRootKit Output from \`hostname\`\" your@email.com" >> crontab_temp
crontab crontab_temp
rm -f crontab_temp

Step 3: Install Portsentry (check for people sniffing/scanning your ports and block them)

cd ~admin/software

32-bit version – use this if your OS is 32-bit – download and install the existing package, start it, and make it start at boot (the rc.local line needs the start argument; if the RPM's init script carries a chkconfig header, chkconfig --add portsentry does the same job more cleanly):

wget ftp://ftp.pbone.net/mirror/ftp.falsehope.net/home/tengel/centos/4/te/i386/RPMS/portsentry-1.2-1.te.i386.rpm
rpm -Uhv portsentry-1.2-1.te.i386.rpm
/etc/rc.d/init.d/portsentry start
echo "/etc/rc.d/init.d/portsentry start" >> /etc/rc.d/rc.local

64-bit version – use this if your OS is 64-bit – there is no package, so we compile the original program, but one source file needs a fix before it will build:

wget http://downloads.sourceforge.net/project/sentrytools/portsentry%201.x/portsentry-1.2/portsentry-1.2.tar.gz
tar zxfv portsentry-1.2.tar.gz
cd portsentry_beta
vi portsentry.c

Line 1584 of portsentry.c contains a string literal that is broken across two lines, which stops the build. Type :set number to show line numbers, go to line 1584 (1584G) and join it to the following line (J) so the string is whole again. Then build and install:

make linux
make install

Next we need an init script to control the service. Open a new file:

vi /etc/init.d/portsentry

Start insert mode and paste all of this into the file (watch for wrapped lines), then save and quit:

#!/bin/bash
# Init script for PortSentry built from source; the binary lives under
# /usr/local/psionic/portsentry. -atcp/-audp are its advanced stealth modes.
PS=/usr/local/psionic/portsentry/portsentry

# running MODE: succeed if a portsentry process with that mode flag is already up
running() {
    ps ax | grep -iw "$PS $1" | grep -iv 'grep' > /dev/null
}

case "$1" in
start)
    echo "Starting Portsentry..."
    running -atcp || $PS -atcp      # never start a second copy of either mode
    running -audp || $PS -audp
    echo "Portsentry is now up and running!"
    ;;
stop)
    echo "Shutting down Portsentry..."
    for pid in $(ps ax | grep -iw "$PS" | grep -iv 'grep' | awk '{print $1}'); do
        kill -9 "$pid"
    done
    echo "Portsentry stopped!"
    ;;
restart)
    $0 stop && sleep 3
    $0 start
    ;;
*)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
esac
exit 0

Then we need to make that script executable, add portsentry to the startup scripts and start it up:

chmod 755 /etc/init.d/portsentry
ln -s /etc/init.d/portsentry /etc/rc2.d/S20portsentry
ln -s /etc/init.d/portsentry /etc/rc3.d/S20portsentry
ln -s /etc/init.d/portsentry /etc/rc4.d/S20portsentry
ln -s /etc/init.d/portsentry /etc/rc5.d/S20portsentry
ln -s /etc/init.d/portsentry /etc/rc0.d/K20portsentry
ln -s /etc/init.d/portsentry /etc/rc1.d/K20portsentry
ln -s /etc/init.d/portsentry /etc/rc6.d/K20portsentry
/etc/init.d/portsentry start

Step 4: Install LibSafe (intercepts unsafe libc calls to block stack buffer overflows)

cd ~admin/software

Download for 32-bit:

wget http://pubs.research.avayalabs.com/src/libsafe-2.0-16.i386.rpm

Or for 64-bit:

wget ftp://ftp.pbone.net/mirror/archive.fedoraproject.org/fedora/linux/extras/3/x86_64/libsafe-2.0-16.fdr.1.rh80.x86_64.rpm

Then install:

rpm -Uhv libsafe-2.0-16*.rpm

A caveat: Libsafe works by preloading a library (via /etc/ld.so.preload) that wraps a fixed set of unsafe libc calls such as strcpy and sprintf and bounds them against the current stack frame. It sees nothing else, so overflows in code that copies bytes itself, heap overflows and statically linked binaries are not covered, and the 2.0-16 release is years old. CentOS already builds its packages with the stack protector and FORTIFY_SOURCE, which cover the same ground more thoroughly, so treat this step as optional.

Step 5: Install Hogwash (inline packet scrubber)

Download, install and configure Hogwash:

cd ~admin/software
wget http://hogwash.sourceforge.net/devel-0.5-latest.tgz
tar zxfv devel-0.5-latest.tgz
cd distro/devel-0.5/devel-0.5
./configure
make
cp hogwash /sbin
mkdir /var/log/hogwash
mkdir /etc/hogwash
cd rules
cp *.rules /etc/hogwash
cd ..
cp *.config /etc/hogwash
cp /etc/hogwash/stock.config /etc/hogwash/live.config

We need a control script for it too, and we can write it on the command line. It must honour start and stop: the K89 link that chkconfig creates runs the script with stop at shutdown, and a script that ignores its argument would launch hogwash instead. The two header lines must read exactly "# chkconfig:" and "# description:" (with the space) or chkconfig --add will not recognise the script. The start line also points at /etc/hogwash/live.rules, which the copies above do not create, so copy whichever of the .rules files you intend to run to that name first:

cat > Hog <<'EOF'
#!/bin/sh
# chkconfig: 2345 11 89
# description: Automates Hogwash packet filter
case "$1" in
    start) /sbin/hogwash -d -c /etc/hogwash/live.config -r /etc/hogwash/live.rules -l /var/log/hogwash ;;
    stop)  pkill -x hogwash ;;
    *)     echo "Usage: $0 {start|stop}"; exit 1 ;;
esac
EOF
chmod 700 Hog

Make sure it starts at boot time:

cp Hog /etc/rc.d/init.d
chkconfig --add Hog

Step 6: Install DenyHosts (blocks brute force login attempts)

cd ~admin/software

Install the RPMForge repo (the packages below are the el5 builds for CentOS 5; on CentOS 6 use the matching el6 release package) – for 32-bit:

wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.1-1.el5.rf.i386.rpm

Or for 64-bit:

wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.1-1.el5.rf.x86_64.rpm

Install the repo, then DenyHosts, and make sure your own address is never blocked (substitute your IP address below). TCP wrappers consult hosts.allow before hosts.deny, so the sshd: line keeps you in even if DenyHosts later writes your address to hosts.deny; to stop it being recorded at all, also list the address in the allowed-hosts file in DenyHosts' WORK_DIR. The perl one-liner sets PURGE_DENY so blocked entries expire after a week instead of accumulating forever:

rpm -i rpmforge-release-0.5.1-1.el5.rf.*.rpm
yum check-update
yum -y install denyhosts
echo "sshd: 11.22.33.44" >> /etc/hosts.allow
perl -pi -e 's/^PURGE_DENY\s*=.*/PURGE_DENY = 7d/;' /etc/denyhosts/denyhosts.cfg
chkconfig denyhosts on
service denyhosts start

Step 7: Install RootKit Hunter (yes, another one)

Install RkHunter, tell it where to send warnings, initialise its file-properties database once with rkhunter --propupd (otherwise the first scheduled run flags every binary as changed), then set up the cron jobs the same way as above: a daily check that emails only when there are warnings, and a monthly data-file update. If your rkhunter.conf writes the MAIL-ON-WARNING line differently from what the perl substitution expects, set it by hand and check the result with grep:

yum -y install rkhunter
cd ~admin/software
perl -pi -e "s/MAIL-ON-WARNING=\"\"/MAIL-ON-WARNING=\"your\@email.com\"/g;" /etc/rkhunter.conf
crontab -l > crontab_temp 2>/dev/null
echo "0 4 * * * /usr/bin/rkhunter --cronjob 2>&1" >> crontab_temp
echo "@monthly /usr/bin/rkhunter --update" >> crontab_temp
crontab crontab_temp
rm -f crontab_temp
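For Steps 2 and 7 together, here is the crontab_temp edit as an added script (not code from the original post). It resolves the chkrootkit directory up front instead of leaving a glob for cron to expand at 3am, and only appends a job line that is not already present, so running the setup twice never schedules anything twice. The function names, the default /home/admin/software location and the 0.49 version directory used in the dry run are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original post): the crontab_temp edit from
# Steps 2 and 7 done idempotently, with the chkrootkit path resolved now rather
# than left as a glob for cron's /bin/sh to expand at 3am. Assumes POSIX sh.
# Only install_cron_jobs calls crontab; the helpers work on plain files.

# resolve_chkrootkit [SOFTWARE_DIR]: print the absolute path of the built
# chkrootkit script (default location is the guide's /home/admin/software).
# Fails if the glob matches nothing (the unexpanded "chkrootkit-*" is exactly
# what produces "No such file or directory" from cron) or more than one tree.
resolve_chkrootkit() {
    dir="${1:-/home/admin/software}"
    set -- "$dir"/chkrootkit-*/chkrootkit
    if [ "$#" -ne 1 ]; then
        echo "resolve_chkrootkit: $# chkrootkit-* trees under $dir, expected one" >&2
        return 1
    fi
    if [ ! -x "$1" ]; then
        echo "resolve_chkrootkit: $1 is missing or not executable" >&2
        return 1
    fi
    printf '%s\n' "$1"
}

# merge_cron_line CRONTAB_FILE LINE: append LINE unless that exact line is
# already present, so re-running the setup never schedules a job twice.
merge_cron_line() {
    file="$1" line="$2"
    grep -Fqx -- "$line" "$file" 2>/dev/null && return 0
    printf '%s\n' "$line" >> "$file"
}

# install_cron_jobs RECIPIENT [SOFTWARE_DIR]: reload root's crontab as the
# current one plus the guide's three jobs. Run as root.
install_cron_jobs() {
    recipient="$1"
    chk="$(resolve_chkrootkit "${2:-/home/admin/software}")" || return 1
    tmp="$(mktemp)"
    crontab -l > "$tmp" 2>/dev/null || true   # "no crontab for root" is fine
    merge_cron_line "$tmp" "0 3 * * * $chk -q 2>&1 | mail -s \"ChkRootKit Output from \$(hostname)\" $recipient"
    merge_cron_line "$tmp" "0 4 * * * /usr/bin/rkhunter --cronjob 2>&1"
    merge_cron_line "$tmp" "@monthly /usr/bin/rkhunter --update"
    crontab "$tmp" && rm -f "$tmp"
}

# Usage on the server, as root:  install_cron_jobs your@email.com
```

Because resolve_chkrootkit fails loudly at install time, a missing or duplicated chkrootkit tree shows up while you are still at the keyboard rather than as a nightly error mail.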

Update

There are a couple of other things I always do when setting up a server.

• Disable the weak ciphers in the SSH server. The command below takes the cipher list sshd -T reports, strips the CBC, arcfour, 3DES, Blowfish and CAST entries and appends the result as a new directive. Two caveats: sshd honours the first Ciphers line it finds, so this only does something if sshd_config does not already set one (and running it twice leaves a second, ignored copy), and the sed can leave a trailing comma when the last cipher in the list is removed. Check the appended line and run sshd -t before restarting; if you would rather not depend on the defaults, an explicit allowlist such as Ciphers aes256-ctr,aes192-ctr,aes128-ctr does the same job:
sshd -T | grep ciphers | sed -e "s/\(3des-cbc\|aes128-cbc\|aes192-cbc\|aes256-cbc\|arcfour\|arcfour128\|arcfour256\|blowfish-cbc\|cast128-cbc\|rijndael-cbc@lysator.liu.se\)\,\?//g" >> /etc/ssh/sshd_config
service sshd restart

• Disable Apache mod_status: comment out its LoadModule line (in httpd.conf on CentOS 6, in /etc/httpd/conf.modules.d/00-base.conf on CentOS 7) and remove any <Location /server-status> block, so the server's live request list cannot be read remotely.
• Turn off the TRACE method in Apache (TraceEnable covers TRACE; TRACK is an IIS method that Apache does not implement). Run httpd -t before reloading to catch a typo:
echo "TraceEnable Off" >> /etc/httpd/conf/httpd.conf
service httpd reload

• If Webmin is installed tweak the SSL Options and only allow the following ciphers: ALL:!ADH:!LOW:!MEDIUM:!SSLv2:!EXP:+HIGH
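The cipher-list step in the first bullet above, as an added example that is not part of the original post: instead of a blind sed over the sshd -T line, a small filter that drops the weak ciphers by pattern, never emits an empty element or trailing comma, refuses to produce an empty list, and a check that sshd_config does not already set Ciphers (sshd uses the first occurrence). It assumes POSIX sh and awk; the sample line is constructed to resemble OpenSSH 5.3's defaults, not captured from a host.

```shell
#!/bin/sh
# Added example (not part of the original post): build the Ciphers directive
# from "sshd -T" output with an explicit filter instead of a blind sed.
# Assumes POSIX sh and awk. Nothing here touches /etc/ssh on its own.

# filter_ciphers: read "sshd -T" output on stdin, find its "ciphers" line,
# drop CBC modes, arcfour, 3des, blowfish, cast128 and the rijndael alias,
# and print one clean "Ciphers a,b,c" line with no empty element or trailing
# comma. Exits non-zero if no ciphers line is seen or nothing survives, so a
# caller chaining it with >> cannot append an empty directive and lock itself out.
filter_ciphers() {
    awk '
        tolower($1) == "ciphers" {
            n = split($2, c, ",")
            out = ""
            for (i = 1; i <= n; i++) {
                if (c[i] == "") continue                     # stray empty element
                if (c[i] ~ /(-cbc$|^arcfour|^3des|^blowfish|^cast128|^rijndael)/) continue
                out = out (out == "" ? "" : ",") c[i]
            }
            if (out == "") {
                print "filter_ciphers: every cipher was filtered out" > "/dev/stderr"
                exit 1
            }
            print "Ciphers " out
            found = 1
            exit 0
        }
        END { if (!found) exit 1 }
    '
}

# ciphers_directive_present FILE: true if FILE already sets Ciphers. sshd
# uses the first occurrence, so appending a second line would be ignored.
ciphers_directive_present() {
    awk 'tolower($1) == "ciphers" { found = 1 } END { exit !found }' "$1"
}

# Constructed sample resembling "sshd -T | grep -i ciphers" on CentOS 6
# (OpenSSH 5.3); not captured from a real host.
SAMPLE_SSHD_T='ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se'

# Dry run on the sample; prints "Ciphers aes128-ctr,aes192-ctr,aes256-ctr".
printf '%s\n' "$SAMPLE_SSHD_T" | filter_ciphers

# On the real server, as root:
#   ciphers_directive_present /etc/ssh/sshd_config \
#     || { sshd -T | filter_ciphers >> /etc/ssh/sshd_config && sshd -t && service sshd restart; }
```

The deny pattern is deliberately the same set the sed in the bullet removes; if you extend it, keep the empty-list check, since an empty Ciphers directive is rejected by sshd -t and a wrong but non-empty one is what locks you out.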


2 Responses to Secure new CentOS install

  1. Ian says:

    Hi, I have followed your install guide for chkrootkit and I've been emailed this error

    /bin/sh: /home/admin/software/chkrootkit-*/chkrootkit: No such file or directory

    Any ideas what's gone wrong?

    Thanks, I'm running CentOS 6.3 64-bit

    • cheesefather says:

      I’ve used it on the same OS and it’s been fine. If your folder definitely does exist in that location, then try changing the asterisk to the actual name of the folder, e.g. /home/admin/software/chkrootkit-0.49/chkrootkit or whatever version you have.
