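#!/bin/sh
set -veu
# Script to harden a fresh CentOS 4 or 5 base server install, which installs
# any updated packages plus a few useful extras, removes unnecessary
# services and setuid bits, and does a little performance tuning.  Running
# it more than once shouldn't hurt anything: each step is either idempotent
# or guarded by a sentinel check.
#
# Must be run as root.  Everything up to the "set +e" below aborts the script
# on the first failure (the -v trace shows where); the service shutdown loop
# at the end tolerates services that simply aren't installed.
#
# Caveats worth reading before running:
#   - sudo is removed, so administration becomes root-only.
#   - a later "yum upgrade" reinstalls the packaged file modes, so the
#     setuid/setgid cleanup needs re-running afterwards ("rpm -Va" will report
#     the stripped modes as changed).
#   - the bogon blackholes include all RFC 1918 space; drop those lines if
#     this host or anything it must talk to uses private addresses.
#

PATH=/bin:/usr/bin:/sbin:/usr/sbin

# Refuse to run as anybody but root: every step below writes system files and
# failing here is clearer than dying part way through "yum install".
if [ "$(id -u)" -ne 0 ]; then
	echo "$0: must be run as root" >&2
	exit 1
fi

# Installing useful packages.
# Trade-off to be aware of: gcc/make/gdb/strace/ltrace are handy for admins
# but also hand an intruder a compiler and tracers; leave them out on hosts
# that never build or debug locally.  mysql-server is installed but nothing
# here configures or secures it - do that before it is reachable.
yum -y install joe tcpdump mtr postfix make gcc cproto bison strace ltrace \
	zsh ntp mysql mysql-server lm_sensors gdb perl

# Removing unnecessary daemons and setuid binaries.  This list includes sudo
# (root-only administration from here on), the r-services and talk, at, and
# the NIS (ypbind/yp-tools) and Kerberos (krb5-workstation) client tools.
yum -y remove squid krb5-workstation cups at rsh sudo isdn4k-utils sendmail \
	slocate apmd irda-utils mt-st gpm samba-common sendmail-cf talk \
	up2date ypbind yp-tools wvdial lockdev procmail xorg-x11-font-utils \
	pam_ccreds gdm bluez-utils

# Upgrading to latest packages.  Done before the permission cleanup so the
# bits stripped below aren't immediately restored by an upgraded RPM.
yum -y upgrade

# Removing unnecessary setuid bits.
# Only / and /usr are walked (-xdev); /usr is named separately in case it is
# its own filesystem and is merely walked twice when it isn't.  Other mounts
# are covered by the nosuid fstab option set further down.  Paths stay
# NUL-delimited through the whole pipeline so an unusual file name cannot
# split into extra chmod arguments, and the allow-list is a plain ERE, so
# grep -P (PCRE) isn't required.  Everything not allow-listed loses both
# bits (ug-s); on a stock install that is likely to include tools such as
# mount/umount, so review the find output against local needs before
# trusting the list.  ("-perm +04000" is the old GNU find spelling that
# CentOS 4/5 understand; current findutils want "-perm /04000".)
find / /usr -xdev -type f -perm +04000 -print0 | \
	grep -zvE '^(/bin/(su|ping|traceroute)|/usr/bin/(passwd|chsh|crontab)|/usr/libexec/openssh/ssh-keysign)$' | \
	xargs -0 -r chmod ug-s

# Removing unnecessary setgid bits, same approach; only utempter, the postfix
# submission helpers and ssh-agent keep theirs.
find / /usr -xdev -type f -perm +02000 -print0 | \
	grep -zvE '^(/usr/sbin/(utempter|postdrop|postqueue)|/usr/bin/ssh-agent)$' | \
	xargs -0 -r chmod g-s

# Setting nosuid,nodev on user partitions, noatime on ext2 and ext3.
# The perl below is kept verbatim.  It is idempotent (the lookaheads refuse
# to re-add an option that is already present) and, per fstab line:
#   1. ext2/ext3 entries whose options are exactly "defaults" get ",noatime";
#   2. the / , /usr and /bin mount points are skipped for nosuid/nodev;
#   3. any other ext2/ext3, tmpfs or auto entry with "defaults" or
#      "defaults,noatime" gets ",nosuid,nodev" appended.
# Entries with a custom option string are NOT touched, so inspect /etc/fstab
# afterwards (the original is saved as /etc/fstab~).  This complements the
# setuid sweep above, which only walks / and /usr.
perl -i~ -p -e 's/(\sext[23]\s+)(defaults)(?=\s)/$1$2,noatime/;next if m#\s/(?:usr|bin)?\s#;next unless m#\s(ext[23]|tmpfs|auto)\s#;s/(?<=\s)(defaults(?:,noatime)?)(?=\s)/$1,nosuid,nodev/' /etc/fstab

# Adding blackhole routes for bogons.  The file is only written when absent
# and is meant to be picked up by the network scripts when lo comes up, i.e.
# at the reboot at the end - nothing is added to the live routing table here.
# 10/8, 172.16/12 and 192.168/16 are RFC 1918: remove those lines if this
# host or its peers use private addresses (a directly connected subnet still
# wins on prefix length, anything beyond it would be dropped).
[ -f /etc/sysconfig/network-scripts/route-lo ] || cat <<'EOF' > /etc/sysconfig/network-scripts/route-lo
blackhole 0.0.0.0/8
blackhole 10.0.0.0/8
blackhole 169.254.0.0/16
blackhole 172.16.0.0/12
blackhole 192.168.0.0/16
blackhole 198.18.0.0/15
EOF

# Add useful settings to /etc/sysctl.conf.  "kernel.panic" is the sentinel:
# the block is appended once, so keys added to it later will not reach hosts
# that already carry it - edit their sysctl.conf by hand.
grep -q kernel.panic /etc/sysctl.conf || cat <<'EOF' >> /etc/sysctl.conf

# Reboot a minute after an Oops
kernel.panic = 60

# Syncookies make SYN flood attacks ineffective
net.ipv4.tcp_syncookies = 1

# Ignore bad ICMP
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

# A server neither needs ICMP redirects nor source-routed packets; both let
# a neighbour steer traffic, so ignore them (and don't emit redirects)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Reply to ARPs only from correct interface (required for DSR load-balancers)
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.all.arp_ignore = 1
EOF
sysctl -p

# Allow any following commands to fail without stopping: the services below
# may not all be installed, and chkconfig/service complain about unknown ones.
set +e

# Shutting down unwanted services (NFS/RPC, mDNS, smart-card and bluetooth
# daemons) and keeping them off across reboots.
for d in rpcidmapd rpcgssd nfslock netfs portmap avahi-daemon avahi-dnsconfd pcscd bluetooth; do
    chkconfig "$d" off
    service "$d" stop
done

# COMPLETED!  Reboot to switch to new kernel (and to activate route-lo).
echo "Hardening complete - reboot to switch to the new kernel."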
