====== CentOS ======

===== Harden CentOS distro =====

Script to harden a fresh CentOS 4 or 5 base server install. It installs any updated packages plus a few useful extras, removes unnecessary services and setuid bits, and does a little performance tuning. Running it more than once shouldn't hurt anything. Alternatively, you can simply download **{{linux:harden-centos.sh|this file}}** and run it :)

Also see this great site: http://securecentos.com/ | **http://wiki.centos.org/HowTos/OS_Protection**

=== Installing useful packages ===

<code bash>
yum -y install joe tcpdump mtr postfix make gcc cproto bison strace ltrace \
  zsh ntp mysql mysql-server lm_sensors gdb perl
</code>

=== Removing unnecessary daemons and setuid binaries ===

<code bash>
yum -y remove squid krb5-workstation cups at rsh sudo isdn4k-utils sendmail \
  slocate apmd irda-utils mt-st gpm samba-common sendmail-cf talk \
  up2date ypbind yp-tools wvdial lockdev procmail xorg-x11-font-utils \
  pam_ccreds gdm bluez-utils
</code>

=== Upgrading to latest packages ===

<code bash>
yum -y upgrade
</code>

=== Removing unnecessary setuid bits ===

Everything setuid on the root and /usr filesystems loses the bit, except the short allowlist in the grep pattern.

<code bash>
find / /usr -xdev -type f -perm +04000 | \
  grep -vP '^(/bin/(su|ping|traceroute)|/usr/bin/(passwd|chsh|crontab)|/usr/libexec/openssh/ssh-keysign)$' | \
  xargs -r chmod ug-s
</code>

=== Removing unnecessary setgid bits ===

<code bash>
find / /usr -xdev -type f -perm +02000 | \
  grep -vP '^(/usr/sbin/(utempter|postdrop|postqueue)|/usr/bin/ssh-agent)$' | \
  xargs -r chmod g-s
</code>

=== Setting nosuid,nodev on user partitions, noatime on ext2 and ext3 ===

The one-liner edits /etc/fstab in place (keeping a backup as /etc/fstab~): ext2/ext3 entries get noatime; every ext2/ext3, tmpfs or auto entry other than /, /usr and /bin additionally gets nosuid,nodev.

<code bash>
perl -i~ -p -e 's/(\sext[23]\s+)(defaults)(?=\s)/$1$2,noatime/;next if m#\s/(?:usr|bin)?\s#;next unless m#\s(ext[23]|tmpfs|auto)\s#;s/(?<=\s)(defaults(?:,noatime)?)(?=\s)/$1,nosuid,nodev/' /etc/fstab
</code>

=== Adding blackhole routes for bogons ===

The route file is only written if it does not already exist, so re-running the script does not duplicate it.

<code bash>
[ -f /etc/sysconfig/network-scripts/route-lo ] || cat <<EOF > /etc/sysconfig/network-scripts/route-lo
blackhole 0.0.0.0/8
blackhole 10.0.0.0/8
blackhole 169.254.0.0/16
blackhole 172.16.0.0/12
blackhole 192.168.0.0/16
blackhole 198.18.0.0/15
EOF
</code>

=== Add useful settings to /etc/sysctl.conf ===

The settings are appended only if kernel.panic is not already present, then loaded immediately with sysctl -p.

<code bash>
grep -q kernel.panic /etc/sysctl.conf || cat <<EOF >> /etc/sysctl.conf
# Reboot a minute after an Oops
kernel.panic = 60
# Syncookies make SYN flood attacks ineffective
net.ipv4.tcp_syncookies = 1
# Ignore bad ICMP
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Reply to ARPs only from correct interface (required for DSR load-balancers)
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.all.arp_ignore = 1
EOF
sysctl -p
</code>

=== Shutting down unwanted services ===

<code bash>
for d in rpcidmapd rpcgssd nfslock netfs portmap avahi-daemon avahi-dnsconfd pcscd bluetooth; do
  chkconfig $d off
  service $d stop
done
</code>

**COMPLETED! Reboot to switch to new kernel.**
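As an added example, not part of the original script, here is an audit check for the fstab policy that the perl one-liner above applies: it reads an fstab on stdin and reports every entry that still lacks the expected noatime, nosuid or nodev options, which is a convenient way to confirm the edit took effect or to spot partitions added later. The sample fstab it runs against is constructed for the demonstration and does not come from any real host.

```shell
#!/bin/sh
# audit_fstab: read fstab lines on stdin, print one line per non-compliant entry as
#   <mountpoint> missing:<option[,option]>
# Policy mirrors the hardening one-liner above:
#   - ext2/ext3 entries should carry noatime
#   - ext2/ext3, tmpfs and auto entries other than /, /usr and /bin should carry nosuid,nodev
audit_fstab() {
    awk '
    /^[ \t]*#/ { next }                 # comment line
    NF == 0    { next }                 # blank line
    {
        mnt = $2; fstype = $3; opts = "," $4 ","   # wrap opts so /,x,/ matches whole words
        missing = ""
        if (fstype ~ /^ext[23]$/ && opts !~ /,noatime,/)
            missing = "noatime"
        if (mnt != "/" && mnt != "/usr" && mnt != "/bin" && fstype ~ /^(ext[23]|tmpfs|auto)$/) {
            if (opts !~ /,nosuid,/) missing = missing (missing ? "," : "") "nosuid"
            if (opts !~ /,nodev,/)  missing = missing (missing ? "," : "") "nodev"
        }
        if (missing != "") print mnt " missing:" missing
    }'
}

# Constructed sample fstab for the demonstration (not taken from a real system).
SAMPLE_FSTAB='LABEL=/      /         ext3   defaults,noatime              1 1
LABEL=/home  /home     ext3   defaults,noatime,nosuid,nodev 1 2
LABEL=/var   /var      ext3   defaults                      1 2
tmpfs        /dev/shm  tmpfs  defaults                      0 0
/dev/cdrom   /media    auto   noauto,owner,ro               0 0
devpts       /dev/pts  devpts gid=5,mode=620                0 0
LABEL=SWAP   swap      swap   defaults                      0 0'

# Run the check against the sample; on a real host use: audit_fstab < /etc/fstab
audit_sample() {
    printf '%s\n' "$SAMPLE_FSTAB" | audit_fstab
}

audit_sample
```

An empty result means every entry already matches the policy; /, /usr and /bin are deliberately exempt from the nosuid,nodev check, exactly as in the one-liner.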