- +
-===== Harden CentOS distro ===== +
-Script to harden a fresh CentOS 4 or 5 base server install, which installs any updated packages plus a few useful extras, removes unnecessary services and setuid bits, and does little performance tuning.  Running  it more than once shouldn't hurt anything. +
- +
-or you can simply download **{{linux:harden-centos.sh|this file}}** and run it :) \\ +
-\\ +
-also see this great site: http://securecentos.com/ +
- +
-=== Installing useful packages === +
- +
-   yum -y install joe tcpdump mtr postfix make gcc cproto bison strace ltrace \ +
-           zsh ntp mysql mysql-server lm_sensors gdb perl +
- +
-=== Removing unnecessary daemons and setuid binaries === +
- +
-   yum -y remove squid krb5-workstation cups at rsh sudo isdn4k-utils sendmail \ +
-          slocate apmd irda-utils mt-st gpm samba-common sendmail-cf talk \ +
-          up2date ypbind yp-tools wvdial lockdev procmail xorg-x11-font-utils \ +
-          pam_ccreds gdm bluez-utils +
- +
-=== Upgrading to latest packages === +
- +
-   yum -y upgrade +
- +
-=== Removing unnecessary setuid bits === +
- +
-   find / /usr -xdev -type f -perm +04000 | \ +
-           grep -vP '^(/bin/(su|ping|traceroute)|/usr/bin/(passwd|chsh|crontab)|/usr/libexec/openssh/ssh-keysign)$' | \ +
-           xargs -r chmod ug-s  +
- +
-=== Removing unnecessary setgid bits === +
- +
-   find / /usr -xdev -type f -perm +02000 | \ +
-           grep -vP '^(/usr/sbin/(utempter|postdrop|postqueue)|/usr/bin/ssh-agent)$' | \ +
-           xargs -r chmod g-s +
- +
-=== Setting nosuid,nodev on user partitionsnoatime on ext2 and ext3 === +
- +
-   perl -i~ -p -e 's/(\sext[23]\s+)(defaults)(?=\s)/$1$2,noatime/;next if m#\s/(?:usr|bin)?\s#;next unless  m#\s(ext[23]|tmpfs|auto)\s#;s/(?<=\s)(defaults(?:,noatime)?)(?=\s)/$1,nosuid,nodev/' /etc/fstab +
- +
-=== Adding blackhole routes for bogons === +
- +
-   [ -f /etc/sysconfig/network-scripts/route-lo ] || cat <<EOF > /etc/sysconfig/network-scripts/route-lo +
-   blackhole +
-   blackhole
-   blackhole +
-   blackhole +
-   blackhole +
-   blackhole +
-   EOF +
- +
-=== Add useful settings to /etc/sysctl.conf === +
- +
-   grep -q kernel.panic /etc/sysctl.conf || cat<<EOF >> /etc/sysctl.conf +
-    +
-   # Reboot minute after an Oops +
-   kernel.panic = 60 +
-   # Syncookies make SYN flood attacks ineffective +
-   net.ipv4.tcp_syncookies = 1 +
-   # Ignore bad ICMP +
-   net.ipv4.icmp_echo_ignore_broadcasts = 1 +
-   net.ipv4.icmp_ignore_bogus_error_responses = 1 +
-   # Reply to ARPs only from correct interface (required for DSR load-balancers) +
-   net.ipv4.conf.all.arp_announce = 2 +
-   net.ipv4.conf.all.arp_ignore = 1 +
-   EOF +
-   sysctl -p +
- +
-=== Shutting down unwanted services === +
- +
-   for d in rpcidmapd rpcgssd nfslock netfs portmap avahi-daemon avahi-dnsconfd pcscd bluetooth; do +
-       chkconfig $d off +
-       service $d stop +
-   done +
- +
-**COMPLETED!  Reboot to switch to new kernel.** +
- +
- +
- +
