Differences
This shows you the differences between two versions of the page.
linux:centos [2009/07/23 15:16] 193.164.137.40 |
linux:centos [2012/10/12 05:41] 94.23.1.28 XDsgycwu |
||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== CentOS | + | Most of the racist Ive enetrnocued voted for Obama because he was black. |
- | + | ||
- | ===== Harden CentOS distro ===== | + | |
- | Script to harden a fresh CentOS 4 or 5 base server install, which installs any updated packages plus a few useful extras, removes unnecessary services and setuid bits, and does a little performance tuning. | + | |
- | + | ||
- | or you can simply download **{{linux: | + | |
- | \\ | + | |
- | also see this great site: http:// | + | |
- | + | ||
- | === Installing useful packages === | + | |
- | + | ||
- | | + | |
- | zsh ntp mysql mysql-server lm_sensors gdb perl | + | |
- | + | ||
- | === Removing unnecessary daemons and setuid binaries === | + | |
- | + | ||
- | yum -y remove squid krb5-workstation cups at rsh sudo isdn4k-utils sendmail \ | + | |
- | slocate apmd irda-utils mt-st gpm samba-common sendmail-cf talk \ | + | |
- | up2date ypbind yp-tools wvdial lockdev procmail xorg-x11-font-utils \ | + | |
- | pam_ccreds gdm bluez-utils | + | |
- | + | ||
- | === Upgrading | + | |
- | + | ||
- | yum -y upgrade | + | |
- | + | ||
- | === Removing unnecessary setuid bits === | + | |
- | + | ||
- | find / /usr -xdev -type f -perm +04000 | \ | + | |
- | grep -vP ' | + | |
- | xargs -r chmod ug-s | + | |
- | + | ||
- | === Removing unnecessary setgid bits === | + | |
- | + | ||
- | find / /usr -xdev -type f -perm +02000 | \ | + | |
- | grep -vP ' | + | |
- | xargs -r chmod g-s | + | |
- | + | ||
- | === Setting nosuid,nodev on user partitions, noatime on ext2 and ext3 === | + | |
- | + | ||
- | perl -i~ -p -e ' | + | |
- | + | ||
- | === Adding blackhole routes for bogons === | + | |
- | + | ||
- | [ -f / | + | |
- | | + | |
- | | + | |
- | | + | |
- | | + | |
- | | + | |
- | | + | |
- | EOF | + | |
- | + | ||
- | === Add useful settings | + | |
- | + | ||
- | grep -q kernel.panic / | + | |
- | + | ||
- | # Reboot | + | |
- | | + | |
- | # Syncookies make SYN flood attacks ineffective | + | |
- | net.ipv4.tcp_syncookies = 1 | + | |
- | # Ignore bad ICMP | + | |
- | net.ipv4.icmp_echo_ignore_broadcasts = 1 | + | |
- | net.ipv4.icmp_ignore_bogus_error_responses = 1 | + | |
- | # Reply to ARPs only from correct interface (required for DSR load-balancers) | + | |
- | net.ipv4.conf.all.arp_announce = 2 | + | |
- | | + | |
- | EOF | + | |
- | | + | |
- | + | ||
- | === Shutting down unwanted services === | + | |
- | + | ||
- | for d in rpcidmapd rpcgssd nfslock netfs portmap avahi-daemon avahi-dnsconfd pcscd bluetooth; do | + | |
- | | + | |
- | | + | |
- | | + | |
- | + | ||
- | **COMPLETED! | + | |
- | + | ||
- | + | ||
- | + |
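Review bot: the only added line (new Line 1) is one off-topic sentence with no relation to CentOS, and it replaces the entire page. Every removed row, from the "Harden CentOS distro" heading through the package removal, setuid/setgid cleanup, mount options, bogon routes, sysctl settings and "Shutting down unwanted services" sections, is deleted with nothing equivalent added. The edit summary on the 2012/10/12 05:41 revision from 94.23.1.28 is the string "XDsgycwu", which explains nothing about the change. This should be reverted to the 2009/07/23 15:16 revision rather than merged.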