Differences

This shows you the differences between two versions of the page.

--- linux:centos [2012/10/12 05:41]
94.23.1.28 XDsgycwu
+++ linux:centos [2012/10/15 11:57] (current)
zagi old revision restored
@@ Line 1: / Line 1: @@
-Most of the racist Ive enetrnocued voted for Obama because he was black.  They didnt even grasp that the man hasnt ever ran a business.  The entire time he was in government he was campaigning.   Ive yet to hear one person say they wouldnt vote for a black man.  Like myself, they didnt trust his smooth rederick he was reading off a teleprompter.  Where was his family, other than his wife and 2 kids.   Most candidates Ive been exposed to have a lot of family around and people who have worked with them over the years and know their record. Where were the good people of his community that really knew him.  Where was his resume.  He graduated from Harvard.  Is that supposed to impress us.George W. graduated from Harvard.  Did that impress you on the left about G.W.?
+====== CentOS  ======
+===== Harden CentOS distro =====
+Script to harden a fresh CentOS 4 or 5 base server install, which installs any updated packages plus a few useful extras, removes unnecessary services and setuid bits, and does a little performance tuning.  Running  it more than once shouldn't hurt anything.
+or you can simply download **{{linux:harden-centos.sh|this file}}** and run it :) \\
+\\
+also see this great site: http://securecentos.com/ | **http://wiki.centos.org/HowTos/OS_Protection**
+=== Installing useful packages ===
+   yum -y install joe tcpdump mtr postfix make gcc cproto bison strace ltrace \
+           zsh ntp mysql mysql-server lm_sensors gdb perl
+=== Removing unnecessary daemons and setuid binaries ===
+   yum -y remove squid krb5-workstation cups at rsh sudo isdn4k-utils sendmail \
+          slocate apmd irda-utils mt-st gpm samba-common sendmail-cf talk \
+          up2date ypbind yp-tools wvdial lockdev procmail xorg-x11-font-utils \
+          pam_ccreds gdm bluez-utils
+=== Upgrading to latest packages ===
+   yum -y upgrade
+=== Removing unnecessary setuid bits ===
+   find / /usr -xdev -type f -perm +04000 | \
+           grep -vP '^(/bin/(su|ping|traceroute)|/usr/bin/(passwd|chsh|crontab)|/usr/libexec/openssh/ssh-keysign)$' | \
+           xargs -r chmod ug-s
+=== Removing unnecessary setgid bits ===
+   find / /usr -xdev -type f -perm +02000 | \
+           grep -vP '^(/usr/sbin/(utempter|postdrop|postqueue)|/usr/bin/ssh-agent)$' | \
+           xargs -r chmod g-s
+=== Setting nosuid,nodev on user partitions, noatime on ext2 and ext3 ===
+   perl -i~ -p -e 's/(\sext[23]\s+)(defaults)(?=\s)/$1$2,noatime/;next if m#\s/(?:usr|bin)?\s#;next unless  m#\s(ext[23]|tmpfs|auto)\s#;s/(?<=\s)(defaults(?:,noatime)?)(?=\s)/$1,nosuid,nodev/' /etc/fstab
+=== Adding blackhole routes for bogons ===
+   [ -f /etc/sysconfig/network-scripts/route-lo ] || cat <<EOF > /etc/sysconfig/network-scripts/route-lo
+   blackhole 0.0.0.0/8
+   blackhole 10.0.0.0/8
+   blackhole 169.254.0.0/16
+   blackhole 172.16.0.0/12
+   blackhole 192.168.0.0/16
+   blackhole 198.18.0.0/15
+   EOF
+=== Add useful settings to /etc/sysctl.conf ===
+   grep -q kernel.panic /etc/sysctl.conf || cat<<EOF >> /etc/sysctl.conf
+   # Reboot a minute after an Oops
+   kernel.panic = 60
+   # Syncookies make SYN flood attacks ineffective
+   net.ipv4.tcp_syncookies = 1
+   # Ignore bad ICMP
+   net.ipv4.icmp_echo_ignore_broadcasts = 1
+   net.ipv4.icmp_ignore_bogus_error_responses = 1
+   # Reply to ARPs only from correct interface (required for DSR load-balancers)
+   net.ipv4.conf.all.arp_announce = 2
+   net.ipv4.conf.all.arp_ignore = 1
+   EOF
+   sysctl -p
+=== Shutting down unwanted services ===
+   for d in rpcidmapd rpcgssd nfslock netfs portmap avahi-daemon avahi-dnsconfd pcscd bluetooth; do
+       chkconfig $d off
+       service $d stop
+   done
+**COMPLETED!  Reboot to switch to new kernel.**