LinuxQuestions.org
Old 05-06-2011, 09:33 AM   #1
MartinPrestovic
LQ Newbie
 
Registered: Nov 2010
Posts: 12

Rep: Reputation: 0
CentOS Hardening - Removing Packages


Hi,

I am following the CentOS Hardening guide over here, specifically the section on Package Installs.

When I first started with removing packages there were 370 (this is a brand new server, not currently used for anything). I have now trimmed this down to 258 packages by researching via Google and looking up the package descriptions on rpmfind.net as well as removing packages I know that I don't want such as sendmail.

So far I have removed the following:

Code:
yum remove aspell aspell-en atk authconfig autofs bitstream-vera-fonts bluez-gnome bluez-libs bluez-utils \
 cairo ccid coolkey cpuspeed crash cups-libs desktop-file-utils dhcpv6-client dnsmasq dos2unix dosfstools \
 ecryptfs-utils ed eject fbset finger firstboot-tui fontconfig freetype GConf2 gpm gtk2 hicolor-icon-theme \
 htmlview ifd-egate iptables-ipv6 irda-utils irqbalance jwhois krb5-workstation ksh libICE libjpeg libnotify \
 libpng libSM libtiff libwnck libX11 libXau libXcursor libXdmcp libXext libXfixes libXft libXi libXinerama \
 libXrandr libXrender libXres logwatch mailcap man man-pages mdadm microcode_ctl mkbootdisk mtools nano \
 NetworkManager NetworkManager-glib newt notification-daemon ntsysv numactl ORBit2 pam_ccreds pam_krb5 \
 pam_pkcs11 pam_smb pango pcmciautils pcsc-lite pcsc-lite-libs pinfo procmail rdate redhat-lsb redhat-menus \
 rhpl rp-pppoe rsh sendmail setuptool slang sos specspo startup-notification syslinux system-config-network-tui \
 system-config-securitylevel-tui tcpdump trousers unix2dos vconfig vim-enhanced wireless-tools words \
 wpa_supplicant xorg-x11-filesystem ypbind yp-tools yum-updatesd
I am now left with these packages.

Code:
MAKEDEV.i386                             3.23-1.2                      installed
SysVinit.i386                            2.86-15.el5                   installed
acl.i386                                 2.2.39-6.el5                  installed
acpid.i386                               1.0.4-9.el5_4.2               installed
amtu.i386                                1.0.6-2.el5                   installed
anacron.i386                             2.3-45.el5.centos             installed
apmd.i386                                1:3.2.2-5                     installed
at.i386                                  3.1.8-84.el5                  installed
attr.i386                                2.4.32-1.1                    installed
audit.i386                               1.7.18-2.el5                  installed
audit-libs.i386                          1.7.18-2.el5                  installed
audit-libs-python.i386                   1.7.18-2.el5                  installed
basesystem.noarch                        8.0-5.1.1.el5.centos          installed
bash.i386                                3.2-24.el5                    installed
bc.i386                                  1.06-21                       installed
bind-libs.i386                           30:9.3.6-16.P1.el5            installed
bind-utils.i386                          30:9.3.6-16.P1.el5            installed
binutils.i386                            2.17.50.0.6-14.el5            installed
bzip2.i386                               1.0.3-6.el5_5                 installed
bzip2-libs.i386                          1.0.3-6.el5_5                 installed
centos-release.i386                      10:5-6.el5.centos.1           installed
centos-release-notes.i386                5.6-0                         installed
checkpolicy.i386                         1.33.1-6.el5                  installed
chkconfig.i386                           1.3.30.2-2.el5                installed
conman.i386                              0.1.9.2-8.el5                 installed
coreutils.i386                           5.97-23.el5_4.2               installed
cpio.i386                                2.6-23.el5_4.1                installed
cpp.i386                                 4.1.2-50.el5                  installed
cracklib.i386                            2.8.9-3.3                     installed
cracklib-dicts.i386                      2.8.9-3.3                     installed
crontabs.noarch                          1.10-8                        installed
cryptsetup-luks.i386                     1.0.3-5.el5                   installed
curl.i386                                7.15.5-9.el5                  installed
cyrus-sasl.i386                          2.1.22-5.el5_4.3              installed
cyrus-sasl-lib.i386                      2.1.22-5.el5_4.3              installed
cyrus-sasl-plain.i386                    2.1.22-5.el5_4.3              installed
db4.i386                                 4.3.29-10.el5_5.2             installed
dbus.i386                                1.1.2-14.el5                  installed
dbus-glib.i386                           0.73-10.el5_5                 installed
dbus-libs.i386                           1.1.2-14.el5                  installed
dbus-python.i386                         0.70-9.el5_4                  installed
device-mapper.i386                       1.02.55-2.el5                 installed
device-mapper-event.i386                 1.02.55-2.el5                 installed
device-mapper-multipath.i386             0.4.7-42.el5                  installed
dhclient.i386                            12:3.0.5-23.el5_5.2           installed
diffutils.i386                           2.8.1-15.2.3.el5              installed
dmidecode.i386                           1:2.10-3.el5                  installed
dmraid.i386                              1.0.0.rc13-63.el5             installed
dmraid-events.i386                       1.0.0.rc13-63.el5             installed
dump.i386                                0.4b41-5.el5                  installed
e2fsprogs.i386                           1.39-23.el5_5.1               installed
e2fsprogs-libs.i386                      1.39-23.el5_5.1               installed
elfutils-libelf.i386                     0.137-3.el5                   installed
ethtool.i386                             6-4.el5                       installed
expat.i386                               1.95.8-8.3.el5_5.3            installed
file.i386                                4.17-15.el5_3.1               installed
filesystem.i386                          2.4.0-3.el5                   installed
findutils.i386                           1:4.2.27-6.el5                installed
fipscheck.i386                           1.2.0-1.el5                   installed
fipscheck-lib.i386                       1.2.0-1.el5                   installed
flex.i386                                2.5.4a-41.fc6                 installed
ftp.i386                                 0.17-35.el5                   installed
gamin.i386                               0.1.7-8.el5                   installed
gamin-python.i386                        0.1.7-8.el5                   installed
gawk.i386                                3.1.5-14.el5                  installed
gcc.i386                                 4.1.2-50.el5                  installed
gcc-c++.i386                             4.1.2-50.el5                  installed
gdbm.i386                                1.8.0-26.2.1                  installed
gettext.i386                             0.17-1.el5                    installed
glib2.i386                               2.12.3-4.el5_3.1              installed
glibc.i686                               2.5-58                        installed
glibc-common.i386                        2.5-58                        installed
glibc-devel.i386                         2.5-58                        installed
glibc-headers.i386                       2.5-58                        installed
gnu-efi.i386                             3.0c-1.1                      installed
gnupg.i386                               1.4.5-14.el5_5.1              installed
gnutls.i386                              1.4.1-3.el5_4.8               installed
grep.i386                                2.5.1-55.el5                  installed
groff.i386                               1.18.1.1-11.1                 installed
grub.i386                                0.97-13.5                     installed
gzip.i386                                1.3.5-11.el5.centos.1         installed
hal.i386                                 0.5.8.1-62.el5                installed
hdparm.i386                              6.6-2                         installed
hesiod.i386                              3.1.0-8                       installed
hmaccalc.i386                            0.9.6-3.el5                   installed
hwdata.noarch                            0.213.22-1.el5                installed
ibmasm.i386                              3.0-9                         installed
info.i386                                4.8-14.el5                    installed
initscripts.i386                         8.45.33-1.el5.centos          installed
iproute.i386                             2.6.18-11.el5                 installed
ipsec-tools.i386                         0.6.5-14.el5_5.5              installed
iptables.i386                            1.3.5-5.3.el5_4.1             installed
iptraf.i386                              3.0.0-5.el5                   installed
iptstate.i386                            1.4-2.el5                     installed
iputils.i386                             20020927-46.el5               installed
iscsi-initiator-utils.i386               6.2.0.872-6.el5               installed
kbd.i386                                 1.12-21.el5                   installed
kernel.i686                              2.6.18-238.el5                installed
kernel-PAE.i686                          2.6.18-238.el5                installed
kernel-PAE-devel.i686                    2.6.18-238.el5                installed
kernel-devel.i686                        2.6.18-238.el5                installed
kernel-headers.i386                      2.6.18-238.el5                installed
keyutils.i386                            1.2-1.el5                     installed
keyutils-libs.i386                       1.2-1.el5                     installed
kpartx.i386                              0.4.7-42.el5                  installed
krb5-libs.i386                           1.6.1-55.el5                  installed
kudzu.i386                               1.2.57.1.26-1.el5.centos      installed
less.i386                                436-7.el5                     installed
lftp.i386                                3.7.11-4.el5_5.3              installed
libIDL.i386                              0.8.7-1.fc6                   installed
libacl.i386                              2.2.39-6.el5                  installed
libaio.i386                              0.3.106-5                     installed
libattr.i386                             2.4.32-1.1                    installed
libcap.i386                              1.10-26                       installed
libdaemon.i386                           0.10-5.el5                    installed
libevent.i386                            1.4.13-1                      installed
libgcc.i386                              4.1.2-50.el5                  installed
libgcrypt.i386                           1.4.4-5.el5                   installed
libgomp.i386                             4.4.4-13.el5                  installed
libgpg-error.i386                        1.4-2                         installed
libgssapi.i386                           0.10-2                        installed
libhugetlbfs.i386                        1.3-8.2.el5                   installed
libidn.i386                              0.6.5-1.1                     installed
libpcap.i386                             14:0.9.4-15.el5               installed
libselinux.i386                          1.33.4-5.7.el5                installed
libselinux-python.i386                   1.33.4-5.7.el5                installed
libselinux-utils.i386                    1.33.4-5.7.el5                installed
libsemanage.i386                         1.9.1-4.4.el5                 installed
libsepol.i386                            1.15.2-3.el5                  installed
libstdc++.i386                           4.1.2-50.el5                  installed
libstdc++-devel.i386                     4.1.2-50.el5                  installed
libsysfs.i386                            2.0.0-6                       installed
libtermcap.i386                          2.0.8-46.1                    installed
libusb.i386                              0.1.12-5.1                    installed
libuser.i386                             0.54.7-2.1.el5_4.1            installed
libutempter.i386                         1.1.4-4.el5                   installed
libvolume_id.i386                        095-14.24.el5                 installed
libxml2.i386                             2.6.26-2.1.2.8.el5_5.1        installed
libxml2-python.i386                      2.6.26-2.1.2.8.el5_5.1        installed
logrotate.i386                           3.7.4-9.el5_5.2               installed
lsof.i386                                4.78-3                        installed
lvm2.i386                                2.02.74-5.el5                 installed
m2crypto.i386                            0.16-6.el5.8                  installed
m4.i386                                  1.4.5-3.el5.1                 installed
mailx.i386                               8.1.1-44.2.2                  installed
make.i386                                1:3.81-3.el5                  installed
mcstrans.i386                            0.2.11-3.el5                  installed
mgetty.i386                              1.1.33-9.fc6                  installed
mingetty.i386                            1.07-5.2.2                    installed
mkinitrd.i386                            5.1.19.6-68.el5               installed
mktemp.i386                              3:1.5-23.2.2                  installed
mlocate.i386                             0.15-1.el5.2                  installed
module-init-tools.i386                   3.3-0.pre3.1.60.el5_5.1       installed
mtr.i386                                 2:0.71-3.1                    installed
nash.i386                                5.1.19.6-68.el5               installed
nc.i386                                  1.84-10.fc6                   installed
ncurses.i386                             5.5-24.20060715               installed
net-tools.i386                           1.60-81.el5                   installed
nfs-utils.i386                           1:1.0.9-50.el5                installed
nfs-utils-lib.i386                       1.0.8-7.6.el5                 installed
nscd.i386                                2.5-58                        installed
nspr.i386                                4.8.6-1.el5                   installed
nss.i386                                 3.12.8-1.el5.centos           installed
nss-tools.i386                           3.12.8-1.el5.centos           installed
nss_db.i386                              2.2-35.4.el5_5                installed
nss_ldap.i386                            253-37.el5                    installed
oddjob.i386                              0.27-11.el5                   installed
oddjob-libs.i386                         0.27-11.el5                   installed
openldap.i386                            2.3.43-12.el5_5.3             installed
openssh.i386                             4.3p2-72.el5                  installed
openssh-clients.i386                     4.3p2-72.el5                  installed
openssh-server.i386                      4.3p2-72.el5                  installed
openssl.i686                             0.9.8e-12.el5_5.7             installed
pam.i386                                 0.99.6.2-6.el5_5.2            installed
pam_passwdqc.i386                        1.0.2-1.2.2                   installed
parted.i386                              1.8.1-27.el5                  installed
passwd.i386                              0.73-2                        installed
patch.i386                               2.5.4-31.el5                  installed
pax.i386                                 3.4-2.el5_4                   installed
pciutils.i386                            3.1.7-3.el5                   installed
pcre.i386                                6.6-6.el5                     installed
perl.i386                                4:5.8.8-32.el5_5.2            installed
perl-String-CRC32.i386                   1.4-2.fc6                     installed
pkinit-nss.i386                          0.7.6-1.el5                   installed
pm-utils.i386                            0.99.3-10.el5.centos          installed
policycoreutils.i386                     1.33.12-14.8.el5              installed
popt.i386                                1.10.2.3-22.el5               installed
portmap.i386                             4.0-65.2.2.1                  installed
ppp.i386                                 2.4.4-2.el5                   installed
prelink.i386                             0.4.0-2.el5                   installed
procps.i386                              3.2.7-16.el5                  installed
psacct.i386                              6.3.2-44.el5                  installed
psmisc.i386                              22.2-7                        installed
pygobject2.i386                          2.12.1-5.el5                  installed
python.i386                              2.4.3-43.el5                  installed
python-elementtree.i386                  1.2.6-5                       installed
python-iniparse.noarch                   0.2.3-4.el5                   installed
python-libs.i386                         2.4.3-43.el5                  installed
python-sqlite.i386                       1.1.7-1.2.1                   installed
python-urlgrabber.noarch                 3.1.0-6.el5                   installed
quota.i386                               1:3.13-4.el5                  installed
rdist.i386                               1:6.1.5-44                    installed
readahead.i386                           1:1.3-8.el5                   installed
readline.i386                            5.1-3.el5                     installed
redhat-logos.noarch                      4.9.99-11.el5.centos          installed
rmt.i386                                 0.4b41-5.el5                  installed
rng-utils.i386                           1:2.0-4.el5                   installed
rootfiles.noarch                         8.1-1.1.1                     installed
rpm.i386                                 4.4.2.3-22.el5                installed
rpm-libs.i386                            4.4.2.3-22.el5                installed
rpm-python.i386                          4.4.2.3-22.el5                installed
rsync.i386                               2.6.8-3.1                     installed
screen.i386                              4.0.3-3.el5                   installed
sed.i386                                 4.1.5-5.fc6                   installed
selinux-policy.noarch                    2.4.6-300.el5                 installed
selinux-policy-targeted.noarch           2.4.6-300.el5                 installed
setarch.i386                             2.0-1.1                       installed
setools.i386                             3.0-3.el5                     installed
setserial.i386                           2.17-19.2.2                   installed
setup.noarch                             2.5.58-7.el5                  installed
sgpio.i386                               1.2.0_10-2.el5                installed
shadow-utils.i386                        2:4.0.17-18.el5               installed
smartmontools.i386                       1:5.38-2.el5                  installed
sqlite.i386                              3.3.6-5                       installed
stunnel.i386                             4.15-2.el5.1                  installed
sudo.i386                                1.7.2p1-10.el5                installed
symlinks.i386                            1.2-24.2.2                    installed
sysfsutils.i386                          2.0.0-6                       installed
sysklogd.i386                            1.4.1-46.el5                  installed
talk.i386                                0.17-29.2.2                   installed
tar.i386                                 2:1.15.1-30.el5               installed
tcl.i386                                 8.4.13-4.el5                  installed
tcp_wrappers.i386                        7.6-40.7.el5                  installed
tcsh.i386                                6.14-17.el5_5.2               installed
telnet.i386                              1:0.17-39.el5                 installed
termcap.noarch                           1:5.5-1.20060701.1            installed
time.i386                                1.7-27.2.2                    installed
tmpwatch.i386                            2.9.7-1.1.el5.5               installed
traceroute.i386                          3:2.0.1-5.el5                 installed
tree.i386                                1.5.0-4                       installed
tzdata.i386                              2010l-1.el5                   installed
udev.i386                                095-14.24.el5                 installed
udftools.i386                            1.0.0b3-0.1.el5               installed
unzip.i386                               5.52-3.el5                    installed
usbutils.i386                            0.71-2.1                      installed
usermode.i386                            1.88-3.el5.2                  installed
util-linux.i386                          2.13-0.56.el5                 installed
vim-common.i386                          2:7.0.109-7.el5               installed
vim-minimal.i386                         2:7.0.109-7.el5               installed
vixie-cron.i386                          4:4.1-77.el5_4.1              installed
vsftpd.i386                              2.0.5-16.el5_6.1              installed
wget.i386                                1.11.4-2.el5_4.1              installed
which.i386                               2.16-7                        installed
yum.noarch                               3.2.22-33.el5.centos          installed
yum-fastestmirror.noarch                 1.1.16-14.el5.centos.1        installed
yum-metadata-parser.i386                 1.1.2-3.el5.centos            installed
zip.i386                                 2.31-2.el5                    installed
zlib.i386                                1.2.3-3                       installed
So my question is this: do you see anything else in that list which I could safely remove from the server?

The only thing this server will be used for is to serve a single web site, I will install httpd, php and mysql once the clean up is complete. I will be using SSH and vsftp both of which have already been firewalled through iptables.

I will be the only "user" on the server, there will be no email, no DNS or anything else.

Edit: Forgot to mention this is CentOS release 5.6 (Final)

Last edited by MartinPrestovic; 05-06-2011 at 09:43 AM.
 
Old 05-06-2011, 08:27 PM   #2
plpl303a
Member
 
Registered: May 2011
Posts: 52

Rep: Reputation: 3
If you won't be compiling anything on the machine, you likely don't need any of the -devel packages or -headers packages.
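As an added example (not plpl303a's or the OP's code), the script below parses a `yum list installed` listing in the three-column format shown in the first post, flags every package whose name ends in -devel or -headers, and prints the matching `yum remove` line for review instead of running it. The sample listing is constructed from lines in the OP's output; against a live box you would pipe the real listing in (`yum list installed | dev_remove_cmdline` after sourcing the file) and still check `rpm -q --whatrequires` on anything surprising before removing it.

```shell
#!/bin/sh
# Added example (not from the thread): audit a `yum list installed` listing
# for -devel/-headers packages, which a box that never compiles anything
# does not need (plpl303a's point). Expects yum's CentOS 5 output format:
#   name.arch   version   repo
# where the third column reads "installed".

# Constructed sample: a handful of lines copied from the OP's listing.
SAMPLE_LISTING='glibc.i686                               2.5-58                        installed
glibc-devel.i386                         2.5-58                        installed
glibc-headers.i386                       2.5-58                        installed
kernel.i686                              2.6.18-238.el5                installed
kernel-PAE-devel.i686                    2.6.18-238.el5                installed
kernel-headers.i386                      2.6.18-238.el5                installed
libstdc++-devel.i386                     4.1.2-50.el5                  installed
openssh-server.i386                      4.3p2-72.el5                  installed'

# Read a listing on stdin; print the bare package names (arch suffix
# stripped) whose name ends in -devel or -headers, sorted bytewise so the
# output is stable regardless of locale.
dev_packages() {
    awk 'NF >= 3 && $3 == "installed" {
             name = $1; sub(/\.[^.]*$/, "", name)   # drop ".i386" / ".noarch"
             if (name ~ /-(devel|headers)$/) print name
         }' | LC_ALL=C sort
}

# Number of flagged packages, for a one-line summary.
dev_package_count() {
    dev_packages | wc -l | tr -d ' '
}

# Build the "yum remove" command line without executing it, so the admin
# reviews the list first (yum asks for confirmation as well).
dev_remove_cmdline() {
    names=$(dev_packages | tr '\n' ' ')
    printf 'yum remove %s\n' "${names% }"
}

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LISTING" | dev_remove_cmdline
fi
```

The awk pattern is the whole policy; extending it to other suffixes the thread discusses (for example a list of names the admin has already decided against) is a one-line change, and the generated command line stays a review artifact until someone runs it.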
 
Old 05-07-2011, 03:32 AM   #3
John VV
LQ Muse
 
Registered: Aug 2005
Location: A2 area Mi.
Posts: 16,825

Rep: Reputation: 2408
Quote:
I don't want such as sendmail.
you are aware that kernel messages and others are sent by sendmail to some of the logs?

i would leave it installed

also you are uninstalling "NetworkManager" ???
so you will be using the older "Network" daemon - this IS a static IP address?? right??

nano
you DO NOT want to remove that - it is BY FAR one of the most useful terminal editors

autofs
? ok if you never intend to boot from usb in an emergency

dos2unix
-- very handy in removing MS formatting in MS formatted text files

ecryptfs-utils
so you do not intend to encrypt files to SECURE them .
or use hashes


iptables-ipv6
?? seeing as there are NO MORE ipv4 addresses this IS A MUST HAVE - so why remove it ?

and
yum-updatesd

so you DO NOT want to know if there are security updates to install ???
 
Old 05-07-2011, 06:24 AM   #4
r3sistance
Senior Member
 
Registered: Mar 2004
Location: UK
Distribution: CentOS 5.4, Mac OS 10.4 (tiger)
Posts: 1,005

Rep: Reputation: 79
hmmm, if you want to remove everything unnecessary then run the following command "rm -rf /*". Ok that's a joke and seriously NEVER run that command (I have had to try and recover data from people's servers who have actually run that very command...).

Having packages on your server that you are not using won't necessarily affect its security, you'd be much better off focusing on how people can touch your server (main area to check here would be iptables) and vulnerabilities that any net facing processes might have. You have mentioned you are planning to use vsftp but what protocols are you going to allow and how will they be used? Normal FTP is fine if it's for anonymous downloading from the server only, however FTP is a very insecure protocol so if you are looking for uploading or logins I'd suggest alternatives like SFTP and SCP.

Overall I am going to say focus on iptables more than anything however. One script I use on iptables on all my own servers & VPSs is as follows

Code:
# Create chain for ssh attacks
iptables -N SSH_CHECK
# ssh chain
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
iptables -A SSH_CHECK -m recent --set --name SSH
iptables -A SSH_CHECK -m recent --update --seconds 120 --hitcount 5 --name SSH -j DROP
Other people might use or prefer different methods but this reduces the effect of brute force attacks by limiting the number of connection attempts over the SSH port. You can even change the SSH port and use key authentication for additional security, tho if you do use this, remember you will need to do "service iptables save" or it will be lost when iptables is restarted. This is only a filter however, it's not an allow rule, you'd still need a rule that allows port 22, it just has to come after this, so to speak.

Quote:
Originally Posted by John VV View Post
also you are uninstalling "NetworkManager" ???
so you will be using the older "Network " daemon - this IS as static ip address ?? right ??
That's the one process I think I could say I never use, then again I do use static ip addresses both on my servers and at home (tho naturally private/internal ip addresses at home with the Router using NAT).

tho I'd also like to point out something else he removed

man
So you don't want the details of how processes/applications work or are called should you need to perform any maintenance right to hand?

just to confirm as well, when you start "yum remove" this was the command you ran, you didn't actually remove yum, right? Actually if you are after security I'd probably suggest placing "yum update" in crontab as a daily or weekly task.
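The chain r3sistance describes, as an added example that is not his script or the OP's: it emits the SSH_CHECK rules together with the ACCEPT rule that has to come after them, applies them in that order, and ends with the `service iptables save` step he mentions. CentOS 5 iptables syntax (`-m state`, `-m recent`) is assumed; the port, time window and hit count are parameters chosen here, not values from the thread. Setting `IPT=echo` prints the rules instead of touching the firewall, which is how the ordering can be checked without root.

```shell
#!/bin/sh
# Added example, not r3sistance's script or the OP's: his SSH_CHECK chain
# plus the ACCEPT rule it must precede, with a dry-run switch.
# Assumes CentOS 5 iptables syntax (-m state, -m recent). Port, window and
# hit count are parameters chosen here, not values from the thread.
# Set IPT=echo to print the rules instead of applying them (applying needs root).

IPT="${IPT:-/sbin/iptables}"
SSH_PORT="${SSH_PORT:-22}"   # sshd's listening port
HITS="${HITS:-5}"            # new connections allowed per source address ...
WINDOW="${WINDOW:-120}"      # ... within this many seconds

# Emit the rules, one per line, in the order they must be applied.
# The jump is inserted at the top of INPUT (as in the post) so it is seen
# before any existing ACCEPT; the final ACCEPT is appended, so in a script
# that ends with "-A INPUT -j DROP" these lines must run before that DROP.
ssh_ratelimit_rules() {
    cat <<EOF
-N SSH_CHECK
-I INPUT -p tcp --dport $SSH_PORT -m state --state NEW -j SSH_CHECK
-A SSH_CHECK -m recent --set --name SSH
-A SSH_CHECK -m recent --update --seconds $WINDOW --hitcount $HITS --name SSH -j DROP
-A INPUT -p tcp --dport $SSH_PORT -m state --state NEW -j ACCEPT
EOF
}

# Apply (or, with IPT=echo, print) each rule; stop at the first failure.
# "-N SSH_CHECK" fails if the chain already exists, so run this once.
apply_ssh_ratelimit() {
    ssh_ratelimit_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # splitting the rule into words is intended
        $IPT $rule || exit 1
    done
}

# 1-based position of the first emitted rule containing $1, or 0 if none;
# lets a caller confirm the DROP rule is ordered before the ACCEPT.
rule_position() {
    pos=$(ssh_ratelimit_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1)
    echo "${pos:-0}"
}

if [ "${1:-}" = "--apply" ]; then
    # Persist the rules, as the post notes, or they vanish on the next restart
    apply_ssh_ratelimit && /sbin/service iptables save
fi
```

The counter is kept per source address by the recent module, so a source that opens more than the allowed number of new SSH connections inside the window has further new connections dropped until the window passes; established sessions are untouched because only NEW state packets enter the chain.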
 
Old 05-07-2011, 12:21 PM   #5
MartinPrestovic
LQ Newbie
 
Registered: Nov 2010
Posts: 12

Original Poster
Rep: Reputation: 0
Thanks for all your responses thus far. In reply:

Quote:
Originally Posted by plpl303a View Post
If you won't be compiling anything on the machine, you likely don't need any of the -devel packages or -headers packages.
Nope, I won't be compiling anything, so you're saying it should be safe to remove these packages?

glibc-devel.i386
glibc-headers.i386
kernel-PAE-devel.i686
kernel-devel.i686
kernel-headers.i386
libstdc++-devel.i386

Quote:
Originally Posted by John VV View Post
you are aware that kernel messages and others are sent by sendmail to some of the logs?

i would leave it installed

also you are uninstalling "NetworkManager" ???
so you will be using the older "Network" daemon - this IS a static IP address?? right??

nano
you DO NOT want to remove that - it is BY FAR one of the most useful terminal editors

autofs
? ok if you never intend to boot from usb in an emergency

dos2unix
-- very handy in removing MS formatting in MS formatted text files

ecryptfs-utils
so you do not intend to encrypt files to SECURE them .
or use hashes


iptables-ipv6
?? seeing as there are NO MORE ipv4 addresses this IS A MUST HAVE - so why remove it ?

and
yum-updatesd

so you DO NOT want to know if there are security updates to install ???
John, I'll go through them one by one as you have:

sendmail - No I was not aware that kernel messages are sent through sendmail. If that is the case, what happens when people choose to replace sendmail with alternatives, the kernel starts using the alternative? The only two items I knew would be using sendmail was LogWatch which has been removed and cron, which I intend to disable the mailing aspect for.

NetworkManager - From the package description on rpmfind.net "NetworkManager attempts to keep an active network connection available at all times. It is intended only for the desktop use-case, and is not intended for usage on servers". As this is a server hosted in a datacenter and not a desktop I see no reason to keep this. Yes it is a static IP.

nano - I have been doing basic maintenance (installing PHP, configuring Apache, etc) on other people's servers for several years through SSH and I have never used this editor. I have always used vi to edit files.

autofs - I don't have physical access to the machine so wouldn't be able to boot from a USB stick anyway.

dos2unix - Again, I have never had the need to use this.

ecryptfs-utils - No, I won't be doing any file encryption. The web site that will eventually reside on this server won't be doing anything with secure information.

iptables-ipv6 - From my understanding I would only need this if my server were assigned an IPv6 address. Which it hasn't been, it is on an IPv4 address so this wouldn't be used?

yum-updatesd - This is known to cause issues. The server will be updated via cron instead.

Quote:
Originally Posted by r3sistance View Post
hmmm, if you want to remove everything unnecessary then run the following command "rm -rf /*". Ok that's a joke and seriously NEVER run that command (I have had to try and recover data from people's servers who have actually run that very command...).
I'll give that one a miss

Quote:
Originally Posted by r3sistance View Post
Having packages on your server that you are not using won't necessarily affect its security, you'd be much better off focusing on how people can touch your server (main area to check here would be iptables) and vulnerabilities that any net facing processes might have. You have mentioned you are planning to use vsftp but what protocols are you going to allow and how will they be used? Normal FTP is fine if it's for anonymous downloading from the server only, however FTP is a very insecure protocol so if you are looking for uploading or logins I'd suggest alternatives like SFTP and SCP.

Overall I am going to say focus on iptables more than anything however. One script I use on iptables on all my own servers & VPSs is as follows

Code:
# Create chain for ssh attacks
iptables -N SSH_CHECK
# ssh chain
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
iptables -A SSH_CHECK -m recent --set --name SSH
iptables -A SSH_CHECK -m recent --update --seconds 120 --hitcount 5 --name SSH -j DROP
Other people might use or prefer different methods but this reduces the effect of brute force attacks by limiting the number of connection attempts over the SSH port. You can even change the SSH port and use key authentication for additional security, though if you do use this, remember you will need to do "service iptables save" or it will be lost when iptables is restarted. This is only a filter however, it's not an allow rule, you'd still need a rule that allows port 22, it just has to come after this, so to speak.
The first thing I did when I received the login details for this server from the hosting company was log in to the server, add a new user and then disable root login for SSH. I also added a line that only allows the new user account to log in via SSH and switched the port number.

Once that was complete I set up iptables with the following config file I created from earlier research and testing:

Code:
#!/bin/sh

# Clear All Rules
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F
/sbin/iptables -X

# Allow Loopback Traffic (Must Come First)
/sbin/iptables -A INPUT -i lo -j ACCEPT

# Accept packets carrying the loopback source address (already covered by the
# lo rule above; outbound access is granted by the OUTPUT policy at the end)
/sbin/iptables -A INPUT -s 127.0.0.1 -j ACCEPT

# Allow Established Sessions
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow SSH (only from the admin's static IP, on the non-default port)
/sbin/iptables -A INPUT -s 000.000.000.000 -p tcp --dport 22XX -j ACCEPT
# SSH is TCP; the replies leave from port 22XX towards the admin IP
/sbin/iptables -A OUTPUT -d 000.000.000.000 -p tcp --sport 22XX -j ACCEPT

# Allow FTP (control port plus a high-port range for passive data connections, admin IP only)
/sbin/iptables -A INPUT -s 000.000.000.000 -p tcp --dport 21 -j ACCEPT
/sbin/iptables -A INPUT -s 000.000.000.000 -p tcp --dport 1024:65535 -j ACCEPT

# Allow HTTP (inbound to the web server; outbound for things like yum)
/sbin/iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT

# Allow HTTPS
#/sbin/iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
#/sbin/iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT

# Block Everything Else Except Internal
# (OUTPUT policy stays ACCEPT, so the OUTPUT rules above are explicit rather than required)
/sbin/iptables -A INPUT -j DROP
/sbin/iptables -A FORWARD -j DROP
/sbin/iptables -P OUTPUT ACCEPT
Most of the above was actually put together from research on this forum. I have commented out HTTPS because that won't be used on this server. So all I did was add in my static IP for the SSH and FTP, change the port number on the SSH and save that to iptables.

Quote:
Originally Posted by r3sistance View Post
man
So you don't want the details of how processes/applications work or are called should you need to perform any maintenance right to hand?

just to confirm as well, when you start "yum remove" this was the command you ran, you didn't actually remove yum, right? Actually if you are after security I'd probably suggest placing "yum update" in crontab as a daily or weekly task.
I hardly ever use man and if I ever find myself in the situation where I do need to, I have access to other servers where I could issue the command, or there is always Google.

No, I didn't remove yum... I don't have this set up on cron yet as I am still cleaning packages, but when I have finished with the clean up I will be adding the following to the root cron to keep the system up to date once a week:

Code:
# Weekly update: 01:00 every Monday
0 1 * * 1 /usr/bin/yum -y update >> /dev/null 2>&1
# Monthly cache clean-up: 01:00 on the 1st of each month
0 1 1 * * /usr/bin/yum clean all >> /dev/null 2>&1
 
Old 05-07-2011, 12:43 PM   #6
r3sistance
Senior Member
 
Registered: Mar 2004
Location: UK
Distribution: CentOS 5.4, Mac OS 10.4 (tiger)
Posts: 1,005

Rep: Reputation: 79
I guess I will give my thoughts on a few of them.



I'd agree that you don't need network manager and should not be using it in a datacenter (as a datacenter lead technician I say this!)

nano is a quick simple editor, if you don't want/need it then don't use it. However vi has been used in the past for several exploits as well, so if you have other users at all using the system I'd be careful about how they can use vi and instead give them nano, which is less powerful and does not open such things.

You might not have access to the machine but the people in the data center do; in fact, if it's a dedicated server and anything happens, the on-site technicians may use USB-based tools (I know I have before).

IPv6 will be very important within the next 18 months, even before that it's likely people will start being rolled out only IPv6 addresses, when this occurs those users will be unable to browse your website since they do not have an IPv4 address. While it could probably wait a year, it's good to get such configurations in place early and this will happen, there is no two ways about this.

Looks like you have a fairly good set-up, however an nmap or similar methods of port prodding may still allow some hackers to discover your SSH port despite the change, I'd still suggest a firewall rule or set-up that ensures a limit of login attempts over a certain amount of time or authentication keys. Essentially make that job a little bit harder.

Last edited by r3sistance; 05-07-2011 at 12:50 PM. Reason: sendmail
 
Old 05-07-2011, 12:50 PM   #7
arizonagroovejet
Senior Member
 
Registered: Jun 2005
Location: England
Distribution: openSUSE, Fedora, CentOS
Posts: 1,078

Rep: Reputation: 195
Quote:
Originally Posted by r3sistance View Post
nano is a quick simple editor, if you don't want/need it then don't use it. However vi has been used in the past for several exploits as well, so if you have other users at all using the system I'd be careful about how they can use vi and instead give them nano what is less powerful and does not open such things.
Can you provide examples of how 'vi has been used in the past for several exploits'?

I don't understand what you mean when you say that nano 'does not open such things'? What 'things' are you referring to?
 
Old 05-07-2011, 12:56 PM   #8
r3sistance
Senior Member
 
Registered: Mar 2004
Location: UK
Distribution: CentOS 5.4, Mac OS 10.4 (tiger)
Posts: 1,005

Rep: Reputation: 79
Quote:
Originally Posted by arizonagroovejet View Post
Can you provide examples of how 'vi has been used in the past for several exploits'?

I don't understand what you mean when you say that nano 'does not open such things'? What 'things' are you referring to?
I could be mistaken, it could be vim, it's been some time since I have looked into it though, I know one of the editors had some lovely stuff it could break, I think it was related to regular expressions but I can only say my memory on this comes mainly from scanning anyway, I don't know the in-depths of it.
 
Old 05-07-2011, 01:04 PM   #9
MartinPrestovic
LQ Newbie
 
Registered: Nov 2010
Posts: 12

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by r3sistance View Post
IPv6 will be very important within the next 18 months, even before that it's likely people will start being rolled out only IPv6 addresses, when this occurs those users will be unable to browse your website since they do not have an IPv4 address. While it could probably wait a year, it's good to get such configurations in place early and this will happen, there is no two ways about this.

Looks like you have a fairly good set-up, however an nmap or similar methods of port prodding may still allow some hackers to discover your SSH port despite the change, I'd still suggest a firewall rule or set-up that ensures a limit of login attempts over a certain amount of time or authentication keys. Essentially make that job a little bit harder
Thanks for your input. I will be the only user on the machine, no one else will have access.

Regarding IPv6 I think I misunderstood how this works. I thought it was intended for servers which had been assigned IPv6 addresses rather than for users. If I install this back onto the server, do I need to then configure it separately or will it use the same configuration that I have installed for IPv4?

Lastly, yes I agree that limiting the number of attempts would be a good idea. I have merged your ssh chain with my version that limits the IP and port; would you mind checking over it to see if it's correct?

Code:
# Allow SSH (admin IP only; at most 5 new connections per 120 seconds)
/sbin/iptables -N SSH_CHECK
/sbin/iptables -A INPUT -s 000.000.000.000 -p tcp --dport 22XX -m state --state NEW -j SSH_CHECK
/sbin/iptables -A SSH_CHECK -m recent --set --name SSH
/sbin/iptables -A SSH_CHECK -m recent --update --seconds 120 --hitcount 5 --name SSH -j DROP
# SSH_CHECK only filters; connections that survive it still need an explicit ACCEPT
/sbin/iptables -A SSH_CHECK -j ACCEPT
# SSH is TCP; replies leave from port 22XX towards the admin IP
/sbin/iptables -A OUTPUT -d 000.000.000.000 -p tcp --sport 22XX -j ACCEPT
 
Old 05-07-2011, 01:19 PM   #10
r3sistance
Senior Member
 
Registered: Mar 2004
Location: UK
Distribution: CentOS 5.4, Mac OS 10.4 (tiger)
Posts: 1,005

Rep: Reputation: 79
Looks good but best to test it, at a random point when you have no interest of doing anything just purposefully fail to put the password in correctly 5 times in 2 minutes, see if it blocks you from further attempts until the 2 minutes is up. (possibly best to do this from a machine/ip other than the one you use to administrate it too, I have managed to blackhole myself out of a few VPSs in the past but was able to get around it since they are just VPSs!)

As for IPv6, to confirm, both the user and the server require IPv6 addresses for communication over IPv6. I have yet to play around with iptables-ipv6, presumably it's the same except you need to pass it IPv6 addresses instead of IPv4 addresses, perhaps someone else can confirm or maybe google can do that. Of course you will also have to get an IPv6 IP as well.

Last edited by r3sistance; 05-07-2011 at 01:21 PM.
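As an added example, not code from the thread or from either poster, here is a firewall script in the shape of the one posted above with the SSH_CHECK rate-limit chain merged in, written so that the rule set can be printed and reviewed before it is applied. ADMIN_IP, SSH_PORT, the ipt wrapper, build_rules, rule_count and check_rules are my own names; the admin address is an RFC 5737 documentation address standing in for the real static IP, and the port is an arbitrary placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): firewall script with the SSH rate-limit
# chain, plus a self-check on rule ordering. ADMIN_IP and SSH_PORT are
# placeholders; with DRY_RUN=1 (the default) the script only prints the
# iptables commands, with DRY_RUN=0 it applies them (needs root).

ADMIN_IP="${ADMIN_IP:-203.0.113.10}"   # placeholder: RFC 5737 documentation address
SSH_PORT="${SSH_PORT:-2222}"           # placeholder: the non-default SSH port
DRY_RUN="${DRY_RUN:-1}"
IPT=/sbin/iptables

# Wrapper: print the command in dry-run mode, otherwise execute it.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

build_rules() {
    # Start from a clean slate, as the script in the thread does.
    ipt -F
    ipt -t nat -F
    ipt -t mangle -F
    ipt -X
    # Loopback first, then anything belonging to a connection already accepted.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # SSH rate limit. Every NEW connection from a source adds a timestamp (--set);
    # --update then matches once 5 timestamps fall inside the last 120 s and DROPs.
    # Because --set runs on every attempt, a client that keeps retrying keeps
    # itself locked out until it stays quiet for 120 s.
    ipt -N SSH_CHECK
    ipt -A SSH_CHECK -m recent --set --name SSH
    ipt -A SSH_CHECK -m recent --update --seconds 120 --hitcount 5 --name SSH -j DROP
    # The chain is only a filter; what survives it still needs an explicit ACCEPT.
    ipt -A SSH_CHECK -j ACCEPT
    # Only the admin address reaches the SSH chain at all, and only for NEW connections.
    ipt -A INPUT -s "$ADMIN_IP" -p tcp --dport "$SSH_PORT" -m state --state NEW -j SSH_CHECK
    # Web traffic from anywhere.
    ipt -A INPUT -p tcp --dport 80 -j ACCEPT
    # Everything else: drop inbound and forwarded, let the host talk out.
    ipt -A INPUT -j DROP
    ipt -A FORWARD -j DROP
    ipt -P OUTPUT ACCEPT
}

# Number of iptables invocations the script generates (used by the self-check).
rule_count() {
    ( DRY_RUN=1; build_rules ) | wc -l | tr -d ' '
}

# Sanity-check ordering on the dry-run output: the chain must exist before it is
# referenced, the jump into it must come before the catch-all DROP, and the
# survivors' ACCEPT must be present inside the chain.
check_rules() {
    rules=$( DRY_RUN=1; build_rules )
    create=$(printf '%s\n' "$rules" | grep -n -- '-N SSH_CHECK' | cut -d: -f1)
    jump=$(printf '%s\n' "$rules" | grep -n -- '-A INPUT .* -j SSH_CHECK' | cut -d: -f1)
    drop=$(printf '%s\n' "$rules" | grep -n -- '-A INPUT -j DROP' | cut -d: -f1)
    [ -n "$create" ] && [ -n "$jump" ] && [ -n "$drop" ] || return 1
    [ "$create" -lt "$jump" ] && [ "$jump" -lt "$drop" ] || return 1
    printf '%s\n' "$rules" | grep -q -- '-A SSH_CHECK -j ACCEPT' || return 1
    return 0
}

build_rules
if check_rules; then
    echo "# rule order check passed" >&2
fi
```

Run it as-is to review the generated commands, then apply with DRY_RUN=0 as root and `service iptables save` (as mentioned earlier in the thread) so the rules survive a restart. Because the jump into SSH_CHECK is restricted to the admin address, the lockout test suggested above has to be done from that address; the block clears itself 120 seconds after the last attempt, so keep an already established session open while testing rather than relying on being able to open a new one.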
 
Old 05-11-2011, 11:06 AM   #11
MartinPrestovic
LQ Newbie
 
Registered: Nov 2010
Posts: 12

Original Poster
Rep: Reputation: 0
Removal Complete

Hi Guys,

I just thought I would come back and let everyone know how I got on with this exercise. I managed to get the package list down to 143, the final list is as follows:

Code:
MAKEDEV.i386                             3.23-1.2                      installed
SysVinit.i386                            2.86-15.el5                   installed
audit-libs.i386                          1.7.18-2.el5                  installed
audit-libs-python.i386                   1.7.18-2.el5                  installed
basesystem.noarch                        8.0-5.1.1.el5.centos          installed
bash.i386                                3.2-24.el5                    installed
bzip2-libs.i386                          1.0.3-6.el5_5                 installed
centos-release.i386                      10:5-6.el5.centos.1           installed
centos-release-notes.i386                5.6-0                         installed
checkpolicy.i386                         1.33.1-6.el5                  installed
chkconfig.i386                           1.3.30.2-2.el5                installed
coreutils.i386                           5.97-23.el5_4.2               installed
cpio.i386                                2.6-23.el5_4.1                installed
cracklib.i386                            2.8.9-3.3                     installed
cracklib-dicts.i386                      2.8.9-3.3                     installed
crontabs.noarch                          1.10-8                        installed
curl.i386                                7.15.5-9.el5                  installed
cyrus-sasl-lib.i386                      2.1.22-5.el5_4.3              installed
db4.i386                                 4.3.29-10.el5_5.2             installed
device-mapper.i386                       1.02.55-2.el5                 installed
device-mapper-event.i386                 1.02.55-2.el5                 installed
device-mapper-multipath.i386             0.4.7-42.el5                  installed
diffutils.i386                           2.8.1-15.2.3.el5              installed
dmraid.i386                              1.0.0.rc13-63.el5             installed
dmraid-events.i386                       1.0.0.rc13-63.el5             installed
e2fsprogs.i386                           1.39-23.el5_5.1               installed
e2fsprogs-libs.i386                      1.39-23.el5_5.1               installed
elfutils-libelf.i386                     0.137-3.el5                   installed
ethtool.i386                             6-4.el5                       installed
expat.i386                               1.95.8-8.3.el5_5.3            installed
filesystem.i386                          2.4.0-3.el5                   installed
findutils.i386                           1:4.2.27-6.el5                installed
fipscheck.i386                           1.2.0-1.el5                   installed
fipscheck-lib.i386                       1.2.0-1.el5                   installed
gawk.i386                                3.1.5-14.el5                  installed
gdbm.i386                                1.8.0-26.2.1                  installed
glib2.i386                               2.12.3-4.el5_3.1              installed
glibc.i686                               2.5-58                        installed
glibc-common.i386                        2.5-58                        installed
gnupg.i386                               1.4.5-14.el5_5.1              installed
gnutls.i386                              1.4.1-3.el5_4.8               installed
grep.i386                                2.5.1-55.el5                  installed
grub.i386                                0.97-13.5                     installed
gzip.i386                                1.3.5-11.el5.centos.1         installed
hmaccalc.i386                            0.9.6-3.el5                   installed
hwdata.noarch                            0.213.22-1.el5                installed
info.i386                                4.8-14.el5                    installed
initscripts.i386                         8.45.33-1.el5.centos          installed
iproute.i386                             2.6.18-11.el5                 installed
iptables.i386                            1.3.5-5.3.el5_4.1             installed
iputils.i386                             20020927-46.el5               installed
iscsi-initiator-utils.i386               6.2.0.872-6.el5               installed
kbd.i386                                 1.12-21.el5                   installed
kernel.i686                              2.6.18-238.el5                installed
keyutils-libs.i386                       1.2-1.el5                     installed
kpartx.i386                              0.4.7-42.el5                  installed
krb5-libs.i386                           1.6.1-55.el5                  installed
less.i386                                436-7.el5                     installed
libacl.i386                              2.2.39-6.el5                  installed
libattr.i386                             2.4.32-1.1                    installed
libcap.i386                              1.10-26                       installed
libgcc.i386                              4.1.2-50.el5                  installed
libgomp.i386                             4.4.4-13.el5                  installed
libgpg-error.i386                        1.4-2                         installed
libgssapi.i386                           0.10-2                        installed
libhugetlbfs.i386                        1.3-8.2.el5                   installed
libidn.i386                              0.6.5-1.1                     installed
libpcap.i386                             14:0.9.4-15.el5               installed
libselinux.i386                          1.33.4-5.7.el5                installed
libselinux-python.i386                   1.33.4-5.7.el5                installed
libselinux-utils.i386                    1.33.4-5.7.el5                installed
libsemanage.i386                         1.9.1-4.4.el5                 installed
libsepol.i386                            1.15.2-3.el5                  installed
libstdc++.i386                           4.1.2-50.el5                  installed
libsysfs.i386                            2.0.0-6                       installed
libtermcap.i386                          2.0.8-46.1                    installed
libusb.i386                              0.1.12-5.1                    installed
libuser.i386                             0.54.7-2.1.el5_4.1            installed
libutempter.i386                         1.1.4-4.el5                   installed
libxml2.i386                             2.6.26-2.1.2.8.el5_5.1        installed
logrotate.i386                           3.7.4-9.el5_5.2               installed
lvm2.i386                                2.02.74-5.el5                 installed
m2crypto.i386                            0.16-6.el5.8                  installed
mcstrans.i386                            0.2.11-3.el5                  installed
mingetty.i386                            1.07-5.2.2                    installed
mkinitrd.i386                            5.1.19.6-68.el5               installed
mktemp.i386                              3:1.5-23.2.2                  installed
module-init-tools.i386                   3.3-0.pre3.1.60.el5_5.1       installed
nash.i386                                5.1.19.6-68.el5               installed
ncurses.i386                             5.5-24.20060715               installed
net-tools.i386                           1.60-81.el5                   installed
nspr.i386                                4.8.6-1.el5                   installed
nss.i386                                 3.12.8-1.el5.centos           installed
openldap.i386                            2.3.43-12.el5_5.3             installed
openssh.i386                             4.3p2-72.el5                  installed
openssh-clients.i386                     4.3p2-72.el5                  installed
openssh-server.i386                      4.3p2-72.el5                  installed
openssl.i686                             0.9.8e-12.el5_5.7             installed
pam.i386                                 0.99.6.2-6.el5_5.2            installed
passwd.i386                              0.73-2                        installed
pciutils.i386                            3.1.7-3.el5                   installed
pcre.i386                                6.6-6.el5                     installed
policycoreutils.i386                     1.33.12-14.8.el5              installed
popt.i386                                1.10.2.3-22.el5               installed
procps.i386                              3.2.7-16.el5                  installed
psmisc.i386                              22.2-7                        installed
python.i386                              2.4.3-43.el5                  installed
python-elementtree.i386                  1.2.6-5                       installed
python-iniparse.noarch                   0.2.3-4.el5                   installed
python-libs.i386                         2.4.3-43.el5                  installed
python-sqlite.i386                       1.1.7-1.2.1                   installed
python-urlgrabber.noarch                 3.1.0-6.el5                   installed
readline.i386                            5.1-3.el5                     installed
redhat-logos.noarch                      4.9.99-11.el5.centos          installed
rootfiles.noarch                         8.1-1.1.1                     installed
rpm.i386                                 4.4.2.3-22.el5                installed
rpm-libs.i386                            4.4.2.3-22.el5                installed
rpm-python.i386                          4.4.2.3-22.el5                installed
sed.i386                                 4.1.5-5.fc6                   installed
selinux-policy.noarch                    2.4.6-300.el5                 installed
selinux-policy-targeted.noarch           2.4.6-300.el5                 installed
setup.noarch                             2.5.58-7.el5                  installed
sgpio.i386                               1.2.0_10-2.el5                installed
shadow-utils.i386                        2:4.0.17-18.el5               installed
sqlite.i386                              3.3.6-5                       installed
symlinks.i386                            1.2-24.2.2                    installed
sysklogd.i386                            1.4.1-46.el5                  installed
tar.i386                                 2:1.15.1-30.el5               installed
tcp_wrappers.i386                        7.6-40.7.el5                  installed
termcap.noarch                           1:5.5-1.20060701.1            installed
tzdata.i386                              2010l-1.el5                   installed
udev.i386                                095-14.24.el5                 installed
usermode.i386                            1.88-3.el5.2                  installed
util-linux.i386                          2.13-0.56.el5                 installed
vim-common.i386                          2:7.0.109-7.el5               installed
vim-minimal.i386                         2:7.0.109-7.el5               installed
vixie-cron.i386                          4:4.1-77.el5_4.1              installed
vsftpd.i386                              2.0.5-16.el5_6.1              installed
which.i386                               2.16-7                        installed
yum.noarch                               3.2.22-33.el5.centos          installed
yum-fastestmirror.noarch                 1.1.16-14.el5.centos.1        installed
yum-metadata-parser.i386                 1.1.2-3.el5.centos            installed
zlib.i386                                1.2.3-3                       installed
The final yum command looks like this:

Code:
yum remove acl acpid amtu apmd aspell aspell-en at attr audit anacron atk authconfig autofs bc bind-libs
 bind-utils binutils bitstream-vera-fonts bluez-gnome bluez-libs bluez-utils bzip2 cairo ccid conman coolkey
 cpp cpuspeed crash cryptsetup-luks cups-libs cyrus-sasl cyrus-sasl-plain dbus dbus-glib dbus-libs dbus-python
 desktop-file-utils dhclient dhcpv6-client dmidecode dnsmasq dos2unix dosfstools dump ecryptfs-utils ed eject
 fbset file finger firstboot-tui flex fontconfig freetype ftp gamin gamin-python gcc gcc-c++ GConf2 gettext
 glibc-devel glibc-headers gnu-efi gnutls gpm groff gtk2 hal hesiod hdparm hicolor-icon-theme htmlview ibmasm
 ifd-egate ipsec-tools iptables-ipv6 iptraf iptstate irda-utils irqbalance jwhois kernel-PAE-devel kernel-devel
 kernel-headers keyutils krb5-workstation ksh kudzu lftp libaio libdaemon libevent libgcrypt libgomp libgpg-error
 libgssapi libhugetlbfs libICE libIDL libjpeg libnotify libpng libSM libstdc++-devel libtiff libvolume_id libwnck
 libX11 libXau libXcursor libXdmcp libXext libXfixes libXft libXi libXinerama libxml2-python libXrandr libXrender
 libXres logwatch lsof m4 mailcap mailx make man man-pages mdadm mgetty microcode_ctl mkbootdisk mlocate mtools
 mtr nano nc NetworkManager NetworkManager-glib newt nfs-utils nfs-utils-lib notification-daemon nscd nss_db
 nss_ldap nss-tools ntsysv numactl ORBit2 oddjob oddjob-libs pam_ccreds pam_krb5 pam_passwdqc pam_pkcs11 pam_smb
 pango parted patch pax pcmciautils pcsc-lite pcsc-lite-libs perl perl-String-CRC32 pinfo pkinit-nss pm-utils
 portmap ppp prelink procmail psacct pygobject2 quota rdate rdist readahead redhat-lsb redhat-menus rhpl rmt
 rng-utils rp-pppoe rsh rsync screen sendmail setarch setools setserial setuptool slang smartmontools sos specspo
 startup-notification stunnel sudo sysfsutils syslinux system-config-network-tui system-config-securitylevel-tui
 talk tcl tcpdump tcsh telnet time tmpwatch traceroute tree trousers unix2dos unzip udftools usbutils vconfig
 vim-enhanced wget wireless-tools words wpa_supplicant xorg-x11-filesystem ypbind yp-tools yum-updatesd zip
Warning: Please do not just blindly run that command without checking your system and really making sure you don't want / need this stuff.

I know some people might question my reasons for minimising the packages, but it has been good fun playing around inside the server and I have learnt so much from doing this. Having to go through and read through all of the individual packages, what they are there for and what they do has been invaluable.

Now I'm going to go and do some research and play around with IPv6.
 
Old 05-11-2011, 09:15 PM   #12
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.8, Centos 5.10
Posts: 17,241

Rep: Reputation: 2325
ipv4 & ipv6 are different protocols and you can run both (inc dual firewalls) at the same time.
At the moment there are very few systems that run ONLY ipv6. There are also various tools to allow ipv4 systems to connect to ipv6 and the reverse. Try googling ip6 to ipv4 tunnelling and such like eg http://ntrg.cs.tcd.ie/undergrad/4ba2...6/interop.html
 