LinuxQuestions.org, Linux - Security forum (all security related questions: tips, system compromises, firewalls, etc.)
hardening new CentOS system

#1  spaceageliving (CentOS), 10-06-2009, 01:38 AM


I'm in the process of hardening a new CentOS 5.3 server installation...this is the result of an nmap scan of the system currently:

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2009-10-05 23:23 PDT
Machine MIGHT actually be listening on probe port 80
DNS resolution of 1 IPs took 0.12s.
Initiating Connect() Scan at 23:23
Discovered open port 554/tcp
Discovered open port 21/tcp
Discovered open port 443/tcp
Discovered open port 80/tcp
Discovered open port 22/tcp
Discovered open port 8443/tcp
Discovered open port 111/tcp
Discovered open port 7070/tcp
Discovered open port 817/tcp
The Connect() Scan took 3.80s to scan 1680 total ports.
Initiating service scan against 9 services at 23:23
The service scan took 55.33s to scan 9 services on 1 host.
Initiating RPCGrind Scan at 23:24
The RPCGrind Scan took 1.02s to scan 2 ports
Host appears to be up ... good.
Interesting ports:
Not shown: 1664 closed ports
PORT STATE SERVICE VERSION
21/tcp open tcpwrapped
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
80/tcp open http Apache httpd 2.2.3 ((CentOS))
111/tcp open rpcbind 2 (rpc #100000)
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
443/tcp open ssl/http Apache httpd 2.2.3 ((CentOS))
445/tcp filtered microsoft-ds
554/tcp open tcpwrapped
817/tcp open status 1 (rpc #100024)
901/tcp filtered samba-swat
7070/tcp open tcpwrapped
8443/tcp open ssl/http Apache httpd 2.2.3 ((CentOS))

Nmap finished: 1 IP address (1 host up) scanned in 60.847 seconds

System is a web server running a PHP app with a single administrator. I think I only need ports 22/80/443 (before discussing mail services, which are off currently)...welcoming all feedback on how to tighten this up as much as possible. TIA!
 
#2  odcheck (Fedora, CentOS, RHEL, Debian), 10-06-2009, 05:06 AM
Did you run system-config-security at all?
'Hardening' depends on your needs; you could also play with SELinux and lock the system down with security domains and ACLs.
But first I would check whether the firewall is enabled at all.
 
#3  AlucardZero (Debian), 10-06-2009, 08:22 AM
Use your firewall.
 
#4  freelinuxtutorials, 10-06-2009, 09:07 AM
The easy way is to use the command "setup" and configure "System services" in the menu, allowing only what you need: remove the asterisk before a service so it will not start at boot, then allow the ssh, http and https ports only.
There is also a "Firewall Configuration" menu there to open certain ports.

Then start learning packet filtering via iptables.
 
#5  centosboy (centos5), 10-06-2009, 09:08 AM
Quote:
Originally Posted by spaceageliving
[post #1 quoted in full: the nmap scan of the new CentOS 5.3 server]

Before you go down the firewall route, it is best to turn off all services that are not needed, especially as there would still be access to your server on the 'allowed ports'.
Assuming you are running in runlevel 3, do a sweep to see which services are on and running in this runlevel.

Code:
chkconfig --list | awk '/3:on/ {print $1}'
from here - turn off services you do not need - and make sure they are not restarted at boot.

Code:
service <service> stop
and

Code:
chkconfig <service> off
will do this
 
#6  nomb (Debian Testing), 10-06-2009, 09:21 AM
Almost every reply to this thread was about hardening with iptables...
However there is a lot more to hardening a box. A good example is turning off running services that aren't needed as centosboy said, or changing config files for services to make them more secure like disallowing root login for ssh or chrooting ftp users to their home directories.

There are a lot of hardening guides out there, I would suggest maybe a good starting point would be reading the level 1 RHEL 5 hardening guide from the Center for Internet Security.

All of the benchmarks are here:
http://www.cisecurity.org/benchmarks.html

nomb

P.S. - Your box really shouldn't be on the internet while you are hardening it. Or before you get a known good baseline of your system using something like aide or tripwire.

Last edited by nomb; 10-06-2009 at 09:24 AM.
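nomb's point about tightening service configs, with "disallowing root login for ssh" as the example (chrism01 repeats it in post #15), has one trap worth showing: sshd uses the first active occurrence of a keyword, so appending "PermitRootLogin no" below an existing "PermitRootLogin yes" changes nothing. The script below is an added example, not code from anyone in this thread. The option set it enforces (Protocol 2, PermitRootLogin no, PermitEmptyPasswords no, MaxAuthTries 3, X11Forwarding no) is this example's choice for an internet-facing CentOS 5 web server, and the sshd_config it processes in the demo is a constructed sample.

```shell
#!/bin/sh
# Added example, not code from the thread: enforce "PermitRootLogin no" and a
# few related sshd_config settings without falling into sshd's first-match
# rule. sshd uses the FIRST active (uncommented) line for each keyword, so
# appending "PermitRootLogin no" below an existing "PermitRootLogin yes"
# changes nothing. set_sshd_option therefore removes every active line for
# the keyword and writes exactly one.
#
# The option set is this example's choice for an internet-facing CentOS 5
# web server, not something the thread prescribes.

# Constructed sample config for the demo below (not a real server's file).
SAMPLE_SSHD_CONFIG='# constructed sample sshd_config
Protocol 2,1
PermitRootLogin yes
#PermitRootLogin no
X11Forwarding yes
UsePAM yes'

# effective_value FILE KEYWORD -> the value sshd would use (first active line);
# empty when the keyword is not set and the compiled-in default applies
effective_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# set_sshd_option FILE KEYWORD VALUE -> leaves exactly one active line for KEYWORD
set_sshd_option() {
    file=$1; key=$2; val=$3
    tmp="$file.tmp.$$"
    cp -p "$file" "$tmp"                   # keep owner and mode (root:root 0600)
    awk -v k="$key" 'tolower($1) != tolower(k)' "$file" > "$tmp"
    printf '%s %s\n' "$key" "$val" >> "$tmp"
    mv "$tmp" "$file"
}

# harden_sshd_config FILE -> applies the option set, keeping a one-time backup
harden_sshd_config() {
    f=$1
    [ -f "$f.orig" ] || cp -p "$f" "$f.orig"
    set_sshd_option "$f" Protocol 2             # SSH-1 is broken; OpenSSH 4.3 still offers it
    set_sshd_option "$f" PermitRootLogin no     # log in as a user, then su -
    set_sshd_option "$f" PermitEmptyPasswords no
    set_sshd_option "$f" MaxAuthTries 3
    set_sshd_option "$f" X11Forwarding no
}

# audit_sshd_config FILE -> prints each mismatch, returns 1 if there is any
audit_sshd_config() {
    f=$1; rc=0
    for pair in Protocol=2 PermitRootLogin=no PermitEmptyPasswords=no MaxAuthTries=3 X11Forwarding=no; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(effective_value "$f" "$key")
        if [ "$have" != "$want" ]; then
            printf '%s: expected %s, got %s\n' "$key" "$want" "${have:-<unset>}"
            rc=1
        fi
    done
    return $rc
}

# demo -> runs the hardening against the constructed sample in a temp file
demo() {
    t=$(mktemp)
    printf '%s\n' "$SAMPLE_SSHD_CONFIG" > "$t"
    echo "before:"; audit_sshd_config "$t" || true
    harden_sshd_config "$t"
    echo "after:";  audit_sshd_config "$t" && echo "all checks pass"
    rm -f "$t" "$t.orig"
}

# Usage: sh sshd_harden.sh                       (demo on the sample)
#        sh sshd_harden.sh /etc/ssh/sshd_config && sshd -t && service sshd restart
case "${1:-demo}" in
    demo) demo ;;
    *)    harden_sshd_config "$1" && audit_sshd_config "$1" ;;
esac
```

Before running it against the real /etc/ssh/sshd_config, make sure a non-root account exists that can `su -`, keep one ssh session open, and only then `sshd -t && service sshd restart`; log in from a second session to confirm you are not locked out before closing the first.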
 
#7  spaceageliving (CentOS, original poster), 10-06-2009, 10:29 AM
Quote:
There are a lot of hardening guides out there, I would suggest maybe a good starting point would be reading the level 1 RHEL 5 hardening guide from the Center for Internet Security.
Thanks for this, will review. Sadly, I trust the info contained in the document is more structured and functional than their website--all the graphics links on their download page are broken, the filenames and download options don't match the docs, and their ssl cert doesn't validate in my browser :-( All in all it looks like an abandoned site...

Quote:
P.S. - Your box really shouldn't be on the internet while you are hardening it. Or before you get a known good baseline of your system using something like aide or tripwire.
Thanks, I do appreciate this...perhaps using the term "hardening" is a little too literal in this forum--perhaps I should have titled this "making my server more secure than it would otherwise be out of the box."
 
#8  spaceageliving (CentOS, original poster), 10-06-2009, 10:34 AM
Code:
chkconfig --list | awk '/3:on/ {print $1}'
acpid
anacron
apmd
atd
auditd
autofs
avahi-daemon
cpuspeed
crond
fail2ban
firstboot
gpm
haldaemon
hidd
httpd
irqbalance
kudzu
lvm2-monitor
mcstrans
mdmonitor
messagebus
microcode_ctl
mysqld
netfs
network
nfslock
pcscd
portmap
readahead_early
restorecond
rpcgssd
rpcidmapd
smartd
sshd
syslog
xinetd
yum-updatesd

While I'm reviewing this list, any input on obvious things to turn off for a web server-only config are much appreciated. I definitely don't need nfs, don't think I need anything rpc-related...
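As an added example (not code from centosboy or the OP), here is the runlevel-3 sweep from post #5 turned into an explicit allowlist: every service enabled in runlevel 3 that is not in KEEP gets a "chkconfig off && service stop" line. KEEP is an assumption for a box that needs only Apache/PHP, MySQL, sshd and basic housekeeping daemons; the chkconfig output embedded in the script is a constructed subset of the OP's list, used so the script can be tried on any machine.

```shell
#!/bin/sh
# Added example, not code from the thread: turn the runlevel-3 sweep from
# post #5 into an explicit allowlist. Services enabled in runlevel 3 that are
# not in KEEP get a "chkconfig off && service stop" line. The script only
# prints that plan; nothing changes until you pipe it to sh as root.
#
# KEEP is an assumption for a box that needs only Apache/PHP, MySQL, sshd and
# basic housekeeping (logging, cron, SELinux helpers, RAID/disk monitoring).
KEEP="acpid anacron auditd crond fail2ban httpd iptables irqbalance
lvm2-monitor mdmonitor microcode_ctl mysqld network restorecond smartd
sshd syslog yum-updatesd"

# Constructed subset of the OP's `chkconfig --list` output, used when no
# chkconfig binary is available so the script can be exercised anywhere.
SAMPLE_CHKCONFIG='avahi-daemon   0:off 1:off 2:off 3:on  4:on  5:on  6:off
hidd           0:off 1:off 2:on  3:on  4:on  5:on  6:off
httpd          0:off 1:off 2:on  3:on  4:on  5:on  6:off
iptables       0:off 1:off 2:off 3:off 4:off 5:off 6:off
nfslock        0:off 1:off 2:off 3:on  4:on  5:on  6:off
portmap        0:off 1:off 2:off 3:on  4:on  5:on  6:off
rpcgssd        0:off 1:off 2:off 3:on  4:on  5:on  6:off
sshd           0:off 1:off 2:on  3:on  4:on  5:on  6:off
xinetd based services:
        rsync:  off'

# in_keep NAME -> exit 0 if NAME is on the allowlist
in_keep() {
    for k in $KEEP; do
        [ "$k" = "$1" ] && return 0
    done
    return 1
}

# runlevel3_services CHKCONFIG_OUTPUT -> names enabled in runlevel 3
runlevel3_services() {
    printf '%s\n' "$1" | awk '/3:on/ {print $1}'
}

# to_disable CHKCONFIG_OUTPUT -> names that are on in runlevel 3 but not in KEEP
to_disable() {
    for svc in $(runlevel3_services "$1"); do
        in_keep "$svc" || printf '%s\n' "$svc"
    done
}

# disable_plan CHKCONFIG_OUTPUT -> one shell command per service to turn off
disable_plan() {
    for svc in $(to_disable "$1"); do
        printf 'chkconfig %s off && service %s stop\n' "$svc" "$svc"
    done
}

# Usage (as root): sh allowlist.sh > plan.sh; less plan.sh; sh plan.sh
main() {
    if command -v chkconfig >/dev/null 2>&1; then
        disable_plan "$(chkconfig --list)"
    else
        disable_plan "$SAMPLE_CHKCONFIG"
    fi
}

main "$@"
```

Review the plan before piping it to sh, then confirm with `netstat -tlnp` that only sshd, httpd and mysqld (ideally bound to 127.0.0.1 via bind-address in /etc/my.cnf) are listening, and re-run the nmap scan from outside. On the OP's list, portmap and nfslock are what put 111 (rpcbind) and 817 (status, rpc #100024, i.e. rpc.statd) on the scan; rpcgssd, rpcidmapd, netfs and autofs go with them. The three 'tcpwrapped' ports (21, 554, 7070) are not explained by anything in that list, so identify their owning processes with netstat before deciding what to stop. Turning iptables on is a separate step (anomie's `chkconfig iptables on` below), which is why it sits in KEEP.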
 
#9  spaceageliving (CentOS, original poster), 10-06-2009, 11:38 AM
CIS level 1 RHEL 5 hardening guide looks really good at first glance...thanks for this. Has an in depth guide to recommended services to enable/disable.
 
#10  nomb (Debian Testing), 10-06-2009, 02:25 PM
Not a problem. I am working on a plugin-based hardening program written in Python. The first set of modules I have made followed those guides I pointed you to, which is how I knew what is in them. I am hoping that others contribute modules to the program as well, but am OK making them myself if need be.

If you are interested, feel free to create an account on my website:
http://www.nombyte.com

The program isn't up yet, but I am going to send out an email from my site when it is.

1st release should be sometime this weekend.
 
#11  spaceageliving (CentOS, original poster), 10-06-2009, 03:04 PM
Quote:
If you are interested, feel free to create an account on my website:
http://www.nombyte.com
Thanks, just signed up and will watch for more info on your release...sounds like a great tool. I've already learned about fail2ban and rkhunter since hanging in here, both great.

While I'm digesting the appropriate level 3 services/ports I want active for my environment, can somebody share his/her experiences with appropriate firewall practices (beyond 'enable firewall' and 'use firewall')? I'm envisioning having very few active ports on the system, so what beyond that should/could the 'firewall' be configured to help with?

(PS: not looking for graduate-level defenses of the merits of firewalls in general but more specifically on a CentOS 5.3 web server what makes sense in order of priority from no-brainer to highly secure)
 
#12  nomb (Debian Testing), 10-06-2009, 04:31 PM
Best practice for firewalls is to drop everything and only allow what you consider acceptable traffic.

If you are running a simple web server it will be fairly easy for you.

I am leaving for work atm, but when I get home I can send you what I am currently using on my server, which serves an archlinux repo via http.

nomb
 
#13  anomie (RHEL, Scientific Linux, Debian, Fedora), 10-06-2009, 04:37 PM
Quote:
Originally Posted by spaceageliving
(PS: not looking for graduate-level defenses of the merits of firewalls in general but more specifically on a CentOS 5.3 web server what makes sense in order of priority from no-brainer to highly secure)
For starters, here's a general ruleset to allow inbound traffic to tcp ports 22, 80, and 443. You can fine tune it later if your needs evolve. Save the following to a file:
Code:
#!/bin/bash

# When finished editing and testing, remember to run: 
# %service iptables save

cmd='/sbin/iptables'

# flush
${cmd} -F

##### INPUT CHAIN #####

# standard stuff - loopback and stateful
${cmd} -A INPUT -i lo -j ACCEPT
${cmd} -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Log / allow in ssh 
${cmd} -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j LOG
${cmd} -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

# Allow in http
${cmd} -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j LOG
${cmd} -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

# Allow in https
${cmd} -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j LOG
${cmd} -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT

# allow pings in
${cmd} -A INPUT -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT

# default deny!
${cmd} -A INPUT -j DROP

exit 0
Next, run:
Code:
# bash ./file_you_saved_to
# service iptables save
# chkconfig iptables on
Running the script executes the iptables commands to build your ruleset. The "service" command saves the ruleset so that it survives a system reboot. The "chkconfig" command ensures that the iptables ruleset is loaded at boot time.

Last edited by anomie; 10-06-2009 at 04:38 PM.
 
#14  nomb (Debian Testing), 10-06-2009, 07:01 PM
Quote:
Originally Posted by anomie
[post #13 quoted in full: the example iptables ruleset for tcp 22, 80 and 443]
I'm going to have to disagree with your above example ruleset. If you are running a web server you aren't going to want to log every allowed in http and https connection.
 
#15  chrism01 (Rocky 9.2), 10-06-2009, 08:01 PM
True, Apache logs all accesses (& errors) by default. Pretty sure ssh does too, or you can configure it.
I'd only log at the iptables level for debug purposes. Just comment out those lines, but keep them there.
Incidentally, set PermitRootLogin no in sshd_config.
Log in as another user (if not on the console) and `su -` up.
There's a massive amount of auto scripts on the net trying to break in via root.
Your disk will fill up real quick if you log all that stuff above.
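Pulling posts #13 to #15 together, here is an added example (not anomie's script, nor anything else posted in the thread): the same 22/80/443 allowlist written in the iptables-save format that the CentOS 5 iptables init script loads from /etc/sysconfig/iptables, with a DROP policy instead of a trailing DROP rule, rate-limited logging of new ssh connections and of dropped packets only, and no logging of web traffic. ADMIN_NET is an assumption (the address or network you administer from); leaving it at 0.0.0.0/0 reproduces anomie's open ssh rule. The check_ruleset function encodes the three properties the thread settled on so a later edit cannot silently undo them.

```shell
#!/bin/sh
# Added example, not code from any post in the thread: anomie's allowlist in
# the iptables-save format CentOS 5 loads from /etc/sysconfig/iptables, with
# the points nomb and chrism01 raise folded in:
#   * INPUT policy is DROP, so a missed rule fails closed;
#   * only NEW ssh connections and the final drops are logged, and both are
#     rate-limited so a scan or brute-force run cannot fill /var/log/messages;
#   * http/https are never logged here (Apache's access_log already has them).
# ADMIN_NET is an assumption: the network you administer from. 0.0.0.0/0
# keeps ssh open to the world exactly as anomie's ruleset does.

ADMIN_NET=${ADMIN_NET:-0.0.0.0/0}
RULES_FILE=${RULES_FILE:-/etc/sysconfig/iptables}

# gen_ruleset -> prints the complete ruleset in iptables-save/restore format
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and already-established traffic
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# ping, rate-limited
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
# ssh: log new connections (rate-limited), then accept from ADMIN_NET only
-A INPUT -p tcp --dport 22 -m state --state NEW -m limit --limit 3/minute --limit-burst 10 -j LOG --log-prefix "FW ssh new: "
-A INPUT -p tcp --dport 22 -m state --state NEW -s $ADMIN_NET -j ACCEPT
# web: accept, no logging (Apache logs every request itself)
-A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
# everything else: sample the drops, then the DROP policy applies
-A INPUT -m limit --limit 3/minute --limit-burst 10 -j LOG --log-prefix "FW drop: "
COMMIT
EOF
}

# check_ruleset -> 0 if the generated rules keep the three properties above
check_ruleset() {
    r=$(gen_ruleset)
    printf '%s\n' "$r" | grep -q '^:INPUT DROP' || { echo "INPUT policy is not DROP"; return 1; }
    if printf '%s\n' "$r" | grep -- '-j LOG' | grep -qv -- '-m limit'; then
        echo "a LOG rule has no rate limit"; return 1
    fi
    if printf '%s\n' "$r" | grep -- '80,443' | grep -q -- '-j LOG'; then
        echo "http/https traffic is being logged"; return 1
    fi
    return 0
}

# install_ruleset -> writes the file, loads it, makes it persistent, shows it.
# Do this from the console or with a second ssh session open: a typo in the
# ssh rule locks you out.
install_ruleset() {
    [ -f "$RULES_FILE" ] && cp -p "$RULES_FILE" "$RULES_FILE.bak"
    gen_ruleset > "$RULES_FILE"
    service iptables restart && chkconfig iptables on
    iptables -L INPUT -n -v --line-numbers
}

# Usage: sh fw.sh            (print the ruleset)
#        sh fw.sh check      (verify the invariants)
#        sh fw.sh install    (as root; check first)
case "${1:-print}" in
    check)   check_ruleset ;;
    install) check_ruleset && install_ruleset ;;
    *)       gen_ruleset ;;
esac
```

`service iptables restart` feeds the file through iptables-restore, and `chkconfig iptables on` keeps it across reboots. If you would rather stay with anomie's script, the equivalent change is to add `-m limit --limit 3/minute --limit-burst 10` to whichever LOG lines you keep and delete (or, as chrism01 says, comment out) the http and https LOG lines.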
 
  

