LinuxQuestions.org
Did you know LQ has a Linux Hardware Compatibility List?
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 04-24-2010, 05:09 PM   #1
paulsm4
Guru
 
Registered: Mar 2004
Distribution: SusE 8.2
Posts: 5,863
Blog Entries: 1

Rep: Reputation: Disabled
Quick, Easy "Security Cheat Sheet" for new Centos 5.4 VPS?


Hi -

I looked at the sticky ...

... but does anybody have any recommendations for establishing "basic security" on a new Centos 5.4 VPS?

I just want to make sure:

a) I've done "due diligence" to prevent compromises
<= I'm looking for pretty much the Linux equivalent of enabling Windows Firewall and installing Symantec or McAfee

b) If, for whatever reason, I *am* compromised, I have a fighting chance of detecting it

Thank you very much in advance .. PSM
 
Old 04-24-2010, 06:17 PM   #2
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Quote:
Originally Posted by paulsm4 View Post
Hi -

I looked at the sticky ...

... but does anybody have any recommendations for establishing "basic security" on a new Centos 5.4 VPS?

I just want to make sure:

a) I've done "due diligence" to prevent compromises
<= I'm looking for pretty much the Linux equivalent of enabling Windows Firewall and installing Symantec or McAfee

b) If, for whatever reason, I *am* compromised, I have a fighting chance of detecting it

Thank you very much in advance .. PSM
The NSA has a security guide for RHEL 5 (I believe that's pretty close to CentOS 5.4) on their website. As for firewall and antivirus, you already have iptables installed, and you can stick with McAfee if you really want to.

Last edited by win32sux; 04-24-2010 at 06:19 PM.
 
Old 04-24-2010, 08:15 PM   #3
paulsm4
Guru
 
Registered: Mar 2004
Distribution: SusE 8.2
Posts: 5,863
Blog Entries: 1

Original Poster
Rep: Reputation: Disabled
Hi -

Thank you, but the NSA guidelines are the EXACT OPPOSITE of what I'm looking for. They're 182 pages of advice like "disable your USB ports", "use centralized authentication", and "enable SE Linux".

No: I'm looking for something short, simple and eminently practical.

Preferably somthing oriented toward "VPS Linux" in general, and "Centos 5.4" in particular. For an internet-facing, single-user environment.

Any suggestions?

Thank you in advance .. PSM

Last edited by paulsm4; 04-24-2010 at 08:17 PM.
 
Old 04-24-2010, 10:32 PM   #4
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Quote:
Originally Posted by paulsm4 View Post
Hi -

Thank you, but the NSA guidelines are the EXACT OPPOSITE of what I'm looking for. They're 182 pages of advice like "disable your USB ports", "use centralized authentication", and "enable SE Linux".

No: I'm looking for something short, simple and eminently practical.

Preferably somthing oriented toward "VPS Linux" in general, and "Centos 5.4" in particular. For an internet-facing, single-user environment.

Any suggestions?

Thank you in advance .. PSM
The closest thing I can think of is Bastille, which will walk you through its hardening steps with information about each one. Maybe there's a package of it available for your CentOS version? BTW, since you're looking for the equivalent of something you saw for Windows, maybe you could post a link to that so we could have a more precise idea of what you seek?
 
1 members found this post helpful.
Old 04-24-2010, 11:18 PM   #5
paulsm4
Guru
 
Registered: Mar 2004
Distribution: SusE 8.2
Posts: 5,863
Blog Entries: 1

Original Poster
Rep: Reputation: Disabled
Hi -

Thanx for the suggestion. I'll post back what I find (this might be a good opportunity to play with LQ blogs for the first time).

My new VPS comes with an iptables firewall (yay!), the iptables is enabled (yay!) .... but it's the default configuration: absolutely no rules. Essentially, no firewall

The VPS service also offers (optional) Plesk control panel and applets. I installed a bunch of the Plesk stuff: including Kapersky A/V and Plesk's own firewall. Which pretty much covers the "Windows firewall and McAfee" I mentioned (as generic metaphors, not necessarily specific items that I actually wanted to duplicate on Linux) earlier.

I was hoping to find a short (1 page or less) "Linux VPS Security for Dummies" kind of "how-to". I'm sure they exist - but I haven't found one yet. And, unfortunately, the things cited in the LQ "security" sticky seem to be relatively old (some of the links are actually broken) and not particularly relevant to my particular needs (IMHO).

Anyway - thanx again for the suggestions, and please let me know if you think of anything else.

Last edited by paulsm4; 04-24-2010 at 11:23 PM.
 
Old 04-26-2010, 02:19 PM   #6
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
I have a RHEL/CentOS 5 system "baseline" that I put together. It's both basic and easy to follow. (Read: it's certainly not comprehensive or specific to any one situation.) Here's a summarized version.

Install time:
  • Put /, /home, /tmp, and /var on separate filesystems
  • Set a grub bootloader password
  • For packages, select "Customize Now", and install only "Base System -> Base"
  • Skip all the Setup Agent options - just exit

Post install steps:
  1. Enable a very basic packet filtering ruleset (i.e. allow IPv4 ssh connections, and drop everything else)
    Code:
    # iptables -F
    # iptables -A INPUT -i lo -j ACCEPT 
    # iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
    # iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
    # iptables -A INPUT -j DROP
    # service iptables save && chkconfig iptables on
  2. Update packages with yum
  3. Enforce strong passwords system-wide (see following diff)
    Code:
    # rcsdiff -u /etc/pam.d/system-auth
    ===================================================================
    RCS file: /etc/pam.d/RCS/system-auth,v
    retrieving revision 1.1
    diff -u -r1.1 /etc/pam.d/system-auth
    --- /etc/pam.d/system-auth	2009/11/12 02:02:31	1.1
    +++ /etc/pam.d/system-auth	2009/11/12 18:33:28
    @@ -10,7 +10,7 @@
     account     sufficient    pam_succeed_if.so uid < 500 quiet
     account     required      pam_permit.so
     
    -password    requisite     pam_cracklib.so try_first_pass retry=3
    +password    requisite    pam_passwdqc.so min=disabled,disabled,15,12,12 random=0
     password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
     password    required      pam_deny.so
  4. Ensure the following sshd_config directives are in place
    Code:
    Protocol 2
    AddressFamily inet
    PermitRootLogin no
    then
    Code:
    # service sshd reload
  5. Review enabled services (there are a lot)
    Code:
    # chkconfig --list | grep ':on' | awk '{print $1}' > on-by-default
    ... and disable unneeded ones
  6. Install and configure ntp

-------

That's the starting point for everything else I do to each system.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: Google Talk Cheat Sheet LXer Syndicated Linux News 0 01-18-2010 10:11 PM
LXer: Truth is Treason in the Empire of Lies: Linspire "Fact Sheet" Coming Soon LXer Syndicated Linux News 0 04-14-2008 04:50 AM
discovered easy "cheat" to get slackware installed with raid nemestrinus LinuxQuestions.org Member Success Stories 0 01-02-2007 11:51 PM
LXer: My MySQL - Cheat Sheet LXer Syndicated Linux News 0 01-20-2006 09:01 AM
Linux command cheat sheet freddieB Linux - General 1 02-22-2002 10:50 AM


All times are GMT -5. The time now is 04:31 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration