Linux/RHEL: Difference between revisions
From Bibliotheca Anonoma
Antonizoon (talk | contribs)
Revision as of 23:51, 4 October 2017
Red Hat Enterprise Linux (and its open-source clone, CentOS) is a popular Linux distribution targeting the corporate server market.
Facts
- RHEL and CentOS are effectively interchangeable when it comes to support instructions.
- RHEL offers an extended support level for corporations, though when it comes to us we take care of our own servers.
- RHEL uses the YUM package manager, and RPMs as package files.
- RHEL 7 will remain supported as the main version until 2019.
- SELinux is used as the primary Mandatory Access Control System.
- Systemd is used as the primary initscript system.
Initial Setup
- Set up a user as admin with sudo and an SSH key, as well as any other users. Also set up a password (it's like a PIN, the last line of defense against privilege escalation).
- Do not allow root user login via SSH. If this is enabled, disable it.
- For AWS, the private key created by Amazon should only be used in case of emergency by the effective owner (if other admins forget their passphrases or passwords).
- Change the hostname to the current one using hostnamectl.
- Set up the EPEL repository.
- Install Byobu, and enable it for all new users.
- Set up Nginx and also Server Blocks to make things easier.
Hardening
- First, make sure to disable password authentication and use an SSH key to log in. Since SSH keys authenticate with asymmetric cryptography, an attacker cannot brute force them the way they can guess a password.
- Next, change the SSH port from 22 and make sure to register this change with SELinux. Although all this does is hide the login port, it goes a long way to stopping automated SSH bots which try the basic ports and then leave.
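As an added example (not part of the original wiki page), the script below checks an sshd_config file for the items above: password authentication off, root login off, and a non-default port, and prints the semanage command that registers the new port with SELinux. The function names and the sample config are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: audit an sshd_config file for the
# Initial Setup and Hardening items. Function names are hypothetical.

# Print the first global value of a keyword. sshd uses the first occurrence,
# keywords are case-insensitive, and "Match" starts conditional overrides.
first_value() {
    awk -F '[ \t=]+' -v key="$2" '
        { sub(/^[ \t]+/, "") }
        /^#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Print findings; the return status is the number of failed checks.
audit_sshd_config() {
    local file="$1" failures=0 key val port
    for key in PasswordAuthentication PermitRootLogin; do
        val=$(first_value "$file" "$key")
        if [ "$val" != "no" ]; then
            echo "FAIL $key is '${val:-unset}', want 'no'"
            failures=$((failures + 1))
        fi
    done
    port=$(first_value "$file" Port)
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        echo "FAIL Port is '${port:-unset}', want a non-default port"
        failures=$((failures + 1))
    else
        # SELinux only lets sshd bind ports labelled ssh_port_t.
        echo "NOTE label the port: semanage port -a -t ssh_port_t -p tcp $port"
    fi
    return "$failures"
}

# Constructed sample config: the later "PasswordAuthentication no" is ignored
# because the first occurrence wins, and the Match block is not global.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a real host
Port 2222
passwordauthentication yes
PasswordAuthentication no
Match User backup
    PermitRootLogin no
EOF
audit_sshd_config "$sample" || echo "$? failed check(s)"
rm -f "$sample"
```

On a live host, `sshd -T` prints the effective configuration after all files are parsed, which is the authoritative thing to check before restarting the service.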
Tools worth Using
- SELinux - Mandatory Access Control, to stop exploits by preventing applications from exhibiting unauthorized behavior, even if they have root access.
- Fail2Ban - Looks out for malicious or excessive SSH login attempts and then bans them.
- Smart - Check the health of your drives and notify the admin by email or whatever if they are bad.
- Logwatch - Send the admin a digest of what's happened daily.
---
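- Good Hardening Guide (https://highon.coffee/blog/security-harden-centos-7/) - Good practices and tools to use.
- http://stealingthe.network/centos-7-server-hardening-guide/
- Part 1: Basic Bare Metal Security (https://www.tecmint.com/security-and-hardening-centos-7-guide/) - Fix the gaping holes in security in hardware and system setup before moving on to the software fixes.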
- Part 2: Advanced Software Security - Software level methods to harden CentOS
RHEL
On Red Hat, you will want to use package subscription channels. The CentOS counterpart is EPEL.
https://access.redhat.com/solutions/265523
yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional