Linux/RHEL: Difference between revisions
From Bibliotheca Anonoma
Antonizoon (talk | contribs) |
Antonizoon (talk | contribs) (→Facts) |
||
Line 7: | Line 7: | ||
* RHEL uses the YUM package manager, and RPMs as package files. | * RHEL uses the YUM package manager, and RPMs as package files. | ||
* RHEL 7 will remain supported as the main version until 2019. | * RHEL 7 will remain supported as the main version until 2019. | ||
* SELinux is used as the primary Mandatory Access Control System. | * SELinux is used as the primary Mandatory Access Control System. If you don't like SELinux, tough luck, use Debian for AppArmor. | ||
** If you are using OpenVZ, SELinux will have to be disabled, so you might as well use Debian/Ubuntu with AppArmor. | |||
* Systemd is used as the primary initscript system. | * Systemd is used as the primary initscript system. | ||
Revision as of 15:16, 5 October 2017
Red Hat Enterprise Linux (and it's open-source clone, CentOS) is a popular Linux distribtuion targeting the corporate server market.
Facts
- RHEL and CentOS are effectively interchangeable when it comes to support instructions.
- RHEL offers an extended support level for corporations, though when it comes to us we take care of our own servers.
- RHEL uses the YUM package manager, and RPMs as package files.
- RHEL 7 will remain supported as the main version until 2019.
- SELinux is used as the primary Mandatory Access Control System. If you don't like SELinux, tough luck, use Debian for AppArmor.
- If you are using OpenVZ, SELinux will have to be disabled, so you might as well use Debian/Ubuntu with AppArmor.
- Systemd is used as the primary initscript system.
Initial Setup
- Set up a as admin with sudo and ssh key, as well as any other users. Also set up a password (it's like a PIN, last line of defense against privilege escalation).
- Do not allow root user login via SSH. If this is enabled, disable it.
- For AWS, The private key created by Amazon should only be used in case of emergency by the effective owner (if other admins forget their passphrases or passwords).
- Change the hostname to the current one using hostnamectl.
- Set up the EPEL repository.
- Install Byobu, and enable it for all new users.
- Set up Nginx and also Server Blocks to make things easier.
Hardening
- First, make sure to disable password authentication and use an SSH key to log in. Since SSH keys authenticate with asymmetric encryption, they cannot be brute forced by an attacker.
- Next, change the SSH port from 22 and make sure to register this change with SELinux. Although all this does is hide the login port, it goes a long way to stopping automated SSH bots which try the basic ports and then leave.
Tools worth Using
- SELinux - Mandatory Access Control, to stop exploits by preventing applications from exhibiting unauthorized behavior, even if they have root access.
- If you're on OpenVZ and cannot use SELinux, an AppArmor compatible system such as Debian/Ubuntu/OpenSUSE is probably a better idea. But if you need CentOS anyway, consider setting up SMACK as an alternative, a MAC system integrated into the Linux kernel.
- Fail2Ban - Looks out for malicious or excessive SSH login attempts and then bans them.
- Smart - Check the health of your drives and notify the admin by email or whatever if they are bad.
- Logwatch - Send the admin a digest of what's happened daily.
---
- Good Hardening Guide - Good practices and tools to use.
- [1]
- Part 1: Basic Bare Metal Security - Fix the gaping holes in security in hardware and system setup before moving on to the software fixes.
- Part 2: Advanced Software Security - Software level methods to harden CentOS
RHEL
On Red Hat, you will want to utilize package subscription channels. CentOS's corresponding elements are EPEL.
https://access.redhat.com/solutions/265523
yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional