Linux/RHEL: Difference between revisions
From Bibliotheca Anonoma
Latest revision as of 15:20, 5 October 2017
Red Hat Enterprise Linux (and its open-source clone, CentOS) is a popular Linux distribution targeting the corporate server market.
Facts
- RHEL and CentOS are effectively interchangeable when it comes to support instructions.
- RHEL offers an extended support level for corporations, though when it comes to us we take care of our own servers.
- RHEL uses the YUM package manager, and RPMs as package files.
- RHEL 7 will remain supported as the main version until 2019.
- SELinux is used as the primary Mandatory Access Control System. If you don't like SELinux, tough luck, use Debian for AppArmor.
- Systemd is used as the primary initscript system.
Initial Setup
- Set up an admin user with sudo and an SSH key, as well as any other users. Also set up a password for the admin user (it's like a PIN, the last line of defense against privilege escalation).
- Do not allow root user login via SSH. If this is enabled, disable it.
- For AWS, the private key created by Amazon should only be used in case of emergency by the effective owner (if other admins forget their passphrases or passwords).
- Change the hostname to the current one using hostnamectl.
- Set up the EPEL repository.
- Install Byobu, and enable it for all new users.
- Set up Nginx and also Server Blocks to make things easier.
Hardening
- First, make sure to disable password authentication and use an SSH key to log in. Since SSH keys authenticate with asymmetric encryption, they cannot be brute-forced by an attacker.
- Next, change the SSH port from the default 22 and make sure to register this change with SELinux. Although all this does is hide the login port, it goes a long way to stopping automated SSH bots, which try the basic ports and then leave.
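As an added example (not from the wiki page), a POSIX shell audit for the two steps above: it reads an sshd_config the way sshd does (the first uncommented occurrence of a directive wins) and reports whether password logins and root logins are off and the port has been moved off 22, and it wraps the SELinux and firewalld commands that register the new port on RHEL 7. The sample config is constructed for the demo; the function names are my own.

```shell
#!/bin/sh
# sshd_setting FILE DIRECTIVE: print the effective value of a directive.
# sshd honours the FIRST uncommented occurrence and matches directive
# names case-insensitively, so the audit does the same.
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# audit_sshd_config [FILE]: return 0 only if password auth is off, root
# login is off and the port is not 22. An absent directive is treated as
# NOT hardened (sshd falls back to its own, more permissive default).
audit_sshd_config() {
    cfg="${1:-/etc/ssh/sshd_config}"
    rc=0
    pw=$(sshd_setting "$cfg" PasswordAuthentication)
    root=$(sshd_setting "$cfg" PermitRootLogin)
    port=$(sshd_setting "$cfg" Port)
    [ "$pw" = "no" ] || { echo "FAIL: PasswordAuthentication should be no (got '${pw:-unset}')"; rc=1; }
    [ "$root" = "no" ] || { echo "FAIL: PermitRootLogin should be no (got '${root:-unset}')"; rc=1; }
    { [ -n "$port" ] && [ "$port" != "22" ]; } || { echo "FAIL: Port should be moved off 22 (got '${port:-unset}')"; rc=1; }
    return $rc
}

# register_ssh_port PORT: tell SELinux and firewalld about the new port,
# then validate the config before restarting sshd. Needs root and, on
# RHEL 7, the policycoreutils-python package for semanage. Not run here.
register_ssh_port() {
    semanage port -a -t ssh_port_t -p tcp "$1" \
        || semanage port -m -t ssh_port_t -p tcp "$1" \
        || return 1
    firewall-cmd --permanent --add-port="$1/tcp" && firewall-cmd --reload || return 1
    sshd -t && systemctl restart sshd
}

# Constructed sample sshd_config (not a real host's file). The second
# PasswordAuthentication line is ignored by sshd, and so by the audit.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# constructed sample for the demo
Port 2222
PermitRootLogin no
PasswordAuthentication no
PasswordAuthentication yes
EOF

audit_sshd_config "$SAMPLE_CFG" && echo "sample config: hardened"
```

Run it as root with no argument to audit the live /etc/ssh/sshd_config; a non-zero exit means at least one of the two steps is still missing.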
Tools worth Using
- SELinux - Mandatory Access Control, to stop exploits by preventing applications from exhibiting unauthorized behavior, even if they have root access.
- Notice that OpenVZ cannot use SELinux: it would be ineffective anyway. The Host kernel has to handle Mandatory Access Control for all containers, and Proxmox OpenVZ does this with AppArmor. If this is not acceptable, use KVM instead.
- Fail2Ban - Looks out for malicious or excessive SSH login attempts and then bans them.
- SMART - Check the health of your drives and notify the admin by email or whatever if they are bad.
- Logwatch - Send the admin a digest of what's happened daily.
---
- Good Hardening Guide (https://highon.coffee/blog/security-harden-centos-7/) - Good practices and tools to use.
- CentOS 7 Server Hardening Guide (http://stealingthe.network/centos-7-server-hardening-guide/)
- Part 1: Basic Bare Metal Security (https://www.tecmint.com/security-and-hardening-centos-7-guide/) - Fix the gaping holes in security in hardware and system setup before moving on to the software fixes.
- Part 2: Advanced Software Security (https://www.tecmint.com/centos-7-hardening-and-security-guide/) - Software-level methods to harden CentOS.
RHEL
On Red Hat, you will want to use the package subscription channels; on CentOS the corresponding repository is EPEL.
https://access.redhat.com/solutions/265523
yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional