Linux/RHEL: Difference between revisions

From Bibliotheca Anonoma
 
(One intermediate revision by the same user not shown)
Line 8: Line 8:
* RHEL 7 will remain supported as the main version until 2019.
* RHEL 7 will remain supported as the main version until 2019.
* SELinux is used as the primary Mandatory Access Control System. If you don't like SELinux, tough luck, use Debian for AppArmor.
* SELinux is used as the primary Mandatory Access Control System. If you don't like SELinux, tough luck, use Debian for AppArmor.
** If you are using OpenVZ, SELinux will have to be disabled, so you might as well use Debian/Ubuntu with AppArmor.
* Systemd is used as the primary initscript system.
* Systemd is used as the primary initscript system.


Line 29: Line 28:


* [[SELinux]] - Mandatory Access Control, to stop exploits by preventing applications from exhibiting unauthorized behavior, even if they have root access.
* [[SELinux]] - Mandatory Access Control, to stop exploits by preventing applications from exhibiting unauthorized behavior, even if they have root access.
** If you're on OpenVZ and cannot use SELinux, an AppArmor compatible system such as Debian/Ubuntu/OpenSUSE is probably a better idea. But if you need CentOS anyway, consider setting up SMACK as an alternative, a MAC system integrated into the Linux kernel.
** Notice that OpenVZ cannot use SELinux: it would be ineffective anyway. The Host kernel has to handle Mandatory Access Control for all containers, and Proxmox OpenVZ does this with AppArmor. If this is not acceptable, use KVM instead.  
* [[Fail2Ban]] - Looks out for malicious or excessive SSH login attempts and then bans them.
* [[Fail2Ban]] - Looks out for malicious or excessive SSH login attempts and then bans them.
* Smart - Check the health of your drives and notify the admin by email or whatever if they are bad.
* Smart - Check the health of your drives and notify the admin by email or whatever if they are bad.

Latest revision as of 15:20, 5 October 2017

Red Hat Enterprise Linux (and it's open-source clone, CentOS) is a popular Linux distribtuion targeting the corporate server market.

Facts[edit]

  • RHEL and CentOS are effectively interchangeable when it comes to support instructions.
  • RHEL offers an extended support level for corporations, though when it comes to us we take care of our own servers.
  • RHEL uses the YUM package manager, and RPMs as package files.
  • RHEL 7 will remain supported as the main version until 2019.
  • SELinux is used as the primary Mandatory Access Control System. If you don't like SELinux, tough luck, use Debian for AppArmor.
  • Systemd is used as the primary initscript system.

Initial Setup[edit]

  1. Set up a as admin with sudo and ssh key, as well as any other users. Also set up a password (it's like a PIN, last line of defense against privilege escalation).
    • Do not allow root user login via SSH. If this is enabled, disable it.
    • For AWS, The private key created by Amazon should only be used in case of emergency by the effective owner (if other admins forget their passphrases or passwords).
  2. Change the hostname to the current one using hostnamectl.
  3. Set up the EPEL repository.
  4. Install Byobu, and enable it for all new users.
  5. Set up Nginx and also Server Blocks to make things easier.

Hardening[edit]

  1. First, make sure to disable password authentication and use an SSH key to log in. Since SSH keys authenticate with asymmetric encryption, they cannot be brute forced by an attacker.
  2. Next, change the SSH port from 22 and make sure to register this change with SELinux. Although all this does is hide the login port, it goes a long way to stopping automated SSH bots which try the basic ports and then leave.

Tools worth Using[edit]

  • SELinux - Mandatory Access Control, to stop exploits by preventing applications from exhibiting unauthorized behavior, even if they have root access.
    • Notice that OpenVZ cannot use SELinux: it would be ineffective anyway. The Host kernel has to handle Mandatory Access Control for all containers, and Proxmox OpenVZ does this with AppArmor. If this is not acceptable, use KVM instead.
  • Fail2Ban - Looks out for malicious or excessive SSH login attempts and then bans them.
  • Smart - Check the health of your drives and notify the admin by email or whatever if they are bad.
  • Logwatch - Send the admin a digest of what's happened daily.

---

RHEL[edit]

On Red Hat, you will want to utilize package subscription channels. CentOS's corresponding elements are EPEL.

https://access.redhat.com/solutions/265523

yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional

Databases[edit]