Hardening CentOS

Hello,

Can anybody help me with some procedures to secure a CentOS server? I am going to use it for receiving files over Internet with SFTP.

Thank you,
Florin

Re: Hardening CentOS

A good place to start would be the Center For Internet Security Red Hat Enterprise Benchmark and the NSA Secure Configuration Guide. You could also check out the Security Blanket tool by Trusted Computing Solutions or Bastille.

Link farm:
http://www.nsa.gov/snac/downloads_redhat.cfm?MenuID=scg10.3.1.1
http://www.cisecurity.org/
http://www.trustedcs.com/SecurityBlanket.html
http://bastille-linux.sourceforge.net/

Florin Iliescu wrote:
> Hello,
>
> Can anybody help me with some procedures to secure a CentOS server? I am going to use it for receiving files over Internet with SFTP.
>
> Thank you,
>
> Florin

--
David Kennel

Re: Hardening CentOS

On Thu, Jul 3, 2008 at 11:53 PM, Florin Iliescu <iliescufm@...> wrote:
> Hello,
>
> Can anybody help me with some procedures to secure a CentOS server? I am going to use it for receiving files over Internet with SFTP.
>
> Thank you,
>

Shouldn't be different from RHEL, hence you might want to read the RHEL docs:

RHEL 5: http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.2/html/Deployment_Guide/pt-security.html
RHEL 4: http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/en-US/Security_Guide/

--
Regards,
Mohd Irwan Jamaluddin
Web: http://www.irwan.name/
Blog: http://blog.irwan.name/

Re: Hardening CentOS

Florin Iliescu wrote:
> Hello,
>
> Can anybody help me with some procedures to secure a CentOS server? I am going to use it for receiving files over Internet with SFTP.
>
>

http://www.nsa.gov/snac/downloads_redhat.cfm?MenuID=scg10.3.1.1

I also suggest use of SELinux.

--
Jeronimo Zucco
LPIC-1 Linux Professional Institute Certified
Núcleo de Processamento de Dados
Universidade de Caxias do Sul
http://jczucco.blogspot.com

Re: Hardening CentOS

http://www.howtoforge.com/bastille_firewall_centos

Florin Iliescu wrote:
> Hello,
>
> Can anybody help me with some procedures to secure a CentOS server? I am going to use it for receiving files over Internet with SFTP.
>
> Thank you,
>
> Florin

Re: Hardening CentOS

Florin Iliescu wrote:
> Can anybody help me with some procedures to secure a CentOS server? I
> am going to use it for receiving files over Internet with SFTP.
>
> Thank you,

Since CentOS is based on RHEL, you can use the NSA Guides:

Hardening Tips for the Red Hat Enterprise Linux 5
http://www.nsa.gov/snac/os/redhat/rhel5-pamphlet-i731.pdf

Guide to the Secure Configuration of Red Hat Enterprise Linux 5
http://www.nsa.gov/snac/os/redhat/rhel5-guide-i731.pdf

Regards,
Peter

RE: Hardening CentOS

I'd begin by checking out the CentOS LAMP Hardening project. It's not complete but mostly talks about what security software is used to secure a CentOS host. Below is the link:

http://www.securecentos.com/security.html

Also, run nessus against it as it has a suite of CentOS plug-ins in order to check related vulnerabilities.

Hope this helps.

Tony UcedaVelez, CISM, CISA, GSEC
VerSprite - Navigate Beyond Risk
www.versprite.com

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of Florin Iliescu
Sent: Thursday, July 03, 2008 11:54 AM
To: focus-linux@...
Subject: Hardening CentOS

Hello,

Can anybody help me with some procedures to secure a CentOS server? I am going to use it for receiving files over Internet with SFTP.

Thank you,
Florin

Re: Hardening CentOS

Florin Iliescu wrote:
> Hello,
>
> Can anybody help me with some procedures to secure a CentOS server? I am going to use it for receiving files over Internet with SFTP.
>
> Thank you,
>
> Florin

If I were you, what I would do is:

1. Close all ports from outside except port 22 with iptables,
2. establish ssh key + user name and password authentication,
3. if you know from which IPs connections are coming then use tcpwrappers (/etc/hosts.allow + /etc/hosts.deny) to allow sftp connection from specific ip addresses,
4. SFTP uses the same port as ssh. Actually it is a subsystem of ssh so users will be allowed to login to your system (will have shell on your machine),
5. system should be up to date all the time,
6. IDS/IPS ....

These are just some things I would consider. I hope it helps a little.

Best regards!
Jure

Re: Hardening CentOS

Florin,

I recommend a two prong approach. Do some general research into hardening Linux at places like SANS (www.sans.org) and Center for Internet Security (www.cisecurity.org). Basically update everything, disable unnecessary services, limit access. You should probably look at the Bastille hardening program (bastille-linux.sourceforge.net). I really think Bastille will help you. I hesitate to say stay away from SE Linux, but it can be quite a bear to get your apps running with it.

It's just as important to secure the app. You really need to look at the SFTP application you will be using and evaluate its security level. If you lock down the OS, block all the bad ports in the firewall, but leave the FTP app with weak security you're just wasting your time. Your server is only as secure as the weakest link. I know this is the Linux list, but you really will need to take a wider approach and secure the entire system.

A few other things to consider are backups and integrity checking. How much data loss is acceptable? How long will the files sit on the FTP server before they are copied/moved off? Tripwire is a great way to monitor critical files and notify the sysadmin if they change.

Best of luck,
Chase

>>> Florin Iliescu <iliescufm@...> 7/3/2008 11:53 AM >>>
Hello,

Can anybody help me with some procedures to secure a CentOS server? I am going to use it for receiving files over Internet with SFTP.

Thank you,
Florin

Re: Hardening CentOS

If this is behind a firewall then block all other ports on the firewall. If not then I would suggest IPTABLES for you. Also check for any services running that you do not need and disable them.

In addition to those basics, run your SFTP daemon as a local user to avoid exposing a service under root to the Internet. If your external users that will be using the service are fixed IP machines then allow only those machines. I would also suggest an IDS such as snort for example.

Other things to account for are services this machine offers to more than one network. If you have other services being offered to your internal LAN for example then you might want to bind each service to its corresponding network address to avoid external users, for example, using your internal services.

Could you tell me more about your setup and the machine?

Regards,
Mario

Re: Hardening CentOS

On Thu, Jul 3, 2008 at 8:53 AM, Florin Iliescu <iliescufm@...> wrote:
> Hello,
>
> Can anybody help me with some procedures to secure a CentOS server? I am going to use it for receiving files over Internet with SFTP.
>
> Thank you,
>
> Florin

1. Don't connect the server to the net until all other steps are done.
2. Apply all vendor supplied patches/updates and devise a plan for getting new updates in a timely manner.
3. Get yourself connected to a security email alert portal where you can find out about new vulnerabilities that might affect you. I suggest bugtraq.
4. Stop/disable all unnecessary services.
5. Do some research into SELinux and bastille to see if they can be of some benefit in your specific situation.
6. Scan your system with a network security tool such as Nessus. If you're doing this prior to launching into production you'll have the luxury of safely doing a penetrating test as opposed to a safer non-penetrating test. I'd suggest you let nessus down your server if it can. Better to know now than later. If your summary report doesn't come back all green, make sure you know why.

SSH/SFTP specific:

1. Ensure sshv1 is turned off (protocol 2 in your sshd_config).
2. Ensure that PermitRootLogin is set to 'no' in your sshd_config.
3. Ensure that your SSH daemon chroots (jail/sandbox) incoming connections. You don't want your users being able to traverse your / filesystem.
4. If at all possible, run your service on a non-standard port. This suggestion is inevitably followed by outcry that this is security by obscurity. To which I would reply that no, this is security through all and every means possible including, but not limited to, obscurity. In a nutshell, you can count on your SFTP server being pounded daily by automated brute force attacks. Moving the service off of port 22 will eliminate 90% of this traffic. Given that these attacks are largely based on the statistical probability that they will guess a password on one of your accounts, side stepping the majority of such attacks is only going to help you. And then there's the fact that this will chop the size of your auth logs to a fraction of what they would otherwise be.
5. Use a restrictive shell for connections.
6. Turn off PubkeyAuthentication.
7. Most importantly, manage your user accounts. Don't be afraid to implement a policy that locks accounts after N days of inactivity.

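As an added example (not part of the post above or of any project mentioned in this thread), the following script checks an sshd_config for the Protocol, PermitRootLogin and chroot items from the SSH/SFTP list and reports the configured port. The function names and the sample configuration are constructed for illustration, and it assumes an OpenSSH version that supports the ChrootDirectory keyword.

```shell
#!/bin/sh
# Added example: audit sshd_config for the SSH/SFTP items in the post above.
# Print the first global value of keyword $2 in file $1 (sshd keeps the first
# value it reads; keywords are case-insensitive). Stops at the first Match block.
sshd_value() {
    awk -v want="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(want) { print $2; exit }
    ' "$1"
}

# Succeed if ChrootDirectory is set (not "none") anywhere, Match blocks included.
has_chroot() {
    awk '/^[ \t]*#/ { next }
         tolower($1) == "chrootdirectory" && tolower($2) != "none" { ok = 1 }
         END { exit !ok }' "$1"
}

# Print PASS/FAIL for keyword $2 against expected value $3; return 1 on FAIL.
expect_value() {
    actual=$(sshd_value "$1" "$2" | tr 'A-Z' 'a-z')
    if [ "$actual" = "$3" ]; then echo "PASS $2 $actual"
    else echo "FAIL $2 ${actual:-unset} (want $3)"; return 1; fi
}

# Run all checks on file $1; return non-zero if any check failed.
audit_sshd_config() {
    rc=0
    expect_value "$1" Protocol 2         || rc=1
    expect_value "$1" PermitRootLogin no || rc=1
    if has_chroot "$1"; then echo "PASS ChrootDirectory set"
    else echo "FAIL ChrootDirectory unset"; rc=1; fi
    port=$(sshd_value "$1" Port)
    echo "INFO Port ${port:-22}"   # reported only; sshd defaults to 22
    return $rc
}

# Constructed sample config, not taken from any real host.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 2222
Protocol 2,1
permitrootlogin yes
PermitRootLogin no
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
EOF
audit_sshd_config "$sample" || echo "audit found problems"
rm -f "$sample"
```

On the sample, the duplicated PermitRootLogin line fails because the first value (`yes`) is the one sshd uses. Match-block overrides other than ChrootDirectory are not evaluated.
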
RE: Hardening CentOS

This could be useful for you:

http://anchorite.org/blog/2006/11/13/minimal-services-on-centos-44-mini-howto/

Regards,
Jerome

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of Florin Iliescu
Sent: Thursday, 3 July 2008 17:54
To: focus-linux@...
Subject: Hardening CentOS

Hello,

Can anybody help me with some procedures to secure a CentOS server? I am going to use it for receiving files over Internet with SFTP.

Thank you,
Florin

Re: Hardening CentOS

I recommend closing as many ports as possible. E.g.: If you need to ssh to the machine, allow port 22 only from known, trusted IPs and subnets. There are so many things you have to pay attention to, like patch management etc., that it would be best to use the NSA hardening guide or things like that.

Robert

Re: Hardening CentOS

flying mayo wrote:
>>
> My personal pre-production check list includes as a default:
>
> 6. Turn off PubkeyAuthentication

Out of curiosity, why do you recommend disabling keys?

--
Seth Mattinen sethm@...
Roller Network LLC

Re: Hardening CentOS

re

On Thu, 2008-07-03 at 08:53 -0700, Florin Iliescu wrote:
> Can anybody help me with some procedures to secure a CentOS server? I
> am going to use it for receiving files over Internet with SFTP.

see also: <http://tnt.aufbix.org/linux/centos>

Regards,
Andraz

--
BOFH excuse #388: Bad user karma.

Re: Hardening CentOS

David,

Thanks for the mention of Security Blanket. I've written a quick synopsis of the product and provided a link for a free trial here.

Security Blanket by Trusted Computer Systems Linux Solaris Hardening Lockdown

Re: Hardening CentOS

Here is a link to a YouTube demo of the 3.1 product that was shot at the RedHat Summit earlier this year. The new product coming out in Dec 2009 will also support Novell SUSE and OpenSUSE and Fedora 11.

http://tcs-security-blanket.blogspot.com/ is the technical blog for the product and has tons of great content.