hardening centos

Upload: eky-adhiputra

Post on 08-Jul-2018


  • 8/19/2019 Hardening CentOS

    1/38

    Hardening CentOS Linux Servers:The Ninja way

    Lorenzo Martínez R. (@lawwait)


    2/38

    Hardening CentOS Linux

    © All Rights reserved

    Thanks Karanbir!

    3/38

    [root@localhost ~]# whoami

    • 13 years of security professional experience
    • Integrators -> Vendors -> Entrepreneur
    • CTO && Founder www.securizame.com
    • ANCITE (www.ancite.es)
    • CISSP, CISA
    • www.SecurityByDefault.com editor
    • Tools: Securewin, amispammer, scalparser
    • Twitter: @lawwait, @securizame, @secbydefault
    • Email: [email protected]

    4/38

    Why did I choose CentOS?

    • Red Hat 8 & 9
    • Fedora Core
    • LTS Distros: Debian, RHEL, Suse, Ubuntu, ...
    • Now: RHEL, CentOS, Scientific Linux, Oracle

    5/38

    6/38

    What will the server do?

    7/38

    What will the server do?

    8/38

    Linux and the NSA

    9/38

    Disabling SELinux

    10/38

    Linux Internals

    • Virtual File system /proc

    11/38

    Kernel Parameters

    12/38

    Sysctl Support

    13/38

    Disabling IPv6

    14/38

    /etc/sysctl.conf

    15/38

    /etc/sysctl.conf

    • net.ipv4.ip_forward = 0 -> # Controls IP packet forwarding
    • net.ipv4.conf.default.rp_filter = 1 -> # Controls source route verification
    • net.ipv4.conf.default.accept_source_route = 0 -> # Do not accept source routing
    • kernel.sysrq = 0 -> # Controls the System Request debugging functionality of the kernel
    • kernel.core_uses_pid = 1 -> # Controls whether core dumps will append the PID to the core filename
    • net.ipv4.tcp_syncookies = 1 -> # Controls the use of TCP syncookies

    16/38

    /etc/sysctl.conf

    • net.bridge.bridge-nf-call-ip6tables = 0 -> # Disable netfilter on bridges
    • net.bridge.bridge-nf-call-iptables = 0
    • net.bridge.bridge-nf-call-arptables = 0
    • kernel.panic = 5 -> # Reboot 5 seconds after kernel panic
    • net.ipv4.tcp_fin_timeout = 15 -> # Decrease the default value for tcp_fin_timeout connection
    • net.ipv4.tcp_keepalive_time = 1800 -> # Decrease the default value for tcp_keepalive_time connection
    • net.ipv4.tcp_window_scaling = 0 -> # Turn off the tcp_window_scaling

    17/38

    /etc/sysctl.conf

    • net.ipv4.tcp_sack = 0 -> # Turn off the tcp_sack
    • net.ipv4.tcp_timestamps = 0 -> # Turn off the tcp_timestamps
    • net.ipv4.icmp_echo_ignore_broadcasts = 1 -> # Enable ignoring broadcasts request
    • net.ipv4.icmp_ignore_bogus_error_responses = 1 -> # Enable bad error message protection
    • net.ipv4.conf.all.log_martians = 1 -> # Log Spoofed Packets, Source Routed Packets, Redirect Packets
    • kernel.shmmax = 268435456 -> # Set maximum amount of memory allocated to shm to 256MB

    18/38

    /etc/sysctl.conf

    • net.ipv4.tcp_max_syn_backlog = 1280 -> # Increases the size of the socket queue (effectively, q0)
    • net.ipv4.tcp_mem = 57344 57344 65536 -> # Increase the maximum total TCP buffer-space allocatable
    • net.ipv4.tcp_wmem = 32768 65536 524288 -> # Increase the maximum TCP write-buffer-space allocatable
    • net.ipv4.tcp_rmem = 98304 196608 1572864 -> # Increase the maximum TCP read-buffer space allocatable
    • net.core.rmem_max = 524280 -> # Increase the maximum receive socket buffer size
    • net.core.rmem_default = 524280 -> # Increase the default receive socket buffer size

    19/38

    /etc/sysctl.conf

    • net.core.wmem_max = 524280 -> # Increase the maximum send socket buffer size
    • net.core.wmem_default = 524280 -> # Increase the default send socket buffer size
    • net.ipv4.tcp_max_tw_buckets = 1440000 -> # Increase the tcp-time-wait buckets pool size
    • net.ipv4.ip_local_port_range = 16384 65536 -> # Allowed local port range
    • net.ipv4.ipfrag_high_thresh = 512000 -> # Increase the maximum memory used to reassemble IP fragments

    20/38

    /etc/sysctl.conf

    • net.ipv4.ipfrag_low_thresh = 446464
    • net.core.optmem_max = 57344 -> # Increase the maximum amount of option memory buffers
    • net.ipv4.conf.all.accept_redirects = 0 -> # Do not accept redirects. Avoid MiTM
    • net.ipv4.conf.all.send_redirects = 0 -> # Forbid sending ICMP redirects
    • net.ipv6.conf.all.disable_ipv6 = 1 -> # Disable IPv6

    21/38

    Understanding services

    • The purpose the machine was built for
    • Load at startup time
    • Init process
    • /sbin/runlevel
    • netstat -[t | u]anp | grep LISTEN
    • Path -> /etc/rc.d/SXX && KXX
    • /sbin/chkconfig --list | less
    • RPMs: setuptool && ntsysv
    • The fewer services, the better
    • /etc/rc.local

    22/38

    Understanding services

    23/38

    “By Default” Enabled services

    • auditd
    • blk-availability
    • crond
    • iptables && ip6tables
    • lvm2-monitor
    • netfs
    • network
    • postfix
    • rsyslogd
    • sshd
    • udev-post
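The "Understanding services" slide says to read /sbin/chkconfig --list, and the slide above gives the set that is enabled on a fresh install. Put together, that is a baseline check: anything enabled at the server's runlevel that is not on the list needs a reason to exist. The script below is an added example, not the deck's: it parses saved chkconfig --list output (SysV lines with runlevel columns; xinetd entries are skipped) and prints the enabled services outside the allow-list. The allow-list is the slide's, with "rsyslog" added because that is the service name CentOS 6 uses; the sample output is constructed.

```shell
#!/bin/sh
# Added example, not from the deck: parse "chkconfig --list" output and report
# services enabled at a given runlevel that are not on the slide's "by default"
# allow-list. On a live host:
#   /sbin/chkconfig --list > /tmp/chk.txt && report_unexpected_services /tmp/chk.txt 3

# Allow-list from the "By Default Enabled services" slide. The deck writes
# "rsyslogd"; the CentOS 6 service itself is called "rsyslog", so both are kept.
EXPECTED_SERVICES='auditd blk-availability crond iptables ip6tables lvm2-monitor netfs network postfix rsyslog rsyslogd sshd udev-post'

# enabled_services FILE RUNLEVEL -> prints the service names marked "<RUNLEVEL>:on"
enabled_services() {
    awk -v rl="$2" '
        # SysV lines: "crond  0:off 1:off 2:on 3:on 4:on 5:on 6:off" (8 fields).
        # xinetd entries ("  rsync:  on") have a trailing colon and no runlevel
        # columns, so they are skipped; they need "chkconfig --list xinetd"-style handling.
        $1 !~ /:$/ && NF >= 8 {
            for (i = 2; i <= NF; i++) if ($i == (rl ":on")) print $1
        }' "$1"
}

# report_unexpected_services FILE RUNLEVEL -> prints enabled names not on the
# allow-list; returns 1 if any were found, 0 if the host matches the baseline.
report_unexpected_services() {
    found=0
    for svc in $(enabled_services "$1" "$2"); do
        case " $EXPECTED_SERVICES " in
            *" $svc "*) ;;                 # on the allow-list
            *) echo "$svc"; found=1 ;;
        esac
    done
    return $found
}

# Constructed sample of chkconfig --list output (two extra services switched on).
make_sample_chkconfig() {
    cat > "$1" <<'EOF'
auditd         	0:off	1:off	2:on	3:on	4:on	5:on	6:off
bluetooth      	0:off	1:off	2:off	3:on	4:on	5:on	6:off
crond          	0:off	1:off	2:on	3:on	4:on	5:on	6:off
cups           	0:off	1:off	2:on	3:on	4:on	5:on	6:off
iptables       	0:off	1:off	2:on	3:on	4:on	5:on	6:off
network        	0:off	1:off	2:on	3:on	4:on	5:on	6:off
rsyslog        	0:off	1:off	2:on	3:on	4:on	5:on	6:off
sshd           	0:off	1:off	2:on	3:on	4:on	5:on	6:off
vsftpd         	0:off	1:off	2:off	3:off	4:off	5:off	6:off

xinetd based services:
	chargen-dgram: 	off
	rsync:         	on
EOF
}

# Run directly: ./service-audit.sh /tmp/chk.txt 3
if [ $# -eq 2 ]; then report_unexpected_services "$1" "$2"; fi
```

The runlevel argument matters: a service that is 3:off but 5:on is invisible at runlevel 3 and becomes reachable the day someone switches the box to a graphical default; run the report for every runlevel the host can boot into.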

    24/38

    IPTables

    • Firewalling rule set
    • iptables is command-line driven -> /sbin/iptables
    • Chains: INPUT, OUTPUT, FORWARD
    • GUIs: fwbuilder, shorewall, firestarter, etc.
    • Script started before network/services are loaded
    • /etc/rcX.d/S08iptables

    25/38

    Firewall Policy: Best Practices

    • Mgmt IPs To Firewall IFs - Mgmt ports -> Allow
    • Any To Firewall IFs - Mgmt ports -> Deny [Stealth Rule]
    • -> Allow
    • [Cleanup Rule]
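The rows above describe an order, and the order is the point: the management allow must come before the stealth drop, and both before the service rules, or the stealth rule silently locks out the administrators. As an added example (not the deck's), the function below renders that policy as an iptables-restore ruleset for the INPUT chain, with a rate-limited LOG line ahead of the cleanup drop so that what the cleanup rule discards shows up in syslog. The addresses and ports in the usage line are constructed placeholders; the function name and log prefix are my own.

```shell
#!/bin/sh
# Added example, not from the deck: render the slide's rule order as an
# iptables-restore ruleset. Sources and ports are arguments (the values in the
# usage line are constructed placeholders). Review the output, then load it from
# a console session, not over SSH, until the management rule is confirmed:
#   gen_firewall_rules "10.0.0.0/24 192.0.2.10" "22" "80 443" | iptables-restore

emit() { printf '%s\n' "$1"; }

# gen_firewall_rules MGMT_SOURCES MGMT_PORTS SERVICE_PORTS  (space-separated lists)
gen_firewall_rules() {
    mgmt_srcs=$1
    mgmt_ports=$(printf '%s' "$2" | tr ' ' ',')   # multiport wants a comma list
    svc_ports=$3
    if [ -z "$mgmt_srcs" ] || [ -z "$mgmt_ports" ]; then
        emit 'usage: gen_firewall_rules "<mgmt sources>" "<mgmt ports>" "[service ports]"' >&2
        return 2
    fi
    emit '*filter'
    emit ':INPUT DROP [0:0]'
    emit ':FORWARD DROP [0:0]'
    emit ':OUTPUT ACCEPT [0:0]'
    emit '-A INPUT -i lo -j ACCEPT'
    emit '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    emit '# 1. Management rule: trusted sources reach the management ports'
    for src in $mgmt_srcs; do
        emit "-A INPUT -s $src -p tcp -m multiport --dports $mgmt_ports -m state --state NEW -j ACCEPT"
    done
    emit '# 2. Stealth rule: the management ports are invisible to everyone else'
    emit "-A INPUT -p tcp -m multiport --dports $mgmt_ports -j DROP"
    emit '# 3. Service rules: only what the server was built for'
    for port in $svc_ports; do
        emit "-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    emit '# 4. Cleanup rule: log (rate-limited) then drop everything else'
    emit '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-CLEANUP: "'
    emit '-A INPUT -j DROP'
    emit 'COMMIT'
}

# Run directly: ./gen-rules.sh "10.0.0.0/24" "22" "80 443"
if [ $# -ge 2 ]; then gen_firewall_rules "$1" "$2" "${3:-}"; fi
```

The INPUT policy is DROP as well, so the explicit cleanup rule is redundant for safety but still earns its place: it is the hook for the LOG line, and it keeps the behaviour visible in iptables -L rather than hidden in the chain policy. Save the loaded rules with service iptables save so that the S08iptables script from the previous slide restores them at boot.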

    26/38

    Hardening SSH

    • Auth: User/pass vs certificates
    • Change default SSH port (TCP/22)
    • Protocol 2
    • PermitRootLogin -> NO
    • ListenAddress
    • AllowUsers
    • AllowGroups

    27/38

    Hardening SSH

    • MaxAuthTries (Default 6) -> 3
    • LoginGraceTime (Default 120) -> 60
    • PasswordAuthentication (Default Yes) -> NO
    • Banner (none)
    • AllowAgentForwarding and AllowTcpForwarding (Default Yes) -> If it is not going to be used, change to NO
    • MaxStartups (Default 10) -> If few connected users, change to 3
    • Ciphers -> aes128-ctr, aes256-ctr, arcfour256, arcfour, aes128-cbc, aes256-cbc
    • X11Forwarding and PermitEmptyPasswords -> If not needed, NO
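The two SSH slides give the target values; what trips people up is how sshd reads the file. The script below is an added example, not the deck's: it checks an sshd_config against the slides' values while mirroring sshd's own rules, which change the result: keywords are case-insensitive, the first value given for a keyword is the one in force (a later "PasswordAuthentication no" does not override an earlier "yes"), and lines after the first "Match" apply only to matched sessions, so they are not global settings. The baseline is the slides'; "Port !22" encodes the "change the default port" bullet; the sample file and function names are constructed.

```shell
#!/bin/sh
# Added example, not from the deck: check an sshd_config against the values the
# "Hardening SSH" slides recommend, reading it the way sshd does (first value
# wins, keywords case-insensitive, Match blocks are not global).
# Usage: audit_sshd_config /etc/ssh/sshd_config

# Baseline from the slides. "!22" means "any value except 22".
SSHD_BASELINE='
Protocol 2
Port !22
PermitRootLogin no
MaxAuthTries 3
LoginGraceTime 60
PasswordAuthentication no
AllowAgentForwarding no
AllowTcpForwarding no
MaxStartups 3
X11Forwarding no
PermitEmptyPasswords no
'

# Prints DRIFT / UNSET / AVOID lines; returns 0 only when everything matches.
audit_sshd_config() {
    printf '%s\n' "$SSHD_BASELINE" | awk -v conf="$1" '
        BEGIN {
            while ((getline line < conf) > 0) {
                sub(/^[ \t]+/, "", line)
                if (line == "" || substr(line, 1, 1) == "#") continue   # sshd: whole-line comments only
                n = split(line, f, /[ \t=]+/)                            # "Key value" or "Key=value"
                key = tolower(f[1])
                if (key == "match") break                                # the rest is conditional, not global
                if (n >= 2 && !(key in actual)) actual[key] = tolower(f[2])   # first value wins
            }
            close(conf)
        }
        NF == 2 {
            key = tolower($1); want = tolower($2)
            if (substr(want, 1, 1) == "!") {
                forbid = substr(want, 2)
                if (!(key in actual)) { print "UNSET " key " (want not " forbid ")"; bad = 1 }
                else if (actual[key] == forbid) { print "AVOID " key "=" forbid; bad = 1 }
            } else if (!(key in actual)) { print "UNSET " key " (want " want ")"; bad = 1 }
            else if (actual[key] != want) { print "DRIFT " key "=" actual[key] " (want " want ")"; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample: looks hardened, but the effective PasswordAuthentication is "yes".
make_sample_sshd_config() {
    cat > "$1" <<'EOF'
# Constructed sample sshd_config for this example
Protocol 2
Port 2222
PermitRootLogin no
PasswordAuthentication yes
MaxAuthTries 3
LoginGraceTime 60
AllowAgentForwarding no
AllowTcpForwarding no
MaxStartups 3
X11Forwarding no
PermitEmptyPasswords no
# The line below looks like a fix, but sshd keeps the first value ("yes") above
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
EOF
}

# Run directly: ./sshd-audit.sh /etc/ssh/sshd_config
if [ $# -eq 1 ]; then audit_sshd_config "$1"; fi
```

A key that is absent is reported as UNSET rather than assumed safe, because the defaults the slide quotes (MaxAuthTries 6, LoginGraceTime 120, PasswordAuthentication yes, MaxStartups 10) are the values that then apply. After editing, sshd -t validates the syntax and sshd -T prints the effective settings, which is the authoritative answer when this script and your reading disagree.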

    28/38

    Hardening BASH

    • Define read-only environment variables -> to avoid them being overwritten by users (declare -r HISTFILE=~/.bash_history && chattr +i .bash_history)
    • HISTFILESIZE -> Maximum number of lines to keep
    • HISTSIZE -> Maximum stored commands in memory
    • HISTTIMEFORMAT -> Date/Time format to store with command execution
    • Force a commit to HISTFILE every time a command is typed instead of at logout -> readonly || declare -r PROMPT_COMMAND="history -a"

    29/38

    Hardening BASH

    • Limit login session timeout -> declare -r TMOUT=120
    • Limits -> ulimit command
      -c maximum size of core files
      -s maximum stack size
      -t maximum CPU seconds
      -u maximum number of processes per user
      -v maximum virtual memory size available to the shell
      -x maximum number of file locks
    • Default file mask for every user -> umask 077 “rwx --- ---”
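The two "Hardening BASH" slides describe a set of settings that belong in one place, /etc/profile.d, where every login shell picks them up. The fragment below is an added example, not the deck's: it applies the slides' settings from a single function so that the same file can be sourced and checked non-interactively. Two deliberate differences from the slide text: HISTSIZE is bash's actual name for the in-memory limit the slide calls HISTFSIZE, and the history file is made append-only (chattr +a) rather than immutable, because an immutable file cannot receive new history lines at all. The history sizes are assumed values; the timeout and umask are the slides'.

```shell
#!/bin/sh
# Added example, not from the deck: a /etc/profile.d/hardening.sh fragment that
# applies the slides' shell settings from one function. HISTSIZE replaces the
# slide's HISTFSIZE (bash's real variable name); chattr +a (append-only) is used
# instead of immutable so bash can still append history. Sizes are assumed.

harden_shell_env() {
    # Read-only history settings: users can neither unset nor redirect them.
    readonly HISTFILE="${HOME:-/tmp}/.bash_history"
    readonly HISTFILESIZE=10000            # lines kept on disk (size assumed)
    readonly HISTSIZE=10000                # commands kept in memory (size assumed)
    readonly HISTTIMEFORMAT='%F %T '       # timestamp every entry
    readonly PROMPT_COMMAND='history -a'   # flush after each command, not only at logout
    export HISTFILE HISTFILESIZE HISTSIZE HISTTIMEFORMAT

    # Idle shells are closed after 120 seconds (the slide's value).
    readonly TMOUT=120
    export TMOUT

    # No core dumps from user shells; -s, -t, -u, -v and -x follow the same pattern.
    ulimit -c 0

    # New files are readable and writable by their owner only.
    umask 077

    # Append-only history file. Needs root and a filesystem with attribute
    # support, so it is skipped silently where it cannot apply.
    [ -f "$HISTFILE" ] && chattr +a "$HISTFILE" 2>/dev/null || true
}

# When installed under /etc/profile.d, end the file with a call to harden_shell_env.
```

Readonly is enforced by the shell that set it, so it holds for the interactive bash a user lands in; a user who can start another shell binary is outside what this fragment protects, which is why the slides pair it with auditing and remote logging.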

    30/38

    Hardening Apache

    • Installation:
      – Use rpm package... or static compilation
      – Right permissions: chown + chroot
        • chmod -R go-r /etc/httpd
        • chmod -R go-r /var/log/httpd
      – Disable not needed/used default modules (http://www.cyberciti.biz/faq/howto-disable-apache-modules-under-linux-unix/)

    31/38

    Hardening Apache

    • Listen [IP Address:]
    • Allow from directives
      – Deny from All
      – Allow from 192.168.X.Y/24
    • Security through obscurity
      – ServerTokens ProductOnly
      – ServerSignature Off
    • With mod_security
      – SecServerSignature “Powered by Securizame 8.0”
    • Disable Trace method
      – TraceEnable Off

    32/38

    Patches Management

    • Optional package: yum-cron
    • /etc/sysconfig/yum-cron

    33/38

    Auditing Tools

    • Check security/health
    • Misconfigurations && Malware
    • Tools:
      – Lynis, checklist-linux
      – rkhunter, chkrootkit
      – unhide
    • Filesystems integrity
      – AFICK, AIDE, Tripwire
    • Other stuff: IDS/IPS

    34/38

    Lynis / checklist-linux

    35/38

    Logs

    • Send to a remote event collector: syslog
    • NTP (Network Time Protocol)
    • LIDS: OSSEC

    36/38

    OSSEC

    37/38

    Conclusions

    • CentOS Linux FTW!
    • Corporate distribution
    • Community support
    • Security concepts in mind
    • Minimalism is the key
    • Harden, audit and monitor

    38/38

    Email me: [email protected]
    Twitter: @lawwait @securizame @secbydefault