Following this guide will assist you in installing CentOS 6.3 for a server environment. It will cover basic installation and post installation hardening. This guide assumes you have downloaded the CentOS installation media (I used the CentOS x64 netinstall iso) and have booted your system from the media.
Part One: Installation
The first portion of the install is merely following the guided prompts, answering the questions as necessary. For tradition storage hardware (i.e. your server is not hooked up to a SAN or using iSCSI for storage) choose “Basic Storage Devices”.
Next insert your hostname, timezone, and root password information. Please use a LONG and complex password for your root password.
Next you will come to the storage configuration screen. I select “Use All Space” as well as checking “Review and modify partitioning layout”. This way the system automatically removes and existing partitions, and configures the CentOS default LVMs allowing me to customize.
I then remove the “lv_home” partition since I prefer not to have a separate /home on my servers, and then resize the “lv_root” to fill the free’d space. Something you might want to consider, especially on a server with limited storage space, is putting /var on a separate partition/LVM since that’s the directory most likely to grow with time.
Select where you want your bootloader installed (usually default choice is fine as this is going to be the same drive as your root partition).
Select the “class” of system to install. For a server I highly recommend selecting “Minimal” as this leaves you with a small as possible security footprint and you can add whatever packages you require for this system later. I definitely do not recommend installing any kind of GUI environment, I’m a firm believe in the statement “servers should not have GUIs”.
The installation will proceed and install the required packages. Afterwards you will be presented with a command prompt.
Part Two: Base Hardening
Once the installation is complete, you will be required to reboot and then presented with a command prompt. Log in to the system with the root account, and create a user to use for daily administrative tasks (we do not use root for day to day use), I will call this user “nbeach”
[root@lab0 ~]# useradd nbeach [root@lab0 ~]# passwd nbeach
The two commands above create a user called nbeach, and assign a password for nbeach. Next enable the user to use the sudo command to perform administrative tasks. We do this by issuing the command visudo and uncommenting the line pertaining to the wheel group.
[root@lab0 ~]# visudo Uncomment the following line: ## Allows people in group wheel to run all commands #%wheel ALL=(ALL) ALL
Once that is complete, your user will need to be added to the wheel group. Do so by issuing the following command (substituting your username). Once that is complete log out and back in as your user.
[root@lab0 ~]# usermod -a -G wheel nbeach
Now lets make sure the system is 100% up to date. Issue the following command:
[nbeach@lab0 ~]# sudo yum update
You will be prompted for YOUR password and then be presented with a screen of text similar to the following:
Setting up Update Process Resolving Dependencies --> Running transaction check ---> Package dbus-glib.x86_64 0:0.86-5.el6 will be updated ---> Package dbus-glib.x86_64 0:0.86-6.el6 will be an update ---> Package kernel.x86_64 0:2.6.32-358.0.1.el6 will be installed ---> Package kernel-firmware.noarch 0:2.6.32-358.el6 will be updated ---> Package kernel-firmware.noarch 0:2.6.32-358.0.1.el6 will be an update ---> Package libxml2.x86_64 0:2.7.6-8.el6_3.4 will be updated ---> Package libxml2.x86_64 0:2.7.6-12.el6_4.1 will be an update ---> Package mysql-libs.x86_64 0:5.1.66-2.el6_3 will be updated ---> Package mysql-libs.x86_64 0:5.1.67-1.el6_3 will be an update ---> Package openldap.x86_64 0:2.4.23-31.el6 will be updated ---> Package openldap.x86_64 0:2.4.23-32.el6_4 will be an update ---> Package openssl.x86_64 0:1.0.0-27.el6 will be updated ---> Package openssl.x86_64 0:1.0.0-27.el6_4.2 will be an update ---> Package selinux-policy.noarch 0:3.7.19-195.el6 will be updated ---> Package selinux-policy.noarch 0:3.7.19-195.el6_4.3 will be an update ---> Package selinux-policy-targeted.noarch 0:3.7.19-195.el6 will be updated ---> Package selinux-policy-targeted.noarch 0:3.7.19-195.el6_4.3 will be an update ---> Package tzdata.noarch 0:2012j-1.el6 will be updated ---> Package tzdata.noarch 0:2012j-2.el6 will be an update --> Finished Dependency Resolution Dependencies Resolved ... Transaction Summary ===================================================================================================== Install 1 Package(s) Upgrade 9 Package(s) Total download size: 46 M Is this ok [y/N]:
Say “y” to this prompt and accept any key prompts that appear and wait for the updates to complete. Once they complete reboot the system:
[nbeach@lab0 ~]# sudo reboot
Log back into your system as your admin user. First thing we should harden is SSH. Some items to change include removing the ability for the root account to log in via SSH, set up a warning banner, and allow only members of a group to log in via SSH. First lets create the group and add our user to the group, I’ll call it sshusers.
[nbeach@lab0 ~]# sudo groupadd sshusers [nbeach@lab0 ~]# sudo usermod -a -G sshusers nbeach
Now edit the file /etc/ssh/sshd_config and uncomment and/or change the following lines:
[nbeach@lab0 ~]# sudo vi /etc/ssh/sshd_config Uncomment the line: Port 22
Uncomment the following line and change yes to no:
Uncomment the following line and change none to the following path:
Add the following line to the bottom of the file:
Now create the file /etc/ssh/ssh_banner and enter something similar to the following (it might need to be tweaked to comply with your local laws).
[nbeach@lab0 ~]# sudo vi /etc/ssh/ssh_banner
THIS IS A PRIVATE COMPUTER SYSTEM. THIS COMPUTER SYSTEM, INCLUDING ALL RELATED EQUIPMENT, NETWORKS AND NETWORK DEVICES (SPECIFICALLY INCLUDING INTERNET ACCESS), ARE PROVIDED ONLY FOR AUTHORIZED USE. ALL SYSTEMS MAY BE MONITORED FOR ALL LAWFUL PURPOSES, INCLUDING TO ENSURE THAT THEIR USE IS AUTHORIZED, FOR MANAGEMENT OF THE SYSTEM, TO FACILITATE PROTECTION AGAINST UNAUTHORIZED ACCESS, AND TO VERIFY SECURITY PROCEDURES, SURVIVABILITY AND OPERATIONAL SECURITY. MONITORING INCLUDES ACTIVE ATTACKS BY AUTHORIZED COMPANY ENTITIES TO TEST OR VERIFY THE SECURITY OF THIS SYSTEM. DURING MONITORING, INFORMATION MAY BE EXAMINED, RECORDED, COPIED AND USED FOR AUTHORIZED PURPOSES. ALL INFORMATION, INCLUDING PERSONAL INFORMATION, PLACED ON OR SENT OVER THIS SYSTEM MAY BE MONITORED.
USE OF THIS PRIVATE SYSTEM, AUTHORIZED OR UNAUTHORIZED, CONSTITUTES CONSENT TO MONITORING OF THIS SYSTEM. UNAUTHORIZED USE MAY SUBJECT YOU TO CRIMINAL PROSECUTION. EVIDENCE OF UNAUTHORIZED USE COLLECTED DURING MONITORING MAY BE USED FOR ADMINISTRATIVE, CRIMINAL OR OTHER ADVERSE ACTION. USE OF THIS SYSTEM CONSTITUTES CONSENT TO MONITORING FOR THESE PURPOSES.
Once this file is created, restart the ssh service by issuing the following command:
[nbeach@lab0 ~]# sudo service sshd restart
I will be using an MTA (mail transfer agent) called SSMTP (Simple STMP) rather than the default (larger attack footprint/more complex) Postfix. Because of this, I will be removing Postfix.
[nbeach@lab0 ~]# sudo yum remove postfix
Despite what a lot of blogs and posts suggest, disabling SELinux is not a good idea, most of the time it doesn’t get in the way, and when it does simple policy configurations can resolve the problem quickly. So leave SELinux enabled.
Finally, unless your system/policy/network requires IPV6, you’re better off disabling it:
Edit /etc/modprobe.d/blacklist.conf and add the following line to the end: #Prevent kmod for IPV6 from loading install ipv6 /bin/true Edit /etc/sysconfig/network and add the following lines: NETWORKING_IPV6=no IPV6INIT=no
Now you have a running CentOS system that’s ready to be expanded upon for your specific application. The initial hardening has been completed and the system is much more secure than a base system. Of course there is always more you can do to secure your system, so check out my other posts on Security for more advanced settings.