サーバー技術 2014.03.10 2019.10.18 げんき☆ひろき. Install the package yum-utils for better consistency checking of the package database. This guide is based on a minimal CentOS 7 install following the idea that you only install software that you require. Set a password for the newly created user account using the passwd command (remember to set a secure strong password). CUPS stands for Common UNIX Printing System. None of these should be installed on CentOS 7 minimal: Disable everything that is not required, e.g. Sysstat may provide useful insight into system usage and performance, however, unless used, the service should be disabled, or not installed at all. Run the following to determine if any interface is running in promiscuous mode: Install the libreswan package if implementation of IPsec and IKE is required. But as per Red Hat’s hardening guide we should create symbolic links: Yes doing it all on a test server first. For those using Ansible, below is a playbook containing pretty much the same and then some (mainly sysctl tuning etc..) For those familiar with OpenSCAP, you will notice the guide divided into two major sections: System Settings and Services.The first part contains rules that check system settings, where the second part is aimed towards hardening services. NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5, https://highon.coffee/blog/security-harden-centos-7/, https://linux-audit.com/linux-system-hardening-adding-hidepid-to-proc/, https://www.openssh.com/releasenotes.html, What is pam_faillock and how to use it in Red Hat Enterprise Linux. Consider installing a commercial AV product that provides real-time on-access scanning capabilities. Harden removeable media mounts by adding nodev, noexec and nosuid, e.g. Do you have an updated one for CentOS 8 yet? Minimum number of character classes in a password – 4. I was able to lock the terminal with screen. Unless firewalld is required, mask it and replace with iptables: Add the following to /etc/sysconfig/iptables to allow only minimal outgoing traffic (DNS, NTP, HTTP/S and SMTPS): Note that the rule allowing all incoming SSH traffic should be removed restricting access to an IP whitelist only, or hiding SSH behind a VPN. Prelinking is done by the prelink package, which is not installed by default. So, next, add the new user tecmint to the wheel group using the usermod command. 3. Get introduced to the process of port scanning with this Nmap Tutorial and a series of more advanced tips.. With a basic understanding of networking (IP addresses and Service Ports), learn to run a port scanner, and understand what is happening under the hood.. Nmap is the world's leading port scanner, and a popular part of our hosted security tools. Rkhunter adds itself to /etc/cron.daily/ for daily execution therefore no configuration is required. Open Source Tripwire is an alternative to AIDE. 当前输入用户后，并没有显示任何欢迎信息，而是直接弹出输入密码提示。 查看 /etc/ssh/sshd_config 中的 Banner 设置，显示当前没有定义该文件： [root@ryan ~]# cat /etc/ssh/sshd_config -n |grep -i Banner 112 # no default banner path 113 #Banner none account required pam_faillock.so Create a normal user account called tecmint using the useradd command, the -m option means to create the user’s home directory if it doesn’t exist, -s defines the new user’s login shell program (which is /bin/bash in this case) and -c defines a comment indicating that this is an administrative user account. * stands for facility.severity. Have someone make all this a sh script and willing to share? Could this guide be used on a VPS server? vlock is. https://people.redhat.com/swells/scap-security-guide/tables/table-rhel7-stig.html Create a service file /etc/systemd/system/usb-auth.service with the following content: Set permissions, enable and start the service: If required, disable kernel support for USB via bootloader configuration. While this may sometimes be useful it is also dangerious. The easiest way to encrypt a partition is during Kickstart installation. # find / -ignore_readdir_race -nogroup -print -exec chgrp root {} \; # find / -ignore_readdir_race \ 10 Useful Sudoers Configurations for Setting ‘sudo’ in Linux, How to Show Asterisks While Typing Sudo Password in Linux, How to Keep ‘sudo’ Password Timeout Session Longer in Linux, How to Install Apache with Virtual Hosts on Debian 10, A Beginners Guide To Learn Linux for Free [with Examples], Red Hat RHCSA/RHCE 8 Certification Study Guide [eBooks], Linux Foundation LFCS and LFCE Certification Study Guide [eBooks]. To do so, append nousb to the kernel line GRUB_CMDLINE_LINUX in /etc/default/grub and generate the Grub2 configuration file: Note that disabling all kernel support for USB will likely cause problems for systems with USB-based keyboards etc. The playbook looks good, really helpful. Honestly, I think that the Red Hat’s hardening guide provides a “nicer” solution, but using chattr does the job too. Configure periodic execution of AIDE by adding to cron: Periodically running AIDE is necessary in order to reveal system changes. The following command will enable SHA512 as well as set the above password requirements: Open /etc/security/pwquality.conf and add the following: These will ensure that 8 characters in the new password must not be present in the old password, and will check for the words from the passwd entry GECOS string of the user. All Rights Reserved. 6. Red Hat Satellite), then HTTP/S traffic can also be further hardened, depending on a set up. Required fields are marked *, Copyright © 2013-2021 LISENET.COM, All Rights Reserved |, auth required pam_faillock.so preauth silent deny=3 unlock_time=900 fail_interval=900, auth [default=die] pam_faillock.so authfail deny=3 unlock_time=900 fail_interval=900, account required pam_faillock.so. Learn how your comment data is processed. When modifying authentication configuration using the authconfig utility, the system-auth and password-auth files are overwritten with the settings from the authconfig utility. It also ensures that the system cannot be halted because of some partition running out of disk space. Here, the -a flag means to append user to a supplementary group and -G specifies the group. This will deny binary execution from /tmp, disable any binary to be suid root, and disable any block devices from being created. Require at least one digit in a password. # useradd -m -s /bin/bash -c "Administrator" tecmint In case you want to change the default SSH port to something else, you will need to tell SELinux about it. Add the following to /etc/yum/yum-cron.conf to get notified via email when new updates are available: Add the following to /etc/yum/yum-cron-hourly.conf to check for bugfix-related updates every hour and automatically download and install them: Note: security information is provided by RedHat only. Quand je fais faire ssh webmin, ça va m'ouvrir un tunnel SSH entre mon PC et le serveur ayant l'IP 192.168.1.11. Any errors? Difference Between su and sudo and How to Configure sudo in Linux, How to Start Linux Command in Background and Detach Process in Terminal, How to Impose High CPU Load and Stress Test on Linux Using ‘Stress-ng’ Tool, 4 Useful Tools to Run Commands on Multiple Linux Servers, Autojump – An Advanced ‘cd’ Command to Quickly Navigate Linux Filesystem, How to Find Out List of All Open Ports in Linux. Thanks, I’ve updated the page to reflect this. Very usefull , We appreciate that! secure SSH login to the server. Read Also: Difference Between su and sudo and How to Configure sudo in Linux. The company behind Grsecurity stopped publicly distributing stable patches back in 2015, with an exception of the test series continuing to be available to the public in order to avoid impact to the Gentoo Hardened and Arch Linux communities. This site uses Akismet to reduce spam. Interestingly, this error is also in the DISA STIGs. Set admin_space_left_action=single if you want to cause the system to switch to single user mode for corrective action rather than send an email.