Securing the CentOS Perfect Setup with Bastille

Want to support HowtoForge? Become a subscriber!
 
Submitted by treed (Contact Author) (Forums) on Fri, 2006-08-18 15:22. :: CentOS | Security

Securing the CentOS Perfect Setup with Bastille

This article shows how to secure a CentOS server using psad, Bastille, and some other tweaks. psad is a tool that helps detect port scans and other suspicious traffic, and the Bastille hardening program locks down an operating system, proactively configuring the system for increased security and decreasing its susceptibility to compromise.

Create an additional account for Systems Administration

The "adduser" command will create an account.

adduser service

The "passwd" command will set the password for the "service" account.

passwd service

 

Creating a directory for downloads.

This will create a directory to download the RPMs and other files.

mkdir /downloads
cd /downloads

 

Installing PSAD

psad is a collection of three lightweight system daemons (two main daemons and one helper daemon) that run on Linux machines and analyze Netfilter log messages to detect port scans and other suspicious traffic. More information can be found here.

wget http://www.cipherdyne.com/psad/download/psad-1.4.6-1.i386.rpm
rpm -Uvh psad-1.4.6-1.i386.rpm

 

Installing Bastille

The Bastille Hardening program "locks down" an operating system, proactively configuring the system for increased security and decreasing its susceptibility to compromise. Bastille can also assess a system's current state of hardening, granularly reporting on each of the security settings with which it works. More information can be found here.

wget http://easynews.dl.sourceforge.net/sourceforge/bastille-linux/Bastille-3.0.9-1.0.noarch.rpm
wget ftp://ftp.icm.edu.pl/vol/rzm4/linux-dag/redhat/el4/en/i386/RPMS.dag/perl-Curses-1.12-1.2.el4.rf.i386.rpm

rpm -ivh Bastille-3.0.9-1.0.noarch.rpm
rpm -Uvh perl-Curses-1.12-1.2.el4.rf.i386.rpm

 

Running Bastille

This will start the interactive prompt.

/usr/sbin/bastille -c

 

Interactive prompt response

These settings are recommendations for the Perfect Setup install. There may be certian values that may need to change if other software or packages have been installed.

accept

<ENTER>

Would you like to set more restrictive permissions on the administration utilities? -> YES

<ENTER>

Would you like to disable SUID status for mount/umount? -> YES
Would you like to disable SUID status for ping? -> YES
Would you like to disable SUID status for at? -> YES
Would you like to disable the r-tools? -> YES
Would you like to disable SUID status for usernetctl? -> YES
Would you like to disable SUID status for traceroute? -> YES
Should Bastille disable clear-text r-protocols that use IP-based authentication? -> YES
Would you like to enforce password aging? -> YES
Do you want to set the default umask? -> YES
What umask would you like to set for users on the system? -> 007
Should we disallow root login on tty's 1-6? -> NO
Should Bastille ask you for extraneous accounts to delete? -> NO
Would you like to password-protect the GRUB prompt? -> NO
Would you like to disable CTRL-ALT-DELETE rebooting? -> YES
Would you like to password protect single-user mode? -> NO
Would you like to set a default-deny on TCP Wrappers and xinetd? -> NO
Would you like to display "Authorized Use" messages at log-in time? -> YES
Who is responsible for granting authorization to use this machine? -> YOUR COMPANY NAME
Would you like to put limits on system resource usage? -> YES

<ENTER>

Should we restrict console access to a small group of user accounts? -> YES
Which accounts should be able to login at console? -> root
Would you like to set up process accounting? -> NO

<ENTER>

Would you like to disable acpid and/or apmd? -> YES
Would you like to disable PCMCIA services? -> YES
Would you like to disable GPM? -> YES
Would you like to deactivate the HP OfficeJet (hpoj) script on this machine? -> YES
Would you like to deactivate the ISDN script on this machine? -> YES
Would you like to deactivate kudzu's run at boot? -> YES
Do you want to stop sendmail from running in daemon mode? -> YES
Would you like to deactivate named, at least for now? -> NO
Would you like to deactivate the Apache web server? -> NO
Would you like to bind the Web server to listen only to the localhost? -> NO
Would you like to bind the web server to a particular interface? -> NO

<ENTER>

Would you like to deactivate the following of symbolic links? -> YES
Would you like to disable printing? -> YES
Would you like to install TMPDIR/TMP scripts? -> NO
Would you like to run the packet filtering script? -> YES

<ENTER>

Do you need the advanced networking options? -> NO
DNS Servers: [0.0.0.0/0] -> **LEAVE DEFAULT**
Public interfaces: -> eth+
TCP services to audit: -> telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh
UDP services to audit: -> 31337
ICMP services to audit: -> **BLANK**
TCP service names or port numbers to allow on public interfaces: -> 21 22 25 53 80 110 111 143 443 631 953 993 995 3306
UDP service names or port numbers to allow on public interfaces: -> **BLANK**
Force passive mode? -> YES
TCP services to block: -> 2049 2065:2090 6000:6020 7100
UDP services to block: -> 2049 6770
ICMP allowed types: -> destination-unreachable echo-reply time-exceeded
Enable source address verification? -> YES
Reject method: -> DENY
Interfaces for DHCP queries: -> **BLANK**
NTP servers to query: -> **BLANK**
ICMP types to disallow outbound: -> destination-unreachable time-exceeded
Should Bastille run the firewall and enable it at boot time? -> YES
Would you like to setup psad? -> YES
psad check interval: -> 15
Port range scan threshold: -> 1
Enable scan persistence? -> NO
Scan timeout: -> 3600
Show all scan signatures? -> NO
Danger Levels: -> 5 50 1000 5000 10000
Email addresses: -> root@localhost
Email alert danger level: -> 1
Alert on all new packets? -> YES
Enable automatic blocking of scanning IPs? -> NO
Should Bastille enable psad at boot time? -> YES
Are you finished answering the questions, i.e. may we make the changes? -> YES

<TAB>

 

Edit SSH Configuration

This will take an extra step to secure SSH. The following settings will:

  • ensure that SSHv2 is used
  • the root user cannot log on directly via SSH
  • accounts with no passwords will not be permitted to log in
  • a login banner will be displayed.

vi /etc/ssh/sshd_config

Edit the following lines and remove the remark. Do not forget to save and exit.

#Protocol 2,1 -> Protocol 2
#PermitRootLogin yes -> PermitRootLogin no
#PermitEmptyPasswords no -> PermitEmptyPasswords no
#Banner /some/path -> Banner /etc/issue

 

Reboot the system

Please reboot the system as a final check. Ensure everything starts properly.

reboot

 

 


Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.
Submitted by dunxd (registered user) on Fri, 2008-06-06 15:36.

This is a bit out of date now - PSAD is in version 2 and Bastille is now Bastille-UNIX version 3.  Check the sites to download the latest versions.

I had a few problems getting these installed as CentOS 4.6 kept reporting that  libc.so.6(GLIBC_2.4) and rtld(GNU_HASH) weren't installed.  I wonder if this is due to use of yum to install things?

Regarding ssh - if you are copying and pasting authorized_keys strings from PuTTY Gen on Windows, make sure that you remove any newlines from what you paste.  These newlines will cause ssh to kick you out before you get a chance to login!