I've completed a few installs now with CentOS and thought I would share my experience with you.
I used CentOS 4.1 and the Fedora Core Setup Guide.
However, there are some minor changes I've made to include software RAID, and a few security additions too that you may be interested in.
My first change is with the filesystem layout.
I recommend something like:
the rest as /var/www
/boot will hardly ever fill up, but 100 MB will always ensure you have enough space in case you update a lot of kernels.
Root can be fairly small here, because ideally this box is not going to change very often, apart from upgrades.
I keep /home separate since this system is going to be used for ISPConfig and, apart from 1 or 2 system accounts, it will not need a lot of space.
/tmp is an important one to keep separate from root, as this will help protect against denial of service attacks.
/var is again separate from /var/www, where we are going to store our web sites and user files; suexec is also compiled to use this.
Swap is whatever you need; in my case 512 MB is enough.
During the installation I also used software RAID. Here's my RAID configuration:
Primary Master = hda
Secondary Master = hdc
CD-ROM = hdd
Create the RAID devices during the installation. Once installation is complete you will need to put some safeguards in place to protect against disk failure.
You need to do this for both disks.
First, back up each disk's MBR and basic partition table.
dd if=/dev/hda of=hda.mbr bs=512 count=1
dd if=/dev/hdc of=hdc.mbr bs=512 count=1
Second, back up each disk's partition table (including the extended partition information).
sfdisk -d /dev/hda > hda.sfd
sfdisk -d /dev/hdc > hdc.sfd
If you have a failed disk and it has been replaced, let's assume it was hda.
Restore the MBR:
dd if=hda.mbr of=/dev/hda bs=512 count=1
Restore the extended partition information as well:
sfdisk -O change.log /dev/hda < hda.sfd
Check that the partition table is loaded:
fdisk -l /dev/hda
Restart the mirror sync process:
raidhotadd /dev/md? /dev/hda
To see the progress of the mirroring: watch -n1 cat /proc/mdstat
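The safeguards above as an added example script (not part of the original post): it backs up the MBR and partition table of each mirror member, and reads /proc/mdstat to report any array running with a missing member, the condition the watch command above shows by hand. Device names, the backup directory and the function names are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): the disk-failure safeguards
# above as a script. backup_disk_layout saves the MBR and sfdisk dump of one
# mirror member; check_mdstat reads an mdstat-format file and reports any
# array running with a missing member, so it can be run from cron and mailed.
# Device names and the backup directory are assumptions.

# backup_disk_layout DEVICE OUTDIR: writes OUTDIR/<disk>.mbr and <disk>.sfd
backup_disk_layout() {
    dev="$1"; outdir="$2"; name=$(basename "$dev")
    mkdir -p "$outdir" || return 1
    # first 512 bytes = boot code + primary partition table
    dd if="$dev" of="$outdir/$name.mbr" bs=512 count=1 2>/dev/null || return 1
    # full table including extended/logical partitions, restorable with sfdisk
    sfdisk -d "$dev" > "$outdir/$name.sfd"
}

# count_arrays FILE: number of md devices listed (sanity check on the input)
count_arrays() {
    grep -c '^md[0-9][0-9]* :' "$1"
}

# check_mdstat [FILE]: a healthy mirror shows "[UU]"; a failed or missing
# member shows as "_" (e.g. "[_U]"). Prints the degraded arrays and returns
# 1 if there are any, 0 when every array is complete.
check_mdstat() {
    awk '
        /^md[0-9]+ :/       { md = $1 }
        /\[[U_]*_[U_]*\]/   { print md " degraded: " $0; bad = 1 }
        END                 { exit (bad ? 1 : 0) }
    ' "${1:-/proc/mdstat}"
}

if [ "$#" -gt 0 ]; then
    # Usage: ./raidcheck.sh /var/backups/raid /dev/hda /dev/hdc
    outdir="$1"; shift
    for dev in "$@"; do backup_disk_layout "$dev" "$outdir"; done
    check_mdstat /proc/mdstat && echo "all arrays complete"
fi
```

Run it from cron on the RAID box and the degraded-array output arrives in the system mail, the same place the post sends its other reports.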
Also to note that I'm using LILO. This seems to be installed on both disks, but GRUB only gets installed on the primary disk. If you lose the primary disk you cannot boot, but you can still boot if you lose the secondary disk. With LILO either disk can be lost and the system boots without problem.
Follow the guide, but on page 3 you need to use yum instead of apt. I also use Dag Wieers as well; see http://dag.wieers.com/home-made/apt/ (you will need to add his Red Hat Enterprise repository). You will also need to import his GPG key.
Make sure you do a complete system update to ensure you have the latest versions and plug any security holes.
OK, now when you edit /etc/fstab also add these:
Add nosuid,noexec to your /tmp entry; for example, mine looks like this. I also added quotas to /home.
The nosuid and noexec options stop any program from being executed from /tmp and prevent suid.
/dev/md3 /home ext3 defaults,usrquota,grpquota 1 2
/dev/md4 /tmp ext3 defaults,nosuid,noexec 1 2
Follow the remaining steps in the Fedora guide.
Also, CentOS ships with dovecot; this seems to work fine out of the box, however if you want to provide IMAP services you will need to edit its config file.
There's also quite a lot we can remove to help make the server more secure. The less there is on the system, the better: by removing everything we don't need we hopefully remove any security problems that might come up in the future, or take away tools a hacker might use. If you find you need something, you can always install it later.
Remove the power manager and its agents: we don't want the system sleeping on us (also disable it in the BIOS).
yum remove apmd acpid
yum remove samba-client system-config-samba samba-common samba
yum remove finger
Remove the CUPS printing service.
yum remove cups
Remove ISDN tools.
yum remove isdn4k-utils
Stop netplugd if you don't need it (chkconfig --level 12345 netplugd off).
Remove ypbind (NIS client/server).
yum remove ypbind
Remove Squid proxy server.
yum remove squid
yum remove autofs
Remove Network File System.
yum remove nfs-utils system-config-nfs
yum remove tux
If you're not using RAID, remove these.
yum remove mdadm
Remove infrared tools.
yum remove irda-utils
yum remove pcmcia-cs
Remove RPC services.
yum remove portmap
Remove kernel netdump.
yum remove netdump
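An added audit check for the fstab options above and the package removals above (example code, not from the original post): it reads an fstab-format file and reports a mount point that lacks the expected options, and compares a list of installed package names against the removal list so a forgotten package shows up. Paths, function names and the package list are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit the two hardening steps
# above. check_fstab_opts reports a mount point lacking the expected options
# (nosuid,noexec on /tmp; the quota options on /home); check_leftover_pkgs
# compares installed package names against the removal list. Assumed paths.

# has_opt OPTLIST OPT: true if OPT appears in the comma-separated list.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# check_fstab_opts FSTAB MOUNTPOINT OPT...: print each missing option as
# "MOUNTPOINT missing OPT"; return 1 if anything is missing.
check_fstab_opts() {
    fstab="$1"; mp="$2"; shift 2
    # field 4 of a non-comment fstab line is the mount option list
    opts=$(awk -v mp="$mp" '$1 !~ /^#/ && $2 == mp { print $4 }' "$fstab")
    [ -n "$opts" ] || { echo "$mp not found in $fstab"; return 1; }
    rc=0
    for o in "$@"; do
        has_opt "$opts" "$o" || { echo "$mp missing $o"; rc=1; }
    done
    return $rc
}

# check_leftover_pkgs INSTALLED_FILE PKG...: INSTALLED_FILE holds one package
# name per line (as from: rpm -qa --qf '%{NAME}\n'); print any PKG present.
check_leftover_pkgs() {
    installed="$1"; shift
    rc=0
    for p in "$@"; do
        grep -qx "$p" "$installed" && { echo "$p still installed"; rc=1; }
    done
    return $rc
}

# The packages removed in the post (minus mdadm, which a RAID box keeps).
REMOVE_LIST="apmd acpid samba-client system-config-samba samba-common samba
finger cups isdn4k-utils ypbind squid autofs nfs-utils system-config-nfs tux
irda-utils pcmcia-cs portmap netdump"

if [ "$#" -gt 0 ]; then
    # Usage: ./audit.sh /etc/fstab   (needs rpm for the package check)
    check_fstab_opts "$1" /tmp nosuid noexec
    check_fstab_opts "$1" /home usrquota grpquota
    pkgs=$(mktemp) && rpm -qa --qf '%{NAME}\n' > "$pkgs"
    check_leftover_pkgs "$pkgs" $REMOVE_LIST; rm -f "$pkgs"
fi
```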
OK, now for hardening the system. I would recommend the following:
Tripwire - Install Tripwire and configure it for your system.
Chkrootkit - Install and configure it to run in cron; make sure you get a copy of the report from the cron job (ensure you receive the system mail).
rkhunter - Does the same job as chkrootkit (looks for rootkits).
Process accounting - Ensure you're watching how much CPU time each user is using; if CPU usage is too high it's a good indicator that there's either a runaway process or something more of a problem, like a password cracker. It can also check for missing time entries in the wtmp files.
Log rotation - Keep lots of logs and email yourself your old log files.
Missing Zlib - Zlib is missing from the CentOS build; you can install it yourself as an RPM (from Dag) or compile it from source.
Install ISPConfig.
Remove compiler tools - Remove gcc and gcc-c++ after installation; this will stop anybody trying to compile their own tools, etc.
Complete the Tripwire install - Create a custom policy once you have installed ISPConfig.
I would be really interested in hearing about anything anyone else has done to help secure their system, or if you know of any more packages that can be removed to keep the system as basic as possible.