Partitioning
By separating file systems into separate partitions, you can fine-tune permissions and functionality. This gives you greater granularity in permissions and mount options, and adds a layer that any potential bad guys have to work through.
Steve Grubb suggests, and quite rightly so, that areas where users have write privileges be kept on their own partition. Those partitions can then be mounted with nodev and nosuid, which blocks hard-link privilege-escalation attempts, creative device-node additions, and other unsavory behavior.
An example partition layout is below; the matching /etc/fstab is shown in the next section.
OS disk with LVM (required); data disk with LVM (required):

| disk | type | name | size | mount point |
|---|---|---|---|---|
| disk 1 (18GB) | static | /dev/sda1 | 512M | /boot |
| disk 1 | LVM | /dev/mapper/rootvg-root | 2G | / |
| disk 1 | LVM | /dev/mapper/rootvg-usr | 6G | /usr |
| disk 1 | LVM | /dev/mapper/rootvg-var | 2G | /var |
| disk 1 | LVM | /dev/mapper/rootvg-opt | 1G | /opt |
| disk 1 | LVM | /dev/mapper/rootvg-tmp | 2G | /tmp |
| disk 1 | LVM | /dev/mapper/rootvg-home | 2G | /home |
| disk 1 | LVM | /dev/mapper/rootvg-swap | 2G | swap |
| disk 2 | LVM | /dev/mapper/datavg-data | 10G | /data |
Modifying fstab
Once you have your partitions broken out and sized accordingly, you can begin to restrict the various mount points as much as possible. You should add nodev, noexec, and nosuid wherever possible.
An example of a decently restricted /etc/fstab file is below:
```
/dev/mapper/rootvg-root        /             ext4  defaults                      1 1
/dev/sda1                      /boot         ext4  defaults,nosuid,noexec,nodev  1 2
/dev/mapper/rootvg-home        /home         ext4  defaults,nosuid,nodev         1 2
/dev/mapper/rootvg-opt         /opt          ext4  defaults                      1 2
/dev/mapper/rootvg-tmp         /tmp          ext4  defaults,nosuid,noexec,nodev  1 2
/dev/mapper/rootvg-usr         /usr          ext4  defaults                      1 2
/dev/mapper/rootvg-var         /var          ext4  defaults,nosuid               1 2
/dev/mapper/rootvg-swap        swap          swap  defaults                      0 0
/dev/mapper/reposvg-reposlv    /repos        ext4  defaults                      1 2
/dev/mapper/reposvg-repcentoslv /repos/CentOS ext4 defaults                      1 2
/dev/mapper/reposvg-weblv      /var/www      ext4  defaults,nosuid,nodev         1 2
```
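As an added example (not code from the original page), the following shell script audits an fstab against the per-mount-point options recommended above. The policy list, the function names and the sample fstab are this example's own assumptions, modelled on the fstab shown; point it at /etc/fstab to check a real host.

```shell
#!/bin/sh
# Added example, not from the original page: audit an fstab for mount points
# that should carry nodev/noexec/nosuid, and report what is missing.
# The policy below is an assumption modelled on the sample fstab in the text.

# "<mount point> <comma-separated options that must be present>"
FSTAB_POLICY='
/boot nodev,noexec,nosuid
/tmp nodev,noexec,nosuid
/home nodev,nosuid
/var nosuid
/var/www nodev,nosuid
'

# audit_fstab FILE : prints one finding per line ("/boot missing noexec" or
# "/var/www not in fstab"); returns 0 when every policy entry is satisfied, 1 otherwise.
audit_fstab() {
    fstab_file=$1
    report=$(echo "$FSTAB_POLICY" | while read -r mp required; do
        [ -z "$mp" ] && continue
        # fstab fields: device, mount point, type, options, dump, pass
        opts=$(awk -v mp="$mp" '$1 !~ /^#/ && $2 == mp { print $4 }' "$fstab_file")
        if [ -z "$opts" ]; then
            echo "$mp not in fstab"
            continue
        fi
        for opt in $(echo "$required" | tr ',' ' '); do
            case ",$opts," in
                *",$opt,"*) ;;                  # option present
                *) echo "$mp missing $opt" ;;
            esac
        done
    done)
    [ -n "$report" ] && printf '%s\n' "$report"
    [ -z "$report" ]
}

# Constructed sample (not a real fstab): /boot lacks noexec and /var/www is absent.
demo_fstab=$(mktemp)
cat > "$demo_fstab" <<'EOF'
/dev/mapper/rootvg-root /      ext4 defaults                      1 1
/dev/sda1               /boot  ext4 defaults,nosuid,nodev         1 2
/dev/mapper/rootvg-home /home  ext4 defaults,nosuid,nodev         1 2
/dev/mapper/rootvg-tmp  /tmp   ext4 defaults,nosuid,noexec,nodev  1 2
/dev/mapper/rootvg-var  /var   ext4 defaults,nosuid               1 2
/dev/mapper/rootvg-swap swap   swap defaults                      0 0
EOF
audit_fstab "$demo_fstab" || echo "fstab needs attention"
rm -f "$demo_fstab"
# To audit the live system instead: audit_fstab /etc/fstab
```

The check reads the fstab, not the running mounts, so combine it with `findmnt -o TARGET,OPTIONS` after a reboot to confirm the options actually took effect.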
Install additional packages
Adapt the yum repositories in /etc/yum.repos.d/ so the system can reach the right repositories.
Add ntp, net-tools (for the ifconfig command), and other utilities:
```
yum -y install ntp
yum -y install telnet         # client only, to debug
yum -y install net-tools      # ifconfig, arp, netstat
yum -y install lsof
yum -y install mlocate        # locate
yum -y install bind-utils     # host, nslookup
yum -y install open-vm-tools  # VMware Tools
yum -y install sg3_utils      # scsi-rescan
yum -y install cpulimit       # limit CPU usage per process
yum -y install nmap-ncat      # nc command
```
List and remove unused services
On Red Hat and CentOS 7, some services are interesting but more related to mobility than to static production, so I've disabled some services and replaced them with their older versions:
NetworkManager.service (network service): I use network.service
chronyd.service (NTP service): I use ntpd.service
firewalld.service (firewall service): I use iptables.service and ip6tables.service
```
[root@centos7 ~]# systemctl list-unit-files | egrep -i "firew|Network|chrony|postfix|tables|bluetooth"
chrony-wait.service                  disabled
chronyd.service                      enabled
firewalld.service                    disabled
NetworkManager-dispatcher.service    disabled
NetworkManager-wait-online.service   disabled
NetworkManager.service               disabled
postfix.service                      disabled
network-online.target                static
network.target                       static
iptables.service                     disabled
ip6tables.service                    disabled
bluetooth.service                    disabled
bluetooth.target                     static
[root@centos7 ~]# systemctl list-units | grep network
network.service            loaded active exited  LSB: Bring up/down networking
rhel-import-state.service  loaded active exited  Import network configuration from initramfs
network.target             loaded active active  Network
```
Disable unused services
Example of disable/enable services:
```
[root@centos7 ~]# for i in NetworkManager.service postfix.service firewalld.service chronyd.service bluetooth.service
do
  systemctl disable $i
  systemctl stop $i
done
```
Install ntp package and enable some services
network.service, ntpd.service, and if needed iptables.service
```
[root@centos7 ~]# yum -y install ntp
[root@centos7 ~]# for i in network.service ntpd.service iptables.service
do
  systemctl enable $i
  systemctl start $i
done
[root@centos7 ~]# systemctl list-unit-files | grep "ntp"
ntpd.service      enabled
ntpdate.service   disabled
[root@centos7 ~]# systemctl list-units | grep "netw"
network.service   loaded active exited  LSB: Bring up/down networking
network.target    loaded active active  Network
```
Enable useful services if needed
```
[root@centos7 scripts]# systemctl enable httpd.service
ln -s '/usr/lib/systemd/system/httpd.service' '/etc/systemd/system/multi-user.target.wants/httpd.service'
[root@centos7 scripts]# systemctl start httpd.service
```
Remove services that are in LISTEN state
In this example, rpcbind is listening on TCP/UDP port 111 (and on /var/run/rpcbind.sock), so you could disable rpcbind.service. Note that rpcbind.socket is enabled as well, so stop and disable both, and keep them only if the host serves or mounts NFS.
```
[root@centos7 ~]# netstat -an | grep LIST
tcp        0      0 0.0.0.0:51579           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 192.168.22.136:80       0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
unix  2      [ ACC ]     STREAM     LISTENING     14412    @ISCSIADM_ABSTRACT_NAMESPACE
unix  2      [ ACC ]     STREAM     LISTENING     10242    /run/lvm/lvmetad.socket
unix  2      [ ACC ]     STREAM     LISTENING     16930    @/tmp/dbus-wEGN6K01Pn
unix  2      [ ACC ]     STREAM     LISTENING     16307    /tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     17599    /tmp/.ICE-unix/1146
unix  2      [ ACC ]     SEQPACKET  LISTENING     10256    /run/udev/control
unix  2      [ ACC ]     STREAM     LISTENING     15164    /var/run/lsm/ipc/sim
unix  2      [ ACC ]     STREAM     LISTENING     15166    /var/run/lsm/ipc/simc
unix  2      [ ACC ]     STREAM     LISTENING     14413    @ISCSID_UIP_ABSTRACT_NAMESPACE
unix  2      [ ACC ]     STREAM     LISTENING     14414    /var/run/avahi-daemon/socket
unix  2      [ ACC ]     STREAM     LISTENING     14417    /var/run/rpcbind.sock
unix  2      [ ACC ]     STREAM     LISTENING     16306    @/tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     8042     /run/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     18796    /run/user/42/pulse/native
unix  2      [ ACC ]     STREAM     LISTENING     1388     /run/systemd/journal/stdout
unix  2      [ ACC ]     STREAM     LISTENING     17778    /var/run/rpcbind.sock
unix  2      [ ACC ]     STREAM     LISTENING     14458    /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     18556    /var/run/libvirt/libvirt-sock
unix  2      [ ACC ]     STREAM     LISTENING     18558    /var/run/libvirt/libvirt-sock-ro
unix  2      [ ACC ]     STREAM     LISTENING     17598    @/tmp/.ICE-unix/1146
unix  2      [ ACC ]     STREAM     LISTENING     16036    /var/run/abrt/abrt.socket
unix  2      [ ACC ]     STREAM     LISTENING     17418    @/tmp/dbus-0PYMRpYu
unix  2      [ ACC ]     STREAM     LISTENING     16892    @/tmp/dbus-bKDTQeVf
unix  2      [ ACC ]     STREAM     LISTENING     16893    @/tmp/dbus-Skwj1TBB
unix  2      [ ACC ]     STREAM     LISTENING     17543    @/tmp/dbus-qVKMoS2bff
unix  2      [ ACC ]     STREAM     LISTENING     18410    @/tmp/dbus-V9cHUqaM
unix  2      [ ACC ]     STREAM     LISTENING     17419    @/tmp/dbus-9XjDfCN8
[root@centos7 ~]# lsof -i :111
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
rpcbind 1243  rpc    7u  IPv4  17780      0t0  UDP *:sunrpc
rpcbind 1243  rpc    9u  IPv4  17782      0t0  TCP *:sunrpc (LISTEN)
[root@lstor2rrd ~]# systemctl list-unit-files | egrep -i "rpc"
var-lib-nfs-rpc_pipefs.mount   static
rpcbind.service                enabled
rpcgssd.service                disabled
rpcidmapd.service              disabled
rpcsvcgssd.service             disabled
rpcbind.socket                 enabled
rpcbind.target                 static
[root@centos7 ~]# systemctl list-units | egrep -i "rpc"
proc-fs-nfsd.mount             loaded active mounted RPC Pipe File System
var-lib-nfs-rpc_pipefs.mount   loaded active mounted RPC Pipe File System
rpcbind.service                loaded active running RPC bind service
rpcbind.socket                 loaded active running RPCbind Server Activation Socket
```
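The listing above is easier to act on when the TCP listeners are compared against the ports the host is supposed to expose. The following shell script is an added example, not from the original page: it parses netstat -an style output (a constructed sample modelled on the listing above, not a real capture) and reports every listener outside an allowlist. The function names and the allowlist are this example's assumptions; each reported port can then be mapped to its process with lsof -i :PORT as shown above.

```shell
#!/bin/sh
# Added example, not from the original page: compare the TCP sockets in LISTEN
# state against an allowlist of expected ports and report the rest.
# Input is netstat -an style text, so the check also works on a saved capture.

# Constructed sample modelled on the page's netstat output (not a real capture).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:51579           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 192.168.22.136:80       0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp        0      0 192.168.22.136:22       192.168.22.10:50112     ESTABLISHED
unix  2      [ ACC ]     STREAM     LISTENING     14417    /var/run/rpcbind.sock'

# listening_ports : reads netstat -an output on stdin and prints "proto port"
# for every TCP socket in LISTEN state, de-duplicated and sorted.
listening_ports() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, a, ":")      # port follows the last colon (IPv4 or IPv6)
            print $1, a[n]
        }' | LC_ALL=C sort -u
}

# unexpected_listeners "PORT PORT ..." : reads netstat output on stdin and prints
# listeners whose port is not in the space-separated allowlist.
# Returns 1 when something unexpected is listening, 0 otherwise.
unexpected_listeners() {
    allowed=" $1 "
    found=$(listening_ports | while read -r proto port; do
        case "$allowed" in
            *" $port "*) ;;                 # expected service
            *) echo "$proto $port" ;;
        esac
    done)
    [ -n "$found" ] && printf '%s\n' "$found"
    [ -z "$found" ]
}

# Usage: allow only sshd (22) and httpd (80); port 111 (rpcbind) and the
# dynamic port 51579 then show up as candidates to investigate and disable.
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "22 80" \
    || echo "review the listeners above (lsof -i :PORT shows the owning process)"
# On a live host: netstat -an | unexpected_listeners "22 80"
```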
Configure the network
Change your ifcfg file located in /etc/sysconfig/network-scripts/ to add NM_CONTROLLED=no.
Ex:
```
[root@centos7 network-scripts]# cat /etc/sysconfig/network-scripts/ifcfg-eno16780032
TYPE=Ethernet
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=no
IPV6_AUTOCONF=no
IPV6_DEFROUTE=no
IPV6_FAILURE_FATAL=no
DEVICE=eno16780032
ONBOOT=yes
NM_CONTROLLED=no
IPADDR=192.168.1.19
NETMASK=255.255.255.0
GATEWAY=192.168.1.1
DNS1=192.168.1.10
DNS2=192.168.1.11
DOMAIN=centos.org
IPV6_PEERDNS=no
IPV6_PEERROUTES=no
```
Disable NetworkManager, and enable the old network service
```
[root@centos7 ~]# systemctl disable NetworkManager.service
[root@centos7 ~]# systemctl stop NetworkManager.service
[root@centos7 ~]# chkconfig network on
[root@centos7 ~]# chkconfig --list network
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
```
Check your IP config and routes
```
[root@centos7 sysctl.d]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eno16780032: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:50:56:83:33:1e brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.19/24 brd 192.168.21.255 scope global eno16780032
       valid_lft forever preferred_lft forever
[root@lproxymail sysctl.d]# ip route
default via 192.168.21.250 dev eno16780032
169.254.0.0/16 dev eno16780032 scope link metric 1002
192.168.21.0/24 dev eno16780032 proto kernel scope link src 192.168.21.194
```
For information: due to the new network adapter naming convention, you'll find network interfaces called enp6s0 or enp4s2f0, which doesn't satisfy everybody.
Ex:
```
[root@centos7 ~]# dmesg | grep NIC
[    2.318327] VMware vmxnet3 virtual NIC driver - version 1.1.30.0-k-NAPI
[    2.333886] vmxnet3 0000:0b:00.0 eth0: NIC Link is Up 10000 Mbps
[    3.373209] vmxnet3 0000:0b:00.0 eno16780032: NIC Link is Up 10000 Mbps
```
You can switch to the old naming convention eth0, eth1… by changing boot parameters:
```
grubby --update-kernel=ALL --args="net.ifnames=0 biosdevname=0"
```
Stop IPV6 best practice
Disable IPV6 on network adapter
On most current OSes, IPv6 is active by default. It is not good practice to completely unload the kernel module; it is better to disable it for most applications. Be aware that some applications, like SELinux, will load the IPv6 module if needed!
Create a file /etc/sysctl.d/98-disable_ipv6.conf
```
[root@centos7 ~]# cat /etc/sysctl.d/98-disable_ipv6.conf
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
```
To disable in the running system:
```
[root@centos7 ~]# echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
[root@lstor2rrd ~]# echo 1 > /proc/sys/net/ipv6/conf/default/disable_ipv6
```
or
```
[root@centos7 ~]# sysctl -w net.ipv6.conf.all.disable_ipv6=1
[root@lstor2rrd ~]# sysctl -w net.ipv6.conf.default.disable_ipv6=1
```
Disable IPV6 on SSH server
If problems with X forwarding are encountered on systems with IPv6 disabled, edit /etc/ssh/sshd_config and make either of the following changes:
(1) Change the line
#AddressFamily any
to
AddressFamily inet
(inet is ipv4 only; inet6 is ipv6 only)
or
(2) Remove the hash mark (#) in front of the line
#ListenAddress 0.0.0.0
Then restart ssh.
systemctl restart sshd.service
Disable IPV6 on postfix
If problems with starting postfix are encountered on systems with IPv6 disabled, edit /etc/postfix/main.cf, comment out the localhost line and use the IPv4 loopback address instead:
```
#inet_interfaces = localhost
inet_interfaces = 127.0.0.1
```
Disable IPV6 on NTP client
Edit the file /etc/ntp.conf and comment out the line related to IPv6:
```
# restrict ::1
```
Disable IPV6 on RPCBIND
To disable IPv6 for rpcbind (rpcbind, rpc.mountd, rpc.statd), comment out the udp6 and tcp6 lines in /etc/netconfig:
```
udp        tpi_clts       v     inet     udp     -       -
tcp        tpi_cots_ord   v     inet     tcp     -       -
#udp6      tpi_clts       v     inet6    udp     -       -
#tcp6      tpi_cots_ord   v     inet6    tcp     -       -
rawip      tpi_raw        -     inet     -       -       -
local      tpi_cots_ord   -     loopback -       -       -
unix       tpi_cots_ord   -     loopback -       -       -
```
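To confirm that all of the IPv6 changes in this section (sysctl, sshd, postfix, ntp and netconfig) actually landed, the following shell script is an added example, not from the original page. It checks each file for the settings described above under a configurable root directory, so a staged copy can be verified before a reboot and the live host afterwards. The file paths are the ones the text names; the function names, the sample config trees and the "hardened"/"default" labels are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: verify the IPv6-disable settings
# described in the text against a config tree rooted at ROOT ("/" for the live
# host). Helper names and the constructed sample trees are this example's own.

# active_lines FILE : print the non-comment, non-empty lines of FILE (if readable).
active_lines() {
    if [ -r "$1" ]; then
        grep -Ev '^[[:space:]]*(#|$)' "$1" || true
    fi
}

# check_ipv6_config ROOT : prints one finding per line; returns 0 if all checks pass.
check_ipv6_config() {
    root=$1
    findings=$(
        # 1. sysctl: both disable_ipv6 keys must be set to 1 (dots in $key are
        #    regex wildcards, which is harmless for these fixed key names)
        for key in net.ipv6.conf.all.disable_ipv6 net.ipv6.conf.default.disable_ipv6; do
            active_lines "$root/etc/sysctl.d/98-disable_ipv6.conf" \
                | grep -Eq "^[[:space:]]*$key[[:space:]]*=[[:space:]]*1[[:space:]]*$" \
                || echo "sysctl: $key is not set to 1"
        done
        # 2. sshd: AddressFamily inet, or an explicit IPv4 ListenAddress
        active_lines "$root/etc/ssh/sshd_config" \
            | grep -Eq '^(AddressFamily[[:space:]]+inet|ListenAddress[[:space:]]+[0-9.]+)[[:space:]]*$' \
            || echo "sshd: no 'AddressFamily inet' and no IPv4 ListenAddress"
        # 3. postfix: the text replaces 'localhost' with the IPv4 loopback address
        active_lines "$root/etc/postfix/main.cf" \
            | grep -Eq '^inet_interfaces[[:space:]]*=[[:space:]]*localhost' \
            && echo "postfix: inet_interfaces = localhost (use 127.0.0.1)"
        # 4. ntp: the IPv6 loopback restrict line should be commented out
        active_lines "$root/etc/ntp.conf" \
            | grep -Eq '^restrict[[:space:]]+(-6[[:space:]]+)?::1' \
            && echo "ntp: 'restrict ::1' is still active"
        # 5. rpcbind: udp6/tcp6 transports should be commented out in netconfig
        active_lines "$root/etc/netconfig" \
            | grep -Eq '^(udp6|tcp6)[[:space:]]' \
            && echo "netconfig: udp6/tcp6 transports are still enabled"
        true
    )
    [ -n "$findings" ] && printf '%s\n' "$findings"
    [ -z "$findings" ]
}

# write_sample_tree DIR MODE : constructed sample config tree (not a real system);
# MODE "hardened" follows the text, anything else leaves IPv6 enabled everywhere.
write_sample_tree() {
    dir=$1
    mkdir -p "$dir/etc/sysctl.d" "$dir/etc/ssh" "$dir/etc/postfix"
    if [ "$2" = hardened ]; then
        printf 'net.ipv6.conf.all.disable_ipv6 = 1\nnet.ipv6.conf.default.disable_ipv6 = 1\n' \
            > "$dir/etc/sysctl.d/98-disable_ipv6.conf"
        printf '#AddressFamily any\nAddressFamily inet\n' > "$dir/etc/ssh/sshd_config"
        printf '#inet_interfaces = localhost\ninet_interfaces = 127.0.0.1\n' > "$dir/etc/postfix/main.cf"
        printf 'restrict 127.0.0.1\n# restrict ::1\n' > "$dir/etc/ntp.conf"
        printf 'udp tpi_clts v inet udp - -\n#udp6 tpi_clts v inet6 udp - -\n#tcp6 tpi_cots_ord v inet6 tcp - -\n' \
            > "$dir/etc/netconfig"
    else
        : > "$dir/etc/sysctl.d/98-disable_ipv6.conf"
        printf '#AddressFamily any\n#ListenAddress 0.0.0.0\n' > "$dir/etc/ssh/sshd_config"
        printf 'inet_interfaces = localhost\n' > "$dir/etc/postfix/main.cf"
        printf 'restrict 127.0.0.1\nrestrict ::1\n' > "$dir/etc/ntp.conf"
        printf 'udp tpi_clts v inet udp - -\nudp6 tpi_clts v inet6 udp - -\ntcp6 tpi_cots_ord v inet6 tcp - -\n' \
            > "$dir/etc/netconfig"
    fi
}

demo_root=$(mktemp -d)
write_sample_tree "$demo_root" default
echo "== default tree =="
check_ipv6_config "$demo_root" || echo "(findings above need fixing)"
write_sample_tree "$demo_root" hardened
echo "== hardened tree =="
check_ipv6_config "$demo_root" && echo "all IPv6 checks pass"
rm -rf "$demo_root"
# Against the live host: check_ipv6_config /
```

The script only inspects files; the sysctl values in effect are still worth confirming with `sysctl net.ipv6.conf.all.disable_ipv6` after applying the drop-in, since the file is read at boot or on `sysctl --system`.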