{"id":5003,"date":"2015-08-02T16:56:13","date_gmt":"2015-08-02T08:56:13","guid":{"rendered":"http:\/\/rmohan.com\/?p=5003"},"modified":"2015-08-03T17:22:39","modified_gmt":"2015-08-03T09:22:39","slug":"centos-7-redhat-installation-best-practice","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=5003","title":{"rendered":"CentOS 7 – Redhat Installation Best practice"},"content":{"rendered":"

Partitioning<\/h1>\n
\n

By separating file systems into various partitions, you can fine tune permissions and functionality. Doing so will provide you greater granularity for permissions, as well as adding a layer of security for any potential bad guys to work through.<\/p>\n

Steve Grubb suggests, and quite rightly so, that areas where users have write privileges be kept on their own partition. This allows you to prevent hard link privilege escalation attempts, prevent creative device additions, and other unsavory behavior.<\/p>\n

Once you have your partitions broken out and sized accordingly, you can begin to restrict the various mount points as much as possible. You should add nodev, noexec, and nosuid wherever possible. An example of a decently restricted \/etc\/fstab file is below:<\/p>\n

  Disk OS with LVM (required)\r\n  Disks data with LVM (required)<\/pre>\n
\n\n\n\n\n\n\n\n\n\n\n\n
<\/th>\ntype<\/th>\nname<\/th>\nsize<\/th>\nmount point<\/th>\n<\/tr>\n
disk 1 (18GB)<\/td>\nstatic<\/td>\n\/dev\/sda1<\/td>\n512M<\/td>\n\/boot<\/td>\n<\/tr>\n
<\/td>\nLVM<\/td>\n\/dev\/mapper\/rootvg-root<\/td>\n2G<\/td>\n\/<\/td>\n<\/tr>\n
<\/td>\nLVM<\/td>\n\/dev\/mapper\/rootvg-usr<\/td>\n6G<\/td>\n\/usr<\/td>\n<\/tr>\n
<\/td>\nLVM<\/td>\n\/dev\/mapper\/rootvg-var<\/td>\n2G<\/td>\n\/var<\/td>\n<\/tr>\n
<\/td>\nLVM<\/td>\n\/dev\/mapper\/rootvg-opt<\/td>\n1G<\/td>\n\/opt<\/td>\n<\/tr>\n
<\/td>\nLVM<\/td>\n\/dev\/mapper\/rootvg-tmp<\/td>\n2G<\/td>\n\/tmp<\/td>\n<\/tr>\n
<\/td>\nLVM<\/td>\n\/dev\/mapper\/rootvg-home<\/td>\n2G<\/td>\n\/home<\/td>\n<\/tr>\n
<\/td>\nLVM<\/td>\n\/dev\/mapper\/rootvg-swap<\/td>\n2G<\/td>\nswap<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
|disk2|LVM|\/dev\/mapper\/datavg-data|10G|\/data|<\/p>\n<\/div>\n
Modifying fstab<\/h3>\n
\n
Once you have your partitions broken out and sized accordingly, you can begin to restrict the various mount points as much as possible. You should add nodev, noexec, and nosuid wherever possible.<\/p>\n
An example of a decently restricted \/etc\/fstab file is below:<\/strong><\/p>\n
\/dev\/mapper\/rootvg-root \/                       ext4    defaults        1 1\r\n\/dev\/sda1               \/boot                   ext4    defaults,nosuid,noexec,nodev        1 2\r\n\/dev\/mapper\/rootvg-home \/home                   ext4    defaults,nosuid,nodev        1 2\r\n\/dev\/mapper\/rootvg-opt  \/opt                    ext4    defaults        1 2\r\n\/dev\/mapper\/rootvg-tmp  \/tmp                    ext4    defaults,nosuid,noexec,nodev        1 2\r\n\/dev\/mapper\/rootvg-usr  \/usr                    ext4    defaults        1 2\r\n\/dev\/mapper\/rootvg-var  \/var                    ext4    defaults,nosuid        1 2\r\n\/dev\/mapper\/rootvg-swap swap                    swap    defaults        0 0\r\n\/dev\/mapper\/reposvg-reposlv \/repos              ext4    defaults        1 2\r\n\/dev\/mapper\/reposvg-repcentoslv \/repos\/CentOS   ext4    defaults        1 2\r\n\/dev\/mapper\/reposvg-weblv        \/var\/www ext4      defaults,nosuid,nodev  1 2<\/pre>\n<\/div>\n
Install additional packages<\/h2>\n
\n
Adapt the yum repositories in \/etc\/yum.repos.d\/ to be able to reach the right repositories
\nAdd ntp and net-tools (for ifconfig command), and other utilities<\/p>\n
yum -y install ntp\r\nyum -y install telnet             #(client only to debug)\r\nyum -y install net-tools          #(ifconfig, arp, netstat)\r\nyum -y install lsof\r\nyum -y install mlocate            #(locate)\r\nyum -y install bind-utils         #(host, nslookup)\r\nyum -y install open-vm-tools      #(VMware Tools)\r\nyum -y install sg3_utils          #(scsi-rescan)\r\nyum -y install cpulimit           #(limit CPU usage per process)\r\nyum -y install nmap-ncat          # nc command<\/pre>\n<\/div>\n
List and remove unused services<\/h2>\n
\n
On Redhat and CentOS 7, some services are interesting, but more related to mobility than static production, so I’ve disabled some services to replace by their older versions:<\/p>\n
NetworkManager.service (network service) I use network.service<\/strong>
\nchronyd.service (NTP service) I use ntpd.service<\/strong>
\nfirewalld.service (firewall service) I use iptable.service<\/strong> and ip6tables.services<\/em><\/p>\n
[root@centos7 ~]#<\/span> systemctl list-unit-files | egrep -i \"firew|Network|chrony|postfix|tables|bluetooth\"<\/span>\r\nchrony-wait.service                        disabled<\/span>\r\nchronyd.service                            enabled<\/span>\r\nfirewalld.service                          disabled<\/span>\r\nNetworkManager-dispatcher.service          disabled<\/span>\r\nNetworkManager-wait-online.service         disabled<\/span>\r\nNetworkManager.service                     disabled<\/span>\r\npostfix.service                            disabled<\/span>\r\nnetwork-online.target                      static<\/span>\r\nnetwork.target                             static<\/span>\r\niptables.service                           disabled<\/span>\r\nip6tables.service                          disabled<\/span>\r\nbluetooth.service                          disabled<\/span>\r\nbluetooth.target                           static<\/span>\r\n\r\n[root@centos7 ~]#<\/span> systemctl list-units | grep network<\/span>\r\nnetwork.service                               loaded active exited    LSB: Bring up\/down networking<\/span>\r\nrhel-import-state.service                     loaded active exited    Import network configuration from initramfs<\/span>\r\nnetwork.target                                loaded active active    Network<\/span>\r\n<\/pre>\n<\/div>\n
Disable unused services<\/h3>\n
\n
Example of disable\/enable services:<\/p>\n
[root@centos7 ~]#<\/span> for i in NetworkManager.service postfix.service firewalld.service chronyd.service bluetooth.service<\/span>\r\ndo<\/span>\r\nsystemctl disable $i<\/span>\r\nsystemctl stop $i<\/span>\r\ndone<\/span>\r\n<\/pre>\n<\/div>\n
Install ntp package and enable some services<\/h3>\n
\n
network.service, ntpd.service, and if needed iptable.service<\/p>\n
[root@centos7 ~]#<\/span> yum -y install ntp<\/span>\r\n[root@centos7 ~]#<\/span> for i in network.service ntpd.service iptable.service<\/span>\r\ndo<\/span>\r\nsystemctl enable $i<\/span>\r\nsystemctl start $i<\/span>\r\ndone<\/span>\r\n[root@centos7 ~]#<\/span> systemctl list-unit-files  | grep \"ntp\"<\/span>\r\nntpd.service                               enabled<\/span>\r\nntpdate.service                            disabled<\/span>\r\n[root@centos7 ~]#<\/span> systemctl list-units | grep \"netw\"<\/span>\r\nnetwork.service                                 loaded active exited    LSB: Bring up\/down networking<\/span>\r\nnetwork.target                                  loaded active active    Network<\/span>\r\n<\/pre>\n
Enable useful services if needed<\/p>\n
[root@centos7 scripts]#<\/span> systemctl enable httpd.service<\/span>\r\nln -s '\/usr\/lib\/systemd\/system\/httpd.service' '\/etc\/systemd\/system\/multi-user.target.wants\/httpd.service'<\/span>\r\n[root@centos7 scripts]#<\/span> systemctl start httpd.service<\/span>\r\n<\/pre>\n<\/div>\n
Remove services that are in LISTEN state<\/h3>\n
\n
In this example, you could disable the rpcbind.service<\/p>\n
[root@centos7 ~]#<\/span> netstat -an | grep LIST<\/span>\r\ntcp        0      0 0.0.0.0:51579           0.0.0.0:*               LISTEN<\/span>\r\ntcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN<\/span>\r\ntcp        0      0 192.168.22.136:80       0.0.0.0:*               LISTEN<\/span>\r\ntcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN<\/span>\r\nunix  2      [ ACC ]     STREAM     LISTENING     14412    @ISCSIADM_ABSTRACT_NAMESPACE<\/span>\r\nunix  2      [ ACC ]     STREAM     LISTENING     10242    \/run\/lvm\/lvmetad.socket<\/span>\r\nunix  2      [ ACC ]     STREAM     LISTENING     16930    @\/tmp\/dbus-wEGN6K01Pn<\/span>\r\nunix  2      [ ACC ]     STREAM     LISTENING     16307    \/tmp\/.X11-unix\/X0<\/span>\r\nunix  2      [ ACC ]     STREAM     LISTENING     17599    \/tmp\/.ICE-unix\/1146<\/span>\r\nunix  2      [ ACC ]     SEQPACKET  LISTENING     10256    \/run\/udev\/control<\/span>\r\nunix  2      [ ACC ]     STREAM     LISTENING     15164    \/var\/run\/lsm\/ipc\/sim<\/span>\r\nunix  2      [ ACC ]     STREAM     LISTENING     15166    \/var\/run\/lsm\/ipc\/simc<\/span>\r\nunix  2      [ ACC ]     STREAM     LISTENING     14413    @ISCSID_UIP_ABSTRACT_NAMESPACE<\/span>\r\nunix  2      [ ACC ]     STREAM     LISTENING     14414    \/var\/run\/avahi-daemon\/socket<\/span>\r\nunix  2      [ ACC ]     STREAM     LISTENING     14417    \/var\/run\/rpcbind.sock<\/span>\r\nunix  2      [ ACC ]     STREAM     LISTENING     16306    @\/tmp\/.X11-unix\/X0<\/span>\r\nunix  2      [ ACC ]     STREAM     LISTENING     8042     \/run\/systemd\/private<\/span>\r\nunix  2      [ ACC ]     STREAM     LISTENING     18796    \/run\/user\/42\/pulse\/native<\/span>\r\nunix  2      [ ACC ]     STREAM     LISTENING     1388     \/run\/systemd\/journal\/stdout<\/span>\r\nunix  2      [ ACC ]     STREAM     LISTENING     17778    \/var\/run\/rpcbind.sock<\/span>\r\nunix  2      [ ACC ]     STREAM     LISTENING     14458    \/var\/run\/dbus\/system_bus_socket<\/span>\r\nunix  2      [ ACC ]     STREAM     LISTENING     18556    \/var\/run\/libvirt\/libvirt-sock<\/span>\r\nunix  2      [ ACC ]     STREAM     LISTENING     18558    \/var\/run\/libvirt\/libvirt-sock-ro<\/span>\r\nunix  2      [ ACC ]     STREAM     LISTENING     17598    @\/tmp\/.ICE-unix\/1146<\/span>\r\nunix  2      [ ACC ]     STREAM     LISTENING     16036    \/var\/run\/abrt\/abrt.socket<\/span>\r\nunix  2      [ ACC ]     STREAM     LISTENING     17418    @\/tmp\/dbus-0PYMRpYu<\/span>\r\nunix  2      [ ACC ]     STREAM     LISTENING     16892    @\/tmp\/dbus-bKDTQeVf<\/span>\r\nunix  2      [ ACC ]     STREAM     LISTENING     16893    @\/tmp\/dbus-Skwj1TBB<\/span>\r\nunix  2      [ ACC ]     STREAM     LISTENING     17543    @\/tmp\/dbus-qVKMoS2bff<\/span>\r\nunix  2      [ ACC ]     STREAM     LISTENING     18410    @\/tmp\/dbus-V9cHUqaM<\/span>\r\nunix  2      [ ACC ]     STREAM     LISTENING     17419    @\/tmp\/dbus-9XjDfCN8<\/span>\r\n[root@centos7 ~]#<\/span> lsof -i :111<\/span>\r\nCOMMAND  PID USER   FD   TYPE DEVICE SIZE\/OFF NODE NAME<\/span>\r\nrpcbind 1243  rpc    7u  IPv4  17780      0t0  UDP *:sunrpc<\/span>\r\nrpcbind 1243  rpc    9u  IPv4  17782      0t0  TCP *:sunrpc (LISTEN)<\/span>\r\n[root@lstor2rrd ~]#<\/span> systemctl list-unit-files  | egrep -i \"rpc\"<\/span>\r\nvar-lib-nfs-rpc_pipefs.mount               static<\/span>\r\nrpcbind.service                            enabled<\/span>\r\nrpcgssd.service                            disabled<\/span>\r\nrpcidmapd.service                          disabled<\/span>\r\nrpcsvcgssd.service                         disabled<\/span>\r\nrpcbind.socket                             enabled<\/span>\r\nrpcbind.target                             static<\/span>\r\n[root@centos7 ~]#<\/span> systemctl list-units  | egrep -i \"rpc\"<\/span>\r\nproc-fs-nfsd.mount                                                                               loaded active mounted   RPC Pipe File System<\/span>\r\nvar-lib-nfs-rpc_pipefs.mount                                                                     loaded active mounted   RPC Pipe File System<\/span>\r\nrpcbind.service                                                                                  loaded active running   RPC bind service<\/span>\r\nrpcbind.socket                                                                                   loaded active running   RPCbind Server Activation Socket <\/span>\r\n<\/pre>\n<\/div>\n
Configure the network<\/h2>\n
\n
Change your ifcfg file located in \/etc\/sysconfig\/network-scripts\/, to add NM_CONTROLLED=no
\nEx:<\/p>\n
[root@centos7 network-scripts]#<\/span> cat \/etc\/sysconfig\/network-scripts\/ifcfg-eno16780032<\/span>\r\nTYPE=Ethernet<\/span>\r\nBOOTPROTO=none<\/span>\r\nDEFROUTE=yes<\/span>\r\nIPV4_FAILURE_FATAL=no<\/span>\r\nIPV6INIT=no<\/span>\r\nIPV6_AUTOCONF=no<\/span>\r\nIPV6_DEFROUTE=no<\/span>\r\nIPV6_FAILURE_FATAL=no<\/span>\r\nDEVICE=eno16780032<\/span>\r\nONBOOT=yes<\/span>\r\nNM_CONTROLLED=no<\/span>\r\nIPADDR=192.168.1.19<\/span>\r\nNETMASK=255.255.255.0<\/span>\r\nGATEWAY=192.168.1.1<\/span>\r\nDNS1=192.168.1.10<\/span>\r\nDNS2=192.168.1.11<\/span>\r\nDOMAIN=centos.org<\/span>\r\nIPV6_PEERDNS=no<\/span>\r\nIPV6_PEERROUTES=no<\/span>\r\n<\/pre>\n
Disable NetworkManager , and enable old network service<\/p>\n
[root@centos7 ~]#<\/span> systemctl disable NetworkManager.service<\/span>\r\n[root@centos7 ~]#<\/span> systemctl stop NetworkManager.service<\/span>\r\n[root@centos7 ~]#<\/span> chkconfig network on<\/span>\r\n[root@centos7 ~]#<\/span> chkconfig --list network<\/span>\r\nnetwork         0:off   1:off   2:on    3:on    4:on    5:on    6:off<\/span>\r\n<\/pre>\n
Check your IP config and routes<\/p>\n
[root@centos7 sysctl.d]#<\/span> ip a<\/span>\r\n1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN<\/span>\r\n    link\/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<\/span>\r\n    inet 127.0.0.1\/8 scope host lo<\/span>\r\n       valid_lft forever preferred_lft forever<\/span>\r\n2: eno16780032: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000<\/span>\r\n    link\/ether 00:50:56:83:33:1e brd ff:ff:ff:ff:ff:ff<\/span>\r\n    inet 192.168.1.19\/24 brd 192.168.21.255 scope global eno16780032<\/span>\r\n       valid_lft forever preferred_lft forever<\/span>\r\n[root@lproxymail sysctl.d]#<\/span> ip route<\/span>\r\ndefault via 192.168.21.250 dev eno16780032<\/span>\r\n169.254.0.0\/16 dev eno16780032  scope link  metric 1002<\/span>\r\n192.168.21.0\/24 dev eno16780032  proto kernel  scope link  src 192.168.21.194<\/span>\r\n<\/pre>\n
For information<\/strong> Due to new network adapter naming convention, you ‘ll find network interface called enp6s0 or enp4s2f0 doesn\u2019t satisfy everybody.
\nEx:<\/p>\n
[root@centos7 ~]#<\/span> dmesg | grep NIC<\/span>\r\n[    2.318327] VMware vmxnet3 virtual NIC driver - version 1.1.30.0-k-NAPI<\/span>\r\n[    2.333886] vmxnet3 0000:0b:00.0 eth0: NIC Link is Up 10000 Mbps<\/span>\r\n[    3.373209] vmxnet3 0000:0b:00.0 eno16780032: NIC Link is Up 10000 Mbps<\/span>\r\n<\/pre>\n
You can switch to the old naming convention eth0, eth1\u2026 by changing boot parameters:<\/p>\n
grubby --update-kernel=ALL --args=\"net.ifnames=0 biosdevname=0\"<\/pre>\n<\/div>\n
Stop IPV6 best practice<\/h2>\n
<\/div>\n
Disable IPV6 on network adapter<\/h3>\n
\n
On most current OS<\/abbr>, IPV6 is activate by default. It wouldn’t be a good practice to completely unload the kernel module, but better disable it for most applications. You have to know that some application, like SELINUX will load IPV6 module if needed!<\/p>\n
Create a file \/etc\/sysctl.d\/98-disable_ipv6.conf<\/p>\n
[root@centos7 ~]#<\/span> cat \/etc\/sysctl.d\/98-disable_ipv6.conf<\/span>\r\nnet.ipv6.conf.all.disable_ipv6 = 1<\/span>\r\nnet.ipv6.conf.default.disable_ipv6 = 1 <\/span>\r\n<\/pre>\n
To disable in the running system:<\/p>\n
[root@centos7 ~]#<\/span> echo 1 > \/proc\/sys\/net\/ipv6\/conf\/all\/disable_ipv6<\/span>\r\n[root@lstor2rrd ~]#<\/span> echo 1 > \/proc\/sys\/net\/ipv6\/conf\/default\/disable_ipv6<\/span>\r\n<\/pre>\n
or<\/p>\n
[root@centos7 ~]#<\/span> sysctl -w net.ipv6.conf.all.disable_ipv6=1<\/span>\r\n[root@lstor2rrd ~]#<\/span> sysctl -w net.ipv6.conf.default.disable_ipv6=1<\/span>\r\n<\/pre>\n<\/div>\n
Disable IPV6 on SSH server<\/h3>\n
\n
If problems with X forwarding are encountered on systems with IPv6 disabled, edit \/etc\/ssh\/sshd_config and make either of the following changes:<\/p>\n
(1) Change the line<\/p>\n
#AddressFamily any<\/p>\n
to<\/pre>\n
AddressFamily inet<\/p>\n
(inet is ipv4 only; inet6 is ipv6 only)<\/p>\n
or<\/p>\n
(2) Remove the hash mark (#) in front of the line<\/p>\n
#ListenAddress 0.0.0.0<\/p>\n
Then restart ssh.<\/p>\n
systemctl restart sshd.service<\/pre>\n<\/div>\n
Disable IPV6 on postfix<\/h3>\n
\n
If problems with starting postfix are encountered on systems with IPv6 disabled, either<\/p>\n
edit \/etc\/postfix\/main.cf and comment out the localhost part of the config and use ipv4 loopback.<\/p>\n
#<\/span>inet_interfaces = localhost<\/span>\r\ninet_interfaces = 127.0.0.1<\/span>\r\n<\/pre>\n<\/div>\n
Disable IPV6 on NTP client<\/h3>\n
\n
Edit the file \/etc\/ntp.conf, and comment the line related to IPV6<\/p>\n
#<\/span> restrict ::1<\/span>\r\n<\/pre>\n<\/div>\n
Disable IPV6 on RPCBIND<\/h3>\n
\n
To disable RPCBIND ipv6 (rpcbind, rpc.mountd, prc.statd) remark out the udp6 and tcp6 lines in \/etc\/netconfig:<\/p>\n
udp        tpi_clts      v     inet     udp     -       -\r\ntcp        tpi_cots_ord  v     inet     tcp     -       -\r\n#udp6      tpi_clts      v     inet6    udp     -       -\r\n#tcp6      tpi_cots_ord  v     inet6    tcp     -       -\r\nrawip      tpi_raw       -     inet      -      -       -\r\nlocal      tpi_cots_ord  -     loopback  -      -       -\r\nunix       tpi_cots_ord  -     loopback  -      -       -<\/pre>\n<\/div>\n","protected":false},"excerpt":{"rendered":"
Partitioning <\/p>\n
By separating file systems into various partitions, you can fine tune permissions and functionality. Doing so will provide you greater granularity for permissions, as well as adding a layer of security for any potential bad guys to work through.<\/p>\n
Steve Grubb suggests, and quite rightly so, that areas where users have write privileges be […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[73],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/5003"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5003"}],"version-history":[{"count":1,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/5003\/revisions"}],"predecessor-version":[{"id":5004,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/5003\/revisions\/5004"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5003"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5003"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5003"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}