Activate the available shields to protect your server

The default CentOS security has progressed since CentOS 6, but in my opinion there are still some things that need to be tightened a bit more.

Prerequisites and Scope

Well, it has been objected, regarding my previous article about Securing CentOS 6 installation, that the way I provided the scripts applying modifications to the default CentOS installation was bad practice, because it amounted to piping a script into a shell and executing it blind. On this particular point, let me be particularly clear: it is your responsibility to read and verify that the actions described in the puppet module match what is written on this page. I really do think that the effort put into making the documentation clear, and the fact that the repository is wide open, should play in my favor.

That being said, in order to start using the puppet module, you need to have puppet and git installed on your server (that should obviously run CentOS 7):

yum localinstall http://yum.puppetlabs.com/puppetlabs-release-el-7.noarch.rpm
yum install -y puppet git

Now, clone my module:

git clone https://legeek@bitbucket.org/legeek/bkraft-securingc7.git

Careful: Puppet recently moved to version 4.0 and, as my manifests aren't that nicely written, the DSL change matters. Be sure to check out the master branch if you're using Puppet 3.8 and the puppet4.0 branch if you're using Puppet >4.0.

Obviously, if you are running a puppet master, use classes as you like.

Unnecessary services

Rather than stopping, disabling and deleting packages like I suggested in Securing CentOS 6 installation, here I'll skip the uninstallation phase because of dependencies between some packages that I'll use later on (NetworkManager/Firewalld and Fail2ban). I'll just disable and stop them. Here's the list of the services that will be disabled and stopped:

  • iprinit
  • iprupdate
  • iprdump
  • avahi-daemon
  • NetworkManager
  • firewalld

This is done in bkraft-securingcentos7/manifests/services.pp. If you want to apply only this part, run the following:

puppet apply --modulepath /path/to/modulesdir -e 'include bkraft-securingc7::services'

Protecting SSH service

Installing fail2ban is straightforward, but as I chose to disable firewalld (I don't want to use either NetworkManager or firewalld on production servers, but that discussion is way out of the scope of this documentation), the legacy iptables init scripts now need to be reinstalled. This is achieved by installing the iptables-scripts package.

Please note that the default configuration file for fail2ban is replaced by the one provided in this module at bkraft-securingcentos7/files/fail2ban-jail.conf, which only ignores failed attempts from localhost. You might want to broaden the ignored hosts to your management nodes, if you have any.

This part is done in bkraft-securingcentos7/manifests/fail2ban.pp. If you want to apply only this part, run the following:

puppet apply --modulepath /path/to/modulesdir -e 'include bkraft-securingc7::fail2ban'

On top of installing this wonderful daemon that fail2ban is, we still need to make some changes to OpenSSH's core configuration file:

  • Prevent root login
  • Change the default banner to the contents of /etc/issue (this will be changed in another part of this module)
  • Change the default SSH key size from 1024 to 2048 (although default keys were generated with 2048 bits)
  • Lower the number of failed connection attempts before exiting
  • Enforce Protocol 2
  • Enable strict mode
  • Disable tcp forwarding
  • Disable X11 forwarding

A note on the method used to make this modification in the puppet module: I was pretty disappointed with augeas, because I found it very complex to uncomment lines and also to match key:value pairs, so I just went for an ugly in-place update. Yep, I could have used sed.

This part is done in bkraft-securingcentos7/manifests/openssh.pp. If you want to apply only this part, run the following:

puppet apply --modulepath /path/to/modulesdir -e 'include bkraft-securingc7::openssh'
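Since the module rewrites sshd_config in place, a practitioner will want to verify the result. The following POSIX shell audit is an added example, not code from this post or from the bkraft-securingc7 module; it assumes the "default SSH key size" setting is ServerKeyBits and picks 3 as the MaxAuthTries threshold, since the post only says the count is lowered.

```shell
#!/bin/sh
# Added example, not code from the bkraft-securingc7 module: audit an
# sshd_config against the settings openssh.pp enforces. MAX_AUTH_TRIES is an
# assumed threshold; the post only says the attempt count is lowered.
MAX_AUTH_TRIES=3

# Directives with the values the module writes (ServerKeyBits is assumed to
# be the "default SSH key size" setting mentioned in the post).
EXPECTED="PermitRootLogin=no
Banner=/etc/issue
ServerKeyBits=2048
Protocol=2
StrictModes=yes
AllowTcpForwarding=no
X11Forwarding=no"

# sshd_setting FILE KEY: print the effective value of KEY. sshd honours the
# first uncommented occurrence, so stop at the first match; keys are
# case-insensitive. Commented lines start with '#' and never match.
sshd_setting() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# audit_sshd_config FILE: print one FAIL line per deviation and return the
# number of deviations (0 means the file matches the hardening list).
audit_sshd_config() {
    file="$1"; fails=0
    for pair in $EXPECTED; do
        key="${pair%%=*}"; want="${pair#*=}"
        have="$(sshd_setting "$file" "$key")"
        if [ "$have" != "$want" ]; then
            echo "FAIL $key: have '${have:-<unset>}', want '$want'"
            fails=$((fails + 1))
        fi
    done
    # MaxAuthTries must be set explicitly and be at most MAX_AUTH_TRIES.
    tries="$(sshd_setting "$file" MaxAuthTries)"
    if [ -z "$tries" ] || [ "$tries" -gt "$MAX_AUTH_TRIES" ]; then
        echo "FAIL MaxAuthTries: have '${tries:-<unset>}', want <= $MAX_AUTH_TRIES"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Usage: audit_sshd_config /etc/ssh/sshd_config
```

Run it after `puppet apply` and again after any later edit to sshd_config; a non-zero exit code lists exactly which directives drifted.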

Setting up rights and general configuration

This part will:

  • Enforce a minimum password length of 9 characters
  • Set up automatic disconnection of users after 15 minutes of inactivity
  • Enforce default umask to 027
  • Prevent cron and at access to all users but root
  • Put a big scary text in /etc/issue
  • Narrow down rights on /root, /var/log/audit, /etc/skel, /sbin/iptables

Also, we’re going to customize sysctl with the following:

  • net.ipv4.ip_forward = 0
  • net.ipv4.conf.all.send_redirects = 0
  • net.ipv4.conf.default.send_redirects = 0
  • net.ipv4.conf.all.accept_redirects = 0
  • net.ipv4.conf.all.secure_redirects = 0
  • net.ipv4.conf.default.accept_redirects = 0
  • net.ipv4.conf.default.secure_redirects = 0
  • net.ipv4.tcp_max_syn_backlog = 2048
  • net.ipv4.icmp_echo_ignore_broadcasts = 1
  • net.ipv4.conf.all.accept_source_route = 0
  • net.ipv4.conf.default.accept_source_route = 0
  • net.ipv4.conf.all.log_martians = 1
  • net.ipv4.icmp_ignore_bogus_error_responses = 1
  • net.ipv4.tcp_syncookies = 1
  • net.ipv4.conf.all.rp_filter = 1
  • net.ipv4.conf.default.rp_filter = 1
  • net.ipv4.tcp_timestamps = 0

Finally, let's blacklist some unnecessary kernel modules, as they are (imho) useless on a production server:

  • pcspkr
  • btusb
  • bluetooth
  • rfkill
  • floppy

This part is done in bkraft-securingcentos7/manifests/general.pp. If you want to apply only this part, run the following:

puppet apply --modulepath /path/to/modulesdir -e 'include bkraft-securingc7::general'
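A sysctl.conf entry and a modprobe blacklist only describe intent; whether the running kernel actually honours them is a separate question (a blacklisted module that was loaded at boot stays loaded until unloaded or a reboot). The following POSIX shell audit is an added example, not code from this post or from the bkraft-securingc7 module; it reads /proc directly, so it needs no root, and PROC_ROOT is an assumed hook so the functions can be pointed at a constructed tree.

```shell
#!/bin/sh
# Added example, not code from the bkraft-securingc7 module: audit the running
# kernel against the sysctl list and module blacklist from general.pp.
PROC_ROOT="${PROC_ROOT:-/proc}"   # assumed hook; tests point it at a fake tree
WANTED_SYSCTL="net.ipv4.ip_forward=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.tcp_max_syn_backlog=2048
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.log_martians=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.tcp_timestamps=0"
BLACKLISTED_MODULES="pcspkr btusb bluetooth rfkill floppy"
# audit_sysctl: a key maps to $PROC_ROOT/sys/<key with dots as slashes>;
# print one FAIL line per deviation and return the deviation count.
audit_sysctl() {
    fails=0
    for pair in $WANTED_SYSCTL; do
        key="${pair%%=*}"; want="${pair#*=}"
        have="$(cat "$PROC_ROOT/sys/$(printf '%s' "$key" | tr . /)" 2>/dev/null || true)"
        if [ "$have" != "$want" ]; then
            echo "FAIL $key: have '${have:-<absent>}', want '$want'"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}
# audit_modules: report blacklisted modules still listed in $PROC_ROOT/modules
# (first field is the module name); return how many are loaded.
audit_modules() {
    fails=0
    for mod in $BLACKLISTED_MODULES; do
        if awk -v m="$mod" '$1 == m { f = 1 } END { exit !f }' "$PROC_ROOT/modules" 2>/dev/null; then
            echo "FAIL module $mod is still loaded (unload it or reboot)"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}
```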

Delete unnecessary users

Last part: let's delete unnecessary users. These are the ones removed:

  • shutdown
  • halt
  • games
  • operator
  • ftp
  • gopher
  • lp

This part is done in bkraft-securingcentos7/manifests/users.pp. If you want to apply only this part, run the following:

puppet apply --modulepath /path/to/modulesdir -e 'include bkraft-securingc7::users'

Final words

Should you want to apply all of this, it is possible in one shot, but remember (or reread) the first warning on this page. The configuration applied here might break parts of your running environment, and I really invite you to read the source of this puppet module. Anyway, should you agree with everything that is done, you can apply the complete module this way:

puppet apply --modulepath /path/to/modulesdir -e 'include bkraft-securingc7'

Why use puppet and not the classical scripts like I provided in the Securing CentOS 6 installation? Simply because this module can be re-run at will and will check the state of the specifications. Also, I sometimes noticed that copying/pasting things like cat > file <<EOF just doesn't work. Why not Chef? Bah, sorry, this module is easy (and poorly written), so you can port it to a Chef recipe if you want.


Created on 2015-02-23
