Secure CentOS Linux with iptables

Linux Firewall

iptables is the packet filter built into the Linux kernel and the standard firewall on CentOS. Use the ruleset below as a starting point: it drops everything by default and only opens the services you explicitly list.

Save the ruleset to /etc/sysconfig/iptables, which the iptables service loads at boot, and apply it with `service iptables restart`. Because the default policies are DROP, do this from a console session (or with a fallback) so a mistake cannot lock you out of a remote host.

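# Edit the ruleset the iptables service loads at boot (iptables-save format).
vi /etc/sysconfig/iptables
# Apply and verify. The default policies in this ruleset are DROP, so run this
# from a console (or with a fallback that stops the firewall after a timeout)
# so that a typo cannot lock you out of a remote host.
service iptables restart
iptables -L -n -v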

Secure IPTables Configuration:

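*filter
# Default policy: drop anything no rule below accepts. FORWARD is dropped
# because this host is not a router (net.ipv4.ip_forward = 0 in sysctl.conf).
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]

## Block IPs here
# Template only. iptables-restore rejects the WHOLE file if a literal
# "xxx.xxx.xxx.xxx" is left in, so the rule is commented out: replace the
# address (203.0.113.5 is a documentation-range example) and drop the '#'.
#-A INPUT -s 203.0.113.5 -j DROP

# Drop fragments early ("-f" matches second and later fragments only).
# Note: this also discards fragmented large UDP replies such as big DNS answers.
-A INPUT -i eth0 -f -j DROP
-A INPUT -i lo -j ACCEPT

# Discard packets conntrack cannot classify before any ACCEPT rule runs.
-A INPUT -m state --state INVALID -j DROP

# Allow inbound echo-request (ping). Replies to our own traffic and ICMP
# errors for tracked connections are covered by RELATED,ESTABLISHED below.
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Malformed / scan-style TCP flag combinations (NULL, XMAS, SYN+FIN, ...).
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DROP
-A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP

# A NEW TCP connection must begin with a bare SYN. This rule has to come
# BEFORE the per-port ACCEPTs: those match "--state NEW" regardless of flags,
# so placed after them (as in the original ordering) it never sees traffic to
# the open ports.
-A INPUT -p tcp -m tcp -m state ! --tcp-flags FIN,SYN,RST,ACK SYN --state NEW -j DROP

## Open all your needed ports here
# SSH (22) is deliberately NOT opened by this template. If you administer the
# host over SSH, add a rule for it (ideally restricted with -s to your admin
# network) BEFORE loading this file or you will be locked out. Example:
#-A INPUT -p tcp -m state -m tcp -s 203.0.113.0/24 --dport 22 --state NEW -j ACCEPT
# SMTP is open to the world; remove it if this host does not receive mail.
-A INPUT -p tcp -m state -m tcp --dport 25 --state NEW -j ACCEPT
-A INPUT -p tcp -m state -m tcp --dport 80 --state NEW -j ACCEPT

## Allow your IPs here
# Webmin (TCP 10000) from the admin network only. Same placeholder rule as
# above: fill in the real network and remove the leading '#'.
#-A INPUT -p tcp -m state -m tcp -s 203.0.113.0/24 --dport 10000 --state NEW -j ACCEPT

# Log (rate-limited) what is about to hit the default DROP, so lockouts and
# scans show up in the kernel log instead of vanishing silently.
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables INPUT drop: " --log-level 4
-A INPUT -f -j DROP

# Outbound: loopback plus anything this host initiates. RELATED is not
# included for tcp/udp, so helper-created secondary connections (e.g. passive
# FTP data) will be dropped outbound; add it if you need them.
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT

# No NAT is performed; the table is declared so a reload leaves it in a known
# (empty, ACCEPT) state.
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

# No packet mangling either; declared for the same reason as *nat.
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT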

Secure CentOS with sysctl.conf

Harden the kernel's network and memory settings with sysctl. Rather than blindly replacing /etc/sysctl.conf, merge the settings below into it, check each one against your kernel version and workload, and apply them with `sysctl -p`; some keys only exist on RHEL/CentOS kernels or when IPv6 is enabled.

 

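# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.
#
# Apply with "sysctl -p". A key that does not exist on the running kernel
# (e.g. kernel.exec-shield outside RHEL/CentOS kernels, or net.ipv6.* when
# IPv6 is disabled) is reported as an error for that line only; the rest
# still load. "conf.default" settings apply to interfaces created after the
# values are set, "conf.all" to interfaces that already exist, which is why
# the IPv4 entries set both.

# This host is not a router: never forward packets between interfaces.
net.ipv4.ip_forward = 0

# Reverse-path filtering: drop packets whose source address would not be
# routed back out of the interface they arrived on (anti-spoofing).
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Ignore source-routed packets (they let the sender dictate the return path).
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Disable the magic SysRq key; append the PID to core dump file names.
kernel.sysrq = 0
kernel.core_uses_pid = 1

# SYN-flood resistance: fewer SYN-ACK retransmits, and SYN cookies when the
# listen backlog fills instead of dropping new connections.
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syncookies = 1

# ICMP redirects can rewrite this host's routing table: neither send nor
# accept them. With accept_redirects already 0, secure_redirects = 0 just
# removes the exception for redirects from known gateways.
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

# Do not answer broadcast pings (smurf amplification) and do not log the
# bogus ICMP error responses some devices send.
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Log packets with impossible source addresses (spoofing attempts).
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

########## IPv6 networking start ##############
# The settings below only switched off individual Router Advertisement
# sub-options; accept_ra is the umbrella switch and is set here so a rogue RA
# cannot install routes or addresses at all. ICMPv6 redirects are refused for
# the same reason as the IPv4 ones above.
net.ipv6.conf.default.accept_ra = 0
net.ipv6.conf.default.accept_redirects = 0

# Number of Router Solicitations to send until assuming no routers are present.
# This is a host, not a router.
net.ipv6.conf.default.router_solicitations = 0

# Accept Router Preference in RA?
net.ipv6.conf.default.accept_ra_rtr_pref = 0

# Learn Prefix Information in Router Advertisement
net.ipv6.conf.default.accept_ra_pinfo = 0

# Learn the default router from Router Advertisements (the original comment
# called this "Hop Limit", which is a different knob).
net.ipv6.conf.default.accept_ra_defrtr = 0

# Router advertisements can cause the system to assign a global unicast
# address to an interface; disable stateless autoconfiguration.
net.ipv6.conf.default.autoconf = 0

# How many neighbor solicitations to send out per address?
# NOTE: 0 disables Duplicate Address Detection entirely. That is not a
# hardening measure (it risks silent address conflicts); the kernel default
# is 1. Kept as in the original -- consider removing this line.
net.ipv6.conf.default.dad_transmits = 0

# How many global unicast IPv6 addresses can be assigned to each interface?
net.ipv6.conf.default.max_addresses = 1

########## IPv6 networking ends ##############

# Enable ExecShield protection (RHEL/CentOS kernels only)
kernel.exec-shield = 1
# 2 = randomize stack, mmap base AND heap (brk). The original used 1, which on
# kernels that support brk randomization explicitly switches it off; 2 is the
# usual default on current kernels and older kernels treat any non-zero value
# the same as 1, so it is safe everywhere.
kernel.randomize_va_space = 2

# increase system file descriptor limit
# NOTE: the kernel computes a RAM-based default that is often already higher
# than 65535 -- check "sysctl fs.file-max" first so this line does not LOWER it.
fs.file-max = 65535

# Allow for more PIDs
kernel.pid_max = 65536

# Increase system IP port limits (ephemeral source ports for outbound connections)
net.ipv4.ip_local_port_range = 11000 65000

# Reboot 30 seconds after a kernel panic instead of hanging (unattended servers).
kernel.panic = 30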

CentOS Web server with Latest Apache, PHP and MySQL

Set up a CentOS web server with the latest Apache, PHP and MySQL.

CentOS with Apache PHP MYSQL Webmin

Start from a minimal CentOS installation: fewer installed packages means a smaller attack surface and fewer things to keep patched.

I will use my home directory as the working directory for the downloads in the steps below.

# Work from the home directory; the release RPMs fetched below land here.
cd "$HOME"

Import the CentOS RPM signing keys so rpm and yum can verify package signatures

# Import the CentOS signing keys shipped with the distribution so rpm/yum can
# verify package signatures against them (with gpgcheck=1 yum refuses packages
# whose signature does not match an imported key).
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY*

Update Everything using YUM

# Patch everything before exposing the host; -y answers the confirmation prompt.
yum -y update

Reboot your Server.

# Reboot so that the updated kernel (if the update pulled one in) is the one
# actually running.
reboot

Install Some Required Packages

# Convenience tools. Review this list against what you actually need: nmap is
# a network scanner that is rarely required on a production web server and is
# handy for an attacker who gains a shell -- omit it unless you use it.
# "fileutils" is an obsolete package name (these utilities come from coreutils
# on CentOS 5), so yum may report it as unavailable.
yum install fetchmail wget bzip2 unzip zip nmap openssl lynx fileutils

Setup System Time

# Time synchronisation: accurate clocks matter for log correlation and for
# certificate validity checks.
yum install ntp
# Start ntpd at boot.
chkconfig ntpd on
# One-shot step to pool time first (ntpdate refuses to run once ntpd holds the
# port), then hand over to the daemon.
ntpdate pool.ntp.org
service ntpd start

Install RPMForge Repo

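# RPMForge repository. The signing key is fetched over plain HTTP, so a
# network attacker could hand you their own key and every "verified" package
# afterwards would check out against it. Download the key, compare the
# fingerprint with the one the project publishes through a second channel,
# and only then import it.
wget http://apt.sw.be/RPM-GPG-KEY.dag.txt
gpg --with-fingerprint RPM-GPG-KEY.dag.txt
rpm --import RPM-GPG-KEY.dag.txt
# This is the i386 release package; on a 64-bit install (check uname -m) fetch
# the x86_64 one. The pinned version may have been superseded -- check the listing.
wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el5.rf.i386.rpm
# rpm -K exits non-zero unless the signature verifies against an imported key;
# chaining with && turns a failed check into an aborted install instead of a
# warning that scrolls past.
rpm -K rpmforge-release-0.5.2-2.el5.rf.i386.rpm && rpm -i rpmforge-release-0.5.2-2.el5.rf.i386.rpm

yum clean all
yum update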

Use Remi’s Repo for Latest PHP and MySQL

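# Remi + EPEL. Same caveat as for RPMForge: the Remi key arrives over plain
# HTTP, so check its fingerprint through a second channel before importing.
wget http://rpms.famillecollet.com/RPM-GPG-KEY-remi
gpg --with-fingerprint RPM-GPG-KEY-remi
rpm --import RPM-GPG-KEY-remi
# Pinned versions may have been superseded -- check the directory listings.
wget http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm
wget http://rpms.famillecollet.com/enterprise/remi-release-5.rpm
# Verify both release packages before installing them: rpm -Uvh on its own
# only warns ("NOKEY") and installs anyway. epel-release is signed with the
# EPEL project's key (distributed as RPM-GPG-KEY-EPEL on its mirrors); import
# and fingerprint-check it the same way first, otherwise rpm -K reports
# MISSING KEYS for that package and the && aborts the install.
rpm -K remi-release-5*.rpm epel-release-5*.rpm && rpm -Uvh remi-release-5*.rpm epel-release-5*.rpm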

Enable Remi’s Repo

# Enable the Remi repository permanently. Alternative with less surprise on
# later updates: leave it disabled and use "yum --enablerepo=remi ..." per
# transaction.
nano /etc/yum.repos.d/remi.repo
 
[remi]
# Only flip enabled; leave the stanza's gpgcheck=1 and gpgkey= lines in place
# so packages from this repository are still signature-checked.
enabled=1

Install Apache and PHP Server

# Apache, started in runlevels 2, 3 and 5.
yum install httpd
chkconfig --levels 235 httpd on
# PHP plus the extensions this stack uses (php-mysql is needed by phpMyAdmin).
yum install php php-mysql php-gd php-odbc php-pear php-xml php-xmlrpc curl perl-libwww-perl ImageMagick libxml2
 
## Edit Apache Configuration, if you need.
# Hardening worth doing here before the first start: set ServerName (this
# also silences the FQDN warning apachectl prints later), set ServerTokens
# Prod and ServerSignature Off so the exact server version is not advertised,
# and in /etc/php.ini set expose_php = Off and display_errors = Off for a
# production host.
nano /etc/httpd/conf/httpd.conf

Install MySQL Server

# MySQL server, started in runlevels 2, 3 and 5.
yum install mysql mysql-server
chkconfig --levels 235 mysqld on
/etc/init.d/mysqld start
 
## Change your MySQL Password
# Interactive: sets the root password and offers to remove anonymous users,
# the test database and remote root login -- answer yes to all of them.
mysql_secure_installation
 
## Check if MySQL is running
netstat -tap | grep mysql
 
## Edit MySQL Configuration, if you need.
# The firewall above does not open 3306, but for defence in depth add
# "bind-address = 127.0.0.1" under [mysqld] so the server only listens on
# loopback; the web application and phpMyAdmin on this host are its only
# clients.
nano /etc/my.cnf

Install eAccelerator – a PHP opcode cache that makes PHP scripts load faster

# eAccelerator is a third-party opcode cache loaded into every PHP process;
# check that upstream is still maintained and patched before relying on it in
# production.
yum install php-eaccelerator

Install PhpMyAdmin

# phpMyAdmin gives web access to MySQL as any account it can authenticate as.
# Do not leave it reachable from the whole internet: restrict the alias in the
# Apache snippet the package typically drops into /etc/httpd/conf.d/ to your
# admin IPs (or put it behind HTTPS and authentication) and keep it updated --
# it is a frequent brute-force and exploit target.
yum install phpmyadmin

Start Apache Server

# Restart so the PHP, eAccelerator and phpMyAdmin modules/configuration are
# picked up.
service httpd restart

Check Apache

# Lists loaded modules and checks configuration syntax. Disable modules you do
# not use: each one is attack surface.
apachectl -M

Output

httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
Loaded Modules:
 core_module (static)
 mpm_prefork_module (static)
 ...
Syntax OK

Check PHP

# Confirm the PHP version in use and that eAccelerator is loaded (it is listed
# under the Zend Engine line).
php -v

Output

PHP 5.3.6 (cli) (built: May 16 2011 19:18:00)
Copyright (c) 1997-2011 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2011 Zend Technologies
    with eAccelerator v0.9.6.1, Copyright (c) 2004-2010 eAccelerator, by eAccelerator

Web server with Latest PHP and MySQL is done!

Install Webmin if you want

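# Webmin prerequisites (perl-Net-SSLeay is what lets Webmin serve its UI over SSL).
yum install openssl perl-Net-SSLeay
# Webmin's signing key, fetched over plain HTTP: as with the other repositories,
# verify the fingerprint through a second channel before importing it.
wget http://www.webmin.com/jcameron-key.asc
gpg --with-fingerprint jcameron-key.asc
rpm --import jcameron-key.asc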

Add Webmin Repo

# Create the Webmin repository definition (contents below).
nano /etc/yum.repos.d/webmin.repo

Add This

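[Webmin]
name=Webmin Distribution Neutral
#baseurl=http://download.webmin.com/download/yum
mirrorlist=http://download.webmin.com/download/yum/mirrorlist
enabled=1
# Metadata and packages arrive over plain HTTP; signature checking against the
# key imported above is what protects the download, so state it explicitly
# instead of relying on the [main] default in /etc/yum.conf.
gpgcheck=1
gpgkey=http://www.webmin.com/jcameron-key.asc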

Install Webmin

# Webmin listens on TCP 10000 (SSL by default when perl-Net-SSLeay is present).
# The firewall above only admits that port from the "Allow your IPs" network;
# keep that restriction in place.
yum install webmin