Post on 08-Jul-2018
8/19/2019 Hardening CentOS
1/38
Hardening CentOS Linux Servers:The Ninja way
Lorenzo Martínez R. (@lawwait)
Hardening CentOS Linux
© All Rights reserved
Thanks Karanbir!
[root@localhost ~]# whoami
• 13 years of security professional experience
• Integrators -> Vendors -> Entrepreneur
• CTO && Founder www.securizame.com
• ANCITE (www.ancite.es)
• CISSP, CISA
• www.SecurityByDefault.com editor
• Tools: Securewin, amispammer, scalparser
• Twitter: @lawwait, @securizame, @secbydefault
• Email: lorenzo@securizame.com
Why did I choose CentOS?
• Red Hat 8 & 9
• Fedora Core
• LTS Distros: Debian, RHEL, Suse, Ubuntu, ...
• Now: RHEL, CentOS, Scientific Linux, Oracle
What will the server do?
Linux and the NSA
Disabling SELinux
Linux Internals
• Virtual file system /proc
Kernel Parameters
Sysctl Support
Disabling IPv6
/etc/sysctl.conf
net.ipv4.ip_forward = 0                        # Controls IP packet forwarding
net.ipv4.conf.default.rp_filter = 1            # Controls source route verification (reverse path filter)
net.ipv4.conf.default.accept_source_route = 0  # Do not accept source routing
kernel.sysrq = 0                               # Controls the System Request debugging functionality of the kernel
kernel.core_uses_pid = 1                       # Controls whether core dumps will append the PID to the core filename
net.ipv4.tcp_syncookies = 1                    # Controls the use of TCP syncookies
net.bridge.bridge-nf-call-ip6tables = 0        # Disable netfilter on bridges
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
kernel.panic = 5                               # Reboot 5 seconds after a kernel panic
net.ipv4.tcp_fin_timeout = 15                  # Decrease the default value of tcp_fin_timeout
net.ipv4.tcp_keepalive_time = 1800             # Decrease the default value of tcp_keepalive_time
net.ipv4.tcp_window_scaling = 0                # Turn off tcp_window_scaling
Note: turning off window scaling (and, on the next slide, SACK and timestamps) trims what a remote fingerprinter can see, but it also caps throughput on long-latency links; benchmark before applying those three on a busy server.
net.ipv4.tcp_sack = 0                          # Turn off tcp_sack
net.ipv4.tcp_timestamps = 0                    # Turn off tcp_timestamps
net.ipv4.icmp_echo_ignore_broadcasts = 1       # Ignore ICMP echo requests sent to broadcast addresses
net.ipv4.icmp_ignore_bogus_error_responses = 1 # Enable bad error message protection
net.ipv4.conf.all.log_martians = 1             # Log spoofed, source-routed and redirect packets
kernel.shmmax = 268435456                      # Set the maximum shared memory segment size to 256MB
net.ipv4.tcp_max_syn_backlog = 1280            # Increase the size of the SYN socket queue (effectively, q0)
net.ipv4.tcp_mem = 57344 57344 65536           # Increase the maximum total TCP buffer space allocatable
net.ipv4.tcp_wmem = 32768 65536 524288         # Increase the maximum TCP write-buffer space allocatable
net.ipv4.tcp_rmem = 98304 196608 1572864       # Increase the maximum TCP read-buffer space allocatable
net.core.rmem_max = 524280                     # Increase the maximum receive socket buffer size
net.core.rmem_default = 524280                 # Increase the default receive socket buffer size
net.core.wmem_max = 524280                     # Increase the maximum send socket buffer size
net.core.wmem_default = 524280                 # Increase the default send socket buffer size
net.ipv4.tcp_max_tw_buckets = 1440000          # Increase the TIME_WAIT bucket pool size
net.ipv4.ip_local_port_range = 16384 65535     # Allowed local (ephemeral) port range; 65535 is the highest valid port
net.ipv4.ipfrag_high_thresh = 512000           # Increase the maximum memory used to reassemble IP fragments
net.ipv4.ipfrag_low_thresh = 446464            # Low watermark for fragment reassembly memory
net.core.optmem_max = 57344                    # Increase the maximum amount of option memory buffers
net.ipv4.conf.all.accept_redirects = 0         # Do not accept ICMP redirects (avoid MitM)
net.ipv4.conf.all.send_redirects = 0           # Forbid sending ICMP redirects
net.ipv6.conf.all.disable_ipv6 = 1             # Disable IPv6
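Writing the file is half the job; the other half is checking that the kernel actually holds those values after `sysctl -p` (and after the next reboot, which is where a typo or a module that is not loaded, such as the net.bridge.* keys, usually shows up). The script below is an added example, not code from the slides: it normalises a sysctl.conf-style file and a `sysctl -a` snapshot into key/value pairs and reports every key that is missing or different. The helper names and the two sample files are my own constructions so that it runs offline.

```sh
#!/bin/sh
# Added example, not from the original slides.
# On a real host:
#   sysctl -p                                  # load /etc/sysctl.conf
#   sysctl -a 2>/dev/null > /tmp/sysctl.now    # snapshot of the live kernel
#   sysctl_drift /etc/sysctl.conf /tmp/sysctl.now && echo "all settings live"

# Turn "key = value" lines (sysctl.conf or sysctl -a output) into "key<TAB>value":
# strip comments and blank lines, trim, and collapse inner whitespace so that
# "57344 57344 65536" and the tab-separated form sysctl -a prints compare equal.
normalize_sysctl() {   # file
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | awk '
        index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            gsub(/[ \t]+/, " ", val)
            print key "\t" val
        }'
}

# Print one line per desired key that is missing from or differs in the
# snapshot; return 0 when nothing drifted, 1 otherwise.
sysctl_drift() {   # desired_file snapshot_file
    want=$(mktemp) && have=$(mktemp) && out=$(mktemp) || return 2
    normalize_sysctl "$1" > "$want"
    normalize_sysctl "$2" > "$have"
    rc=0
    awk -F'\t' '
        FILENAME == ARGV[1] { want[$1] = $2; next }   # first file: desired values
        ($1 in want)        { have[$1] = $2 }         # second file: live values we care about
        END {
            n = 0
            for (k in want) {
                if (!(k in have))
                    { printf "MISSING %s (want %s)\n", k, want[k]; n++ }
                else if (have[k] != want[k])
                    { printf "DRIFT   %s: want %s, have %s\n", k, want[k], have[k]; n++ }
            }
            exit n > 0
        }' "$want" "$have" > "$out" || rc=$?
    sort "$out"
    rm -f "$want" "$have" "$out"
    return $rc
}

# Constructed sample: an excerpt of the hardening file above ...
DESIRED=$(mktemp)
cat > "$DESIRED" <<'EOF'
# constructed excerpt of /etc/sysctl.conf
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.tcp_mem = 57344 57344 65536
net.ipv6.conf.all.disable_ipv6 = 1
EOF

# ... and a constructed "sysctl -a" snapshot where log_martians was not applied
# and the IPv6 key is absent (multi-value keys come out whitespace-separated).
CURRENT=$(mktemp)
cat > "$CURRENT" <<'EOF'
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.log_martians = 0
net.ipv4.tcp_mem = 57344    57344    65536
kernel.sysrq = 0
EOF
```

Run it from cron after every kernel or package update; a non-zero exit is your signal that a setting silently reverted.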
Understanding services
• The purpose the machine was built for
• Load at startup time
• Init process
• /sbin/runlevel
• netstat -[t|u]anp | grep LISTEN
• Path -> /etc/rc.d/rcX.d/SXX && KXX
• /sbin/chkconfig --list | less
• RPMs: setuptool && ntsysv
• The fewer services, the better
• /etc/rc.local
“By Default” enabled services
• auditd
• blk-availability
• crond
• iptables && ip6tables
• lvm2-monitor
• netfs
• network
• postfix
• rsyslog
• sshd
• udev-post
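The two commands on the previous slide give you the inventory the "fewer services" rule needs: what is switched on for the runlevel you boot into, and what is actually listening. Below is an added example, not part of the slides, that parses the output of `chkconfig --list` and `netstat -tulnp` into two short lists you can diff against the default set above. The function names are mine, and CHK and NET are constructed samples of the two commands' output so the script runs offline.

```sh
#!/bin/sh
# Added example, not from the original slides.
# On a real host:
#   chkconfig --list | services_on "$(runlevel | cut -d' ' -f2)"
#   netstat -tulnp   | listeners

# Services switched on at the given runlevel (default 3). chkconfig prints one
# SysV service per line as "name 0:off 1:off 2:on ... 6:off"; the xinetd section
# at the end has no runlevel columns and is skipped by the field-count test.
services_on() {   # [runlevel]
    lvl=${1:-3}
    awk -v lvl="$lvl" '
        NF >= 8 && $1 !~ /:$/ {
            for (i = 2; i <= NF; i++)
                if ($i == lvl ":on") { print $1; break }
        }' | sort
}

# Listening sockets as "proto local_address program". TCP lines carry a State
# column (LISTEN); UDP lines do not, so the program is taken from the last
# field instead of a fixed column number.
listeners() {
    awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" { print $1, $4, $NF }
        $1 ~ /^udp/                   { print $1, $4, $NF }
    '
}

# Constructed sample of "chkconfig --list" (CentOS 6 layout).
CHK='auditd          0:off 1:off 2:on  3:on  4:on  5:on  6:off
blk-availability 0:off 1:on  2:on  3:on  4:on  5:on  6:off
crond           0:off 1:off 2:on  3:on  4:on  5:on  6:off
ip6tables       0:off 1:off 2:on  3:on  4:on  5:on  6:off
iptables        0:off 1:off 2:on  3:on  4:on  5:on  6:off
postfix         0:off 1:off 2:on  3:on  4:on  5:on  6:off
sshd            0:off 1:off 2:on  3:on  4:on  5:on  6:off
cups            0:off 1:off 2:off 3:off 4:off 5:on  6:off

xinetd based services:
        rsync:          off'

# Constructed sample of "netstat -tulnp".
NET='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1300/master
tcp        0      0 :::22                   :::*                    LISTEN      1234/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1100/dhclient'
```

Anything in the first list that is not in the default set, or anything in the second list bound to 0.0.0.0 that the server was not built to publish, is a candidate for `chkconfig <name> off` followed by `service <name> stop`.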
IPTables
• Firewalling rule set
• iptables is driven from the command line: /sbin/iptables
• Chains: INPUT, OUTPUT, FORWARD
• GUIs: fwbuilder, shorewall, firestarter, etc.
• Script started before network/services are loaded
• /etc/rc.d/rcX.d/S08iptables
Firewall Policy: Best Practices
• Mgmt IPs -> Firewall IFs, Mgmt ports -> Allow
• Any -> Firewall IFs, Mgmt ports -> Deny [Stealth Rule]
• … -> Allow (service rules)
• Any -> Any -> Deny [Cleanup Rule]
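Order is the whole point of that policy: the management allow must come before the stealth drop, and the stealth drop before the service allows, or the later rule never fires. The function below is an added example, not the slides' script; it emits the iptables commands in that order so the rule set can be reviewed as text before it is applied. The helper name, the management network and the port numbers in the usage line are placeholders.

```sh
#!/bin/sh
# Added example, not from the original slides.
# Usage (review the output first, then apply and persist it):
#   gen_firewall_rules 10.0.0.0/24 "22" "80 443" > /root/fw.sh
#   sh /root/fw.sh && service iptables save     # writes /etc/sysconfig/iptables
gen_firewall_rules() {   # mgmt_net mgmt_ports svc_ports
    mgmt_net=$1     # CIDR of the management network (admin workstations)
    mgmt_ports=$2   # space-separated TCP management ports, e.g. "22"
    svc_ports=$3    # space-separated TCP ports published to everyone

    echo "iptables -F INPUT"
    echo "iptables -P INPUT DROP"      # default policy backs up the cleanup rule
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # 1. Management: only the admin network reaches the management ports
    for p in $mgmt_ports; do
        echo "iptables -A INPUT -s $mgmt_net -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # 2. Stealth: everybody else gets silence on those ports (DROP, not REJECT)
    for p in $mgmt_ports; do
        echo "iptables -A INPUT -p tcp --dport $p -j DROP"
    done
    # 3. Published services
    for p in $svc_ports; do
        echo "iptables -A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # 4. Cleanup: log (rate-limited) and drop whatever did not match
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix 'IPT-CLEANUP: '"
    echo "iptables -A INPUT -j DROP"
}
```

The explicit final DROP duplicates the chain policy on purpose: the LOG line in front of it is what tells you, in /var/log/messages, which port a scanner knocked on.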
Hardening SSH
• Auth: user/pass vs. certificates (keys)
• Change the default SSH port (TCP/22)
• Protocol 2
• PermitRootLogin -> no
• ListenAddress
• AllowUsers
• AllowGroups
Hardening SSH
• MaxAuthTries (default 6) -> 3
• LoginGraceTime (default 120) -> 60
• PasswordAuthentication (default yes) -> no
• Banner (none) -> set one
• AllowAgentForwarding and AllowTcpForwarding (default yes) -> if they are not going to be used, change to no
• MaxStartups (default 10) -> if there are few connected users, change to 3
• Ciphers -> aes128-ctr, aes256-ctr, arcfour256, arcfour, aes128-cbc, aes256-cbc
  (the arcfour/RC4 and CBC entries are weak and have since been removed from OpenSSH's defaults; keep only the CTR ciphers)
• X11Forwarding and PermitEmptyPasswords -> if not needed, no
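Two sshd_config details trip up audits of the settings above: sshd takes the first occurrence of a keyword, not the last, and everything after a Match line is conditional. The script below is an added example, not from the slides; it reads the file the way sshd does and reports every directive whose effective value is not the hardened one, using sshd's compiled-in default for anything the file leaves unset. The function names and both sample files are my own constructions.

```sh
#!/bin/sh
# Added example, not from the original slides.
# On a real host:
#   sshd_audit /etc/ssh/sshd_config && sshd -t -f /etc/ssh/sshd_config

# Global effective value of a keyword (first match wins, Match blocks ignored),
# or the compiled-in default passed as $3 when the file does not set it.
# Assumes the "Keyword value" form rather than "Keyword=value".
sshd_effective() {   # file keyword default
    awk -v key="$2" -v def="$3" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[[:space:]]+/, ""); sub(/[[:space:]]+$/, "")
            print; found = 1; exit
        }
        END { if (!found) print def }' "$1"
}

# One FAIL line per directive whose effective value differs from the hardened
# one; exit status 0 only when everything passes. Table: keyword wanted default.
sshd_audit() {   # file
    fails=0
    while read -r kw want def; do
        have=$(sshd_effective "$1" "$kw" "$def" | tr 'A-Z' 'a-z')
        if [ "$have" != "$want" ]; then
            echo "FAIL $kw: want '$want', effective '$have'"
            fails=$((fails + 1))
        fi
    done <<EOF
Protocol 2 2,1
PermitRootLogin no yes
PasswordAuthentication no yes
PermitEmptyPasswords no no
MaxAuthTries 3 6
LoginGraceTime 60 120
MaxStartups 3 10
X11Forwarding no no
AllowTcpForwarding no yes
AllowAgentForwarding no yes
EOF
    [ "$fails" -eq 0 ]
}

# Constructed sample 1: a stock-looking file with a trap, the second
# PermitRootLogin line is ignored because the first one wins.
WEAK=$(mktemp)
cat > "$WEAK" <<'EOF'
Protocol 2
SyslogFacility AUTHPRIV
#MaxAuthTries 6
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
X11Forwarding yes
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF

# Constructed sample 2: the hardened file; the Match block re-enables
# forwarding for one account only and must not change the global verdict.
HARD=$(mktemp)
cat > "$HARD" <<'EOF'
Protocol 2
ListenAddress 10.0.0.5
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
LoginGraceTime 60
MaxStartups 3
X11Forwarding no
AllowTcpForwarding no
AllowAgentForwarding no
AllowGroups sshusers
Banner /etc/issue.net
Ciphers aes128-ctr,aes256-ctr
Match User backup
    AllowTcpForwarding yes
EOF
```

Keep a second SSH session open while you restart sshd after editing the file, and run `sshd -t` first: a syntax error leaves you with no daemon to log back into.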
Hardening BASH
• Define read-only environment variables, so users cannot overwrite them:
  declare -r HISTFILE=~/.bash_history && chattr +a ~/.bash_history
  (+a makes the history file append-only; +i, immutable, would stop the shell from writing to it at all)
• HISTFILESIZE -> maximum number of lines to keep on disk
• HISTSIZE -> maximum number of commands kept in memory
• HISTTIMEFORMAT -> date/time format stored with each command
• Force the history to be committed every time a command is typed instead of at logout:
  readonly PROMPT_COMMAND="history -a"  ||  declare -r PROMPT_COMMAND="history -a"
Hardening BASH
• Limit idle login sessions -> declare -r TMOUT=120
• Limits -> ulimit command
  -c maximum size of core files
  -s maximum stack size
  -t maximum CPU seconds
  -u maximum number of processes per user
  -v maximum virtual memory available to the shell
  -x maximum number of file locks
• Default file mask for every user -> umask 077 ("rwx --- ---")
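Put together, the two BASH slides become one file in /etc/profile.d/. The script below is an added example, not the slides' own; the file name, the numeric limits and the helper policy_readonly are my choices, and it uses POSIX readonly instead of bash's declare -r so it also works when the login shell is /bin/sh. Readonly variables stop a user from quietly unsetting HISTFILE in the current shell; they are an audit aid, not a boundary, since a user can still exec another shell, which is why the chattr +a from the slide belongs alongside.

```sh
# Added example, not from the original slides: /etc/profile.d/hardening.sh
readonly HISTFILE="$HOME/.bash_history"
readonly HISTSIZE=10000               # commands kept in memory
readonly HISTFILESIZE=100000          # lines kept on disk
readonly HISTTIMEFORMAT='%F %T '      # timestamp stored with every entry
readonly PROMPT_COMMAND='history -a'  # flush after each command, not at logout
readonly TMOUT=120                    # idle session timeout in seconds
export HISTFILE HISTSIZE HISTFILESIZE HISTTIMEFORMAT PROMPT_COMMAND TMOUT
umask 077                             # new files: rwx------
ulimit -c 0                           # no core dumps (they can contain secrets)

# Verification: returns 0 only if every policy variable rejects assignment.
# The attempt runs in a subshell so a readonly violation cannot abort the
# calling shell (it is fatal in dash, a plain error in bash).
policy_readonly() {
    for v in HISTFILE HISTSIZE HISTFILESIZE HISTTIMEFORMAT PROMPT_COMMAND TMOUT; do
        if ( eval "$v=changed" ) 2>/dev/null; then
            echo "NOT readonly: $v"
            return 1
        fi
    done
    return 0
}
```

As root, make the history files append-only once the variables are in place: `chattr +a /home/*/.bash_history` (and /root/.bash_history); `lsattr` shows the flag, and only root can clear it.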
Hardening Apache
• Installation:
  – Use the rpm package... or a static compilation
  – Right permissions: chown + chroot
    • chmod -R go-r /etc/httpd
    • chmod -R go-r /var/log/httpd
  – Disable default modules that are not needed/used (http://www.cyberciti.biz/faq/howto-disable-apache-modules-under-linux-unix/)
Hardening Apache
• Listen [IP address:]port
• Allow from directives
  – Deny from All
  – Allow from 192.168.X.Y/24
• Security through obscurity
  – ServerTokens ProductOnly
  – ServerSignature Off
• With mod_security
  – SecServerSignature "Powered by Securizame 8.0"
• Disable the TRACE method
  – TraceEnable Off
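The directives from the two Apache slides, collected into one httpd.conf fragment for the Apache 2.2 shipped with CentOS 6. This is an added example, not the slides' own configuration: the listen address and the allowed network are placeholders, and the mod_security directive is wrapped in IfModule so the file still loads when the module is not installed.

```apache
# Added example, not from the original slides. Placeholder values: 10.0.0.5, 192.168.1.0/24
Listen 10.0.0.5:80

# Obscurity: no version, OS or module list in headers and error pages
ServerTokens ProductOnly
ServerSignature Off

# TRACE is never needed by clients and echoes request headers back
TraceEnable Off

# Apache 2.2 access control: deny everyone, then allow the one network
<Directory "/var/www/html">
    Order deny,allow
    Deny from all
    Allow from 192.168.1.0/24
</Directory>

# Only when mod_security is loaded: replace the banner altogether
<IfModule mod_security2.c>
    SecServerSignature "Powered by Securizame 8.0"
</IfModule>
```

Check it with `httpd -t` (or `apachectl configtest`) before `service httpd reload`. On Apache 2.4 the three access lines become `Require ip 192.168.1.0/24`.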
Patch Management
• Optional package: yum-cron
• /etc/sysconfig/yum-cron
Auditing Tools
• Check security/health
• Misconfigurations && malware
• Tools:
  – Lynis, checklist-linux
  – rkhunter, chkrootkit
  – unhide
• Filesystem integrity
  – AFICK, AIDE, Tripwire
• Other stuff: IDS/IPS
Lynis/checklistlinux
Logs
• Send to a remote event collector: syslog
• NTP (Network Time Protocol)
• LIDS: OSSEC
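An attacker who gets root can edit local logs; a copy that already left the box cannot be edited. The fragment below is an added example, not from the slides, for the rsyslog 5 shipped with CentOS 6: it forwards everything over TCP and uses a disk-assisted queue so that messages produced while the collector is unreachable are kept and delivered later rather than dropped. The collector name is a placeholder.

```conf
# Added example, not from the original slides: /etc/rsyslog.conf forwarding block
# Queue in memory, spill to disk under /var/lib/rsyslog if the collector is down
$WorkDirectory /var/lib/rsyslog
$ActionQueueType LinkedList
$ActionQueueFileName fwdq
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
# Retry forever instead of discarding after a few attempts
$ActionResumeRetryCount -1
# @@ is TCP; a single @ would send UDP and lose messages silently
*.* @@logcollector.example.com:514
```

Pair it with `chkconfig ntpd on`: without synchronised clocks the forwarded timeline cannot be correlated across hosts.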
OSSEC
Conclusions
• CentOS Linux FTW!
• Corporate distribution
• Community support
• Security concepts in mind
• Minimalism is the key
• Harden, audit and monitor
Email me: lorenzo@securizame.com
Twitter: @lawwait @securizame @secbydefault