CentOS Installation.

Discussion in 'Tips/Tricks/Mods' started by fraginhell, Mar 5, 2006.

  1. fraginhell

    fraginhell New Member

    Hi Guys.

    I've completed a few installs now with CentOS and thought I would share my experience with you.

    I used CentOS 4.1 and the Fedora Core Setup Guide.
    However, there are some minor changes to include software RAID, and I've made a few security additions too that you may be interested in.

    My first change is with the filesystem layout.
    I recommend something like:
    100MB /boot
    2GB / (root)
    2GB /home
    1GB /tmp
    3GB /var
    the rest as /var/www
    /boot will hardly ever fill up, but 100MB will always ensure you have enough space in case you update a lot of kernels.
    Root can be fairly small here, because ideally this box is not going to change very often, apart from upgrades.
    I keep /home separate since this system is going to be used for ISPConfig, and apart from 1 or 2 system accounts it will not need a lot of space.
    /tmp is an important one to keep separate from root, as this will help protect against denial of service attacks.
    /var is again separate from /var/www, where we are going to store our web sites and user files; suexec is also compiled to use it.
    Swap is whatever you need; in my case 512MB is enough.

    During the installation I also used software RAID. Here's my RAID configuration:
    Primary Master = hda
    Secondary Master = hdc
    CD-ROM = hdd

    Create the RAID devices during the installation. Once installation is complete you will need to put some safeguards in place to protect against disk failure.

    You need to do this for both disks.

    First, back up each disk's MBR and basic partition table:
    dd if=/dev/hda of=hda.mbr bs=512 count=1
    dd if=/dev/hdc of=hdc.mbr bs=512 count=1
    Second, back up the disks' partition tables (including the extended partition information):
    sfdisk -d /dev/hda > hda.sfd
    sfdisk -d /dev/hdc > hdc.sfd
    If a disk has failed and has been replaced, let's assume it was hda:

    Restore the MBR.
    dd if=hda.mbr of=/dev/hda bs=512 count=1
    Restore the partition table (including the extended partition information) as well:
    sfdisk -O change.log /dev/hda <hda.sfd

    Check that the partition table is loaded:
    fdisk -l /dev/hda

    Restart the mirror sync process, once for each array (the member you add is the partition on the new disk, not the whole disk):
    raidhotadd /dev/md? /dev/hda?

    To see the progress of the mirroring: watch -n1 cat /proc/mdstat



    Also note that I'm using LILO; this seems to be installed on both disks, but GRUB only gets installed on the primary disk. If you lose the primary disk you cannot boot, but you can still boot if you lose the secondary disk. With LILO either disk can be lost and the system boots without problem.


    Follow the guide, but on page 3 you need to use yum instead of apt. I also use Dag Wieers' repository (see http://dag.wieers.com/home-made/apt/); you will need to add his Red Hat Enterprise repository. You will also need to import his GPG key.
    Make sure you do a complete system update to ensure you have the latest versions and plug any security holes.

    OK, now when you edit /etc/fstab also add these:
    Add nosuid,noexec to your /tmp entry; for example, mine looks like this. I also added quotas to /home.
    The nosuid and noexec options stop any program in /tmp from being executed and prevent suid.
    /dev/md3 /home ext3 defaults,usrquota,grpquota 1 2
    /dev/md4 /tmp ext3 defaults,nosuid,noexec 1 2

    Follow the remaining steps in the Fedora Guide.

    Also, CentOS ships with Dovecot; this seems to work fine out of the box, however if you want to provide IMAP services you will need to edit its config file.

    There's also quite a lot we can remove to help make the server more secure. The less there is on the system that we don't need, the better; by removing everything we don't need we hopefully remove any security problems that might come up in the future, or take away tools a hacker might use. If you find you need something you can always install it later.
    Remove the power manager and its agents; we don't want the system sleeping on us (also disable it in the BIOS too):
    yum remove apmd acpid
    Remove Samba:
    yum remove samba-client system-config-samba samba-common samba
    Remove finger:
    yum remove finger
    Remove the CUPS printing service:
    yum remove cups
    Remove ISDN tools:
    yum remove isdn4k-utils
    Stop netplugd if you don't need it:
    chkconfig --level 12345 netplugd off
    Remove ypbind (NIS client/server):
    yum remove ypbind
    Remove the Squid proxy server:
    yum remove squid
    Remove the automounter:
    yum remove autofs
    Remove Network File System:
    yum remove nfs-utils system-config-nfs
    Remove tux:
    yum remove tux
    If you're not using RAID, remove this:
    yum remove mdadm
    Remove infrared tools:
    yum remove irda-utils
    Remove PCMCIA:
    yum remove pcmcia-cs
    Remove RPC services:
    yum remove portmap
    Remove kernel netdump:
    yum remove netdump


    OK, now for hardening the system. I would recommend the following:

    Tripwire: install Tripwire and configure it for your system.
    Chkrootkit: install and configure it to run in cron; make sure you get a copy of the report from the cron job (ensure you receive the system mail).
    rkhunter: does the same job as chkrootkit (looks for rootkits).
    Process accounting: ensure you're watching how much CPU time each user is using; if the CPU is too high it's a good indicator that either there's a runaway process or something more of a problem, like a password cracker. It can also check for missing time entries in the wtmp files.
    Log rotation: keep lots of logs and email yourself your old log files.

    Missing zlib: zlib is missing from the CentOS build; you can install it yourself as an RPM (from Dag) or compile it from source.

    Install ISPConfig.
    Remove compiler tools: remove gcc and gcc-c++ after installation; this will stop anybody trying to compile their own tools etc.
    Complete the Tripwire install: create a custom policy once you have installed ISPConfig.
    I would be really interested in hearing about anything anyone else has done to help secure their system, or about any more packages that can be removed to keep the system as basic as possible.

    Keith.
     
    Last edited: Mar 5, 2006
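    An added example of my own (not Keith's) for the fstab step above: a small audit that checks an fstab against the mount options the post adds, so the hardening can be re-verified after any later edit. It goes one step further than the post by also requiring nodev on /tmp; the fstab entries it checks are constructed samples, not from a real system.

```shell
# fstab_check FILE POLICY
#   POLICY is a space-separated list of mountpoint=opt,opt,... pairs.
#   Prints one line per missing option (or per mount point that is not a
#   separate filesystem) and returns 1 if anything is missing, else 0.
fstab_check() {
    awk -v policy="$2" '
        BEGIN {
            n = split(policy, rules, " ")
            for (i = 1; i <= n; i++) { split(rules[i], kv, "="); want[kv[1]] = kv[2] }
        }
        NF == 0 || $1 ~ /^#/ { next }             # skip blank lines and comments
        ($2 in want) {
            seen[$2] = 1
            opts = "," $4 ","                     # wrap so index() matches whole options only
            m = split(want[$2], need, ",")
            for (j = 1; j <= m; j++)
                if (index(opts, "," need[j] ",") == 0) { print $2 " missing " need[j]; bad = 1 }
        }
        END {
            for (mp in want) if (!(mp in seen)) { print mp " is not a separate filesystem"; bad = 1 }
            exit bad
        }
    ' "$1"
}

# Policy: what the post adds to /tmp and /home, plus nodev on /tmp (my addition).
POLICY="/tmp=nosuid,noexec,nodev /home=usrquota,grpquota"

# Constructed sample fstab (not from a real system). $2 = /home options, $3 = /tmp options.
write_sample_fstab() {
    cat > "$1" <<EOF
/dev/md1 / ext3 defaults 1 1
/dev/md3 /home ext3 $2 1 2
/dev/md4 /tmp ext3 $3 1 2
/dev/md2 swap swap defaults 0 0
EOF
}

f=$(mktemp)
write_sample_fstab "$f" defaults defaults                                        # stock install
fstab_check "$f" "$POLICY" || echo "stock fstab: hardening options missing (see above)"
write_sample_fstab "$f" defaults,usrquota,grpquota defaults,nosuid,noexec,nodev  # the post's entries plus nodev
fstab_check "$f" "$POLICY" && echo "hardened fstab: OK"
rm -f "$f"
```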
  2. itgroup

    itgroup New Member

    excellent

    Hi Keith,
    Since no one else has said it, I will: excellent article. Thanks. I was wondering though, do you have some more information about your Tripwire setup? I have not used this before, but it does seem a good product.

    Also, I could never quite get RAID working in Linux. Being an MCSE, I have only been 'playing' with Linux for a couple of years and am very happy with it; however, I have only tried to set up RAID a couple of times, and messed it up both times, so did not bother. At the moment, I have hardware RAID on my web boxes, of which I have two. They have two SATA 160GB HDDs. The first is a Windows .Net one, which on install recognises that there is only one drive (as it should, at 160GB), but the Linux box, when I built it, says there are two drives (which of course there are, but I wanted the OS to see it as ONE drive). Would your setup resolve this issue, as I am really paranoid that one HDD will 'crash' one day and it will be a full rebuild? Obviously, under Windows, I just down the system, replace the HDD and regenerate. I guess it SHOULD be this easy under Linux?

    Thanks for your time.
    regards
    steve
     
  3. fraginhell

    fraginhell New Member

    Hi Steve,

    I found a really good document on Tripwire in one of the original Red Hat 9 manuals, which are still there; it has a section on Tripwire, which is what I use. It's great and takes you step by step through getting Tripwire going. I have boxes with both software and hardware RAID.
    For hardware RAID where the BIOS takes care of the mirroring, the problem is the OS will see the same disk twice, for example /dev/hda and /dev/hdc; well, it's seeing the two individual disks, but they look the same. The way round this is to build the system first on a single disk, add noprobe=/dev/hdc (this might need checking now, it's been a long time since I did it this way) to the boot loader kernel parameters to exclude the second disk, and then add the second disk to the system. The O/S will totally ignore it. The problem is if you lose a disk you will need to move the second disk to the master location and reboot for the system to work. I've not found a way round this problem, so I mainly use software RAID, which seems to work fine and on my limited systems has no performance problems, and will handle a drive failure without crashing etc.
    As for the RAID, I think it mainly depends on your BIOS. For software RAID I have, for example, each disk as the master on each controller (to stripe across the controllers as well, for performance and redundancy), so the OS sees /dev/hda (first disk, first controller) and /dev/hdc (first disk on the second controller). If you have SATA disks then I would expect them to be /dev/sda etc. The O/S then sees /dev/md0, which is a logical reference to both disks, so for example /dev/hda1 (partition 1 for example here) and /dev/hdc1 = /dev/md0.

    Disk failure is fairly easy: you first replace the disk of course, then replace the disk partitioning information so that your new disk contains the same partitions as the old one, and finally re-sync the disks.
    The only thing I've not played with much is logical volumes and RAID; it's possible and I've kinda managed it once, but it was difficult to set up.
    I have played with RAID stuff quite a bit, pulling disks out on the fly and trying to replace them etc., and it seems to work well.
    Hope this all makes sense :) let me know how you get on.

    Keith.
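    An added example of my own (not Keith's) for the re-sync step he describes: it reads /proc/mdstat, as the `watch -n1 cat /proc/mdstat` check in the first post does, and reports which arrays have lost a member and how far any rebuild has got, so the same check can run from cron and mail you instead of needing a terminal. The mdstat content it parses is a constructed sample, not from a real system.

```shell
# mdstat_check [FILE]
#   Reads FILE (default /proc/mdstat). Prints "mdN degraded [_U]" for every
#   array with a missing member and "mdN recovery 12.5%" for any rebuild in
#   progress. Returns 1 if any array is degraded, 0 if all mirrors are complete.
mdstat_check() {
    awk '
        /^md[0-9]+ :/ { dev = $1 }                    # remember which array we are in
        /\[[U_]+\]$/ {                                # status line, e.g. "... blocks [2/1] [_U]"
            if ($NF ~ /_/) { print dev " degraded " $NF; bad = 1 }
        }
        {                                             # progress line, e.g. "recovery = 12.5% (...)"
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(recovery|resync|reshape|check)$/) print dev " " $i " " $(i + 2)
        }
        END { exit bad }
    ' "${1:-/proc/mdstat}"
}

# Constructed sample (not from a real system): one healthy mirror, one that has
# lost a disk, and one that is rebuilding after a raidhotadd.
write_sample_mdstat() {
    cat > "$1" <<'EOF'
Personalities : [raid1]
md0 : active raid1 hdc1[1] hda1[0]
      104320 blocks [2/2] [UU]

md3 : active raid1 hdc6[1]
      2096384 blocks [2/1] [_U]

md4 : active raid1 hda7[2] hdc7[1]
      1048576 blocks [2/1] [_U]
      [==>..................]  recovery = 12.5% (131072/1048576) finish=0.5min speed=29127K/sec

unused devices: <none>
EOF
}

f=$(mktemp)
write_sample_mdstat "$f"
mdstat_check "$f" || echo "WARNING: at least one array is degraded"
rm -f "$f"
```

    Run it against the real /proc/mdstat by calling mdstat_check with no argument; a non-zero exit status is what a cron wrapper should mail on.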
     
