CentOS7 Server Hardening

The document provides instructions for hardening a CentOS 7 server. It includes steps to lock down access by disabling the default firewall, securing SSH access by restricting login to a new user and disabling root login, installing iptables and configuring firewall rules to allow only necessary access, setting a strong root password, updating the system, and installing and securing Webmin for remote administration. Additional steps include giving the server a hostname, disabling unnecessary services, and configuring hosts and DNS resolvers.

Uploaded by

mayurmorepatil96

BNPL – SDD CentOS 7 Hardening Guide

Last Modified: 15/07/2016

CentOS 7 Hardening Guide


PART I: -

1. Lock down and secure access as soon as the server is online at the IDC and the passwords
have been given to us.
2. Log in to the server as the user root with the password provided for it.
3. Disable the default firewall.

To use the iptables and ip6tables services, first check the status of firewalld and disable it by running the
following command as root:

# systemctl status firewalld

Which will give you an output such as:

firewalld.service - firewalld - dynamic firewall daemon


Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
Active: active (running) since Wed 2015-01-14 14:32:53 IST; 5s ago
Main PID: 11360 (firewalld)
CGroup: /system.slice/firewalld.service
11360 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

# systemctl disable firewalld

# systemctl stop firewalld

4. Then install the iptables-services package by entering the following command:

# yum install iptables-services

The iptables-services package contains the iptables service and the ip6tables service.

To start the iptables or ip6tables service, run the following commands:

# systemctl start iptables

# systemctl enable iptables

OR

# systemctl start ip6tables

# systemctl enable ip6tables

Edit /etc/sysconfig/iptables


# vim /etc/sysconfig/iptables

Add the following rules:

# sample configuration for iptables service


# you can edit this manually or use system-config-firewall
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Balasai Office IPs
-A INPUT -s 115.108.33.7 -j ACCEPT
-A INPUT -s 115.108.42.134 -j ACCEPT
-A INPUT -s 122.169.99.109 -j ACCEPT

# Balasai Network Monitoring IP


-A INPUT -s 203.199.134.8 -j ACCEPT

# Balasai Network Monitoring (Int) IP


-A INPUT -s 103.228.50.1 -j ACCEPT

#Balasai VSNL IDC(Reserv for laptop)


-A INPUT -s 203.199.134.2 -j ACCEPT

# Data Center specific rules - enable only the correct ones.


# Balasai Internal Network - Only for servers at Tata IDC - Pune
# -A INPUT -s 192.168.1.0/24 -j ACCEPT
# SoftLayer Internal Network & Balasai VPN - Only for servers at SL IDC - US
# -A INPUT -s 10.0.0.0/8 -j ACCEPT
# Balasai Internal Network - Only for servers at CtrlS IDC - Mumbai
# -A INPUT -s 192.168.100.0/24 -j ACCEPT
# Balasai Internal Network - Only for servers at TCL IDC - Pune
# -A INPUT -s 192.168.20.0/24 -j ACCEPT
# Balasai Internal Network - Only for servers at TCL IDC - Pune
# -A INPUT -s 192.168.21.0/24 -j ACCEPT
# Global
# Service Specific rules - enable the following rules only if and when required.
# Web Servers - HTTP & HTTPS
# -A INPUT -p tcp --dport 80 -j ACCEPT
# -A INPUT -p tcp --dport 443 -j ACCEPT
# Mail Servers - SMTP & SMTPS
# -A INPUT -p tcp --dport 25 -j ACCEPT
# -A INPUT -p tcp --dport 465 -j ACCEPT
# POP3 Servers - POP3 & POP3S
# -A INPUT -p tcp --dport 110 -j ACCEPT
# -A INPUT -p tcp --dport 995 -j ACCEPT

2
BNPL – SDD CentOS 7 Hardening Guide

# End of Service Specific Rules


# -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed
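Before loading a ruleset such as the one above, it is worth checking that it still has the lock-down shape this step intends: a committed filter table, INPUT and FORWARD chains that end in the catch-all REJECT, the SSH rule left commented out, and no port opened to every source. The script below is an added example and is not part of the BNPL guide; it reads an iptables-save style file, reports deviations, and lists the allow-listed source addresses. The two sample rulesets it writes are constructed for the demonstration and use RFC 5737 documentation addresses, not the office IPs from the guide.

```shell
#!/bin/sh
# Added example, not from the BNPL guide: sanity-check an iptables-save style
# ruleset (such as /etc/sysconfig/iptables) before loading it. It confirms the
# PART I posture: a committed filter table, INPUT and FORWARD chains ending in
# a catch-all REJECT/DROP, and no uncommented port rule open to every source.

# Print the active rules only (comments and blank lines removed).
active_rules() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'
}

# List the source addresses/networks explicitly allowed in the INPUT chain.
list_allowed_sources() {
    active_rules "$1" | awk '$1 == "-A" && $2 == "INPUT" {
        for (i = 3; i < NF; i++) if ($i == "-s") print $(i + 1)
    }'
}

# Audit a ruleset file; prints one finding per line, returns 1 if any.
audit_iptables_rules() {
    ruleset=$(active_rules "$1")
    rc=0
    printf '%s\n' "$ruleset" | grep -q '^\*filter$' || { echo "no *filter table"; rc=1; }
    printf '%s\n' "$ruleset" | grep -q '^COMMIT$' || { echo "no COMMIT line"; rc=1; }
    for chain in INPUT FORWARD; do
        last=$(printf '%s\n' "$ruleset" | grep "^-A $chain " | tail -n 1)
        case $last in
            *"-j REJECT"*|*"-j DROP"*) ;;
            *) echo "$chain chain does not end in a catch-all REJECT/DROP"; rc=1 ;;
        esac
    done
    # A --dport rule with no -s restriction accepts connections from anywhere.
    open=$(printf '%s\n' "$ruleset" | grep -e '--dport' | grep -v -e ' -s ')
    if [ -n "$open" ]; then
        printf 'open to any source: %s\n' "$open"
        rc=1
    fi
    return $rc
}

# Write a constructed ruleset to $2: "good" mirrors the guide's layout with
# documentation-range office IPs; "bad" opens SSH to the world and drops the
# final REJECT, which is exactly the mistake the audit is meant to catch.
make_sample_ruleset() {
    {
        echo '*filter'
        echo ':INPUT ACCEPT [0:0]'
        echo ':FORWARD ACCEPT [0:0]'
        echo ':OUTPUT ACCEPT [0:0]'
        echo '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
        echo '-A INPUT -i lo -j ACCEPT'
        echo '# constructed office IPs (RFC 5737 documentation ranges)'
        echo '-A INPUT -s 192.0.2.10 -j ACCEPT'
        echo '-A INPUT -s 198.51.100.0/24 -j ACCEPT'
        if [ "$1" = bad ]; then
            echo '-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT'
        else
            echo '# -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT'
            echo '-A INPUT -j REJECT --reject-with icmp-host-prohibited'
        fi
        echo '-A FORWARD -j REJECT --reject-with icmp-host-prohibited'
        echo 'COMMIT'
    } > "$2"
}

# Stand-alone demo: audit both constructed rulesets.
demo=$(mktemp)
make_sample_ruleset good "$demo"
audit_iptables_rules "$demo" && echo "good ruleset: clean"
make_sample_ruleset bad "$demo"
audit_iptables_rules "$demo" || echo "bad ruleset: findings above"
rm -f "$demo"
```

Run it as audit_iptables_rules /etc/sysconfig/iptables after editing the file and before systemctl restart iptables; a non-zero exit means the file should be corrected first.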

5. Give the server a hostname with the following process:

# hostnamectl set-hostname test.balasai.com


# systemctl restart systemd-hostnamed
# hostnamectl status

With the last command you will be able to view the Hostname which has been set.
NOTE: In the first command test.balasai.com is only given as an example. Give the actual Hostname of
the server.

6. To record a date and time stamp along with the command history:

# cd /root
# vi .bashrc
Add the following line at the end of the file:
export HISTTIMEFORMAT="%Y-%m-%d %H:%M:%S "

7. Disable all unwanted services. Disable the following services for now:

# systemctl stop postfix.service


# systemctl disable postfix.service

Run the command:


# systemctl list-unit-files --type=service | grep enabled
You should see the following output:

auditd.service enabled
avahi-daemon.service enabled
crond.service enabled
dbus-org.freedesktop.Avahi.service enabled
dbus-org.freedesktop.NetworkManager.service enabled
dbus-org.freedesktop.nm-dispatcher.service enabled
getty@.service enabled
iptables.service enabled
irqbalance.service enabled
kdump.service enabled
lvm2-monitor.service enabled
microcode.service enabled
NetworkManager-dispatcher.service enabled
NetworkManager.service enabled
rsyslog.service enabled


sshd.service enabled
systemd-readahead-collect.service enabled
systemd-readahead-drop.service enabled
systemd-readahead-replay.service enabled
tuned.service enabled

Further tweaking may be required depending on the hardware, and the use of the server.

8. Secure SSH and Access.

(1) Add a new user bn_admin (the user name may change depending upon the customer's server)

# useradd bn_admin
# passwd bn_admin
Give a strong password which contains alpha-numeric characters.

(2) Edit SSH configuration file

# vi /etc/ssh/sshd_config
Make sure that the following settings are in place:

- Protocol 2
- PermitRootLogin no
- StrictModes yes
- AllowUsers bn_admin
- HostbasedAuthentication no
- PermitEmptyPasswords no
- X11Forwarding no
- UsePrivilegeSeparation sandbox
- AllowTcpForwarding yes

Reload the SSH service by using the command:


# systemctl reload sshd

** If it is a cPanel server, edit /etc/group and add bn_admin to the wheel group:


** wheel:x:10:root,bn_admin

(3) Confirm SSH hardening: start a new PuTTY session to the server while you are still logged in
through the existing shell.
Confirm whether you are still able to log in as root. If yes, the SSH hardening is not correct.
Recheck.
You should be able to log in as bn_admin first.
Then run su -, press Enter and give the root password.
If that succeeds, it's OK.
You can log out of the first shell.
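The manual confirmation above catches a root login that still works; the check below catches the settings before the reload. It is an added example, not part of the BNPL guide: it reads an sshd_config file the way sshd does (first occurrence of a keyword wins, commented lines are ignored, nothing after the first Match block is taken as global), and reports any of the step 8 settings that are missing or wrong. AllowUsers may name several users, so bn_admin only has to appear in the list. The bn_admin user name is the guide's; the sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the BNPL guide: check an sshd_config for the step 8
# settings before reloading sshd. Only the first uncommented occurrence of a
# keyword counts, scanning stops at the first Match block, and list-valued
# keywords (AllowUsers) pass when the wanted name is in the list.

REQUIRED_SSHD="PermitRootLogin=no AllowUsers=bn_admin PermitEmptyPasswords=no \
HostbasedAuthentication=no X11Forwarding=no StrictModes=yes"

# Effective value(s) of keyword $2 in file $1: first uncommented occurrence,
# lowercased; empty if the keyword is not set before any Match block.
sshd_effective_value() {
    awk -v k="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { $1 = ""; sub(/^[ \t]+/, ""); print tolower($0); exit }
    ' "$1"
}

# Audit a config file; prints one finding per line, returns 1 if any.
audit_sshd_config() {
    cfg=$1
    rc=0
    for pair in $REQUIRED_SSHD; do
        key=${pair%%=*}
        want=$(printf '%s' "${pair#*=}" | tr 'A-Z' 'a-z')
        have=$(sshd_effective_value "$cfg" "$key")
        if [ -z "$have" ]; then
            echo "$key: not set (sshd default applies)"
            rc=1
        else
            case " $have " in
                *" $want "*) ;;
                *) echo "$key: is '$have', want '$want'"; rc=1 ;;
            esac
        fi
    done
    return $rc
}

# Constructed sample config written to $2: "good" follows the guide, "bad"
# leaves root login enabled and omits AllowUsers.
make_sample_sshd_config() {
    {
        echo '#PermitRootLogin yes'
        echo 'Protocol 2'
        if [ "$1" = bad ]; then
            echo 'PermitRootLogin yes'
        else
            echo 'PermitRootLogin No'
            echo 'AllowUsers bn_admin ops_backup'
        fi
        echo 'StrictModes yes'
        echo 'HostbasedAuthentication no'
        echo 'PermitEmptyPasswords no'
        echo 'X11Forwarding no'
        echo 'Match User ops_backup'
        echo '    X11Forwarding yes'
    } > "$2"
}

demo=$(mktemp)
make_sample_sshd_config good "$demo"
audit_sshd_config "$demo" && echo "good config: clean"
make_sample_sshd_config bad "$demo"
audit_sshd_config "$demo" || echo "bad config: findings above"
rm -f "$demo"
```

Run audit_sshd_config /etc/ssh/sshd_config followed by sshd -t (which checks the file's syntax without starting a daemon) before the reload; a syntax error found only at reload time can leave you locked out of the session you are trying to keep.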

(4) Change the root password and set a strong password which contains alpha-numeric characters.


# passwd
Type new password,
Re-type.

(5) Update the system

# yum update yum


# yum update

(6) Install Webmin

All additional installations are done from /usr/local/src

# cd /usr/local/src

Package Dependencies:
Ensure openssl and openssl-devel are installed.
# rpm -q openssl
# rpm -q openssl-devel
If they are not installed, install them using:
# yum install openssl openssl-devel

Download the latest Webmin RPM from the link below:


http://www.webmin.com/download.html

# yum install wget


# wget <RPM download link>

As Webmin is written in Perl, install Perl before proceeding with the Webmin installation.
# yum install perl

Now install Webmin from RPM.


# rpm -Uvh webmin-<downloaded rpm>

The rest of the install is done automatically into the directory /usr/libexec/webmin, with the
administration username set to root and the password set to your current root password. You should
now be able to log in to Webmin at the URL http://<host>:10000/, where <host> is localhost or, when
accessing it remotely, the server's IP address.

Edit /etc/webmin/miniserv.conf

The first line says: port=10000


Change the Webmin listening port as follows:
BNPL Servers : 54554. (port=54554)
Customer Servers : 54014 (port=54014)

Look for the line: listen=10000


Comment out the line: #listen=10000

Restart Webmin for these changes to take effect: systemctl restart webmin

Log in to Webmin.


Click on Webmin Configuration under the Webmin tab.
Click on the Logging icon.

Enable the following options by selecting Yes next to each:
Include Webmin logins and logouts in actions log?
Log changes made to files by each action?
Record all modified files before actions, for rollbacks?

Then click Save.

(7) Minor important tweaks:

I] Edit /etc/hosts

# vi /etc/hosts

Remove the existing lines and add the following:

127.0.0.1 localhost.localdomain localhost


Server's Public IP Server's Hostname
115.108.33.7 Tata_DSL_FO
115.108.42.134 Tata_DSL_FO2
122.169.99.109 Airtel_DSL_FO2
203.199.134.8 xn015.balasai.com xn015
203.199.134.5 xn015.balasai.com xn015
103.228.50.1 pnq01.balasai.com pnq01

Save the file.


If it is a customer server and the customer has given static IPs from which the server will be
accessed, add those IPs too.

II] Correct the resolvers.

# vi /etc/resolv.conf
Check the resolvers to be used. The resolvers are nameservers as defined by the data center where the
server is located.

Suggested nameservers :

For Softlayer servers:


nameserver 10.0.80.11
nameserver 10.0.80.12
nameserver 203.199.134.8


For VSNL datacenter


nameserver 203.197.12.42
nameserver 202.54.10.2
nameserver 203.199.134.8

For CtrlS IDC:


If we do not have nameservers there, use the following:
nameserver 203.199.134.5
nameserver 8.8.8.8
nameserver 8.8.4.4

For TCL IDC (depends upon the private IP range)


nameserver 192.168.20.1
nameserver 192.168.20.5
nameserver 203.199.134.5

For TCL IDC (depends upon the private IP range)


nameserver 192.168.21.252
nameserver 203.199.134.5
nameserver 8.8.8.8

Save the file after making changes.

9. root mails, hosts and portmap tweaks

(1) Set an alias so that all of root's mail goes to [email protected]

# vi /etc/aliases

Press Shift+G to go to the end of the file.
You will see:
# Person who should get root's mail
#root: marc

Make the following changes:


# Person who should get root's mail
root: [email protected]
Save file.

Run newaliases:
# newaliases
(The newaliases command will not work unless sendmail is installed, so be sure to run it after
the sendmail/mail server installation.)

NOTE: on cPanel based servers the mail server is EXIM. There is no need to install sendmail if the
"newaliases" command does not work.
You can simply restart EXIM.


# service exim restart

2. Add hostname.
# vi /etc/localdomains (only if cPanel based.)

add the FQDN host name.


e.g. the hostname for the bnet117 server will be bnet117.balasai.com

(2) Check /etc/host.conf

order bind, hosts


multi on
nospoof on

(3) Disable portmap.

# vi /etc/hosts.deny

Add the following at the end of the file:


portmap: ALL
Save file.
This file lists the names of the hosts which are *not* allowed to use the local INET services, as
decided by the server. Portmap is a common way in for attackers, so deny the portmap service to all hosts.

10. Disable IPv6: prevent the kernel module from loading at boot time and disable IPv6 networking.

# touch /etc/modprobe.d/disable-ipv6.conf
# echo "options ipv6 disable=1" >> /etc/modprobe.d/disable-ipv6.conf

Edit /etc/sysconfig/network, enter:


# vi /etc/sysconfig/network
Update / add as follows:
NETWORKING_IPV6=no
IPV6INIT=no
Save and close the file. Restart network service.
# systemctl restart network.service

11. SELinux : Confirm that selinux is disabled.

# vi /etc/sysconfig/selinux
Set SELINUX=disabled

# This file controls the state of SELinux on the system.


# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=disabled


# SELINUXTYPE= type of policy in use. Possible values are:


# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted

# SETLOCALDEFS= Check local definition changes


SETLOCALDEFS=0

Save file.

12. Reboot server.


# sync
# sync
# reboot
Wait for the server to come back online. Note down how much time it takes to come back online.

PART II: - Security and Performance Tweaks.

Now that the server has been rebooted into a locked-down environment, you can do the other tasks with
ease. Read /var/log/messages completely and make sure there are no errors related to hardware or the kernel.

1. SYSCTL

Sysctl configuration is not a cut-and-paste job. sysctl configures kernel parameters at run time. An
error in this config can leave the system booting without network access, and only physical console
access can then rectify it, so it is of the utmost importance to make the settings and verify them
before committing the changes.

The config depends on how the interfaces are connected. The public interface, whether eth0 or eth1,
and the private interface need to be tuned properly.

Now edit the file /etc/sysctl.conf, remove the existing contents of the file, if any, and paste the
following contents:

# Controls IP packet forwarding


net.ipv4.ip_forward = 0

# Controls the System Request debugging functionality of the kernel


kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename
# Useful for debugging multi-threaded applications
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies


net.ipv4.tcp_syncookies = 1

# Controls the maximum size of a message, in bytes


kernel.msgmnb = 65536


# Controls the default maximum size of a message queue


kernel.msgmax = 65536

# Controls the maximum shared segment size, in bytes


kernel.shmmax = 4294967295

# Controls the maximum number of shared memory segments, in pages


kernel.shmall = 268435456

# Enable control of syn packets


net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 2

# Turn on execshield
kernel.exec-shield=1
kernel.randomize_va_space=1

#Enable IP spoofing protection,turn on source route verification


net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.lo.rp_filter=1
net.ipv4.conf.eth0.rp_filter=1
net.ipv4.conf.eth1.rp_filter=1
net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing


# Disable IP source routing
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.lo.accept_source_route=0
net.ipv4.conf.eth0.accept_source_route=0
net.ipv4.conf.eth1.accept_source_route=0
net.ipv4.conf.default.accept_source_route = 0

#Disable ICMP Redirect Acceptance


net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.lo.accept_redirects=0
net.ipv4.conf.eth0.accept_redirects=0
net.ipv4.conf.eth1.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0

#Enable Log Spoofed Packets, Source Routed Packets, Redirects Packets


net.ipv4.conf.all.log_martians=1
net.ipv4.conf.lo.log_martians=1
net.ipv4.conf.eth0.log_martians=1
net.ipv4.conf.eth1.log_martians=1

# Controls the System Request debugging functionality of the kernel


#Disables the magic-sysrq key
kernel.sysrq=0


#Enable ignoring broadcasts request


net.ipv4.icmp_echo_ignore_broadcasts=1
#net.ipv4.icmp_ignore_bogus_error_messages=1

#Increase the tcp_time_wait buckets pool size


net.ipv4.tcp_max_tw_buckets=1440000

Save file.

Reload the new configurations.


# sysctl -p

Check for errors.


Fix the errors (comment out the offending lines).
Save the file.
Check again:

# sysctl -p
If there are no errors, the file is good.
# sysctl -w net.ipv4.route.flush=1
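The "check for errors, comment out the offending lines, check again" loop above can be done before anything is applied: every dotted sysctl key is a file under /proc/sys, so a key the running kernel does not have (kernel.exec-shield on a kernel without it, or net.ipv4.conf.eth1.* on a host whose second NIC is named differently) shows up as a missing file. The script below is an added example, not part of the BNPL guide: it dry-runs a sysctl.conf against /proc/sys (or any directory given as the second argument, which is how the constructed test tree is used) and also reports keys set more than once, since the later value silently wins. The fake /proc/sys tree and the sample conf are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the BNPL guide: dry-run a sysctl.conf before
# "sysctl -p". Keys with no matching /proc/sys entry are reported without
# touching live settings, and keys set more than once are listed.
# The /proc/sys root is a parameter so the check can run on a constructed tree.

# Print the key of every key=value line, comments stripped.
sysctl_keys() {
    sed -e 's/#.*//' "$1" | awk -F= 'NF >= 2 { gsub(/[ \t]/, "", $1); print $1 }'
}

# Keys that appear more than once in the file.
sysctl_duplicate_keys() {
    sysctl_keys "$1" | sort | uniq -d
}

# Report keys with no matching entry under $2 (default /proc/sys); returns 1 if any.
sysctl_dry_run() {
    root=${2:-/proc/sys}
    missing=$(sysctl_keys "$1" | while read -r key; do
        path="$root/$(printf '%s' "$key" | tr '.' '/')"
        [ -e "$path" ] || echo "$key: no such parameter (expected $path)"
    done)
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
        return 1
    fi
    return 0
}

# Constructed fake /proc/sys tree ($1) and sysctl.conf ($2) for the demo:
# the tree lacks kernel/exec-shield and eth1, and the conf sets kernel.sysrq twice.
make_sample_sysctl() {
    mkdir -p "$1/net/ipv4/conf/eth0" "$1/kernel"
    touch "$1/net/ipv4/ip_forward" "$1/net/ipv4/conf/eth0/rp_filter" \
          "$1/kernel/sysrq" "$1/kernel/randomize_va_space"
    {
        echo '# Controls IP packet forwarding'
        echo 'net.ipv4.ip_forward = 0'
        echo 'kernel.sysrq = 0'
        echo 'kernel.exec-shield=1'
        echo 'kernel.randomize_va_space=1'
        echo 'net.ipv4.conf.eth0.rp_filter=1'
        echo 'net.ipv4.conf.eth1.rp_filter=1'
        echo 'kernel.sysrq=0   # set again further down'
    } > "$2"
}

tree=$(mktemp -d)
conf=$(mktemp)
make_sample_sysctl "$tree" "$conf"
sysctl_dry_run "$conf" "$tree" || echo "comment out the keys above before running sysctl -p"
echo "duplicate keys: $(sysctl_duplicate_keys "$conf" | tr '\n' ' ')"
rm -rf "$tree" "$conf"
```

On the real host run sysctl_dry_run /etc/sysctl.conf with no second argument; it reads the live /proc/sys tree of the running kernel, which is the same view sysctl -p would fail against.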

Disable IPv6, by creating a file disable-ipv6.conf in /etc/sysctl.d

Put following entry in the file:


# Disable IPv6 for all adapters
net.ipv6.conf.all.disable_ipv6 = 1

To disable IPv6 for a particular adapter only (for example, if the network card name is eno16777736):
net.ipv6.conf.eno16777736.disable_ipv6 = 1

Save file.
# systemctl restart network.service
Check for any errors while restarting the service.
# sync
# sync
# reboot

2. Secure installers.

Set the following file permissions:


# chmod 750 /usr/bin/wget
# chmod 755 /usr/bin/scp

3. Install CSF/LFD

# cd /usr/local/src
# wget https://download.configserver.com/csf.tgz
# tar -xzf csf.tgz


# cd csf
# sh install.sh

Install below Perl packages if not installed:


# yum install perl-libwww-perl perl-Net-SSLeay perl-IO-Socket-SSL.noarch perl-Crypt-SSLeay.x86_64

Install the CSF webmin module:

Login to Webmin.
Go to Webmin tab >> Webmin Configuration >> Webmin Modules
From local file >> /etc/csf/csfwebmin.tgz >> Install Module

For CSF/LFD tweaking, follow the below given URL:

http://intra2.balasai.com/mt-new/opsprocs/2016/07/configserver-security-firewall-tweak-csflfd.html

4. Install RKhunter

Rootkit Hunter is a scanning tool to assure you, to about 99.9%*, that you are clean of nasty tools. This
tool scans for rootkits, backdoors and local exploits by running tests such as:
- Looking for default files used by rootkits
- Wrong file permissions for binaries
- Looking for suspect strings in LKM and KLD modules
- Looking for hidden files
Optionally, scanning within plaintext and binary files.

# cd /usr/local/src
Download rkhunter from the URL: http://www.rootkit.nl/projects/rootkit_hunter.html

# tar -zxf rkhunter-<downloaded version>.tar.gz


# cd rkhunter-<downloaded version>
# sh installer.sh --layout /usr/local --install

Now you can check your system with commands:


# rkhunter --check
Verify the output and fix the warnings. Some warnings are false positives, so do ascertain that.
If something looks fishy, find the package that owns the file and reinstall it:
# rpm -qf /usr/bin/<whatever>
Note the rpm.
# yum reinstall <the suspect package>

Add below cron jobs to crontab using:


# crontab -e

00 05 * * * /usr/local/bin/rkhunter --createlogfile --cronjob 2>&1


15 05 * * * cat /var/log/rkhunter.log | mail -s "Daily Rkhunter Scan Report : HostName"
[email protected]


5. Reboot server.

PART III: - Services Security and Performance Tweaks.


Services security tuning differs between cPanel based and core Linux servers. This section is for core
Linux servers. The services also depend on the role of the deployed server: some may run only web and
Java, some only mail, and some combine all services.

1. Filesystem

Make changes in a file /etc/fstab


Replace defaults with noexec, nodev, nosuid for partitions /tmp, /var and /home

LABEL=/usr /usr xfs defaults 1 2


LABEL=/home /home xfs noexec,nosuid,nodev 1 2
LABEL=/tmp /tmp xfs noexec,nosuid,nodev 1 2
LABEL=/var /var xfs noexec,nosuid,nodev 1 2

- noexec: Binaries are not allowed to be executed (Do not use this option with root filesystem(/))
- nosuid: Blocks the operation of suid and sgid bits
- nodev: Prevent any user to mount the file system

The XFS file system replaces ext4 as the default file system, and is now supported to a maximum file
system size of 500 TB, and a maximum file offset of 8 EB (sparse files).
The ext4 file system is now supported to a maximum file system size of 50 TB and a maximum file size of
16 TB. Tuning recommendations have been updated accordingly. Additionally, support for the ext2 and
ext3 file systems is now provided by the ext4 driver.
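A mistake in /etc/fstab only shows itself at the next reboot, so it pays to audit the file before step 5's reboot. The script below is an added example, not part of the BNPL guide: it checks that /tmp, /var and /home are separate mounts carrying noexec, nosuid and nodev (nodev additionally stops device nodes placed on those filesystems from being honoured), and flags any entry that does not have the six fields an fstab line needs, such as a dump/pass pair that has been run together into one field. The sample fstab it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the BNPL guide: audit an fstab for the mount options
# the Filesystem step requires on /tmp, /var and /home, and flag lines that do
# not have the six fields fstab expects, before the reboot that would apply them.

# Options field of the entry mounted at $2 (empty if there is no such mount point).
fstab_options() {
    awk -v m="$2" '$1 !~ /^#/ && $2 == m { print $4; exit }' "$1"
}

# Non-comment lines that do not have exactly six fields.
fstab_malformed_lines() {
    awk '$1 !~ /^#/ && NF > 0 && NF != 6' "$1"
}

# Audit an fstab file; prints one finding per line, returns 1 if any.
audit_fstab() {
    fstab=$1
    rc=0
    for mp in /tmp /var /home; do
        opts=$(fstab_options "$fstab" "$mp")
        if [ -z "$opts" ]; then
            echo "$mp: not a separate mount, options cannot be applied"
            rc=1
            continue
        fi
        for want in noexec nosuid nodev; do
            case ",$opts," in
                *",$want,"*) ;;
                *) echo "$mp: missing $want (has: $opts)"; rc=1 ;;
            esac
        done
    done
    bad=$(fstab_malformed_lines "$fstab")
    if [ -n "$bad" ]; then
        printf 'malformed line: %s\n' "$bad"
        rc=1
    fi
    return $rc
}

# Constructed fstab written to $2: "good" follows the guide; "bad" leaves /tmp
# at defaults and has a /home line whose dump/pass fields were run together.
make_sample_fstab() {
    {
        echo '# constructed sample, not a real host'
        echo 'LABEL=/     /     xfs  defaults              1 1'
        echo 'LABEL=/usr  /usr  xfs  defaults              1 2'
        echo 'LABEL=/var  /var  xfs  noexec,nosuid,nodev   1 2'
        if [ "$1" = bad ]; then
            echo 'LABEL=/tmp  /tmp  xfs  defaults              1 2'
            echo 'LABEL=/home /home xfs  noexec,nosuid,nodev   12'
        else
            echo 'LABEL=/tmp  /tmp  xfs  noexec,nosuid,nodev   1 2'
            echo 'LABEL=/home /home xfs  noexec,nosuid,nodev   1 2'
        fi
    } > "$2"
}

demo=$(mktemp)
make_sample_fstab good "$demo"
audit_fstab "$demo" && echo "good fstab: clean"
make_sample_fstab bad "$demo"
audit_fstab "$demo" || echo "bad fstab: findings above"
rm -f "$demo"
```

Run audit_fstab /etc/fstab after editing; the options can also be tried live with mount -o remount before rebooting, so a partition that refuses noexec is found while you still have a working session.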

2. Yum Configuration

Install priorities.
# yum install yum-priorities

- Edit the /etc/yum/pluginconf.d/priorities.conf


ensure that it contains the following lines:
[main]
enabled = 1

- Add priorities to repositories by adding the line in the repo configs (cd /etc/yum.repos.d/)
# vi /etc/yum.repos.d/CentOS-Base.repo
priority=N

[base], [updates], [extras] priority=1


[centosplus] priority=1 (same priority as base and updates) but should be left disabled

Third Party Repos. priority=N (where N is > 10 and based on your preference)

Create /etc/cron.daily/yumupdate.sh to apply updates once a day:


#!/bin/bash

YUM=/usr/bin/yum

$YUM -y -R 120 -d 0 -e 0 update yum

$YUM -y -R 10 -e 0 -d 0 update

Save file.

(1) Perl Modules.

Install perl cpan modules.


# yum install links

# yum install perl-CPAN


# yum install perl-Time-HiRes
# perl -MCPAN -e shell
Follow the configuration questions, accepting all defaults.
At cpan prompt:

Cpan> install Bundle::CPAN


Make sure it is installed correctly.

Cpan> install Net::SSLeay


Quit cpan.

Cpan> q

(2) Configuration of Webmin

# vi /etc/webmin/miniserv.conf

Look for the line: ssl=0


Change it to: ssl=1
Restart Webmin for these changes to take effect: systemctl restart webmin

Only for BNPL Servers, install wild card SSL for webmin:

http://intra2.balasai.com/mt-new/opsprocs/2015/10/installing-wild-card-ssl-certificate-of-balasaicom-for-webmin.html

Authentication and session options:


Auto-logout after 10 minutes of inactivity.

3. Users and files

- Verify No Accounts Have Empty Passwords.


Type the following command:
# awk -F: '($2 == "") {print}' /etc/shadow


- Make Sure No Non-Root Accounts Have UID Set To 0.

Only the root account should have UID 0, which gives full permissions to access the system. Type the
following command to display all accounts with UID set to 0:

# awk -F: '($3 == "0") {print}' /etc/passwd

Only root should be displayed. If any other user is displayed, the system may be compromised.
Remove the user and check the system for signs of a compromise.
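The two awk one-liners above each answer one question; the script below is an added example, not part of the BNPL guide, that wraps both in functions taking the passwd and shadow files as arguments (so they can be pointed at /etc/passwd and /etc/shadow on a host, which needs root to read, or at constructed copies as here) and adds a third check for accounts present in passwd but absent from shadow, since an account with no shadow record has no password to check. Locked accounts, which carry "!" or "*" in the password field, are not reported as empty. The passwd and shadow samples are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the BNPL guide: the Users and files checks as
# functions over passwd/shadow files given as arguments, plus a check for
# passwd entries that have no shadow entry at all.

# Accounts other than root whose UID is 0.
nonroot_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts whose shadow password field is empty (login needs no password).
# Locked accounts ("!" or "*" in the field) are not reported.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Accounts present in passwd ($1) but absent from shadow ($2).
accounts_without_shadow() {
    awk -F: 'NR == FNR { seen[$1] = 1; next } !($1 in seen) { print $1 }' "$2" "$1"
}

# $1 = passwd file, $2 = shadow file; one finding per line, returns 1 if any.
audit_accounts() {
    rc=0
    for u in $(nonroot_uid0_accounts "$1"); do echo "$u: UID 0 but not root"; rc=1; done
    for u in $(empty_password_accounts "$2"); do echo "$u: empty password"; rc=1; done
    for u in $(accounts_without_shadow "$1" "$2"); do echo "$u: no shadow entry"; rc=1; done
    return $rc
}

# Constructed passwd ($1) and shadow ($2) pair with one of each problem:
# a second UID 0 account, an empty password, and a user missing from shadow.
make_sample_accounts() {
    {
        echo 'root:x:0:0:root:/root:/bin/bash'
        echo 'bn_admin:x:1000:1000::/home/bn_admin:/bin/bash'
        echo 'toor:x:0:0:second uid 0:/root:/bin/bash'
        echo 'guest:x:1001:1001::/home/guest:/bin/bash'
        echo 'orphan:x:1002:1002::/home/orphan:/bin/bash'
    } > "$1"
    {
        echo 'root:$6$constructedhash:17000:0:99999:7:::'
        echo 'bn_admin:$6$constructedhash:17000:0:99999:7:::'
        echo 'toor:!!:17000:0:99999:7:::'
        echo 'guest::17000:0:99999:7:::'
    } > "$2"
}

p=$(mktemp); s=$(mktemp)
make_sample_accounts "$p" "$s"
audit_accounts "$p" "$s" || echo "remove or lock the accounts listed above"
rm -f "$p" "$s"
```

On a host, audit_accounts /etc/passwd /etc/shadow gives the same three checks in one pass; an empty output and a zero exit is the expected result on a clean system.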

- No-owner Files
Files not owned by any user or group can pose a security problem. Find files that do not belong to a
valid user and a valid group with the following command:

# find /usr/local/src -xdev \( -nouser -o -nogroup \) -print

Change the ownership to root or bn_admin if the default installs of packages like rkhunter, webmin,
Nagios plugins etc. have left files or directories with no owner.

4. VsFTP

# yum install vsftpd vsftpd-sysvinit

Some of the important parameters that need to be added or modified in /etc/vsftpd/vsftpd.conf are:

anonymous_enable=NO
chroot_local_user=YES
async_abor_enable=YES
anon_world_readable_only=NO
guest_enable=NO
guest_username=ftp
hide_ids=YES
max_clients=60
max_per_ip=2
session_support=NO
use_localtime=YES
user_config_dir=/etc/vsftpd/user_list
userlist_file=/etc/vsftpd/denied_users
dirlist_enable=YES
anon_umask=0027

>> Make the change for below directive: Change listen to YES
When "listen" directive is enabled, vsftpd runs in standalone mode and
listens on IPv4 sockets. This directive cannot be used in conjunction
with the listen_ipv6 directive.
listen=YES

>> Make the change for below directive: Comment the line listen_ipv6=YES
This directive enables listening on IPv6 sockets. By default, listening


on the IPv6 "any" address (::) will accept connections from both IPv6
and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
sockets. If you want that (perhaps because you want to listen on specific
addresses) then you must run two copies of vsftpd with two configuration
files.
Make sure that one of the listen options is commented out.
#listen_ipv6=YES

Create a blank file denied_users under /etc/vsftpd:


# touch /etc/vsftpd/denied_users
Start the vsftpd service:
# systemctl start vsftpd.service

Enable VsFTPD on boot up:


# systemctl enable vsftpd

5. Apache

Install HTTP:
# yum install httpd*

# cd /var/www/html/
# vi index.html
<html>
<head>
<meta http-equiv="refresh" content="1;url=https://www.balasai.com">
</head>
</html>

For customer servers, you can simply create a blank index.html page or put the hostname in it.

HTTP and PHP TWEAKS

(1) Minimize information disclosures and Loadable Modules


Edit /etc/httpd/conf/httpd.conf

Secure httpd contents.


Change the following.

a> From:
#ServerName www.example.com:80
To:
ServerName Server_FQDN

# Add the following sections to the end of the httpd.conf file:

Timeout 60
# Maximum size of the request body.
LimitRequestBody 10000


# Maximum number of request headers in a request.


LimitRequestFields 40
# Maximum size of request header lines.
LimitRequestFieldSize 4094
# Maximum size of the request line.
LimitRequestLine 500

Run httpd -S to verify changes are correct and syntax is valid. Fix errors/warnings if any.
Start httpd:
# systemctl start httpd.service
Enable httpd service at boot up:
# systemctl enable httpd

(2) Restrict File and Directory Access

Minimize access to critical Apache files and directories:


# chmod 511 /usr/sbin/httpd
# chmod 750 /var/log/httpd/
# chmod 750 /etc/httpd/conf/
# chmod 640 /etc/httpd/conf/*
# chgrp -R apache /etc/httpd/conf

<IfModule mod_security.c>
# enable mod security
SecFilterEngine On

AddHandler application/x-httpd-php .php


SecAuditLog logs/audit_log
SecFilterDefaultAction "deny,log,status:500"

# enable POST filtering


SecFilterScanPost On
# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On
# Accept almost all byte values
SecFilterForceByteRange 1 255
# Prevent directory traversal
SecFilter "\.\./"
# Filter on specific system specific paths
SecFilter /etc/passwd
SecFilter /bin/
# Prevent cross-site scripting
SecFilter "<[[:space:]]* script"
# Prevent SQL injection
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"
</IfModule>


6. Secure PHP

(1) Install the Stock PHP through yum:


# yum install php

(2) Change the permissions on the php.ini file:


# chmod 640 /etc/php.ini

(3) Edit php.ini


# vi /etc/php.ini
Replace the following values:

allow_url_fopen = Off
enable_dl = Off
expose_php = Off

From:
mysql.default_host =
To:
mysql.default_host = 127.0.0.1:3306

From:
;open_basedir =
To:
open_basedir = "/var/www/html/"

From:
disable_functions =
To: disable_functions = show_source, system, shell_exec, passthru, exec, popen, proc_open, allow_url_fopen

More Secure :
To: disable_functions = fpassthru,crack_check,crack_closedict,crack_getlastmessage,crack_opendict,psockopen,php_ini_scanned_files,shell_exec,chown,hell-exec,dl,ctrl_dir,phpini,tmp,safe_mode,systemroot,server_software,get_current_user,HTTP_HOST,ini_restore,popen,pclose,exec,suExec,passthru,proc_open,proc_nice,proc_terminate,proc_get_status,proc_close,pfsockopen,leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,escapeshellcmd,escapeshellarg,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid,posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid,posix_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,system,posix_getsid,posix_getuid,posix_isatty,posix_setegid,posix_seteuid,posix_setgid,posix_time,posix_ttyname,posix_uname,posix_access,posix_get_last_error,posix_mknod,posix_strerror,posix_initgroups,posix_setsid,posix_setuid

From:
;include_path = ".:/php/includes"
To:
include_path = "/usr/local/lib/php"


display_errors = Off
display_startup_errors = Off

Configure limits:
max_execution_time = 30 ; Max script execution time
max_input_time = 60 ; Max time spent parsing input
memory_limit = 16M ; Max memory used by one script (Can be increased as per the
requirement)
upload_max_filesize = 2M ; Max upload file size (Can be increased as per the requirement)
post_max_size = 8M ; Max post size

7. Sendmail

Install the sendmail-cf, which is required in order to compile a new configuration file:
# yum install sendmail-cf
# systemctl start sendmail.service
# systemctl enable sendmail

Mail relay is only for localhost.


Ensure that /etc/mail/access contains only the following lines:

Connect:localhost.localdomain RELAY
Connect:localhost RELAY
Connect:127.0.0.1 RELAY

Ensure that the sendmail is sending out mails from the server:
# yum install mailx
# mail -s "Subject" <Recipient Email ID>
Body
Press Ctrl+D

Check if the mail is received on the mentioned Email ID.

Run the following commands to ensure correct permissions on the mail log:
# chown root:root /var/log/maillog
# chmod 600 /var/log/maillog

PART IV: - Logwatch, Log rotation and Remote monitoring with Nagios.

1. Nagios Plugins installation and configuration

Prerequisites:

# cd /usr/local/src
# yum install net-snmp net-snmp-devel openssl-devel openssl-perl xinetd
# useradd nagios
# mkdir /usr/local/nagios
# cd /usr/local/nagios


# mkdir etc bin sbin libexec var share


# chown nagios:nagios /usr/local/nagios -R

Download Nagios Plugins from:


http://www.nagios.org/download/plugins
-> Current at the time of documenting http://nagios-plugins.org/download/nagios-plugins-2.0.3.tar.gz

# tar -zxvf nagios-plugins-<downloaded>.tar.gz


# cd nagios-plugins-<latest version>
# yum install gcc
# ./configure
# make
# make install
# cd ..

Download latest NRPE from URL:


http://exchange.nagios.org/directory/Addons/Monitoring-Agents/NRPE--2D-Nagios-Remote-Plugin-Executor/details
-> Current at the time of documenting http://sourceforge.net/projects/nagios/files/nrpe-2.x/nrpe-2.15/nrpe-2.15.tar.gz

# tar -zxvf nrpe-<downloaded>.tar.gz


# cd nrpe-<latest version>
# ./configure --enable-command-args
# make all
# cp src/nrpe /usr/local/nagios
# cp sample-config/nrpe.cfg /usr/local/nagios/etc

- Edit /usr/local/nagios/etc/nrpe.cfg
Search for "dont_blame_nrpe=0"
and change the value to 1, i.e. "dont_blame_nrpe=1"

Search for all the external commands at the bottom, comment them out with "#",
and paste the following external commands at the end of the file:

command[check_local_disk]=/usr/local/nagios/libexec/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$


command[check_local_users]=/usr/local/nagios/libexec/check_users -w $ARG1$ -c $ARG2$
command[check_local_load]=/usr/local/nagios/libexec/check_load -w $ARG1$ -c $ARG2$
command[check_local_procs]=/usr/local/nagios/libexec/check_procs -w $ARG1$ -c $ARG2$
command[check_ping]=/usr/local/nagios/libexec/check_ping -H $ARG1$ -w $ARG2$ -c $ARG3$ -p 5
# command[check_mailq]=sudo /usr/local/nagios/libexec/check_eximmailq -w $ARG1$ -c $ARG2$ (Add only if needed)
# command[show_users]=/usr/local/nagios/libexec/show_users -m $ARG1$ (Add only if needed)
# command[check_mysql]=/usr/local/nagios/libexec/check_mysql -u $ARG1$ -p $ARG2$ (Add only if needed)
# command[check_mem]=/usr/local/nagios/libexec/check_mem.sh -w $ARG1$ -c $ARG2$ (Add only if needed)

Save file and Exit.


Now enter the command:


# visudo
Add the following line at the end of file (On Non-cPanel servers):
nagios ALL=(ALL) NOPASSWD: /usr/local/nagios/libexec/

Add the following line at the end of file (On cPanel servers):
nagios ALL=(ALL) NOPASSWD: /usr/sbin/exim, /usr/local/nagios/libexec/

Comment the following line (Only on cPanel servers):


Defaults requiretty

# chown root:root /usr/bin/sudo


# chmod 4111 /usr/bin/sudo
# chown nagios:nagios /usr/local/nagios -R

- Add nrpe as a service


# cd /etc/xinetd.d/
# vi nrpe
Add the following lines:

# default: on
# description: NRPE
service nrpe
{
flags = REUSE
socket_type = stream
wait = no
user = nagios
server = /usr/local/nagios/nrpe
server_args = -c /usr/local/nagios/etc/nrpe.cfg --inetd
log_on_failure += USERID
disable = no
only_from = 103.228.50.1 115.108.42.134
}

- Add nrpe service:


# vi /etc/services
Add at bottom:
nrpe 5666/tcp # NRPE

Save and Exit.


# systemctl restart xinetd.service
# systemctl enable xinetd

Configure SNMP


# vi /etc/snmp/snmpd.conf
Remove all existing lines and add the following. Edit the server names and location.

com2sec local localhost bnpl-bnet00


com2sec mynetwork 115.108.42.134 bnpl-bnet00
com2sec mynetwork 103.228.50.1 bnpl-bnet00

group MyROGroup v1 local


group MyROGroup v1 mynetwork

view all included .1 80

access MyROGroup "" any noauth exact all none none

syslocation TATA IDC.


syscontact BNPL [email protected]
Save file.
# systemctl start snmpd.service

2. Logwatch installation and configuration

Download latest RPM from:


http://www.logwatch.org/
--> Current at the time of documenting
http://sourceforge.net/projects/logwatch/files/logwatch-7.4.1/logwatch-7.4.1-1.noarch.rpm

# cd /usr/local/src/
# wget RPM download link
# rpm -ivh logwatch-<downloaded>.rpm

The logwatch configuration files are in /etc/logwatch/ and the default configuration is in
/usr/share/logwatch/. This is not to be modified. We will modify the localized copy.

# cd /etc/logwatch/conf
# cp /usr/share/logwatch/default.conf/logwatch.conf logwatch.conf
# vi logwatch.conf
Find and change following parameters:

Output = mail
MailTo = root
MailFrom = root@hostname [Eg. MailFrom = [email protected]]
Detail = Med
Add the following under the option "# You can also disable certain services (when specifying all)"
Service = "-iptables"

Save file.

Now test the logwatch by command:


# logwatch


Logwatch will be received on the Email ID which is set in /etc/aliases file.

3. Logrotation

# vi /etc/logrotate.conf
Change "weekly" to "daily"
Change "rotate 4" to "rotate 31"
Remove the comment for compress
