Securing Linux - CentOS7

JaredBusch

@travisdh1 said:

fail2ban - Watches for failed login attempts, if the same account tries to login to many times the account gets locked out of the system for a set period of time. On CentOS 6 the default is 5 failed attempts over 5 minutes gets locked out for 30 minutes. Makes brute forcing any decent password even harder. Once fail2ban is installed and configured for each service to monitor it's good to go.

This is not correct. fail2ban does not lock out anything. By using the term lock out, you are implying it has some access to user account information, which it does not.

What it does is add rules to the firewall to cause connections from the source IP to be dropped.

wirestyle22

@scottalanmiller said:

@wirestyle22 said:

@scottalanmiller said:

@wirestyle22 said:

@scottalanmiller said:

Fail2Ban stops brute force attacks by locking out aggressive IP addresses that make many attempts to log into your system. Without it, an aggressive IP could attack you with one bad password after another, as fast as it could, until it found one that worked (like happened to Alibabab today.) Fail2ban makes brute forces nearly impossible because it would make millions of attempts take a lifetime, rather than a day.

Sounds like it would also mitigate denial of service attacks as well or just logins?

It actually enables DoS attacks, to some degree.

Can you explain in more detail? Is this because it creates overhead?

Creates overhead and causes a system to deny access from an IP address. What to block a system from being able to server requests... just hit it from lots of IP addresses and get it to start blocking them. Instant denial of service.

Ah, that makes sense. Thanks.

travisdh1

@JaredBusch said:

@travisdh1 said:

fail2ban - Watches for failed login attempts, if the same account tries to login to many times the account gets locked out of the system for a set period of time. On CentOS 6 the default is 5 failed attempts over 5 minutes gets locked out for 30 minutes. Makes brute forcing any decent password even harder. Once fail2ban is installed and configured for each service to monitor it's good to go.

This is not correct. fail2ban does not lock out anything. By using the term lock out, you are implying it has some access to user account information, which it does not.

What it does is add rules to the firewall to cause connections form the source IP to be dropped.

Ah yes, quite right.

StrongBad

When you can, within reason, you want to have SELinux or AppArmor turned on. They are there for a reason, they provide rather a significant amount of additional protection.

stacksofplates

SELinux writes logs to the /var/log/audit/audit.log file, if auditd isn't running then its the /var/log/messages. If you check the logs, it pretty much tells you what you need to do to allow your service.

wirestyle22

Do you guys have any great resources for CentOS? If not, do you have any book recommendations? I need a lot of reading material.

Reid Cooper

@wirestyle22 said:

Do you guys have any great resources for CentOS? If not, do you have any book recommendations? I need a lot of reading material.

Have you been following SAM's new Linux guide? That's CentOS.

http://mangolassi.it/topic/7825/sam-learning-linux-system-administration

scottalanmiller

@Reid-Cooper said:

@wirestyle22 said:

Do you guys have any great resources for CentOS? If not, do you have any book recommendations? I need a lot of reading material.

Have you been following SAM's new Linux guide? That's CentOS.

http://mangolassi.it/topic/7825/sam-learning-linux-system-administration

I hear that it comes highly recommended.

coliver

@scottalanmiller said:

@Reid-Cooper said:

@wirestyle22 said:

Do you guys have any great resources for CentOS? If not, do you have any book recommendations? I need a lot of reading material.

Have you been following SAM's new Linux guide? That's CentOS.

http://mangolassi.it/topic/7825/sam-learning-linux-system-administration

I hear that it comes highly recommended.

There may be a bit of bias there.

wirestyle22

@scottalanmiller said:

@Reid-Cooper said:

@wirestyle22 said:

Do you guys have any great resources for CentOS? If not, do you have any book recommendations? I need a lot of reading material.

Have you been following SAM's new Linux guide? That's CentOS.

http://mangolassi.it/topic/7825/sam-learning-linux-system-administration

I hear that it comes highly recommended.

I will certainly check it out. I'm building my Linux Test Environment Server. I'm going to use it for a myriad of things.

scottalanmiller

I am trying hard to keep several new articles coming each week.

wirestyle22

@scottalanmiller said:

I am trying hard to keep several new articles coming each week.

I appreciate that greatly. I'll be updating my progress and I'm sure I'll be asking a lot of questions to break everything down and provide hypotheticals.

stacksofplates

If you're running Fedora, there is an SELinux Troubleshooter tool that comes in really handy. I just moved my KVM images to a different folder. I had to change the context of the folder to allow KVM to read the images. As soon as the error happened, I got a notification from the troubleshooter. Highlighted is the commands you need to allow the action.

hobbit666

What about users?
At the moment I don't create a new user I just use root with a strong password.

Can I "link" Linux with out AD and user our usernames and passwords that way (but limit how i.e. just the IT Dept?)? Or should I create new local users on the Linux machines?

scottalanmiller

@hobbit666 said:

What about users?
At the moment I don't create a new user I just use root with a strong password.

Can I "link" Linux with out AD and user our usernames and passwords that way (but limit how i.e. just the IT Dept?)? Or should I create new local users on the Linux machines?

Really depends on how you plan to use the system.

hobbit666

@scottalanmiller said:

@hobbit666 said:

What about users?
At the moment I don't create a new user I just use root with a strong password.

Can I "link" Linux with out AD and user our usernames and passwords that way (but limit how i.e. just the IT Dept?)? Or should I create new local users on the Linux machines?

Really depends on how you plan to use the system.

At the moment its one VM for FOG and another VM for SnipeIT

stacksofplates

@hobbit666 said:

What about users?
At the moment I don't create a new user I just use root with a strong password.

Can I "link" Linux with out AD and user our usernames and passwords that way (but limit how i.e. just the IT Dept?)? Or should I create new local users on the Linux machines?

If you're only going to have a few Linux boxes its probably easier to just script the user/key creation.

hobbit666

thinking about it ...... it's more the backend I guess as FOG and SnipeIT (soon to be Zabbix and Unifi as well) all have there own User control. So more for running yum update command once in a while

scottalanmiller

@hobbit666 said:

thinking about it ...... it's more the backend I guess as FOG and SnipeIT (soon to be Zabbix and Unifi as well) all have there own User control. So more for running yum update command once in a while

Yeah, UNIX logins are actually not all that common for end users. We have them, but it is because we use Linux as terminal servers.

StrongBad

@scottalanmiller I almost never use them. A few service accounts and that's about it.