Securing Linux - CentOS7
-
@JaredBusch said:
@travisdh1 said:
fail2ban - Watches for failed login attempts, if the same account tries to login to many times the account gets locked out of the system for a set period of time. On CentOS 6 the default is 5 failed attempts over 5 minutes gets locked out for 30 minutes. Makes brute forcing any decent password even harder. Once fail2ban is installed and configured for each service to monitor it's good to go.
This is not correct.
fail2ban
does not lock out anything. By using the term lock out, you are implying it has some access to user account information, which it does not.What it does is add rules to the firewall to cause connections form the source IP to be dropped.
Ah yes, quite right.
-
When you can, within reason, you want to have SELinux or AppArmor turned on. They are there for a reason, they provide rather a significant amount of additional protection.
-
SELinux writes logs to the /var/log/audit/audit.log file, if auditd isn't running then its the /var/log/messages. If you check the logs, it pretty much tells you what you need to do to allow your service.
-
Do you guys have any great resources for CentOS? If not, do you have any book recommendations? I need a lot of reading material.
-
@wirestyle22 said:
Do you guys have any great resources for CentOS? If not, do you have any book recommendations? I need a lot of reading material.
Have you been following SAM's new Linux guide? That's CentOS.
http://mangolassi.it/topic/7825/sam-learning-linux-system-administration
-
@Reid-Cooper said:
@wirestyle22 said:
Do you guys have any great resources for CentOS? If not, do you have any book recommendations? I need a lot of reading material.
Have you been following SAM's new Linux guide? That's CentOS.
http://mangolassi.it/topic/7825/sam-learning-linux-system-administration
I hear that it comes highly recommended.
-
@scottalanmiller said:
@Reid-Cooper said:
@wirestyle22 said:
Do you guys have any great resources for CentOS? If not, do you have any book recommendations? I need a lot of reading material.
Have you been following SAM's new Linux guide? That's CentOS.
http://mangolassi.it/topic/7825/sam-learning-linux-system-administration
I hear that it comes highly recommended.
There may be a bit of bias there.
-
@scottalanmiller said:
@Reid-Cooper said:
@wirestyle22 said:
Do you guys have any great resources for CentOS? If not, do you have any book recommendations? I need a lot of reading material.
Have you been following SAM's new Linux guide? That's CentOS.
http://mangolassi.it/topic/7825/sam-learning-linux-system-administration
I hear that it comes highly recommended.
I will certainly check it out. I'm building my Linux Test Environment Server. I'm going to use it for a myriad of things.
-
I am trying hard to keep several new articles coming each week.
-
@scottalanmiller said:
I am trying hard to keep several new articles coming each week.
I appreciate that greatly. I'll be updating my progress and I'm sure I'll be asking a lot of questions to break everything down and provide hypotheticals.
-
If you're running Fedora, there is an SELinux Troubleshooter tool that comes in really handy. I just moved my KVM images to a different folder. I had to change the context of the folder to allow KVM to read the images. As soon as the error happened, I got a notification from the troubleshooter. Highlighted is the commands you need to allow the action.
-
What about users?
At the moment I don't create a new user I just use root with a strong password.Can I "link" Linux with out AD and user our usernames and passwords that way (but limit how i.e. just the IT Dept?)? Or should I create new local users on the Linux machines?
-
@hobbit666 said:
What about users?
At the moment I don't create a new user I just use root with a strong password.Can I "link" Linux with out AD and user our usernames and passwords that way (but limit how i.e. just the IT Dept?)? Or should I create new local users on the Linux machines?
Really depends on how you plan to use the system.
-
@scottalanmiller said:
@hobbit666 said:
What about users?
At the moment I don't create a new user I just use root with a strong password.Can I "link" Linux with out AD and user our usernames and passwords that way (but limit how i.e. just the IT Dept?)? Or should I create new local users on the Linux machines?
Really depends on how you plan to use the system.
At the moment its one VM for FOG and another VM for SnipeIT
-
@hobbit666 said:
What about users?
At the moment I don't create a new user I just use root with a strong password.Can I "link" Linux with out AD and user our usernames and passwords that way (but limit how i.e. just the IT Dept?)? Or should I create new local users on the Linux machines?
If you're only going to have a few Linux boxes its probably easier to just script the user/key creation.
-
thinking about it ...... it's more the backend I guess as FOG and SnipeIT (soon to be Zabbix and Unifi as well) all have there own User control. So more for running yum update command once in a while
-
@hobbit666 said:
thinking about it ...... it's more the backend I guess as FOG and SnipeIT (soon to be Zabbix and Unifi as well) all have there own User control. So more for running yum update command once in a while
Yeah, UNIX logins are actually not all that common for end users. We have them, but it is because we use Linux as terminal servers.
-
@scottalanmiller I almost never use them. A few service accounts and that's about it.