Securing Linux - CentOS7



  • Firstly i'm a complete Linux Newbie, yes I can install and get simple things working like SnipeIT, Zabbix, Web Server etc.
    But when I create these servers mainly with CentOS (don't ask I've just always used it since version 4/5 I think), but I tend to just disable Firewall and SELINUX get everything installed and working but never really re-enable anything.

    What should I be doing to "secure" the Linux servers, do I need Firewalld or SELINUX on internal only servers? or just a secure password on root do the job?



  • Every box, no matter what it is, anywhere should have a firewall. That's a bare minimum. Desktops, laptops, servers, VMs, you name it. Always a firewall.



  • So keeping the FirewallD service is good enough and just open the ports I need.
    But KILL SELINUX!



  • What @scottalanmiller said as a minimum. I like to have fail2ban running everywhere on every service that has it's own login information. I also want chrootkit running via cron anywhere I can.



  • @hobbit666 said:

    So keeping the FirewallD service is good enough and just open the ports I need.
    But KILL SELINUX!

    no, I just said that there is no circumstance where you ever remote the firewall.



  • @travisdh1 said:

    What @scottalanmiller said as a minimum. I like to have fail2ban running everywhere on every service that has it's own login information. I also want chrootkit running via cron anywhere I can.

    What added benefits does fail2ban & chrootkit have?



  • Fail2Ban stops brute force attacks by locking out aggressive IP addresses that make many attempts to log into your system. Without it, an aggressive IP could attack you with one bad password after another, as fast as it could, until it found one that worked (like happened to Alibabab today.) Fail2ban makes brute forces nearly impossible because it would make millions of attempts take a lifetime, rather than a day.



  • @hobbit666 said:

    @travisdh1 said:

    What @scottalanmiller said as a minimum. I like to have fail2ban running everywhere on every service that has it's own login information. I also want chrootkit running via cron anywhere I can.

    What added benefits does fail2ban & chrootkit have?

    I left the k out of chkrootkit, doh!

    fail2ban - Watches for failed login attempts, if the same account tries to login to many times the account gets locked out of the system for a set period of time. On CentOS 6 the default is 5 failed attempts over 5 minutes gets locked out for 30 minutes. Makes brute forcing any decent password even harder. Once fail2ban is installed and configured for each service to monitor it's good to go.

    chkrootkit - Indexes the root file system and latter on checks to see if any files have been changed. So if some hacker got into your web server and replaced the ls command with their own version that does things other than list files in a directory, chrootkit will tell you that ls has changed. After installing you need to manually run it whenever you want to run this check.



  • @scottalanmiller said:

    Fail2Ban stops brute force attacks by locking out aggressive IP addresses that make many attempts to log into your system. Without it, an aggressive IP could attack you with one bad password after another, as fast as it could, until it found one that worked (like happened to Alibabab today.) Fail2ban makes brute forces nearly impossible because it would make millions of attempts take a lifetime, rather than a day.

    Sounds like it would also mitigate denial of service attacks as well or just logins?



  • @wirestyle22 said:

    @scottalanmiller said:

    Fail2Ban stops brute force attacks by locking out aggressive IP addresses that make many attempts to log into your system. Without it, an aggressive IP could attack you with one bad password after another, as fast as it could, until it found one that worked (like happened to Alibabab today.) Fail2ban makes brute forces nearly impossible because it would make millions of attempts take a lifetime, rather than a day.

    Sounds like it would also mitigate denial of service attacks as well or just logins?

    It actually enables DoS attacks, to some degree.



  • @scottalanmiller said:

    @wirestyle22 said:

    @scottalanmiller said:

    Fail2Ban stops brute force attacks by locking out aggressive IP addresses that make many attempts to log into your system. Without it, an aggressive IP could attack you with one bad password after another, as fast as it could, until it found one that worked (like happened to Alibabab today.) Fail2ban makes brute forces nearly impossible because it would make millions of attempts take a lifetime, rather than a day.

    Sounds like it would also mitigate denial of service attacks as well or just logins?

    It actually enables DoS attacks, to some degree.

    Can you explain in more detail? Is this because it creates overhead?



  • @wirestyle22 said:

    @scottalanmiller said:

    @wirestyle22 said:

    @scottalanmiller said:

    Fail2Ban stops brute force attacks by locking out aggressive IP addresses that make many attempts to log into your system. Without it, an aggressive IP could attack you with one bad password after another, as fast as it could, until it found one that worked (like happened to Alibabab today.) Fail2ban makes brute forces nearly impossible because it would make millions of attempts take a lifetime, rather than a day.

    Sounds like it would also mitigate denial of service attacks as well or just logins?

    It actually enables DoS attacks, to some degree.

    Can you explain in more detail? Is this because it creates overhead?

    Creates overhead and causes a system to deny access from an IP address. What to block a system from being able to server requests... just hit it from lots of IP addresses and get it to start blocking them. Instant denial of service.



  • @wirestyle22 said:

    @scottalanmiller said:

    Fail2Ban stops brute force attacks by locking out aggressive IP addresses that make many attempts to log into your system. Without it, an aggressive IP could attack you with one bad password after another, as fast as it could, until it found one that worked (like happened to Alibabab today.) Fail2ban makes brute forces nearly impossible because it would make millions of attempts take a lifetime, rather than a day.

    Sounds like it would also mitigate denial of service attacks as well or just logins?

    For DoS attacks it can help, but for most of those it's only going to be a speed bump before figuring out another way to bombard you with traffic.



  • @travisdh1 said:

    fail2ban - Watches for failed login attempts, if the same account tries to login to many times the account gets locked out of the system for a set period of time. On CentOS 6 the default is 5 failed attempts over 5 minutes gets locked out for 30 minutes. Makes brute forcing any decent password even harder. Once fail2ban is installed and configured for each service to monitor it's good to go.

    This is not correct. fail2ban does not lock out anything. By using the term lock out, you are implying it has some access to user account information, which it does not.

    What it does is add rules to the firewall to cause connections from the source IP to be dropped.



  • @scottalanmiller said:

    @wirestyle22 said:

    @scottalanmiller said:

    @wirestyle22 said:

    @scottalanmiller said:

    Fail2Ban stops brute force attacks by locking out aggressive IP addresses that make many attempts to log into your system. Without it, an aggressive IP could attack you with one bad password after another, as fast as it could, until it found one that worked (like happened to Alibabab today.) Fail2ban makes brute forces nearly impossible because it would make millions of attempts take a lifetime, rather than a day.

    Sounds like it would also mitigate denial of service attacks as well or just logins?

    It actually enables DoS attacks, to some degree.

    Can you explain in more detail? Is this because it creates overhead?

    Creates overhead and causes a system to deny access from an IP address. What to block a system from being able to server requests... just hit it from lots of IP addresses and get it to start blocking them. Instant denial of service.

    Ah, that makes sense. Thanks.



  • @JaredBusch said:

    @travisdh1 said:

    fail2ban - Watches for failed login attempts, if the same account tries to login to many times the account gets locked out of the system for a set period of time. On CentOS 6 the default is 5 failed attempts over 5 minutes gets locked out for 30 minutes. Makes brute forcing any decent password even harder. Once fail2ban is installed and configured for each service to monitor it's good to go.

    This is not correct. fail2ban does not lock out anything. By using the term lock out, you are implying it has some access to user account information, which it does not.

    What it does is add rules to the firewall to cause connections form the source IP to be dropped.

    Ah yes, quite right.



  • When you can, within reason, you want to have SELinux or AppArmor turned on. They are there for a reason, they provide rather a significant amount of additional protection.



  • SELinux writes logs to the /var/log/audit/audit.log file, if auditd isn't running then its the /var/log/messages. If you check the logs, it pretty much tells you what you need to do to allow your service.



  • Do you guys have any great resources for CentOS? If not, do you have any book recommendations? I need a lot of reading material.



  • @wirestyle22 said:

    Do you guys have any great resources for CentOS? If not, do you have any book recommendations? I need a lot of reading material.

    Have you been following SAM's new Linux guide? That's CentOS.

    http://mangolassi.it/topic/7825/sam-learning-linux-system-administration



  • @Reid-Cooper said:

    @wirestyle22 said:

    Do you guys have any great resources for CentOS? If not, do you have any book recommendations? I need a lot of reading material.

    Have you been following SAM's new Linux guide? That's CentOS.

    http://mangolassi.it/topic/7825/sam-learning-linux-system-administration

    I hear that it comes highly recommended.



  • @scottalanmiller said:

    @Reid-Cooper said:

    @wirestyle22 said:

    Do you guys have any great resources for CentOS? If not, do you have any book recommendations? I need a lot of reading material.

    Have you been following SAM's new Linux guide? That's CentOS.

    http://mangolassi.it/topic/7825/sam-learning-linux-system-administration

    I hear that it comes highly recommended.

    There may be a bit of bias there.



  • @scottalanmiller said:

    @Reid-Cooper said:

    @wirestyle22 said:

    Do you guys have any great resources for CentOS? If not, do you have any book recommendations? I need a lot of reading material.

    Have you been following SAM's new Linux guide? That's CentOS.

    http://mangolassi.it/topic/7825/sam-learning-linux-system-administration

    I hear that it comes highly recommended.

    I will certainly check it out. I'm building my Linux Test Environment Server. I'm going to use it for a myriad of things.



  • I am trying hard to keep several new articles coming each week.



  • @scottalanmiller said:

    I am trying hard to keep several new articles coming each week.

    I appreciate that greatly. I'll be updating my progress and I'm sure I'll be asking a lot of questions to break everything down and provide hypotheticals.



  • If you're running Fedora, there is an SELinux Troubleshooter tool that comes in really handy. I just moved my KVM images to a different folder. I had to change the context of the folder to allow KVM to read the images. As soon as the error happened, I got a notification from the troubleshooter. Highlighted is the commands you need to allow the action.

    0_1455063744342_selinux.png



  • What about users?
    At the moment I don't create a new user I just use root with a strong password.

    Can I "link" Linux with out AD and user our usernames and passwords that way (but limit how i.e. just the IT Dept?)? Or should I create new local users on the Linux machines?



  • @hobbit666 said:

    What about users?
    At the moment I don't create a new user I just use root with a strong password.

    Can I "link" Linux with out AD and user our usernames and passwords that way (but limit how i.e. just the IT Dept?)? Or should I create new local users on the Linux machines?

    Really depends on how you plan to use the system.



  • @scottalanmiller said:

    @hobbit666 said:

    What about users?
    At the moment I don't create a new user I just use root with a strong password.

    Can I "link" Linux with out AD and user our usernames and passwords that way (but limit how i.e. just the IT Dept?)? Or should I create new local users on the Linux machines?

    Really depends on how you plan to use the system.

    At the moment its one VM for FOG and another VM for SnipeIT



  • @hobbit666 said:

    What about users?
    At the moment I don't create a new user I just use root with a strong password.

    Can I "link" Linux with out AD and user our usernames and passwords that way (but limit how i.e. just the IT Dept?)? Or should I create new local users on the Linux machines?

    If you're only going to have a few Linux boxes its probably easier to just script the user/key creation.


Log in to reply