
CentOS 7.6: Initial settings to be done after OS installation

In this page, you will configure a number of settings: remote connection from Windows over SSH, anti-virus, encryption of traffic with an SSL certificate, and database installation.

I'll try to explain them as sequentially as possible. There is a lot of information on the net, but I have tried to make it easy to understand.

This time, we will install from source without using yum.

1. Disable SELinux

First, disable SELinux. SELinux is a Linux feature that improves auditing and security, but when it is enabled it heavily restricts what services and settings are allowed to do. For this reason, SELinux is disabled in most cases.

If you build a server by following a website and it does not work as expected, the cause is often that SELinux is still enabled, so do not forget to disable it after installation.
You can disable it as follows (in this page, the general user name is "jimy" and the host name is "Lepard").
After logging in as a general user, switch to the root user in the usual way and proceed.

Done this way, SELinux will be enabled again when the server is restarted, so to disable it permanently, edit the /etc/sysconfig/selinux file.

Change "SELINUX=enforcing" to "SELINUX=disabled" in the red box.

After change

2. Remote connection using SSH

SSH is the service used to connect to the server remotely. It is running right after the OS installation, but its default settings are somewhat insecure.
In this section, we change those default settings to make the SSH connection more secure.

2.1 Change the configuration file of the SSH service

Modify the configuration file to change the settings of the SSH service.
The configuration file for the SSH service is "/etc/ssh/sshd_config". Open the configuration file with vi editor. (There is a lot of information on the net about how to use the vi editor, so please check it out)

When you open it with the vi editor, you will see a screen like the following.

① Find "Port 22" and change it to a port number that is not a well-known port, in this case "Port 3333" (simply changing the port number reduces unauthorized access attempts).
② Find the commented-out line "#ListenAddress 0.0.0.0" and uncomment it by deleting the leading "#".
③ Find "#PermitRootLogin yes" and change it to "PermitRootLogin no".
Because the root user name is already known, anyone who obtains the root password could log in to the server with administrative privileges, so we configure sshd to refuse root login.
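As an added check (example code, not from the original post), the following shell functions audit an sshd_config for the three settings changed above. The file path /etc/ssh/sshd_config and port 3333 are the page's values; the function names are mine.

```shell
#!/bin/sh
# Added example (not part of the original post): audit an sshd_config for the
# three changes made in 2.1. sshd uses the first uncommented value it reads for
# a keyword, so a hardened line appended after a default-looking one is ignored;
# Port and ListenAddress may legitimately appear more than once.

# Print every uncommented value of keyword $2 in config file $1, in file order,
# ignoring "#" and blank lines and stopping at the first Match block.
sshd_values() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2 }
    ' "$1"
}

# Return 0 if file $1 matches the hardening above, 1 otherwise, printing one
# line per failed check. $2 is the port chosen instead of 22 (default 3333).
audit_sshd_config() {
    cfg="$1"; want_port="${2:-3333}"; rc=0
    ports=$(sshd_values "$cfg" Port)
    [ -n "$ports" ] || ports=22                      # sshd default when unset
    if echo "$ports" | grep -qx 22; then
        echo "FAIL: sshd still listens on port 22"; rc=1
    fi
    if ! echo "$ports" | grep -qx "$want_port"; then
        echo "FAIL: Port $want_port is not configured"; rc=1
    fi
    if [ -z "$(sshd_values "$cfg" ListenAddress)" ]; then
        echo "FAIL: ListenAddress is not set explicitly"; rc=1
    fi
    prl=$(sshd_values "$cfg" PermitRootLogin | head -n 1 | tr 'A-Z' 'a-z')
    if [ "$prl" != "no" ]; then
        echo "FAIL: PermitRootLogin is '${prl:-unset}', expected 'no'"; rc=1
    fi
    return $rc
}

# On a real host (as root): audit_sshd_config /etc/ssh/sshd_config 3333 && echo OK
```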

Restarting SSH

2.2 Temporarily disable the firewall

Disable firewalld for now; a firewall will be set up again later with iptables.
After disabling it, log out and log back in.

2.3 Setting up in Windows

Let's start the setup for remote connection from Windows. The terminal emulator is "Tera Term".
Start Tera Term, cancel the startup screen, and select "TCP/IP" from "Setup" in the Tera Term menu.
In the "TCP port number" field, enter the port number which is set in the "Change SSH service configuration file" above. Finally, click "OK".

When you select "New connection" from "File" in the Tera Term menu again, the above screen appears.

Click "Continue" on the screen above, and you will see the following screen

If the information is correct, you should be able to log in normally as shown below.

3. Disable unnecessary services

Disable (stop auto-starting) services that are obviously not used in the operation of the server. The purpose of this is to prevent unnecessary port opening and waste of server resources.
To disable a service, run the systemctl command with the disable option.
From here on, the command input screens shown will be simplified.

4. Deploying a firewall with iptables

CentOS has been using firewalld as its firewall since version 7. In this page, we will use iptables, which we are familiar with.
I created the .sh file by referring to iptables samples and how-tos found on the net.
Server's local IP address: 192.168.11.***
SSH port: 3333
iptables.sh sample

#!/bin/sh

# Clear settings
/sbin/iptables -F

# Policy settings
/sbin/iptables -t filter -P INPUT DROP
/sbin/iptables -t filter -P FORWARD DROP
/sbin/iptables -t filter -P OUTPUT ACCEPT

# Replies to connections this server opened itself. The sample this was based
# on accepted any packet whose *source* port was 80, 443, 25, 110, 53, 20 or 21,
# which lets a remote host reach every local port just by sending from such a
# port; a stateful rule accepts only genuine return traffic.
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# PING (ICMP)
/sbin/iptables -A INPUT -p icmp -j ACCEPT

# localhost
/sbin/iptables -A INPUT -i lo -j ACCEPT

# my network
/sbin/iptables -A INPUT -s 192.168.11.0/24 -d 0/0 -p tcp -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.11.0/24 -d 0/0 -p udp -j ACCEPT

# httpd
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# ssh remote connection
/sbin/iptables -A INPUT -s 0/0 -p tcp --dport 3333 -j ACCEPT

# SMTP (log, then accept)
/sbin/iptables -A INPUT -p tcp --dport 25 -j LOG
/sbin/iptables -A INPUT -p tcp --dport 25 -j ACCEPT

# pop3
/sbin/iptables -A INPUT -p tcp --dport 110 -j ACCEPT

# named
/sbin/iptables -A INPUT -p tcp --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 53 -j ACCEPT

# ftp
/sbin/iptables -A INPUT -p tcp --dport 20 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 21 -j ACCEPT

# ntpd
/sbin/iptables -A INPUT -p udp --dport 123 -j ACCEPT

# restart (SysV paths kept from the sample; they do not exist on CentOS 7,
# where the rules are applied by running this script from rc.local instead)
#/etc/rc.d/init.d/iptables save
#/etc/rc.d/init.d/iptables restart

Create a file with the above contents in a text editor and save it with the extension ".sh".

For example, "myiptable.sh".
Save "myiptable.sh" in /etc/rc.d/, give it execute permission, and run it to apply the rules.

Open the "rc.local" file in the same /etc/rc.d/ directory with the vi editor and add a line that runs "myiptable.sh", so that the iptables rules are applied automatically when the server starts.

Restart the server once here.

5. Anti-virus settings

Use Clam AntiVirus, a free anti-virus software for Linux.

5.1 Clam AntiVirus download and installation

Installing Linux packages by hand is laborious: the packages depend on each other in strictly specified ways, and if any required file is missing, the installation fails.
The necessary files are also hard to find on the Internet, so be patient. The following is the list of files required to satisfy the dependencies.

Required files
clamav-0.100.2-2.el7.x86_64.rpm
clamav-data-0.100.2-2.el7.noarch.rpm
clamav-filesystem-0.100.2-2.el7.noarch.rpm
clamav-lib-0.100.2-2.el7.x86_64.rpm
clamav-scanner-systemd-0.100.2-2.el7.x86_64.rpm
clamav-server-systemd-0.100.2-2.el7.x86_64.rpm
clamav-update-0.100.2-2.el7.x86_64.rpm
clamd-0.100.2-2.el7.x86_64.rpm
pcre2-10.23-2.el7.x86_64.rpm

Install the rpm files

Edit the /etc/freshclam.conf file.

Edit the /etc/clamd.d/scan.conf file.

Update definition files

Start Clam AntiVirus

Run regular virus scans (using crontab)

※ cron is the facility that runs commands and programs at regular intervals.

6. Install Tripwire

Tripwire is a software for detecting file modification and tampering.

A commercial product by Tripwire, Inc. is also available, but here we will implement the OSS version available on GitHub. https://github.com/Tripwire/tripwire-open-source

Tripwire cannot detect tampering in real time, but it can detect and report file changes and tampering by running checks on a regular basis.

6.1 Download and install Tripwire

The rpm source files are a little outdated and have disappeared, but I think you can do the same with newer versions.
Download

Install

6.2 Generating Site Keys and Local Keys

Generate site key and local key for cryptographic signing.

After executing the above command, you will be prompted for a site passphrase and a local passphrase; set them separately.

6.3 Configure and generate the cfg file

Edit the text file from which the settings are derived.

Generate a cryptographically signed configuration file.

6.4 Configuring and generating policy files

The policy file defines the policy of which files and directories will be monitored by Tripwire and under what rules.
You can find more information about how to write the policy at About Tripwire|Tripwire Japan K.K.

Edit the text file that will be the source of the policy settings.

Generate a cryptographically signed policy configuration file.

6.5 Initialize the database

Create a baseline database by recording the current state of the file system.
Initialize the database

6.6 Run tampering checks on a regular basis.

How to check

Confirmation of check results

The path of the report file is the path set by REPORTFILE in the cfg configuration file.

Updating the database
Once tampering has been detected, it will keep being reported until either the file system is restored or the Tripwire database is updated. If the current state of the file system is correct, update the baseline database to reflect it.

6.7 Update the tampering detection policy

Edit the text file that will be the source of the policy settings.

Regenerate the policy configuration file and update the baseline.

7. Install chkrootkit

Install chkrootkit, a rootkit detection tool, to check whether a rootkit has been installed on the Linux server.
chkrootkit performs its checks using the commands listed below, so once those commands themselves have been tampered with to hide a rootkit, it becomes useless; install it early, right after the Linux installation.

【Commands used by chkrootkit】
awk, cut, echo, egrep, find, head, id, ls, netstat, ps, strings, sed, uname
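Added example, not from the original post: because chkrootkit trusts the commands listed above, record their SHA-256 hashes right after installation and verify them before each run, so that a tampered awk, ls, netstat or ps is noticed instead of silently hiding a rootkit. The function names and the baseline file path in the usage comment are my assumptions; the page describes no such procedure.

```shell
#!/bin/sh
# Added example (not part of the original post): chkrootkit trusts the
# commands listed above, so record their SHA-256 hashes right after the OS
# installation and verify them before every run. A changed hash means the
# chkrootkit result can no longer be trusted. Function names and the baseline
# path in the usage comment are assumptions, not something the page defines.

CHKROOTKIT_DEPS="awk cut echo egrep find head id ls netstat ps strings sed uname"

# Write "<sha256>  <path>" lines for each command in $2 (default: the list
# above) to baseline file $1. Names are resolved with "command -v"; shell
# builtins (e.g. echo in most shells) and missing commands are reported only.
baseline_deps() {
    : > "$1"
    for c in ${2:-$CHKROOTKIT_DEPS}; do
        p=$(command -v "$c" 2>/dev/null) || { echo "WARN: $c not found" >&2; continue; }
        case "$p" in
            /*) sha256sum "$p" >> "$1" ;;
            *)  echo "WARN: $c resolves to builtin '$p', not hashed" >&2 ;;
        esac
    done
}

# Return 0 if every file in baseline $1 still matches its recorded hash,
# 1 otherwise; sha256sum names each FAILED or missing file.
verify_deps() {
    if out=$(sha256sum --quiet -c "$1" 2>&1); then
        return 0
    fi
    echo "$out"
    echo "a dependency of chkrootkit changed; its output is not trustworthy" >&2
    return 1
}

# Usage on a real host (as root): once after installation, then at the top of
# chkrootkit.sh before chkrootkit itself is run:
#   baseline_deps /root/chkrootkit-deps.sha256
#   verify_deps /root/chkrootkit-deps.sha256 || exit 2
```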

7.1 Download chkrootkit

7.2 Check chkrootkit

7.3 chkrootkit regular auto-run setting

Create chkrootkit.sh in a text editor with the following contents:

#!/bin/bash

PATH=/usr/bin:/bin:/root/bin
# Use a private temporary file rather than a predictable name under /tmp
# (this script runs as root, so a predictable name invites symlink attacks)
LOG=$(mktemp /tmp/chkrootkit.XXXXXX) || exit 1
trap 'rm -f "$LOG"' EXIT
TAG=$(basename "$0")

# Run chkrootkit
chkrootkit > "$LOG" 2>&1

# Send the whole result to syslog
logger -t "$TAG" < "$LOG"

# Suppress the bindshell false positive caused by SMTPS (port 465) when the
# listener on 465 is not actually a bindshell
if [ -n "$(grep 465 "$LOG")" ] && \
   [ -z "$(/usr/sbin/lsof -i:465 | grep bindshell)" ]; then
    sed -i '/465/d' "$LOG"
fi

# Suppress the Suckit false positive that appears after the package owning
# /sbin/init is updated, as long as rpm verifies that package as unmodified
# (the inner command substitution around "rpm -qf /sbin/init" was missing)
if [ -n "$(grep Suckit "$LOG")" ] && \
   [ -z "$(rpm -V "$(rpm -qf /sbin/init)")" ]; then
    sed -i '/Suckit/d' "$LOG"
fi

# Mail root only when something is reported as INFECTED
if [ -n "$(grep INFECTED "$LOG")" ]; then
    grep INFECTED "$LOG" | mail -s "chkrootkit report in $(hostname)" root
fi

7.4 Save chkrootkit.sh, change permissions, and add to cron

Save chkrootkit.sh as /var/www/system/chkrootkit.sh.
Change permissions

Add to cron

About cron
0 5 * * * /var/www/system/chkrootkit.sh
(Use half-width alphanumeric characters. Note that a crontab line beginning with "#" is a comment and is not executed.)
The five fields before the command specify when to run it: from left to right, "minute", "hour", "day of month", "month", and "day of week"; "*" means every value.
In the example above, "0 5 * * *" runs the script at 5:00 every day.

This is the end of "CentOS 7.6 Server Installation: Initial Settings to be Performed after OS Installation".
