14 February 2010

A fresh start, a minimal base for your server

Right, so let's get to it and build an EL5 server.

For my purposes on the articles I post here, I'm going to use the (*)EL-5 distribution. RHEL (Red Hat), OEL (Oracle), or CentOS Linux are all pretty much identical. I usually use CentOS for fooling around with, but these instructions should work with any of the three.

Installing a server should not just happen, it should be planned. I've heard the argument that you should install everything possible from the install disk "because you never know...". This is an emotional statement with rarely much thought behind it. It is hoarding behavior. Besides, you really should know; it's part of the job.

My basic philosophy in creating an install base is "install everything required, nothing more". With the inclusion of the yum utility in recent releases, there's really no excuse not to adopt this philosophy, since installing a dependent rpm is a single command away.

I'm going to focus on a kickstart profile for loading our server. Unless you work alone, chances are your company will have several servers, not just one, and for that kickstart really is best: you guarantee that every server you load is identical. I may write an article later on performing this same installation manually from a disk if there's enough interest.

There's plenty of good and easy instruction on the net on how to configure a kickstart server, so here I will assume you know how to build one. The ks file below will work with any machine on your local network booted from the netinstall CD. Drop it on a local http server, configure dhcp to hand your load machine an address, and that should be it. What this gives you is a ready made, bare bones EL 5.4 server with the OS itself tightened up. This is no frills, no extras. One caveat before you call it secure: as written, the profile leaves the host firewall and SELinux off (firewall --disabled, selinux --disabled, and iptables is chkconfig'd off in %post), so plan on turning those back on for anything that faces a real network. You should be able to base all of your servers on this configuration and add what you need to it.

Here's a list of what's provided:

  1. Only 335 rpms in this installation
  2. Only 20 services started at boot time
  3. Only root, swap, var and boot partitions. Less wasted space, less to manage
  4. LVM used for easy resizing
  5. IP version 4 only, IPv6 disabled
  6. Password policy set.
    • 8 character minimum
    • 1 uppercase
    • 1 lowercase
    • 1 digit
    • 1 other
    • 6 password retention
    • 3 character difference between passwords
    • 90 day max change interval
    • 2 day min change interval
  7. Default umask in /etc/login.defs set to 022 (note: EL5 ships this as 077, so 022 actually relaxes it and new home directories come out world-readable; keep 077 if you want them private)
  8. Kernel swappiness turned down to 10
  9. Many kernel security parameters set
  10. Sendmail run from cron to flush the mail queue, not in daemon mode, so nothing listens on port 25.
  11. Authorized keys only read from protected directory in /etc, writable only by root. Non-root users cannot implement their own key login.
  12. Secure shell tightened up considerably, including timeouts
  13. Default banner that will display prior to login
  14. Shell timeouts

#Initial base Centos 5.4
#platform=x86

#System language
lang en_US

#Language modules to install
langsupport en_US

#System keyboard
keyboard us

#System timezone
timezone America/New_York

#Root password
# The easiest way to get an encrypted password is to copy one out of 
# an existing password file, or generate one with: openssl passwd -1
rootpw --iscrypted <replace with encrypted password>

#Reboot after installation
reboot

#Use text mode install
text

#Install OS instead of upgrade
install

#Use Web installation
url --url http://mirrors.gigenet.com/centos/5.4/os/i386/

#System bootloader configuration
bootloader --location=mbr --append="rhgb quiet"

#Clear the Master Boot Record
zerombr yes

#Partition clearing information
clearpart --all --initlabel 

#Disk partitioning
# hda is the first IDE disk; on SATA/SCSI hardware the disk will be sda instead
part /boot --fstype ext3 --size=100 --ondisk=hda
part pv.2  --size=0 --grow --ondisk=hda
volgroup VolGroup00 --pesize=32768 pv.2
logvol /var --fstype ext3 --name=VarVol  --vgname=VolGroup00 --size=2048
logvol swap --fstype swap --name=SwapVol --vgname=VolGroup00 --size=1024
logvol /    --fstype ext3 --name=RootVol --vgname=VolGroup00 --size=4800

#System authorization infomation
auth  --useshadow  --enablemd5 

#Network information
network --bootproto=dhcp --device=eth0

#Firewall configuration
# Disabled in this profile (iptables is also chkconfig'd off in %post).
# For a production box use: firewall --enabled --ssh
firewall --disabled 

# SELinux configuration
# Disabled in this profile. For a production box use: selinux --enforcing
# (or --permissive while you shake out denials)
selinux --disabled

#Do not configure the X Window System
skipx

%post
# the chvt entry below will echo out all of the post 
# section to your screen so you can watch what's going on
chvt 3
(
# Remove boot splash
# Note on sed: "sed -ie" is parsed as -i with backup suffix "e" and leaves
# stray files like grub.confe behind; use "sed -i -e" (or plain -i) throughout.
sed -i -e 's/splashimage=(hd0,0)\/grub\/splash\.xpm\.gz/#splashimage=(hd0,0)\/grub\/splash\.xpm\.gz/g' /boot/grub/grub.conf

# Change kernel parameters
echo "modifying /etc/sysctl.conf"
cat >> /etc/sysctl.conf << EOF

# Change swap parameters, default is too high
vm.swappiness=10

# Tighten security a bit more than default
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
EOF

# Configure cron to empty mail queue
# This is much more secure than running sendmail in daemon mode
echo "configuring cron mail queue purging"
echo "" >> /etc/crontab
echo "# empty mail queue" >> /etc/crontab
echo "00,15,30,45 * * * * root /usr/lib/sendmail -q > /dev/null 2>&1" >> /etc/crontab

# Configure key file for automated ssh auth
# Public keys can be world-readable; what matters is that only root can write
# the directory and the file, so non-root users cannot add their own keys.
echo "configure publickey file"
mkdir -p /etc/publickeys
touch /etc/publickeys/authorized_keys
chmod 755 /etc/publickeys
chmod 644 /etc/publickeys/authorized_keys

# Tighten up secure shell
# These patterns match the commented defaults shipped in the EL5 sshd_config;
# if a line is already active the sed is a silent no-op, so verify afterwards.
echo "installing increased ssh security"
sed -i -e 's/^#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
sed -i -e 's/^#RSAAuthentication yes/RSAAuthentication yes/' /etc/ssh/sshd_config
sed -i -e 's/^#PubkeyAuthentication yes/PubkeyAuthentication yes/' /etc/ssh/sshd_config
# the shipped line has a tab after the keyword, so match any whitespace
sed -i -e 's/^#AuthorizedKeysFile[[:space:]]*\.ssh\/authorized_keys/AuthorizedKeysFile \/etc\/publickeys\/authorized_keys/' /etc/ssh/sshd_config
sed -i -e 's/^#AllowTcpForwarding yes/AllowTcpForwarding no/' /etc/ssh/sshd_config
sed -i -e 's/^#PrintMotd yes/PrintMotd no/' /etc/ssh/sshd_config
sed -i -e 's/^#PrintLastLog yes/PrintLastLog no/' /etc/ssh/sshd_config
sed -i -e 's/^#TCPKeepAlive yes/TCPKeepAlive no/' /etc/ssh/sshd_config
# 300s x 3 unanswered probes: dead client connections are dropped after
# 15 minutes (idle-but-live shells are handled by TMOUT below)
sed -i -e 's/^#ClientAliveInterval 0/ClientAliveInterval 300/' /etc/ssh/sshd_config
sed -i -e 's/^#ClientAliveCountMax 3/ClientAliveCountMax 3/' /etc/ssh/sshd_config
sed -i -e 's/^#UseDNS yes/UseDNS no/' /etc/ssh/sshd_config
sed -i -e 's/^#Banner \/some\/path/Banner \/etc\/issue/' /etc/ssh/sshd_config

# Install issue
echo "installing /etc/issue"
cat >/etc/issue <<'EOF'
###########################################################

This is a proprietary system requiring authorized access.
Any unauthorized access and/or use of this system are not
permitted. Any authorized use is subject to compliance with
applicable law and internal policies as may be amended from
time to time. Accordingly this system may be monitored and
the results recorded and reviewed. By using or accessing
this system you expressly acknowledge that you are an
authorized user and are not entitled to any privacy rights
with respect to your use of this system.

###########################################################
EOF
cat /dev/null > /etc/motd

# Set shell timeout (readonly, otherwise any user can just unset TMOUT)
echo "setting shell TMOUT"
echo "" >> /etc/profile
echo "export TMOUT=900" >> /etc/profile
echo "readonly TMOUT" >> /etc/profile

# Set default umask in /etc/login.defs
# Note: EL5 ships UMASK 077 here (useradd uses it for new home directories),
# so 022 is a relaxation that makes new home directories world-readable.
# Leave this sed out if you would rather keep 077.
echo "setting initial umask in /etc/login.defs"
sed -i -e 's/^UMASK           077/UMASK           022/' /etc/login.defs

# Configure password constraints
# Note: /etc/pam.d/system-auth-ac is generated by authconfig; running
# authconfig again on the host will overwrite the pam edits below.
echo "Configuring password policy"
sed -i -e 's/^PASS_MAX_DAYS   99999/PASS_MAX_DAYS   90/' /etc/login.defs
sed -i -e 's/^PASS_MIN_DAYS   0/PASS_MIN_DAYS   2/' /etc/login.defs
sed -i -e 's/^PASS_MIN_LEN    5/PASS_MIN_LEN    8/' /etc/login.defs
# Lock an account 14 days after its password expires. This is INACTIVE (a day
# count); EXPIRE in /etc/default/useradd is an absolute date (YYYY-MM-DD), so
# the original EXPIRE=14 was not a valid setting.
sed -i -e 's/^INACTIVE=-1/INACTIVE=14/' /etc/default/useradd
sed -i -e 's/password    requisite     pam_cracklib.so try_first_pass retry=3/password    requisite     pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 difok=3/' /etc/pam.d/system-auth-ac
sed -i -e 's/pam_unix.so md5 shadow nullok try_first_pass use_authtok/pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=6/' /etc/pam.d/system-auth-ac

# Remove ipv6 support. Omit this step if you use ipv6
echo "Disabling ipv6 support"
sed -i -e 's/NETWORKING_IPV6=yes/NETWORKING_IPV6=no/' /etc/sysconfig/network
sed -i -e '/localhost6/d' /etc/hosts

#############################
# Disable unneeded services
#############################
echo "disabling unneeded services"
chkconfig autofs off
chkconfig avahi-daemon off
chkconfig cups off
chkconfig haldaemon off
chkconfig iptables off
chkconfig ip6tables off
chkconfig kudzu off
chkconfig mcstrans off
chkconfig netfs off
chkconfig nfslock off
chkconfig pcscd off
chkconfig portmap off
chkconfig restorecond off
chkconfig rpcgssd off
chkconfig rpcidmapd off
chkconfig sendmail off
# I always like to log everything in the post section
) 2>&1 | /usr/bin/tee /root/post_install.log

%packages
@base
# I can't see a real basic need for anything below
# Of course, if you have an identified need, load it
-bluez-gnome
-bluez-libs
-bluez-utils
-dhcpv6-client
-finger
-firstboot-tui
-gpm
-irda-utils
-NetworkManager
-rdate
-rdist
-wpa_supplicant
-xorg-x11-filesystem
-ypbind
-yp-tools
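
The kickstart profile ends with the %packages section above. One thing worth fixing in the %post section is how sshd_config gets edited: a sed of the form 's/#Key old/Key new/' silently does nothing when the shipped line differs by whitespace (EL5 ships the AuthorizedKeysFile line with a tab after the keyword), when the directive is already active, or when it is absent entirely, and "sed -ie" leaves sshd_confige behind because the "e" is taken as a backup suffix. The script below is an added example of my own, not part of the original profile: a set_directive helper that replaces any commented or active occurrence of a keyword (or appends one), an effective_value helper that reports what sshd will actually use (sshd honours the first active occurrence of a keyword), and a constructed stand-in for the stock sshd_config lines so it runs offline. The sample file contents, the SSHD_DEMO variable and the function names are all mine.

```shell
#!/bin/bash
# Added example (not from the original kickstart): idempotent sshd_config edits.
# Drop set_directive into %post in place of the sed one-liners.

set_directive() {
    # usage: set_directive FILE KEY VALUE
    # Replaces every "KEY ..." or "#KEY ..." line with "KEY VALUE", or appends
    # the line if KEY is not present at all. Same result on every run.
    local file=$1 key=$2 value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}[[:space:]]" "$file"; then
        sed -i -e "s|^[[:space:]]*#\{0,1\}[[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

effective_value() {
    # usage: effective_value FILE KEY
    # sshd uses the FIRST active (uncommented) occurrence of a keyword, so that
    # is what we report. Commented lines have "#..." as field 1 and never match.
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

count_active() {
    # usage: count_active FILE KEY  -> number of active lines setting KEY
    grep -c "^$2[[:space:]]" "$1"
}

make_sample_config() {
    # Constructed stand-in for the stock EL5 sshd_config lines the kickstart
    # touches, with tabs where the shipped file has them. Not the real file.
    {
        printf '#PermitRootLogin yes\n'
        printf '#PubkeyAuthentication yes\n'
        printf '#AuthorizedKeysFile\t.ssh/authorized_keys\n'
        printf '#TCPKeepAlive yes\n'
        printf '#ClientAliveInterval 0\n'
        printf '#ClientAliveCountMax 3\n'
        printf '#UseDNS yes\n'
        printf 'Subsystem\tsftp\t/usr/libexec/openssh/sftp-server\n'
    } > "$1"
}

harden_sshd() {
    # The same settings the kickstart %post applies, via set_directive.
    local f=$1
    set_directive "$f" PermitRootLogin no
    set_directive "$f" PubkeyAuthentication yes
    set_directive "$f" AuthorizedKeysFile /etc/publickeys/authorized_keys
    set_directive "$f" AllowTcpForwarding no
    set_directive "$f" TCPKeepAlive no
    set_directive "$f" ClientAliveInterval 300
    set_directive "$f" ClientAliveCountMax 3
    set_directive "$f" UseDNS no
    set_directive "$f" Banner /etc/issue
}

# Stand-alone demo: SSHD_DEMO=1 bash thisfile.sh  (SSHD_DEMO is my own knob)
if [ -n "${SSHD_DEMO:-}" ]; then
    tmp=$(mktemp)
    make_sample_config "$tmp"
    harden_sshd "$tmp"
    harden_sshd "$tmp"        # second pass changes nothing
    cat "$tmp"
    rm -f "$tmp"
fi
```

On the real box, point harden_sshd at /etc/ssh/sshd_config and then check the result with effective_value rather than trusting that the sed matched; once the host keys exist (the init script generates them on first boot) `sshd -t` will also tell you whether the file still parses.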


Next week I'll cover some other kickstart tricks, such as loading netbackup client from kickstart.

Please try it out and leave some feedback.  I'm anxious to hear what you have to say!

Some handy references:
http://www.puschitz.com/SecuringLinux.shtml
http://www.redhat.com/docs/manuals/enterprise/
http://wiki.centos.org/

1 comment:

  1. John, you are absolutely correct about the swappiness default being too high (default is 60 on REL). Setting vm.swappiness=10 is a much more reasonable value for most servers. In fact, a database server (such as DB2, Oracle, MySQL, etc) should have swappiness set to 0, since the database should never be swapped out of memory in favor of file system caching (assuming that the DBA is competent enough to make sure that configured memory for the database will never exceed the real memory on the server). Many Linux admins do not realize that because modern databases have their own internal caching memory for tables and indexes (which is highly tunable by the DBA for different tables and indexes, and not just one big memory pool), the databases are usually configured to bypass file system caching by specifying direct I/O on tablespaces. If swappiness is set above 0, Linux may think file system caching is more important than the database code or database shared memory and swap the database out of memory, which can be a recipe for a very poor performing database, and in some cases a database hang or crash.

    Here are some other kernel parms recommended for database servers:
    vm.swappiness=0
    vm.dirty_ratio=10
    vm.dirty_background_ratio=5
