For my purposes on the articles I post here, I'm going to use the (*)EL-5 distribution. RHEL (redhat), OEL (oracle), or CentOS Linux are all pretty much identical. I usually use CentOS for fooling around with, but these instructions should work with any of the three.
Installing a server should not just happen; it should be planned. I've heard the arguments that you should install everything possible from the install disk "because you never know...". This is an emotional statement and there's rarely much thought put toward making it. This is hoarding-type behavior. Besides, you really should know; it's part of the job.
My basic philosophy in creating an install base is "install everything required, nothing more". With the inclusion of the yum utility in recent releases, there's really no excuse not to adopt this philosophy, since installing dependent rpms is a single command away.
I'm going to focus on a kickstart profile for loading our server. Unless you work alone, on your own, chances are your company will have several servers, not just one. For this, kickstart really is best. You guarantee all of the servers you load will be identical. I may write an article later on performing this same installation manually from a disk if there's enough interest.
There's plenty of good and easy instruction on how to configure a kickstart server on the net, so here I will assume you know how to build one. The ks file below will work with any machine on your local network booted from a netinstall CD. Drop it onto a local HTTP server, configure DHCP to feed your load machine an address, and that should be it. What this provides is a ready-made, secure, bare-bones EL 5.4 server: no frills, no extras. You should be able to base all of your servers on this configuration and add what you need to it.
Here's a list of what's provided:
- Only 335 rpms in this installation
- Only 20 services started at boot time
- Only root, swap, var and boot partitions. Less wasted space, less to manage
- LVM used for easy resizing
- IP version 4 only, IPv6 disabled
- Password policy set:
  - 8 character minimum
  - 1 uppercase
  - 1 lowercase
  - 1 digit
  - 1 other
  - 6 password retention
  - 3 character difference between passwords
  - 90 day max change interval
  - 2 day min change interval
- Default umask set to 022
- Kernel swappiness turned down to 10
- Many kernel security parameters set
- Sendmail run from cron to empty mail queue. Not run in daemon mode, more secure.
- Authorized keys only read from protected directory in /etc, writable only by root. Non-root users cannot implement their own key login.
- Secure shell tightened up considerably, including timeouts
- Default banner that will display prior to login
- Shell timeouts
```
#Initial base Centos 5.4
#platform=x86
#System language
lang en_US
#Language modules to install
langsupport en_US
#System keyboard
keyboard us
#System timezone
timezone America/New_York
#Root password
# The easiest way to get an encrypted password is to copy one out of
# an existing password file
rootpw --iscrypted <replace with encrypted password>
#Reboot after installation
reboot
#Use text mode install
text
#Install OS instead of upgrade
install
#Use Web installation
url --url http://mirrors.gigenet.com/centos/5.4/os/i386/
#System bootloader configuration
bootloader --location=mbr --append="rhgb quiet"
#Clear the Master Boot Record
zerombr yes
#Partition clearing information
clearpart --all --initlabel
#Disk partitioning
part /boot --fstype ext3 --size=100 --ondisk=hda
part pv.2 --size=0 --grow --ondisk=hda
volgroup VolGroup00 --pesize=32768 pv.2
logvol /var --fstype ext3 --name=VarVol --vgname=VolGroup00 --size=2048
logvol swap --fstype swap --name=SwapVol --vgname=VolGroup00 --size=1024
logvol / --fstype ext3 --name=RootVol --vgname=VolGroup00 --size=4800
#System authorization information
auth --useshadow --enablemd5
#Network information
network --bootproto=dhcp --device=eth0
#Firewall configuration (disabled in this profile; iptables is also turned off below)
firewall --disabled
# SELinux configuration (disabled in this profile)
selinux --disabled
#Do not configure the X Window System
skipx

%post
# the chvt entry below will echo out all of the post
# section to your screen so you can watch what's going on
chvt 3
(
# Note: sed is called as "sed -i -e", not "sed -ie". With -ie sed takes the
# "e" as a backup suffix and leaves copies such as sshd_confige lying around.
# Remove boot splash
sed -i -e 's/splashimage=(hd0,0)\/grub\/splash\.xpm\.gz/#splashimage=(hd0,0)\/grub\/splash\.xpm\.gz/g' /boot/grub/grub.conf
# Change kernel parameters
echo "modifying /etc/sysctl.conf"
cat >> /etc/sysctl.conf << EOF
# Change swap parameters, default is too high
vm.swappiness=10
# Tighten security a bit more than default
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
EOF
# Configure cron to empty mail queue
# This is much more secure than running sendmail in daemon mode
echo "configuring cron mail queue purging"
echo "" >> /etc/crontab
echo "# empty mail queue" >> /etc/crontab
echo "00,15,30,45 * * * * root /usr/lib/sendmail -q > /dev/null 2>&1" >> /etc/crontab
# Configure key file for automated ssh auth
# (root-owned; readable by everyone, writable only by root)
echo "configure publickey file"
mkdir /etc/publickeys
touch /etc/publickeys/authorized_keys
chmod 755 /etc/publickeys/authorized_keys
# Tighten up secure shell
echo "installing increased ssh security"
sed -i -e 's/#PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config
sed -i -e 's/#RSAAuthentication yes/RSAAuthentication yes/g' /etc/ssh/sshd_config
sed -i -e 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/g' /etc/ssh/sshd_config
# the stock line has a tab between the keyword and the path, so allow any whitespace
sed -i -e 's/#AuthorizedKeysFile[[:space:]][[:space:]]*\.ssh\/authorized_keys/AuthorizedKeysFile \/etc\/publickeys\/authorized_keys/g' /etc/ssh/sshd_config
sed -i -e 's/#AllowTcpForwarding yes/AllowTcpForwarding no/g' /etc/ssh/sshd_config
sed -i -e 's/#PrintMotd yes/PrintMotd no/g' /etc/ssh/sshd_config
sed -i -e 's/#PrintLastLog yes/PrintLastLog no/g' /etc/ssh/sshd_config
sed -i -e 's/#TCPKeepAlive yes/TCPKeepAlive no/g' /etc/ssh/sshd_config
sed -i -e 's/#ClientAliveInterval 0/ClientAliveInterval 300/g' /etc/ssh/sshd_config
sed -i -e 's/#ClientAliveCountMax 3/ClientAliveCountMax 3/g' /etc/ssh/sshd_config
sed -i -e 's/#UseDNS yes/UseDNS no/g' /etc/ssh/sshd_config
sed -i -e 's/#Banner \/some\/path/Banner \/etc\/issue/g' /etc/ssh/sshd_config
# Install issue
echo "installing /etc/issue"
cat > /etc/issue << EOF
###########################################################
This is a proprietary system requiring authorized access.
Any unauthorized access and/or use of this system are not permitted.
Any authorized use is subject to compliance with applicable law and
internal policies as may be amended from time to time. Accordingly
this system may be monitored and the results recorded and reviewed.
By using or accessing this system you expressly acknowledge that you
are an authorized user and are not entitled to any privacy rights
with respect to your use of this system.
###########################################################
EOF
cat /dev/null > /etc/motd
# Set shell timeout
echo "setting shell TMOUT"
echo "" >> /etc/profile
echo "export TMOUT=900" >> /etc/profile
# Tighten default umask
# (login.defs separates keys and values with tabs, so the patterns allow any whitespace)
echo "setting initial umask in /etc/login.defs"
sed -i -e 's/^UMASK[[:space:]][[:space:]]*077/UMASK 022/g' /etc/login.defs
# Configure password constraints
echo "Configuring password policy"
sed -i -e 's/^PASS_MAX_DAYS[[:space:]][[:space:]]*99999/PASS_MAX_DAYS 90/g' /etc/login.defs
sed -i -e 's/^PASS_MIN_DAYS[[:space:]][[:space:]]*0/PASS_MIN_DAYS 2/g' /etc/login.defs
sed -i -e 's/^PASS_MIN_LEN[[:space:]][[:space:]]*5/PASS_MIN_LEN 8/g' /etc/login.defs
sed -i -e 's/EXPIRE=/EXPIRE=14/g' /etc/default/useradd
# system-auth-ac is generated by authconfig; re-run these two lines if authconfig
# is ever used on the box later, since it rewrites the file
sed -i -e 's/^password[[:space:]][[:space:]]*requisite[[:space:]][[:space:]]*pam_cracklib\.so try_first_pass retry=3/password    requisite     pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 difok=3/g' /etc/pam.d/system-auth-ac
sed -i -e 's/pam_unix\.so md5 shadow nullok try_first_pass use_authtok/pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=6/g' /etc/pam.d/system-auth-ac
# Remove ipv6 support. Omit this step if you use ipv6
echo "Disabling ipv6 support"
sed -i -e 's/NETWORKING_IPV6=yes/NETWORKING_IPV6=no/g' /etc/sysconfig/network
sed -i -e '/localhost6/d' /etc/hosts
#############################
# Disable unneeded services
#############################
echo "disabling unneeded services"
chkconfig autofs off
chkconfig avahi-daemon off
chkconfig cups off
chkconfig haldaemon off
chkconfig iptables off
chkconfig ip6tables off
chkconfig kudzu off
chkconfig mcstrans off
chkconfig netfs off
chkconfig nfslock off
chkconfig pcscd off
chkconfig portmap off
chkconfig restorecond off
chkconfig rpcgssd off
chkconfig rpcidmapd off
chkconfig sendmail off
# I always like to log everything in the post section
) 2>&1 | /usr/bin/tee /root/post_install.log

%packages
@base
# I can't see a real basic need for anything below
# Of course, if you have an identified need, load it
-bluez-gnome
-bluez-libs
-bluez-utils
-dhcpv6-client
-finger
-firstboot-tui
-gpm
-irda-utils
-NetworkManager
-rdate
-rdist
-wpa_supplicant
-xorg-x11-filesystem
-ypbind
-yp-tools
```
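A post-install audit, added here as an example and not part of the original post or its kickstart profile: every sed substitution in the %post section fails silently when its pattern does not match the stock file, so it pays to re-read the resulting files and the chkconfig state and compare them with what the profile intended. The function names, the sample file contents and the chkconfig --list excerpt below are constructed for this example; the expected values are the ones the profile writes.

```shell
#!/bin/sh
# Added example, not part of the original post or its kickstart profile.
# Re-reads hardened config files and chkconfig output and reports any
# setting that is not in the state the %post section was supposed to leave.
# All file contents below are constructed samples; nothing touches the live system.

# has_setting FILE KEY VALUE
# True if FILE contains an uncommented line "KEY VALUE" or "KEY = VALUE",
# tolerating any amount of whitespace and ignoring case (as sshd itself does).
has_setting() {
    grep -Eiq "^[[:space:]]*$2([[:space:]]+|[[:space:]]*=[[:space:]]*)$3[[:space:]]*$" "$1"
}

# audit_file FILE "KEY VALUE" ...
# Reports each unmet expectation on stderr and prints the number of misses.
audit_file() {
    file=$1; shift
    misses=0
    for spec in "$@"; do
        key=${spec%% *}
        want=${spec#* }
        if ! has_setting "$file" "$key" "$want"; then
            echo "MISSING in $file: $key $want" >&2
            misses=$((misses + 1))
        fi
    done
    echo "$misses"
}

# Services the profile turns off; any of these still "3:on" is drift.
DISABLED_SERVICES="autofs avahi-daemon cups haldaemon iptables ip6tables kudzu mcstrans netfs nfslock pcscd portmap restorecond rpcgssd rpcidmapd sendmail"

# drifted_services FILE   (FILE holds 'chkconfig --list' output)
# Prints every service from DISABLED_SERVICES that is still on in runlevel 3.
drifted_services() {
    awk '$5 == "3:on" { print $1 }' "$1" | while read -r svc; do
        case " $DISABLED_SERVICES " in
            *" $svc "*) echo "$svc" ;;
        esac
    done
}

# Constructed sshd_config: two directives still carry the stock '#' prefix,
# which is exactly what a non-matching substitution leaves behind.
sample_sshd_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
PermitRootLogin no
PubkeyAuthentication yes
AuthorizedKeysFile   /etc/publickeys/authorized_keys
#AllowTcpForwarding yes
#TCPKeepAlive yes
ClientAliveInterval 300
UseDNS no
Banner /etc/issue
EOF
    echo "$f"
}

# Constructed sysctl.conf with one drifted value (forwarding re-enabled).
sample_sysctl_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
vm.swappiness=10
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.ip_forward = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
EOF
    echo "$f"
}

# Constructed 'chkconfig --list' excerpt: cups was supposed to be off.
sample_chkconfig_list() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
autofs          0:off   1:off   2:off   3:off   4:off   5:off   6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
EOF
    echo "$f"
}

# Run the three audits against the samples; prints "sshd=2 sysctl=1 services=cups".
audit_samples() {
    s=$(sample_sshd_config); y=$(sample_sysctl_conf); c=$(sample_chkconfig_list)
    n_sshd=$(audit_file "$s" "PermitRootLogin no" "PubkeyAuthentication yes" \
        "AuthorizedKeysFile /etc/publickeys/authorized_keys" \
        "AllowTcpForwarding no" "TCPKeepAlive no" "ClientAliveInterval 300" \
        "UseDNS no" "Banner /etc/issue")
    n_sysctl=$(audit_file "$y" "vm.swappiness 10" "net.ipv4.tcp_syncookies 1" \
        "net.ipv4.conf.all.rp_filter 1" "net.ipv4.conf.all.accept_source_route 0" \
        "net.ipv4.ip_forward 0" "net.ipv4.icmp_echo_ignore_broadcasts 1")
    svcs=$(drifted_services "$c" | tr '\n' ' ')
    rm -f "$s" "$y" "$c"
    echo "sshd=$n_sshd sysctl=$n_sysctl services=${svcs% }"
}

audit_samples
```

Pointed at the live files (/etc/ssh/sshd_config, /etc/sysctl.conf and a saved copy of chkconfig --list output) instead of the samples, audit_file and drifted_services give a quick drift check after each kickstart run. The sample data deliberately contains two sshd directives left commented out, one sysctl value that no longer matches the profile, and one service still enabled, so the expected report is two sshd misses, one sysctl miss and cups.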
Next week I'll cover some other kickstart tricks, such as loading netbackup client from kickstart.
Please try it out and leave some feedback. I'm anxious to hear what you have to say!
Some handy references:
http://www.puschitz.com/SecuringLinux.shtml
http://www.redhat.com/docs/manuals/enterprise/
http://wiki.centos.org/
John, you are absolutely correct about the swappiness default being too high (default is 60 on REL). Setting vm.swappiness=10 is a much more reasonable value for most servers. In fact, a database server (such as DB2, Oracle, MySQL, etc) should have swappiness set to 0, since the database should never be swapped out of memory in favor of file system caching (assuming that the DBA is competent enough to make sure that configured memory for the database will never exceed the real memory on the server). Many Linux admins do not realize that because modern databases have their own internal caching memory for tables and indexes (which is highly tunable by the DBA for different tables and indexes, and not just one big memory pool), the databases are usually configured to bypass file system caching by specifying direct I/O on tablespaces. If swappiness is set above 0, Linux may think file system caching is more important than the database code or database shared memory and swap the database out of memory, which can be a recipe for a very poor performing database, and in some cases a database hang or crash.
Here are some other kernel parms recommended for database servers:
vm.swappiness=0
vm.dirty_ratio=10
vm.dirty_background_ratio=5