Purpose
This document describes how to add a RHEL or Oracle Linux server to a test or production environment.
Target Audience
This document is intended for Systems Administrators who wish to install and harden Linux servers.
Prerequisites
Install the OS, choose the appropriate disk layout and set the correct hostname.
Adding a new Linux server
Network Configurations
Add the name server to your resolv.conf configuration file (the keyword is lowercase; the resolver ignores "Nameserver").
# vi /etc/resolv.conf
nameserver <IP>
Configure your NIC.
# vi /etc/sysconfig/network-scripts/ifcfg-eth0
# service network restart
# ping google.com //For testing connectivity
VMTools Installation
For virtual machines, do the following:
# cd
# mkdir VMTools
# mount /dev/cdrom /mnt/
# cp -a /mnt/VMwareTools-x.x.x.tar.gz VMTools/
# umount /dev/cdrom
# cd VMTools/
# tar xzvf VMwareTools-x.x.x.tar.gz
# cd vmware-tools-distrib/
# ./vmware-install.pl
Disable SELinux
To make your life easy :)
# vi /etc/sysconfig/selinux
NTP Configuration
# vi /etc/ntp.conf
# ntpdate -bs ntp01.domainname.com
# service ntpd start
# chkconfig ntpd on
Register the system
# uln_register --proxy=proxy.domainname.com:8080
# export http_proxy=http://proxy.domainname.com:8080 //Only required if you have problems connecting to ULN
# export https_proxy=http://proxy.domainname.com:8080
# uln_register --proxy=proxy.domainname.com:8080
Update the system
# yum update
Apply the security scripts
Security scripts will be uploaded separately.
# cp -a scripts/ /root/
# cd /root/scripts/
# chmod u+x *
# ./script1.sh
# ./script2.sh
# ./script3.sh
# ./script4.sh
# ./script6.sh
# ./script7.sh
# ./script8.sh
# ./script9.sh
LDAPS Configuration
Will attach samples of the configuration files later.
# yum install openldap openldap-clients nss-pam-ldapd krb5-libs
# cd /etc
# scp krb5.conf nsswitch.conf pam_ldap.conf sudo-ldap.conf sudoers nslcd.conf client:/etc/
# cd /etc/pam.d
# scp login password-auth-ac system-auth-ac client:/etc/pam.d
# cd /etc/openldap/certs/
# scp ca.pem client:/etc/openldap/certs/
# certutil -A -n "CA Certificate" -t "CT" -i ca.pem -d .
# service nslcd start
# sudo su - your_ldap_user
Auto create Home Directories
Add the following session line to /etc/pam.d/sshd so a home directory is created on first login:
# vi /etc/pam.d/sshd
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
Log Configuration
Add your log server to /etc/rsyslog.conf
# service rsyslog restart
Mail Configuration
Add the relay host:
# vi /etc/postfix/main.cf
# service postfix restart
Add the system admin contact email
# vi /root/.forward
Tripwire Installation
# yum install gcc-c++
# cd /opt/
# tar xjvf /root/Server/tripwire-x.x.x-src.tar.bz2
# cd tripwire-x.x.x-src/
# vi policy/twpol-Linux.txt
Comment the following:
/usr/local/sysinfo
/usr/X11R6/lib
/etc/mail/statistics
/var/lost+found
/cdrom
/floppy
/initrd
/home/lost+found
/etc/sysconfig/hwconf
#./configure
# make
# make install
# tripwire --init
# cd /root/Server/
# cp tripwire /etc/cron.daily/
# ls -l /etc/cron.daily/
# chmod +x /etc/cron.daily/tripwire
Proxy Configuration
# vi /etc/wgetrc //To add the proxy
# vi /etc/profile //Add the following
PS1='\u@\h:\w\$ '
PS2='> '
Stop iptables services (Put all rules on the main firewall)
# service iptables stop
# service ip6tables stop
# chkconfig iptables off
# chkconfig ip6tables off
# reboot
Finishing up
You have now
successfully hardened and configured a new Linux server.
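A post-build verification script for the steps above, added here as an example and not part of the original post. It checks the resolv.conf keyword, the pam_mkhomedir line, the rsyslog forwarding target, the postfix relayhost and the tripwire cron job; the file paths are those used in this document, and the script name verify-build.sh is an assumption.

```shell
#!/bin/sh
# Post-build checks for the runbook steps above (added example, not from the original post).
# Every check takes the path of the file to inspect, so it can be pointed at a test copy.

# resolv.conf keyword is lowercase "nameserver"; "Nameserver" is silently ignored by the resolver
check_nameserver() {
    grep -Eq '^nameserver[[:space:]]+[0-9A-Fa-f.:]+[[:space:]]*$' "$1"
}

# /etc/pam.d/sshd carries the uncommented pam_mkhomedir session line from the LDAP section
check_mkhomedir() {
    grep -Eq '^[[:space:]]*session[[:space:]]+required[[:space:]]+pam_mkhomedir\.so' "$1"
}

# rsyslog.conf forwards to a remote log server: "@host" (UDP) or "@@host" (TCP) after a selector
# (legacy selector syntax only, which is what this runbook's RHEL/OL releases use)
check_remote_syslog() {
    grep -Eq '^[^#]+[[:space:]]@@?[A-Za-z0-9.-]+(:[0-9]+)?[[:space:]]*$' "$1"
}

# postfix main.cf names a relay host
check_relayhost() {
    grep -Eq '^relayhost[[:space:]]*=[[:space:]]*[^[:space:]]' "$1"
}

# the daily tripwire job is present and executable
check_cron_job() {
    [ -f "$1" ] && [ -x "$1" ]
}

# Run all checks against the live paths; returns 1 if any check fails.
verify_all() {
    rc=0
    for spec in \
        "check_nameserver:/etc/resolv.conf" \
        "check_mkhomedir:/etc/pam.d/sshd" \
        "check_remote_syslog:/etc/rsyslog.conf" \
        "check_relayhost:/etc/postfix/main.cf" \
        "check_cron_job:/etc/cron.daily/tripwire"; do
        fn=${spec%%:*}; path=${spec#*:}
        if "$fn" "$path"; then echo "PASS $fn $path"; else echo "FAIL $fn $path"; rc=1; fi
    done
    return "$rc"
}

# Only run automatically when executed as verify-build.sh (assumed name), not when sourced.
case "$0" in *verify-build.sh) verify_all ;; esac
```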