10 Essential Steps to Configuring a New Server


1. User Configuration

● To change the root password: log in as root, run passwd, enter the new password, then enter it again to confirm.

● Setting up a password policy is fairly complex; full details are here, but essentially:

+ Install pam_cracklib

+ Edit the /etc/pam.d/common-password (Debian, Ubuntu, Mint) or /etc/pam.d/system-auth (RHEL, Fedora, CentOS) file

+ Modify the various attributes in that file for length, complexity, history

+ Edit the /etc/login.defs file and modify the attributes there for expiration settings

● To create a new user: run useradd [username] as root, then run passwd [username] to set the password for that account.

● To give a user sudo access: run visudo as root, find “root ALL=(ALL) ALL” in the sudoers file, add a new line next to it containing “[username] ALL=(ALL) ALL”, then save and close.

● To disable root: run sudo passwd -l root

UpGuard.com | @UpGuard


2. Network Configuration

● To set the hostname and gateway: edit the /etc/sysconfig/network file

● To set the IP, netmask and broadcast: edit the /etc/sysconfig/network-scripts/ifcfg-eth0 file (the network service must be restarted for changes to take effect)

● To set DNS servers: edit /etc/resolv.conf

● To disable IPv6: edit /etc/sysctl.conf and add “net.ipv6.conf.all.disable_ipv6 = 1”


3. Package Management

● To list current packages: run yum list installed or dpkg -l

● To install a package: run yum install [package name] or apt-get install [package name]

● To remove a package: run yum remove [package name] or apt-get remove [package name]


4. Update Installation and Configuration

● To update everything: run yum update or apt-get upgrade

● To set up automatic updates: install and use yum-cron or unattended-upgrades (apt)


5. NTP and Time Drift

● To sync with an NTP server: edit the /etc/ntp.conf file


6. Firewalls and iptables

● To show your iptables: run iptables --list

● To delete an existing entry: run iptables --delete [chain] [rule number]

● To insert a new entry: run iptables --insert [chain] [rule number] [rule specification]

● Full details can be found here: http://linux.die.net/man/8/iptables


7. Securing SSH

● To disable ssh access for root: edit /etc/ssh/sshd_config, find “#PermitRootLogin no” and remove the comment “#” symbol so the directive takes effect. Restart ssh.

● To restrict ssh by IP: edit the sshd_config file and modify the AllowUsers directive like so: AllowUsers [username]@[IP address] [username]@[IP address] etc.

● Moving from password authentication to certificate-based authentication is fairly involved, requiring the generation of a key pair and several configuration changes. See a detailed guide for your distribution.
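The two sshd_config edits above are easy to get wrong (a directive left commented out, or shadowed by an earlier line), so here is an added shell example, not part of the original slides, that reports the effective global PermitRootLogin value and any AllowUsers entries not tied to a host. The function names and sample files are constructed for illustration, and directives are assumed to be whitespace-separated.

```shell
#!/bin/sh
# Added example (not UpGuard's code): check the two sshd_config edits above.
# Assumes OpenSSH parsing rules: keywords are case-insensitive, "#" lines are
# ignored, the first PermitRootLogin wins, and lines after a "Match" line are
# conditional, so only the global section before it is read here.

# global_lines FILE: uncommented global directives, leading whitespace removed
global_lines() {
    awk '{ sub(/^[ \t]+/, "") }
         /^#/ || /^$/ { next }
         tolower($1) == "match" { exit }
         { print }' "$1"
}

# root_login_setting FILE: effective global PermitRootLogin, or "unset"
root_login_setting() {
    global_lines "$1" | awk '
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }'
}

# open_allowusers FILE: AllowUsers patterns with no @host part (any source IP)
open_allowusers() {
    global_lines "$1" | awk '
        tolower($1) == "allowusers" {
            for (i = 2; i <= NF; i++) if ($i !~ /@/) print $i
        }'
}

# Constructed sample configs, not from a real host (192.0.2.0/24 is a
# documentation address range).
SAMPLES=$(mktemp -d)
printf '%s\n' 'Port 22' '#PermitRootLogin no' > "$SAMPLES/commented"
printf '%s\n' 'permitrootlogin yes' 'PermitRootLogin no' > "$SAMPLES/shadowed"
printf '%s\n' 'Match Address 192.0.2.0/24' '    PermitRootLogin no' \
    > "$SAMPLES/match_only"
printf '%s\n' 'PermitRootLogin no' 'AllowUsers alice@192.0.2.10 bob' \
    'AllowUsers carol@192.0.2.*' > "$SAMPLES/fixed"

for f in commented shadowed match_only fixed; do
    echo "$f: PermitRootLogin=$(root_login_setting "$SAMPLES/$f")" \
         "AllowUsers entries without a host: $(open_allowusers "$SAMPLES/$f" | tr '\n' ' ')"
done
```

A result of "unset" means sshd falls back to its built-in default for that version. On a live host, sshd -T prints the configuration sshd actually resolved.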


8. Systemctl and Service Configuration

● To list all services and their status: run systemctl list-unit-files --type=service or chkconfig --list

● To prevent a service from automatically starting: run systemctl disable [service] or chkconfig [service] off

● To set a service to start automatically: run systemctl enable [service] or chkconfig [service] on


9. SELinux and Further Hardening

● To see if SELinux is running (RHEL, CentOS, Fedora): run getenforce or sestatus

● To enable, disable or modify SELinux: edit the /etc/selinux/config file

● Try AppArmor as an SELinux alternative


10. Logging

● Logs are usually stored in /var/log

● Check the documentation and configuration files of your applications to see what log levels they allow and set the one that is appropriate for your needs.

● Consider a centralized syslog server if your environment warrants one


Want more tips? Visit UpGuard.com for more technical and how-to articles.
