This article shows how to secure a CentOS server using psad, Bastille, and some other tweaks. psad is a tool that helps detect port scans and other suspicious traffic, and the Bastille hardening program locks down an operating system, proactively configuring the system for increased security and decreasing its susceptibility to compromise.
Create an additional account for Systems Administration
The "adduser" command will create an account.
adduser service
The "passwd" command will set the password for the "service" account.
passwd service
Creating a directory for downloads.
This will create a directory to download the RPMs and other files.
mkdir /downloads
cd /downloads
Installing PSAD
psad is a collection of three lightweight system daemons (two main daemons and one helper daemon) that run on Linux machines and analyze Netfilter log messages to detect port scans and other suspicious traffic. More information can be found here.
wget http://www.cipherdyne.com/psad/download/psad-1.4.6-1.i386.rpm
rpm -Uvh psad-1.4.6-1.i386.rpm
Installing Bastille
The Bastille Hardening program "locks down" an operating system, proactively configuring the system for increased security and decreasing its susceptibility to compromise. Bastille can also assess a system's current state of hardening, granularly reporting on each of the security settings with which it works. More information can be found here.
wget http://easynews.dl.sourceforge.net/sourceforge/bastille-linux/Bastille-3.0.9-1.0.noarch.rpm
wget ftp://ftp.icm.edu.pl/vol/rzm4/linux-dag/redhat/el4/en/i386/RPMS.dag/perl-Curses-1.12-1.2.el4.rf.i386.rpm
rpm -ivh Bastille-3.0.9-1.0.noarch.rpm
rpm -Uvh perl-Curses-1.12-1.2.el4.rf.i386.rpm
Running Bastille
This will start the interactive prompt.
/usr/sbin/bastille -c
Interactive prompt response
These settings are recommendations for the Perfect Setup install. There may be certian values that may need to change if other software or packages have been installed.
accept
<ENTER>
Would you like to set more restrictive permissions on the administration utilities? -> YES
<ENTER>
Would you like to disable SUID status for mount/umount? -> YES
Would you like to disable SUID status for ping? -> YES
Would you like to disable SUID status for at? -> YES
Would you like to disable the r-tools? -> YES
Would you like to disable SUID status for usernetctl? -> YES
Would you like to disable SUID status for traceroute? -> YES
Should Bastille disable clear-text r-protocols that use IP-based authentication? -> YES
Would you like to enforce password aging? -> YES
Do you want to set the default umask? -> YES
What umask would you like to set for users on the system? -> 007
Should we disallow root login on tty's 1-6? -> NO
Should Bastille ask you for extraneous accounts to delete? -> NO
Would you like to password-protect the GRUB prompt? -> NO
Would you like to disable CTRL-ALT-DELETE rebooting? -> YES
Would you like to password protect single-user mode? -> NO
Would you like to set a default-deny on TCP Wrappers and xinetd? -> NO
Would you like to display "Authorized Use" messages at log-in time? -> YES
Who is responsible for granting authorization to use this machine? -> YOUR COMPANY NAME
Would you like to put limits on system resource usage? -> YES
<ENTER>