Complete CentOS secure server setup



Disable unnecessary services. Type as root:

setup

Choose System services and uncheck:

anacron
atd
auditd
cpuspeed
kudzu
mcstrans
netfs
pcscd
portmap

Update all software:

yum update

Disable IPv6. Edit /etc/sysconfig/network and set:

NETWORKING_IPV6=no
HOSTNAME=sscserver

After that add the following to /etc/modprobe.conf:

alias ipv6 off
alias net-pf-10 off

and reboot:

reboot

After the above steps, follow the guide Install and secure LAMP on CentOS.

Install Webmin. Navigate to http://www.webmin.com/download.html and download an RPM package:

wget http://prdownloads.sourceforge.net/webadmin/webmin-1.470-1.noarch.rpm
rpm -ivh webmin-1.470-1.noarch.rpm

Point your browser to http://ip.address:10000 and log in with your root password.

Secure server. Change your root password:

passwd

For security reasons we will add a new user sscadmin for administration purposes:

adduser sscadmin && passwd sscadmin

Add the user sscadmin to the wheel group:

usermod -a -G wheel sscadmin

User sscadmin will use sudo for administrative tasks. Ensure the wheel group has the correct privileges. Run:

visudo

and uncomment the line:

%wheel  ALL=(ALL)       ALL

to allow members of the wheel group full sudo privileges.

To secure SSH access to the server follow the guide Secure existing OpenSSH installation.

The next step is to secure the temporary folders. Follow the guide Secure temporary folders on existing Unix or Linux systems.

If you want to harden your server further, follow the guide Server Hardening with ConfigServer Security & Firewall (CSF).

Install the PostgreSQL database server:

yum install postgresql postgresql-server

Start it and set it to run at startup:

service postgresql start
chkconfig postgresql on

Connect to PostgreSQL server:

su - postgres
psql -d template1 -U postgres

You'll get the following output:

Welcome to psql 8.1.11, the PostgreSQL interactive terminal.

Type:  \copyright for distribution terms
       \h for help with SQL commands
       \? for help with psql commands
       \g or terminate with semicolon to execute query
       \q to quit

template1=#

Install Postfix and remove Sendmail:

yum install postfix
yum remove sendmail

Edit the Postfix configuration file /etc/postfix/main.cf and change the following lines:

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.3.3/samples
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_security_options = noanonymous
mynetworks = 127.0.0.0/8
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
myhostname = domain.tld

Set up SASL and TLS to authenticate users. Install the required software:

yum install cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi cyrus-sasl-md5 \
cyrus-sasl-plain

Edit the SASL config file for smtpd to allow the PLAIN and LOGIN mechanisms:

nano -w /usr/lib/sasl2/smtpd.conf

and add the following:

pwcheck_method: saslauthd
mech_list: plain login
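The main.cf settings above and the PLAIN/LOGIN mechanisms just enabled decide whether the server can be abused as an open relay or leaks passwords. The following audit script is an added example, not part of the original guide: it parses a main.cf-style file (continuation lines included), checks the relay and SASL/TLS parameters, and runs against a constructed sample whose recipient restriction line is deliberately weaker than the guide's.

```shell
# Added example, not from the original guide: audit a Postfix main.cf for
# the relay and SASL/TLS settings the guide sets. Assumes the file path is
# passed as $1; write_sample_cf creates a constructed sample to run against.
# Emit "key=value" per parameter. Lines beginning with whitespace continue
# the previous value, as Postfix itself parses main.cf.
mainvalues() {
    awk '
        /^[ \t]/ { if (k != "") { sub(/^[ \t]+/, ""); v = (v == "" ? $0 : v " " $0) }; next }
        k != ""  { print k "=" v; k = "" }
        /^#/ || /^[ \t]*$/ { next }
        index($0, "=") {
            k = $0; sub(/[ \t]*=.*/, "", k)
            v = substr($0, index($0, "=") + 1); sub(/^[ \t]+/, "", v)
        }
        END { if (k != "") print k "=" v }' "$1"
}
# Last definition of a parameter wins, as in Postfix.
cfget() { mainvalues "$1" | sed -n "s/^$2=//p" | tail -n 1; }
# One WARN line per risky setting; silent when the file passes.
audit_main_cf() {
    case "$(cfget "$1" smtpd_recipient_restrictions)" in
        *reject_unauth_destination*|*defer_unauth_destination*) ;;
        *) echo "WARN open relay: smtpd_recipient_restrictions lacks reject_unauth_destination" ;;
    esac
    case "$(cfget "$1" mynetworks)" in
        *0.0.0.0/0*) echo "WARN open relay: mynetworks trusts every source address" ;;
    esac
    case "$(cfget "$1" smtpd_sasl_security_options)" in
        *noanonymous*) ;;
        *) echo "WARN SASL: smtpd_sasl_security_options lacks noanonymous" ;;
    esac
    if [ "$(cfget "$1" smtpd_sasl_auth_enable)" = yes ] &&
       [ "$(cfget "$1" smtpd_tls_auth_only)" != yes ]; then
        echo "WARN cleartext auth: smtpd_tls_auth_only is not yes, so PLAIN/LOGIN passwords may be sent unencrypted"
    fi
}
# Number of WARN lines; always exits 0 so it is safe under set -e.
finding_count() { audit_main_cf "$1" | awk 'END { print NR + 0 }'; }
# Constructed sample: the guide's values, except that the recipient
# restriction line is weakened so the audit has something to report.
write_sample_cf() {
    cat > "$1" <<'EOF'
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated
smtpd_sasl_security_options = noanonymous
mynetworks = 127.0.0.0/8
smtpd_tls_auth_only = no
EOF
}
```

Run it against the real file with `audit_main_cf /etc/postfix/main.cf` after editing; with the guide's own values only the cleartext-auth warning remains, since the guide sets smtpd_tls_auth_only = no.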

Create the certificates for TLS:

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
# generate a passphrase-protected RSA key for the SMTP server
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
# certificate request, then a self-signed certificate valid for ten years
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
# strip the passphrase so Postfix can load the key unattended (keep the result mode 600)
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
# separate self-signed CA certificate referenced by smtpd_tls_CAfile
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

Install Dovecot:

yum install dovecot

Open the Dovecot config file /etc/dovecot.conf and make the following changes:

protocols = imap imaps pop3 pop3s

Install SquirrelMail and set it up under Apache. Open /etc/httpd/conf/httpd.conf and insert the following lines:

Alias /squirrelmail "/usr/share/squirrelmail"
<Directory /usr/share/squirrelmail/>
    Options Indexes
    AllowOverride none
    DirectoryIndex index.php
    Order allow,deny
    allow from all
</Directory>

Run the configuration utility, set the server settings to SMTP and change the domain name to domain.tld:

/usr/share/squirrelmail/config/conf.pl

Start the email services and restart Apache:

service postfix start
service dovecot start
service saslauthd start
service httpd restart

Create a local user (to test the email):

adduser dima -s /sbin/nologin

Set a password for it:

passwd dima

To test email, open SquirrelMail and log in with that username and password.

Make the email services run at startup:

chkconfig --levels 235 sendmail off
chkconfig --levels 235 postfix on
chkconfig --levels 235 saslauthd on
chkconfig --levels 235 dovecot on