Tag Archives: centos

Guide and hardning tips for RHEL/CentOS 5 from NSA

As I was looking to see if NSA had updated their guides for RHEL 6 and it turns out they haven’t. I decided it would be a good idea to post about them to give them some better coverage.

This is just a small tip of free and useful information in regards to securing your RHEL/CentOS installation. A lot of the information is general in nature and can therefore be applied to any Linux distribution. It’s definitely worth your time.

I take no credit, the credit goes to NSA for creating the documents to begin with.

Guide to the Secure Configuration of Red Hat Enterprise Linux 5
www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf

Red Hat Linux 5 Hardening Tips
www.nsa.gov/ia/_files/factsheets/rhel5-pamphlet-i731.pdf

I just love how just about every section starts with “Disable ‘insert your service here’ if possible…” 😉

// CrashMAG

Setting up sSMTP with GMail

Let me introduce you to the “extremely simple MTA to get mail off the system to a mailhub”. Particularly useful when you don’t want systems to have a full blown MTA installed. Such as Postfix, Exim or Sendmail. I find ssmtp extremely helpful on standalone servers that use Logwatch.

Getting this up and running requires 4 steps.

  • Installing SSMTP
  • Configuring SSMTP
  • Changing the MTA on your system
  • Testing

Installing the daemon, ssmtp.

Use your favorite package manager, in my example I’ll be using YUM. (Fedora/CentOS/RHEL/Scientific Linux). For Centos/RHEL/Scientific Linux 5.5 or 5.6 you need access to the EPEL repository to install sSMTP. Add EPEL to your system using the following command.

rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm

You can find eventual new links from http://download.fedora.redhat.com/pub/epel/5/i386/repoview/epel-release.html

yum install ssmtp

Configuring SSMTP

Edit /etc/ssmtp/ssmtp.conf with your favorite text editor. I’ll be using nano.

nano /etc/ssmtp/ssmtp.conf

Remove all the entries and replace it with the ones beneath.

root=insert_your_email_address here
mailhub=smtp.gmail.com:587
UseTLS=YES
UseSTARTTLS=YES
AuthUser=your_gmail_username_which_you'll_be_using_to_send
AuthPass=password

Changing the MTA

For CentOS/Fedora/RHEL

alternatives --config mta

Press the number that equals /usr/sbin/sendmail.ssmtp and you’re done.

Testing

I’m testing this using the verbose mode just to be able to see the dialogue with the Google SMTP server.

cat random_file | sendmail -v your_email_address

// CrashMAG

Managing /etc with etckeeper and git

The following was done on Fedora 14. Keep in mind that the Etckeeper and git specific actions will be similar on whatever platform you’re on.

Simply put, Etckeeper automatically revisions your /etc folder. Allows you to compare, commit and revert the changes that have been made. It’ll also allow you to restore files, should you be unlucky and delete them. Once etckeeper is installed, it will work together with your package manager and cron to do its work. To manage all this you’ll use the commands that your chosen VCS (Version Control System).

Etckeeper supports Git, Bazaar, Darcs and Mercurial.

Use of Etckeeper

Installation

yum install etckeeper

Initialization

etckeeper init

Initial commit

etckeeper commit "initial commit"

Once this is done, etckeeper will make sure that every time you use the package manager (YUM) changes will be recorded. There are however a few git related commands you should be aware of.

Useful and necessary commands

Note: All of these commands assumes your current path is /etc

Viewing the Git log

git log

Check if there’s any modified files

git status

Complete status overview

git log --stat --summary

Revert a change

git revert 

View changes you haven’t commited yet

git diff

List different commits, each on one line.

git log --pretty=oneline

Revert to latest change-set, discarding changes

git reset --hard

Re-enter commit message

git commit --amend

Have at it folks!

// CrashMAG

Correcting the eth0 MAC Address in RHEL or CentOS

Cloning machines in VMWare is really straightforward thing. However once you do clone a machine, you’ll be left with new MAC addresses for the network cards. In a typical scenario the cloned RHEL or CentOS machine will boot up without the local network interface. You’ll typically see the following during boot.

Bringing up interface eth0: Device eth0 has different MAC address than expected, ignoring.

The reason for this is that

/etc/sysconfig/network-scripts/ifcfg-eth0

contains a variable called “HWADDR=”. Do the following to add the appropriate MAC address and restore networking functionality.

  • As the root user (or a user with appropriate permissions)
  • Type “ifconfig -a”
  • From the displayed information, find eth0 (this is the default first Ethernet adapter)
  • Locate the number next to the HWaddr. This is your MAC address

A typical output would be as follows.

eth0      Link encap:Ethernet  HWaddr 00:1B:21:1F:66:88
          inet addr:192.168.0.5  Bcast:192.168.0.255  Mask:255.255.255.0
... the additional output has been removed...

Now you edit

/etc/sysconfig/network-scripts/ifcfg-eth0

and modify the “HWADDR=” variable to include your MAC address. E.g.

HWADDR=00:1B:21:1F:66:88

Save the file. At this point you run

# service network restart

as root from the command prompt. You’ve now restored networking.

// CrashMAG

Disable IPv6 lookups with Bind on RHEL or CentOS

Discovered during a recent project. Bind / Named was constantly spamming the logs about it being unable to reach root servers. The logs revealed that we were talking IPv6 addresses. Which was assumed to be disabled.

The less cool part was that in “/etc/named.conf” the following was commented out.

//      listen-on-v6 port 53 { ::1; };

It turns out that to disable the IPv6 lookups you have to edit “/etc/sysconfig/named” and set

OPTIONS="-4"

The option does the following

Use IPv4 only even if the host machine is capable of IPv6. -4 and -6 are mutually exclusive.

You then run

service named restart

This serves the very practical purpose of not spamming the logs. My ISP has yet to enable IPv6 so it does me no good.

// CrashMAG

Resetting the root password for MySQL running on RHEL or CentOS

I recently had to reset the MySQL root password due to the fact that initializing it the way I assumed it should did not work. The following procedure will work in CentOS/RHEL/Scientific Linux and Fedora.

After installing MySQL using

# yum install mysql-server

I ran the command

# mysqladmin -u root password 'new-password'

Trying to log in with the following failed

# mysql -u root -p

with the following error

Access denied for user 'root'@'localhost'

Decided to not spend more time as it’s a fresh MySQL installation. And did the following to reset the root password for MySQL.

Resetting the root password

1) Stopped the MySQL service.

# service mysqld stop

2) Started MySQL in safe mode.

# mysqld_safe --skip-grant-tables &

3) Logged in using root.

# mysql -u root

4) Reset the password.

> use mysql;
> update user set password=PASSWORD("mynewpassword") where User='root';
> flush privileges;
> quit

5) Stop MySQL in safe mode.

# service mysqld stop

6) Start MySQL.

# service mysqld start

7) Log in using the new password.

# mysql -u root -p

Success!

// CrashMAG

Nano syntax highlighting

I wanted to share an easy way of adding syntax highlighting to your favorite editor. I’ll give you examples to use for Arch Linux, RHEL, CentOS, Fedora and Debian. This all requires you to add code to your ~/.nanorc file. Luckily, the nano packages contain what you want. You just have to add it.

The typical format of these nanorc files that comes with the nano package is programming_language.nanorc.

To list the available packages for each distributions please do the following

RHEL/CentOS/Scientific Linux/Fedora

# rpm -ql nano | grep nanorc

Debian

# dpkg -S nano | grep nanorc

Arch Linux

# pacman -Ql nano

They all reside in the /usr/share/nano/ folder on each system.

You add languages to your ~/.nanorc the following way.

$ cat /usr/share/nano/programming_language.nanorc >> ~/.nanorc

The >> option will append information so you can keep using this command for each language you want to add syntax highlighting for.

// CrashMAG

How to set up RHEL or CentOS 5.5 with Apache, MySQL, PHP 5.3 and WordPress

This is just a short how-to on what I did to set up WordPress on my VPS server. This assumes you’re running RHEL, CentOS or Scientific Linux 5.5.

These instructions assume that you know how and when to use root. Whether it be via sudo or not.

Rather than going with the minimum requirements(*) from WordPress I went with PHP 5.3.

PHP version 4.3 or greater
MySQL version 4.1.2 or greater

Installing MySQL and Apache

1) Install MySQL and Apache

# yum install mysql-server httpd

2) Add MySQL and Apache to the appropriate run levels

# chkconfig --level 345 mysqld on
# chkconfig --level 345 httpd on

3) Adding the PHP 5.3 repository

# rpm -ivh http://repo.webtatic.com/yum/centos/5/`uname -i`/webtatic-release-5-0.noarch.rpm

4) Installing PHP 5.3 via YUM

# yum --enablerepo=webtatic install php php-mysql

Set up MySQL

1) Start MySQL.

# service mysqld start

2) Set the root password.

# mysqladmin -u root password 'your password'

The 5th step is to set up the database and database user for WordPress 

1) Log in to mysql

# mysql -u root -p

Enter your password when prompted.

2) Create the database

> CREATE DATABASE wordpress CHARACTER SET = utf8 COLLATE = utf8_general_ci;

3) Create the database user and assign appropriate rights. In the example the user is called “wp”.

> CREATE USER 'wp'@'localhost' IDENTIFIED BY 'db_passwd';
> GRANT ALL PRIVILEGES ON wordpress.* TO 'wp'@'localhost' IDENTIFIED BY 'db_passwd';
> FLUSH PRIVILEGES;

The 6th step is to download and install WordPress

1) Download

# wget http://wordpress.org/latest.tar.gz

2) Create the wordpress folder.

# mkdir /var/www/html/wordpress

3) Extract

# tar -xzvf latest.tar.gz -C /var/www/html

4) Modify folder ownership.

# chown apache:apache /var/www/html/wordpress -R

-R, –recursive change files and directories recursively

5) Go to http://your site/wordpress and follow the on screen instructions.



// CrashMAG