Nov 30, 2012

Installing gitolite in CentOS 6

Gitolite is an access-management layer that sits on top of git: it restricts which users can reach which repositories and what they may do in them. In this post we will install gitolite in a CentOS 6 environment.

  1. First we need to enable the EPEL repository. You could download and install gitolite directly, but I prefer to manage everything through the package manager for auditing purposes.
    wget http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-7.noarch.rpm
    rpm -ivh ./epel-release-6-7.noarch.rpm
  2. Install gitolite (it will most likely install a variety of dependencies):
    yum install gitolite
  3. If this is a brand-new gitolite installation you will need a public SSH key for the account you will use to administer gitolite. Creating the key pair is outside the scope of this post. Once it exists, copy the public key somewhere the gitolite user can read it (such as /tmp), using cp or scp.
  4. Rename the copied public key after the user it identifies (for example user.pub). Gitolite derives the user name it grants access to from the key file's name.
  5. Log in as the gitolite user:
    su - gitolite
  6. Initialize your gitolite service with the key:
    gl-setup -q /tmp/user.pub
  7. Now you can use gitolite!
    ssh gitolite@192.168.0.1 info
    git clone gitolite@192.168.0.1:gitolite-admin.git


Nov 29, 2012

Setting up a virtual guest on a headless CentOS 6 host

This guide assumes you have at least followed my guides for setting up the host (either my 6.2 or 6.3 version) and have set up the bridge networking interface. You can optionally also see my other posts such as auditing your software installs, hardening your accounts, network hardening, services hardening and clearing out orphaned packages.

Note that if you followed my guide for services hardening you may want to turn the messagebus daemon back on. If the avahi daemon and zeroconf are disabled, you will need to edit /etc/libvirt/libvirtd.conf with the following:
mdns_adv=0
The rest of the guide should apply to virtually everyone else:

  1. Edit /etc/libvirt/qemu.conf to make the VNC server listen on all interfaces (the console is then reachable from any address, which is why step 4 restricts the source network in the firewall):
    vnc_listen='0.0.0.0'
  2. Restart the libvirt daemon:
    service libvirtd restart
  3. If you don't already have one, create the LVM logical volume that will be our VM's hard disk:
    lvcreate -L20G -n lv_vm1 VolGroup
  4. Poke a hole in the firewall so we can connect to the server via VNC. You can choose any port you wish, but in this case we will be using port 7601. Make sure you change the network to match your own settings! Edit /etc/sysconfig/iptables and add:
    -A INPUT -m state --state NEW -s 192.168.0.0/24 -m tcp -p tcp --dport 7601 -j ACCEPT

  5. Restart the firewall:
    service iptables restart
  6. Run the installation command:
    virt-install -n vm1 -r 512 --vcpus=2 --disk path=/dev/VolGroup/lv_vm1 -c /path/to/disk.iso -v --accelerate -w bridge:br0 --vnc --vncport=7601 --noautoconsole --os-type linux --os-variant rhel6
  7. Now use a VNC client to connect to your server by connecting to the firewall hole we created earlier. Follow through with the rest of the installation process.
  8. To start and stop your VM just use the virsh command. The VM has been configured to use port 7601 for VNC, so you can always connect to it using that port unless you close it.
    virsh start vm1 


Nov 28, 2012

Bridge Networking in CentOS 6.3

Bridge networking is a useful technique to put virtual guests directly on the network your physical interface is attached to. This guide was written with CentOS 6.3 in mind but should be applicable to other Linux versions (with modifications).

  1. Copy the file /etc/sysconfig/network-scripts/ifcfg-eth0 as ifcfg-br0:
    cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-br0

  2. Edit the file /etc/sysconfig/network-scripts/ifcfg-eth0 and add the line:
    BRIDGE=br0
    You can also delete the lines:
    BOOTPROTO
    IPADDR
    GATEWAY
    DNS1
    DNS2
  3. Edit the file /etc/sysconfig/network-scripts/ifcfg-br0 and edit the lines:
    DEVICE=br0
    TYPE=Bridge
    You can also delete the lines:
    HWADDR
    UUID
  4. Restart your network:
    service network restart
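The three file edits above can be scripted so that the result is reviewed before the network is restarted. The following is an added example and not part of the original post: it takes the directory holding the ifcfg files and the bridge name as arguments (so it can be tried on a scratch directory first), and the sample ifcfg-eth0 it writes uses constructed addresses.

```shell
#!/bin/sh
# Added example (not from the original post): build the ifcfg-eth0/ifcfg-br0
# pair from an existing ifcfg-eth0, following steps 1-3 above.

# Write a constructed sample ifcfg-eth0 (made-up addresses) into directory $1,
# so the conversion can be tried without touching the real network-scripts.
write_sample_eth0() {
    cat > "$1/ifcfg-eth0" <<'EOF'
DEVICE=eth0
HWADDR=00:11:22:33:44:55
UUID=00000000-1111-2222-3333-444444444444
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=static
IPADDR=192.168.0.10
NETMASK=255.255.255.0
GATEWAY=192.168.0.1
DNS1=192.168.0.1
DNS2=192.168.0.2
EOF
}

# $1 = directory holding the ifcfg files (normally /etc/sysconfig/network-scripts)
# $2 = bridge name (default br0)
bridge_from_eth0() {
    dir=$1; br=${2:-br0}; src="$dir/ifcfg-eth0"
    [ -f "$src" ] || { echo "missing $src" >&2; return 1; }

    # Keep the original so the change can be reverted.
    cp "$src" "$src.orig"

    # Steps 1 and 3: the bridge inherits everything from eth0 except its
    # identity: DEVICE and TYPE are rewritten, HWADDR and UUID are dropped.
    sed -e "s/^DEVICE=.*/DEVICE=$br/" \
        -e 's/^TYPE=.*/TYPE=Bridge/' \
        -e '/^HWADDR=/d' -e '/^UUID=/d' "$src.orig" > "$dir/ifcfg-$br"

    # Step 2: eth0 loses its addressing (it now belongs to the bridge) and is
    # enslaved with BRIDGE=. NETMASK is stripped as well, since it goes with
    # IPADDR; the post's own list stops at BOOTPROTO/IPADDR/GATEWAY/DNS.
    grep -v -E '^(BOOTPROTO|IPADDR|NETMASK|GATEWAY|DNS[0-9]+)=' "$src.orig" > "$src"
    echo "BRIDGE=$br" >> "$src"
}

# Print both resulting files for review.
show_bridge_config() {
    for f in "$1/ifcfg-eth0" "$1/ifcfg-${2:-br0}"; do
        echo "== $f"; cat "$f"
    done
}
```

Run `bridge_from_eth0 /etc/sysconfig/network-scripts br0` as root, look at the output of `show_bridge_config`, and only then do step 4. The script only rewrites the two files; nothing is restarted, and the untouched original is kept as ifcfg-eth0.orig.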
     


Nov 27, 2012

SSH Hardening on CentOS 6.3

This is a follow on post from my guide to installing CentOS 6.2 (or you can read my updated 6.3 version). You can see my other posts such as auditing your software installs, hardening your accounts, network hardening, services hardening and clearing out orphaned packages.

This post outlines how you can harden your SSH server.

  1. Strengthen your IP table firewall rules by editing /etc/sysconfig/iptables and adding or changing the line (NOTE: Any old SSH rule will be using port 22; change it accordingly):
    -A INPUT -m state --state NEW -s network/mask -p tcp --dport 4444 -j ACCEPT
    where network/mask is replaced with your actual network and mask values, e.g. 10.0.0.0/24
  2. Since SSH uses the TCP wrappers library, we also need to allow the service in /etc/hosts.allow (a trailing dot matches every address with that prefix):
    sshd: 10.0.0.

  3. Edit /etc/ssh/sshd_config with the following changes:
    # Use Port 4444 instead of Port 22
    Port 4444

    # Ensure we use Protocol 2 by default
    Protocol 2

    # Set idle timeouts (15 minutes)
    ClientAliveInterval 900
    ClientAliveCountMax 0

    # Disable rhost behaviour
    IgnoreRhosts yes

    # Do not trust other hosts
    HostbasedAuthentication no

    # Do not allow root logins
    PermitRootLogin no

    # Do not allow empty passwords
    PermitEmptyPasswords no

    #Disable environment alteration
    PermitUserEnvironment no

    #Disable X11 forwarding
    X11Forwarding no

    # Disable TCP forwarding
    AllowTCPForwarding no

    # Log level
    LogLevel INFO
  4. Restart everything

    service sshd restart
    service iptables restart
    service network restart
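A way to check a file against the settings in step 3 before sshd is restarted, as an added example that is not part of the original post. It honours two sshd_config rules that a plain grep does not: keywords are case-insensitive, and the first occurrence of a keyword is the one sshd uses. The sample configuration it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): check an sshd_config against
# the values from step 3. sshd takes the FIRST occurrence of a keyword and
# matches keywords case-insensitively; a grep for the last line would report
# the wrong value when a directive appears twice, so this honours both rules.

# Print the effective value of keyword $2 in file $1 (empty if never set).
sshd_effective() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[ \t]*#/ || NF < 2 { next }            # comments and blank lines
        tolower($1) == key { print $2; exit }   # first match wins
    ' "$1"
}

# Compare file $1 against the hardened settings; print every mismatch and
# return 1 if there is at least one.
sshd_audit() {
    file=$1; status=0
    while read -r key want; do
        have=$(sshd_effective "$file" "$key")
        if [ "$have" != "$want" ]; then
            echo "$key: have '${have:-<unset>}', want '$want'"
            status=1
        fi
    done <<'EOF'
Port 4444
Protocol 2
ClientAliveInterval 900
ClientAliveCountMax 0
IgnoreRhosts yes
HostbasedAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
PermitUserEnvironment no
X11Forwarding no
AllowTcpForwarding no
LogLevel INFO
EOF
    return $status
}

# Constructed sample (not a real host's file): X11Forwarding appears twice
# with the insecure value first, and PermitRootLogin is missing altogether.
write_sample_sshd_config() {
    cat > "$1" <<'EOF'
Port 4444
protocol 2
ClientAliveInterval 900
ClientAliveCountMax 0
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
PermitUserEnvironment no
X11Forwarding yes
# X11Forwarding no
X11Forwarding no
AllowTcpForwarding no
LogLevel INFO
EOF
}
```

`sshd_audit /etc/ssh/sshd_config` prints each directive whose effective value differs from the list and exits non-zero. It does not understand Match blocks, so keep the hardened settings in the global section. On a live host, `sshd -T` (OpenSSH 5.1 and later, so available on CentOS 6) prints the effective configuration and is the authoritative check; this script is for reviewing a file before it is deployed.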


Nov 26, 2012

Fun Stuff: Getting Wolfram Alpha to talk

There was a post on Reddit's /r/math board that inspired me to make Wolfram Alpha bend to my will and say whatever I want it to say. Here is the image of Wolfram Alpha repeating 'make it stop':

0.makeitstopmakeitstopmakeitstop....

So I did a bit of research into the topic and came away with a Python script to figure out the Base-36 fraction that will make Wolfram Alpha repeatedly say an arbitrary sentence.

# The sentence to convert: base-36 digits only (0-9 and a-z, no spaces or symbols)
q = 'makeitstop'

# Read the string as a base-36 number; this is the numerator
n = int(q, 36)

# The denominator is 36 to the power of the string length, minus 1,
# so n / d is the base-36 fraction 0.(q)(q)(q)... repeating forever
d = pow(36, len(q)) - 1

# Print the query to paste into Wolfram Alpha
print('convert', n, '/', d, 'to base 36')

Once you run the code, copy and paste the printed result into http://www.wolframalpha.com/

(NOTE: You may need to click on 'Hide Block Form' to force Wolfram Alpha to use the alphanumeric representation)

If you want to know more about the equation/formula I used, look at the following post http://mathforum.org/library/drmath/view/61257.html


Nov 23, 2012

Setting up a CentOS 6 server: Services Hardening

This is a follow on post from my guide to installing CentOS 6.2 (or you can read my updated 6.3 version). You can see my other posts such as auditing your software installs, hardening your accounts, network hardening and clearing out orphaned packages.

This guide outlines how to cut down on unnecessary services so that you have a lean and mean machine.


  1. List all the services running on your machine with the following command:
    chkconfig --list | grep :on
  2. Go through the list and select services to disable or remove. For instance:
    chkconfig mdmonitor off
    chkconfig smartd off
    chkconfig messagebus off
    chkconfig haldaemon off
    chkconfig cups off
    chkconfig atd off
    chkconfig kdump off
  3. If you do not know what a service is or does, just run:
    rpm -qf /etc/init.d/<service_name>

    Then run:
    rpm -qi <rpm>


Nov 22, 2012

Setting up a CentOS 6 server: Network Hardening

This is a follow on post from my guide to installing CentOS 6.2 (or you can read my updated 6.3 version). You can see my other posts such as auditing your software installs, hardening your accounts, and clearing out orphaned packages.

This post will focus on hardening your networking infrastructure.
  1. Disable wireless networking in the kernel by blacklisting every wireless driver module it ships.
  2. Run the following loop to write the blacklist (modprobe expects module names rather than file paths, so each .ko path is reduced to its basename, and modprobe only guarantees to read files in /etc/modprobe.d that end in .conf):
    for i in $(find /lib/modules/$(uname -r)/kernel/drivers/net/wireless -name "*.ko" -type f) ; do
      echo blacklist $(basename "$i" .ko) >> /etc/modprobe.d/blacklist-wireless.conf ; done
    Note that blacklist only stops a module being loaded automatically by alias; the install <module> /bin/true form used in step 7 also blocks loading it by name.
  3. OPTIONAL: I also disabled the loading of bluetooth drivers by modifying the loop: I replaced 'net/wireless' with 'bluetooth' and saved the output under a different filename.
  4. Edit /etc/sysctl.conf to secure the network within the kernel.
    # Disables packet forwarding
    net.ipv4.ip_forward = 0

    # Source route verification (reverse path filter)
    net.ipv4.conf.all.rp_filter = 1
    net.ipv4.conf.default.rp_filter = 1

    # Don't accept source routing
    net.ipv4.conf.all.accept_source_route = 0
    net.ipv4.conf.default.accept_source_route = 0

    # Not a router, so do not send redirects
    net.ipv4.conf.all.send_redirects = 0
    net.ipv4.conf.default.send_redirects = 0

    # Not a router, so do not accept redirects
    net.ipv4.conf.all.accept_redirects = 0
    net.ipv4.conf.default.accept_redirects = 0
    net.ipv4.conf.all.secure_redirects = 0
    net.ipv4.conf.default.secure_redirects = 0

    # Log all packets with impossible addresses to the kernel log
    net.ipv4.conf.all.log_martians = 1

    # Ignore all ICMP ECHO and TIMESTAMP requests sent via broadcast/multicast
    # And protect against ICMP attacks
    net.ipv4.icmp_echo_ignore_broadcasts = 1
    net.ipv4.icmp_ignore_bogus_error_messages = 1

    # Protect against SYN flood attacks, and controls the use of SYN cookies
    net.ipv4.tcp_syncookies = 1
    net.ipv4.tcp_synack_retries = 2

    # This is not a router, so do not send IPv6 router solicitations
    net.ipv6.conf.all.router_solicitations = 0
    net.ipv6.conf.default.router_solicitations = 0

    # Do not accept IPv6 preferences from the router
    net.ipv6.conf.all.accept_ra_rtr_pref = 0
    net.ipv6.conf.default.accept_ra_rtr_pref = 0

    # Do not accept IPv6 prefix information from the router
    net.ipv6.conf.all.accept_ra_pinfo = 0
    net.ipv6.conf.default.accept_ra_pinfo = 0

    # Do not accept a default router from router advertisements
    net.ipv6.conf.all.accept_ra_defrtr = 0
    net.ipv6.conf.default.accept_ra_defrtr = 0

    # Do not accept configuration from router
    net.ipv6.conf.all.autoconf = 0
    net.ipv6.conf.default.autoconf = 0

    # Do not send duplicate address detection probes (no IPv6 addresses are configured)
    net.ipv6.conf.all.dad_transmits = 0
    net.ipv6.conf.default.dad_transmits = 0

    #Assign only one address per interface
    net.ipv6.conf.all.max_addresses = 1
    net.ipv6.conf.default.max_addresses = 1
  5. OPTIONAL: While we are in /etc/sysctl.conf we may as well add a few hardening parameters for the kernel:
    # Controls System Request Debugging
    kernel.sysrq = 0

    # Append the PID to the core file name in a core dump (useful to determine what happened)
    kernel.core_uses_pid = 1

    # Activate ExecShield and address space randomization
    # (1 randomizes stack, mmap and vdso; 2 additionally randomizes the heap/brk)
    kernel.exec-shield = 1
    kernel.randomize_va_space = 1
  6. OPTIONAL: If you are going to use bridge interfaces then disable packet filtering. This way we will use the Virtual Machine's firewall rules instead of defining complex rules on the host.
    net.bridge.bridge_nf_call_ip6tables = 0
    net.bridge.bridge_nf_call_iptables = 0
    net.bridge.bridge_nf_call_arptables = 0
  7. Disable automatic loading of IPv6 in the kernel by editing /etc/modprobe.d/dist.conf with:
    install ipv6 /bin/true
    While we are here, we will also disable the loading of uncommon networking protocols:
    install dccp /bin/true
    install sctp /bin/true
    install rds /bin/true
    install tipc /bin/true
  8. Disable IPv6 interfaces by modifying /etc/sysconfig/network:
    NETWORKING_IPV6=no
    IPV6INIT=no
    IPV6_AUTOCONF=no
    You can also turn off avahi and zeroconf by adding the line:
    NOZEROCONF=yes
    (NOTE: If you are not going to use zeroconf you may as well uninstall it with yum remove avahi avahi-autoipd. The avahi-libs package is required by other programs so you may still need it)
  9. Add the following line to every file that matches the pattern /etc/sysconfig/network-scripts/ifcfg-* with:
    IPV6INIT=no
  10. Deny all TCP Wrapper services by default. Edit /etc/hosts.deny and enter the following as the only entry:
    ALL: ALL
  11. OPTIONAL: If you wish, only accept connections to TCP Wrapper services (like SSH) from the local host. Edit /etc/hosts.allow and enter the following:
    ALL: localhost
  12. Edit IP tables (the firewall) so that packets matching no rule are dropped by default. In both /etc/sysconfig/iptables and /etc/sysconfig/ip6tables set the INPUT and FORWARD chain policies:
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
  13. Restrict ICMP messages by removing any lines in /etc/sysconfig/iptables containing the following:
    -p icmp
    and replace it with:
    -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
    -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
  14. To log all dropped packets in the system replace the following lines in /etc/sysconfig/iptables:
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    with:
    -A INPUT -j LOG
    -A INPUT -j DROP
    -A FORWARD -j LOG
    -A FORWARD -j DROP
    (An unrestricted LOG rule writes one entry per dropped packet; adding -m limit --limit 5/min to the LOG rules keeps a flood from filling the log.)
    You will need to write the same in the equivalent IPv6 file (in /etc/sysconfig/ip6tables)
  15. You may have NFS installed; if you don't need it then uninstall it:

    yum remove portmap nfs-utils

    NOTE: If you are running virtual machines then it will need the libraries provided by portmap. Instead turn off the services:
    chkconfig portreserve off
    chkconfig rpcgssd off
    chkconfig rpcidmapd off
    chkconfig rpcbind off
    chkconfig rpcsvcgssd off
    chkconfig nfs off
    chkconfig nfslock off
  16. Finally, to check what is running on your server:

    • This will show all services:
      netstat -tulp
    • This will show only services with active connection
      netstat -ant
    • This will show you the routing table
      route
    • This will show you if any program is actively pulling raw packets, and is a sign that there is a network sniffer. Note that on a fresh system that a positive result may just be the DHCP client (if you use one).

      cat /proc/net/packet
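Steps 12 to 14 can be checked mechanically on the file before it is loaded. The following is an added example and not part of the original post: it audits a file in the /etc/sysconfig/iptables format for the DROP policies, the ICMP restriction and the LOG-then-DROP ordering, and it includes two constructed sample files, one in the shape the steps above produce (with the SSH rule from the SSH hardening post on port 4444) and one resembling the stock file before hardening.

```shell
#!/bin/sh
# Added example (not from the original post): audit a firewall file in the
# /etc/sysconfig/iptables (iptables-save) format against steps 12-14 above.
# Only the file is read; nothing is loaded into the kernel, so it can be run
# on a copy before 'service iptables restart'.

# Print FAIL:/WARN: findings for the file in $1; return 1 if any FAIL.
audit_iptables_file() {
    out=$(awk '
        # Built-in chain policies, e.g. ":INPUT DROP [0:0]" (step 12)
        /^:(INPUT|FORWARD) / && $2 != "DROP" {
            print "FAIL: policy for " substr($1, 2) " is " $2 ", expected DROP"
        }
        # An ICMP accept without --icmp-type admits every message type (step 13)
        /^-A INPUT / && /-p icmp/ && /-j ACCEPT/ && !/--icmp-type/ {
            print "FAIL: unrestricted ICMP accept: " $0
        }
        # REJECT answers the sender and is not logged (step 14)
        /^-A (INPUT|FORWARD) / && /-j REJECT/ {
            print "FAIL: REJECT still present: " $0
        }
        # Record where each chain logs and drops
        /^-A (INPUT|FORWARD) / && /-j LOG/ {
            logged[$2] = NR
            if ($0 !~ /-m limit/) nolimit[$2] = 1
        }
        /^-A (INPUT|FORWARD) / && /-j DROP/ { dropped[$2] = NR }
        END {
            n = split("INPUT FORWARD", chain, " ")
            for (i = 1; i <= n; i++) {
                c = chain[i]
                if (!(c in logged))
                    print "FAIL: " c " has no LOG rule, dropped packets will not be logged"
                else if (!(c in dropped))
                    print "FAIL: " c " logs but never drops"
                else if (dropped[c] < logged[c])
                    print "FAIL: " c " drops before it logs, so nothing is logged"
                else if (c in nolimit)
                    print "WARN: " c " LOG rule has no -m limit, a flood can fill the log"
            }
        }' "$1")
    if [ -n "$out" ]; then printf '%s\n' "$out"; fi
    case $out in *FAIL:*) return 1 ;; esac
    return 0
}

# Constructed sample: the layout the steps above arrive at.
write_hardened_sample() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -s 10.0.0.0/24 -p tcp --dport 4444 -j ACCEPT
-A INPUT -j LOG
-A INPUT -j DROP
-A FORWARD -j LOG
-A FORWARD -j DROP
COMMIT
EOF
}

# Constructed sample resembling the stock CentOS 6 file before any hardening.
write_stock_sample() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}
```

`audit_iptables_file /etc/sysconfig/iptables` lists what still deviates; the hardened layout passes with only the rate-limit warning, while the stock file fails on its ACCEPT policies, the blanket ICMP accept and the REJECT rules. The same function works on /etc/sysconfig/ip6tables, since the format is identical.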


Nov 20, 2012

Clearing orphaned and unused packages from CentOS 6.3


This is a follow on post from my guide to installing CentOS 6.2 (or you can read my updated 6.3 version) and auditing your software installs. We will go through some of the steps required to secure your server and get it ready for production use.

As always, I suggest you take this time to tighten up your machine first; run updates, turn off services, install software and harden your machine. You should also consider setting up your SSH settings.

To check which packages are left on your system just run the following command:
package-cleanup --leaves --exclude-bin
(NOTE: The --exclude-bin option means that packages with bin files are not included; to see packages with bin files just delete the option)

If you are happy with the list produced, run the modified version to delete all the files:

package-cleanup --quiet --leaves --exclude-bin | xargs yum remove -y


Nov 18, 2012

Setting up a CentOS 6.2 web server: Accounts Hardening

This is a follow on post from my guide to installing CentOS 6.2 and auditing your software installs. We will go through some of the steps required to secure your server and get it ready for production use.

These steps outline how to harden your user accounts to lessen the risk that they will be compromised (and to limit the damage that can be done if they are).
We will assume you have already created a new user account; if you haven't, just run the following commands:

adduser -m -U USERNAME
passwd USERNAME

Now let's lock down our accounts!
  1. Let's restrict root logins to the system console only. Edit /etc/securetty and remove everything except for the following:
    console
    tty1
    tty2
    ...
    tty10
    tty11
  2. Uncomment the following line in /etc/pam.d/su

    auth required pam_wheel.so use_uid

  3. Uncomment the following line in /etc/sudoers

    %wheel ALL=(ALL) ALL
  4. Add your new administrator user to the wheel group (-a appends, so any supplementary groups the user already has are kept):
    usermod -aG wheel USERNAME
  5. Now we will lock non-root system accounts and block their shell access. List the accounts by running the following (it prints each account with its UID and login shell):
    awk -F: '{print $1 ":" $3 ":" $7}' /etc/passwd
  6. Run the following commands on every non-root account with a UID less than 500:
    usermod -L account
    usermod -s /sbin/nologin account
  7. For reference, this is a list of system accounts generally created on a fresh install:
    bin
    daemon
    adm
    lp
    sync
    shutdown
    halt
    mail
    uucp
    operator
    games
    gopher
    ftp
    nobody
    dbus
    rpc
    abrt
    vcsa
    haldaemon
    saslauth
    postfix
    rpcuser
    nfsnobody
    ntp
    qemu
    radvd
    sshd
    tcpdump
    oprofile
    avahi
    rtkit
    pulse
    avahi-autoipd
    mysql
  8. Ensure passwords expire by editing /etc/login.defs
    PASS_MAX_DAYS 360
    PASS_MIN_DAYS 14

    PASS_MIN_LEN 8
    PASS_WARN_AGE 32
    For any accounts that have already been created, run the following to enforce the new rules:

    chage -M 360 -m 14 -W 7 admin
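Steps 5 and 6 can be turned into a review-first check, shown here as an added example that is not part of the original post. It reads passwd- and shadow-format files (the paths are parameters, so it runs on constructed copies), reports every non-root account below UID 500 whose password is not locked or whose shell still allows a login, and prints the usermod commands from step 6 rather than executing them. The sample files are constructed and their hash fields are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): apply the rule from steps 5-6 to
# passwd/shadow-format files and report the system accounts that still need
# attention, printing the usermod commands rather than running them.
# A system account is in order when its UID is below 500, its shadow password
# field is locked ("!" or "*" prefix) AND its shell is a non-login shell.

# $1 = passwd file, $2 = shadow file. Prints "name uid shell pw=... shell=..."
# for every non-root account below UID 500 that fails either check.
audit_system_accounts() {
    awk -F: '
        NR == FNR { locked[$1] = ($2 ~ /^[!*]/); next }   # first file: shadow
        $3 >= 500 || $1 == "root" { next }
        {
            pw    = ($1 in locked && locked[$1]) ? "locked" : "UNLOCKED"
            shell = ($7 ~ /\/(nologin|false)$/) ? "nologin" : "LOGIN"
            if (pw == "UNLOCKED" || shell == "LOGIN")
                printf "%s %s %s pw=%s shell=%s\n", $1, $3, $7, pw, shell
        }' "$2" "$1"
}

# Turn the findings into the commands from step 6, for review before running.
lock_commands() {
    audit_system_accounts "$1" "$2" | while read -r name uid shell rest; do
        case $rest in *pw=UNLOCKED*) echo "usermod -L $name" ;; esac
        case $rest in *shell=LOGIN*) echo "usermod -s /sbin/nologin $name" ;; esac
    done
}

# Constructed sample files (hash fields are placeholders, not real hashes).
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
tcpdump:x:72:72::/:/sbin/nologin
admin:x:500:500:admin:/home/admin:/bin/bash
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
EOF
}
write_sample_shadow() {
    cat > "$1" <<'EOF'
root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:15600:0:99999:7:::
bin:*:15600:0:99999:7:::
daemon:*:15600:0:99999:7:::
sync:*:15600:0:99999:7:::
shutdown:*:15600:0:99999:7:::
halt:*:15600:0:99999:7:::
ftp:*:15600:0:99999:7:::
mysql:!!:15600:0:99999:7:::
tcpdump:PLACEHOLDERHASH:15600:0:99999:7:::
admin:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:15600:0:99999:7:::
nfsnobody:*:15600:0:99999:7:::
EOF
}
```

On the sample, `lock_commands` proposes a shell change for sync, shutdown, halt and mysql (passwords already locked, shells still interactive) and a password lock for tcpdump (nologin shell, but an unlocked hash). On a real host run it as `lock_commands /etc/passwd /etc/shadow` as root, read the list, and only then execute the commands; an account that is missing from the shadow file is reported as unlocked on purpose.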


Nov 15, 2012

Setting up a CentOS 6.3 Virtual Host

This guide outlines how I set up my virtual host using CentOS 6.3 (a free rebuild of Red Hat Enterprise Linux with the branding removed). It's partially based on my previous installation guide. I also used my guide to create a bootable USB installation disk, but this guide should work equally well with the standard DVD install.

Installation

  1. Boot up your installation media (you may need to edit your BIOS to do so)
  2. Select 'Install or upgrade an existing system' from the menu
  3. Select your language and keyboard layout.
  4. Click next at the splash screen.
  5. Choose the 'Basic Storage Device' option
  6. Select the 'Fresh Installation' option
  7. Enter the host name of your new server (for best results you should append your domain name to the end so it works seamlessly with SSL certificates), e.g. testserver.example.com

    If you want to configure a static IP address click on the 'Configure Network' button, select your network card (probably eth0) and enter away.

    If you are going to use DHCP, or just don't know, just hit 'Next'
  8. Select the correct timezone for you (just click a location on the map and it should select the closest one to you).
  9. Enter an appropriate root password. Make it as long and complex as possible (long sentences with mixed character types are easier to remember than gibberish strings; for instance 'My office is situated in 1234 fake street, Fakeville!')
  10. In this example we are going to go for a custom partition layout, so select 'Create Custom Layout'. If you are fine with defaults, just skip to part .
  11. Delete all existing partitions and do the following:
    • A /boot partition of about 100MB. Use the ext4 format

    • Create a LVM Physical Volume that fills up the rest of the hard-drive

    • Create a LVM Volume Group with a Physical Extent of 4MB.

    • Create LVM Logical Volumes on the Volume group as follows (make sure you leave some free space for your Virtual machines!!):

      • Swap space that is at least equal to how much RAM is in your server
      • /tmp/ should be as big as the largest file you will be manipulating (for instance, if you are copying a DVD you will need at least 4GB)
      •  /var/log and /var/log/audit are separated so that if your log system goes haywire it does not kill the space for other applications. Dedicate a couple of gigabytes to each.
      • /home/ and /usr/ should be a few gigabytes each. /usr/ just holds your applications and should remain pretty static, while /home/ is where you will store your personal files.
      • /var/ and /var/www/ will contain the majority of space on your system. MySQL stores your database files in /var/lib/mysql/, while Apache runs from /var/www/. Dedicate adequate space to each folder.
      • Your root folder (/) will only need a few GB of space. It will mainly hold configuration files.
  12. The system will take some time to format your hard-drive. Once it is complete it will ask you to install the boot-loader. While the defaults are suitable, for extra security you should consider password protecting your boot-loader.
  13. We can now select our packages. You can customize the system to suit your needs, but for the basics just select 'Basic Server' from the menu and the 'Customize now' from the radio buttons. Hit 'Next'.
  14. Do the following edits:
    • Remove the 'Java Platform' and 'Directory Client' meta-packages
    • Add all of the Virtualization meta-packages (including client, platform and tools)
    • Because the virt-manager tool requires a GUI, you may need to install the 'X Window System' and the 'KDE Desktop'
    • From the base system, I removed packages such as hunspell and word (as well as hardware tools like RAID that I was not using)
  15. Reboot your system!

House cleaning

I suggest you take this time to tighten up your machine; run updates, turn off services, install software and harden your machine. You should also consider setting up your SSH settings.

Have a look at my guide to software package integrity checks (AIDE).


Creating our first guest

We are going to use LVM-based guests, so if you haven't left any space in your LVM volume group I suggest you use these guides to free up some space. If you have partitions you don't think you need anymore, just delete them.

You may also want to ensure that KVM is installed so that you get the benefit of its kernel and hardware virtualisation.

yum install kvm qemu-kvm qemu-kvm-tools

Now you just need to create a logical volume in the volume group to store your VM by running the following command (assuming your volume group is called VolGroup; the name lv_vm1 matches the disk path used in the next step):

lvcreate -L20G -n lv_vm1 VolGroup

To install to this new partition, just run the following command:

virt-install --connect qemu:///system -n vm1 -r 512 --vcpus=2 --disk path=/dev/VolGroup/lv_vm1 -c /path/to/installation.iso --graphics vnc --noautoconsole --os-type linux --os-variant rhel6

Note the following parameters:
  • -r specifies the RAM size
  • --vcpus specifies the number of virtual CPUs to use
  • --os-type helps to optimise the VM by specifying an operating system
  • --os-variant is an optional parameter, but helps further optimisation of the emulator.


Nov 14, 2012

Installing CentOS 6.3 from a USB mass storage device

I've done A LOT of research on this issue and I have finally been able to create a bootable USB to use for installing CentOS.

  1. Download the CentOS DVD for your system.

    (Optional: You can run the md5sum command on your download and compare the hash against that stored on the server)
  2. Clear the USB (NOTE: This is assuming your device is sdb!!! Double check, otherwise you may wipe your hard-drive!!!):

    sudo dd if=/dev/zero of=/dev/sdb bs=512 count=1
  3. Make it bootable (you can type in 'm' to show a help menu):

    sudo fdisk /dev/sdb
    >n
    >p
    >1
    >(default)
    >(default)
    >a
    >1
    >t
    >c
    >w
  4. Format the partition:

    sudo mkfs.vfat /dev/sdb1
  5. Download the livecd bash script and make it executable:

    wget http://git.fedorahosted.org/cgit/livecd/plain/tools/livecd-iso-to-disk.sh
    chmod +x livecd-iso-to-disk.sh
  6. Install the software required by the script:

    sudo apt-get install isomd5sum syslinux extlinux
  7. Run the script:

    sudo ./livecd-iso-to-disk.sh [your-dvd-iso] /dev/sdb1
  8.  Insert your USB device and run!
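Two checks a practitioner would want before the dd in step 2, as an added example that is not part of the original post: one refuses to proceed unless the kernel reports the target as a removable device with nothing mounted from it (the "wrong disk" accident the step warns about), and one verifies the ISO against the md5sum.txt published beside it (the optional check in step 1). The sysfs root and mounts file are parameters so the checks can be exercised on a constructed tree; the defaults /sys and /proc/mounts are the real locations.

```shell
#!/bin/sh
# Added example (not from the original post): two checks to run before
# overwriting the USB device. check_usb_target() refuses to proceed unless the
# kernel reports the device as removable and none of its partitions is mounted.
# verify_iso_md5() checks the downloaded ISO against the md5sum.txt CentOS
# publishes next to it ("<hash>  <filename>" per line), using only the line
# for that file, so an unrelated entry cannot mask a mismatch.

# $1 = device (e.g. /dev/sdb); $2 = sysfs root and $3 = mounts file are
# overridable so the check can be exercised on a constructed tree.
check_usb_target() {
    dev=$1; sysroot=${2:-/sys}; mounts=${3:-/proc/mounts}
    name=$(basename "$dev")
    flag="$sysroot/block/$name/removable"
    [ -r "$flag" ] || { echo "$dev: no such block device" >&2; return 2; }
    [ "$(cat "$flag")" = "1" ] || { echo "$dev: not removable, refusing" >&2; return 1; }
    if grep -q "^$dev" "$mounts"; then
        echo "$dev: has mounted partitions, unmount them first" >&2; return 1
    fi
    echo "$dev: removable and not mounted"
}

# $1 = ISO path, $2 = checksum file. Returns 0 on match, 1 on mismatch,
# 2 when the checksum file has no entry for this ISO.
verify_iso_md5() {
    iso=$1; sums=$2; name=$(basename "$iso")
    expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$sums")
    [ -n "$expected" ] || { echo "$name: no entry in $sums" >&2; return 2; }
    actual=$(md5sum "$iso" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "$name: checksum OK"; return 0
    fi
    echo "$name: checksum MISMATCH (expected $expected, got $actual)" >&2
    return 1
}
```

Typical use is `check_usb_target /dev/sdb && verify_iso_md5 CentOS.iso md5sum.txt` before running the dd and fdisk steps. An MD5 match catches a corrupted download; it does not prove the image is genuine when the checksum file was fetched from the same mirror, so take the checksums from a separately trusted source and prefer a stronger hash or a signed checksum file where the release provides one.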


Nov 12, 2012

Get page width dynamically with Javascript (or JQuery)

This quick script will display the current width of your browser window (useful for creating responsive web designs).

The HTML

Simply make a <div> element that the script will use to print out the window width:
<html>
  <body>
    <div id="dimensions">
      <span class="width"></span>
    </div>
  </body>
</html>

JQuery method

If you already use JQuery, then this is for you. If you aren't using it, you should consider it; it makes programming in Javascript a breeze!

To use this snippet, just download the JQuery library, link it into your page and add the following script:

<script>
  $("#dimensions .width").html($(window).width());
  $(window).resize(function(){
    $("#dimensions .width").html($(window).width());
  });

</script>

Javascript method

If you don't have JQuery this should work equally well:

<script>
  function displayWindowSize() {
    // innerWidth/innerHeight give the viewport size in CSS pixels;
    // the documentElement fallback covers older browsers
    var myWidth = window.innerWidth || document.documentElement.clientWidth;
    var myHeight = window.innerHeight || document.documentElement.clientHeight;
    // write into the same span the JQuery version uses; textContent avoids
    // interpreting the value as markup
    document.querySelector("#dimensions .width").textContent = myWidth + "x" + myHeight;
  }
  window.onresize = displayWindowSize;
  window.onload = displayWindowSize;
</script>
