TaskBoard is a free and open source application to keep a track of the tasks that needs to be done. It requires minimal dependencies to work. Database. Step by step guide on how to install CentOS 6. Screenshots are also included. In order to conserve the limited bandwidth available. The following mirrors should have the ISO images available. This guide is based on a minimal CentOS 7 install following the idea that you only install software that you require. For those familiar with OpenSCAP, you will. Cent. OS 7 Server Hardening Guide Lisenet. Linux Security. This guide is based on a minimal Cent. OS 7 install following the idea that you only install software that you require. For those familiar with Open. SCAP, you will notice the guide divided into two major sections System Settings and Services. This tutorial will show you how to install the latest version of Python 2 and Python 3 on CentOS 6. You can also use it to install the latest version of Python 3 on. In this guide, we will explain how to install, configure and secure a FTP server VSFTPD in CentOSRHEL 7 and Fedora distributions. Install Apache Maven Fedora. Install Apache Maven CentOS RedHat. Apache Maven Installation on CentOS 765. How to Install Apache Maven on Linux. How To Install Ftp In Centos 5 Download' title='How To Install Ftp In Centos 5 Download' />The first part contains rules that check system settings, where the second part is aimed towards hardening services. General disclaimer applies do not implement changes to production systems unless you understand what they do. System Settings Disk Partitioning and Post installation. Disk Encryption with Kickstart. The easiest way to encrypt a partition is during Kickstart installation. This can be achieved by adding the encrypted and passphrase options to the definition of a physical LVM volume. Our Kickstart template is provided below. Cent. OS7 System authorisation information. Use CDROM installation media. Keyboard layouts. System language. lang enGB. UTF 8. selinux enforcing. Network information. Plaintext root password Please. Change. Me. rootpw iscrypted 6n. S0m. BJy. SqQg. Cof. Wr. T9. W3qng. TISue. SDh. DHVNnt. Dqd. Ocgm. Hp. 2lq. 4fni. Ubj. Cmo. Ezaf. 3EWQ2x. IZa. OXkf. Nt. Jw. System timezone. timezone EuropeLondon is. Utc. System bootloader configuration. Partition clearing information. Disk partitioning information Journal for boot is not required therefore ext. GB physical volume. Please. Change. Me. To. Something. Else. Need the ability to shrink filesystems therefore ext. Partition Scheme. Keep the following partitions separate boot, home, tmp, var, varlog, vartmp, varlogaudit, varwww. Placing these in their own partitions gives more control over mount options. It also ensures that the system cannot be halted because of some partition running out of disk space. Splitting off opt depends on a setup and is generally not useful, but not harmful either. Post installation. Backup a LUKS header, where devsda. LUKS encrypted partition cryptsetup luks. Header. Backup devsda. Ensure that the backup file is stored off site and then removed from the server. Make sure that the system is up to date yum update. Remove packages which you dont require on a server, e. Win. TV, wireless drivers etc. 80 Plus Vista Ultimate Icons Of Evolution. System Settings File Permissions and Masks. Restrict Partition Mount Options. Partitions should have hardened mount options boot rw,nodev,noexec,nosuidhome rw,nodev,nosuidtmp rw,nodev,noexec,nosuidvar rw,nosuidvarlog rw,nodev,noexec,nosuidvarlogaudit rw,nodev,noexec,nosuidvarwww rw,nodev,nosuid. As a rule of thumb, malicious applications usually write to tmp and then attempt to run whatever was written. A way to prevent this is to mount tmp on a separate partition with the options noexec, nodev and nosuid enabled. This will deny binary execution from tmp, disable any binary to be suid root, and disable any block devices from being created. The storage location vartmp should be bind mounted to tmp, as having multiple locations for temporary storage is not required tmp vartmp none rw,nodev,noexec,nosuid,bind 0 0. The same applies to shared memory devshm tmpfs devshm tmpfs rw,nodev,noexec,nosuid 0 0. The proc pseudo filesystem proc should be mounted with hidepid. When setting hidepid to 2, directories entries in proc will hidden. Harden removeable media mounts by adding nodev, noexec and nosuid, e. Restrict Dynamic Mounting and Unmounting of Filesystems. Add the following to etcmodprobe. Depending on a setup if you dont run clusters, NFS, CIFS etc, you may consider disabling the following too install fat bintrue. It is wise to leave ext. Prevent Users Mounting USB Storage. Add the following to etcmodprobe. USB and Fire. Wire storage drivers blacklist usb storage. Disable USB authorisation. Create a file optusb auth. If more than one USB device is available, then add them all. Create a service file etcsystemdsystemusb auth. Unit. DescriptionDisable USB auth. Default. Dependenciesno. Exec. Startbinbash optusb auth. Wanted. Bymulti user. Set permissions, enable and start the service chmod 0. If required, disable kernel support for USB via bootloader configuration. To do so, append nousb to the kernel line GRUBCMDLINELINUX in etcdefaultgrub and generate the Grub. Note that disabling all kernel support for USB will likely cause problems for systems with USB based keyboards etc. Restrict Programs from Dangerous Execution Patterns. Configure etcsysctl. Disable core dumps. Disable System Request debugging functionality. Restrict access to kernel logs. Enable Exec. Shield protection. Randomise memory space. Hide kernel pointers. Load sysctl settings sysctp p. Set UMASK 0. 27. The following files require umask hardening etcbashrc, etccsh. Sed one liner sed i e sumask 0. Disable Core Dumps. Open etcsecuritylimits. Set Security Limits to Prevent Do. SAdd the following to etcsecuritylimits. Soft limit 3. 2GB, hard 6. GB. soft fsize 3. Limits for root. root soft nofile 4. Verify Permissions of Files. Ensure that all files are owned by a user find ignorereaddirrace nouser print exec chown root Ensure that all files are owned by a group find ignorereaddirrace nogroup print exec chgrp root Automate the process by creating a cron file etccron. Set ownership and permissions chown root root etccron. Monitor SUIDGUID Files. Search for setuidsetgid files and identify if all are required find xdev type f perm 4. System Settings Firewall and Network Configuration. Firewall. Setting the default firewalld zone to drop makes any packets which are not explicitly permitted to be rejected. Default. Zone. Default. Zonedropg etcfirewalldfirewalld. Unless firewalld is required, mask it and replace with iptables systemctl stop firewalld. Add the following to etcsysconfigiptables to allow only minimal outgoing traffic DNS, NTP, HTTPS and SMTPS ilter. P INPUT ACCEPT. P FORWARD DROP. P OUTPUT ACCEPT. A INPUT i lo m comment comment local j ACCEPT. A INPUT d 1. 27. REJECT reject with icmp port unreachable. A INPUT m conntrack ctstate RELATED,ESTABLISHED j ACCEPT. A INPUT p tcp m tcp m conntrack ctstate NEW dport 2. ACCEPT. A INPUT p tcp m tcp m conntrack ctstate NEW dport 2. ACCEPT. A INPUT p tcp m tcp m conntrack ctstate NEW dport 2. ACCEPT. A INPUT p tcp m tcp m conntrack ctstate NEW dport 2. ACCEPT. A INPUT j DROP. A OUTPUT d 1. 27. ACCEPT. A OUTPUT m conntrack ctstate RELATED,ESTABLISHED j ACCEPT. A OUTPUT p icmp m icmp icmp type any j ACCEPT. A OUTPUT p udp m udp m conntrack ctstate NEW dport 5. ACCEPT. A OUTPUT p tcp m tcp m conntrack ctstate NEW dport 5. ACCEPT. A OUTPUT p udp m udp m conntrack ctstate NEW dport 1. ACCEPT. A OUTPUT p tcp m tcp m conntrack ctstate NEW dport 8. ACCEPT. A OUTPUT p tcp m tcp m conntrack ctstate NEW dport 4. ACCEPT. A OUTPUT p tcp m tcp m conntrack ctstate NEW dport 5. ACCEPT. A OUTPUT j LOG log prefix iptablesoutput. A OUTPUT j REJECT reject with icmp port unreachable. COMMITNote that the rule allowing all incoming SSH traffic should be removed restricting access to an IP whitelist only, or hiding SSH behind a VPN. Add the following to etcsysconfigip. IPv. 6 ilter. P FORWARD DROP. COMMITApply configurations iptables restore lt etcsysconfigiptables. TCP Wrappers. Open etchosts. SSH ALL 1. 27. 0. ALLThe file etchosts. ALL ALL3. 3 Kernel Parameters Which Affect Networking. Open etcsysctl. Disable packet forwarding. Disable redirects, not a router. Disable source routing. Enable source validation by reversed path. Log packets with impossible addresses to kernel log. Disable ICMP broadcasts. Ignore bogus ICMP errors.