Complete CentOS secure server setup

Disable unnecessary services. Type as root:

setup

Choose "System services" and uncheck:

anacron
atd
auditd
cpuspeed
kudzu
mcstrans
netfs
pcscd
portmap

Note that auditd is the kernel audit daemon: with it off the server keeps no audit trail, so leave it enabled if you need one or must meet a compliance baseline. portmap is only needed by NFS and other RPC services, which unchecking netfs already assumes you are not using.

Update all software:

yum update

Disable IPv6. Edit /etc/sysconfig/network and set:

NETWORKING_IPV6=no
HOSTNAME=sscserver

After that add the following to /etc/modprobe.conf:

alias ipv6 off
alias net-pf-10 off

and reboot:

reboot
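As an added check for the steps above (an example script written for this edit, not part of the original guide or of CentOS), the following POSIX shell functions take a saved copy of the output of chkconfig --list plus the two files edited above, and report which of the services unchecked in setup are still enabled in runlevels 2, 3 or 5 and whether the IPv6 settings are in place. Reading everything from file paths given as arguments is an assumption made so the script can be run against fixtures as well as the live system.

```shell
#!/bin/sh
# Added example, not from the original guide: audit the "disable services"
# and "disable IPv6" steps. Inputs are file paths so it also runs on copies:
#   chkconfig --list > /tmp/chk.txt
#   sh audit_base.sh /tmp/chk.txt /etc/sysconfig/network /etc/modprobe.conf

# Services the guide unchecks in "setup".
GUIDE_DISABLED="anacron atd auditd cpuspeed kudzu mcstrans netfs pcscd portmap"

# enabled_services CHKCONFIG_LIST_FILE
# "chkconfig --list" prints: name 0:off 1:off 2:on 3:on 4:on 5:on 6:off,
# so runlevels 2, 3 and 5 are fields 4, 5 and 7. xinetd entries
# ("    name:  on") have no such fields and are ignored.
enabled_services() {
    awk '$4 == "2:on" || $5 == "3:on" || $7 == "5:on" { print $1 }' "$1"
}

# still_enabled CHKCONFIG_LIST_FILE
# Prints every service from GUIDE_DISABLED that is still on; returns 1 if any.
still_enabled() {
    found=0
    for svc in $(enabled_services "$1"); do
        for want_off in $GUIDE_DISABLED; do
            if [ "$svc" = "$want_off" ]; then
                echo "$svc"
                found=1
            fi
        done
    done
    return $found
}

# ipv6_disabled NETWORK_FILE MODPROBE_FILE
# Returns 0 only if the sysconfig flag and both modprobe aliases are present.
ipv6_disabled() {
    grep -Eq '^[[:space:]]*NETWORKING_IPV6="?no"?[[:space:]]*$' "$1" &&
    grep -Eq '^[[:space:]]*alias[[:space:]]+ipv6[[:space:]]+off' "$2" &&
    grep -Eq '^[[:space:]]*alias[[:space:]]+net-pf-10[[:space:]]+off' "$2"
}

# Run the full audit when invoked with the three paths as arguments.
if [ "$#" -eq 3 ]; then
    if still_enabled "$1"; then
        echo "ok: none of the services the guide disables are enabled"
    else
        echo "FAIL: the services listed above are still enabled"
    fi
    if ipv6_disabled "$2" "$3"; then
        echo "ok: IPv6 is disabled"
    else
        echo "FAIL: IPv6 settings are incomplete"
    fi
fi
```

Run it after the reboot; anything it lists under FAIL was either re-enabled by a package update or never saved from setup.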

After the above steps, follow the guide Install and secure LAMP on CentOS.

Install Webmin. Navigate to http://www.webmin.com/download.html and download the current RPM package (the version shown here is the one that was current when this guide was written):

wget http://prdownloads.sourceforge.net/webadmin/webmin-1.470-1.noarch.rpm
rpm -ivh webmin-1.470-1.noarch.rpm

Point your browser to http://ip.address:10000 and log in with your root password. Webmin runs as root, so do not leave port 10000 reachable from the Internet: restrict it to your management addresses in the firewall (see the CSF guide below) and use https:// rather than http:// so the root password is not sent in clear. Webmin enables SSL by default when the Perl Net::SSLeay module is installed.

Secure server. Change your root password:

passwd

For security reasons we will add a new user sscadmin for administration purposes:

adduser sscadmin && passwd sscadmin

Add the user sscadmin to the wheel group:

usermod -a -G wheel sscadmin

User sscadmin will use sudo for administrative tasks. Ensure the wheel group has the correct privileges. Run:

visudo

and uncomment the line:

%wheel ALL=(ALL) ALL

to allow members of group wheel full sudo privileges (they still have to enter their own password; do not use the NOPASSWD variant just below it).
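As an added check for the sudo setup above (an example script written for this edit, not part of the original guide or of sudo), these POSIX shell functions verify that the %wheel line is active, that the weaker NOPASSWD variant is not, and that the administrative user really is in wheel. They read a sudoers file and a group file given as arguments, an assumption made so they can be exercised on copies or fixtures as well as on /etc/sudoers and /etc/group.

```shell
#!/bin/sh
# Added example, not from the original guide: verify the sudo/wheel setup
# against a sudoers file and a group file. Paths are arguments so the
# functions can be exercised on copies or fixtures as well as the live files:
#   sh audit_sudo.sh sscadmin /etc/sudoers /etc/group   (as root)

# wheel_sudo_enabled SUDOERS_FILE
# 0 if an uncommented "%wheel ALL=(ALL) ALL" line is present.
wheel_sudo_enabled() {
    grep -Eq '^[[:space:]]*%wheel[[:space:]]+ALL=\(ALL\)[[:space:]]+ALL[[:space:]]*$' "$1"
}

# wheel_nopasswd_enabled SUDOERS_FILE
# 0 if the passwordless variant is active, which is weaker than what the guide
# wants: anyone who hijacks a wheel member's session gets root with no password.
wheel_nopasswd_enabled() {
    grep -Eq '^[[:space:]]*%wheel[[:space:]]+ALL=\(ALL\)[[:space:]]+NOPASSWD:' "$1"
}

# user_in_wheel USER GROUP_FILE
# 0 if USER is listed as a member of wheel in GROUP_FILE (name:x:gid:members).
user_in_wheel() {
    awk -F: '$1 == "wheel" { print $4 }' "$2" | tr ',' '\n' | grep -qx "$1"
}

# audit_sudo_setup USER SUDOERS_FILE GROUP_FILE
# Prints one line per check; returns 0 only if everything is as the guide intends.
audit_sudo_setup() {
    rc=0
    if wheel_sudo_enabled "$2"; then
        echo "ok: %wheel sudo line is active in $2"
    else
        echo "FAIL: %wheel ALL=(ALL) ALL is missing or commented out in $2"
        rc=1
    fi
    if wheel_nopasswd_enabled "$2"; then
        echo "WARN: passwordless NOPASSWD rule for %wheel is active in $2"
        rc=1
    fi
    if user_in_wheel "$1" "$3"; then
        echo "ok: $1 is a member of wheel"
    else
        echo "FAIL: $1 is not a member of wheel"
        rc=1
    fi
    return $rc
}

if [ "$#" -eq 3 ]; then
    audit_sudo_setup "$1" "$2" "$3"
fi
```

The check deliberately reads the files rather than calling sudo -l, so it can be run before the new user ever logs in and from a host that only has a copy of the files.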

To secure SSH access to the server follow the guide Secure existing OpenSSH installation.

The next step is to secure the temporary folders. Follow the guide Secure temporary folders on existing Unix or Linux systems.

If you want to harden your server, follow the guide Server Hardening with ConfigServer Security & Firewall (CSF)

Install PostgreSQL database server

yum install postgresql postgresql-server

Start it and set it to run at startup:

service postgresql start
chkconfig postgresql on

Connect to PostgreSQL server:

su - postgres
psql -d template1 -U postgres

You'll get the following output:

Welcome to psql 8.1.11, the PostgreSQL interactive terminal.

Type:  \copyright for distribution terms
       \h for help with SQL commands
       \? for help with psql commands
       \g or terminate with semicolon to execute query
       \q to quit

template1=#

Install Postfix and remove Sendmail:

yum install postfix
yum remove sendmail

Edit the Postfix configuration file /etc/postfix/main.cf and set the following parameters. smtpd_tls_auth_only is set to yes so that the PLAIN and LOGIN mechanisms configured for SASL below are only offered after STARTTLS and passwords never cross the network in clear:

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.3.3/samples
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_security_options = noanonymous
mynetworks = 127.0.0.0/8
smtpd_tls_auth_only = yes
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
myhostname = domain.tld

Replace domain.tld with the server's real host name. Keep mynetworks limited to the loopback network and keep reject_unauth_destination after the two permit_ entries in smtpd_recipient_restrictions: a client that is neither local nor authenticated may then only deliver to the domains in mydestination, never relay through you.

Setup SASL + TLS to authenticate users. Install the required software:

yum install cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi cyrus-sasl-md5 \
    cyrus-sasl-plain

Edit the SASL configuration file for smtpd to allow the plain and login mechanisms (on x86_64 the directory is /usr/lib64/sasl2 rather than /usr/lib/sasl2):

nano -w /usr/lib/sasl2/smtpd.conf

and add the following:

pwcheck_method: saslauthd
mech_list: plain login

saslauthd on CentOS checks credentials against PAM by default (MECH=pam in /etc/sysconfig/saslauthd), so mail users are ordinary system accounts. Both PLAIN and LOGIN transmit the password as-is, which is why Postfix must only offer them inside a STARTTLS session (smtpd_tls_auth_only = yes).

Create the certificates for TLS. The CA key created first signs the server certificate, so the cacert.pem referenced by smtpd_tls_CAfile is the real issuer of smtpd.crt. The server key is generated unencrypted because Postfix has to read it at startup without a passphrase; 2048-bit RSA is used because 1024-bit keys are no longer considered adequate:

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
# private CA (the CA key is passphrase protected; keep it off the server if you can)
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
chmod 600 cakey.pem
# unencrypted server key and a signing request for it
openssl genrsa -out smtpd.key 2048
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
# sign the request with the CA
openssl x509 -req -days 3650 -in smtpd.csr -CA cacert.pem -CAkey cakey.pem -CAcreateserial -out smtpd.crt

Install Dovecot:

yum install dovecot

Open the Dovecot config file /etc/dovecot.conf and set the protocols line to:

protocols = imap imaps pop3 pop3s

The imaps and pop3s listeners use the certificate and key named by ssl_cert_file and ssl_key_file in the same file, so point those at a certificate for your host name before exposing the server, and drop the plaintext imap and pop3 entries if all of your clients can use the SSL ports.

Install Squirrelmail and set it up under Apache. Open /etc/httpd/conf/httpd.conf and insert the following lines (Options -Indexes disables directory listings so the contents of the SquirrelMail tree, including its config directory, are not browsable):

Alias /squirrelmail "/usr/share/squirrelmail"
<Directory /usr/share/squirrelmail/>
    Options -Indexes
    AllowOverride None
    DirectoryIndex index.php
    Order allow,deny
    Allow from all
</Directory>

Run the configuration utility, open Server Settings, set the domain to domain.tld and set the "Sendmail or SMTP" option to SMTP:

/usr/share/squirrelmail/config/conf.pl

Start the mail services and restart Apache so it picks up the SquirrelMail alias:

service postfix start
service dovecot start
service saslauthd start
service httpd restart
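As an added check on the main.cf listing and the SASL mech_list above (an example script written for this edit, not part of the original guide or of Postfix), the following POSIX shell functions read a main.cf, flag the settings that would let SASL passwords travel in clear or turn the host into a relay, and rewrite a single parameter so a weak setting can be corrected in place. Reading and writing a file given as an argument is an assumption made so the script can be run on a copy or a fixture as well as on /etc/postfix/main.cf; after changing the live file run postfix reload as usual.

```shell
#!/bin/sh
# Added example, not from the original guide or from Postfix: read a main.cf,
# flag settings that weaken SMTP AUTH or relaying, and rewrite one parameter.
# The path is an argument so it runs on copies or fixtures:
#   sh audit_postfix.sh /etc/postfix/main.cf
#   pf_set smtpd_tls_auth_only yes /etc/postfix/main.cf

# pf_get PARAM FILE: print PARAM's value. Handles "key = value" lines plus
# continuation lines (leading whitespace); the last assignment wins, as in Postfix.
pf_get() {
    awk -v key="$1" '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ { if (k == key) val = (val == "" ? trim($0) : val " " trim($0)); next }
        index($0, "=") == 0 { next }
        {
            k = trim(substr($0, 1, index($0, "=") - 1))
            if (k == key) val = trim(substr($0, index($0, "=") + 1))
        }
        END { print val }' "$2"
}

# pf_set PARAM VALUE FILE: replace every assignment of PARAM (and its
# continuation lines) with "PARAM = VALUE", appending it if PARAM is absent.
pf_set() {
    awk -v key="$1" -v value="$2" '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        skip && /^[ \t]/ { next }
        { skip = 0 }
        !/^[ \t]/ && index($0, "=") > 0 && trim(substr($0, 1, index($0, "=") - 1)) == key {
            print key " = " value; done = 1; skip = 1; next
        }
        { print }
        END { if (!done) print key " = " value }' "$3" > "$3.tmp" && mv "$3.tmp" "$3"
}

# audit_main_cf FILE: print findings, return 0 if none.
audit_main_cf() {
    f="$1"; rc=0
    # PLAIN/LOGIN carry the password as-is; only offer AUTH inside STARTTLS.
    if [ "$(pf_get smtpd_sasl_auth_enable "$f")" = "yes" ] &&
       [ "$(pf_get smtpd_tls_auth_only "$f")" != "yes" ]; then
        echo "FAIL: smtpd_tls_auth_only is not yes: SASL passwords can be sent in clear"; rc=1
    fi
    if [ "$(pf_get smtpd_use_tls "$f")" != "yes" ]; then
        echo "FAIL: smtpd_use_tls is not yes: STARTTLS is not offered"; rc=1
    fi
    case "$(pf_get smtpd_recipient_restrictions "$f")" in
        *reject_unauth_destination*) ;;
        *) echo "FAIL: smtpd_recipient_restrictions lacks reject_unauth_destination"; rc=1 ;;
    esac
    case "$(pf_get mynetworks "$f")" in
        *0.0.0.0/0*) echo "FAIL: mynetworks trusts every address: open relay"; rc=1 ;;
    esac
    case "$(pf_get smtpd_sasl_security_options "$f")" in
        *noanonymous*) ;;
        *) echo "FAIL: smtpd_sasl_security_options lacks noanonymous"; rc=1 ;;
    esac
    if [ "$rc" -eq 0 ]; then echo "ok: no weak settings found in $f"; fi
    return $rc
}

if [ "$#" -ge 1 ]; then
    audit_main_cf "$1"
fi
```

pf_get mirrors how Postfix itself reads main.cf (continuation lines start with whitespace, the last assignment wins), so what the audit sees is what postconf -n would report; run that afterwards to confirm.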

Create a local user to test the email with. The /sbin/nologin shell keeps the account mail-only: it can authenticate to Postfix, Dovecot and SquirrelMail through PAM but gets no interactive shell:

adduser dima -s /sbin/nologin

Update a password for it:

passwd dima

To test the email, open Squirrelmail and log in with that username and password.

Make the email services run at startup:

chkconfig --levels 235 sendmail off
chkconfig --levels 235 postfix on
chkconfig --levels 235 saslauthd on
chkconfig --levels 235 dovecot on

If sendmail was already removed above, the first line reports that the service does not exist; that is expected and can be ignored.