john pfeiffer

CentOS 6.3 minimal secure server

CentOS 6.3 minimal (intended targets are virtual and cloud environments; less installed = more secure)

use the minimal-install.iso (custom layout: a single root partition, no swap, no LVM), choose UTC please, and yay, it comes with sshd by default =)

At the boot screen ("Install or upgrade..."), press TAB and add "text" to the end of the command line containing vmlinuz, so it ends with: ... vmlinuz text

login: root ...

sed 's/ONBOOT="no"/ONBOOT="yes"/g' -i /etc/sysconfig/network-scripts/ifcfg-eth0

# remove default system accounts this server will never use
userdel ftp
userdel games
userdel gopher
userdel halt
userdel operator
userdel shutdown
userdel uucp

ifup eth0
yum update -y
yum install sudo -y

rpm -qa | sort > /root/minimal-installation.txt

yum remove lvm2*   # unnecessary hard drive partitioning system
yum remove nfs*    # nfs (legacy file sharing)
yum remove iscsi*  # scsi over internet (also removes dracut-network)
yum remove fcoe*   # fibre channel over ethernet
yum remove lldpad* # for fibre channel over ethernet

rpm -qa | sort > /root/minimal-installation.txt
chkconfig --list > /root/services.txt

cp -a /etc/grub.conf /etc/grub.conf.original
vi /etc/grub.conf
  # comment out the splashimage line
  # at the end of the kernel /boot/.... line delete both rhgb and quiet
  # so the kernel line ends with: kernel /boot/.... KEYTABLE=us rd_NO_DM

chkconfig rpcbind off # rpcbind = server that converts RPC program numbers into universal addresses (make RPC calls on a server on that machine); chkconfig takes "off" without dashes

# blacklist the wireless and FCoE kernel modules; modprobe's blacklist directive takes a module name, not a file path, so strip the directory and the .ko suffix
for i in $(find /lib/modules/$(uname -r)/kernel/drivers/net/wireless -name "*.ko" -type f) ; do echo blacklist $(basename $i .ko) >> /etc/modprobe.d/blacklist-wireless.conf ; done
for i in $(find /lib/modules/$(uname -r)/kernel/drivers/scsi/fcoe -name "*.ko" -type f) ; do echo blacklist $(basename $i .ko) >> /etc/modprobe.d/blacklist-fcoe.conf ; done


sed -i 's/1-6/1/g' /etc/sysconfig/init        # only a single getty available
sed -i 's/1-6/1/g' /etc/init/start-ttys.conf  # only a single getty available

chmod 700 /root
chmod 700 /var/log/audit

echo "net.ipv4.tcp_timestamps = 0" >> /etc/sysctl.conf
echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf
echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.conf

useradd -s /bin/bash -m NEWUSERNAME # make a new user with bash shell and default home directory
passwd NEWUSERNAME                  # set the initial password, otherwise the user is locked out

sed 's/#PermitRootLogin yes/PermitRootLogin no/g' -i /etc/ssh/sshd_config
sed 's/#MaxAuthTries 6/MaxAuthTries 3/g' -i /etc/ssh/sshd_config
echo "AllowUsers NEWUSERNAME" >> /etc/ssh/sshd_config
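The sed edits above only match the stock comment text; if a line was already uncommented or worded differently they silently change nothing, and a plain grep can be fooled by a commented-out "no". This added check (example code, not from the original post) reads the file the way sshd does and reports which of the post's three settings are not in effect; NEWUSERNAME is the post's placeholder and the two sample files are constructed.

```shell
#!/bin/sh
# Added check (not from the original post): verify that the sshd_config edits above
# are what sshd will actually use. The seds only match the stock comment text
# ("#PermitRootLogin yes") and silently change nothing if a line differs. sshd honours
# the FIRST active occurrence of a keyword; AllowUsers instead accumulates across lines.

# Print every active (non-comment) value of KEYWORD ($2) in FILE ($1), one per line.
sshd_values() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print }
    ' "$1"
}

# Return 0 if FILE enforces the post's settings for USER, else print each problem and return 1.
check_sshd_config() {
    file="$1"; user="$2"; rc=0
    root=$(sshd_values "$file" PermitRootLogin | head -n 1)
    [ "$root" = "no" ] || { echo "PermitRootLogin is '${root:-unset (default yes)}', expected no"; rc=1; }
    tries=$(sshd_values "$file" MaxAuthTries | head -n 1)
    [ "${tries:-6}" -le 3 ] 2>/dev/null || { echo "MaxAuthTries is '${tries:-unset (default 6)}', expected 3 or less"; rc=1; }
    allowed=" $(sshd_values "$file" AllowUsers | tr '\n' ' ')"
    case "$allowed" in
        *" $user "*) ;;
        *) echo "AllowUsers does not list $user (got:$allowed)"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample 1: a stock CentOS 6 file after the post's sed/echo edits.
GOOD=$(mktemp)
cat > "$GOOD" <<'EOF'
PermitRootLogin no
MaxAuthTries 3
AllowUsers NEWUSERNAME
EOF

# Constructed sample 2: defaults were already uncommented so the sed patterns never
# matched; the commented "no" further down would fool a plain grep.
BAD=$(mktemp)
cat > "$BAD" <<'EOF'
PermitRootLogin yes
MaxAuthTries 6
#PermitRootLogin no
AllowUsers NEWUSERNAME
EOF

for f in "$GOOD" "$BAD"; do
    if check_sshd_config "$f" NEWUSERNAME; then echo "$f: OK"; else echo "$f: needs fixing"; fi
done
```

Point it at /etc/ssh/sshd_config on the real box; sshd only picks the values up after it is restarted.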


rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-5.noarch.rpm

yum repolist

yum install gcc make


optionally fail2ban to block ssh brute force attempts



Published

Feb 13, 2013

Category

linux
