====== Linux Debian Installation Best practice ======

===== Partitioning =====

By separating file systems into various partitions, you can fine tune permissions and functionality. Doing so will provide you greater granularity for permissions, as well as adding a layer of security for any potential bad guys to work through.   

Steve Grubb suggests, and quite rightly so, that areas where users have write privileges be kept on their own partition. This allows you to prevent hard link privilege escalation attempts, prevent creative device additions, and other unsavory behavior.

Once you have your partitions broken out and sized accordingly, you can begin to restrict the various mount points as much as possible. You should add nodev, noexec, and nosuid wherever possible. An example of a decently restricted /etc/fstab file is below:

    Disk OS with LVM (required)
    Disks data with LVM (required)
	

^ ^type^name^size^mount point^
|disk 1 (18GB)|static|/dev/sda1|512M|/boot|
| |LVM|/dev/mapper/rootvg-root|2G|/|
| |LVM|/dev/mapper/rootvg-usr|6G|/usr|
| |LVM|/dev/mapper/rootvg-var|2G|/var|
| |LVM|/dev/mapper/rootvg-opt|1G|/opt|
| |LVM|/dev/mapper/rootvg-tmp|2G|/tmp|
| |LVM|/dev/mapper/rootvg-home|2G|/home|
| |LVM|/dev/mapper/rootvg-swap|2G|swap|
 
| |disk2|LVM|/dev/mapper/datavg-data|10G|/data|

==== Modifying fstab ====

Once you have your partitions broken out and sized accordingly, you can begin to restrict the various mount points as much as possible. You should add nodev, noexec, and nosuid wherever possible. 

**An example of a decently restricted /etc/fstab file is below:**   

<code>
/dev/mapper/rootvg-root /                       ext4    defaults        1 1
/dev/sda1               /boot                   ext4    defaults,nosuid,noexec,nodev        1 2
/dev/mapper/rootvg-home /home                   ext4    defaults,nosuid,nodev        1 2
/dev/mapper/rootvg-opt  /opt                    ext4    defaults        1 2
/dev/mapper/rootvg-tmp  /tmp                    ext4    defaults,nosuid,noexec,nodev        1 2
/dev/mapper/rootvg-usr  /usr                    ext4    defaults        1 2
/dev/mapper/rootvg-var  /var                    ext4    defaults,nosuid        1 2
/dev/mapper/rootvg-swap swap                    swap    defaults        0 0
/dev/mapper/reposvg-reposlv /repos              ext4    defaults        1 2
/dev/mapper/reposvg-repcentoslv /repos/CentOS   ext4    defaults        1 2
/dev/mapper/reposvg-weblv        /var/www ext4      defaults,nosuid,nodev  1 2
</code>

===== Install additional packages =====

Adapt the yum repositories in /etc/yum.repos.d/ to be able to reach the right repositories\\
Add ntp and net-tools (for ifconfig command), and other utilities
  aptitude install ntp
  aptitude install telnet               #(client only to debug)
  aptitude install net-tools            #(ifconfig, arp, netstat)
  aptitude install lsof
  aptitude install mlocate              #(locate)
  aptitude install dnsutils             #(host, nslookup)
  aptitude install open-vm-tools        #(VMware Tools, opensource package)
  aptitude install sg3_utils            #(scsi-rescan)
  aptitude install nmon                 #(scsi-rescan)
  aptitude install cpulimit             #(limit CPU usage per process)

===== List and remove unused services =====

Services to remove : mpt-statusd (check RAID status, if you have a virtual machine)...
<cli prompt='#'>
root@debian7:/etc# for svc in mpt-statusd
do
update-rc.d $svc disable
update-rc.d $svc stop
done
</cli>

List the services:
<cli prompt='#'>
root@debian7:/etc# service --status-all
 [ + ]  acpid
 [ ? ]  alsa-utils
 [ - ]  anacron
 [ + ]  apache2
 [ + ]  atd
 [ + ]  avahi-daemon
 [ ? ]  binfmt-support
 [ - ]  bluetooth
 [ - ]  bootlogs
 [ ? ]  bootmisc.sh
 [ ? ]  checkfs.sh
 [ ? ]  checkroot-bootclean.sh
 [ - ]  checkroot.sh
 [ ? ]  ...
</cli>

==== Comment entry in /etc/inittab ====

Comment ctrl-alt-del, very useful to prevent Windows user from rebooting !!!
<cli prompt='#'>
root@timesrv01:/etc/init.d# cat /etc/inittab
...
# What to do when CTRL-ALT-DEL is pressed.
#ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
...
</cli>

==== Install ntp package and enable some services ====

network, ntpd, and if needed iptable
<cli prompt='#'>
root@debian7:/etc# for svc in ntp
do
update-rc.d $svc enable
update-rc.d $svc start
done
</cli>

==== Remove services that are in LISTEN state ====

In this example, you could disable the rpcbind service
<cli prompt='#'>
[root@centos7 ~]# netstat -an | grep LIST
tcp        0      0 0.0.0.0:51579           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 192.168.22.136:80       0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
unix  2      [ ACC ]     STREAM     LISTENING     14412    @ISCSIADM_ABSTRACT_NAMESPACE
unix  2      [ ACC ]     STREAM     LISTENING     10242    /run/lvm/lvmetad.socket
unix  2      [ ACC ]     STREAM     LISTENING     16930    @/tmp/dbus-wEGN6K01Pn
unix  2      [ ACC ]     STREAM     LISTENING     16307    /tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     17599    /tmp/.ICE-unix/1146
unix  2      [ ACC ]     SEQPACKET  LISTENING     10256    /run/udev/control
unix  2      [ ACC ]     STREAM     LISTENING     15164    /var/run/lsm/ipc/sim
unix  2      [ ACC ]     STREAM     LISTENING     15166    /var/run/lsm/ipc/simc
unix  2      [ ACC ]     STREAM     LISTENING     14413    @ISCSID_UIP_ABSTRACT_NAMESPACE
unix  2      [ ACC ]     STREAM     LISTENING     14414    /var/run/avahi-daemon/socket
unix  2      [ ACC ]     STREAM     LISTENING     14417    /var/run/rpcbind.sock
unix  2      [ ACC ]     STREAM     LISTENING     16306    @/tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     8042     /run/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     18796    /run/user/42/pulse/native
unix  2      [ ACC ]     STREAM     LISTENING     1388     /run/systemd/journal/stdout
unix  2      [ ACC ]     STREAM     LISTENING     17778    /var/run/rpcbind.sock
unix  2      [ ACC ]     STREAM     LISTENING     14458    /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     18556    /var/run/libvirt/libvirt-sock
unix  2      [ ACC ]     STREAM     LISTENING     18558    /var/run/libvirt/libvirt-sock-ro
unix  2      [ ACC ]     STREAM     LISTENING     17598    @/tmp/.ICE-unix/1146
unix  2      [ ACC ]     STREAM     LISTENING     16036    /var/run/abrt/abrt.socket
unix  2      [ ACC ]     STREAM     LISTENING     17418    @/tmp/dbus-0PYMRpYu
unix  2      [ ACC ]     STREAM     LISTENING     16892    @/tmp/dbus-bKDTQeVf
unix  2      [ ACC ]     STREAM     LISTENING     16893    @/tmp/dbus-Skwj1TBB
unix  2      [ ACC ]     STREAM     LISTENING     17543    @/tmp/dbus-qVKMoS2bff
unix  2      [ ACC ]     STREAM     LISTENING     18410    @/tmp/dbus-V9cHUqaM
unix  2      [ ACC ]     STREAM     LISTENING     17419    @/tmp/dbus-9XjDfCN8
[root@centos7 ~]# lsof -i :111
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
rpcbind 1243  rpc    7u  IPv4  17780      0t0  UDP *:sunrpc
rpcbind 1243  rpc    9u  IPv4  17782      0t0  TCP *:sunrpc (LISTEN)
root@timesrv01:~# lsof -i :111
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
rpcbind 1243  rpc    7u  IPv4  17780      0t0  UDP *:sunrpc
rpcbind 1243  rpc    9u  IPv4  17782      0t0  TCP *:sunrpc (LISTEN)
root@timesrv01:~# runlevel
N 2
root@timesrv01:/etc/rc2.d# ls -l
 -rw-r--r--  1 root root  677 Feb  8  2013 README
0 lrwxrwxrwx  1 root root   14 May 23  2013 S01motd -> ../init.d/motd
0 lrwxrwxrwx  1 root root   17 May 23  2013 S13rpcbind -> ../init.d/rpcbind
0 lrwxrwxrwx  1 root root   20 May 23  2013 S14nfs-common -> ../init.d/nfs-common
0 lrwxrwxrwx  1 root root   17 May 23  2013 S16rsyslog -> ../init.d/rsyslog
0 lrwxrwxrwx  1 root root   15 May 23  2013 S17acpid -> ../init.d/acpid
0 lrwxrwxrwx  1 root root   13 May 23  2013 S17atd -> ../init.d/atd
0 lrwxrwxrwx  1 root root   14 May 23  2013 S17cron -> ../init.d/cron
0 lrwxrwxrwx  1 root root   15 May 23  2013 S17exim4 -> ../init.d/exim4
0 lrwxrwxrwx  1 root root   21 May 23  2013 S17mpt-statusd -> ../init.d/mpt-statusd
0 lrwxrwxrwx  1 root root   28 Sep  2 16:32 S17nagios-nrpe-server -> ../init.d/nagios-nrpe-server
0 lrwxrwxrwx  1 root root   13 May 23  2013 S17ntp -> ../init.d/ntp
0 lrwxrwxrwx  1 root root   15 May 28  2013 S17rsync -> ../init.d/rsync
0 lrwxrwxrwx  1 root root   13 May 23  2013 S17ssh -> ../init.d/ssh
0 lrwxrwxrwx  1 root root   18 May 23  2013 S19bootlogs -> ../init.d/bootlogs
0 lrwxrwxrwx  1 root root   18 May 23  2013 S20rc.local -> ../init.d/rc.local
0 lrwxrwxrwx  1 root root   19 May 23  2013 S20rmnologin -> ../init.d/rmnologin
root@timesrv01:/etc/rc2.d# update-rc.d rpcbind stop
root@timesrv01:/etc/rc2.d# update-rc.d rpcbind disable
</cli>

===== Configure the network =====

Change your interfaces file located in /etc/network/, to remove IPV6 parameters:
Ex:
<cli prompt='#'>
root@debian7:/etc/network# cat interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
iface eth0 inet static
        address 192.18.20.77
        netmask 255.255.255.0
        network 192.18.20.0
        broadcast 192.16.20.255
        gateway 192.18.20.244
        # dns-* options are implemented by the resolvconf package, if installed
        dns-nameservers 192.18.20.1 192.18.20.2 192.18.20.3
        dns-search mydom.org
</cli>

Remove **pan0** interface (Bluetooth)
  Changed to zero (from 1) the BLUETOOTH_ENABLED entry in /etc/default/bluetooth.

===== Stop IPV6 best practice =====

==== Disable IPV6 on network adapter ====

On most current OS, IPV6 is activate by default. It wouldn't be a good practice to completely unload the kernel module, but better disable it for most applications. You have to know that some application, like SELINUX will load IPV6 module if needed!

Create a file /etc/sysctl.d/98-disable_ipv6.conf
<cli prompt='#'>
[root@centos7 ~]# cat /etc/sysctl.d/98-disable_ipv6.conf
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1 
</cli>

To disable in the running system:   
<cli prompt='#'>
[root@centos7 ~]# echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
[root@lstor2rrd ~]# echo 1 > /proc/sys/net/ipv6/conf/default/disable_ipv6
</cli>
or   
<cli prompt='#'>
[root@centos7 ~]# sysctl -w net.ipv6.conf.all.disable_ipv6=1
[root@lstor2rrd ~]# sysctl -w net.ipv6.conf.default.disable_ipv6=1
</cli> 

==== Disable IPV6 on SSH server ====

If problems with X forwarding are encountered on systems with IPv6 disabled, edit /etc/ssh/sshd_config and make either of the following changes:   

(1) Change the line   

#AddressFamily any
  to   
AddressFamily inet
  
(inet is ipv4 only; inet6 is ipv6 only)   

or   

(2) Remove the hash mark (#) in front of the line   

#ListenAddress 0.0.0.0

Then restart ssh.   
  service ssh restart
  
==== Disable IPV6 on exim4 ====

If problems with starting exim4 are encountered on systems with IPv6 disabled, either   

edit /etc/exim4/update-exim4.conf.conf  and comment out the localhost part of the config and use ipv4 loopback.   

  dc_local_interfaces='127.0.0.1'

  #dc_local_interfaces='127.0.0.1 ; ::1'

==== Disable IPV6 on NTP client ====

Edit the file /etc/ntp.conf, and comment the line related to IPV6

  # restrict ::1
  # restrict -6 default kod notrap nomodify nopeer noquery

Add as option: IPV4 only in /etc/default/ntp
<cli prompt='#'>
root@timesrv01:/etc/rc2.d# cat /etc/default/ntp
NTPD_OPTS='-4'
</cli>  

==== Disable IPV6 on RPCBIND ====


To disable RPCBIND ipv6 (rpcbind, rpc.mountd, prc.statd) remark out the udp6 and tcp6 lines in /etc/netconfig:   
<code>
udp        tpi_clts      v     inet     udp     -       -
tcp        tpi_cots_ord  v     inet     tcp     -       -
#udp6      tpi_clts      v     inet6    udp     -       -
#tcp6      tpi_cots_ord  v     inet6    tcp     -       -
rawip      tpi_raw       -     inet      -      -       -
local      tpi_cots_ord  -     loopback  -      -       -
unix       tpi_cots_ord  -     loopback  -      -       -
</code>