====== Linux Debian Installation Best practice ======
===== Partitioning =====
By separating file systems into various partitions, you can fine tune permissions and functionality. Doing so gives you greater granularity for mount options, as well as adding a layer of security for an attacker to work through.
Steve Grubb suggests, and quite rightly so, that areas where users have write privileges be kept on their own partition. Hard links cannot cross file systems, so this blocks hard-link based privilege escalation attempts, prevents creative device additions (with nodev) and confines other unsavory behaviour to the writable area.
A reference layout for a server with one OS disk and one data disk, both under LVM, is below:
OS disk with LVM (required), data disk with LVM (required)
^disk^type^name^size^mount point^
|disk 1 (18GB)|static|/dev/sda1|512M|/boot|
| |LVM|/dev/mapper/rootvg-root|2G|/|
| |LVM|/dev/mapper/rootvg-usr|6G|/usr|
| |LVM|/dev/mapper/rootvg-var|2G|/var|
| |LVM|/dev/mapper/rootvg-opt|1G|/opt|
| |LVM|/dev/mapper/rootvg-tmp|2G|/tmp|
| |LVM|/dev/mapper/rootvg-home|2G|/home|
| |LVM|/dev/mapper/rootvg-swap|2G|swap|
|disk 2 (10GB)|LVM|/dev/mapper/datavg-data|10G|/data|
==== Modifying fstab ====
Once your partitions are broken out and sized, restrict each mount point as much as possible: add nodev wherever no device nodes are needed (everything except /), nosuid wherever users can write, and noexec wherever nothing legitimately executes. A change can be applied without a reboot with mount -o remount /tmp and verified in /proc/mounts. Keep in mind that noexec on /tmp breaks installers that unpack and run helpers there, so test package installation afterwards.
**An example of a decently restricted /etc/fstab file is below:**
/dev/mapper/rootvg-root / ext4 defaults 1 1
/dev/sda1 /boot ext4 defaults,nosuid,noexec,nodev 1 2
/dev/mapper/rootvg-home /home ext4 defaults,nosuid,nodev 1 2
/dev/mapper/rootvg-opt /opt ext4 defaults 1 2
/dev/mapper/rootvg-tmp /tmp ext4 defaults,nosuid,noexec,nodev 1 2
/dev/mapper/rootvg-usr /usr ext4 defaults 1 2
/dev/mapper/rootvg-var /var ext4 defaults,nosuid 1 2
/dev/mapper/rootvg-swap swap swap defaults 0 0
/dev/mapper/reposvg-reposlv /repos ext4 defaults 1 2
/dev/mapper/reposvg-repcentoslv /repos/CentOS ext4 defaults 1 2
/dev/mapper/reposvg-weblv /var/www ext4 defaults,nosuid,nodev 1 2
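The fstab only says what should be mounted; what matters is what is mounted. The script below is an added example (not from the original page) that audits the options actually in effect against the per-mount-point expectations taken from the fstab above. The expected options table and the sample /proc/mounts lines are assumptions constructed for the example; point it at the real /proc/mounts on a host.

```shell
#!/bin/sh
# Audit the mount options actually in effect (added example, not from the
# original page). Input is /proc/mounts format: "device mountpoint fstype
# options dump pass". The expected options below are an assumption taken
# from the fstab above; adjust them to your own layout.

# Constructed sample in /proc/mounts format, not captured from a real host.
SAMPLE_MOUNTS='/dev/mapper/rootvg-root / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda1 /boot ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/rootvg-tmp /tmp ext4 rw,relatime 0 0
/dev/mapper/rootvg-home /home ext4 rw,nosuid,relatime 0 0
/dev/mapper/rootvg-var /var ext4 rw,nosuid,relatime 0 0
/dev/mapper/reposvg-weblv /var/www ext4 rw,nosuid,nodev,relatime 0 0'

# expected_opts MOUNTPOINT: prints the hardening options that mount point
# should carry (empty for mount points we do not police).
expected_opts() {
    case "$1" in
        /boot|/tmp)     echo "nodev nosuid noexec" ;;
        /home|/var/www) echo "nodev nosuid" ;;
        /var)           echo "nosuid" ;;
        *)              echo "" ;;
    esac
}

# has_opt OPTS OPT: succeeds if OPT appears in the comma separated OPTS.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_mounts: reads /proc/mounts formatted lines on stdin, prints
# "MOUNTPOINT missing: opt ..." for every mount lacking an expected option
# and returns the number of non-compliant mounts (0 means all good).
audit_mounts() {
    bad=0
    while read -r dev mnt fstype opts dump pass; do
        missing=""
        for o in $(expected_opts "$mnt"); do
            has_opt "$opts" "$o" || missing="$missing $o"
        done
        if [ -n "$missing" ]; then
            echo "$mnt missing:$missing"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# Run against the constructed sample; on a real host use:
#   audit_mounts < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts || echo "$? mount(s) need attention"
```

On the sample, /tmp is reported with all three options missing and /home with nodev missing; /boot, /var and /var/www pass. Because the check reads /proc/mounts rather than /etc/fstab, it also catches a mount that was remounted by hand with the hardening options dropped.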
===== Install additional packages =====
Adapt the APT sources in /etc/apt/sources.list (and /etc/apt/sources.list.d/) so that the right repositories are reachable, then run apt-get update.
Add ntp, net-tools (for the ifconfig command) and a few other utilities:
aptitude install ntp
aptitude install telnet #(client only to debug)
aptitude install net-tools #(ifconfig, arp, netstat)
aptitude install lsof
aptitude install mlocate #(locate)
aptitude install dnsutils #(host, nslookup)
aptitude install open-vm-tools #(VMware Tools, opensource package)
aptitude install sg3-utils #(scsi-rescan)
aptitude install nmon #(performance monitor)
aptitude install cpulimit #(limit CPU usage per process)
===== List and remove unused services =====
Services to remove: mpt-statusd (polls LSI MPT RAID controller status, useless on a virtual machine)... Stop the running instance with service, then take it out of the boot sequence with update-rc.d disable (update-rc.d only manages the rc links, it does not start or stop anything):
root@debian7:/etc# for svc in mpt-statusd
do
service $svc stop
update-rc.d $svc disable
done
List the services ([ + ] running, [ - ] stopped, [ ? ] the init script has no status action):
root@debian7:/etc# service --status-all
[ + ] acpid
[ ? ] alsa-utils
[ - ] anacron
[ + ] apache2
[ + ] atd
[ + ] avahi-daemon
[ ? ] binfmt-support
[ - ] bluetooth
[ - ] bootlogs
[ ? ] bootmisc.sh
[ ? ] checkfs.sh
[ ? ] checkroot-bootclean.sh
[ - ] checkroot.sh
[ ? ] ...
==== Comment entry in /etc/inittab ====
Comment out the ctrlaltdel entry so that Ctrl-Alt-Del at the console no longer reboots the host (very useful against Windows habits at a KVM console), then make init reread the file with telinit q:
root@timesrv01:/etc/init.d# cat /etc/inittab
...
# What to do when CTRL-ALT-DEL is pressed.
#ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
...
==== Install ntp package and enable some services ====
Enable the services you do need: networking, ntp and, if used, iptables. As above, update-rc.d only manages the boot links; start the daemon itself with service:
root@debian7:/etc# for svc in ntp
do
update-rc.d $svc enable
service $svc start
done
==== Remove services that are in LISTEN state ====
In this example rpcbind (port 111, sunrpc) can be disabled if the host does not use NFS; note that nfs-common depends on it, and the high random port (51579 here) is typically another RPC program registered with rpcbind (rpcinfo -p lists them). Identify the process behind a port with lsof -i :PORT:
[root@centos7 ~]# netstat -an | grep LIST
tcp 0 0 0.0.0.0:51579 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 192.168.22.136:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
unix 2 [ ACC ] STREAM LISTENING 14412 @ISCSIADM_ABSTRACT_NAMESPACE
unix 2 [ ACC ] STREAM LISTENING 10242 /run/lvm/lvmetad.socket
unix 2 [ ACC ] STREAM LISTENING 16930 @/tmp/dbus-wEGN6K01Pn
unix 2 [ ACC ] STREAM LISTENING 16307 /tmp/.X11-unix/X0
unix 2 [ ACC ] STREAM LISTENING 17599 /tmp/.ICE-unix/1146
unix 2 [ ACC ] SEQPACKET LISTENING 10256 /run/udev/control
unix 2 [ ACC ] STREAM LISTENING 15164 /var/run/lsm/ipc/sim
unix 2 [ ACC ] STREAM LISTENING 15166 /var/run/lsm/ipc/simc
unix 2 [ ACC ] STREAM LISTENING 14413 @ISCSID_UIP_ABSTRACT_NAMESPACE
unix 2 [ ACC ] STREAM LISTENING 14414 /var/run/avahi-daemon/socket
unix 2 [ ACC ] STREAM LISTENING 14417 /var/run/rpcbind.sock
unix 2 [ ACC ] STREAM LISTENING 16306 @/tmp/.X11-unix/X0
unix 2 [ ACC ] STREAM LISTENING 8042 /run/systemd/private
unix 2 [ ACC ] STREAM LISTENING 18796 /run/user/42/pulse/native
unix 2 [ ACC ] STREAM LISTENING 1388 /run/systemd/journal/stdout
unix 2 [ ACC ] STREAM LISTENING 17778 /var/run/rpcbind.sock
unix 2 [ ACC ] STREAM LISTENING 14458 /var/run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 18556 /var/run/libvirt/libvirt-sock
unix 2 [ ACC ] STREAM LISTENING 18558 /var/run/libvirt/libvirt-sock-ro
unix 2 [ ACC ] STREAM LISTENING 17598 @/tmp/.ICE-unix/1146
unix 2 [ ACC ] STREAM LISTENING 16036 /var/run/abrt/abrt.socket
unix 2 [ ACC ] STREAM LISTENING 17418 @/tmp/dbus-0PYMRpYu
unix 2 [ ACC ] STREAM LISTENING 16892 @/tmp/dbus-bKDTQeVf
unix 2 [ ACC ] STREAM LISTENING 16893 @/tmp/dbus-Skwj1TBB
unix 2 [ ACC ] STREAM LISTENING 17543 @/tmp/dbus-qVKMoS2bff
unix 2 [ ACC ] STREAM LISTENING 18410 @/tmp/dbus-V9cHUqaM
unix 2 [ ACC ] STREAM LISTENING 17419 @/tmp/dbus-9XjDfCN8
[root@centos7 ~]# lsof -i :111
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
rpcbind 1243 rpc 7u IPv4 17780 0t0 UDP *:sunrpc
rpcbind 1243 rpc 9u IPv4 17782 0t0 TCP *:sunrpc (LISTEN)
root@timesrv01:~# runlevel
N 2
root@timesrv01:/etc/rc2.d# ls -l
-rw-r--r-- 1 root root 677 Feb 8 2013 README
0 lrwxrwxrwx 1 root root 14 May 23 2013 S01motd -> ../init.d/motd
0 lrwxrwxrwx 1 root root 17 May 23 2013 S13rpcbind -> ../init.d/rpcbind
0 lrwxrwxrwx 1 root root 20 May 23 2013 S14nfs-common -> ../init.d/nfs-common
0 lrwxrwxrwx 1 root root 17 May 23 2013 S16rsyslog -> ../init.d/rsyslog
0 lrwxrwxrwx 1 root root 15 May 23 2013 S17acpid -> ../init.d/acpid
0 lrwxrwxrwx 1 root root 13 May 23 2013 S17atd -> ../init.d/atd
0 lrwxrwxrwx 1 root root 14 May 23 2013 S17cron -> ../init.d/cron
0 lrwxrwxrwx 1 root root 15 May 23 2013 S17exim4 -> ../init.d/exim4
0 lrwxrwxrwx 1 root root 21 May 23 2013 S17mpt-statusd -> ../init.d/mpt-statusd
0 lrwxrwxrwx 1 root root 28 Sep 2 16:32 S17nagios-nrpe-server -> ../init.d/nagios-nrpe-server
0 lrwxrwxrwx 1 root root 13 May 23 2013 S17ntp -> ../init.d/ntp
0 lrwxrwxrwx 1 root root 15 May 28 2013 S17rsync -> ../init.d/rsync
0 lrwxrwxrwx 1 root root 13 May 23 2013 S17ssh -> ../init.d/ssh
0 lrwxrwxrwx 1 root root 18 May 23 2013 S19bootlogs -> ../init.d/bootlogs
0 lrwxrwxrwx 1 root root 18 May 23 2013 S20rc.local -> ../init.d/rc.local
0 lrwxrwxrwx 1 root root 19 May 23 2013 S20rmnologin -> ../init.d/rmnologin
root@timesrv01:/etc/rc2.d# service rpcbind stop
root@timesrv01:/etc/rc2.d# update-rc.d rpcbind disable
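Eyeballing netstat output works once; a repeatable baseline is better. The script below is an added example (not from the original page) that parses netstat -an style output, keeps only listening TCP sockets and bound UDP sockets, and flags everything not on an allowlist of expected proto/port pairs. It also flags IPv6 sockets, which is useful after the IPv6 changes further down this page. The sample netstat lines are constructed for the example and the allowlist is an assumption; on a real host pipe netstat -an into it.

```shell
#!/bin/sh
# Listening-socket baseline check (added example, not from the original page).
# Parses "netstat -an" output; the sample below is constructed, not captured
# from a real host.

SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:51579           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 192.168.22.136:80       0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*
unix  2      [ ACC ]     STREAM     LISTENING     14417    /var/run/rpcbind.sock'

# listeners: reads netstat -an output on stdin and prints "proto addr port"
# for every listening TCP socket and every bound UDP socket (UDP has no
# LISTEN state, so any bound UDP socket is reachable). Unix sockets are
# ignored: they are local IPC, not network exposure.
listeners() {
    while read -r proto recvq sendq local remote state; do
        case "$proto" in
            tcp|tcp6) [ "$state" = "LISTEN" ] || continue ;;
            udp|udp6) ;;
            *)        continue ;;
        esac
        # split "addr:port" on the last colon so that IPv6 ":::22" works too
        port=${local##*:}
        addr=${local%:*}
        echo "$proto $addr $port"
    done
    return 0
}

# unexpected_listeners ALLOWED: ALLOWED is a space separated list of
# "proto/port" pairs that are expected (assumption: tcp/22 tcp/80 udp/123
# for this host). Prints every other socket with a reason and returns the
# number of sockets that need review (0 means the host matches the baseline).
unexpected_listeners() {
    allowed=" $1 "
    count=0
    out=$(listeners)   # consume the netstat output on stdin
    while read -r proto addr port; do
        [ -n "$proto" ] || continue
        case "$proto" in
            tcp6|udp6) reason="ipv6 socket" ;;
            *)
                case "$allowed" in
                    *" $proto/$port "*) continue ;;
                    *) reason="not in allowlist" ;;
                esac ;;
        esac
        echo "$proto $addr:$port $reason"
        count=$((count + 1))
    done <<EOF
$out
EOF
    return $count
}

# Run against the constructed sample; on a real host use:
#   netstat -an | unexpected_listeners "tcp/22 tcp/80 udp/123"
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "tcp/22 tcp/80 udp/123" \
    || echo "$? socket(s) to review"
```

On the sample this reports tcp 51579, tcp 111 and udp 111 as not in the allowlist and the tcp6 ssh socket as an IPv6 listener, while 22, 80 and the NTP socket on 127.0.0.1 pass. Each flagged port is then mapped to its process with lsof -i :PORT as shown above, and the service is stopped and disabled.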
===== Configure the network =====
Edit the interfaces file in /etc/network/ and remove any IPv6 (inet6) stanza, for example:
root@debian7:/etc/network# cat interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
allow-hotplug eth0
iface eth0 inet static
address 192.18.20.77
netmask 255.255.255.0
network 192.18.20.0
broadcast 192.18.20.255
gateway 192.18.20.244
# dns-* options are implemented by the resolvconf package, if installed
dns-nameservers 192.18.20.1 192.18.20.2 192.18.20.3
dns-search mydom.org
Remove the **pan0** interface (Bluetooth personal area network) by setting BLUETOOTH_ENABLED to 0 (instead of 1) in /etc/default/bluetooth; on a server without Bluetooth hardware the bluetooth package can simply be removed.
===== Stop IPV6 best practice =====
==== Disable IPV6 on network adapter ====
On most current operating systems IPv6 is enabled by default. Blacklisting the kernel module outright is not good practice; it is better to disable it through sysctl so that applications stop using it. Be aware that some software, SELinux for example, will load the IPv6 module itself if it needs it.
Create the file /etc/sysctl.d/98-disable_ipv6.conf (read at boot; apply it straight away with sysctl -p /etc/sysctl.d/98-disable_ipv6.conf):
[root@centos7 ~]# cat /etc/sysctl.d/98-disable_ipv6.conf
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
To disable it in the running system (note that ::1 disappears from lo as well, which is why ssh, exim4, ntp and rpcbind need the adjustments below):
[root@centos7 ~]# echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
[root@centos7 ~]# echo 1 > /proc/sys/net/ipv6/conf/default/disable_ipv6
or
[root@centos7 ~]# sysctl -w net.ipv6.conf.all.disable_ipv6=1
[root@centos7 ~]# sysctl -w net.ipv6.conf.default.disable_ipv6=1
==== Disable IPV6 on SSH server ====
If X forwarding fails on a system where IPv6 has been disabled, edit /etc/ssh/sshd_config and make either of the following changes:
(1) Change the line
#AddressFamily any
to
AddressFamily inet
(inet is ipv4 only; inet6 is ipv6 only)
or
(2) Remove the hash mark (#) in front of the line
#ListenAddress 0.0.0.0
Check the configuration with sshd -t, then restart ssh:
service ssh restart
==== Disable IPV6 on exim4 ====
If exim4 fails to start on a system where IPv6 has been disabled, edit /etc/exim4/update-exim4.conf.conf so that dc_local_interfaces lists only the IPv4 loopback (the ::1 variant is commented out below), then run update-exim4.conf and restart exim4:
dc_local_interfaces='127.0.0.1'
#dc_local_interfaces='127.0.0.1 ; ::1'
==== Disable IPV6 on NTP client ====
Edit /etc/ntp.conf and comment out the lines related to IPv6:
# restrict ::1
# restrict -6 default kod notrap nomodify nopeer noquery
Then add -4 (IPv4 only) to the daemon options in /etc/default/ntp. Debian ships NTPD_OPTS='-g' by default; keep -g next to -4 if ntpd must be allowed to step a badly wrong clock at startup.
root@timesrv01:/etc/rc2.d# cat /etc/default/ntp
NTPD_OPTS='-4'
==== Disable IPV6 on RPCBIND ====
To stop rpcbind and the programs that register with it (rpc.mountd, rpc.statd) from using IPv6, comment out the udp6 and tcp6 lines in /etc/netconfig:
udp tpi_clts v inet udp - -
tcp tpi_cots_ord v inet tcp - -
#udp6 tpi_clts v inet6 udp - -
#tcp6 tpi_cots_ord v inet6 tcp - -
rawip tpi_raw - inet - - -
local tpi_cots_ord - loopback - - -
unix tpi_cots_ord - loopback - - -