Installing a CentOS 6.4 Minimal Server w/ MegaMek

I had originally set this blog up to share some of my tech knowledge, or to document what I did so you can do it too. So here is the first step in that process. I used CentOS 6.4 Minimal 32-bit, to give myself some extra practice and to allow for what I wanted to do with it. You can download the ISO here. I am also using a virtual machine, so if I mess something up I don't have to redo my whole working operating system. The virtual machine I used was VirtualBox from Oracle. It is free and supports a wide range of operating systems. You can also install it on a server with no GUI and administer it from the command line; there is plenty of documentation on that, and it will be covered later. Now, on to installing CentOS. If anything needs explanation, or you have suggestions, please comment below. Do not accuse me of doing something "stupid" because I just followed a tutorial and shared what I learned that was not shared there.

  1. Installed system: CentOS 6.4 Minimal 32-bit
  2. Edited eth0 so the interface comes up at boot (the Minimal install leaves it at ONBOOT=no; set ONBOOT=yes)
    1. $vim /etc/sysconfig/network-scripts/ifcfg-eth0
  3. Installed standard tools
    1. $yum install mdadm man wget mlocate beecrypt vim-enhanced lsof screen sudo rsyslog lynx patch which nc gcc gnutls gnutls-devel popt popt-devel
  4. Since it was a VM, I installed this package (on top of gcc from the previous step) to build the VM tools (the VirtualBox Guest Additions)
    1. $yum install kernel-devel
  5. Configured a user other than root
    1. $useradd -m username
    2. $usermod -a -G wheel username
    3. $passwd username
  6. Edited the sudoers file to allow the wheel group to perform sudo actions. Use visudo rather than opening /etc/sudoers in vim directly: it locks the file and syntax-checks it before saving, so a typo cannot lock you out of sudo.
    1. $visudo
  7. Added (on CentOS 6 the line is already there, commented out; remove the leading #)
    1. %wheel ALL=(ALL) ALL
  8. Then I disabled empty passwords for SSH and also disabled root SSH logins
    1. $vim /etc/ssh/sshd_config
  9. Set the following. The stock file ships both lines commented out, and the commented PermitRootLogin line reads "yes", so uncommenting alone is not enough: the value has to be changed to no.
    1. PermitEmptyPasswords no
    2. PermitRootLogin no
    3. Then check the file and restart the daemon, keeping your current session open until you have confirmed a fresh login works: $sshd -t && service sshd restart
  10. If SELinux stops you from completing a step, you can disable it by changing SELINUX=enforcing to SELINUX=disabled in /etc/selinux/config (it takes effect at the next reboot). Prefer $setenforce 0, which switches to permissive mode immediately and keeps logging the denials, so you can see what actually needs fixing instead of turning SELinux off.
  11. Once you finish your changes, change SELINUX back to enforcing ($setenforce 1).
  12. Then I installed the audit daemon and the SELinux troubleshooting tools, so denials are logged and readable
    1. $yum install audit
    2. $yum install setroubleshoot-server setroubleshoot-plugins
  13. Then you have to start auditd and enable it at boot
    1. $/etc/init.d/auditd start
    2. $chkconfig auditd on
    3. $sealert -a /var/log/audit/audit.log explains any AVC denials in plain language
  14. Now I locked down the 'cron' and 'at' systems so that only root can schedule jobs. When cron.allow exists, only the users listed in it may use crontab and cron.deny is not consulted at all (the same holds for at.allow and at.deny), so the empty allow files do the real work and the deny lists are belt and braces. Match the first passwd field exactly rather than using grep -v root, which would also drop any account whose name merely contains "root".
    1. $touch /etc/cron.allow
    2. $chmod 600 /etc/cron.allow
    3. $awk -F: '$1 != "root" {print $1}' /etc/passwd > /etc/cron.deny
    4. $touch /etc/at.allow
    5. $chmod 600 /etc/at.allow
    6. $awk -F: '$1 != "root" {print $1}' /etc/passwd > /etc/at.deny
  15. Now to set up the firewall rules. Here we are allowing the bare minimum: I have locked it down so that only incoming SSH (and MegaMek, port 2346) connections can be made, and no new outgoing connections at all, SSH included; everything else is dropped. Run the script as root, and run $chkconfig iptables on afterwards so the saved rules are loaded at boot. Be aware that with the OUTPUT policy at DROP, DNS lookups and yum fail as well, so either temporarily reset the policies to ACCEPT and flush the rules while installing packages, or add outbound rules for DNS and HTTP.
    1. #!/bin/bash
       SERVER_IP="ipaddress"
       iptables -F
       iptables -X

       ## Set Default Filter Policy
       iptables -P INPUT DROP
       iptables -P OUTPUT DROP
       iptables -P FORWARD DROP

       ## Allow unlimited local traffic on the loopback
       iptables -A INPUT -i lo -j ACCEPT
       iptables -A OUTPUT -o lo -j ACCEPT

       ## Allow *INCOMING* SSH connections
       iptables -A INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
       iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT

       ## Allow *INCOMING* MegaMek connections
       iptables -A INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport 2346 -m state --state NEW,ESTABLISHED -j ACCEPT
       iptables -A INPUT -p udp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport 2346 -m state --state NEW,ESTABLISHED -j ACCEPT
       iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 2346 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
       iptables -A OUTPUT -p udp -s $SERVER_IP -d 0/0 --sport 2346 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT

       ## Drop everything else
       iptables -A INPUT -j DROP
       iptables -A OUTPUT -j DROP

       ## Save iptables rules
       /sbin/service iptables save

       ## List current running rules
       iptables -L -v
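The SSH, cron/at and firewall steps above as one script, added here as an example and not the post's own code: set_sshd_option, build_deny_list, gen_rules and apply_rules are hypothetical helper names, the sshd_config and passwd fragments are constructed, and 192.0.2.10 is a documentation address standing in for the server IP. gen_rules keeps the post's policy (SSH and MegaMek in, nothing new out) but emits it in iptables-restore format so it loads atomically; the optional second argument that opens outbound DNS and HTTP/HTTPS for yum is an addition beyond what the post configures.

```shell
#!/bin/bash
# Added example, not the post's own script: the SSH, cron/at and firewall
# steps as reusable functions. Every file path is a parameter so the
# functions can be tried on scratch copies without root; apply_rules is the
# only function that touches the live system.
set -eu

# Set one sshd_config directive idempotently: replace an existing (possibly
# commented-out) line, otherwise append. The post says "uncomment", but the
# stock CentOS 6 file carries "#PermitRootLogin yes", so the value has to
# change as well.
set_sshd_option() {
    local cfg=$1 key=$2 value=$3
    if grep -q "^[#[:space:]]*${key}[[:space:]]" "$cfg"; then
        sed -i "s|^[#[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$cfg"
    else
        printf '%s %s\n' "$key" "$value" >> "$cfg"
    fi
}

# Every account except root, one per line, for cron.deny / at.deny.
# Comparing field 1 exactly avoids the "grep -v root" pitfall of also
# dropping accounts whose name merely contains "root".
build_deny_list() {
    awk -F: '$1 != "root" { print $1 }' "$1"
}

# The post's ruleset in iptables-restore(8) format. Loading it with
# iptables-restore is atomic, so there is no moment with a DROP policy and
# no ACCEPT rules. One ESTABLISHED,RELATED rule per chain replaces the
# paired per-service rules; the source-port ranges are dropped because
# stateful matching makes them redundant. With the second argument set to 1
# (an addition beyond the post's rules) outbound DNS and HTTP/HTTPS are
# allowed so yum can fetch packages such as java.
gen_rules() {
    local ip=$1 allow_updates=${2:-0}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -d $ip --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -d $ip --dport 2346 -m state --state NEW -j ACCEPT
-A INPUT -p udp -d $ip --dport 2346 -m state --state NEW -j ACCEPT
EOF
    if [ "$allow_updates" = 1 ]; then
        cat <<EOF
-A OUTPUT -p udp -s $ip --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -s $ip --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -s $ip -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
EOF
    fi
    echo COMMIT
}

# Load and persist the rules on a CentOS 6 box (needs root; not run by the demo).
apply_rules() {
    gen_rules "$1" "${2:-0}" | iptables-restore
    /sbin/service iptables save
    chkconfig iptables on
}

# Demo on constructed scratch files so nothing on the host changes.
demo() {
    local tmp
    tmp=$(mktemp -d)
    # Constructed fragment resembling the stock CentOS 6 sshd_config.
    printf '#PermitRootLogin yes\n#PermitEmptyPasswords no\nUsePAM yes\n' > "$tmp/sshd_config"
    set_sshd_option "$tmp/sshd_config" PermitRootLogin no
    set_sshd_option "$tmp/sshd_config" PermitEmptyPasswords no
    cat "$tmp/sshd_config"
    # Constructed passwd excerpt; "rootless" shows why exact matching matters.
    printf 'root:x:0:0::/root:/bin/bash\nmegamek:x:500:500::/home/megamek:/bin/bash\nrootless:x:501:501::/home/rootless:/bin/bash\n' > "$tmp/passwd"
    build_deny_list "$tmp/passwd"
    gen_rules 192.0.2.10 1   # 192.0.2.10 is a documentation address, not a real host
    rm -rf "$tmp"
}
demo
```

Run as-is it only prints results for the scratch files; on the real box you would call set_sshd_option against /etc/ssh/sshd_config (still followed by sshd -t and a service sshd restart), write build_deny_list output to /etc/cron.deny and /etc/at.deny, and call apply_rules with the server's address.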

A related restriction on root is to limit where it may log in locally. Note that this does not cover SSH: on CentOS 6 /etc/securetty is enforced by pam_securetty in the login PAM stack, which sshd does not use, so the PermitRootLogin no setting above is what actually stops root over SSH. The first line allows root to log in only on the first virtual console; the second stops other users from reading root's home directory.

  • $echo "tty1" > /etc/securetty
    $chmod 700 /root

I will continue to modify this with other security tips that I find. I will be installing some archiving tools and Java so I can play my game. My ultimate goal is to host a game called MegaMek, from http://www.megamek.info, on this server. Then I can play with other people, or have them play on my server when they let me know they want it up and running. Once it is up and running, I will let everyone know.
