[or-cvs] r20491: {} This script is not relevant and has incorrect information. I (projects/misc-sysadmin)

ioerror at seul.org ioerror at seul.org
Mon Sep 7 00:13:43 UTC 2009


Author: ioerror
Date: 2009-09-06 20:13:43 -0400 (Sun, 06 Sep 2009)
New Revision: 20491

Removed:
   projects/misc-sysadmin/harden-centos.sh
Log:
This script is not relevant and has incorrect information. It's a bag of lies.


Deleted: projects/misc-sysadmin/harden-centos.sh
===================================================================
--- projects/misc-sysadmin/harden-centos.sh	2009-09-06 23:56:11 UTC (rev 20490)
+++ projects/misc-sysadmin/harden-centos.sh	2009-09-07 00:13:43 UTC (rev 20491)
@@ -1,177 +0,0 @@
-#!/bin/bash -x
-#
-# harden-centos.sh by
-# Jacob Appelbaum <jacob at appelbaum.net>
-#
-# This is released under the same license as Tor
-#
-# Basically this automates the stuff I like from:
-# http://wiki.centos.org/HowTos/OS_Protection
-#
-# It also automates a few other things from other systems
-#
-
-if [ -f /tmp/harden-centos ]; then
-	echo "Already hardened!";
-	exit
-fi
-
-# Force passwords to expire
-echo "Passwords expire every 180 days"
-perl -npe 's/PASS_MAX_DAYS\s+99999/PASS_MAX_DAYS 180/' -i /etc/login.defs
-echo "Passwords may only be changed once a day"
-perl -npe 's/PASS_MIN_DAYS\s+0/PASS_MIN_DAYS 1/g' -i /etc/login.defs
-
-# We don't need no stinkin' MD5
-authconfig --passalgo=sha512 --update
-
-# Add a secure umask
-perl -npe 's/umask\s+0\d2/umask 077/g' -i /etc/bashrc
-perl -npe 's/umask\s+0\d2/umask 077/g' -i /etc/csh.cshrc
-
-# Configure a reasonable timeout for bash users
-echo "Idle users will be removed after 15 minutes"
-echo "readonly TMOUT=900" >> /etc/profile.d/os-security.sh
-echo "readonly HISTFILE" >> /etc/profile.d/os-security.sh
-chmod +x /etc/profile.d/os-security.sh
-
-# Remove wireless modules
-for i in $(find /lib/modules/`uname -r`/kernel/drivers/net/wireless -name "*.ko" -type f) ; do echo blacklist $i >> /etc/modprobe.d/blacklist-wireless ; done
-
-# Harden all services with TCP wrappers; allow ssh connections by default
-echo "ALL:ALL" >> /etc/hosts.deny
-echo "sshd:ALL" >> /etc/hosts.allow
-
-# Configure some sane default sysctls
-cat << 'EOF' > /etc/sysctl.conf
-#
-# This is a custom and semi-hardened sysctl.conf
-# by Jacob Appelbaum <jacob at appelbaum.net>
-#
-kernel.core_uses_pid = 1
-kernel.msgmax = 65536
-kernel.msgmnb = 65536
-kernel.printk = 4 4 1 7
-kernel.shmall = 4294967296
-kernel.shmmax = 68719476736
-kernel.sysrq = 0
-net.ipv4.conf.all.accept_redirects = 0
-net.ipv4.conf.all.accept_source_route = 0
-net.ipv4.conf.all.log_martians = 1
-net.ipv4.conf.all.rp_filter = 1
-net.ipv4.conf.all.secure_redirects = 0
-net.ipv4.conf.all.send_redirects = 0
-net.ipv4.conf.default.accept_redirects = 0
-net.ipv4.conf.default.accept_source_route = 0
-net.ipv4.conf.default.forwarding=0
-net.ipv4.conf.default.rp_filter=1
-net.ipv4.conf.default.secure_redirects = 0
-net.ipv4.conf.default.send_redirects = 0
-net.ipv4.icmp_echo_ignore_broadcasts = 1
-net.ipv4.icmp_ignore_bogus_error_responses = 1
-net.ipv4.ip_forward = 0
-net.ipv4.ip_local_port_range = 16384 65536
-net.ipv4.tcp_max_syn_backlog = 1280
-net.ipv4.tcp_syncookies = 1
-net.ipv4.tcp_timestamps = 0
-net.ipv6.conf.default.forwarding=0
-kernel.cap-bound = 0xFFFCFFFF
-EOF
-sysctl -p /etc/sysctl.conf
-echo
-
-cp /etc/ssh/sshd_config /etc/ssh/sshd_config-default
-cat << 'EOF' > /etc/ssh/sshd_config
-# This is a hardened configuration for OpenSSH
-#
-# by Jacob Appelbaum <jacob at appelbaum.net>
-#
-Port 22
-Protocol 2
-# HostKeys for protocol version 2
-HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
-#Privilege Separation is turned on for security
-UsePrivilegeSeparation yes
-
-# Lifetime and size of ephemeral version 1 server key
-KeyRegenerationInterval 3600
-ServerKeyBits 768
-
-# Logging
-SyslogFacility AUTHPRIV
-LogLevel INFO
-
-# Authentication:
-LoginGraceTime 120
-PermitRootLogin no
-StrictModes yes
-
-RSAAuthentication yes
-PubkeyAuthentication yes
-#AuthorizedKeysFile	%h/.ssh/authorized_keys
-
-# Don't read the user's ~/.rhosts and ~/.shosts files
-IgnoreRhosts yes
-# For this to work you will also need host keys in /etc/ssh_known_hosts
-RhostsRSAAuthentication no
-# similar for protocol version 2
-HostbasedAuthentication no
-# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
-#IgnoreUserKnownHosts yes
-
-# To enable empty passwords, change to yes (NOT RECOMMENDED)
-PermitEmptyPasswords no
-
-# Change to yes to enable challenge-response passwords (beware issues with
-# some PAM modules and threads)
-ChallengeResponseAuthentication no
-
-# Change to no to disable tunnelled clear text passwords
-PasswordAuthentication no
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosGetAFSToken no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-
-X11Forwarding no
-X11DisplayOffset 10
-PrintMotd no
-PrintLastLog yes
-TCPKeepAlive yes
-#UseLogin no
-
-#MaxStartups 10:30:60
-#Banner /etc/issue.net
-
-# Allow client to pass locale environment variables
-AcceptEnv LANG LC_*
-
-Subsystem sftp /usr/lib/openssh/sftp-server
-
-UsePAM no
-
-# General crypto config stuff goes here
-Ciphers aes256-ctr,blowfish-cbc
-MACs hmac-sha1
-
-# Groups we care about allow access
-AllowGroups cymru noc cams torproject
-
-# Lets not become a generic port bounce
-AllowTcpForwarding no
-
-# misc
-Compression yes
-
-EOF
-
-/etc/init.d/sshd restart
-
-touch /tmp/harden-centos


