Hey,

A while ago I was working on a guide and script to automate installing and securing servers on Centos6.
Since Centos6 does not cut it anymore for me and Centos7 is not supported, I want to help people who still use Centos6 or want to have a simple guide how to secure their server.

Hint: I use several e-mail addresses in my production. Depending of the content of the automated e-mails I send them to a monitoring mailbox, alarm mailbox, or other. This way, I’m always up-to-date with my systems through mail.

Software to install:
Lynis (a hardening check tool. This tool will tell you where possible security risks are).
NCDU (a handy tool to check how big directories are, comparable with treesize for windows)
RKHunter (Rootkithunter looks for file integrity and possible rootkits on your system)
LMD (Linux Mallware Detect looks for malicious softwar eon your system. Very useful for webservers!)
Fail2Ban (Bans brute force attempts for various systems)
tcpdump (a tool like wireshark, to review network traffic)
csf & lfd (scripts that block and ban intrusions)

Here we go:

Step1 Install repositories:

mkdir /tmp/epel cd /tmp/epel wget http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm rpm -ivh epel-release-6-8.noarch.rpm
Step 2: Install some basic security tools and update the system:

yum update -y yum install -y fail2ban

vim /etc/fail2ban/jail.local

enter following:

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1

# "bantime" is the number of seconds that a host is banned.
bantime  = 3600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3
[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com]
logpath  = /var/log/secure
maxretry = 5[/code]
Do not forget to alter the destination and the sender.

Start fail2ban automatically:
[code]chkconfig --level 23 fail2ban on service fail2ban start[/code]
You can also add other jails for other systems (mail, apache, ...). To learn more, there's a lot on google.

Setup rkhunter:
[code]yum install -y rkhunter
rkhunter --update 
rkhunter --propupd
vim /etc/cron.daily/rkhunter.sh

Enter the following:

#!/bin/sh ( rkhunter --versioncheck rkhunter --update rkhunter --cronjob --report-warnings-only ) | /bin/mail -s 'rkhunter Daily Run (SERVERNAME)' destinationmail@example.com
Don’t forget to set the e-mail address.
Change the chmod.

chmod 755 /etc/cron.daily/rkhunter.sh

Install NCDU, lynis and tcpdump

yum install -y ncdu lynis tcpdump

Install LMD:

[code]mkdir /tmp/lmd
cd /tmp/lmd
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar xfz maldetect-current.tar.gz cd maldetect-*
./install.sh
vim /usr/local/maldetect/conf.maldet

Enable e-mail alertuser
enable quar_hits
[/code]
You can change some rules in this document to search deeper and harder, but watch out not to set this to strong. It has a tendency to detect virtualmin files as malicious (backup scripts).

Add a user for yourself:

useradd username
passwd username
vim /etc/sudoers

Somewhere in the code of the sudoers file, you will find the following root user defined:

## Allow root to run any commands anywhere root ALL=(ALL) ALL
Add under it a line like:

username    ALL=(ALL)       ALL

Configure SSH:

vim /etc/ssh/sshd_config

Change or add the following:

Protocol 2 Port 6000 LoginGraceTime 30 MaxAuthTries 3 PermitRootLogin no AllowUsers username
Restart sshd

service sshd restart

At this point you should change your root password to a LONG string and save it somewhere in your password safe. In normal circumstances you will not need it anymore. You will from now on login with your username. If you need to access as root, you can use the command “sudo su” followed by your username’s password.

Logout completely and login again over ssh. Mind the port you set to 6000.
After logging in, change user to root:

sudo su

Let’s set-up some IP tables:

vim ~/firewall.sh

Enter the following rules. Please read the comments to see if you need the rule.

#!/bin/bash service iptables start iptables -F iptables -A INPUT -p tcp --dport 6000 -j ACCEPT #SSH if this port is closed, no ssh is possible. iptables -A INPUT -s xx.xx.xx.xx -j ACCEPT #Home Set your home IP in here if it's a fixed IP. This will allow you to always connect to your server. iptables -A INPUT -p icmp --icmp-type 8 -s xx.xx.xx.xx -j ACCEPT #Ping is by default not allowed. If your datacenter (like ovh) forces you to open the port for monitoring reasons, you can allow it here. iptables -A INPUT -p tcp --dport 10055 -j ACCEPT #zabbix agent (monitoring server) iptables -A INPUT -p tcp --dport 10051 -j ACCEPT #zabbix agent(monitoring server) iptables -A INPUT -p tcp --dport 10050 -j ACCEPT #zabbix agent(monitoring server) iptables -A INPUT -p tcp --dport 443 -j ACCEPT #SSL iptables -A INPUT -p tcp --dport 80 -j ACCEPT #http iptables -A INPUT -p tcp --dport 161 -j ACCEPT #snmp iptables -A INPUT -p tcp --dport 995 -j ACCEPT #POP3 SSL iptables -A INPUT -p tcp --dport 30050 -j ACCEPT #virtualmin (I change the default virtualmin port to something not so default to avoid brute force. iptables -A INPUT -p tcp --dport 20000 -j ACCEPT #webmin iptables -A INPUT -p tcp --dport 10000 -j ACCEPT #usermin iptables -A INPUT -p tcp --dport 10050 -j ACCEPT #usermin iptables -A INPUT -p tcp --dport 465 -j ACCEPT #SMTP SSL iptables -P INPUT DROP #all other ports will be dropped. iptables -P FORWARD DROP # we do not allow forwarding iptables -P OUTPUT ACCEPT # we allow all outgoing connections. You can tighten this. iptables -A INPUT -i lo -j ACCEPT #Accept the loopback interface iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT #accept all connections that are already established or related /sbin/service iptables save #this line will save the iptables iptables -L -v #this line will show the iptables after saving
The iptables will work for all new connections, so it will not drop your SSH if you made a mistake.
Change rights and run:

chmod 755 ~/firewall.sh ~/firewall.sh
At this point you should check if your ssh connection will still work for new connections.
DO NOT CLOSE your current session, but open up a new one and try to connect to the server. If you get a connection refused, you did something wrong in the IP tables. the “iptables -F” command will remove all current iptables.

Hardening

vim /etc/sysconfig/init change: SINGLE=/sbin/sulogin vim /etc/inittab add: ~:S:wait:/sbin/sulogin vim /etc/named.conf Set version to “none” in options

Install logwatch

yum install –y logwatch 
vim /usr/share/logwatch/default.conf/logwatch.conf 

change:
•	Mailto = yourlog@mail.com
•	Mailfrom = logwatch@SERVER.domain.com
•	Detail = Med
•	Disable Service = “-*” (remove all disabled services)

Final approach:
Run lynis

./lynis --check-all -Q

To check:

grep Warning /var/log/lynis.log grep Suggestion /var/log/lynis.log
Update the rkhunter database of current files on the system, run rkhunter and let maldet scan your system (this will take a while)

rkhunter --propupd rkhunter -c maldet --scan-all /

A final step: CSF and LFD

http://configserver.com/cp/csf.html

Install the script. There is a GUI in webmin available for this.

In case of problems. To check recently changed files:

find /var/www/ -type f -exec stat --format '%Y :%y %n' {} \; | sort -nr | cut -d: -f2- | head -100

After all this, you can start to install virtualmin on a secure server.
I hope this small guide will help some people establish safer servers.

As a follow-up, here is the script I made.

IT IS NOT COMPLETE, IT DOES NOT work as it should. This is only for interested people looking to fix it, improve it and know what they are doing.

[code]#!/bin/bash

automatic attended install script

#Colours
############
#ToDo
############
#make variables for to download files
#add ossec agent
#add ossec server
#add zabbix server
#add config for fail2ban
#add logfile
#complete virtualmin change port && restart services
#mail to admin upon file completion

issue in if [ ${AddServerIPPort[$iserver]} != $Nullport ]

############
#Functions
############

Check IP function (Thanks to Mitch Frazier)

function valid_ip()
{
local ip=$1
local stat=1

if [[ $ip =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
    OIFS=$IFS
    IFS='.'
    ip=($ip)
    IFS=$OIFS
    [[ ${ip[0]} -le 255 && ${ip[1]} -le 255 \
        && ${ip[2]} -le 255 && ${ip[3]} -le 255 ]]
    stat=$?
fi
return $stat

}

Blue=’\e[0;34m’
Red=’\e[0;31m’
Green=’\e[0;32m’
RedBold=’\e[0;31m’
GreenBold=’\e[0;32m’
LightGrey=’\e[0;37m’
Purple=’\e[0;35m’
Brown=’\e[0;33m’
NoColour=’\e[0m’
Yes=y
if [ $(whoami) != ‘root’ ]; then
echo “Must be root to run”
exit 1;
fi
echo -e “------------------------------”
echo -e “-----${Purple}New Server Install${NoColour}-------”
echo -e “------------------------------”
echo -e “Please note the following:”
echo -e “There is no check if this system is running CentOS 6.5. \nIf it is not running CentOS 6.5 this install will not work.”
echo -e “\n${RedBold}Internet connectivity${NoColour} is required to run this script. \nIf you are behind a proxy or need to alter connectivity settings in order to connect to the internet \npress CTRL + C now to abort and set this first. \nIf you are not sure if you have internet press CTRL + C all the same and first do a ping.”
echo -e “${RedBold}No information is being collected or sent.${NoColour}”
echo -e “${Green}press enter to continue${NoColour}”
read empty
echo -e “${Green}first a check for basic tools${NoColour}”
yum install -y wget vim
#############
#ask for basic info
#############
#Initiating vars
TopDomain=""
ServerName=""
ServerIpv4=""
ServerIpv6=""
AdminMail=""
ZabAg=""
VirtMin=""
while [ -z “$TopDomain” ];
do
echo -e “${Purple}Top Level Domain Name${NoColour}”
read TopDomain
done
while [ -z “$ServerName” ];
do
echo -e “Server ${Purple}Name${NoColour}”
read ServerName
done
iploop=""
while [[ ! “$iploop” =~ ^(n)$ ]];
do
echo -e “Server ${Purple}IP v4${NoColour}”
read ipvalue
echo “$ipvalue”
if valid_ip $ipvalue;
then
echo -e “IP is correct”
ServerIpv4="$ipvalue"
iploop=“n”
else
echo -e “ip is wrong”
fi
done
iploop=""

echo -e “Server ${Purple}IP v6 (leave blank if not available)${NoColour}”
read ServerIpv6
while [ -z “$AdminMail” ];
do
echo -e “Administrator (working) ${Purple}Email Address ${NoColour}(for logs, warnings, errors, …)”
read AdminMail
done
while [[ ! “$VirtMin” =~ ^(y|n|Y|N)$ ]];
do
echo -e “Install ${Purple}Virtualmin? ${NoColour}(y/n)”
read VirtMin
done
while [[ ! “$ZabAg” =~ ^(y|n|Y|N)$ ]];
do
echo -e “Install ${Purple}Zabbix Agent${NoColour} (Monitoring. Zabbix server required) (y/n)”
read ZabAg
done
echo -e “${Purple}Top Level Domain is $TopDomain”
echo -e “Server Name is $ServerName”
echo -e “IP v4 is $ServerIpv4”
echo -e “Server IP v6 is $ServerIpv6”
echo -e “Admin Email is $AdminMail”
echo -e “Installing Virtualmin: $VirtMin”
echo -e “Installing Zabbix Agent: $ZabAg ${NoColour}”
echo -e “Press enter if OK, CTRL + C if not”
read empty

#############
#ask for services, ports and protocols
#############
echo -e “${Purple}Which services will run? ${NoColour}”
echo -e “reminder: ssh (default 22), http (default 80), https (default 443), smtp (default 587, 465, 25), pop (default 110 995), zabbix (default 10050), snmp (default 161), webmin and virtualmin (default 10000), usermin (default 20000), dns (default 53, tcp and utp), whois (default 43), NTP (default 123)”
echo -e “\n SSH This port information will be written in the config files of the services if you write the services in lower case, according to the service name (do not include the D for deamon)”
echo -e “${Green}These ports will also be written in the firewall file made in /home/newuser/firewall.sh ${NoColour}”
echo -e “the firewall file executes iptables.”
echo -e “if you make a mistake here, see the firewall file and the service config file”

Begin services

declare -a ServicesList
declare -a ServicesPortList
declare -a ServicesProtList
i=“0”
doloop=""
while [[ ! “$doloop” =~ ^(y|n|Y|N)$ ]];
do
echo -e “${Purple}Add Service?${NoColour} (y/n)”
read doloop
done
if [ “$doloop” = “$Yes” ];
then

while [ "$doloop" = "$Yes" ]
do
    while [[ -z "${ServicesList[$i]}" ]];
    do
            echo -e "${Purple}Name of Service${NoColour}"
                    read ServicesList[$i]
    done
    while [[ ! "${ServicesPortList[$i]}" =~ ^[0-9]+$ ]];
    do
            echo -e "${Purple}Port of Service${NoColour}"
                    read ServicesPortList[$i]
    done
    while [[ ! "${ServicesProtList[$i]}" =~ ^(tcp|udp)$ ]];
    do
            echo -e "${Purple}Protocol of Service ${NoColour}(tcp or udp) (lower case)"
                    read ServicesProtList[$i]
    done
    i=$(( $i + 1 ))
    doloop=""
    while [[ ! "$doloop" =~ ^(y|n|Y|N)$ ]];
    do
        echo -e "${Purple}Add another Service?${NoColour} (y/n)"
        read doloop
    done
done

else
echo -e “${Red}no services will be added${NoColour}”
#######MAKE SSH DEFAULT => for config file of ssh => make if array contains ssh
fi

#############
#ask for accept all from certain IP’s
#############
doloop=""
echo -e “${Green}specific firewall ports open?${NoColour}”
while [[ ! “$doloop” =~ ^(y|n|Y|N)$ ]];
do
echo -e “${Purple}Add a server? ${NoColour}(y/n)”
read doloop
done
iServer=“0”
declare -a AddServerIP
declare -a AddServerIPDesc
declare -a AddServerIPPort
declare -a AddServerIPProt

if [[ ! “$doloop” =~ ^(n|N)$ ]];
then
while [[ ! “$doloop” =~ ^(n|N)$ ]]
do
while [[ -z “${AddServerIPDescr[$iServer]}” ]];
do
echo -e “${Purple}Give Server description${NoColour}”
read AddServerIPDescr[$iServer]
done
iploop=""
while [[ ! “$iploop” =~ ^(n)$ ]];
do
echo -e “${Purple}Give Server IP ${NoColour}(ipv4)”
read ipvalue
echo “$ipvalue”
if valid_ip $ipvalue;
then
echo -e “${Green}IP is correct${NoColour}”
AddServerIP[$iServer]="$ipvalue"
echo -e “written to array=: $ipvalue "
iploop=“n”
else
echo -e “${Red}ip is wrong${NoColour}”
fi
done
iploop=”"

    while [[ ! "${AddServerIPPort[$iServer]}" =~ ^[0-9]+$ ]];
    do
            echo -e "${Purple}Specific port ${NoColour}(enter 0 to open all ports)"
            read AddServerIPPort[$iServer]
    done
    if [ ${AddServerIPPort[$iServer]} != "0" ];
    then
            while [[ ! "${AddServerIPProt[$iServer]}" =~ ^(tcp|udp)$ ]];
            do
                    echo -e "${Purple}specific protocol${NoColour} (tcp or udp)"
                    read AddServerIPProt[$iServer]
            done
    fi
    iServer=$(( $iServer + 1 ))
    doloop=""
    while [[ ! "$doloop" =~ ^(y|n|Y|N)$ ]];
    do
            echo -e "${Purple}Add another Server?${NoColour} (y/n)"
            read doloop
    done
done

fi

#############
#setup users and root
#############
echo -e “${Red}change root password${NoColour}”
passwd root
echo -e "${Purple}New User${NoColour} "
read NewUser
useradd $NewUser
passwd $NewUser

Append after root line

##############Make sure to put a TAB sign after root!
sed -i ‘/root ALL*/a ‘"$NewUser"’ ALL=(ALL) ALL’ /etc/sudoers
#check if executed:
if grep -q $NewUser “/etc/sudoers”; then
echo -e “New User added to sudo”
else
echo -e “${Red}something went wrong. user was not added to sudoers file. Please abort.${NoColour}”
exit 1;

fi

#############
#Get Home IP
#############
echo -e “${Green}local (home) IP ${NoColour}”
echo -e “Adding a home IP to your security ensures you cannot lock yourself out of your server”
iploop=""
while [[ ! “$iploop” =~ ^(n)$ ]];
do
echo -e “${Purple}Give home IP ${NoColour}(ipv4)”
read ipvalue
echo “$ipvalue”
if valid_ip $ipvalue;
then
echo -e “${Green}IP is correct${NoColour}”
LocalHomeIp="$ipvalue"
iploop=“n”
else
echo -e “${Red}ip is wrong${NoColour}”
fi
done
iploop=""
#############
#set hostname
#############
echo -e “${Green} Changing Hostnames ${NoColour}”
hostname $ServerName.$TopDomain
sed -i ‘s/^HOSTNAME=*/HOSTNAME=$ServerName.$TopDomain/g’ /etc/sysconfig/network
echo $ServerIpv4 $ServerName.$TopDomain $ServerName >> /etc/hosts
echo $ServerIpv6 $ServerName.$TopDomain $ServerName >> /etc/hosts

#############
#Install EPEL
#############
echo -e “${Green}Installing EPEL…${NoColour}”
mkdir /tmp/epel
cd /tmp/epel
wget http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
if [ ! -f /etc/epel/epel-release-6-8.noarch.rpm];
then
echo “File not found! Attempt download again. To cancel, press ctrl+c”
wget http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
if [ ! -f /tmp/epel/epel-release-6-8.noarch.rpm];
then
echo “File not found! cannot continue without EPEL. Aborting.”
exit 1;
fi
else
rpm -ivh epel-release-6-8.noarch.rpm
rm -fr /tmp/epel
fi

#############
#Update all packages
#############
echo -e “${Green}Updating Packages…${NoColour}”
yum update -y

#############
#Install Fail2Ban
#############
echo -e “${Green}Installing Fail2Ban…${NoColour}”
yum install -y fail2ban
sed -i ‘s/^ignoreip = 127.0.0.1*/ignoreip = 127.0.0.1 ${LocalHomeIp}/g’ /etc/fail2ban/jail.conf
sed -i ‘s/maxretry = 3/maxretry = 5/g’ /etc/fail2ban/jail.conf

#############
#Install RKHUNTER
#############
echo -e “${Green}Installing RKHUNTER…${NoColour}”
yum install -y rkhunter

touch /etc/cron.daily/rkhunter.sh
echo "
#!/bin/sh
(
rkhunter --versioncheck
rkhunter --update
rkhunter --cronjob --report-warnings-only
) | /bin/mail -s ‘rkhunter Daily Run ($ServerName)’ $AdminMail
" > /etc/cron.daily/rkhunter.sh
chmod 755 /etc/cron.daily/rkhunter.sh

#############
#Install NCDU
#############
echo -e “${Green}Installing NCDU…${NoColour}”
yum install -y ncdu

#############
#Install LMD
#############
echo -e “${Green}Installing LMD…${NoColour}”
mkdir /tmp/lmd
cd /tmp/lmd
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
if [ ! -f /tmp/lmd/maldetect-current.tar.gz ];
then
echo “File not found! Attempt download again. To cancel, press ctrl+c”
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
if [ ! -f /tmp/lmd/maldetect-current.tar.gz];
then
echo “File not found! continuing without Linux Malware Detect. To install later, please visit http://www.rfxn.com/downloads/maldetect-current.tar.gz”
fi
else

tar xfz maldetect-current.tar.gz
cd maldetect-*
./install.sh
rm -fr /tmp/lmd
sed -i 's/email_alert=0/email_alert=1/g' /usr/local/maldetect/conf.maldet
sed -i 's/email_addr="you@domain.com"/email_addr="monitor@fraksken.be"/g' /usr/local/maldetect/conf.maldet
sed -i 's/quar_hits=0/quar_hits=1/g' /usr/local/maldetect/conf.maldet

fi

#############
#SSH
#############
echo -e “${Green}Configuring SSHD…${NoColour}”
ValueSSH=“ssh”
sshcounter=“0”
for sshname in “${ServicesList[@]}”
do
if [ “$sshname” = “$ValueSSH” ] ; then
echo -e “${Green} Found ${NoColour}”
echo “value in $sshcounter”
endvalue=$sshcounter
echo -e “${Green}The SSH port number is stored in $endvalue and is port ${ServicesPortList[$endvalue]} ${NoColour}”
sed -i ‘s/"#Port 22"/“Port ${ServicesPortList[$endvalue]}”/g’ /etc/ssh/sshd_config
else
echo “parsing”
sshcounter=$(( $sshcounter + 1 ))
echo “counting $sshcounter”
fi
done

####### does not work
#######
sed -i ‘s/#LoginGraceTime 2m/LoginGraceTime 30/g’ /etc/ssh/sshd_config
sed -i ‘s/#PermitRootLogin yes/PermitRootLogin no/g’ /etc/ssh/sshd_config
sed -i ‘s/#MaxAuthTries 6/MaxAuthTries 5/g’ /etc/ssh/sshd_config
sed -i ‘s/MaxAuthTries 5/a AllowUsers $NewUser/’ /etc/ssh/sshd_config
echo -e “${Green}sshd config file changed.${NoColour}”

#############
#firewall
#############
echo -e “${Green}Creating IPTables Firewall…${NoColour}”
touch /home/$NewUser/firewall.sh
echo -n “#!/bin/bash
service iptables start
iptables -F” >> /home/$NewUser/firewall.sh
i2=“0”
while [ “$i2” -lt “$i” ]
do
echo -n "
iptables -A INPUT -p " >> /home/$NewUser/firewall.sh
printf “%s” “${ServicesProtList[$i2]}” >> /home/$NewUser/firewall.sh
echo -n “–dport " >> /home/$NewUser/firewall.sh
printf “%s” “${ServicesPortList[$i2]}” >> /home/$NewUser/firewall.sh
echo -n " -j ACCEPT #” >> /home/$NewUser/firewall.sh
printf “%s\n” “${ServicesList[$i2]}” >> /home/$NewUser/firewall.sh
i2=$(( $i2 + 1 ))
done
if [ -n “$LocalHomeIp” ]; then
echo -n "
iptables -A INPUT -s $LocalHomeIp -j ACCEPT #Home
" >> /home/$NewUser/firewall.sh
fi
iServer2=“0”
while [ “$iServer2” -lt “$iServer” ]
do
echo -n "
iptables -A INPUT -s " >> /home/$NewUser/firewall.sh
if [ “${AddServerIPPort[$iServer2]}” = “0” ];
then
echo -n "
iptables -A INPUT -s "
printf “%s” “${AddServerIP[$iServer2]}” >> /home/$NewUser/firewall.sh
echo -n " -j ACCEPT #"
printf “%s\n” “${AddServerIPDesc[$iServer2]}” >> /home/$NewUser/firewall.sh
else
echo -n "
iptables -A INPUT -s "
printf “%s” “${AddServerIP[$iServer2]}” >> /home/$NewUser/firewall.sh
echo -n " -p "
printf “%s” “${AddServerIPProt[$iServer2]}” >> /home/$NewUser/firewall.sh
echo -n " --dport "
printf “%s” “${AddServerIPPort[$iServer2]}” >> /home/$NewUser/firewall.sh
echo -n " -j ACCEPT #"
printf “%s\n” “${AddServerIPDesc[$iServer2]}” >> /home/$NewUser/firewall.sh
fi
iServer2=$(( $iServer2 + 1 ))
done
echo -n “iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/service iptables save
iptables -L -v” >> /home/$NewUser/firewall.sh
chmod 755 /home/$NewUser/firewall.sh
/home/$NewUser/firewall.sh

#############
#Disable Single User Mode
#############
echo -e “${Green}Disabling Single User Mode…${NoColour}”
sed -i ‘s/SINGLE=/sbin/sushell/SINGLE=/sbin/sulogin/’ /etc/sysconfig/init
touch /tmp/out
echo “su:S:wait:/sbin/sulogin”|cat - /etc/inittab > /tmp/out && mv /tmp/out /etc/inittab

#############
#Install LYNIS
#############
echo -e “${Green}Installing LYNIS…${NoColour}”
mkdir /tmp/lynis
cd /tmp/lynis
wget http://cisofy.com/files/lynis-1.5.2.tar.gz
if [ ! -f /tmp/lynis/lynis-1.5.2.tar.gz];
then
echo “File not found! Attempt download again. To cancel, press ctrl+c”
wget http://cisofy.com/files/lynis-1.5.2.tar.gz
if [ ! -f /tmp/lynis/lynis-1.5.2.tar.gz];
then
echo “File not found! continuing without LYNIS. To install later, please visit http://cisofy.com/files/”
fi
else
tar xvfvz lynis-*.tar.gz -C /opt
rm -fr /tmp/lynis
fi

#############
#INSTALL LOGWATCH And TCPDUMP
#############
echo -e “${Green}Installing LOGWATCH and TCPDUMP…${NoColour}”
yum install –y logwatch tcpdump

Asks anyway and halts

sed -i ‘s/^MailTo*/MailTo = $AdminMail/g’ /usr/share/logwatch/default.conf/logwatch.conf
sed -i ‘s/^MailFrom*/MailFrom = Logwatch@$ServerName.$TopDomain/g’ /usr/share/logwatch/default.conf/logwatch.conf
sed -i ‘s/^Detail*/Detail = Med’ /usr/share/logwatch/default.conf/logwatch.conf
sed -i ‘s/Service = “-zz-network”/#Service = “-zz-network”/g’ /usr/share/logwatch/default.conf/logwatch.conf
sed -i ‘s/Service = “-zz-sys” /#Service = “-zz-sys”/g’ /usr/share/logwatch/default.conf/logwatch.conf
sed -i ‘s/Service = “-eximstats”/#Service = “-eximstats”/g’ /usr/share/logwatch/default.conf/logwatch.conf
#####Sed: -e expression #1, char 23: unterminated ‘s’ command

#############
#INSTALL Virtualmin
#############
echo -e “${Green}Installing VirtualMin${NoColour}”
if [[ ! “$VirtMin” =~ ^(n|N)$ ]];
then
mkdir /tmp/virtmin
cd /tmp/virtmin
wget http://software.virtualmin.com/gpl/scripts/install.sh
if [ ! -f /tmp/virtmin/install.sh];
then
echo “File not found! Attempt download again. To cancel, press ctrl+c”
wget http://software.virtualmin.com/gpl/scripts/install.sh
if [ ! -f /tmp/virtmin/install.sh];
then
echo “File not found! continuing without VIRTUALMIN. To install later, please visit virtualmin.com”
fi
else
chmod 777 /tmp/virtmin/install.sh
/tmp/virtmin/install.sh
echo -e “change VirtualMin ports”
read VirtMinCh
rm -fr /tmp/virtmin
if [ “$VirtMinCh” = “$Yes” ];
then
while [[ ! “$VirtMinPort” =~ ^[0-9]+$ ]];
do
echo -e “New Virtualmin Port nr${NoColour}(y/n)”
read VirtMinPort
done
sed -i ‘s/^port=/port=$VirtMinPort/g’ /etc/webmin/miniserv.conf
sed -i 's/^listen=/listen=$VirtMinPort/g’ /etc/webmin/miniserv.conf

/etc/usermin/miniserv.conf

        fi
    fi

fi
############ If installed virtualmin => set versions to empty
############The main port for Virtualmin/Webmin is in /etc/webmin/miniserv.conf, entry “port”. The other entry with the default port 10000, “listen”, applies to the UDP broadcast “search for Webmins” function.
############The port for Usermin is in /etc/usermin/miniserv.conf, entry “port”.

#############
#INSTALL ZABBIX Agent
#############
echo -e “${Green}Installing Zabbix Agent ${NoColour}”
if [[ ! “$ZabAg” =~ ^(n|N)$ ]];
then
echo -e “prepairing packages for installing zabbix 2.2.5 agent”
mkdir /tmp/zabbix
cd /tmp/zabbix
wget http://repo.zabbix.com/zabbix/2.2/rhel/6/x86_64/zabbix-2.2.5-1.el6.x86_64.rpm
if [ ! -f /tmp/zabbix/zabbix-2.2.5-1.el6.x86_64.rpm];
then
echo “File not found! Attempt download again. To cancel, press ctrl+c”
wget http://repo.zabbix.com/zabbix/2.2/rhel/6/x86_64/zabbix-2.2.5-1.el6.x86_64.rpm
if [ ! -f /tmp/zabbix/zabbix-2.2.5-1.el6.x86_64.rpm];
then
echo “File not found! cannot continue without file. Abort”

            fi
        else
            wget http://repo.zabbix.com/zabbix/2.2/rhel/6/x86_64/zabbix-agent-2.2.5-1.el6.x86_64.rpm
            if [ ! -f /tmp/zabbix/zabbix-agent-2.2.5-1.el6.x86_64.rpm];
                then
                    echo "File not found! Attempt download again. To cancel, press ctrl+c"
                    wget http://repo.zabbix.com/zabbix/2.2/rhel/6/x86_64/zabbix-agent-2.2.5-1.el6.x86_64.rpm
                    if [ ! -f /tmp/zabbix/zabbix-agent-2.2.5-1.el6.x86_64.rpm];
                        then
                            echo "File not found! cannot continue without file. Abort"
                          
                    fi
            else
                wget http://repo.zabbix.com/zabbix/2.2/rhel/6/x86_64/zabbix-get-2.2.5-1.el6.x86_64.rpm
                if [ ! -f /tmp/zabbix/zabbix-get-2.2.5-1.el6.x86_64.rpm];
                    then
                        echo "File not found! Attempt download again. To cancel, press ctrl+c"
                        wget http://repo.zabbix.com/zabbix/2.2/rhel/6/x86_64/zabbix-get-2.2.5-1.el6.x86_64.rpm
                        if [ ! -f /tmp/zabbix/zabbix-get-2.2.5-1.el6.x86_64.rpm];
                            then
                                echo "File not found! cannot continue without file. Abort"
                                
                        fi
                else
                echo -e "files successfully downloaded"
                echo -e "installing rpms"
                rpm -ivh zabbix-2.2.5-1.el6.x86_64.rpm zabbix-agent-2.2.5-1.el6.x86_64.rpm zabbix-get-2.2.5-1.el6.x86_64.rpm
                fi
            fi
    fi
    
else
echo -e "${Red}skipping Zabbix Agent Install${NoColour}"

fi
echo -e “${Green}finish${NoColour}”
exit
#At absolute end of script, before executing all securiçty checks:

if ssh = 1 sed -i …

#/etc/fail2ban/jail.conf
#mailto monitor@fraksken.be
#chkconfig --level 23 fail2ban on
#service fail2ban start

#FINAL SECURITY CHECK
rkhunter --update
rkhunter --propupd
/opt/lynis-*/lynis --check-all -Q[/code]

Howdy,

That’s a nice guide you have there! I just wanted to mention regarding your comment “CentOS 7 is not supported” – Virtualmin does support CentOS 7 actually. You are welcome to use Virtualmin on that distro/version.

-Eric

Great! But since most commands are different, this guide cannot be blindly used.

Now I have to consider reinstalling my new server before it goes live…

My previous reply has a partly automated script inside, but it does not want to show. Did I do something wrong?

Thanks! Although it is an old post, i would like to thank you for it