Posted by AlexLewisLnk on 2006-08-28

Hardening CentOS 3 for Check Point NGX
I used the following steps to "harden" the CentOS 3 operating system after installing with a "Minimal" install. This is using the CentOS 3.8 i386 ServerCD. These are minimal hardening steps. I know there are probably a few more things that can be done to secure the OS.

Note: CentOS is not a supported OS for NGX. This information is only provided for the purpose of demonstrating and testing NGX in the RHEL environment without having to purchase RHEL. I do not recommend installing NGX on CentOS for your production firewall.

Configure and run yum
Use the yum system update utility to install updated packages for CentOS 3.
For this part you will need to be connected to the internet. Make sure you are protected by a firewall.

Import the CentOS public key into your GPG keyring.
rpm --import /usr/share/doc/centos-release-3/RPM-GPG-KEY-CentOS-3
Update your system to the latest packages.
yum -y update

Disabling services
There are several services running by default that may be safely disabled.
for SERVICE in apmd atd autofs cups gpm ip6tables iptables isdn kudzu \
mdmonitor netfs nfslock pcmcia portmap rhnsd sendmail xinetd
do
/sbin/chkconfig $SERVICE off
done

Configuring OpenSSH server
Disable protocol 1 and root login. I also prefer to change ssh to run on port 922 instead of 22, for a little added security.
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.original

sed -e 's/#Port 22/Port 922/' \
-e 's/#Protocol 2,1/Protocol 2/' \
-e 's/#PermitRootLogin yes/PermitRootLogin no/' \
-e 's/#Banner \/some\/path/Banner \/etc\/issue.net/' \
/etc/ssh/sshd_config > /etc/ssh/newsshd_config

mv -f /etc/ssh/newsshd_config /etc/ssh/sshd_config

Disable zeroconf route
The /etc/sysconfig/network-scripts/ifup script adds a "zeroconf" route for 169.254.0.0.
echo "NOZEROCONF=yes" >> /etc/sysconfig/network

Create administrator user
This will be the user normally used for login, then su to root as needed.
groupadd admin
useradd -g admin admin
passwd admin

Change login banners
echo "
Access to this system is monitored.
Any unauthorized access or attempted access may be prosecuted.
" > /etc/issue
/bin/cp /etc/issue /etc/issue.net
echo "
Your access to this system has been logged and reported to Security personnel.
" > /etc/motd

Remove iptables
Since we are installing the Check Point firewall, these are not needed (we also do not want them to interfere with the Check Point firewall if accidentally activated).
yum -y remove iptables iptables-ipv6

Reboot and install Check Point NGX according to instructions for installing on RHEL 3.

Remember that ssh access will only be possible on port 922. Also note that the iptables firewall is no longer installed so make sure you are not directly connected to an unsecure network until Check Point is installed and configured.

Last edited by AlexLewisLnk; 2007-04-02 at 12:46.
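
An added example (not part of the original post): a shell check that the four sshd_config settings from the sed step are actually in effect, because a sed expression whose pattern does not match the stock file changes nothing and reports no error. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. sshd uses the first value it
# reads for a keyword, and keywords are case-insensitive.

# effective_value FILE KEYWORD: print the first uncommented value, if any.
effective_value() {
    awk -v want="$2" '
        /^[ \t]*(#|$)/ { next }    # skip comments and blank lines
        tolower($1) == tolower(want) {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }' "$1"
}

# check_sshd_config FILE: return 0 only if all four settings are in effect.
# Port may be listed more than once; only the first entry is compared here.
check_sshd_config() {
    file=$1; rc=0
    while read -r key expected; do
        actual=$(effective_value "$file" "$key")
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH $key: want '$expected', found '${actual:-<not set>}'"
            rc=1
        fi
    done <<EOF
Port 922
Protocol 2
PermitRootLogin no
Banner /etc/issue.net
EOF
    return $rc
}

# Constructed sample: the stock file had "#Protocol 2" instead of
# "#Protocol 2,1", so that sed expression matched nothing.
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' 'Port 922' '#Protocol 2' 'PermitRootLogin no' \
        'Banner /etc/issue.net' > "$tmp"
    check_sshd_config "$tmp"; st=$?
    rm -f "$tmp"
    return $st
}
demo || echo "sshd_config needs manual correction"
```

Run `check_sshd_config /etc/ssh/sshd_config` before restarting sshd, while the existing session is still open.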