Hardening CentOS 3 for Check Point NGX

[AlexLewisLnk]

Hardening CentOS 3 for Check Point NGX
I used the following steps to "harden" the CentOS 3 operating system after installing with a "Minimal" install. This is using the CentOS 3.8 i386 ServerCD. These are minimal hardening steps. I know there are probably a few more things that can be done to secure the OS.

Note: CentOS is not a supported OS for NGX. This information is only provided for the purpose of demonstrating and testing NGX in the RHEL environment without having to purchase RHEL. I do not recommend installing NGX on CentOS for your production firewall.

Configure and run yum
Use yum system update utility to install updated packages for CentOS 3.
For this part you will need to be connected to the internet. Make sure you are protected by a firewall.

Import the CentOS public key into your GPG keyring.

rpm --import /usr/share/doc/centos-release-3/RPM-GPG-KEY-CentOS-3

Update your system to the latest packages.

yum -y update

Disabling services
There are several services running by default that may be safely disabled.

for SERVICE in apmd atd autofs cups gpm ip6tables iptables isdn kudzu \
mdmonitor netfs nfslock pcmcia portmap rhnsd sendmail xinetd
do
/sbin/chkconfig $SERVICE off
done

Configuring OpenSSH server
Disable protocol 1 and root login. I also prefer to change ssh to run on port 922 instead of 22, for a little added security.

cp /etc/ssh/sshd_config /etc/ssh/sshd_config.original

sed -e 's/#Port 22/Port 922/' \
's/#Protocol 2,1/Protocol 2/' \
-e 's/#PermitRootLogin yes/PermitRootLogin no/' \
-e 's/#Banner \/some\/path/Banner \/etc\/issue.net/' \
/etc/ssh/sshd_config > /etc/ssh/newsshd_config

mv -f /etc/ssh/newsshd_config /etc/ssh/sshd_config

Disable zeroconf route
The /etc/sysconfig/network-scripts/ifup script adds a "zeroconf" route for 169.254.0.0.

echo "NOZEROCONF=yes" >> /etc/sysconfig/network

Create administrator user
This will be the user normally used for login, then su to root as needed.

groupadd admin
useradd -g admin admin
passwd admin

Change login banners.

echo "
Access to this systems is monitored.
Any unauthorized access or attempted access may be prosecuted.
" > /etc/issue
/bin/cp /etc/issue /etc/issue.net
echo "
Your access to this system has been logged and reported to Security personnel.
" > /etc/motd

Remove iptables
Since we are install the Check Point firewall these are not needed (we also do not want the to interfere with Check Point firewall if accidentally activated).

yum -y remove iptables iptables-ipv6

Reboot and install Check Point NGX according to instructions for installing on RHEL 3.

Remember that ssh access will only be possible on port 922. Also note that the iptables firewall is no longer installed so make sure you are not directly connected to an unsecure network until Check Point is installed and configured.

[stuartgreen]

not trying to put too much of a dampener on your useful guide, but CentOS isn't exactly a supported platform for Check Point. RHEL based yes but CP probably wouldn't offer any help with it at all!

[stancounty]

Thanks for this. We too are looking at CentOS as a useful alternative for our lab\training environment. In production we run SPLAT. However, in the lab, this particular off-the-shelf hardware (it's just a Shuttle machine with one onboard and one two port Intel NIC ) seems to have issues with SPLAT. It starts to run the installer and then just reboots. Hardware problems? Perhaps...but every Linux distro I throw on it runs just fine.

We're looking for a method to run a CP NGX R65 setup in our lab for a limited period of time (with Checkpoints licensing and the expense, it's unfortunate, but we couldn't afford to license our lab environment on a full-time basis). I wish Checkpoint would loosen up their licensing to support a non-production environment at little or no cost. As it is, if I recall, I can get 15 days of unlimited use out of the product if I don't register the system. If I register with Checkpoint, that can be bumped to 30 days, but then I'd not be able to use the provided certificate keys ever again...even if I reinstall. Anyone have any experience with this particular aspect of licensing?

In any case, just want to get some experience with NGX R65 before we take the plunge and upgrade our Gateways and SmartCenter Server from NG to NGX.

Thanks in Advance...

-Stancounty