Derwynd's Weblog

Security Section

In general, many new Linux system administrators create only two partitions, / (root) and swap, for the entire hard drive. This is really a bad idea. You always need to consider the following points:
-Performance
-Security
-Stability
-Backup

Let us assume you have a 120 GB SCSI hard disk with / and swap partitions only. Then along comes a user (internal, external, or an attacker who has obtained an account) and runs something which eats up the whole hard disk (a DoS attack). For example, consider the following tiny script that such a user can run in the /tmp directory:

#!/bin/sh
# Each run writes a copy of the bash manual into a fresh file under /tmp
# and then starts itself again, so the directory fills until the disk is full.
man bash > "$(mktemp)"
$0

Anyone can run the above script via cron (if allowed), or even with the nohup command:
$ nohup bad-script &
The result is disaster: your entire file system comes under denial of service, because /tmp, /var, /home and / all compete for the same free space, and unless disk quotas are enforced on that single file system nothing limits the user. One Linux sysadmin created only two partitions; later a poorly written application ate up all the space in /var/log. The end result was a memo for him, as he had not followed the internal docs that set out the partition layout for client servers.

You can create partitions as follows:
/ – Root partition
/home – Users home directory
/usr – Linux/BSD binary programs are installed here
/tmp – Temporary files partition
/var – Stores files which keep changing size, e.g. log, or squid caching files

If you don’t have partitions like this then the following attacks can take place:
1. Denial of service against disk space (the script above is the example)
2. Users can download or compile programs in /tmp or /home, and any SUID bit on them (or on a binary an attacker plants there) is honoured by the kernel
3. Performance tuning per file system is not possible

However, these attacks can be mitigated by adding the following options to the relevant entries in the /etc/fstab file:
nosuid – Ignore SUID/SGID bits on this partition
nodev – Do not interpret character or block special devices on this partition
noexec – Do not allow direct execution of any binaries on this partition (this does not stop a script being fed to an interpreter, e.g. sh /tmp/script, so treat it as one layer rather than a complete block)
ro – Mount the file system read-only
usrquota (and/or grpquota) – Enable disk quotas on the file system; the quota tools look for these words in fstab
Please note that the above options apply per file system, so they can only be set if you have separate partitions. Make sure you create the partitions as above with these options set on each:
/home – Set nosuid and nodev, plus usrquota for disk quotas
/usr – Set nodev
/tmp – nodev, nosuid and noexec must all be enabled
/var – Set nosuid and nodev (nothing in /var should be a device or setuid)

For example, the /etc/fstab entries for these partitions could look as follows (device names will differ; here sda4 is the extended partition holding the logical ones, and the last two fields are the dump flag and fsck pass number, 1 1 for root and 1 2 for the rest):
/dev/sda1 /     ext3 defaults                        1 1
/dev/sda2 /home ext3 defaults,nosuid,nodev,usrquota  1 2
/dev/sda3 /usr  ext3 defaults,nodev                  1 2
/dev/sda5 /tmp  ext3 defaults,nosuid,nodev,noexec    1 2
/dev/sda6 /var  ext3 defaults,nosuid,nodev           1 2
Do not put nosuid, nodev, noexec or ro on the root file system: su, sudo and passwd need setuid, and on a system whose /dev lives on the root file system nodev there would leave you with no usable devices.

For more info please read man pages of fstab, mount, fdisk.
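The check a practitioner would want after setting this up, written as an added example (it is not code from the original post): a POSIX shell script that reads an fstab-format file and reports, per mount point, which of the options recommended above are missing. The policy table in required_opts, the function names and the sample fstab built inline are assumptions for this illustration; run audit_fstab against the real /etc/fstab, or against /proc/mounts, which has the same first four columns, to check what is actually in effect.

```shell
#!/bin/sh
# Audit an fstab-format file (or /proc/mounts, same first four columns)
# against the per-partition mount options recommended above.

# Policy table (an assumption for this example): mount point -> required options.
required_opts() {
    case "$1" in
        /tmp)  echo "nosuid,nodev,noexec" ;;
        /home) echo "nosuid,nodev" ;;
        /var)  echo "nosuid,nodev" ;;
        /usr)  echo "nodev" ;;
        *)     echo "" ;;               # no policy for other mount points
    esac
}

# has_opt OPTS OPT: succeed if OPT is one whole entry of the comma list OPTS
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_fstab FILE: print "MOUNTPOINT missing: opt [opt...]" for each entry
# that lacks a required option; print nothing and return 0 when all is well,
# return 1 when something was missing.
audit_fstab() {
    rc=0
    while read -r dev mnt fstype opts dump pass; do
        case "$dev" in ''|'#'*) continue ;; esac   # skip blanks and comments
        want=$(required_opts "$mnt")
        [ -n "$want" ] || continue
        missing=""
        oldifs=$IFS; IFS=,
        for o in $want; do
            has_opt "$opts" "$o" || missing="$missing $o"
        done
        IFS=$oldifs
        if [ -n "$missing" ]; then
            echo "$mnt missing:$missing"
            rc=1
        fi
    done < "$1"
    return $rc
}

# Constructed sample fstab (not from a real system): /tmp lacks noexec and
# /var has no hardening at all, so both should be reported.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample
/dev/sda1 /     ext3 defaults                        1 1
/dev/sda2 /home ext3 defaults,nosuid,nodev,usrquota  1 2
/dev/sda3 /usr  ext3 defaults,nodev                  1 2
/dev/sda5 /tmp  ext3 defaults,nosuid,nodev           1 2
/dev/sda6 /var  ext3 defaults                        1 2
EOF
audit_fstab "$SAMPLE" || echo "fstab hardening gaps found (see above)"
rm -f "$SAMPLE"
```

The sample run reports "/tmp missing: noexec" and "/var missing: nosuid nodev" and exits non-zero, so the function can be dropped into a cron job or a post-install check.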

Apply the Secure Linux Kernel Patch from http://www.openwall.com/linux. Read the directions to install the diff.
Don’t forget to make the changes under performance.
Turn OFF all the stuff you don’t need. This includes Telnet (you aren’t using telnet, are you?), NFS and a bunch of other services that come enabled in a default install.
Stop SYN floods dead:
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
Add this to your /etc/rc.d/rc.local file, or set net.ipv4.tcp_syncookies = 1 in /etc/sysctl.conf so it survives reboots.
Stop hostname spoofing: edit /etc/host.conf and add the following lines:
#Check for IP address spoofing.
nospoof on
Note that this only makes the resolver cross-check reverse and forward DNS lookups (a spoofed PTR record can no longer satisfy a hostname-based access check, which is what rlogin and rsh rely on); it does nothing against spoofed source IP addresses on the wire. For those, enable reverse-path filtering with net.ipv4.conf.all.rp_filter = 1 in /etc/sysctl.conf.
Set the immutable bit (chattr +i) on the password and shadow files. Of course you will have to unset these bits (chattr -i) to change passwords, add users etc., so do this after your system is stable.
Block su access: edit /etc/pam.d/su and add the following two lines to the top of the file:
auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=wheel
This means that only users in the wheel group can use su (root itself is let through by pam_rootok). Add the users who need it to this group:
usermod -G10 username
Group 10 is wheel on Red Hat-style systems (check /etc/group). Beware that -G replaces the user’s whole list of supplementary groups; on shadow-utils versions that support it, usermod -a -G wheel username appends instead.
I changed my /etc/fstab as follows:
/dev/sda5 /tmp ext2 nosuid,nodev,noexec 1 2
This was to make /tmp safer. Of course your device name will be different.
I don’t like having my shell commands living forever (of course this doesn’t matter if no one has ssh access but you; you are using ssh, if not you don’t have security).
Edit /etc/profile and change the following line to:
HISTFILESIZE=20
Users can still override this in their own dotfiles, so it limits accidents rather than a determined user.
Change permissions on the /etc/rc.d/init.d scripts:
chmod -R 700 /etc/rc.d/init.d/
Edit the /etc/nsswitch.conf file to eliminate all references to NIS. Why would you use NIS unless required?

November 10, 2008 Posted by derwynd | Uncategorized | Comments Off

Add multiple Users with the same passwd

#!/usr/bin/perl -w
use strict;
use Crypt::PasswdMD5;    # provides unix_md5_crypt()

# This will ask you for a password once; all users will get the same password.
print "Enter Password: ";
chomp( my $Passwd = <STDIN> );
die "Empty password refused\n" unless length $Passwd;

# Please create a file /root/username.txt that has all usernames, one per line
open( my $userfile, '<', '/root/username.txt' )
    || die "Cannot open username file: $!";
my @users = sort grep { length } map { chomp; $_ } <$userfile>;
close($userfile);

# Characters allowed in a crypt(3) salt
my @saltchars = ( 'a' .. 'z', 'A' .. 'Z', '0' .. '9', '.', '/' );

# Starting for loop to add users
foreach my $u (@users) {
    # Only accept sane usernames; anything else is skipped, not passed on.
    unless ( $u =~ /^[a-z_][a-z0-9_-]*$/ ) {
        warn "Skipping invalid username '$u'\n";
        next;
    }

    # A fresh 8-character salt per user, so the identical passwords still
    # produce different hashes in /etc/shadow.
    my $salt = join '', map { $saltchars[ rand @saltchars ] } 1 .. 8;
    my $cryptedPasswd = unix_md5_crypt( $Passwd, $salt );

    # List-form system() runs no shell, so the '$' signs in the hash and the
    # username cannot be interpreted as shell syntax.
    if ( system( 'useradd', '-m', '-d', "/home/$u", $u ) != 0 ) {
        warn "useradd failed for $u\n";
        next;
    }
    # Note: the hash is briefly visible in the process list while usermod runs.
    system( 'usermod', '-p', $cryptedPasswd, $u ) == 0
        or warn "usermod failed for $u\n";

    print "Username is $u, using password hash $cryptedPasswd\n\n";
}

November 10, 2008 Posted by derwynd | Uncategorized | Comments Off

Steps for installing Linux over Network with PXE and tftpboot setup – Centos


Scenario
========
To set up an NFS server containing the CentOS4 customized distro and then boot via
a PXE bootrom on the client side to get the required info for installing the OS via
kickstart.

Step 1: DHCP server setup
==========================
- Install the dhcp server rpms
dhcp-devel-3.0.1-12_EL.centos4
dhcp-3.0.1-12_EL.centos4

- Create the /etc/dhcpd.conf file with the following configuration:

ddns-update-style none;
ignore client-updates;
allow booting;
allow bootp;
authoritative;

subnet 192.168.0.0 netmask 255.255.255.0 {

    option routers                  192.168.0.1;
    option subnet-mask              255.255.255.0;
    option broadcast-address        192.168.0.255;
    option domain-name              "example.com";
    option domain-name-servers      192.168.0.1;
    option time-offset              -18000; # Eastern Standard Time
    range dynamic-bootp 192.168.0.127 192.168.0.130;
    default-lease-time 21600;
    max-lease-time 43200;

    class "pxeclients" {
        match if substring(option vendor-class-identifier, 0, 9) = "PXEClient";
        next-server 192.168.0.120;
        filename "linux-install/pxelinux.0";
    }
}

- chkconfig --level 2345 dhcpd on
- service dhcpd restart

STEP 2: Configure NFS server
============================

- I have copied the base dir of the distro (i.e. CD 1, and into its RPMS folder all the rpms of the remaining CDs 2, 3, 4...) to the /data dir. In my case I called it the
"custom-install" dir.
- Edit /etc/exports and add the following line. The install tree only needs to be read, so export it read-only and only to the install subnet; exporting it as *(rw,sync,no_root_squash) lets any host that can reach the server modify the packages and kickstart that every new machine installs from.
/data/custom-install        192.168.0.0/24(ro,sync)
- service nfs restart
- service portmap restart

For security purposes, edit /etc/hosts.allow and /etc/hosts.deny to limit
connections to specific IP addresses.
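Because the install tree and its ks.cfg are served to whoever can reach the NFS server, the export line is worth checking mechanically. The following POSIX shell script is an added example, not part of the original post or of CentOS: audit_exports reads an /etc/exports-format file and flags any export that is open to everyone (client *), writable (rw) or has root squashing disabled (no_root_squash). The function name and the two-line sample it builds inline, which contrasts a wide-open export with a read-only, subnet-restricted one, are assumptions for this illustration.

```shell
#!/bin/sh
# Audit an /etc/exports-format file for exports that are wider than an
# install tree needs. A line is reported when the client is "*" (everyone),
# the options contain "rw", or "no_root_squash" is set.
# Output: one "LINENO: PATH: reason[,reason]" line per offending export.
# Returns 1 if anything was reported, 0 if the file is clean.
audit_exports() {
    file=$1
    rc=0
    n=0
    while read -r line; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
        set -f                                      # no globbing of "*" below
        set -- $line
        set +f
        path=$1
        shift
        for spec in "$@"; do                        # each word is client(options)
            client=${spec%%\(*}
            opts=${spec#*\(}
            opts=${opts%\)}
            [ "$spec" = "$client" ] && opts=""      # no "(...)": default options
            reasons=""
            [ "$client" = "*" ] && reasons="$reasons,exported-to-everyone"
            case ",$opts," in *",rw,"*) reasons="$reasons,rw" ;; esac
            case ",$opts," in *",no_root_squash,"*) reasons="$reasons,no_root_squash" ;; esac
            if [ -n "$reasons" ]; then
                echo "$n: $path: ${reasons#,}"
                rc=1
            fi
        done
    done < "$file"
    return $rc
}

# Constructed sample (not a real /etc/exports): the first line is the kind of
# export to avoid for an install tree, the second is the tightened form.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
/data/custom-install        *(rw,sync,no_root_squash)
/data/custom-install        192.168.0.0/24(ro,sync)
EOF
audit_exports "$SAMPLE" || echo "tighten the exports above before booting clients"
rm -f "$SAMPLE"
```

On the sample the script prints "1: /data/custom-install: exported-to-everyone,rw,no_root_squash" and says nothing about the second line; run it against the real /etc/exports after editing and before the first client boots.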

STEP 3: Configure TFTP server
==============================
- Install the syslinux, redhat-config-netboot, and tftp-server rpms
- Enable the tftp server in /etc/xinetd.d/tftp by changing the "disable" line from
"yes" to "no."
- chkconfig --level 345 tftp on
- service xinetd restart
- Next step is to copy the files necessary to start the installation to the tftp
server so they can be found when the client requests them. The tftp server is
usually the same server as the network server exporting the installation tree.

- Type system-config-netboot at the command prompt
- The first time you start it, select "Network Install" from the First Time Druid
OR

select Configure => Network Installation from the pulldown menu, and then click Add.

Enter the following in the fields:

- Operating system identifier - CentOS4

Provides a unique name using one word to identify the Linux version and variant. It
is used as the directory name in the /tftpboot/linux-install/ directory.

- Description - CentOS4 install

- Select Protocol for installation - NFS

- Kickstart - nfs:192.168.0.120:/data/custom-install/ks.cfg - Path to your kickstart
file

- Server IP address - 192.168.0.120 - where your NFS server resides

- Location - /data/custom-install

- After clicking OK, the initrd.img and vmlinuz files necessary to boot the
installation program are transferred from images/pxeboot/ in the provided
installation tree to /tftpboot/linux-install/<os-identifier>/ on the tftp server,
where <os-identifier> is the operating system identifier given above (CentOS4 here).

- The Directory /tftpboot/linux-install/CentOS4 contains 3 files

initrd.img
vmlinuz
ks.cfg

- Contents of the ks.cfg are as follows
#use NFS installation media
nfs --server 192.168.0.120 --dir /data/custom-install

In this way you can create a menu for installing different Linux OSes by
specifying a different operating system identifier for each and pointing them at different dirs.

Using the command line tool pxeos to do the above (the placeholders stand for the same fields entered in the GUI above):

pxeos -a -i "<description>" -p <NFS|HTTP|FTP> -D 0 -s client.example.com -L <net-location> -k <kernel> -K <kickstart> <os-identifier>

Substitute the respective values (the description, protocol, server, location, kernel, kickstart path and identifier entered in the fields above).

STEP 4: Editing the default tftpboot server files
==================================================

Edit the /tftpboot/linux-install/pxelinux.cfg/default file and make the required
changes as shown below:

default centos
timeout 100
prompt 1
display msgs/boot.msg
F1 msgs/boot.msg
F2 msgs/general.msg
F3 msgs/expert.msg
F4 msgs/param.msg
F5 msgs/rescue.msg
F7 msgs/snake.msg

label centos
kernel CentOS4/vmlinuz
append initrd=CentOS4/initrd.img ramdisk_size=7000 ks=nfs:192.168.0.120:/data/custom-install/ks.cfg

The whole append line must stay on one line: pxelinux does not join continuation lines, and a ks= parameter that ends up on a line of its own is ignored as an unknown directive, so the client boots into an interactive install instead of the kickstart.

STEP 5: Editing the main ks.cfg for installation
================================================

In the main ks.cfg of the distro change the install method to NFS

Eg:

In /data/custom-install/ks.cfg

nfs --server 192.168.0.120 --dir /data/custom-install

STEP 6: Checking for the installation
=====================================

Boot the PXE-enabled client machine and check that the client gets an IP via DHCP and
is presented with the installation menu.

November 10, 2008 Posted by derwynd | Uncategorized | Comments Off

RHEL4 Single DVD

################ Creation Of SINGLE DVD from ISO or CD’s ####################
# Install base system on IDE HD with RHEL4
# The same procedure can be used for CentOS/Fedora or any Red Hat based system
# Make sure your base system and the rpms required are of that system
# Install the following RPM’s from disk
anaconda-10.1.1.13-1
anaconda-help-10.1.0-1
anaconda-product-4-1AS
busybox-anaconda-1.00.rc1-5
anaconda-runtime-10.1.1.13-1
comps-4AS-0.20050107
comps-extras-10.1-1
# If ISOs are present, loop-mount each ISO onto its own directory
# Else dump the files from the 4 CDs into the /mnt/disk[no] directories
# eg :
mkdir -p /mnt/disk{1,2,3,4}
mount -o loop RHEL4_Disk1.iso /mnt/disk1
mount -o loop RHEL4_Disk2.iso /mnt/disk2
mount -o loop RHEL4_Disk3.iso /mnt/disk3
mount -o loop RHEL4_Disk4.iso /mnt/disk4

# We now copy all the files from the directories to a single directory:
# My directory structure was /usr/RHEL4/RHEL4_OneDVD

mkdir -p /usr/RHEL4/RHEL4_OneDVD
# "/mnt/disk1/." copies the contents of disc 1 (dotfiles included) rather than
# creating a "disk1" subdirectory inside the tree
cp -ar /mnt/disk1/. /usr/RHEL4/RHEL4_OneDVD/
# the packages from the other discs go into the same RPMS directory as disc 1's
cp -ar /mnt/disk{2,3,4}/RHEL4/RPMS/* /usr/RHEL4/RHEL4_OneDVD/RHEL4/RPMS/
cp /mnt/disk1/.discinfo /usr/RHEL4/RHEL4_OneDVD/
# .discinfo's disc-number line (line 4) must list every disc the image now
# holds, i.e. 1,2,3,4, or the installer will still prompt for the other CDs
=============================================================

PYTHONPATH=/usr/lib/anaconda /usr/lib/anaconda-runtime/pkgorder /usr/RHEL4/RHEL4_OneDVD RHEL4 > /usr/RHEL4/pkgorder

# This creates a list of packages in the order they need to be installed,
# in the file /usr/RHEL4/pkgorder. Sometimes an occasional RPM will not
# provide the information anaconda needs; you can edit the file manually
# and insert those RPMs at the end.
# Ignore the errors during this process
=============================================================
# Next we need to generate the dependency file:
/usr/lib/anaconda-runtime/genhdlist --fileorder /usr/RHEL4/pkgorder /usr/RHEL4/RHEL4_OneDVD/

# No Errors after this step
=============================================================

# Building the DVD iso
# Now to build the iso:

cd /usr/RHEL4/RHEL4_OneDVD/
chmod a+w isolinux/isolinux.bin

mkisofs -r -T -J -V "Custom RHEL4 Build" -b isolinux/isolinux.bin -c isolinux/boot.cat -no-emul-boot -boot-load-size 4 -boot-info-table -o /usr/RHEL4/ISOs/RHEL4.iso /usr/RHEL4/RHEL4_OneDVD/

# This generates the RHEL4 iso in /usr/RHEL4/ISOs/RHEL4.iso. If you want the
# installer's media check to work on the result, run implantisomd5 (from
# anaconda-runtime) on the ISO before burning it.

=============================================================

# Now we can burn the image to the DVD. I assume the DVD writer is already
# set up on your system. Use your usual burning tool (e.g. Nero, or growisofs
# on Linux) to burn the iso /usr/RHEL4/ISOs/RHEL4.iso

November 10, 2008 Posted by derwynd | Uncategorized | Comments Off