Difference between revisions of "SELinux,Fail2ban,Security Configurations"
Jump to navigation
Jump to search
(10 intermediate revisions by the same user not shown) | |||
Line 13: | Line 13: | ||
nano /etc/firewalld/firewalld.conf | nano /etc/firewalld/firewalld.conf | ||
<nowiki>#</nowiki> AllowZoneDrifting=no | <nowiki>#</nowiki> AllowZoneDrifting=no | ||
+ | |||
+ | Follow this link for [[Additional Firewall-Cmd Commands]] | ||
== SELinux Permissions == | == SELinux Permissions == | ||
setsebool -P httpd_can_network_connect 1 | setsebool -P httpd_can_network_connect 1 | ||
Line 28: | Line 30: | ||
sudo yum -y install epel-release | sudo yum -y install epel-release | ||
sudo yum -y install fail2ban | sudo yum -y install fail2ban | ||
− | sudo systemctl enable fail2ban | + | sudo systemctl enable fail2ban && sudo systemctl start fail2ban |
+ | nano /etc/fail2ban/jail.conf | ||
[DEFAULT] | [DEFAULT] | ||
# Ban hosts for one hour: | # Ban hosts for one hour: | ||
Line 38: | Line 41: | ||
# Override /etc/fail2ban/jail.d/00-firewalld.conf: | # Override /etc/fail2ban/jail.d/00-firewalld.conf: | ||
banaction = iptables-multiport | banaction = iptables-multiport | ||
− | ignoreip = 127.0.0.1/8 154.160.2.127/ | + | ignoreip = 127.0.0.1/8 154.160.2.127/16 |
[sshd] | [sshd] | ||
enabled = true | enabled = true | ||
− | + | systemctl start fail2ban | |
+ | sudo systemctl status fail2ban | ||
sudo systemctl restart fail2ban | sudo systemctl restart fail2ban | ||
+ | |||
sudo fail2ban-client status | sudo fail2ban-client status | ||
sudo fail2ban-client status sshd | sudo fail2ban-client status sshd | ||
Line 51: | Line 56: | ||
sudo fail2ban-client status wordpress3 | sudo fail2ban-client status wordpress3 | ||
sudo fail2ban-client status http-get-post-dos | sudo fail2ban-client status http-get-post-dos | ||
+ | |||
+ | == Install Letsencrypt == | ||
+ | dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm | ||
+ | # (for centos 8) dnf config-manager --set-enabled PowerTools | ||
+ | sudo dnf install certbot python3-certbot-nginx | ||
+ | OR dnf install certbot python3-certbot-apache | ||
+ | |||
+ | certbot --version | ||
+ | certbot --nginx | ||
+ | OR certbot --apache | ||
+ | certbot --apache -d wiki.rhomicom.com | ||
+ | certbot --nginx -d wiki.rhomicom.com | ||
+ | |||
+ | certbot renew | ||
+ | certbot certificates | ||
+ | certbot certonly --apache | ||
+ | certbot certonly --nginx | ||
+ | sudo certbot certonly --standalone --debug -d api.example.net | ||
+ | |||
+ | echo "0 0,12 * * * root python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q" | sudo tee -a /etc/crontab > /dev/null | ||
+ | @daily /usr/bin/certbot renew >> /var/log/le-renew.log | ||
+ | 0 1 * * * dnf -y update | ||
+ | 0 */5 * * * /home/all_bkps.sh | ||
+ | |||
+ | ==SELF-SIGNED SSL== | ||
+ | openssl req -new -newkey rsa:4096 -nodes -keyout rho-demo.key -out rho-demo.csr #(Copy and send .csr file content to Certificate Authority) | ||
+ | |||
+ | mkdir -p /etc/pki/nginx | ||
+ | mkdir -p /etc/pki/nginx/private | ||
+ | <syntaxhighlight lang="shell"> | ||
+ | openssl req -newkey rsa:4096 -nodes -keyout /etc/pki/nginx/private/server.key -x509 -days 365 -out /etc/pki/nginx/server.crt -subj "/C=GH/ST=Greater Accra/L=Accra/O=Rhomicom Demo/OU=IT/CN=*.rhomicom.com/[email protected]" | ||
+ | |||
+ | </syntaxhighlight> | ||
+ | <syntaxhighlight lang="shell"> | ||
+ | openssl req -newkey rsa:4096 -nodes -keyout /etc/ssl/private/nginx-selfsigned.key -x509 -days 365 -out /etc/ssl/certs/nginx-selfsigned.crt -subj "/C=GH/ST=Greater Accra/L=Accra/O=Rhomicom Demo/OU=IT/CN=*.rhomicom.com/[email protected]" | ||
+ | |||
+ | </syntaxhighlight> | ||
+ | <span> </span> | ||
+ | openssl dhparam -out /etc/pki/nginx/dhparam.pem 4096 | ||
+ | nano /etc/nginx/nginx.conf #(# Add DH parameters | ||
+ | ssl_dhparam /etc/pki/nginx/dhparam.pem;) | ||
+ | nginx -t | ||
+ | systemctl restart nginx | ||
+ | visit this page for [https://wiki.rhomicom.com/index.php/Sample_full_nginx.conf_file sample full nginx.conf file] |
Latest revision as of 21:46, 29 January 2024
Install firewalld
sudo yum install firewalld sudo systemctl start firewalld sudo systemctl enable firewalld sudo systemctl status firewalld
sudo firewall-cmd --permanent --add-service=http sudo firewall-cmd --permanent --add-service=https sudo firewall-cmd --permanent --list-all sudo firewall-cmd --reload
nano /etc/firewalld/firewalld.conf # AllowZoneDrifting=no
Follow this link for Additional Firewall-Cmd Commands
SELinux Permissions
setsebool -P httpd_can_network_connect 1 setsebool -P httpd_execmem 1 setsebool -P httpd_setrlimit 1 setsebool -P httpd_can_sendmail 1 setsebool -P allow_httpd_mod_auth_pam 1 setsebool -P httpd_mod_auth_pam 1 setsebool -P httpd_read_user_content 1 setsebool -P httpd_run_stickshift 1 setsebool -P httpd_enable_cgi 1 setsebool -P httpd_unified 1 setsebool -P httpd_enable_homedirs 1
FAIL2BAN
sudo yum -y install epel-release sudo yum -y install fail2ban sudo systemctl enable fail2ban && sudo systemctl start fail2ban
nano /etc/fail2ban/jail.conf
[DEFAULT] # Ban hosts for one hour: bantime = 360000 findtime = 3600 maxretry = 2
# Override /etc/fail2ban/jail.d/00-firewalld.conf: banaction = iptables-multiport ignoreip = 127.0.0.1/8 154.160.2.127/16
[sshd] enabled = true
systemctl start fail2ban sudo systemctl status fail2ban sudo systemctl restart fail2ban
sudo fail2ban-client status sudo fail2ban-client status sshd sudo fail2ban-client status wordpress sudo fail2ban-client status wordpress2 sudo fail2ban-client status wordpress3 sudo fail2ban-client status http-get-post-dos
Install Letsencrypt
dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm # (for centos 8) dnf config-manager --set-enabled PowerTools sudo dnf install certbot python3-certbot-nginx OR dnf install certbot python3-certbot-apache
certbot --version certbot --nginx OR certbot --apache certbot --apache -d wiki.rhomicom.com certbot --nginx -d wiki.rhomicom.com
certbot renew certbot certificates certbot certonly --apache certbot certonly --nginx sudo certbot certonly --standalone --debug -d api.example.net
echo "0 0,12 * * * root python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q" | sudo tee -a /etc/crontab > /dev/null @daily /usr/bin/certbot renew >> /var/log/le-renew.log 0 1 * * * dnf -y update 0 */5 * * * /home/all_bkps.sh
SELF-SIGNED SSL
openssl req -new -newkey rsa:4096 -nodes -keyout rho-demo.key -out rho-demo.csr #(Copy and send .csr file content to Certificate Authority)
mkdir -p /etc/pki/nginx mkdir -p /etc/pki/nginx/private
openssl req -newkey rsa:4096 -nodes -keyout /etc/pki/nginx/private/server.key -x509 -days 365 -out /etc/pki/nginx/server.crt -subj "/C=GH/ST=Greater Accra/L=Accra/O=Rhomicom Demo/OU=IT/CN=*.rhomicom.com/[email protected]"
openssl req -newkey rsa:4096 -nodes -keyout /etc/ssl/private/nginx-selfsigned.key -x509 -days 365 -out /etc/ssl/certs/nginx-selfsigned.crt -subj "/C=GH/ST=Greater Accra/L=Accra/O=Rhomicom Demo/OU=IT/CN=*.rhomicom.com/[email protected]"
openssl dhparam -out /etc/pki/nginx/dhparam.pem 4096 nano /etc/nginx/nginx.conf #(# Add DH parameters ssl_dhparam /etc/pki/nginx/dhparam.pem;) nginx -t systemctl restart nginx visit this page for sample full nginx.conf file