Difference between revisions of "SELinux,Fail2ban,Security Configurations"

From Rhomicom Wiki
Jump to navigation Jump to search
 
(9 intermediate revisions by the same user not shown)
Line 13: Line 13:
 
   nano /etc/firewalld/firewalld.conf
 
   nano /etc/firewalld/firewalld.conf
 
   <nowiki>#</nowiki> AllowZoneDrifting=no
 
   <nowiki>#</nowiki> AllowZoneDrifting=no
 +
 +
  Follow this link for [[Additional Firewall-Cmd Commands]]
 
== SELinux Permissions ==
 
== SELinux Permissions ==
 
   setsebool -P httpd_can_network_connect 1
 
   setsebool -P httpd_can_network_connect 1
Line 28: Line 30:
 
   sudo yum -y install epel-release
 
   sudo yum -y install epel-release
 
   sudo yum -y install fail2ban
 
   sudo yum -y install fail2ban
   sudo systemctl enable fail2ban
+
   sudo systemctl enable fail2ban && sudo systemctl start fail2ban
  
 +
nano /etc/fail2ban/jail.conf
 
   [DEFAULT]
 
   [DEFAULT]
 
   # Ban hosts for one hour:
 
   # Ban hosts for one hour:
Line 38: Line 41:
 
   # Override /etc/fail2ban/jail.d/00-firewalld.conf:
 
   # Override /etc/fail2ban/jail.d/00-firewalld.conf:
 
   banaction = iptables-multiport
 
   banaction = iptables-multiport
   ignoreip = 127.0.0.1/8 154.160.2.127/8
+
   ignoreip = 127.0.0.1/8 154.160.2.127/16
  
 
   [sshd]
 
   [sshd]
 
   enabled = true
 
   enabled = true
  
   phpinfo,
+
   systemctl start fail2ban
 +
  sudo systemctl status fail2ban
 
   sudo systemctl restart fail2ban
 
   sudo systemctl restart fail2ban
 +
 
   sudo fail2ban-client status
 
   sudo fail2ban-client status
 
   sudo fail2ban-client status sshd
 
   sudo fail2ban-client status sshd
Line 51: Line 56:
 
   sudo fail2ban-client status wordpress3
 
   sudo fail2ban-client status wordpress3
 
   sudo fail2ban-client status http-get-post-dos
 
   sudo fail2ban-client status http-get-post-dos
 +
 
== Install Letsencrypt ==
 
== Install Letsencrypt ==
 
   dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
 
   dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
Line 60: Line 66:
 
   certbot --nginx
 
   certbot --nginx
 
   OR certbot --apache
 
   OR certbot --apache
 +
  certbot --apache -d wiki.rhomicom.com
 +
  certbot --nginx -d wiki.rhomicom.com
  
 
   certbot renew
 
   certbot renew
Line 65: Line 73:
 
   certbot certonly --apache
 
   certbot certonly --apache
 
   certbot certonly --nginx
 
   certbot certonly --nginx
 +
  sudo certbot certonly --standalone --debug -d api.example.net
  
 
   echo "0 0,12 * * * root python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q" | sudo tee -a /etc/crontab > /dev/null
 
   echo "0 0,12 * * * root python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q" | sudo tee -a /etc/crontab > /dev/null
 +
  @daily /usr/bin/certbot renew >> /var/log/le-renew.log
 +
  0 1  * * * dnf -y update
 +
  0 */5 * * * /home/all_bkps.sh
 +
 +
==SELF-SIGNED SSL==
 +
  openssl req -new -newkey rsa:4096 -nodes -keyout rho-demo.key -out rho-demo.csr #(Copy and send .csr file content to Certificate Authority)
 +
 +
  mkdir -p /etc/pki/nginx
 +
  mkdir -p /etc/pki/nginx/private
 +
<syntaxhighlight lang="shell">
 +
openssl req -newkey rsa:4096 -nodes -keyout /etc/pki/nginx/private/server.key -x509 -days 365 -out /etc/pki/nginx/server.crt -subj "/C=GH/ST=Greater Accra/L=Accra/O=Rhomicom Demo/OU=IT/CN=*.rhomicom.com/[email protected]"
 +
 +
</syntaxhighlight>
 +
<syntaxhighlight lang="shell">
 +
openssl req -newkey rsa:4096 -nodes -keyout /etc/ssl/private/nginx-selfsigned.key -x509 -days 365 -out /etc/ssl/certs/nginx-selfsigned.crt -subj "/C=GH/ST=Greater Accra/L=Accra/O=Rhomicom Demo/OU=IT/CN=*.rhomicom.com/[email protected]"
 +
 +
</syntaxhighlight>
 +
<span> </span>
 +
  openssl dhparam -out /etc/pki/nginx/dhparam.pem 4096
 +
  nano /etc/nginx/nginx.conf #(# Add DH parameters
 +
        ssl_dhparam /etc/pki/nginx/dhparam.pem;)
 +
  nginx -t
 +
  systemctl restart nginx
 +
  visit this page for [https://wiki.rhomicom.com/index.php/Sample_full_nginx.conf_file sample full nginx.conf file]

Latest revision as of 21:46, 29 January 2024

Install firewalld

 sudo yum install firewalld
 sudo systemctl start firewalld
 sudo systemctl enable firewalld
 sudo systemctl status firewalld
 sudo firewall-cmd --permanent --add-service=http
 sudo firewall-cmd --permanent --add-service=https
 sudo firewall-cmd --permanent --list-all
 sudo firewall-cmd --reload
 nano /etc/firewalld/firewalld.conf
 # AllowZoneDrifting=no
 Follow this link for Additional Firewall-Cmd Commands

SELinux Permissions

 setsebool -P httpd_can_network_connect 1
 setsebool -P httpd_execmem 1
 setsebool -P httpd_setrlimit 1
 setsebool -P httpd_can_sendmail 1
 setsebool -P allow_httpd_mod_auth_pam 1
 setsebool -P httpd_mod_auth_pam 1
 setsebool -P httpd_read_user_content 1
 setsebool -P httpd_run_stickshift 1
 setsebool -P httpd_enable_cgi 1
 setsebool -P httpd_unified 1
 setsebool -P httpd_enable_homedirs 1

FAIL2BAN

 sudo yum -y install epel-release
 sudo yum -y install fail2ban
 sudo systemctl enable fail2ban && sudo systemctl start fail2ban

nano /etc/fail2ban/jail.conf

 [DEFAULT]
 # Ban hosts for one hour:
 bantime = 360000
 findtime = 3600
 maxretry = 2
 # Override /etc/fail2ban/jail.d/00-firewalld.conf:
 banaction = iptables-multiport
 ignoreip = 127.0.0.1/8 154.160.2.127/16
 [sshd]
 enabled = true
 systemctl start fail2ban
 sudo systemctl status fail2ban
 sudo systemctl restart fail2ban
 sudo fail2ban-client status
 sudo fail2ban-client status sshd
 sudo fail2ban-client status wordpress
 sudo fail2ban-client status wordpress2
 sudo fail2ban-client status wordpress3
 sudo fail2ban-client status http-get-post-dos

Install Letsencrypt

 dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
 # (for centos 8) dnf config-manager --set-enabled PowerTools
 sudo dnf install certbot python3-certbot-nginx
 OR dnf install certbot python3-certbot-apache
 certbot --version
 certbot --nginx
 OR certbot --apache
 certbot --apache -d wiki.rhomicom.com
 certbot --nginx -d wiki.rhomicom.com
 certbot renew
 certbot certificates
 certbot certonly --apache
 certbot certonly --nginx
 sudo certbot certonly --standalone --debug -d api.example.net
 echo "0 0,12 * * * root python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q" | sudo tee -a /etc/crontab > /dev/null
 @daily /usr/bin/certbot renew >> /var/log/le-renew.log
 0 1   * * * dnf -y update
 0 */5 * * * /home/all_bkps.sh

SELF-SIGNED SSL

 openssl req -new -newkey rsa:4096 -nodes -keyout rho-demo.key -out rho-demo.csr #(Copy and send .csr file content to Certificate Authority)
 mkdir -p /etc/pki/nginx
 mkdir -p /etc/pki/nginx/private
openssl req -newkey rsa:4096 -nodes -keyout /etc/pki/nginx/private/server.key -x509 -days 365 -out /etc/pki/nginx/server.crt -subj "/C=GH/ST=Greater Accra/L=Accra/O=Rhomicom Demo/OU=IT/CN=*.rhomicom.com/[email protected]"
openssl req -newkey rsa:4096 -nodes -keyout /etc/ssl/private/nginx-selfsigned.key -x509 -days 365 -out /etc/ssl/certs/nginx-selfsigned.crt -subj "/C=GH/ST=Greater Accra/L=Accra/O=Rhomicom Demo/OU=IT/CN=*.rhomicom.com/[email protected]"

 openssl dhparam -out /etc/pki/nginx/dhparam.pem 4096
 nano /etc/nginx/nginx.conf #(# Add DH parameters
       ssl_dhparam /etc/pki/nginx/dhparam.pem;)
 nginx -t
 systemctl restart nginx
 visit this page for sample full nginx.conf file