SELinux,Fail2ban,Security Configurations

From Rhomicom Wiki
Jump to navigation Jump to search

Install firewalld

 sudo yum install firewalld
 sudo systemctl start firewalld
 sudo systemctl enable firewalld
 sudo systemctl status firewalld
 sudo firewall-cmd --permanent --add-service=http
 sudo firewall-cmd --permanent --add-service=https
 sudo firewall-cmd --permanent --list-all
 sudo firewall-cmd --reload
 nano /etc/firewalld/firewalld.conf
 # AllowZoneDrifting=no
 Follow this link for Additional Firewall-Cmd Commands

SELinux Permissions

 setsebool -P httpd_can_network_connect 1
 setsebool -P httpd_execmem 1
 setsebool -P httpd_setrlimit 1
 setsebool -P httpd_can_sendmail 1
 setsebool -P allow_httpd_mod_auth_pam 1
 setsebool -P httpd_mod_auth_pam 1
 setsebool -P httpd_read_user_content 1
 setsebool -P httpd_run_stickshift 1
 setsebool -P httpd_enable_cgi 1
 setsebool -P httpd_unified 1
 setsebool -P httpd_enable_homedirs 1

FAIL2BAN

 sudo yum -y install epel-release
 sudo yum -y install fail2ban
 sudo systemctl enable fail2ban && sudo systemctl start fail2ban

nano /etc/fail2ban/jail.conf

 [DEFAULT]
 # Ban hosts for one hour:
 bantime = 360000
 findtime = 3600
 maxretry = 2
 # Override /etc/fail2ban/jail.d/00-firewalld.conf:
 banaction = iptables-multiport
 ignoreip = 127.0.0.1/8 154.160.2.127/16
 [sshd]
 enabled = true
 systemctl start fail2ban
 sudo systemctl status fail2ban
 sudo systemctl restart fail2ban
 sudo fail2ban-client status
 sudo fail2ban-client status sshd
 sudo fail2ban-client status wordpress
 sudo fail2ban-client status wordpress2
 sudo fail2ban-client status wordpress3
 sudo fail2ban-client status http-get-post-dos

Install Letsencrypt

 dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
 # (for centos 8) dnf config-manager --set-enabled PowerTools
 sudo dnf install certbot python3-certbot-nginx
 OR dnf install certbot python3-certbot-apache
 certbot --version
 certbot --nginx
 OR certbot --apache
 certbot --apache -d wiki.rhomicom.com
 certbot --nginx -d wiki.rhomicom.com
 certbot renew
 certbot certificates
 certbot certonly --apache
 certbot certonly --nginx
 sudo certbot certonly --standalone --debug -d api.example.net
 echo "0 0,12 * * * root python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q" | sudo tee -a /etc/crontab > /dev/null
 @daily /usr/bin/certbot renew >> /var/log/le-renew.log
 0 1   * * * dnf -y update
 0 */5 * * * /home/all_bkps.sh

SELF-SIGNED SSL

 openssl req -new -newkey rsa:4096 -nodes -keyout rho-demo.key -out rho-demo.csr #(Copy and send .csr file content to Certificate Authority)
 mkdir -p /etc/pki/nginx
 mkdir -p /etc/pki/nginx/private
openssl req -newkey rsa:4096 -nodes -keyout /etc/pki/nginx/private/server.key -x509 -days 365 -out /etc/pki/nginx/server.crt -subj "/C=GH/ST=Greater Accra/L=Accra/O=Rhomicom Demo/OU=IT/CN=*.rhomicom.com/[email protected]"

 openssl dhparam -out /etc/pki/nginx/dhparam.pem 4096
 nano /etc/nginx/nginx.conf #(# Add DH parameters
       ssl_dhparam /etc/pki/nginx/dhparam.pem;)
 nginx -t
 systemctl restart nginx
 visit this page for sample full nginx.conf file