Securing a Linux server is essential to protect your data and intellectual property from crackers (hackers). The system administrator is responsible for the security of the Linux box. In this blog we will go through important tips for hardening a CentOS server.
Note: In this blog we are targeting specifically the CentOS 7 & RHEL 7 Linux operating systems, but the same concepts can be applied to other Linux/Unix flavors as well.
1) Keep System updated
Always keep the system updated with the latest release patches, security fixes and kernel as soon as they are available. Applying security patches is an important part of maintaining a Linux server, and Linux provides all the necessary tools to keep your system updated.
# yum update
# yum check-update
2) Physical System Security
As a best practice you must protect physical console access to your Linux servers. Configure the BIOS to disable booting from CD/DVD, external devices and the floppy drive. Next, enable a BIOS password and also protect GRUB with a password to restrict physical access to your system.
Services
3) Avoid Using FTP, Telnet, And Rlogin / Rsh Services
Use a secure medium to transfer files, such as scp or sftp, and remove insecure services like ftp and telnet.
# yum erase xinetd ypserv tftp-server telnet-server rsh-server
4) Delete unnecessary packages: minimize software to minimize vulnerability
It is important to delete unnecessary packages so that fewer vulnerable components are present on the system.
# yum list installed
# yum list packageName
# yum remove packageName
5) Disable Unwanted Services from server
Disable all unnecessary services and daemons (services that run in the background).
To disable a service, enter:
# service serviceName stop
# chkconfig serviceName off
6) Check Listening Network Ports
With the help of the ‘netstat‘ networking command you can view all open ports and the programs associated with them. As said above, use the ‘chkconfig‘ command to disable all unwanted network services on the system.
# netstat -tulpn
OR use the ss command as follows:
$ ss -tulpn
OR scan the host with nmap:
nmap -sT -O localhost
nmap -sT -O server.example.com
7) Turn on SELinux
Security-Enhanced Linux (SELinux) is a mandatory access control security mechanism provided in the kernel. Disabling SELinux means removing a security mechanism from the system.
You can view the current SELinux mode from the command line using the ‘system-config-selinux‘, ‘getenforce‘ or ‘sestatus‘ commands.
# sestatus
If it is not enforcing, switch it to enforcing mode using the following command.
# setenforce enforcing
SELinux can also be managed from the ‘/etc/selinux/config‘ file, where you enable or disable it persistently; a change from disabled to enabled in that file takes effect after a reboot.
More recommendations for hardening a CentOS server
8) Turn Off IPv6
If you are not using the IPv6 protocol, you should disable it:
# vi /etc/sysconfig/network
NETWORKING_IPV6=no
9) Enable Iptables (Firewall)
As a best practice it is recommended to enable and configure the server firewall to allow only the specific ports that are required and block all the remaining ports.
Continuing the process
10) Keep /boot as read-only
The Linux kernel and its related files are in the /boot directory, which is mounted read-write by default. Changing it to read-only reduces the risk of unauthorized modification of critical boot files. To do this, open the “/etc/fstab” file.
# vi /etc/fstab
Add the following line at the bottom, save and close it.
LABEL=/boot /boot ext2 defaults,ro 1 2
Please note that you need to change it back to read-write if you need to upgrade the kernel in the future.
11) Hardening /etc/sysctl.conf and ignoring ICMP or broadcast requests
Use the following kernel parameter rules to protect the system:
Disable source routing
net.ipv4.conf.all.accept_source_route=0
Disable IPv4 forwarding
net.ipv4.conf.all.forwarding=0
Disable IPv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
Disable the acceptance and sending of ICMP redirect packets unless specifically required.
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.all.send_redirects=0
Enable reverse path filtering (2 = loose mode)
net.ipv4.conf.all.rp_filter=2
Ignoring all ICMP echo requests is controlled by the following key (0 = respond, set to 1 to ignore them)
net.ipv4.icmp_echo_ignore_all = 0
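A drift check for these parameters, added here as an example (not code from the original post): compare_sysctl reads a sysctl.conf-style baseline and compares it with a dump of live values. The baseline and "live" files below are constructed; the comment shows how to feed it the real ones.

```shell
# compare_sysctl EXPECTED_FILE CURRENT_FILE
# EXPECTED_FILE is a sysctl.conf-style fragment ("key = value", '#' comments);
# CURRENT_FILE is a dump of live values in the form 'sysctl -a' prints them.
# Prints OK / DRIFT / MISSING per key; returns 1 if any key drifted or is absent.
compare_sysctl() {
    expected=$1
    current=$2
    drift=0
    while IFS= read -r line; do
        line=${line%%#*}                                 # drop comments
        case $line in *=*) ;; *) continue ;; esac        # skip blank / non key=value lines
        key=$(printf '%s' "$line" | sed 's/[[:space:]]*=.*//; s/^[[:space:]]*//')
        val=$(printf '%s' "$line" | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')
        live=$(awk -F= -v k="$key" '{ gsub(/[[:space:]]/, "", $1)
            if ($1 == k) { v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); print v } }' "$current")
        if [ -z "$live" ]; then
            echo "MISSING  $key (expected $val)"; drift=1
        elif [ "$live" != "$val" ]; then
            echo "DRIFT    $key = $live (expected $val)"; drift=1
        else
            echo "OK       $key = $val"
        fi
    done < "$expected"
    return $drift
}

# Constructed sample: the hardened values from the section above as the baseline,
# and a "live" dump with one value drifted and one key missing.
EXPECTED_FILE=${TMPDIR:-/tmp}/hardening-expected.conf
CURRENT_FILE=${TMPDIR:-/tmp}/hardening-current.txt
cat > "$EXPECTED_FILE" <<'EOF'
# baseline taken from the sysctl section above
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.rp_filter = 2
net.ipv6.conf.all.disable_ipv6 = 1
EOF
cat > "$CURRENT_FILE" <<'EOF'
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.rp_filter = 2
EOF
# Real use: sysctl -a 2>/dev/null > "$CURRENT_FILE"; compare_sysctl /etc/sysctl.conf "$CURRENT_FILE"
compare_sysctl "$EXPECTED_FILE" "$CURRENT_FILE" || echo "kernel parameters differ from the baseline"
```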
12) Important file Backup
In a production system it is necessary to back up important files and keep them in a safe vault, at a remote site or offsite, for disaster recovery.
13) Checking Accounts for Empty Passwords
You must make sure all accounts have strong passwords and that no one has unauthorized access. Accounts with empty passwords are a security risk and can be easily hacked.
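An added example (not code from the original post) of the check this section describes: classify_shadow reads a file in /etc/shadow format and reports every account whose password field is empty, run here over a constructed sample.

```shell
# classify_shadow SHADOW_FILE -> one "STATE user" line per account, where STATE is
# EMPTY (no password at all), LOCKED (field starts with '!' or '*') or HASHED.
# Returns 1 if any account has an empty password field.
classify_shadow() {
    awk -F: '
        NF < 2       { next }                          # skip malformed lines
        $2 == ""     { print "EMPTY  " $1; bad = 1; next }
        $2 ~ /^[!*]/ { print "LOCKED " $1; next }
                     { print "HASHED " $1 }
        END          { exit bad ? 1 : 0 }
    ' "$1"
}

# Constructed sample in /etc/shadow format (the hash is a placeholder, not a real one).
SAMPLE_SHADOW=${TMPDIR:-/tmp}/sample-shadow
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$PLACEHOLDERHASH:18000:0:99999:7:::
bin:*:18000:0:99999:7:::
deploy:!!:18000:0:99999:7:::
guest::18000:0:99999:7:::
EOF
# Real use (needs root to read the file): classify_shadow /etc/shadow | grep '^EMPTY'
classify_shadow "$SAMPLE_SHADOW" || echo "at least one account has an empty password"
```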
14) Network Port Scanning
Conduct external port checks using the Nmap tool from a remote system over the LAN. This type of scanning can be used to verify network vulnerabilities or to test the firewall rules.
Configuring an RHEL / CentOS server
15) Disable Ctrl+Alt+Delete in Inittab
In most Linux distributions, pressing ‘CTRL-ALT-DELETE’ will reboot the system. It is not a good idea to have this option enabled, at least on production servers, in case someone presses it by mistake.
16) Enforcing Stronger Passwords
Many users choose soft or weak passwords, and such passwords may be cracked with dictionary-based or brute-force attacks. Force the system to use strong passwords by adding the line below to the /etc/pam.d/passwd file.
password required pam_pwquality.so retry=3
With the above line, the password entered cannot contain more than 3 characters in a monotonic sequence, such as abcd, or more than 3 identical consecutive characters, such as 1111.
To force users to use a password with a minimum length of 8 characters, including all classes of characters, and with strength checks for character sequences and consecutive characters, add the following lines to the /etc/security/pwquality.conf file.
minlen = 8
minclass = 4
maxsequence = 3
maxrepeat = 3
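An added example (not the post's own code, and not libpwquality itself): a simplified POSIX shell model of the four rules above, run over constructed candidate passwords to show which rule each one trips. It assumes single-byte characters and ignores the dictionary, similarity and length-credit checks that the real library also applies.

```shell
# Simplified model of the four pwquality.conf rules listed above (minlen, minclass,
# maxsequence, maxrepeat). Illustration only: libpwquality also runs dictionary
# and similarity checks and applies length credits, which are not modelled here.
MINLEN=8; MINCLASS=4; MAXSEQUENCE=3; MAXREPEAT=3

# ord CHAR -> decimal code of a single character (POSIX printf leading-quote form)
ord() { printf '%d' "'$1"; }

# check_password PASSWORD -> prints the first rule violated, or OK; returns 0 only for OK
check_password() {
    pw=$1
    [ "${#pw}" -ge "$MINLEN" ] || { echo "minlen: shorter than $MINLEN"; return 1; }
    classes=0
    case $pw in *[[:lower:]]*) classes=$((classes + 1)) ;; esac
    case $pw in *[[:upper:]]*) classes=$((classes + 1)) ;; esac
    case $pw in *[[:digit:]]*) classes=$((classes + 1)) ;; esac
    case $pw in *[![:alnum:]]*) classes=$((classes + 1)) ;; esac
    [ "$classes" -ge "$MINCLASS" ] || { echo "minclass: only $classes of $MINCLASS character classes"; return 1; }
    # walk the characters, tracking runs of identical codes and of +1/-1 (monotonic) codes
    rest=$pw; prev=-1; rep=0; seq=1; dir=0
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}; rest=${rest#?}
        o=$(ord "$c")
        if [ "$o" -eq "$prev" ]; then rep=$((rep + 1)); else rep=1; fi
        [ "$rep" -le "$MAXREPEAT" ] || { echo "maxrepeat: more than $MAXREPEAT identical consecutive characters"; return 1; }
        d=$((o - prev))
        if [ "$d" -eq 1 ] || [ "$d" -eq -1 ]; then
            if [ "$d" -eq "$dir" ]; then seq=$((seq + 1)); else seq=2; dir=$d; fi
        else
            seq=1; dir=0
        fi
        [ "$seq" -le "$MAXSEQUENCE" ] || { echo "maxsequence: monotonic sequence longer than $MAXSEQUENCE"; return 1; }
        prev=$o
    done
    echo OK
}

# Constructed candidates: the two rejected patterns from the text (abcd, 1111) plus one that passes.
for candidate in 'Xabcd!23' 'Zq1111!x' 'Short1!' 'onlylowercase' 'Tr0ub&dorX'; do
    printf '%-14s %s\n' "$candidate" "$(check_password "$candidate")"
done
```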
17) World-Writable Files
Anyone can modify a world-writable file, which can result in a security issue. Use the following command to find all world-writable directories that do not have the sticky bit set:
find /dir -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
You need to investigate each reported directory and either set the correct user and group permissions or remove it.
18) Unowned Files
Files not owned by any user or group can pose a security problem. Find the files that do not belong to a valid user and a valid group with the following command:
find /dir -xdev \( -nouser -o -nogroup \) -print
You need to investigate each reported file and either assign it to an appropriate user and group or remove it.
Thank You.
Thank you very much, it was helpful. Keep up the hard work.