Hardening a CentOS 7 / RHEL 7 Server: Best practices and recommendations.


Securing a Linux server is very important to protect your data and intellectual property from the hands of crackers (hackers). The system administrator is responsible for the security of the Linux box. In this blog we will go through important tips for hardening a CentOS server.

Note: In this blog we are specifically targeting the CentOS 7 and RHEL 7 Linux operating systems, but the same concepts can be applied to other Linux/Unix flavors as well.

1) Keep System updated

Always keep the system updated with the latest release patches, security fixes and kernel as soon as they are available. Applying security patches is an important part of maintaining a Linux server, and Linux provides all the necessary tools to keep your system updated.

# yum update

# yum check-update

2) Physical System Security

For best practice you must protect physical console access to your Linux servers. Configure the BIOS to disable booting from CD/DVD, external devices and floppy drives. Next, enable a BIOS password and also protect GRUB with a password to restrict physical access to your system.

Services

3) Avoid Using FTP, Telnet, And Rlogin / Rsh Services

Use a secure medium such as scp or sftp to transfer files, and remove the other services such as ftp and telnet.

# yum erase xinetd ypserv tftp-server telnet-server rsh-server

4) Delete unnecessary packages: minimize software to minimize vulnerability

It is important to delete unnecessary packages to minimize vulnerability.

# yum list installed

# yum list packageName

# yum remove packageName

5) Disable Unwanted Services from server

Disable all unnecessary services and daemons (services that run in the background).

To disable a service, enter:

# service serviceName stop

# chkconfig serviceName off

6) Check Listening Network Ports

With the help of the ‘netstat‘ networking command you can view all open ports and the programs associated with them. As mentioned above, use the ‘chkconfig‘ command to disable all unwanted network services on the system.

# netstat -tulpn

OR use the ss command as follows:

$ ss -tulpn

OR

nmap -sT -O localhost

nmap -sT -O server.example.com
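The listing from ‘ss -tulpn‘ is long on a real host, and the point of this step is to find services exposed beyond the loopback interface. The following script is an added example, not part of the original post: the exposed_listeners function reads ‘ss -tulpn‘ output on standard input and prints only sockets bound to non-loopback addresses together with the owning process name. The sample output it is run against is constructed to look like a fresh install (sshd, rpcbind, postfix on loopback, chronyd on loopback); the process column only appears when ss is run as root.

```sh
#!/bin/sh
# Added example (not from the original post): report listening sockets that are
# bound to something other than loopback, with the owning process name, so each
# exposed service can be justified or disabled. Input is `ss -tulpn` output on
# stdin; the sample below is constructed. On a live CentOS 7 host:
#   ss -tulpn | exposed_listeners

exposed_listeners() {
    # `ss -tulpn` columns: Netid State Recv-Q Send-Q Local-Address:Port Peer ...
    # followed by users:(("name",pid=N,fd=M)) when run as root.
    awk '$2 == "LISTEN" || $2 == "UNCONN" {
        sock = $5
        n = split(sock, parts, ":")
        port = parts[n]
        # address is everything before the last ":"; "*" or "::" means any
        addr = substr(sock, 1, length(sock) - length(port) - 1)
        if (addr == "127.0.0.1" || addr == "::1" || addr == "[::1]") next
        proc = "-"
        if (match($0, /users:\(\("[^"]+"/))
            proc = substr($0, RSTART + 9, RLENGTH - 10)
        printf "%s %s %s %s\n", $1, addr, port, proc
    }'
}

# Constructed sample of `ss -tulpn` output from a fresh install
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      127.0.0.1:323     *:*    users:(("chronyd",pid=612,fd=1))
tcp   LISTEN 0      128    *:22              *:*    users:(("sshd",pid=1011,fd=3))
tcp   LISTEN 0      100    127.0.0.1:25      *:*    users:(("master",pid=1390,fd=13))
tcp   LISTEN 0      128    *:111             *:*    users:(("rpcbind",pid=577,fd=8))
tcp   LISTEN 0      128    :::22             :::*   users:(("sshd",pid=1011,fd=4))'

printf '%s\n' "$SAMPLE_SS" | exposed_listeners
```

On the sample this prints three lines: sshd on port 22 for both IPv4 and IPv6 and rpcbind on 111; chronyd and the postfix master process are skipped because they only listen on loopback. Each remaining line is a service to either keep deliberately, restrict with the firewall, or stop and disable as described in step 5.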

7) Turn on SELinux

Security-Enhanced Linux (SELinux) is a mandatory access control security mechanism provided in the kernel. Disabling SELinux means removing a security mechanism from the system.

You can view the current SELinux mode from the command line using the ‘system-config-selinux‘, ‘getenforce‘ or ‘sestatus‘ commands.

# sestatus

If it is disabled, enable SELinux using the following command.

# setenforce enforcing

SELinux can also be managed from the ‘/etc/selinux/config‘ file, where you can enable or disable it.
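The config file is what decides the mode at the next boot, and it is worth checking it separately from the running state: ‘setenforce‘ only switches a running system between enforcing and permissive, so a host that booted with SELINUX=disabled needs the file changed and a reboot (the first boot afterwards relabels the filesystem and is slow). The script below is an added example, not from the original post; it reads and rewrites the SELINUX= line of a config file, and runs against a constructed copy rather than the real /etc/selinux/config.

```sh
#!/bin/sh
# Added example (not from the original post): inspect and set the SELinux mode
# that takes effect at boot by editing the SELINUX= line of a config file
# (/etc/selinux/config on a real host). Caveat: `setenforce` only switches a
# running system between enforcing and permissive; a host that booted with
# SELINUX=disabled needs this file changed and a reboot.

selinux_boot_mode() {
    # $1: config file. Prints enforcing, permissive or disabled; "unset" if no
    # SELINUX= line is present. SELINUXTYPE= lines do not match (no "=" after
    # SELINUX).
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" \
           | tail -n 1 | tr 'A-Z' 'a-z')
    printf '%s\n' "${mode:-unset}"
}

selinux_set_enforcing() {
    # Idempotently set SELINUX=enforcing in $1, appending the line if absent.
    # Rewrites through a temp file rather than `sed -i` so it works on any sed.
    cfg=$1
    if grep -q '^[[:space:]]*SELINUX=' "$cfg"; then
        sed 's/^[[:space:]]*SELINUX=.*/SELINUX=enforcing/' "$cfg" > "$cfg.tmp" \
            && mv "$cfg.tmp" "$cfg"
    else
        printf 'SELINUX=enforcing\n' >> "$cfg"
    fi
}

# Demo on a constructed copy of the config file
demo_dir=$(mktemp -d)
printf '# This file controls the state of SELinux on the system.\nSELINUX=disabled\nSELINUXTYPE=targeted\n' > "$demo_dir/config"
echo "before: $(selinux_boot_mode "$demo_dir/config")"
selinux_set_enforcing "$demo_dir/config"
echo "after:  $(selinux_boot_mode "$demo_dir/config")"
rm -rf "$demo_dir"
```

After the change, compare ‘sestatus‘ (running state) with selinux_boot_mode on /etc/selinux/config: if the two disagree, the host will change mode on its next reboot, which is exactly the kind of surprise an audit should catch.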

More recommendations for hardening a CentOS server

8) Turn Off IPv6

If you are not using the IPv6 protocol, you should disable it.

# vi /etc/sysconfig/network

NETWORKING_IPV6=no

9) Enable Iptables (Firewall)

For best practice it is recommended to enable and configure the server firewall to allow only the specific ports that are required and block all the remaining ports.
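The post gives no ruleset, so here is an added example (not the author's) of what "allow only the required ports" looks like in practice. The gen_iptables function emits a complete ruleset in iptables-restore format with a default DROP policy on INPUT, accepting only loopback, replies to established connections and an explicit allow-list of TCP/UDP ports, and refusing to generate anything from a malformed entry. The port list is a constructed example; the SSH port you actually use must be in it or you will lock yourself out. On CentOS 7 the generated file is consumed by the iptables service from the iptables-services package, which conflicts with the default firewalld service.

```sh
#!/bin/sh
# Added example (not from the original post): generate an iptables ruleset in
# iptables-restore format that drops everything inbound except loopback,
# replies to established connections and an explicit allow-list of ports.
# The port list is a constructed example. On CentOS 7 (iptables-services
# package; stop and mask firewalld first, the two conflict):
#   gen_iptables "tcp/22 tcp/443" > /etc/sysconfig/iptables
#   systemctl enable iptables && systemctl restart iptables

gen_iptables() {
    # $1: space-separated "proto/port" entries, e.g. "tcp/22 udp/123"
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    for entry in $1; do
        proto=${entry%/*}
        port=${entry#*/}
        case "$proto" in
            tcp|udp) ;;
            *) echo "gen_iptables: unsupported protocol in '$entry'" >&2; return 1 ;;
        esac
        case "$port" in
            ''|*[!0-9]*) echo "gen_iptables: bad port in '$entry'" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "gen_iptables: port out of range in '$entry'" >&2; return 1
        fi
        printf '%s\n' "-A INPUT -p $proto -m $proto --dport $port -j ACCEPT"
    done
    printf 'COMMIT\n'
}

# Demo: SSH, HTTPS and NTP only (constructed allow-list)
gen_iptables "tcp/22 tcp/443 udp/123"
```

The chain policy, not a trailing REJECT rule, is what blocks everything else, so a missing ACCEPT fails closed. Validate the file with iptables-restore --test before enabling the service, and confirm with the listening-port check from step 6 that nothing on the allow-list is a service you meant to remove.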


Continuing the process

10) Keep /boot as read-only

The Linux kernel and its related files are in the /boot directory, which is mounted read-write by default. Changing it to read-only reduces the risk of unauthorized modification of critical boot files. To do this, open the “/etc/fstab” file.

# vi /etc/fstab

Add the following line at the bottom, save and close it.

LABEL=/boot     /boot     ext2     defaults,ro     1 2

Please note that you need to change the mount back to read-write whenever you upgrade the kernel in the future.

11) Hardening /etc/sysctl.conf and ignoring ICMP or broadcast requests

Use the following kernel parameters rules to protect the system:

Disabling Source Routing

net.ipv4.conf.all.accept_source_route=0

Disable IPv4 forwarding

net.ipv4.conf.all.forwarding=0

Now Disable IPv6

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

Disable the acceptance and sending of ICMP redirected packets unless specifically required.

net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.all.send_redirects=0

Enable reverse path filtering (the value 2 selects loose mode)

net.ipv4.conf.all.rp_filter=2

Ignore all ICMP echo requests (set to 1 to enable; the value 0 below keeps the host answering pings)

net.ipv4.icmp_echo_ignore_all = 0
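Settings written to /etc/sysctl.conf only take effect after ‘sysctl -p‘ or a reboot, and they can be silently undone later by another file in /etc/sysctl.d/ or by a network manager, so the useful check is whether the running kernel still matches what you wrote. The script below is an added example, not from the original post: sysctl_drift takes a file of desired "key = value" lines and ‘sysctl -a‘ output on standard input, and prints every key whose live value differs or is absent. The desired file is the list from this section; the live values are a constructed sample with two deliberate mismatches.

```sh
#!/bin/sh
# Added example (not from the original post): compare desired kernel parameters
# against what the kernel currently reports and print every key that drifted.
# The "live" values below are a constructed sample. On a real host:
#   sysctl -a 2>/dev/null | sysctl_drift /etc/sysctl.conf

sysctl_drift() {
    # $1: file of desired "key = value" lines (comments and blanks allowed)
    # stdin: `sysctl -a` output. Prints "key live=X want=Y" per mismatch and
    # "key missing" when the kernel does not report the key at all.
    awk -v want_file="$1" '
        BEGIN {
            while ((getline line < want_file) > 0) {
                sub(/#.*/, "", line)
                if (line !~ /=/) continue
                split(line, kv, "=")
                k = kv[1]; v = kv[2]
                gsub(/[[:space:]]/, "", k); gsub(/[[:space:]]/, "", v)
                want[k] = v
            }
        }
        /=/ {
            split($0, kv, "=")
            k = kv[1]; v = kv[2]
            gsub(/[[:space:]]/, "", k); gsub(/[[:space:]]/, "", v)
            if (k in want) live[k] = v
        }
        END {
            for (k in want) {
                if (!(k in live)) printf "%s missing\n", k
                else if (live[k] != want[k]) printf "%s live=%s want=%s\n", k, live[k], want[k]
            }
        }' | sort
}

demo_dir=$(mktemp -d)
# Desired settings: the list from this section (forwarding key given in full)
cat > "$demo_dir/want.conf" <<'EOF'
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.forwarding = 0
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv4.conf.all.accept_redirects = 0   # sample: drifted below
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.rp_filter = 2
net.ipv4.icmp_echo_ignore_all = 0
EOF
# Constructed `sysctl -a` excerpt: accept_redirects re-enabled, lo.disable_ipv6 absent
LIVE_SYSCTL='net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.forwarding = 0
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.rp_filter = 2
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.ip_forward = 0'
printf '%s\n' "$LIVE_SYSCTL" | sysctl_drift "$demo_dir/want.conf"
rm -rf "$demo_dir"
```

On the sample it reports accept_redirects as live=1 want=0 and lo.disable_ipv6 as missing; everything that matches is silent, so an empty result means the hardening is still in force. Running it from cron after every reboot turns this section from a one-off edit into a check.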

12) Important file Backup

In a production system it is necessary to back up important files and keep them in a safety vault, at a remote site or offsite for disaster recovery.

13) Checking Accounts for Empty Passwords

You must make sure all accounts have strong passwords and that no one has unauthorized access. Accounts with empty passwords are a security risk and can be easily hacked.
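The check itself is a look at the second field of /etc/shadow: an empty field means the account accepts a login with no password at all, while a field starting with "!" or "*" is locked. The following script is an added example, not from the original post; it classifies every entry of a shadow-format file, and runs against a constructed file whose hash strings are placeholders rather than real hashes.

```sh
#!/bin/sh
# Added example (not from the original post): classify every entry of a
# shadow-format file by its password field. An empty field means the account
# can log in with no password; a field starting with "!" or "*" is locked.
# The sample file is constructed and its hash strings are placeholders.
# On a live host, as root:  audit_shadow /etc/shadow

audit_shadow() {
    # $1: shadow-format file. Prints "<user> EMPTY" or "<user> LOCKED";
    # accounts with a real hash print nothing.
    awk -F: '
        NF < 2         { next }
        $2 == ""       { print $1 " EMPTY";  next }
        $2 ~ /^[!*]/   { print $1 " LOCKED"; next }
    ' "$1"
}

demo_dir=$(mktemp -d)
printf '%s\n' \
    'root:$6$PLACEHOLDER$notarealhash:18000:0:99999:7:::' \
    'bin:*:17834:0:99999:7:::' \
    'guest::18000:0:99999:7:::' \
    'deploy:!!:18000:0:99999:7:::' \
    'alice:$6$PLACEHOLDER$alsonotreal:18000:0:99999:7:::' > "$demo_dir/shadow"
audit_shadow "$demo_dir/shadow"
rm -rf "$demo_dir"
```

On the sample, guest is reported EMPTY and bin and deploy LOCKED; root and alice are silent. An EMPTY account should be locked with ‘passwd -l‘ or given a password with ‘passwd‘ straight away. The LOCKED lines are informational: system accounts such as bin are expected there, but a human account that was locked without a ticket explaining why is worth a question.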

14) Network Port Scanning

Conduct external port checks using the Nmap tool from a remote system over the LAN. This type of scan can be used to verify network vulnerabilities or to test the firewall rules.

Configuring an RHEL / CentOS server

15) Disable Ctrl+Alt+Delete in Inittab

In most Linux distributions, pressing ‘CTRL-ALT-DELETE’ takes your system into the reboot process. It is not a good idea to have this option enabled, at least on production servers, in case someone does it by mistake.

16) Enforcing Stronger Passwords

A number of users use soft or weak passwords, and their passwords might be cracked by dictionary-based or brute-force attacks. Force the system to use strong passwords by adding the line below to the /etc/pam.d/passwd file.

password required pam_pwquality.so retry=3

With the above line, the password entered cannot contain more than 3 characters in a monotonic sequence, such as abcd, or more than 3 identical consecutive characters, such as 1111.

To force users to use a password with a minimum length of 8 characters, including all four classes of characters, with checks for character sequences and consecutive characters, add the following lines to the /etc/security/pwquality.conf file.

minlen = 8
minclass = 4
maxsequence = 3
maxrepeat = 3
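It helps to see what these four settings actually reject before rolling them out. The script below is an added example, not from the original post and not pam_pwquality itself: pw_check re-implements the minlen, minclass, maxsequence and maxrepeat tests in awk so a candidate password can be tried against the values above without touching PAM. The real module also runs dictionary and similarity checks that are not reproduced here, and the character-code table covers printable ASCII only.

```sh
#!/bin/sh
# Added example (not from the original post): check a candidate password against
# the four pwquality.conf settings above (minlen, minclass, maxsequence,
# maxrepeat). Illustrative re-implementation, not pam_pwquality; the module
# also runs dictionary and similarity checks that are not reproduced here.
# Usage: pw_check 'Candidate1!' 8 4 3 3   -> prints reasons; exit 1 if rejected

pw_check() {
    pw=$1; minlen=${2:-8}; minclass=${3:-4}; maxseq=${4:-3}; maxrep=${5:-3}
    # password goes via stdin so awk -v does not interpret backslashes in it
    printf '%s\n' "$pw" | awk -v minlen="$minlen" -v minclass="$minclass" \
                             -v maxseq="$maxseq" -v maxrep="$maxrep" '
    BEGIN {
        # character-code lookup for printable ASCII
        for (i = 32; i < 127; i++) ord[sprintf("%c", i)] = i
    }
    {
        pw = $0; n = length(pw); bad = 0
        if (n < minlen) { print "too short: " n " < " minlen; bad = 1 }
        classes = 0
        if (pw ~ /[a-z]/) classes++
        if (pw ~ /[A-Z]/) classes++
        if (pw ~ /[0-9]/) classes++
        if (pw ~ /[^a-zA-Z0-9]/) classes++
        if (classes < minclass) { print "too few character classes: " classes " < " minclass; bad = 1 }
        rep = 1; seq = 1; maxr = 1; maxs = 1
        for (i = 2; i <= n; i++) {
            c = substr(pw, i, 1); p = substr(pw, i - 1, 1)
            rep = (c == p) ? rep + 1 : 1
            d = ord[c] - ord[p]
            if (d == 1 || d == -1) {
                # a monotonic run continues only while the direction is unchanged
                if (seq >= 2 && d != dir) seq = 2; else seq++
                dir = d
            } else seq = 1
            if (rep > maxr) maxr = rep
            if (seq > maxs) maxs = seq
        }
        if (maxr > maxrep) { print "repeated character run of " maxr " > " maxrep; bad = 1 }
        if (maxs > maxseq) { print "monotonic sequence of " maxs " > " maxseq; bad = 1 }
        exit bad
    }'
}

# Demo with constructed candidates
for cand in 'Tr0ub4dor&3x' 'Short1!' 'abcd1234!!XY' 'Good1111!Xyz' 'alllowercase1!'; do
    if pw_check "$cand" 8 4 3 3 >/tmp/pw_reason.$$; then
        echo "accept: $cand"
    else
        echo "reject: $cand ($(tr '\n' ';' </tmp/pw_reason.$$))"
    fi
done
rm -f /tmp/pw_reason.$$
```

Of the constructed candidates only the first is accepted: the others fail on length, a four-character sequence (abcd and 1234), a four-character repeat (1111) and having only three character classes. Note that a password with exactly three sequential or three repeated characters passes, which is what the "more than 3" wording above means.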

17) World-Writable Files

Anyone can modify a world-writable file, which can result in a security issue. Use the following command to find all world-writable directories that do not have the sticky bit set:

find /dir -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print

You need to investigate each reported directory and either set the correct user and group permissions or remove it.
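The sticky-bit exclusion is what keeps /tmp-style directories out of the report, and the usual remediation is to remove the "other" write bit rather than to add a sticky bit (the sticky bit only stops users deleting each other's files; it does not stop anyone adding new ones). The script below is an added example, not from the original post: it runs the same find expression against a constructed directory tree, applies the fix and checks again. Only the world-writable test is demonstrated, since -nouser and -nogroup conditions cannot be constructed without root.

```sh
#!/bin/sh
# Added example (not from the original post): run the world-writable check from
# this section against a constructed directory tree, apply the fix, re-check.
# -xdev keeps find on one filesystem, as in the original command.

ww_dirs_no_sticky() {
    # $1: search root. Prints world-writable directories that lack the sticky
    # bit, as paths relative to $1, sorted.
    find "$1" -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print |
        while IFS= read -r p; do printf '%s\n' "${p#"$1"/}"; done | sort
}

fix_ww_dir() {
    # Remove write access for "other"; adding the sticky bit instead only stops
    # users deleting each other's files, it does not stop them adding new ones.
    chmod o-w "$1"
}

demo_dir=$(mktemp -d)
mkdir "$demo_dir/shared_bad" "$demo_dir/tmp_ok" "$demo_dir/private"
chmod 777 "$demo_dir/shared_bad"    # world-writable, no sticky bit: reported
chmod 1777 "$demo_dir/tmp_ok"       # world-writable with sticky bit: skipped
chmod 755 "$demo_dir/private"       # not world-writable: skipped
echo "before fix:"; ww_dirs_no_sticky "$demo_dir"
fix_ww_dir "$demo_dir/shared_bad"
echo "after fix:";  ww_dirs_no_sticky "$demo_dir"
rm -rf "$demo_dir"
```

Before the fix only shared_bad is listed; after it the report is empty. On a real host run ww_dirs_no_sticky against / and review each hit before changing it, since some software ships directories that are world-writable on purpose.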

18) Noowner Files

Files not owned by any user or group can pose a security problem. Find files that do not belong to a valid user and a valid group with the following command:

find /dir -xdev \( -nouser -o -nogroup \) -print

Finally, you need to investigate each reported file and either assign it to an appropriate user and group or remove it.

Sajid Ali
Linux & Windows Server Administrator | Cloud Architect: I possess 10 years of professional experience with administration of different hosting provider’s Linux and Windows based servers on a large production level.
