Securing a Fresh CentOS 7 Server

Securing IT infrastructure is essential to protect us and our data.
I don't claim this is the best way to secure a CentOS 7 server; even the most hardened CentOS 7 can be breached. If I have misconfigured something or I'm wrong, please let me know.
Password
- Use a minimum password length of 12 to 14 characters, if permitted.
- Include lowercase and uppercase alphabetic characters, numbers, and symbols.
- Avoid character repetition, keyboard patterns, dictionary words, letter or number sequences, usernames, relative or pet names, romantic links etc.
- Avoid using information that is or might become publicly associated with the user or the account.
Keep the system updated
[root@localhost ~]# yum update -y
Users
Let’s create a new user.
[root@localhost ~]# useradd robert00421
[root@localhost ~]# passwd robert00421
Changing password for user robert00421.
New password:
Retype new password:
Give sudo permission to the user.
[root@localhost ~]# visudo
Add the following line after the line root ALL=(ALL:ALL) ALL:
robert00421 ALL=(ALL) ALL
SSH
Modify the SSH server configuration file. Note that ssh_config is the client configuration; the daemon reads sshd_config, so the directives below belong there.
[root@localhost ~]# vi /etc/ssh/sshd_config
Use a non-standard port.
Port 2494
Disable SSH root access. The directives must be uncommented; a line that still starts with # has no effect.
PermitRootLogin no
PasswordAuthentication no
Only set PasswordAuthentication no once the user created above has an SSH key installed, otherwise that user can no longer log in.
Limit the login grace time and the maximum authentication attempts per connection.
LoginGraceTime 5m
MaxAuthTries 3
Create an SSH banner.
[root@localhost ~]# vi ssh_banner
Create a banner according to your standard.
Add the following lines.
WARNING: Unauthorized access to this system is forbidden and will be
prosecuted by law. By accessing this system, you agree that your actions
may be monitored if unauthorized usage is suspected.
Then point the SSH daemon at the banner file (uncommented) in its configuration.
[root@localhost ~]# vi /etc/ssh/sshd_config
Banner /root/ssh_banner
Modify the MOTD.
[root@localhost ~]# vi /etc/motd
Add the following lines.
WARNING: Unauthorized access to this system is forbidden and will be
prosecuted by law. By accessing this system, you agree that your actions
may be monitored if unauthorized usage is suspected.
Restrict SSH logins to named users. Only the accounts listed in AllowUsers may log in over SSH; every other account is refused.
[root@localhost ~]# echo "AllowUsers admin robert00421" >> /etc/ssh/sshd_config
Open the new SSH port in the firewall: the runtime rule first, then the permanent rule so it survives a reload.
[root@localhost ~]# firewall-cmd --add-port 2494/tcp
success
[root@localhost ~]# firewall-cmd --add-port 2494/tcp --permanent
success
Restart the SSH daemon. Keep the current session open and test a new login on port 2494 before closing it, so a mistake in the configuration does not lock you out.
[root@localhost ~]# systemctl restart sshd
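Before restarting sshd it is worth checking that the directives above are really in effect, since a directive left commented out changes nothing. The script below is an added example, not part of the original post: it reads an sshd_config file given as an argument and reports every hardening directive from this guide that is missing, still commented out, or set to an unexpected value. It assumes plain "Keyword value" lines without Match blocks.

```shell
#!/bin/bash
# Added example, not part of the original post: audit an sshd_config file for
# the directives this guide changes, catching the common mistake of leaving
# them commented out (a line such as "#PermitRootLogin yes" changes nothing).
# Assumption: plain "Keyword value" lines and no Match blocks.

# Print the effective value of a directive. Like sshd, the first uncommented
# occurrence wins; nothing is printed if it is absent or only commented out.
sshd_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Compare one directive with its expected value; returns 1 on any mismatch.
check_directive() {
    local file=$1 key=$2 expected=$3 actual
    actual=$(sshd_value "$file" "$key")
    if [ -z "$actual" ]; then
        echo "FAIL $key: not set (missing or still commented out)"
        return 1
    fi
    if [ "$actual" != "$expected" ]; then
        echo "FAIL $key: is '$actual', expected '$expected'"
        return 1
    fi
    echo "ok   $key = $actual"
}

# Audit every directive the guide hardens; returns the number of failures.
audit_sshd_config() {
    local file=$1 failures=0
    check_directive "$file" Port 2494 || failures=$((failures + 1))
    check_directive "$file" PermitRootLogin no || failures=$((failures + 1))
    check_directive "$file" MaxAuthTries 3 || failures=$((failures + 1))
    check_directive "$file" Banner /root/ssh_banner || failures=$((failures + 1))
    if [ -z "$(sshd_value "$file" AllowUsers)" ]; then
        echo "FAIL AllowUsers: not set, so every local account may log in over SSH"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Demo on a constructed file that reproduces the guide's commented-out lines.
demo=$(mktemp)
printf '%s\n' '#Port 22' '#PermitRootLogin yes' '#MaxAuthTries 3' > "$demo"
audit_sshd_config "$demo" || echo "$? directive(s) need fixing before restarting sshd"
rm -f "$demo"
```

On a real server run it as audit_sshd_config /etc/ssh/sshd_config and only restart sshd once it reports no failures.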
Fail2ban
Install fail2ban from the EPEL repository.
[root@localhost ~]# yum install epel-release -y
[root@localhost ~]# yum install fail2ban -y
Make a copy of the jail.conf file and save it with the name jail.local, so that package upgrades do not overwrite your changes.
[root@localhost ~]# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Create a *.local jail file in jail.d according to your organization's standard; settings in it take precedence over jail.conf.
[root@localhost ~]# vi /etc/fail2ban/jail.d/sshd.local
Add the following lines.
[sshd]
enabled = true
# sshd now listens on 2494; the named port "ssh" would only ban access to port 22
port = 2494
#action = firewallcmd-ipset
logpath = %(sshd_log)s
maxretry = 5
bantime = 86400
Restart fail2ban services.
[root@localhost ~]# systemctl restart fail2ban
Check the status of fail2ban jails.
[root@localhost jail.d]# fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: sshd
Networking
Turn off IPv6 (only if nothing on the server needs it).
[root@localhost ~]# sysctl -w net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.all.disable_ipv6 = 1
[root@localhost ~]# sysctl -w net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6 = 1
These sysctl -w changes take effect immediately but are lost on reboot. To make them persistent, add the same two settings to /etc/sysctl.conf and reload it.
[root@localhost ~]# sysctl -p
Also disable IPv6 in the network configuration.
[root@localhost ~]# vi /etc/sysconfig/network
Add the following lines.
NETWORKING_IPV6=no
IPV6INIT=no
Ignore ICMP echo and broadcast requests.
[root@localhost ~]# vi /etc/sysctl.conf
Add the following lines, then reload with sysctl -p.
Ignore ICMP echo requests (note that this also stops legitimate ping-based monitoring of the host):
net.ipv4.icmp_echo_ignore_all = 1
Ignore Broadcast request:
net.ipv4.icmp_echo_ignore_broadcasts = 1
Firewalling
Accept incoming SSH on the new port only from the trusted subnet 192.168.1.0/24 (adjust this to your management network).
[root@localhost ~]# iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 2494 -j ACCEPT
Drop all other incoming SSH.
[root@localhost ~]# iptables -A INPUT -p tcp --dport 2494 -j DROP
Save the changes. iptables-save only prints the current rule set to standard output, so redirect it to the file that the iptables-services package loads at boot; be aware that firewalld, used above, manages its own rules and discards rules added directly with iptables when it reloads, so on a firewalld host the equivalent rules should be added through firewall-cmd instead.
[root@localhost ~]# iptables-save > /etc/sysconfig/iptables
Then reboot.
[root@localhost ~]# reboot
I don't mention all the other things that need to be secured, because my goal in this blog is to secure a freshly installed CentOS 7 server with no services running yet.
Thanks for reading. If I'm wrong, please let me know by sending me an email at canarerobertjohn@gmail.com