
Securing a Fresh CentOS 7 Server

Securing IT infrastructure is essential to protect ourselves and our data.

I don’t say this is the best way to secure a CentOS 7 server; even the most hardened CentOS 7 can be breached. If I have misconfigured something or I’m wrong, please let me know.

Password

  • Use a minimum password length of 12 to 14 characters, if permitted.
  • Include lowercase and uppercase alphabetic characters, numbers, and symbols.
  • Avoid character repetition, keyboard patterns, dictionary words, letter or number sequences, usernames, relative or pet names, romantic links etc.
  • Avoid using information that is or might become publicly associated with the user or the account.

Keep the system updated

[root@localhost ~]# yum update -y

Users

Let’s create a new user.

[root@localhost ~]# useradd robert00421
[root@localhost ~]# passwd robert00421
Changing password for user robert00421.
New password:
Retype new password:

Give the user sudo permission.

[root@localhost ~]# visudo

Add the following line after the existing root entry (root ALL=(ALL) ALL):

robert00421 ALL=(ALL) ALL

SSH

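Modify the SSH daemon configuration file. The server reads /etc/ssh/sshd_config; /etc/ssh/ssh_config only configures the SSH client.

[root@localhost ~]# vi /etc/ssh/sshd_config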

Use a non-standard port.

Port 2494

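Disable SSH root access. The directive has to be uncommented and set to no to take effect. Leave PasswordAuthentication commented out until key-based login works for your user, because this guide logs in with a password.

PermitRootLogin no
#PasswordAuthentication no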

Limit maximum authentication tries. Uncomment both lines so that they take effect.

LoginGraceTime 5m
MaxAuthTries 3

Create an SSH banner.

[root@localhost ~]# vi ssh_banner

Create a banner according to your standard.

Add the following lines.

WARNING: Unauthorized access to this system is forbidden and will be
prosecuted by law. By accessing this system, you agree that your actions
may be monitored if unauthorized usage is suspected.

Then set the banner path in the daemon configuration (uncommented, so that sshd uses it).

[root@localhost ~]# vi /etc/ssh/sshd_config

Banner /root/ssh_banner

Modify the MOTD.

[root@localhost ~]# vi /etc/motd

Add the following lines.

WARNING: Unauthorized access to this system is forbidden and will be
prosecuted by law. By accessing this system, you agree that your actions
may be monitored if unauthorized usage is suspected.

Limit which users can log in over SSH.

[root@localhost ~]# echo "AllowUsers admin robert00421" >> /etc/ssh/sshd_config

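Allow the new SSH port through the firewall. On a system with SELinux in enforcing mode, the port also has to be added to the ssh_port_t type with semanage before sshd can bind to it, as the comment above the Port line in the default sshd_config points out.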

[root@localhost ~]# firewall-cmd --add-port 2494/tcp
success
[root@localhost ~]# firewall-cmd --add-port 2494/tcp --permanent
success

Restart SSH daemon.

[root@localhost ~]# systemctl restart sshd
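
The sshd_config keywords above only take effect when they are uncommented, and sshd uses the first occurrence of each keyword. The following check is an added example, not part of the original post; the function names `effective_value` and `audit_sshd` are made up for it, and the sample configuration is constructed.

```bash
#!/bin/bash
# Added example: check that the sshd settings from this guide are really active.

# effective_value FILE KEYWORD
# Prints the value sshd would use for KEYWORD from FILE: commented-out lines
# are skipped, keywords are case-insensitive, and the first occurrence wins.
# Assumes whitespace-separated "Keyword value" lines; stops at the first
# Match block because settings inside it are conditional.
effective_value() {
    awk -v key="$2" '
        $1 ~ /^#/                   { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# audit_sshd FILE
# Compares FILE with the values used in this guide and returns the number
# of settings that are not in effect (0 means everything matches).
audit_sshd() {
    local file="$1" failed=0 key want got
    while read -r key want; do
        got="$(effective_value "$file" "$key")"
        if [ "$got" = "$want" ]; then
            echo "ok    $key $got"
        else
            echo "FAIL  $key: want '$want', found '${got:-<unset, default applies>}'"
            failed=$((failed + 1))
        fi
    done <<'EOF'
Port 2494
PermitRootLogin no
MaxAuthTries 3
Banner /root/ssh_banner
AllowUsers admin robert00421
EOF
    return "$failed"
}

# Constructed sample: the directives left commented out, so sshd ignores them.
sample="$(mktemp)"
printf '%s\n' 'Port 2494' '#PermitRootLogin yes' '#MaxAuthTries 3' \
    '#Banner /root/ssh_banner' 'AllowUsers admin robert00421' > "$sample"
audit_sshd "$sample" || echo "$? setting(s) not in effect"
rm -f "$sample"
```

On the server, point `audit_sshd` at /etc/ssh/sshd_config; `sshd -T` prints the full effective configuration as a cross-check.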

Fail2ban

Install fail2ban.

[root@localhost ~]# yum install epel-release -y
[root@localhost ~]# yum install fail2ban -y

Make a copy of the jail.conf file and save it with the name jail.local.

[root@localhost ~]# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Create a *.local file according to your organization standard.

[root@localhost ~]# vi /etc/fail2ban/jail.d/sshd.local

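Add the following lines. The port has to match the SSH port configured above, otherwise the ban is applied to port 22 instead of the port sshd listens on.

[sshd]
enabled = true
# SSH was moved to port 2494 in the SSH section
port = 2494
#action = firewallcmd-ipset
logpath = %(sshd_log)s
maxretry = 5
bantime = 86400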

Restart fail2ban services.

[root@localhost ~]# systemctl restart fail2ban

Check the status of fail2ban jails.

[root@localhost jail.d]# fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: sshd

Networking

Turn off IPv6.

[root@localhost ~]# sysctl -w net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.all.disable_ipv6 = 1
[root@localhost ~]# sysctl -w net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6 = 1

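To make the settings effective, reload /etc/sysctl.conf. Note that sysctl -w changes only the running kernel; the two settings above survive a reboot only if they are also added to /etc/sysctl.conf.

[root@localhost ~]# sysctl -p

Turn off IPv6 in the network configuration.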

[root@localhost ~]# vi /etc/sysconfig/network

Add the following lines.

NETWORKING_IPV6=no
IPV6INIT=no

Ignore ICMP and broadcast requests.

[root@localhost ~]# vi /etc/sysctl.conf

Add the following lines.

# Ignore ICMP request:
net.ipv4.icmp_echo_ignore_all = 1

# Ignore Broadcast request:
net.ipv4.icmp_echo_ignore_broadcasts = 1

Firewalling

Accept incoming SSH from the 192.168.1.0/24 network.

[root@localhost ~]# iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 2494 -j ACCEPT

Drop all other incoming SSH.

[root@localhost ~]# iptables -A INPUT -p tcp --dport 2494 -j DROP

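Save the changes. Note that iptables-save only prints the current rules to standard output; it does not by itself make them persist across a reboot.

[root@localhost ~]# iptables-save

Then reboot.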

[root@localhost ~]# reboot

I don’t mention all the other things that need to be secured, because my goal in this blog post is to secure a freshly installed CentOS 7 server with no services running yet.

Thanks for reading. If I’m wrong, please let me know by sending me an email at canarerobertjohn@gmail.com