Securing a Fresh CentOS 7 Server

Posted on February 13, 2019

Strengthening Security on CentOS 7: Building a Resilient Digital Fortress

A fresh CentOS 7 installation provides a clean slate, a canvas on which you can paint a robust fortress of security. In this guide, we delve into the crucial steps and strategies required to fortify your CentOS 7 server from potential vulnerabilities, ensuring a robust and resilient digital environment. Whether you’re a seasoned sysadmin or a newcomer to server management, this comprehensive walkthrough will empower you to establish a secure foundation that stands up to the challenges of today’s cybersecurity landscape.

Safeguarding an organization’s IT infrastructure is of paramount importance to shield critical data and information from potential threats. While there is no foolproof method to ensure absolute security, adopting rigorous security measures is imperative to minimize vulnerabilities.

In this context, the following guide outlines a series of meticulous steps aimed at enhancing the security posture of a CentOS 7 server. It’s important to acknowledge that even the most rigorously fortified systems can be susceptible to breaches if misconfigurations or errors are present. Therefore, your insights and corrections are highly valued to collectively reinforce the security fabric.

Creating Robust Passwords for CentOS 7 Security

  • Use a minimum password length of 12 to 14 characters, if permitted.
  • Include lowercase and uppercase alphabetic characters, numbers, and symbols.
  • Avoid character repetition, keyboard patterns, dictionary words, letter or number sequences, usernames, relatives' or pets' names, romantic links, etc.
  • Avoid using information that is or might become publicly associated with the user or the account.
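The rules above can be checked mechanically before a password is accepted. The following shell function is an added example, not code from the original post: it encodes the listed rules (minimum length of 12, all four character classes, no run of repeated characters, no keyboard or sequence pattern from a short constructed list, and no username inside the password). It is a local check for account-creation scripts; on CentOS 7 itself the same kind of policy is normally enforced by pam_pwquality via /etc/security/pwquality.conf.

```shell
#!/bin/sh
# Added example, not from the original post: check a candidate password
# against the rules listed above. Intended for scripts that create accounts;
# the pattern list is a constructed stand-in for a real dictionary.
#
# check_password PASSWORD USERNAME -> prints the first violated rule and
# returns 1, or prints "ok" and returns 0.
check_password() {
    pw=$1
    user=$2
    if [ "${#pw}" -lt 12 ]; then
        echo "reject: fewer than 12 characters"; return 1
    fi
    # all four classes must be present: lowercase, uppercase, digit, symbol
    for class in '[a-z]' '[A-Z]' '[0-9]' '[^a-zA-Z0-9]'; do
        if ! printf '%s' "$pw" | LC_ALL=C grep -q -- "$class"; then
            echo "reject: missing a character from class $class"; return 1
        fi
    done
    # three or more identical characters in a row, e.g. "aaa"
    if printf '%s' "$pw" | grep -q '\(.\)\1\1'; then
        echo "reject: repeated character run"; return 1
    fi
    # keyboard patterns and trivial sequences (constructed short list)
    if printf '%s' "$pw" | grep -iqE 'qwerty|asdf|zxcv|abcd|1234|password'; then
        echo "reject: contains a keyboard pattern or common sequence"; return 1
    fi
    # the account name must not appear in the password, in any letter case
    if [ -n "$user" ] && printf '%s' "$pw" | grep -iqF -- "$user"; then
        echo "reject: contains the username"; return 1
    fi
    echo "ok"
}

# Demonstration on constructed inputs (none are real credentials).
for candidate in 'Tr0ub4dor&3xyz' 'short1!A' 'aliceXyz99!Qw' 'Gooood9!Aqwtyz'; do
    printf '%-16s ' "$candidate"
    check_password "$candidate" alice || true
done
```

Because the function only ever prints the first rule that fails, a caller can show that single reason to the user and loop until the candidate passes.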

Keep the System Updated

[root@localhost ~]# yum update -y

Creating a New User with SUDO Permissions on CentOS 7

Let’s create a new user.

[root@localhost ~]# useradd robert00421
[root@localhost ~]# passwd robert00421
Changing password for user robert00421.
New password:
Retype new password:

Give SUDO permission to the user.

[root@localhost ~]# visudo

Add the following line after the root ALL=(ALL:ALL) ALL entry:

robert00421 ALL=(ALL) ALL

Securing SSH

Modify the SSH daemon configuration file (sshd_config; ssh_config is the client configuration and has no effect on incoming logins).

[root@localhost ~]# vi /etc/ssh/sshd_config

Use a non-standard port.

Port 2494

Disable SSH root access. Both lines must be uncommented to take effect; a line that starts with # is ignored by sshd. Only set PasswordAuthentication to no once an SSH key has been installed for the sudo user created above, or you will lock yourself out.

PermitRootLogin no
PasswordAuthentication no

Limit the login grace time and the maximum authentication tries per connection (again, uncommented).

LoginGraceTime 5m
MaxAuthTries 3

Create an SSH banner.

[root@localhost ~]# vi ssh_banner

Create a banner according to your standard.

Add the following lines.

WARNING: Unauthorized access to this system is forbidden and will be
prosecuted by law. By accessing this system, you agree that your actions
may be monitored if unauthorized usage is suspected.

Then point the daemon at the banner file (created in /root above).

[root@localhost ~]# vi /etc/ssh/sshd_config

Banner /root/ssh_banner

Modify the MOTD.

[root@localhost ~]# vi /etc/motd

Add the following lines.

WARNING: Unauthorized access to this system is forbidden and will be
prosecuted by law. By accessing this system, you agree that your actions
may be monitored if unauthorized usage is suspected.

Limit which users can log in over SSH.

[root@localhost ~]# echo "AllowUsers admin robert00421" >> /etc/ssh/sshd_config

Open the new SSH port in the firewall, both in the running configuration and permanently, before restarting sshd.

[root@localhost ~]# firewall-cmd --add-port 2494/tcp
success
[root@localhost ~]# firewall-cmd --add-port 2494/tcp --permanent
success

Restart the SSH daemon. Keep the current session open and confirm that a new login on port 2494 works before closing it.

[root@localhost ~]# systemctl restart sshd
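The SSH steps above all edit the same file by hand, and the most common mistake is leaving a directive commented out, which sshd silently ignores. The script below is an added example, not code from the original post or from OpenSSH: set_sshd_option rewrites an existing directive (commented or not) in place, drops later duplicates, and appends the directive if it is absent; get_sshd_option returns the value sshd would use (the first uncommented occurrence); harden_sshd applies the post's settings. The file name passed in is a parameter, and the script assumes a sshd_config without Match blocks (an appended directive would otherwise land inside the last Match block).

```shell
#!/bin/sh
# Added example, not part of the original post: apply the sshd_config
# directives above in place, replacing a commented-out default such as
# "#PermitRootLogin yes" (which sshd ignores) instead of leaving it in.
# Assumes a sshd_config without Match blocks.

# set_sshd_option FILE KEY VALUE
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        {
            line = $0
            sub(/^[[:space:]]*#?[[:space:]]*/, "", line)   # strip a leading comment marker
            split(line, parts, /[[:space:]]+/)
            if (tolower(parts[1]) == tolower(key)) {       # sshd keywords are case-insensitive
                if (!done) { print key " " value; done = 1 } # first occurrence: rewrite
                next                                       # later duplicates: drop
            }
            print
        }
        END { if (!done) print key " " value }             # absent: append
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# get_sshd_option FILE KEY -> the value sshd would use (first uncommented match)
get_sshd_option() {
    file=$1; key=$2
    awk -v key="$key" '
        /^[[:space:]]*#/ { next }                           # comments never count
        tolower($1) == tolower(key) {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")
            print; exit
        }
    ' "$file"
}

# The settings from the post, applied to FILE.
harden_sshd() {
    f=$1
    set_sshd_option "$f" Port 2494
    set_sshd_option "$f" PermitRootLogin no
    set_sshd_option "$f" PasswordAuthentication no   # only after keys are installed for the sudo user
    set_sshd_option "$f" LoginGraceTime 5m
    set_sshd_option "$f" MaxAuthTries 3
    set_sshd_option "$f" Banner /root/ssh_banner
    set_sshd_option "$f" AllowUsers "admin robert00421"
}

# Demonstration on a constructed copy so the live configuration is untouched.
demo_sshd_hardening() {
    demo=$(mktemp)
    printf '%s\n' '#Port 22' '#PermitRootLogin yes' 'PasswordAuthentication yes' '#Banner none' > "$demo"
    harden_sshd "$demo"
    echo "PermitRootLogin is now: $(get_sshd_option "$demo" PermitRootLogin)"
    echo "Port is now: $(get_sshd_option "$demo" Port)"
    rm -f "$demo"
}
demo_sshd_hardening

# Real use (as root), validating the result before the daemon is restarted:
#   cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
#   harden_sshd /etc/ssh/sshd_config && sshd -t && systemctl restart sshd
```

sshd -t parses the configuration and exits non-zero on any error, so the && chain never restarts the daemon with a file it cannot load; keep the backup and the existing session until a fresh login on the new port has been verified.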

Fail2ban

Install fail2ban (it is shipped in the EPEL repository).

[root@localhost ~]# yum install epel-release -y
[root@localhost ~]# yum install fail2ban -y

Make a copy of jail.conf named jail.local. fail2ban reads the .local overrides on top of the defaults, and package updates only overwrite jail.conf.

[root@localhost ~]# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Create a per-jail .local file in jail.d according to your organization's standard.

[root@localhost ~]# vi /etc/fail2ban/jail.d/sshd.local

Add the following lines. The port must be the non-standard one chosen above: the name ssh resolves to 22 via /etc/services, so a ban keyed on it would not cover port 2494.

[sshd]
enabled = true
port = 2494
#action = firewallcmd-ipset
logpath = %(sshd_log)s
maxretry = 5
bantime = 86400

Restart fail2ban services.

[root@localhost ~]# systemctl restart fail2ban

Check the status of fail2ban jails.

[root@localhost jail.d]# fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: sshd
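As an added example (not code from the post or from the fail2ban project), here is the core of what the sshd jail above does, written out so the counting is visible: a shell function that tallies sshd "Failed password" lines per source address in a /var/log/secure-style log and reports every address at or above maxretry. fail2ban's real filter matches more patterns and applies its findtime window, both omitted here; the log lines are constructed and the addresses come from the documentation ranges.

```shell
#!/bin/sh
# Added example, not part of the original post: count sshd "Failed password"
# lines per source address and report the addresses that reach maxretry,
# which is the decision the sshd jail makes before it bans.

# Constructed sample of /var/log/secure; addresses are documentation ranges.
write_sample_log() {
    cat > "$1" <<'EOF'
Feb 13 10:01:02 localhost sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Feb 13 10:01:05 localhost sshd[1201]: Failed password for root from 203.0.113.7 port 51236 ssh2
Feb 13 10:01:09 localhost sshd[1203]: Failed password for root from 203.0.113.7 port 51238 ssh2
Feb 13 10:01:12 localhost sshd[1203]: Failed password for invalid user test from 198.51.100.9 port 40210 ssh2
Feb 13 10:01:15 localhost sshd[1205]: Failed password for root from 203.0.113.7 port 51240 ssh2
Feb 13 10:01:20 localhost sshd[1207]: Accepted publickey for robert00421 from 192.168.1.20 port 50422 ssh2: RSA SHA256:constructedfingerprint
Feb 13 10:01:25 localhost sshd[1209]: Failed password for robert00421 from 198.51.100.9 port 40212 ssh2
Feb 13 10:01:31 localhost sshd[1211]: Failed password for root from 203.0.113.7 port 51242 ssh2
EOF
}

# failed_login_offenders LOGFILE MAXRETRY -> one "ip count" line per address
# whose failure count is at or above MAXRETRY, sorted by address.
failed_login_offenders() {
    awk -v maxretry="$2" '
        /sshd\[[0-9]+\]: Failed password for / {
            # the source address is the word after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= maxretry) print ip, fails[ip] }
    ' "$1" | sort
}

demo_fail2ban_counting() {
    log=$(mktemp)
    write_sample_log "$log"
    echo "addresses reaching maxretry=5:"
    failed_login_offenders "$log" 5
    rm -f "$log"
}
demo_fail2ban_counting
```

On the sample, 203.0.113.7 accumulates five failures and is reported, while 198.51.100.9 stays at two and the successful key login from the LAN is never counted; the same function run against the real /var/log/secure is a quick way to confirm what the jail should be seeing when fail2ban-client reports no bans.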

Networking

Turn off IPv6.

[root@localhost ~]# sysctl -w net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.all.disable_ipv6 = 1
[root@localhost ~]# sysctl -w net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6 = 1

These take effect immediately but do not survive a reboot. To persist them, add the same two key = value lines to /etc/sysctl.conf and then load that file:

sysctl -p

Also disable IPv6 in the network sysconfig file.

[root@localhost ~]# vi /etc/sysconfig/network

Add the following lines.

NETWORKING_IPV6=no
IPV6INIT=no

Ignore ICMP echo and broadcast requests. Note that the first setting makes the host unpingable, which also breaks ping-based monitoring; the second one (broadcast echo) is the safer of the two to apply everywhere.

[root@localhost ~]# vi /etc/sysctl.conf

Add the following lines.

Ignore ICMP echo (ping) requests:
net.ipv4.icmp_echo_ignore_all = 1

Ignore broadcast echo requests:
net.ipv4.icmp_echo_ignore_broadcasts = 1

Firewalling

Accept incoming SSH on the new port only from the local network (192.168.1.0/24 here; use your management network).

[root@localhost ~]# iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 2494 -j ACCEPT

Drop all other incoming SSH. Because -A appends, this rule must be added after the ACCEPT rule.

[root@localhost ~]# iptables -A INPUT -p tcp --dport 2494 -j DROP

Save the changes. iptables-save on its own only prints the ruleset to the terminal; redirect it to the file the iptables service loads at boot (the iptables-services package must be installed and enabled for that). Note that firewalld, used above to open the port, manages the same tables and does not preserve rules added directly with iptables; on a host that keeps firewalld, express the source restriction as a firewalld rich rule (firewall-cmd --add-rich-rule) instead.

[root@localhost ~]# iptables-save > /etc/sysconfig/iptables

Then reboot.

[root@localhost ~]# reboot

I don’t mention all the other things that need securing, because my goal in this blog is to secure a freshly installed CentOS 7 server with no services running yet.

Thanks for reading. If I’m wrong, please let me know by sending me an email at canarerobertjohn@gmail.com.

Author Profile

Canare