CentOS is among the most secure Linux distributions, at least among distributions that are useful on a server. It is a stable, reliable, and secure platform. But every server distribution requires some input from the administrator to ensure that it is as secure as possible.
We take care of security hardening and monitoring for our managed server clients, but clients who opt for an unmanaged server should be aware of the procedure for securing CentOS. In this article, we’re going to cover six of the basic steps to securing a Linux server. This isn’t a comprehensive list — security requirements depend on the software a server runs — but it provides a solid and secure foundation.
Password-based logins are a frequent attack vector. Bad actors use brute-force and dictionary-based attacks to guess usernames and passwords until they hit on the right combination. Unfortunately, they’re successful more often than one would hope. The safest option is to disable password-based logins and use key-based logins instead.
Key-based logins use a secure key pair: a public key on the server and a private key on your local machine. A user can only log in if they have the right private key. Private keys are essentially unguessable, and they’re a reliable defense against brute-force attacks.
We have written in depth about how to set up key-based logins previously.
Get To Know Your Firewall
CentOS includes the iptables Linux firewall, but it can be a headache to use if you’re not already a server security expert. FirewallD is a wrapper around iptables that provides a more intuitive interface. It’s disabled by default on CentOS 7, but can be activated with the following commands:
sudo systemctl start firewalld # Start firewalld
sudo systemctl enable firewalld # Start firewalld on boot
Firewalld provides the firewall-cmd tool for accessing the firewall’s current state and adding new rules. For example, to see a full list of the rules run this command:
You can add firewall rules using the same tool. For example, to drop requests to port 80 — typically used for HTTP — run the following command.
sudo firewall-cmd --zone=public --remove-service=http --permanent
I will look more closely at FirewallD in a later post, including a detailed discussion of zones, but for a quick introduction take a look at this guide.
Install An Intrusion Detection System (IDS)
Intrusion Detection Systems monitor important directories on your server, reporting if they find unexpected changes. An IDS can’t stop your server being hacked, but it’s the best way to find out quickly.
There are several IDS services available, but Advanced Intrusion Detection Environment (AIDE) is the best supported on CentOS. AIDE is in the CentOS repositories, so you can install it with a quick yum command.
yum install aide
IDSs work by making a thorough scan of system directories and then comparing future scans against this baseline. AIDE has a sensible set of default directories, but you can change them by editing the /etc/aide.conf file.
To create the initial database, run the command aide --init. This creates a database file at /var/lib/aide/aide.db.new.gz. Before AIDE will use it, you must rename this database with the following command:
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
Then you can run AIDE with aide --check; it carries out a new scan, compares it with the baseline database, and displays a report of any differences it finds.
AIDE does not schedule itself, so you will have to run aide --check periodically by hand or create a cron job.
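To show what the baseline-and-check cycle above actually does, here is an added example (not AIDE's code and not a replacement for it): a minimal sha256 baseline over a directory and a check that reports added, removed and changed files, in the same spirit as aide --init and aide --check. Paths containing spaces are assumed not to occur.

```shell
# Added example, not AIDE: a minimal integrity baseline in the style of
# aide --init / aide --check. Limitation: paths with spaces are unsupported.

# Record "hash size mode path" for every regular file under DIR into DBFILE.
integrity_baseline() {
    dir=$1; db=$2
    find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        hash=$(sha256sum "$f" | cut -d' ' -f1)
        # stat -c is GNU coreutils (present on CentOS); size and mode ride
        # alongside the hash so permission changes are caught as well.
        printf '%s %s %s\n' "$hash" "$(stat -c '%s %a' "$f")" "$f"
    done > "$db"
}

# Rescan DIR and print one "added|removed|changed PATH" line per difference
# from DBFILE; prints nothing when the tree still matches the baseline.
integrity_check() {
    check_dir=$1; base_db=$2
    new_db=$(mktemp)
    integrity_baseline "$check_dir" "$new_db"
    # Field 4 is the path; fields 1-3 (hash, size, mode) are the attributes.
    awk 'NR == FNR { base[$4] = $1 " " $2 " " $3; next }
         { cur[$4] = $1 " " $2 " " $3 }
         END {
             for (p in base) if (!(p in cur)) print "removed " p
             for (p in cur) if (!(p in base)) print "added " p
             for (p in cur) if ((p in base) && base[p] != cur[p]) print "changed " p
         }' "$base_db" "$new_db" | LC_ALL=C sort
    rm -f "$new_db"
}
```

Like AIDE, this only tells you that something changed after the fact, so the baseline file itself must be kept where an intruder cannot quietly regenerate it.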
Fail2Ban blocks repeated login requests. Brute-force bots will hammer on your server at any opportunity, so it’s a good idea to implement a policy to ignore excessive login requests.
Fail2Ban is not part of the standard CentOS repositories, but it is in the EPEL repo, which can be installed with yum install epel-release. Once you have the EPEL repo installed, you can install Fail2Ban with yum install fail2ban.
Fail2Ban comes with a default set of configuration files in the /etc/fail2ban directory. Open the /etc/fail2ban/jail.conf file in a text editor and familiarize yourself with the options. Here you can add and remove the services that Fail2Ban monitors. The defaults are reasonable for many common server setups, but you may want to make some tweaks. You should not edit this file directly because it may be overwritten on updates; instead, create a copy called /etc/fail2ban/fail2ban.local and make your changes there.
Once you’re satisfied with the configuration, activate Fail2Ban with systemctl start fail2ban. To make this persistent across reboots, run systemctl enable fail2ban.
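As an added example (not Fail2Ban's code), the following script applies the same threshold rule the sshd jail uses to a constructed sample of /var/log/secure lines: count failed password attempts per source address and report any source at or above maxretry. The sample addresses are from documentation ranges and the whole file is treated as the time window.

```shell
# Added example, not Fail2Ban: count failed SSH password attempts per
# source address in /var/log/secure format and report sources at or
# above a threshold, the rule the sshd jail applies via maxretry.

# Constructed sample log; 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24
# are documentation address ranges, not real hosts.
SAMPLE_SECURE_LOG=$(mktemp)
cat > "$SAMPLE_SECURE_LOG" <<'EOF'
Mar  3 10:01:02 web1 sshd[1201]: Invalid user admin from 203.0.113.7 port 51234
Mar  3 10:01:02 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:05 web1 sshd[1203]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  3 10:01:09 web1 sshd[1205]: Failed password for root from 203.0.113.7 port 51251 ssh2
Mar  3 10:01:12 web1 sshd[1207]: Failed password for invalid user oracle from 203.0.113.7 port 51260 ssh2
Mar  3 10:01:30 web1 sshd[1210]: Failed password for deploy from 198.51.100.4 port 40022 ssh2
Mar  3 10:01:35 web1 sshd[1210]: Accepted publickey for deploy from 198.51.100.4 port 40022 ssh2
Mar  3 10:02:40 web1 sshd[1220]: Failed password for root from 192.0.2.9 port 33001 ssh2
Mar  3 10:02:44 web1 sshd[1222]: Failed password for root from 192.0.2.9 port 33010 ssh2
EOF

# Usage: ssh_offenders LOGFILE [MAXRETRY]
# Prints "IP count" for each source with at least MAXRETRY failed passwords.
# Only "Failed password" lines count, so the paired "Invalid user" line is
# not double counted. Fail2Ban also bounds the count by findtime; here the
# whole file is the window.
ssh_offenders() {
    log=$1; maxretry=${2:-5}
    awk -v max="$maxretry" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= max) print ip, fails[ip] }
    ' "$log" | sort
}

ssh_offenders "$SAMPLE_SECURE_LOG" 3
```

In Fail2Ban itself the equivalent knobs are maxretry, findtime and bantime under the [sshd] section of a jail.local override, which is the file Fail2Ban reads for changes to jail.conf.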
Remove Unused Services
CentOS includes a default set of services, software that listens for incoming network connections. If you don’t use a service, you should deactivate it. An unused service is a potential security vulnerability.
On CentOS, activating and deactivating services is simple. If you’re following the suggestions in this article, you have done it several times already. First, you should run the command netstat -tulpn to see which services are currently running. You can then disable and uninstall services you don’t need. For example, if you don’t need to run the Postfix email server, you would first deactivate it and then uninstall it like so:
systemctl stop postfix
yum remove postfix
A word of warning: be careful not to deactivate the SSH server (or block it with a firewall rule). If you do, you won’t be able to log in.
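The review of netstat -tulpn output described above is easy to automate. As an added example (not part of the original article), this script parses a constructed netstat -tulpn listing and prints every listener whose program is not on an allowlist, so anything left over can be stopped and removed as shown for Postfix.

```shell
# Added example: audit the listeners reported by netstat -tulpn against an
# allowlist of programs that are supposed to be listening. Constructed
# sample output stands in for a real host.
SAMPLE_NETSTAT=$(mktemp)
cat > "$SAMPLE_NETSTAT" <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1012/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1340/master
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      780/rpcbind
tcp6       0      0 :::22                   :::*                    LISTEN      1012/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           899/dhclient
EOF

# Usage: unexpected_listeners NETSTAT_OUTPUT_FILE PROGRAM...
# Prints "proto local-address program" for every listener whose program is
# not in the allowlist. Header lines (first field not tcp/udp) are skipped;
# a program shown as "-" (netstat run without root) is reported as well.
unexpected_listeners() {
    file=$1; shift
    allow=" $* "
    awk -v allow="$allow" '
        $1 ~ /^(tcp|udp)6?$/ {
            prog = $NF; sub(/^[0-9]+\//, "", prog)   # "1340/master" -> "master"
            if (index(allow, " " prog " ") == 0) print $1, $4, prog
        }' "$file" | sort -u
}

# On a live host: netstat -tulpn > /tmp/listeners.txt, then run this against
# that file. 127.0.0.1 binds are local-only but still worth reviewing.
unexpected_listeners "$SAMPLE_NETSTAT" sshd
```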
Perform Regular Updates
Finally, you should regularly update your server to get the latest security patches. If you’re familiar with other distributions, you may be worried that updates could install changes that break configurations or otherwise disrupt the smooth functioning of your server. CentOS updates are extremely unlikely to include breaking or incompatible changes: one of the reasons CentOS is so popular is its conservative updates.
However, updates do bring security fixes, so you should frequently run yum update to download and install the latest security patches.
Implementing these suggestions will make compromising your server much more difficult. A hacker won’t be able to exploit vulnerabilities in unnecessary services, brute force your SSH server or other services, or make changes to files without your being aware. Securing your CentOS server will keep bad actors out and provide a secure foundation on which to build your applications.