Hardening CentOS 7
-
- Posts: 6
- Joined: 2017/03/09 22:52:13
Hardening CentOS 7
Hi guys,
I want to provide hosting service to my customers through WHMCS.
For implementing this, I want to use 5 separate servers:
1- CentOS 7 minimal + MySQL (Only for use by WHMCS) in the safe zone
2- CentOS 7 minimal + MySQL (Only for use by customers) in the middle zone
3- Master DNS Server for internal network (Microsoft product). This DNS server already exists and I don't want to change it to BIND in the middle zone
4- Master DNS Server for public (Microsoft product). This DNS server already exists and I don't want to change it to BIND in the middle zone
5- CentOS 7 minimal + webserver + Slave DNS Server (BIND) in the DMZ
My Problem: What should I do to harden the CentOS servers in this scenario? I know that there are more steps and more solutions, but I want to know the important actions for hardening CentOS in this scenario.
Note: I have 3 zones in my network: 1- Safe Zone 2- Middle Zone 3- DMZ (I have only one firewall on the edge and don't have any firewall between the zones)
Re: Hardening CentOS 7
Firewalls on the CentOS servers: only open essential ports, and also limit them to required subnets (e.g. ssh only on local subnet).
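One way to express "ssh only on local subnet" with firewalld on CentOS 7, as an added example that is not part of the post above. The subnet 192.0.2.0/24 is a constructed placeholder and `restrict_service` is a hypothetical helper; it prints the commands for review instead of running them.

```shell
#!/bin/sh
# Added example (not from the thread): emit the firewall-cmd commands that
# limit one firewalld service to one IPv4 subnet. The commands are printed
# for review; pipe the output to "sh" as root to apply them.
restrict_service() {   # usage: restrict_service ZONE SERVICE CIDR
    zone=$1 svc=$2 cidr=$3
    # Zone and service must be plain names, because the output may be fed to sh.
    for name in "$zone" "$svc"; do
        printf '%s\n' "$name" | grep -Eq '^[A-Za-z0-9_-]+$' || {
            echo "invalid name: $name" >&2; return 2; }
    done
    # Accept only dotted-quad/prefix input.
    printf '%s\n' "$cidr" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || {
            echo "invalid IPv4 CIDR: $cidr" >&2; return 2; }
    rule="rule family=\"ipv4\" source address=\"$cidr\" service name=\"$svc\" accept"
    # --permanent edits only the stored config, so the removal and the rich
    # rule take effect together at --reload.
    printf 'firewall-cmd --permanent --zone=%s --remove-service=%s\n' "$zone" "$svc"
    printf "firewall-cmd --permanent --zone=%s --add-rich-rule='%s'\n" "$zone" "$rule"
    printf 'firewall-cmd --reload\n'
}

# Constructed input: "public" is firewalld's default zone, the subnet is a placeholder.
restrict_service public ssh 192.0.2.0/24
```

Apply it from a session whose source address is inside the allowed subnet, otherwise the reload cuts off your own ssh connection.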
-
- Posts: 6
- Joined: 2017/03/09 22:52:13
Re: Hardening CentOS 7
tunk wrote: Firewalls on the CentOS servers: only open essential ports, and also limit them to required subnets (e.g. ssh only on local subnet).
That means I should not do anything about hardening CentOS?!
Re: Hardening CentOS 7
Are you asking if that's the only thing to do? I would guess that you could do a lot more.
One more thing I can suggest is to setup automatic updates on your CentOS servers.
Re: Hardening CentOS 7
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
-
- Posts: 7
- Joined: 2017/07/03 05:20:55
- Location: Malang, Indonesia
Re: Hardening CentOS 7
Hi @ebadollahi
You can use this link as your hardening guideline https://www.cisecurity.org/cis-benchmarks/.
You can download the CentOS guideline document. With this document you can track what you've done or haven't in your hardening activity.
Bayu Permadi
-
- Posts: 2019
- Joined: 2015/02/17 15:14:33
- Location: Bulgaria
- Contact:
Re: Hardening CentOS 7
You can always set up a vulnerability scanner on a temporary machine and scan everything in the zones. Thus, you will be able to pinpoint "weak" points - mainly general stuff that can provide some reconnaissance information for a possible attack.
P.S.: Always block root, or at least use:
PermitRootLogin without-password
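A check for the setting in the post above, as an added example that is not part of the original post: it reports which global `PermitRootLogin` value an sshd_config file yields, since sshd keeps the first value it reads for a keyword. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: report the global PermitRootLogin value
# in an sshd_config file. sshd keeps the first value it reads for a keyword,
# so a later duplicate line does not override an earlier one.
effective_root_login() {   # usage: effective_root_login FILE
    awk '
        { sub(/#.*/, ""); sub(/[ \t]*=[ \t]*/, " ") }  # drop comments, allow key=value
        tolower($1) == "match" { exit }                # Match blocks are conditional
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

root_login_verdict() {     # returns 0 only when root cannot log in with a password
    case "$(effective_root_login "$1")" in
        no)  echo "ok: root login disabled" ;;
        without-password|prohibit-password)
             echo "ok: root login with keys only" ;;   # without-password is the older alias
        forced-commands-only)
             echo "ok: root limited to forced commands with keys" ;;
        yes) echo "weak: root password login allowed"; return 1 ;;
        unset) echo "check: no global setting, the build default applies"; return 1 ;;
        *)   echo "check: unrecognised value"; return 1 ;;
    esac
}

# Constructed sample config: the second PermitRootLogin line is ignored by sshd.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample
Port 22
PermitRootLogin without-password
PermitRootLogin yes
Match User backup
    PermitRootLogin no
EOF
root_login_verdict "$sample"
rm -f "$sample"
```

On a live host, `sshd -T` run as root prints the configuration sshd actually parsed, which also covers included defaults.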
Re: Hardening CentOS 7
Some additional information for hardening:
I recommend at least setting up the base profiles for SELinux
https://wiki.centos.org/HowTos/SELinux
Also, here is a detailed guide on hardening: https://highon.coffee/blog/security-harden-centos-7/ and another which is more broad:
https://linux-audit.com/linux-server-ha ... e-systems/
-
- Posts: 6
- Joined: 2017/08/18 15:56:54
Re: Hardening CentOS 7
Howdy, I have a bit of experience in this area and definitely recommend using the Department of Defense (DoD) Security Technical Implementation Guide (STIG). It's based off OpenSCAP standards and redesigned for the DoD. Obviously, you need to go through the entire STIG to understand what is being done and how that can impact your operations (leave out what you don't need done for operational purposes). You'll need to download the DoD STIG viewer (Java garbage program) to view the xccdf files. Here's a link to the latest release for RHEL 7:
http://iasecontent.disa.mil/stigs/zip/U ... 2_STIG.zip
If you follow this guide you'll be better off than the majority of people who use Linux. It covers securing SSH, modifying kernel parameters, removing unnecessary services, creating audit rules, installing IDS, and a whole lot more (total of 200+ configuration items).
Re: Hardening CentOS 7
If I type this at the command line:
echo "tty1" > /etc/securetty
chmod 700 /root
I've already created a new user & added them to the "wheel"?
Besides those 2 links you provided up above, any other recommendations that a new server administrator should follow?
Every little "bit", helps…
Terrible pun, I know…