Hardening CentOS 7

Support for security such as Firewalls and securing linux
ebadollahi
Posts: 6
Joined: 2017/03/09 22:52:13

Hardening CentOS 7

Post by ebadollahi » 2017/03/09 23:43:22

Hi guys,
I want provide hosting service to my customers through by WHMCS.
For implementing this, I want use 5 separate servers:
1- CentOS 7 minimal + MySQL (Only for use by WHMCS) in the safe zone
2- CentOS 7 minimal + MySQL (Only for use by customers) in the middle zone
3- Master DNS Server for internal network (Microsoft product). This DNS server has exist and I don't want change it to BIND in the middle zone
4- Master DNS Server for public (Microsoft product). This DNS server has exist and I don't want change it to BIND in the middle zone
5- CentOS 7 minimal + webserver + Slave DNS Server (BIND) in the DMZ

My Problem: What I should doing for hardening the CentOS servers in this scenario? I know, that exist more step and more solution, but I want know important actions for hardening CentOS in this scenario.
Note: I have 3 zone in my network: 1- Safe Zone 2- Middle Zone 3- DMZ (I have only one firewall on the edge and don't have any firewall between the zones)

tunk
Posts: 1204
Joined: 2017/02/22 15:08:17

Re: Hardening CentOS 7

Post by tunk » 2017/03/10 13:59:43

Firewalls on the CentOS servers: only open essential ports, and also limit them to required subnets (e.g. ssh only on local subnet).

ebadollahi
Posts: 6
Joined: 2017/03/09 22:52:13

Re: Hardening CentOS 7

Post by ebadollahi » 2017/03/10 22:02:34

tunk wrote:Firewalls on the CentOS servers: only open essential ports, and also limit them to required subnets (e.g. ssh only on local subnet).
That mean, I should not be any do about hardening for CentOS?!

tunk
Posts: 1204
Joined: 2017/02/22 15:08:17

Re: Hardening CentOS 7

Post by tunk » 2017/03/10 22:23:04

Are you asking if that's the only thing to do? I would guess that you could do a lot more.
One more thing I can suggest is to setup automatic updates on your CentOS servers.

User avatar
TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Hardening CentOS 7

Post by TrevorH » 2017/03/11 00:15:54

The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

bayupermadi
Posts: 7
Joined: 2017/07/03 05:20:55
Location: Malang, Indonesia

Re: Hardening CentOS 7

Post by bayupermadi » 2017/07/07 01:53:26

Hi @ebadollahi

You can use this link as your hardening guideline https://www.cisecurity.org/cis-benchmarks/.

You can download the CentOS guideline document. With this document you can track what you've done or haven't in your hardening activity

Bayu Permadi

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria
Contact:

Re: Hardening CentOS 7

Post by hunter86_bg » 2017/07/11 21:03:31

You can always setup a vulnerability scanner on a temporary machine and scan everything in the zones. Thus , you will be able to pinpoint "weak" points - mainly general stuff that can provide some reconnaissance information for a possible attack.
P.S.: Always block root , or at least use:

Code: Select all

PermitRootLogin without-password

ddemchak
Posts: 12
Joined: 2017/07/31 13:01:52

Re: Hardening CentOS 7

Post by ddemchak » 2017/08/08 01:07:38

Some additional information for hardening:
I recommend at least setting up the base profiles for SELinux
https://wiki.centos.org/HowTos/SELinux




Also, here is a detailed guide on hardening : https://highon.coffee/blog/security-harden-centos-7/ ..and another which is more broad.
https://linux-audit.com/linux-server-ha ... e-systems/

macattack2241
Posts: 6
Joined: 2017/08/18 15:56:54

Re: Hardening CentOS 7

Post by macattack2241 » 2017/08/18 16:16:38

Howdy, I have a bit of experience in this area and definitely recommend using the Department of Defense (DoD) Security Technical Implementation Guide (STIG). It's based off OpenScap standards and redesigned for the DoD. Obviously, you need to go through the entire STIG to understand what is being done and how that can impact your operations (leave out what you don't need done for operational purposes). You'll need to download the DoD STIG viewer (java garbage program) to view the xccdf files. Here's a link to the latest release for RHEL 7:

http://iasecontent.disa.mil/stigs/zip/U ... 2_STIG.zip

If you follow this guide you'll be better of than the majority of people who use Linux. It covers securing SSH, modifying kernel parameters, removing unnecessary services, creating audit rules, installing IDS, and a whole lot more (total of 200+ configuration items).

N8tiv
Posts: 38
Joined: 2014/10/23 00:16:57
Location: Anchorage, AK 99508

Re: Hardening CentOS 7

Post by N8tiv » 2017/08/23 01:32:26


If I type this at the command line:

Code: Select all

echo "tty1" > /etc/securetty
chmod 700 /root
Would this effectively, disable the root user altogether? Which is what I'd like to do. Since I'm in Alaska & my server is in Seattle, Washington…

I've already created a new user & added them to the "wheel"?

Besides those 2 links you provided up above, any other recommendations that a new server administrator should follow?

Every little "bit", helps… :-)
Terrible pun, I know… :mrgreen: :geek:

Post Reply