How to Setup a Secure CentOS Server?

CentOS 7 or CentOS 6? I would personally get CentOS 7; CentOS 6 still has a few years of support left. There is a saying: 'The only constant in life is change.'

Is CentOS exactly the same as RHEL? CentOS is a free operating system distribution based on the Linux kernel. It is derived entirely from the Red Hat Enterprise Linux (RHEL) distribution. CentOS exists to provide a free enterprise-class computing platform and strives to maintain 100% binary compatibility with its upstream source, Red Hat. CentOS stands for Community ENTerprise Operating System. It is the most popular Linux distribution for web servers, with almost 30% of all Linux web servers using it.
CentOS is very close to being RHEL without the branding and support. In particular, the library versions are the same, so binaries that work on one will work on the other. The administration tools are the same and configured in similar ways. However, there are a few differences, as the two distributions sometimes apply different minor patches. For example, in this question, it was apparent that RHEL 5 and CentOS 5 apply different rules to identify files under /etc/cron.d. In other words, at the level of your course, you can treat CentOS and RHEL as interchangeable. But if you needed to look up the precise behavior of a program in a corner of the man page, you may encounter differences.
These are the first basic steps to go through after installing CentOS 7: obtaining information about the installed system and the hardware it runs on, and configuring other system tasks such as networking, root privileges, software and services. During installation you had the option to install either a minimal CentOS 7 system with no graphical environment or a GNOME desktop CentOS 7 system with a graphical environment, which can be accessed remotely via VNC later on.
When you first create a new server, there are a few configuration steps that you should take early on as part of the basic setup. This will increase the security and usability of your server and will give you a solid foundation for subsequent actions.
First, set up a secure SSH connection.
You may achieve this by modifying the default sshd_config file. Log onto your terminal and type the following:
$ vi /etc/ssh/sshd_config
*Change the default port 22 to another port. For example: "Port 2288"
*Uncomment #PermitRootLogin and change it to no. For example: "PermitRootLogin no"
*Add an AllowUsers entry; this forces everyone to log in as a normal user first and only then switch to root. For example: "AllowUsers jonboy60"
Then add the SSH service and the new port to your firewall.
$ firewall-cmd --permanent --add-service=ssh
$ firewall-cmd --permanent --add-port=2288/tcp
$ firewall-cmd --reload
After that, reload SSH to apply the changes:
$ systemctl reload sshd
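As an added example (not from the original post), here is a small POSIX sh script that applies the three sshd_config changes above to a file passed as an argument, in a way that is safe to re-run and keeps a backup; port 2288 and the user jonboy60 are the post's placeholder values.

```shell
# Added example, not from the original post: apply the three sshd_config changes
# described above to FILE in a re-runnable way, keeping a backup to roll back to.
# Port 2288 and user jonboy60 are the placeholder values used in the post.

set_directive() {
    # set_directive FILE KEY VALUE: turn any existing "KEY ..." or "#KEY ..." line
    # into "KEY VALUE", or append the directive when the file has none.
    file=$1; key=$2; value=$3
    if grep -Eq "^[#[:space:]]*$key[[:space:]]" "$file"; then
        sed -E "s|^[#[:space:]]*$key[[:space:]].*|$key $value|" "$file" > "$file.tmp"
        # cat into the original keeps its owner and 0600 mode; mv would not
        cat "$file.tmp" > "$file" && rm -f "$file.tmp"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

harden_sshd_config() {
    # harden_sshd_config FILE PORT USER
    file=$1; port=$2; user=$3
    case $port in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range" >&2; return 1; }
    [ -n "$user" ] || { echo "AllowUsers needs at least one user" >&2; return 1; }
    cp -p "$file" "$file.bak"
    set_directive "$file" Port "$port"
    set_directive "$file" PermitRootLogin no
    set_directive "$file" AllowUsers "$user"
    # Before `systemctl reload sshd`, check the result with `sshd -t -f FILE`
    # from a root shell; a broken config reloaded over SSH locks you out.
}

effective_value() {
    # effective_value FILE KEY: print the value of the active (uncommented) directive
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Usage: sh harden_sshd.sh /etc/ssh/sshd_config 2288 jonboy60
if [ $# -eq 3 ]; then
    harden_sshd_config "$1" "$2" "$3" && echo "updated $1 (backup in $1.bak)"
fi
```

Keep the old port open in the firewall until a second session has connected on the new one; only then remove it.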
Second, set up Apache, NGINX, MariaDB, Exim, etc.
There is a simpler way: use a control panel such as cPanel, Plesk, VestaCP or any other control panel on the market. They will install everything on your behalf. Note that most control panels do not support SELinux. In case the installer did not disable it, you may disable it with the command below.
Type the following to disable SELinux:
$ vi /etc/selinux/config
Change SELINUX=enforcing to SELINUX=disabled, then reboot. For example: "SELINUX=disabled"
Installing cPanel, Plesk or VestaCP:
$ cd /home && curl -o latest -L https://securedownloads.cpanel.net/latest && sh latest
$ wget -O - http://installer.plesk.com/one-click-installer | sh
$ curl -O http://vestacp.com/pub/vst-install.sh && bash vst-install.sh
Third, set up the firewall and other security.
For me the CentOS firewall is enough; however, cPanel, VestaCP and other control panels will require the CentOS firewall to be disabled or removed.
$ firewall-cmd --permanent --add-service=ftp --add-service=http --add-service=https --add-service=dns --add-service=ssh
$ firewall-cmd --reload
$ firewall-cmd --permanent --add-port=8083/tcp (VestaCP)
$ firewall-cmd --permanent --add-port=8443/tcp (Plesk)
$ firewall-cmd --permanent --add-port=2087/tcp (cPanel)
$ firewall-cmd --permanent --add-port=2083/tcp (cPanel)
Then you may install or enable fail2ban or ConfigServer Security & Firewall (CSF). Fail2ban is good for countering brute-force attacks and is available in Plesk and VestaCP as far as I know. CSF and cPanel are a good combination; with cPHulk enabled, your cPanel will be very well protected.
Fourth, manage services.
CentOS 7 manages daemons or services via the systemctl utility. To list the state of all units, issue the following command.
$ systemctl list-units
To check whether a daemon or service is enabled to start automatically at boot, issue the following command.
$ systemctl list-unit-files -t service
After installing CentOS 7, it is recommended to list the services running on the system with the commands above, then disable and remove the ones you do not need, in order to reduce the attack surface of your system.
For example, the Postfix daemon is installed and enabled by default in CentOS 7. If your system does not need to run a mail server, it is best to stop, disable and remove the postfix service by issuing the commands below.
$ systemctl stop postfix
$ systemctl disable postfix
$ yum remove postfix
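The service audit described above, as an added example that is not from the original post: a shell script that compares the output of `systemctl list-unit-files -t service` against an allow list you define and prints (rather than runs) the stop/disable/remove commands for every other enabled service. The allow list and the sample systemctl output are constructed for this example.

```shell
# Added example, not from the original post: audit enabled services against an
# allow list and print the post's stop/disable/remove commands for the rest.
# The allow list and SAMPLE_UNIT_FILES are constructed for this example.

ALLOWED_SERVICES="sshd firewalld chronyd rsyslog"   # what this server should run

unexpected_enabled() {
    # unexpected_enabled "name name ..." < output of: systemctl list-unit-files -t service
    # Prints each enabled *.service (suffix removed) that is not on the allow list.
    # The header row ($2 = "FILE") and the "N unit files listed." footer never match.
    awk -v allowed=" $1 " '
        $2 == "enabled" && $1 ~ /\.service$/ {
            name = $1; sub(/\.service$/, "", name)
            if (index(allowed, " " name " ") == 0) print name
        }'
}

remediation_commands() {
    # Turn audited service names on stdin into the commands the post uses for postfix.
    # They are printed, not executed, so the list can be reviewed first.
    while read -r svc; do
        printf 'systemctl stop %s\nsystemctl disable %s\nyum remove %s\n' "$svc" "$svc" "$svc"
    done
}

# Constructed sample of `systemctl list-unit-files -t service` on a fresh install
SAMPLE_UNIT_FILES='UNIT FILE           STATE
chronyd.service     enabled
cups.service        disabled
firewalld.service   enabled
postfix.service     enabled
sshd.service        enabled
tuned.service       enabled
vsftpd.service      static

7 unit files listed.'

audit_sample() {
    # Run the audit over the constructed sample: prints postfix and tuned
    printf '%s\n' "$SAMPLE_UNIT_FILES" | unexpected_enabled "$ALLOWED_SERVICES"
}

if command -v systemctl >/dev/null 2>&1; then
    # On a real CentOS 7 host, audit the live system instead of the sample
    systemctl list-unit-files -t service | unexpected_enabled "$ALLOWED_SERVICES" | remediation_commands
else
    audit_sample | remediation_commands
fi
```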
Fifth, keep up to date.
Consider issues like Meltdown and Spectre: vulnerabilities in modern computers that leak passwords and sensitive data. Meltdown and Spectre exploit critical vulnerabilities in modern processors; these hardware vulnerabilities allow programs to steal data that is currently being processed on the computer.
So it is best to keep your kernel updated. Type the command below to update the kernel:
$ yum update kernel
After the kernel has been updated successfully, your server needs to reboot to apply the newly installed kernel.