Hardening CentOS 7

Support for security such as Firewalls and securing linux
ebadollahi
Posts: 6
Joined: 2017/03/09 22:52:13

Hardening CentOS 7

Postby ebadollahi » 2017/03/09 23:43:22

Hi guys,
I want to provide hosting service to my customers through WHMCS.
To implement this, I want to use 5 separate servers:
1- CentOS 7 minimal + MySQL (Only for use by WHMCS) in the safe zone
2- CentOS 7 minimal + MySQL (Only for use by customers) in the middle zone
3- Master DNS Server for internal network (Microsoft product). This DNS server already exists and I don't want to change it to BIND in the middle zone
4- Master DNS Server for public (Microsoft product). This DNS server already exists and I don't want to change it to BIND in the middle zone
5- CentOS 7 minimal + webserver + Slave DNS Server (BIND) in the DMZ

My problem: What should I do to harden the CentOS servers in this scenario? I know that there are many steps and solutions, but I want to know the important actions for hardening CentOS in this scenario.
Note: I have 3 zones in my network: 1- Safe Zone 2- Middle Zone 3- DMZ (I have only one firewall on the edge and don't have any firewall between the zones)

tunk
Posts: 156
Joined: 2017/02/22 15:08:17

Re: Hardening CentOS 7

Postby tunk » 2017/03/10 13:59:43

Firewalls on the CentOS servers: only open essential ports, and also limit them to required subnets (e.g. ssh only on local subnet).
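
An added example (not part of the original post) of the suggestion above, using firewalld rich rules to open a port only to a named source subnet. The subnets, ports and function names are constructed placeholders; the script prints the firewall-cmd commands for review and only runs them when APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the thread. Subnets and ports are constructed
# placeholders (documentation ranges); replace them with your own zones.

# Build a rich rule that accepts PORT/tcp only from SUBNET. Malformed input and
# a /0 prefix are refused so a typo cannot become an allow-from-anywhere rule.
rich_rule() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([1-9]|[12][0-9]|3[0-2])$' || return 1
    case $2 in ''|*[!0-9]*) return 1 ;; esac
    [ "$2" -ge 1 ] && [ "$2" -le 65535 ] || return 1
    printf 'rule family="ipv4" source address="%s" port port="%s" protocol="tcp" accept\n' "$1" "$2"
}

# Run firewall-cmd when APPLY=1, otherwise print the command for review.
fw() {
    if [ "${APPLY:-0}" = 1 ]; then firewall-cmd "$@"; return; fi
    printf 'firewall-cmd'; printf " '%s'" "$@"; printf '\n'
}

# Read "subnet port" pairs on stdin, validate all of them, then emit the
# commands. Include a port 22 entry or the reload will lock out SSH.
plan_firewall() {
    pf_zone=${1:-public}; pf_rules=
    while read -r pf_subnet pf_port; do
        [ -n "$pf_subnet" ] || continue
        pf_rule=$(rich_rule "$pf_subnet" "$pf_port") || {
            echo "rejected policy entry: $pf_subnet $pf_port" >&2; return 1; }
        pf_rules="$pf_rules$pf_rule
"
    done
    fw --permanent --zone="$pf_zone" --remove-service=ssh   # drop allow-from-anywhere ssh
    printf '%s' "$pf_rules" | while IFS= read -r pf_rule; do
        fw --permanent --zone="$pf_zone" --add-rich-rule="$pf_rule"
    done
    fw --reload
}

# Constructed policy for a database host: ssh from an admin subnet, MySQL from the web tier.
plan_firewall public <<'EOF'
192.0.2.0/24 22
198.51.100.0/24 3306
EOF
```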

ebadollahi
Posts: 6
Joined: 2017/03/09 22:52:13

Re: Hardening CentOS 7

Postby ebadollahi » 2017/03/10 22:02:34

tunk wrote: Firewalls on the CentOS servers: only open essential ports, and also limit them to required subnets (e.g. ssh only on local subnet).

That means I should not do anything about hardening for CentOS?!

tunk
Posts: 156
Joined: 2017/02/22 15:08:17

Re: Hardening CentOS 7

Postby tunk » 2017/03/10 22:23:04

Are you asking if that's the only thing to do? I would guess that you could do a lot more.
One more thing I can suggest is to set up automatic updates on your CentOS servers.

TrevorH
Forum Moderator
Posts: 20592
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Hardening CentOS 7

Postby TrevorH » 2017/03/11 00:15:54

CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

bayupermadi
Posts: 4
Joined: 2017/07/03 05:20:55

Re: Hardening CentOS 7

Postby bayupermadi » 2017/07/07 01:53:26

Hi @ebadollahi

You can use this link as your hardening guideline https://www.cisecurity.org/cis-benchmarks/.

You can download the CentOS guideline document. With this document you can track what you have or haven't done in your hardening activity.

Bayu Permadi

hunter86_bg
Posts: 735
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: Hardening CentOS 7

Postby hunter86_bg » 2017/07/11 21:03:31

You can always set up a vulnerability scanner on a temporary machine and scan everything in the zones. Thus, you will be able to pinpoint "weak" points - mainly general stuff that can provide some reconnaissance information for a possible attack.
P.S.: Always block root, or at least use:

Code:

PermitRootLogin without-password

ddemchak
Posts: 12
Joined: 2017/07/31 13:01:52

Re: Hardening CentOS 7

Postby ddemchak » 2017/08/08 01:07:38

Some additional information for hardening:
I recommend at least setting up the base profiles for SELinux
https://wiki.centos.org/HowTos/SELinux

Also, here is a detailed guide on hardening: https://highon.coffee/blog/security-harden-centos-7/ and another which is more broad:
https://linux-audit.com/linux-server-ha ... e-systems/

macattack2241
Posts: 6
Joined: 2017/08/18 15:56:54

Re: Hardening CentOS 7

Postby macattack2241 » 2017/08/18 16:16:38

Howdy, I have a bit of experience in this area and definitely recommend using the Department of Defense (DoD) Security Technical Implementation Guide (STIG). It's based off OpenScap standards and redesigned for the DoD. Obviously, you need to go through the entire STIG to understand what is being done and how that can impact your operations (leave out what you don't need done for operational purposes). You'll need to download the DoD STIG viewer (java garbage program) to view the xccdf files. Here's a link to the latest release for RHEL 7:

http://iasecontent.disa.mil/stigs/zip/U ... 2_STIG.zip

If you follow this guide you'll be better off than the majority of people who use Linux. It covers securing SSH, modifying kernel parameters, removing unnecessary services, creating audit rules, installing IDS, and a whole lot more (total of 200+ configuration items).

N8tiv
Posts: 30
Joined: 2014/10/23 00:16:57
Location: Anchorage, AK 99508

Re: Hardening CentOS 7

Postby N8tiv » 2017/08/23 01:32:26

TrevorH wrote: https://wiki.centos.org/HowTos/OS_Protection
https://wiki.centos.org/HowTos/Network/SecuringSSH

If I type this at the command line:

Code:

echo "tty1" > /etc/securetty
chmod 700 /root


Would this effectively disable the root user altogether? Which is what I'd like to do. Since I'm in Alaska & my server is in Seattle, Washington…

I've already created a new user & added them to the "wheel"?

Besides those 2 links you provided up above, any other recommendations that a new server administrator should follow?

Every little "bit", helps… :-)
Terrible pun, I know… :mrgreen: :geek:
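
An added example, not part of the original posts, relating the PermitRootLogin advice earlier in the thread to the /etc/securetty question above: it reports SSH and console root-login exposure separately, because /etc/securetty is consulted by pam_securetty for console logins while SSH root access is set by PermitRootLogin in sshd_config. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. sshd_config decides SSH root access;
# /etc/securetty only limits logins that pass through pam_securetty.

# First global PermitRootLogin wins; lines after "Match" are conditional.
effective_root_login() {
    awk -F'[ \t=]+' '
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        { sub(/^[ \t]+/, "") }                  # strip indent, re-split fields
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

classify_root_login() {
    case $1 in
        no) echo blocked ;;
        without-password|prohibit-password) echo key-only ;;
        forced-commands-only) echo forced-commands-only ;;
        yes) echo allowed ;;
        *) echo "unknown, confirm with: sshd -T" ;;
    esac
}

# Terminals on which pam_securetty lets root log in.
console_root_ttys() {
    [ -e "$1" ] || { echo any; return 0; }      # no file: no tty restriction
    set -- $(grep -Ev '^[[:space:]]*(#|$)' "$1")
    if [ $# -eq 0 ]; then echo none; else echo "$*"; fi
}

audit_root_login() {                            # args: sshd_config securetty
    arl_val=$(effective_root_login "$1")
    echo "ssh: $(classify_root_login "$arl_val") (PermitRootLogin $arl_val)"
    echo "console: $(console_root_ttys "$2")"
}

# Constructed sample files standing in for /etc/ssh/sshd_config and /etc/securetty.
demo_dir=$(mktemp -d)
printf '%s\n' '# constructed sample' 'Port 22' 'PermitRootLogin without-password' \
    'PermitRootLogin yes' 'Match Address 192.0.2.0/24' '    PermitRootLogin no' \
    > "$demo_dir/sshd_config"
echo "tty1" > "$demo_dir/securetty"
audit_root_login "$demo_dir/sshd_config" "$demo_dir/securetty"
```

On a real host, pass /etc/ssh/sshd_config and /etc/securetty to audit_root_login; the SSH line is unaffected by whatever the securetty file contains.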