Hardening CentOS 7

Posted: 2017/03/09 23:43:22
by ebadollahi
Hi guys,
I want to provide hosting service to my customers through WHMCS.
To implement this, I want to use 5 separate servers:
1- CentOS 7 minimal + MySQL (Only for use by WHMCS) in the safe zone
2- CentOS 7 minimal + MySQL (Only for use by customers) in the middle zone
3- Master DNS Server for internal network (Microsoft product). This DNS server already exists and I don't want to change it to BIND in the middle zone
4- Master DNS Server for public (Microsoft product). This DNS server already exists and I don't want to change it to BIND in the middle zone
5- CentOS 7 minimal + webserver + Slave DNS Server (BIND) in the DMZ

My Problem: What should I do to harden the CentOS servers in this scenario? I know that there are many steps and solutions, but I want to know the important actions for hardening CentOS in this scenario.
Note: I have 3 zones in my network: 1- Safe Zone 2- Middle Zone 3- DMZ (I have only one firewall on the edge and don't have any firewall between the zones)

Re: Hardening CentOS 7

Posted: 2017/03/10 13:59:43
by tunk
Firewalls on the CentOS servers: only open essential ports, and also limit them to required subnets (e.g. ssh only on local subnet).

Re: Hardening CentOS 7

Posted: 2017/03/10 22:02:34
by ebadollahi
tunk wrote: Firewalls on the CentOS servers: only open essential ports, and also limit them to required subnets (e.g. ssh only on local subnet).
Does that mean I should not do anything else about hardening CentOS?!

Re: Hardening CentOS 7

Posted: 2017/03/10 22:23:04
by tunk
Are you asking if that's the only thing to do? I would guess that you could do a lot more.
One more thing I can suggest is to set up automatic updates on your CentOS servers.

Re: Hardening CentOS 7

Posted: 2017/03/11 00:15:54
by TrevorH

Re: Hardening CentOS 7

Posted: 2017/07/07 01:53:26
by bayupermadi
Hi @ebadollahi

You can use this link as your hardening guideline https://www.cisecurity.org/cis-benchmarks/.

You can download the CentOS guideline document. With this document you can track what you have and haven't done in your hardening activity.

Bayu Permadi

Re: Hardening CentOS 7

Posted: 2017/07/11 21:03:31
by hunter86_bg
You can always set up a vulnerability scanner on a temporary machine and scan everything in the zones. Thus, you will be able to pinpoint "weak" points - mainly general stuff that can provide some reconnaissance information for a possible attack.
P.S.: Always block root, or at least use:

PermitRootLogin without-password
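
An added example, not part of the post above or of any CentOS tooling: a shell check that reports which global `PermitRootLogin` value an sshd_config file sets and what that value permits (`without-password` is the older name for `prohibit-password`). The function names and the sample config are constructed for illustration; on a live host, `sshd -T` prints the settings sshd actually applies.

```shell
#!/bin/sh
# Added example: report the global PermitRootLogin value in an sshd_config.
# sshd uses the first value it reads for a keyword, keywords are
# case-insensitive, and lines after a "Match" line are conditional.

effective_root_login() {
    # $1 = sshd_config-style file; prints the value as written, or "unset"
    awk '
        BEGIN { FS = "[ \t=]+" }               # keyword and value split on blanks or "="
        { sub(/^[ \t]+/, "") }                 # drop indentation, re-splits fields
        /^#/ || /^$/ { next }                  # comments and blank lines
        tolower($1) == "match" { exit }        # global section ends here
        tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

classify_root_login() {
    case "$1" in
        no)                                 echo "blocked" ;;
        prohibit-password|without-password) echo "key-only" ;;
        forced-commands-only)               echo "key-only-forced-command" ;;
        yes)                                echo "password-allowed" ;;
        unset)                              echo "default-applies" ;;  # depends on the OpenSSH build
        *)                                  echo "unrecognised" ;;
    esac
}

# Constructed sample: commented default, two live directives, then a Match block.
sample_config() {
    cat <<'EOF'
#PermitRootLogin yes
  permitrootlogin without-password
PermitRootLogin yes
Match Address 192.0.2.0/24
    PermitRootLogin no
EOF
}

check_root_login() {
    v=$(effective_root_login "$1")
    echo "$v $(classify_root_login "$v")"
}

tmp=$(mktemp)
sample_config > "$tmp"
check_root_login "$tmp"
rm -f "$tmp"
```
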

Re: Hardening CentOS 7

Posted: 2017/08/08 01:07:38
by ddemchak
Some additional information for hardening:
I recommend at least setting up the base profiles for SELinux:
https://wiki.centos.org/HowTos/SELinux

Also, here is a detailed guide on hardening: https://highon.coffee/blog/security-harden-centos-7/ and another which is more broad:
https://linux-audit.com/linux-server-ha ... e-systems/

Re: Hardening CentOS 7

Posted: 2017/08/18 16:16:38
by macattack2241
Howdy, I have a bit of experience in this area and definitely recommend using the Department of Defense (DoD) Security Technical Implementation Guide (STIG). It's based off OpenScap standards and redesigned for the DoD. Obviously, you need to go through the entire STIG to understand what is being done and how that can impact your operations (leave out what you don't need done for operational purposes). You'll need to download the DoD STIG viewer (java garbage program) to view the xccdf files. Here's a link to the latest release for RHEL 7:

http://iasecontent.disa.mil/stigs/zip/U ... 2_STIG.zip

If you follow this guide you'll be better off than the majority of people who use Linux. It covers securing SSH, modifying kernel parameters, removing unnecessary services, creating audit rules, installing IDS, and a whole lot more (total of 200+ configuration items).

Re: Hardening CentOS 7

Posted: 2017/08/23 01:32:26
by N8tiv

If I type this at the command line:

echo "tty1" > /etc/securetty
chmod 700 /root
Would this effectively disable the root user altogether? Which is what I'd like to do. Since I'm in Alaska & my server is in Seattle, Washington…

I've already created a new user & added them to the "wheel"?

Besides those 2 links you provided up above, any other recommendations that a new server administrator should follow?

Every little "bit", helps… :-)
Terrible pun, I know…