How To: Basic Server Security (CentOS 7) – April 2019

Out of the box, servers are often insecure and come with outdated software. In this guide we will be going through the basics of what you need to do to secure a server. This guide applies to CentOS 7 and was last updated April 2019.

1. Updates! Updates! Updates!

The first thing you need to focus on is updates. Ensuring your server is up to date is key, and you need to make sure you do this regularly.  Downtime in the name of security is justifiable, but with the correct configuration and redundancy you can avoid downtime too (but that’s for another blog post).

To update in CentOS, run:

sudo yum update && yum upgrade

2. Firewall

2.1 – Install the firewall

My preference for a firewall for beginners is CSF + LFD  (ConfigServer Firewall + Login Failure Daemon). To install CSF you’ll need to run the following commands:

sudo yum install wget nano perl-libwww-perl.noarch perl-Time-HiRes

Enter the /usr/src folder:

cd /usr/src/

Download the CSF tarball:

wget https://download.configserver.com/csf.tgz

Extract and install:

tar -xzf csf.tgz
cd csf
sh install.sh

Run the test to see if the server should be compatible:

cd /usr/local/csf/bin/
perl csftest.pl

The result should be:

# perl csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

RESULT: csf should function on this server

2.2 – Configure the firewall

Now the firewall is installed, you need to configure it. This basic configuration will allow incoming traffic on a number of ports, you should edit the csf.conf file later to lock this down.

cd /etc/csf # Enter the CSF directory
cp csf.conf csf.conf.bak # Back up the existing csf.conf file
sed -i 's/TESTING = "1"/TESTING = "0"/g' csf.conf # Turns Testing mode off

Next, we’ll disable the existing firewall service and enable CSF.

systemctl stop firewalld # Stop firewalld 
systemctl disable firewalld # Disable firewalld from starting at boot
systemctl start csf # Start the new CSF firewall
systemctl enable csf # Enable CSF on boot
systemctl start lfd # Start LFD
systemctl enable lfd # Enable LFD on boot

You can whitelist your IP address to prevent you from getting locked out if you have too many incorrect password attempts, but only do this if you have a static IP. Do this by running:

csf -a 1.2.3.4 # Replace 1.2.3.4 with your IP Address (v4 or v6)

Once making a change, restart CSF with:

csf -r

3. Secure SSH

Securing SSH is the next important aspect. I’m going to assume you are already connecting to your server using public key auth with your own user in the wheel group (AWS, DigitalOcean, Azure, Linode use this by default) – if you aren’t using public key auth, do so.

We’re going to disable root login and disable login by passwords. This will prevent hackers from brute-forcing their way in over SSH to the default root account.

cp /etc/ssh/sshd_config /etc/ssh/sshd_config_backup
echo "PasswordAuthentication no" >> /etc/ssh/sshd_config
echo "PermitRootLogin no" >> /etc/ssh/sshd_config

In the future, we will release a blog post on achieving PCI Compliance to achieve baseline security, keep your eyes peeled or follow us on Twitter (@cyberhatch).

Exit mobile version