Cybercrime is on the rise and is expected to maintain its rapid growth in the coming years. Some would even argue that it will soon become the number one threat to the global economy.
That’s why businesses should take cybersecurity seriously and do their best to stay up to date with the latest security standards.
In this article, we bring you a step-by-step guide on how to secure CentOS 8.
Linux distributions, such as CentOS, are some of the most secure operating systems available today. But that doesn’t mean you shouldn’t take the proper measures to secure them further.
While private users might get away with the default CentOS settings, businesses are more likely to be targeted by cybercriminals. So if you’re a business owner, make CentOS 8 security one of your top priorities.
Linux server hardening will protect your business from unplanned downtime and data breaches. But more importantly, it will protect it from the worst consequences of cyberattacks, including lawsuits and reputation damage.
CentOS 8 was first introduced in 2019 as a major upgrade to the CentOS operating system. This upgrade brought a whole host of changes to CentOS, such as the addition of the DNF package manager and the nftables firewall.
However, securing CentOS 8 is not much different than securing its previous versions. Just follow our step-by-step guide below, and you will secure CentOS 8 in no time.
The first step in any CentOS server hardening guide should be to secure SSH access.
If a hacker can log into your server over SSH, they will have unlimited access to it. That’s why hardening SSH access is the number one security measure you should take.
Here’s how you can improve your SSH security in three steps.
1. Disable the root login.
On CentOS, the root account login is disabled by default. In case you enabled it, you should disable it by setting the PermitRootLogin value to no in the etc/ssh/sshd_config file.
Now restart sshd to apply the changes.
sudo systemctl restart sshd
2. Change the default SSH port
Setting a custom SSH port will filter out any non-targeted SSH attacks. To do this, you would uncomment and replace port 22 in etc/ssh/sshd_config.
Remember to restart sshd to apply the changes.
sudo systemctl restart sshd
3. Replace password authentication with SSH keys.
Given enough time, any password can be cracked with a brute force attack. To prevent this, you should switch to using SSH keys instead.
First, create a new SSH key pair.
ssh-keygen
Then check the private SSH key and write it down or copy its file to another device.
Now disable password authentication by setting the PasswordAuthentication value to no in the etc/ssh/sshd_config file.
Finally, restart sshd to apply the changes.
sudo systemctl restart sshd
In the future, when you need to log in to the server, use the -i flag with the ssh command to specify the key file. As usual, remember to replace $username@hostname with a Linux username and a server hostname/IP.
ssh -i /path/to/key $username@hostname
SELinux is a security module that allows you to set custom restrictions for every application on your system. You can use it to limit everything from network access to read and write permissions. It comes preinstalled and enabled on CentOS.
1. Check if SELinux is enabled.
sudo sestatus
2. Enable SELinux.
To enable SELinux, you need to edit its configuration file etc/selinux/config and change the SELINUX value from disabled to enforcing or permissive.
Remember to reboot your server to apply the changes.
sudo reboot
3. Set the right mode of operation.
SELinux can run in two different modes: enforcing or permissive. Enforcing is the default mode that applies the security policy to the entire server. Permissive mode, on the other hand, doesn’t actually enforce the rules. Instead, it just logs any potential denials that the enforcing mode would give, making it better for testing purposes.
To check the currently active mode of operation and switch between them, you can use the following commands.
You should protect your server’s unused ports with a firewall solution such as firewalld. This firewall comes preinstalled on CentOS, and it’s enabled by default. It’s essential for Linux server hardening.
1. List the open ports and services
First, take a look at which services and ports are allowed to accept connections.
sudo firewall-cmd --list-all
2. Configure the firewall to allow HTTP and HTTPS connections.
By allowing HTTP and HTTPS connections, you are opening your websites and apps to visitors. This is an essential step for production environments.
sudo firewall-cmd --zone=public --permanent --add-service=http
sudo firewall-cmd --zone=public --permanent --add-service=https
Finally, restart firewalld to apply the changes.
sudo firewall-cmd --reload
3. Configure the firewall to allow all connections from specific IPs.
This step allows you to whitelist the IPs of any administrators or developers who frequently use the server. In turn, they never have to worry about getting blocked and losing access.
sudo firewall-cmd --zone=trusted --permanent --add-source=#.#.#.#
There are many other useful firewall rules and commands that you can use for CentOS security hardening. To learn more about them, read the firewalld manual pages.
As always, remember to restart firewalld to apply the changes.
sudo firewall-cmd --reload
Taking all security precautions is essential if you want to reduce the chances of getting hacked to a minimum. But you need to remember that no computer system is 100% secure.
Not to worry, that’s what backups are here for, and you can restore them as soon as you discover that a system is compromised. Just make sure to configure them properly to keep your CentOS secure.
Here are some things to keep in mind if you want to get the most out of your backup configuration.
1. Keep your backups in different physical locations.
While cybercriminals usually operate remotely, sometimes they can actually steal your physical backups. Furthermore, a data center where your server and backups are located could fall victim to a fire hazard.
That’s why you should always keep your backups in at least two physical locations to keep your CentOS secure.
2. Keep yearly, monthly, weekly, and daily backups.
You might get lucky and realize your system was compromised as soon as it happens. In such a case, the default daily or weekly backups are just what you need to get things back to normal.
However, it can sometimes take months before you finally realize your system was compromised. What’s even worse is that some malware infections are impossible to resolve without permanent data loss.
To prevent such issues from affecting you, make sure to keep older versions of your backups instead of just recent ones. That’s exactly what monthly and yearly backups are for.
3. Back up the whole system
In a lot of cases, people prioritize the /home or /var directories as that’s where their websites and applications are stored. But in fact, it’s almost as important to backup up your entire system as well.
Just think about it for a moment. How long will it take you or your administrators to install and configure all the necessary software on a new system once you get compromised? Not to mention how long it will take your firewalls to collect the same IPs and provide the same level of protection as before.
To keep your CentOS secure, make sure to run regular updates. This includes package repository information, installed packages, and all manually installed software.
You can install and update any element of your server stack, such as Apache, MySQL, and PHP, as a package. However, any software that you manually download, such as a CMS (content management system), will need to be updated manually.
1. Update the package information
sudo dnf check-update
2. Update all packages
If you’re satisfied with the output, you can proceed to upgrade all packages.
sudo dnf update
If not, you can update any individual packages one by one. Remember to replace $packagename with the name of each package.
sudo dnf update $packagename
3. Update your CMS, plugins, and any other manually installed software.
Keeping your Linux system up to date is important, but don’t forget about your CMS.
CMS systems, such as WordPress or Magento, are made out of many moving parts developed by different companies. While their modular nature brings a whole host of benefits, it’s also what makes them vulnerable to various attacks. This is an important part of Linux server hardening.
To keep all manually installed software up to date, read its official documentation.
Unused packages unnecessarily increase your exposure to potential exploits. That’s why you should find and remove them to keep your CentOS secure.
1. Find and remove unused packages with autoremove.
sudo dnf autoremove
2. Find and remove temporary files.
sudo dnf clean all
Setting strong passwords is a critical part of Linux server hardening. Strong passwords are made out of a long randomized string of upper case letters, lower case letters, numbers, and symbols. They shouldn’t include any words or dates.
Furthermore, you should also make sure that all users update their passwords frequently. Password policies significantly reduce the risk of brute force attacks by preventing users from reusing the same passwords for multiple services.
1. Use pwgen to generate a strong password.
Install pwgen.
sudo dnf install pwgen
Generate a list of passwords using the -ys flag, where y means include symbols, and s is used to generate a highly secure password string.
pwgen -ys 20
2. Set a password expiration policy.
Use the etc/login.defs file to set a shorter password expiration policy, such as 30 to 90 days.
PASS_MAX_DAYS is the number of days after which a password will expire.
PASS_MIN_DAYS is the number of days that need to pass before a password can be changed.
PASS_WARN_AGE is the number of days warnings will be shown on log-in before the password expires. This feature doesn’t extend the PASS_MAX_DAYS expiration.
3. Apply the new policy to existing users.
When you set a new policy, it only affects new users. To check the policy of an existing user, you would use chage -l command while replacing $username with the Linux user.
sudo chage -l $username
To apply it to existing ones, you need to use the chage command. The -M flag is for maximum days, -m for minimum, and -W for warnings. Don’t forget to replace $days and $username with the proper values, and check if the change was applied.
sudo chage -M $days $username
When you’re working on hardening CentOS 8, it’s also important that you install Fail2ban intrusion prevention. This software protects your server from malicious login attempts by systematically blocking misbehaving IPs.
1. Install Fail2ban.
sudo dnf install fail2ban
2. Activate and enable Fail2ban.
Start fail2ban and set it to load at boot.
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
3. Configure Fail2ban.
Before you can configure Fail2ban, you need to copy etc/fail2ban/jail.conf to etc/fail2ban/jail.local.
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Now add your IP to the ignoreip list and uncomment the line.
Then configure how the system should treat suspicious IPs.
bantime defines how long an IP will be blocked.
maxretry is how many times an IP can fail to log in before getting blocked.
findtime is the time period after which the maxretry counter is reset.
Finally, restart Fail2ban to apply these changes.
sudo systemctl restart fail2ban
There are many other useful Fail2ban features that you can use for CentOS hardening. To learn more about them, read the Fail2ban manual pages.
Another important step in this CentOS 8 hardening guide involves protecting GRUB. Grand Unified Bootloader (GRUB) is the most common bootloader for a lot of Linux distributions, including CentOS.
GRUB can be used to reset the root password by logging in to the single-user mode. That’s why you should set a password to protect it and improve your CentOS security.
Set the password.
sudo grub2-setpassword
Pressing the keys Ctrl, Alt, and Delete together will cause a reboot on most Linux distributions, including CentOS. If an attacker gets keyboard access and reboots your system, they could potentially access the single-user mode without a password.
That’s why it’s important that you disable it to prevent any unwanted reboots and improve your CentOS 8 security.
Disable the shortcut.
sudo systemctl mask ctrl-alt-del.target
Securing the Linux kernel is another important aspect of CentOS hardening. Linux kernel configurations are stored under /proc/sys. To change them, you can use the systctl command.
1. Check the configuration.
sudo sysctl –system
2. Edit the configuration.
Open the etc/sysctl.conf file and copy the following configurations to it. They should work for most machines as long as they aren’t used as routers. Make sure to read each comment before applying the changes.
# Disable IP forwarding
net.ipv4.ip_forward = 0
# Disable source routing
net.ipv4.conf.default.accept_source_route = 0
# Disable the Magic System Request key
kernel.sysrq = 0
# Enable TCP SYN cookie protection
net.ipv4.tcp_syncookies = 1
# Enable SYN flood protection
net.ipv4.tcp_synack_retries = 5
# Don’t accept source-routed packets
net.ipv4.conf.all.accept_source_route = 0
# Don’t accept ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
# Log packets with suspicious addresses
net.ipv4.conf.all.log_martians = 1
# Ignore broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Ignore bad ICMP errors
net.ipv4.icmp_ignore_bogus_error_responses = 1
3. Apply the changes.
Finally, reload sysctl to apply the changes.
sudo sysctl -p
That’s it. You’ve reached the end of this CentOS 8 hardening guide.
The digital landscape is rapidly evolving, but so is cybercrime. If your business relies on Linux for its day-to-day operations, it’s essential that you apply the latest Linux server hardening procedures to survive and thrive in the coming years.
Spending a couple of extra hours on security can protect you from the severe consequences of cyberattacks, including lawsuits and reputation damage. This step-by-step guide on how to secure CentOS 8 is a great place to start, so take action and improve your security today.
Hope, this blog post has helped you understand CentOS Server Hardening (Linux Server Hardening). Thanks for reading this tutorial post. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram, and subscribe to receive updates like this.
You may also like these articles:
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”
"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.
BurpGPT is a cutting-edge Burp Suite extension that harnesses the power of OpenAI's language models to revolutionize web application security testing. With customizable prompts and advanced AI capabilities, BurpGPT enables security professionals to uncover bespoke vulnerabilities, streamline assessments, and stay ahead of evolving threats.
PentestGPT, developed by Gelei Deng and team, revolutionizes penetration testing by harnessing AI power. Leveraging OpenAI's GPT-4, it automates and streamlines the process, making it efficient and accessible. With advanced features and interactive guidance, PentestGPT empowers testers to identify vulnerabilities effectively, representing a significant leap in cybersecurity.
Tenable BurpGPT is a powerful Burp Suite extension that leverages OpenAI's advanced language models to analyze HTTP traffic and identify potential security risks. By automating vulnerability detection and providing AI-generated insights, BurpGPT dramatically reduces manual testing efforts for security researchers, developers, and pentesters.
Microsoft Security Copilot is a revolutionary AI-powered security solution that empowers cybersecurity professionals to identify and address potential breaches effectively. By harnessing advanced technologies like OpenAI's GPT-4 and Microsoft's extensive threat intelligence, Security Copilot streamlines threat detection and response, enabling defenders to operate at machine speed and scale.