Continuing the previous tutorial on How to Secure and Harden CentOS server, in this article, we’ll discuss other security tips that will be presented on the below checklist.

Requirements#

1. 20 CentOS Server Hardening Security Tips – Part 1

21. Disable Useless SUID and SGID Commands#

If the setuid and setgid bits are set on binary programs, these commands can run tasks with other user or group rights, such as root privileges which can expose serious security issues.

Often, buffer overrun attacks can exploit such executables binaries to run unauthorized code with the rights of a root power user.

# find /  -path /proc -prune -o -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \;

To unset the setuid bit execute the below command:

# chmod u-s /path/to/binary_file

To unset the setgid bit run the below command:

# chmod g-s /path/to/binary_file

22. Check for Unowned Files and Directories#

Files or directories not owned by a valid account must be deleted or assigned with permissions from a user and group.

Issue the below find command to list files or directories with no user and group.

# find / -nouser -o -nogroup -exec ls -l {} \;

23. List World-Writeable Files#

Keeping a world-writable file on the system can be dangerous due to the fact that anyone can modify them. Execute the below command in order to display word-writeable files, except Symlinks, which are always world-writeable.

# find / -path /proc -prune -o -perm -2 ! -type l –ls

24. Create Strong Passwords#

Create a password of a minimum of eight characters. The password must contain digits, special characters, and uppercase letters. Use pwmake to generate a password of 128 bits from /dev/urandom file.

# pwmake 128

25. Apply Strong Password Policy#

Force the system to use strong passwords by adding the below line in /etc/pam.d/passwd file.

password required pam_pwquality.so retry=3

Adding the above line, the password entered cannot contain more than 3 characters in a monotonic sequence, such as abcd, and more than 3 identical consecutive characters, such as 1111.

To force users to use a password with a minimum length of 8 characters, including all classes of characters, strength-check for character sequences and consecutive characters add the following lines to the /etc/security/pwquality.conf file.

minlen = 8
minclass = 4
maxsequence = 3
maxrepeat = 3

26. Use Password Aging#

The chage command can be used for user password aging. To set a user’s password to expire in 45 days, use the following command:

# chage -M 45 username

To disable password expiration time use the command:

# chage -M -1 username

Force immediate password expiration (user must change the password on next login) by running the following command:

# chage -d 0 username

27. Lock Accounts#

User accounts can be locked by executing the passwd or usermod command:

# passwd -l username
# usermod -L username

To unlock accounts use the -u option for passwd command and -U option for usermod.Related Article: How to Lock User Accounts After Failed Login Attempts

28. Prevent Accounts Shell Access#

To prevent a system account (ordinary account or service account) to gain access to a bash shell, change root shell to /usr/sbin/nologin or /bin/false in the /etc/passwd file by issuing the command below:

# usermod -s /bin/false username

To change the shell when creating a new user issue the following command:

# useradd -s /usr/sbin/nologin username

Related Article: Learn 15 Examples of “useradd” Command in Linux

29. Lock Virtual User Console with vlock#

vlock is a program used for locking one multiple session on Linux console. Install the program and start locking your terminal session by running the below commands:

# yum install vlock
# vlock

30. Use a Centralized System to Manage Accounts and Authentication#

Using a centralized authentication system can greatly simplify account management and control. Services that can offer this type of account management are IPA Server, LDAP, Kerberos, Microsoft Active Directory, Nis, Samba ADS or Winbind.

Some of these services are by default highly secured with cryptographic protocols and symmetric-key cryptography, such as Kerberos.Related Article: Setup NFS Server with Kerberos-based User Authentication in Linux

31. Force Read-Only Mounting of USB Media#

Using blockdev utility you can force all removable media to be mounted as read-only. For instance, create a new udev configuration file named 80-readonly-usb.rules in the /etc/udev/rules.d/ directory with the following content:

SUBSYSTEM=="block",ATTRS{removable}=="1",RUN{program}="/sbin/blockdev --setro %N"

Then, apply the rule with the below command:

# udevadm control -reload

Related Article: How to Use Udev for Device Detection and Management in Linux

32. Disabling Root Access via TTY#

To prevent the root account from performing system log-in via all console devices (TTY), erase the contents of securetty file by typing the following command terminal prompt as root.

# cp /etc/securetty /etc/securetty.bak
# cat /dev/null > /etc/securetty

Remember that this rule does not apply to SSH login sessions
To prevent root login via SSH edit the file /etc/ssh/sshd_config and add the below line:

PermitRootLogin no

Related Article: How to Secure and Harden OpenSSH Server

33. Use POSIX ACLs to Expand System Permissions#

Access Control Lists can define access rights for more than just a single user or group and can specify rights for programs, processes, files, and directories. If you set ACL on a directory, its descendants will inherit the same rights automatically.

For example,

# setfacl -m u:user:rw file
# getfacl file

Related Article: Setup ACL and Disk Quotas for Users/Groups in Linux

34. Setup SELinux in Enforce Mode#

The SELinux enhancement to the Linux kernel implements the Mandatory Access Control (MAC) policy, allowing users to define a security policy that provides granular permissions for all users, programs, processes, files, and devices.

The kernel’s access control decisions are based on all the security-relevant context and not on the authenticated user identity.

To get Selinux status and enforce policy run the below commands:

# getenforce
# setenforce 1
# sestatus

Related Article: Setup Mandatory Access Control Policy with SELinux

35. Install SELinux Additional Utilities#

Install policycoreutils-python package which provides additional Python utilities for operating SELinux: audit2allow, audit2why, chcat, and semanage.

To display all boolean values together with a short description, use the following command:

# semanage boolean -l

For instance, to display and set the value of httpd_enable_ftp_server, run the below command:

# getsebool httpd_enable_ftp_server

To make the value of a boolean persist across reboots, specify the -P option to setsebool, as illustrated on the following example:

# setsebool -P httpd_enable_ftp_server on

36. Use Centralized Log Server#

Configure rsyslog daemon to send sensitive utilities log messages to a centralized log server. Also, monitor log files with the help of logwatch utility.

Sending log messages to a remote server assures that once the system has been compromised, the malicious users cannot completely hide their activity, always leaving traces on remote log files.Related Article: 4 Best Linux Log Monitoring and Management Tools

37. Enable Process Accounting#

Enable process accounting by installing psacct utility and use lastcomm command to displays information about previously executed commands as recorded in the system accounting file and sa to summarize information about previously executed commands as recorded in the system accounting file.

38. Hardening /etc/sysctl.conf#

Use the following kernel parameters rules to protect the system:

Disabling Source Routing#

net.ipv4.conf.all.accept_source_route=0

Disable IPv4 forwarding#

ipv4.conf.all.forwarding=0

Disable IPv6#

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

Disable the acceptance and sending of ICMP redirected packets unless specifically required.

net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.all.send_redirects=0

Disable Reverse Path Forwarding#

net.ipv4.conf.all.rp_filter=2

Ignore all ICMP echo requests (set to 1 to enable)

net.ipv4.icmp_echo_ignore_all = 0

39. Use VPN Services to Access your Premises over Unprotected Public Networks#

Always use VPN services for carriers to remotely access LAN premises over the Internet. Such types of services can be configured using a free open source solution, such as OpenVPN, or using a proprietary solution, such as Cisco VPN (install vpnc command-line utility provided by Epel Repositories).Related Article: Install OpenVPN Server with Windows Clients in CentOS

40. Perform External System Scan#

Evaluate your system security for vulnerabilities by scanning the system from remote points over your LAN using specific tools such as:

1. Nmap – network scanner 29 Examples of Nmap Command
2. Nessus – security scanner
3. OpenVAS – used to scan for vulnerabilities and for comprehensive vulnerability management.
4. Nikto – an excellent common gateway interface (CGI) script scanner Scan Web Vulnerability in Linux

41. Protect System Internally#

Use internal system protection against viruses, rootkits, malware, and, as a good practice, install intrusion detection systems that can detect unauthorized activity (DDOS attacks, port scans), such as:

1. AIDE – Advanced Intrusion Detection Environment – http://aide.sourceforge.net/
2. ClamAV – Antivirus Scanner https://www.clamav.net
3. Rkhunter – Rootkit Scanner
4. Lynis – Security Auditing and Scanning Tool for Linux
5. Tripwire – Security and Data Integrity http://www.tripwire.com/
6. Fail2Ban – Intrusion Network Prevention
7. OSSEC – (HIDS) Host-based Intrusion Detection System http://ossec.github.io/
8. Mod_Security – Protect Brute Force or DDoS Attacks

42. Modify User Environment Variables#

Append date and time format to store commands execution by issuing the below command:

# echo 'HISTTIMEFORMAT="%d/%m/%y  %T  "' >> .bashrc'

Force to instantly record HISTFILE every time a command is typed (instead of logout):

# echo ‘PROMPT_COMMAND="history -a"’ >> .bashrc

Limit the timeout login session. Automatically tear-down the shell when no activity is performed during an idle time period. Very useful to automatically disconnect SSH sessions.

# echo ‘TMOUT=120’ >> .bashrc

Apply all the rules by executing:

# source .bashrc

Related Article: Set User Environment Variables in Linux

43. Backup Data#

Use backup utilities, such as tar, cat, rsync, scp, LVM snapshots, etc in order to store a copy of your system, preferably offsite, in case of a system failure.

If the system gets compromised you can perform data restore from previous backups.

Finally, don’t forget that no matter how many security measures and contra-measures you take in order to keep your system safe, you will never be 100% completely secure as long as your machine is plugged-in and powered-on.

source: https://www.tecmint.com/centos-7-hardening-and-security-guide/