{"id":12029,"date":"2019-03-21T03:49:23","date_gmt":"2019-03-21T03:49:23","guid":{"rendered":"http:\/\/www.appservgrid.com\/paw92\/?p=12029"},"modified":"2019-03-21T03:49:23","modified_gmt":"2019-03-21T03:49:23","slug":"the-mega-guide-to-harden-and-secure-centos-7","status":"publish","type":"post","link":"https:\/\/www.appservgrid.com\/paw92\/index.php\/2019\/03\/21\/the-mega-guide-to-harden-and-secure-centos-7\/","title":{"rendered":"The Mega Guide To Harden and Secure CentOS 7"},"content":{"rendered":"

This tutorial only covers general security tips for\u00a0CentOS 7<\/strong>\u00a0which can be used to harden the system. The checklist tips are intended to be used mostly on various types of bare-metal servers or on machines (physical or virtual) that provides network services.<\/p>\n

\n

\"Security<\/a><\/p>\n

Security and Hardening of CentOS 7<\/p>\n<\/div>\n

However, some of tips can be successfully applied on general purpose machines too, such as Desktops, Laptops and card-sized single-board computers (Raspberry Pi<\/strong>).<\/p>\n

Requirements<\/h4>\n
    \n
  1. CentOS 7 Minimal Installation<\/a><\/li>\n<\/ol>\n

    1. Physical Protection<\/h3>\n

    Lock down your server rooms access, use racks locking and video surveillance. Take into consideration that any physical access to server rooms can expose your machine to serious security issues.<\/p>\n

    BIOS<\/strong>\u00a0passwords can be changed by resetting jumpers on the motherboard or by disconnecting the CMOS battery. Also, an intruder can steal the hard disks or directly attach new hard disks to the motherboard interfaces (SATA, SCSI etc), boot up with a Linux live distro and clone or copy data without leaving any software trace.<\/p>\n

    2. Reduce Spying Impact<\/h3>\n

    In case of highly sensitive data you should probably use advanced physical protection such as placing and locking the server into a\u00a0Faraday Cage<\/a>\u00a0or use a military\u00a0TEMPEST<\/a>\u00a0solution in order to minimize the impact of spying the system via radio or electrical leaking emanations.<\/p>\n

    3. Secure BIOS\/UEFI<\/h3>\n

    Start the process of harden your machine by securing\u00a0BIOS\/UEFI<\/strong>\u00a0settings, especially set a\u00a0BIOS\/UEFI<\/strong>\u00a0password and disable boot media devices (CD, DVD, disable USB support) in order to prevent an unauthorized users from modifying the system BIOS settings or altering the boot device priority and booting the machine from an alternate medium.<\/p>\n

    In order to apply this type of changes to your machine you need to consult the motherboard manufacturer manual for specific instructions.<\/p>\n

    4. Secure Boot Loader<\/h3>\n

    Set a\u00a0GRUB<\/strong>\u00a0password in order to prevent malicious users to tamper with kernel boot sequence or runlevels, edit kernel parameters or start the system into single user mode in order to harm your system and\u00a0reset root password<\/a>\u00a0to gain privileged control.<\/p>\n

    5. Use Separate Disk Partitions<\/h3>\n

    When installing\u00a0CentOS<\/strong>\u00a0on systems intended as production servers use dedicated partitions or dedicated hard disks for the following parts of the system:<\/p>\n

    \/(root) \r\n\/boot  \r\n\/home  \r\n\/tmp \r\n\/var \r\n<\/pre>\n
    6. Use LVM and RAID for Redundancy and File System Growth<\/h3>\n
    The\u00a0\/var<\/strong>\u00a0partition is the place where log messages are written to disk. This part of the system can exponential grow in size on heavily traffic servers which expose network services such as web servers or file servers.<\/p>\n
    Thus, use a large partition for\u00a0\/var<\/strong>\u00a0or consider on setting up this partition using logical volumes (LVM<\/strong>) or combine several physical disks into one larger virtual RAID 0 device to sustain large amounts of data. For data redundancy consider on using LVM layout on top of\u00a0RAID 1<\/strong>\u00a0level.<\/p>\n
    For setting up LVM or RAID on the disks, follow our useful guides:<\/p>\n
      \n
    1. Setup Disk Storage with LVM in Linux<\/a><\/li>\n
    2. Create LVM Disks Using vgcreate, lvcreate and lvextend<\/a><\/li>\n
    3. Combine Several Disks into One Large Virtual Storage<\/a><\/li>\n
    4. Create RAID 1 Using Two Disks in Linux<\/a><\/li>\n<\/ol>\n
      7. Modify fstab Options to Secure Data Partitions<\/h3>\n
      Separate partitions intended for storing data and prevent the execution of programs, device files or\u00a0setuid<\/strong>\u00a0bit on these type of partitions by adding the following options to\u00a0fstab<\/strong>\u00a0file as illustrated on the below excerpt:<\/p>\n
      \/dev\/sda5 \t \/nas          ext4    defaults,nosuid,nodev,noexec<\/strong> 1 2\r\n<\/pre>\n
      To prevent privilege-escalation and arbitrary script execution create a separate partition for\u00a0\/tmp<\/strong>\u00a0and mount it as\u00a0nosuid<\/strong>,\u00a0nodev<\/strong>\u00a0and\u00a0noexec<\/strong>.<\/p>\n
      \/dev\/sda6  \t\/tmp         ext4    defaults,nosuid,nodev,noexec<\/strong> 0 0\r\n<\/pre>\n
      8. Encrypt the Hard Disks at block level with LUKS<\/h3>\n
      In order to protect sensitive data snooping in case of physical access to machine hard drives. I suggest you to learn how to encrypt disk by reading our article\u00a0Linux Hard Disk Data Encryption with LUKS<\/a>.<\/p>\n
      9. Use PGP and Public-Key Cryptography<\/h3>\n
      In order to encrypt disks, use PGP and Public-Key Cryptography or openssl command to encrypt and decrypt sensitive files with a password as shown in this article\u00a0Configure Encrypted Linux System Storage<\/a>.<\/p>\n
      10. Install Only the Minimum Amount of Packages Required<\/h3>\n
      Avoid installing unimportant or unnecessary programs, applications or services to avoid package vulnerabilities. This can decrease the risk that the compromise of a piece of software may lead to compromise other applications, parts of the system or even file systems, finally resulting in data corruption or data loss.<\/p>\n
      11. Update the system frequently<\/h3>\n
      Update the system regularly. Keep Linux kernel in sync with the latest security patches and all the installed software up-to-date with the latest versions by issuing the below command:<\/p>\n
      # yum update\r\n<\/pre>\n
      12. Disable Ctrl+Alt+Del<\/h3>\n
      In order to prevent users to reboot the server once they have physical access to keyboard or via a Remote Console Application or a virtualized console (KVM<\/strong>, Virtualizing software interface) you should disable\u00a0Ctrl+Alt+Del<\/code>\u00a0key sequence by executing the below command.<\/p>\n
      # systemctl mask ctrl-alt-del.target \r\n<\/pre>\n
      13. Remove Unnecessary Software Packages<\/h3>\n
      Install minimal software required for your machine. Never install extra programs or services. Install packages only from trusted or official repositories. Use minimal installation of the system in case the machine is destined to run its entire live as a server.<\/p>\n
      Verify installed packages using one of the following commands:<\/p>\n
      # rpm -qa<\/pre>\n
      Make a local list of all installed packages.<\/p>\n
      # yum list installed >> installed.txt\r\n<\/pre>\n
      Consult the list for useless software and delete a package by issuing the below command:<\/p>\n
      # yum remove package_name\r\n<\/pre>\n
      Read Also<\/strong>:\u00a0Disable and Remove Unwanted Packages on Minimal Installation of CentOS 7<\/a>.<\/p>\n
      14. Restart systemd services after daemon updates<\/h3>\n
      Use the below command example to restart a systemd service in order to apply new updates.<\/p>\n
      # systemctl restart httpd.service\r\n<\/pre>\n
      15. Remove Unneeded Services<\/h3>\n
      Identify the services that are listening on specific ports using the following command.<\/p>\n
      # ss -tulpn\r\n<\/pre>\n
      To list all installed services with their output status issue the below command:<\/p>\n
      # systemctl list-units -t service\r\n<\/pre>\n
      For instance,\u00a0CentOS 7<\/strong>\u00a0default minimal installation comes with Postfix daemon installed by default which runs by the name of master under port\u00a025<\/strong>. Remove Postfix network service in case your machine will not be used as a mail server.<\/p>\n
      # yum remove postfix\r\n<\/pre>\n
      Read Also<\/strong>:\u00a0Stop and Disable Unwanted Services in CentOS 7<\/a>.<\/p>\n
      16. Encrypt Transmitted Data<\/h3>\n
      Do not use unsecure protocols for remote access or file transfer such as\u00a0Telnet<\/strong>,\u00a0FTP<\/strong>\u00a0or other plain text high protocols such as SMTP, HTTP, NFS or SMB which, by default, does not encrypt the authentication sessions or sent data.<\/p>\n
      Use only\u00a0sftp<\/a>,\u00a0scp<\/a>\u00a0for file transfers and SSH or VNC over SSH tunnels for remote console connections or GUI access.<\/p>\n
      In order to tunnel a VNC console via SSH use the below example which forwards the VNC port 5901 from the remote machine to your local machine:<\/p>\n
      # ssh -L 5902:localhost:5901 remote_machine\r\n<\/pre>\n
      On local machine run the below command in order to virtual connect to the remote endpoint.<\/p>\n
      # vncviewer localhost:5902\r\n<\/pre>\n
      17. Network Port Scanning<\/h3>\n
      Conduct external port checks using the nmap tool from a remote system over the LAN. This type of scanning can be used to verify network vulnerabilities or test the firewall rules.<\/p>\n
      # nmap -sT -O 192.168.1.10\r\n<\/pre>\n
      Read Also<\/strong>:\u00a0Learn How to Use Nmap with these 29 Examples<\/a>.<\/p>\n
      18. Packet-filtering Firewall<\/h3>\n
      Use\u00a0firewalld<\/strong>\u00a0utility to protect the system ports, open or close specific services ports, especially well-known ports (<1024).<\/p>\n
      Install, start, enable and list the firewall rules by issuing the below commands:<\/p>\n
      # yum install firewalld\r\n# systemctl start firewalld.service\r\n# systemctl enable firewalld.service\r\n# firewall-cmd --list-all\r\n<\/pre>\n
      19. Inspect Protocol Packets with tcpdump<\/h3>\n
      Use\u00a0tcpdump<\/strong>\u00a0utility in order to sniff network packets locally and inspect their content for suspicious traffic (source-destination ports, tcp\/ip protocols, layer two traffic, unusual ARP requests).<\/p>\n
      For a better analysis of the\u00a0tcpdump<\/strong>\u00a0captured file use a more advanced program such as\u00a0Wireshark<\/strong>.<\/p>\n
      # tcpdump -i eno16777736 -w tcpdump.pcap\r\n<\/pre>\n
      Read Also<\/strong>:\u00a012 tcpdump Command Examples<\/a>\u00a0and\u00a0Analyze Network Using Wireshark Tool<\/a>.<\/p>\n
      20. Prevent DNS Attacks<\/h3>\n
      Inspect the contents of your resolver, typically\u00a0\/etc\/resolv.conf<\/strong>\u00a0file, which defines the IP address of the DNS servers it should use to query for domain names, in order to avoid man-in-the-middle attacks, unnecessary traffic for root DNS servers, spoof or create a DOS attack.<\/p>\n
      This is just the first part. On the next part we\u2019ll discuss other security tips for\u00a0CentOS 7<\/strong>.<\/p>\n
      Continuing the previous tutorial on\u00a0how to secure CentOS 7<\/a>, in this article we\u2019ll discuss other security tips that will be presented on the below checklist.<\/p>\n
      \n
      \"Hardening<\/a><\/p>\n
      Hardening and Securing of CentOS 7 Server<\/p>\n<\/div>\n
      Requirements<\/h4>\n
        \n
      1. The Mega Guide To Harden and Secure CentOS 7 \u2013 Part 1<\/a><\/li>\n<\/ol>\n
        21. Disable Useless SUID and SGID Commands<\/h3>\n
        If the\u00a0setuid<\/strong>\u00a0and\u00a0setgid<\/strong>\u00a0bits are set on binary programs, these commands can run tasks with other user or group rights, such as\u00a0root<\/strong>\u00a0privileges which can expose seriously security issues.<\/p>\n
        Often, buffer overrun attacks can exploit such executables binaries to run unauthorized code with the rights of a root power user.<\/p>\n
        # find \/  -path \/proc -prune -o -type f \\( -perm -4000 -o -perm -2000 \\) -exec ls -l {} \\;\r\n<\/pre>\n
        To unset the\u00a0setuid<\/strong>\u00a0bit execute the below command:<\/p>\n
        # chmod u-s \/path\/to\/binary_file\r\n<\/pre>\n