
Harden CentOS 7 security, easy steps

This is a post about how to harden CentOS 7 security. Everyone should know that the default configuration on almost any Linux server distribution is not really very secure. With SSH on the default port 22 you will get loads of failed login attempts. Why? The answer has only four letters, and that is BOTS.

Leave remote root login enabled, SSH keys disabled and a crappy password in place, and I promise your server will be hacked in the next 24 hours and it’ll be spamming, DoS:ing or mining crypto. If you’re interested in SSH penetration testing, you should check my post Hack SSH Server with Nmap and Hydra – Pentest guide.

The next things you will learn will make your CentOS 7 server or VPS a hundred times more secure.

Basic steps to harden CentOS 7 security

These are the easiest steps to do if you’re a beginner with Linux server environments. Even a child could configure the next things!

Disable remote root login on CentOS 7

This will make your server a lot more secure. If the root login is disabled, the bots can’t spam your server with login tries. They do not know the user that can be used to log in! However, this will not work in every configuration; for example, if you’re setting up something special, you might need to have remote root login enabled.

First we need to create a new user. Type the following commands to add a new user and create a password for it. I will be using penguin as an example; please don’t use that. I probably don’t have to explain why.

adduser penguin
passwd penguin

After creating the user, you need to add it to the sudoers file, to use sudo and execute root level commands. If you don’t have sudo installed, type “yum install sudo” to install it, without quotes.

echo 'penguin ALL=(ALL) ALL' >> /etc/sudoers

That will add the line ‘penguin ALL=(ALL) ALL’ to your file, which is located in /etc/sudoers. You can also modify it with the text editor of your choice if you prefer not to use the echo command.

After doing that, you can try your new account first, before disabling the root login. Log out from root and log in with the new user over SSH. After you’ve logged in, you can type “su” to get to the root account again. Now we can really disable the root user from remote logins.

Open the file /etc/ssh/sshd_config with your favorite text editor.

nano /etc/ssh/sshd_config

After that, uncomment the following line, or just add it yourself.

PermitRootLogin no

Now you just need to restart the SSH service.

service sshd restart

You have now learned how to disable remote root login on your server and made it much more secure.

Change the SSH port

Another basic step to harden CentOS 7 security is to change the SSH login port. This is a very easy step to do and it will also make your server much more secure. Open the file /etc/ssh/sshd_config with your favorite text editor.

nano /etc/ssh/sshd_config

Locate the port number 22; if it’s commented, uncomment it and change it to something else. Do not use the ports in this list and you should be fine. After changing the port, restart the SSH service again and the change will take effect.

service sshd restart

You have now successfully changed the SSH port of your server.

Advanced steps to harden CentOS 7 security

Here are a couple more advanced things that you can configure to make your Linux server setup more secure.

Enable password-less login and disable login with password on your server.

Attention! We will generate an SSH key that allows you to log in only from the machine that the SSH key is also configured on. If you lose it, you won’t be able to log in unless you have an emergency terminal on your VPS host. This is easiest to do on a UNIX machine, like Apple’s OS X computers and Linux desktops or laptops. Type the following command on your local machine.

ssh-keygen -t rsa

The output you will get, will look similar to this.

Generating public/private rsa key pair.
Enter file in which to save the key (/Users/younogetmyname/.ssh/id_rsa): pengs
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in pengs.
Your public key has been saved in pengs.pub.
The key fingerprint is:
SHA256:guRBGcEMqzqnBRX1wLO5jRsAep6JFDEnpirmi0/ro/A younogetmyname@MacBook-Pro.local
The key's randomart image is:
+---[RSA 2048]----+
| =+B*+           |
|+.++*o           |
|o.+ o+.          |
|o+oooo           |
|*= +o+. S        |
|*.+ + ..         |
|+.+  o           |
|oBo..            |
|+=E.             |
+----[SHA256]-----+

Then you will need to add the same key to your server. I created a user called penguin earlier, so I’ll use that as an example. Create a folder called .ssh in the user’s home folder.

mkdir /home/penguin/.ssh

After that, create the authorized_keys file there and copy-paste the public key (the contents of pengs.pub) into it.

nano /home/penguin/.ssh/authorized_keys

Change the owner of the file to your user if you’re using root.

chown penguin /home/penguin/.ssh/authorized_keys
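The mkdir, paste and chown steps above, as one function that also sets the permissions sshd checks before it trusts a key file. This is an added example, not part of the original post; the function name install_pubkey and the key line in the usage comment are made up for illustration.

```bash
# Added example, not from the original post.
# install_pubkey HOME_DIR PUBKEY_LINE [OWNER]
install_pubkey() {
    home=$1 key=$2 owner=${3:-}
    dir="$home/.ssh"
    file="$dir/authorized_keys"

    # Accept exactly one "type base64 [comment]" line, so a private key
    # or a multi-line paste never ends up in authorized_keys.
    [ "$(printf '%s\n' "$key" | wc -l)" -eq 1 ] || { echo "expected one line" >&2; return 1; }
    case $key in
        ssh-rsa\ ?*|ssh-ed25519\ ?*|ecdsa-sha2-*\ ?*) ;;
        *) echo "not a public key line" >&2; return 1 ;;
    esac

    # sshd (StrictModes, on by default) rejects keys kept in a directory or
    # file that group or others can write to; 700/600 is the usual layout.
    mkdir -p "$dir" || return 1
    chmod 700 "$dir" || return 1
    touch "$file" || return 1
    chmod 600 "$file" || return 1

    # Append only when this exact line is missing, so reruns are harmless.
    grep -qxF -- "$key" "$file" || printf '%s\n' "$key" >> "$file"

    # Changing ownership needs root; skipped when no OWNER is given.
    if [ -n "$owner" ]; then chown -R "$owner" "$dir" || return 1; fi
}

# Usage on the server, as root (key line shortened here):
#   install_pubkey /home/penguin "ssh-rsa AAAA... you@laptop" penguin
```

Keep your root session open and test the key login from a second terminal before you turn off password login.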

Now we can disable SSH login with password. Make sure that the following lines exist in the /etc/ssh/sshd_config file. Open it with the text editor of your choice, then add or uncomment these lines if they are not there.

PasswordAuthentication no
PermitRootLogin no

Now restart the SSH service.

service sshd restart

Now only the permitted user can log in, using the SSH key, from the machine that holds it. So please be careful not to lose it.
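A quick way to check that the sshd_config edits from this post really took effect, as an added example that is not part of the original post. sshd uses the first uncommented occurrence of a keyword, so a "PermitRootLogin no" added at the bottom does nothing if an earlier "PermitRootLogin yes" is still active. The function names and the sample config are made up for illustration.

```bash
# Added example, not from the original post.
# Skip comments/blank lines; global settings stop at the first Match block.
# Limitation: only the whitespace-separated "Keyword value" form is parsed.

# sshd_value FILE KEYWORD: first uncommented value, which is the one sshd uses.
sshd_value() {
    awk -v want="$2" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(want) { print tolower($2); exit }
    ' "$1"
}

# sshd_ports FILE: every global Port line (Port may be given more than once).
sshd_ports() {
    awk '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "port" { print $2 }
    ' "$1"
}

# audit_sshd FILE: return 0 only when the post's three settings are in effect.
audit_sshd() {
    rc=0
    root=$(sshd_value "$1" PermitRootLogin)
    pass=$(sshd_value "$1" PasswordAuthentication)
    ports=$(sshd_ports "$1")
    [ "$root" = no ] || { echo "FAIL PermitRootLogin=${root:-unset}"; rc=1; }
    [ "$pass" = no ] || { echo "FAIL PasswordAuthentication=${pass:-unset}"; rc=1; }
    if [ -z "$ports" ] || echo "$ports" | grep -qx 22; then
        echo "FAIL sshd still listens on port 22"; rc=1
    fi
    return $rc
}

# Constructed sample: the "no" appended at the end loses to the earlier "yes".
sample_config() {
    cat <<'EOF'
#PermitRootLogin no
PermitRootLogin yes
Passwordauthentication no
Port 2222
PermitRootLogin no
EOF
}
```

On the server itself, run audit_sshd /etc/ssh/sshd_config, and use sshd -t to catch syntax errors before the restart; sshd -T prints the values sshd will actually use.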

Install and configure firewall on CentOS 7

It would be possible to write an entire post about firewalls and how they work, but firewalls are not the point of this post, so I will probably write that later and add the link to it here. However, I will give you the quick setup for installing and configuring firewalld. Install firewalld with the following commands and enable it. Commands must be run as root or with sudo.

yum install firewalld
systemctl start firewalld
systemctl enable firewalld
systemctl status firewalld

Now you have enabled the firewall and can also see its current status. You can add open ports to the firewall with the following command.

sudo firewall-cmd --zone=public --add-port=6969/tcp --permanent

Make sure to reload it every time you make changes.

sudo firewall-cmd --reload

To remove ports, run the next command, and then the reload command above.

sudo firewall-cmd --zone=public --remove-port=6969/tcp --permanent

Now just add the ports you need and you’re done.
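The SSH port change from earlier and the firewall commands from this section belong together: once firewalld is running, the new SSH port has to be opened before sshd moves to it, and on CentOS 7 SELinux also has to allow sshd to bind it. The function below is an added example, not part of the original post. The names run and move_ssh_port are made up, and it assumes SELinux is enforcing and semanage is installed (package policycoreutils-python).

```bash
# Added example, not from the original post.
# run CMD...: execute the command, or only print it when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# move_ssh_port PORT: open the new port first, switch sshd over last.
move_ssh_port() {
    port=$1
    case $port in ''|*[!0-9]*) echo "port must be numeric" >&2; return 2 ;; esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ] || [ "$port" -eq 22 ]; then
        echo "pick a port from 1 to 65535 other than 22" >&2; return 2
    fi
    # SELinux only lets sshd bind ports labelled ssh_port_t.
    run semanage port -a -t ssh_port_t -p tcp "$port" || return 1
    # Same firewall-cmd calls as in the post, for the new SSH port.
    run firewall-cmd --zone=public --add-port="$port/tcp" --permanent || return 1
    run firewall-cmd --reload || return 1
    # Rewrites an existing "Port" or "#Port" line; adds nothing if none exists.
    run sed -i -E "s/^#?Port [0-9]+/Port $port/" /etc/ssh/sshd_config || return 1
    # Refuse to restart on a config that does not parse.
    run sshd -t || return 1
    run systemctl restart sshd
}

# Preview without changing anything:  DRY_RUN=1 move_ssh_port 2222
```

Run it as root from a session you keep open, then confirm a fresh login on the new port before closing that session.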

I hope you liked my post about hardening CentOS 7 security. Have a great time with configuring your server and learning! Please drop a comment below if you have any thoughts!
