How To Quickly Secure A CentOS Web Server

Posted by jun auza On 1/21/2013
If you are a system administrator, then you must have come across CentOS sometime in your career. The open-source Linux distribution is popular for its stability and reliability in server environments. CentOS, which stands for Community ENTerprise Operating System, is based entirely on Red Hat Enterprise Linux (RHEL) distribution. Though you need to pay for RHEL license, CentOS comes free as in free beer and can be distributed amongst peers. The distribution is quite popular with almost 30% of all Linux web servers using it and yes, you can install the distribution right away via a live CD or a live USB.

These days, if you buy a cloud-based server space, you get to choose which operating system is loaded on it. If you choose Linux then most of the hosting companies provide CentOS as the distribution. Once setup you need to seal any vulnerabilities and openings that come with the default installation and make sure that your server won’t be hacked.

To access your server, you’ll need to SSH to the IP address and access it as root. In this article, we’ll show you few of the most important steps in securing a CentOS server. Note that this article doesn’t comprise all that is required to harden a server; however for small scale to medium scale setup, this security is enough at times.


Step 1: Do a yum upgrade and backup the list of packages installed

#yum upgrade
#yum list installed >> ~/installed.txt


These commands will ensure that all packages are up to date and that we have a back up of all the list of installed packages.


Step 2: Add a new user so that we won’t have to login via root the next time

Using the computer as root is one of the riskiest things to do on a Linux web server. So first, we’ll create a new user and then we will give it all admin privileges.

#/usr/bin/visudo

Then once visudo opens up, uncomment the following line:

%wheel  ALL=(ALL)  ALL

Press the Escape key followed by :wq to close the editor.

#useradd techsource
#passwd techsource


Here, you can set a new password for the user named techsource. Make sure that you create a strong password, one that is hard to guess.

Then type the following command to add techsource to the group wheel:

#gpasswd -a techsource wheel

Now, we have created a new user called techsource that can execute all the commands that root can.


Step 3: Disable root access via SSH

This is an important step. Once you have added a new user, now you have to make sure that next time you login, root will be denied access directly. This ensures that the attacker won’t be able to login via ssh by simply guessing the root password. Now he or she also has to guess the username.

#vim /etc/ssh/sshd_config


Uncomment the line:  #Change PermitRootLogin yes

and change it to:  PermitRootLogin no

You can also add a warning banner by uncommenting the following line:

#Banner /etc/issue.net

Edit issue.net file to add your own warning banner. A warning banner might look something like this:

###############################################################
#               Authorized access only!                       #
# Disconnect IMMEDIATELY if you are not an authorized user!!! #
#       All actions Will be monitored and recorded            #
###############################################################

Close the file using Escape + :wq and enter the following command:

#/etc/init.d/sshd restart



Step 4: Limit maximum number of SSH connections

First backup iptables configuration:

#cp /etc/sysconfig/iptables /etc/sysconfig/iptables.backup

Then, enter the following command:

#iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 2 -j REJECT

This will ensure that only 2 users are logged in at once via SSH. If a third person tries to login, he or she will not be given access.

Now that we’re done, log out of the server and log back in via the user we just created. Use sudo or su to use admin commands.

Bookmark and Share

Related Posts:



Archive


"Action is the real measure of intelligence" ~Napoleon Hill

Twitter

Tumblr

Google +