Securing CentOS - Revision history

Leaky: /* SSH */ Linked to denyhosts

2015-01-18T16:44:48Z

‎SSH: Linked to denyhosts

Leaky: /* Extra repositories */

2013-08-29T08:27:55Z

‎Extra repositories

Leaky: Start of a security page

2013-08-28T23:44:44Z

Start of a security page

New page

Quite a bit of the information that is on this page will apply to any distribution of Linux, but some of the paths etc may be different for non-CentOS 6 servers.

== Extra repositories ==

Don't add extra yum repositories without at least ensuring you have the yum priorities plugin enabled so that the extra repositories don't overwrite the base/updates repositories.

== SSH ==

* Change the SSH port
** /etc/ssh/sshd_config - look for "Port 22", uncomment and change the port.
** Remember to update the iptables rules in /etc/sysconfig/iptables with the new port
** service iptables restart (iptables-save to check the current rules include the new port)
** service sshd restart (do not log out of existing session until you have checked you can login from a new window)

* Set it so root cannot login using a password, only SSH keys
** /etc/ssh/sshd_config - "PermitRootLogin yes" becomes "PermitRootLogin without-password" or if you're happy to not use root at all except via sudo, "PermitRootLogin no"
* Enable denyhosts (or fail2ban if preferred) on SSH
** Install the package and configure as appropriate

== Email ==

* Ensure you don't relay email without authenticating first

== Apache ==

* mod_suphp for running PHP as individual users instead of just apache
** remove mod_php if running mod_suphp
** Remember to add the user/group config directive to each virtualhost
** Activate suphp using: suPHPEngine on
* suexec enabled for running CGI scripts as individual users

← Older revision		Revision as of 08:27, 29 August 2013
Line 4:		Line 4:

	Don't add extra yum repositories without at least ensuring you have the yum priorities plugin enabled so that the extra repositories don't overwrite the base/updates repositories.		Don't add extra yum repositories without at least ensuring you have the yum priorities plugin enabled so that the extra repositories don't overwrite the base/updates repositories.
		+
		+	== Keep packages up to date ==
		+
		+	Setup a cron entry to run "yum check-update" every few days so it can remind you there are updated packages available.

	== SSH ==		== SSH ==

@@ Line 17: / Line 17: @@
 ** service sshd restart (do not log out of existing session until you have checked you can login from a new window)
-* Set it so root cannot login using a password, only SSH keys
+* Set it so root cannot login using a password, only SSH keys (or not at all)
 ** /etc/ssh/sshd_config - "PermitRootLogin yes" becomes "PermitRootLogin without-password" or if you're happy to not use root at all except via sudo, "PermitRootLogin no"
-* Enable denyhosts (or fail2ban if preferred) on SSH
+* Enable [[Denyhosts|denyhosts]] (or fail2ban if preferred) on SSH
 ** Install the package and configure as appropriate