Difference between revisions of "Securing CentOS"

From Leaky
Latest revision as of 16:44, 18 January 2015

Quite a bit of the information on this page applies to any Linux distribution, but some of the paths etc. may differ on servers that are not CentOS 6.

Extra repositories

Don't add extra yum repositories without at least ensuring you have the yum priorities plugin enabled, so that packages from the extra repositories cannot override those from the base/updates repositories.
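The priorities setup described above, as an added example that is not part of the original page: the first function enables the plugin (package yum-plugin-priorities, config file /etc/yum/pluginconf.d/priorities.conf), the second adds or updates a priority= line inside one [section] of a .repo file, and the third reads it back for verification. The CentOS 6 paths are assumptions; every function takes the file path as an argument so the edit can be rehearsed on a copy of CentOS-Base.repo first.

```shell
# Added example (not from the wiki page): enable the yum priorities plugin and
# pin the base/updates repositories to priority 1 so third-party repos cannot
# replace their packages. Paths are the CentOS 6 defaults (assumed).

# Enable the plugin in its config file.
enable_yum_priorities() {
    conf="${1:-/etc/yum/pluginconf.d/priorities.conf}"
    printf '[main]\nenabled = 1\n' > "$conf"
}

# Add or update "priority=N" inside the named [section] of a .repo file.
# Lower numbers win: 1 for base/updates, 10 or more for extra repositories.
# Usage: set_repo_priority /etc/yum.repos.d/CentOS-Base.repo base 1
set_repo_priority() {
    repo_file="$1"; section="$2"; prio="$3"
    tmp="$(mktemp)"
    awk -v sec="[$section]" -v prio="$prio" '
        # On every section header: if we are leaving the target section and
        # never saw a priority line in it, emit one before the next header.
        /^\[/ { if (insec && !done) { print "priority=" prio; done = 1 }
                insec = ($0 == sec) }
        insec && /^priority=/ { print "priority=" prio; done = 1; next }
        { print }
        END { if (insec && !done) print "priority=" prio }
    ' "$repo_file" > "$tmp" && mv "$tmp" "$repo_file"
}

# Print the priority of a section (empty if none), for checking the result.
# Usage: repo_priority FILE SECTION
repo_priority() {
    awk -v sec="[$2]" '/^\[/ { insec = ($0 == sec) }
        insec && /^priority=/ { sub(/^priority=/, ""); print; exit }' "$1"
}
```

After running it, "yum repolist" shows "N packages excluded due to repository priority protections" once an extra repository carries a package that also exists in base/updates.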

Keep packages up to date

Set up a cron entry to run "yum check-update" every few days so it can remind you when updated packages are available.
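One way to wire up that reminder, as an added example that is not from the original page: "yum check-update" exits 100 when updates are pending, 0 when the system is current and 1 on error, so the script below prints only when there is something to report and cron's MAILTO turns that output into the reminder mail. The cron file path, the script location and the recipient address are assumptions.

```shell
# Added example (not from the wiki page): cron-driven "yum check-update"
# reminder. Exit status 100 = updates available, 0 = up to date, other = error.

# Map yum's exit status to a one-word verdict so callers need not remember it.
check_update_verdict() {
    case "$1" in
        0)   echo "up-to-date" ;;
        100) echo "updates-available" ;;
        *)   echo "error" ;;
    esac
}

# Run the check; print the pending package list (or the error) and stay
# silent when nothing is pending, so cron only sends mail when it matters.
# Usage: yum_update_reminder   (intended to be invoked from cron)
yum_update_reminder() {
    out="$(yum -q check-update 2>&1)" && status=0 || status=$?
    verdict="$(check_update_verdict "$status")"
    case "$verdict" in
        updates-available)
            printf 'Updates available on %s:\n%s\n' "$(hostname)" "$out" ;;
        error)
            printf 'yum check-update failed on %s (exit %s):\n%s\n' \
                "$(hostname)" "$status" "$out" ;;
    esac
}

# Write an /etc/cron.d entry running SCRIPT at 06:15 every N days of the
# month (the */N step restarts each month, which is close enough here).
# Usage: write_yum_check_cron /etc/cron.d/yum-check-update 3 /usr/local/sbin/yum-update-reminder root
write_yum_check_cron() {
    cron_file="$1"; every_days="$2"; script="$3"; mailto="${4:-root}"
    printf 'MAILTO=%s\n15 6 */%s * * root %s\n' \
        "$mailto" "$every_days" "$script" > "$cron_file"
}
```

Install the reminder by saving yum_update_reminder as the script named in the cron line (assumed path /usr/local/sbin/yum-update-reminder) and making it executable; the "-q" keeps the mail body to the package list itself.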

SSH

  • Change the SSH port
    • /etc/ssh/sshd_config - look for "Port 22", uncomment and change the port.
    • Remember to update the iptables rules in /etc/sysconfig/iptables with the new port
    • service iptables restart (iptables-save to check the current rules include the new port)
    • service sshd restart (do not log out of existing session until you have checked you can login from a new window)
  • Set it so root cannot login using a password, only SSH keys (or not at all)
    • /etc/ssh/sshd_config - "PermitRootLogin yes" becomes "PermitRootLogin without-password" or if you're happy to not use root at all except via sudo, "PermitRootLogin no"
  • Enable denyhosts (or fail2ban if preferred) on SSH
    • Install the package and configure as appropriate
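The port change and root-login steps above, scripted as an added example that is not part of the original page. set_sshd_option replaces an existing or commented-out directive in place (sshd honours the first uncommented occurrence, which sshd_option reads back), and add_iptables_tcp_port inserts the ACCEPT rule before the first REJECT line of the CentOS 6 style /etc/sysconfig/iptables. The default paths, the port 2222 and the rule format are assumptions; each function takes the file path as an argument so the whole thing can be rehearsed on copies before touching /etc, after which "sshd -t" validates the config and the restarts follow, with the old session kept open until a fresh login works.

```shell
# Added example (not from the wiki page): apply the sshd hardening steps in a
# checkable way. Paths default to the CentOS 6 locations (assumed).

# Set "Key value" in sshd_config: rewrite an existing or commented-out
# directive in place, or append it if the file has none.
set_sshd_option() {
    cfg="$1"; key="$2"; value="$3"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$cfg"; then
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?$|$key $value|" "$cfg"
    else
        printf '%s %s\n' "$key" "$value" >> "$cfg"
    fi
}

# Print the effective value of a directive: the first uncommented
# occurrence, which is the one sshd itself uses.
# Usage: sshd_option /etc/ssh/sshd_config PermitRootLogin
sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Insert an ACCEPT rule for a TCP port before the first REJECT rule in the
# iptables-save style rules file, unless an identical rule already exists.
add_iptables_tcp_port() {
    rules="$1"; port="$2"
    rule="-A INPUT -m state --state NEW -m tcp -p tcp --dport $port -j ACCEPT"
    grep -qF -- "$rule" "$rules" && return 0
    tmp="$(mktemp)"
    awk -v rule="$rule" '!done && /-j REJECT/ { print rule; done = 1 } { print }' \
        "$rules" > "$tmp" && mv "$tmp" "$rules"
}

# Usage: harden_sshd [SSHD_CONFIG] [IPTABLES_FILE] [PORT]
harden_sshd() {
    cfg="${1:-/etc/ssh/sshd_config}"
    rules="${2:-/etc/sysconfig/iptables}"
    port="${3:-2222}"                      # assumed replacement port
    set_sshd_option "$cfg" Port "$port"
    set_sshd_option "$cfg" PermitRootLogin without-password   # or "no" for sudo-only
    add_iptables_tcp_port "$rules" "$port"
    # Then, in this order, from a session you keep open:
    #   sshd -t && service iptables restart && service sshd restart
    # and confirm "iptables-save | grep dport" lists the new port before
    # testing a login from a second window.
}
```

Only after a second window logs in on the new port should the old port 22 rule be removed from the rules file; dropping it first is the classic way to lock yourself out.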

Email

  • Ensure you don't relay email without authenticating first

Apache

  • mod_suphp for running PHP as individual users instead of as the apache user
    • remove mod_php if running mod_suphp
    • Remember to add the user/group config directive to each virtualhost
    • Activate suphp using: suPHPEngine on
  • suexec enabled for running CGI scripts as individual users
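A per-site virtualhost that combines the mod_suphp and suexec items above, generated by a small shell function, as an added example that is not from the original page. The user/group directives are mod_suphp's suPHP_UserGroup and Apache's SuexecUserGroup; the suPHP engine switch is written here under its documented spelling suPHP_Engine. The site name, user, document root and handler name x-httpd-php (the one EPEL's suphp.conf uses) are constructed for illustration.

```shell
# Added example (not from the wiki page): write a virtualhost that runs PHP
# via mod_suphp and CGI via suexec as the site owner. mod_php must not be
# loaded alongside mod_suphp, and suphp refuses scripts not owned by the
# configured user, so the docroot must belong to that user.
# Usage: write_site_vhost /etc/httpd/conf.d/www.example.com.conf www.example.com alice alice /home/alice/public_html
write_site_vhost() {
    out="$1"; domain="$2"; user="$3"; group="$4"; docroot="$5"
    cat > "$out" <<EOF
<VirtualHost *:80>
    ServerName $domain
    DocumentRoot $docroot
    # CGI under /cgi-bin/ runs as this user/group through suexec
    SuexecUserGroup $user $group
    ScriptAlias /cgi-bin/ $docroot/cgi-bin/
    <Directory $docroot>
        # PHP is handed to mod_suphp, which switches to this user/group
        suPHP_Engine on
        suPHP_UserGroup $user $group
        suPHP_AddHandler x-httpd-php
        AddHandler x-httpd-php .php
        Options -Indexes +ExecCGI
        AllowOverride None
    </Directory>
</VirtualHost>
EOF
}

# Quick sanity check that a generated vhost names the same owner for both
# mechanisms; prints "ok" or "mismatch".
vhost_owner_consistent() {
    su_line="$(awk '$1 == "SuexecUserGroup" { print $2, $3; exit }' "$1")"
    php_line="$(awk '$1 == "suPHP_UserGroup" { print $2, $3; exit }' "$1")"
    [ -n "$su_line" ] && [ "$su_line" = "$php_line" ] && echo ok || echo mismatch
}
```

After writing the file, "httpd -t" checks the syntax and "service httpd reload" activates it; the suexec side additionally requires the document root to sit under the suexec docroot compiled into httpd (see "suexec -V") and the script files to be owned by the named user.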