Securing CentOS

From Leaky
Revision as of 16:44, 18 January 2015 by Leaky (talk | contribs) (SSH: Linked to denyhosts)

Quite a bit of the information on this page applies to any Linux distribution, but paths, package names and service commands may differ on anything other than CentOS 6.

Extra repositories

Don't add extra yum repositories (EPEL, RPMforge and the like) without first installing and enabling the yum priorities plugin (yum-plugin-priorities) and giving base/updates/extras a higher priority (a lower number, typically priority=1) than any third-party repository. Without it, a third-party repository that carries a newer build of a base package silently replaces the distribution package on the next yum update, and that package then stops receiving CentOS security updates.
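
As an added example (not code from the original page), the script below audits a CentOS 6 host for the two things that make priorities work: the plugin being enabled, and every enabled repository carrying an explicit priority= line. File paths are the CentOS 6 defaults; the optional root directory argument exists only so the functions can be run against test copies of /etc.

```shell
#!/bin/bash
# Added example, not from the original page: audit yum repository priorities on
# a CentOS 6 host. With yum-plugin-priorities enabled, a repo without an
# explicit priority= line gets the default of 99 (lowest precedence), so the
# base/updates/extras repos need priority=1 and every third-party repo needs a
# larger number for the protection to mean anything. The functions take an
# optional root directory so they can be run against test copies of /etc.

# Return 0 if yum-plugin-priorities is enabled ($1 is the root dir, "" for /).
priorities_enabled() {
    conf="$1/etc/yum/pluginconf.d/priorities.conf"
    [ -f "$conf" ] && grep -Eq '^[[:space:]]*enabled[[:space:]]*=[[:space:]]*1' "$conf"
}

# Print the id of every enabled repo in $1/etc/yum.repos.d/*.repo that has no
# priority= line. A repo counts as enabled unless it carries "enabled=0".
repos_missing_priority() {
    for f in "$1"/etc/yum.repos.d/*.repo; do
        [ -f "$f" ] || continue
        awk '
            function report() { if (id != "" && enabled && !prio) print id }
            /^\[/ { report(); id = $0; sub(/^\[/, "", id); sub(/\].*/, "", id); enabled = 1; prio = 0; next }
            /^[[:space:]]*enabled[[:space:]]*=/ { split($0, a, "="); gsub(/[[:space:]]/, "", a[2]); enabled = (a[2] != "0") }
            /^[[:space:]]*priority[[:space:]]*=/ { prio = 1 }
            END { report() }
        ' "$f"
    done
}

# Print warnings and return 1 if anything needs fixing, 0 if the setup is sane.
audit_repos() {
    root="${1:-}"
    rc=0
    if ! priorities_enabled "$root"; then
        echo "WARN: yum-plugin-priorities is not enabled (yum install yum-plugin-priorities)"
        rc=1
    fi
    missing=$(repos_missing_priority "$root")
    if [ -n "$missing" ]; then
        echo "WARN: enabled repos with no priority= line (they default to 99):"
        printf '  %s\n' $missing
        rc=1
    fi
    return $rc
}

# Run the audit against the live system when executed directly as yum-audit.sh.
if [ "$(basename -- "$0")" = "yum-audit.sh" ]; then
    audit_repos ""
fi
```

Run it after adding any repository; a non-zero exit means either the plugin is off or some enabled repo is sitting at the default priority of 99, which is the state in which a third-party package can shadow a base one.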

Keep packages up to date

Set up a cron entry to run "yum check-update" every few days so it reminds you when updated packages are available; cron mails whatever the command prints to root (or MAILTO), which is enough for a reminder. The yum-cron package does the same job if you prefer: set CHECK_ONLY=yes in /etc/sysconfig/yum-cron to be notified without anything being installed automatically.
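
An added example (not from the original page) of a wrapper for that cron job. The point it demonstrates is an exit-code gotcha: yum check-update exits 100 when updates are available, 0 when there are none and 1 on error, so a script that treats every non-zero status as failure misreports the interesting case. The install path, mail recipient and schedule are assumptions.

```shell
#!/bin/bash
# Added example, not from the original page: wrapper for a cron job that runs
# "yum check-update". yum exits 100 when updates are available, 0 when there
# are none and 1 on error, so a script using set -e or "yum check-update && ..."
# would treat "updates available" as a failure. Paths, recipient and schedule
# below are assumptions.
#
# Install as /usr/local/sbin/yum-check-update.sh and schedule it from
# /etc/cron.d/yum-check-update with a line such as:
#   0 6 */3 * * root /usr/local/sbin/yum-check-update.sh

MAILTO_ADDR="${MAILTO_ADDR:-root}"

# Turn the exit status of "yum check-update" into a one-line verdict.
# Prints the verdict; returns 0 for a clean outcome (status 0 or 100), 1 on error.
classify_check_update() {
    case "$1" in
        0)   echo "up to date";        return 0 ;;
        100) echo "updates available"; return 0 ;;
        *)   echo "check failed ($1)"; return 1 ;;
    esac
}

# Run the check and mail the package list only when there is something to report
# (mail comes from the mailx package on CentOS 6).
run_check() {
    out=$(yum -q check-update 2>&1)
    status=$?
    verdict=$(classify_check_update "$status") || {
        printf '%s\n%s\n' "$verdict" "$out" | mail -s "yum check-update error on $(hostname)" "$MAILTO_ADDR"
        return 1
    }
    if [ "$status" -eq 100 ]; then
        printf '%s\n' "$out" | mail -s "Updates available on $(hostname)" "$MAILTO_ADDR"
    fi
    return 0
}

if [ "$(basename -- "$0")" = "yum-check-update.sh" ]; then
    run_check
fi
```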

SSH

  • Change the SSH port
    • /etc/ssh/sshd_config - look for "#Port 22", uncomment it and change the port. This cuts log noise from scanners; it is not a substitute for key-only login.
    • If SELinux is enforcing (the CentOS 6 default), register the new port or sshd will not be allowed to bind it: semanage port -a -t ssh_port_t -p tcp <port> (semanage is in the policycoreutils-python package)
    • Remember to update the iptables rules in /etc/sysconfig/iptables with the new port. The ACCEPT rule must sit above the final "-A INPUT -j REJECT" line: rules are evaluated in order, so a rule placed after it is never reached.
    • service iptables restart, then iptables-save (or iptables -L -n) to check the running rules include the new port
    • sshd -t to syntax-check the config, then service sshd restart (do not log out of the existing session until you have checked you can log in from a new window on the new port)
  • Set it so root cannot login using a password, only SSH keys (or not at all)
    • /etc/ssh/sshd_config - "PermitRootLogin yes" becomes "PermitRootLogin without-password" (key-only root login in the OpenSSH 5.3 that CentOS 6 ships) or, if you're happy to not use root at all except via sudo, "PermitRootLogin no". If every account uses keys, also set "PasswordAuthentication no" so password guessing gets nowhere for any user.
  • Enable denyhosts (or fail2ban if preferred) on SSH
    • Both are in the EPEL repository. Install the package and configure as appropriate. Neither helps much against an attacker spreading attempts over many source addresses, so treat them as a complement to key-only login, not a replacement.
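
The whole SSH procedure above, scripted as an added example (not code from the original page) for CentOS 6 paths. The file-editing functions take the file as an argument so they can be tried on copies first; only apply_ssh_changes touches the live host, and it runs sshd -t and checks the loaded firewall rules before restarting sshd. The port 2222 in the usage line is only an illustration.

```shell
#!/bin/bash
# Added example, not from the original page: script the SSH steps above for
# CentOS 6 paths. The file-editing functions take the file path as an argument
# so they can be run on copies; apply_ssh_changes is the only part that
# touches the live host. Port 2222 in the usage line is just an illustration.

# Set a "Key value" directive in an sshd_config file. Any existing active or
# commented-out ("#Key ...") line for that key is replaced by exactly one
# active line; if none exists the directive is appended.
set_sshd_option() {
    file="$1" key="$2" value="$3"
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        $1 == key || $1 == ("#" key) {
            if (!done) { print key " " value; done = 1 }
            next
        }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Insert an ACCEPT rule for the new SSH port into /etc/sysconfig/iptables
# (or a copy), directly above the first "-A INPUT ... -j REJECT" line. Rules
# in that file are evaluated top to bottom, so a rule placed after the REJECT
# would never be reached. Idempotent: an existing rule for the port is kept.
add_ssh_port_rule() {
    file="$1" port="$2"
    if grep -q -- "--dport $port -j ACCEPT" "$file"; then
        return 0
    fi
    tmp="$file.tmp.$$"
    if awk -v port="$port" '
        /^-A INPUT .*-j REJECT/ && !done {
            print "-A INPUT -m state --state NEW -m tcp -p tcp --dport " port " -j ACCEPT"
            done = 1
        }
        { print }
        END { if (!done) exit 1 }
    ' "$file" > "$tmp"; then
        mv "$tmp" "$file"
    else
        rm -f "$tmp"
        echo "no '-A INPUT ... -j REJECT' line in $file; add the rule by hand" >&2
        return 1
    fi
}

# Back up sshd_config, move sshd to the new port and restrict root to keys.
harden_sshd_config() {
    file="$1" port="$2"
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    set_sshd_option "$file" Port "$port"
    set_sshd_option "$file" PermitRootLogin without-password
}

# Apply everything on a live CentOS 6 host. Keep the current session open and
# confirm a fresh login on the new port before closing it. SELinux must be told
# about the new port (semanage is in policycoreutils-python) or sshd cannot
# bind it; sshd -t catches config typos before the restart.
apply_ssh_changes() {
    port="$1"
    harden_sshd_config /etc/ssh/sshd_config "$port" || return 1
    add_ssh_port_rule /etc/sysconfig/iptables "$port" || return 1
    if command -v semanage >/dev/null 2>&1; then
        semanage port -a -t ssh_port_t -p tcp "$port" 2>/dev/null ||
            semanage port -m -t ssh_port_t -p tcp "$port"
    fi
    service iptables restart
    iptables-save | grep -q -- "--dport $port " || { echo "iptables rule for port $port missing" >&2; return 1; }
    sshd -t || { echo "sshd_config has errors, not restarting sshd" >&2; return 1; }
    service sshd restart
}

# Usage when saved as harden-ssh.sh: ./harden-ssh.sh 2222
if [ "$(basename -- "$0")" = "harden-ssh.sh" ]; then
    apply_ssh_changes "${1:?usage: $0 PORT}"
fi
```

The rule is inserted above the REJECT rather than appended because /etc/sysconfig/iptables is a saved rule set in evaluation order; appending after "-A INPUT -j REJECT" is the classic way to lock yourself out while iptables-save still shows the new port.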

Email

  • Ensure you don't relay email for anyone who hasn't authenticated or isn't on a trusted local network. With Postfix (the CentOS 6 default MTA) that means smtpd_recipient_restrictions only grants relaying via permit_mynetworks and permit_sasl_authenticated, followed by reject_unauth_destination, and that mynetworks lists only the hosts you actually trust. An open relay is found and abused for spam quickly, and the server's address ends up on blacklists.
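
An added example (not from the original page) that checks a Postfix main.cf for the open-relay mistakes described above: a permit entry ahead of reject_unauth_destination, reject_unauth_destination missing altogether, or a mynetworks that trusts the whole Internet. The main.cf files it is tested against are constructed; on a real CentOS 6 box point it at /etc/postfix/main.cf and compare with "postconf smtpd_recipient_restrictions mynetworks", which also shows values that are not set explicitly.

```shell
#!/bin/bash
# Added example, not from the original page: check a Postfix main.cf (Postfix
# is the default MTA on CentOS 6) for settings that turn the server into an
# open relay. Relaying must only be granted to trusted networks
# (permit_mynetworks) or authenticated clients (permit_sasl_authenticated), and
# reject_unauth_destination has to appear in smtpd_recipient_restrictions
# before any other permit entry, because evaluation stops at the first match.
# The sample main.cf files used for testing are constructed.

# Print the value of a main.cf parameter ($2) from the file ($1), joining
# continuation lines (Postfix continues a value on lines starting with
# whitespace). Prints nothing if the parameter is not set explicitly.
postfix_param() {
    awk -v key="$2" '
        /^[[:space:]]/ { if (found) val = val " " $0; next }
        { if (found) exit }
        $0 ~ ("^" key "[[:space:]]*=") { found = 1; sub(/^[^=]*=[[:space:]]*/, ""); val = $0 }
        END { if (found) { gsub(/[[:space:]]+/, " ", val); print val } }
    ' "$1"
}

# Return 0 if the relay-related settings look safe, 1 otherwise, printing one
# UNSAFE line per finding. Unset parameters are treated as the Postfix 2.6 defaults.
check_relay_restrictions() {
    main_cf="$1"
    rc=0
    restr=$(postfix_param "$main_cf" smtpd_recipient_restrictions)
    if [ -z "$restr" ]; then
        restr="permit_mynetworks, reject_unauth_destination"
    fi
    seen_reject=0
    for item in $(printf '%s' "$restr" | tr ',' ' '); do
        case "$item" in
            reject_unauth_destination) seen_reject=1 ;;
            # These only permit trusted/authenticated clients or local delivery.
            permit_mynetworks|permit_sasl_authenticated|permit_auth_destination) ;;
            # Any other permit before the reject ends evaluation with PERMIT.
            permit|permit_*)
                if [ "$seen_reject" -eq 0 ]; then
                    echo "UNSAFE: $item comes before reject_unauth_destination and grants relaying"
                    rc=1
                fi ;;
        esac
    done
    if [ "$seen_reject" -eq 0 ]; then
        echo "UNSAFE: reject_unauth_destination missing from smtpd_recipient_restrictions"
        rc=1
    fi
    nets=$(postfix_param "$main_cf" mynetworks | tr ',' ' ')
    case " $nets " in
        *" 0.0.0.0/0 "*) echo "UNSAFE: mynetworks trusts the whole Internet"; rc=1 ;;
    esac
    return $rc
}

# Usage when saved as postfix-relay-check.sh: ./postfix-relay-check.sh [/etc/postfix/main.cf]
if [ "$(basename -- "$0")" = "postfix-relay-check.sh" ]; then
    check_relay_restrictions "${1:-/etc/postfix/main.cf}"
fi
```

A clean result from this check is necessary, not sufficient: the definitive test is to connect from outside mynetworks without authenticating and try to send to a domain the server is not responsible for, which should get "554 Relay access denied".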

Apache

  • mod_suphp for running PHP as individual users instead of everything running as apache
    • remove mod_php if running mod_suphp: on CentOS 6 that means removing the php package (it owns libphp5.so and /etc/httpd/conf.d/php.conf) and installing php-cgi, which suPHP executes, so that PHP cannot also be served by mod_php as the apache user
    • Remember to add the user/group directive to each virtualhost: suPHP_UserGroup user group
    • Activate suPHP using: suPHP_Engine on (the directive name has an underscore; "suPHPEngine" is not recognised)
  • suexec enabled for running CGI scripts as individual users, with SuexecUserGroup user group in each virtualhost
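
An added example (not code from the original page or the suPHP project) that audits an Apache configuration for the two suPHP mistakes above: a VirtualHost block without its own suPHP_UserGroup, and mod_php still loaded alongside mod_suphp. The paths in audit_suphp are the CentOS 6 defaults; the config snippets in the test are constructed.

```shell
#!/bin/bash
# Added example, not from the original page: audit an Apache configuration for
# VirtualHost blocks that lack a suPHP_UserGroup directive and for mod_php
# (php5_module) still being loaded alongside mod_suphp. Paths in audit_suphp
# are the CentOS 6 defaults; config snippets used for testing are constructed.

# For every <VirtualHost> block in the given files that has no suPHP_UserGroup
# directive, print "file:line ServerName" (line of the opening tag). Apache
# directive names are case-insensitive, hence the tolower() comparisons.
vhosts_missing_usergroup() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            tolower($1) ~ /^<virtualhost/ { inv = 1; start = NR; name = "(no ServerName)"; ug = 0; next }
            inv && tolower($1) == "servername" { name = $2 }
            inv && tolower($1) == "suphp_usergroup" { ug = 1 }
            inv && tolower($1) == "</virtualhost>" { if (!ug) print file ":" start " " name; inv = 0 }
        ' "$f"
    done
}

# List the PHP-related Apache modules actually loaded (commented-out LoadModule
# lines are ignored). php5_module present means the php package is still
# installed and mod_php can still serve PHP as the apache user.
php_modules_loaded() {
    grep -h -E '^[[:space:]]*LoadModule[[:space:]]+(php5_module|suphp_module)[[:space:]]' "$@" 2>/dev/null |
        awk '{ print $2 }' | sort -u
}

# Combined report over the live CentOS 6 config; returns 1 if anything is off.
audit_suphp() {
    rc=0
    files="/etc/httpd/conf/httpd.conf /etc/httpd/conf.d/*.conf"
    missing=$(vhosts_missing_usergroup $files)
    if [ -n "$missing" ]; then
        echo "VirtualHosts without suPHP_UserGroup:"
        echo "$missing"
        rc=1
    fi
    if php_modules_loaded $files | grep -qx php5_module; then
        echo "mod_php (php5_module) is still loaded; remove the php package or its LoadModule line"
        rc=1
    fi
    return $rc
}

if [ "$(basename -- "$0")" = "suphp-audit.sh" ]; then
    audit_suphp
fi
```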