Out of the box, servers are often insecure and come with outdated software. In this guide we will be going through the basics of what you need to do to secure a server. This guide applies to CentOS 7 and was last updated April 2019.
1. Updates! Updates! Updates!
The first thing you need to focus on is updates. Ensuring your server is up to date is key, and you need to make sure you do this regularly. Downtime in the name of security is justifiable, but with the correct configuration and redundancy you can avoid downtime too (but that’s for another blog post).
To update in CentOS, run:
sudo yum update && yum upgrade
2.1 – Install the firewall
My preference for a firewall for beginners is CSF + LFD (ConfigServer Firewall + Login Failure Daemon). To install CSF you’ll need to run the following commands:
sudo yum install wget nano perl-libwww-perl.noarch perl-Time-HiRes
Enter the /usr/src folder:
Download the CSF tarball:
Extract and install:
tar -xzf csf.tgz cd csf sh install.sh
Run the test to see if the server should be compatible:
cd /usr/local/csf/bin/ perl csftest.pl
The result should be:
# perl csftest.pl Testing ip_tables/iptable_filter...OK Testing ipt_LOG...OK Testing ipt_multiport/xt_multiport...OK Testing ipt_REJECT...OK Testing ipt_state/xt_state...OK Testing ipt_limit/xt_limit...OK Testing ipt_recent...OK Testing xt_connlimit...OK Testing ipt_owner/xt_owner...OK Testing iptable_nat/ipt_REDIRECT...OK Testing iptable_nat/ipt_DNAT...OK RESULT: csf should function on this server
2.2 – Configure the firewall
Now the firewall is installed, you need to configure it. This basic configuration will allow incoming traffic on a number of ports, you should edit the csf.conf file later to lock this down.
cd /etc/csf # Enter the CSF directory cp csf.conf csf.conf.bak # Back up the existing csf.conf file sed -i 's/TESTING = "1"/TESTING = "0"/g' csf.conf # Turns Testing mode off
Next, we’ll disable the existing firewall service and enable CSF.
systemctl stop firewalld # Stop firewalld systemctl disable firewalld # Disable firewalld from starting at boot systemctl start csf # Start the new CSF firewall systemctl enable csf # Enable CSF on boot systemctl start lfd # Start LFD systemctl enable lfd # Enable LFD on boot
You can whitelist your IP address to prevent you from getting locked out if you have too many incorrect password attempts, but only do this if you have a static IP. Do this by running:
csf -a 126.96.36.199 # Replace 188.8.131.52 with your IP Address (v4 or v6)
Once making a change, restart CSF with:
3. Secure SSH
Securing SSH is the next important aspect. I’m going to assume you are already connecting to your server using public key auth with your own user in the wheel group (AWS, DigitalOcean, Azure, Linode use this by default) – if you aren’t using public key auth, do so.
We’re going to disable root login and disable login by passwords. This will prevent hackers from brute-forcing their way in over SSH to the default root account.
cp /etc/ssh/sshd_config /etc/ssh/sshd_config_backup echo "PasswordAuthentication no" >> /etc/ssh/sshd_config echo "PermitRootLogin no" >> /etc/ssh/sshd_config
In the future, we will release a blog post on achieving PCI Compliance to achieve baseline security, keep your eyes peeled or follow us on Twitter (@cyberhatch).