This is a quick tutorial on how to secure CentOS 6.5. It does not go into details and should only be used as a quick solution.
1. Enable Auto Updates

Install yum-cron:

```
yum -y install yum-cron
```

Review the config file, start the service, and set the service to auto start:

```
chkconfig yum-cron on
```
2. Securing root

You should not be logging in as root, so first let's create a user:

```
# useradd [user]
```

Now let's give sudo access to that user by calling `visudo` and adding your user (last line):

```
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
[user]  ALL=(ALL)       ALL
```

Restrict root login to tty1:

```
echo "tty1" > /etc/securetty
```

Remove access to /root for everyone other than root:

```
chmod 700 /root
```
3. Securing SSH

Let's set up your SSH keys. See this tutorial on how to. Make sure you create the keys as the user and not as root.

Make sure you can log in as the user with the new keys without being prompted for a password.

Now let's edit `/etc/ssh/sshd_config` as root and make the following changes:

- Enable IPv4 only
- Root cannot log in via SSH
- Users cannot log in with a password (we will be using the SSH keys)
- Only allow a specific user to log in

```
AddressFamily inet
PermitRootLogin no
PasswordAuthentication no
AllowUsers [user]
```
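The four sshd_config changes above as a small script, added here as an example and not part of the original tutorial. It assumes the file path and the allowed user name are passed as arguments, keeps a backup of the file, and asks sshd to parse the result before you restart it.

```sh
#!/bin/sh
# Added example, not part of the original tutorial: apply the four sshd_config
# settings from step 3 to a file, keeping a backup, and optionally syntax-check
# the result. Assumed usage: harden_sshd_config /etc/ssh/sshd_config alice

# Set one directive exactly once: remove every active or commented-out line for
# the keyword (sshd keywords are case-insensitive), then append "key value".
# Lines inside Match blocks are not treated specially; review those by hand.
set_directive() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    grep -Evi "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|\$)" "$file" > "$tmp" || true
    printf '%s %s\n' "$key" "$value" >> "$tmp"
    # Write back through the existing file so its owner and mode are preserved
    cat "$tmp" > "$file" && rm -f "$tmp"
}

harden_sshd_config() {
    file=$1; user=$2
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    [ -n "$user" ] || { echo "usage: harden_sshd_config FILE USER" >&2; return 1; }
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"   # rollback copy
    set_directive "$file" AddressFamily inet
    set_directive "$file" PermitRootLogin no
    set_directive "$file" PasswordAuthentication no
    set_directive "$file" AllowUsers "$user"
}

# Ask sshd to parse the edited file before it is restarted; a rejected config
# would otherwise leave the daemon unable to start on the next restart.
check_sshd_config() {
    command -v sshd >/dev/null 2>&1 || { echo "sshd not installed here" >&2; return 1; }
    sshd -t -f "$1"
}

# Number of active (uncommented) lines for a keyword; should be 1 after hardening.
active_count() {
    grep -Eci "^[[:space:]]*$2([[:space:]]|\$)" "$1" || true
}

# On the real host (as root), with the key-based login from above already verified:
#   harden_sshd_config /etc/ssh/sshd_config alice && check_sshd_config /etc/ssh/sshd_config \
#     && service sshd restart
```

Keep your current session open while sshd restarts and confirm a fresh key-based login from a second terminal before closing it, since a mistake in AllowUsers or PasswordAuthentication locks you out.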
4. Disable IPv6

Disable IPv6 if you are not using it. Edit `/etc/sysctl.conf` by adding the lines below to the end of the file:

```
# Disable IPv6
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
```
5. Setup TCP Wrappers

This section only applies if your server is accessed by a known list of people from specific locations. If your server needs to be open to the public, skip this part.

Find out what IP ranges your ISP uses (you can use a site like http://ipchicken.com/ to find out your current IP). Do this on all the devices you will use to connect to this server (via SSH, telnet, web browser, sftp, anything), including your phone.

Edit `/etc/hosts.allow` by adding an `ALL:` line followed by the leading digits of the IP addresses you will connect from, ending with a dot so that every address starting with those digits matches. For example, my file allows me to access from my ISP at home, by VPN and from my work.

```
# (Rogers)
ALL: 99.
# VPN
ALL: 192.50.
# Work
ALL: 226.
```

You can also limit a rule to a service, like SSH or httpd:

```
httpd: 99.
sshd: 192.50.
```
Now add a