Monday, November 17, 2014

How to Quickly Secure CentOS 6.5

This is a quick tutorial on how to secure CentOS 6.5. It does not go into details and should only be used as quick solution.

1. Enable Auto Updates

Install “yum-cron”
yum -y install yum-cron
Review the config file
vim /etc/sysconfig/yum-cron
Start the service
/etc/init.d/yum-cron start
Set the service to auto start
chkconfig yum-cron on

2. Securing root

You should not be logging in as root. So first lets create a user
# useradd [user] 
Now let's give sudo access to that user by calling visudo and adding your user (last line)
## Allow root to run any commands anywhere 
root    ALL=(ALL)   ALL
[user]  ALL=(ALL)   ALL
Restrict root login to tty1
echo "tty1" > /etc/securetty
Remove read access from /root
chmod 700 /root

3. Securing SSH

Let's setup your SSH keys. See this tutorial on how to. Make sure you create the keys as the user and not root.
Make sure you can login as the user with the new keys and without being prompted for a password.
Now let's edit /etc/ssh/sshd_config as root and make the following changes:
  • Enable IPv4 only
  • Root cannot login via SSH
  • Users cannot login with password (we will be using the SSH keys)
  • Only allow a specific user to login
AddressFamily inet
PermitRootLogin no
PasswordAuthentication no
AllowUsers [user]

4. Disable IPv6

Disable IPv6 if you are not using it. Edit /etc/sysctl.conf by adding the lines below to the end of the file
# Disable IPv6
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1

5. Setup TCP Wrappers

This section will only be used if your server is accessed by a known list people from specific locations. If your server needs to be open to the public, skip this part.
Find out what IPs your ISP uses (you can use a site like http://ipchicken.com/ to find out your current IP). Do this on all the devices you will use to connect to this server (either via SSH, telnet, web browser, sftp, anything), including your phone.
Edit /etc/hosts.allow by adding a ALL: followed by the first set of digits of the IP you will use. For example, my file allows me to access from my ISP at home, by VPN and from my work.
# (Rogers)
ALL: 99.

# VPN 
ALL: 192.50.

# Work
ALL: 226.
You can also limit it to a service, like SSH and httpd
httpd: 99.

sshd: 192.50
Now add a ALL: ALL to /etc/hosts.deny
ALL: ALL

No comments: