Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Sign In with OpenID
Advertise on LowEndTalk.com

In this Discussion

[GUIDE] Basic CentOS / RedHat 6 Server Hardening / csf install / epel install

[GUIDE] Basic CentOS / RedHat 6 Server Hardening / csf install / epel install

GoodHostingGoodHosting Member
edited January 2014 in Tutorials

[0] Introduction / Preface

First, I'm going to preface this guide with my assumptions and base level knowledge going into this guide. My "assumptions" are things that I assume to be correct, and the "base level knowledge" is a collection of things you should know how to do, or research to learn how to do; first.

Assumptions:

  • You are working with a CentOS Linux 6.x or RedHat Linux 6.x Dedicated Server or Virtual Private Server running either on dedicated hardware, or inside a KVM hypervisor. Some things in this guide may not work correctly in OpenVZ due to the lack of abstraction present.
  • You are the superuser (root) and own the machine you are messing with.
  • If all else fails, you have a way to reinstall your machine (if you screw something up, or somehow lock yourself out of the machine.)
  • This guide is written from a clean installation of CentOS 6.4 x86_64 Minimal. If you have more or less packages than this already, you may run into problems.


Base Level Knowledge:

  • You should know your way around the linux command line, with command such as ls, cd, tar, wget, md / mkdir, rm etcetera. This is not a "Linux 101" guide.
  • You should know how to connect to a Linux server remotely, either by using SSH, VNC, Putty/Kitty, or some other toolkit. (again, this is not "Linux 101".)

[1] Update your system

You should always keep your Linux system up-to-date. CentOS and RedHat flavours of Linux (and a few others) come with a utility called yum which stands for Yellowdog Updater Modified which is just some unimportant trivia.

You can update your Linux system at any time by running the following command:

[[email protected] ~]# yum update

You can also use the synonym yum upgrade. If you're lazy and don't want to have to agree to anything, simply add -y:

[[email protected] ~]# yum upgrade -y

[2a] (Optionally) Secure SSHd service

Please note: On multi-user systems (those in which you are not the only one using it) this could be considered a security risk, or do more harm than good. This is a step that should only be taken if you understand what the implications are, or if you are the only person that will be using your server. The most secure thing you can do is disable SSH entirely, if you only use the console (VNC) to control your server; and this is advise in all cases whenever possible.

[[email protected] ~]# nano /etc/ssh/sshd_config

If you do not have nano, you can use any other text editor such as vi, emacs etcetera. nano however is by far the simplest to use and exit. If your system did not come pre-installed with nano you can install it with the command yum install nano.

Now, you're specifically looking for the line that starts with Port. It might be commented out (preceeded by a hash mark (#)), simply delete the hash mark and change the number after the space from 22 to some other port that is not currently in use (such as 6418, 5871 or 9915.)

Some more important things to change in this file, are explained in section [4] "Security through: Why? Just Why!?"

To save and exit, proceed to press Ctrl+X then y then the <enter> key. If you are not using nano, you'd better well know how to exit your chosen editor.

After making this change, restart your SSH service:

[[email protected] ~]# service sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]

[2b] (Optionally) Disable SSHd Entirely

Please Note: Disabling SSH will stop you from being able to use the SSH utility to connect to this server. You will not be able to use kitty / putty or SCP / SFTP either; unless you replace these functions in other ways not covered in this guide. This is the most secure option (more secure than changing the port), but can lead to reduced means of access entirely; or locking yourself out of your server, if you do not have any other way in.

The easiest way to disable SSH entirely is to stop the service, and disable the runlevel as follows:

[[email protected] ~]# service sshd stop
Stopping sshd:                                             [  OK  ]
[[email protected] ~]# chkconfig sshd off

[3] Install Configserver Security & Firewall (csf)

Configserver Security & Firewall is an exceptionally well compiled selection of scripts to help generate and easily manage firewall and blocklist rules for many authenticated services on a *nix-based system. CSF runs well on a CentOS / RedHat machine, with or without cPanel; and works by managing PAM authentication rules, as well as your firewall iptables.

Installation of CSF is straight-forward as documented:

[[email protected] ~]# wget http://www.configserver.com/free/csf.tgz
[[email protected] ~]# tar -xzf csf.tgz ; cd csf ; sh install.sh

And as the documentation says...

That's it. You can then configure csf and lfd by reading the documentation and
configuration files in /etc/csf/csf.conf and /etc/csf/readme.txt directly or
through the csf User Interface.

csf installation for cPanel and DirectAdmin is preconfigured to work on those
servers with all the standard ports open.

csf auto-configures your SSH port on installation where it's running on a non-
standard port.

csf auto-whitelists your connected IP address where possible on installation.

There are many more things you can do to further secure your installation, these are just the basic things I do before going on to other steps.

Another nice (but optional) step, is that you can install other repositories; such as EPEL (Extra Packages for Enterprise Linux):

[[email protected] ~]# wget dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
[[email protected] ~]# rpm -ivh epel-release-6-8.noarch.rpm

[4] Security through: Why? Just Why!?

Please note: This section does not apply to you if you followed step [2b] above. Following the steps in this section will make your machine much harder for anyone to access, including yourself.

[4a] Switching over to Public-key Authentication

First, you should generate a keypair:

[[email protected] ~]# ssh-keygen -t rsa

You can (generally) safely accept all default options thrown at you.

Then proceed to secure and install the key you've just generated:

[[email protected] ~]# chmod 700 ~/.ssh
[[email protected] ~]# chmod 600 ~/.ssh/id_rsa
[[email protected] ~]# cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

You will need to download the private key to your computer, if you're connecting via an SSH client already, the easiest way is to read it to the screen; and copy-paste it into a text-file on your computer. If you have WinSCP, you can use this instead as well.

[[email protected] ~]# cat ~/.ssh/id_rsa

The server does not need to keep the private key, only the public one; so you can safely delete the private key from the server once you have verified that connecting with it does in fact work.

Once you have configured key authentication, you should disable password authentication by opening your SSH configuration file at /etc/ssh/sshd_config again and making the following change:

PasswordAuthentication no

You may have to remove the pre-ceeding hashmark (if any) to uncomment this command line, and change the "yes" to "no" as in the example above.

After making this change, restart your SSH service:

[[email protected] ~]# service sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]

Acting Director of Albino Geek Services Ltd. My Keybase ID ( gh )
GoodHosting.co | Enterprise KVM Virtual Private Servers | Twitter / Status : @ GoodHostingCo

Thanked by 1jmginer

Comments

Sign In or Register to comment.