Any good CentOS 7 hardening scripts/instructions?
I'm giving CentOS 7 a try. Does anyone have good hardening scripts/instructions that they can recommend? I've primarily used Ubuntu and have scripts for that, but I haven't quite gotten them to work in CentOS.
Edit: Forgot to mention that I found a script from Limestone Networks and a tutorial from Goodhosting. They both seemed to take care of some basics, but I wanted other opinions as well.
Comments
if [ -f /etc/redhat-release ] ; then
echo Use Debian.
:-P
I thought most hosts use CentOS?
A lot of hosts (like us) use CentOS as it's a nice, easy and efficient distro.
As for scripts, just have a good ol' Google and you should find anything you need.
We use CentOS (Well, CloudLinux), only when it's absolutely necessary. 99% of the time for cPanel servers. Everything, Debian =
Here is an example of why asking for advice on the Internet isn't always a good idea . . .
change ssh port, enforce selinux, use ssh keys, disable direct root login
http://linoxide.com/how-tos/linux-server-protection/
inb4 discussion about changing ssh port and why it's bad etc..
OT: firewall anything incoming & outgoing you're not using; some IDS like fail2ban, keep stuff up to date and 1) KNOW what you are running or 2) contain the parts you are not sure about to a separate environment
http://centminmod.com is great (CSF Firewall and some other nice stuff included)
Edit: CentOS 7.0 support is coming soon
I made some instructions for CentOS beginners, but unfortunately they were for CentOS 6. Some parts will have changed due to systemd.
IIRC the default firewall is mostly closed in CentOS (not wide open, like Debian), and SELinux is in enforcing mode by default.
The bit about disabling password authentication and preventing root login still applies, though.
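An added example, not from any poster in this thread: a small check that an sshd_config explicitly disables root login and password authentication, the two SSH settings recommended above. The function names and sample configs are constructed for illustration, and it assumes a single config file with no Include directives.

```bash
#!/usr/bin/env bash
# Added example: check an sshd_config for the two SSH settings the thread recommends.
# It reads only the file; on a live host `sshd -T` prints the effective config.

# Print the first global value of keyword $1 in file $2 (lowercased, empty if unset).
# sshd keeps the first value it reads for a keyword, and keywords are case-insensitive.
sshd_value() {
  awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    { sub(/^[ \t]+/, "") }                   # drop leading whitespace
    /^#/ || /^$/ { next }                    # skip comments and blank lines
    { match($0, /^[^ \t=]+/)                 # keyword ends at whitespace or "="
      key = tolower(substr($0, 1, RLENGTH))
      rest = substr($0, RLENGTH + 1)
      sub(/^[ \t]*=?[ \t]*/, "", rest)       # accept "Key value" and "Key=value"
      split(rest, f, /[ \t]+/) }
    key == "match" { exit }                  # Match blocks are conditional: stop here
    key == want { print tolower(f[1]); exit }
  ' "$2"
}

# Report each setting that is not explicitly "no"; return 1 if there is any finding.
audit_sshd() {
  local file=$1 rc=0 key got
  for key in PermitRootLogin PasswordAuthentication; do
    got=$(sshd_value "$key" "$file")
    if [ "$got" != "no" ]; then
      echo "FINDING: $key is '${got:-unset}', expected 'no'"
      rc=1
    fi
  done
  return $rc
}

# Constructed sample configs (not taken from any real host).
tmp=$(mktemp -d)
printf '%s\n' '#PermitRootLogin yes' 'permitrootlogin no' 'PermitRootLogin yes' \
  'PasswordAuthentication=no' > "$tmp/hardened"
printf '%s\n' 'PermitRootLogin no' 'Match User backup' \
  '  PasswordAuthentication no' > "$tmp/weak"

audit_sshd "$tmp/hardened" && echo "hardened: OK"
audit_sshd "$tmp/weak" || echo "weak: needs work"
```

The second sample fails because its only PasswordAuthentication line sits inside a Match block, so it applies to one user and leaves the global setting unset.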
CentOS is a clone of RHEL, thus enterprise Linux. You're supposed to be an enterprise-level administrator to use it. That's why I always recommend Debian for hobby use.
That's the funniest thing I have read today.
@drserver the SSH port is a no go
As shown here
@MCHPhil
And it begins
DrSSHPhil.
Moving the port does help to reduce noise in the log file.
But yes I agree that it's not about security.
In a way it is, since 22 is default/well known; once changed you're less susceptible to brute force password attacks.. that is if you haven't changed to SSH keys..
@drserver @LES
Thank you for the suggestions and the links, I'll take a look at them. Seems like not a whole lot of differences to Ubuntu. Should be an easy modification from my existing Ubuntu scripts.
@bertan
Do you have a link to your guide?
@sumo
Bear in mind I was trying to write something for complete beginners. It may be too simple for your purposes:
http://members.shaw.ca/bertan/Virtual-Private-Server-VPS-Quick-Start-Guide.pdf