Skip to main content

Cybercrime is on the rise and is expected to maintain its rapid growth in the coming years. Some would even argue that it will soon become the number one threat to the global economy.

That’s why businesses should take cybersecurity seriously and do their best to stay up to date with the latest security standards.

In this article, we bring you a step-by-step guide on how to secure CentOS 8.

Why Is CentOS Security Important?

Linux distributions, such as CentOS, are some of the most secure operating systems available today. But that doesn’t mean you shouldn’t take the proper measures to secure them further.

While private users might get away with the default CentOS settings, businesses are more likely to be targeted by cybercriminals. So if you’re a business owner, make CentOS 8 security one of your top priorities.

Linux server hardening will protect your business from unplanned downtime and data breaches. But more importantly, it will protect it from the worst consequences of cyberattacks, including lawsuits and reputation damage.

How To Harden CentOS 8?

CentOS 8 was first introduced in 2019 as a major upgrade to the CentOS operating system. This upgrade brought a whole host of changes to CentOS, such as the addition of the DNF package manager and the nftables firewall.

However, securing CentOS 8 is not much different than securing its previous versions. Just follow our step-by-step guide below, and you will secure CentOS 8 in no time.

Secure SSH Access

The first step in any CentOS server hardening guide should be to secure SSH access.

If a hacker can log into your server over SSH, they will have unlimited access to it. That’s why hardening SSH access is the number one security measure you should take.

Here’s how you can improve your SSH security in three steps.

1. Disable the root login.

On CentOS, the root account login is disabled by default. In case you enabled it, you should disable it by setting the PermitRootLogin value to no in the etc/ssh/sshd_config file.

Disable the root login

Now restart sshd to apply the changes.

sudo systemctl restart sshd

2. Change the default SSH port

Setting a custom SSH port will filter out any non-targeted SSH attacks. To do this, you would uncomment and replace port 22 in etc/ssh/sshd_config.

Change the default SSH port

Remember to restart sshd to apply the changes.

sudo systemctl restart sshd

3. Replace password authentication with SSH keys.

Given enough time, any password can be cracked with a brute force attack. To prevent this, you should switch to using SSH keys instead.

First, create a new SSH key pair.

ssh-keygen
Replace password authentication with SSH keys

Then check the private SSH key and write it down or copy its file to another device.

check the private SSH key

Now disable password authentication by setting the PasswordAuthentication value to no in the etc/ssh/sshd_config file.

disable password authentication by setting the PasswordAuthentication value

Finally, restart sshd to apply the changes.

sudo systemctl restart sshd

In the future, when you need to log in to the server, use the -i flag with the ssh command to specify the key file. As usual, remember to replace $username@hostname with a Linux username and a server hostname/IP.

ssh -i /path/to/key $username@hostname

Enable SELinux

SELinux is a security module that allows you to set custom restrictions for every application on your system. You can use it to limit everything from network access to read and write permissions. It comes preinstalled and enabled on CentOS.

1. Check if SELinux is enabled.

sudo sestatus
Check if SELinux is enabled

2. Enable SELinux.

To enable SELinux, you need to edit its configuration file etc/selinux/config and change the SELINUX value from disabled to enforcing or permissive.

 

Enable SELinux

Remember to reboot your server to apply the changes.

sudo reboot

3. Set the right mode of operation.

SELinux can run in two different modes: enforcing or permissive. Enforcing is the default mode that applies the security policy to the entire server. Permissive mode, on the other hand, doesn’t actually enforce the rules. Instead, it just logs any potential denials that the enforcing mode would give, making it better for testing purposes.

To check the currently active mode of operation and switch between them, you can use the following commands.

Set the right mode of operation

Configure the Firewall

You should protect your server’s unused ports with a firewall solution such as firewalld. This firewall comes preinstalled on CentOS, and it’s enabled by default. It’s essential for Linux server hardening.

1. List the open ports and services

First, take a look at which services and ports are allowed to accept connections.

sudo firewall-cmd --list-all
List the open ports and services

2. Configure the firewall to allow HTTP and HTTPS connections.

By allowing HTTP and HTTPS connections, you are opening your websites and apps to visitors. This is an essential step for production environments.

sudo firewall-cmd --zone=public --permanent --add-service=http
sudo firewall-cmd --zone=public --permanent --add-service=https
Configure the firewall to allow HTTP and HTTPS connections

Finally, restart firewalld to apply the changes.

sudo firewall-cmd --reload

3. Configure the firewall to allow all connections from specific IPs.

This step allows you to whitelist the IPs of any administrators or developers who frequently use the server. In turn, they never have to worry about getting blocked and losing access.

sudo firewall-cmd --zone=trusted --permanent --add-source=#.#.#.#
Configure the firewall to allow all connections from specific IPs

There are many other useful firewall rules and commands that you can use for CentOS security hardening. To learn more about them, read the firewalld manual pages.

As always, remember to restart firewalld to apply the changes.

sudo firewall-cmd --reload

Run Regular Backups

Taking all security precautions is essential if you want to reduce the chances of getting hacked to a minimum. But you need to remember that no computer system is 100% secure.

Not to worry, that’s what backups are here for, and you can restore them as soon as you discover that a system is compromised. Just make sure to configure them properly to keep your CentOS secure.

Here are some things to keep in mind if you want to get the most out of your backup configuration.

1. Keep your backups in different physical locations.

While cybercriminals usually operate remotely, sometimes they can actually steal your physical backups. Furthermore, a data center where your server and backups are located could fall victim to a fire hazard.

That’s why you should always keep your backups in at least two physical locations to keep your CentOS secure.

2. Keep yearly, monthly, weekly, and daily backups.

You might get lucky and realize your system was compromised as soon as it happens. In such a case, the default daily or weekly backups are just what you need to get things back to normal.

However, it can sometimes take months before you finally realize your system was compromised. What’s even worse is that some malware infections are impossible to resolve without permanent data loss.

To prevent such issues from affecting you, make sure to keep older versions of your backups instead of just recent ones. That’s exactly what monthly and yearly backups are for.

3. Back up the whole system

In a lot of cases, people prioritize the /home or /var directories as that’s where their websites and applications are stored. But in fact, it’s almost as important to backup up your entire system as well.

Just think about it for a moment. How long will it take you or your administrators to install and configure all the necessary software on a new system once you get compromised? Not to mention how long it will take your firewalls to collect the same IPs and provide the same level of protection as before.

 

Update Everything

To keep your CentOS secure, make sure to run regular updates. This includes package repository information, installed packages, and all manually installed software.

You can install and update any element of your server stack, such as Apache, MySQL, and PHP, as a package. However, any software that you manually download, such as a CMS (content management system), will need to be updated manually.

1. Update the package information

sudo dnf check-update
Update the package information

2. Update all packages

If you’re satisfied with the output, you can proceed to upgrade all packages.

sudo dnf update
Update all packages

If not, you can update any individual packages one by one. Remember to replace $packagename with the name of each package.

sudo dnf update $packagename

3. Update your CMS, plugins, and any other manually installed software.

Keeping your Linux system up to date is important, but don’t forget about your CMS.

CMS systems, such as WordPress or Magento, are made out of many moving parts developed by different companies. While their modular nature brings a whole host of benefits, it’s also what makes them vulnerable to various attacks. This is an important part of Linux server hardening.

To keep all manually installed software up to date, read its official documentation.

Remove Unused Packages

Unused packages unnecessarily increase your exposure to potential exploits. That’s why you should find and remove them to keep your CentOS secure.

1. Find and remove unused packages with autoremove.

sudo dnf autoremove
Find and remove unused packages with autoremove

2. Find and remove temporary files.

sudo dnf clean all
Find and remove temporary files

Use Strong Passwords

Setting strong passwords is a critical part of Linux server hardening. Strong passwords are made out of a long randomized string of upper case letters, lower case letters, numbers, and symbols. They shouldn’t include any words or dates.

Furthermore, you should also make sure that all users update their passwords frequently. Password policies significantly reduce the risk of brute force attacks by preventing users from reusing the same passwords for multiple services.

1. Use pwgen to generate a strong password.

Install pwgen.

sudo dnf install pwgen
Use pwgen to generate a strong password

Generate a list of passwords using the -ys flag, where y means include symbols, and s is used to generate a highly secure password string.

pwgen -ys 20
Generate a list of passwords

2. Set a password expiration policy.

Use the etc/login.defs file to set a shorter password expiration policy, such as 30 to 90 days.

  • PASS_MAX_DAYS is the number of days after which a password will expire.
  • PASS_MIN_DAYS is the number of days that need to pass before a password can be changed.
  • PASS_WARN_AGE is the number of days warnings will be shown on log-in before the password expires. This feature doesn’t extend the PASS_MAX_DAYS expiration.
Set a password expiration policy

3. Apply the new policy to existing users.

When you set a new policy, it only affects new users. To check the policy of an existing user, you would use chage -l command while replacing $username with the Linux user.

sudo chage -l $username
Apply the new policy to existing users

To apply it to existing ones, you need to use the chage command. The -M flag is for maximum days, -m for minimum, and -W for warnings. Don’t forget to replace $days and $username with the proper values, and check if the change was applied.

sudo chage -M $days $username

Install Fail2ban

When you’re working on hardening CentOS 8, it’s also important that you install Fail2ban intrusion prevention. This software protects your server from malicious login attempts by systematically blocking misbehaving IPs.

1. Install Fail2ban.

sudo dnf install fail2ban
Install Fail2ban

2. Activate and enable Fail2ban.

Start fail2ban and set it to load at boot.

sudo systemctl enable fail2ban
sudo systemctl start fail2ban
Activate and enable Fail2ban

3. Configure Fail2ban.

Before you can configure Fail2ban, you need to copy etc/fail2ban/jail.conf to etc/fail2ban/jail.local.

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Now add your IP to the ignoreip list and uncomment the line.

 

Then configure how the system should treat suspicious IPs.

  • bantime defines how long an IP will be blocked.
  • maxretry is how many times an IP can fail to log in before getting blocked.
  • findtime is the time period after which the maxretry counter is reset.
configure how the system should treat suspicious IPs

Finally, restart Fail2ban to apply these changes.

sudo systemctl restart fail2ban

There are many other useful Fail2ban features that you can use for CentOS hardening. To learn more about them, read the Fail2ban manual pages.

Password protect GRUB

Another important step in this CentOS 8 hardening guide involves protecting GRUB. Grand Unified Bootloader (GRUB) is the most common bootloader for a lot of Linux distributions, including CentOS.

GRUB can be used to reset the root password by logging in to the single-user mode. That’s why you should set a password to protect it and improve your CentOS security.

Set the password.

sudo grub2-setpassword
Password protect GRUB

Disable Ctrl+Alt+Del

Pressing the keys Ctrl, Alt, and Delete together will cause a reboot on most Linux distributions, including CentOS. If an attacker gets keyboard access and reboots your system, they could potentially access the single-user mode without a password.

That’s why it’s important that you disable it to prevent any unwanted reboots and improve your CentOS 8 security.

Disable the shortcut.

sudo systemctl mask ctrl-alt-del.target
Disable Ctrl+Alt+Del

Secure the Kernel

Securing the Linux kernel is another important aspect of CentOS hardening. Linux kernel configurations are stored under /proc/sys. To change them, you can use the systctl command.

1. Check the configuration.

sudo sysctl –system
Secure the Kernel

2. Edit the configuration.

Open the etc/sysctl.conf file and copy the following configurations to it. They should work for most machines as long as they aren’t used as routers. Make sure to read each comment before applying the changes.

# Disable IP forwarding

net.ipv4.ip_forward = 0

# Disable source routing

net.ipv4.conf.default.accept_source_route = 0

# Disable the Magic System Request key

kernel.sysrq = 0

# Enable TCP SYN cookie protection

net.ipv4.tcp_syncookies = 1

# Enable SYN flood protection

net.ipv4.tcp_synack_retries = 5

# Don’t accept source-routed packets

net.ipv4.conf.all.accept_source_route = 0

# Don’t accept ICMP redirects

net.ipv4.conf.all.accept_redirects = 0

# Log packets with suspicious addresses

net.ipv4.conf.all.log_martians = 1

# Ignore broadcast requests

net.ipv4.icmp_echo_ignore_broadcasts = 1

# Ignore bad ICMP errors

net.ipv4.icmp_ignore_bogus_error_responses = 1

3. Apply the changes.

Finally, reload sysctl to apply the changes.

sudo sysctl -p

That’s it. You’ve reached the end of this CentOS 8 hardening guide.

Wrapping Up

The digital landscape is rapidly evolving, but so is cybercrime. If your business relies on Linux for its day-to-day operations, it’s essential that you apply the latest Linux server hardening procedures to survive and thrive in the coming years.

Spending a couple of extra hours on security can protect you from the severe consequences of cyberattacks, including lawsuits and reputation damage. This step-by-step guide on how to secure CentOS 8 is a great place to start, so take action and improve your security today.

 

Leave a Reply