Blog | G5 Cyber Security

Secure CentOS Server Setup

G5 Cyber Security

TL;DR

This guide shows you how to harden a new CentOS server for better cyber security. We’ll cover basic firewall setup, SSH hardening, user account management, and keeping your system updated.

1. Initial Server Setup & Updates

  1. Login: Access your server via SSH as the root user (or a sudo-enabled user).
  2. Update Packages: Ensure all packages are up to date. This is crucial for patching vulnerabilities. 
    sudo yum update -y
  3. Reboot: Reboot the server after updates to apply any kernel changes. 
    sudo reboot

2. Firewall Configuration (Firewalld)

CentOS uses Firewalld as its default firewall. We’ll configure it to allow only necessary traffic.

  1. Check Status: See if firewalld is running. 
    sudo systemctl status firewalld
  2. Start & Enable: If not running, start and enable it. 
    sudo systemctl start firewalld
    sudo systemctl enable firewalld
  3. List Zones: View available firewall zones. 
    firewall-cmd --get-zones
  4. Set Default Zone: Set the default zone to ‘public’ (or a more appropriate one for your network). 
    sudo firewall-cmd --set-default-zone=public
  5. Allow SSH: Allow SSH traffic through the firewall. 
    sudo firewall-cmd --permanent --add-service=ssh
  6. Allow HTTP/HTTPS (if needed): If you’re running a web server, allow HTTP and HTTPS traffic. 
    sudo firewall-cmd --permanent --add-service=http
    sudo firewall-cmd --permanent --add-service=https
  7. Reload Firewall: Apply the changes. 
    sudo firewall-cmd --reload
  8. Verify Rules: Check the active rules. 
    firewall-cmd --list-all

3. SSH Hardening

SSH is a common target for attackers. Here’s how to make it more secure.

  1. Edit SSH Configuration: Open the SSH configuration file. 
    sudo nano /etc/ssh/sshd_config
  2. Change Port (Optional): Change the default port (22) to a non-standard port. This reduces automated attacks. Be careful not to choose a commonly used port! Find the line starting with `#Port` and change it. 
    Port 2222
  3. Disable Root Login: Prevent direct root login via SSH. Change `PermitRootLogin yes` to `PermitRootLogin no`.
  4. Disable Password Authentication: Use key-based authentication instead of passwords. Change `PasswordAuthentication yes` to `PasswordAuthentication no`.
  5. Allow Specific Users (Optional): Limit SSH access to specific users. 
    AllowUsers user1 user2
  6. Restart SSH Service: Apply the changes. 
    sudo systemctl restart sshd

4. User Account Management

Proper user account management is essential.

  1. Create a New User: Create a new user with sudo privileges. 
    sudo adduser username
  2. Set Password: Set a strong password for the new user. 
    sudo passwd username
  3. Add to Wheel Group: Add the user to the ‘wheel’ group to grant sudo access. 
    sudo usermod -aG wheel username
  4. Disable Unused Accounts: Disable any accounts that are not actively used. 
    sudo passwd -l username

5. Keeping Your System Updated

Regular updates are vital for cyber security.

  1. Automated Updates: Consider using unattended-upgrades to automatically install security updates. 
    sudo yum install -y unattended-upgrades

    Configure the package in /etc/unattended-upgrades/50-unattended-upgrades.conf

  2. Regular Manual Updates: Even with automated updates, perform manual updates periodically. 
    sudo yum update -y
Exit mobile version