This tutorial only covers general security tips for CentOS 7 which can be used to harden the system. The checklist tips are intended to be used mostly on various types of bare-metal servers or on machines (physical or virtual) that provides network services.
However, some of tips can be successfully applied on general purpose machines too, such as Desktops, Laptops and card-sized single-board computers (Raspberry Pi).
1. Physical Protection
Lock down your server rooms access, use racks locking and video surveillance. Take into consideration that any physical access to server rooms can expose your machine to serious security issues.
BIOS passwords can be changed by resetting jumpers on the motherboard or by disconnecting the CMOS battery. Also, an intruder can steal the hard disks or directly attach new hard disks to the motherboard interfaces (SATA, SCSI etc), boot up with a Linux live distro and clone or copy data without leaving any software trace.
2. Reduce Spying Impact
In case of highly sensitive data you should probably use advanced physical protection such as placing and locking the server into a Faraday Cage or use a military TEMPEST solution in order to minimize the impact of spying the system via radio or electrical leaking emanations.
3. Secure BIOS/UEFI
Start the process of harden your machine by securing BIOS/UEFI settings, especially set a BIOS/UEFI password and disable boot media devices (CD, DVD, disable USB support) in order to prevent an unauthorized users from modifying the system BIOS settings or altering the boot device priority and booting the machine from an alternate medium.
In order to apply this type of changes to your machine you need to consult the motherboard manufacturer manual for specific instructions.
4. Secure Boot Loader
Set a GRUB password in order to prevent malicious users to tamper with kernel boot sequence or runlevels, edit kernel parameters or start the system into single user mode in order to harm your system and reset root password to gain privileged control.
5. Use Separate Disk Partitions
When installing CentOS on systems intended as production servers use dedicated partitions or dedicated hard disks for the following parts of the system:
/(root) /boot /home /tmp /var
6. Use LVM and RAID for Redundancy and File System Growth
The /var partition is the place where log messages are written to disk. This part of the system can exponential grow in size on heavily traffic servers which expose network services such as web servers or file servers.
Thus, use a large partition for /var or consider on setting up this partition using logical volumes (LVM) or combine several physical disks into one larger virtual RAID 0 device to sustain large amounts of data. For data redundancy consider on using LVM layout on top of RAID 1 level.
For setting up LVM or RAID on the disks, follow our useful guides:
- Setup Disk Storage with LVM in Linux
- Create LVM Disks Using vgcreate, lvcreate and lvextend
- Combine Several Disks into One Large Virtual Storage
- Create RAID 1 Using Two Disks in Linux
7. Modify fstab Options to Secure Data Partitions
Separate partitions intended for storing data and prevent the execution of programs, device files or setuid bit on these type of partitions by adding the following options to fstab file as illustrated on the below excerpt:
/dev/sda5 /nas ext4 defaults,nosuid,nodev,noexec 1 2
To prevent privilege-escalation and arbitrary script execution create a separate partition for /tmp and mount it as nosuid, nodev and noexec.
/dev/sda6 /tmp ext4 defaults,nosuid,nodev,noexec 0 0
8. Encrypt the Hard Disks at block level with LUKS
In order to protect sensitive data snooping in case of physical access to machine hard drives. I suggest you to learn how to encrypt disk by reading our article Linux Hard Disk Data Encryption with LUKS.
9. Use PGP and Public-Key Cryptography
In order to encrypt disks, use PGP and Public-Key Cryptography or openssl command to encrypt and decrypt sensitive files with a password as shown in this article Configure Encrypted Linux System Storage.
10. Install Only the Minimum Amount of Packages Required
Avoid installing unimportant or unnecessary programs, applications or services to avoid package vulnerabilities. This can decrease the risk that the compromise of a piece of software may lead to compromise other applications, parts of the system or even file systems, finally resulting in data corruption or data loss.