The Mega Guide To Harden and Secure CentOS 7 – Part 1
11. Update the system frequently
Update the system regularly. Keep the Linux kernel in sync with the latest security patches and all installed software up to date with the latest versions by issuing the below command:
# yum update
12. Disable Ctrl+Alt+Del
To prevent users from rebooting the server once they have physical access to the keyboard, or via a remote console application or a virtualized console (KVM, virtualization software interface), you should disable the Ctrl+Alt+Del key sequence by executing the below command.
# systemctl mask ctrl-alt-del.target
13. Remove Unnecessary Software Packages
Install only the minimal software required for your machine. Never install extra programs or services. Install packages only from trusted or official repositories. Use a minimal installation of the system if the machine is destined to run its entire life as a server.
Verify installed packages using one of the following commands:
# rpm -qa
Make a local list of all installed packages.
# yum list installed >> installed.txt
Consult the list for useless software and delete a package by issuing the below command:
# yum remove package_name
14. Restart systemd services after daemon updates
Use the below command example to restart a systemd service in order to apply new updates.
# systemctl restart httpd.service
15. Remove Unneeded Services
Identify the services that are listening on specific ports using the following command.
# ss -tulpn
To list all installed services with their status, issue the below command:
# systemctl list-units -t service
For instance, the CentOS 7 default minimal installation comes with the Postfix daemon installed, which runs under the name master on port 25. Remove the Postfix network service if your machine will not be used as a mail server.
# yum remove postfix
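An added example (not from the original guide) that automates the review described above: it parses `ss -tulpn` output and reports every listener bound to a non-loopback address whose protocol/port is not on an allowlist. The function names, the `proto/port` allowlist format and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# audit_listeners ALLOWED...   reads `ss -tulpn` output on stdin.
# ALLOWED entries look like "tcp/22" (hypothetical allowlist format).
# Prints one "proto/port address process" line per unexpected listener.
audit_listeners() {
    awk -v allowed="$*" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 != "tcp" && $1 != "udp" { next }            # skip header and other socket types
    {
        laddr = $5
        port = laddr; sub(/.*:/, "", port)          # text after the last colon
        addr = substr(laddr, 1, length(laddr) - length(port) - 1)
        if (addr ~ /^127\./ || addr == "::1" || addr == "[::1]") next   # loopback only
        key = $1 "/" port
        if (key in ok) next                         # expected service
        proc = "unknown"                            # ss hides process names without root
        if (match($0, /\(\("[^"]+"/)) proc = substr($0, RSTART + 3, RLENGTH - 4)
        line = key " " addr " " proc
        if (!(line in seen)) { seen[line] = 1; print line }
    }'
}

# Constructed sample of `ss -tulpn` output (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      127.0.0.1:323      *:*      users:(("chronyd",pid=650,fd=1))
udp   UNCONN 0      0      *:68               *:*      users:(("dhclient",pid=812,fd=6))
tcp   LISTEN 0      128    *:22               *:*      users:(("sshd",pid=1017,fd=3))
tcp   LISTEN 0      100    *:25               *:*      users:(("master",pid=1250,fd=13))
tcp   LISTEN 0      128    :::22              :::*     users:(("sshd",pid=1017,fd=4))
tcp   LISTEN 0      100    ::1:25             :::*     users:(("master",pid=1251,fd=14))
EOF
}

# Only SSH is expected on this sample host; everything else exposed is reported.
# Live use (as root): ss -tulpn | audit_listeners tcp/22
sample_ss_output | audit_listeners tcp/22
```

Each reported line names a service to either add to the allowlist deliberately or stop and remove, as with Postfix above.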
16. Encrypt Transmitted Data
Do not use insecure protocols for remote access or file transfer such as Telnet or FTP, or other plain-text protocols such as SMTP, HTTP, NFS or SMB, which by default do not encrypt authentication sessions or transmitted data.
To tunnel a VNC console via SSH, use the below example, which forwards the VNC port 5901 on the remote machine to port 5902 on your local machine:
# ssh -L 5902:localhost:5901 remote_machine
On the local machine, run the below command to connect to the remote endpoint through the tunnel.
# vncviewer localhost:5902
17. Network Port Scanning
Conduct external port checks using the nmap tool from a remote system over the LAN. This type of scanning can be used to verify network vulnerabilities or test the firewall rules.
# nmap -sT -O 192.168.1.10
18. Packet-filtering Firewall
Use the firewalld utility to protect the system ports and to open or close specific service ports, especially well-known ports (<1024).
Install, start, enable and list the firewall rules by issuing the below commands:
# yum install firewalld
# systemctl start firewalld.service
# systemctl enable firewalld.service
# firewall-cmd --list-all
19. Inspect Protocol Packets with tcpdump
Use the tcpdump utility to sniff network packets locally and inspect their content for suspicious traffic (source-destination ports, TCP/IP protocols, layer two traffic, unusual ARP requests).
For a better analysis of the file captured by tcpdump, use a more advanced program such as Wireshark.
# tcpdump -i eno16777736 -w tcpdump.pcap
20. Prevent DNS Attacks
Inspect the contents of your resolver configuration, typically the /etc/resolv.conf file, which defines the IP addresses of the DNS servers the system should query for domain names, in order to avoid man-in-the-middle attacks, unnecessary traffic to root DNS servers, spoofing or DoS attacks.
This is just the first part. In the next part we’ll discuss other security tips for CentOS 7.