What Do I Need?
- A Dedicated or VPS Linux Server
What is Operating System Hardening?
Once you’ve installed CentOS, securing it to prevent unauthorized access and intrusions comes second. As the saying goes, ‘prevention is better than the cure’, and this couldn’t be more true than now. Bad actors and hackers are continuously looking to subvert or take control of our servers. You need to prevent this with as much efficacy as possible.
- Set Up a Firewall
- As a security-conscious and conscientious administrator, you shouldn’t allow just any traffic into your web server. In fact, setting up a firewall is one of the initial server setup tasks that a systems administrator needs to perform in order to only open specific ports and allow services currently in use. By default, CentOS 8 systems operate with the firewalld firewall which can be enabled on startup by running the following commands:
sudo systemctl start firewalld sudo systemctl enable firewalld
- To check the services allowed on the firewall, simply run the following commands:
sudo firewall-cmd --list all
- Then open a port on the firewall, i.e. port 443:
sudo firewall-cmd --add-port=443/tcp --zone=public --permanent
- Then enable a service, i.e. ssh, type:
sudo firewall-cmd --add-service=ssh --zone=public --permanent
- To remove a port and/or a service, use the -remove-port and -remove-service attributes respectively. For the changes to take effect, always reload the firewall as shown:
sudo firewall-cmd --reload
- Disable Unused/Undesirable Services
- It’s always advised to turn off any unused or unnecessary services on your web server. This is because the higher the number of services running, the more the number of ports open on your system that can be exploited by any bad actor to gain entry to your systems. Additionally, desist from using old and insecure services like telnet, which sends traffic in plain text. To be honest, this is nothing short of moronic.
- Best security practices recommend disabling unused services and getting rid of all insecure services running on your system. You can use the nmap tool to scan your system and check which ports are open and being listened to.
- Secure Critical Files
- It’s essential to lock down all critical files to prevent accidental deletion or editing. Such files include the /etc/passwd and /etc/gshadow, which contain hashed passwords. To ensure the files are immutable, i.e cannot be modified or accidentally deleted, use the chattr command as shown:
sudo chattr +i /etc/passwd sudo chattr +i /etc/shadow
- This ensures that a bad actor or hacker cannot change any of the users’ passwords or delete them leading to a denial of login to the system.
- Secure SSH Protocol
- SSH protocol is a popularly used protocol for remote logins. By default, the protocol has native weaknesses that can be exploited by a hacker.
- By default, SSH allows remote login by the root user. This is a potential loophole and if a hacker can get a hold of the root’s password to your system, your server is pretty much at their mercy. To prevent this, it’s advisable to deny remote root login and instead create a login regular user with Sudo privileges. You can alter this by modifying the SSH configuration file /etc/ssh/sshd_config and disabling the root login as shown:
- Another way you can secure SSH is by setting up SSH passwordless authentication by use of ssh keys. Instead of using password authentication, which is prone to brute force attacks, SSH keys are preferred as they only allow entry to users with the ssh key to log in to the remote server and block out any other user. The first step in enabling passwordless authentication is generating a key pair using the command:
- This generates a public and private key pair. The private key resides on the host while the public key is copied to the remote system or server. Once the ssh-key pair is copied, you can log in to the remote system without being prompted for a password. Next, disable password authentication by modifying the /etc/ssh/sshd_config configuration file and setting this value:
- Ensure that you remember to restart the SSH service for the changes to take effect:
sudo systemctl restart sshd
Really, there’s still a long way to go in securing your Linux web server. I’d recommend looking at defining limits for password attempts and setting up an intrusion prevention system and, of course, remember to keep those upgrades and updates fully up to date.
Keep an eye out for future articles extending upon this and bringing you more helpful tips and tricks to making sure you’re protecting your servers and web hosting appropriately.
- Click here to know more about the Best website hosting.