Continuing the previous tutorial on how to secure CentOS 8/7, this article covers the next group of hardening tips from the checklist.
When the setuid or setgid bit is set on an executable, it runs with the privileges of the file's owner or group instead of those of the user who launched it; for root-owned binaries that means any flaw in the program becomes a path to root.
Memory-corruption bugs such as buffer overflows in these binaries are a classic way for a local user to run unauthorized code with root privileges, so the set of such files should be kept as small as possible and reviewed after every package change. List every setuid or setgid file on the system (skipping /proc) with:
# find / -path /proc -prune -o -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \;
Before removing a bit, confirm the binary does not depend on it: passwd, su, sudo and mount, for example, need setuid root and stop working for ordinary users without it. To unset the setuid bit execute the below command:
# chmod u-s /path/to/binary_file
To unset the setgid bit run the below command:
# chmod g-s /path/to/binary_file
Files or directories not owned by a valid account (a UID or GID with no entry in /etc/passwd or /etc/group, usually left behind when a user or group was deleted) must be removed or reassigned to an existing user and group; otherwise a newly created account that happens to receive the old ID silently inherits them.
Issue the below find command to list files or directories with no user or group. The parentheses are required: find's -o binds more loosely than the implied -a, so without them the -exec would apply only to the -nogroup matches and the -nouser ones would never be listed.
# find / -path /proc -prune -o \( -nouser -o -nogroup \) -exec ls -l {} \;
Keeping world-writable files on the system is dangerous because any local user, or any compromised service, can modify them. Execute the below command to display world-writable files, excluding symlinks, whose own mode is always 0777 (what matters is the mode of the target). Expect sticky-bit directories such as /tmp and /var/tmp in the output: those are world-writable by design, and the sticky bit prevents users from removing each other's files.
# find / -path /proc -prune -o -perm -0002 ! -type l -ls
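The three checks above can be combined into a small audit script. The following is an added example for this article, not one of its original commands: each function takes a root directory (default /) so the checks can be tried on a scratch tree first, prunes /proc and /sys, and prints one path per line, and audit_tree wraps them with ls -ld. The world-writable check additionally drops sticky-bit directories, which the one-liner above does not; the script and function names are this example's own.

```sh
#!/bin/sh
# Added example for this article (not one of its original commands): the three
# file-permission checks from the text as functions that take a root directory
# (default /) and print one matching path per line. /proc and /sys are pruned
# because they contain pseudo-files, not data.

# Regular files with the setuid (4000) or setgid (2000) bit set.
find_setid_files() {
    root=${1:-/}
    find "$root" \( -path /proc -o -path /sys \) -prune -o \
        -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# World-writable files and directories. Symlinks are skipped (their own mode
# is always 0777), and so are sticky-bit directories such as /tmp, which are
# world-writable by design; the sticky bit stops users deleting each other's
# files there.
find_world_writable() {
    root=${1:-/}
    find "$root" \( -path /proc -o -path /sys \) -prune -o \
        -perm -0002 ! -type l ! \( -type d -perm -1000 \) -print 2>/dev/null
}

# Files and directories whose UID or GID has no entry in /etc/passwd or
# /etc/group. The parentheses are essential: without them the -print would
# apply only to the -nogroup branch.
find_unowned() {
    root=${1:-/}
    find "$root" \( -path /proc -o -path /sys \) -prune -o \
        \( -nouser -o -nogroup \) -print 2>/dev/null
}

# Full report: ls -ld for every hit in each category.
audit_tree() {
    root=${1:-/}
    for check in find_setid_files find_world_writable find_unowned; do
        echo "== $check under $root"
        "$check" "$root" | while IFS= read -r path; do
            ls -ld -- "$path"
        done
    done
}

# Only run the report when a directory is given, e.g.: sh audit-perms.sh /
if [ "$#" -gt 0 ]; then
    audit_tree "$1"
fi
```

On a full-system run the world-writable list still contains device nodes under /dev such as /dev/null, which are writable by design; everything else in that list, and anything in the other two lists that did not come from a package, deserves a look.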
Use passwords of at least eight characters drawn from several character classes (digits, special characters, upper- and lower-case letters). The pwmake utility from libpwquality generates a random password with the requested number of entropy bits read from /dev/urandom; 128 bits gives a password far stronger than any human-chosen one:
# pwmake 128
Force the system to check password quality by adding the below line to the /etc/pam.d/passwd file. On CentOS 7/8 pam_pwquality is normally already listed in /etc/pam.d/system-auth and password-auth, so check with grep before adding a duplicate entry.
password required pam_pwquality.so retry=3
retry=3 lets the user try three times before passwd gives up; the quality rules themselves (length, character classes, monotonic sequences such as abcd, repeated characters such as 1111) are read from /etc/security/pwquality.conf, described next.
To force users to use a password with a minimum length of 8 characters containing all four character classes, and to reject monotonic sequences or repeated characters longer than three, add the following lines to the /etc/security/pwquality.conf file. Note that root is only warned, not blocked, when a password fails these checks, unless enforce_for_root is also set as a pam_pwquality option.
minlen = 8
minclass = 4
maxsequence = 3
maxrepeat = 3
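To see what a policy like this rejects before enforcing it, here is an added example, not the article's code and not libpwquality itself: a POSIX shell re-implementation of the four settings above (minlen, minclass, maxsequence and maxrepeat, with the values assumed from the snippet), applied to candidate passwords. It deliberately leaves out the dictionary, similarity and user-name checks that pam_pwquality also performs, so a password that passes here can still be rejected by the real module; the function names are this example's own.

```sh
#!/bin/sh
# Added example, not the article's code and not libpwquality itself: a shell
# re-implementation of the four pwquality.conf settings above, so a candidate
# password can be tested against the policy before it is enforced through
# pam_pwquality. The thresholds are assumed from the snippet in the text.

MINLEN=8        # minimum length
MINCLASS=4      # required character classes: lower, upper, digit, other
MAXSEQUENCE=3   # longest allowed monotonic run such as "abc" or "321"
MAXREPEAT=3     # longest allowed run of one repeated character such as "aaa"

# Decimal code point of a single character (POSIX printf '%d' "'c").
ord() { printf '%d' "'$1"; }

# Print each policy violation for the password in $1; return 0 if it passes.
check_password() {
    pw=$1; n=${#pw}; fail=0; classes=0

    if [ "$n" -lt "$MINLEN" ]; then
        echo "too short: $n characters, minlen = $MINLEN"; fail=1
    fi

    case "$pw" in *[[:lower:]]*) classes=$((classes + 1));; esac
    case "$pw" in *[[:upper:]]*) classes=$((classes + 1));; esac
    case "$pw" in *[[:digit:]]*) classes=$((classes + 1));; esac
    case "$pw" in *[![:alnum:]]*) classes=$((classes + 1));; esac
    if [ "$classes" -lt "$MINCLASS" ]; then
        echo "only $classes character classes, minclass = $MINCLASS"; fail=1
    fi

    # Walk the password one character at a time, tracking the current run of
    # identical characters and the current monotonic sequence (consecutive
    # code points differing by exactly +1 or -1, always in the same direction).
    rest=$pw; prev=''; prevdiff=0; run=1; seq=1; maxrun=1; maxseq=1
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}    # first character of $rest
        rest=${rest#?}           # drop it
        cur=$(ord "$c")
        if [ -n "$prev" ]; then
            if [ "$cur" -eq "$prev" ]; then run=$((run + 1)); else run=1; fi
            diff=$((cur - prev))
            if [ "$diff" -eq 1 ] || [ "$diff" -eq -1 ]; then
                if [ "$diff" -eq "$prevdiff" ]; then seq=$((seq + 1)); else seq=2; fi
            else
                seq=1
            fi
            prevdiff=$diff
            if [ "$run" -gt "$maxrun" ]; then maxrun=$run; fi
            if [ "$seq" -gt "$maxseq" ]; then maxseq=$seq; fi
        fi
        prev=$cur
    done
    if [ "$MAXSEQUENCE" -gt 0 ] && [ "$maxseq" -gt "$MAXSEQUENCE" ]; then
        echo "monotonic sequence of $maxseq characters, maxsequence = $MAXSEQUENCE"; fail=1
    fi
    if [ "$MAXREPEAT" -gt 0 ] && [ "$maxrun" -gt "$MAXREPEAT" ]; then
        echo "$maxrun identical consecutive characters, maxrepeat = $MAXREPEAT"; fail=1
    fi
    return "$fail"
}

# Check each argument, e.g.: sh pwcheck.sh 'Passw0rd!' 'Xabcd12!'
# Arguments are visible to other users in ps, so use this only for testing.
for candidate in "$@"; do
    if check_password "$candidate"; then echo "OK: $candidate"; else echo "REJECTED: $candidate"; fi
done
```

Two details worth noticing in the output: "Xabcd12!" has all four classes and eight characters yet fails only because "abcd" is a four-character sequence, and "Zyxwv9&Q" fails for the same reason in the descending direction, which is exactly what maxsequence = 3 is meant to catch.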
The chage command manages password ageing (the expiry fields in /etc/shadow). To set a user's password to expire 45 days after it was last changed, use the following command:
# chage -M 45 username
To disable password expiration time use the command:
# chage -M -1 username
Force immediate password expiration (user must change the password on next login) by running the following command:
# chage -d 0 username
User accounts can be locked by executing the passwd or usermod command; both prefix the password hash in /etc/shadow with a ! so that password authentication fails:
# passwd -l username
# usermod -L username
To unlock accounts use the -u option for passwd and the -U option for usermod. Note that locking the password does not stop a user who has an authorized SSH key from logging in over SSH on a default CentOS sshd (which authenticates through PAM), so for accounts that must not log in at all also change the login shell, as described below.
To prevent an account (an ordinary user or a service account) from obtaining an interactive shell, change its login shell in /etc/passwd to /usr/sbin/nologin or /bin/false by issuing the command below. nologin prints a refusal message while /bin/false exits silently; either ends interactive sessions, including SSH ones, immediately. Because sshd still authenticates the user before starting the shell, a client using ssh -N can still open port forwards, so accounts that must never use SSH should also be denied in sshd_config.
# usermod -s /bin/false username
To change the shell when creating a new user issue the following command:
# useradd -s /usr/sbin/nologin username
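An audit that ties the three mechanisms together (the login shell set with usermod -s, the lock prefix written by passwd -l, and the ageing fields managed by chage) is useful for checking the result. The following is an added example, not part of the original article: it joins /etc/passwd and /etc/shadow with awk and reports, per account, whether the password is active, locked, disabled or empty, whether the shell permits login, and the maximum password age. The demo function uses constructed sample files with fake hashes, not real system data, and the state labels and file names are this example's own naming.

```sh
#!/bin/sh
# Added example, not part of the original article: joins /etc/passwd and
# /etc/shadow to report, per account, the state the commands above control:
# the password lock written by passwd -l / usermod -L, the ageing fields set
# by chage, and whether the login shell set with usermod -s allows a login.
# File paths are parameters so the report can be run on copies or on the
# constructed sample below.

# Shells that refuse an interactive login.
NOLOGIN_SHELLS='/sbin/nologin /usr/sbin/nologin /bin/false /usr/bin/false'

# Usage: audit_accounts [passwd_file] [shadow_file]
# Output, one line per account: "name state shell_login max_days", where
#   active      usable password hash
#   locked      hash prefixed with "!" (passwd -l, usermod -L)
#   disabled    "*" or "!!": no password was ever set (keys/sudo may still work)
#   nopassword  empty hash field: an empty password is accepted where nullok is set
#   noshadow    no /etc/shadow entry at all
# ",must-change" is appended when the last-change day is 0 (chage -d 0), and
# max_days is "none" when no maximum age is set (chage -M -1).
# A locked password does NOT prevent an SSH public-key login; only the shell does.
audit_accounts() {
    awk -F: -v nologin="$NOLOGIN_SHELLS" '
        BEGIN { n = split(nologin, s, " "); for (i = 1; i <= n; i++) deny[s[i]] = 1 }
        FNR == NR {                       # first file: shadow
            hash[$1] = $2; lastchg[$1] = $3
            if ($5 == "") maxdays[$1] = "none"; else maxdays[$1] = $5
            next
        }
        {                                 # second file: passwd
            name = $1; shell = $7
            if (name in hash) h = hash[name]; else h = "?"
            if (h == "?")                     state = "noshadow"
            else if (h == "*" || h == "!!")   state = "disabled"
            else if (h ~ /^!/)                state = "locked"
            else if (h == "")                 state = "nopassword"
            else                              state = "active"
            if (lastchg[name] == "0") state = state ",must-change"
            if (shell in deny) login = "no"; else login = "yes"
            printf "%s %s %s %s\n", name, state, login, maxdays[name]
        }
    ' "${2:-/etc/shadow}" "${1:-/etc/passwd}"
}

# Constructed sample (fake hashes, not real system data) with one account per
# state: alice ages out after 45 days, bob is locked, svc has no password and
# no shell, guest has an empty password and must change it at next login.
demo() {
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
svc:x:1002:1002::/var/lib/svc:/usr/sbin/nologin
guest:x:1003:1003::/home/guest:/bin/bash
EOF
    cat > "$d/shadow" <<'EOF'
root:$6$saltsalt$notarealhash:18900:0:99999:7:::
alice:$6$saltsalt$notarealhash:18900:0:45:7:::
bob:!$6$saltsalt$notarealhash:18900:0:99999:7:::
svc:*:18900:0:::::
guest::0:0:99999:7:::
EOF
    audit_accounts "$d/passwd" "$d/shadow"
    rm -rf "$d"
}

# sh audit-accounts.sh --demo                     runs the sample above
# sh audit-accounts.sh /etc/passwd /etc/shadow    audits the real system (as root)
case "${1:-}" in
    --demo) demo ;;
    '') ;;
    *) audit_accounts "$@" ;;
esac
```

The line to look for on a real system is any account reported as "locked" or "nopassword" whose shell column still says "yes": the password lock alone leaves SSH key logins open, and an empty password field is an open door wherever nullok is enabled.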
vlock is a program for locking one or more sessions on the Linux console so that an unattended terminal cannot be used until the password is re-entered. Install the program and lock your current terminal session by running the below commands:
# yum install vlock
# vlock
Using a centralized authentication system can greatly simplify account management and control. Services that can offer this type of account management are FreeIPA (IPA Server), LDAP, Kerberos, Microsoft Active Directory, NIS, Samba ADS or Winbind.
They are not equally secure. Kerberos authenticates with symmetric-key cryptography and never sends the password over the network, and both Active Directory and FreeIPA are built on it; plain LDAP binds must be protected with TLS (LDAPS or STARTTLS), and NIS transmits credentials and password hashes in clear text and should not be used on untrusted networks.
Using the blockdev utility you can force all removable media to be mounted read-only. For instance, create a new udev rules file named 80-readonly-usb.rules in the /etc/udev/rules.d/ directory with the following content (ATTRS{removable}=="1" matches block devices the kernel flags as removable, and %N expands to the device node, which blockdev then marks read-only so that any later mount is read-only as well):
SUBSYSTEM=="block",ATTRS{removable}=="1",RUN{program}="/sbin/blockdev --setro %N"
Then, reload the rules with the below command. The rule applies to devices plugged in afterwards; media already attached stays writable until it is re-plugged, and root can still undo the flag with blockdev --setrw, so this is a guard against accidents and casual misuse, not against a privileged attacker.
# udevadm control --reload
To prevent the root account from logging in on console devices (TTYs), empty the /etc/securetty file, which pam_securetty consults to decide on which terminals root may log in; an empty file means none. Keep a backup and run the following commands as root:
# cp /etc/securetty /etc/securetty.bak
# cat /dev/null > /etc/securetty
Remember that this only affects services that use pam_securetty, such as login on the virtual consoles; it does not apply to SSH login sessions. CentOS 8 no longer ships /etc/securetty by default, so on that release confirm that pam_securetty is still referenced in /etc/pam.d/login before relying on this step.
To prevent root login via SSH, edit /etc/ssh/sshd_config and set the below directive. sshd uses the first value it finds for a keyword, so change or comment out any existing PermitRootLogin line rather than appending a second one, make sure a non-root user with sudo rights can already log in, then restart sshd for the change to take effect:
PermitRootLogin no