5 Steps to (Secure)Hardening your Server (Centos 7)

I am not DevOps or sysadmin, but in the meantime, I work in a small company (startup) as CTO.

I should take care of many things like developers, code review, problem-solving, recruit, manage the servers, Participate in business meetings, help QA to write the automated test and many other things.

I think maybe my experience in some of the title above would be good for others. so I decided to write and share them.

when our startup grows, we never think about server attack and this is my mistake as CTO. I have a chance that the unpredictable event has not happened before we secure our server.

Here are the steps we took to improve server security:

We have many access logs on our server with default user like “root, centos, ubuntu,…”, so this step is important to confuse attackers.

# adduser someWeirdName# passwd someWeirdName

to generate Password, you can use LastPass.com.

open the ssh configuration file with your text editor as root:

# vi /etc/ssh/sshd_config

To disable remote root logins, we need to find the line that looks like this:

PermitRootLogin yes

and change “yes” to “no”

PermitRootLogin no

Type this to restart SSH:

systemctl reload sshd

Hint: before logout, make sure you can log in to the server with the created new user.

Setting this up will increase the security of your server by requiring a private SSH key to log in.

print your Public-Key on console from your machine using this command :

local$ cat ~/.ssh/id_rsa.pub

then select and copy printed text.

login to server with created user and open a file in .ssh called authorized_keys with a text editor. We will use vi to edit the file:

$ vi .ssh/authorized_keys

Enter insert mode, by pressing i, then enter your public key (which should be in your clipboard) by pasting it into the editor. Now hit ESC to leave insert mode. Enter :wq then ENTER to save and exit the file.

Firewalls provide a basic level of security for your server.

CentOS ships with a firewall called firewalld. A tool called firewall-cmd can be used to configure your firewall policies.

First install firewalld:

# sudo yum install firewalld
# sudo systemctl start firewalld

In this step, we will only be adjusting the policies for the default zone. When we reload our firewall, this will be the zone applied to our interfaces. We should start by adding exceptions to our firewall for approved services. The most essential of these is SSH, since we need to retain remote administrative access to the server.

If you have not modified the port that the SSH daemon is running on, you can enable the service by name by typing:

$ sudo firewall-cmd — permanent — add-service=ssh

If you plan on running a conventional HTTP/HTTPS web server, you will need to enable the http/https service:

# sudo firewall-cmd --permanent --add-service=http
# sudo firewall-cmd --permanent --add-service=https

if you use custom port for something else, use below command to enable it:

# sudo firewall-cmd — permanent — add-port=(customPort)/tcp

To see any additional services that you can enable by name, type:

# sudo firewall-cmd — get-services

When you are finished, you can see the list of the exceptions that will be implemented by typing:

# sudo firewall-cmd — permanent — list-all

When you are ready to implement the changes, reload the firewall:

# sudo firewall-cmd — reload

If, after testing, everything works as expected, you should make sure the firewall will be started at boot:

# sudo systemctl enable firewalld

Remember that you will have to explicitly open the firewall (with services or ports) for any additional services that you may configure later.

if you add your Public-Key in step 3, now you can secure your server from brute-force with disabling login by password.

open the ssh configuration file with your text editor as root:

# vi /etc/ssh/sshd_config

Find ChallengeResponseAuthentication and set to no:

ChallengeResponseAuthentication no

Find PasswordAuthentication set to no:

PasswordAuthentication no

Find UsePAM and set to no:

UsePAM no

Find PermitRootLogin and set to no:

PermitRootLogin no

Now hit ESC to leave insert mode. Enter :wq then ENTER to save and exit the file.

Type this to restart SSH:

systemctl reload sshd

Hint: before logout, make sure you can log in to the server with your Public-Key.

Senior Mobile Developer, iOS is first platform of choice