Once you have installed your CentOS 8 / RHEL 8 server, securing it to prevent unauthorized access and intrusions comes second. As the adage goes , “Prevention is better than cure” so is prevention of hacks better that taking remediation attempts.
Let explore a few steps that you can take to harden and secure CentOS 8 / RHEL 8 server and thwart hacking attempts.
1) Set up a firewall
As a security-minded Linux user, you wouldn’t just allow any traffic into your CentOS 8 / RHEL 8 system for security reasons. In fact, setting up a firewall is one of the initial server setup tasks that a systems administrator needs to perform to only open specific ports and allow services currently in use.
By default, CentsO8 / RHEL 8 system ship with firewalld firewall which can be started and enabled on startup by running the commands:
$ sudo systemctl start firewalld $ sudo systemctl enable firewalld
To check the services allowed on the firewall, simply run the command:
$ sudo firewall-cmd --list all
To open a port on the firewall e.g port 443, execute the command:
$ sudo firewall-cmd --add-port=443/tcp --zone=public --permanent
To allow a service e.g ssh , use the command:
$ sudo firewall-cmd --add-service=ssh --zone=public --permanent
To remove a port and a service , use the –remove-port and –remove-service attributes respectively.
For the changes to take effect , always reload the firewall as shown.
$ sudo firewall-cmd --reload
2) Disable unused / undesirable services
It’s always advised to turn off unused or unnecessary services on your server. This is because the higher the number of services running, the more the number of ports open on your system which can be exploited by an attacker to gain entry to your system. Additionally, desist from using old and insecure service like telnet which send traffic in plain text
Best security practices recommend disabling unused services and getting rid of all the insecure services running on your system. You can use the nmap tool to scan your system and check which ports are open and being listened to.
3) Secure critical files
It’s essential to lock down critical files to prevent accidental deletion or editing. Such files include the /etc/passwd and /etc/gshadow which contain hashed passwords. To make the files immutable ( i.e prevent modification or accidental deletion ) use the chattr command as shown:
$ sudo chattr +i /etc/passwd $ sudo chattr +i /etc/shadow
This ensures that a hacker cannot change any of the users’ password or delete them leading to denial of login to the system.
4) Secure SSH protocol
SSH protocol is a popularly used protocol for remote logins. By default , the protocol has native weaknesses that can be exploited by a hacker.
By default, SSH allows remote login by the root user. This is a potential loophole and if a hacker can get a hold of the root’s password to your system, your server is pretty much at their mercy. To prevent this, it’s advisable to deny remote root login and instead create a login regular user with sudo privileges. You can effect this by modifying the SSH configuration file /etc/ssh/sshd_config and disable root login as shown:
Another way you can secure SSH is by setting up SSH passwordless authentication by use of ssh keys. Instead of using password authentication which is prone to brute force attacks, SSH keys are preferred as they only allow entry to users with the ssh key to login to the remote server and block out any other user. The first step in enabling passwordless authentication is generating a key pair using the command:
This generates a public and private key pair. The private key resides on the host while the public key is copied to the remote system or server. Once the ssh-key pair is copied, you can effortlessly login to the remote system without being prompted for a password. Next, disable password authentication by modifying the /etc/ssh/sshd_config configuration file and setting this value:
Once you have made the changes be sure to restart the SSH service for the changes to take effect.
$ sudo systemctl restart sshd
5 ) Define a limit for password attempts
To further harden your server, you might consider limiting the number of password attempts when logging via SSH to deter brute force attacks. Again, head over to the SSH configuration file, scroll and locate the “MaxAuthTries” parameter. Uncomment it and set a value , for example 3 as shown.
This implies that after 3 incorrect password attempts, the session will be closed. This comes in handy especially when you want to block robotic scripts/programs trying to gain access to your system.
6) Set up an intrusion prevention system (IPS)
So far, we have covered the basic steps you can take to harden your CentOS 8 / RHEL 8 server. To add another layer, it’s recommended that you install an intrusion detection system. A perfect example of an IPS is Fail2ban.
Fail2ban is a free and open source intrusion prevention system that shields servers from brute force attacks by banning IP addresses after a certain number of login attempts which can be specified in its configuration file. Once blocked, the malicious or unauthorized user cannot even initiate an SSH login attempt.
7) Regularly update your server
This article would not be complete without emphasizing how critical it is to update your server regularly. This ensures that your server gets the latest feature and security updates which are essential in addressing existing security issues.
You can set up automatic updates using cockpit utility which is a GUI-based server management tool that also performs a host of other tasks. This is ideal especially if you intend to go on a long stay or vacation without access to the server.