DEV Community

Cover image for CentOS - How to secure & Monitor
Sm0ke
Sm0ke

Posted on • Originally published at docs.appseed.us

CentOS - How to secure & Monitor

Securing a CentOS Server for production deployment is crucial to ensure the confidentiality, integrity, and availability of your services and sensitive data. Thank you!

Here's a step-by-step guide to help you secure your CentOS server:


Update the System

Ensure that your CentOS system is up to date with the latest security patches and updates. Run the following commands:

sudo yum update
sudo yum upgrade
Enter fullscreen mode Exit fullscreen mode

Firewall Configuration

Use firewalld to set up a firewall and only allow necessary ports and services. For example, if you're running a web server, allow HTTP (port 80) and HTTPS (port 443) traffic:

sudo firewall-cmd --zone=public --add-service=http --permanent
sudo firewall-cmd --zone=public --add-service=https --permanent
sudo firewall-cmd --reload
Enter fullscreen mode Exit fullscreen mode

SSH Security

Secure SSH access by changing the default SSH port (optional but recommended) and disable root login. Edit the SSH configuration file /etc/ssh/sshd_config:

Port 2222  # Change to a non-default port
PermitRootLogin no
PasswordAuthentication no  # Use key-based authentication
Enter fullscreen mode Exit fullscreen mode

After making these changes, restart the SSH service:

sudo systemctl restart sshd
Enter fullscreen mode Exit fullscreen mode

Regular User Accounts

Avoid using the root account for regular tasks. Create a separate user with sudo privileges for administrative tasks:

sudo useradd -m -s /bin/bash yourusername
sudo passwd yourusername
sudo usermod -aG wheel yourusername
Enter fullscreen mode Exit fullscreen mode

Set Up SSH Keys

Use SSH keys for authentication instead of passwords. Generate an SSH key pair on your local machine and copy the public key to your server:

ssh-keygen -t rsa
ssh-copy-id yourusername@server_ip
Enter fullscreen mode Exit fullscreen mode

Fail2Ban

Install and configure Fail2Ban to protect against brute force attacks:

sudo yum install fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
Enter fullscreen mode Exit fullscreen mode

Install and Configure SELinux

CentOS comes with SELinux, a security enhancement. Ensure it's enabled and properly configured:

sudo setenforce 1
Enter fullscreen mode Exit fullscreen mode

Regular Backups

Implement a regular backup strategy to ensure data recovery in case of a breach or hardware failure.


Security Updates

Continuously monitor and apply security updates. You can use tools like yum-cron or dnf-automatic to automate this process.


Application Security

Harden the security of your applications by following best practices and regularly updating them.


Monitoring and Intrusion Detection

Use monitoring tools like Prometheus, Grafana, and intrusion detection systems like Tripwire or AIDE to detect and respond to security incidents.


Regular Security Audits

Perform regular security audits and vulnerability assessments to identify and address potential weaknesses.


Network Security

Implement network security measures, like network segmentation and VLANs, to isolate critical systems and minimize attack surfaces.


Physical Security

Ensure physical security of the server by restricting physical access to authorized personnel only.


Logging and Auditing

Configure comprehensive system logging and auditing to track and investigate security incidents.


✅ Detecting Real-time Changes

Detecting real-time changes to system-critical files and emitting alerts is essential for maintaining the security and integrity of your CentOS server.
You can achieve this by using file integrity monitoring (FIM) tools like auditd, tripwire, or osquery. Here, I'll provide an example using auditd, which is a built-in auditing tool in CentOS:


Install and Enable auditd

If it's not already installed, you can install auditd with the following command:

sudo yum install audit
Enter fullscreen mode Exit fullscreen mode

Enable and start the auditd service:

sudo systemctl enable auditd
sudo systemctl start auditd
Enter fullscreen mode Exit fullscreen mode

Configure Audit Rules

You can set up custom audit rules to monitor specific files or directories. For example, to monitor changes to the /etc directory, create a custom audit rule in a file named /etc/audit/rules.d/custom.rules:

sudo nano /etc/audit/rules.d/custom.rules
Enter fullscreen mode Exit fullscreen mode

Add the following rule to monitor file changes in /etc:

-w /etc -p wa
Enter fullscreen mode Exit fullscreen mode

This rule will watch the /etc directory for write (w) and attribute (a) changes. You can adjust the rules to fit your specific needs.


Restart auditd:

After adding or modifying audit rules, restart the auditd service to apply the changes:

   sudo systemctl restart auditd
Enter fullscreen mode Exit fullscreen mode

View Audit Logs:

You can view the audit logs in real-time using the auditd tools. For example, you can use the ausearch command to search for file-related events:

sudo ausearch -f /etc
Enter fullscreen mode Exit fullscreen mode

This command will display audit events related to changes in the /etc directory.


Set Up Alerts

To emit alerts when changes are detected, you can use a variety of methods, including email notifications, custom scripts, or central logging solutions like syslog-ng, rsyslog, or ELK Stack
(Elasticsearch, Logstash, Kibana).

Here's an example of setting up an email notification when auditd logs an event:

Install auditd email alerts:

sudo yum install auditd-plugins-mail
Enter fullscreen mode Exit fullscreen mode

Edit the /etc/audit/auditd.conf file and configure the action_mail_acct and admin_space_left_action options. For example:

action_mail_acct = root
admin_space_left_action = halt
Enter fullscreen mode Exit fullscreen mode

Create a custom script that will be executed when an audit event occurs. For example:

sudo nano /etc/audit/rules.d/audit-alert.rules
Enter fullscreen mode Exit fullscreen mode

Add the following rule:

-a always,exit -F arch=b64 -S open -F dir=/etc -k audit-alert
Enter fullscreen mode Exit fullscreen mode

This rule logs file openings in the /etc directory.

Restart auditd to apply the changes:

sudo systemctl restart auditd
Enter fullscreen mode Exit fullscreen mode

Create a script (e.g., /etc/audit/audit-alert.sh) to send an email alert when an audit event is detected.

#!/bin/bash
ausearch -k audit-alert | mail -s "Audit Alert on Server" your@email.com
Enter fullscreen mode Exit fullscreen mode

Make the script executable

sudo chmod +x /etc/audit/audit-alert.sh
Enter fullscreen mode Exit fullscreen mode

Use a cron job to run the script at regular intervals to check for audit events and send alerts:

sudo crontab -e
Enter fullscreen mode Exit fullscreen mode

Add the following line to run the script every 15 minutes:

*/15 * * * * /etc/audit/audit-alert.sh
Enter fullscreen mode Exit fullscreen mode

With these steps, you'll have a basic file integrity monitoring system in place that detects changes to system-critical files and emits alerts when such changes occur.
You can customize the rules, alerts, and notifications to meet your specific requirements and integrate them into your server monitoring and incident response procedures.


In Summary

Security is an ongoing process. Helps alot to stay informed about the latest security threats and best practices, and adapt your security measures accordingly.

Regularly review and update your security policies and procedures to maintain a secure production environment for CentOS.


✅ Resources

Top comments (0)