CARP ==> failure to read the top of the sshd_config file!!! My bad! Created an uncommented entry = no
That said - /var/log/secure routinely (and thankfully) rejects root login attempts on my server due to the userID < 1000. Why might that be?
Thank you.
Tips on Hardening Centos7?
Re: Tips on Hardening Centos7?
Because the login attempt matched the test in /etc/pam.d/system-auth-ac and failed the tests that precede it.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: Tips on Hardening Centos7?
Hah - a study note!
Thank you.
Re: Tips on Hardening Centos7?
As a general rule, always set PermitRootLogin to "no". If you must allow remote root logins, then put it in a Match block. Even then, set it up to only allow key-based logins, i.e.:
Match Host ip.add.re.ss
PermitRootLogin prohibit-password
Re: Tips on Hardening Centos7?
https://public.cyber.mil/
Get their STIG Viewer Version 2.9 at https://public.cyber.mil/stigs/srg-stig-tools/
That will let you view the settings file, which will be helpful.
You will need Oracle Java/JRE on Linux to run their STIGViewer-2.9.jar; OpenJRE on Linux will not work. You can also run this .jar in Windows (with Oracle JRE) to view and learn what the settings are.
The settings file is here:
Red Hat Enterprise Linux 7 - Ver 2, Rel 3 STIG, 2019-04-26 https://public.cyber.mil/stigs/download ... unix-linux
Within the zip is "U_Red_Hat_Enterprise_Linux_7_V2R3_Manual_STIG-xccdf.xml", and that's what you open with STIGViewer-2.9.jar.
I don't agree with everything in their xml, but it is a good start. Very likely you will NOT want to apply every setting in that xml file as it does not apply to you, but much of it is common sense and good judgement, all in one place, that you can make good use of.
Note:
- CentOS is RHEL; some rules that are specific (like the grub.cfg location) are still valid, simply change references from "rhel" to "centos".
- It makes no mention of the firewall; you'll obviously want to understand and apply firewall settings accordingly and (if applicable) restrict network access {i.e. if using ssh or samba, only allow access from certain IPs, for certain users, etc.}.
- Also no mention of SELinux settings, but use selinux=enforcing, and not permissive or disabled.
Re: Tips on Hardening Centos7?
Here's the /etc/ssh/sshd_config file I use, based on the STIG.
Stuff near the top is changed from default and what I consider more important; stuff at the bottom is all the default stuff we take for granted.
The ciphers setting only works for PuTTY > 0.70 {which is not a bad thing}. Judge accordingly and reference the default ciphers listing when other systems trying to ssh to this ssh server give an ssh error saying cipher problem.
# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#ListenAddress 0.0.0.0 {want to set this for better hardening}
#ListenAddress ::
Port 22
MACs hmac-sha2-256,hmac-sha2-512
PermitRootLogin no
PermitEmptyPasswords no
X11Forwarding yes
banner /etc/issue
# ClientAliveInterval=600 ClientAliveCountMax=0 it will auto log out idle ssh sessions
# original settings are 0, 3
ClientAliveInterval 0
ClientAliveCountMax 3
# deprecated
#RhostsRSAAuthentication no
IgnoreRhosts yes
PrintLastLog yes
IgnoreUserKnownHosts yes
GSSAPIAuthentication no
KerberosAuthentication no
StrictModes yes
UsePrivilegeSeparation sandbox
Compression no
PermitUserEnvironment no
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
LoginGraceTime 2m
MaxAuthTries 3
MaxSessions 1
AuthorizedPrincipalsFile none
AuthorizedKeysCommand none
AuthorizedKeysCommandUser nobody
SyslogFacility AUTHPRIV
#SyslogFacility AUTH
LogLevel INFO
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
# unsupported
#KerberosGetAFSToken no
KerberosUseKuserok yes
RekeyLimit default none
AllowAgentForwarding yes
AllowTcpForwarding no
GatewayPorts no
X11DisplayOffset 10
X11UseLocalhost yes
PermitTTY yes
PrintMotd yes
TCPKeepAlive yes
# deprecated
#UseLogin no
ShowPatchLevel no
UseDNS yes
PidFile /var/run/sshd.pid
MaxStartups 10:30:100
PermitTunnel no
ChrootDirectory none
VersionAddendum none
Subsystem sftp /usr/libexec/openssh/sftp-server
GSSAPICleanupCredentials no
GSSAPIStrictAcceptorCheck yes
GSSAPIKeyExchange no
GSSAPIEnablek5users no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
HostbasedAuthentication no
# WARNING: UsePAM no not supported in RHEL and may cause several problems.
UsePAM yes
AddressFamily any
#AddressFamily inet {ipv4 only}
#AddressFamily inet6 {ipv6 only}
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
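As an added example (not from any poster in this thread), here is a small POSIX sh audit that reads an sshd_config and reports whether the global settings recommended above (PermitRootLogin, PermitEmptyPasswords, MaxAuthTries, Ciphers, MACs, Banner) are in place. It honours sshd's own rules: the first value seen wins, keywords are case-insensitive, "Key=value" is accepted, and anything after a Match line (as in the prohibit-password example) applies only to that block. The config text is a constructed sample, not the STIG-based file posted above.

```shell
# Added example: audit the global section of an sshd_config for the
# settings recommended in this thread. SAMPLE_CONFIG is constructed.
SAMPLE_CONFIG='
# comment lines and blank lines are ignored
Port 22
PermitRootLogin no
permitemptypasswords no
MaxAuthTries=3
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha2-256,hmac-sha2-512
Match Host 192.0.2.10
    PermitRootLogin prohibit-password
'
# Print the effective global value of keyword $1, config on stdin. sshd keeps
# the FIRST value for a keyword, compares keywords case-insensitively, accepts
# "Key value" or "Key=value", and values after a Match line are block-local.
sshd_global_value() {
    awk -v key="$1" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { line = $0; sub(/^[[:space:]]+/, "", line)
          k = line; sub(/[[:space:]=].*$/, "", k) }
        tolower(k) == "match"      { exit }
        tolower(k) == tolower(key) {
            sub(/^[^[:space:]=]+[[:space:]]*=?[[:space:]]*/, "", line)
            sub(/[[:space:]]+$/, "", line)
            print line; exit }
    '
}
# Run the thread's checks over config string $1: one PASS/FAIL line per
# keyword, exit status = number of keywords that differ (0 = all good).
audit_sshd_config() {
    fails=0
    for pair in 'PermitRootLogin=no' 'PermitEmptyPasswords=no' 'MaxAuthTries=3' \
                'Ciphers=aes128-ctr,aes192-ctr,aes256-ctr' \
                'MACs=hmac-sha2-256,hmac-sha2-512' 'Banner=/etc/issue'
    do
        key=${pair%%=*}; want=${pair#*=}
        got=$(printf '%s\n' "$1" | sshd_global_value "$key")
        if [ "$got" = "$want" ]; then
            echo "PASS $key = $got"
        else
            echo "FAIL $key: want '$want', got '${got:-<unset>}'"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}
audit_sshd_config "$SAMPLE_CONFIG" || echo "$? setting(s) differ from the recommendation"
```

On a live host, `sshd -T` prints the effective configuration after all parsing and is the authoritative check; this parser is for reviewing a copied file offline.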