Tips on Hardening Centos7?

Support for security such as Firewalls and securing linux
lightman47
Posts: 1521
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

Re: Tips on Hardening Centos7?

Post by lightman47 » 2019/06/26 18:02:17

CARP ==> failure to read the top of the sshd_config file!!! My bad! Created an uncommented entry = no

That said - /var/log/secure routinely (and thankfully) rejects root login attempts on my server due to the userID < 1000. Why might that be?

Thank you.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Tips on Hardening Centos7?

Post by TrevorH » 2019/06/26 18:06:23

Because the login attempt matched the test in /etc/pam.d/system-auth-ac and failed the tests that precede it.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

lightman47
Posts: 1521
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

Re: Tips on Hardening Centos7?

Post by lightman47 » 2019/06/26 18:10:37

Hah - a study note!
Thank you.

jscarville
Posts: 135
Joined: 2014/06/17 21:50:37

Re: Tips on Hardening Centos7?

Post by jscarville » 2019/07/01 23:19:34

As a general rule, always set PermitRootLogin to "no". If you must allow remote root logins, then put it in a Match block. Even then, set it up to only allow key-based logins, i.e.:

Code:

Match Host ip.add.re.ss
  PermitRootLogin  prohibit-password

ron7000
Posts: 162
Joined: 2019/01/15 20:00:28

Re: Tips on Hardening Centos7?

Post by ron7000 » 2019/07/30 17:06:04

https://public.cyber.mil/

Get their STIG Viewer Version 2.9 at https://public.cyber.mil/stigs/srg-stig-tools/

That will let you view the settings file, which will be helpful.
You will need Oracle Java/JRE in Linux to run their STIGViewer-2.9.jar; OpenJRE in Linux will not work. You can also run this .jar in Windows (with Oracle JRE) to view and learn what the settings are.

The settings file is here:

Red Hat Enterprise Linux 7 - Ver 2, Rel 3 STIG, 2019-04-26 https://public.cyber.mil/stigs/download ... unix-linux
Within the zip is "U_Red_Hat_Enterprise_Linux_7_V2R3_Manual_STIG-xccdf.xml", and that's what you open with STIGViewer-2.9.jar.

I don't agree with everything in their XML, but it is a good start. Very likely you will NOT want to apply every setting in that XML file, as it does not all apply to you, but much of it is common sense and good judgement, all in one place, that you can make good use of.

Note:
  • CentOS is RHEL; some rules that are specific (like the grub.cfg location) are still valid, simply change references from "rhel" to "centos"
  • it makes no mention of the firewall; you'll obviously want to understand and apply firewall settings accordingly and (if applicable) restrict network access {i.e. if using ssh or samba, only allow access from certain IPs, for certain users, etc.}
  • also no mention of SELinux settings, but use selinux=enforcing, and not permissive or disabled.

ron7000
Posts: 162
Joined: 2019/01/15 20:00:28

Re: Tips on Hardening Centos7?

Post by ron7000 » 2019/07/30 17:26:58

Here's the /etc/ssh/sshd_config file I use, based on the STIG.
Stuff near the top is changed from the default and is what I consider more important; stuff at the bottom is all the default stuff we take for granted.

The Ciphers setting only works for PuTTY > 0.70 {which is not a bad thing}. Judge accordingly and reference the default Ciphers listing when other systems trying to ssh to this ssh server give an ssh error saying cipher problem.

Code:

# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER

#ListenAddress 0.0.0.0       {want to set this for better hardening}
#ListenAddress ::


Port                          22
MACs                          hmac-sha2-256,hmac-sha2-512
PermitRootLogin               no
PermitEmptyPasswords          no
X11Forwarding                 yes
banner                        /etc/issue

# ClientAliveInterval=600 ClientAliveCountMax=0 it will auto log out idle ssh sessions
# original settings are 0, 3
ClientAliveInterval           0
ClientAliveCountMax           3

# deprecated
#RhostsRSAAuthentication      no

IgnoreRhosts                  yes
PrintLastLog                  yes
IgnoreUserKnownHosts          yes
GSSAPIAuthentication          no
KerberosAuthentication        no
StrictModes                   yes
UsePrivilegeSeparation        sandbox
Compression                   no
PermitUserEnvironment         no
Ciphers                       aes128-ctr,aes192-ctr,aes256-ctr

LoginGraceTime                2m
MaxAuthTries                  3
MaxSessions                   1
AuthorizedPrincipalsFile      none
AuthorizedKeysCommand         none
AuthorizedKeysCommandUser     nobody
SyslogFacility                AUTHPRIV
#SyslogFacility               AUTH
LogLevel                      INFO
KerberosOrLocalPasswd         yes
KerberosTicketCleanup         yes

# unsupported
#KerberosGetAFSToken          no

KerberosUseKuserok            yes
RekeyLimit                    default none
AllowAgentForwarding          yes
AllowTcpForwarding            no
GatewayPorts                  no
X11DisplayOffset              10
X11UseLocalhost               yes
PermitTTY                     yes
PrintMotd                     yes
TCPKeepAlive                  yes

# deprecated
#UseLogin                     no

ShowPatchLevel                no
UseDNS                        yes
PidFile                       /var/run/sshd.pid
MaxStartups                   10:30:100
PermitTunnel                  no
ChrootDirectory               none
VersionAddendum               none
Subsystem sftp                /usr/libexec/openssh/sftp-server
GSSAPICleanupCredentials      no
GSSAPIStrictAcceptorCheck     yes
GSSAPIKeyExchange             no
GSSAPIEnablek5users           no
PubkeyAuthentication          yes
AuthorizedKeysFile            .ssh/authorized_keys

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication        yes

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
HostbasedAuthentication       no

# WARNING: UsePAM no not supported in RHEL and may cause several problems.

UsePAM                        yes

AddressFamily any
#AddressFamily inet   {ipv4 only}
#AddressFamily inet6  {ipv6 only}

HostKey                       /etc/ssh/ssh_host_rsa_key
#HostKey                      /etc/ssh/ssh_host_dsa_key
HostKey                       /etc/ssh/ssh_host_ecdsa_key
HostKey                       /etc/ssh/ssh_host_ed25519_key

# Change to no to disable s/key passwords
ChallengeResponseAuthentication              yes

AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
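The two posts above make a point that is easy to get wrong when auditing a config by eye: what sshd actually enforces for a given client depends on which Match block (if any) applies, and within a section the first value of a keyword wins. The script below is an added example, not code from any post in this thread or from OpenSSH; it parses a constructed sshd_config in the shape jscarville recommends (PermitRootLogin no globally, prohibit-password only inside a Match Host block), resolves the effective value for a given client host, and then checks a handful of the points ron7000's config makes (root login, empty passwords, CTR-only ciphers, SHA-2 MACs, idle-session logout). The addresses 203.0.113.10 and 198.51.100.7 are documentation addresses standing in for the thread's ip.add.re.ss placeholder, and only Host-only Match blocks are evaluated; both are assumptions of this example.

```python
# Added example, not code from this thread.  Both configs are constructed;
# 203.0.113.10 / 198.51.100.7 stand in for the thread's ip.add.re.ss.
import fnmatch

# Shape jscarville recommends: root login off globally, key-only root login
# from one management host via a Match block.
SAMPLE_CONFIG = """\
Port 22
PermitRootLogin no
PermitEmptyPasswords no
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha2-256,hmac-sha2-512
ClientAliveInterval 0
ClientAliveCountMax 3

Match Host 203.0.113.10
  PermitRootLogin prohibit-password
"""

# Constructed counter-example carrying several weaknesses the checks flag.
WEAK_CONFIG = """\
PermitRootLogin yes
Ciphers aes256-cbc,aes128-ctr
MACs hmac-md5,hmac-sha2-256
ClientAliveInterval 600
ClientAliveCountMax 0
"""

def parse_sshd_config(text):
    """Return (global settings, [(match criteria, settings), ...]).  Keywords are
    case-insensitive; sshd keeps the FIRST value per section, hence setdefault."""
    global_settings, blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)            # 'Keyword=value' form not handled
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            tokens = value.split()
            criteria = {tokens[i].lower(): tokens[i + 1]
                        for i in range(0, len(tokens) - 1, 2)}
            current = {}
            blocks.append((criteria, current))
        else:
            current.setdefault(keyword, value)
    return global_settings, blocks

def ssh_pattern_match(pattern_list, candidate):
    """sshd-style pattern list: comma-separated globs (* and ?); a leading '!'
    negates an entry, and a negated match rejects immediately."""
    matched = False
    for pat in pattern_list.split(","):
        negate = pat.startswith("!")
        if fnmatch.fnmatchcase(candidate, pat.lstrip("!")):
            if negate:
                return False
            matched = True
    return matched

def effective_value(text, keyword, client_host):
    """Value sshd would use for `keyword` on a connection from `client_host`:
    the first matching Match block that sets it wins, else the global value
    (None if unset).  Simplification: only Host-only Match blocks are tested."""
    global_settings, blocks = parse_sshd_config(text)
    keyword = keyword.lower()
    for criteria, settings in blocks:
        if set(criteria) == {"host"} and keyword in settings \
                and ssh_pattern_match(criteria["host"], client_host):
            return settings[keyword]
    return global_settings.get(keyword)

def audit(text, client_host):
    """Findings for one client host; an empty list means the config meets the
    points raised in the thread for connections from that host."""
    findings = []
    for keyword, allowed in (("PermitRootLogin", ("no", "prohibit-password")),
                             ("PermitEmptyPasswords", ("no",))):
        value = effective_value(text, keyword, client_host)
        if value is None or value.lower() not in allowed:
            findings.append(f"{keyword}={value!r} for {client_host}: "
                            f"want {' or '.join(allowed)}")
    # Substrings that mark algorithms the thread's CTR/SHA-2-only lists exclude.
    for keyword, marks in (("Ciphers", ("cbc", "arcfour", "3des", "blowfish")),
                           ("MACs", ("md5", "sha1", "-96"))):
        algs = (effective_value(text, keyword, client_host) or "").split(",")
        weak = [a for a in algs if any(m in a.lower() for m in marks)]
        if weak:
            findings.append(f"weak {keyword} enabled: {','.join(weak)}")
    interval = effective_value(text, "ClientAliveInterval", client_host) or "0"
    if not interval.isdigit() or int(interval) == 0:
        findings.append("ClientAliveInterval=0: idle sessions are never logged "
                        "out (the config's comment suggests 600 with CountMax 0)")
    return findings

if __name__ == "__main__":
    for host in ("203.0.113.10", "198.51.100.7"):
        print(host, "-> PermitRootLogin",
              effective_value(SAMPLE_CONFIG, "PermitRootLogin", host),
              "| findings:", audit(SAMPLE_CONFIG, host))
    print("weak config findings:", audit(WEAK_CONFIG, "198.51.100.7"))
```

Run against the sample, the management host resolves PermitRootLogin to prohibit-password and every other host to no, with the only finding being the disabled idle logout; the weak config produces four findings. On a real CentOS 7 box, `sshd -T -C user=root,host=203.0.113.10,addr=203.0.113.10` prints the configuration sshd itself resolves for that connection, which is the ground truth to compare any such audit against.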
