Question

Hardening CentOS 7 (firewalld, selinux)

Posted September 10, 2014 27.8k views

I recently launched a CentOS 7 droplet and noticed that both firewalld and selinux were disabled by default. Does anyone have a good introductory guide on hardening CentOS 7?

I’m used to setting up an Ubuntu Server install such as:

  • ssh hardening (ports, retries, key_auth. fail2ban)
  • firewall hardening (ufw)
  • application specific hardening
Add a comment
storrgie
By:
storrgie
7 comments
  • wiesson November 14, 2014
    Reply Report

    I’m also interested in this question!

  • asb November 14, 2014
    Reply Report

    @wiesson You might want to check out the tutorial series New CentOS 7 Server Checklist

  • giluxxx December 8, 2014
    Reply Report

    what is wrong with the engineers at digital ocean that they disable firewalld and selinux on purpose?

    makes you wonder about their own systems… and if doing business with them is such a good idea after all…

  • storrgie December 8, 2014
    Reply Report

    @giluxxx I don’t think thats what the intent is, they are providing a bare system that should be hardened by the individual. I do think they should have an officially tended guide (or offer to pay a community member to write one).

  • giluxxx December 8, 2014
    Reply Report

    @storrgie

    if you install your OS you want it to have at least BASIC security since these droplets will be connected to the internet by default.
    Since any image will most probably have outdated packages it therefor there is at risk right after first boot because of possible remotely exploitable vulnerabilities.

    so, enabling selinux and a firewall is not considered hardening its considered basic security.

    after that you can start HARDENING it.

    i think it’s insane these images come without selinux and firewall enabled by default.

    just give me one reason why it shouldn’t be!

  • Show 2 more comments

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

2 answers
conceptblossom November 2, 2014

See here: RHEL7 Security Guide

And here: RHEL7 SELinux

In particular:

systemctl start firewalld
systemctl enable firewalld

And

vi /etc/selinux/config
set enforcing or permissive.
shutdown -r now     (or reboot)

After reboot, confirm:

 sestatus

And to harden ssh:
First confirm you’re able to login via ssh keys.
Then generate a list of all authentication methods, like this:

man sshd_config | grep 'Authentication$'

Then

vi /etc/ssh/sshd_config

Search for all instances of “Authentication” and comment them out. Paste the afore-generated list, as follows:

PubkeyAuthentication yes
RSAAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication no
HostbasedAuthentication no
KerberosAuthentication no
PasswordAuthentication no
RhostsRSAAuthentication no

And restart sshd

systemctl restart sshd
Reply Report
Vehemeni September 10, 2014
An Introduction to Securing your Linux VPS
by Justin Ellingwood
Linux security is a complex task with many different variables to consider. In this guide, we will attempt to give you a good introduction to how to secure your Linux server. We will discuss high-level concepts and areas to keep an eye on, with links to more specific advice.
Reply Report
Submit an Answer

Looking for something else?

Ask a new question Search for more help