Question
Hardening CentOS 7 (firewalld, selinux)
I recently launched a CentOS 7 droplet and noticed that both firewalld and selinux were disabled by default. Does anyone have a good introductory guide on hardening CentOS 7?
I’m used to setting up an Ubuntu Server install such as:
- ssh hardening (ports, retries, key_auth, fail2ban)
- firewall hardening (ufw)
- application specific hardening
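The same SSH checklist, carried over to CentOS 7 as an added example (this is not code from the original post or from DigitalOcean). It assumes the new SSH port is 2222, that sshd reads /etc/ssh/sshd_config, and that fail2ban from EPEL reads /etc/fail2ban/jail.local; the helper functions only edit whatever file they are given, and the live steps (semanage, firewall-cmd, systemctl) run only when the script is invoked with `--apply`.

```bash
#!/usr/bin/env bash
# Added example, not from the original thread: the Ubuntu-style SSH
# checklist (port, retries, key-only auth, fail2ban) applied to CentOS 7.
# Assumptions: new SSH port 2222, sshd_config at /etc/ssh/sshd_config,
# fail2ban (EPEL) reading /etc/fail2ban/jail.local.
set -eu

# set_sshd_option FILE KEY VALUE
# sshd uses the FIRST occurrence of a keyword, and everything after a
# "Match" line belongs to that block. So: drop every earlier global KEY
# line (active or commented out), leave Match blocks untouched, and put
# the new directive at the very top where nothing can shadow it.
set_sshd_option() {
  local file=$1 key=$2 value=$3 tmp
  tmp=$(mktemp)
  printf '%s %s\n' "$key" "$value" > "$tmp"
  awk -v key="$key" '
    tolower($1) == "match" { in_match = 1 }        # global section is over
    in_match { print; next }
    {
      line = $0
      sub(/^[ \t]*[#]?[ \t]*/, "", line)            # strip indent and comment marker
      n = length(key)
      if (tolower(substr(line, 1, n)) == tolower(key) &&
          (length(line) == n || substr(line, n + 1, 1) ~ /[ \t=]/))
        next                                        # an older KEY line: drop it
      print
    }
  ' "$file" >> "$tmp"
  mv "$tmp" "$file"
}

# harden_sshd_config FILE [PORT]: the checklist items as sshd directives
harden_sshd_config() {
  local file=$1 port=${2:-2222}
  set_sshd_option "$file" Port "$port"
  set_sshd_option "$file" PermitRootLogin no              # log in as a user, sudo up
  set_sshd_option "$file" PubkeyAuthentication yes
  set_sshd_option "$file" PasswordAuthentication no       # keys only
  set_sshd_option "$file" ChallengeResponseAuthentication no
  set_sshd_option "$file" MaxAuthTries 3                  # retries per connection
  set_sshd_option "$file" LoginGraceTime 30
}

# sshd_option KEY FILE: the value sshd will actually use (first global hit)
sshd_option() {
  awk -v key="$1" '
    tolower($1) == "match" { exit }                 # stop at the first Match block
    /^[ \t]*#/ || NF == 0 { next }
    tolower($1) == tolower(key) { print $2; exit }
  ' "$2"
}

# write_fail2ban_jail FILE PORT: ban a source after 3 failed logins in 10 minutes
write_fail2ban_jail() {
  cat > "$1" <<EOF
[sshd]
enabled  = true
port     = $2
logpath  = /var/log/secure
maxretry = 3
findtime = 600
bantime  = 3600
EOF
}

# Live changes only when explicitly asked for. Keep the current session
# open until a second login on the new port works, or you lock yourself out.
if [ "${1:-}" = "--apply" ]; then
  PORT=2222
  harden_sshd_config /etc/ssh/sshd_config "$PORT"
  sshd -t                                               # refuse to go on with a bad config
  semanage port -a -t ssh_port_t -p tcp "$PORT"         # SELinux (if enabled) must allow sshd on 2222;
                                                        # needs policycoreutils-python, use -m if 2222 is already labelled
  firewall-cmd --permanent --add-port="$PORT"/tcp       # and firewalld must let it in
  firewall-cmd --reload
  write_fail2ban_jail /etc/fail2ban/jail.local "$PORT"
  systemctl enable --now fail2ban
  systemctl reload sshd
fi
```

Prepending rather than appending matters: a `Port` or `PasswordAuthentication` line tacked onto the end of a file that already has a `Match` block lands inside that block and either errors out or applies only to the matched users.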
I’m also interested in this question!
@wiesson You might want to check out the tutorial series New CentOS 7 Server Checklist
What is wrong with the engineers at DigitalOcean that they disable firewalld and SELinux on purpose?
Makes you wonder about their own systems… and if doing business with them is such a good idea after all…
@giluxxx I don’t think that’s what the intent is; they are providing a bare system that should be hardened by the individual. I do think they should have an officially tended guide (or offer to pay a community member to write one).
@storrgie
If you install your OS, you want it to have at least BASIC security, since these droplets will be connected to the internet by default.
Since any image will most probably have outdated packages, it is therefore at risk right after first boot because of possible remotely exploitable vulnerabilities.
So, enabling SELinux and a firewall is not considered hardening; it’s considered basic security.
After that you can start HARDENING it.
I think it’s insane these images come without SELinux and a firewall enabled by default.
Just give me one reason why it shouldn’t be!
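What "basic security" from the comment above looks like on a droplet whose image shipped with SELinux and firewalld off, as an added example (not code from the thread or from DigitalOcean). It assumes the boot-time SELinux mode lives in /etc/selinux/config and that SSH is the only service that has to stay reachable; the file-editing helpers work on any path you hand them, and the live steps (yum, systemctl, firewall-cmd, setenforce) run only with `--apply`.

```bash
#!/usr/bin/env bash
# Added example, not from the original thread: update, enable firewalld,
# and bring SELinux from disabled to enforcing without locking yourself out.
# Assumptions: SELinux boot mode in /etc/selinux/config, SSH is the only
# service that must remain reachable.
set -eu

# selinux_config_mode FILE: the mode SELinux will boot into (enforcing,
# permissive or disabled), read from the SELINUX= line; SELINUXTYPE= is ignored.
selinux_config_mode() {
  awk -F= '/^[ \t]*SELINUX[ \t]*=/ { gsub(/[ \t]/, "", $2); print $2; exit }' "$1"
}

# set_selinux_config_mode FILE MODE: rewrite the SELINUX= line, keeping
# comments and SELINUXTYPE=; add the line if the file has none.
set_selinux_config_mode() {
  local file=$1 mode=$2 tmp
  case $mode in
    enforcing|permissive|disabled) ;;
    *) echo "bad SELinux mode: $mode" >&2; return 1 ;;
  esac
  tmp=$(mktemp)
  awk -v mode="$mode" '
    /^[ \t]*SELINUX[ \t]*=/ { print "SELINUX=" mode; seen = 1; next }
    { print }
    END { if (!seen) print "SELINUX=" mode }
  ' "$file" > "$tmp"
  mv "$tmp" "$file"
}

# selinux_plan BOOT_MODE: the next safe step. A system that booted with
# SELinux disabled has an unlabelled filesystem, so jumping straight to
# enforcing breaks logins; relabel under permissive first, then enforce.
selinux_plan() {
  case $1 in
    disabled)   echo relabel ;;
    permissive) echo enforce ;;
    enforcing)  echo ok ;;
    *) echo "unknown SELinux mode: $1" >&2; return 1 ;;
  esac
}

if [ "${1:-}" = "--apply" ]; then
  yum -y update                                   # the image's packages are stale
  systemctl enable --now firewalld
  firewall-cmd --permanent --add-service=ssh      # default zone: only SSH in
  firewall-cmd --reload
  case $(selinux_plan "$(selinux_config_mode /etc/selinux/config)") in
    relabel)
      set_selinux_config_mode /etc/selinux/config permissive
      touch /.autorelabel                         # label every file on next boot
      echo "Reboot, then run this again with --apply to switch to enforcing." ;;
    enforce)
      # Anything denied while permissive will be blocked under enforcing;
      # fix those first instead of enforcing blind.
      if ausearch -m avc -ts today >/dev/null 2>&1; then
        ausearch -m avc -ts today
        echo "AVC denials found; resolve them before enforcing." >&2
        exit 1
      fi
      set_selinux_config_mode /etc/selinux/config enforcing
      setenforce 1 ;;
    ok) echo "SELinux already set to enforcing at boot." ;;
  esac
fi
```

The two-step dance (permissive plus relabel, reboot, then enforcing) is the part people skip and then blame SELinux for; an unlabelled root filesystem under enforcing policy is what produces the "can't log in after enabling SELinux" stories.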
@giluxxx
Who cares about SELINUX and FIREWALL if it’s a minimal installation? Nothing is running except SSH, so even if you have SELINUX and FIREWALL, SSH is still exposed.
Thumbs Up for DigitalOcean providing a real minimal installation.
nothing is running except SSH????
There are literally hundreds of processes running…
Are you insane or are you just trying to troll?
Anyway,
if you are so certain your setup is so secure, please post the IP numbers of your servers here.