Securing a server running CentOS involves multiple layers of defense, starting from the network level and extending all the way up to the application layer. Whether you’re setting up a personal server or managing infrastructure for a business, taking the right precautions will safeguard your systems from both automated and targeted attacks.
In this post, we’ll walk you through practical steps for securing your CentOS server from SSH attacks and application-layer threats. Additionally, we’ll highlight some essential tools that can help assess your setup and monitor for intrusions, providing a comprehensive security strategy.
Securing SSH Access
Since SSH (Secure Shell) is the primary method for remotely managing a CentOS server, it’s often a prime target for attacks. The default configuration can leave you vulnerable to brute force attacks, unauthorized access, and other malicious activities. Here’s how you can secure your SSH access:
1.1 Change the Default SSH Port
By default, SSH listens on port 22. Changing it to a non-standard port can reduce the chances of automated attacks.
- Open the SSH configuration file:
sudo vi /etc/ssh/sshd_config - Locate the line:
#Port 22 - Change it to a new port (e.g., 2022):
Port 2022 - Restart SSH to apply changes:
sudo systemctl restart sshd
1.2 Disable Root Login
Allowing root to log in via SSH opens up a significant vulnerability. Disable direct root login to minimize risk.
- In the same
/etc/ssh/sshd_configfile, find:
PermitRootLogin yes - Change it to:
PermitRootLogin no - Then restart SSH again:
sudo systemctl restart sshd
1.3 Use SSH Key-Based Authentication
Passwords can be guessed or brute-forced, but SSH keys are much harder to compromise.
- Generate an SSH key pair on your local machine:
ssh-keygen -t rsa -b 4096 - Copy the public key to the server:
ssh-copy-id user@your-server-ip - Disable password authentication by editing
/etc/ssh/sshd_config:
PasswordAuthentication no
- Restart SSH:
sudo systemctl restart sshd
1.4 Use Fail2ban for Brute-Force Protection
Fail2ban monitors login attempts and blocks suspicious IPs that attempt too many logins.
- Install Fail2ban:
sudo yum install epel-release
sudo yum install fail2ban - Start and enable Fail2ban:
sudo systemctl start fail2ban
sudo systemctl enable fail2ban - Configure Fail2ban for SSH protection by creating the file
/etc/fail2ban/jail.local:
[sshd]
enabled true
port 2022 # Update if using a custom SSH port
filter = sshd
logpath = /var/log/secure
maxretry = 5
bantime = 3600
Securing the Application Layer
While securing SSH is critical, it’s equally important to protect the applications running on your server. Application-layer attacks exploit vulnerabilities in web apps, APIs, or services like databases. Here’s how to minimize these risks.
2.1 Install a Web Application Firewall (WAF)
A WAF filters, monitors, and blocks HTTP/HTTPS traffic to and from a web application based on security rules.
- ModSecurity is a popular WAF for CentOS:
sudo yum install mod_security
sudo systemctl start httpd
sudo systemctl enable httpd
- Enable the WAF rules in the configuration file located at
/etc/httpd/conf.d/mod_security.conf.
2.2 Keep Applications Updated
Running outdated software is one of the most common causes of security breaches.
- Update your system and applications:
sudo yum update - Enable automatic updates for critical patches:
sudo yum install yum-cron
sudo systemctl start yum-cron
sudo systemctl enable yum-cron
2.3 Implement Secure Configurations
Misconfigurations often leave your application vulnerable. Follow best practices for each software installed:
- Use strong database credentials.
- Ensure files like
.htaccessandwp-config.phpin web apps are inaccessible via HTTP. - Use TLS certificates (like Let’s Encrypt) to secure your HTTP traffic.
2.4 Protect Against DDoS Attacks
Distributed Denial of Service (DDoS) attacks target the availability of your server. To mitigate this, use tools like:
- CSF (ConfigServer Security & Firewall): Install and configure it to prevent DDoS attacks and block malicious traffic.
sudo yum install csf
sudo systemctl start csf
Adjust the firewall rules as needed in the/etc/csf/csf.conffile.
Intrusion Detection and Monitoring
Monitoring your server is crucial for identifying unusual activity that could indicate an ongoing attack. Here’s how you can monitor your server for potential intrusions.
3.1 Use SELinux
Security-Enhanced Linux (SELinux) enforces security policies that limit what applications can do, even if they are compromised.
- Check if SELinux is enabled:
sestatus
- To enable it, edit the
/etc/selinux/configfile and set:
SELINUX=enforcing
Reboot the server afterward:
sudo reboot
3.2 Install and Configure AIDE
AIDE (Advanced Intrusion Detection Environment) is a file integrity checker that scans your system for unauthorized changes.
- Install AIDE:
sudo yum install aide
- Initialize the database:
sudo aide --init
- Check the integrity of your system files regularly:
sudo aide --check
3.3 Monitor Logs with Logwatch
Logwatch analyzes and summarizes your log files, helping you detect suspicious activity.
- Install Logwatch:
sudo yum install logwatch
- Set up daily reports:
sudo logwatch --output mail --mailto [email protected] --detail high
3.4 Use Tripwire for File Monitoring
Tripwire is another popular tool for monitoring your file system for unauthorized changes.
- Install Tripwire:
sudo yum install tripwire
- Configure and run regular scans to ensure file integrity.
Tools to Assess Security and Monitor Intrusions
Here’s a list of tools that can help you assess your server’s security and detect possible intrusions:
- Lynis: A security auditing tool that assesses your CentOS server for vulnerabilities.
sudo yum install lynis
sudo lynis audit system
- Ossec: A host-based intrusion detection system (HIDS) that monitors logs and detects anomalies.
sudo yum install ossec-hids
- Nagios: A powerful monitoring tool to keep track of your server’s health and security.
sudo yum install nagios
Final Thoughts
Securing a CentOS server from SSH attacks and application-layer threats requires a multi-layered approach. By following the steps outlined above, you’ll significantly reduce the risk of an attack on your server. Remember, security is not a one-time setup but an ongoing process. Regularly review your configurations, patch vulnerabilities, and monitor your system to stay ahead of potential threats.
Consider saving this guide as a reference for future setups, and stay vigilant about emerging security threats!
Recap: Key Tools Mentioned
- Fail2ban – Protection from brute-force attacks on SSH
- ModSecurity – Web Application Firewall (WAF)
- CSF – Protect against DDoS attacks
- AIDE/Tripwire – Intrusion detection and file integrity monitoring
- Lynis – Security auditing
- Ossec/Nagios – Intrusion monitoring and server health
