How to Secure a Server Running CentOS from SSH and Application Layer Attacks

CentOS-SSH-Config
Table of Contents

Securing a server running CentOS involves multiple layers of defense, starting from the network level and extending all the way up to the application layer. Whether you’re setting up a personal server or managing infrastructure for a business, taking the right precautions will safeguard your systems from both automated and targeted attacks.

In this post, we’ll walk you through practical steps for securing your CentOS server from SSH attacks and application-layer threats. Additionally, we’ll highlight some essential tools that can help assess your setup and monitor for intrusions, providing a comprehensive security strategy.

Securing SSH Access

Since SSH (Secure Shell) is the primary method for remotely managing a CentOS server, it’s often a prime target for attacks. The default configuration can leave you vulnerable to brute force attacks, unauthorized access, and other malicious activities. Here’s how you can secure your SSH access:

1.1 Change the Default SSH Port

By default, SSH listens on port 22. Changing it to a non-standard port can reduce the chances of automated attacks.

  • Open the SSH configuration file:
    sudo vi /etc/ssh/sshd_config
  • Locate the line:
    #Port 22
  • Change it to a new port (e.g., 2022):
    Port 2022
  • Restart SSH to apply changes:
    sudo systemctl restart sshd

1.2 Disable Root Login

Allowing root to log in via SSH opens up a significant vulnerability. Disable direct root login to minimize risk.

  • In the same /etc/ssh/sshd_config file, find:
    PermitRootLogin yes
  • Change it to:
    PermitRootLogin no
  • Then restart SSH again:
    sudo systemctl restart sshd

1.3 Use SSH Key-Based Authentication

Passwords can be guessed or brute-forced, but SSH keys are much harder to compromise.

  • Generate an SSH key pair on your local machine:
    ssh-keygen -t rsa -b 4096
  • Copy the public key to the server:
    ssh-copy-id user@your-server-ip
  • Disable password authentication by editing /etc/ssh/sshd_config:
    PasswordAuthentication no
  • Restart SSH:
    sudo systemctl restart sshd

1.4 Use Fail2ban for Brute-Force Protection

Fail2ban monitors login attempts and blocks suspicious IPs that attempt too many logins.

  • Install Fail2ban:
    sudo yum install epel-release
    sudo yum install fail2ban
  • Start and enable Fail2ban:
    sudo systemctl start fail2ban
    sudo systemctl enable fail2ban
  • Configure Fail2ban for SSH protection by creating the file /etc/fail2ban/jail.local:
    [sshd]
    enabled true
    port 2022 # Update if using a custom SSH port
    filter = sshd
    logpath = /var/log/secure
    maxretry = 5
    bantime = 3600

Securing the Application Layer

While securing SSH is critical, it’s equally important to protect the applications running on your server. Application-layer attacks exploit vulnerabilities in web apps, APIs, or services like databases. Here’s how to minimize these risks.

2.1 Install a Web Application Firewall (WAF)

A WAF filters, monitors, and blocks HTTP/HTTPS traffic to and from a web application based on security rules.

  • ModSecurity is a popular WAF for CentOS:
    sudo yum install mod_security
    sudo systemctl start httpd
    sudo systemctl enable httpd
  • Enable the WAF rules in the configuration file located at /etc/httpd/conf.d/mod_security.conf.

2.2 Keep Applications Updated

Running outdated software is one of the most common causes of security breaches.

  • Update your system and applications:
    sudo yum update
  • Enable automatic updates for critical patches:
    sudo yum install yum-cron
    sudo systemctl start yum-cron
    sudo systemctl enable yum-cron

2.3 Implement Secure Configurations

Misconfigurations often leave your application vulnerable. Follow best practices for each software installed:

  • Use strong database credentials.
  • Ensure files like .htaccess and wp-config.php in web apps are inaccessible via HTTP.
  • Use TLS certificates (like Let’s Encrypt) to secure your HTTP traffic.

2.4 Protect Against DDoS Attacks

Distributed Denial of Service (DDoS) attacks target the availability of your server. To mitigate this, use tools like:

  • CSF (ConfigServer Security & Firewall): Install and configure it to prevent DDoS attacks and block malicious traffic.
    sudo yum install csf
    sudo systemctl start csf

    Adjust the firewall rules as needed in the /etc/csf/csf.conf file.

Intrusion Detection and Monitoring

Monitoring your server is crucial for identifying unusual activity that could indicate an ongoing attack. Here’s how you can monitor your server for potential intrusions.

3.1 Use SELinux

Security-Enhanced Linux (SELinux) enforces security policies that limit what applications can do, even if they are compromised.

  • Check if SELinux is enabled:
    sestatus
  • To enable it, edit the /etc/selinux/config file and set:
    SELINUX=enforcing

    Reboot the server afterward:
    sudo reboot

3.2 Install and Configure AIDE

AIDE (Advanced Intrusion Detection Environment) is a file integrity checker that scans your system for unauthorized changes.

  • Install AIDE:
    sudo yum install aide
  • Initialize the database:
    sudo aide --init
  • Check the integrity of your system files regularly:
    sudo aide --check

3.3 Monitor Logs with Logwatch

Logwatch analyzes and summarizes your log files, helping you detect suspicious activity.

  • Install Logwatch:
    sudo yum install logwatch
  • Set up daily reports:
    sudo logwatch --output mail --mailto [email protected] --detail high

3.4 Use Tripwire for File Monitoring

Tripwire is another popular tool for monitoring your file system for unauthorized changes.

  • Install Tripwire:
    sudo yum install tripwire
  • Configure and run regular scans to ensure file integrity.

Tools to Assess Security and Monitor Intrusions

Here’s a list of tools that can help you assess your server’s security and detect possible intrusions:

  • Lynis: A security auditing tool that assesses your CentOS server for vulnerabilities.
    sudo yum install lynis
    sudo lynis audit system
  • Ossec: A host-based intrusion detection system (HIDS) that monitors logs and detects anomalies.
    sudo yum install ossec-hids
  • Nagios: A powerful monitoring tool to keep track of your server’s health and security.
    sudo yum install nagios

Final Thoughts

Securing a CentOS server from SSH attacks and application-layer threats requires a multi-layered approach. By following the steps outlined above, you’ll significantly reduce the risk of an attack on your server. Remember, security is not a one-time setup but an ongoing process. Regularly review your configurations, patch vulnerabilities, and monitor your system to stay ahead of potential threats.

Consider saving this guide as a reference for future setups, and stay vigilant about emerging security threats!

Recap: Key Tools Mentioned

  • Fail2ban – Protection from brute-force attacks on SSH
  • ModSecurity – Web Application Firewall (WAF)
  • CSF – Protect against DDoS attacks
  • AIDE/Tripwire – Intrusion detection and file integrity monitoring
  • Lynis – Security auditing
  • Ossec/Nagios – Intrusion monitoring and server health
Latest articles
Picture of Endri Bedini
Endri Bedini

Endri Bedini is a laureate in Mechanical Engineering with over 20 years of experience in various technology fields, including Electronics, IT, and Healthcare Equipment. Throughout his career, Endri has honed his skills and expertise, earning a reputation for his exceptional problem-solving abilities and innovative thinking. In addition to his work in technology, Endri has a deep interest in Science, Astronomy, AI, Psychology, Sociology, Nature, and Evolution. He is committed to staying up-to-date with the latest developments in these fields, and his insights are informed by his broad range of knowledge and interests.

Read also

Receive new posts and updates at your e-mail address.

Subscription Form
Scroll to Top