How to Implement a Security Policy on CentOS

How to Implement a Security Policy on CentOS

What Do I Need?

  • Any Dedicated or Virtual Server
  • CentOS
  • Putty

What is a Security Policy?

Security should always be one of the foremost thoughts at all stages of the design, development and deployment of your Linux server. In order to implement a solid and efficient security policy on a machine requires a good handle on the fundamentals of Linux as well as some of the applications, protocols and languages that are used. The security of your operating system is a massive subject and there are literally tomes on this; however, I’ve done what I can to bring you some of the most relevant things to remember.

  1. Physical Protection
    1. Essentially, this means lockdown the physical location of your servers and comms equipment, use rack locking and video surveillance. Take into consideration that any physical access to server rooms can expose your machine to serious security issues.
    2. BIOS/UEFI – passwords can be changed by resetting jumpers on your server’s mainboard or by disconnecting the CMOS battery. Also, an intruder can steal the hard disk to directly attach new hard disks to the mainboard interfaces, sata, scsi, etc, boot up with a Linux live distro, and clone or copy data without leaving any software trace. Simply scary.
    3. Reduce Spying Impact on Environmental Security – in the case of highly sensitive data, you should probably consider using advanced physical protections such as placing and locking the server into a Faraday Cage, or use a military TEMPEST solution in order minimize the impact of spying on the server via radio or electrical leak emanations.
    4. Secure BIOS/UEFI – start the process of hardening your machine by securing BIOS/UEFI settings, especially set a BIOS/UEFI password and disable boot media devices, cd, dvd, disable usb support, in order to prevent any unauthorized users from modifying the system BIOS settings or altering the boot device priority and booting the machine from an alternate medium.
  1. Secure Boot Loader

    Set a GRUB password in order to prevent malicious users to tamper with kernel boot sequence or run levels, edit kernel parameters or start the system into a single-user mode in order to harm your system and reset the root password to gain privileged control.
  1. Use Separate Disk Partitions

    When installing CentOS on systems intended as production servers use dedicated partitions or dedicated hard disks for the following parts of the system:
    /(root)
    
    /boot
    
    /home
    
    /var
    
    /tmp

  1. Use LVM and RAID for Redundancy and File System Growth
    1. The /var partition is the place where log messages are written to disk. This part of the system can exponentially grow in size on heavily traffic servers that expose network services such as web servers or file servers.
    2. Thus, use a large partition for /var or consider setting up this partition using logical volumes (LVM) or combine several physical disks into one larger virtual RAID 0 device to sustain large amounts of data. For data redundancy consider using the LVM layout on top of the RAID 1 level.

  1. Modify fstab Options to Secure Data Partitions
    1. Separate partitions intended for storing data and prevent the execution of programs, device files or setuid bit on these type of partitions by adding the following options to fstab file as illustrated on the below excerpt:
    /dev/sda5          /nas          ext4
    defaults,nosuid,nodev,noexec 1 2

    1. To prevent privilege-escalation and arbitrary script execution create a separate partition for /tmp and mount it as nosuid, nodev, and noexec:
    /dev/sda6          /tmp         ext4    
    defaults,nosuid,nodev,noexec 0 0

  1. Encrypt the Server Hard Disks at Block Level with LUKS
    1. In order to protect sensitive data snooping in case of physical access to machine hard drives. LUKS acronym stands for Linux Unified Key Setup which is a widely used method of disk-encryption used by Linux Kernel and is implemented with the cryptsetup package.
    2. The cryptsetup command line encrypts a volume disk on fly using symmetric encryption key derived from supplied passphrase that is provided every time a volume disk, a partition and also a whole disk, even a USB stick is mounted in filesystem hierarchy and uses the aes-cbc-essiv:sha256 cipher.

Conclusion

Securing your CentOS server is incredibly important and not something to be taken lightly. What we’ve looked at earlier in this how-to guide is just the tip of the iceberg in ensuring your enterprise grade server is protected against hackers and bad-actors. Be sure to keep an eye out for more how-to guides in the future expanding your knowledge on this incredibly interesting subject.

How To Set up a VSFTPD Server on a CentOS 7 VPS or Dedicated Server

Brief Description FTP is usually insecure exposing clear-text passwords, userna
2 min read
Avi Ilinsky
Avi Ilinsky
Hosting Expert

How To Set up a VSFTPD Server on an Ubuntu 16.04 VPS or Dedicated Server

Brief Description FTP data is usually insecure since information (usernames, pa
2 min read
Eliran Ouzan
Eliran Ouzan
Web Designer & Hosting Expert

How to use phpMyAdmin to develop a website (without MySQL experience)

Brief description A web developer who is not well versed into coding websites f
2 min read
Idan Cohen
Idan Cohen
Marketing Expert

How to Install MySQL on a Windows Web Server Running Apache

This tutorial will show you how to install the MySQL database on a Windows serve
3 min read
Michael Levanduski
Michael Levanduski
Expert Hosting Writer & Tester
HostAdvice.com provides professional web hosting reviews fully independent of any other entity. Our reviews are unbiased, honest, and apply the same evaluation standards to all those reviewed. While monetary compensation is received from a few of the companies listed on this site, compensation of services and products have no influence on the direction or conclusions of our reviews. Nor does the compensation influence our rankings for certain host companies. This compensation covers account purchasing costs, testing costs and royalties paid to reviewers.
Click to go to the top of the page
Go To Top