
CentOS Server Hardening

For

Version: 1.0
Date: 08 June 2010

Confidential and Proprietary

Table of Contents

[1] Introduction and Basic Assumptions
    1.1. Pre-Hardening
    1.2. Root Privileges
    1.3. Actions
    1.4. Enabling / Disabling Services
    1.5. Reboot is Required
    1.6. Conventional Terms
[2] Prerequisites
    2.1. Backup
    2.2. Patch
    2.3. Installation
[3] Hardening Procedures
    3.1. User and Group Accounts
    3.2. Account and Password Policy
    3.3. Access Control
    3.4. Services Configuration
    3.5. Networking
    3.6. General Requirements
Appendix A


[1] Introduction and Basic Assumptions


The primary principle of this hardening document is to install and run only what is clearly
required. Services and applications should be installed and started only if absolutely required, and
only as described in this document.

1.1. Pre-Hardening
This document describes major changes to the configuration of the operating system in order to provide a
better security level. Note section 2.1 for backup before hardening.

1.2. Root Privileges


The actions listed in this hardening document are written with the assumption that they will be executed by
the root user running the /bin/bash shell.

1.3. Actions
The actions listed in this document are written on the assumption that they will be executed in the
order presented here. Some actions may need to be modified if the order is changed. Some actions are
written so that they can be copied directly from this document into a root shell window ("cut-and-paste").

1.4. Enabling / Disabling Services


Please note that during the hardening many of the "chkconfig" actions, which activate or deactivate
services, produce the message "error reading information on service <service>: No such file or directory."
These messages are normal and should not cause alarm; they simply indicate that the service being
referenced is not installed on your machine. As the OS installation allows a great deal of flexibility in what
software you choose to install, these messages are unavoidable unless the service list is first filtered
against what is actually installed.

1.5. Reboot is required


Rebooting the system is required after completing all of the actions below in order to complete the
reconfiguration of the system and verify that all services are up and running. In some cases, the changes
made in the following steps will not take effect until this reboot is performed.


1.6. Conventional Terms

Term          Description

Must          The definition is an absolute requirement of the specification.
Must not      The definition is an absolute prohibition of the specification.
Should        There may be a valid reason in particular circumstances to ignore a particular
              definition, but the full implications must be understood and carefully weighed
              before choosing a different course.
Should not    There may be valid reasons in particular circumstances when the particular behavior
              is acceptable or even useful, but the full implications should be understood and the
              case carefully weighed before implementing any behavior described with this label.
May           The definition is recommended but it is not a must. If it is ignored, the security of
              the operating system will still be satisfactory.


[2] Prerequisites
2.1. Backup
Before performing the steps of this hardening guide, backup copies of the critical configuration files that
will be modified by the hardening items MUST be created. A full backup or a mirror of the system SHOULD be taken.

2.2. Patch
Keeping up to date with vendor patches is critical for the security and reliability of the system. Vendors
issue operating system updates when they become aware of security vulnerabilities and other serious
functionality issues, but it is up to their customers to actually download and install these patches.
All security patches SHOULD be applied in a test environment before being applied to the production
environment, because a patch may break the installed application.
After testing, all security patches SHOULD be applied to the production environment.

2.3. Installation

The system MUST be installed with the minimum needed components (select the minimal package set
during the CentOS operating system installation).

The SSH suite MUST be installed.

The operating system SHOULD be installed with separate partitions for the following mount points, so
that the mount options of section 3.4.7 can be applied to each of them:

/tmp

/home

/var

/boot

In any case the following packages SHOULD NOT be installed:

Action
parted
The parted package contains utilities to create, destroy, resize, move and copy hard disk
partitions. Since the disk is laid out during installation, there is no need to change it afterwards.
nc
Netcat is a general-purpose networking utility that reads and writes data across network
connections. It can open arbitrary TCP and UDP connections and listen on arbitrary ports, which
makes it a convenient tool for an attacker who has obtained a shell on the host.


[3] Hardening Procedures


3.1. User and Group accounts
The following user accounts MAY be removed if the corresponding service is not used:
User
uucp
news
ldap
postfix
ftp
games
mail
lp
The shell of the following accounts MUST be set to /dev/null (on CentOS, /sbin/nologin is the
equivalent non-interactive shell and additionally logs the refused login):
User
daemon
bin
sys
nobody
noaccess
nobody4
Note: sys, noaccess and nobody4 are Solaris account names and are normally absent from a CentOS
installation; that is fine.
The following groups MAY be removed:
Group
adm
dip
gopher
games
uucp
Check for further unused accounts and groups and delete them carefully. If the purpose of an account is
unknown, it is better to lock it and set its shell to /dev/null than to delete it.

3.2. Account and Password Policy


The operating system allows the account policy to be configured through a number of parameters. The
default configuration on the servers usually provides a low level of security. The following steps
are required in order to create a suitable policy.


3.2.1. Generic Accounts


Generic accounts are accounts that are shared by a number of users. This means that the identity of
the user who performed an action on the system is unclear and could be any one of many people.
These accounts defeat accountability, are not recommended and SHOULD NOT be used.
Delete generic accounts.

3.2.2. UID 0 Accounts


Any account configured with UID 0 has root privileges, whatever its name.
Action
No user besides the root account MUST be configured with UID 0.
The root group MUST include only the root user.

3.2.3. Password Policy


A password policy SHOULD be enforced. This is a recommended set of policy rules:
Action
Minimum password length MUST be at least 8 characters.
Passwords SHOULD include at least one uppercase character
Password SHOULD include at least one lowercase character
Passwords SHOULD include at least one special character (Example: #$%^&* etc.)
Passwords SHOULD include at least one numeric character
Password history SHOULD be set to 10
All accounts SHOULD be locked after five invalid login attempts from Telnet, SSH and
login interfaces.
An automatic script MUST run to release blocked accounts after 10 minutes of
lockout.

Technical Details for Password Policy:


The following lines MUST be set in /etc/login.defs (the file uses "NAME VALUE" separated by
whitespace, not "NAME=VALUE"):
Action
PASS_MIN_DAYS 1
PASS_MAX_DAYS 90
PASS_WARN_AGE 7
PASS_MIN_LEN 8
Note: these values apply to accounts created afterwards; existing accounts keep their current ageing
settings until they are changed with chage. On CentOS, PASS_MIN_LEN is only honoured by tools that
bypass PAM; the minlen setting in the PAM configuration below is what actually enforces the length.


The following lines MUST be set in /etc/pam.d/system-auth (note the hyphen; CentOS has no file
named system_auth):

Action
password    sufficient    pam_unix.so <existing options such as nullok use_authtok md5 shadow> remember=5 minlen=8
Note: remember=5 keeps only five previous hashes (in /etc/security/opasswd); the policy above asks for
a history of 10, so remember=10 is the value that satisfies it.

Action
password    required      pam_cracklib.so retry=3 debug ucredit=-1 dcredit=-1 ocredit=-1 lcredit=-1
Note: this line MUST precede the pam_unix password line so that pam_unix receives the already checked
password (use_authtok). The debug option logs every check to syslog and SHOULD be removed once the
configuration has been verified.

Action
auth        required      pam_tally.so onerr=fail no_magic_root

Action
account     required      pam_tally.so deny=6 reset no_magic_root
Note: deny=6 locks an account on the seventh failed attempt; deny=5 is the value that matches the
"five invalid login attempts" rule above. Locked accounts are released with
"pam_tally --user <name> --reset", which is the command the 10-minute release script must run.
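Editing login.defs by hand on many hosts leaves stale duplicate entries behind (and the first or last one wins depending on the tool). The following is an added example, not part of the original guide, that sets the four required values idempotently: an existing setting is rewritten in place, a missing one is appended, and a second run changes nothing. It also applies the same ageing to accounts that already exist, which login.defs alone does not do. File paths and the UID 500 boundary for human accounts are assumptions:

```shell
#!/bin/sh
# Idempotent enforcement of the login.defs values in section 3.2.3.
# login.defs(5) uses "NAME VALUE" separated by whitespace; "NAME=VALUE" would be ignored.

# set_login_def FILE NAME VALUE: rewrite an existing uncommented NAME line, else append one.
set_login_def() {
    file=$1; name=$2; value=$3
    if grep -Eq "^[[:space:]]*${name}[[:space:]]" "$file"; then
        # Replace the whole line so an old value or trailing comment cannot survive.
        # Written through a temp file and cat so the original inode and mode are kept.
        sed -E "s/^[[:space:]]*${name}[[:space:]].*/${name} ${value}/" "$file" > "$file.tmp" \
            && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
    else
        printf '%s %s\n' "$name" "$value" >> "$file"
    fi
}

# get_login_def FILE NAME -> the effective value (last uncommented occurrence wins, as login.defs does).
get_login_def() {
    awk -v n="$2" '$1 == n { v = $2 } END { print v }' "$1"
}

# harden_login_defs FILE: the four settings this guide requires.
harden_login_defs() {
    set_login_def "$1" PASS_MIN_DAYS 1
    set_login_def "$1" PASS_MAX_DAYS 90
    set_login_def "$1" PASS_WARN_AGE 7
    set_login_def "$1" PASS_MIN_LEN 8
}

# age_existing_accounts PASSWD: login.defs only affects accounts created later, so apply the
# same ageing with chage(1) to every existing human account (UID >= 500, assumption) that has
# an interactive shell.
age_existing_accounts() {
    awk -F: '$3 >= 500 && $7 != "/sbin/nologin" && $7 != "/dev/null" && $7 != "/bin/false" { print $1 }' \
        "${1:-/etc/passwd}" |
    while read -r user; do
        chage -m 1 -M 90 -W 7 "$user"
    done
}

# Usage as root:
#   harden_login_defs /etc/login.defs
#   age_existing_accounts /etc/passwd
```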

3.3. Access Control


3.3.1. BIOS and Boot Loader
The boot loader MAY be configured with the following settings; they keep a GRUB password hash, if one
is configured, and the boot parameters out of reach of ordinary users:
Action
/boot/grub/grub.conf MUST be readable only by root (mode 600).
/boot/grub/grub.conf SHOULD be protected with the immutable attribute (chattr +i). Note that kernel
updates rewrite this file, so the attribute must be cleared (chattr -i) before a new kernel is installed
and set again afterwards.

3.3.2. R* Services and .rhosts Files

The r* services (rsh, rexec, rlogin, etc.) rely on address-based trust and are therefore vulnerable to IP
spoofing; through their trust files (~/.rhosts and /etc/hosts.equiv) they may allow an attacker to
execute commands on the server without a password.
The following settings MUST be set:
Action
Find and delete all .rhosts files (and /etc/hosts.equiv, if present).
/etc/securetty MUST be owned by the root user and group.
Only root MUST be able to edit the /etc/securetty file (mode 600).
Set the immutable attribute on /etc/securetty (chattr +i).
Disabling the shell, rsh, login, rlogin and rexec services is covered in section 3.4.2 (xinetd).

3.3.3. FTP
The FTP protocol is unencrypted: passwords and other data transmitted during the session can be
captured by sniffing the network, and the session can be hijacked by an attacker on the path.
Note: Any directory writable by an anonymous FTP server should have its own partition or a quota.
This prevents a compromised FTP server from filling a disk used by other services.
Action
The /etc/ftpusers file MUST exist; if it does not exist, create it. (With vsftpd on CentOS the file
actually consulted is /etc/vsftpd/ftpusers, referenced from /etc/pam.d/vsftpd; apply the same list
there.)
The following users MUST be listed in the /etc/ftpusers file:
root
daemon
bin
sys
adm
smmsp
gdm
webservd
nobody
noaccess
nobody4
sshd
(sys, webservd, noaccess and nobody4 are Solaris account names that normally do not exist on CentOS;
listing them is harmless.)
More users SHOULD be added to /etc/ftpusers if they should not use the FTP service.
The root user MUST be the only user able to change the /etc/ftpusers file.

3.4. Services Configuration


3.4.1. SSH
OpenSSH is a popular free implementation of the standards-track SSH protocols and has become the
standard implementation on Linux distributions. For more information on OpenSSH, see
www.openssh.org. The settings in this section aim to ensure safe defaults for both the client and the
server. Specifically, both the ssh client and the sshd server are configured to use only SSH protocol 2,
as security vulnerabilities have been found in the first SSH protocol.

Action
The latest updated SSH package MUST be installed.
Configure /etc/ssh/sshd_config with the following settings:

Setting                         Level
Port 22                         MAY
Protocol 2                      MUST
ServerKeyBits 1024              SHOULD
LoginGraceTime 600              SHOULD
KeyRegenerationInterval 3600    SHOULD
PermitRootLogin no              MUST
IgnoreRhosts yes                MUST
IgnoreUserKnownHosts yes        MUST
StrictModes yes                 SHOULD
X11Forwarding no                MAY
SyslogFacility AUTH             SHOULD
LogLevel INFO                   SHOULD
RhostsAuthentication no         MUST
RhostsRSAAuthentication no      MUST
RSAAuthentication yes           SHOULD
PasswordAuthentication yes      SHOULD
PermitEmptyPasswords no         MUST
PrintMotd yes                   SHOULD
AllowTcpForwarding no           MUST

Note: ServerKeyBits, KeyRegenerationInterval, RhostsAuthentication and RhostsRSAAuthentication
concern protocol 1 only and are inert once Protocol 2 is the sole protocol; recent OpenSSH releases
log RhostsAuthentication as a deprecated keyword. LoginGraceTime 600 keeps an unauthenticated
connection open for ten minutes; a shorter value (the OpenSSH default is 120 seconds) limits the effect
of connection-exhaustion attempts. sshd uses the first occurrence of a keyword, so a hardened line
appended at the end of the file has no effect if a weaker line precedes it.

The file /etc/ssh/sshd_config MUST be owned by root:root.

The file /etc/ssh/sshd_config MUST have 600 permissions.

3.4.2. xinetd
On Linux, xinetd has replaced inetd as the default network superserver. Most distributions have used
xinetd for some time, although servers running inetd still exist.
Once SSH is enabled it is possible to disable nearly all xinetd-based services, since SSH provides both a
secure login mechanism and a means of transferring files to and from the system (scp, sftp). The actions
below disable all standard services normally enabled in the xinetd configuration.
Action
If no xinetd-based service is needed, xinetd SHOULD be completely disabled by stopping the xinetd
service and removing it from the boot sequence (chkconfig xinetd off).
The file /etc/xinetd.conf SHOULD have 600 permissions.
Set the immutable attribute on /etc/xinetd.conf (chattr +i); clear it before package updates that
modify the file.
Permissions on /etc/rc.d/init.d/* MUST be set without write permission for group and other.
All of the following services SHOULD be disabled. If for any reason one of them is in use, it MUST be
configured with a secured configuration.
Action
Disable telnet service (Port 23)
Disable ftp service (Port 21)
Disable amanda service (Port 10080)
Disable amandaidx service (Port 10082)
Disable cups service (Port 631; the cups-lpd compatibility service under xinetd uses Port 515)
Disable dbskkd-cdb service (Port 1178)
Disable eklogin service (Port 2105)
Disable gssftp service (Port 21)
Disable vsftpd service (Port 21)
Disable wu-ftpd service (Port 21)
Disable imap service (Port 143)
Disable imaps service (Port 993)
Disable ipop3 service (Port 110)
Disable ipop2 service (Port 109)
Disable pop3s service (Port 995)
Disable tftp service (Port 69/udp)
Disable rlogin service (Port 513)
Disable rsh service (Port 514)
Disable rexec service (Port 512)
Disable chargen/chargen-udp service (Port 19)
Disable daytime/daytime-udp service (Port 13)
Disable echo/echo-udp service (Port 7)
Disable finger service (Port 79)
Disable talk/ntalk service (Ports 517/518 udp)
Disable rsync service (Port 873)
Disable sgi_fam service
Disable time/time-udp service (Port 37)
Disable krb5-telnet service (Port 23)
Disable klogin service (Port 543)
Disable kshell service (Port 544)
Disable ktalk service


3.4.3. Boot Services


Every system daemon that does not have a clear and necessary purpose on the host MUST be
deactivated. This greatly reduces the chance that the machine is running a vulnerable daemon when
the next vulnerability in its operating system is discovered.
Some of the services listed below will not exist on all installations; this is normal.
All of the following services SHOULD be disabled (chkconfig <service> off, then service <service>
stop). If for any reason one of them is in use, it MUST be configured with a secured configuration.
Action
Stop apmd daemon
An APM monitoring daemon, works in conjunction with the APM BIOS driver in the OS
kernel. It can execute a command (normally a shell script) when certain events are
reported by the driver and certain changes in system power status. When the
available battery power becomes very low, it can alert all users on the system using
several methods
Stop canna daemon
Japanese input system
Stop freewnn daemon
FreeWnn is a client-server based input system for Japanese input system
Stop gpm daemon
A cut and paste utility and mouse server for virtual consoles.
Stop hpoj daemon
HP printer driver
Stop innd daemon
InterNetNews daemon
Stop irda daemon
Infrared support
Stop isdn daemon
Support for ISDN infrastructure
Stop kdcrotate daemon
A script which rotates the list of KDCs in /etc/krb5.conf.
Stop lvs daemon
Linux Virtual Server (LVS) cluster service
Stop mars-nwe daemon


A NetWare compatible file and printer server


Stop oki4daemon daemon
Printer service
Stop privoxy daemon
Privoxy is a web proxy with advanced filtering capabilities
Stop rstatd daemon
Server that returns performance statistics through RPC.
Stop rusersd daemon
Server that returns information about users currently logged in. Uses RPC.
Stop rwalld daemon
Writes messages to users currently logged in. Uses RPC.
Stop rwhod daemon
System-status server that maintains the database used by the rwho and ruptime
programs. Its operation is predicated on the ability to broadcast messages on a
network. As a producer of information, rwhod periodically queries the state of the
system and constructs status messages, which are broadcast on a network. As a
consumer of information, it listens for other rwhod servers' status messages, validates
them, then records them in a collection of files located in the directory
/var/spool/rwho. Messages received by the rwhod server are discarded unless they
originated at an rwhod server's port. Status messages are generated approximately
once every three minutes.
Stop spamassassin daemon
Anti-SPAM server
Stop nfs daemon
Network File System server, used to share files and directories. Uses RPC.
Stop nfslock daemon
NFS Component
Stop autofs daemon
Autofs is a kernel-based automounter for Linux.
Stop ypbind daemon
NIS client; binds the host to an NIS server.
Stop ypserv daemon
NIS server process
Stop yppasswdd daemon
NIS password change daemon


Stop portmap daemon
RPC Service
Stop smb daemon
Samba Server
Stop netfs daemon
Mounts and un-mounts all Network File System (NFS), SMB (Lan Manager/Windows),
and NCP (NetWare) mount points.
Stop lpd daemon
Print Server
Stop apache daemon
Web Server
Stop httpd daemon
Web Server
Stop tux daemon
Kernel based HTTP server
Stop snmpd daemon
SNMP server
Stop named daemon
DNS Server
Stop postgresql daemon
Postgres SQL Server
Stop mysqld daemon
mySQL database server.
Stop webmin daemon
Web based system administration tool.
Stop kudzu daemon
Linux hardware probing tool. This is a hardware probing tool run at system boot time
to determine what hardware has been added or removed from the system.
Stop squid daemon
WEB proxy server

Stop hotplug daemon


Hot pluggable hardware daemon.
Stop cups daemon
A printing service
Stop sendmail daemon
Sendmail is an e-mail transfer agent.
Stop ident daemon
Identification daemon implementing the Identification Protocol (RFC 1413): given an active TCP
connection, it returns the username of the process owning the local end, which discloses account
names to remote hosts.
Stop vncserver daemon
Starts a vnc server application.
Stop arpwatch daemon
Keeps track of Ethernet IP address.
Stop acpid daemon
ACPID is a completely flexible, totally extensible daemon for delivering ACPI events.
Stop anacron daemon
Anacron is a periodic command scheduler. It executes commands at intervals
specified in days. Unlike cron, it does not assume that the system is running
continuously.
Stop avahi-daemon
Avahi is an LGPL framework for Multicast DNS service discovery. It allows programs to publish and
discover services and hosts on a local network with no specific configuration, for example finding
printers, shared files and people to talk to on plugging into a network.
Stop avahi-dnsconfd daemon
Companion to avahi-daemon; configures unicast DNS servers discovered through mDNS.
Stop bluetooth daemon
Bluetooth support
Stop capi daemon
CAPI is a shortcut for Common-ISDN-API and defines an abstraction layer for different
ISDN protocols
Stop dhcdbd daemon
DHCP D-BUS daemon (dhcdbd); controls dhclient sessions over D-BUS.


Stop conman daemon
Conman is a program for connecting to remote consoles being managed by conmand.
Stop cpuspeed daemon
Power management based CPU Speed control
Stop dc_client daemon
Distributed session cache client
Stop dc_server daemon
Distributed session cache server
Stop dovecot daemon
Secure IMAP and POP3 server.
Stop dund daemon
BlueZ Bluetooth dial-up networking daemon
Stop haldaemon daemon
HAL is used for discovering storage, networking, digital cameras and printers
Stop hidd daemon
Bluetooth HID daemon
Stop kdump daemon
Kdump is a kexec based crash dumping mechanism for Linux.
Stop lisa daemon
LISA is a small daemon which is intended to run on end user systems. It provides
something like a "network neighborhood", but only relying on the TCP/IP protocol
stack.
Stop mcstrans daemon
mcstrans provides a translation daemon to translate SELinux categories from internal
representations to user defined representation.
Stop mdmonitor daemon
Monitors software RAID (md) arrays. Note: keep it on hosts that actually use software RAID, otherwise
disk failures go unnoticed.
Stop mdmpd daemon
Monitors multipath (md) devices.
Stop messagebus daemon
D-BUS is first a library that provides one-to-one communication between any two applications;
dbus-daemon-1 is an application that uses this library to implement a message bus daemon. Multiple
programs connect to the message bus daemon and can exchange messages with one another. Note:
haldaemon and several desktop services depend on messagebus.
Stop netplugd daemon
netplugd is a daemon that responds to network link events from the Linux kernel,
such as a network interface losing or acquiring a carrier signal.
Stop nscd daemon
Nscd is a daemon that provides a cache for the most common name service requests.
Stop pand daemon
BlueTooth network tools
Stop pcscd daemon
pcscd is the daemon program for pcsc-lite and musclecard framework. It is a resource
manager that coordinates communications with smart-card readers and smart cards
and cryptographic tokens that are connected to the system.
Stop psacct daemon
The psacct package provides process accounting (accton, lastcomm, sa). Note: process accounting is a
useful forensic record; keep it where incident investigation matters more than the disk space it costs.
Stop rdisc daemon
rdisc implements client side of the ICMP router discover protocol. rdisc is invoked at
boot time to populate the network routing tables with default routes.
Stop restorecond daemon
Watches for file creation and sets the default SELinux file context.
Stop saslauthd daemon
saslauthd handles plaintext authentication requests on behalf of the SASL library.
Stop setroubleshoot daemon
Analyses SELinux denials and produces readable alerts.
Note: mcstrans, restorecond and setroubleshoot are SELinux helper daemons. Stopping them does not
disable SELinux, but on a host that runs SELinux in enforcing mode weigh the loss of automatic
relabelling (restorecond) and denial analysis (setroubleshoot) before disabling them.
Stop smartd daemon
Self-Monitoring, Analysis and Reporting Technology daemon; monitors disks for impending failure.
Note: like mdmonitor, this is a health monitor rather than a network service; consider keeping it on
physical servers.
Stop winbind daemon
Winbind is an NSS switch module to map Windows NT Domain databases to Unix.
Stop postfix daemon
Mail Server
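Sections 3.4.2 and 3.4.3 list far more services than any single installation carries, and running chkconfig over the whole list produces the noise described in section 1.4. The following is an added example, not part of the original guide, that first resolves each list against the init script directory or /etc/xinetd.d and only then disables what is present. The directory paths and the exact service lists (taken from the two tables above, with cups-lpd as the xinetd file name for the lpd compatibility service) are assumptions to be reviewed against what the host actually needs:

```shell
#!/bin/sh
# Disable the services of sections 3.4.2 and 3.4.3, but only the ones that are installed.

# present_services DIR NAME... -> the names that have a file in DIR (init script or xinetd file).
present_services() {
    dir=$1; shift
    for svc in "$@"; do
        [ -f "$dir/$svc" ] && printf '%s\n' "$svc"
    done
    return 0
}

# disable_boot_services NAME...: turn off at boot and stop now, for the init scripts that exist.
disable_boot_services() {
    for svc in $(present_services /etc/rc.d/init.d "$@"); do
        chkconfig "$svc" off
        service "$svc" stop
    done
}

# disable_xinetd_services NAME...: chkconfig writes "disable = yes" into the xinetd file;
# reload xinetd once afterwards so the change takes effect.
disable_xinetd_services() {
    changed=0
    for svc in $(present_services /etc/xinetd.d "$@"); do
        chkconfig "$svc" off
        changed=1
    done
    [ "$changed" -eq 1 ] && service xinetd reload
    return 0
}

# The two tables of this guide, as lists (assumption: cups-lpd is the xinetd file for cups).
XINETD_SERVICES="telnet ftp amanda amandaidx cups-lpd dbskkd-cdb eklogin gssftp vsftpd wu-ftpd imap imaps ipop3 ipop2 pop3s tftp rlogin rsh rexec chargen chargen-udp daytime daytime-udp echo echo-udp finger talk ntalk rsync sgi_fam time time-udp krb5-telnet klogin kshell ktalk"
BOOT_SERVICES="apmd canna freewnn gpm hpoj innd irda isdn kdcrotate lvs mars-nwe oki4daemon privoxy rstatd rusersd rwalld rwhod spamassassin nfs nfslock autofs ypbind ypserv yppasswdd portmap smb netfs lpd httpd tux snmpd named postgresql mysqld webmin kudzu squid hotplug cups sendmail ident vncserver arpwatch acpid anacron avahi-daemon avahi-dnsconfd bluetooth capi dhcdbd conman cpuspeed dc_client dc_server dovecot dund haldaemon hidd kdump lisa mcstrans mdmonitor mdmpd messagebus netplugd nscd pand pcscd psacct rdisc restorecond saslauthd setroubleshoot smartd winbind postfix"

# Usage as root, after removing from the lists whatever this host is meant to run:
#   present_services /etc/rc.d/init.d $BOOT_SERVICES      # review what will change
#   disable_xinetd_services $XINETD_SERVICES
#   disable_boot_services $BOOT_SERVICES
```

Running `present_services` first and keeping its output with the change ticket gives the exact record of what was turned off on this host, which is what an auditor (or the person debugging a broken application later) will ask for.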


3.4.4. SNMP Service


SNMP is a management protocol that provides the ability to monitor and manage network devices
remotely. A community string is the identification string used by SNMP versions 1 and 2c; it travels in
cleartext and is the only form of authentication in those versions.
Action
SNMP prior to version 3 SHOULD NOT be used, because versions 1 and 2c authenticate only by a
cleartext community string.
The community strings used for SNMP queries MUST NOT be the defaults ("public", "private").
The read-write community (by default "private") SHOULD NOT be enabled.
An ACL (access list) MUST be configured on the SNMP service so that only the monitoring server can
query it.

3.4.5. Setuid/Gid Files


Setuid and setgid are short for "set user ID" and "set group ID". They are permission bits on executables
(and, for setgid, directories) that let users run a program with the privileges of the file's owner or
group rather than their own, in order to perform a specific task.
When a binary has the setuid bit, normal users who execute it obtain the privileges of the file's owner
(commonly root) within the resulting process, which can then perform tasks that regular users are
normally restricted from doing.
While setuid is useful in many cases, it poses a security risk when assigned to programs that are not
carefully designed: a flaw in a setuid program lets a local user gain permanent elevated privileges, and
a setuid binary that is writable or replaceable is an easy Trojan horse.
Action
The SUID bit SHOULD be removed from all files under /bin and /usr/bin except the following:
/usr/bin/passwd
/usr/bin/sudo
/bin/ping
/usr/bin/crontab
/bin/su
/usr/bin/agent_ctrl
/usr/bin/wall
/usr/bin/rcp
/bin/mount
/bin/traceroute
Note: /usr/bin/rcp belongs to the r* suite disabled in section 3.3.2; keep its bit only if rcp is
actually used.
Executable files SHOULD NOT carry the suid/sgid bit unless required.
Find the remaining suid/sgid files on the file system with:

find / -perm -4000 -print
find / -perm -2000 -print

(The leading minus is required: "-perm 4000" matches only files whose mode is exactly 4000.)
Before removing a suid/sgid bit make sure the permission is not needed by the application.
File systems that do not need to change at run time MAY be mounted read-only with the "ro" option.
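The two find commands above give a raw list; what a reviewer wants is the difference between that list and the approved exceptions. The following is an added example, not part of the original guide, that lists setuid/setgid files under a given root (skipping network and pseudo file systems, as the sticky-bit find in 3.4.7 does), subtracts a whitelist file of one absolute path per line, and strips the bits from whatever is left once confirmed. The whitelist contents are taken from the table above; the root argument and whitelist file format are assumptions:

```shell
#!/bin/sh
# SUID/SGID audit for section 3.4.5.

# find_setid ROOT -> setuid or setgid regular files below ROOT, sorted, skipping NFS and
# kernel pseudo file systems. "-perm -4000" means "the 4000 bit is set", whatever else is.
find_setid() {
    find "$1" \( -fstype nfs -o -fstype proc -o -fstype sysfs \) -prune -o \
        -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# default_whitelist -> the exceptions listed in this guide, one path per line.
default_whitelist() {
    cat <<'EOF'
/usr/bin/passwd
/usr/bin/sudo
/bin/ping
/usr/bin/crontab
/bin/su
/usr/bin/agent_ctrl
/usr/bin/wall
/usr/bin/rcp
/bin/mount
/bin/traceroute
EOF
}

# unexpected_setid ROOT WHITELIST_FILE -> setid files not in the whitelist.
# Blank and comment lines are dropped first: an empty -F pattern would match every path.
unexpected_setid() {
    wl=$(mktemp)
    sed -e '/^[[:space:]]*$/d' -e '/^#/d' "$2" > "$wl"
    find_setid "$1" | grep -vxF -f "$wl" || true
    rm -f "$wl"
}

# strip_setid FILE...: clear both bits, to be run only after the application owner has
# confirmed the privilege is not needed.
strip_setid() {
    chmod u-s,g-s "$@"
}

# Usage as root:
#   default_whitelist > /root/setid.allow
#   unexpected_setid / /root/setid.allow          # review this list
#   unexpected_setid / /root/setid.allow | xargs -r chmod u-s,g-s   # then enforce
```

Keep the whitelist and the audit output under version control: a new entry appearing between two runs is either a package update or a privilege-escalation artefact, and both deserve a look.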

3.4.6. Crontab
The following configuration restricts job scheduling with cron and at to the users listed in cron.allow
and at.allow (whitelist approach). When an .allow file exists, the corresponding .deny file is ignored,
so add users to the .allow files in order to permit cron/at use.
Action
The /etc/cron.allow file MUST exist and be owned by root with mode 600.
The /etc/cron.deny file MUST exist and be owned by root with mode 600.
The /etc/at.allow file MUST exist and be owned by root with mode 600.
The /etc/at.deny file MUST exist and be owned by root with mode 600.
If one of the above files does not exist, 'touch' it. Make sure "root" is allowed to schedule jobs by
adding it to the .allow files. (On CentOS these files live directly in /etc; /etc/cron.d holds job
definitions, not access lists.)

3.4.7. Other File System Security Requirements


Action
Only root SHOULD have permissions to the /root directory (mode 700).
The system SHOULD prevent SUID binaries and device files on removable media by mounting them with
the "nosuid" and "nodev" options in /etc/fstab (vfstab is the Solaris equivalent of this file).
The /tmp partition SHOULD be mounted with the nosuid and acl options.
The /home partition (the users' home directories) SHOULD be mounted with the nosuid and acl options.
The /var partition SHOULD be mounted with the nosuid option.
Executable files under /bin and /usr/bin MUST NOT be writable by group or other.
The following files MUST NOT be writable by group or other:
/etc/passwd
/etc/shadow
/etc/group
/etc/gshadow
(/etc/shadow and /etc/gshadow MUST also not be readable by group or other.)
The /etc/services file SHOULD be immutable.
The file /usr/sbin/tcpdump MUST be executable by root only (mode 700).
The file /etc/syslog.conf MUST have no permissions for other.
Non-root users MUST NOT be able to run the following applications:
halt
poweroff
reboot
xserver
The user environment variable PATH MUST NOT include the current directory (".", or an empty entry
such as a leading or trailing colon).
The user environment variable LD_LIBRARY_PATH MUST NOT include the current directory.
The /etc/sysctl.conf owner MUST be root.
Only root MUST have write permission to /etc/sysctl.conf.
The file /etc/sysctl.conf SHOULD be immutable.
The /var/log/wtmp owner MUST be root.
/var/log/wtmp MUST be readable by root only (600). Note: this also stops unprivileged users from
running last(1).
World-writable directories SHOULD have their sticky bit set.
Use the following command to obtain a list of world-writable directories without it:
find / \( -fstype nfs -o -fstype cachefs \) -prune -o \
    -type d \( -perm -0002 -a ! -perm -1000 \) -print
When the "sticky bit" is set on a directory, only the owner of a file (or the owner of the directory, or
root) may remove or rename that file, as opposed to the usual behaviour where anybody with write
access to the directory may remove it.
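The mount-option requirements of 2.3 and this section are usually verified by reading /etc/fstab by eye. The following is an added example, not part of the original guide, that parses an fstab(5)-format file and reports which of the named mount points lack a given option, and that wraps the corrected sticky-bit find so it can be run against any directory tree. The file path and the list of mount points to check are arguments (assumptions); the option names are the ones this guide requires:

```shell
#!/bin/sh
# File system checks for section 3.4.7.

# missing_mount_option FSTAB OPTION MOUNTPOINT... -> each listed mount point that has an
# fstab entry but lacks OPTION in its comma-separated option field. Mount points with no
# entry at all are not reported (they are covered by the partition requirement in 2.3).
missing_mount_option() {
    fstab=$1; opt=$2; shift 2
    for mp in "$@"; do
        awk -v mp="$mp" -v opt="$opt" '
            /^[[:space:]]*(#|$)/ { next }          # comments and blank lines
            $2 == mp {
                n = split($4, o, ",")
                found = 0
                for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
                if (!found) print mp
            }' "$fstab"
    done
}

# check_guide_mounts FSTAB -> the deviations from this guide: nosuid on /tmp, /home, /var
# and acl on /tmp and /home, printed as "mountpoint option".
check_guide_mounts() {
    for mp in $(missing_mount_option "$1" nosuid /tmp /home /var); do echo "$mp nosuid"; done
    for mp in $(missing_mount_option "$1" acl /tmp /home); do echo "$mp acl"; done
}

# unsticky_world_writable ROOT -> world-writable directories below ROOT without the sticky
# bit, skipping network and kernel pseudo file systems (the corrected form of the find above).
unsticky_world_writable() {
    find "$1" \( -fstype nfs -o -fstype proc -o -fstype sysfs \) -prune -o \
        -type d -perm -0002 ! -perm -1000 -print 2>/dev/null | sort
}

# Usage as root:
#   check_guide_mounts /etc/fstab
#   unsticky_world_writable / | xargs -r chmod +t
```

Changing an fstab line does not change a mounted file system; after editing, `mount -o remount /tmp` (and likewise for the others) applies the new options, and `mount | grep nosuid` confirms them.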

3.5. Networking
3.5.1. General Networking Requirements
The following network settings SHOULD be implemented by adding the lines to /etc/sysctl.conf and
applying them with "sysctl -p".
Note: the eth0 lines should be repeated for every Ethernet adapter (eth1, ...); the "all" and "default"
entries cover existing and future interfaces respectively.
Action
Disable IP source routing:
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
Do not accept ICMP redirects, including "secure" redirects from listed gateways:
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
Do not send ICMP redirects (a host that does not route has no reason to):
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
Disable the magic SysRq key:
kernel.sysrq = 0
Disable packet forwarding:
net.ipv4.ip_forward = 0
Enable TCP SYN cookie protection:
net.ipv4.tcp_syncookies = 1
Ignore ICMP echo requests sent to broadcast addresses (smurf amplification):
net.ipv4.icmp_echo_ignore_broadcasts = 1
Ignore bogus ICMP error responses:
net.ipv4.icmp_ignore_bogus_error_responses = 1
Optionally ignore all ICMP echo requests:
net.ipv4.icmp_echo_ignore_all = 1
Note: this also blinds legitimate ping-based monitoring and does not hide the host from port scans;
set it only where the monitoring design allows.
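Both the sshd_config table in 3.4.1 and the sysctl.conf lines above are "key value" files where a stray earlier or later line silently wins. The following is an added example, not part of the original guide, of one audit function that handles both formats: it strips comments, treats "=" as whitespace, compares keys case-insensitively, and honours the precedence rule of each program (sshd takes the first occurrence of a keyword, sysctl -p applies lines in order so the last one wins). The expected-value lists are taken from the MUST rows of the SSH table and the sysctl lines of this section; the file paths are assumptions:

```shell
#!/bin/sh
# Audit "Key value" / "key = value" configuration files against required settings
# (sshd_config for 3.4.1, sysctl.conf for 3.5.1).

# effective_value FILE KEY first|last -> the value in effect for KEY, empty if unset.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v which="$3" '
        /^[[:space:]]*(#|$)/ { next }
        {
            line = $0
            sub(/#.*/, "", line)                  # trailing comment
            gsub(/=/, " ", line)                  # "k = v" and "k v" look the same
            n = split(line, f, /[[:space:]]+/)
            s = (f[1] == "") ? 2 : 1              # leading whitespace yields an empty field
            k = tolower(f[s]); v = f[s + 1]
            if (k != key) next
            if (which == "first" && seen) next    # sshd keeps the first occurrence
            seen = 1; val = v                     # sysctl -p keeps the last
        }
        END { print val }' "$1"
}

# audit_settings FILE first|last KEY=VALUE... -> prints "KEY actual=X wanted=Y" for every
# deviation and returns 1 if there was any, 0 if the file is compliant.
audit_settings() {
    file=$1; order=$2; shift 2; rc=0
    for want in "$@"; do
        key=${want%%=*}; value=${want#*=}
        actual=$(effective_value "$file" "$key" "$order")
        if [ "$actual" != "$value" ]; then
            printf '%s actual=%s wanted=%s\n' "$key" "${actual:-<unset>}" "$value"
            rc=1
        fi
    done
    return $rc
}

# The MUST rows of the sshd_config table and the sysctl lines of this guide.
SSHD_MUST="Protocol=2 PermitRootLogin=no IgnoreRhosts=yes IgnoreUserKnownHosts=yes RhostsRSAAuthentication=no PermitEmptyPasswords=no AllowTcpForwarding=no"
SYSCTL_WANT="net.ipv4.conf.all.accept_source_route=0 net.ipv4.conf.default.accept_source_route=0 net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.default.accept_redirects=0 net.ipv4.conf.all.secure_redirects=0 net.ipv4.conf.default.secure_redirects=0 net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0 net.ipv4.icmp_echo_ignore_broadcasts=1 net.ipv4.icmp_ignore_bogus_error_responses=1 net.ipv4.tcp_syncookies=1 net.ipv4.ip_forward=0 kernel.sysrq=0"

# Usage:
#   audit_settings /etc/ssh/sshd_config first $SSHD_MUST
#   audit_settings /etc/sysctl.conf last $SYSCTL_WANT
```

The file audit says what will be in effect after the next `sshd` restart or `sysctl -p`; to compare with the running kernel, check each key with `sysctl -n <key>` as well, since a value edited in the file but never applied is a common finding.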


3.6. General Requirements


3.6.1. General Subjects
Action
The NTP service MUST be enabled.
Note: NTP should be configured according to company policy. Accurate, synchronised time is crucial
for correlating logs across hosts in a security investigation.
The motd/issue files SHOULD carry a warning banner. See Appendix A for a suggestion.
An automatic idle console logout after 15 minutes SHOULD be set by adding the following line to
/etc/profile:
TMOUT=900
Note: TMOUT is honoured by bash for interactive shells; make the variable read-only and exported so
that users cannot unset it from their own shell start-up files.
Restricting system reboots through the console:
The system MAY prevent an unauthenticated user at the console from rebooting it with Ctrl-Alt-Del.
Verify that the following line exists in /etc/inittab:
ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
The -a option makes shutdown consult /etc/shutdown.allow and proceed only if root or one of the users
listed there is logged in on a console; create that file with the permitted user names.


Appendix A
The Following Text is a suggestion for /etc/issue and /etc/motd:
This computer system, including all related equipment, networks and network devices (specifically including
Internet access), is provided only for authorized use.

The computer systems may be monitored for all lawful purposes, including to ensure that their use is
authorized, for management of the system, to facilitate protection against unauthorized access and to verify
security procedures, survivability and operational security.
Monitoring includes active attacks by authorized entities to test or verify the security of this system.

During monitoring, information may be examined, recorded, copied and used for authorized purposes.
All information, including personal information, placed on or sent over this system may be monitored. Use of
this computer system, authorized or unauthorized, constitutes consent to the monitoring of this system.

Unauthorized use may subject you to criminal prosecution.


Evidence of unauthorized use collected during monitoring may be used for administrative, criminal or
adverse action.
Use of this system constitutes consent to monitoring for these purposes.
