Hardening CentOS

Hardening CentOS Linux Servers:

The Ninja way

Lorenzo Martínez R. (@lawwait)

Hardening CentOS Linux

Thanks Karanbir!

[root@localhost ~]# whoami

13 years of security professional experience

Integrators -> Vendors -> Entrepreneur
CTO && Founder www.securizame.com
ANCITE (www.ancite.es)
www.SecurityByDefault.com editor
Tools: Securewin, amispammer, scalparser
Twitter: @lawwait, @securizame, @secbydefault
Email: lorenzo@securizame.com
Why did I choose CentOS?

Red Hat 8 & 9

Fedora Core
LTS Distros: Debian, RHEL, Suse, Ubuntu,...
Now: RHEL, CentOS, Scientific Linux, Oracle

What will the server do?

Linux and the NSA

Disabling SELinux

Linux Internals
Virtual Filesystem /proc

Kernel Parameters

Sysctl Support

Disabling IPv6

net.ipv4.ip_forward = 0                          # Controls IP packet forwarding
net.ipv4.conf.default.rp_filter = 1              # Controls source route verification
net.ipv4.conf.default.accept_source_route = 0    # Do not accept source routing
kernel.sysrq = 0                                 # Controls the System Request debugging functionality of the kernel
kernel.core_uses_pid = 1                         # Controls whether core dumps will append the PID to the core filename
net.ipv4.tcp_syncookies = 1                      # Controls the use of TCP syncookies

net.bridge.bridge-nf-call-ip6tables = 0          # Disable netfilter on bridges
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
kernel.panic = 5                                 # Reboot 5 seconds after a kernel panic
net.ipv4.tcp_fin_timeout = 15                    # Decrease the default value for tcp_fin_timeout
net.ipv4.tcp_keepalive_time = 1800               # Decrease the default value for tcp_keepalive_time
net.ipv4.tcp_window_scaling = 0                  # Turn off tcp_window_scaling

net.ipv4.tcp_sack = 0                            # Turn off tcp_sack
net.ipv4.tcp_timestamps = 0                      # Turn off tcp_timestamps
net.ipv4.icmp_echo_ignore_broadcasts = 1         # Ignore ICMP echo requests sent to broadcast addresses
net.ipv4.icmp_ignore_bogus_error_responses = 1   # Enable bad error message protection
net.ipv4.conf.all.log_martians = 1               # Log spoofed, source-routed and redirect packets
kernel.shmmax = 268435456                        # Set the maximum amount of memory allocated to shm to 256MB

net.ipv4.tcp_max_syn_backlog = 1280              # Increase the size of the socket queue (effectively, q0)
net.ipv4.tcp_mem = 57344 57344 65536             # Increase the maximum total TCP buffer space allocatable
net.ipv4.tcp_wmem = 32768 65536 524288           # Increase the maximum TCP write-buffer space allocatable
net.ipv4.tcp_rmem = 98304 196608 1572864         # Increase the maximum TCP read-buffer space allocatable
net.core.rmem_max = 524280                       # Increase the maximum receive socket buffer size
net.core.rmem_default = 524280                   # Increase the default receive socket buffer size

net.core.wmem_max = 524280                       # Increase the maximum send socket buffer size
net.core.wmem_default = 524280                   # Increase the default send socket buffer size
net.ipv4.tcp_max_tw_buckets = 1440000            # Increase the TIME_WAIT buckets pool size
net.ipv4.ip_local_port_range = 16384 65536       # Allowed local port range
net.ipv4.ipfrag_high_thresh = 512000             # Increase the maximum memory used to reassemble IP fragments
net.ipv4.ipfrag_low_thresh = 446464

net.core.optmem_max = 57344                      # Increase the maximum amount of option memory buffers
net.ipv4.conf.all.accept_redirects = 0           # Do not accept ICMP redirects (avoids MITM)
net.ipv4.conf.all.send_redirects = 0             # Forbid sending ICMP redirects
net.ipv6.conf.all.disable_ipv6 = 1               # Disable IPv6
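Writing the values into sysctl.conf is only half the job; a hardened host also needs a way to notice when a running value no longer matches the baseline (a package post-install script, a manual "temporary" change, a reboot without `sysctl -p`). The script below is an added example, not part of the original slides: it compares the running kernel parameters with the security-relevant, single-valued keys from the list above (the buffer-size tuning keys are left out) and reports every key that is missing or has drifted. It assumes sysctl(8) is on the PATH; the baseline is constructed from the slide's own keys and values.

```shell
#!/bin/sh
# Added example (not part of the original slides): audit the running kernel
# parameters against the hardening baseline and report drift.
# Assumes sysctl(8) is available; the baseline is constructed from the slides.

# Baseline: one key=value per line, single-valued keys only.
HARDENING_BASELINE='
net.ipv4.ip_forward=0
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.log_martians=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.tcp_syncookies=1
kernel.sysrq=0
'

# Read the running value of one key. Kept as a separate function so the audit
# can be exercised offline (e.g. in a test) by redefining it with canned values.
read_sysctl() {
    sysctl -n "$1" 2>/dev/null
}

# Collapse runs of whitespace so multi-value output compares cleanly.
normalise() {
    printf '%s' "$1" | tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//'
}

# Check every baseline key. Prints one line per key (OK / DRIFT / MISSING)
# and returns the number of keys that are not at their hardened value.
audit_sysctl() {
    drift=0
    for entry in $HARDENING_BASELINE; do
        key=${entry%%=*}
        want=$(normalise "${entry#*=}")
        have=$(normalise "$(read_sysctl "$key")")
        if [ -z "$have" ]; then
            printf 'MISSING %s (want %s)\n' "$key" "$want"
            drift=$((drift + 1))
        elif [ "$have" = "$want" ]; then
            printf 'OK      %s = %s\n' "$key" "$have"
        else
            printf 'DRIFT   %s = %s (want %s)\n' "$key" "$have" "$want"
            drift=$((drift + 1))
        fi
    done
    return "$drift"
}
```

Source the file and call `audit_sysctl`; the exit status is the number of non-compliant keys, so a zero means the host matches the baseline and anything else is a finding that cron or a monitoring agent can act on.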

Understanding services

The purpose the machine was built for

Load at startup time
Init process
netstat -[t|u]anp | grep LISTEN
Path -> /etc/rc<runlevel>.d/SXX<service> && KXX<service>
/sbin/chkconfig --list | less
RPMs: setuptool && ntsysv
The fewer services, the better

Services enabled by default

iptables && ip6tables
network
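"The fewer services, the better" is easy to state and easy to lose track of once a box has been in production for a while. The script below is an added example, not part of the original slides: it reads `chkconfig --list` output (live, or saved from another host) and reports any service switched on at a given runlevel that is not on an allowlist, which turns the slide's principle into a repeatable check. The sample chkconfig output and the allowlist are constructed for the offline run.

```shell
#!/bin/sh
# Added example (not part of the original slides): flag services enabled at
# a runlevel that are not on an allowlist. Reads `chkconfig --list` output on
# stdin, so it works both live (chkconfig --list | ...) and on saved output.

# Constructed sample of `chkconfig --list` output.
SAMPLE_CHKCONFIG='iptables        0:off 1:off 2:on  3:on  4:on  5:on  6:off
network         0:off 1:off 2:on  3:on  4:on  5:on  6:off
sshd            0:off 1:off 2:on  3:on  4:on  5:on  6:off
cups            0:off 1:off 2:on  3:on  4:on  5:on  6:off
bluetooth       0:off 1:off 2:off 3:off 4:off 5:off 6:off

xinetd based services:
        rsync:  off'

# Print the names of the SysV services switched on at runlevel $1.
# SysV lines look like "name 0:off 1:off 2:on ..."; the xinetd section
# ("rsync: off") has no "0:" field and is skipped.
services_on_at_runlevel() {
    awk -v want="$1:on" '
        $2 ~ /^0:/ { for (i = 2; i <= NF; i++) if ($i == want) print $1 }'
}

# Report services enabled at runlevel $1 that are not in the space-separated
# allowlist $2. Returns the number of unexpected services.
unexpected_services() {
    rl=$1
    allow=" $2 "
    n=0
    for svc in $(services_on_at_runlevel "$rl"); do
        case "$allow" in
            *" $svc "*) ;;
            *) printf 'unexpected service at runlevel %s: %s\n' "$rl" "$svc"
               n=$((n + 1)) ;;
        esac
    done
    return "$n"
}
```

On a live host: `chkconfig --list | unexpected_services 3 'iptables network sshd'`. Anything it prints is either a service to switch off (`chkconfig <service> off`) or one to add to the allowlist with a reason, and the allowlist then doubles as documentation of what the machine was built for.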

Firewalling rule set

iptables is command-line driven
GUIs: fwbuilder, shorewall, firestarter, etc.
Script started before network/services are
Firewall Policy: Best Practices

Mgmt IPs -> Firewall IFs, Mgmt ports -> Allow
Any -> Firewall IFs, Mgmt ports -> Deny [Stealth Rule]
<Needed Services rules> -> Allow
Everything else -> Deny [Cleanup Rule]
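The order of those four blocks is the whole point: the management allow must precede the stealth drop, and the cleanup rule must come last. The generator below is an added example, not part of the original slides or any of the GUIs it mentions: it prints an iptables INPUT rule set in exactly that order for the TCP ports given, so the result can be reviewed or diffed before being piped to sh on the host. The addresses and ports in the usage are placeholders, and the `-m state` match is the form available on the CentOS releases of the time.

```shell
#!/bin/sh
# Added example (not part of the original slides): emit iptables INPUT rules
# in the slide's policy order. Prints the commands instead of running them.
#   fw_rules MGMT_IPS MGMT_PORTS SERVICE_PORTS   (each a comma-separated list)

fw_rules() {
    mgmt_ips=$1
    mgmt_ports=$2
    svc_ports=$3

    echo 'iptables -F INPUT'
    echo 'iptables -P INPUT DROP'
    # Loopback, and replies to connections the host itself opened.
    echo 'iptables -A INPUT -i lo -j ACCEPT'
    echo 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'

    old_ifs=$IFS
    IFS=,
    # 1. Management addresses may reach the management ports.
    for ip in $mgmt_ips; do
        for port in $mgmt_ports; do
            echo "iptables -A INPUT -p tcp -s $ip --dport $port -j ACCEPT"
        done
    done
    # 2. Stealth rule: nobody else gets a response from the management ports.
    for port in $mgmt_ports; do
        echo "iptables -A INPUT -p tcp --dport $port -j DROP"
    done
    # 3. The services the machine was built to provide.
    for port in $svc_ports; do
        echo "iptables -A INPUT -p tcp --dport $port -j ACCEPT"
    done
    IFS=$old_ifs
    # 4. Cleanup rule: anything not explicitly allowed above is dropped.
    echo 'iptables -A INPUT -j DROP'
}
```

Example: `fw_rules '10.0.0.5' '22' '80,443'` prints nine commands; line 5 is the management allow for 10.0.0.5, line 6 the stealth drop, and the last line the cleanup rule. Because the ESTABLISHED,RELATED rule is emitted before the policy takes effect on new traffic, applying the output over an existing SSH session does not cut that session off.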

Hardening SSH

Auth: User/pass vs certificates

Change default SSH port (TCP/22)
Protocol 2
PermitRootLogin -> NO

Hardening SSH

MaxAuthTries (Default 6) -> 3

LoginGraceTime (Default 120) -> 60
PasswordAuthentication (Default yes) -> NO
Banner (none)
AllowAgentForwarding and AllowTcpForwarding (Default yes) -> If they are not going to be used, change to NO
MaxStartups (Default 10) -> If few connected users, change to 3

Ciphers -> aes128-ctr, aes256-ctr, arcfour256, arcfour, aes128-cbc, aes256-cbc
X11Forwarding and PermitEmptyPasswords -> If not needed, NO
Hardening BASH
Define read-only environment variables -> to avoid them being overwritten by users (declare -r HISTFILE=~/.bash_history && chattr +i ~/.bash_history)
HISTFILESIZE -> Maximum number of lines to keep in the history file
HISTSIZE -> Maximum number of commands stored in memory
HISTTIMEFORMAT -> Date/time format to store with each command execution
Force HISTFILE to be committed every time a command is typed instead of at logout -> readonly || declare -r PROMPT_COMMAND="history -a"
Hardening BASH
Limit login session timeout -> declare -r TMOUT=120
Limits -> ulimit command
-c maximum size of core files
-s maximum stack size
-t maximum CPU seconds
-u maximum number of processes available per user
-v maximum virtual memory size available for the shell
-x maximum number of file locks

Default file mask for every user -> umask 077 (rwx --- ---)
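The two BASH slides above list the settings one by one; in practice they are deployed together as a single fragment that every login shell sources. The file below is an added example, not part of the original slides: it combines the history settings, the read-only protection, the idle timeout, a ulimit and the umask into one function, so the order (set, then mark read-only, then export) is right and a user cannot unset or reassign the history variables afterwards. The file name /etc/profile.d/hardening.sh and the history sizes (10000) are assumptions; the other values are the slide's.

```shell
#!/bin/sh
# Added example (not part of the original slides): shell session hardening as
# a profile.d fragment, e.g. /etc/profile.d/hardening.sh (assumed path).
# Sourced by login shells; the history sizes are assumed values.

apply_shell_hardening() {
    # History: fixed location, bounded size, timestamped, and flushed after
    # every command rather than only at logout.
    HISTFILE="$HOME/.bash_history"
    HISTFILESIZE=10000
    HISTSIZE=10000
    HISTTIMEFORMAT='%F %T '
    PROMPT_COMMAND='history -a'
    readonly HISTFILE HISTFILESIZE HISTSIZE HISTTIMEFORMAT PROMPT_COMMAND

    # Idle sessions are closed after 120 seconds, and the user cannot raise it.
    TMOUT=120
    readonly TMOUT
    export HISTFILE HISTFILESIZE HISTSIZE HISTTIMEFORMAT TMOUT

    # No core dumps: they can contain credentials and other process memory.
    ulimit -c 0

    # New files are private to their owner (rwx --- ---).
    umask 077
}

apply_shell_hardening
```

Once this has run, `umask` reports 0077 and any later assignment to HISTFILE or TMOUT fails with "readonly variable". The slide also suggests chattr on the history file; since `history -a` must still append to it, the attribute that fits is append-only (`chattr +a ~/.bash_history`, run as root), because the immutable flag would block the appends as well.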
Hardening Apache
Use an rpm package or static compilation
Right permissions: chown + chroot
chmod -R go-r /etc/httpd
chmod -R go-r /var/log/httpd

Disable not needed/used default modules (http://

Hardening Apache
Listen [IP Address:]<Port>
Allow from / Deny from directives:
  Deny from All
  Allow from 192.168.X.Y/24

Security through obscurity:
  ServerTokens ProductOnly
  ServerSignature Off

With mod_security:
  SecServerSignature "Powered by Securizame 8.0"

Disable the TRACE method:
  TraceEnable Off
Patches Management
Optional package: yum-cron

Auditing Tools
Check security/health
Misconfigurations && Malware
Lynis, checklist-linux,
rkhunter, chkrootkit

Filesystems Integrity
AFICK, AIDE, Tripwire

Other stuff: IDS/IPS

Send events to a remote collector: syslog
NTP (Network Time Protocol)

CentOS Linux FTW!

Corporate Distribution
Community support
Security concepts in mind
Minimalism is the key
Harden, audit and monitor

Email me: lorenzo@securizame.com

Twitter: @lawwait @securizame @secbydefault
