Hardening CentOS 7/8: 15 Essential Security Configurations

This guide walks through fifteen practical steps to secure a CentOS 7 or 8 server, covering user management, SSH hardening, password policies, file permissions, logging, and kernel protections, each with clear commands and explanations to reduce attack surface.

Liangxu Linux

Linux Security Baseline – CentOS 7/8 Hardening Guide

1. Create a regular user and disable direct root login

Scenario: The root account has unrestricted privileges; its misuse or compromise can give an attacker full control.

Steps:

Create a non‑root user, e.g. adduser ecs-user, then set a password with passwd ecs-user.

Grant the user password‑less sudo rights by editing /etc/sudoers and adding ecs-user ALL=(ALL) NOPASSWD:ALL.

Disable direct root login by setting PermitRootLogin no in /etc/ssh/sshd_config.

Explanation: Using sudo instead of logging in as root limits the exposure of the super‑user account and adds an audit trail.

2. Set SSH idle timeout

Scenario: An idle SSH session can be hijacked if left unattended.

Steps:

Edit /etc/ssh/sshd_config and add:

ClientAliveInterval 600
ClientAliveCountMax 2

Explanation: The server sends a keepalive probe after 600 s (10 minutes) without client traffic and, with ClientAliveCountMax 2, drops the session once two consecutive probes go unanswered, reducing the window in which an unattended or dead session can be taken over.

3. Enforce a minimum password change interval

Scenario: If users may change passwords at will, they can cycle through several passwords in quick succession to get back to a favourite one, defeating the password‑reuse restriction.

Steps:

Set PASS_MIN_DAYS 7 in /etc/login.defs (or use chage --mindays 7 username for individual users).

Explanation: Users cannot change their password more often than once every seven days, which blocks that rapid‑change trick.

4. Set password expiration period

Scenario: Stale passwords increase the chance of brute‑force compromise.

Steps:

Configure PASS_MAX_DAYS 90 in /etc/login.defs (or chage --maxdays 90 username).

Explanation: Passwords must be changed at least every 90 days, limiting the window for credential theft.

5. Restrict password reuse

Scenario: Allowing users to recycle recent passwords weakens security.

Steps:

Add remember=5 to the password sufficient pam_unix.so line in both /etc/pam.d/password-auth and /etc/pam.d/system-auth.

Explanation: A user must use at least five different passwords before an old one can be reused.

6. Enforce password complexity

Scenario: Weak passwords are vulnerable to guessing and cracking.

Steps:

Edit /etc/security/pwquality.conf and set:

minlen=10
minclass=3

Explanation: Passwords must be at least ten characters long and contain characters from at least three of the four categories (upper, lower, digits, symbols).

7. Disallow SSH login with empty passwords

Scenario: Allowing empty passwords creates a trivial backdoor.

Steps:

Set PermitEmptyPasswords no in /etc/ssh/sshd_config.

Explanation: All SSH accounts must have a non‑empty password.

8. Limit SSH authentication attempts

Scenario: Brute‑force attacks try many password guesses.

Steps:

Set MaxAuthTries 4 in /etc/ssh/sshd_config.

Explanation: After four failed attempts within a single connection the SSH daemon disconnects the client.

9. Ensure rsyslog service is enabled

Scenario: System logs are essential for audit and troubleshooting.

Steps:

Enable and start the service:

systemctl enable rsyslog
systemctl start rsyslog

Explanation: Guarantees that events are recorded and can be reviewed.

10. Set secure permissions on configuration files

Scenario: Unauthorized modification of config files can compromise the system.

Steps:

Set ownership and mode:

chown root:root /etc/passwd /etc/shadow /etc/group /etc/gshadow
chmod 0644 /etc/passwd /etc/group
chmod 0400 /etc/shadow /etc/gshadow

Explanation: Only root can modify these files; /etc/passwd and /etc/group stay world‑readable, while /etc/shadow and /etc/gshadow (which hold the password hashes) are readable by root alone.

11. Secure hosts.allow and hosts.deny

Steps:

Apply ownership and permissions:

chown root:root /etc/hosts.allow /etc/hosts.deny
chmod 644 /etc/hosts.allow /etc/hosts.deny

12. Verify no non‑root UID 0 accounts exist

Steps:

Run:

awk -F: '($3 == 0) { print $1 }' /etc/passwd | grep -v '^root$'

Explanation: Any additional UID 0 accounts should be removed or have their UID changed.

13. Configure password expiration warning

Steps:

Add PASS_WARN_AGE 7 to /etc/login.defs and optionally run chage --warndays 7 root.

Explanation: Users receive a warning seven days before their password expires.
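An added audit script (not part of the original guide) that applies the account checks from sections 3, 4, 7, 12 and 13 to constructed copies of /etc/passwd and /etc/shadow. It reads the aging values from the shadow file because the login.defs settings only seed accounts created afterwards, and assumes the standard shadow field layout and the guide's 7/90/7‑day thresholds.

```shell
#!/bin/sh
# Added example (not from the original guide): audit the account files for
# sections 3, 4, 7, 12 and 13. PASS_MIN_DAYS / PASS_MAX_DAYS / PASS_WARN_AGE
# in login.defs only seed accounts created afterwards; existing accounts keep
# the aging values stored in /etc/shadow, so that file is what to check.

# Section 12: print every UID 0 account other than root (expect no output).
extra_uid0_accounts() {          # $1 = passwd-format file
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Sections 3, 4, 7, 13: print "user: reason(s)" for accounts whose shadow
# entry breaks the guide's rules. Shadow fields: 2 = password hash,
# 4 = min days (want >= 7), 5 = max days (want <= 90), 6 = warn days (>= 7).
noncompliant_aging() {           # $1 = shadow-format file
    awk -F: '
        $2 == ""                { print $1 ": empty password"; next }
        $2 == "*" || $2 ~ /^!/  { next }   # locked or no-login account
        {
            why = ""
            if ($4 == "" || $4 + 0 < 7)  why = why " min<7"
            if ($5 == "" || $5 + 0 > 90) why = why " max>90"
            if ($6 == "" || $6 + 0 < 7)  why = why " warn<7"
            if (why != "") print $1 ":" why
        }' "$1"
}

# Constructed sample files standing in for /etc/passwd and /etc/shadow.
SAMPLE_PASSWD=$(mktemp); SAMPLE_SHADOW=$(mktemp)
cat >"$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
ecs-user:x:1000:1000::/home/ecs-user:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
EOF
cat >"$SAMPLE_SHADOW" <<'EOF'
root:$6$constructed$placeholder:19700:7:90:7:::
bin:*:19700:0:99999:7:::
ecs-user:$6$constructed$placeholder:19700:0:99999:7:::
toor:$6$constructed$placeholder:19700:7:90:7:::
svc-deploy::19700:0:99999:7:::
EOF

echo "UID 0 accounts besides root:"; extra_uid0_accounts "$SAMPLE_PASSWD"
echo "Accounts needing chage --mindays 7 --maxdays 90 --warndays 7 (or a password):"
noncompliant_aging "$SAMPLE_SHADOW"
```

Point the two functions at the real /etc/passwd and /etc/shadow (as root) to audit a live host; chage -l username shows the same aging fields for one account.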

14. Set SSH log level to INFO

Steps:

Set LogLevel INFO in /etc/ssh/sshd_config.

Explanation: More detailed logs (e.g., login attempts, failures) aid forensic analysis.
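An added checker (not from the original guide) for the sshd_config directives set in sections 1, 2, 7, 8 and 14, run here against a constructed config that shows the two ways a pasted-in setting silently fails to take effect. It assumes the whitespace‑separated keyword form and stops scanning at the first Match block.

```shell
#!/bin/sh
# Added example (not from the original guide): check an sshd_config for the
# six directives this guide sets. sshd keeps the FIRST occurrence of a keyword
# (later duplicates are ignored) and directives after a "Match" line apply only
# conditionally, so scanning stops there. Keywords are case-insensitive; the
# whitespace-separated form is assumed (the optional "Key=value" form is not).
effective_sshd_value() {         # $1 = config file, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0   { next }
        tolower($1) == "match"  { exit }
        tolower($1) == key      { print $2; exit }' "$1"
}
# Returns 0 when the effective value is what the guide requires, 1 otherwise.
check_sshd_directive() {         # $1 = config file, $2 = keyword, $3 = wanted
    actual=$(effective_sshd_value "$1" "$2")
    if [ "$actual" = "$3" ]; then
        echo "PASS  $2 $3"; return 0
    fi
    echo "FAIL  $2 is '${actual:-unset, daemon default applies}', want $3"
    return 1
}
# Runs the SSH checks from sections 1, 2, 7, 8 and 14; the exit status is the
# number of failing directives (0 = fully compliant).
audit_sshd() {                   # $1 = config file
    file=$1; failures=0
    for pair in "PermitRootLogin no" "ClientAliveInterval 600" \
                "ClientAliveCountMax 2" "PermitEmptyPasswords no" \
                "MaxAuthTries 4" "LogLevel INFO"; do
        set -- $pair               # split into keyword and wanted value
        check_sshd_directive "$file" "$1" "$2" || failures=$((failures + 1))
    done
    return $failures
}
# Constructed sample: the hardening lines were appended below an older
# "PermitRootLogin yes", and MaxAuthTries landed inside a Match block.
SAMPLE_SSHD=$(mktemp)
cat >"$SAMPLE_SSHD" <<'EOF'
PermitRootLogin yes
ClientAliveInterval 600
ClientAliveCountMax 2
PermitEmptyPasswords no
LogLevel INFO
PermitRootLogin no
Match User backup
    MaxAuthTries 4
EOF
audit_sshd "$SAMPLE_SSHD" || echo "sshd_config is not compliant"
```

On a live host, sshd -T prints the effective value of every directive and is the authoritative cross-check; remember to reload sshd after editing the file.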

15. Enable Address Space Layout Randomization (ASLR)

Steps:

Add kernel.randomize_va_space = 2 to /etc/sysctl.conf or a file under /etc/sysctl.d/, then apply immediately with:

sysctl -w kernel.randomize_va_space=2

Explanation: Randomizing memory layout makes exploitation of memory‑corruption bugs significantly harder.
