Hardening CentOS 7/8: Essential Security Baseline Steps

This guide outlines a comprehensive set of security hardening measures for CentOS 7/8 servers, including creating non‑root users, disabling root SSH login, configuring password policies, tightening SSH settings, enabling logging, and applying kernel protections such as ASLR to reduce attack surface.

Liangxu Linux

1. Create a regular user and disable direct root login

Scenario: The root account has unrestricted privileges; misuse or compromise can give an attacker full control. Creating a normal user with sudo rights reduces risk.

Create a new user:

adduser ecs-user

Set the user's password:

passwd ecs-user

Verify that the new account can log in as ecs-user. Then grant password‑less sudo to the new user by editing /etc/sudoers and adding:

ecs-user ALL=(ALL) NOPASSWD:ALL

Disable root SSH login by editing /etc/ssh/sshd_config, locating the PermitRootLogin directive and setting it to no (add the line if it is missing):

PermitRootLogin no

Explanation: Disabling direct root login forces administrators to use sudo, adding an extra protection layer.

2. Configure SSH idle timeout

Scenario: An idle SSH session can be hijacked by an unauthorized party.

Edit /etc/ssh/sshd_config and add:

ClientAliveInterval 600
ClientAliveCountMax 2

This makes the server terminate the session after 10 minutes of inactivity without a client response.

Explanation: After two unanswered probes, the connection is closed, mitigating risks from abandoned sessions.

3. Set minimum password change interval

Scenario: Allowing users to change their password repeatedly in quick succession lets them cycle straight back to an old password, which undermines any password‑reuse restriction.

Edit /etc/login.defs and set PASS_MIN_DAYS 7.

Apply the same rule to the root account:

chage --mindays 7 root

Explanation: Users cannot change their password more than once within seven days, preventing rapid‑change circumvention.

4. Set password expiration period

Scenario: Stale passwords increase the chance of brute‑force compromise.

Edit /etc/login.defs and set PASS_MAX_DAYS 90.

Apply to root:

chage --maxdays 90 root

Explanation: Passwords must be refreshed every 90 days, reducing exposure time.

5. Enforce password reuse restriction

Scenario: Preventing users from reusing recent passwords limits the value of a previously leaked or guessed password.

Edit /etc/pam.d/password-auth and /etc/pam.d/system-auth, locate the line containing password sufficient pam_unix.so and append remember=5.

Explanation: Users must use at least five different passwords before an old one can be reused.
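As an added example (not code from the original article), idempotent helpers that apply the kind of edits described in steps 1 to 5: set_directive makes a keyword the only active occurrence in a whitespace‑separated config such as sshd_config or login.defs, and pam_remember appends or updates remember=N on the pam_unix.so line. The same set_directive call covers the later sshd_config steps (7, 8, 14); the function names, the scratch‑file handling and the Match‑block rule are my own assumptions, not part of the page.

```shell
#!/bin/sh
# Idempotent editing helpers for the sshd_config, login.defs and PAM changes
# in the steps above. Added example, not from the original article; the file
# is an argument so the functions can be tried on a copy before /etc is touched.

# set_directive FILE KEY VALUE: makes "KEY VALUE" the only active occurrence
# of KEY. Wrong active lines are commented out (kept for review); a missing
# line is appended, or placed before the first sshd "Match" block so that it
# stays in the global section. Lines inside Match blocks are left untouched.
set_directive() {
    scratch=$(mktemp) || return 1
    awk -v key="$2" -v value="$3" '
        inmatch { print; next }                         # leave Match blocks alone
        !/^[[:space:]]*#/ && tolower($1) == "match" {
            if (!done) { print key " " value; done = 1 }  # global section ends here
            inmatch = 1; print; next
        }
        !/^[[:space:]]*#/ && tolower($1) == tolower(key) {
            if ($2 == value && !done) { done = 1; print; next }
            print "#" $0 "   # disabled by set_directive"; next
        }
        { print }
        END { if (!done) print key " " value }
    ' "$1" > "$scratch" && cat "$scratch" > "$1"         # cat keeps owner/mode
    status=$?; rm -f "$scratch"; return $status
}

# pam_remember FILE N: ensures "remember=N" is on the
# "password sufficient pam_unix.so" line (appended if absent, updated if set).
pam_remember() {
    scratch=$(mktemp) || return 1
    awk -v n="$2" '
        /^password[[:space:]]+sufficient[[:space:]]+pam_unix\.so/ {
            if ($0 ~ /remember=[0-9]+/) sub(/remember=[0-9]+/, "remember=" n)
            else $0 = $0 " remember=" n
        }
        { print }
    ' "$1" > "$scratch" && cat "$scratch" > "$1"
    status=$?; rm -f "$scratch"; return $status
}

# Usage on a live system (run as root), then validate before restarting sshd:
#   set_directive /etc/ssh/sshd_config PermitRootLogin no
#   set_directive /etc/ssh/sshd_config ClientAliveInterval 600
#   set_directive /etc/login.defs PASS_MIN_DAYS 7
#   pam_remember /etc/pam.d/system-auth 5
#   sshd -t
```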

6. Enforce password complexity

Scenario: Stronger passwords resist dictionary and brute‑force attacks.

Edit /etc/security/pwquality.conf and set:

minlen=10
minclass=3

This requires a minimum length of 10 characters and at least three character classes (uppercase, lowercase, digits, symbols).

Explanation: The policy raises the baseline strength of all user passwords.

7. Disallow SSH login with empty passwords

Scenario: Allowing empty passwords creates a trivial entry point for attackers.

Edit /etc/ssh/sshd_config and set PermitEmptyPasswords no.

Explanation: All SSH accounts must have a non‑empty password.

8. Limit maximum SSH authentication attempts

Scenario: Brute‑force attacks try many password guesses.

Edit /etc/ssh/sshd_config and add MaxAuthTries 4.

Explanation: After four failed attempts the connection is closed.

9. Ensure rsyslog service is enabled

Scenario: System logs are essential for audit and troubleshooting.

Start and enable the service:

systemctl enable rsyslog
systemctl start rsyslog

Explanation: Guarantees that security‑relevant events are recorded.

10. Harden permissions of critical configuration files

Scenario: Unauthorized modification of config files can compromise the system.

Set ownership and mode:

chown root:root /etc/hosts.allow
chown root:root /etc/hosts.deny
chmod 644 /etc/hosts.allow
chmod 644 /etc/hosts.deny

Explanation: Only root can edit; others can only read.

11. Secure user database files

Scenario: Files such as /etc/passwd, /etc/shadow, /etc/group contain sensitive credential data.

Apply restrictive permissions:

chown root:root /etc/passwd /etc/shadow /etc/group /etc/gshadow
chmod 0644 /etc/passwd /etc/group
chmod 0400 /etc/shadow /etc/gshadow

Explanation: Only root can modify these files; other users have read‑only or no access.

12. Verify root is the only UID 0 account

Scenario: Any additional UID 0 account grants full system privileges.

Check for other UID 0 users:

awk -F: '($3 == 0) { print $1 }' /etc/passwd | grep -v '^root$'

Explanation: Remove or reassign any non‑root UID 0 accounts immediately.

13. Configure password expiration warning

Scenario: Users need advance notice before passwords expire.

Edit /etc/login.defs and set PASS_WARN_AGE 7.

Apply the same warning to root:

chage --warndays 7 root

Explanation: Users receive a 7‑day warning, allowing timely password changes.

14. Set SSH log level to INFO

Scenario: Detailed logs aid in security auditing.

Edit /etc/ssh/sshd_config and add LogLevel INFO.

Explanation: Records authentication successes, failures, and other relevant events.

15. Enable Address Space Layout Randomization (ASLR)

Scenario: Randomizing memory layout makes exploitation harder.

Add kernel.randomize_va_space = 2 to /etc/sysctl.conf or a file under /etc/sysctl.d/.

Apply immediately with:

sysctl -w kernel.randomize_va_space=2

Explanation: Enables full ASLR, increasing resistance to memory‑corruption attacks.
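To verify that the baseline above actually took effect, here is an added audit script (not from the original article) that checks the directive values from the sshd_config, login.defs, pwquality.conf and sysctl steps and repeats the UID 0 check; file paths are arguments so it can be run against copies. The function names and the rule that a conflicting duplicate counts as a failure are my own assumptions.

```shell
#!/bin/sh
# Audits the directives from the steps above (sshd_config, login.defs,
# pwquality.conf, sysctl, /etc/passwd). Added example, not from the
# original article; file paths are arguments so copies can be checked.

# check_directive FILE KEY EXPECTED: succeeds only if KEY appears at least
# once outside a comment and every active occurrence equals EXPECTED, so a
# conflicting duplicate (sshd honours the first one) is reported as well.
# Accepts "Key value" (sshd, login.defs) and "key = value" (pwquality, sysctl).
check_directive() {
    awk -v key="$2" -v want="$3" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comment or blank
        {
            line = $0
            sub(/#.*/, "", line)                         # trailing comment
            gsub(/=/, " ", line)                         # "k = v" -> "k v"
            split(line, f, /[[:space:]]+/)
            i = (f[1] == "") ? 2 : 1                     # skip leading blanks
            if (tolower(f[i]) != tolower(key)) next
            seen++
            if (f[i + 1] != want) bad++
        }
        END { exit ((seen == 0 || bad > 0) ? 1 : 0) }
    ' "$1"
}

# audit FILE KEY=EXPECTED...: prints each failing directive and returns the
# number of failures (0 means FILE matches the baseline).
audit() {
    file=$1; shift; fails=0
    for spec in "$@"; do
        key=${spec%%=*}; want=${spec#*=}
        check_directive "$file" "$key" "$want" ||
            { echo "FAIL $file: $key should be $want"; fails=$((fails + 1)); }
    done
    return "$fails"
}

# extra_uid0 PASSWD_FILE: prints any UID 0 account other than root.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Usage against the live system, with the values from the steps above:
#   audit /etc/ssh/sshd_config PermitRootLogin=no PermitEmptyPasswords=no \
#       MaxAuthTries=4 LogLevel=INFO ClientAliveInterval=600 ClientAliveCountMax=2
#   audit /etc/login.defs PASS_MIN_DAYS=7 PASS_MAX_DAYS=90 PASS_WARN_AGE=7
#   audit /etc/security/pwquality.conf minlen=10 minclass=3
#   audit /etc/sysctl.conf kernel.randomize_va_space=2
#   extra_uid0 /etc/passwd
```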

Written by Liangxu Linux

Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge: fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.