Hardening CentOS 7/8: Essential Security Configurations to Protect Your Linux Servers

This guide walks you through a series of practical security measures for CentOS 7/8—including creating non‑root users, tightening SSH settings, enforcing password policies, securing logging, and applying kernel hardening—so you can significantly reduce the risk of unauthorized access and system compromise.

Open Source Linux

In production environments, the security of Linux servers—especially the root account—is critical. This article details step‑by‑step measures to harden CentOS 7/8 systems and lower the risk of attacks.

1. Create a regular user and disable direct root login

Scenario: The root user has unrestricted privileges; misuse or a compromised password can give an attacker full control. Creating a regular user with sudo rights mitigates this risk.

Create a new user:

adduser ecs-user

Set the user's password:

passwd ecs-user

Verify that you can log in with the new account.

Grant the user password-less sudo by editing /etc/sudoers with visudo (it validates the file before saving; a syntax error in sudoers would otherwise lock everyone out of sudo) and adding the ecs-user line below the existing root entry:

visudo
root ALL=(ALL) ALL
ecs-user ALL=(ALL) NOPASSWD:ALL

Disable root SSH login by editing /etc/ssh/sshd_config and setting PermitRootLogin no (add the line if it is missing; if a PermitRootLogin line already exists, change it in place, because sshd uses the first occurrence of a keyword). Restart sshd (systemctl restart sshd) and, before closing your current session, confirm from a second session that ecs-user can log in and use sudo.

Explanation: Disabling direct root login forces administrators to use sudo, adding an extra protection layer.

2. Configure SSH idle timeout

Scenario: An idle SSH session can be hijacked. Setting a timeout automatically disconnects inactive sessions.

Edit /etc/ssh/sshd_config and add:

ClientAliveInterval 600
ClientAliveCountMax 2

Explanation: If no data has been received from the client for 10 minutes, the server sends a keepalive probe; after two consecutive unanswered probes it terminates the session.

3. Enforce minimum password change interval

Edit /etc/login.defs and set PASS_MIN_DAYS 7.

Apply the same policy to root:

chage --mindays 7 root

Explanation: Users cannot change their password more than once every 7 days, which stops someone from cycling through several changes in quick succession to get back to an old password.

4. Set password expiration period

Edit /etc/login.defs and set PASS_MAX_DAYS 90.

Apply to root:

chage --maxdays 90 root

Explanation: Passwords expire after 90 days, forcing regular updates and reducing the chance of credential compromise.

5. Restrict password reuse

Edit /etc/pam.d/password-auth and /etc/pam.d/system-auth and append remember=5 to the line beginning with password sufficient pam_unix.so. (On CentOS 8 these two files are generated by authselect, so make the change in a custom authselect profile rather than in the generated files, or it will be overwritten the next time the profile is applied.)

Explanation: Users must use at least five different passwords before reusing an old one.

6. Enforce password complexity

Edit /etc/security/pwquality.conf and set:

minlen=10
minclass=3

Explanation: Passwords must be at least 10 characters long and contain at least three character classes (e.g., uppercase, lowercase, digits, symbols).

7. Disallow SSH login with empty passwords

Edit /etc/ssh/sshd_config and set PermitEmptyPasswords no.

Explanation: sshd will refuse password authentication for any account whose password field is empty, so such accounts cannot be used to log in over SSH without credentials.

8. Limit SSH authentication attempts

Edit /etc/ssh/sshd_config and set MaxAuthTries 4.

Explanation: After four failed authentication attempts within a single connection, sshd closes the connection, which slows down brute-force attacks.

9. Ensure rsyslog service is enabled

Start and enable the service:

systemctl enable rsyslog
systemctl start rsyslog

Explanation: Active logging is essential for audit trails and troubleshooting.

10. Secure configuration file permissions

Set ownership and permissions:

chown root:root /etc/hosts.allow /etc/hosts.deny
chmod 644 /etc/hosts.allow /etc/hosts.deny

Explanation: Only root can modify these files; others can only read them.

11. Protect user credential files

Run:

chown root:root /etc/passwd /etc/shadow /etc/group /etc/gshadow
chmod 0644 /etc/passwd /etc/group
chmod 0400 /etc/shadow /etc/gshadow

Explanation: Restricts access to sensitive password and group information.

12. Ensure root is the only UID 0 account

Check for other UID 0 users:

awk -F: '($3 == 0) { print $1 }' /etc/passwd | grep -v '^root$'

Explanation: Remove or reassign any non‑root UID 0 accounts to prevent privilege abuse.

13. Configure password expiration warning

Edit /etc/login.defs and set PASS_WARN_AGE 7.

Apply to root:

chage --warndays 7 root

Explanation: Users receive a warning seven days before password expiry.
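The chage options in items 3, 4 and 13 write the min, max and warn fields (fields 4, 5 and 6) of /etc/shadow, and item 12's check reads /etc/passwd, so both policies can be audited straight from those files. The following helper is an added example, not part of the article; it runs on a constructed passwd/shadow pair with placeholder hashes, and on a real host you would run the two functions as root against /etc/passwd and /etc/shadow.

```shell
# Added audit helper (not from the article). Field layout assumed from
# shadow(5): name:hash:lastchange:min:max:warn:inactive:expire:reserved.

# uid0_accounts PASSWD -> names with UID 0 other than root (item 12)
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# weak_aging SHADOW -> accounts with an empty password field (login possible
# without a password) or aging weaker than min 7 / max 90 / warn 7 days.
# Locked and no-login accounts ('!' or '*' in the hash field) are skipped.
weak_aging() {
    awk -F: '
        $2 ~ /^[!*]/ { next }
        $2 == ""     { print $1 ": empty password"; next }
        $4 == "" || $4 + 0 < 7  { print $1 ": min days "  ($4 == "" ? "unset" : $4) }
        $5 == "" || $5 + 0 > 90 { print $1 ": max days "  ($5 == "" ? "unset" : $5) }
        $6 == "" || $6 + 0 < 7  { print $1 ": warn days " ($6 == "" ? "unset" : $6) }
    ' "$1"
}

# write_samples PASSWD SHADOW -> constructed files; hashes are placeholders,
# admin2 is a second UID 0 account, guest has no password at all.
write_samples() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
admin2:x:0:0:second UID 0 account:/root:/bin/bash
ecs-user:x:1000:1000::/home/ecs-user:/bin/bash
guest:x:1001:1001::/home/guest:/bin/bash
nobody:x:65534:65534:Nobody:/:/sbin/nologin
EOF
    cat > "$2" <<'EOF'
root:$6$placeholder:19000:7:90:7:::
admin2:$6$placeholder:19000:0:99999:7:::
ecs-user:$6$placeholder:19000:0:99999:7:::
guest::19000:7:90:7:::
nobody:*:19000:0:99999:7:::
EOF
}

p=$(mktemp); s=$(mktemp)
write_samples "$p" "$s"
echo "extra UID 0 accounts:"; uid0_accounts "$p"
echo "weak password aging:";  weak_aging "$s"
rm -f "$p" "$s"
```

Accounts created before the login.defs change (like ecs-user in the sample) keep their old 0/99999 aging values, which is why the article applies chage explicitly; the same applies to every pre-existing user, not only root.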

14. Set SSH log level to INFO

Edit /etc/ssh/sshd_config and set LogLevel INFO.

Explanation: More detailed logs aid security auditing.
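Items 1, 2, 7, 8 and 14 all edit /etc/ssh/sshd_config, and the most common way they silently fail is that a keyword is appended at the end of the file while an earlier occurrence (often the default one) still wins, because sshd takes the first match. The checker below is an added example, not part of the article; it assumes the sshd_config(5) rules (first match wins, keyword names are case-insensitive, '#' starts a comment), handles only the "Keyword value" form, and stops at the first Match block since directives inside it are conditional.

```shell
# Added audit helper, not from the article. Reports the value sshd will
# actually use for each keyword and compares it with the recommendations.

# sshd_effective FILE KEYWORD -> prints the value sshd will use, or "unset"
sshd_effective() {
    awk -v key="$2" '
        BEGIN { key = tolower(key); found = 0 }
        /^[[:space:]]*#/ || NF == 0 { next }     # comments and blank lines
        tolower($1) == "match" { exit }          # conditional block: stop here
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print "unset" }' "$1"
}

# audit_sshd FILE -> one OK/FAIL line per recommended setting;
# the return value is the number of failed checks
audit_sshd() {
    fails=0
    for kv in PermitRootLogin=no PermitEmptyPasswords=no MaxAuthTries=4 \
              LogLevel=INFO ClientAliveInterval=600 ClientAliveCountMax=2; do
        key=${kv%%=*}; want=${kv#*=}
        got=$(sshd_effective "$1" "$key")
        if [ "$(echo "$got" | tr 'A-Z' 'a-z')" = "$(echo "$want" | tr 'A-Z' 'a-z')" ]; then
            echo "OK   $key $got"
        else
            echo "FAIL $key is '$got', expected '$want'"; fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# write_sample_cfg PATH -> constructed config showing the classic mistake:
# "PermitRootLogin no" appended at the bottom is ignored because the earlier
# "permitrootlogin yes" already matched; LogLevel is missing entirely.
write_sample_cfg() {
    cat > "$1" <<'EOF'
# constructed sample, not a real server's config
permitrootlogin yes
PermitEmptyPasswords no
MaxAuthTries 4
ClientAliveInterval 600
ClientAliveCountMax 2
PermitRootLogin no
EOF
}

cfg=$(mktemp)
write_sample_cfg "$cfg"
audit_sshd "$cfg" || echo "$? setting(s) need attention"
rm -f "$cfg"
```

On a live host, sshd -T prints the fully resolved configuration (including defaults and Match blocks) and is the authoritative way to confirm what a restarted sshd will enforce.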

15. Enable Address Space Layout Randomization (ASLR)

Add kernel.randomize_va_space = 2 to /etc/sysctl.conf or a file under /etc/sysctl.d/.

Apply immediately:

sysctl -w kernel.randomize_va_space=2

Explanation: Randomizing memory layout makes exploitation of memory‑corruption bugs harder.

Written by

Open Source Linux

Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.
