How to Harden CentOS 6.7: A Complete Account and System Security Guide
This article walks through a step‑by‑step hardening of a CentOS 6.7 host, covering password lockout policies, password aging and complexity, removal of unused accounts, file‑system permissions, log protection, SSH restrictions, NFS limits, and network‑level safeguards to achieve a compliance score of 90 points.
1. Account Management
1.1 Password lockout policy
Use the pam_tally2.so or pam_faillock.so module to lock accounts after a configurable number of failed login attempts. Example entry to add to /etc/pam.d/system-auth and /etc/pam.d/password-auth:
auth required pam_tally2.so deny=3 onerr=fail unlock_time=180 even_deny_root root_unlock_time=10
Add this line to the auth section of both files, placing it before the pam_unix.so line so that the failure counter is consulted before the password is checked. (pam_tally2 does not accept the older pam_tally option no_magic_root; root's failures are counted unless magic_root is given.)
Parameters:
deny – maximum authentication failures before lockout.
lock_time – lock duration in seconds.
unlock_time – automatic unlock interval.
magic_root – ignore failures for UID 0.
even_deny_root – also lock the root account on failure.
root_unlock_time – lock duration for the root account.
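To verify the lockout entry before relying on it, here is an added shell example (not from the original article) that checks a PAM stack file for the pam_tally2 auth line and its ordering relative to pam_unix.so, then reports the configured deny threshold. The function names pam_tally2_deny and check_pam_lockout and the two sample files are constructed for this example, modelled on the CentOS 6 system-auth layout; the pam_tally2 invocations in the trailing comments are the real command-line tool from the pam package.

```bash
#!/bin/sh
# Added example, not from the original article: check a PAM stack file such as
# /etc/pam.d/system-auth for the pam_tally2 lockout line. The line must come
# before the pam_unix.so auth line, otherwise a correct password is accepted
# before the failure counter is consulted. The "account required pam_tally2.so"
# line resets the counter after a successful login.

# Print the deny= threshold on the pam_tally2 auth line (empty if none).
pam_tally2_deny() {
  grep -E '^auth[[:space:]]+required[[:space:]]+pam_tally2\.so' "$1" \
    | sed -n 's/.*deny=\([0-9]*\).*/\1/p' | head -n 1
}

# Return 0 when FILE has a pam_tally2 auth line placed before pam_unix.so,
# 1 when the line is missing, 2 when it is present but ordered after pam_unix.
check_pam_lockout() {
  file=$1
  tally=$(grep -n -E '^auth[[:space:]]+required[[:space:]]+pam_tally2\.so' "$file" | head -n 1 | cut -d: -f1)
  unix=$(grep -n -E '^auth[[:space:]]+[a-z]+[[:space:]]+pam_unix\.so' "$file" | head -n 1 | cut -d: -f1)
  if [ -z "$tally" ]; then
    echo "$file: no pam_tally2 auth line"
    return 1
  fi
  if [ -n "$unix" ] && [ "$tally" -gt "$unix" ]; then
    echo "$file: pam_tally2 line must precede pam_unix.so"
    return 2
  fi
  echo "$file: lockout after $(pam_tally2_deny "$file") failures"
  return 0
}

# Constructed sample files (not copied from a real host).
GOOD=$(mktemp) && BAD=$(mktemp)
trap 'rm -f "$GOOD" "$BAD"' EXIT
cat >"$GOOD" <<'EOF'
auth        required      pam_env.so
auth        required      pam_tally2.so deny=3 onerr=fail unlock_time=180 even_deny_root root_unlock_time=10
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
account     required      pam_tally2.so
account     required      pam_unix.so
EOF
cat >"$BAD" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_tally2.so deny=3 unlock_time=180
EOF

check_pam_lockout "$GOOD"                         # lockout after 3 failures
check_pam_lockout "$BAD" || echo "exit status $?" # ordering problem, status 2

# On a real host (as root):
#   pam_tally2 --user=alice           # show the failure counter
#   pam_tally2 --reset --user=alice   # clear it and unlock the account
```

Run the check against both /etc/pam.d/system-auth and /etc/pam.d/password-auth, since sshd uses the latter and a line added to only one file leaves the other login path without a lockout.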
1.2 Password lifespan
Set PASS_MAX_DAYS (commonly 90) in /etc/login.defs so users are forced to change passwords periodically, reducing the window for password cracking.
1.3 Password complexity
Enable pam_cracklib.so in the PAM stack to enforce minimum length, character classes, and reject dictionary words.
1.4 Remove irrelevant accounts
Identify system‑provided accounts whose password fields are not locked (i.e., not starting with * or !!) and either delete them, lock them, or set their shell to /bin/false. Example commands for deletion, locking, or shell change are illustrated with screenshots.
1.5 Password reuse limit
Configure pam_unix.so with remember=5 to prevent users from reusing any of their last five passwords.
1.6 Restrict non‑admin users from using su to become root
Create a wheel group and allow only its members to execute su -. Adjust /etc/pam.d/su accordingly and add users to the group when needed.
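The checks in 1.2 to 1.6 can be run against copies of the relevant files rather than by inspection. The following is an added example, not from the original article: the function names are chosen here, and the passwd, shadow, login.defs, su and system-auth fragments are constructed, modelled on CentOS 6 defaults (UIDs below 500 are system accounts on that release).

```bash
#!/bin/sh
# Added example, not from the original article: audit the account settings
# from sections 1.2 to 1.6 against copies of the relevant files.

# List system accounts (UID below 500, root excluded) whose shadow password
# field is not locked with "*" or "!". Output: "name shell" per line.
unlocked_system_accounts() {
  awk -F: '
    NR == FNR { if ($3 + 0 < 500 && $3 + 0 != 0) shell[$1] = $7; next }  # passwd
    ($1 in shell) && $2 !~ /^[*!]/ { print $1, shell[$1] }                # shadow
  ' "$1" "$2"
}

# PASS_MAX_DAYS from a login.defs file (empty if not set; comments skipped).
pass_max_days() {
  awk '$1 == "PASS_MAX_DAYS" { v = $2 } END { print v }' "$1"
}

# Is su restricted to the wheel group? CentOS 6 ships this line commented out.
su_restricted_to_wheel() {
  grep -q -E '^auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$1"
}

# remember=N on the pam_unix password line (empty if no reuse history).
password_history() {
  grep -E '^password[[:space:]]+[a-z]+[[:space:]]+pam_unix\.so' "$1" \
    | sed -n 's/.*remember=\([0-9]*\).*/\1/p' | head -n 1
}

# Constructed sample files in a temporary directory.
D=$(mktemp -d)
trap 'rm -rf "$D"' EXIT
cat >"$D/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
alice:x:500:500::/home/alice:/bin/bash
EOF
cat >"$D/shadow" <<'EOF'
root:$6$constructedhash:16800:0:99999:7:::
bin:*:15980:0:99999:7:::
games:!!:15980:0:99999:7:::
ftp:$6$constructedhash2:16800:0:99999:7:::
alice:$6$constructedhash3:16800:0:99999:7:::
EOF
cat >"$D/login.defs" <<'EOF'
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
EOF
cat >"$D/su" <<'EOF'
auth            sufficient      pam_rootok.so
auth            required        pam_wheel.so use_uid
auth            include         system-auth
EOF
cat >"$D/system-auth" <<'EOF'
password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
password    required      pam_deny.so
EOF

unlocked_system_accounts "$D/passwd" "$D/shadow"     # ftp /sbin/nologin
[ "$(pass_max_days "$D/login.defs")" -le 90 ] || echo "PASS_MAX_DAYS should be 90 or less"
su_restricted_to_wheel "$D/su" && echo "su limited to wheel"
echo "password history: $(password_history "$D/system-auth")"
```

PASS_MAX_DAYS in login.defs only applies to accounts created afterwards; existing users keep their current maximum until it is changed with chage -M 90 <user>. Accounts listed by the first function can be locked with usermod -L, given a non-interactive shell with usermod -s, or removed with userdel, as section 1.4 describes.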
2. File and Directory Permissions
2.1 Default permission control
Back up target files before changing permissions. Use chmod and chattr to set appropriate modes (e.g., 640 for log files) and immutable attributes where required.
2.2 Minimum privilege for users
Assign the least privileges necessary to each user, removing unnecessary sudo rights and limiting access to only required directories.
2.3 Protect critical files
Ensure files such as /var/log/messages are set to append‑only mode (chattr +a) so they cannot be truncated or edited, only added to.
3. Log Security
3.1 Record security events
Enable audit logging for authentication failures, privilege escalations, and configuration changes.
3.2 Secure log file permissions
Set log files to 640 (or stricter) and verify with ls -l. Adjust any files with overly permissive modes.
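As an added example (not from the original article) of the verification step in 2.3 and 3.2, the script below flags files whose mode is looser than 640 and shows how the append-only attribute can be checked. The names loose_log_perms and is_append_only are chosen here, and the files it examines are created in a temporary directory; the /var/log commands appear only in comments.

```bash
#!/bin/sh
# Added example, not from the original article: audit log file modes and the
# append-only attribute from sections 2.3 and 3.2.

# Print "path mode" for every file whose mode is looser than 640, i.e. any of
# group write, group execute, or other read/write/execute is set.
# Returns 1 if any file fails (or cannot be read), 0 otherwise.
loose_log_perms() {
  rc=0
  for f in "$@"; do
    mode=$(stat -c '%a' "$f" 2>/dev/null) || { echo "$f unreadable"; rc=1; continue; }
    # octal 0137 (decimal 95) masks exactly the bits 640 must not have set
    if [ $(( 0$mode & 95 )) -ne 0 ]; then
      echo "$f $mode"
      rc=1
    fi
  done
  return $rc
}

# Return 0 if FILE carries the ext2/3/4 append-only attribute ("a" in the
# lsattr flags). Needs a filesystem that supports chattr; not run on samples.
is_append_only() {
  lsattr -d "$1" 2>/dev/null | cut -d' ' -f1 | grep -q 'a'
}

# Constructed sample files with three different modes.
D=$(mktemp -d)
trap 'rm -rf "$D"' EXIT
for m in 644 640 600; do : >"$D/log.$m"; chmod "$m" "$D/log.$m"; done

loose_log_perms "$D"/log.* || echo "fix the files listed above"   # only log.644 is listed

# On a real host (as root), following the article:
#   chmod 640 /var/log/messages
#   chattr +a /var/log/messages
#   is_append_only /var/log/messages && echo "append-only set"
```

An append-only /var/log/messages cannot be renamed, so logrotate must clear the attribute in a prerotate script and set it again in postrotate, otherwise rotation fails with "Operation not permitted".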
4. System Services
4.1 Restrict root SSH login
Edit /etc/ssh/sshd_config and set PermitRootLogin no and AllowUsers as needed, then restart the SSH daemon.
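Checking sshd_config by eye is error-prone because the stock file ships commented defaults and sshd uses the first active occurrence of a keyword. The following added example (not from the original article) reads the value sshd would use and checks the two settings above; sshd_setting and check_sshd are names chosen here, and both sample configs are constructed.

```bash
#!/bin/sh
# Added example, not from the original article: read the value sshd would use
# for a keyword from sshd_config, then check the settings from section 4.1.
# Mirrors sshd's parsing: keywords are case-insensitive, "#" lines are
# comments, the FIRST active occurrence wins, and directives after a "Match"
# line are conditional, so the function stops there. Only the
# "Keyword value" form is handled, not "Keyword=value".

sshd_setting() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == key { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
  ' "$1"
}

# Return 0 if root login is disabled and AllowUsers limits who may log in.
check_sshd() {
  rc=0
  v=$(sshd_setting "$1" PermitRootLogin)
  if [ "$v" != "no" ]; then
    echo "PermitRootLogin is '${v:-unset}' (OpenSSH 5.3 on CentOS 6 defaults to yes)"
    rc=1
  fi
  if [ -z "$(sshd_setting "$1" AllowUsers)" ]; then
    echo "AllowUsers is not set; any local account may attempt SSH login"
    rc=1
  fi
  return $rc
}

# Constructed samples: a hardened file and a stock-style file.
HARDENED=$(mktemp) && STOCK=$(mktemp)
trap 'rm -f "$HARDENED" "$STOCK"' EXIT
cat >"$HARDENED" <<'EOF'
#PermitRootLogin yes
PermitRootLogin no
PermitRootLogin yes
AllowUsers admin ops
Match Address 10.0.0.0/8
    X11Forwarding no
EOF
cat >"$STOCK" <<'EOF'
Protocol 2
#PermitRootLogin yes
EOF

check_sshd "$HARDENED" && echo "hardened: ok"   # first PermitRootLogin wins: no
check_sshd "$STOCK" || echo "stock: needs work"

# After editing the real file: sshd -t && service sshd restart
```

sshd -t validates the syntax before the restart, which matters on a remote host: a broken sshd_config that only surfaces at restart can leave you without a way back in.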
4.2 Login timeout
Define TMOUT in /etc/profile (e.g., TMOUT=600) to automatically log out idle sessions.
4.3 Remove dangerous files
Delete, or back up and then remove, any .rhosts, .netrc, and hosts.equiv files that are present.
4.4 NFS service restrictions
Verify NFS daemons are not running, or if needed, limit access via /etc/hosts.allow and /etc/hosts.deny. Stop or disable the services rpc.lockd, rpc.nfsd, rpc.statd, rpc.mountd.
5. Network Security
5.1 Disable source routing
Set net.ipv4.conf.all.accept_source_route = 0 and net.ipv6.conf.all.accept_source_route = 0 in /etc/sysctl.conf and apply with sysctl -p.
5.2 Control remote IP access
Use /etc/hosts.allow and /etc/hosts.deny to restrict which IP ranges may connect to services.
5.3 Disable ICMP redirects
Set net.ipv4.conf.all.accept_redirects = 0 and net.ipv4.conf.all.secure_redirects = 0 in /etc/sysctl.conf.
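The four sysctl keys in 5.1 and 5.3 are easy to mistype or to set twice with different values, so an added example (not from the original article) is given here that compares a sysctl.conf file against the expected values and prints the lines that still need adding. The list goes slightly beyond the text by also covering the matching net.ipv4/ipv6 conf.default.* keys, which supply the starting value for interfaces created later; sysctl_conf_value and audit_sysctl are names chosen here, and the sample file is constructed.

```bash
#!/bin/sh
# Added example, not from the original article: compare a sysctl.conf file
# against the source-routing and ICMP-redirect settings from 5.1 and 5.3.

# Print the value FILE assigns to KEY. sysctl -p applies lines in order, so
# the last uncommented assignment is the one that takes effect.
sysctl_conf_value() {
  awk -v key="$2" '
    /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }
    { i = index($0, "="); if (i == 0) next
      k = substr($0, 1, i - 1); v = substr($0, i + 1)
      gsub(/[[:space:]]/, "", k); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
      if (k == key) val = v }
    END { print val }
  ' "$1"
}

# The article's keys plus the conf.default.* counterparts (added here).
HARDEN_KEYS='net.ipv4.conf.all.accept_source_route
net.ipv4.conf.default.accept_source_route
net.ipv6.conf.all.accept_source_route
net.ipv6.conf.default.accept_source_route
net.ipv4.conf.all.accept_redirects
net.ipv4.conf.default.accept_redirects
net.ipv4.conf.all.secure_redirects
net.ipv4.conf.default.secure_redirects'

# Print "key = 0" for every key FILE leaves unset or not equal to 0; the
# output is exactly what needs appending. Returns 1 if anything is printed.
audit_sysctl() {
  rc=0
  for k in $HARDEN_KEYS; do
    if [ "$(sysctl_conf_value "$1" "$k")" != "0" ]; then
      echo "$k = 0"
      rc=1
    fi
  done
  return $rc
}

# Constructed sysctl.conf fragment: one key set twice, one set wrongly.
C=$(mktemp)
trap 'rm -f "$C"' EXIT
cat >"$C" <<'EOF'
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_source_route = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 1
EOF

audit_sysctl "$C" || echo "(the 6 lines above are missing or wrong)"

# As root on the real host:
#   audit_sysctl /etc/sysctl.conf >> /etc/sysctl.conf && sysctl -p
#   sysctl -n net.ipv4.conf.all.accept_source_route   # confirm the live value
```

Appending is safe here because later assignments override earlier ones when sysctl -p runs, but a tidier file is produced by editing the existing lines in place.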
5.4 Alias dangerous commands for root
Add aliases such as alias rm='rm -i' to root's .bashrc so that deletions prompt for confirmation; a convenience alias like alias ls='ls --color=auto' is commonly added alongside it to make file types easier to tell apart.
5.5 Update Bash
Check the current Bash version with bash --version. Upgrade via the package manager (e.g., yum update bash) or compile a newer version from source if the repository does not provide the latest release.
