Chinook Webs Tech Tips
General security for new centos servers
Last Post 29 Jul 2015 04:02 PM by SuperUser Account. 0 Replies.
Printer Friendly
PrevPrev NextNext
You are not authorized to post a reply.
Author Messages
SuperUser AccountUser is Offline
New Member
New Member

29 Jul 2015 04:02 PM

    Set network with nmtui
    systemctl restart network.service
    implement firewall ( we use config server wget
    tar -xzf csf.tgz)
    disable ssh (if you want to leave ssh enabled then make sure the firewall is blocking world access and only letting you thru)
    disable selinux on whm/cpanel systems (edit the 'SELINUX=' line in /etc/selinux/config for either 'enforcing', 'permissive', or 'disabled'.)

    disable but do not remove avahi-daemon
    systemctl stop avahi-daemon.socket avahi-daemon.service
    systemctl disable avahi-daemon.socket avahi-daemon.service
    install whm/cpanel cd /home && curl -o latest -L && sh latest

    inside whm:
    Enable open_basedir protection
    Disable Compilers for all accounts(except root)
    Enable Shell Bomb/memory Protection
    Enable cPHulk Brute Force Protection

    disable shell access
    disable anoymous ftp

    set mysql password
    enable suexec

    edit php.ini
    safe_mode = On
    expose_php = Off
    Enable_dl= Off
    magic_quotes = On
    register_globals = off
    display errors = off
    disable_functions = system, show_source, symlink, exec, dl,
    shell_exec, passthru, phpinfo, escapeshellarg,escapeshellcmd

    Edit the /etc/sysctl.conf file and add the following line in order to enable SYN cookies protection:

    # Enable TCP SYN Cookie Protection
    net.ipv4.tcp_syncookies = 1

    yum install clamav
    run crontab -e then add @daily root clamscan -R /home

    cd /root/

    tar -zxvf rkhunter-1.4.0.tar.gz
    cd rkhunter-1.4.0
    ./ --install

    Harden /tmp partition
    Run the /scripts/securetmp script to mount your /tmp partition to a temporary file for extra security.

    disable compilers in whm

    host access control to specific ranges
    ignore any recommendations regarding xfs,gpm,saslauthd,nfs,chargen,ypbind,anacron,hidd,cups. They are either not running on default minimal or are needed

    You are not authorized to post a reply.