Hardening CentOS

What will this script do?

  • Install useful packages such as tcpdump, mtr, zsh, perl and logrotate
  • Setup automatic yum updates
  • Set password policies
    • Passwords will expire every 180 days
    • Passwords may only be changed once a day
  • Set OS policies
    • Set idle users to be disconnected after 15 minutes
  • Install (if it is not installed) and configure IPTables firewall
    • Open specified TCP/UDP ports
    • Set rules to block common attacks
      • Syn Floods
      • Fragmented Packets
      • Malformed XMAS Packets
      • Drop NULL packets
      • Limit pings to 3 per second and bursts of 25
      • Discourage Port Scanning
    • Set up Connection Tracking
  • Install DDoS Deflate
  • Install CHKROOTKIT
    • Scheduled to check daily for issues and email your Admin Email
    • More information about CHKROOTKIT is available at http://www.chkrootkit.org/
  • Install rkhunter (Root Kit Hunter)
  • Install LSM (Linux Socket Monitor)
    • Runs in the background and watches for changes in sockets
  • Secure the SSH Daemon
    • Change the SSH port to a random number
    • Create an “admin” user
    • Make it so only the “admin” user can be logged into over SSH

Downloading the Script

Modifying the Variables

You may customize TCPPORTS and UDPPORTS, however the defaults in there now should cover most common processes.

Run the Script

What to do afterwards

After it completes, you will get a message like:

Tagged:

Rate This Article

Helpful Not Helpful
(324 out of 590 people found this article helpful)

About The Author

Jonathan is the Build Team Manager here at LSN. He works with his team to ensure you are getting a quality product every time you order.

  • Will this interfere with a cPanel installation? Can this script be run before installing cPanel? After installing cPanel?

    As I recall, the installation instructions for cPanel recommend (urge) that it be installed on a fresh, baseline install of CentOS, although There is some wiggle room, as, for example, one of the very first things I usually do when rolling out a new machine is to edit/customize my /etc/ssh/sshd_config for port numbers X11 forwarding, requiring logins via ssh keys only, and then adding an allowusers line so only specific users can ssh into the box. I’ve never had any problems installing cPanel after such things, but it’s been a while and things change lol.

    Anyway, a lot of those utils are a good first start, and @Dan, you can always just comment out the chkrootkit portion of the script and then just install it manually with rpm -ivh or by using yum 🙂