Hardening CentOS

What will this script do?

  • Install useful packages such as tcpdump, mtr, zsh, perl and logrotate
  • Setup automatic yum updates
  • Set password policies
    • Passwords will expire every 180 days
    • Passwords may only be changed once a day
  • Set OS policies
    • Set idle users to be disconnected after 15 minutes
  • Install (if it is not installed) and configure IPTables firewall
    • Open specified TCP/UDP ports
    • Set rules to block common attacks
      • Syn Floods
      • Fragmented Packets
      • Malformed XMAS Packets
      • Drop NULL packets
      • Limit pings to 3 per second and bursts of 25
      • Discourage Port Scanning
    • Set up Connection Tracking
  • Install DDoS Deflate
  • Install CHKROOTKIT
    • Scheduled to check daily for issues and email your Admin Email
    • More information about CHKROOTKIT is available at http://www.chkrootkit.org/
  • Install rkhunter (Root Kit Hunter)
  • Install LSM (Linux Socket Monitor)
    • Runs in the background and watches for changes in sockets
  • Secure the SSH Daemon
    • Change the SSH port to a random number
    • Create an “admin” user
    • Make it so only the “admin” user can be logged into over SSH

Downloading the Script

Modifying the Variables

You may customize TCPPORTS and UDPPORTS, however the defaults in there now should cover most common processes.

Run the Script

What to do afterwards

After it completes, you will get a message like:


Rate This Article

(84 out of 156 people found this article helpful)

About The Author