I'm going to be setting up Centmin on CentOS 7. I was wondering if additional security hardening to the OS was necessary. I found the guide below and I was going to apply *some* of their recommendations. I wanted to check here on the forum before I started. Security Harden CentOS 7 Is there anything on the list the members / admin would recommend? Is there anything on the list the members / admin would advise NOT to do? Thanks!
Centmin Mod is provide as is, so short of scripted related bugs or issues, any further optimisation to the web stack components - nginx, php-fpm, mariadb mysql, csf firewall etc or web app specific configurations are left to the Centmin Mod user to deal with. So I do not provide any free support for such. Centmin Mod out of the box has enough security however, not everything is locked down as tight as some software or configurations used require end user to understand fully what they are doing - not being able to understand such you could either lock yourself out or render the server unusable or just plain not useful if you don't know what the warnings mean (or difference between a warning, notice or something that MAY apply) (i.e. SELINUX enabling, AIDE etc). However, Centmin Mod users are free to help each other out and ask questions or give answers on this community forum. My hopes are that this community forum evolves so that more veteran long time Centmin Mod users help new Centmin Mod users out As to that linked list of items, some I'd be careful with unless you know 100% what you're doing and what implications deploying such measures means. These include Enabling secure mounts Enabling SELINUX Installing and configuring AIDE and AuditD both of which only applies to non-OpenVZ VPS systems TCP Wrappers Securing Cron IPTables not needed as CSF Firewall takes care of most rules Disabling DHCP Securing SSHD most covered by Centmin Mod
Thanks for the list of what to avoid! I'm making the leap to Centos 7 (from Centos 6) and nginx (from Apache). I'm going to deploy a live testing server and see how everything runs. Centmin looks really nice. Looking forward to using it.
Indeed a test server is a good way to start understanding and learning about Centmin Mod Just a reminder of some threads to read, pages to bookmark and threads to watch/subscribe to get to know Centmin Mod would include: Getting Started Guide, FAQ and What's New and centmin.sh guide. How to Install Centmin Mod 1.2.3-eva2000.08 Stable - you'd want to bookmark or subscribe to this thread for updates to the code, bug fixes, security updates etc. How to upgrade Centmin Mod 1.2.3-eva2000.08+ stable How to troubleshoot initial installs (as well as find the log files for all software for troubleshooting). Centmin Mod Configuration Files Overview Centmin Mod + Youtube Resources - recently created to illustrate visually what Centmin Mod can do. Alot of the vidoes are to showcase Centmin Mod .08 betas features which eventually will become the next stable release. All things SSL https related at SSL - HTTPS as a Google ranking signal Centmin Mod Insights forum - delve deeper into Centmin Mod code if you want to tweak it or extend it yourself. Find out how PHP Opcode cachers like APC Cache, Zend Opcache and Xcache are configured and installed and how Memcached server is setup etc. Several ways to follow Centmin Mod code development and changes/commits via Github Commit forum or directly on Centmin Mod Github repository - 123.08stable branche For forums, also check threads in dedicated Forum Software Usage forums. Some Xenforo users including myself have posted out Nginx vhost configs at Xenforo - My Xenforo Nginx vhost configuration For Nginx Pagespeed check out the official site page for Centmin Mod's integration of ngx_pagespeed module. Also check out the prefix linked forum url Nginx, PHP-FPM & MariaDB MySQL | Centmin Mod Community easy way to jump into all threads and info related to ngx_pagespeed. In particular bookmark the Nginx PageSpeed Troubleshooting sticky thread as there is high chance you need to tweak your Nginx pagespeed.conf config file for your web apps and styles used. You can see an example of this forum's pagespeed.conf tweaked for Xenforo and my particular used Xenforo style/theme and some discussion of troubleshooting advertising and ngx_pagespeed. Premium Membership Centmin Mod Premium Membership Benefits
Thanks! I've got 2 weeks to learn everything. Thankfully you have a ton of resources on the site and the install is one line of code. I did a test install on my local VM and, besides waiting for everything to install, it was pretty easy. I just have to figure out the conf for the IPB forum.
Everything seems to be working great. I had one question which, for the life of me, I can't find online. Cpanel has a great feature called Host Access Control which blocks everything except a specific IP address (I have a static IP address at my office). I wanted to have that ability to only allow a specific IP address to login, on my new Centmin server running CentOS 7, but I can't find any docs online how to setup so that my static IP and localhost is "allow" and everything else is "deny". Does anyone know how I can achieve that or can point me to a tut online? Thanks!
you maybe referring to Security Harden CentOS 7 Explain: Linux and UNIX TCP Wrappers – Find Out If a Program Is Compiled With TCP Wrappers https://access.redhat.com/documenta...ml/Reference_Guide/s1-tcpwrappers-access.html using /etc/hosts.allow and /etc/hosts.deny to secure unix | Smart Domotik World Host Access Control - Documentation - cPanel Documentation
Someone will try to hack my server the minute it goes online. You're probably right, but I'm not taking any chances.
CSF Firewall's LFD prevents such for SSHD CSF Firewall - CentminMod.com LEMP Nginx web stack for CentOS