Security

Discussion in 'Install & Upgrades or Pre-Install Questions' started by Jimmy, Nov 8, 2015.

  1. Jimmy

    Jimmy, Premium Member

    I'm going to be setting up Centmin on CentOS 7. I was wondering if additional security hardening to the OS was necessary. I found the guide below and I was going to apply *some* of their recommendations. I wanted to check here on the forum before I started.

    Security Harden CentOS 7

    Is there anything on the list the members / admin would recommend?

    Is there anything on the list the members / admin would advise NOT to do?

    Thanks!
     
  2. eva2000

    eva2000 Administrator Staff Member

    Centmin Mod is provided as is, so short of script related bugs or issues, any further optimisation to the web stack components - nginx, php-fpm, mariadb mysql, csf firewall etc or web app specific configurations are left to the Centmin Mod user to deal with. So I do not provide any free support for such. Centmin Mod out of the box has enough security; however, not everything is locked down as tight, as some software or configurations used require the end user to understand fully what they are doing - not being able to understand such, you could either lock yourself out or render the server unusable or just plain not useful if you don't know what the warnings mean (or the difference between a warning, a notice or something that MAY apply) (i.e. SELINUX enabling, AIDE etc).

    However, Centmin Mod users are free to help each other out and ask questions or give answers on this community forum. My hopes are that this community forum evolves so that more veteran long time Centmin Mod users help new Centmin Mod users out :)

    As to that linked list of items, some I'd be careful with unless you know 100% what you're doing and what implications deploying such measures has. These include:

    • Enabling secure mounts
    • Enabling SELINUX
    • Installing and configuring AIDE and AuditD, both of which only apply to non-OpenVZ VPS systems
    • TCP Wrappers
    • Securing Cron
    • IPTables not needed as CSF Firewall takes care of most rules
    • Disabling DHCP
    • Securing SSHD most covered by Centmin Mod
     
  3. Jimmy

    Thanks for the list of what to avoid!

    I'm making the leap to CentOS 7 (from CentOS 6) and nginx (from Apache). I'm going to deploy a live testing server and see how everything runs.

    Centmin looks really nice. Looking forward to using it.
     
  4. eva2000

    Indeed a test server is a good way to start understanding and learning about Centmin Mod :)

    Just a reminder of some threads to read, pages to bookmark and threads to watch/subscribe to get to know Centmin Mod would include:
    Premium Membership
     
  5. Jimmy

    Thanks! I've got 2 weeks to learn everything. Thankfully you have a ton of resources on the site and the install is one line of code. I did a test install on my local VM and, besides waiting for everything to install, it was pretty easy. I just have to figure out the conf for the IPB forum.
     
  6. Jimmy

    Everything seems to be working great. I had one question which, for the life of me, I can't find online. cPanel has a great feature called Host Access Control which blocks everything except a specific IP address (I have a static IP address at my office). I wanted to have that ability to only allow a specific IP address to log in, on my new Centmin server running CentOS 7, but I can't find any docs online on how to set it up so that my static IP and localhost are "allow" and everything else is "deny". Does anyone know how I can achieve that or can point me to a tut online?

    Thanks!
     
  7. eva2000

    You may be referring to Security Harden CentOS 7

     
  8. RoldanLT

    RoldanLT Well-Known Member

    "SSH disallows password-based login" is really good enough.
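
A check for the setting quoted in the post above, as an added example that is not part of the original thread or of Centmin Mod: it reads sshd_config text and reports whether password-capable login is still reachable, honoring sshd's rule that the first value read for a keyword wins. The function names, the sample config and the assumed defaults are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit sshd_config text for password-capable login methods.
# sshd keywords are case-insensitive and the FIRST value read for a keyword
# is the one used; settings under a Match block are conditional overrides.

# Reads sshd_config text on stdin and prints one finding per line.
audit_sshd_passwords() {
  awk '
    BEGIN {
      # Assumed defaults when a keyword is absent (OpenSSH as shipped for CentOS 7).
      val["passwordauthentication"] = "yes"
      val["challengeresponseauthentication"] = "yes"
    }
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    {
      sub(/[ \t]*=[ \t]*/, " ")              # accept "Keyword=value" as well
      key = tolower($1); v = tolower($2)
      gsub(/"/, "", v)
      if (key == "match") { in_match = 1; next }
      # Newer OpenSSH name for the same switch.
      if (key == "kbdinteractiveauthentication") key = "challengeresponseauthentication"
      if (!(key in val)) next
      if (in_match) {
        if (v == "yes") print "WARN Match block re-enables " key
        next
      }
      if (!(key in seen)) { seen[key] = 1; val[key] = v }   # first value wins
    }
    END {
      for (k in val) if (val[k] != "no") { print "FAIL " k " is " val[k]; bad = 1 }
      if (!bad) print "OK password and keyboard-interactive login disabled globally"
    }' | sort
}

# Constructed sample: the later "no" is ignored because the first value wins.
sample_config() {
  cat <<'EOF'
# constructed sshd_config for illustration
Port 22
passwordauthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
Match Address 192.0.2.10
    PasswordAuthentication yes
EOF
}

sample_config | audit_sshd_passwords
```

On a live server, feed it the real file with `audit_sshd_passwords < /etc/ssh/sshd_config`; `sshd -T` prints the effective global settings for comparison.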
     
  9. Jimmy

  10. Jimmy

    Someone will try to hack my server the minute it goes online. You're probably right, but I'm not taking any chances.
     
  11. eva2000

    CSF Firewall's LFD prevents such for SSHD: CSF Firewall - CentminMod.com LEMP Nginx web stack for CentOS

     