CentOS server security tips

Needless to say, for a system administrator, improving server security is one of the most important tasks, so countless articles, blog posts and forum threads have been written on the topic.

A server is made up of a large number of components with different functions, which makes it hard to offer a ready-made solution tailored to everyone's needs. This article covers some tips that may help administrators and users keep their servers secure.

Some common-sense rules that every system administrator should know by heart will not be repeated in this article:

Always keep the system up to date
Change your password regularly, using a combination of numbers, letters and non-alphanumeric symbols
Give users the minimum permissions needed for their daily work
Install only the packages you really need

Here is the more interesting part:
Change the default SSH port

After building a brand new server, the first thing to do is to change the default SSH port. This small change spares your server thousands of brute-force attacks (LCTT Annotation: leaving the default port is like letting attackers know your street address; they then only need to try a handful of keys to open your door).

To change the default SSH port, open sshd_config file:

sudo vim /etc/ssh/sshd_config

Locate the following line:

#Port 22

The "#" sign marks this line as a comment. First remove the #, then replace the port number with the one you want. The port number cannot exceed 65535, and make sure the number you choose is not already used by the system or by another service. We recommend checking the list of common port numbers on [Wikipedia]. In this article we use the following port:

Port 16543

Then save and close the file; the change takes effect once sshd is restarted, as described below.

The next step:
Using SSH key authentication

When accessing the server via SSH, key-based authentication is particularly important: it adds an extra layer of protection to the server by ensuring that only those who hold the key can access it.

Run the following command on the local machine to generate SSH keys:

ssh-keygen -t rsa

You will see output like the following, asking where to save the key file and for a passphrase:

Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): my_key
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in my_key.
Your public key has been saved in my_key.pub.
The key fingerprint is:
SHA256:MqD/pzzTRsCjZb6mpfjyrr5v1pJLBcgprR5tjNoI20A

Once done, you have two files: my_key (the private key) and my_key.pub (the public key).

Then copy my_key.pub into ~/.ssh/authorized_keys:

cp my_key.pub ~/.ssh/authorized_keys

Then upload the key to the server with the following command:

scp -P16543 authorized_keys user@yourserver-ip:/home/user/.ssh/

From now on you can log in to the server from your local machine without a password.
Disable SSH password authentication

Now that you have SSH keys, it is safer to disable SSH password authentication. Open sshd_config again and set the following:

ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no

Disable root login

The next key step is to disable direct root login and use sudo or su for administrative tasks instead. First you need a new user with root privileges, so edit the sudoers file at this path:

/etc/sudoers

It is recommended to use the visudo command to edit this file, because it checks for syntax errors before the file is closed; this is very useful when you make a mistake while editing.

Then grant a user root privileges. This article uses the user sysadmin; make sure the user you put in the file already exists on the system. Locate the following line:

root    ALL=(ALL)       ALL

Copy this line, paste it on the next line, and change root to sysadmin, like so:

root        ALL=(ALL)       ALL
sysadmin    ALL=(ALL)       ALL

The meaning of each field on this line:

(1) root   (2) ALL = (3) (ALL)   (4) ALL

(1) the user the rule applies to

(2) the hosts (terminals) from which the user may run sudo

(3) the users that this user may run commands as

(4) the commands this user may run

(LCTT Annotation: so the line above means: the root user may run any command as any user from any terminal.)

With this configuration the user can use sudo to run privileged system tools.

Now you can safely save the file.

To disable direct root access via SSH, open sshd_config again and find the following line:

#PermitRootLogin yes

Change to:

PermitRootLogin no

Then save the file and restart the sshd daemon for the changes to take effect:

sudo /etc/init.d/sshd restart
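The sshd_config changes made step by step above (custom port, no password or challenge-response authentication, no PAM, no root login) can be applied and then verified in one go. The script below is an added example and is not code from the original article: it edits a constructed sample file rather than the live /etc/ssh/sshd_config, the function names are my own, and it assumes GNU sed for the in-place edit.

```shell
#!/bin/sh
# Added example (not from the original article): apply the article's sshd_config
# settings to a config file and verify the values sshd would actually use.
# Works on a constructed sample so it can run anywhere; on a real host the file
# is /etc/ssh/sshd_config, followed by "sshd -t" and a restart of sshd.
# Assumes GNU sed (for -i).

# set_sshd_option FILE KEY VALUE
# Rewrite every "KEY ..." line (commented out or not) as "KEY VALUE"; append the
# keyword if it is absent. Matching is case-sensitive, so use the spelling the
# article uses (Port, PasswordAuthentication, ...).
set_sshd_option() {
    file=$1 key=$2 value=$3
    if grep -q "^[#[:space:]]*$key[[:space:]]" "$file"; then
        sed -i "s/^[#[:space:]]*$key[[:space:]].*/$key $value/" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# valid_port PORT: true when PORT is an integer between 1 and 65535
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# harden_sshd_config FILE PORT: the article's five settings in one step
harden_sshd_config() {
    file=$1 port=$2
    valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    set_sshd_option "$file" Port "$port"
    set_sshd_option "$file" ChallengeResponseAuthentication no
    set_sshd_option "$file" PasswordAuthentication no
    set_sshd_option "$file" UsePAM no
    set_sshd_option "$file" PermitRootLogin no
}

# effective_value FILE KEY: the value sshd would use, i.e. the first
# non-comment occurrence of KEY (sshd ignores later duplicates)
effective_value() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# make_sample_config FILE: constructed sample with the lines a stock
# CentOS sshd_config has for these keywords (only the relevant lines)
make_sample_config() {
    cat > "$1" <<'EOF'
#Port 22
#PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
EOF
}

demo() {
    tmp=$(mktemp)
    make_sample_config "$tmp"
    harden_sshd_config "$tmp" 16543 || { rm -f "$tmp"; return 1; }
    for k in Port PermitRootLogin PasswordAuthentication \
             ChallengeResponseAuthentication UsePAM X11Forwarding; do
        printf '%-31s %s\n' "$k" "$(effective_value "$tmp" "$k")"
    done
    rm -f "$tmp"
}

demo
```

Two checks belong around this script on a real host: confirm the chosen port is not already listening (ss -ltn) before writing it, and keep an existing SSH session open while you test a fresh key-based login from a second terminal, since once PasswordAuthentication is off a missing or unreadable authorized_keys file locks you out. Run sshd -t -f on the edited file before restarting (systemctl restart sshd on systemd hosts). Note also that the sshd_config shipped with CentOS carries a comment warning that UsePAM no is not supported there and may cause problems, so verify that logins still behave after applying it.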

Setting up a firewall

A firewall helps filter ports and blocks brute-force login attempts. I tend to use the powerful CSF (ConfigServer Firewall). It is based on iptables, is easy to manage, and also provides a web interface for users who are not comfortable typing commands.

To install CSF, first log in to the server and change to this directory:

cd /usr/local/src/

Then run the following commands as root:

wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

Once the installation is complete, edit the CSF configuration file, csf.conf.

By default CSF runs in test mode. Set the TESTING value to 0 to switch it to production mode.

Next, set the ports the server should allow. Locate the following section in csf.conf and change the ports as needed:

# Allow incoming TCP ports
TCP_IN = "20,21,25,53,80,110,143,443,465,587,993,995,16543"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995,16543"
# Allow incoming UDP ports
UDP_IN = "20,21,53"
# Allow outgoing UDP ports
# To allow outgoing traceroute requests, add the port range 33434:33523 to the list
UDP_OUT = "20,21,53,113,123"

Configure each list as needed; it is recommended to allow only the ports you actually need rather than wide port ranges. Also avoid insecure services on insecure ports: for example, allow only ports 465 and 587 for sending mail instead of the default SMTP port 25. (LCTT Annotation: provided your mail server supports SMTPS.)

Important: do not forget to allow your custom SSH port.

It is very important to allow your own IP address through the firewall so that it is never blocked. Allowed IP addresses are defined in a dedicated CSF file:

[screenshot: the CSF allow-list file]

IP addresses that have been blocked appear in this file:

[screenshot: csf.deny]

Once you have made the changes, restart csf with this command:

sudo /etc/init.d/csf restart
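Because a csf restart applies the new rules immediately, it is worth checking mechanically, before restarting, that the custom SSH port from sshd_config really is in TCP_IN and that TESTING has been switched off. The script below is an added example, not part of the article or of CSF itself; the csf.conf and sshd_config fragments are constructed for the demo and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original article or the CSF project): a
# pre-restart check that the SSH port configured in sshd_config is allowed in
# CSF's TCP_IN list, so that "csf restart" cannot lock you out of the server.
# The sample files are constructed; the real ones are /etc/csf/csf.conf and
# /etc/ssh/sshd_config.

# csf_list FILE KEY: the quoted value of a KEY = "..." line in csf.conf
csf_list() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# csf_testing_mode FILE: the TESTING value (1 = test mode: lfd does not run
# and a cron job keeps flushing the rules, so nothing is really blocked)
csf_testing_mode() {
    csf_list "$1" TESTING
}

# sshd_port FILE: the effective Port in sshd_config, 22 when none is set
sshd_port() {
    p=$(awk '$1 == "Port" { print $2; exit }' "$1")
    echo "${p:-22}"
}

# port_in_list PORT LIST: true if PORT appears in the comma-separated LIST,
# either as a single port or inside a lo:hi range such as 33434:33523
port_in_list() {
    port=$1
    echo "$2" | tr ',' '\n' | while read -r entry; do
        case $entry in
            '')  ;;
            *:*) lo=${entry%%:*}; hi=${entry##*:}
                 [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && echo yes ;;
            *)   [ "$entry" = "$port" ] && echo yes ;;
        esac
    done | grep -q yes
}

# csf_ssh_port_ok CSF_CONF SSHD_CONF: report whether the SSH port is allowed
csf_ssh_port_ok() {
    port=$(sshd_port "$2")
    if port_in_list "$port" "$(csf_list "$1" TCP_IN)"; then
        echo "OK: SSH port $port is allowed in TCP_IN"
    else
        echo "LOCKOUT RISK: SSH port $port is not in TCP_IN, fix csf.conf first" >&2
        return 1
    fi
}

demo() {
    csf=$(mktemp); sshd=$(mktemp)
    # constructed csf.conf fragment matching the article's port lists
    cat > "$csf" <<'EOF'
TESTING = "0"
TCP_IN = "20,21,25,53,80,110,143,443,465,587,993,995,16543"
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995,16543"
UDP_IN = "20,21,53"
UDP_OUT = "20,21,53,113,123,33434:33523"
EOF
    # constructed sshd_config fragment with the article's custom port
    printf 'Port 16543\nPermitRootLogin no\n' > "$sshd"
    echo "TESTING = $(csf_testing_mode "$csf")"
    csf_ssh_port_ok "$csf" "$sshd"
    rm -f "$csf" "$sshd"
}

demo
```

On a real host, run csf_ssh_port_ok /etc/csf/csf.conf /etc/ssh/sshd_config and only restart csf when it prints OK; the same port_in_list check can be reused for any other service you rely on reaching remotely.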

Here is some content from the csf.deny file on one server, showing how useful CSF is:

.216.48.205 # lfd: (sshd) Failed SSH login from (KR/Korea, Republic of/-): 5 in the last 3600 secs - Fri Mar 6 00:30:35 2015
.41.124.53 # lfd: (sshd) Failed SSH login from (HK/Hong Kong/-): 5 in the last 3600 secs - Fri Mar 6 01:06:46 2015
.41.124.42 # lfd: (sshd) Failed SSH login from (HK/Hong Kong/-): 5 in the last 3600 secs - Fri Mar 6 01:59:04 2015
.41.124.26 # lfd: (sshd) Failed SSH login from (HK/Hong Kong/-): 5 in the last 3600 secs - Fri Mar 6 02:48:26 2015
.169.74.58 # lfd: (sshd) Failed SSH login from (GB/United Kingdom/mail2.algeos.com): 5 in the last 3600 secs - Fri Mar 6 03:49:03 2015

As you can see, the IP addresses that attempted brute-force logins have been blocked; it is quite reassuring!
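A csf.deny file on a busy server grows quickly, so it is more useful to summarise it than to read it line by line. The script below is an added example (not from the article or from CSF); the csf.deny lines it parses are constructed in the same format as the listing above, with RFC 5737 documentation addresses in place of real ones, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original article or the CSF project): summarise
# the block entries lfd writes to csf.deny, so attack sources and the services
# being targeted can be reviewed at a glance. The real file is /etc/csf/csf.deny.

# Constructed sample: one line per block, "IP # lfd: (service) reason"
SAMPLE_DENY=$(cat <<'EOF'
# comment lines and blank lines are ignored
192.0.2.10 # lfd: (sshd) Failed SSH login from 192.0.2.10 (KR/Korea, Republic of/-): 5 in the last 3600 secs - Fri Mar  6 00:30:35 2015
198.51.100.53 # lfd: (sshd) Failed SSH login from 198.51.100.53 (HK/Hong Kong/-): 5 in the last 3600 secs - Fri Mar  6 01:06:46 2015
198.51.100.42 # lfd: (sshd) Failed SSH login from 198.51.100.42 (HK/Hong Kong/-): 5 in the last 3600 secs - Fri Mar  6 01:59:04 2015
198.51.100.26 # lfd: (sshd) Failed SSH login from 198.51.100.26 (HK/Hong Kong/-): 5 in the last 3600 secs - Fri Mar  6 02:48:26 2015
203.0.113.58 # lfd: (sshd) Failed SSH login from 203.0.113.58 (GB/United Kingdom/mail.example.net): 5 in the last 3600 secs - Fri Mar  6 03:49:03 2015
203.0.113.7 # lfd: (ftpd) Failed FTP login from 203.0.113.7 (US/United States/-): 10 in the last 3600 secs - Fri Mar  6 04:12:00 2015
EOF
)

# deny_entries FILE: one "IP SERVICE COUNTRY FAILURES" line per block entry
deny_entries() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        {
            ip = $1
            svc = $4; gsub(/[()]/, "", svc)            # "(sshd)" -> "sshd"
            cc = "??"
            if (match($0, /\([A-Z][A-Z]\//))            # "(HK/..." -> "HK"
                cc = substr($0, RSTART + 1, 2)
            n = "?"
            if (match($0, /: [0-9]+ in the last/)) {    # ": 5 in the last" -> "5"
                n = substr($0, RSTART + 2)
                sub(/ in the last.*/, "", n)
            }
            print ip, svc, cc, n
        }' "$1"
}

# deny_by_country FILE: "CC count" lines, most-blocked country first
deny_by_country() {
    deny_entries "$1" | awk '{ c[$3]++ } END { for (k in c) print k, c[k] }' \
        | sort -k2,2nr -k1,1
}

# deny_by_service FILE: "service count" lines, most-attacked service first
deny_by_service() {
    deny_entries "$1" | awk '{ c[$2]++ } END { for (k in c) print k, c[k] }' \
        | sort -k2,2nr -k1,1
}

# deny_count FILE: number of blocked addresses
deny_count() {
    deny_entries "$1" | wc -l | tr -d ' '
}

demo() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_DENY" > "$f"
    echo "blocked addresses: $(deny_count "$f")"
    echo "by country:"; deny_by_country "$f"
    echo "by service:";  deny_by_service "$f"
    rm -f "$f"
}

demo
```

Run the functions against /etc/csf/csf.deny to get the same summary for a live server; a service that suddenly appears in deny_by_service, or a single country dominating deny_by_country, is a useful prompt to tighten the corresponding TCP_IN entry or to add that service's port to the list of things the firewall should not expose at all.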
Lock accounts

If an account will not be used for a long time, it can be locked to prevent other people from using it. Use the following command:

passwd -l accountName

Of course, the root user can still use this account (LCTT Annotation: root can switch to it with su).
Understand which services are running on the server

The purpose of a server is to provide access to various services, so make sure it runs only the services it needs and shut down the ones that are not used. This not only frees up system resources but also makes the server more secure. For example, a simple server clearly does not need X or a desktop environment, and if you do not need Windows network sharing, you can safely turn off Samba.

Use the following command to see which services are started at boot:

chkconfig --list | grep "3:on"

If the system runs systemd, use this command instead:

systemctl list-unit-files --type=service | grep enabled

Then disable a service with one of the following commands:

chkconfig service off
systemctl disable service

In the commands above, replace "service" with the name of the service you actually want to stop, for example:

chkconfig httpd off
systemctl disable httpd


The purpose of this article is to cover some of the common security steps to help you to protect the server. You can take more ways to enhance the server protection. Remember to ensure server security is your responsibility, as much as possible while maintaining server security to make informed choices, and although there is no easy way to accomplish this thing, and to establish a “comprehensive” security needs to spend a lot of time and testing until you reach the desired result.