Secure RedHat

Step by step: securing a Linux server based on RedHat/CentOS

Secure Server

Steps to secure a Linux (RedHat/CentOS) server.

  • Create a new user on the RedHat Linux server and grant it sudo access
  • Enable automatic updates, or update manually on a regular basis
  • Enable SSH key authentication
  • Disable root login
  • Change the default SSH port and allow it in SELinux
  • Enable the firewall and allow HTTP and HTTPS through it
  1. Create New User with sudo privileges

Creating Sudo User

Log in to your server

ssh root@server_ip_address (or connect with PuTTY)

useradd username

[root@rserver8 ~]# sudo useradd Sharique

[root@rserver8 ~]# sudo useradd syed

Set the user password

passwd username


[root@rserver8 ~]# sudo passwd Sharique

Add the new user to the sudo group

By default, on RedHat/CentOS systems, members of the group wheel are granted sudo access. Add the new user to the wheel group:

sudo usermod -aG wheel username

[root@rserver8 ~]# sudo usermod -aG wheel Sharique

[root@rserver8 ~]# sudo usermod -aG wheel syed

How to use sudo: switch to the new user

su - username

[root@rserver8 ~]# su Sharique

[root@rserver8 ~]# su - Sharique

[root@rserver8 ~]# su syed

[root@rserver8 ~]# su - syed

  • Enable automatic updates, or update manually on a regular basis

YUM is the primary package management tool for installing, updating, removing, and managing software packages in Red Hat Enterprise Linux.

Manual update

[sharique@rserver8 ~]$ sudo yum update -y

Packages can be installed, removed and upgraded from the newly created sudo user.

Install yum-cron on RedHat/CentOS for automatic updates

[sharique@centos ~]$ sudo yum -y install yum-cron

After the installation is complete, start the yum-cron service

[sharique@centos ~]$ sudo systemctl start yum-cron

[sharique@centos ~]$ sudo systemctl status yum-cron

Configure Yum-Cron for automatic updates

[sharique@centos ~]$ sudo vi /etc/yum/yum-cron.conf

update_cmd = security

update_messages = yes

download_updates = yes

apply_updates = yes

emit_via = email

email_from = root@mycenserver

email_to = sharique@querypanel.com

email_host = localhost

[sharique@centos ~]$ sudo systemctl restart yum-cron

Exclude packages from automatic updates

If some packages should not be updated automatically, disable the automatic update for them in the same configuration file:

[sharique@centos ~]$ sudo vi /etc/yum/yum-cron.conf
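The yum-cron settings above, applied from a script together with an exclude list for packages that must never be updated automatically. This is an added example, not part of the original post; it assumes the stock yum-cron.conf layout and uses the mail addresses from the walkthrough.

```shell
#!/bin/sh
# Added example, not part of the original post: set the yum-cron options from
# the walkthrough in /etc/yum/yum-cron.conf and add an "exclude" line so the
# named packages are never updated automatically. The file path is a parameter
# so the function can be exercised on a copy first. Assumes the stock file,
# where every key below already exists in its section and [base] is last.
set -eu

# set_opt FILE KEY VALUE: replace "KEY = ..." in FILE, or append it if missing.
set_opt() {
    file=$1; key=$2; value=$3
    if grep -q "^$key *=" "$file"; then
        sed -i "s|^$key *=.*|$key = $value|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_opt FILE KEY: print the value of KEY (used for verification).
get_opt() {
    sed -n "s|^$2 *= *||p" "$1" | head -n 1
}

# configure_yum_cron FILE EXCLUDES: security updates only, downloaded and
# applied automatically, reported by mail as in the walkthrough. EXCLUDES is a
# space-separated list of package globs, e.g. "kernel* httpd", that yum-cron
# must skip; it lands in [base], the last section of the stock file.
configure_yum_cron() {
    file=$1; excludes=$2
    set_opt "$file" update_cmd security
    set_opt "$file" update_messages yes
    set_opt "$file" download_updates yes
    set_opt "$file" apply_updates yes
    set_opt "$file" emit_via email
    set_opt "$file" email_from root@mycenserver
    set_opt "$file" email_to sharique@querypanel.com
    set_opt "$file" email_host localhost
    set_opt "$file" exclude "$excludes"
}

# Typical use (as root), followed by: systemctl restart yum-cron
#   configure_yum_cron /etc/yum/yum-cron.conf "kernel*"
```

Check the result with get_opt before restarting yum-cron; a typo in apply_updates silently leaves the server on download-only.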

Check yum-cron logs

[sharique@centos ~]$ sudo cat /var/log/cron | grep yum-daily

[sharique@centos log]$ tail -10 /var/log/yum.log

SSH ACCESS – GENERATING A PUBLIC/PRIVATE KEY

Enable SSH key authentication

[sharique@rserver8 ~]$ ssh-keygen -t rsa

[syed@rserver8 ~]$ ssh-keygen -t rsa

[syed@rserver8 ~]$ sudo chmod 700 ~/.ssh/

Copy the public key into authorized_keys and restrict the file to read and write by its owner only (mode 600):

[syed@rserver8 ~]$ cp ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys

[syed@rserver8 ~]$ chmod 600 ~/.ssh/authorized_keys

Export the private key to the client for login without a password:

[root@rserver8 ~]# vi /etc/ssh/sshd_config

[root@rserver8 ~]# sudo systemctl restart sshd

The exported key is in text (OpenSSH) format; for PuTTY it first has to be converted.

A PPK file stores a private key together with the corresponding public key.

Save the text format to your local PC and convert it to PPK format:

Change the format to pem

Start the key generator (PuTTYgen)

Click on Load

Once done, save it

Now import it to log in without a password

Password authentication is no longer needed for this user.

  • Change default SSH port

[syed@rserver8 ~]$ sudo vi /etc/ssh/sshd_config

If you are not using the Linux firewall, this is enough; if you are, the new SSH port must also be allowed through the firewall.

Firewall

[root@sharique ~]# systemctl enable firewalld

[root@sharique ~]# systemctl start firewalld

[root@sharique ~]# systemctl status firewalld

Testing Https and http services

Adding http and https in firewall

sudo firewall-cmd --zone=public --add-service=http

sudo firewall-cmd --zone=public --add-service=https

sudo firewall-cmd --zone=public --list-services

Once you have tested that everything is working as it should, you will probably want to modify the permanent firewall rules so that your service is still available after a reboot. We can make our "public" zone change permanent:

Use the ports your services actually listen on.

sudo firewall-cmd --zone=public --permanent --add-service=http

sudo firewall-cmd --zone=public --permanent --add-service=https

Testing: adding ports to the firewall

[sharique@centos ~]$ sudo firewall-cmd --zone=public --add-port=6162/tcp

[sharique@centos ~]$ sudo firewall-cmd --zone=public --add-port=6162/udp

[sharique@centos ~]$ sudo firewall-cmd --zone=public --add-port=2023/tcp

Permanently assign TCP/UDP ports in the firewall

[sharique@centos ~]$ sudo firewall-cmd --zone=public --permanent --add-port=6162/udp

[sharique@centos ~]$ sudo firewall-cmd --zone=public --permanent --add-port=6162/tcp

When adding the SSH port, the zone can be omitted (the default zone is used):

sudo firewall-cmd --permanent --add-port=2023/tcp

[sharique@centos ~]$ sudo firewall-cmd --permanent --add-port=2023/udp

sudo firewall-cmd --reload

[sharique@centos ~]$ sudo systemctl status firewalld

Allow the new SSH port in SELinux

semanage port -a -t ssh_port_t -p tcp 2023

semanage port -m -t ssh_port_t -p tcp 2023
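The SSH port change, root-login restriction and SELinux/firewall steps above, combined into one script that edits sshd_config in place and opens the port before sshd is restarted. This is an added example, not part of the original post; it assumes port 2023 as used in the walkthrough and takes the config path as a parameter so the edit can be tried on a copy first.

```shell
#!/bin/sh
# Added example, not part of the original post: apply the SSH hardening steps
# of the walkthrough (new port, no root login, key-only login) to sshd_config,
# then open that port in SELinux and firewalld before sshd is restarted.
# Assumed: port 2023 as in the walkthrough; the file path is passed in so the
# editing function can be exercised on a copy first.
set -eu

# set_directive FILE KEY VALUE: turn every active or commented "KEY ..." line
# into "KEY VALUE", or append the directive if the file has no such line.
set_directive() {
    file=$1; key=$2; value=$3
    if grep -Eq "^#? *$key( |$)" "$file"; then
        sed -i -E "s|^#? *$key( .*)?$|$key $value|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_directive FILE KEY: print the active value of KEY (used for verification).
get_directive() {
    sed -n -E "s|^$2 +||p" "$1" | head -n 1
}

# harden_sshd_config FILE PORT: move sshd to PORT, refuse root logins and
# password logins, and rely on the authorized_keys created earlier.
# On RHEL 9 a drop-in under /etc/ssh/sshd_config.d/ may still override these.
harden_sshd_config() {
    set_directive "$1" Port "$2"
    set_directive "$1" PermitRootLogin no
    set_directive "$1" PasswordAuthentication no
    set_directive "$1" PubkeyAuthentication yes
}

# open_ssh_port PORT: label PORT for sshd in SELinux and open it permanently in
# firewalld. Do this BEFORE "systemctl restart sshd", and keep the current
# session open until a login on the new port has succeeded.
open_ssh_port() {
    port=$1
    # "semanage port -a" fails if the port is already labelled; then modify it.
    semanage port -a -t ssh_port_t -p tcp "$port" 2>/dev/null \
        || semanage port -m -t ssh_port_t -p tcp "$port"
    firewall-cmd --permanent --add-port="$port/tcp"
    firewall-cmd --reload
}

# Typical rollout (as root):
#   harden_sshd_config /etc/ssh/sshd_config 2023 && sshd -t
#   open_ssh_port 2023 && systemctl restart sshd
```

Run sshd -t after editing and only then restart; a rejected config combined with a closed old port is how an admin gets locked out.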

Active firewall services and ports (public zone and default zone)

Public Zone

[sharique@centos ~]$ sudo firewall-cmd --zone=public --list-services

[sharique@centos ~]$ sudo firewall-cmd --list-services

Open ports on the server

[sharique@centos ~]$ sudo firewall-cmd --list-all
