Hardening CentOS

img Hunter Day

Mar 28, 2019


Hardening CentOS

What will this script do?

  • Install useful packages such as tcpdump, mtr, zsh, perl and logrotate
  • Setup automatic yum updates
  • Set password policies
    • Passwords will expire every 180 days
    • Passwords may only be changed once a day
  • Set OS policies
    • Set idle users to be disconnected after 15 minutes
  • Install (if it is not installed) and configure IPTables firewall
    • Open specified TCP/UDP ports
    • Set rules to block common attacks
      • Syn Floods
      • Fragmented Packets
      • Malformed XMAS Packets
      • Drop NULL packets
      • Limit pings to 3 per second and bursts of 25
      • Discourage Port Scanning
    • Set up Connection Tracking

  • Install DDoS Deflate
  • Install CHKROOTKIT
    • Scheduled to check daily for issues and email your Admin


    More information about CHKROOTKIT is available at
    :   <http://www.chkrootkit.org/>
  • Install rkhunter (Root Kit Hunter)
  • Install LSM (Linux Socket Monitor)
    • Runs in the background and watches for changes in sockets
  • Secure the SSH Daemon
    • Change the SSH port to a random number
    • Create an "admin" user
    • Make it so only the "admin" user can be logged into over SSH

Downloading the Script:

cd /root
wget http://mirror.lstn.net/scripts/hardening/centos.sh
chmod +x centos.sh

Modifying the Variables:

vim centos.sh

You may customize TCPPORTS and UDPPORTS, however the defaults in there now should cover most common processes.

Run the Script:


What to do afterwards

After it completes, you will get a message like:

SSH User: admin
SSH Pass: 254457cb9448226
SSH Port: 5575
Admin Email: admin@fake.lstn.net

You must now reconnect to this server using the information above
Changing the SSH port has caused this connection to freeze.
BEFORE CLOSING THIS WINDOW please note your information above.