Design and Implement a Secured CentOS 7 Based Web Server
System Overview
The proof-of-concept (POC) system is installed and running on a CentOS 7 based Linux system
with the Apache web server. The website is publicly accessible over HTTP on port 80.
Authorized web administrators can update and upload the website content, and authorized
server administrators can manage the server remotely.
Network Diagram
● CentOS 7 Linux virtual machine
● The role of the VM is a Linux-based web server
● The Apache web server and the website run on the virtual machine
Operations Procedure
● To access the website, users need the IP address of the web server. To find the IP address,
run the ifconfig command in a terminal on the server. Then open a web browser and enter the
IP address to reach the website on HTTP port 80.
● To let authorized users, i.e. web administrators, update/upload web content remotely,
create a webadmin user account with admin privileges. To connect to the server, use an SSH
client and log in as webadmin.
● To let authorized users, i.e. server administrators, manage the server remotely, create an
admin user account with root privileges. To connect to the server, use an SSH client and
log in as admin.
Linux Server Security Measures
1. Update your Server
The first security measure to secure a Linux server is to update the server.
To update the server sudo yum update
2. Create New User
The second security measure is to create a new user account for logging in to your server and
give it root privileges.
To create a new user useradd admin
To create a password for the new user passwd admin
3. Remove Packages
The third security measure is to remove unwanted packages from the system.
To list all installed packages rpm -qa
To remove package yum remove package
4. Stop Services
The fourth security measure is to stop unneeded services on the Linux system.
To list all services systemctl list-units --type=service
To stop a service systemctl stop firewalld.service
5. Stop Listening Ports
The next security measure is to view open ports/services and stop unneeded listening
ports/services.
To check listening ports netstat -tulpn
To stop a service service sshd stop or
To stop a service systemctl stop sshd.service
6. Setup SSH Keys
SSH keys allow you to connect to the server securely with a stored key pair.
To generate an SSH key pair ssh-keygen -t rsa
To copy the public key into the authorized keys file cd ~/.ssh && cp id_rsa.pub authorized_keys
To copy the authorized keys file to the root user's SSH directory on the server
scp ~/.ssh/authorized_keys root@xyz.example.com:/root/.ssh/
To connect to the server ssh root@xyz.example.com
7. Configure SSH
The next security measure is to disable SSH login for the root user and password-based login.
To configure SSH open /etc/ssh/sshd_config in a text editor
Change these lines
PasswordAuthentication yes
PermitRootLogin yes
To
PasswordAuthentication no
PermitRootLogin no
Then save and close the file
Restart the service
systemctl restart sshd.service
8. Enable Firewall
The most important security measure to secure a server is to install, enable and
configure the firewall.
To install the firewall yum install firewalld
To check firewall status firewall-cmd --state
To start service systemctl start firewalld
To enable service systemctl enable firewalld
To get default firewall zone firewall-cmd --get-default-zone
To get a list of all available zones firewall-cmd --get-zones
To get active zones firewall-cmd --get-active-zones
To check configuration of all zones firewall-cmd --list-all-zones
To change default zone firewall-cmd --set-default-zone=home
To get a list of available services firewall-cmd --get-services
To allow HTTP port 80 traffic firewall-cmd --zone=home --add-service=http
To list allowed services firewall-cmd --zone=home --list-services
To remove a service firewall-cmd --zone=home --remove-service=http
To add a port firewall-cmd --zone=home --add-port=32400/tcp
To list all ports firewall-cmd --zone=home --list-ports
To remove a port firewall-cmd --zone=home --remove-port=32400/tcp
9. Enable SELinux
Security Enhanced Linux (SELinux) is an access control security measure.
To check the status of SELinux sestatus
To enable SELinux edit the configuration file vim /etc/selinux/config
Change the line SELINUX=disabled to SELINUX=enforcing
10. Turn off IPv6
The last security measure is to disable IPv6.
To turn off IPv6 edit the network configuration file vim /etc/sysconfig/network and set
NETWORKING_IPV6=no
IPV6INIT=no
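The configuration edits in steps 7, 9 and 10 are easy to leave half-applied (a commented-out default mistaken for a setting, or a keyword repeated in the file). The following script is an added example, not part of the original document, that reads the three files and reports whether each hardening step is actually in effect; it parses constructed sample files, and the real paths /etc/ssh/sshd_config, /etc/selinux/config and /etc/sysconfig/network can be passed in instead.

```shell
#!/bin/sh
# Added example (not from the original document): verify that the edits from
# steps 7, 9 and 10 are in effect. File paths are passed as arguments so the
# checks run against constructed samples as well as the real CentOS 7 files.

# Effective value of an sshd_config keyword. sshd uses the FIRST uncommented
# match and keyword names are case-insensitive; a commented "#PermitRootLogin yes"
# only documents the default, so it must not count. Prints "default" if unset.
# (Assumes the "Keyword value" form; the rarer "Keyword=value" form is not parsed.)
sshd_effective() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ { next }
    tolower($1) == key { print $2; found = 1; exit }
    END { if (!found) print "default" }' "$1"
}

# Step 7: root logins and password logins must both be off.
check_sshd() {
  [ "$(sshd_effective "$1" PermitRootLogin)" = no ] &&
  [ "$(sshd_effective "$1" PasswordAuthentication)" = no ]
}

# Last KEY=VALUE assignment in a shell-style file (the last one wins there).
kv_value() { sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1; }

# Step 9: SELinux must be enforcing; step 10: both IPv6 switches must be "no".
check_selinux() { [ "$(kv_value "$1" SELINUX)" = enforcing ]; }
check_ipv6_off() {
  [ "$(kv_value "$1" NETWORKING_IPV6)" = no ] && [ "$(kv_value "$1" IPV6INIT)" = no ]
}

# Constructed sample files showing a common half-applied state: the operator
# set PasswordAuthentication but left the commented root-login default in place.
demo() {
  d=$(mktemp -d)
  printf '#PermitRootLogin yes\nPasswordAuthentication no\n' > "$d/sshd_config"
  printf 'SELINUX=disabled\nSELINUX=enforcing\n' > "$d/selinux"
  printf 'NETWORKING_IPV6=no\nIPV6INIT=no\n' > "$d/network"
  check_sshd "$d/sshd_config" && echo "sshd: ok" || echo "sshd: root login still allowed"
  check_selinux "$d/selinux"  && echo "selinux: ok" || echo "selinux: not enforcing"
  check_ipv6_off "$d/network" && echo "ipv6: ok" || echo "ipv6: still enabled"
  rm -rf "$d"
}
demo
```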