October 25, 2017

CentOS Server Security | Steps to Configuring SELinux


If you're operating a website or blog on a shared hosting server and need the flexibility to tweak the OS or simply install additional daemons/software, then it's about time you switched to a Virtual Private Server (VPS). In a shared hosting environment you're a tenant sharing everything from OS configuration to bandwidth. That's like sharing the air conditioning (one setting for everyone) and the front door (one shared entrance for all guests). You're right, it can work, but let's face it, it's a nuisance. This type of environment hardly fosters growth or offers realistic security. Think about an intrusion, for example: on a shared hosting server every customer would be at risk.

Virtual Private Servers provide fully configurable hosting environments that allow individuals to install their own services (excluding the bloatware), configure their own settings and acquire dedicated bandwidth. The flip side of this type of service is that it is now up to you to manage and monitor your web server.

Now, let's take a look at some of the steps you will need to take to ensure that you have a healthy, secure and well-oiled web server.

Configuring SELinux instead of Turning it off

(setenforce 0 is bad for security)

Firstly, to see if SELinux is the culprit you can temporarily switch it to permissive mode with setenforce 0: denials are still written to the audit log but are no longer enforced. Once you have confirmed that SELinux is the cause, switch back with setenforce 1 and fix the policy as described in the steps below instead of leaving it off.

   1. SELinux: Allowing Apache to connect to MySQL on CentOS

# Stop the httpd service
service httpd stop

# -P writes the booleans to the policy store so they survive a reboot;
# without it the change is lost the next time the system starts.
# httpd_can_network_connect_db is enough for a database on another host;
# httpd_can_network_connect additionally lets httpd open any outbound TCP
# connection, so only enable it if the application really needs that.
setsebool -P httpd_can_network_connect 1
setsebool -P httpd_can_network_connect_db 1

# Start the httpd service
service httpd start


   2. SELinux: Allowing Apache to upload files

Configuring SELinux is important if you find that your upload directory has the correct permissions but you are still unable to upload files via your web application. The correct thing is to apply chmod -R 755 on the uploads directory as well as grant the Apache user access to the folder using chown -R apache:root.

# Set SELinux context. The pattern must not carry a slash before "(/.*)?",
# otherwise it only matches "/var/www/html//..." and no real path.
# httpd_sys_rw_content_t lets the web server write wherever it is applied,
# so narrow the pattern to the upload directory where you can.
semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html(/.*)?"

# Apply context to directory
restorecon -Rv "/var/www/html/ec5online/"

# Apache user needs rights to create files in the upload directory.
# Point this at the upload directory only; running it against "/" would
# grant apache write access to the whole filesystem.
setfacl -R -m u:apache:rwX /var/www/html/ec5online/


Security via TCP Wrappers (hosts.allow and hosts.deny)

On CentOS web servers one can selectively block or allow services via the hosts.deny and hosts.allow files, both of which are located under the /etc directory. TCP wrappers consult hosts.allow first, then hosts.deny; a client that matches neither file is allowed. (The tcp_wrappers library was dropped from CentOS/RHEL 8, so this applies to CentOS 7 and earlier.) It is important to note that you must be careful when editing these files, as you could potentially lock yourself out permanently.

CAUTION:

– ONLY restrict the SSHD service if you are connecting from a static IP address.
– ALWAYS update hosts.allow before hosts.deny (prevents lockout).
– RESTART the SSHD service after updating TCP wrappers (service sshd restart).

Restricting Services to a Specific IP via hosts.allow


sshd: 192.168.1.55
sshd: 67.89.21.55


Blocking Services via hosts.deny

# The name before the colon must be the daemon's process name (sshd, vsftpd, ...);
# a line whose name matches no running daemon has no effect. "ALL" is the wildcard.
sshd: all
ssh: all
ftp: all
smtp: all
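A dry run of the lockout rule above, as an added example that is not part of the original article: it replays the TCP wrappers lookup order (hosts.allow, then hosts.deny, otherwise allow) against a client address, so you can confirm your own static IP is still allowed before the files go live. It assumes POSIX sh with mktemp; the rule files are constructed copies of the entries above and 203.0.113.7 is a constructed stand-in for your own address.

```sh
# Added example, not from the original article: dry-run the TCP wrappers lookup
# (hosts.allow first, then hosts.deny, otherwise allow) against a client address
# before installing new rules. Handles ALL, exact IPv4 addresses and trailing-dot
# prefixes such as "192.168.1."; EXCEPT and hostname patterns are not handled.

# match_client PATTERN CLIENT -> exit 0 if PATTERN covers CLIENT
match_client() {
  case "$1" in
    ALL|all) return 0 ;;
    *.) case "$2" in "$1"*) return 0 ;; esac ;;
    *)  [ "$1" = "$2" ] && return 0 ;;
  esac
  return 1
}

# file_matches FILE DAEMON CLIENT -> exit 0 if a "daemons : clients" line matches
file_matches() {
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}                          # drop comments
    case "$line" in *:*) ;; *) continue ;; esac
    for svc in $(printf '%s' "${line%%:*}" | tr ',' ' '); do
      [ "$svc" = "$2" ] || [ "$svc" = ALL ] || [ "$svc" = all ] || continue
      for cl in $(printf '%s' "${line#*:}" | tr ',' ' '); do
        match_client "$cl" "$3" && return 0
      done
    done
  done < "$1"
  return 1
}

# tcpwrap_decision ALLOW_FILE DENY_FILE DAEMON CLIENT -> prints allow or deny
tcpwrap_decision() {
  if file_matches "$1" "$3" "$4"; then echo allow
  elif file_matches "$2" "$3" "$4"; then echo deny
  else echo allow
  fi
}

# Constructed copy of the article's rules; 203.0.113.7 stands in for your own address.
demo() {
  tmp=$(mktemp -d)
  printf 'sshd: 192.168.1.55\nsshd: 67.89.21.55\n' > "$tmp/hosts.allow"
  printf 'sshd: ALL\nftp: ALL\n' > "$tmp/hosts.deny"
  for ip in 192.168.1.55 203.0.113.7; do
    printf '%s sshd -> %s\n' "$ip" "$(tcpwrap_decision "$tmp/hosts.allow" "$tmp/hosts.deny" sshd "$ip")"
  done
  rm -rf "$tmp"
}
demo
```

If your own address prints "deny", fix hosts.allow before copying the files into /etc.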


Additional Services to Consider

– Fail2Ban
– LogWatch