Release Notes - CentOS 7 Overview
Posted by on 14 May 2015 04:37 PM
Applicable Plans - All CentOS 7 Server Plans
CentOS 7 Overview
CentOS 7 is the latest version of the Community ENTerprise Operating System, which is compiled from the upstream sources of Red Hat Enterprise Linux (RHEL). CentOS aims to be functionally compatible with Red Hat Enterprise Linux, minus the Red Hat branding and logos. CentOS Linux is open source and available free of charge.
CentOS 7 has several changes and improvements over previous versions of CentOS. There are changes from the vendor (Red Hat and CentOS) and also security improvements from eApps Hosting. The full Release Notes for CentOS 7 are available here - Release Notes.
NOTE - due to licensing issues, many of the links to vendor specific information will point to the original Red Hat Enterprise Linux (RHEL) source documentation.
Vendor Changes for CentOS 7
Vendor changes for CentOS 7 include the following:
Security Improvements for CentOS 7
With CentOS 7, eApps has implemented some security improvements that will help provide a more secure environment for your server. These improvements consist of two tools: the eApps Security Package and Fail2ban.
eApps Security Package
The eApps Security Package consists of two parts: a cron job that runs every day to check for security updates, and an iptables security script that only allows firewall (iptables) connections for ports that are actually in use by an application.
NOTE - the iptables security script is only available on servers WITHOUT a built-in Control Panel. For example, if your server template uses the ISPmanager, Plesk, or cPanel/WHM control panels, then the security script is not enabled and you will use the tools built-in to those Control Panels to manage the security of your server. However, the cron update will still run on ALL CentOS 7 servers.
eApps Installed cron Script for Critical Security Updates
All servers running a CentOS 7 OS template have an eApps installed cron script called eapps-security.cron. This cron script will run on on all CentOS 7 servers, whether they have a built-in Control Panel or not. The purpose of the script is to install critical security updates that are deemed necessary by the eApps technical department.
This cron script will run every night to check for critical security updates that have been staged by eApps. The cron script will not automatically apply available updates. It is used only in those situations where a patch to a critical security vulnerability is required to protect your server and the eApps network.
As an example, here is how the cron script might be used: If an exploit is discovered for an application offered by eApps, and eApps makes the determination that the exploit poses a significant threat, the fix for the exploit will be tested to ensure that it can be safely installed. The fix will then be placed in the eApps Security Package. When the cron script runs it will find that fix and update the vulnerable application.
To view the cron script for the eApps Security Package, run the
NOTE: Please do not disable this cron script, it is important for the security of your server. Also, this cron script will not perform regular software updates. You are responsible for the security of the software you use on your server.
eApps Security Package iptables Security Script
The iptables security script is an iptables configuration utility that only opens a default set of ports for commonly used applications and services. If you add applications, such as Tomcat or WildFly, then the iptables security script will open the firewall ports for those applications, and update the existing iptables rules for the new ports. This security script is only available on servers without a built-in Control Panel.
The default iptables security configuration is found in the /etc/sysconfig/iptables files. The default rules are between these lines:
Manual iptables Security Script Configuration
You can also use the iptables Configuration Tool that is part of the iptables Security Script to manually add or remove iptables entries. This will allow you to manage the security for custom applications or services.
To see the options for the iptables Configuration Tool, connect to the server using SSH, and as the root user, run the
For example, if you wanted to manually add the port for the MariaDB or MySQL database (3306) to iptables, you would use the following command:
And if you wanted to remove the port for the PostgreSQL database (5432) from iptables, you would use the following command:
Removing the eApps Security Package
This will disable the cron task and remove the iptables Configuration Tool, but will leave any existing iptables rules in place. To disable iptables run the
If you would like to put the default CentOS 7 iptables configuration back in place, copy the /etc/sysconfig/iptables-centos.default file to /etc/sysconfig/iptables and restart (and if necessary enable) the iptables service.
Security for CentOS 7 Templates with a Control Panel
If your server template includes a built-in Control Panel, such as ISPmanager, cPanel/WHM, or Plesk, then you will use the existing tools in the Control Panel to manage security. The eApps Security Package cron updates will be available to you, but the iptables Security Script will not.
Fail2ban is an application that scans log files, and bans IP addresses that show signs of attempting to gain unauthorized access to the server. For CentOS 7, eApps has configured Fail2ban to scan the log files for SSH, FTP, and e-mail services. More information about Fail2ban can be found here - Fail2ban Main Page.
Fail2ban is included in your server because it provides an extra level of local security in addition to the eApps network-level Intrusion Detection systems.
You can make changes by modifying the Fail2ban configuration then restarting the service. How you manage the Fail2ban configuration will depend on which template you have installed.