Applicable Plans - All CentOS 7 Server Plans

CentOS 7 Overview

Overview

CentOS 7 is the latest version of the Community ENTerprise Operating System, which is compiled from the upstream sources of Red Hat Enterprise Linux (RHEL). CentOS aims to be functionally compatible with Red Hat Enterprise Linux, minus the Red Hat branding and logos. CentOS Linux is open source and available free of charge.

CentOS 7 has several changes and improvements over previous versions of CentOS. There are changes from the vendor (Red Hat and CentOS) and also security improvements from eApps Hosting. The full Release Notes for CentOS 7 are available here - Release Notes.

NOTE - due to licensing issues, many of the links to vendor specific information will point to the original Red Hat Enterprise Linux (RHEL) source documentation.

Vendor Changes for CentOS 7

Vendor changes for CentOS 7 include the following:

• No 32-bit version - CentOS 7 is only available as a 64-bit operating system. There are some tools and libraries available to run 32-bit applications. More information can be found here - Are 32-bit applications supported in RHEL 7?.

• New Linux Kernel - CentOS 7 includes kernel version 3.10, which includes a number of new features. More information can be found here - Kernel

• systemd (SysV replacement) - The systemd system and service manager replaces the SysV and Upstart applications. An overview of systemd can be found here - Systems and Services - systemd. A list of the new systemctl commands and the service and chkconfig commands they are replacing can be found here - Managing System Services.

• Apache HTTP Server 2.4 - CentOS 7 includes the Apache HTTP Server version 2.4. New features in Apache HTTP 2.4 include improved asynchronous request processing, native FastCGI support in mod_proxy, and support for embedded Lua scripting. More information about the new features in Apache HTTP 2.4 can be found here - New features overview, and the complete ChangeLog for Apache 2.4 and all point releases can be found here - Changes with Apache 2.4.

• MariaDB - MariaDB replaces MySQL in CentOS 7. MariaDB is a fork of the MySQL database server, created by the original author of MySQL. MariaDB is a drop-in replacement for MySQL, and adds additional features such as enhanced replication, Aria and XtraDB storage engines, and a non-blocking client API library. More information about MariaDB can be found here - About MariaDB.

  eApps offers both MariaDB and MySQL CentOS 7 templates. The MariaDB templates will include packages from the CentOS 7 Base yum repository, and the MySQL templates will include packages from the MySQL Community yum repository.

Security Improvements for CentOS 7

With CentOS 7, eApps has implemented some security improvements that will help provide a more secure environment for your server. These improvements consist of two tools: the eApps Security Package and Fail2ban.

eApps Security Package

The eApps Security Package consists of two parts: a cron job that runs every day to check for security updates, and an iptables security script that only allows firewall (iptables) connections for ports that are actually in use by an application.

NOTE - the iptables security script is only available on servers WITHOUT a built-in Control Panel. For example, if your server template uses the ISPmanager, Plesk, or cPanel/WHM control panels, then the security script is not enabled and you will use the tools built-in to those Control Panels to manage the security of your server. However, the cron update will still run on ALL CentOS 7 servers.

eApps Installed cron Script for Critical Security Updates

All servers running a CentOS 7 OS template have an eApps installed cron script called eapps-security.cron. This cron script will run on on all CentOS 7 servers, whether they have a built-in Control Panel or not. The purpose of the script is to install critical security updates that are deemed necessary by the eApps technical department.

This cron script will run every night to check for critical security updates that have been staged by eApps. The cron script will not automatically apply available updates. It is used only in those situations where a patch to a critical security vulnerability is required to protect your server and the eApps network.

As an example, here is how the cron script might be used: If an exploit is discovered for an application offered by eApps, and eApps makes the determination that the exploit poses a significant threat, the fix for the exploit will be tested to ensure that it can be safely installed. The fix will then be placed in the eApps Security Package. When the cron script runs it will find that fix and update the vulnerable application.

To view the cron script for the eApps Security Package, run the crontab -l command as the root user, or view the /var/spool/cron/root file.

NOTE: Please do not disable this cron script, it is important for the security of your server. Also, this cron script will not perform regular software updates. You are responsible for the security of the software you use on your server.

eApps Security Package iptables Security Script

The iptables security script is an iptables configuration utility that only opens a default set of ports for commonly used applications and services. If you add applications, such as Tomcat or WildFly, then the iptables security script will open the firewall ports for those applications, and update the existing iptables rules for the new ports. This security script is only available on servers without a built-in Control Panel.

The default iptables security configuration is found in the /etc/sysconfig/iptables files. The default rules are between these lines: ## FWIABF - DO NOT REMOVE - ACCEPT BEFORE ## and ## FWIABF - DO NOT REMOVE - ACCEPT AFTER ##. These lines must be kept in place and as-is for the iptables Security Script to work correctly.

Manual iptables Security Script Configuration

You can also use the iptables Configuration Tool that is part of the iptables Security Script to manually add or remove iptables entries. This will allow you to manage the security for custom applications or services.

To see the options for the iptables Configuration Tool, connect to the server using SSH, and as the root user, run the /usr/local/bin/eapps-security_ipt_update.pl --help command:

[root@eapps-example ~]# /usr/local/bin/eapps-security_ipt_update.pl --help
Options:
-d | direction ( only inbound currently )
-m | method ( add or remove )
-p | port ( port number
-t | tcp ( 0 or 1 )
-u | udp ( 0 or 1 )
-x | udp ( only accept currently )

For example, if you wanted to manually add the port for the MariaDB or MySQL database (3306) to iptables, you would use the following command:

/usr/local/bin/eapps-security_ipt_update.pl -d "inbound" -m "add" -p "3306" -t "1" -u "0" -x "accept" && /bin/systemctl restart iptables (make sure the command is all on one line).

[root@eapps-example ~]# /usr/local/bin/eapps-security_ipt_update.pl -d "inbound" -m "add" -p "3306" -t "1" -u "0" -x "accept" && /bin/systemctl restart iptables

And if you wanted to remove the port for the PostgreSQL database (5432) from iptables, you would use the following command:

/usr/local/bin/eapps-security_ipt_update.pl -d "inbound" -m "remove" -p "5432" -t "1" -u "0" -x "accept" && /bin/systemctl restart iptables (make sure the command is all on one line).

[root@eapps-example ~]# /usr/local/bin/eapps-security_ipt_update.pl -d "inbound" -m "remove" -p "5432" -t "1" -u "0" -x "accept" && /bin/systemctl restart iptables

Removing the eApps Security Package

WARNING: We strongly recommend that you do not remove or disable the eapps-security.cron script. Doing so will expose your server to risks in the event that a patch is needed for a critical security vulnerability.

You can remove the eApps Security Package using the yum remove -y eapps-security command:

[root@eapps-example ~]# yum remove -y eapps-security

This will disable the cron task and remove the iptables Configuration Tool, but will leave any existing iptables rules in place. To disable iptables run the systemctl stop iptables and systemctl disable iptables commands:

[root@eapps-example ~]# systemctl stop iptables
[root@eapps-example ~]# systemctl disable iptables

If you would like to put the default CentOS 7 iptables configuration back in place, copy the /etc/sysconfig/iptables-centos.default file to /etc/sysconfig/iptables and restart (and if necessary enable) the iptables service.

Security for CentOS 7 Templates with a Control Panel

If your server template includes a built-in Control Panel, such as ISPmanager, cPanel/WHM, or Plesk, then you will use the existing tools in the Control Panel to manage security. The eApps Security Package cron updates will be available to you, but the iptables Security Script will not.

• For templates using ISPmanager, see the ISPmanager 5 Firewall rule settings documentation - Firewall rule settings

• For templates using cPanel/WHM, see the cPanel/WHM Firewall configuration guide - Firewall Configuration

• For templates using Plesk, see the Plesk Firewall Setup Guide - Setting Up Firewall

Fail2ban

Fail2ban is an application that scans log files, and bans IP addresses that show signs of attempting to gain unauthorized access to the server. For CentOS 7, eApps has configured Fail2ban to scan the log files for SSH, FTP, and e-mail services. More information about Fail2ban can be found here - Fail2ban Main Page.

Fail2ban is included in your server because it provides an extra level of local security in addition to the eApps network-level Intrusion Detection systems.

Modifying Fail2ban

You can make changes by modifying the Fail2ban configuration then restarting the service. How you manage the Fail2ban configuration will depend on which template you have installed.

• If you have a CentOS 7 template with the ISPmanager Control Panel, cPanel/WHM Hosting Control Panel, or with no Control Panel, your Fail2ban configuration is located in /etc/fail2ban/jail.local. Please see the official Fail2ban documentation for more information - Fail2ban Documentation.

• If you are using a CentOS 7 template with the Plesk Control Panel, you will configure and manage Fail2ban from the Plesk UI. Please see the official Plesk documentation for more information - Plesk Fail2ban Configuration.