How to Secure a CentOS Server: 15 Essential Hardening Techniques (CentOS Stream 9/10 – 2026)

March 7, 2026

Below is a concise, production-focused list of the most impactful hardening measures for CentOS Stream servers. Emphasis is placed on rationale, correct modern defaults, and practical trade-offs rather than repeating long command blocks.

  1. Automatic Security-Only Updates: Use dnf-automatic with upgrade_type = security to apply security fixes (CVE errata) without risking feature breakage. Combine with monitoring for reboot-required kernel patches (e.g. needs-restarting -r).
  2. firewalld – Default Drop Zone + Minimal Allow Rules: Set the default zone to drop or internal. Only open explicitly needed services (ssh, http/https, plus any custom ports your workload actually requires). Avoid broad --add-port rules.
  3. SSH – Key-Only Authentication + Restrictive Config: Disable PasswordAuthentication, PermitRootLogin and ChallengeResponseAuthentication. Set MaxAuthTries 3, LoginGraceTime 20, ClientAliveInterval 300, ClientAliveCountMax 0. Move SSH to a non-standard port only if you also use fail2ban (a port change alone adds almost no security).
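The directives above are only effective if sshd actually reads them first: sshd applies the first value it encounters for a keyword, and the stock /etc/ssh/sshd_config on CentOS Stream 9/10 opens with an Include of /etc/ssh/sshd_config.d/*.conf, so a drop-in there overrides the main file (and a stray permissive drop-in overrides everything else). The script below is an added example, not part of the article: it reproduces that first-match rule and audits a configuration against the item 3 policy. Two deliberate differences from the list are worth knowing: on the OpenSSH versions these releases ship, ChallengeResponseAuthentication is a deprecated alias for KbdInteractiveAuthentication, so the check uses the current name; and since OpenSSH 8.2 a ClientAliveCountMax of 0 disables the idle disconnect instead of forcing it, so the sample drop-in uses 3 and the check leaves that key out. The sample configuration text and its file paths are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the article): audit an sshd configuration against the
# item 3 policy, honouring sshd's rule that the FIRST value read for a keyword
# wins. Works on a file's text or on the live daemon's view ("sshd -T").

# Print the effective global value of keyword $2 in configuration text $1.
# Keywords are case-insensitive, "Key value" and "Key=value" are both accepted,
# and parsing stops at the first Match block because values there are conditional.
sshd_effective() {
    printf '%s\n' "$1" | awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        {
            sub(/^[ \t]+/, "")
            split($0, f, /[ \t=]+/)
            k = tolower(f[1])
            if (k == "match") exit               # global section ends here
            if (k == want) { print f[2]; exit }  # first occurrence wins
        }'
}

# Compare effective values with the policy below. Prints one FAIL line per
# deviation and returns 1 if anything is wrong. An unset directive also fails:
# rely on explicit settings, not compiled-in defaults (PasswordAuthentication
# defaults to yes, for instance).
audit_sshd() {
    config="$1"; rc=0
    while read -r key expected; do
        actual=$(sshd_effective "$config" "$key")
        if [ "$actual" != "$expected" ]; then
            printf 'FAIL %-30s expected %-4s got %s\n' "$key" "$expected" "${actual:-<unset>}"
            rc=1
        fi
    done <<'EOF'
PasswordAuthentication no
PermitRootLogin no
KbdInteractiveAuthentication no
MaxAuthTries 3
LoginGraceTime 20
ClientAliveInterval 300
EOF
    return $rc
}

# Constructed sample, in the order sshd reads it: the hardening drop-in from
# sshd_config.d first, then the remainder of the distribution's main file,
# whose "PasswordAuthentication yes" is now overridden.
SAMPLE_CONFIG='# /etc/ssh/sshd_config.d/50-hardening.conf
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
MaxAuthTries 3
LoginGraceTime 20
ClientAliveInterval 300
ClientAliveCountMax 3

# /etc/ssh/sshd_config, read after the Include
PasswordAuthentication yes
Subsystem sftp /usr/libexec/openssh/sftp-server
Match User backup
    PasswordAuthentication yes'

# Constructed sample of the same host before the drop-in existed.
UNHARDENED_CONFIG='PermitRootLogin yes
Subsystem sftp /usr/libexec/openssh/sftp-server'

if audit_sshd "$SAMPLE_CONFIG"; then echo "sshd policy: OK"; fi
audit_sshd "$UNHARDENED_CONFIG" || echo "sshd policy: deviations found"
```

On a live host, feed the daemon's own view rather than the file: `audit_sshd "$(sshd -T)"` (root required). `sshd -T` prints the effective lowercase keyword/value pairs after resolving every Include, and fails on a syntax error, so it doubles as the validation step before `systemctl reload sshd`.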
  4. Password & Account Policies (PAM + login.defs): Enforce ≥12 characters with mixed case, digits and special characters via pwquality.conf. Set PASS_MAX_DAYS 90, PASS_MIN_DAYS 7, and lock accounts after 5 failed attempts (pam_faillock).
  5. SELinux – Stay Enforcing, Understand Booleans: Never set it to permissive or disabled in production. Learn the essential booleans: httpd_can_network_connect, httpd_unified, use_nfs_home_dirs, etc. Use semanage fcontext + restorecon religiously after moving files.
  6. Principle of Least Privilege – Non-root sudo Account: Create a dedicated admin user in the wheel group. Use sudo with Defaults env_reset, Defaults secure_path, and per-user command whitelisting where possible.
  7. Fail2Ban or CrowdSec – Active Brute-Force Protection: Protect SSH + web services (Apache/nginx). Prefer CrowdSec in 2026 for better multi-service ban lists and bouncer integration (nftables/firewalld).
  8. Remove or Mask Unnecessary Daemons: Common candidates: avahi-daemon, cups, postfix (if not sending mail), bluetooth, ModemManager. systemctl mask is stronger than disable when removing the package is not desired.
  9. Sysctl Hardening (CIS / NSA / Red Hat aligned): Critical settings:
    • net.ipv4.conf.all.{accept,send}_redirects = 0
    • net.ipv4.tcp_syncookies = 1
    • net.ipv4.icmp_echo_ignore_broadcasts = 1
    • kernel.yama.ptrace_scope = 1 or 2
    • kernel.kptr_restrict = 2, kernel.dmesg_restrict = 1
    • fs.protected_{hardlinks,symlinks} = 1
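Writing the settings is the easy half; the kernel value can still differ from the file because a vendor file in /usr/lib/sysctl.d or a later drop-in set it again, or because a module (Yama) is not loaded. The script below is an added example, not from the article: it turns item 9 into a sysctl.d policy and checks the running values as printed by `sysctl -a` against it. The brace notation in the list is shorthand, so the policy spells out one key per line, and the `.default` variants are added so interfaces created after boot inherit the redirect settings. The `sysctl -a` excerpts are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the article): a sysctl.d policy built from item 9 plus
# a drift check against the running kernel. Files in /etc/sysctl.d are applied
# after /usr/lib/sysctl.d and in lexical order, so the 99- prefix makes this
# file win. Comments must sit on their own lines: sysctl does not strip
# trailing comments from values.
POLICY='# /etc/sysctl.d/99-hardening.conf  (apply with: sysctl --system)
# .default variants cover interfaces created after boot
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
# 1 = a process may only trace its descendants; 2 = CAP_SYS_PTRACE holders only
kernel.yama.ptrace_scope = 1
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
fs.protected_hardlinks = 1
fs.protected_symlinks = 1'

# Read "key = value" lines from policy $1, look each key up in $2 (the text
# printed by "sysctl -a"), print one DRIFT line per mismatch or missing key,
# and return 1 if anything drifted.
sysctl_drift() {
    policy="$1"; current="$2"; rc=0
    while IFS= read -r line; do
        line=${line%%#*}                         # drop comment lines
        case $line in *=*) ;; *) continue ;; esac
        key=$(printf '%s' "${line%%=*}" | tr -d ' \t')
        want=$(printf '%s' "${line#*=}" | tr -d ' \t')
        have=$(printf '%s\n' "$current" |
               awk -F'[ \t]*=[ \t]*' -v k="$key" '$1 == k { print $2; exit }')
        if [ "$have" != "$want" ]; then
            printf 'DRIFT %-42s want %s have %s\n' "$key" "$want" "${have:-<missing>}"
            rc=1
        fi
    done <<EOF
$policy
EOF
    return $rc
}

# Constructed "sysctl -a" excerpt from a compliant host.
CURRENT_OK='fs.protected_hardlinks = 1
fs.protected_symlinks = 1
kernel.dmesg_restrict = 1
kernel.kptr_restrict = 2
kernel.printk = 7 4 1 7
kernel.yama.ptrace_scope = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_syncookies = 1'

# Constructed excerpt from a host where two values were overridden after the
# policy was written and the Yama key is absent (LSM not active).
CURRENT_DRIFT='fs.protected_hardlinks = 0
fs.protected_symlinks = 1
kernel.dmesg_restrict = 1
kernel.kptr_restrict = 1
kernel.printk = 7 4 1 7
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_syncookies = 1'

if sysctl_drift "$POLICY" "$CURRENT_OK"; then echo "sysctl policy: OK"; fi
sysctl_drift "$POLICY" "$CURRENT_DRIFT" || echo "sysctl policy: drift found"
```

On a real host run `sysctl_drift "$POLICY" "$(sysctl -a 2>/dev/null)"` after `sysctl --system`, and again from a timer or your monitoring agent: a setting that silently reverts after a package update is exactly the kind of drift a baseline check is for.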
  10. Umask 027 + Strict File Permissions: Global umask 027 for services. Sensitive directories/files: 750 / 640 or stricter. Regularly audit with find / -perm -o+w, excluding expected locations.
  11. AIDE or Tripwire-style File Integrity Monitoring: Initialize the AIDE database after baseline setup. Schedule a daily --check with email/reporting. Consider OSSEC or Wazuh agents for real-time alerting.
  12. auditd – Focused Ruleset: Monitor at minimum: /etc/{passwd,shadow,group,gshadow}, sudoers, SSH keys, web root write access, kernel module loading. Avoid flooding logs; use -a never,exit sparingly.
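A rules file covering item 12's minimum set, added here as an example rather than taken from the article. The admin home directory (/home/admin), the web root (/var/www) and the daemon path in the exclusion are assumptions to replace with your own. Rules are evaluated in order and the first match wins, so the `-a never,exit` exclusion has to come before the `always` rules it is meant to quiet. Load with `augenrules --load`, confirm with `auditctl -l`, and query by key with `ausearch -k identity`.

```text
## /etc/audit/rules.d/50-hardening.rules  (added example, not the article's own)

## Noise control first: "never" rules only suppress events for the rules that
## follow them. Each exclusion is a blind spot, so keep this list short.
## The executable path is a placeholder.
-a never,exit -F arch=b64 -S all -F exe=/usr/sbin/example-noisy-daemon -k noise

## Identity and privilege files: writes and attribute changes
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/sudoers -p wa -k privilege
-w /etc/sudoers.d/ -p wa -k privilege

## SSH daemon configuration and the admin user's keys (home path assumed)
-w /etc/ssh/sshd_config -p wa -k sshd
-w /etc/ssh/sshd_config.d/ -p wa -k sshd
-w /home/admin/.ssh/ -p wa -k ssh_keys

## Writes into the web root (path assumed): a static site should never change
## outside of a deployment window
-w /var/www/ -p wa -k webroot

## Kernel module loading, via the syscalls and the usual front-end binaries
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -k modules
-w /usr/sbin/insmod -p x -k modules
-w /usr/sbin/modprobe -p x -k modules
```

Every rule carries a key, which is what makes the ruleset usable in practice: an alert pipeline can match on `key=identity` or `key=modules` instead of parsing paths, and `ausearch -k webroot -ts today` answers the question "did anything write to the site outside the deploy" without further filtering.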
  13. Disable Core Dumps & ptrace: ulimit -c 0 everywhere plus * hard core 0 in limits.conf; kernel.core_pattern = |/bin/false or empty.
  14. AppArmor / seccomp / Landlock for Containers & Critical Services: Even on bare metal, apply seccomp filters to high-risk daemons (e.g. via systemd SystemCallFilter=). For container hosts: podman with --security-opt seccomp=/path/to/profile.json.
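CentOS Stream ships SELinux rather than AppArmor, so on this platform the per-service sandbox that complements SELinux is systemd's own: the drop-in below is an added example, not from the article, showing what "SystemCallFilter= for a high-risk daemon" looks like in full. `example-api.service` is an assumed unit that already runs under a non-root `User=`; the paths are placeholders. Start from `systemd-analyze security example-api.service`, which scores the unit and names every missing restriction, then apply with `systemctl daemon-reload && systemctl restart example-api.service` and re-check the score.

```ini
# /etc/systemd/system/example-api.service.d/hardening.conf
# Added example (not the article's own). Unit name and paths are assumptions.
[Service]
# Allow-list the syscalls a normal service needs; everything else is denied.
SystemCallFilter=@system-service
# A second line prefixed with ~ removes groups from that allow-list.
SystemCallFilter=~@privileged @obsolete
# Denied calls fail with EPERM instead of killing the process with SIGSYS,
# so a missing syscall shows up as an application error you can read.
SystemCallErrorNumber=EPERM
# Block 32-bit compatibility syscalls on an x86_64 host.
SystemCallArchitectures=native
# During tuning, log anything outside the allow-list to the audit log, then
# remove this line once the filter is known to be complete.
#SystemCallLog=~@system-service

# Privilege and filesystem containment alongside the filter.
NoNewPrivileges=yes
CapabilityBoundingSet=
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
# With ProtectSystem=strict the whole tree is read-only; list the exceptions.
ReadWritePaths=/var/lib/example-api /var/log/example-api
```

Two options here regularly break real services and are worth testing on purpose: `MemoryDenyWriteExecute=yes` stops anything with a JIT (some language runtimes), and an empty `CapabilityBoundingSet=` assumes the service binds to ports above 1023 or receives its socket from systemd. The point of `SystemCallErrorNumber=EPERM` is that both failures surface as clear errors in the journal rather than as an unexplained kill.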
  15. Centralized Logging + Active Monitoring: Forward logs to a remote rsyslog / journald endpoint and on into Graylog / Loki / ELK. Deploy lightweight agents: Prometheus node_exporter + Alertmanager, or Falco for runtime syscall monitoring.

Quick Prioritization for Most Environments (2026)

Must-do (Day 1) → 1, 2, 3, 5, 6, 7, 9

High value / low effort (Week 1) → 4, 8, 10, 13

Defense-in-depth (Ongoing) → 11, 12, 14, 15

Recommended Validation Tools

  • lynis audit system (very good scoring & advice)
  • OpenSCAP with RHEL 9 profile (oscap xccdf eval)
  • inspec or goss for automated compliance checks
  • nmap --script safe (plus the vulners script) run from an external scanner

Focus first on reducing attack surface and credential exposure, then add detection & response layers. Most breaches still succeed via weak SSH credentials, unpatched services, or overly permissive firewall rules — fix those before chasing exotic kernel exploits.

Let me know your primary workload (web, database, container host, mail…) for more role-specific hardening advice.

© 2026 Server.HK | Hosting Limited, Hong Kong | Company Registration No. 77008912