As of June 30, 2024, the community support for "CentOS 7" will end (EOL), posing a significant challenge for many users. 

Of course, servers currently using CentOS 7 can still be used after the support ends, but various security risks accompany this, such as the lack of new security patches and updates from the community. This article introduces these security risks and temporary methods to maintain security.

※ This information is as of January 2024.

Increasing Security Risks and Information Security Governance

In the future, as patches and security updates for CentOS vulnerabilities will no longer be provided by the community, because of that the risk of becoming a target for cyber-attacks exploiting these vulnerabilities increases, along with the overall security risk. 

The stability of the system may decrease due to the lack of OS updates and maintenance, increasing the risk of unforeseen failures and complicating their resolution. 

Also, some companies may have specific information security governance policies that mandate enhanced security for certain systems.

Potential Security Risks

• Attacks exploiting unknown vulnerabilities (zero-days)

• Attacks exploiting known vulnerabilities

• Infections with malware or ransomware

• Service interruptions or system failures

• Loss of trust from customers and partners

Methods to Eliminate Security Risks

The surest way to avoid the security risks associated with the end of CentOS 7 support is to "migrate to an alternative Linux distribution" such as AlmaLinux or Red Hat Enterprise Linux (RHEL). 

Although migration from CentOS 7 to another Linux distribution requires knowledge, technical ability, and presents certain difficulties, it ensures ongoing provision of security patches and support.

However, when migrating from CentOS 7 to another Linux distribution, the following points must be considered:

Checking System Configuration and Usage

First, check the configuration and usage of the system to be migrated. By confirming the following points, you can understand the necessary tasks and risks for migration:

• Versions of software, middleware, and modules in use

• Settings and customizations of applications

• Dependencies with other systems

Consideration of Migration Schedule, Method, and Budget

The method of migration depends on the system configuration and usage, affecting the schedule, methods, and budget.

• Plan the migration schedule early: Migration requires a specific schedule, and it's challenging to respond immediately. Planning a schedule with some leeway allows for a smooth transition.

• Choose a migration method: Consider risks associated with system downtime and data migration, and conduct a risk assessment. Even with careful preparation, unexpected issues can occur during actual migration.

• Plan the budget for migration: Migration requires some effort and cost. If in-house migration is difficult, consider consulting with external IT vendors. Outsourcing migration to an external vendor can make the process safer and more efficient.

【Emergency Measures】Ways to Extend Life While Maintaining Security

As previously mentioned, the most optimal method is "migrating to an alternative Linux distribution". 

However, immediate action might not be possible due to organizational constraints. For instance, migration may involve dealing with dependencies on middleware versions like Apache, MySQL, and PHP, or require code modifications in customized applications, which may be challenging if the responsible personnel or IT vendors are not available.

Here we discuss temporary emergency measures to maintain security while CentOS 7 is unsupported.

*However, while these methods can reduce security risks to some extent, we hope that they can be viewed as temporary and stopgap measures.

Implement IPS/IDS security services

Introducing IPS/IDS into the server environment can help detect, block, or isolate unauthorized access and actions.

Our company, Beyond, also offers an IPS/IDS service called 'Trend Micro Cloud One (C1WS)', which features a function known as 'virtual patching'. This concept plays a critical role in protecting against security vulnerabilities. Furthermore, it can automatically apply signatures, allowing for optimal protection with minimal operational burden.

Introduce WAF security services

WAF (Web Application Firewall) is a security service specifically designed to protect internet protocols used in http (port 80) / https (port 443) connections, primarily focusing on the protection of websites and applications.

At our company, Beyond, we also offer a cloud-based WAF service called 'Scutum'. This service can protect websites and applications, particularly those that generate dynamic pages in response to requests, from various types of attacks, including SQL injection and cross-site scripting.

Request services from an MSP

Outsourcing server and infrastructure operations to an MSP (Managed Service Provider) offers continuous technical support, including system construction, operational maintenance, monitoring, system updates, security management, data backup, and recovery during system failures.

It's important to note that these methods can mitigate security risks to a certain extent but should be seen as temporary and emergency measures.

Conclusion

This article introduced the security risks of leaving CentOS 7 as is and methods to temporarily maintain security. Whether migrating to a new Linux distribution or maintaining and extending server environment security, specialized knowledge, skills, and experience are essential. If difficult to handle in-house, consider consulting with IT vendors or experts.

This blog post is translated from a blog post written by Ohara on our Japanese website Beyond Co..