
Initial configuration and protection of the VPS server on CentOS 7

After you have installed your VPS server on CentOS 7, it is extremely important to perform several additional steps to configure the server and protect it from various attacks. In this article, I will cover the steps that I consider most important for creating a fully functional and secure VPS server.

Step # 1: Change the password for the account – root

After a new VPS server is created, you are given a password for the superuser root. Immediately after connecting to your server via SSH, you need to change it: very often the issued password is weak enough to be recovered by brute force.

Set a new password for root.

$ passwd

Step # 2: Create a new user

Initially, after installing CentOS (as with other Linux distributions), only the root user is available. The root superuser is the system administrator account and has the maximum privileges in the system. Because of these capabilities, it is recommended to use the root account only in special cases: working as root all the time makes it easy to accidentally perform destructive and irreversible actions that will be very difficult to undo.

For this reason, the server administrator creates a new user to whom part of the root privileges are delegated. Below we look at the process of creating and setting up a new user account on the system.

Create a new account, from under which we will always work on the server.

$ adduser username

Add a password to log in.

$ passwd username

If you suddenly forget the password, you can set the new password with the same command, and the old password will be reset.

In order for a new user to install software packages and edit system files, it is necessary to delegate the superuser authority to him.

You can do this by adding an account to the superuser group wheel.

$ gpasswd -a username wheel

Now the new user username can execute commands on behalf of root using the program sudo.

To switch to a new user account, use the su command:

$ su -l username

Step # 3: Enabling the firewall on CentOS 7

To protect against unwanted external connections to our server, you must install and enable the firewall.

Install the firewall service:

$ sudo yum install firewalld

Enable the firewall and add it to the list of services for autorun when restarting the system:

$ sudo systemctl start firewalld
$ sudo systemctl enable firewalld

Step # 4: Configuring SSH Configuration

Because a large number of brute-force programs are running around the world, picking passwords for the root user day and night, there is a high probability that your VPS will also be targeted. In this case, a reasonable solution is to prohibit the root user from connecting over SSH.

Open the configuration file – /etc/ssh/sshd_config:

$ sudo vi /etc/ssh/sshd_config

Change the value of the directive PermitRootLogin.

#PermitRootLogin yes
PermitRootLogin no

If you are not an experienced Linux user and your host does not provide you with a VNC panel, it is not recommended to forbid root access over SSH: if a critical error occurs that can only be fixed from the root account, you will not be able to do anything.

Also, change the standard SSH port number, because it is on the standard port 22 that the brute-force programs "knock".

All ports can be divided into three groups:

  • 0 – 1023 – well-known ports, also refer to system ports;
  • 1024 – 49151 – registered ports, also refer to user ports;
  • 49152 – 65535 – dynamic ports, also refer to private ports.

First, select the port number on which SSH will listen. It is recommended to choose a port in the range 49152 – 65535. Before choosing a port, check whether it is already occupied by another service. As an example, I will select port number 63356.

Let’s check the busyness of port 63356 with the following command:

$ grep 63356/tcp /etc/services

If the command produces no output, this indicates that the port is free. Otherwise, the output will show the name of the service that has already occupied the selected port.
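The /etc/services lookup above only tells you whether a name is registered for the port; it says nothing about what is actually bound on the server. The following script is an added example, not code from the original article: it combines the range rule, the /etc/services lookup and a parse of "ss -lntu" output into one check, and the same port_listening function serves the verification later in this step ("Make sure that the added port is listening"). The services file and the ss output are passed in explicitly, and the sample data at the bottom is constructed (the ss lines mirror the article's output after sshd has moved to port 63356).

```shell
#!/bin/sh
# Added example, not from the original article: deciding whether a candidate
# SSH port is usable, and later verifying that sshd really listens on it.
# The services file and the "ss -lntu" output are passed in explicitly so the
# checks run here on constructed sample data instead of the live system.

# Return 0 if PORT is a number in the dynamic/private range the article recommends.
port_in_dynamic_range() {
    port=$1
    case $port in
        ''|*[!0-9]*) return 1 ;;        # empty or not purely numeric
    esac
    [ "$port" -ge 49152 ] && [ "$port" -le 65535 ]
}

# Print the service name registered for PORT/tcp in SERVICES_FILE (same format
# as /etc/services). This is only a name registry: it does not tell you what
# is actually listening, which is why port_listening exists as well.
registered_service() {
    port=$1 services_file=$2
    awk -v want="$port/tcp" '$1 !~ /^#/ && $2 == want { print $1; exit }' "$services_file"
}

# Return 0 if PORT has a listening TCP or bound UDP socket in "ss -lntu" output
# read from stdin; the local address is the 5th column (*:63356, :::63356, ...).
port_listening() {
    awk -v port="$1" '
        $1 == "tcp" || $1 == "udp" {
            n = split($5, a, ":")
            if (a[n] == port) { found = 1; exit }
        }
        END { exit !found }'
}

# Run all three checks; print a one-line verdict and return 0 only if PORT is usable.
check_ssh_port() {
    port=$1 services_file=$2 ss_output=$3
    if ! port_in_dynamic_range "$port"; then
        echo "port $port: not in the 49152-65535 range"; return 1
    fi
    name=$(registered_service "$port" "$services_file")
    if [ -n "$name" ]; then
        echo "port $port: registered in $services_file as '$name'"; return 1
    fi
    if port_listening "$port" < "$ss_output"; then
        echo "port $port: already has a listening socket"; return 1
    fi
    echo "port $port: free"
}

# Constructed sample data standing in for /etc/services and "ss -lntu" output.
SAMPLE_SERVICES=$(mktemp)
SAMPLE_SS=$(mktemp)
trap 'rm -f "$SAMPLE_SERVICES" "$SAMPLE_SS"' EXIT
cat > "$SAMPLE_SERVICES" <<'EOF'
# constructed excerpt of /etc/services
ssh             22/tcp
http            80/tcp
sample-svc      50000/tcp
EOF
cat > "$SAMPLE_SS" <<'EOF'
Netid  State      Recv-Q Send-Q Local Address:Port    Peer Address:Port
tcp    LISTEN     0      128       *:22                    *:*
tcp    LISTEN     0      128       *:63356                 *:*
tcp    LISTEN     0      128      :::63356                :::*
udp    UNCONN     0      0         *:68                    *:*
EOF

# Demo: 22 fails the range check, 50000 is registered, 63356 is already bound
# (what you want to see after the restart), 55555 is free.
for p in 22 50000 63356 55555; do
    check_ssh_port "$p" "$SAMPLE_SERVICES" "$SAMPLE_SS" || :
done
# On the live system: ss -lntu | port_listening 63356 && echo "sshd is up on 63356"
```

Run the check with the real files before editing sshd_config (check_ssh_port 63356 /etc/services <(ss -lntu) in bash, or save the ss output to a file first under plain sh), and run the live ss pipeline from the last comment after the restart.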

Now, in the file /etc/ssh/sshd_config, change the value of the Port directive:

#Port 22
Port 63356
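Both edits in this step (PermitRootLogin and Port) can be made from a script instead of by hand in vi. The following is an added example, not code from the original article. It relies on a property of sshd's configuration parser: the first active occurrence of a directive is the one that counts, and anything after the first Match line is conditional. So an existing active line in the global section is replaced in place, later duplicates there are commented out, and when no active line exists the directive is inserted at the top of the file rather than appended (appending could put it inside a trailing Match block). The config path is passed in as a parameter, and the demo runs on a constructed copy, not on /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not from the original article: set an sshd_config directive
# so that the value sshd actually uses is the one you intended.
# Assumption: FILE is passed in, so the demo works on a constructed copy.

set_sshd_directive() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    # Directive names are matched exactly as written (sshd itself is
    # case-insensitive, so keep the canonical spelling, e.g. PermitRootLogin).
    awk -v key="$key" -v value="$value" '
        $1 == "Match" { in_match = 1 }          # conditional section: leave it untouched
        !in_match && $1 == key && !done { print key " " value; done = 1; next }  # first active line: replace
        !in_match && $1 == key          { print "#" $0; next }                   # later duplicates: disable
        { print }
        END { exit !done }                      # non-zero if nothing was replaced
    ' "$file" > "$tmp" || { printf '%s %s\n' "$key" "$value"; cat "$file"; } > "$tmp"
    # Overwrite in place (rather than mv) so the owner, mode and SELinux label
    # of the original config file are preserved.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Print the value sshd would use for KEY in FILE: the first active line in the
# global section (before any Match block).
get_sshd_directive() {
    awk -v key="$1" '$1 == "Match" { exit } $1 == key { print $2; exit }' "$2"
}

# Demo on a constructed excerpt of a CentOS 7 sshd_config.
CFG=$(mktemp)
trap 'rm -f "$CFG"' EXIT
cat > "$CFG" <<'EOF'
# constructed excerpt of /etc/ssh/sshd_config (defaults commented out)
#Port 22
#PermitRootLogin yes
PasswordAuthentication yes
Match User backup
    PasswordAuthentication no
EOF
set_sshd_directive "$CFG" PermitRootLogin no
set_sshd_directive "$CFG" Port 63356
echo "PermitRootLogin -> $(get_sshd_directive PermitRootLogin "$CFG")"   # no
echo "Port            -> $(get_sshd_directive Port "$CFG")"              # 63356
echo "--- resulting file ---"
cat "$CFG"
```

After editing the real file, validate it with sudo sshd -t before restarting sshd, and note the order of the remaining steps: open the new port in firewalld before restarting sshd (the article does these in the opposite order), and keep your current session open until a second login on the new port succeeds. One more caveat for CentOS 7: as long as SELinux is still enforcing (it is only disabled in step 8), sshd is not permitted to bind a non-standard port until that port is labelled for it, with sudo semanage port -a -t ssh_port_t -p tcp 63356 (semanage is in the policycoreutils-python package).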

Restart the SSH service to apply the settings.

$ sudo systemctl restart sshd

Specify a firewall to allow connections on the new SSH port – 63356

$ sudo firewall-cmd --zone=public --permanent --add-port=63356/tcp
$ sudo firewall-cmd --reload

Make sure that the added port is listening (active):

$ ss -lntu | grep 63356
tcp    LISTEN     0      128       *:63356                 *:*
tcp    LISTEN     0      128      :::63356                :::*

Now, in order to connect to the server via SSH, you will always need to explicitly specify the port number.

$ ssh username@server_ip_address -p 63356

Step # 5: Changing the server name (hostname)

On a rented VPS server, hosters often set the hostname ($HOSTNAME) at their own discretion. Let's change the default hostname to another one. The most common name for a host is its domain name.

Full information about the hostname can be found by the following command:

$ hostnamectl status
   Static hostname: hostername.com
         Icon name: computer-vm
           Chassis: vm
        Machine ID: 1a7dd5067ac44318a143dae4b60da0ba
           Boot ID: 87e4dd5f9d9b4410b096c2768dea8235
    Virtualization: kvm
  Operating System: CentOS Linux 7 (Core)
       CPE OS Name: cpe:/o:centos:centos:7
            Kernel: Linux 3.10.0-693.2.2.el7.x86_64
      Architecture: x86-64

Change the server name:

$ sudo hostnamectl set-hostname "example.com"

Make sure that the name has changed:

$ hostname

Step # 6: Setting the Time Zone

When renting a VPS server, its local time is often associated with the region in which it is located. If, for example, your VPS server is in Amsterdam, then the server will also run on Central European Time.

Let's check which time zone the server is currently using:

$ timedatectl

Get a list of available time zones:

$ timedatectl list-timezones

I live in Assam (Asia), my time zone is Kolkata, and it is convenient for me that the server runs on the same time.

Set the server time zone to Asia/Kolkata as follows:

$ timedatectl set-timezone Asia/Kolkata

Step # 7: Configure the locale

Locales define the language that the system uses, as well as regional features, such as currency, number format, dates, and character sets.

A list of all available locales is stored in the directory – /usr/share/i18n/locales

To see the locales used, use the command below:

$ locale
LANG=en_US.UTF-8
LC_CTYPE="en_US.UTF-8"
LC_NUMERIC="en_US.UTF-8"
LC_TIME="en_US.UTF-8"
LC_COLLATE="en_US.UTF-8"
LC_MONETARY="en_US.UTF-8"
LC_MESSAGES="en_US.UTF-8"
LC_PAPER="en_US.UTF-8"
LC_NAME="en_US.UTF-8"
LC_ADDRESS="en_US.UTF-8"
LC_TELEPHONE="en_US.UTF-8"
LC_MEASUREMENT="en_US.UTF-8"
LC_IDENTIFICATION="en_US.UTF-8"
LC_ALL=

If you want to use the Indian locale for a particular format, for example the time, use the following command:

$ sudo localectl set-locale LC_TIME=en_IN.UTF-8

The language of the output of the date command is changed to the Indian locale (after the server is rebooted).

Step # 8: Disabling SELinux

SELinux (Security-Enhanced Linux) is an implementation of mandatory access control that can work in parallel with the classic discretionary access control system.

Despite the fact that SELinux allows improving security management, it more often hinders than it brings real benefits, so I recommend that you disable it.

You can check whether SELinux is enabled with the command below:

$ sestatus

To disable SELinux, edit the file /etc/selinux/config and set the SELINUX directive to the value disabled.

$ sudo vi /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

After you turn off SELinux, you must restart the server:

$ sudo reboot
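The same change can be made from a script, with the new value checked against the three modes the file itself documents. This is an added example, not code from the original article; the config path is passed in as a parameter, and the demo runs on a constructed copy of the file shown above rather than on /etc/selinux/config.

```shell
#!/bin/sh
# Added example, not from the original article: read and change the SELINUX=
# mode in a copy of /etc/selinux/config. Assumption: FILE is passed in, so the
# demo below works on a constructed copy.

# Print the value(s) of active SELINUX= lines in FILE. The pattern requires "="
# right after SELINUX, so the SELINUXTYPE= line is not matched.
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*//p' "$1"
}

# Rewrite every active SELINUX= line in FILE to MODE. Anything other than the
# three documented modes is refused (exit status 2) and the file is untouched.
set_selinux_config_mode() {
    file=$1 mode=$2
    case $mode in
        enforcing|permissive|disabled) ;;
        *) echo "invalid mode '$mode' (use enforcing, permissive or disabled)" >&2; return 2 ;;
    esac
    tmp=$(mktemp) || return 1
    # Rewrite through a temp file and copy back, keeping the original file's
    # owner, mode and label instead of replacing the inode with mv.
    sed "s/^[[:space:]]*SELINUX=.*/SELINUX=$mode/" "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Demo on a constructed copy of the CentOS 7 config shown in the article.
CFG=$(mktemp)
trap 'rm -f "$CFG"' EXIT
cat > "$CFG" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
echo "before: $(selinux_config_mode "$CFG")"        # enforcing
set_selinux_config_mode "$CFG" off || echo "rejected 'off' as expected"
set_selinux_config_mode "$CFG" disabled
echo "after:  $(selinux_config_mode "$CFG")"        # disabled
```

Two points from the file's own comments are worth keeping in mind when you apply this for real: the permissive value keeps the policy loaded and logs denials (in /var/log/audit/audit.log) without blocking anything, which is a lower-impact way to find out whether SELinux is really what is hindering you, and it can be switched on at runtime with sudo setenforce 0 without a reboot; the disabled value, by contrast, only takes effect after the reboot, and if you later go back from disabled to enforcing the filesystem has to be relabelled on the next boot (touch /.autorelabel).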

Conclusion

In this article, I have not talked about all the actions that are necessary to fully configure your VPS server. There are many more features that need to be considered after installing a fresh operating system on your VPS.
