VPS server on CentOS 7: After you have installed your VPS server, it is extremely important to perform several additional steps to configure it and protect it from various attacks. In this article I will cover what I consider the most important steps for building a complete and secure VPS server.
Step # 1: Change the password for the account – root
After the creation of a new VPS server, you will be given a password for the superuser root. Immediately after connecting to your server via SSH, you need to change it: very often the password you were given is weak and can be guessed by brute force.
Set a new password for root.
$ passwd
Step # 2: Create a new user
Initially, after installing CentOS (and other Linux distributions), only one user is available: root. The root superuser is the system administrator account and has the maximum privileges in the system. Because of these capabilities, it is recommended to use the root account only in special cases: working as root all the time makes it easy to accidentally run destructive, irreversible commands that are very difficult to recover from.
For this reason, the server administrator creates a new user to whom the root privileges are partially delegated. Below we will look at the process of creating and setting up a new user account for the system.
Create a new account, from under which we will always work on the server.
$ adduser username
Add a password to log in.
$ passwd username
If you suddenly forget the password, you can set the new password with the same command, and the old password will be reset.
In order for the new user to install software packages and edit system files, the superuser authority must be delegated to him.
You can do this by adding the account to the superuser group wheel.
$ gpasswd -a username wheel
Now the new user username can execute commands on behalf of root using the sudo program.
To switch to a new user account, use the su command:
$ su -l username
Step # 3: Enabling the firewall on CentOS 7
To protect against unwanted external connections to our server, you must install and enable the firewall.
Install the firewall service:
$ sudo yum install firewalld
Enable the firewall and add it to the list of services for autorun when restarting the system:
$ sudo systemctl start firewalld
$ sudo systemctl enable firewalld
Step # 4: Configuring SSH Configuration
There are a large number of brute-force programs running around the world that try to guess the root user's password day and night, and there is a high probability that your VPS will be attacked too. A reasonable solution is to forbid the root user from connecting over SSH.
Open the configuration file /etc/ssh/sshd_config:
$ sudo vi /etc/ssh/sshd_config
Change the value of the PermitRootLogin directive:
#PermitRootLogin yes
PermitRootLogin no
If you are not an experienced Linux user and your host does not provide you with a VNC panel, it is not recommended to forbid root access over SSH. If there is a critical error that can be fixed only from the root account, you will not be able to do anything.
Also, change the standard SSH port number, because it is on the standard port 22 that the brute-force programs "knock".
All ports can be divided into three groups:
- 0 – 1023 – well-known ports, also known as system ports;
- 1024 – 49151 – registered ports, also known as user ports;
- 49152 – 65535 – dynamic ports, also known as private ports.
First, we’ll select the port number on which SSH will work. It is recommended to select a port within 49152 – 65535. Before choosing a port, check whether it is already occupied by another service. For example, I’ll select port number 63356.
Let’s check the busyness of port 63356 with the following command:
$ cat /etc/services | grep 63356/tcp
If the command returns no output, the port is free. Otherwise, you will see the name of the service that has already registered the selected port. (Note that /etc/services only lists registered service names; whether something is actually listening on the port is checked with ss below.)
Now, in the file /etc/ssh/sshd_config, change the value of the Port directive:
#Port 22
Port 63356
Restart the SSH service to accept the settings.
$ sudo systemctl restart sshd
Tell the firewall to allow connections on the new SSH port, 63356:
$ sudo firewall-cmd --zone=public --permanent --add-port=63356/tcp
$ sudo firewall-cmd --reload
Make sure that the added port is listening (active):
$ ss -lntu | grep 63356
[meliorem@centos ~]$ ss -lntu | grep 63356
tcp LISTEN 0 128 *:63356 *:*
tcp LISTEN 0 128 :::63356 :::*
Now, in order to connect to the server via SSH, you will always need to explicitly specify the port number.
$ ssh username@server_ip_address -p 63356
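Before restarting sshd it is worth verifying that the two edits above will actually take effect, because sshd uses the first uncommented value of each directive, so an old `PermitRootLogin yes` left above your new line silently wins. The following shell functions are an added example (not from the original article) that read a config file the way sshd does and check the chosen port against the article's rules; the sample config and services file are constructed inline.

```shell
# Added example (not from the article): verify that the Step 4 edits really
# took effect. sshd uses the FIRST uncommented value of a directive, so a
# stray "PermitRootLogin yes" left above your edit silently wins.
# Usage: sshd_effective <config-file> <Directive>
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }              # skip comment lines
        tolower($1) == key { print $2; exit }  # first match wins, like sshd
    ' "$1"
}

# Succeeds if the port is in the dynamic range (49152-65535) the article
# recommends and has no entry in the services file (default /etc/services).
port_ok() {
    port=$1; services=${2:-/etc/services}
    [ "$port" -ge 49152 ] 2>/dev/null && [ "$port" -le 65535 ] || return 1
    ! grep -q "[[:space:]]$port/tcp" "$services"
}

# Combined check: prints a verdict and returns 0 only when both rules hold.
check_hardening() {
    root=$(sshd_effective "$1" PermitRootLogin)
    port=$(sshd_effective "$1" Port)
    [ "$root" = "no" ] || { echo "root login still allowed (effective: ${root:-unset})"; return 1; }
    port_ok "$port" "$2" || { echo "port '$port' is not a free dynamic port"; return 1; }
    echo "ok: root login disabled, sshd will listen on port $port"
}

# Constructed sample: the admin appended "no" but left the old "yes" active.
cat > /tmp/sshd_config.sample <<'EOF'
#Port 22
Port 63356
PermitRootLogin yes
PermitRootLogin no
EOF
cat > /tmp/services.sample <<'EOF'
ssh             22/tcp
http            80/tcp
EOF
check_hardening /tmp/sshd_config.sample /tmp/services.sample || echo "fix sshd_config before restarting sshd"
```

On the real server, `sudo sshd -t` checks the file for syntax errors and `sudo sshd -T | grep -i -e permitrootlogin -e '^port '` prints the values sshd will actually use; keep your existing session open until a new connection on the new port succeeds.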
Step # 5: Changing the server name (hostname)
On a rented VPS server, hosters often set the hostname (the $HOSTNAME variable) at their discretion. Let’s change the default hostname to another one. The most common name for a host is its domain.
Full information about the hostname can be found by the following command:
$ hostnamectl status
[meliorem@centos ~]$ hostnamectl status
   Static hostname: hostername.com
         Icon name: computer-vm
           Chassis: vm
        Machine ID: 1a7dd5067ac44318a143dae4b60da0ba
           Boot ID: 87e4dd5f9d9b4410b096c2768dea8235
    Virtualization: kvm
  Operating System: CentOS Linux 7 (Core)
       CPE OS Name: cpe:/o:centos:centos:7
            Kernel: Linux 3.10.0-693.2.2.el7.x86_64
      Architecture: x86-64
Change the server name:
$ sudo hostnamectl set-hostname "example.com"
Make sure that the name has changed:
$ hostname
Step # 6: Setting the Time Zone
When renting a VPS server, its local time is often associated with the region in which it is located. If, for example, your VPS server is in Amsterdam, then the server will also run on Central European Time.
Let’s check which time zone our server is currently working in:
$ timedatectl
Get a list of available time zones:
$ timedatectl list-timezones
I live in Assam (Asia), my time zone is Kolkata, and it is convenient for me if the server runs on the same time.
Set the server time zone to Kolkata as follows:
$ timedatectl set-timezone Asia/Kolkata
Step # 7: Configure the locale
Locales define the language that the system uses, as well as regional features, such as currency, number format, dates, and character sets.
A list of all available locales is stored in the directory /usr/share/i18n/locales.
To see the locales currently in use, run the command below:
$ locale
[meliorem@centos ~]$ locale
LANG=en_US.UTF-8
LC_CTYPE="en_US.UTF-8"
LC_NUMERIC="en_US.UTF-8"
LC_TIME="en_US.UTF-8"
LC_COLLATE="en_US.UTF-8"
LC_MONETARY="en_US.UTF-8"
LC_MESSAGES="en_US.UTF-8"
LC_PAPER="en_US.UTF-8"
LC_NAME="en_US.UTF-8"
LC_ADDRESS="en_US.UTF-8"
LC_TELEPHONE="en_US.UTF-8"
LC_MEASUREMENT="en_US.UTF-8"
LC_IDENTIFICATION="en_US.UTF-8"
LC_ALL=
If you want to set the Indian locale for one particular category only, for example the time format, use the following command:
$ sudo localectl set-locale LC_TIME=en_IN.UTF-8
The format of the output of the date command changes to the Indian one (after the server is rebooted).
Step # 8: Disabling SELinux
SELinux (Security-Enhanced Linux) is an implementation of mandatory access control that can work alongside the classic discretionary access control system.
Although SELinux allows finer-grained security management, in practice it more often gets in the way than brings real benefit, so I recommend disabling it.
You can check whether SElinux is enabled with the command below:
$ sestatus
To disable SELinux, edit the file /etc/selinux/config and set the SELINUX directive to disabled. (The same file also describes the permissive mode, in which SELinux only logs what it would have blocked instead of enforcing it; that is a useful middle ground if you want to keep the option of turning SELinux back on later.)
$ sudo vi /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
After you turn off SELinux, you must restart the server:
$ sudo reboot
Conclusion
In this article, I have not talked about all the actions that are necessary to fully configure your VPS server. There are many more features that need to be considered after installing a fresh operating system on your VPS.