Introduction
In this tutorial, we will go through a few important tasks for the initial setup and basic hardening of a server. These steps improve both the security and the usability of your server. We will perform a series of tasks such as creating a new sudo user, updating packages, setting the timezone and securing the SSH server.
Prerequisites
- Cloud VPS or Dedicated Server with CentOS 7 installed.
Step 1: Log in via SSH
When your server is created, Snel sends you an email with the default username, password, and server IP address. For the first login, you need to use those credentials to log in to your server.
If you’re not familiar with how to connect please have a look at our “How to connect to your server with SSH” article.
Step 2: Change Logged in User Password
Upon the first login, it is very important to change the password of the current user. Use the following command to do so.
passwd
It will ask you to provide your existing password unless you are logged in as the root user.
Step 3: Create a New Sudo User
If you are logged in as the root user, it is recommended to create a sudo user. If you are logged in as a sudo user with a username in the format client_xxxxxx_x, which Snel already created for you, it is still a best practice to create a new sudo user.
A Sudo user is a user having superuser privileges. In simple terms, this user can perform administrative commands and tasks as the root user.
To create a new user, run the following command. You can replace the example username happysnel with anything you like.
sudo adduser happysnel
Note: You can omit the sudo command if you are logged in as the root user.
Set a password for the newly created user by running the following command.
sudo passwd happysnel
Add your newly created user to the wheel group. Users in the wheel group are sudo users in CentOS 7.
sudo usermod -aG wheel happysnel
Step 4: Logging in as the Newly Created User
Exit from the current terminal session by running the logout command and log in again using ssh as the new user.
ssh happysnel@192.168.0.1
192.168.0.1 is an example IP address.
Step 5: Disable Root Login via SSH
Find the current setting for root login via SSH by running the following command.
sudo cat /etc/ssh/sshd_config | grep PermitRootLogin
You might see the following output.
[happysnel@vps ~]$ sudo cat /etc/ssh/sshd_config | grep PermitRootLogin
PermitRootLogin without-password
# the setting of "PermitRootLogin without-password".
In the above output, we can see that PermitRootLogin is set to without-password. It means that password authentication is disabled for root, while public-key authentication is still enabled, which is fine in most cases. Make sure the line is not commented out and is not set to yes.
To completely disable root login, edit the file by running the following command.
sudo nano /etc/ssh/sshd_config
And change the line to the following.
PermitRootLogin no
Save the file and restart the SSH server by running the following command.
sudo systemctl restart sshd
Now, if you try to log in as the root user, the server will not let you in.
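The grep in this step also prints commented-out lines, so it does not show which value sshd actually applies. The check below is an added example, not part of the original tutorial: it reads the first uncommented global PermitRootLogin line and classifies it the way Step 5 describes. The function names and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original tutorial): find the PermitRootLogin
# value that is really in effect, ignoring commented-out lines.

# Print the first uncommented, global value of option $2 in file $1.
# sshd keeps the first value it reads for each option.
effective_sshd_option() {
    awk -v key="$2" '
        { sub(/^[ \t]+/, "") }                    # drop leading whitespace
        /^#/ || NF == 0 { next }                  # skip comments and blanks
        { n = split($0, f, /[ \t=]+/) }           # "Key value" or "Key=value"
        tolower(f[1]) == "match" { exit }         # global section ends here
        tolower(f[1]) == tolower(key) { print tolower(f[2]); exit }
    ' "$1"
}

# Classify the root-login setting of sshd_config file $1.
check_root_login() {
    value=$(effective_sshd_option "$1" PermitRootLogin)
    case "$value" in
        no)  echo "OK: root cannot log in over SSH" ;;
        without-password|prohibit-password)
             echo "KEYS-ONLY: root can still log in with a public key" ;;
        yes) echo "FAIL: root can log in with a password" ;;
        "")  echo "FAIL: PermitRootLogin is commented out or missing" ;;
        *)   echo "REVIEW: PermitRootLogin $value" ;;
    esac
}

# Constructed sample file (hypothetical content, not a real server's config).
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PermitRootLogin yes
PermitRootLogin without-password
# the setting of "PermitRootLogin without-password".
EOF
check_root_login "$sample"
```

On the server, run check_root_login /etc/ssh/sshd_config as root. The command sudo sshd -T | grep -i permitrootlogin prints the value that sshd itself resolves from the configuration.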
Step 6: Update Your Server
It is important to install the latest security patches and updates on your server. Run the following command to do so.
sudo yum -y update
Note: If you get a prompt saying that an updated package or file is available but the installed version is modified, choose the keep the local version currently installed option.
Step 7: Setting timezone
You may want your server in the same timezone as you. Run the following command to get a list of available timezones.
timedatectl list-timezones
The list of available timezones is also available here.
Once you have identified your timezone, set it using the following command.
sudo timedatectl set-timezone Europe/Amsterdam
You can confirm the timezone by running the following command.
timedatectl
Step 8: Set Hostname
Check your existing hostname by running the following command.
hostnamectl
You should see a similar output.
[happysnel@vps ~]$ hostnamectl
   Static hostname: vps.snelexample.site
         Icon name: computer-vm
           Chassis: vm
        Machine ID:
           Boot ID:
    Virtualization: kvm
  Operating System: CentOS Linux 7 (Core)
       CPE OS Name: cpe:/o:centos:centos:7
            Kernel: Linux 3.10.0-957.1.3.el7.x86_64
      Architecture: x86-64
To set a hostname, run the following command.
sudo hostnamectl set-hostname host.snelexample.site
Replace host.snelexample.site with your actual hostname. Preferably, it should be an FQDN (Fully Qualified Domain Name). But if you are not sure whether you want to add an FQDN, a label to identify the server also works.
To resolve the hostname on your local server, you will need to add it to the /etc/hosts file. Edit the hosts file by running the following command.
sudo nano /etc/hosts
If the nano editor is not installed on your server, install it by running the following command.
sudo yum -y install nano
Append your hostname at the end of the line that starts with 127.0.0.1. For example:
127.0.0.1 localhost host.snelexample.site
Step 9: Configure a Firewall
In most cases, CentOS 7 comes with the firewall enabled by default. You can check the status of the firewall by running the following command.
sudo firewall-cmd --state
It should say running if your firewall is already running.
[happysnel@vps ~]$ sudo firewall-cmd --state
running
Step 10: SSH Port Change (Optional)
Malicious bots on the internet continuously target the default SSH port 22. You can change it to any other port so that your server is not a victim of continuous bot attacks on port 22. To change the SSH port, open the SSH configuration file again by running the following command.
sudo nano /etc/ssh/sshd_config
Find the line which says
#Port 22
Uncomment it and change it to any port you like between 1024 and 65535.
For example:
Port 2200
Save the file and exit from the editor.
Now, tell SELinux about the SSH port by running the following commands.
sudo yum -y install policycoreutils-python
sudo semanage port -a -t ssh_port_t -p tcp 2200
Open port 2200 in the firewall by running the following commands.
sudo firewall-cmd --permanent --add-port=2200/tcp
sudo firewall-cmd --reload
Now, restart the SSH server by running the following command.
sudo systemctl restart sshd
Now, if you try to log in from another terminal without specifying a port, the server will not let you in. Modify the SSH command to include the port number.
ssh -p 2200 happysnel@192.168.0.1
192.168.0.1 is an example IP address.
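If the SELinux or firewall command in this step is skipped, restarting sshd on the new port can lock you out of the server. The pre-flight check below is an added example, not part of the original tutorial; the function name ssh_port_ready and the sample inputs are assumptions, and port ranges in the tool output are not expanded.

```shell
#!/bin/sh
# Added example (not from the original tutorial): confirm a new SSH port is
# labelled in SELinux and open in firewalld before restarting sshd.

# ssh_port_ready PORT SELINUX_PORTS FIREWALL_PORTS
#   SELINUX_PORTS  : output of  semanage port -l | grep '^ssh_port_t'
#   FIREWALL_PORTS : output of  firewall-cmd --list-ports
# Prints every problem found and returns 0 only when there is none.
ssh_port_ready() {
    port=$1
    rc=0
    case "$port" in
        ''|*[!0-9]*) echo "port '$port' is not a number"; return 1 ;;
    esac
    if [ "$port" -lt 1024 ] || [ "$port" -gt 65535 ]; then
        echo "port $port is outside 1024-65535"; rc=1
    fi
    # The SELinux line looks like: ssh_port_t   tcp   2200, 22
    if ! printf '%s\n' "$2" | tr -s ' ,\t' '\n\n\n' | grep -qx "$port"; then
        echo "port $port is not labelled ssh_port_t"; rc=1
    fi
    # firewalld prints entries such as: 2200/tcp 8080/tcp
    if ! printf '%s\n' "$3" | tr -s ' ' '\n' | grep -qx "$port/tcp"; then
        echo "port $port/tcp is not open in firewalld"; rc=1
    fi
    return $rc
}

# On the server (sshd -t checks the configuration file for syntax errors):
#   sudo sshd -t &&
#   ssh_port_ready 2200 "$(sudo semanage port -l | grep '^ssh_port_t')" \
#                       "$(sudo firewall-cmd --list-ports)" &&
#   sudo systemctl restart sshd

# Constructed sample: SELinux step done, firewall step forgotten.
ssh_port_ready 2200 "ssh_port_t                     tcp      2200, 22" "" || true
```

Keep the current SSH session open while you test the new port from a second terminal, so a failed check can still be corrected.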
Step 11: Reboot
Now that we have updated the packages and configured the server, give the server a reboot so that any pending changes are applied.
sudo reboot
Conclusion
In this tutorial, we have learned how to set up a sudo user on a newly created CentOS 7 instance. We also saw how to set the timezone and hostname, harden the SSH server and update packages.