This how-to will help you with your initial setup on CentOS 6 so that you can successfully secure your server while giving you the peace of mind knowing your server is protected. With any server, the primary goal should always be security. Many users are victims of malicious infiltration on their servers due to the lack of security boundaries established from the beginning. Let us begin on the right path by laying our foundation with security.
What Do You Need?
You need a CentOS 6.x server that is configured with a static IP address. If you do not have a server already, you can visit Atlantic.Net’s Cloud Hosting page and spin a new server up in under 30 seconds.
To get started, log in to your CentOS 6 server via SSH or the VNC Console. Atlantic.Net Cloud servers are set up as minimal installations to avoid installing unnecessary packages that are never used. If some software packages that you’re used to using aren’t installed by default, feel free to install them as needed.
Let’s make sure that your server is fully up-to-date.
With the server up-to-date, we can continue the process and secure your server.
Update the CentOS 6 Root Password
By default, your Atlantic.Net servers are automatically set with secure passwords. However, we still recommend updating your password after creating your server and every 60-90 days thereafter to ensure it remains secure. A minimum of 8 characters, including lowercase, uppercase, symbols and numbers, is recommended to increase the level of security.
Type the following command to activate your request and follow the on-screen instructions to update/confirm your root password:
Create a new user with sudo privileges
After successfully updating your password, it’s recommended that you create a new user with sudo/root permissions. Since the common admin user for many Linux operating systems like CentOS 6 is “root”, we’re going to make a new admin user that will be used for day-to-day administration tasks. Creating a new user with root permissions will increase the security of the way your server is accessed. Unwanted users target the root user because they know it’s the default admin user, but when you create a new user with sudo/root permissions and then disable the default root user, they will not know which user to log in with.
Type the following command to create your new user replacing “user1” with your own username and confirm.
Create a password for that user by typing the following command to activate your request and following the on-screen instructions to update/confirm your “user1” password:
CentOS 6 uses VIM as the default text editor, which we will use to grant sudo privileges for user1. (i inserts/edits text, ESC leaves editing mode, and :wq saves and quits.)
The permissions are located under the following line:
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
Once you’ve located the line listed above, add the following line underneath the root user.
user1 ALL=(ALL) ALL
You can now save the file and close the VIM editor.
Esc, then :wq
Upon completion, exit out of your session and log back in to your server with the new user1 and password.
Configure SSH Access
In Linux systems, port 22 is the default port for remote connections via SSH. By changing the SSH port, you will increase the security of your server by keeping brute force attacks and unwanted users from reaching it on the default port. For this tutorial, I will use Port 5022 as an example.
Open your SSH configuration file, find the Port line, remove the # and change 22 to your custom port. Save and exit.
sudo vi /etc/ssh/sshd_config
#Port 22
Port 5022
In order for your system to update the settings from the SSH Configuration file, we must restart sshd.
sudo service sshd reload
or
sudo service sshd restart
SSH has now been configured to use Port 5022, and if you attempt to log in using Port 22, your login will fail. However, do not exit your session, as we first need to add the custom port to the firewall configuration, which we will do in the upcoming steps.
Limit Root Access
Since we’ve created a new user with root permissions and set a custom SSH port, there’s no need to keep the actual root user available and vulnerable over SSH on your server. Let us restrict the root user’s access to the local server only and grant SSH access to the new user only.
Open the SSH Configuration file, find the PermitRootLogin line, remove the # and change it from yes to no.
sudo vi /etc/ssh/sshd_config
#PermitRootLogin yes
PermitRootLogin no
Furthermore, add the following line at the very bottom of the file so that your new user can access the server remotely using SSH. Save your work and exit.
In order for your system to update all the settings that took place in the SSH Configuration file, we must restart the sshd service.
sudo service sshd reload
or
sudo service sshd restart
Note: Do not exit your session as we need to configure the custom port on the firewall which we will continue in the following steps.
Create a Private SSH Key
Private/public SSH keys are a great additional feature that increases the security of the way a server is accessed. However, they take a bit more effort to set up. The question is: is your server worth the extra security? If you would like to implement this security feature, continue with the following steps. Let us proceed and generate the SSH key.
If you want to change the location where the SSH key will be saved, you can specify it here. However, the default location where it is stored should be OK. Press Enter when you are prompted with the following question, then enter a passphrase, unless you don’t want one.
Enter file in which to save the key (/home/user1/.ssh/id_rsa):
You will then see the following information on the screen.
Configuring the SSH key is crucial: we must copy the full public key string to a Word/Notepad document. The key can be viewed in the following location with the cat command.
Copy the SSH key beginning with ssh-rsa and ending with user1@yourserver into a Word/Notepad document, so we can add it to the config file later on.
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApDJtSeXDMqM0+xmUW73AECrOmQ1n6Nut5/fn3CsdUv/ozuJDxsAkGptZ s2JkKwhjPdrBb98SD9imOIT1+jT5wGcglNQK6kuSfjSQRA35YiYdamOxl2flR/2rGfyJsQmn5/tqoebvcPKu SB1e+aquSMumYJ6stQIAj/ +j/BFDVL49tVEz75Wrr17Oj4Gshu7sSOHzqXH3VY/AeCY7i4UqEKv4U3r5nH3vkxcIZxkGpNcy5JEctydFhM sEi0/1UA5KWv3pT4ao/rPzJrPlRs +9L8OEYxZYXKMAcov16oFJbC/Xn8bFQUHsu4qXt23OD5Ib1Y5dkwbDXjKdQu+Vq3+82Q== user1@JVHServer
Once the SSH key is stored safely, switch to the new user.
su - user1
The directory for the SSH keys needs restricted permissions so that only the owner can read, write and execute it.
mkdir .ssh
chmod 700 .ssh
Within the SSH directory, a file containing the SSH key must be added, simply using your editor (in this case VI) at the following location:
Paste the SSH key, then save and exit VI.
Finally, we have to limit the privileges of the authorized_keys file that we just created so that only the owner can read and write it.
chmod 600 .ssh/authorized_keys
We can now verify that the key is working by closing your session and typing the following in your SSH console: user1@YOUR.IP.ADD.RESS or your server’s host name. Furthermore, you can see our How To Generate and Use SSH Keys article.
Basic Firewall Rules
By default, your Atlantic.Net CentOS 6 server is loaded with IPTABLES and basic security rules that only allow SSH/remote access publicly. We will need to update that rule with the custom port that was created earlier. Open the firewall configuration file and you will see the following:
sudo vi /etc/sysconfig/iptables
Update the SSH port from 22 to 5022 (your custom port).
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5022 -j ACCEPT
If you have a web server you may want to allow the following rules so your sites could be accessed over the internet.
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
If you have a mail server you may want to allow the following rules if you will be using your server for incoming POP3 settings. Port 110 is the standard port and port 995 is for a more secure connection using SSL.
-A INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT
Furthermore, you may want to allow the following rules if you will be using your server for outgoing SMTP settings. Port 25 is the standard port and 465 is for a secure connection using SSL.
-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 465 -j ACCEPT
Finally, you may want to allow the following rules if you will be using your server with IMAP settings.
-A INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 993 -j ACCEPT
Save your work and exit.
In order for IPTABLES to accept those settings, you must restart the iptables service.
sudo service iptables restart
Your settings will have been saved and you are ready to proceed.
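The following check is an added example, not part of the original tutorial: it reads the active Port and PermitRootLogin values from an sshd_config file and confirms that the iptables rules file accepts that port, which is the condition to meet before closing your current SSH session. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-logout check that sshd and the firewall agree.
# Simplification: Match blocks and multiple Port lines are not handled.

# effective_sshd_value KEY FILE: print the first uncommented value of KEY.
effective_sshd_value() {
    awk -v key="$1" 'BEGIN { k = tolower(key) }
        /^[[:space:]]*#/ { next }
        tolower($1) == k { print $2; exit }' "$2"
}

# port_allowed PORT FILE: succeed if FILE has a tcp ACCEPT rule for PORT.
port_allowed() {
    grep -Eq -- "^-A INPUT .*-p tcp .*--dport $1( .*)? -j ACCEPT" "$2"
}

# check_ssh_hardening SSHD_CONFIG RULES_FILE: return 0 only if the SSH port
# is open in the firewall and root login over SSH is disabled.
check_ssh_hardening() {
    sshd_conf=$1; rules=$2; status=0
    port=$(effective_sshd_value Port "$sshd_conf")
    port=${port:-22}    # sshd listens on 22 when no Port line is active
    root=$(effective_sshd_value PermitRootLogin "$sshd_conf")
    if ! port_allowed "$port" "$rules"; then
        echo "FAIL: sshd uses port $port but the firewall has no ACCEPT rule for it"
        status=1
    fi
    if [ "$root" != "no" ]; then
        echo "FAIL: PermitRootLogin is '${root:-unset}', expected 'no'"
        status=1
    fi
    if [ "$status" -eq 0 ]; then echo "OK: port $port allowed, root login disabled"; fi
    return "$status"
}

# Constructed sample input mirroring the edits made in this tutorial.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/sshd_config" <<'EOF'
#Port 22
Port 5022
#PermitRootLogin yes
PermitRootLogin no
EOF
cat > "$demo_dir/iptables" <<'EOF'
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5022 -j ACCEPT
EOF
check_ssh_hardening "$demo_dir/sshd_config" "$demo_dir/iptables"
```

On the server itself, point the function at /etc/ssh/sshd_config and /etc/sysconfig/iptables; reading both files requires root.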
NTP Time Sync
NTP (Network Time Protocol) is used to synchronize the time and date of computers over the network so that they remain accurate and up to date. Let us begin by installing NTP (if it hasn’t been installed) and configuring the service to synchronize with its servers.
sudo yum install ntp ntpdate
Once the NTP service is installed, we need to make sure that the service is ON.
sudo chkconfig ntpd on
With the service ON, it’s time to synchronize the server’s time information with NTP’s server with the following command:
Finally, we can start the NTP server with the following command which will constantly update the server’s time from the NTP server.
Add Swap File
A swap file is simply a small amount of space created on a server’s hard drive to simulate RAM. In the event that the server is running low on memory, it will use the hard drive to ease the load, letting the system behave as if it has more memory than it actually does. We will now set up the swap file on the hard drive to increase the performance of the server just a bit more.
Begin by checking your resources to make sure we can add the file. When you run the following command you will see the percentage of space on your hard drive that is currently being used.
When creating a swap file, you usually want to add half of your existing RAM, up to 4GB (if you have 1GB of actual RAM, then you add a 512MB file). In this part I will be adding a 512MB swap file to the drive.
sudo dd if=/dev/zero of=/swapfile bs=1024 count=512k
Now that we have added a swap file, a swap area needs to be created on it in order to proceed.
sudo mkswap /swapfile
With the swap file created and the swap area added, we can go ahead and restrict permissions on the file so that only the owner can read and write it.
sudo chown root:root /swapfile
sudo chmod 600 /swapfile
Now that the swap file has the appropriate permissions, we can go ahead and activate it.
sudo swapon /swapfile
You can verify your newly added Swap file with the following.
sudo swapon -s
In order to make the Swap file always active even after a reboot, we must configure it accordingly.
sudo vi /etc/fstab
Paste the following line at the bottom of the file, then save your work and exit.
/swapfile swap swap defaults 0 0
Finally, verify that your swap file is activated by typing the following command:
With that, you now have a reliable CentOS 6 cloud server with a strong security foundation which will give you the peace of mind knowing that your server is protected. You may now proceed building your platform according to your needs. Thank you for following along and feel free to check back with us for further updates.