Basic Security Measures For Setting Up A CentOS 7 Server

This is number 2 in a series of 4 articles designed to help newbies (like myself) get to grips with managing your own VPS server when you have never done it before.
In this article, I'm going to show you some basic security measures you should take before doing anything else with your newly obtained VPS server.

Having signed up to a VPS Cloud Server account with HostPresto!, I am working with a server that has CentOS 7.x with 1Gb of RAM installed and 25 Gb of disk space - but nothing else. It's a very low end VPS package, which I've obtained while I learn how to be a proper server administrator, so it suits my needs for now. I can always add more disk space and RAM as I need it.

I will be installing the free CentOS Web Panel a little later in this series of articles, but before I do that, I'm going to take a few basic security measures to reduce the risk of someone getting unauthorised access to my server.

Step 1. Log in via a SSH connection.

SSH stands for Secure Shell and it's a network protocol that provides administrators with a secure way to access a remote computer. I have a Windows PC and I will be using a program called PuTTY to make the connection. If you're not familiar with PuTTY, you should read this article.

Your Hosting Provider will normally send you the username (usually root) and IP address for your new server. Login using these details using PuTTY (Mac users would normally use a program called Terminal which does the same thing on MacOS as PutTTY does on Windows).

 

 

Step 2. Change the Default Password For 'root'.

In the console window type:

then press enter. Note the spelling - this is important.

You will be asked to enter a new password (twice) to ensure you have typed it correctly. Note: the cursor doesn't move when you're typing in passwords so make sure you type carefully !

Use a mixture of capitals, lower case, numbers and symbols (@, -, ! etc). I tend to go for a mix of vehicle registration numbers and telephone numbers or  partial telephone numbers separated by the special characters. Make the password strong, because this is the gateway to your server and you really don't want some vagrant squatting on your server (or worse). Did you notice how many failed login attempts there have been in the space of a day or so in the previous image !

 

 

Step 3. Create a New User.

Username is one half of the first level of security guarding access to your server, and every man and his dog knows about 'root' (well the bad guys who want to break in and either steal from you or do damage to your websites certainly do !), so it's good practise to create a new user and give them root privileges so you can lock out anyone (including yourself) who may want to log in under the username 'root'.

So, enter :

and press Enter. Obviously, you will need to change newuser for the actual username you want to use. On the console, the cursor simply moves down one line - there's no message to say the new user has been created (or how well you've done !) so don't be disconcerted by that (as I was at first).

Although you can use fullstops, underscores and hyphens in usernames (as long as the username doesn't start with a hyphen), I would personally avoid this and stick to a-z, A-Z and 0-9. I'd also maintain a convention of either uppercase only or lowercase only - it just keeps things standard.

Next we need to give the user a password, so enter:

 

Again you will need to enter the password twice. And again the cursor won't move as you're typing the password.

 

Step 4. Give the New User Root Privileges.

Next we enter:

 

Now this user can execute comands as a superuser. More on that later !

 

 

Step 5. Edit the SSH Default Port and Disable Access to User 'root'.

The next thing to do is edit the SSHD configuration file in order to add some more security measures. 

We are going to be using Vi which is a VERY basic text editor. Pronounced (vee-aye), it stands for 'visual instrument'. Before we get on to the task of editing the file though, you should familiarise yourself with the way vi works - it's not at all intuitive. 

There is a useful Quick Reference Guide here which I copied from lagmonster.org. I found that I could navigate around the text editor using the arrow keys and delete by using the backspace, so I only really needed to know about 'Modes' and 'Quitting', but all of the functions are shown if the backspace and / or arrow keys don't work for you.

So now that we're experts (!) on vi, lets get editing the SSHD configuration file.

On the command line, enter:

 

Using the cursor keys, find:

 

Position your cursor on that line and press the i key. Note that the word 'INSERT' appears at the bottom of the window.

Remove the '#' and change the port number. You can use any number in the range 1025 to 65535

Next we're going to disable 'root' login. Using the cursor keys, find:

 

and change this to without-password if you want to be able to access the root user using SSH-Key authentication, or no if you don't. 

Then find:

 

Remove the '#' and change to no.

Next, we're going to correct a problem that occurs when uploading files using FTP.

Find:

 

and replace with:

 

Press ESC to return to 'command' mode, then press Shift + ZZ to save and exit the configuration file.

If you check back to the previous image, you will see that just above the 'Port 22' entry, there is a message that if we change the port, we must tell SELinux about the change. (Security-Enhanced Linux (SELinux) is a Linux kernel security module). Helpfully, it tells us the command we should use.

So, if you changed the Port number to (for example) 45678, you would now enter the command:

 

You can check that the configuration has worked correctly by entering:

 

If it has worked as it should, you should see something along the lines of:

 

Now restart the SSHD service:

 

 

 

Step 6. Check That Your New Username is Working Correctly.

Open a new instance of PuTTY and login as newuser (you will now have two separate windows running). Don't forget to update the port number to the one you have just set.

To check that newuser has root access rights, enter:

 

You will be prompted for a password. The password that is required is the 'root' password.

On successful login, the prompt character changes from a '$' to a '#'. This means that your newuser has superuser privileges.

Enter:

 

to return to normal privileges (the prompt character becomes a '$' once more), then

 

again to close the SSH window.

 

Open another new instance of PuTTY and log in as user 'root'.

After entering the correct password, you should get the error message:

 

If that is the case, then you have created a new user with access to root privileges, and have prevented anyone logging in directly as root.

You can now close the PuTTY window(s) and either get yourself a well earned cup of coffee, or carry on to the the next stage of getting your server ready for hosting websites.

 

The next article in this series covers the installation of Centos Web Panel, a popular, free, feature rich web hosting control panel.

 

Next Article