The following is my procedure for setting up a new CentOS server.
Login as root
The first thing is to login as root. Once you've done so, you may wish to change
the password if your server came with one (i.e. you got this server from a place
like Digital Ocean). To change the password, use the
passwd command which will
ask you for a new password twice. If you want to be super safe, you can generate
a new password using a site like this one.
Add a new user
You shouldn't use your Linux machine as root until you actually need to do things that require root privileges, so we'll create a normal user account for day-to-day tasks.
useradd command is the ticket here and in the simplest case we only need
to provide it with the name of the account we wish to create:
This will create a new user with the default settings yet we still need to give
this user a password. Use the
passwd command again for this, but provide the
user whose password you wish to change:
Finally, we need to give this user the privilege of gaining root privileges for
the times that we do actually need to do something as root. We can use the
usermod command to add this new user to the "wheel" group which contains all
users capable of gaining root privileges:
usermod -a -G wheel john
Now, anytime john wants to elevate to root, he issues the
provides his password, and he gains root privileges. This might be kind of
annoying so you may optionally disable the password prompt if you trust John
enough. Do this by issuing the command
visudo which will open a file in the
vi editor (or Vim) and add the following line:
john ALL=(ALL) NOPASSWD: ALL
If you search through the file, you'll see an example of that syntax, I like to put the new line right after the example so things are grouped together nicely.
Enable the Firewall
There's really no reason not to run the built-in firewall so we'll enable it to run on boot and start it now with the following two commands:
systemctl enable firewalld
systemctl start firewalld
Soup up SSH
Next we'll make some changes to SSH so that it's a little more secure. Before logging out of an SSH session after making changes to the SSH configuration, it's always a good idea to verify that you can connect over a separate session just in case something went wrong. Otherwise, you may not be able to connect again to fix things.
First, we need to disable the root user from logging in over SSH. This forces
normal users to login and then elevate to root once on the system which makes it
easier to track down who did something malicious. Edit the file found at
/etc/ssh/sshd_config and add the following line to the bottom:
Next, let's change the port number which is used for SSH connections to make it a little tougher for an attacker to get in to your machine. Even if they do find your password, they'll also need to find the correct port to connect to; this will slow them down a bit, but not block them completely. Add a line like this to the same file that we just edited:
You can use this link to generate a list of valid ports. Pick one at random!
Verify that your config changes were acceptable by testing the file before we reload these changes:
If everything is good then no output will be printed.
Now let's add firewall rules to allow traffic over that port with the following commands:
firewall-cmd --zone=public --add-port=5394/tcp --permanent
And finally, restart the SSH daemon to load these new changes. But don't disconnect yet.
systemctl restart sshd
If there were any issues, check
Keep your current session going, but try a few separate connections with the following conditions:
- connect as root over the correct port, you shouldn't be allowed in even with the correct password
- connect as any user over port 22, the connection should be refused
- connect as your normal user over the port you chose, this should work
If you can connect back as your normal user, try issuing the
sudo su command
to verify that you can gain root privileges to make other changes.
Use SSH keys
This step is optional, but can be a nice touch for connecting to many Linux machines without having to deal with lots of passwords. Login with your normal user account and then follow these steps.
Generate some SSH keys using the
ssh-keygen command. Password protect them
(using a password you'll remember, or generate one) since these keys will
allow anyone to access your server if they know your username.
Add the keys to your list of authorized keys:
cat ~/.ssh/id_rsa.pub > ~/.ssh/authorized_keys
And set the permissions on your authorized keys file appropriately:
chmod 600 ~/.ssh/authorized_keys
Now download the private key found at
~/.ssh/id_rsa so that you'll be able to
connect to your server. We'll now disable password authentication to force the
use of the key files by finding the following line in the
file (requires root privileges):
And changing the 'yes' to 'no'.
Restart SSH and try connecting (with a separate session!) using password authentication; it should refuse your connection. Now connect using the id_rsa file you downloaded. When you access that key remember to enter the key password, not your user password. Once you enter in the password for the key you should be logged in to the system without entering your user password.
Enjoy your new server
That's it for setting up your new server. You should now have a normal user who can elevate to root along with the ability to connect over SSH (maybe with keys if you chose to set that up). Have fun!