How to set up a CentOS 7 Server

The following is my procedure for setting up a new CentOS server.

Log in as root

The first thing is to log in as root. Once you've done so, you may wish to change the password if your server came with one (e.g. you got this server from a place like Digital Ocean). To change the password, use the passwd command, which will ask you for a new password twice. If you want to be super safe, you can generate a new password using a site like this one.

Add a new user

You shouldn't use your Linux machine as root until you actually need to do things that require root privileges, so we'll create a normal user account for day-to-day tasks.

The useradd command is the ticket here, and in the simplest case we only need to provide it with the name of the account we wish to create:

useradd john

This will create a new user with the default settings, but we still need to give this user a password. Use the passwd command again for this, but provide the name of the user whose password you wish to set:

passwd john

Finally, we need to allow this user to gain root privileges for the times that we do actually need to do something as root. We can use the usermod command to add the new user to the "wheel" group, whose members are allowed to gain root privileges:

usermod -a -G wheel john

Now, any time john wants to elevate to root, he issues the sudo command, provides his password, and gains root privileges. This might be kind of annoying, so you may optionally disable the password prompt if you trust John enough. Do this by issuing the command visudo, which opens the sudoers file in the vi editor (or Vim), and add the following line:

john ALL=(ALL) NOPASSWD: ALL

If you search through the file, you'll see an example of that syntax; I like to put the new line right after the example so things are grouped together nicely.

Enable the Firewall

There's really no reason not to run the built-in firewall, so we'll enable it to run on boot and start it now with the following two commands:

systemctl enable firewalld

systemctl start firewalld

Soup up SSH

Next we'll make some changes to SSH so that it's a little more secure. After changing the SSH configuration, and before logging out of your current SSH session, it's always a good idea to verify that you can connect over a separate session, just in case something went wrong. Otherwise, you may not be able to connect again to fix things.

First, we need to prevent the root user from logging in over SSH. This forces people to log in as normal users and then elevate to root once on the system, which makes it easier to track down who did something malicious. Edit the file found at /etc/ssh/sshd_config and add the following line to the bottom:

PermitRootLogin no

Next, let's change the port number used for SSH connections to make it a little tougher for an attacker to get into your machine. Even if they do find your password, they'll also need to find the correct port to connect to; this will slow them down a bit, but not block them completely. Add a line like this to the same file that we just edited:

Port 5394

You can use this link to generate a list of valid ports. Pick one at random!

Check that the config file is still valid before we reload these changes:

sshd -t

If everything is good, no output will be printed.

Now let's add firewall rules to allow traffic over that port with the following commands:

firewall-cmd --zone=public --add-port=5394/tcp --permanent

firewall-cmd --reload

And finally, restart the SSH daemon to load these new changes. But don't disconnect yet.

systemctl restart sshd

If there were any issues, check /var/log/messages or /var/log/secure for more information.
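The two edits above (and the PasswordAuthentication change later in this post) are all the same operation: set one directive in /etc/ssh/sshd_config. The script below is an added example, not part of the original post, that does this the way I would want it done on a server I have to keep access to: it replaces an existing copy of the directive instead of appending a duplicate, validates the file with sshd -t before restarting, keeps a backup to roll back to, and handles the SELinux port label that CentOS 7 needs for a non-standard SSH port (the post does not mention SELinux; without that step sshd will refuse to bind the new port when SELinux is enforcing). The sshd_set function takes the file path as an argument, so you can try it on a copy of sshd_config before touching the real one. The port 5394 and the backup file name are the post's value and my own choice respectively.

```shell
#!/bin/sh
# Added example (not from the original post): set an sshd_config directive
# idempotently, then apply the post's SSH changes with a validation step.
#
# Two sshd_config rules matter here. sshd uses the FIRST value it reads for a
# keyword, so a directive appended to the bottom is silently ignored if an
# uncommented copy already exists higher up; and anything written after a
# "Match" block applies only to that Match. sshd_set therefore replaces an
# existing (possibly commented-out) copy in place, and otherwise inserts the
# directive before the first Match block, or at the end if there is none.
sshd_set() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        function emit() { print key " " value; done = 1 }
        BEGIN { done = 0; inmatch = 0 }
        # Reached a Match block before placing the directive: insert it first.
        tolower($1) == "match" { if (!done) emit(); inmatch = 1 }
        # Global copy of the directive, commented or not: replace the first, drop the rest.
        !inmatch && (tolower($1) == tolower(key) || tolower($1) == ("#" tolower(key))) {
            if (!done) emit()
            next
        }
        { print }
        END { if (!done) emit() }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Apply the changes from this section on the server itself (run as root).
# The semanage step is the SELinux port label: on CentOS 7 with SELinux
# enforcing, sshd may only bind ports of type ssh_port_t, so without it the
# restart fails and the denial shows up in /var/log/messages.
harden_sshd() {
    port=$1
    cfg=/etc/ssh/sshd_config
    bak="$cfg.bak.$(date +%Y%m%d%H%M%S)"     # backup name is my own convention
    cp -p "$cfg" "$bak" || return 1
    sshd_set "$cfg" PermitRootLogin no
    sshd_set "$cfg" Port "$port"
    if ! sshd -t; then
        echo "sshd_config failed validation, restoring $bak" >&2
        cp -p "$bak" "$cfg"
        return 1
    fi
    if command -v semanage >/dev/null 2>&1; then
        semanage port -a -t ssh_port_t -p tcp "$port" 2>/dev/null \
            || semanage port -m -t ssh_port_t -p tcp "$port"
    fi
    firewall-cmd --zone=public --add-port="$port/tcp" --permanent
    firewall-cmd --reload
    systemctl restart sshd
    echo "sshd restarted on port $port; test a NEW connection before closing this one" >&2
}

# Only touch the live system when explicitly asked to: sh thisfile.sh --apply 5394
if [ "${1:-}" = "--apply" ]; then
    harden_sshd "${2:-5394}"
fi
```

Running the script with no arguments defines the functions and does nothing, which is how you would source it to test sshd_set on a copy of the config; --apply performs the real change. Note that harden_sshd still leaves the final step from the post to you: open a second session and confirm you can get in over the new port before you close the one you are in.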

Keep your current session going, but try a few separate connections under the following conditions:

  • connect as root over the new port; you shouldn't be allowed in even with the correct password
  • connect as any user over port 22; the connection should be refused
  • connect as your normal user over the port you chose; this should work

If you can connect back as your normal user, try issuing the sudo su command to verify that you can gain root privileges to make other changes.

Use SSH keys

This step is optional, but can be a nice touch for connecting to many Linux machines without having to deal with lots of passwords. Log in with your normal user account and then follow these steps.

Generate an SSH key pair using the ssh-keygen command. Protect it with a passphrase (one you'll remember, or generate one), since anyone who gets hold of the private key can access your server if they know your username.

Add the public key to your list of authorized keys (appending with >> rather than > so that any keys already in the file are kept):

cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

And set the permissions on your authorized keys file appropriately:

chmod 600 ~/.ssh/authorized_keys

Now download the private key found at ~/.ssh/id_rsa so that you'll be able to connect to your server. We'll now disable password authentication to force the use of key files. Find the following line in the /etc/ssh/sshd_config file (requires root privileges):

PasswordAuthentication yes

and change the 'yes' to 'no'.

Restart SSH and try connecting (with a separate session!) using password authentication; it should refuse your connection. Now connect using the id_rsa file you downloaded. When you are prompted for that key, remember to enter the key's passphrase, not your user password. Once you enter the key's passphrase you should be logged in to the system without entering your user password.
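As an added example (not from the original post), here is the authorized_keys step done in a way that is safe to re-run: it checks that the file really is a public key before touching anything, creates ~/.ssh and authorized_keys with the permissions sshd's StrictModes check requires, and appends the key only if it is not already present. The function takes the .ssh directory and the public key file as arguments so it can be exercised against a scratch directory; on the server you would call it as install_authorized_key "$HOME/.ssh" "$HOME/.ssh/id_rsa.pub". The count_keys helper and the key type list are my own.

```shell
#!/bin/sh
# Added example (not from the original post): install a public key into
# authorized_keys without clobbering keys that are already there.
install_authorized_key() {
    sshdir=$1; pubkey=$2
    auth="$sshdir/authorized_keys"

    # A public key line looks like "<type> <base64-blob> [comment]". Refuse
    # anything that does not start with a known key type, so a private key or
    # a stray file never ends up in authorized_keys by mistake.
    line=$(head -n 1 "$pubkey") || return 1
    case $line in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-nistp256 "*|"ecdsa-sha2-nistp384 "*|"ecdsa-sha2-nistp521 "*) ;;
        *) echo "not a public key: $pubkey" >&2; return 2 ;;
    esac
    # Compare on type and blob only: the trailing comment may differ between copies.
    keyid=$(printf '%s\n' "$line" | awk '{ print $1, $2 }')

    # sshd ignores ~/.ssh and authorized_keys if they are group- or
    # world-writable (StrictModes, on by default), so set permissions explicitly.
    { mkdir -p "$sshdir" && chmod 700 "$sshdir"; } || return 1
    { touch "$auth" && chmod 600 "$auth"; } || return 1

    # Append only if the same key is not already present (idempotent).
    if awk -v id="$keyid" '($1 " " $2) == id { found = 1 } END { exit !found }' "$auth"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$auth"
}

# Number of key lines in an authorized_keys file (ignores comments and blanks).
count_keys() { grep -c '^[a-z]' "$1"; }
```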

Enjoy your new server

That's it for setting up your new server. You should now have a normal user who can elevate to root along with the ability to connect over SSH (maybe with keys if you chose to set that up). Have fun!
