Initial Server Set Up – CentOS

You’ve just ordered your new HostDoc VPS and you’re wondering where to go from here.  You’ve come to the right place!

In this tutorial, we will go through a few basic security hardening steps.  These are just some of the things you can do: security is a game of cat and mouse, so no system is ever completely secure.

Following this guide will go a long way towards securing your VPS.

Creating a new user

The first and most basic thing we can do is create a new user that will become our main account.  The benefit is that the username isn’t root, so it’s one thing an attacker won’t know immediately.  The most common attacks target the root user, so using a different name is a great help.

In this example, we will call our new user “secretnewuser” – I suggest using your own secret user name.

root@tutorial:~# adduser secretnewuser

We now need to create a password for the user secretnewuser. To do so we use the passwd command.

root@tutorial:~# passwd secretnewuser

Setting a strong password

The best password is as random as possible, doesn’t contain any dictionary words and isn’t easy to guess.  My preferred method is to use a random password generator like this one.  Each time you visit or refresh that page it will generate a new password.

When you set the password, you will have to enter it twice to confirm it.

Before we continue, it’s a good idea to give the root user a new strong password.  Generate a new password from this page and use it below.

root@tutorial:~# passwd

We’ve just given the root user a strong password, nice!

Giving that new user ‘sudo’ access

Now that we have our new user, in this case called “secretnewuser”, we need to give it sudo access.  Since I know you didn’t just use the same username, replace secretnewuser with your chosen username.  On CentOS, members of the wheel group are allowed to use sudo, so we add the user to that group.

root@tutorial:~# gpasswd -a secretnewuser wheel

Disabling root login with SSH

Because logging in as a root user with SSH is generally not a secure thing to do, we are going to disable the ability to SSH into your VPS as the root user.  After we do this, you’ll need to log in with your secret new user and start using sudo.


We’re going to use an editor called nano, because it’s very easy to use.  If you prefer your own editor, use that instead.

root@tutorial:~# nano /etc/ssh/sshd_config

Find the line that says PermitRootLogin yes and change it so that it says PermitRootLogin no (remove the # from the start of the line if it is commented out).

Changing default SSH port

Now is a good time to change the default SSH port from 22 to something else.  Here I will use 12922 from now on, please choose your own.

In the /etc/ssh/sshd_config file, find the line that says Port 22 and change it to your chosen port (in my example, Port 12922), and be sure to remove the # from the start of the Port option.

Now that we’ve changed that, we need to restart the SSH server.  Note that after this you will no longer be able to log in as root!  (Which is great!)

root@tutorial:~# systemctl restart sshd.service

NOTE: Be sure to test the new user in a separate terminal before closing the main terminal.

Log out now.

Log in as your new user, on your new port (don’t forget that!)

secretnewuser@tutorial:~$

Setting up a firewall

From this point forward, we’ll be using sudo because we’re logged in as our new user.

We’re going to use a tool called ufw, which is a firewall.  If it’s not installed, install it first with either apt or yum, depending on your distro.  I use Ubuntu myself, but on CentOS ufw comes from the EPEL repository, so install that first:

secretnewuser@tutorial:~$ sudo yum -y install epel-release
secretnewuser@tutorial:~$ sudo yum -y install ufw

We are going to block all incoming ports by default, except for the new SSH port, which in my example is 12922.

secretnewuser@tutorial:~$ sudo ufw default deny incoming
secretnewuser@tutorial:~$ sudo ufw default allow outgoing
secretnewuser@tutorial:~$ sudo ufw allow 12922/tcp
secretnewuser@tutorial:~$ sudo ufw enable

Now your system is very secure.  Don’t forget you can add other ports later, for example 80 and 443 if you plan to use a web server.
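Here is an added example script (not part of the original guide) that reads the SSH port from sshd_config and only enables ufw once an allow rule for that port is really present, so a typo in the port number can’t lock you out of your own VPS. It assumes the config path /etc/ssh/sshd_config, that sudo works for your user, and that your ufw version has "ufw show added".

```sh
#!/bin/sh
# Added example, not from the original guide: take the SSH port from
# sshd_config instead of retyping it, so the ufw allow rule can never
# disagree with the port sshd listens on, and refuse to enable the
# firewall unless that allow rule is present. SSHD_CONFIG and the use
# of sudo are assumptions.

SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# ssh_port_from_config: read sshd_config on stdin and print the
# effective Port. The last uncommented "Port N" line wins; 22 (sshd's
# default) if none is set. Commented "#Port 22" lines are ignored.
ssh_port_from_config() {
    awk '$1 == "Port" && $2 ~ /^[0-9]+$/ { port = $2 }
         END { print (port == "" ? 22 : port) }'
}

# ssh_port_in_added_rules PORT: read the output of "ufw show added" on
# stdin and succeed only if it contains an allow rule for PORT
# (either "ufw allow PORT" or "ufw allow PORT/tcp").
ssh_port_in_added_rules() {
    grep -q -E "^ufw allow ${1}(/tcp)?( |$)"
}

if [ "${1:-}" = "apply" ]; then
    # sshd_config is root-only on CentOS, hence the sudo cat.
    port=$(sudo cat "$SSHD_CONFIG" | ssh_port_from_config)
    sudo ufw default deny incoming
    sudo ufw default allow outgoing
    sudo ufw allow "${port}/tcp"
    # Lock-out guard: confirm the rule made it in before turning ufw on.
    sudo ufw show added | ssh_port_in_added_rules "$port" \
        || { echo "no allow rule for SSH port $port; refusing to enable" >&2; exit 1; }
    sudo ufw --force enable
fi
```

Run it as `sh ufw-ssh.sh apply` after editing sshd_config; without the `apply` argument it only defines the functions.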

Protecting against brute force password attacks

The final thing we’ll do here is simple: we’re going to install a tool called ‘fail2ban’, which scans the logs and, if it notices too many failed sign-in attempts, temporarily bans the IP address to stop it guessing your password.  On CentOS, fail2ban also comes from the EPEL repository we installed above.

secretnewuser@tutorial:~$ sudo yum -y install fail2ban
secretnewuser@tutorial:~$ sudo systemctl enable --now fail2ban
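As an added example that isn’t part of the original guide, the script below writes a /etc/fail2ban/jail.local that enables the sshd jail on the custom port: on CentOS the jails in jail.conf ship disabled and the sshd jail’s default port is the standard 22, so installing fail2ban alone would not protect port 12922. The port, ban time, retry count and the choice of the iptables ban action (because this guide uses ufw rather than firewalld) are assumptions you can change.

```sh
#!/bin/sh
# Added example, not from the original guide. On CentOS every jail in
# /etc/fail2ban/jail.conf ships disabled, and the sshd jail's default
# "port = ssh" means port 22, so with SSH moved to 12922 an installed
# fail2ban would ban nothing. This writes a jail.local that enables the
# sshd jail on the custom port. Port, bantime and maxretry are assumptions.

# fail2ban_sshd_jail PORT [MAXRETRY] [BANTIME]: print jail.local content.
fail2ban_sshd_jail() {
    port="$1"; maxretry="${2:-5}"; bantime="${3:-3600}"
    cat <<EOF
[DEFAULT]
# Never ban loopback, so local tooling cannot lock itself out.
ignoreip = 127.0.0.1/8 ::1
# Ban for bantime seconds after maxretry failures within findtime seconds.
bantime = ${bantime}
findtime = 600
maxretry = ${maxretry}
# This guide uses ufw (iptables), not firewalld, so ban with iptables.
banaction = iptables-multiport

[sshd]
enabled = true
port = ${port}
EOF
}

# jail_sshd_port FILE: print the port configured in the [sshd] section.
jail_sshd_port() {
    awk -F' *= *' '
        /^\[sshd\]/ { in_sshd = 1; next }
        /^\[/       { in_sshd = 0 }
        in_sshd && $1 == "port" { print $2 }
    ' "$1"
}

if [ "${1:-}" = "apply" ]; then   # e.g. sh fail2ban-sshd.sh apply 12922
    fail2ban_sshd_jail "${2:-12922}" | sudo tee /etc/fail2ban/jail.local >/dev/null
    sudo systemctl enable fail2ban
    sudo systemctl restart fail2ban
    sudo fail2ban-client status sshd   # shows the jail is active and its ban list
fi
```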

Adding an SSH Key

This guide assumes you have already generated your key pair with a tool such as PuTTYgen https://www.chiark.greenend.org.uk/~sgt … atest.html.
We now need to add the public key of that pair to a specific file in the home directory of “secretnewuser”.

secretnewuser@tutorial:~$ mkdir .ssh
secretnewuser@tutorial:~$ chmod 700 .ssh
secretnewuser@tutorial:~$ nano .ssh/authorized_keys

Now, paste in your public key, then save and exit.
We will now restrict the permissions on this file.

secretnewuser@tutorial:~$ chmod 600 .ssh/authorized_keys

We can now edit the SSH configuration again to disable password login as well.

secretnewuser@tutorial:~$ sudo nano /etc/ssh/sshd_config

Find the line that says PasswordAuthentication yes and change it so that it says PasswordAuthentication no (remove the # from the start of the line if it is commented out).

Now, restart the sshd service.

secretnewuser@tutorial:~$ sudo systemctl restart sshd.service

NOTE: Be sure to test the new configuration in a separate terminal before closing the main terminal.
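The sshd_config edits made in this guide (PermitRootLogin, Port and PasswordAuthentication) can also be applied with the added script below, which is not from the original guide; it rewrites each option idempotently, handles commented-out lines, and runs `sshd -t` on the result before restarting so a typo cannot take sshd down and lock you out. The config path and port 12922 are assumptions, and the apply step is meant to be run as root (`sudo sh harden-sshd.sh apply`).

```sh
#!/bin/sh
# Added example, not from the original guide: apply the three sshd_config
# changes the guide makes by hand (Port, PermitRootLogin,
# PasswordAuthentication) idempotently, and validate with "sshd -t"
# before restarting, because a typo in sshd_config makes the restart
# fail. Paths and the port are assumptions.

# set_sshd_option FILE KEY VALUE: rewrite FILE in place so that exactly
# one "KEY VALUE" line is set; existing "KEY ..." and "#KEY ..." lines
# are replaced (case-insensitively, as sshd reads them). Lines after the
# first "Match" block are left alone, since options there apply only to
# that block, and a missing option is inserted before it so it stays global.
set_sshd_option() {
    file="$1"; key="$2"; value="$3"; tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        tolower($1) == "match" && !in_match {
            in_match = 1
            if (!done) { print key " " value; done = 1 }
        }
        in_match { print; next }
        tolower($1) == tolower(key) || tolower($1) == ("#" tolower(key)) {
            if (!done) { print key " " value; done = 1 }
            next
        }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# sshd_config_ok FILE: 0 if sshd accepts FILE (needs root to read host keys).
sshd_config_ok() {
    sshd -t -f "$1"
}

if [ "${1:-}" = "apply" ]; then   # run as: sudo sh harden-sshd.sh apply
    cfg=/etc/ssh/sshd_config; work=$(mktemp)
    cp "$cfg" "$work"
    for kv in "Port 12922" "PermitRootLogin no" "PasswordAuthentication no"; do
        set_sshd_option "$work" $kv    # unquoted on purpose: splits into KEY VALUE
    done
    sshd_config_ok "$work" || { echo "sshd rejected the new config; not installing" >&2; exit 1; }
    # On CentOS with SELinux enforcing, also allow the new port first:
    #   semanage port -a -t ssh_port_t -p tcp 12922   (semanage is in policycoreutils-python)
    cp -p "$cfg" "$cfg.bak" && cat "$work" > "$cfg" && systemctl restart sshd
fi
```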

Increase Entropy

Entropy is the randomness of the data used when an application or the operating system performs cryptography; an example would be SSL connections to your web server.
/dev/random and /dev/urandom are the general-purpose random devices.
/dev/random is a blocking device: it stalls reads until adequate entropy becomes available for continued output.
/dev/urandom is a non-blocking device that keeps producing random data even when the entropy estimate is low.
A production server should never run out of entropy, because cryptographic operations that wait on /dev/random will stall when it does.

You may need the EPEL repository for this, so let’s install that first.

root@tutorial:~# yum -y install epel-release

Now, let’s first check how much entropy the system has available.

root@tutorial:~# cat /proc/sys/kernel/random/entropy_avail
867

The output shows your current entropy level. A good entropy level to sustain would be 2800 – 3900.
To increase entropy, we will need to install and start haveged.

root@tutorial:~# yum -y install haveged
root@tutorial:~# systemctl start haveged

You can check haveged is running by checking the status.

root@tutorial:~# systemctl status haveged
root@tutorial:~# systemctl enable haveged

The final command ensures haveged persists after a reboot.
Now, let’s check our entropy level again.

root@tutorial:~# cat /proc/sys/kernel/random/entropy_avail
3419

Now let’s update everything.

root@tutorial:~# yum -y update

And we’re done!  Your Linux VPS is now very secure, but it doesn’t end here.  Since this is a basic security setup, further hardening steps are out of scope for this guide.

I hope this was easy to follow, as always.