Security-Enhanced Linux (SELinux) is an enhanced security mechanism at the kernel level. Follow this guide to reinstall SELinux and reset the policy to default settings. If SELinux is not already installed, go directly to step 2.
Perform these steps as a sudo-enabled user, or root. This guide has been tested on:
# setenforce 0
# yum remove selinux-policy\*
# rm -rf /etc/selinux/targeted /etc/selinux/config
# yum install selinux-policy-targeted
# yum install selinux-policy-devel policycoreutils
# touch /.autorelabel; reboot
SELinux will detect the /.autorelabel file on reboot, and then relabel all files with the correct SELinux contexts. If you have many files, the instance may be unavailable for a long time.
]]>AKLWEB HOST provides a feature that allows you to pre-install SSH keys when creating a new instance, so you can SSH to the instance as root with the key. However, the key doesn’t work for non-root users. This tutorial describes three methods to use SSH keys with non-root users.
# sudo -u example_user ssh-keygen Generating public/private rsa key pair. Enter file in which to save the key (/home/example_user/.ssh/id_rsa): Created directory '/home/example_user/.ssh'. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/example_user/.ssh/id_rsa Your public key has been saved in /home/example_user/.ssh/id_rsa.pub
/home/example_user/.ssh/id_rsa
, to your computer. For example, you might copy it to your local .ssh folder as ~/.ssh/example_user_id_rsa
.# rm /home/example_user/.ssh/id_rsa
authorized_keys
.# mv /home/example_user/.ssh/id_rsa.pub /home/example_user/.ssh/authorized_keys
If you saved the private key as ~/.ssh/example_user_id_rsa
, you can SSH to the server as your non-root example_user:
$ ssh -i ~/.ssh/example_user_id_rsa example_user@192.0.2.123
In this case, we’ll move the root key to the example_user, which also disables the root user’s SSH key access.
.ssh
directory for example_user.# mkdir /home/example_user/.ssh
# mv /root/.ssh/authorized_keys /home/example_user/.ssh/
.ssh
directory from root to example_user so OpenSSH can read it.# chown -R example_user:example_user /home/example_user/.ssh
If you are deploying many instances, you may use the AKLWEB HOST Startup Scripts feature to create a non-root user and move the SSH key automatically.
#!/bin/sh useradd -m -s /bin/bash example_user mv /root/.ssh /home/example_user/ chown -R example_user:example_user /home/example_user/.ssh
You can deploy instances with this script and one or more SSH keys. When the instance deploys, the script creates example_user, then moves the public SSH keys from root to example_user. Now you can SSH to the new instance as example_user with the keys you provided.
]]>As the root user, you have privileges to do anything that you want with the server – no restrictions. Because of this, it is better to avoid using the root user account for every task on your server. Let’s start by making a new user. Replace username
with the desired user name:
adduser username
Choose a new secure password and respond to the questions accordingly (or just hit ENTER to use the default value).
New user accounts don’t have privileges outside of their home folder and cannot run commands that will alter the server (like install
, update
, or upgrade
). To avoid the use of the root account, we will give the user root privileges. There are two ways of doing this:
The easy way is to add the user to the sudo
group. Replace username
with the desired user name:
adduser username sudo
This will add the user to the group sudo
. This group has the privilege of running the commands with sudo access.
The other way is to put your user in the sudoers
file. If your server has multiple users with root privileges, then this approach is somewhat better because if someone messes with the sudo
group, you will be still able to run commands with root privileges to work on the server.
First, run this command:
visudo
This will open the sudoers
file. This file contains the definitions of groups and users who can run commands with root privileges.
root ALL=(ALL:ALL) ALL
After this line, write your user name and grant it full root privileges. Replace username
accordingly:
username ALL=(ALL:ALL) ALL
Save and close the file (Ctrl + O and Ctrl + X in nano).
To login to your new user account without logout
and login
, simply call:
su username
Test sudo permissions using this command:
sudo apt-get update
The shell will ask for your password. If sudo was configured properly, then your repositories should be updated. Otherwise, review the previous steps.
Now, logout from the new user:
exit
Sudo setup is complete.
The next part of this guide involves securing the ssh login to the server. First, change the root password:
passwd root
Choose something hard to guess, but that you can remember.
SSH keys are a safer way to login. If you are not interested in SSH keys, skip to the next part of the tutorial.
Use the following AKLWEB Host Doc to make an SSH key: How Do I Generate SSH Keys?
After you get your public key, login with your new user again.
su username
Now make the .ssh
directory and the authorized_keys
file in the home directory of that user account.
cd ~
mkdir .ssh
chmod 700 .ssh
touch .ssh/authorized_keys
Add the public key that you generated from the other tutorial to the authorized_keys
file.
nano .ssh/authorized_keys
Save the file, then change the permissions of that file.
chmod 600 .ssh/authorized_keys
Return to the root user.
exit
Now we will make the SSH daemon more secure. Let’s start with the config file:
nano /etc/ssh/sshd_config
This step will change the port used to access the server, it is entirely optional but recommended.
Find the line with the Port
config, should look like this:
Port 22
Now change this port to any port that you want. It must be greater than 1024.
Port 4422
This step will disable root login through SSH, it is entirely optional but highly recommended.
Find this line:
PermitRootLogin yes
… and change it to:
PermitRootLogin no
This will make the server more secure against bots that try brute force and/or common passwords with user root
and port 22.
This step will disable X11 forwarding, don’t do this if you use some remote desktop program to access to your server.
Find the X11 line:
X11Forwarding yes
… and it change to:
X11Forwarding no
Now that we made the changes to secure the SSH Login, restart the SSH service:
service ssh restart
This will restart and reload the server settings.
Without disconnecting your current ssh session, open a new terminal or PuTTY window and test another SSH login.
ssh -p 4422 username@SERVER_IP_OR_DOMAIN
If everything checks out, we have successfully hardened the security of your server. Enjoy!
]]>CentOS 7 uses firewalld rather than iptables. A quick internet search will show that many faithful CentOS users find firewalld far too complicated for their needs and are reverting back to iptables. Iptables was the standard firewall for CentOS 5 and 6.
This guide shows you how to disable firewalld, install IP tables, CSF dependencies, and CSF.
Stop and disable firewalld.
systemctl disable firewalld
systemctl stop firewalld
Install iptables.
yum -y install iptables-services
Create files needed by iptables.
touch /etc/sysconfig/iptables
touch /etc/sysconfig/iptables6
Start iptables.
systemctl start iptables
systemctl start ip6tables
Enable iptables at boot.
systemctl enable iptables
systemctl enable ip6tables
Install the CSF dependencies.
yum -y install wget perl unzip net-tools perl-libwww-perl perl-LWP-Protocol-https perl-GDGraph -y
Download and launch the CSF installer.
cd /opt
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
Remove the installation files.
rm -rf /opt/csf
rm /opt/csf.tgz
If you use Webmin, then you can install the CSF Webmin module.
Login to Webmin and navigate to the following page.
Webmin > Webmin Configuration > Webmin Modules >
Click “From local file” and insert the following.
/usr/local/csf/csfwebmin.tgz >
Install the module.
]]>On Windows machines, SNMP is run through the ‘SNMP’ service. To change the community string:
On Linux machines, SNMP is commonly run through the net-snmp library:
To prevent abuse:
By default the firewall in Ubuntu is disabled. In this article we’ll explain how to use uncomplicated firewall (ufw) to configure iptables, which you may use this guide on other distributions if ufw is installed.
1. Gain root access within the console/SSH by executing ‘sudo su’
2. Add a rule to allow SSH so we don’t disconnected by executing ‘ufw allow [sshportnumberhere]/tcp’
You also may add other services such as http with ‘ufw allow 80/tcp’
3. Enable the firewall by executing ‘ufw enable’
To allow udp ports, replace tcp with udp. For example: ‘ufw allow portnumberhere/udp’
If you need open a range of ports you can execute ‘ufw allow 100:200/tcp’ to allow connects from port 100 to port 200.
– You may replace ‘tcp’ with ‘udp’ if you need to open udp ports.
If you need to deny a specific IP, execute ‘ufw deny from ipaddresshere’
-You can deny an entire subnet/block by executing ‘ufw deny from ipaddress/subnetprefix’
Removing a rule in the firewall is a very simple task.
1. Execute ‘ufw status numbered’ and look for the rule you’d like to remove.
2. Execute ‘ufw delete rulenumberhere’ to remove the rule.
We suggest if you’re using this command, also remove the IPv6 rules by following steps 2 and 3. Each time you delete a rule, the numbering changes.
==============
Advanced settings
==============
You can specify an IP or IP subnet to only have access to a specific port. For this example: SSH.
1. We need to add the rule to allow the IP to connect port 22 and ignore all others by executing ‘ufw allow from theipyouwanttopasshere to any port 22 proto tcp’
You can change ‘tcp’ to ‘udp’ if you need to open an udp port.
2. Remove any other rule that allows port 22 to all connections by executing ‘ufw status numbered’
3. Remove the rule by executing ‘ufw delete rulenumberhere’
We suggest if you’re using this command, also remove the IPv6 rules by following steps 2 and 3. Each time you delete a rule, the numbering changes.
Also please keep in mind that when you apply this rule, if you’re not in the IP or in the IP subnet specified, you will get disconnected.
]]>On Windows machines, SSDP is run through the ‘SSDP Discovery’ service. To disable this:
On Linux machines SSDP is generally run through some type of UPNP server. The exact one varies significantly.
For Linux, we suggest blocking this with an iptables rule, such as:
iptables -I INPUT 1 -p udp -m udp –dport 1900 -j DROP
]]>On Windows machines, you can disable recursive DNS:
On Linux machines, there are a few common DNS servers:
BIND:
Open your BIND configuration file
In the ‘options’ section, make sure you have ‘recursion no;’ and ‘additional-from-cache no;’
Restart BIND after making any changes
DNSMasq:
Unfortunately, there is not a straight forward way to disable this within DNSMasq. You would either need to modify the DNSMasq configuration so that it no longer listens on public IP addresses, or firewall off UDP port 53 to all hosts except your desired ones.
If for some reason you cannot make the necessary changes and you are not hosting your own DNS, we would suggest that you firewall off all incoming UDP port 53 traffic.
]]>1. Login as the server as root (or gain root access by executing ‘sudo su’)
2. Check to see the status of the firewall by executing ‘ufw status’
If the firewall is active then we need to add a rule to allow connections for our new SSH port.
This can be done by executing ‘ufw allow newportnumberhere/tcp’
3. Execute ‘nano /etc/ssh/sshd_config’ and look for the line that contains ‘Port 22’
4. Change the number ’22’ to any unused port you’d like
Save and exit by holding down ‘ctrl’ and ‘x’
5. Restart the SSH service by executing ‘restart ssh’ within the command line
For Debian, execute ‘service ssh restart’
6. If you can still access the command line, type ‘ss -tnlp | grep ssh’ to verify SSH is listening on the new port. (optional)
7. Start a new SSH session on the new port.
8. Delete the old firewall rule for the old port by executing ‘ufw delete allow 22/tcp’
]]>