Security-Enhanced Linux (SELinux) is an enhanced security mechanism at the kernel level. Follow this guide to reinstall SELinux and reset the policy to default settings. If SELinux is not already installed, go directly to step 2.

Perform these steps as a sudo-enabled user, or root. This guide has been tested on:

• CentOS 8
• CentOS 7
• CentOS 6

1. Disable and Remove SELinux

# setenforce 0

# yum remove selinux-policy\*

# rm -rf /etc/selinux/targeted /etc/selinux/config

2. Install SELinux

# yum install selinux-policy-targeted

# yum install selinux-policy-devel policycoreutils

# touch /.autorelabel; reboot

SELinux will detect the /.autorelabel file on reboot, and then relabel all files with the correct SELinux contexts. If you have many files, the instance may be unavailable for a long time.

AKLWEB HOST provides a feature that allows you to pre-install SSH keys when creating a new instance, so you can SSH to the instance as root with the key. However, the key doesn’t work for non-root users. This tutorial describes three methods to use SSH keys with non-root users.

Requirements

• A AKLWEB HOST Linux or BSD instance
• A non-root user account (it is example_user in this tutorial)

Option 1: Create a New SSH Key

1. SSH to the instance as root.
2. Create an SSH key for example_user.# sudo -u example_user ssh-keygen Generating public/private rsa key pair. Enter file in which to save the key (/home/example_user/.ssh/id_rsa): Created directory '/home/example_user/.ssh'. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/example_user/.ssh/id_rsa Your public key has been saved in /home/example_user/.ssh/id_rsa.pub
3. Save the private key, /home/example_user/.ssh/id_rsa, to your computer. For example, you might copy it to your local .ssh folder as ~/.ssh/example_user_id_rsa.
4. Delete the private key from your instance.# rm /home/example_user/.ssh/id_rsa
5. Rename the public key to authorized_keys.# mv /home/example_user/.ssh/id_rsa.pub /home/example_user/.ssh/authorized_keys

If you saved the private key as ~/.ssh/example_user_id_rsa, you can SSH to the server as your non-root example_user:

$ ssh -i ~/.ssh/example_user_id_rsa example_user@192.0.2.123

Option 2: Move the root SSH Key to the Non-root User

In this case, we’ll move the root key to the example_user, which also disables the root user’s SSH key access.

1. SSH to the instance as root.
2. Create the .ssh directory for example_user.# mkdir /home/example_user/.ssh
3. Move the root key to example_user’s SSH directory.# mv /root/.ssh/authorized_keys /home/example_user/.ssh/
4. Change the ownership of the .ssh directory from root to example_user so OpenSSH can read it.# chown -R example_user:example_user /home/example_user/.ssh

Option 3: Use Startup Scripts

If you are deploying many instances, you may use the AKLWEB HOST Startup Scripts feature to create a non-root user and move the SSH key automatically.

Create a Startup Script

1. Select Scripts in the Customer Portal.
2. Click the plus button to create a new startup script.
3. Paste the following script.#!/bin/sh useradd -m -s /bin/bash example_user mv /root/.ssh /home/example_user/ chown -R example_user:example_user /home/example_user/.ssh

You can deploy instances with this script and one or more SSH keys. When the instance deploys, the script creates example_user, then moves the public SSH keys from root to example_user. Now you can SSH to the new instance as example_user with the keys you provided.

Create a new user

As the root user, you have privileges to do anything that you want with the server – no restrictions. Because of this, it is better to avoid using the root user account for every task on your server. Let’s start by making a new user. Replace username with the desired user name:

adduser username

Choose a new secure password and respond to the questions accordingly (or just hit ENTER to use the default value).

Giving user root privileges

New user accounts don’t have privileges outside of their home folder and cannot run commands that will alter the server (like install, update, or upgrade). To avoid the use of the root account, we will give the user root privileges. There are two ways of doing this:

Adding user to sudo group

The easy way is to add the user to the sudo group. Replace username with the desired user name:

adduser username sudo

This will add the user to the group sudo. This group has the privilege of running the commands with sudo access.

Modifying sudoers file

The other way is to put your user in the sudoers file. If your server has multiple users with root privileges, then this approach is somewhat better because if someone messes with the sudo group, you will be still able to run commands with root privileges to work on the server.

First, run this command:

visudo

This will open the sudoers file. This file contains the definitions of groups and users who can run commands with root privileges.

root    ALL=(ALL:ALL) ALL

After this line, write your user name and grant it full root privileges. Replace username accordingly:

username    ALL=(ALL:ALL) ALL

Save and close the file (Ctrl + O and Ctrl + X in nano).

Testing your new user

To login to your new user account without logout and login, simply call:

su username

Test sudo permissions using this command:

sudo apt-get update

The shell will ask for your password. If sudo was configured properly, then your repositories should be updated. Otherwise, review the previous steps.

Now, logout from the new user:

exit

Sudo setup is complete.

Securing SSH

The next part of this guide involves securing the ssh login to the server. First, change the root password:

passwd root

Choose something hard to guess, but that you can remember.

SSH key

SSH keys are a safer way to login. If you are not interested in SSH keys, skip to the next part of the tutorial.

Use the following AKLWEB Host Doc to make an SSH key: How Do I Generate SSH Keys?

After you get your public key, login with your new user again.

su username

Now make the .ssh directory and the authorized_keys file in the home directory of that user account.

cd ~
mkdir .ssh
chmod 700 .ssh
touch .ssh/authorized_keys

Add the public key that you generated from the other tutorial to the authorized_keys file.

 nano .ssh/authorized_keys

Save the file, then change the permissions of that file.

chmod 600 .ssh/authorized_keys

Return to the root user.

exit

SSH configuration

Now we will make the SSH daemon more secure. Let’s start with the config file:

nano /etc/ssh/sshd_config

Change SSH inbound port

This step will change the port used to access the server, it is entirely optional but recommended.

Find the line with the Port config, should look like this:

Port 22

Now change this port to any port that you want. It must be greater than 1024.

Port 4422

Disable root ssh login

This step will disable root login through SSH, it is entirely optional but highly recommended.

Find this line:

PermitRootLogin yes

… and change it to:

PermitRootLogin no

This will make the server more secure against bots that try brute force and/or common passwords with user root and port 22.

Disable X11 forward

This step will disable X11 forwarding, don’t do this if you use some remote desktop program to access to your server.

Find the X11 line:

X11Forwarding yes

… and it change to:

X11Forwarding no

Restart SSH daemon

Now that we made the changes to secure the SSH Login, restart the SSH service:

service ssh restart

This will restart and reload the server settings.

Testing changes

Without disconnecting your current ssh session, open a new terminal or PuTTY window and test another SSH login.

ssh -p 4422 username@SERVER_IP_OR_DOMAIN

If everything checks out, we have successfully hardened the security of your server. Enjoy!

CentOS 7 uses firewalld rather than iptables. A quick internet search will show that many faithful CentOS users find firewalld far too complicated for their needs and are reverting back to iptables. Iptables was the standard firewall for CentOS 5 and 6.

This guide shows you how to disable firewalld, install IP tables, CSF dependencies, and CSF.

Install CSF

Stop and disable firewalld.

   systemctl disable firewalld
   systemctl stop firewalld

Install iptables.

   yum -y install iptables-services

Create files needed by iptables.

  touch /etc/sysconfig/iptables
  touch /etc/sysconfig/iptables6

Start iptables.

  systemctl start iptables
  systemctl start ip6tables

Enable iptables at boot.

  systemctl enable iptables
  systemctl enable ip6tables

Install the CSF dependencies.

  yum -y install wget perl unzip net-tools perl-libwww-perl perl-LWP-Protocol-https perl-GDGraph -y

Download and launch the CSF installer.

  cd /opt
  wget https://download.configserver.com/csf.tgz
  tar -xzf csf.tgz
  cd csf
  sh install.sh

Remove the installation files.

 rm -rf /opt/csf
 rm /opt/csf.tgz 

(Optional) Webmin integration

If you use Webmin, then you can install the CSF Webmin module.

Login to Webmin and navigate to the following page.

Webmin > Webmin Configuration > Webmin Modules >

Click “From local file” and insert the following.

  /usr/local/csf/csfwebmin.tgz > 

Install the module.

On Windows machines, SNMP is run through the ‘SNMP’ service. To change the community string:

1. Open Control Panel -> Administrative Tools -> Services
2. Find ‘SNMP Service’, right click it, and choose Properties
3. On the Security tab, click the ‘Add’ button near ‘Accepted community names’
4. Enter a secure password for this (do not reuse any existing password)
5. Make sure to remove any insecure passwords (default values such as ‘public’ or ‘private’ are commonly abused)
6. Click OK
7. Restart the SNMP service

On Linux machines, SNMP is commonly run through the net-snmp library:

1. Open your snmpd.conf file (usually /etc/snmp/snmpd.conf)
2. Find the line that looks like: ‘com2sec notConfigUser default public’ (the line will begin with com2sec and end with a password. In this example, the password is ‘public’)
3. Change the ‘public’ at the end of the line to a more secure password
4. Restart the SNMP server with: ‘service snmpd restart’

To prevent abuse:

1. Open your ntp.conf file (generally in /etc/ntp.conf)
2. Remove any existing lines that begin with ‘restrict’
3. Add the following four lines to the beginning of the file:
4. restrict default kod limited nomodify notrap nopeer noquery
5. restrict -6 default kod limited nomodify notrap nopeer noquery
6. restrict 127.0.0.1
7. restrict -6 ::1
8. Restart your NTP server with ‘service ntpd restart’ or ‘service ntp restart’

By default the firewall in Ubuntu is disabled. In this article we’ll explain how to use uncomplicated firewall (ufw) to configure iptables, which you may use this guide on other distributions if ufw is installed.

1. Gain root access within the console/SSH by executing ‘sudo su’

2. Add a rule to allow SSH so we don’t disconnected by executing ‘ufw allow [sshportnumberhere]/tcp’

You also may add other services such as http with ‘ufw allow 80/tcp’

3. Enable the firewall by executing ‘ufw enable’

To allow udp ports, replace tcp with udp. For example: ‘ufw allow portnumberhere/udp’

If you need open a range of ports you can execute ‘ufw allow 100:200/tcp’ to allow connects from port 100 to port 200.

– You may replace ‘tcp’ with ‘udp’ if you need to open udp ports.
If you need to deny a specific IP, execute ‘ufw deny from ipaddresshere’

-You can deny an entire subnet/block by executing ‘ufw deny from ipaddress/subnetprefix’
Removing a rule in the firewall is a very simple task.

1. Execute ‘ufw status numbered’ and look for the rule you’d like to remove.

2. Execute ‘ufw delete rulenumberhere’ to remove the rule.

We suggest if you’re using this command, also remove the IPv6 rules by following steps 2 and 3. Each time you delete a rule, the numbering changes.

==============

Advanced settings

==============

You can specify an IP or IP subnet to only have access to a specific port. For this example: SSH.

1. We need to add the rule to allow the IP to connect port 22 and ignore all others by executing ‘ufw allow from theipyouwanttopasshere to any port 22 proto tcp’

You can change ‘tcp’ to ‘udp’ if you need to open an udp port.
2. Remove any other rule that allows port 22 to all connections by executing ‘ufw status numbered’

3. Remove the rule by executing ‘ufw delete rulenumberhere’

We suggest if you’re using this command, also remove the IPv6 rules by following steps 2 and 3. Each time you delete a rule, the numbering changes.

Also please keep in mind that when you apply this rule, if you’re not in the IP or in the IP subnet specified, you will get disconnected.

On Windows machines, SSDP is run through the ‘SSDP Discovery’ service. To disable this:

1. Click Start, type ‘services.msc’
2. Find the SSDP service, right click it, and choose Properties
3. Change ‘Startup Type’ to Disabled
4. Click ‘Stop’
5. Click OK

On Linux machines SSDP is generally run through some type of UPNP server. The exact one varies significantly.

For Linux, we suggest blocking this with an iptables rule, such as:

iptables -I INPUT 1 -p udp -m udp –dport 1900 -j DROP

On Windows machines, you can disable recursive DNS:

1. Open ‘Server Manager’
2. Expand Roles -> DNS Server -> DNS -> (Your Server’s Name)
3. Right click on your server name, choose Properties
4. On the ‘Advanced’ tab, select ‘Disable recursion (also disables forwarders)’
5. Click OK

On Linux machines, there are a few common DNS servers:

BIND:

Open your BIND configuration file
In the ‘options’ section, make sure you have ‘recursion no;’ and ‘additional-from-cache no;’
Restart BIND after making any changes

DNSMasq:

Unfortunately, there is not a straight forward way to disable this within DNSMasq. You would either need to modify the DNSMasq configuration so that it no longer listens on public IP addresses, or firewall off UDP port 53 to all hosts except your desired ones.

If for some reason you cannot make the necessary changes and you are not hosting your own DNS, we would suggest that you firewall off all incoming UDP port 53 traffic.

1. Login as the server as root (or gain root access by executing ‘sudo su’)

2. Check to see the status of the firewall by executing ‘ufw status’
If the firewall is active then we need to add a rule to allow connections for our new SSH port.
This can be done by executing ‘ufw allow newportnumberhere/tcp’

3. Execute ‘nano /etc/ssh/sshd_config’ and look for the line that contains ‘Port 22’

4. Change the number ’22’ to any unused port you’d like

Save and exit by holding down ‘ctrl’ and ‘x’

5. Restart the SSH service by executing ‘restart ssh’ within the command line

For Debian, execute ‘service ssh restart’

6. If you can still access the command line, type ‘ss -tnlp | grep ssh’ to verify SSH is listening on the new port. (optional)

7. Start a new SSH session on the new port.

8. Delete the old firewall rule for the old port by executing ‘ufw delete allow 22/tcp’