Introduction
A newly activated CentOS 7 server has to be customized before it can be put into use as a production system. In this article, the most important customizations that you’ll have to make are given in an easy-to-understand manner.
Prerequisites
A newly activated CentOS 7 server, preferably set up with SSH keys. Log into the server as root.
ssh -l root server-ip-address
Step 1: Create a Standard User Account
For security reasons, it is not advisable to perform daily computing tasks using the root account. Instead, it is recommended to create a standard user account that will use sudo to gain administrative privileges. For this tutorial, assume that we’re creating a user named joe. To create the user account, type:
adduser joe
Set a password for the new user. You’ll be prompted to input and confirm a password.
passwd joe
Add the new user to the wheel group so that it can assume root privileges using sudo.
gpasswd -a joe wheel
Finally, open another terminal on your local machine and use the following command to add your SSH key to the new user’s home directory on the remote server. You will be prompted to authenticate before the SSH key is installed.
ssh-copy-id joe@server-ip-address
After the key has been installed, log into the server using the new user account.
ssh -l joe server-ip-address
If the login is successful, you may close the other terminal. From now on, all commands will be preceded with sudo.
Step 2: Disallow Root Login and Password Authentication
Since you can now log in as a standard user using SSH keys, a good security practice is to configure SSH so that root login and password authentication are both disallowed. Both settings live in the SSH daemon’s configuration file, so open it using nano.
sudo nano /etc/ssh/sshd_config
Look for the PermitRootLogin line, uncomment it and set the value to no.
PermitRootLogin no
Do the same for the PasswordAuthentication line, which should be uncommented already:
PasswordAuthentication no
Save and close the file. To apply the new settings, reload SSH.
sudo systemctl reload sshd
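Before reloading, it is worth confirming that the two settings are actually in effect: sshd honours only the first uncommented occurrence of a keyword in the global section, so a duplicate line above the one you edited, or a setting placed after a Match block, silently changes the result. The functions below are an added example, not part of the original article; they assume standard sshd_config syntax and do not handle the optional Keyword=value spelling.

```shell
#!/bin/sh
# Added example (not from the original article): report the *effective* value of
# an sshd_config keyword before reloading sshd. sshd takes the first uncommented
# occurrence of a keyword and ignores later duplicates, so a stray
# "PermitRootLogin yes" above the line you edited silently wins. Only the global
# section is scanned: keywords after a "Match" line are conditional overrides.
# Assumption: the "Keyword value" form only; "Keyword=value" is not handled.

# effective_sshd_value FILE KEYWORD -> prints the effective value, nothing if unset
effective_sshd_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF < 2        { next }              # comment or blank line
        tolower($1) == "match"      { exit }              # global section ends here
        tolower($1) == tolower(key) { print $2; exit }    # first hit wins, like sshd
    ' "$1"
}

# require_no FILE KEYWORD -> 0 if the effective value is "no", 1 otherwise
require_no() {
    [ "$(effective_sshd_value "$1" "$2")" = "no" ]
}

# check_sshd_hardening FILE -> 0 only when both Step 2 settings are in effect.
# An unset PasswordAuthentication counts as a failure: sshd's default is "yes".
check_sshd_hardening() {
    require_no "$1" PermitRootLogin && require_no "$1" PasswordAuthentication
}

# Usage on the server, before "sudo systemctl reload sshd":
#   check_sshd_hardening /etc/ssh/sshd_config && echo "sshd hardened" || echo "NOT hardened"
```

Run `sudo sshd -t` as well to catch syntax errors before the reload, and keep the current session open until a fresh login as joe succeeds.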
Step 3: Configure the Time Zone
By default, the time on the server is given in UTC. It is best to configure it to show the local time zone. To accomplish that, locate the zone file of your country/geographical area in the /usr/share/zoneinfo directory and create a symbolic link to it at /etc/localtime. For example, if you’re in the eastern part of the US, you’ll create the symbolic link using:
sudo ln -sf /usr/share/zoneinfo/US/Eastern /etc/localtime
Afterwards, verify that the time is now given in local time by running the date command. The output should be similar to:
Tue Jun 16 15:35:34 EDT 2015
The EDT in the output confirms that it’s localtime.
Step 4: Enable the IPTables Firewall
By default, the active firewall application on a newly activated CentOS 7 server is FirewallD. Though it is a good replacement for IPTables, many security applications still do not have support for it. So if you’ll be using any of those applications, like OSSEC HIDS, it’s best to disable/uninstall FirewallD.
Let’s start by disabling/uninstalling FirewallD:
sudo yum remove -y firewalld
Now, let’s install/activate IPTables.
sudo yum install -y iptables-services
sudo systemctl start iptables
Configure IPTables to start automatically at boot time.
sudo systemctl enable iptables
IPTables on CentOS 7 comes with a default set of rules, which you can view with the following command.
sudo iptables -L -n
The output will resemble:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
You can see that one of those rules allows SSH traffic, so your SSH session is safe.
Because those rules are runtime rules and will be lost on reboot, it’s best to save them to a file using:
sudo /usr/libexec/iptables/iptables.init save
That command will save the rules to the /etc/sysconfig/iptables file. You can edit the rules anytime by changing this file with your favorite text editor.
Step 5: Allow Additional Traffic Through the Firewall
Since you’ll most likely use your new server to host some websites at some point, you’ll have to add new rules to the firewall to allow HTTP and HTTPS traffic. To accomplish that, open the IPTables file:
sudo nano /etc/sysconfig/iptables
Just after or before the SSH rule, add the rules for HTTP (port 80) and HTTPS (port 443) traffic, so that this portion of the file looks like the following:
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
Save and close the file, then reload IPTables.
sudo systemctl reload iptables
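Because iptables stops at the first matching rule, where the new lines land relative to the catch-all REJECT decides whether ports 80 and 443 actually open. The check below is an added example, not part of the original article; it assumes a rules file in the /etc/sysconfig/iptables format shown above and only inspects TCP rules in the INPUT chain.

```shell
#!/bin/sh
# Added example (not from the original article): sanity-check a rules file in the
# /etc/sysconfig/iptables format from Step 5. iptables uses first-match, so an
# ACCEPT placed after the catch-all "-A INPUT -j REJECT" line never fires and the
# port stays closed even though the rule "is in the file".

# input_port_open FILE PORT -> 0 if an "-A INPUT ... -p tcp ... --dport PORT ... -j ACCEPT"
# rule appears before the INPUT chain's catch-all REJECT; 1 otherwise
input_port_open() {
    awk -v port="$2" '
        /^-A INPUT / && /-j REJECT/ && !/--dport/ { exit }   # catch-all reached: stop
        /^-A INPUT / && /-p tcp/ && /-j ACCEPT/ {
            for (i = 1; i < NF; i++)
                if ($i == "--dport" && $(i + 1) == port) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# check_web_rules FILE -> prints the state of the ports opened in Steps 4 and 5;
# returns 0 only if all three are reachable
check_web_rules() {
    ok=0
    for p in 22 80 443; do
        if input_port_open "$1" "$p"; then
            echo "port $p/tcp: ACCEPT precedes REJECT"
        else
            echo "port $p/tcp: NOT reachable (missing, or placed after the REJECT rule)"
            ok=1
        fi
    done
    return $ok
}

# Usage on the server, before "sudo systemctl reload iptables":
#   check_web_rules /etc/sysconfig/iptables
```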
With the above step completed, your CentOS 7 server should now be reasonably secure and be ready for use in production.