<h1>Initial Setup of a CentOS 7 Server</h1>
<p>Published: 2020-03-21</p>

<h3>Introduction</h3>

<p>A newly activated CentOS 7 server has to be customized before it can be put into use as a production system. This article walks through the most important customizations you’ll have to make.</p>

<h3>Prerequisites</h3>

<p>A newly activated CentOS 7 server, preferably set up with SSH keys. Log into the server as root.</p>

<pre><code>ssh -l root server-ip-address
</code></pre>

<h3>Step 1: Create a Standard User Account</h3>

<p>For security reasons, it is not advisable to perform daily computing tasks using the root account. Instead, create a standard user account that uses <code>sudo</code> to gain administrative privileges. For this tutorial, assume that we’re creating a user named <strong>joe</strong>. To create the user account, type:</p>

<pre><code>adduser joe
</code></pre>

<p>Set a password for the new user. You’ll be prompted to input and confirm a password.</p>

<pre><code>passwd joe
</code></pre>

<p>Add the new user to the <strong>wheel</strong> group so that it can assume root privileges using <code>sudo</code>.</p>

<pre><code>gpasswd -a joe wheel
</code></pre>

<p>Finally, open another terminal on your local machine and use the following command to add your SSH public key to the new user’s home directory on the remote server. You will be prompted to authenticate before the SSH key is installed.</p>

<pre><code>ssh-copy-id joe@server-ip-address
</code></pre>

<p>After the key has been installed, log into the server using the new user account.</p>

<pre><code>ssh -l joe server-ip-address
</code></pre>

<p>If the login is successful, you may close the other terminal. From now on, all commands will be prefixed with <code>sudo</code>.</p>

<h3>Step 2: Disallow Root Login and Password Authentication</h3>

<p>Since you can now log in as a standard user using SSH keys, a good security practice is to configure SSH so that root login and password authentication are both disallowed. Both settings have to be configured in the SSH daemon’s configuration file, so open it using <code>nano</code>.</p>

<pre><code>sudo nano /etc/ssh/sshd_config
</code></pre>

<p>Look for the <strong>PermitRootLogin</strong> line, uncomment it and set the value to <strong>no</strong>.</p>

<pre><code>PermitRootLogin     no
</code></pre>

<p>Do the same for the <code>PasswordAuthentication</code> line, which should be uncommented already:</p>

<pre><code>PasswordAuthentication      no
</code></pre>

<p>Save and close the file. To apply the new settings, reload SSH.</p>

<pre><code>sudo systemctl reload sshd
</code></pre>
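<p>A pre-reload check for Step 2, added here as an example and not part of the original article: it reports the value sshd will actually use for each keyword, which catches the common mistake of appending a new line below an existing active one. The function names and the two sample files are assumptions constructed for the demonstration.</p>

```shell
#!/bin/sh
# Added example, not from the original article.
# sshd uses the FIRST occurrence of a keyword, keywords are case-insensitive,
# and lines after a "Match" line are conditional overrides, not global values.
sshd_effective() {   # usage: sshd_effective KEYWORD FILE
    awk -v want="$1" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        { sub(/[ \t]*=[ \t]*/, " "); key = tolower($1) }  # accept "Key=value"
        key == "match" { exit }                   # global section ends here
        key == want { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }         # compiled-in default applies
    ' "$2"
}

# Returns 0 only when both settings from Step 2 are effectively "no".
sshd_hardening_check() {   # usage: sshd_hardening_check FILE
    check_rc=0
    for kw in PermitRootLogin PasswordAuthentication; do
        val=$(sshd_effective "$kw" "$1")
        if [ "$val" = "no" ]; then
            echo "ok:   $kw $val"
        else
            echo "FAIL: $kw is '$val', expected 'no'"
            check_rc=1
        fi
    done
    return "$check_rc"
}

# Constructed sample: "no" was appended below an existing active line and
# PermitRootLogin was left commented out.
BAD_CONF=$(mktemp)
cat > "$BAD_CONF" <<'EOF'
#PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
passwordauthentication no
EOF

# Constructed sample: both lines edited in place, as the article instructs.
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
PermitRootLogin     no
PasswordAuthentication      no
EOF

sshd_hardening_check "$BAD_CONF"  || echo "=> fix the file before reloading sshd"
sshd_hardening_check "$GOOD_CONF" && echo "=> safe to reload"
```

<p>On the server itself, <code>sudo sshd -t</code> checks the file for syntax errors before the reload. Keep the current session open until a second login as joe succeeds.</p>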

<h3>Step 3: Configure the Time Zone</h3>

<p>By default, the time on the server is given in UTC. It is best to configure it to show the local time zone. To accomplish that, locate the zone file of your country/geographical area in the <code>/usr/share/zoneinfo</code> directory and create a symbolic link at <code>/etc/localtime</code> that points to it. For example, if you’re in the eastern part of the US, you’ll create the symbolic link using:</p>

<pre><code>sudo ln -sf /usr/share/zoneinfo/US/Eastern /etc/localtime
</code></pre>

<p>Afterwards, verify that the time is now given in local time by running the <code>date</code> command. The output should be similar to:</p>

<pre><code>Tue Jun 16 15:35:34 EDT 2015
</code></pre>

<p>The <strong>EDT</strong> in the output confirms that it’s local time.</p>

<h3>Step 4: Enable the IPTables Firewall</h3>

<p>By default, the active firewall application on a newly activated CentOS 7 server is FirewallD. Though it is a good replacement for IPTables, many security applications still do not have support for it. So if you’ll be using any of those applications, like OSSEC HIDS, it’s best to disable/uninstall FirewallD.</p>

<p>Let’s start by disabling/uninstalling FirewallD:</p>

<pre><code>sudo yum remove -y firewalld
</code></pre>

<p>Now, let’s install/activate IPTables.</p>

<pre><code>sudo yum install -y iptables-services
sudo systemctl start iptables
</code></pre>

<p>Configure IPTables to start automatically at boot time.</p>

<pre><code>sudo systemctl enable iptables
</code></pre>

<p>IPTables on CentOS 7 comes with a default set of rules, which you can view with the following command.</p>

<pre><code>sudo iptables -L -n
</code></pre>

<p>The output will resemble:</p>

<pre><code>Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
</code></pre>

<p>You can see that one of those rules allows SSH traffic, so your SSH session is safe.</p>

<p>Because those rules are runtime rules and will be lost on reboot, it’s best to save them to a file using:</p>

<pre><code>sudo /usr/libexec/iptables/iptables.init save
</code></pre>

<p>That command will save the rules to the <code>/etc/sysconfig/iptables</code> file. You can edit the rules anytime by changing this file with your favorite text editor.</p>

<h3>Step 5: Allow Additional Traffic Through the Firewall</h3>

<p>Since you’ll most likely use your new server to host websites at some point, you’ll have to add new rules to the firewall to allow HTTP and HTTPS traffic. To accomplish that, open the IPTables rules file:</p>

<pre><code>sudo nano /etc/sysconfig/iptables
</code></pre>

<p>Just after or before the SSH rule, add the rules for HTTP (port 80) and HTTPS (port 443) traffic, so that this portion of the file appears as shown in the code block below. The new rules must sit above the final REJECT line, because rules are evaluated in order.</p>

<pre><code>-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
</code></pre>

<p>Save and close the file, then reload IPTables.</p>

<pre><code>sudo systemctl reload iptables
</code></pre>
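<p>A rule-order check for the file edited in Step 5, added here as an example and not part of the original article: it lists INPUT rules that sit below the catch-all REJECT (and so never match) and reports whether a given TCP port has a reachable ACCEPT. The function names and the sample rules file are assumptions constructed for the demonstration, and only an unconditional REJECT or DROP is treated as the catch-all.</p>

```shell
#!/bin/sh
# Added example, not from the original article.
# iptables walks a chain top to bottom and stops at the first terminating
# match, so an ACCEPT placed after the catch-all REJECT can never match.
unreachable_input_rules() {   # usage: unreachable_input_rules RULES_FILE
    awk '
        $1 != "-A" || $2 != "INPUT" { next }
        # Catch-all: a REJECT/DROP with no match options, "-A INPUT -j REJECT ..."
        !blocked && $3 == "-j" && ($4 == "REJECT" || $4 == "DROP") { blocked = NR; next }
        blocked { print NR ": " $0 }              # file line number and the dead rule
    ' "$1"
}

# Exit status 0 when PORT has a TCP ACCEPT rule above the catch-all.
port_allowed() {   # usage: port_allowed PORT RULES_FILE
    awk -v port="$1" '
        $1 != "-A" || $2 != "INPUT" { next }
        $3 == "-j" && ($4 == "REJECT" || $4 == "DROP") { exit }
        / -p tcp / && / -j ACCEPT/ {
            for (i = 1; i < NF; i++)
                if ($i == "--dport" && $(i + 1) == port) { ok = 1; exit }
        }
        END { exit (ok ? 0 : 1) }
    ' "$2"
}

# Constructed sample: the HTTPS rule was pasted at the end of the chain.
RULES=$(mktemp)
cat > "$RULES" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
COMMIT
EOF

unreachable_input_rules "$RULES"
for p in 22 80 443; do
    if port_allowed "$p" "$RULES"; then
        echo "tcp/$p: allowed"
    else
        echo "tcp/$p: no reachable ACCEPT"
    fi
done
```

<p>Run it against a copy of <code>/etc/sysconfig/iptables</code> before reloading, and confirm that port 22 is still reported as allowed so the reload does not cut off your SSH session.</p>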

<p>With the above step completed, your CentOS 7 server should now be reasonably secure and ready for use in production.</p>