Basic Centos 7 setup and security
In this series of articles we will prepare our newly installed Centos 7 for web development: create new user, setup private/public key authentication, disable root access, disable password authentication, enable firewall and file2ban and setup time synchronization. Then we will install LAMP and NodeJS.
1. Create new user and grant root privileges
2. Generate key pair to authenticate on the server
On the client (e.g. your home machine) we have to generate private/public key pair. It will be used to authenticate to the server instead of password.
It will then create two files ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub. The former id_rsa is your private key and id_rsa.pub is your public key.
We have to change permissions of private key on the client
3. Copy public key to the server
Login as your new user into new ssh session. Then public key should be copied to the server and installed to the authorized_keys list of the new user:
Then set public key permissions (on the server)
Make sure that SELinux contexts are set correctly
4. Test new user
Don’t close current ssh (root) session yet. Try connecting to your server with new user and private key.
If everything is ok, ssh won’t ask you for password (if you haven’t set passphrase when generated keys).
If key authentication fails for some reason, ssh will ask for password.
Now we can protect our server.
5. Protect ssh
Let’s protect ssh by changing default port number, blocking root access and password authentication. Also we will force protocol 2.
Add following lines to /etc/ssh/sshd_config
Then restart ssh
Try connecting to your server with new port (24653 in this example), it should work fine. You shouldn’t be able to connect as root user anymore and will have to use sudo.
If you have troubles connecting to different port, check next section. Sometimes firewalld is already installed and blocks unknown port and you will have to add it.
6. Install firewall
Since firewall isn’t aware of ssh yet (and our changed port), we need to add port to firewall.
We plan to run additional services and have to open the firewall for them explicitly.
Enable http service
If you need web server with SSL/TLS, enable https service
If you will need to open other ports, you can do it the same way we did here.
To check other available services, you can use this command
Now let’s load all added exceptions
Again, connect to the server to test everything. Then make firewall load on boot.
7. Time synchronization
8. Installing file2ban
File2ban bans malicious IPs - too many failed logins, etc. We will install it from EPEL repository. Then you will get updates as they are released. There are other tutorials that show how to install rpm from another repos. It may work, but do it at your own risk.
Install EPEL & file2ban for Centos 7
There are no jails configured by default, let’s create basic sshd jail.
Save file and start fail2ban
Have it start at boot
To restart do following
Check the log file
Try to connect to your server again, and if everything works fine, congratulations! You have just configured and protected your Centos 7 server.
In the next article we will install LAMP stack. Stay tuned.