In this series of articles we will prepare a freshly installed CentOS 7 server for web development: create a new user, set up private/public key authentication, disable root login, disable password authentication, enable the firewall and fail2ban, and set up time synchronization. Then we will install LAMP and NodeJS.

0. Prerequisites

sudo su # execute all commands as root
yum install nano # skip this if you prefer another text editor

1. Create new user and grant root privileges

adduser bob # create user bob
passwd bob # set password for bob
gpasswd -a bob wheel # add bob to the wheel group, which grants sudo privileges

2. Generate key pair to authenticate on the server

On the client (e.g. your home machine) we have to generate a private/public key pair. It will be used to authenticate to the server instead of a password.

ssh-keygen -t rsa # add -b 4096 for a larger key; a passphrase is optional but recommended

It will create two files, ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub. The former (id_rsa) is your private key and never leaves the client; id_rsa.pub is your public key and is what gets copied to the server.

We have to restrict the permissions of the private key on the client:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa

3. Copy public key to the server

Log in as your new user in a new ssh session. Then the public key has to be copied to the server and appended to the authorized_keys list of the new user:

mkdir -p ~/.ssh # the directory does not exist yet for a fresh user
cat id_rsa.pub >> ~/.ssh/authorized_keys # do it on the server, then delete the copied id_rsa.pub

Then set permissions on the authorized_keys file (on the server):

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

Make sure that the SELinux contexts of the new files are set correctly, otherwise sshd may not be allowed to read them:

restorecon -Rv ~/.ssh

4. Test new user

Don't close the current ssh (root) session yet. Try connecting to your server with the new user and private key.

If everything is OK, ssh won't ask you for a password (unless you set a passphrase when generating the keys, in which case it asks for the passphrase instead).

If key authentication fails for some reason, ssh falls back to asking for the password.

Now we can protect our server.

5. Protect ssh

Let's protect ssh by changing the default port number and blocking root login and password authentication. We will also force protocol 2.

nano /etc/ssh/sshd_config

Add the following lines to /etc/ssh/sshd_config (or uncomment and change the existing ones). Keep the comments on their own lines: sshd refuses to start when a directive line carries a trailing comment ("garbage at end of line").

# use a high-numbered port instead of 22
Port 24653
# prevent root login
PermitRootLogin no
# use only key authentication
PasswordAuthentication no
# use only protocol 2
Protocol 2

Then restart sshd:

systemctl restart sshd

Try connecting to your server on the new port (24653 in this example); it should work fine. You shouldn't be able to connect as the root user anymore and will have to use sudo.

If you have trouble connecting to the new port, check the next section: sometimes firewalld is already installed and blocks the unknown port, so you will have to add it.
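A small audit script for the sshd_config edits above, added here as an example and not part of the original tutorial. It takes the config path and expected port as arguments, reports the effective value of each directive, and flags the trailing-comment mistake that makes sshd refuse the file.

```shell
#!/bin/sh
# Added example, not from the original tutorial: audit an sshd_config for the
# three directives set in this section before you restart sshd. The file path
# and port are arguments; nothing here is specific to a real host.

# effective_value FILE KEY -> prints the first uncommented value of KEY.
# sshd uses the first occurrence of a directive, so that is the one that counts.
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }                        # comment line
        tolower($1) == tolower(key) { print $2; exit }  # first match wins
    ' "$1"
}

# sshd_hardening_check FILE PORT -> 0 if Port, PermitRootLogin and
# PasswordAuthentication are as expected, 1 otherwise (problems are printed).
sshd_hardening_check() {
    file="$1"; want_port="$2"; rc=0
    port=$(effective_value "$file" Port)
    root=$(effective_value "$file" PermitRootLogin)
    pass=$(effective_value "$file" PasswordAuthentication)
    [ "$port" = "$want_port" ] ||
        { echo "Port is '${port:-22 (default)}', expected $want_port"; rc=1; }
    [ "$root" = "no" ] ||
        { echo "PermitRootLogin is '${root:-unset}', expected no"; rc=1; }
    [ "$pass" = "no" ] ||
        { echo "PasswordAuthentication is '${pass:-unset}', expected no"; rc=1; }
    # A trailing "# comment" on a directive line makes sshd refuse the whole
    # file ("garbage at end of line"), so flag that too.
    if grep -Eq '^[[:space:]]*[A-Za-z]+[[:space:]]+[^#[:space:]]+[[:space:]]+#' "$file"; then
        echo "inline comment found; sshd does not allow trailing comments"; rc=1
    fi
    return "$rc"
}

# Run against the real config when present (the tutorial edits this file).
if [ -r /etc/ssh/sshd_config ]; then
    if sshd_hardening_check /etc/ssh/sshd_config 24653; then
        echo "sshd_config looks good"
    fi
fi
```

Finish with `sshd -t`, which makes sshd itself parse the file and report syntax errors. On a SELinux-enforcing CentOS 7 host also label the new port before restarting (semanage port -a -t ssh_port_t -p tcp 24653, from the policycoreutils-python package), otherwise sshd is not allowed to bind it.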

6. Install firewall

yum install firewalld # in case it's not installed
systemctl start firewalld

Since the firewall isn't aware of our changed ssh port yet, we need to add it:

firewall-cmd --permanent --remove-service=ssh # remove the ssh service (port 22) in case firewalld was already configured
firewall-cmd --permanent --add-port=24653/tcp # open the new port

We plan to run additional services and have to open the firewall for them explicitly.

Enable the http service:

firewall-cmd --permanent --add-service=http

If you need a web server with SSL/TLS, enable the https service too:

firewall-cmd --permanent --add-service=https

If you need to open other ports later, you can do it the same way.

To list the other predefined services, use this command:

firewall-cmd --get-services

Now let's load all the rules we added (the --permanent changes are not active until then):

firewall-cmd --reload

Again, connect to the server to test everything. Then make the firewall start on boot:

systemctl enable firewalld

7. Time synchronization

timedatectl set-timezone UTC # set your desired timezone
timedatectl # check timezone
yum install ntp # synchronize with public NTP servers
systemctl start ntpd
systemctl enable ntpd # start on boot

8. Installing fail2ban

Fail2ban bans IPs that misbehave (too many failed logins, etc.). We will install it from the EPEL repository, so you will get updates as they are released. Other tutorials show how to install the rpm from other repos; that may work, but do it at your own risk.

Install EPEL and fail2ban on CentOS 7:

yum install epel-release
yum install fail2ban

No jails are enabled by default, so let's create a basic sshd jail:

nano /etc/fail2ban/jail.local

Add the following. Keep comments on their own lines, as in the stock jail.conf, and note that bantime is in seconds:

[DEFAULT]
# ban hosts for two hours (3600 would be one hour)
bantime = 7200
# block hosts with firewalld
banaction = firewallcmd-ipset

[sshd]
enabled = true
# our ssh port
port = ssh,sftp,24653
destemail = your@email.com
logpath = %(sshd_log)s

Save the file and start fail2ban:

systemctl start fail2ban

Have it start at boot:

systemctl enable fail2ban

To restart it after changing the configuration:

systemctl restart fail2ban

Check the log file:

sudo tail /var/log/fail2ban.log
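To see what the sshd jail above is actually reacting to, here is the core of its logic as a small log audit: count failed password logins per source address and list the sources that reach maxretry. This is an added example, not part of the original tutorial or of fail2ban; the sample log lines are constructed in the syslog format sshd writes to /var/log/secure on CentOS 7.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: the core of what the sshd
# jail configured above does, written as a small log audit so you can see which
# sources fail2ban would ban. It reads syslog-style sshd lines like those in
# /var/log/secure on CentOS 7; the sample log below is constructed.

# failed_logins_by_ip LOGFILE -> "<count> <ip>" per source, most failures first.
# Only "Failed password for ..." lines are counted (one of the sshd filter's patterns).
failed_logins_by_ip() {
    awk '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) print fails[ip], ip }
    ' "$1" | sort -rn
}

# ban_candidates LOGFILE MAXRETRY -> IPs with at least MAXRETRY failures.
# fail2ban additionally requires the failures to fall within findtime; that
# window is left out here to keep the example short.
ban_candidates() {
    failed_logins_by_ip "$1" | awk -v max="$2" '$1 >= max { print $2 }'
}

# Constructed sample log using RFC 5737 documentation addresses.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
Mar  3 10:01:02 web1 sshd[1201]: Failed password for root from 203.0.113.7 port 50122 ssh2
Mar  3 10:01:05 web1 sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 50130 ssh2
Mar  3 10:01:09 web1 sshd[1205]: Accepted publickey for bob from 198.51.100.4 port 40010 ssh2
Mar  3 10:01:12 web1 sshd[1207]: Failed password for root from 203.0.113.7 port 50141 ssh2
Mar  3 10:01:20 web1 sshd[1209]: Failed password for bob from 198.51.100.4 port 40012 ssh2
Mar  3 10:01:31 web1 sshd[1211]: Failed password for invalid user test from 203.0.113.7 port 50150 ssh2
Mar  3 10:01:40 web1 sshd[1213]: Failed password for invalid user oracle from 203.0.113.7 port 50160 ssh2
EOF

echo "failed logins per source:"
failed_logins_by_ip "$sample_log"
echo "would be banned with maxretry=5 (fail2ban's default):"
ban_candidates "$sample_log" 5
```

On the live server, `fail2ban-client status sshd` shows the jail's current failure counts and banned addresses, which should agree with what this audit reports for /var/log/secure.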

Try to connect to your server again, and if everything works fine, congratulations! You have just configured and protected your CentOS 7 server.

In the next article we will install LAMP stack. Stay tuned.