How to configure and secure the server setup on CentOS 7


In this article, we will go through some configuration steps that should be taken for security and usability just after a new server is installed. This will help us in building a solid foundation.

Avoiding the ‘root’ user Login

The root user is the administrator, or superuser, in the Linux environment and has all the privileges on the system. Generally, it is highly recommended not to use the root user directly, as commands or changes made by accident can cause many issues or loss of data.

In the next step, we will set up an alternative user with root rights, which reduces the scope of influence of the day-to-day activities of the system administrators.

Creating a New User

Once we are logged in as the root user, we can create a new user to log into the server with the below command

# adduser manager

Once the user is created, assign a password. It is recommended to use a strong password

# passwd manager

Assign Root Privileges

The new user is created with normal privileges, but some tasks need administrative permissions. For that, we will assign root privileges to the user, who then needs to add ‘sudo’ before any command where root permissions are needed.

To give the user administrative privileges, we need to log in as the root user and add the new user to the “wheel” group. By default in CentOS 7, users in the wheel group are allowed to run commands with “sudo”.

Below is the command to add the new user to the wheel group

# gpasswd -a manager wheel

Adding Public Key Authentication for Login

In this step, we will secure the server by setting up public key authentication for the new user, which increases the security of the server by requiring a private SSH key to log in.

Generating a Key Pair

If we do not have an SSH key pair (which consists of a public and a private key), we need to generate a new one.

Below is the command to generate a new key pair

# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
a3:5d:58:cc:7f:94:30:bf:ae:1e:5c:11:25:f7:96:41 root@server1
The key's randomart image is:
+--[ RSA 2048]----+
|            o +Eo|
|           o + =+|
|            + =.o|
|         o . . + |
|         S . . + |
|         o o . + |
|         . . o . |
|               o |
|              .o |
+-----------------+

By default, if we do not provide a file name, the key files are named id_rsa (the private key) and id_rsa.pub (the public key), as shown in the output above, and are placed in the .ssh directory of the user’s home directory.

Copying the Public Key

After we generate the SSH keys, we need to copy the public key to the server. The private key should not be shared with anyone who should not be accessing the server.

We can copy the public key in two ways

Using ssh-copy-id

If ssh-copy-id is installed, we can use it to install the public key for any other user or machine.

Run the below command to copy the public key

# ssh-copy-id manager@ipaddress-of-machine

The public key will be added to .ssh/authorized_keys of that user on the machine. We need to use the corresponding private key to log into the server.

Adding the Key Manually

Assuming we have already generated the keys, print the public key using the below command

$ cat .ssh/id_rsa.pub

Copy the key printed by the command to the clipboard

We need to add this key to the .ssh/authorized_keys file

If we don’t have the .ssh folder and the authorized_keys file, we need to follow these steps to create them.

$ mkdir .ssh
$ chmod 700 .ssh
$ touch .ssh/authorized_keys
$ chmod 600 .ssh/authorized_keys

Then we need to open the authorized_keys file and paste the text from the clipboard

# vi .ssh/authorized_keys

Paste the text from the clipboard and save the file
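The manual steps above can be scripted so that they are repeatable and reject a private key passed by mistake. This is an added example, not part of the original article; the function name install_pubkey and the sample key are constructed for illustration.

```shell
#!/bin/sh
# Added example: install a public key into authorized_keys, safely and repeatably.

# install_pubkey HOME_DIR PUBKEY_FILE  (hypothetical helper name)
# Returns 0 on success, 1 if the file does not hold a public key line.
install_pubkey() {
    home_dir=$1
    key_file=$2
    ssh_dir="$home_dir/.ssh"
    auth="$ssh_dir/authorized_keys"

    # Refuse a private key passed by mistake.
    if grep -q 'PRIVATE KEY' "$key_file"; then
        echo "refusing: $key_file is a private key" >&2
        return 1
    fi
    # A public key is one line: key type, base64 blob, optional comment.
    key_line=$(grep -E '^(ssh-(rsa|ed25519)|ecdsa-sha2-[a-z0-9-]+) [A-Za-z0-9+/=]+( .*)?$' "$key_file" | head -n 1)
    [ -n "$key_line" ] || { echo "no public key found in $key_file" >&2; return 1; }

    # Same steps as the manual procedure: directory 700, file 600.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth" && chmod 600 "$auth"

    # Append only if the exact line is not already present.
    grep -qxF -e "$key_line" "$auth" || printf '%s\n' "$key_line" >> "$auth"
}

# Demo with a constructed (non-functional) key in a throwaway directory.
demo_home=$(mktemp -d)
printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedSampleKey manager@workstation' > "$demo_home/id_rsa.pub"
install_pubkey "$demo_home" "$demo_home/id_rsa.pub"
install_pubkey "$demo_home" "$demo_home/id_rsa.pub"   # second run adds nothing
wc -l < "$demo_home/.ssh/authorized_keys"
rm -rf "$demo_home"
```

Run it as the target user (here, manager) with that user's home directory as the first argument, so the files end up owned by the account that will log in.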

Disabling the root login using SSH

As we have already created a new user with root or super user permission, we can now disable the root user login using SSH.

Open the ssh configuration file using the below command

# vi /etc/ssh/sshd_config

Here we need to find the line “#PermitRootLogin yes”, uncomment it, and change it to look like below

PermitRootLogin no

Now just reload the SSH service so that the configuration takes effect

# systemctl reload sshd

Now ‘root’ login over SSH is prevented; the root user can still be used on the machine directly.
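Whether the edit took effect depends on which PermitRootLogin line sshd reads first, since sshd uses the first value it obtains for a keyword. The following added example (not part of the original article) reports the effective global value from a config file; the function names and sample configs are constructed for illustration, and Match blocks are deliberately not evaluated.

```shell
#!/bin/sh
# Added example: report the PermitRootLogin value sshd will take from a config file.

# Print the first active global PermitRootLogin value, or "unset" when only
# commented-out lines exist (sshd then falls back to its built-in default).
effective_root_login() {
    awk '
        { sub(/^[ \t]+/, "") }                 # ignore leading whitespace
        /^#/ || /^$/ { next }                  # comments and blank lines are inactive
        tolower($1) == "match" { exit }        # stop at conditional Match blocks
        { split($0, kv, /[ \t=]+/) }           # keyword and value split on space or "="
        tolower(kv[1]) == "permitrootlogin" { print tolower(kv[2]); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Succeed only when the effective value is exactly "no".
root_login_disabled() {
    [ "$(effective_root_login "$1")" = "no" ]
}

# Constructed sample configs (not taken from a real server).
demo_dir=$(mktemp -d)
printf '%s\n' 'Port 22' '#PermitRootLogin yes' > "$demo_dir/stock"
printf '%s\n' 'Port 22' 'PermitRootLogin no' > "$demo_dir/edited"
printf '%s\n' 'PermitRootLogin yes' 'PermitRootLogin no' > "$demo_dir/conflict"

for name in stock edited conflict; do
    printf '%-9s %s\n' "$name" "$(effective_root_login "$demo_dir/$name")"
done
rm -rf "$demo_dir"
```

The "conflict" case shows why a leftover earlier line matters: the later "no" is never used. On the server, run the check against /etc/ssh/sshd_config before reloading sshd.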

In this article we have learned how to secure the server using best practices: creating a user with root privileges and preventing the root login so that we can avoid the accidental loss of data from unexpected commands, preventing the use of passwords by using SSH key files, and securing the server against use of the root user from outside of the machine over SSH.

raja
Published on 18-Oct-2019 11:15:36