In this article, we will go through the configuration steps that should be taken for security and usability right after a new server is installed. This gives us a solid foundation to build on.
The root user is the administrator, or superuser, in a Linux environment and has all privileges on the system. It is highly recommended not to use the root user directly, because an accidental command or change can cause many issues, including loss of data.
In the next step, we will set up an alternative user with root rights, which reduces the scope of influence of the system administrators' day-to-day activities.
Once we are logged in as the root user, we can create a new user for logging in to the server with the command below.
# adduser manager
Once the user is created, assign it a password. A strong password is recommended.
# passwd manager
The new user has normal privileges, but some tasks need administrative permissions. For those, we will give the user root privileges, and the user then adds ‘sudo’ before any command that needs root permissions.
To give the user administrative privileges, we need to be logged in as root and add the new user to the “wheel” group. By default in CentOS 7, users in the wheel group are allowed to run commands with “sudo”.
Below is the command to add the new user to the wheel group.
# gpasswd -a manager wheel
In this step, we will secure the server by setting up public key authentication for the new user, which increases the security of the server by requiring a private SSH key to log in.
If we do not have an SSH key pair (which consists of a public and a private key), we need to generate a new one.
Below is the command to generate a new key pair:
# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
a3:5d:58:cc:7f:94:30:bf:ae:1e:5c:11:25:f7:96:41 root@server1
The key's randomart image is:
+--[ RSA 2048]----+
| o +Eo|
| o + =+|
| + =.o|
| o . . + |
| S . . + |
| o o . + |
| . . o . |
| o |
| .o |
+-----------------+
By default, if we do not provide a file name, the private key is saved as id_rsa and the public key as id_rsa.pub, as the output above shows. Both files are located in the .ssh directory of the user’s home directory.
After we generate the SSH keys, we need to copy the public key to the server. The private key should not be shared with anyone who should not be accessing the server.
We can copy the public key in two ways:
If ssh-copy-id is installed, we can use it to install the public key for any other user or machine.
Run the below command to copy the public key:
# ssh-copy-id manager@ipaddress-of-machine
The public key will be added to .ssh/authorized_keys for that user on that machine. We need to use the corresponding private key to log in to the server.
Assuming we have already generated the keys, print the public key using the command below.
$ cat .ssh/id_rsa.pub
Copy the key printed by the command to the clipboard.
We need to add this key to the .ssh/authorized_keys file.
If we don’t have the .ssh folder and the authorized_keys file, we need to follow these steps to create them.
$ mkdir .ssh
$ chmod 700 .ssh
$ touch .ssh/authorized_keys
$ chmod 600 .ssh/authorized_keys
Then we need to open the authorized_keys file and paste the text from the clipboard.
# vi .ssh/authorized_keys
Paste the text from the clipboard and save the file.
As we have already created a new user with root or super user permission, we can now disable the root user login using SSH.
Open the ssh configuration file using the below command
# vi /etc/ssh/sshd_config
Here we need to find the line “#PermitRootLogin yes”, uncomment it, and change the value from yes to no.
Now just reload the SSH service so that the configuration takes effect.
# systemctl reload sshd
Now ‘root’ login over SSH is prevented; we can still use the root user on the machine directly.
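As an added check that is not part of the original article, the following shell functions audit what the steps above configure: the .ssh directory and authorized_keys modes (700 and 600) and the PermitRootLogin value in sshd_config. The function names and the sample files built by make_sample are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit the settings this article changes.
# Function names are hypothetical; stat -c is the GNU coreutils form.

# Print the global PermitRootLogin value from an sshd_config file.
# sshd keeps the first value it reads for a keyword, keywords are
# case-insensitive, and '#' lines are comments. Directives after the
# first Match line are conditional, so scanning stops there.
root_login_setting() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Succeed only if the path has exactly the given octal mode.
has_mode() {
    [ "$(stat -c '%a' "$1" 2>/dev/null)" = "$2" ]
}

# Audit a user's home directory and an sshd_config file. Prints findings
# and returns non-zero if anything differs from what the article sets.
audit_ssh_setup() {
    home="$1"; config="$2"; rc=0
    value=$(root_login_setting "$config")
    if [ "$value" != "no" ]; then
        echo "FAIL: PermitRootLogin is '$value' in $config, expected 'no'"; rc=1
    fi
    has_mode "$home/.ssh" 700 || { echo "FAIL: $home/.ssh is not 700"; rc=1; }
    has_mode "$home/.ssh/authorized_keys" 600 ||
        { echo "FAIL: $home/.ssh/authorized_keys is not 600"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: root SSH login off, key file modes correct"
    return "$rc"
}

# Build a constructed sample (not a real server): a config with the directive
# still commented out, plus a correctly protected .ssh directory.
make_sample() {
    mkdir -p "$1/home/.ssh" && chmod 700 "$1/home/.ssh"
    : > "$1/home/.ssh/authorized_keys" && chmod 600 "$1/home/.ssh/authorized_keys"
    printf '%s\n' 'Port 22' '#PermitRootLogin yes' > "$1/sshd_config"
}

# Usage: sh audit.sh /home/manager /etc/ssh/sshd_config
if [ "$#" -eq 2 ]; then audit_ssh_setup "$1" "$2"; fi
```

Running `sshd -t` before the reload checks the edited file for syntax errors. Keeping the current session open until a new login as manager succeeds avoids being locked out.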
In this article, we have learned how to secure the server using best practices: creating a user with root privileges and preventing root login so that we can avoid accidental loss of data from unexpected commands, preventing the use of passwords by using SSH key files, and securing the server against use of the root user from outside the machine over SSH.