5 Steps to Securely Hardening Your Server (CentOS 7)
I am not a DevOps engineer or a sysadmin, but in the meantime I work in a small company (a startup) as CTO.
I should take care of many things like developers, code review, problem-solving, recruiting, managing the servers, participating in business meetings, helping QA write the automated tests, and many other things.
I think maybe my experience in some of the areas above would be good for others, so I decided to write about and share them.
When our startup was growing, we never thought about server attacks, and this was my mistake as CTO. I was lucky that the unpredictable event had not happened before we secured our server.
Here are the steps we took to improve server security:
1. Create a new user:
Our access logs show many login attempts against default user names like “root”, “centos”, “ubuntu”, and so on, so this step is important: an administrative user with a non-default name denies attackers an easy guess.
# adduser someWeirdName
# passwd someWeirdName
To generate a strong password, you can use a password manager such as LastPass.com.
2. Disable root remote login
Open the SSH configuration file with your text editor as root:
# vi /etc/ssh/sshd_config
To disable remote root logins, we need to find the line that looks like this:
PermitRootLogin yes
and change “yes” to “no”:
PermitRootLogin no
Type this to reload SSH so the change takes effect:
# systemctl reload sshd
Hint: before logging out, make sure you can still log in to the server as the newly created user.
3. Add Public-key Authentication
Setting this up lets you log in with an SSH key pair; once password login is disabled in step 5, the private SSH key is required to log in.
Print your public key to the console on your local machine with this command:
local$ cat ~/.ssh/id_rsa.pub
Then select and copy the printed text.
Log in to the server as the newly created user and open the file .ssh/authorized_keys with a text editor. We will use vi to edit the file:
$ vi .ssh/authorized_keys
Enter insert mode by pressing i, then paste your public key (which should be in your clipboard) into the editor. Now hit ESC to leave insert mode, enter :wq, then press ENTER to save and exit the file.
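The manual vi edit above fails silently if the .ssh directory does not exist yet, and sshd refuses an authorized_keys file whose permissions are too loose. The following script is an added example, not part of the original post: it covers step 1 (creating the user) and step 3 (installing the key) in one place, with the directory and file modes sshd expects, and it skips keys that are already present so it can be re-run safely. The user name someWeirdName is the post's own placeholder; adding the user to the wheel group is an assumption of mine, since later steps run sudo from this account and CentOS 7 grants sudo through wheel.

```shell
#!/bin/sh
# Added example (not from the original post): create the admin user from step 1
# and install the public key from step 3 with the modes sshd requires.
set -eu

# install_pubkey HOME_DIR PUBKEY_LINE
# Creates HOME_DIR/.ssh (700) and authorized_keys (600) and appends the key
# unless that exact line is already present, so re-running adds nothing.
# With the default StrictModes yes, sshd ignores authorized_keys files that
# are group- or world-writable, which is why the modes are set explicitly.
install_pubkey() {
    home=$1; key=$2
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    if ! grep -qxF -- "$key" "$home/.ssh/authorized_keys"; then
        printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
    fi
}

# key_count HOME_DIR -> number of key lines in authorized_keys (0 if none)
key_count() {
    grep -c -E '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp[0-9]+) ' \
        "$1/.ssh/authorized_keys" || true
}

# mode_of PATH -> octal permission bits, e.g. 700 (GNU stat)
mode_of() {
    stat -c '%a' "$1"
}

# create_admin_user NAME PUBKEY_LINE
# Runs as root on the server: step 1 plus the key install. Membership in
# wheel is what lets the account use sudo on CentOS 7 (my assumption; the
# post leaves it implicit).
create_admin_user() {
    name=$1; key=$2
    id "$name" >/dev/null 2>&1 || adduser "$name"
    usermod -aG wheel "$name"
    passwd "$name"                      # interactive, as in step 1
    install_pubkey "/home/$name" "$key"
    chown -R "$name:$name" "/home/$name/.ssh"
}

# Nothing runs unless explicitly requested, e.g.:
#   sudo sh create-admin.sh --apply someWeirdName "$(cat ~/.ssh/id_rsa.pub)"
if [ "${1:-}" = "--apply" ]; then
    create_admin_user "$2" "$3"
fi
```

Keep your current root session open while you do this, and confirm from a second terminal that `ssh someWeirdName@server` works before closing it.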
4. Configuring a Basic Firewall
Firewalls provide a basic level of security for your server.
CentOS ships with a firewall called firewalld. A tool called firewall-cmd can be used to configure your firewall policies.
First install and start firewalld:
# sudo yum install firewalld
# sudo systemctl start firewalld
In this step, we will only be adjusting the policies for the default zone. When we reload our firewall, this will be the zone applied to our interfaces. We should start by adding exceptions to our firewall for approved services. The most essential of these is SSH, since we need to retain remote administrative access to the server.
If you have not modified the port that the SSH daemon is running on, you can enable the service by name by typing:
$ sudo firewall-cmd --permanent --add-service=ssh
If you plan on running a conventional HTTP/HTTPS web server, you will need to enable the http/https service:
# sudo firewall-cmd --permanent --add-service=http
# sudo firewall-cmd --permanent --add-service=https
If you use a custom port for something else, use the command below to enable it:
# sudo firewall-cmd --permanent --add-port=(customPort)/tcp
To see any additional services that you can enable by name, type:
# sudo firewall-cmd --get-services
When you are finished, you can see the list of the exceptions that will be implemented by typing:
# sudo firewall-cmd --permanent --list-all
When you are ready to implement the changes, reload the firewall:
# sudo firewall-cmd --reload
If, after testing, everything works as expected, you should make sure the firewall will be started at boot:
# sudo systemctl enable firewalld
Remember that you will have to explicitly open the firewall (with services or ports) for any additional services that you may configure later.
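The order of the commands above matters: the ssh exception must be in place before the reload, or you lose remote access. The script below is an added example (not from the original post) that applies the step 4 policy in that safe order, checks firewalld is actually running first, validates any custom port specs before handing them to firewall-cmd, and confirms after the reload that ssh is still allowed. The service and port lists are passed as arguments; the values shown in the usage comment are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): apply the firewalld policy from
# step 4 in a lock-out-safe order. Nothing runs unless invoked with --apply.
set -eu

# valid_port_spec SPEC -> 0 if SPEC is PORT/tcp or PORT/udp with 1..65535
valid_port_spec() {
    spec=$1
    case "$spec" in */*) ;; *) return 1 ;; esac
    port=${spec%/*}
    proto=${spec#*/}
    case "$proto" in tcp|udp) ;; *) return 1 ;; esac
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    if [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; then
        return 0
    fi
    return 1
}

# allow_services "svc1 svc2 ..."  -> permanent --add-service for each name
allow_services() {
    for svc in $1; do
        firewall-cmd --permanent --add-service="$svc" >/dev/null
    done
}

# allow_ports "8080/tcp 5000/udp ..." -> permanent --add-port for each spec,
# refusing the whole batch if any spec is malformed
allow_ports() {
    for spec in $1; do
        if ! valid_port_spec "$spec"; then
            echo "refusing bad port spec: $spec" >&2
            return 1
        fi
        firewall-cmd --permanent --add-port="$spec" >/dev/null
    done
}

# apply_firewall_policy "services" "portspecs"
apply_firewall_policy() {
    # --state exits non-zero when firewalld is not running; stop here if so.
    firewall-cmd --state >/dev/null
    # SSH first, always, so a mistake below can never remove our own access.
    firewall-cmd --permanent --add-service=ssh >/dev/null
    allow_services "$1"
    allow_ports "$2"
    firewall-cmd --permanent --list-all
    firewall-cmd --reload >/dev/null
    # Verify the runtime zone still allows ssh before enabling at boot.
    firewall-cmd --list-services | grep -qw ssh
    systemctl enable firewalld
}

# Usage (constructed values): sudo sh firewall.sh --apply "http https" "8080/tcp"
if [ "${1:-}" = "--apply" ]; then
    apply_firewall_policy "${2:-}" "${3:-}"
fi
```

Run it from a session you keep open, then open a fresh SSH connection to confirm the policy before logging out.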
5. Disable login by password
If you added your public key in step 3, you can now protect your server against password brute-force attacks by disabling login by password.
Open the SSH configuration file with your text editor as root:
# vi /etc/ssh/sshd_config
Find ChallengeResponseAuthentication and set it to no:
ChallengeResponseAuthentication no
Find PasswordAuthentication and set it to no:
PasswordAuthentication no
Find UsePAM and set it to no:
UsePAM no
Find PermitRootLogin and set it to no:
PermitRootLogin no
Now hit ESC to leave insert mode, enter :wq, then press ENTER to save and exit the file.
Type this to reload SSH so the changes take effect:
# systemctl reload sshd
Hint: before logging out, make sure you can log in to the server with your public key.
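Two details bite people when they make the sshd_config edits from steps 2 and 5 by hand: sshd uses the first occurrence of a directive, so a value appended at the bottom of the file is ignored if an earlier active line sets it, and a typo in the file makes `systemctl reload sshd` fail, leaving the running daemon on the old config without telling you. The script below is an added example, not from the original post: it rewrites existing (active or commented) lines in place, appends only when the directive is absent, and validates the result with `sshd -t` before reloading. The config path and backup naming are my choices.

```shell
#!/bin/sh
# Added example (not from the original post): apply the sshd_config directives
# from steps 2 and 5 idempotently and validate them before reloading sshd.
set -eu

# set_sshd_option FILE KEY VALUE
# Rewrites every "KEY ..." or "#KEY ..." line to "KEY VALUE" so the first
# occurrence (the one sshd honours) carries the new value; appends the
# directive only if the file has no such line at all.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}[[:space:]]" "$file"; then
        sed -E "s|^[[:space:]]*#?[[:space:]]*${key}[[:space:]].*|${key} ${value}|" \
            "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf '%s %s\n' "$key" "$value" >> "$tmp"
    fi
    cat "$tmp" > "$file"     # keeps the original inode, owner and mode
    rm -f "$tmp"
}

# get_sshd_option FILE KEY -> value of the first active line for KEY
get_sshd_option() {
    grep -E "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print $2}'
}

# harden_sshd_config FILE -> the four settings from steps 2 and 5
harden_sshd_config() {
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" ChallengeResponseAuthentication no
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" UsePAM no
}

# apply_live: back up, edit, validate, and only then reload the daemon.
apply_live() {
    cfg=/etc/ssh/sshd_config
    cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"
    harden_sshd_config "$cfg"
    # sshd -t exits non-zero on a bad config; with set -e that aborts the
    # script before the reload, so the running daemon keeps the old config.
    /usr/sbin/sshd -t
    systemctl reload sshd
}

# Usage: sudo sh harden-sshd.sh --apply   (from a session you keep open)
if [ "${1:-}" = "--apply" ]; then
    apply_live
fi
```

After the reload, open a second terminal and confirm that `ssh someWeirdName@server` succeeds with your key and that `ssh -o PubkeyAuthentication=no someWeirdName@server` is refused, before you close the first session.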