How to secure CentOS 7 on Digital Ocean

OK so you have fired up your new CentOS 7 VM on DO and now want to make it as secure as possible to avoid potential intruders messing with your new shiny setup.

Let’s look at ways of securing your server in increments to avoid any serious mistakes.

Log in to your VM using the root username and password provided by Digital Ocean. Assuming you are working on a Windows machine, you will need to download and install PuTTY, a popular SSH client for Windows, or any other SSH terminal you are comfortable with.

Once connected let’s begin by running the following command. Keep your SSH session active at all times during this tutorial.

yum update -y && yum install firewalld -y

The first command (yum update) installs the latest CentOS updates and the second (yum install firewalld) installs a firewall. Using -y after the command installs the packages without asking for your confirmation. The && chains commands on a single line; the second command runs only if the first one succeeds.

OK, so now you have updated CentOS and installed the firewall. Let's start by enabling the firewall.

systemctl start firewalld
systemctl enable firewalld

The first command starts the firewall and the second enables it at boot, so you do not have to start it by hand every time you restart your VM.

Let's now check that the firewall is up and running.

firewall-cmd --list-all

You should now see a screen displaying enabled services such as ssh and dhcpv6-client.

SELinux

Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls (MAC).

Now that the firewall is up and running let’s just check that SELinux is enabled, as this will come in handy later on if you want to change SSH ports. By default Digital Ocean has SELinux enabled, but this is not the case with other providers such as Vultr and Linode.

To check the status of SELinux type in sestatus.

sestatus

The sestatus command will check if SELinux is enabled. You could also use getenforce.

If the SELinux mode is set to enforcing you are good to go.

Creating a new user

You should never really use the root user to configure your machine, for various reasons, the main ones being security and human errors that cannot be reversed. So let's go ahead and create a new sudo user (super user do!). A sudo user will have the ability to run root commands.

useradd username

The useradd command will create a new user. Change username to whatever “username” you want to use.

Now create a new password for the new user.

passwd username

This command will prompt you to enter a new password for the new user.

So you now have a new user. The new user needs sudo powers, otherwise you will not be able to run super user commands. Let's give the new user some muscle.

usermod -aG wheel username

This command will add the new user to the wheel group which will enable sudo powers. Remember that username should be replaced with the new username you have just created.

Double check that the user has been added to the wheel group.

groups username

This command will display what group the new user belongs to.

OK, so now that the new user has been created and granted sudo powers, let's log in with the new user via SSH. Keep the root session open, and launch PuTTY once again. Enter your server IP address and your new username and password.

Success.

OK, now let's check that the new user has sudo powers.

sudo cat /etc/shadow

This command will display the shadow file which displays all stored passwords in encrypted format.

Success. OK so we now know that we can connect through SSH and the new user has sudo powers.

Your PuTTY root user session should still be active. Switch back to your root user window and let's disable SSH root access.

vi /etc/ssh/sshd_config

This command instructs the vi editor to open the sshd_config file.

Now look for the line #PermitRootLogin yes and change it to PermitRootLogin no removing the hash (#) at the beginning. To be able to edit the file you must hit the letter i (Insert) on your keyboard. Once you have made the change enter :wq to save the changes and exit.

#PermitRootLogin yes
i
PermitRootLogin no
:wq

For the changes to take effect we now need to restart ssh.

systemctl restart sshd

This command will restart SSH.

Do not end your current root session. If you now try to initiate a new SSH session with the root user, it should no longer allow you to log in.

Let's now look at disabling password logins and setting up public key authentication, which will reduce the chances of a successful brute-force attack. Switch back to the new user session that has sudo powers.

mkdir .ssh

This command will create a hidden directory named .ssh

Now generate a new key pair with PuTTYgen. Make sure you protect the key with a passphrase you will remember. Next copy the public key entirely (select all) and add it to your server.

vi .ssh/authorized_keys
[paste key]
:wq

Paste your public key by clicking your right mouse button. Then type :wq

You have successfully added the public key to the server. Now save the private key on your computer. Remember to store it somewhere safe and somewhere you will be able to find it, because without it you will not be able to log in.

Now we need to set the correct read/write permissions to the .ssh directory and the authorized_keys file.

chmod 700 -R .ssh
cd .ssh
chmod 644 authorized_keys

Open a new SSH session with the new user and you should now be prompted to enter your SSH key passphrase.

Success!

Switch back to your root session. We are now going to enable PubkeyAuthentication, which is the name sshd_config uses for public key authentication.

vi /etc/ssh/sshd_config

Look for #PubkeyAuthentication yes and remove the hash (#)

#PubkeyAuthentication yes
i
PubkeyAuthentication yes

Remember to press i to enable editing, remove the # from PubkeyAuthentication and make sure it remains set to yes.

Next we need to disable password authentication.

Look for PasswordAuthentication yes and change it to no, so it reads PasswordAuthentication no.

PasswordAuthentication yes
PasswordAuthentication no
:wq

By changing PasswordAuthentication to no you are disabling password logins.

Now we need to restart SSH for the changes to take effect.

systemctl restart sshd
systemctl status sshd

The first command will restart SSH and the second command will check the status.

You will no longer be able to log in with your user password; you can now log in only with your private key and its passphrase.

Now let's go back to the sshd_config file so we can disable empty passwords. You never want to have empty passwords.

vi /etc/ssh/sshd_config

Look for #PermitEmptyPasswords no and remove the hash (#).

#PermitEmptyPasswords no
i
PermitEmptyPasswords no

Now go to the very bottom of the config file and add the following

Protocol 2

This option is set by default in most CentOS installations, but just make sure that there’s no version 1 instead as it’s a less secure protocol.

Now scroll back up and look for #LoginGraceTime 2m. Let's change this to 1 minute; the less time there is to complete the login, the safer.

#LoginGraceTime 2m
LoginGraceTime 1m

Change #LoginGraceTime 2m to LoginGraceTime 1m

Now let's ignore RHosts. Look for #IgnoreRhosts yes and remove the hash (#).

#IgnoreRhosts yes
IgnoreRhosts yes

Now scroll all the way back down to the bottom and let's restrict access to one user. This will be the new user you created with sudo powers. Under Protocol 2 add AllowUsers username.

AllowUsers username
:wq

This will restrict SSH access to only the user specified.

Again, for these changes to take effect you should restart SSH.

systemctl restart sshd
systemctl status sshd

Restart SSH and check the status to make sure everything has gone to plan.

The next step is to change the default SSH port from 22 to 2662. Take this step slowly; do not rush it. Let’s open up the SSH config file once again.

vi /etc/ssh/sshd_config

Look for #Port 22 and change it to Port 2662.

#Port 22
i
Port 2662
:wq

Remove the # and change the value from 22 to 2662.

At this point, do not restart SSH just yet, as we need to make a few more changes to move the port from 22 to 2662. Type the following commands

semanage port -a -t ssh_port_t -p tcp 2662
firewall-cmd --remove-service=ssh --permanent
firewall-cmd --add-port=2662/tcp --permanent

The semanage command tells SELinux that SSH is allowed to use port 2662. The two firewall-cmd commands remove the SSH service from the firewall and open port 2662 in its place.

That should now have changed your SSH port from 22 to 2662.

Let's restart SSH and reload the firewall.

systemctl restart sshd && firewall-cmd --reload
systemctl status sshd

This command will restart SSH and reload the firewall. Then we check the status of SSH to make sure nothing has gone wrong.

Now let's quickly check that the SSH service is no longer listed in the firewall and that port 2662 is open.

firewall-cmd --list-all

Look under services; SSH should not be listed. Ports should display 2662/tcp.

Success. Now open a new SSH session with PuTTY BUT with port 2662, so change the default port in PuTTY to 2662.
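The sshd_config edits above were made in several passes, which makes it easy to leave an option commented out or to end up with the same option twice. The script below is an added example, not part of the original tutorial: it reports the value sshd will actually use for each option set in this guide. The function names effective_value and audit_sshd are made up for this example and the sample config is constructed.

```shell
# Added example, not from the original post; the sample config is constructed.

# effective_value FILE KEYWORD: print the value sshd uses globally. Keywords
# are case-insensitive, the FIRST occurrence wins, and lines after the first
# "Match" apply only conditionally, so they are not counted.
effective_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments, blank lines
        tolower($1) == "match" { exit }
        tolower($1) == want {
            $1 = ""; sub(/^[ \t]+/, ""); sub(/\r$/, ""); print; exit
        }' "$1"
}

# audit_sshd FILE KEYWORD=EXPECTED...: exit status = number of failed checks.
audit_sshd() {
    file=$1; shift; fails=0
    for check in "$@"; do
        key=${check%%=*}; expected=${check#*=}
        actual=$(effective_value "$file" "$key")
        if [ "$actual" = "$expected" ]; then
            echo "OK    $key $actual"
        else
            echo "FAIL  $key: want '$expected', found '${actual:-unset}'"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Values from the tutorial; "username" is its placeholder account name.
TUTORIAL_CHECKS="PermitRootLogin=no PasswordAuthentication=no
PubkeyAuthentication=yes PermitEmptyPasswords=no IgnoreRhosts=yes
LoginGraceTime=1m AllowUsers=username Port=2662"
sample=$(mktemp); trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
port 2662
#PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
PermitEmptyPasswords no
IgnoreRhosts yes
LoginGraceTime 1m
PasswordAuthentication no
AllowUsers username
Match User backup
    PermitRootLogin no
EOF
audit_sshd "$sample" $TUTORIAL_CHECKS || echo "$? setting(s) need fixing"
```

On the server, point audit_sshd at /etc/ssh/sshd_config with your real username in place of the placeholder. Running sshd -t before each systemctl restart sshd also catches misspelled options while your existing session is still open.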

This should be enough to get you up and running. Just make sure you keep your machine updated with the latest software releases.
