Note for beginners
This guide is easy to follow by copy-pasting commands and hitting Enter. If you are unsure how to edit configuration files, install the nano command line editor first with the SSH command: yum -y install nano. You can edit files by issuing the command nano followed by the configuration file name. Navigate the text with the arrow keys and hit Ctrl + X, then Y and Enter, to save.
Prerequisites
You need to have a VPS, or virtual machine, or a dedicated server with CentOS 7 minimal image installed. Have a look at the list of our recommended VPS hosts, in case you’re still looking for a good VPS plan with CentOS 7.
Hostname
First things first. Setting the hostname is the very first thing that needs to be done on a Linux server.
Select a meaningful hostname
- It contains a keyword specifying the server's main function, e.g. db or web
- The hostname is a FQDN, e.g. web.example.com
- It is not a FQDN under which you host any of your websites; it should not equal www.example.com or example.com
Assuming we have decided on web.example.com as the hostname, set the hostname with:
hostnamectl set-hostname web.example.com
Basic security
Create a sudo user
It is good practice to have a user other than root. So we are going to create a centos user who will be able to run administrative commands by prepending the sudo keyword in front of them:
useradd centos && passwd centos
usermod -aG wheel centos
After this, attempt to establish an SSH connection as the centos user. Once connected, verify that you are able to gain root privileges via su (which “turns” you into root), or via sudo whoami (prepend sudo to any command to run it as the root user).
Following this, you can harden your SSH configuration by disallowing direct root SSH login. In /etc/ssh/sshd_config set:
PermitRootLogin no
Then restart the SSH daemon:
systemctl restart sshd
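The sshd_config change above is the classic place to lock yourself out with a typo. The following added example (not part of the original guide) sets the directive idempotently, whether it is commented out, already present, or missing, and shows the validate-then-restart order; the function names are my own, the file it edits in the demo is a constructed stand-in for /etc/ssh/sshd_config.

```bash
#!/bin/bash
# Set a directive in an sshd_config-style file idempotently. It handles the
# directive being commented out ("#PermitRootLogin yes", the CentOS 7 default),
# already present with another value, or missing entirely.
set_sshd_option() {
    local file="$1" key="$2" value="$3" tmp
    local pat="^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?$"
    if grep -Eq "$pat" "$file"; then
        tmp=$(mktemp)
        sed -E "s|${pat}|${key} ${value}|" "$file" > "$tmp" && cat "$tmp" > "$file"
        rm -f "$tmp"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# Effective value of a directive: sshd uses the first uncommented occurrence.
sshd_effective() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# On the real server (run as root): change the directive, let sshd validate the
# file with "sshd -t", and only restart if it passes, so a typo cannot lock you out.
# Keep your current SSH session open until a fresh login as "centos" succeeds.
harden_sshd() {
    set_sshd_option /etc/ssh/sshd_config PermitRootLogin no
    sshd -t && systemctl restart sshd
}

# Offline demo on a constructed file resembling the stock sshd_config.
demo_sshd_config() {
    local tmp; tmp=$(mktemp)
    printf '#PermitRootLogin yes\nPasswordAuthentication yes\n' > "$tmp"
    set_sshd_option "$tmp" PermitRootLogin no
    sshd_effective "$tmp" PermitRootLogin
    rm -f "$tmp"
}
demo_sshd_config   # prints: no
```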
Virus scanner?
For those super crazy about viruses, even on Linux, here is an excellent tutorial for you.
Enable The Firewall
CentOS 7 comes with different firewall software than CentOS 6.5: firewalld. Iptables can still be used, but let’s stick with what is provided by default (which is always better when it comes to security-related software alternatives).
For easier storage of firewall rules covering many IP addresses, we need the ipset command line tool. It interacts with the IP sets functionality of the Linux kernel.
yum -y install ipset
Usually, we have a single IP address on a server; it is the IP address which hosts our websites. Firewalld comes with the concept of zones. Let’s enable the firewall to start automatically, start it immediately, and configure the network interface carrying our IP address (eth0 here) to be part of the public zone.
systemctl enable firewalld
systemctl start firewalld
firewall-cmd --zone=public --change-interface=eth0
firewall-cmd --permanent --zone=public --add-service=http # Enable access to HTTP
firewall-cmd --reload # Applies changes immediately
To check the firewall's run status, issue the systemctl status firewalld command.
Install the convenience Linux tools
The file editor
The default file viewer and editor of choice in Linux is vim. However, it is quite complex to master. And since you’re reading this tutorial, you likely want something easy, like the nano editor.
The downloader
You will often want to download stuff to your Linux machine, whether it’s software packages or data files. You can get by with curl, which is pre-installed by default, but wget will be somewhat easier to work with. So to install these tools, run:
yum -y install wget nano
We can tell the operating system what our file editor of choice is:
cat <<EOF >/etc/profile.d/nano.sh
export VISUAL="nano"
export EDITOR="nano"
EOF
Fail2ban
Fail2ban protects your server by blocking malicious users who try to brute-force it.
sudo yum -y install https://extras.getpagespeed.com/release-latest.rpm
sudo yum -y install fail2ban
Make a copy of the configuration template. Fail2ban expects you to always edit jail.local and not jail.conf:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Add the SSH-related configuration to our jail.local file (at the end of the file):
[ssh]
enabled = true
filter = sshd
action = firewallcmd-ipset
logpath = /var/log/secure
maxretry = 3
bantime = 7200
Next, add custom settings to the ban action. This makes sure that it matches the ban time in the jail definition:
cat << _EOF_ > /etc/fail2ban/action.d/firewallcmd-ipset.local
[Init]
bantime = 7200
_EOF_
Copy the source-supplied systemd unit file so that we can manage the fail2ban service using systemctl:
cp /usr/local/src/fail2ban-0.8.14/files/fail2ban.service /usr/lib/systemd/system/
Next, we need to configure the directory /var/run/fail2ban to be created automatically each time the server boots. This is done using the tmpfiles.d configuration: simply add a special config file for it, and the directory is always recreated.
Even if we use non-packaged software compiled into /usr/local, we should not use /usr/local/var/run for state files, because the system takes care of state files only under /var/run. This is something to always account for when configuring compiled software.
echo '# fail2ban runtime directory' > /etc/tmpfiles.d/fail2ban.conf
echo 'd /run/fail2ban 0755 root root -' >> /etc/tmpfiles.d/fail2ban.conf
systemctl start fail2ban
systemctl enable fail2ban
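The jail above bans a source after maxretry matches of the sshd filter in logpath. The following added example (not part of the original guide) reproduces that counting over /var/log/secure-style lines so you can check what fail2ban will see; the function names and the sample log lines (TEST-NET addresses) are constructed, and fail2ban's findtime window is deliberately left out.

```bash
#!/bin/bash
# Count failed SSH logins per source IP in a /var/log/secure-style log and
# report the ones at or above fail2ban's maxretry. This mirrors what the sshd
# filter with maxretry=3 does, minus fail2ban's findtime window.
failed_ssh_by_ip() {
    local logfile="$1" maxretry="${2:-3}"
    awk -v max="$maxretry" '
        /sshd\[[0-9]+\]: (Failed password for|Invalid user)/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i+1)]++; break }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= max) print ip, fails[ip]
        }' "$logfile" | sort
}

# Constructed sample log lines (TEST-NET addresses, not real traffic).
demo_secure_log() {
    local tmp; tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
Jan 10 12:00:01 web sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 10 12:00:03 web sshd[1203]: Invalid user admin from 203.0.113.5 port 51235
Jan 10 12:00:04 web sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Jan 10 12:00:09 web sshd[1210]: Failed password for centos from 198.51.100.7 port 40022 ssh2
Jan 10 12:00:15 web sshd[1211]: Accepted publickey for centos from 198.51.100.7 port 40023 ssh2
EOF
    failed_ssh_by_ip "$tmp" 3
    rm -f "$tmp"
}
demo_secure_log   # prints: 203.0.113.5 3
```

To see the matches fail2ban itself extracts from the real log, run fail2ban-regex /var/log/secure sshd on the server.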
TODO: describe app-specific fail2ban rules:
http://extensions.joomla.org/extensions/access-a-security/site-security/login-protection/25592
Add your client IP to the trusted zone (all connections are allowed from your IP):
firewall-cmd --permanent --zone="trusted" --add-source="82.209.102.7"
Adjust the root mail alias to your own email address. This allows you to receive the system-related emails that your server generates:
sed -i 's/^root.*/root: someuser@gmail.com/' /etc/aliases && newaliases
Install development tools for compiling software (Risky!)
Proceed with this step only if you know what you’re doing. Only a few programs are not available as RPM packages, and only if you require such a program, one that is not available in packaged form, would you want to compile it from source.
For compilation, you will need a group of utility software. You can install it via:
yum -y groupinstall "Development tools"