Initial setup of a CentOS 7 Server

A newly activated CentOS 7 server has to be customized before it can be put into use as a production system. In this article, the most important customizations that you'll have to make are given in an easy-to-understand manner.

Prerequisites

A newly activated CentOS 7 server, preferably set up with SSH keys. Log into the server as root.

ssh -l root server-ip-address

Step 1: Create a Standard User Account

For security reasons, it is not advisable to perform daily tasks using the root account. Instead, create a standard user account that uses sudo to gain administrative privileges only when needed. For this tutorial, assume that we're creating a user named joe. To create the user account, type:

adduser joe

Set a password for the new user. You'll be prompted to input and confirm a password.

passwd joe

Add the new user to the wheel group so that it can assume root privileges using sudo.

gpasswd -a joe wheel

Finally, open another terminal on your local machine and use the following command to add your SSH key to the new user's home directory on the remote server. You will be prompted to authenticate before the SSH key is installed.

ssh-copy-id joe@server-ip-address

After the key has been installed, log into the server using the new user account.

ssh -l joe server-ip-address

If the login is successful, you may close the other terminal. From now on, all commands will be preceded with sudo.
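The commands above delegate the key installation to ssh-copy-id. The following shell helper is an added example (not code from the original article) that does the same job by hand so you can see what a correct installation looks like: it creates ~/.ssh and authorized_keys with the permissions sshd's StrictModes expects, checks that the input looks like an OpenSSH public key line, and refuses to add a key that is already present. The function names, the home directory argument and the sample key are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the article. install_authorized_key does what
# ssh-copy-id does for one key: it creates <home>/.ssh (mode 700) and
# <home>/.ssh/authorized_keys (mode 600) and appends the key once.
# Usage: install_authorized_key <home-dir> "<public-key-line>"
install_authorized_key() {
    home_dir="$1"
    pubkey="$2"
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    [ -d "$home_dir" ] || { echo "no such home directory: $home_dir" >&2; return 1; }

    # Accept only lines that look like an OpenSSH public key (type, blob, comment).
    case "$pubkey" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
        *) echo "not an OpenSSH public key line: $pubkey" >&2; return 1 ;;
    esac

    # sshd (StrictModes yes, the default) ignores keys in directories or files
    # that are writable by anyone but the owner, so set the modes explicitly
    # instead of relying on the umask.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_file"
    chmod 600 "$auth_file"

    # Idempotent: compare key type and base64 blob only, ignoring the comment,
    # so re-running the helper never produces duplicate entries.
    key_blob=$(printf '%s\n' "$pubkey" | awk '{print $1, $2}')
    if awk '{print $1, $2}' "$auth_file" | grep -qxF -- "$key_blob"; then
        return 0
    fi
    printf '%s\n' "$pubkey" >> "$auth_file"
}

# Print the number of keys installed for a home directory (0 if none).
count_authorized_keys() {
    f="$1/.ssh/authorized_keys"
    [ -f "$f" ] || { echo 0; return 0; }
    grep -c -E '^(ssh-|ecdsa-)' "$f" || true
}

# Return 0 when the directory and file carry the modes ssh-copy-id sets and
# StrictModes accepts. Assumes GNU stat (Linux).
authorized_keys_perms_ok() {
    [ "$(stat -c %a "$1/.ssh")" = "700" ] &&
        [ "$(stat -c %a "$1/.ssh/authorized_keys")" = "600" ]
}
```

If the permissions are wrong, sshd silently ignores the key and the login falls back to a password; because Step 2 disables password authentication, verify the key login works before you close the root session.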

Step 2: Disallow Root Login and Password Authentication

Since you can now log in as a standard user using SSH keys, a good security practice is to configure SSH so that the root login and password authentication are both disallowed. Both settings have to be configured in the SSH daemon's configuration file. So, open it using nano.

sudo nano /etc/ssh/sshd_config

Look for the PermitRootLogin line, uncomment it and set the value to no.

PermitRootLogin no

Do the same for the PasswordAuthentication line, which should be uncommented already:

PasswordAuthentication no

Save and close the file. To apply the new settings, reload SSH.

sudo systemctl reload sshd
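Before reloading, it is worth confirming that the two settings are really the effective ones. The shell audit below is an added example (not code from the original article): it prints the effective value of an sshd_config keyword the way sshd resolves it, where the first uncommented occurrence of a keyword wins, so a stray PermitRootLogin yes above the line you edited would silently override it. The function names and the constructed configuration fragments are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the article.
# sshd_effective prints the value sshd will use for a keyword, or "unset".
# sshd_config(5): for each keyword the FIRST obtained value is used, keywords are
# case-insensitive, and global settings must appear before any Match block.
# Assumes the common "Keyword value" form (the "Keyword=value" form is not parsed).
# Usage: sshd_effective <config-file> <keyword>
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }                 # comment line
        /^[[:space:]]*$/ { next }                 # blank line
        tolower($1) == "match" { exit }           # global section ends here
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Return 0 only when both hardening settings from Step 2 are in effect.
# An unset keyword falls back to sshd'"'"'s compiled-in default, which for both of
# these keywords is "yes", so "unset" counts as a failure.
sshd_hardened() {
    cfg="$1"
    ok=0
    for kv in "PermitRootLogin no" "PasswordAuthentication no"; do
        key=${kv% *}
        want=${kv#* }
        got=$(sshd_effective "$cfg" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key: effective value is '$got', expected '$want'" >&2
            ok=1
        fi
    done
    return $ok
}
```

Run sudo sshd -t to syntax-check the file before the reload, and keep your current session open while you test a fresh login as joe from another terminal; if the new login fails, the open session still lets you fix the file.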

Step 3: Configure the Time Zone

By default, the time on the server is given in UTC. It is best to configure it to show the local time zone. To accomplish that, locate the zone file of your country or geographical area in the /usr/share/zoneinfo directory and point the /etc/localtime file at it with a symbolic link. For example, if you're in the eastern part of the US, you'll create the symbolic link using:

sudo ln -sf /usr/share/zoneinfo/US/Eastern /etc/localtime

Afterwards, verify that the time is now given in local time by running the date command. The output should be similar to:

Tue Jun 16 15:35:34 EDT 2015

The EDT in the output confirms that it's local time.

Step 4: Enable the IPTables Firewall

By default, the active firewall application on a newly activated CentOS 7 server is FirewallD. Though it is a good replacement for IPTables, many security applications, such as OSSEC HIDS, still do not support it. If you'll be using any of those applications, it's best to disable or uninstall FirewallD.

Let's start by disabling/uninstalling FirewallD:

sudo yum remove -y firewalld

Now, let's install and start the IPTables service.

sudo yum install -y iptables-services
sudo systemctl start iptables

Configure IPTables to start automatically at boot time.

sudo systemctl enable iptables

IPTables on CentOS 7 comes with a default set of rules, which you can view with the following command.

sudo iptables -L -n

The output will resemble:

Chain INPUT (policy ACCEPT)
target     prot opt source     destination         
ACCEPT     all  --  0.0.0.0/0     0.0.0.0/0     state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0    0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0     0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0     0.0.0.0/0     state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0     0.0.0.0/0     reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source     destination
REJECT     all  --  0.0.0.0/0     0.0.0.0/0     reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source     destination

You can see that one of those rules allows SSH traffic, so your SSH session is safe.

Because those rules are runtime rules and will be lost on reboot, it's best to save them to a file using:

sudo /usr/libexec/iptables/iptables.init save

That command will save the rules to the /etc/sysconfig/iptables file. You can edit the rules anytime by changing this file with your favorite text editor.

Step 5: Allow Additional Traffic Through the Firewall

Since you'll most likely use your new server to host websites at some point, you'll have to add firewall rules that allow HTTP and HTTPS traffic. To accomplish that, open the IPTables rules file:

sudo nano /etc/sysconfig/iptables

Just after or before the SSH rule, add the rules for HTTP (port 80) and HTTPS (port 443) traffic, so that that portion of the file appears as shown in the block below.

-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited

Save and close the file, then reload IPTables.

sudo systemctl reload iptables
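IPTables evaluates the INPUT chain from top to bottom, and the final -A INPUT -j REJECT line matches everything, so an ACCEPT rule placed below it is never reached. The shell helpers below are an added example (not code from the original article): one generates a complete /etc/sysconfig/iptables file for a list of TCP ports, modelled on the default rule set shown in Step 4, and the other checks an existing rules file for ACCEPT rules hidden behind the terminal REJECT and for a missing SSH rule, the two mistakes that lock you out when the rules are reloaded. The function names are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the article.
# gen_iptables_rules prints a rules file in the /etc/sysconfig/iptables format:
# loopback, established traffic and ICMP are accepted as in the CentOS 7 default
# set, the given TCP ports are opened for new connections, everything else is
# rejected.  Usage: gen_iptables_rules 22 80 443 > rules
gen_iptables_rules() {
    # Validate every port before printing anything, so a bad argument never
    # leaves a half-written rules file behind.
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range: $port" >&2; return 1
        fi
    done
    printf '%s\n' '*filter' \
        ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -p icmp -j ACCEPT' \
        '-A INPUT -i lo -j ACCEPT'
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp -m state --state NEW -m tcp --dport $port -j ACCEPT"
    done
    # The terminal rules: everything not accepted above is rejected.
    printf '%s\n' '-A INPUT -j REJECT --reject-with icmp-host-prohibited' \
        '-A FORWARD -j REJECT --reject-with icmp-host-prohibited' \
        'COMMIT'
}

# check_iptables_rules <file> [ssh-port]
# Returns 1 (with a message on stderr) if any INPUT rule follows an
# unconditional REJECT/DROP, or if the SSH port is not accepted before it.
check_iptables_rules() {
    awk -v ssh="${2:-22}" '
        # Only INPUT rules decide whether the host itself stays reachable.
        $1 != "-A" || $2 != "INPUT" { next }
        # Anything after an unconditional REJECT/DROP can never match.
        terminal != "" {
            print "unreachable INPUT rule after terminal " terminal ": " $0 > "/dev/stderr"
            bad = 1; next
        }
        $3 == "-j" && ($4 == "REJECT" || $4 == "DROP") { terminal = $4; next }
        /-j ACCEPT/ {
            for (i = 1; i < NF; i++)
                if ($i == "--dport" && $(i + 1) == ssh) ssh_ok = 1
        }
        END {
            if (!ssh_ok) {
                print "no ACCEPT for ssh port " ssh " before the terminal rule" > "/dev/stderr"
                bad = 1
            }
            exit bad + 0
        }
    ' "$1"
}
```

Running check_iptables_rules /etc/sysconfig/iptables before systemctl reload iptables catches an HTTP or HTTPS rule that was pasted below the REJECT line, where it would silently have no effect.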

With the above step completed, your CentOS 7 server should now be reasonably secure and be ready for use in production.