Initial Server Setup with CentOS 7


Introduction

In this tutorial, we will look at a few important tasks for the initial setup and basic hardening of a server. These steps improve both the security and the usability of your server. We will create a new sudo user, update packages, set the timezone, secure the SSH server, and more.

Prerequisites

Step 1: Log in via SSH

When your server is created, Snel sends you an email with the default username, password, and server IP address. For your first login, use those credentials to log in to your server.

If you’re not familiar with how to connect please have a look at our “How to connect to your server with SSH” article.

Step 2: Change Logged in User Password

Upon first login, it is very important to change the password of the current user. Use the following command to do so.

passwd

It will ask you to provide your existing password unless you are logged in as the root user.

Step 3: Create a New Sudo User

If you are logged in as the root user, it is recommended to create a sudo user. If you are logged in as a sudo user with a username in the format client_xxxxxx_x, which Snel already created for you, it is still a best practice to create a new sudo user.

A sudo user is a user with superuser privileges. In simple terms, this user can run administrative commands and tasks as the root user.

To create a new user, run the following command. You can replace the example username happysnel with anything you like.

sudo adduser happysnel

Note: You can omit the sudo command if you are logged in as the root user.

Set a password for the newly created user by running the following command.

sudo passwd happysnel

Add your newly created user to the wheel group. Users in the wheel group are sudo users in CentOS 7.

sudo usermod -aG wheel happysnel

Step 4: Logging in as the Newly Created User

Exit from the current terminal session by running the logout command and log in again using ssh as the new user.

ssh happysnel@192.168.0.1

192.168.0.1 is an example IP address.

Step 5: Disable Root Login via SSH

Find the current setting for root login via SSH by running the following command.

sudo cat /etc/ssh/sshd_config | grep PermitRootLogin

You might see the following output.

[[email protected] ~]$ sudo cat /etc/ssh/sshd_config | grep PermitRootLogin
PermitRootLogin without-password
# the setting of "PermitRootLogin without-password".

As the output above shows, PermitRootLogin is set to without-password. This means that password authentication is disabled for root, while public-key authentication is still enabled, which is fine in most cases. Make sure the line is not commented out and is not set to yes.

To completely disable root login, edit the file by running the following command.

sudo nano /etc/ssh/sshd_config

And change the line to the following.

PermitRootLogin no

Save the file and restart the SSH server by running the following command.

sudo systemctl restart sshd

Now, if you try to log in as the root user, the server will not let you in.

Step 6: Update Your Server

It is important to install the latest security patches and updates on your server. Run the following command to do so.

sudo yum -y update

Note: If you get a prompt saying that an updated package or file is available but the installed version has been modified, choose the option to keep the local version currently installed.

Step 7: Setting timezone

You may want your server in the same timezone as you. Run the following command to get a list of available timezones.

timedatectl list-timezones

The list of available timezones is also available here.

Once you have identified your timezone, set it using the following command.

sudo timedatectl set-timezone Europe/Amsterdam

You can confirm the timezone by running the following command.

timedatectl

Step 8: Set Hostname

Check your existing hostname by running the following command.

hostnamectl

You should see a similar output.

[[email protected] ~]$ hostnamectl
   Static hostname: vps.snelexample.site
         Icon name: computer-vm
           Chassis: vm
        Machine ID: 
           Boot ID: 
    Virtualization: kvm
  Operating System: CentOS Linux 7 (Core)
       CPE OS Name: cpe:/o:centos:centos:7
            Kernel: Linux 3.10.0-957.1.3.el7.x86_64
      Architecture: x86-64

To set a hostname, run the following command.

sudo hostnamectl set-hostname host.snelexample.site

Replace host.snelexample.site with your actual hostname. Preferably, it should be an FQDN (Fully Qualified Domain Name). If you are not sure whether you want to use an FQDN, a label that identifies the server also works.

To resolve the hostname on the server itself, you will need to add it to the /etc/hosts file. Edit the hosts file by running the following command.

sudo nano /etc/hosts

If the nano editor is not installed on your server, install it by running the following command.

sudo yum -y install nano

Append your hostname to the end of the line that starts with 127.0.0.1. For example:

127.0.0.1       localhost host.snelexample.site

Step 9: Configure a Firewall

In most cases, CentOS 7 comes with the firewall (firewalld) enabled by default. You can check the status of the firewall by running the following command.

sudo firewall-cmd --state

It should say running if your firewall is already running.

[[email protected] ~]$ sudo firewall-cmd --state
running

Step 10: SSH Port Change (Optional)

Malicious bots on the internet continuously target the default SSH port 22. You can change it to another port so that your server is not a victim of the continuous bot attacks on port 22. To change the SSH port, open the SSH configuration file again by running the following command.

sudo nano /etc/ssh/sshd_config

Find the line which says

#Port 22

Uncomment it and change it to any port you like between 1024 and 65535.

For example:

Port 2200

Save the file and exit from the editor.

Now, tell SELinux about the SSH port by running the following command.

sudo yum -y install policycoreutils-python
sudo semanage port -a -t ssh_port_t -p tcp 2200

Open port 2200 in the firewall by running the following commands.

sudo firewall-cmd --permanent --add-port=2200/tcp
sudo firewall-cmd --reload

Now, restart the SSH server by running the following command.

sudo systemctl restart sshd

Now, if you try to log in from another terminal without specifying a port, the server will not let you in. Add the port number to the SSH command to log in.

ssh -p 2200 happysnel@192.168.0.1

192.168.0.1 is an example IP address.
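
The checks behind Step 5 and Step 10, as an added example that is not part of the original tutorial: a script that reads an sshd_config file and reports the effective PermitRootLogin and Port values, since grep also matches commented lines and sshd keeps the first value it reads for a keyword. The function names, the sample files and the fail-closed default for an unset PermitRootLogin are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original tutorial): audit an sshd_config file.
# sshd keeps the first value it reads for a keyword, matches keywords
# case-insensitively, and ignores lines that start with '#'.

# effective_option FILE KEYWORD DEFAULT -> first uncommented global value
effective_option() {
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" -v def="$3" '
        /^[ \t]*(#|$)/          { next }    # comments and blank lines
        tolower($1) == "match"  { exit }    # Match blocks apply conditionally
        tolower($1) == want     { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# check_sshd_hardening FILE EXPECTED_PORT -> 0 only if both settings are in effect
check_sshd_hardening() {
    local root port rc=0
    # Assumption: an unset PermitRootLogin is treated as "yes" (fail closed).
    root=$(effective_option "$1" PermitRootLogin yes)
    port=$(effective_option "$1" Port 22)
    if [ "$root" != "no" ]; then
        echo "FAIL: PermitRootLogin is '$root', expected 'no'"; rc=1
    fi
    if [ "$port" != "$2" ]; then
        echo "FAIL: Port is '$port', expected '$2'"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: root login disabled, Port $port"; fi
    return "$rc"
}

# Constructed sample files (not real server output).
before=$(mktemp); after=$(mktemp); shadowed=$(mktemp)
printf '%s\n' '#Port 22' 'PermitRootLogin without-password' \
    '# the setting of "PermitRootLogin without-password".' > "$before"
printf '%s\n' 'Port 2200' 'PermitRootLogin no' > "$after"
# Pitfall: "no" appended at the end while the earlier line is still active.
printf '%s\n' 'port 2200' 'PermitRootLogin without-password' \
    'PermitRootLogin no' > "$shadowed"

for f in "$before" "$after" "$shadowed"; do
    check_sshd_hardening "$f" 2200 || true
done
```

On a live server, `sudo sshd -t` validates the edited file before the restart and `sudo sshd -T` prints the settings sshd will actually use. Keep your current session open until a new login on the changed port succeeds.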

Step 11: Reboot

Now that we have updated the packages and configured the server, reboot it so that any pending changes are applied.

sudo reboot

Conclusion

In this tutorial, we have learned how to set up a sudo user on newly created CentOS 7 instances. We also saw how to set the timezone and hostname, harden the SSH server and update packages.
