Initial Server Setup With CentOS 6 _ DigitalOcean

Published on January 2017 | Categories: Documents | Downloads: 60 | Comments: 0 | Views: 325
4/17/2014 Initial Server Setup with CentOS 6 | DigitalOcean
https://www.digitalocean.com/community/articles/initial-server-setup-with-centos-6 1/9
Initial Server Setup with CentOS 6
Tagged In: Linux Basics, Cent Os
The Basics
When you first begin to access your fresh new virtual private server, there are a few early steps you should take to make it more secure. Some of
the first tasks can include setting up a new user, providing them with the proper privileges, and configuring SSH.
Step One—Root Login
Once you know your IP address and root password, log in as the main user, root.
Using root on a regular basis is discouraged, and this tutorial will help you set up an alternative user to log in with permanently.
ssh root@your_server_ip
The terminal will show:
The authenticity of host '69.55.55.20 (69.55.55.20)' can't be established.
ECDSA key fingerprint is 79:95:46:1a:ab:37:11:8e:86:54:36:38:bb:3c:fa:c0.
Are you sure you want to continue connecting (yes/no)?
Go ahead and type yes, and then enter your root password.
Step Two—Change Your Password
Currently your root password is the default one that was sent to you when you registered your droplet. The first thing to do is change it to one of
your choice.
passwd
CentOS is very cautious about the passwords it allows. After you type your password, you may see a BAD PASSWORD notice. You can either
set a more complex password or ignore the message—CentOS will not actually stop you from creating a short or simple password, although it will
advise against it.
Step Three— Create a New User
After you have logged in and changed your password, you will not need to log in to your VPS as root again. In this step we will make a new user,
with a new password, and give them all of the root capabilities.
First, create your user; you can choose any name for your user. Here I’ve suggested demo:
/usr/sbin/adduser demo
Second, create a new user password:
passwd demo
Step Four— Root Privileges
As of yet, only root has all of the administrative capabilities. We are going to give the new user the root privileges.
When you perform any root tasks with the new user, you will need to put “sudo” before the command. This is a helpful command for 2
reasons: 1) it prevents the user from making any system-destroying mistakes; 2) it stores all the commands run with sudo in the file ‘/var/log/secure’,
which can be reviewed later if needed.
Let’s go ahead and edit the sudo configuration. This can be done through the default editor, which in CentOS is called ‘vi’:
/usr/sbin/visudo
Find the section called user privilege specification.
It will look like this:
# User privilege specification
root ALL=(ALL) ALL
Under the details of root's privileges, add the following line, granting all the permissions to your new user.
To begin typing in vi, press “a”.
demo ALL=(ALL) ALL
Press Escape, :, w, q, then Enter to save and exit the file.
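Reviewing the sudo entries in /var/log/secure can be scripted. The following is an added example, not part of the original tutorial: it pulls the sudo records out of a log in that format and marks denied attempts. The sample lines, the host name and the guest account are constructed, and the field layout assumed is sudo's usual syslog format.

```shell
# Constructed sample in /var/log/secure format (not taken from a real host).
sample_secure_log() {
    cat <<'EOF'
Apr 17 10:15:02 yourname sshd[1201]: Accepted password for demo from 203.0.113.5 port 50314 ssh2
Apr 17 10:15:40 yourname sudo:     demo : TTY=pts/0 ; PWD=/home/demo ; USER=root ; COMMAND=/bin/vi /etc/ssh/sshd_config
Apr 17 10:16:11 yourname sudo:     demo : TTY=pts/0 ; PWD=/home/demo ; USER=root ; COMMAND=/etc/init.d/sshd reload
Apr 17 10:20:47 yourname sudo:    guest : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/guest ; USER=root ; COMMAND=/bin/cat /etc/shadow
EOF
}

# Print "user<TAB>run-as<TAB>status<TAB>command" for every sudo record.
# Reads the named log file, or standard input when no file is given.
sudo_audit() {  # usage: sudo_audit [LOGFILE]
    awk '
        $5 !~ /^sudo(\[[0-9]+\])?:$/ { next }     # keep sudo records only
        index($0, "COMMAND=") == 0   { next }     # skip lines with no command
        {
            user = $6
            denied = ($0 ~ /NOT in sudoers|incorrect password|command not allowed/)
            target = $0; sub(/.* USER=/, "", target); sub(/ ;.*/, "", target)
            cmd = $0; sub(/.*COMMAND=/, "", cmd)
            printf "%s\t%s\t%s\t%s\n", user, target, (denied ? "DENIED" : "ok"), cmd
        }
    ' "$@"
}

# Only the attempts sudo refused: the entries worth looking at first.
sudo_denied() {  # usage: sudo_denied [LOGFILE]
    sudo_audit "$@" | awk -F'\t' '$3 == "DENIED"'
}

sample_secure_log | sudo_audit
```

On the server the same functions take the real file, for example `sudo_audit /var/log/secure`, which root can read.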
Step Five— Configure SSH (OPTIONAL)
Now it’s time to make the server more secure. These steps are optional. They will make the server more secure by making login more
difficult.
Open the configuration file
sudo vi /etc/ssh/sshd_config
Find the following sections and change the information where applicable:
Port 25000
Protocol 2
PermitRootLogin no
UseDNS no
We’ll take these one by one.
Port: Although port 22 is the default, you can change this to any number between 1025 and 65536. In this example, I am using port 25000. Make
sure you make a note of the new port number. You will need it to log in in the future, and this change will make it more difficult for unauthorized
people to log in.
PermitRootLogin: change this from yes to no to stop future root logins. You will now only log in as the new user.
Add this line to the bottom of the document, replacing demo with your username:
AllowUsers demo
Save and Exit
Step Six— Reload and Done!
Reload SSH, and it will implement the new ports and settings.
/etc/init.d/sshd reload
To test the new settings (don’t log out of root yet), open a new terminal window and log in to your virtual server as your new user.
Don’t forget to include the new port number.
ssh -p 25000 demo@your_server_ip
May 22, 2012
Beginner
Your prompt should now say:
[demo@yourname ~]$
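Two lockouts reported in the comments below (a directive left commented out, and a firewall that only opens port 22) can be caught before the reload in Step Six. The shell functions here are an added example, not part of the original tutorial; the function names, messages and sample files are constructed for illustration, and only the first Port line and the global section of sshd_config are examined.

```shell
# Print the value of KEYWORD in FILE's global section: the first uncommented
# occurrence is reported, keywords are case-insensitive, and a line that is
# still "#Port 22" prints nothing (sshd then uses its default).
effective_value() {  # usage: effective_value FILE KEYWORD
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }   # global section ends here
        tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# Succeed if RULES (iptables-save format, as in /etc/sysconfig/iptables)
# accepts TCP PORT before the catch-all REJECT/DROP; rules match in order.
port_allowed() {  # usage: port_allowed RULES PORT
    awk -v port="$2" '
        /^:INPUT ACCEPT/ { open = 1 }     # default policy if nothing matches
        $1 != "-A" || $2 != "INPUT" { next }
        $0 ~ ("--dport " port "( |$)") && / -j ACCEPT/ { ok = 1; exit }
        /^-A INPUT -j (REJECT|DROP)/ { open = 0; exit }
        END { exit !(ok || open) }
    ' "$1"
}

# Print one line per Step Five setting not in effect; non-zero if any.
check_step_five() {  # usage: check_step_five SSHD_CONFIG RULES USER
    rc=0; port=$(effective_value "$1" Port)
    [ "$(effective_value "$1" PermitRootLogin)" = "no" ] ||
        { echo "PermitRootLogin is not set to no"; rc=1; }
    case " $(effective_value "$1" AllowUsers) " in
        *" $3 "*) ;;
        *) echo "AllowUsers does not list $3"; rc=1 ;;
    esac
    port_allowed "$2" "${port:-22}" ||
        { echo "firewall does not accept tcp port ${port:-22}"; rc=1; }
    return $rc
}

# Constructed sample files: Port changed, PermitRootLogin left commented,
# firewall still only opening port 22.
write_samples() {  # usage: write_samples DIR
    printf '%s\n' '#Port 22' 'Port 25000' '#PermitRootLogin yes' \
        'AllowUsers demo' > "$1/sshd_config"
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' \
        '-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT' \
        '-A INPUT -j REJECT --reject-with icmp-host-prohibited' 'COMMIT' \
        > "$1/iptables"
}
d=$(mktemp -d) && write_samples "$d"
check_step_five "$d/sshd_config" "$d/iptables" demo || echo "fix before reload"
```

On the server, point it at /etc/ssh/sshd_config and /etc/sysconfig/iptables, and run `sshd -t` as well so that syntax errors are caught before the reload.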
See More
As you start securing your droplet with SSH, you can continue to improve its security by installing programs, such as Fail2Ban or DenyHosts, to
protect the server against brute force attacks.
You can also find the tutorial to install the LAMP stack on the server here or the LEMP stack on the server here.
By Etel Sverdlov
31 Comments
rsongo over 1 year
If you set PermitRootLogin no, how are you gonna do # chkconfig vsftpd on ?
Reply
Moisey over 1 year
Setting SSH to not PermitRootLogin's just refers to logging in via password & ssh. Instead you will need to use SSH-keys which are much
more secure than just a root password; it will not affect anything else.
Reply
rsongo over 1 year
Thx
Reply
coreydbarrett about 1 year
I cannot sign in under my account I keep getting a connection refused what should I do?
Reply
Moisey about 1 year
Open up a support ticket and we'll troubleshoot it with you directly, probably just a typo or something small missing.
Reply
Edwin Ang about 1 year
I can't edit visudo. It seems to be encrypted. Any suggestion?
Reply
Edwin Ang about 1 year
Forget my previous post. I should execute visudo directly :)
Reply
Peter about 1 year
In CentOS 6.3 it is: root ALL=(ALL) ALL and not: root ALL=(ALL:ALL) ALL
Reply
desiredpersona about 1 year
Here is how to edit the sudo configuration. This should be added to the tutorial for new users like me. It took me awhile to figure this out!!!
Please see "Using the vi text editor" heading here: http://www.libre-software.net/sudo-on-centos-scientific-linux-and-rhel
Reply
desiredpersona about 1 year
Make sure to uncomment the new Port otherwise you will not be able to login as your new user.
Reply
linuxtechjason 9 months
You forget to mention that when you change options in the ssh config file that you also need to remove the comment mark (#) at the
beginning or it won't change anything. Also, maybe it's just me but the Esc -> Shift ZZ didn't work for me. But having used vi before I just
used ESC -> :wq! instead. Thanks for this tutorial. Removing the ability to login as root to ssh is a good thing. :-)
Reply
davidshockey 8 months
Good advice and good instructions. You may want to mention that if you have configured iptables you will have to allow ssh on the new
port. When you are sure that it is working, you will want to disable port 22.
Reply
mollamirzaee 6 months
Configure iptables for new port (CentOS 6.4): Edit /etc/sysconfig/iptables and add the following before COMMIT.
-A INPUT -m state --state NEW -m tcp -p tcp --dport -j ACCEPT
| OR |
system-config-firewall-tui Customize SSH Forward Add: Port : Protocol : tcp
Reply
eric 6 months
user was added and ssh port was changed, still able to login via root?
Reply
eric 6 months
never mind, all is well
Reply
Pablo of vDevices.com 6 months
In trying to learn how to navigate CentOS, I spun up my first CentOS droplet (v6.4). RE: Step Four I, for the life of me, can not find the
line that reads:
# User privilege specification
Has it been replaced with...?
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
Reply
Pablo of vDevices.com 6 months
Like @linuxtechjason, Esc + Shift + ZZ did not work for me, either; but Esc + : + w + q + Enter did. As an aside, how 'bout showing
the CentOS LEMP stack article some love by tossing a link to it near the LAMP stack link?
Reply
Kamal Nasser 5 months
@Pablo: Shift ZZ works fine on vim for me, I'll edit it and replace it with Esc :wq as it is always guaranteed to work. Added a link, thanks :]
Reply
melanie 4 months
I get to step Step Five— Configure SSH (OPTIONAL) and I don't see anything that looks like
Port 25000
Protocol 2
PermitRootLogin no
UseDNS no
what there is however is
Port 22
AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::
this is exactly what is there:
[root@mydomain ~]# sudo vi /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# Disable legacy (protocol version 1) support in the server for new
so this is on a droplet with CentOS 6.4 x64. Does this tutorial need to be updated? Please
advise here on how to configure SSH because it's not happening as per your tutorial
Reply
Kamal Nasser 4 months
@melanie: I believe appending the non-existent directives to the config file should work.
Reply
carlos 4 months
For some reason it does not work (after editing the config file, reloading, etc.) when I use any other port than 22. I have tried connecting
using the ssh client included on Mac OS X (Maverick) as well as ssh clients on the iPad and iPhone. All other instructions work well, but
the configuration of port to anything but 22 seems to be ignored by Centos. Weird, it makes sense otherwise. The ssh connection just times
out. And I haven't changed anything on Centos, this is a vanilla image, with just a couple of utilities gummed in.
Reply
Kamal Nasser 4 months
@carlos: Do you have any firewall rules in place? What's the output of
sudo iptables -L -n -v
?
Reply
carlos 4 months
Hi, Kamal
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3385 2130K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
1 84 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
7 520 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
12 580 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 1742 packets, 197K bytes)
pkts bytes target prot opt in out source destination
BTW: When I use the port directive in sshd_config, the directive DOES HAVE SOME EFFECT, because normal ssh through port 22
starts to timeout immediately after I reload sshd. But *connecting* through the new port doesn't work
Reply
Kamal Nasser 4 months
@carlos: You have your firewall set up to allow access to port 22 and drop all other packets. You have to allow access to the new port:
sudo iptables -D INPUT 5
sudo iptables -D INPUT 4
sudo iptables -P INPUT DROP
sudo iptables -I INPUT -p tcp --dport [new SSH port] -j ACCEPT
Save the new rules:
iptables-save | sudo tee /etc/sysconfig/iptables
sudo service iptables restart
Reply
Kamal Nasser 4 months
Make sure you do this through the Remote Console available from our control panel as you will temporarily not have access to the droplet
via SSH. Once you've updated the rules, go ahead and change the SSH port to whatever you want it to be.
Reply
techspecx 2 months
I have SSH keys installed and I can login fine with an SSH key but after I change the lines in the sshd_config it asks me for a password and I
do not use passwords. Could you help?
Reply
techspecx 2 months
This is the message I receive: Using username "root". Server refused our key. Before I configured the sshd_config I was able to use my key.
Reply
techspecx 2 months
I have not disabled root login
Reply
Kamal Nasser 2 months
@techspecx: What exactly have you changed in sshd_config?
Reply
Ricardo Parraga 2 months
Thanks for the article. This is a must when having servers facing the Internet. @ Pablo Thanks for the correction. I am having CentOS 6.5
x64 and had the same problem there on Step 4.: ## Allow root to run any commands anywhere root ALL=(ALL) ALL Also, Shift + ZZ
worked for me in "vi" editor. On Step 5: I always do a copy of the file in case I need to go back to it: cp /etc/ssh/sshd_config{,.bck} Then I
just edit the normal /etc/ssh/sshd_config file.
Reply
techspecx 29 days
@Kamal I changed everything according to the article. If I make those changes I cannot login with SSH and it asks me for a password.
Reply