[LINUX] Setting up a CentOS 7 server hosted on Alibaba Cloud ECS

This guide describes best practices for the initial setup of **CentOS 7** servers hosted on **Alibaba Cloud Elastic Compute Service (ECS)**.

Written by Alibaba Cloud Tech Share, Francis Ndungu. Tech Share is an Alibaba Cloud incentive program that encourages sharing of technical knowledge and best practices within the cloud community.

Alibaba Cloud Elastic Compute Service (ECS) provides a faster and more powerful way to run cloud applications compared to traditional physical servers. You can achieve great results for your cloud needs. With ECS, you can not only get more results with the latest generation CPUs, but also protect your instances from DDoS and Trojan horse attacks.

This guide describes best practices for provisioning CentOS 7 servers hosted on Alibaba Cloud Elastic Compute Service (ECS) instances.

Prerequisites

  1. A valid Alibaba Cloud account. If you don't have one yet, sign up for a free trial (https://www.alibabacloud.com/campaign/free-trial?spm=a2c65.11461447.0.0.58c15c52TxUkDC) and enjoy Alibaba Cloud products worth up to $300.
  2. An ECS instance running CentOS 7. You can choose your preferred region and configuration.
  3. The root password of the server.

Step 1: Connect to Alibaba Cloud CentOS 7 server

Find the Internet IP address (public IP address) associated with your Alibaba Cloud ECS instance.

If you're running Linux or Mac, use a terminal application to connect to your instance via SSH. If you are using Windows, you can use PuTTY (Download here (https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html?spm=a2c65.11461447.0.0.58c15c52TxUkDC)) to connect to the server. To log in via SSH, you need to enter the IP address, user name, and password that you set when you created the Alibaba Cloud ECS instance.

There are other ways to connect to your ECS instance. See ECS Official Documents for more information.

Step 2: Change the host name of the CentOS 7 server

The host name is the default identifier when communicating with the Linux server. It's like the computer name associated with your home PC or laptop. Having a descriptive host name for your CentOS 7 server can help you distinguish between machines, especially if you are running multiple machines.

To get started, make sure your CentOS 7 system is up to date by typing the following command:

$ sudo yum update

To check the host name, enter the following command in a terminal window.

$ hostname

To change the host name, you need to install the nano text editor with the following command.

$ sudo yum install nano

Then edit the /etc/cloud/cloud.cfg file and find the preserve_hostname entry. Change its value from false to true so that cloud-init does not overwrite the host name on the next boot. The file is YAML, so keep the colon after the key:

$ sudo nano /etc/cloud/cloud.cfg
preserve_hostname: true

Press CTRL + X, Y and then Enter to exit and save your changes.

Then enter the following command to edit the /etc/hostname file using the nano editor.

$ sudo nano /etc/hostname

Overwrite the current host name at the top of the file, press CTRL + X, Y, then press Enter to save your changes.

You also need to add some entries to the Linux hosts file. Open the file using a text editor.

$ sudo nano /etc/hosts

You need to add two entries just below the 127.0.0.1 localhost entry in this file. The first entry uses the loopback address 127.0.1.1. Note that this is different from 127.0.0.1, which is mapped to 'localhost' in the same file.

Assuming the server's public IP address is 111.111.111.111 and the host name is miami, the top of the /etc/hosts file should look like this:

127.0.0.1 localhost
127.0.1.1 miami
111.111.111.111 miami

Enter the following command to restart your Alibaba Cloud ECS instance for the changes to take effect.

$ sudo reboot
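As an added example that is not part of the original article, the three file edits of this step as shell functions that operate on a copy of /etc under a scratch directory, so they can be rehearsed before touching the real system. The scratch tree, the host name miami and the address 111.111.111.111 are the article's sample values or assumptions; on a real server the functions would run with sudo against ROOT=/.

```shell
#!/bin/sh
# Added example, not from the original article: the Step 2 edits as functions that
# operate on ROOT/etc, so they can be rehearsed on a scratch tree first. Running them
# with sudo against ROOT=/ on a real server is an assumption; the article edits by hand.

# set_preserve_hostname ROOT: make cloud-init keep the host name across reboots.
# cloud.cfg is YAML, so the key needs a colon: "preserve_hostname: true".
set_preserve_hostname() {
    cfg="$1/etc/cloud/cloud.cfg"
    if grep -q '^preserve_hostname:' "$cfg"; then
        sed -i 's/^preserve_hostname:.*/preserve_hostname: true/' "$cfg"
    else
        printf 'preserve_hostname: true\n' >> "$cfg"
    fi
}

# set_hostname ROOT NAME: replace the single line in ROOT/etc/hostname.
set_hostname() {
    printf '%s\n' "$2" > "$1/etc/hostname"
}

# add_hosts_entries ROOT NAME IP: append the 127.0.1.1 and public-IP lines after the
# existing entries, skipping any line already present so that re-runs are harmless.
add_hosts_entries() {
    hosts="$1/etc/hosts"
    for entry in "127.0.1.1 $2" "$3 $2"; do
        grep -qxF "$entry" "$hosts" || printf '%s\n' "$entry" >> "$hosts"
    done
}

# Constructed scratch tree standing in for the real /etc (sample values, not a live host).
ROOT=$(mktemp -d)
mkdir -p "$ROOT/etc/cloud"
printf 'preserve_hostname: false\n' > "$ROOT/etc/cloud/cloud.cfg"
printf 'old-hostname\n' > "$ROOT/etc/hostname"
printf '127.0.0.1 localhost\n' > "$ROOT/etc/hosts"

set_preserve_hostname "$ROOT"
set_hostname "$ROOT" miami
add_hosts_entries "$ROOT" miami 111.111.111.111
add_hosts_entries "$ROOT" miami 111.111.111.111   # second run adds nothing
cat "$ROOT/etc/hosts"
```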

Step 3: Set the time zone on the CentOS 7 server

You can check the default date and time zone of Alibaba Cloud CentOS 7 server by entering the following command.

$ timedatectl 

Setting the correct time zone matters especially if you run cron jobs on the CentOS 7 server, because they depend on the system date and time. To change the time zone, use the following command, replacing <timezone> with the zone you want:

$ sudo timedatectl set-timezone <timezone>

For example, to set the server time zone to London, use the following command:

$ sudo timedatectl set-timezone Europe/London

You can run the date command to see if the change was successful.

$ date

Step 4: Create a non-root user with Sudo privileges on CentOS 7

Many problems can occur when you log in to a CentOS 7 server as the root user. For example, a simple 'rm' command run with the wrong arguments can erase all the data on a production server.

Therefore, you need to create a non-root user with sudo privileges. If desired, you can use the sudo command to temporarily elevate privileges.

To create a user, use the following command.

$ sudo adduser <username>

For example, to add a user identified as james to the server, use the following command:

$ sudo adduser james

Then assign a password to the user created above.

$ sudo passwd james

You will be prompted to enter the user's password.

Then you need to add the user to the wheel group to assign the ability to perform administrative tasks with the sudo command by typing:

$ sudo gpasswd -a james wheel

Don't forget to replace james with the correct username of your choice.

Step 5: Create an authentication key pair to log in to the CentOS 7 server

Using a private/public key pair to log in to a CentOS 7 server is more secure than using a password. In this mode, the private key is kept on the local computer and the public key is kept under the .ssh/authorized_keys file on the Alibaba Cloud server.

With this method, data sent from the server is encrypted with the public key and can only be decrypted with the matching private key, which only you hold. Keys used this way cannot be guessed even by a determined attacker. You can also protect your private key with a passphrase to add another layer of security in case it falls into the wrong hands.

You can use a tool like PuTTY Key Generator to generate a private/public key pair.

Make sure you are logged in as the user who will own the key. Also, do not run the following commands with 'sudo'.

On the CentOS 7 server, create the .ssh directory in that user's home directory:

$ mkdir ~/.ssh

Then use the nano editor to type and paste your public key into the authorized_keys file.

$ nano ~/.ssh/authorized_keys

Protect the file by entering the following command:

$ chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys

Once the key is in place, you can log in to the CentOS 7 server over SSH with the username you created and the matching private key.

Step 6: Disable password authentication on the CentOS 7 server

Once you have set up your private/public key pair, disable password-based login. This ensures that only holders of the correct private key can access your CentOS 7 server.

To do this, edit the SSH configuration file with the following command:

$ sudo nano /etc/ssh/sshd_config

Find the "PasswordAuthentication" line and change the value from "yes" to "no".

PasswordAuthentication no

Restart the SSH daemon.

$ sudo service sshd restart

Step 7: Disable SSH root access on the CentOS 7 server

After creating a non-root user with sudo privileges and password login disabled, disable root login via SSH. This will prevent anyone from logging in to the CentOS 7 server via SSH using the root username.

Administrative work from this point on will be done by a non-root user with sudo privileges.

To disable root access via SSH, edit the SSH configuration file in the nano editor, look for the PermitRootLogin directive, and change its value from yes to no.

$ sudo nano /etc/ssh/sshd_config
PermitRootLogin no

For the changes to take effect, restart the SSH daemon by typing the following command:

$ sudo service sshd restart
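Before restarting sshd in Steps 6 and 7, it is worth checking which value the daemon will actually use: sshd honours the first uncommented occurrence of a keyword, so a `no` appended at the bottom of the file is ignored if an earlier line still says `yes`. The following check is an added example, not part of the original article; the two configuration files it parses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: check which value sshd will actually
# use for PasswordAuthentication and PermitRootLogin before restarting the daemon.
# sshd takes the FIRST uncommented occurrence of a keyword, so a "no" appended at the
# end of sshd_config is silently ignored when an earlier line still says "yes".
# Simplification: Match blocks and the "Keyword=value" spelling are not handled.

# effective_value FILE KEYWORD: first uncommented value (lower-cased), or "unset"
# when the keyword never appears and sshd's compiled-in default applies.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# audit_sshd FILE: succeed only when both directives are explicitly and effectively "no".
audit_sshd() {
    pw=$(effective_value "$1" PasswordAuthentication)
    root=$(effective_value "$1" PermitRootLogin)
    [ "$pw" = "no" ] && [ "$root" = "no" ]
}

# Constructed config: the edits at the bottom look right, but the earlier
# "PasswordAuthentication yes" wins, which is exactly what the check catches.
BAD_CFG=$(mktemp)
cat > "$BAD_CFG" <<'EOF'
#PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
PasswordAuthentication no
EOF

# Constructed config edited as in Steps 6 and 7.
GOOD_CFG=$(mktemp)
cat > "$GOOD_CFG" <<'EOF'
PasswordAuthentication no
PermitRootLogin no
EOF

for f in "$BAD_CFG" "$GOOD_CFG"; do
    if audit_sshd "$f"; then echo "$f: hardened"; else echo "$f: NOT hardened"; fi
done
```

On the server itself, `audit_sshd /etc/ssh/sshd_config` runs the same check, and `sudo sshd -T | grep -Ei 'passwordauthentication|permitrootlogin'` prints the daemon's own view of the effective settings.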

Step 8: Install a firewall on your CentOS 7 server

On CentOS 7, you can manage iptables rules with a tool called UFW (Uncomplicated Firewall). UFW aims to simplify iptables configuration, especially for beginners who are new to the Linux environment. Note that CentOS 7 ships with firewalld enabled by default; use either firewalld or UFW, not both, so that two tools do not manage the same iptables rules.

UFW is a good way to add a further layer of security to your CentOS 7 server running on Alibaba Cloud.

You can install it using the following command.

$ sudo yum install ufw

Then enter the following commands to deny all incoming connections and allow all outgoing connections by default.

$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing

You can use the following UFW commands to allow traffic to specific ports and services.

$ sudo ufw allow <port or service>

To avoid locking yourself out of the CentOS 7 server, the first rule you add must allow SSH connections on port 22.

To do this, add the rule by entering the following command:

$ sudo ufw allow 22

Or

$ sudo ufw allow ssh

Also, if you are operating a web server, enable the http and https ports.

$ sudo ufw allow http
$ sudo ufw allow https

After whitelisting the service, run the following command to start UFW.

$ sudo ufw enable

To delete a rule you have created, first list the rules with their numbers and then delete the one you want by number:

$ sudo ufw status numbered
$ sudo ufw delete <number>

Here <number> is the rule number shown in the numbered list.

Before checking the rule list, make sure UFW is enabled.

You can disable UFW at any time by entering the following command:

$ sudo ufw disable

Alternatively, enter the following command to reset all rules:

$ sudo ufw reset

Step 9: Install Fail2Ban on CentOS 7 server

Fail2Ban is a tool that uses iptables to add another layer of security to your CentOS 7 server. It bans the source address of a client after a configured number of failed login attempts.

To install Fail2Ban, enter the following command:

$ sudo yum install fail2ban

The server can be used with the default Fail2Ban settings, but you can edit the configuration files as needed. All Fail2Ban configuration files are located in the /etc/fail2ban/ directory.

By default, the .conf file is read first, followed by the .local file. Therefore, if you want to override the settings, you need to make changes to the .local file and leave the .conf file in place.

For example, you can use the following command to make a copy of the jail.conf file and create a local file for editing.

$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

After that, you can change the Fail2Ban settings by editing the new file with the following command.

$ sudo nano /etc/fail2ban/jail.local

In most cases, you will adjust the settings for the SSH jail: the ban duration (bantime), the window in which failures are counted (findtime), and the number of failed attempts allowed before a ban (maxretry). The right values depend on the level of security required for your CentOS 7 server.
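To make the .conf/.local layering concrete, the following added example (not from the original article or from Fail2Ban itself) resolves a jail setting the way Fail2Ban does: jail.local overrides jail.conf, and a key missing from the jail's own section falls back to [DEFAULT]. The two configuration files are constructed copies with assumed values; bantime, findtime, maxretry and enabled are real Fail2Ban options.

```shell
#!/bin/sh
# Added example, not from the original article: resolve a Fail2Ban setting the way the
# .conf/.local layering does, on constructed jail.conf and jail.local files in a scratch
# directory. Option names are real Fail2Ban options; the values are assumptions.

# ini_value FILE SECTION KEY: print the value of "KEY = value" inside [SECTION].
ini_value() {
    awk -v sect="$2" -v key="$3" '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        /^\[.*\]$/ { cur = substr($0, 2, length($0) - 2); next }
        cur == sect && $1 == key && $2 == "=" { val = $3 }
        END { if (val != "") print val }
    ' "$1"
}

# f2b_effective DIR SECTION KEY: jail.local overrides jail.conf, and a key missing
# from the jail's own section falls back to [DEFAULT] in the same order.
f2b_effective() {
    for s in "$2" DEFAULT; do
        for f in "$1/jail.local" "$1/jail.conf"; do
            v=$(ini_value "$f" "$s" "$3")
            if [ -n "$v" ]; then printf '%s\n' "$v"; return 0; fi
        done
    done
    return 1
}

# Constructed copies: jail.conf as shipped, jail.local holding only the overrides.
DIR=$(mktemp -d)
cat > "$DIR/jail.conf" <<'EOF'
[DEFAULT]
bantime  = 600
findtime = 600
maxretry = 5

[sshd]
port    = ssh
logpath = %(sshd_log)s
EOF
cat > "$DIR/jail.local" <<'EOF'
[DEFAULT]
bantime = 3600
[sshd]
enabled  = true
maxretry = 3
EOF
for k in enabled bantime findtime maxretry; do
    printf '%-8s = %s\n' "$k" "$(f2b_effective "$DIR" sshd "$k")"
done
```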

Summary

That's it. You have successfully provisioned a CentOS 7 server running on Alibaba Cloud Elastic Compute Service (ECS) (https://www.alibabacloud.com/ja/product/ecs). This is not a definitive list of Linux security measures to take when setting up a server, but it can keep hackers away, especially if you are just starting out with ECS. You can now install a web server and database server to run your website or web application. Did you enjoy reading the tutorial?

New to Alibaba Cloud? Sign up for an account and try 40+ products for free. Or see Getting Started with Alibaba Cloud (https://www.alibabacloud.com/getting-started?spm=a2c65.11461447.0.0.58c15c52TxUkDC).
