This guide describes best practices for the initial setup of **CentOS 7** servers hosted on **Alibaba Cloud Elastic Compute Service (ECS)**.
Written by Alibaba Cloud Tech Share, Francis Ndungu. Tech Share is an Alibaba Cloud incentive program that encourages sharing of technical knowledge and best practices within the cloud community.
Alibaba Cloud Elastic Compute Service (ECS) provides a faster and more powerful way to run cloud applications than traditional physical servers. ECS instances run on the latest generation of CPUs, and the platform also protects your instances from DDoS and Trojan horse attacks.
This guide describes best practices for provisioning CentOS 7 servers hosted on Alibaba Cloud Elastic Compute Service (ECS) instances.
Find the Internet IP address (public IP address) associated with your Alibaba Cloud ECS instance.
If you're running Linux or Mac, use a terminal application to connect to your instance via SSH. If you are using Windows, you can use PuTTY (Download here (https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html?spm=a2c65.11461447.0.0.58c15c52TxUkDC)) to connect to the server. To log in via SSH, you need the IP address, user name, and password that you set when you created the Alibaba Cloud ECS instance.
There are other ways to connect to your ECS instance. See the official ECS documentation for more information.
The host name is the default identifier when communicating with the Linux server. It's like the computer name associated with your home PC or laptop. Having a descriptive host name for your CentOS 7 server can help you distinguish between machines, especially if you are running multiple machines.
To get started, make sure your CentOS 7 system is up to date by typing the following command:
$ sudo yum update
To check the host name, enter the following command in a terminal window.
$ hostname
To change the host name you need a text editor; this guide uses nano, which you can install with the following command.
$ sudo yum install nano
Then edit the /etc/cloud/cloud.cfg file and find the preserve_hostname entry. Change its value from false to true so that cloud-init does not overwrite the host name again on the next boot.
$ sudo nano /etc/cloud/cloud.cfg
preserve_hostname: true
Press CTRL + X, Y and then Enter to exit and save your changes.
Then enter the following command to edit the /etc/hostname file using the nano editor.
$ sudo nano /etc/hostname
Overwrite the current host name at the top of the file, press CTRL + X, Y, then press Enter to save your changes.
You also need to add some entries to the Linux hosts file. Open the file using a text editor.
$ sudo nano /etc/hosts
You need to add two entries just below the 127.0.0.1 localhost entry in this file. The first entry you add uses the loopback address 127.0.1.1. Note that this is different from 127.0.0.1, which is mapped to 'localhost' in the same file.
Assuming the server's public IP address is 111.111.111.111 and the host name is miami, the top of the /etc/hosts file should look like this:
127.0.0.1 localhost
127.0.1.1 miami
111.111.111.111 miami
Enter the following command to restart your Alibaba Cloud ECS instance for the changes to take effect.
$ sudo reboot
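A typo in /etc/hosts is easy to make and hard to spot, so it is worth validating the address and host name before writing the entries. The script below is an added example and not part of the original article: it builds the three entries shown above for a given host name and public address, and refuses to print anything if the address is malformed (for instance, five octets instead of four) or the host name contains characters a DNS label may not. The host name miami and the address 203.0.113.10 are constructed sample values.

```shell
# Added example, not from the original article: validate a host name and a
# public IPv4 address, then print the three /etc/hosts entries described above.
# "miami" and 203.0.113.10 are constructed sample values.

# Return 0 if $1 is a dotted-quad IPv4 address with exactly four octets in 0..255.
valid_ipv4() {
    local ip="$1" oldifs="$IFS" octet
    case "$ip" in
        ""|.*|*.|*..*|*[!0-9.]*) return 1 ;;    # empty, stray dots, or non-digits
    esac
    IFS='.'; set -- $ip; IFS="$oldifs"          # split on dots (input is digits/dots only)
    [ "$#" -eq 4 ] || return 1                   # catches a five-octet typo
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if $1 is a valid host name label: letters, digits and hyphens,
# not starting or ending with a hyphen, at most 63 characters.
valid_hostname() {
    local name="$1"
    [ -n "$name" ] && [ "${#name}" -le 63 ] || return 1
    case "$name" in
        -*|*-|*[!A-Za-z0-9-]*) return 1 ;;
    esac
    return 0
}

# Print the entries the article places at the top of /etc/hosts for host name
# $1 and public address $2, printing nothing if either value is invalid.
hosts_entries() {
    local name="$1" ip="$2"
    valid_hostname "$name" || { echo "invalid host name: $name" >&2; return 1; }
    valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
    printf '127.0.0.1 localhost\n127.0.1.1 %s\n%s %s\n' "$name" "$ip" "$name"
}

# Demo on the constructed values; on a real server review the output first,
# then insert it into /etc/hosts with sudo.
hosts_entries miami 203.0.113.10
hosts_entries miami 203.0.113.10.7 || echo "rejected: five octets" >&2
```

Run it as a normal user; it only prints, so nothing on the system changes until you copy the lines into /etc/hosts yourself.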
You can check the default date and time zone of Alibaba Cloud CentOS 7 server by entering the following command.
$ timedatectl
If you run cron jobs on the CentOS 7 server, it is especially important to set the correct time zone, because cron schedules depend on the system date and time. To change the time zone, use the following command.
$ sudo timedatectl set-timezone
For example, to set the server time zone to London, use the following command:
$ sudo timedatectl set-timezone Europe/London
You can run the date command to see if the change was successful.
$ date
There are many issues that can occur when logging in to a CentOS 7 server as the root user. For example, passing the wrong parameters to a simple 'rm' command can erase the entire production server's data.
Therefore, you need to create a non-root user with sudo privileges. If desired, you can use the sudo command to temporarily elevate privileges.
To create a user, use the following command.
$ sudo adduser
For example, to add a user identified as james to the server, use the following command:
$ sudo adduser james
Then assign a password to the user created above.
$ sudo passwd james
You will be prompted to enter the user's password.
Then you need to add the user to the wheel group to assign the ability to perform administrative tasks with the sudo command by typing:
$ sudo gpasswd -a james wheel
Don't forget to replace james with the correct username of your choice.
Using a private/public key pair to log in to a CentOS 7 server is more secure than using a password. In this mode, the private key is kept on the local computer and the public key is kept in the .ssh/authorized_keys file on the Alibaba Cloud server.
This technology encrypts the data sent from the server via the public key, allowing the user to decrypt it using the correct private key that only you know. Keys used in this way cannot be guessed by even the most skilled attackers. You can also protect your private key with a passphrase to add another layer of security in case it falls into the wrong hands.
You can use a tool such as PuTTY Key Generator (PuTTYgen) to generate a private/public key pair.
Make sure you are logged in as the user who will use the key. Also, do not run the following commands with 'sudo'.
On the CentOS 7 server, first create the directory that will hold the public key.
$ mkdir ~/.ssh
Then use the nano editor to paste your public key into the authorized_keys file.
$ nano ~/.ssh/authorized_keys
Restrict the permissions on the directory and the file by entering the following command:
$ chmod 700 -R ~/.ssh && chmod 600 ~/.ssh/authorized_keys
Once the key is in place, you can log in to the CentOS 7 server over SSH with that username and the matching private key.
Once you have set up your private/public key pair, disable password-based login. This ensures that only those with the correct private key can access the CentOS 7 server.
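The manual steps above (create .ssh, paste the key, fix the permissions) are easy to get slightly wrong, and sshd with its default StrictModes setting ignores authorized_keys when the file or directory is writable by other users. The script below is an added example, not code from the article: it installs a key line idempotently with the modes sshd expects and refuses input that does not look like an OpenSSH public-key line. The key blob, comment and temporary home directory in the demo are constructed and not a real key.

```shell
# Added example, not from the original article: install a public key the way the
# article does by hand, but idempotently and with the modes sshd requires. The
# demo home directory and key line at the bottom are constructed (not a real key).

# Return 0 if $1 is a single OpenSSH public-key line: a known key type, a
# base64 blob, and an optional comment, separated by whitespace.
valid_pubkey_line() (
    set -f                      # no globbing while the line is split into words
    set -- $1
    case "$1" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    [ -n "$2" ] || return 1
    case "$2" in *[!A-Za-z0-9+/=]*) return 1 ;; esac
    return 0
)

# Append key line $2 to $1/.ssh/authorized_keys unless it is already there,
# creating the directory (mode 700) and the file (mode 600) as needed.
install_authorized_key() {
    local home="$1" key="$2" dir file
    dir="$home/.ssh"; file="$dir/authorized_keys"
    valid_pubkey_line "$key" || { echo "refusing to install malformed key line" >&2; return 1; }
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$file" && chmod 600 "$file" || return 1
    # -F -x: exact whole-line match, so a key that is a prefix of another is
    # not mistaken for a duplicate
    if ! grep -qFx -- "$key" "$file"; then
        printf '%s\n' "$key" >> "$file"
    fi
}

# Print the octal mode of a path (GNU stat, falling back to BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Demo on a throwaway directory; a real run would pass "$HOME" and the key
# line copied from your local machine.
demo_home=$(mktemp -d)
demo_key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEV4YW1wbGVLZXlOb3RSZWFs constructed-sample@example.invalid'
install_authorized_key "$demo_home" "$demo_key"
install_authorized_key "$demo_home" "$demo_key"   # second call is a no-op
echo "entries: $(wc -l < "$demo_home/.ssh/authorized_keys"), .ssh mode: $(mode_of "$demo_home/.ssh"), file mode: $(mode_of "$demo_home/.ssh/authorized_keys")"
```

Because the check is a whole-line match, running the script twice with the same key leaves a single entry, which is what you want when re-running a provisioning script.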
To do this, edit the SSH configuration file with the following command:
$ sudo nano /etc/ssh/sshd_config
Find the "PasswordAuthentication" line and change the value from "yes" to "no".
PasswordAuthentication no
Restart the SSH daemon.
$ sudo service sshd restart
After creating a non-root user with sudo privileges and password login disabled, disable root login via SSH. This will prevent anyone from logging in to the CentOS 7 server via SSH using the root username.
Administrative work from this point on will be done by a non-root user with sudo privileges.
To disable root access via SSH, edit the SSH configuration file in the nano editor, look for the PermitRootLogin directive, and change its value from yes to no.
$ sudo nano /etc/ssh/sshd_config
PermitRootLogin no
For the changes to take effect, restart the SSH daemon by typing the following command:
$ sudo service sshd restart
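Both edits above rely on the edited line being the one sshd actually reads, and sshd_config(5) states that for each keyword the first obtained value is used. Appending "PermitRootLogin no" at the end of a file that still contains an earlier "PermitRootLogin yes" therefore changes nothing. The script below is an added example, not from the article: sshd_effective reports the value sshd will use for a keyword (first uncommented occurrence, stopping at any Match block because directives there are conditional), and check_ssh_hardening verifies both directives from the steps above. It assumes keyword and value are separated by whitespace; the config text at the bottom is constructed for the demo.

```shell
# Added example, not from the original article: report the value sshd actually
# uses for a directive. Per sshd_config(5) the first obtained value for a
# keyword wins, so a line appended at the end does not override an earlier one.
# Directives inside a Match block are conditional, so this reader stops there.
# Keyword and value are assumed to be whitespace-separated; the config text
# at the bottom is constructed.

# Print the effective value of keyword $1 in file $2 (keywords are matched
# case-insensitively); print nothing if the keyword is not set globally.
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }              # comment or blank line
        tolower($1) == "match"   { exit }              # conditional section begins
        tolower($1) == key       { print $2; exit }    # first occurrence wins
    ' "$2"
}

# Return 0 only if both hardening directives from the article are in effect.
check_ssh_hardening() {
    local cfg="$1" pw root status=0
    pw=$(sshd_effective PasswordAuthentication "$cfg")
    root=$(sshd_effective PermitRootLogin "$cfg")
    [ "$pw" = no ]   || { echo "PasswordAuthentication is '${pw:-unset}', expected no" >&2; status=1; }
    [ "$root" = no ] || { echo "PermitRootLogin is '${root:-unset}', expected no" >&2; status=1; }
    return "$status"
}

# Constructed sample in which the new directive was appended instead of
# replacing the original line, so root login is still permitted.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
PermitRootLogin yes
#PasswordAuthentication yes
PasswordAuthentication no
PermitRootLogin no
EOF
echo "PermitRootLogin in effect: $(sshd_effective PermitRootLogin "$demo_cfg")"
check_ssh_hardening "$demo_cfg" || echo "fix the first PermitRootLogin line, then run: sudo sshd -t && sudo systemctl restart sshd" >&2
```

On the server, run check_ssh_hardening against /etc/ssh/sshd_config before restarting the daemon, and use `sudo sshd -t` to catch syntax errors so a restart does not leave you without SSH access.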
In CentOS 7, you can manage iptables using a tool called UFW (Uncomplicated Firewall). UFW is a tool aimed at simplifying iptables setup, especially for beginners who are new to the Linux environment. Note that a stock CentOS 7 image uses firewalld as its default firewall front-end and the ufw package is not in the base repositories, so the installation below may require an additional repository such as EPEL.
UFW is a good way to add additional security to your CentOS 7 server running on Alibaba Cloud.
You can install it using the following command.
$ sudo yum install ufw
Then enter the following commands to deny all incoming connections and allow all outgoing connections by default.
$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing
You can use the following UFW commands to allow traffic to specific ports and services.
$ sudo ufw allow
To avoid locking yourself out of the CentOS 7 server, the first port/service you allow in UFW should be SSH, which listens on port 22.
To do this, add the rule by entering the following command:
$ sudo ufw allow 22
Or
$ sudo ufw allow ssh
Also, if you are operating a web server, enable the http and https ports.
$ sudo ufw allow http
$ sudo ufw allow https
After allowing the services you need, run the following command to enable UFW.
$ sudo ufw enable
You can delete a rule you created by first listing the rules with their numbers and then deleting the rule by number with the following commands.
$ sudo ufw status numbered
$ sudo ufw delete
Where
Before checking the rule list, make sure UFW is enabled.
You can disable UFW at any time by entering the following command:
$ sudo ufw disable
Alternatively, reset all rules with the following command.
$ sudo ufw reset
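Rule numbers shift as rules are removed, so when you delete several rules by number you must work from the highest number down, or the later numbers will point at the wrong rules. The helper below is an added example, not from the article: it parses the output of `ufw status numbered` (the sample text is constructed in the format ufw prints, including the IPv6 twins ufw adds for each rule) to find every rule whose To column matches a port or service, and prints the corresponding `sudo ufw delete` commands in the safe order. It only prints the commands; nothing is deleted.

```shell
# Added example, not from the original article: find rule numbers in the output
# of "ufw status numbered" and plan their deletion highest-first, because ufw
# renumbers the remaining rules after every delete. The status text below is a
# constructed sample in the format ufw prints; nothing here runs ufw itself.

# Print the rule numbers (highest first) whose "To" column is $1 or its IPv6
# twin "$1 (v6)", reading "ufw status numbered" output on stdin.
ufw_rule_numbers() {
    awk -v want="$1" '
        /^\[ *[0-9]+]/ {
            n = $0; sub(/^\[ */, "", n); sub(/].*/, "", n)         # number inside [ ]
            rest = $0; sub(/^\[ *[0-9]+] */, "", rest)
            split(rest, col, /  +/)                                 # columns are 2+ spaces apart
            if (col[1] == want || col[1] == want " (v6)") print n
        }' | sort -rn
}

# Print the delete commands for rule $1 in the order that keeps the remaining
# numbers valid; pipe "ufw status numbered" output into this function.
ufw_delete_plan() {
    ufw_rule_numbers "$1" | while read -r n; do
        printf 'sudo ufw delete %s\n' "$n"
    done
}

# Constructed sample of "sudo ufw status numbered" output.
sample_status='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 443/tcp                    ALLOW IN    Anywhere
[ 4] 22 (v6)                    ALLOW IN    Anywhere (v6)
[ 5] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 443/tcp (v6)               ALLOW IN    Anywhere (v6)'

# On a live server: sudo ufw status numbered | ufw_delete_plan 80/tcp
printf '%s\n' "$sample_status" | ufw_delete_plan 80/tcp
```

For the sample above the plan is `sudo ufw delete 5` followed by `sudo ufw delete 2`; if you deleted rule 2 first, the old rule 5 would have become rule 4 and the second command would remove the wrong rule.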
Fail2Ban is a tool that leverages iptables to add another layer of security to your CentOS 7 server. Fail2Ban blocks clients that exceed a configured number of failed login attempts.
To install Fail2Ban, enter the following command:
$ sudo yum install fail2ban
The server can be used with the default Fail2Ban settings, but you can edit and change the configuration files as needed. All Fail2Ban configuration files are located in the /etc/fail2ban/ directory.
By default, the .conf file is read first, followed by the .local file. Therefore, if you want to override the settings, you need to make changes to the .local file and leave the .conf file in place.
For example, you can use the following command to make a copy of the jail.conf file and create a local file for editing.
$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
After that, you can change the Fail2Ban settings by editing the new file with the following command.
$ sudo nano /etc/fail2ban/jail.local
In most cases, you will adjust the SSH jail's ban duration, the time window in which failed attempts are counted, and the number of retries allowed. This all depends on the level of security required for your CentOS 7 server.
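The layering rule described above (jail.conf read first, jail.local applied on top, with the [DEFAULT] section supplying fallback values for every jail) is easy to misjudge when a key appears in more than one place. The script below is an added example, not part of the article: write_sshd_override writes a jail.local that enables the sshd jail and sets bantime, findtime and maxretry (the Fail2Ban option names for the ban duration, the window in which failures are counted, and the allowed retries), and f2b_effective resolves the value Fail2Ban will use for an option by reading the files in order. The jail.conf stand-in is a constructed fragment in a temporary directory, not the distribution file.

```shell
# Added example, not from the original article: resolve the value Fail2Ban will
# use for a jail option, reading jail.conf first and jail.local second so a key
# in jail.local overrides the same key in jail.conf, and falling back to the
# [DEFAULT] section as Fail2Ban does. The config files are constructed in a
# temporary directory; on a real server they live in /etc/fail2ban.

# Print the effective value of option $2 for jail [$1] across the files named
# by $3...; later files override earlier ones, and [DEFAULT] supplies the value
# when the jail section does not set it. Prints nothing if the option is unset.
f2b_effective() {
    local section="$1" key="$2"; shift 2
    awk -v section="$section" -v key="$key" '
        FNR == 1 { cur = "" }                               # new file: no current section yet
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }                # comment or blank line
        /^[ \t]*\[/ { cur = $0; gsub(/^[ \t]*\[|].*$/, "", cur); next }
        cur == section || cur == "DEFAULT" {
            k = $0; sub(/=.*$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key && index($0, "=")) {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
                if (cur == section) found = v; else dflt = v
            }
        }
        END { if (found != "") print found; else if (dflt != "") print dflt }
    ' "$@"
}

# Write the override the article points you to: enable the sshd jail and set
# the ban duration, the window in which failures are counted, and the number
# of failures allowed (times in seconds).
write_sshd_override() {
    cat > "$1/jail.local" <<EOF
[sshd]
enabled = true
bantime = $2
findtime = $3
maxretry = $4
EOF
}

demo_dir=$(mktemp -d)
# Constructed stand-in for the much larger distribution jail.conf.
cat > "$demo_dir/jail.conf" <<'EOF'
[DEFAULT]
bantime = 600
findtime = 600
maxretry = 5

[sshd]
port = ssh
logpath = %(sshd_log)s
EOF
write_sshd_override "$demo_dir" 3600 600 3
for opt in enabled bantime findtime maxretry; do
    echo "sshd $opt = $(f2b_effective sshd "$opt" "$demo_dir/jail.conf" "$demo_dir/jail.local")"
done
```

With the files above, maxretry resolves to 3 (jail.local wins over the [DEFAULT] value of 5) while findtime stays 600 because the override repeats the default. On a real server, pass /etc/fail2ban/jail.conf and /etc/fail2ban/jail.local to f2b_effective to confirm a change before restarting Fail2Ban.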
That's it. You have successfully provisioned a CentOS 7 server running on Alibaba Cloud Elastic Compute Service (https://www.alibabacloud.com/ja/product/ecs) (ECS). This is not a definitive list of Linux security measures to take when setting up a server, but it can keep hackers away, especially if you are just starting out with ECS. You can now install a web server and database server to run your website or web application. Did you enjoy reading the tutorial?
New to Alibaba Cloud? Sign up for an account and try 40+ products for free. Or see Getting Started with Alibaba Cloud (https://www.alibabacloud.com/getting-started?spm=a2c65.11461447.0.0.58c15c52TxUkDC).
This blog is a translation from the English version. You can check the original from here. We use some machine translation. We would appreciate it if you could point out any translation errors.
Alibaba Cloud is the No. 1 (2019 Gartner) cloud infrastructure operator in the Asia-Pacific region, with two data centers in Japan and more than 60 availability zones worldwide. Click here for more information on Alibaba Cloud. Alibaba Cloud Japan Official Page