Initial Setup of a CentOS 7 Server

Introduction

A newly activated CentOS 7 server has to be customized before it can be put into use as a production system. In this article, the most important customizations that you’ll have to make are given in an easy-to-understand manner.

Prerequisites

A newly activated CentOS 7 server, preferably set up with SSH keys. Log into the server as root.

[root@development]# ssh -l root server-ip-address

Step 1: Create a Standard User Account

For security reasons, it is not advisable to perform daily tasks using the root account. Instead, create a standard user account that uses sudo to gain administrative privileges only when needed.

[root@development www]# adduser pankaj

Set a password for the new user. You’ll be prompted to input and confirm a password.

[root@development www]# passwd pankaj

Add the new user to the wheel group so that it can assume root privileges using sudo.

[root@development www]# gpasswd -a pankaj wheel

Finally, open another terminal on your local machine and use the following command to add your SSH key to the new user’s home directory on the remote server. You will be prompted to authenticate before the SSH key is installed.

[root@development www]# ssh-copy-id pankaj@server-ip-address

After the key has been installed, log into the server using the new user account.

[root@development www]# ssh -l pankaj server-ip-address

If the login is successful, you may close the other terminal. From now on, all commands will be preceded with sudo.

Step 2: Disallow Root Login and Password Authentication

Since you can now log in as a standard user using SSH keys, a good security practice is to configure SSH so that the root login and password authentication are both disallowed. Both settings have to be configured in the SSH daemon’s configuration file. So, open it using nano.

[root@development www]# sudo nano /etc/ssh/sshd_config

Look for the PermitRootLogin line, uncomment it and set the value to no.

PermitRootLogin     no

Do the same for the PasswordAuthentication line, which should be uncommented already:

PasswordAuthentication      no

Save and close the file. To apply the new settings, reload SSH.

sudo systemctl reload sshd
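A check worth running before the reload, as an added example that is not part of the original article: sshd applies the first uncommented occurrence of a directive and ignores later ones, so a `PermitRootLogin no` appended below an existing `PermitRootLogin yes` changes nothing. The function names and the sample configuration below are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original article. sshd reads sshd_config
# first-match-wins: the first uncommented occurrence of a keyword applies
# and later occurrences are silently ignored, which is why the existing
# line must be edited rather than a new one appended.
# sshd_effective KEYWORD [FILE] prints the value sshd will use (FILE defaults
# to /etc/ssh/sshd_config). It assumes the "Keyword value" form used in the
# article, and stops at the first Match block, whose settings are conditional.
sshd_effective() {
    awk -v kw="$1" '
        tolower($1) == "match" { exit }          # conditional section starts
        /^[[:space:]]*#/ || NF == 0 { next }     # comments and blank lines
        tolower($1) == tolower(kw) { print $2; exit }
    ' "${2:-/etc/ssh/sshd_config}"
}

# check_sshd_hardening [FILE] returns 0 only when both Step 2 settings are
# the ones sshd will actually enforce.
check_sshd_hardening() {
    f=${1:-/etc/ssh/sshd_config}
    [ "$(sshd_effective PermitRootLogin "$f")" = no ] &&
    [ "$(sshd_effective PasswordAuthentication "$f")" = no ]
}

# Constructed sample: an edit that appended the directives instead of
# changing the existing lines, so the original "yes" values still win.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PermitRootLogin yes
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
PasswordAuthentication no
EOF
printf 'PermitRootLogin in effect: %s\n' "$(sshd_effective PermitRootLogin "$sample")"
if check_sshd_hardening "$sample"; then echo hardened; else echo "NOT hardened"; fi
rm -f "$sample"
```

Run it against the real file with `check_sshd_hardening` and no argument after editing, and reload sshd only when it reports success.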

Step 3: Enable the IPTables Firewall

By default, the active firewall application on a newly activated CentOS 7 server is FirewallD. Though it is a good replacement for IPTables, many security applications still do not have support for it. So if you’ll be using any of those applications, like OSSEC HIDS, it’s best to disable/uninstall FirewallD.

Let’s start by disabling/uninstalling FirewallD:

[root@development www]# sudo yum remove -y firewalld

Now, let’s install/activate IPTables.

[root@development www]# sudo yum install -y iptables-services

[root@development www]# sudo systemctl start iptables

Configure IPTables to start automatically at boot time.

[root@development www]# sudo systemctl enable iptables

IPTables on CentOS 7 comes with a default set of rules, which you can view with the following command.

[root@development www]# sudo iptables -L -n

The output will resemble:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

You can see that one of those rules allows SSH traffic, so your SSH session is safe.

Because those rules are runtime rules and will be lost on reboot, it’s best to save them to a file using:

[root@development www]# sudo /usr/libexec/iptables/iptables.init save

Step 4: Allow Additional Traffic Through the Firewall

Since you’ll most likely use your new server to host websites at some point, you’ll have to add rules to the firewall that allow HTTP and HTTPS traffic. To do that, open the IPTables rules file:

[root@development www]# sudo nano /etc/sysconfig/iptables

Just after or before the SSH rule, add the rules for HTTP (port 80) and HTTPS (port 443) traffic, so that that portion of the file appears as shown in the code block below.

-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited

Save and close the file, then reload IPTables.

[root@development www]# sudo systemctl reload iptables
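Rule order matters here: iptables evaluates the INPUT chain top to bottom, so an ACCEPT that ends up below the `-j REJECT --reject-with icmp-host-prohibited` line never fires. The following script, an added example that is not part of the original article, checks a rules file for that mistake before you reload; the function name and the sample file are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original article. iptables evaluates the INPUT
# chain top to bottom and the first matching rule wins, so an ACCEPT placed
# below "-A INPUT -j REJECT --reject-with icmp-host-prohibited" never fires.
# ports_open_before_reject FILE PORT... returns 0 only when every PORT has an
# "-A INPUT -p tcp ... --dport PORT -j ACCEPT" rule above that catch-all
# reject. It assumes the single-port --dport form shown in the article.
ports_open_before_reject() {
    file=$1
    shift
    for port in "$@"; do
        awk -v p="$port" '
            # position of the INPUT catch-all reject, if present
            /^-A INPUT / && /-j REJECT/ && !/--dport/ && !reject { reject = NR }
            # position of the first INPUT ACCEPT for this tcp port
            /^-A INPUT / && /-p tcp/ && /-j ACCEPT/ && !accept {
                for (i = 1; i < NF; i++)
                    if ($i == "--dport" && $(i + 1) == p) accept = NR
            }
            END {
                if (!accept) exit 1                     # port never accepted
                if (reject && accept > reject) exit 1   # accepted too late
            }
        ' "$file" || return 1
    done
    return 0
}

# Constructed sample: the article's rules, but with HTTPS added below the reject.
sample=$(mktemp)
cat > "$sample" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
COMMIT
EOF
for port in 22 80 443; do
    if ports_open_before_reject "$sample" "$port"; then
        echo "port $port: accepted before the catch-all reject"
    else
        echo "port $port: unreachable, fix the rule order before reloading"
    fi
done
rm -f "$sample"
```

Point it at /etc/sysconfig/iptables with the ports you expect to serve, and reload only when every port passes; port 22 in particular must pass, or the reload locks you out of the SSH session you are working in.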

With the above steps completed, your CentOS 7 server should now be reasonably secure and ready for use in production.