I recently showed everyone how to install a new CentOS server, and now that we have a running system, we need to do some basic configuration to SSH to make sure our server is secure. When you install your operating system, you should have created an initial root password. We will use this to log in to our system and start configuration.
One of the first things we need to do is create a user account for our self. Whenever we are logged in, we should be a normal user, not a super-user! This is one of the biggest problems with Windows operating systems; normal users are given administrative privileges by default. When you download something malicious on a Windows PC, the malicious software can easily wreak havoc on your computer, because you have the permissions necessary to do so! Under Linux, we are just a normal user, and only request administrative (root) privileges when necessary. This way, even if I did download a virus on my Linux machine, unless I executed the virus as root, there is very little damage that the virus can do, because my normal user only has a restricted set of privileges.
Create a new user using the
useradd command. This will allow us to add a new user, and then we can create a password for this new user using the
passwd command. So, go ahead and create a new account for yourself, as I am doing below. Replace [username] with your desired username. Remember that we have to be an administrative (root) user to run the useradd command.
[root@machine ~]# useradd [username] [root@machine ~]# passwd [username] Changing password for user username. New UNIX Password: Retype new UNIX password: Passwd: all authentication tokens updated successfully. [root@machine ~]#
Next, we will need to enable sudo access for our newly created user, so that we will still be able to run commands as root. To do this, run the
visudo command, and add the following line to the bottom of the file, replacing [username] with the username you created above.
[username] ALL=(ALL) ALL
visudo command will have you editing the sudoers file with the vi editor. If you’re not familiar with vi, here are some basics. Pressing
i will put you into insert mode, where you can make changes much like any other editor. Pressing
esc will take you out of the editor mode. You can then type
:wq! to write your changes and exit, or just
:q! to quit without saving.
Now that we have our own user account set up, and our user has sudo access, we want to disable root SSH logins. Script kiddies will often search for machines configured with weak root passwords, and gain access using a brute-force or dictionary password attack. I’ve seen it before;
wallpaper isn’t a very good choice for a root password… But for some extra security, lets disable the ability of root logging on via SSH.
/etc/ssh/sshd_config in your favorite text editor, and find the line containing
PermitRootLogin and change the entire line to this:
Now, to make our changes to the sshd_config file take effect, we must restart the SSHD service. Run a simple
service sshd restart as root, and you should see something like this:
[root@machine ~]# service sshd restart Stopping sshd: [ OK ] Starting sshd: [ OK ] [root@machine ~]#
Now, before going any further, test that you can log in with the account that you created earlier, and that you can use the
sudo -i command to enter an interactive sudo session. If everything is working, then lets keep going! BARK!
Next, we can optionally change the port that SSH is listening on. There are some pro’s and con’s of changing the port. We can hopefully avoid some of the script kiddies who are only scanning port 22. This won’t keep any determined hacker from finding the port number with a simple
nmap command however. Also, if you change the port, keep the port number below 1024. Only users in the root group can listen on ports below 1024, so a standard user can’t replace our SSH daemon with their own, listening to incoming requests, stealing passwords, etc.
To change the SSH listening port, open
/etc/ssh/sshd_config in your favorite text editor, find the
Port 22 line, and change it to look like the line below:
This will have our SSHD server listening to port 1000 for SSH connections. Note that we must again restart the sshd service for our changes to take effect.
That should take care of securing our SSHD configuration. Next time we can work on configuring our firewall!