How to Properly Configure Security Settings on a CentOS 7 Cloud Server?

10-01-2024 05:28:05

After a cloud server is provisioned, it is important to apply an initial set of security settings before it faces the hostile real-world network. This article uses the popular CentOS 7 operating system and walks through the initial hardening step by step.

Before starting, make sure you can log in to the system remotely with the default root account; the steps below are run from that session.

Step One: Create a Non-root Standard User Account

For security reasons, it is not recommended to use the root account for day-to-day management of the cloud server. The better practice is to create a standard user account and perform administrative operations from that account via sudo. This article uses an account named "zhaomu" as the example; create it with:

adduser zhaomu

Then set this account's password with the passwd command (naming the account matters: running passwd with no argument as root would change root's password instead).

passwd zhaomu

Next, add this account to the wheel group so that it can obtain administrative privileges using the sudo command.

gpasswd -a zhaomu wheel

Finally, open a second terminal and confirm that you can log in with the newly created account, keeping the root session open until that test succeeds.

Step Two: Disable Root Account Login

Since the cloud server will be managed remotely through the non-root standard account, there is no need to keep root login enabled, and disabling it removes the most commonly brute-forced account from the SSH attack surface. Open the SSH daemon configuration file with:

sudo vi /etc/ssh/sshd_config

Search for the following two lines with the / command, remove the comment character # in front of them, and set both values to no. Note that the second line disables password login for every account, not just root, so the new user must already have an SSH public key in ~/.ssh/authorized_keys before the change is applied, or you will lock yourself out.

PermitRootLogin     no
PasswordAuthentication      no

Save the changes with the :wq command, then run the following command to apply the new settings. Keep your current session open and verify a fresh key-based login as the standard user works before closing it.

sudo systemctl reload sshd
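An added example, not part of the original article: a small POSIX shell script that audits and sets the two sshd directives from this step on a copy of sshd_config. It matters because sshd honours the first uncommented occurrence of a directive, so a "no" appended at the bottom of the file silently loses to an earlier "yes". The sample file contents and the mktemp paths are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original article): audit and set the two sshd
# directives from Step Two on a copy of sshd_config. sshd honours the FIRST
# uncommented occurrence of a directive, so "PermitRootLogin no" appended at the
# bottom loses to an earlier "PermitRootLogin yes"; the setter below therefore
# removes old occurrences and puts the directive at the top of the file.
# Simplification: directives inside "Match" blocks are not handled separately.
set -eu

# Effective value of KEY in FILE (first uncommented match), or "unset".
effective_sshd_value() {
    val=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
    printf '%s\n' "${val:-unset}"
}

# Set KEY to VALUE exactly once: drop every commented or active occurrence,
# then write the directive as the first line. Uses a temp file, not sed -i,
# so it behaves the same on GNU and BSD userlands.
set_sshd_directive() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    {
        printf '%s %s\n' "$key" "$value"
        grep -v -i -E "^[[:space:]]*#?[[:space:]]*$key[[:space:]]" "$file" || true
    } > "$tmp"
    mv "$tmp" "$file"
}

# Apply the article's two settings. On a real host, validate the result with
# "sshd -t -f FILE" before "systemctl reload sshd", and keep the current
# session open until a key-based login as the new user succeeds in another:
# with PasswordAuthentication off, a user without an authorized key is locked out.
harden_sshd_config() {
    set_sshd_directive "$1" PermitRootLogin no
    set_sshd_directive "$1" PasswordAuthentication no
}

# Demo on a constructed sample file (not a real host configuration).
sample=$(mktemp)
printf '# constructed sample\nPermitRootLogin yes\n#PasswordAuthentication yes\nPort 22\n' > "$sample"
printf 'before: root=%s password=%s\n' \
    "$(effective_sshd_value "$sample" PermitRootLogin)" \
    "$(effective_sshd_value "$sample" PasswordAuthentication)"
harden_sshd_config "$sample"
printf 'after:  root=%s password=%s\n' \
    "$(effective_sshd_value "$sample" PermitRootLogin)" \
    "$(effective_sshd_value "$sample" PasswordAuthentication)"
```

To audit a real server without changing anything, call effective_sshd_value /etc/ssh/sshd_config PermitRootLogin and compare with what sshd -T reports.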

Step Three: Set the Time Zone

The default time zone of a CentOS system is UTC (Coordinated Universal Time). Switching to your local time zone makes application logs and timestamps easier to read and correlate. The following command sets the time zone to Beijing time (Asia/Shanghai):

sudo ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime

Afterwards, confirm the change with the date command and check that the server time matches your local computer's time.

root@zhaomu:/# date
Mon 17 Feb 2020 04:53:31 PM CST

CST represents China Standard Time.

Step Four: Enable iptables Firewall

CentOS 7 introduced a new firewall front end, firewalld, as the replacement for the iptables service. However, many security tools still do not support firewalld, so for maximum compatibility you can remove firewalld and keep using the traditional iptables service.

The command to uninstall firewalld is:

sudo yum remove -y firewalld

Install and enable iptables:

sudo yum install -y iptables-services
sudo systemctl start iptables
sudo systemctl enable iptables

The iptables-services package ships with a default rule set, which you can view with the following command.

root@zhaomu:/# sudo iptables -L -n

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Notably, the fourth rule accepts new TCP connections to port 22, so remote SSH login still works with the firewall enabled. The third rule looks as if it accepts all traffic, but it is the loopback rule (-i lo); the interface column is hidden unless you add -v to the command. The final REJECT rule refuses everything else, and because iptables evaluates rules in order, any ACCEPT rule must sit above it to have any effect.

Rules loaded into iptables live only in memory and are lost on reboot, so save them to the rule file (/etc/sysconfig/iptables) with the following command.

sudo /usr/libexec/iptables/iptables.init save

Step Five: Allow Common Ports

One of the most common uses of a cloud server is hosting websites, so the website-related ports must be added to the firewall's allow list for the site to be reachable. First, open the iptables rule file.

sudo vi /etc/sysconfig/iptables

In the *filter section of the file, the INPUT chain already ends with the port 22 rule followed by the catch-all REJECT. Add the HTTP (port 80) and HTTPS (port 443) rules next to the existing port 22 rule, keeping them above the REJECT line and above COMMIT: iptables matches rules in order, so an ACCEPT placed after the REJECT would never be reached. The end of the INPUT chain should then read:

-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited

Finally, run the following command to load the edited rule file into the running firewall.

sudo systemctl reload iptables
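An added example, not part of the original article: a POSIX shell linter for an iptables rule file in the /etc/sysconfig/iptables format that catches the mistake this step warns about, ACCEPT rules placed after the INPUT catch-all REJECT or after COMMIT, where they can never match. The sample rule files are constructed from the rules shown above; write_sample_rules and the "good"/"bad" labels are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): lint an /etc/sysconfig/iptables
# file for the Step Five pitfall of ACCEPT rules placed after the INPUT catch-all
# REJECT (or after COMMIT), where iptables never reaches them. It only reads the
# file, so it runs as an unprivileged user and never touches the live rule set.
set -eu

# Space-separated ports of INPUT tcp ACCEPT rules in *filter that precede the
# catch-all REJECT (a rule with no match options: "-A INPUT -j REJECT ...").
reachable_tcp_ports() {
    awk '
        /^[*]/ { table = $1; rejected = 0; next }
        table != "*filter" || $1 != "-A" || $2 != "INPUT" { next }
        $3 == "-j" && $4 == "REJECT" { rejected = 1; next }
        !rejected && /-j ACCEPT/ {
            for (i = 1; i <= NF; i++) if ($i == "--dport") printf "%s ", $(i + 1)
        }' "$1" | sed 's/ $//'
}

# Print every -A INPUT rule in *filter that sits after the catch-all REJECT or
# after COMMIT; exit 1 if any exist (they are dead rules), else exit 0.
unreachable_input_rules() {
    found=$(awk '
        /^[*]/    { table = $1; rejected = 0; committed = 0; next }
        /^COMMIT/ { committed = 1; next }
        table != "*filter" || $1 != "-A" || $2 != "INPUT" { next }
        committed || rejected { print; next }
        $3 == "-j" && $4 == "REJECT" { rejected = 1 }' "$1")
    [ -z "$found" ] || { printf '%s\n' "$found"; return 1; }
}

# Constructed sample: the rule file the article ends with ("good"), or the same
# file with the HTTP/HTTPS rules wrongly appended after the REJECT line ("bad").
write_sample_rules() {  # $1 = path, $2 = good|bad
    web='-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT'
    {
        printf '*filter\n:INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n'
        printf -- '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n-A INPUT -p icmp -j ACCEPT\n'
        printf -- '-A INPUT -i lo -j ACCEPT\n-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT\n'
        [ "$2" = bad ] || printf '%s\n' "$web"
        printf -- '-A INPUT -j REJECT --reject-with icmp-host-prohibited\n'
        [ "$2" = good ] || printf '%s\n' "$web"
        printf -- '-A FORWARD -j REJECT --reject-with icmp-host-prohibited\nCOMMIT\n'
    } > "$1"
}
```

On a real host, run reachable_tcp_ports /etc/sysconfig/iptables and unreachable_input_rules /etc/sysconfig/iptables before the reload; a non-empty list from the second function means the edit landed below the REJECT line.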

After completing these five steps, your CentOS 7 cloud server has its initial security settings in place and is ready to enter the production environment.