Securing a non-AWS stock CentOS install

Securing the root account

Assuming setup has completed and you have configured only a root account:

Set a password:

passwd

Now, let's set up a private key. Do:

mkdir .ssh && chmod 700 .ssh && ssh-keygen -t rsa -f myKeyfile

This will output myKeyfile and myKeyfile.pub.

Do:

cp myKeyfile.pub .ssh/authorized_keys
vi .ssh/authorized_keys

Once in vi, remove the trailing part of the key line that begins with username@hostname (it is only a comment).

Then press Esc and type :wq

Do:

chmod 600 .ssh/authorized_keys

Now copy the private key and save it locally:

vi myKeyfile

Copy the contents of the file and save them to your local machine as: myKeyfile
Use PuTTYgen to open the key: myKeyfile
Save Private Key as myKeyfile.ppk

Clean up the keys:

rm -f myKeyfile myKeyfile.pub

Creating a sudo account

We don't use root for our sudo account, so let's add a new user:

adduser centos

Set the password for the user:

passwd centos
*enter password twice*

Add them to the wheel (sudo) group:

gpasswd -a centos wheel

Switch to the new user:

su centos

Change to their home directory:

cd ~/

Now, let's set up a(nother) private key. Do:

mkdir .ssh && chmod 700 .ssh && ssh-keygen -t rsa -f myKeyfile

This will output myKeyfile and myKeyfile.pub.

Do:

cp myKeyfile.pub .ssh/authorized_keys
vi .ssh/authorized_keys

Once in vi, remove the trailing part of the key line that begins with username@hostname (it is only a comment).

Then press Esc and type :wq

Do:

chmod 600 .ssh/authorized_keys

Now copy the private key and save it locally:

vi myKeyfile

Copy the contents of the file and save them to your local machine as: myKeyfile
Use PuTTYgen to open the key: myKeyfile
Save Private Key as myKeyfile.ppk

Clean up the keys. Do:

rm -f myKeyfile myKeyfile.pub
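The key setup above is done twice by hand (once for root, once for the sudo account). The following is an added example, not part of the original guide, that does the same steps as shell functions: generate the pair (note the output file is selected with -f; ssh-keygen's -T option is unrelated and would fail), install the public key as authorized_keys without the trailing comment field, set the 700/600 modes, and check them. sshd's StrictModes (on by default) rejects keys whose directory or file is writable by others, so the check is worth running before you rely on the key. The account path and key file name are hypothetical; -b 4096 is an addition of this example.

```shell
#!/bin/sh
# Added example (not from the original guide): install a public key for an
# account the way the steps above describe, with the same file modes, and
# verify the result. Paths and key names are hypothetical.

# Generate a key pair. The output file is chosen with -f (not -T).
generate_key() {
    keyfile=$1
    ssh-keygen -t rsa -b 4096 -f "$keyfile"
}

# Install a public key as $home/.ssh/authorized_keys. The trailing comment
# (username@hostname) is dropped, as the guide does by hand in vi; only
# "keytype base64key" is kept.
install_authorized_key() {
    home=$1
    pubkey=$2
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    awk '{print $1, $2}' "$pubkey" > "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
}

# Return 0 only if .ssh is mode 0700 and authorized_keys is mode 0600.
# sshd (StrictModes yes, the default) ignores keys in a directory or file
# that is writable by group or others, so run this before logging out.
check_ssh_perms() {
    home=$1
    [ -n "$(find "$home/.ssh" -prune -perm 700 -print)" ] || return 1
    [ -n "$(find "$home/.ssh/authorized_keys" -prune -perm 600 -print)" ] || return 1
    return 0
}

# Example run on the host (hypothetical account and key name):
#   generate_key myKeyfile
#   install_authorized_key /home/centos myKeyfile.pub
#   check_ssh_perms /home/centos && rm -f myKeyfile myKeyfile.pub
```

Copy the private key off the box before the final rm, exactly as the guide describes; the functions never print or transmit it.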

Disable root logins via SSH

Verify that you can log in to both root and the new account with your keys before proceeding.

The following assumes you have created a new sudo account called 'centos'.

We don't need to log in as root now that we have our sudo account, so we may as well disable root logins over SSH. While we're here we're going to disable password-based logins too, and only allow key-based auth.

vi /etc/ssh/sshd_config

Find and modify the following values:

ChallengeResponseAuthentication no
PasswordAuthentication yes
#PermitRootLogin yes
UsePAM yes

To:

ChallengeResponseAuthentication no
PasswordAuthentication no
PermitRootLogin no
UsePAM yes

Reload ssh:

systemctl reload sshd

IMPORTANT: Don't log out at this point. You could lock yourself out completely.
Make sure you can log in with the sudo 'centos' account we previously created and tested.

  • You SHOULD be able to log in as CENTOS with your Keyfile
  • You SHOULD NOT be able to log in as CENTOS with your password
  • You SHOULD NOT be able to log in as ROOT with your Keyfile
  • You SHOULD NOT be able to log in as ROOT with your password

If this is working correctly then you can close all sessions and continue with the 'centos' account from this point on.
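Editing sshd_config by hand works, but a typo in it means sshd will refuse to reload and the next restart fails. The following is an added example, not from the original guide, that applies the same four settings to a config file in a way that handles both active and commented-out lines (CentOS ships `#PermitRootLogin yes`), reads back the value sshd will actually use (first uncommented occurrence wins), and runs `sshd -t` before the reload. Function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original guide): set the sshd options the
# guide changes, check the result, and validate before reloading.

# Set "key value" in a config file. Every existing line for the key is
# replaced, whether active or commented out (#PermitRootLogin yes); if the
# key is absent the line is appended. The file is rewritten in place so its
# owner and mode (root, 0600) are preserved.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|\$)" "$file"; then
        sed -E "s/^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?\$/$key $value/" "$file" > "$file.tmp" \
            && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# The four changes from the guide.
harden_sshd_config() {
    file=$1
    set_sshd_option "$file" ChallengeResponseAuthentication no
    set_sshd_option "$file" PasswordAuthentication no
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" UsePAM yes
}

# Print the value sshd will use for a key: keywords are case-insensitive and
# the first uncommented occurrence wins.
sshd_option() {
    awk -v k="$2" 'tolower($1)==tolower(k) {print $2; exit}' "$1"
}

# On the real host, as root: apply, test the syntax, and only then reload.
# Keep your existing session open until the checklist above passes.
apply_sshd_hardening() {
    harden_sshd_config /etc/ssh/sshd_config
    sshd -t && systemctl reload sshd
}
```

`sshd -t` exits non-zero on a syntax error, so a bad edit never reaches the running daemon.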

Optional: disable sudo password for user centos

Easy way: add the following to the end of /etc/sudoers (edit it with visudo, which checks the syntax before saving):

centos ALL=(ALL) NOPASSWD: ALL

Better way (if using Virtualmin):

sudo vi /etc/sudoers.d/10-passwordless-sudoers

Insert the following:

centos ALL=(ALL) NOPASSWD: ALL
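As an added example, not from the original guide, here is the drop-in approach as a small script: it writes the rule for a given user with the mode sudo expects (0440), keeps the file name free of dots and trailing tildes (sudo silently skips such files under /etc/sudoers.d), and validates the staged file with `visudo -cf` before it is installed. The user name and staging directory are hypothetical.

```shell
#!/bin/sh
# Added example (not part of the original guide): create and validate a
# passwordless-sudo drop-in for one user. User and paths are hypothetical.

# Write "<user> ALL=(ALL) NOPASSWD: ALL" under $dir with mode 0440 and print
# the path. Names containing '.' or ending in '~' are ignored by sudo, so the
# file name is kept plain.
write_sudoers_dropin() {
    dir=$1; user=$2
    f="$dir/10-passwordless-$user"
    printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$user" > "$f"
    chmod 0440 "$f"
    printf '%s\n' "$f"
}

# Return 0 if the file has mode 0440 and exactly one NOPASSWD rule for the
# expected user; anything else is a reason not to install it.
check_sudoers_dropin() {
    f=$1; user=$2
    [ -n "$(find "$f" -prune -perm 440 -print)" ] || return 1
    [ "$(grep -c "^$user ALL=(ALL) NOPASSWD: ALL\$" "$f")" = 1 ] || return 1
    [ "$(grep -vc '^[[:space:]]*$' "$f")" = 1 ] || return 1
}

# On the real host, as root: stage, syntax-check with visudo, then install
# owned by root. A bad drop-in would otherwise break sudo for everyone.
install_sudoers_dropin() {
    user=$1
    staged=$(write_sudoers_dropin /root "$user")
    check_sudoers_dropin "$staged" "$user" || return 1
    visudo -cf "$staged" || return 1
    install -o root -g root -m 0440 "$staged" "/etc/sudoers.d/$(basename "$staged")"
    rm -f "$staged"
}
```

Keep a root shell open while installing the file; if `visudo -cf` rejects it, nothing has been written to /etc/sudoers.d.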