In this tutorial you will learn how to set up a CentOS server. Upon creating a new CentOS server, it’s essential to perform several initial configuration tasks. These steps are crucial for improving server security and overall usability, laying the groundwork for subsequent operations.
Why use CentOS?
CentOS is a popular choice for server operating systems due to several key advantages:
- Robust and reliable: Based on RHEL, known for its stability.
- Secure: Strong security updates and a large community.
- Cost-effective: Free and open-source, eliminating licensing costs.
- Widely compatible: Supports a wide range of enterprise applications.
- Community-backed: Strong community support and extensive resources.
These factors make CentOS an excellent choice for a wide range of server applications, including web servers, database servers, file servers, and more.
CentOS login as root
To log in, you’ll require your server’s public IP address and the appropriate authentication credentials for the root user account. This may include a password or a private key if you’ve configured SSH key-based authentication.
If you haven’t already established a connection to your server, log in as the root user by executing the following command. Replace <your_server_ip> with the actual public IP address of your server:
ssh root@your_server_ip
If a warning about host authenticity appears, acknowledge and proceed. If you’re using password authentication, enter the root user’s password.
If you’re using an SSH key with a passphrase, you may be prompted to enter the passphrase each session initially.
Additionally, if this is your first login with the password, you’ll likely be prompted to change the root password for security reasons.
About Root
In a Linux environment, the root user possesses the highest level of privileges. Due to the significant power associated with the ‘root’ account, including the potential for accidental system damage, it’s strongly recommended to avoid using it for routine tasks.
As a best practice, create a dedicated user account for your daily work. This account will have limited privileges by default but can be granted elevated permissions when necessary.
How to create a new user
Now that you are logged in as the root user, you can proceed to create a new user account that will be used for subsequent logins.
This example demonstrates creating a user named tim; feel free to substitute this with your preferred username.
adduser tim
Next, set a password for the tim user:
passwd tim
In the next step we will grant this user access to the sudo command. This will enable the user to execute commands with root privileges whenever required.
Configuring administrative access
Currently, our new user account possesses standard user privileges. However, situations may arise where we need to perform administrative tasks.
To avoid the inconvenience of logging out and logging back in as the root user, we can configure our new user account with superuser privileges, also known as root privileges.
This allows us to execute commands with elevated administrative rights by simply prefixing the command with sudo. To grant these privileges, we will add our new user to the wheel group.
In CentOS, users belonging to the wheel group are inherently authorized to utilize the sudo command.
As root, run this command to add your new user to the wheel group (substitute ‘tim’ with your new username):
usermod -aG wheel tim
While logged in as your regular user, you can now prefix any command with sudo to execute it with the elevated privileges of the ‘root’ user.
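Before switching away from the root session, it is worth verifying that the three things this section relies on are actually in place: the user is in wheel, the %wheel rule in /etc/sudoers is uncommented, and the account has a real password (adduser alone leaves it locked). The POSIX shell script below is an added example, not part of the tutorial; its checks take file contents as arguments so they can be exercised on the constructed sample data, and audit_user runs them against the live files when invoked as root with --audit.

```shell
#!/bin/sh
# Constructed sample data in /etc/group, /etc/shadow and /etc/sudoers format
SAMPLE_GROUP='root:x:0:
wheel:x:10:tim
tim:x:1000:
bob:x:1001:'
SAMPLE_SHADOW='root:$6$saltsalt$hashhash:19000:0:99999:7:::
tim:!!:19000:0:99999:7:::
bob:$6$saltsalt$hashhash:19000:0:99999:7:::
carol::19000:0:99999:7:::'
SAMPLE_SUDOERS='## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL
## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL'

# user_in_group GROUP USER GROUPFILE_CONTENT: succeeds if USER is listed as a member of GROUP
user_in_group() {
  printf '%s\n' "$3" | awk -F: -v g="$1" -v u="$2" '
    $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
    END { if (found) exit 0; exit 1 }'
}

# password_state USER SHADOWFILE_CONTENT: prints set, locked, empty or missing.
# "!!" or "!" means locked (what adduser leaves behind); an empty field means no password at all.
password_state() {
  printf '%s\n' "$2" | awk -F: -v u="$1" '
    $1 == u { found = 1; if ($2 == "") print "empty"; else if ($2 ~ /^[!*]/) print "locked"; else print "set" }
    END { if (!found) print "missing" }'
}

# wheel_sudo_enabled SUDOERS_CONTENT: succeeds if an uncommented %wheel rule is present
wheel_sudo_enabled() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*%wheel[[:space:]]+ALL=\(ALL(:ALL)?\)[[:space:]]+(NOPASSWD:[[:space:]]*)?ALL[[:space:]]*$'
}

# audit_user USER: run the same checks against the live files (readable only as root)
audit_user() {
  if user_in_group wheel "$1" "$(cat /etc/group)"; then echo "ok: $1 is in wheel"
  else echo "FAIL: $1 is not in wheel"; fi
  if wheel_sudo_enabled "$(cat /etc/sudoers)"; then echo "ok: wheel may use sudo"
  else echo "FAIL: no active %wheel rule in /etc/sudoers"; fi
  echo "password for $1: $(password_state "$1" "$(cat /etc/shadow)")"
}

# On the server, as root: sh audit.sh --audit tim
if [ "${1:-}" = "--audit" ] && [ -n "${2:-}" ]; then audit_user "$2"; fi
```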
Implementing basic firewall rules
Firewalls play a crucial role in server security by implementing a defense-in-depth strategy. They function by blocking all incoming and outgoing network traffic by default, except for specific ports and services that have been explicitly authorized.
CentOS incorporates firewalld as its default firewall service. The firewall-cmd tool is used to manage and configure the firewall rules within firewalld.
NOTE: Alternatively, if your servers are hosted on LifeinCloud, consider using LifeinCloud Firewalls instead of firewalld. For optimal security, avoid using both simultaneously to prevent potential rule conflicts.
First install firewalld:
dnf install firewalld -y
The default configuration of firewalld already allows SSH connections, so we can safely enable the firewall without disrupting our ability to access the server.
systemctl start firewalld
Check the status of the service to make sure it started:
systemctl status firewalld
Output
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2020-02-06 16:39:40 UTC; 3s ago
Docs: man:firewalld(1)
Main PID: 13180 (firewalld)
Tasks: 2 (limit: 5059)
Memory: 22.4M
CGroup: /system.slice/firewalld.service
└─13180 /usr/libexec/platform-python -s /usr/sbin/firewalld --nofork --nopid
The firewall is currently active and configured to start automatically upon server reboot.
Now that the firewall service is running, we can utilize the firewall-cmd utility to view and modify the firewall’s policy information.
First let’s list which services are already allowed:
firewall-cmd --permanent --list-all
Output
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0 eth1
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
To see the additional services that you can enable by name, type:
firewall-cmd --get-services
To enable a specific service through the firewall, utilize the --add-service flag.
firewall-cmd --permanent --add-service=http
This command will add the http service to the list of allowed services, enabling incoming TCP traffic on port 80. To apply these changes, it is necessary to reload the firewall.
firewall-cmd --reload
It’s important to remember that any additional services you configure will require explicit firewall rules to allow incoming traffic.
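The --list-all output above also shows what the default public zone allows that you did not ask for, such as cockpit next to ssh. As an added example (not the tutorial's own code), the POSIX shell script below parses that output, compares the allowed services with an explicit allowlist and prints the exact firewall-cmd commands needed to reconcile the two; the WANTED list and the decision to drop cockpit are assumptions for a web server, and apply_plan only runs when the script is invoked as root with --apply.

```shell
#!/bin/sh
# Services the public zone should allow (assumed for a web server). dhcpv6-client is kept
# in case the host gets its IPv6 address over DHCPv6; cockpit is dropped because it is unused.
WANTED="ssh dhcpv6-client http https"

# Constructed sample: the firewall-cmd --permanent --list-all output shown in the tutorial
SAMPLE_LIST='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# zone_services: read --list-all output on stdin and print the space-separated service names
zone_services() {
  sed -n 's/^[[:space:]]*services:[[:space:]]*//p'
}

# plan_changes CURRENT WANTED: print the firewall-cmd commands that turn CURRENT into WANTED
# (removals first, then additions; nothing is executed here)
plan_changes() {
  for s in $1; do
    case " $2 " in *" $s "*) ;; *) echo "firewall-cmd --permanent --remove-service=$s" ;; esac
  done
  for s in $2; do
    case " $1 " in *" $s "*) ;; *) echo "firewall-cmd --permanent --add-service=$s" ;; esac
  done
}

# apply_plan PLAN: run each planned command, then reload so the permanent rules take effect
apply_plan() {
  printf '%s\n' "$1" | while IFS= read -r cmd; do
    [ -n "$cmd" ] && $cmd
  done
  firewall-cmd --reload
}

# On the server, as root: sh firewall-plan.sh --apply
if [ "${1:-}" = "--apply" ]; then
  current=$(firewall-cmd --permanent --list-all | zone_services)
  plan=$(plan_changes "$current" "$WANTED")
  if [ -n "$plan" ]; then apply_plan "$plan"; fi
fi
```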
Configuring remote access for your account
Now that we have created a non-root user account for our daily activities, we need to configure it to allow SSH access to the server.
It's recommended to remain logged in as the root user until you've successfully logged in and verified that you can use the sudo command with your newly created user account. This will facilitate troubleshooting and allow you to make any necessary adjustments if you encounter any problems.
The specific steps involved in configuring SSH access for your new user will vary depending on whether the root account is currently using password-based authentication or SSH key-based authentication.
If the root account uses a password for authentication
If you successfully logged in to your root account using your password, this indicates that password-based authentication is currently enabled for SSH access. To log in to your newly created user account, open a new terminal session and utilize the SSH command, specifying your new username.
ssh tim@your_server_ip
Once you have entered the password for your regular user account, you will successfully log in to the server. Remember, whenever you need to execute a command that requires administrative privileges, simply prefix the command with sudo.
sudo command_to_run
You will be prompted to enter your regular user’s password the first time you use the ‘sudo’ command within each session, and periodically thereafter.
To significantly enhance the security of your server, we strongly recommend implementing SSH key-based authentication instead of relying on passwords.
If the root account utilizes SSH Key authentication
If you successfully logged in to your root account using SSH keys, this indicates that password-based authentication for SSH has been disabled. To enable SSH access for your new user account, you’ll need to add a copy of your public SSH key to the ~/.ssh/authorized_keys file within your new user’s home directory.
As your public key is already present in the ~/.ssh/authorized_keys file within the root user’s home directory, we can efficiently copy this directory structure and its contents to your new user’s home directory.
The rsync command provides a convenient method for achieving this, ensuring that the copied files retain the correct permissions and ownership.
Remember to replace <your_username> with your actual username in the following command:
Important: The rsync command behaves differently depending on whether the source directory ends with a trailing slash. When specifying the source directory (~/.ssh), do not include a trailing slash.
If you accidentally add a trailing slash, rsync will only copy the files and folders inside the ~/.ssh directory, instead of copying the entire ~/.ssh directory structure.
This will result in the SSH configuration files being placed in the wrong location, preventing SSH from functioning correctly.
rsync --archive --chown=tim:tim ~/.ssh /home/tim
Now, from a new terminal on your local machine, open a new SSH session with your non-root user:
ssh tim@your_server_ip
You should now be successfully logged in to your new user account without the need to enter a password.
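If that login fails, the usual culprits are the trailing-slash mistake described above (authorized_keys ends up directly in the home directory) or a directory that is group- or world-writable, which sshd rejects. The POSIX shell function below is an added check, not part of the tutorial; check_ssh_layout takes the new user's home directory and username (both assumptions) and reports whether the copied ~/.ssh is where it should be, owned by that user, and restricted to 700 for the directory and 600 (or 644) for authorized_keys.

```shell
#!/bin/sh
# check_ssh_layout HOME_DIR USER: verify the copied ~/.ssh landed in the right place with safe
# ownership and modes. Uses ls output so it works without GNU stat.
check_ssh_layout() {
  d="$1/.ssh"
  if [ ! -d "$d" ]; then
    echo "FAIL: $d is missing (was the rsync source given with a trailing slash?)"; return 1
  fi
  if [ ! -f "$d/authorized_keys" ]; then
    echo "FAIL: $d/authorized_keys is missing"; return 1
  fi
  # Owner is column 3 of ls -l; the mode string is characters 2-10 (an SELinux "." may follow)
  own=$(ls -ld "$d" | awk '{print $3}')
  [ "$own" = "$2" ] || { echo "FAIL: $d is owned by $own, not $2"; return 1; }
  dm=$(ls -ld "$d" | cut -c2-10)
  [ "$dm" = "rwx------" ] || { echo "FAIL: $d mode is $dm, expected rwx------ (700)"; return 1; }
  fm=$(ls -l "$d/authorized_keys" | cut -c2-10)
  case "$fm" in
    rw-------|rw-r--r--) ;;
    *) echo "FAIL: authorized_keys mode is $fm, expected rw------- (600)"; return 1 ;;
  esac
  echo "ok: $d is owned by $2 with directory mode 700 and authorized_keys mode $fm"
}

# On the server, as root: sh check-ssh.sh --check /home/tim tim
if [ "${1:-}" = "--check" ] && [ -n "${3:-}" ]; then check_ssh_layout "$2" "$3"; fi
```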
Remember, whenever you need to execute a command that requires elevated administrative privileges, simply prefix the command with sudo.
sudo command_to_run
When you first use the sudo command within each session, and periodically afterwards, you will be prompted to enter your regular user’s password for authentication.
Conclusion
Your server is now ready for action! You successfully completed setting up a CentOS server. You have the foundation in place to install and run any software you require.
Thank you for learning with us.