Secure & Harden CentOS VPS Server (change Port, disable Root & Add sudo user)

Caution: If you have data on your server, it is best to take a backup of the files and database and store it off-site. That way, if things go wrong (e.g. if you get locked out of your server) you are not stranded (see the tutorial here for backing up the VPS).

(i) Update the CentOS installation:

yum update

(ii) Create a new sudo user with “super user” privileges & disable root:

The super user will be added to the “Wheel Group”.

The wheel group is a group which limits the number of people who are able to su to root. This usually consists of a group named “wheel” and a set of users that are permitted to use the utility ‘su’ in order to change to root.


Open the sudo configuration file with the command

visudo

and find these lines towards the bottom of the file

## Allows people in group wheel to run all commands

# %wheel ALL=(ALL) ALL

Delete the # mark so that it reads

## Allows people in group wheel to run all commands

%wheel ALL=(ALL) ALL

If the file opens in vi, enter the command :wq! to save the file and close it.

If the file opens in nano, press ctrl + x, then y, and then enter to save the file and close it.

Now create the sudo user with the command:

useradd -m -G wheel -s /bin/bash superuser

This can also be done separately by first adding the user

adduser superuser

and then adding the user to the wheel group

usermod -a -G wheel superuser

Create an encrypted password:

passwd superuser

Now open another PuTTY session, log in as the superuser and ensure that you have sudo ability by typing

sudo -s

Enter your password and you will receive a message (the first time) on how you have great power and great responsibility.

Disable root user:

Access your SSH configuration file by typing the command:

nano /etc/ssh/sshd_config

Three things have to be changed:

– Port (change from the default 22 to any 4 or 5 digit number of your choice. The highest acceptable value is 49151)

– PermitRootLogin no (change yes to no)

– AllowUsers superuser (add this line; change superuser to the name of the user)

Now press ctrl + x, then y, and then enter to save and exit the file.

Restart sshd with the command

service sshd restart

Caution: Don’t close the SSH terminal, because sometimes (depending on the server configuration) changing the port means that the connection is not accepted. Open another terminal and try to log in. If you get a “connection refused” or “Network error: connection refused” or similar error, go back to nano /etc/ssh/sshd_config in the terminal you kept open and change the port to the default 22.

Update:

If you have CSF pre-installed and the port you choose in the sshd configuration is not in the approved list, you can get locked out of your VPS. So do the following:

(i) Open the csf config file with the command


nano /etc/csf/csf.conf

(ii) Add your chosen port here:


# Allow incoming TCP ports
TCP_IN = "20,21,22,25,26,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,26,37,43,53,80,110,113,443,465,873,2087,2089,2703"
# Allow incoming UDP ports
UDP_IN = "20,21,53,465,6277,24441"
# Allow outgoing UDP ports
UDP_OUT = "20,21,53,113,123,465,873,6277,24441,33434:33523"

and add the port number at the end of each line. See this example below where I add port 12345 to the incoming TCP ports section:

# Allow incoming TCP ports
TCP_IN = "20,21,22,25,26,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096,12345"

(iii) Restart csf with the command:


csf -r

(iv) Open a fresh SSH terminal and ensure that you are able to log in as the superuser through the chosen port

(v) Be aware that if you make too many wrong logins, CSF will block your IP address and you will be unable to even access your website. There is more information about this here.

You can check whether the port is working with the command

netstat -ntlp | grep :port_no (insert the port number for port_no)

You can test the login from the server itself (localhost) with the command

ssh -vv -p port_no localhost
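
The lockout risks described above (sshd moved to a port that CSF does not allow, or the login user missing from AllowUsers) can be checked before restarting anything. The script below is an added example, not part of the original tutorial; the function names are hypothetical and the sample files in demo are constructed for illustration.

```shell
#!/bin/sh
# Added example: lockout check to run before "service sshd restart" and "csf -r".
# Function names are hypothetical; they are not part of sshd or CSF.

# First uncommented value of an sshd_config keyword (sshd uses the first match).
sshd_value() {  # usage: sshd_value FILE KEYWORD
    awk -v k="$2" 'tolower($1) == tolower(k) {
        sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}

# Succeeds if PORT is in csf.conf TCP_IN, either alone or inside a lo:hi range.
csf_allows() {  # usage: csf_allows CSF_CONF PORT
    list=$(sed -n 's/^[[:space:]]*TCP_IN[[:space:]]*=[[:space:]]*"\(.*\)".*/\1/p' "$1" | head -n 1)
    for entry in $(printf '%s' "$list" | tr ',' ' '); do
        case $entry in
            *:*) [ "$2" -ge "${entry%%:*}" ] && [ "$2" -le "${entry##*:}" ] && return 0 ;;
            *)   [ "$entry" = "$2" ] && return 0 ;;
        esac
    done
    return 1
}

# Prints one line per problem and returns non-zero if any check fails.
check_ssh_hardening() {  # usage: check_ssh_hardening SSHD_CONFIG CSF_CONF USER
    rc=0
    port=$(sshd_value "$1" Port); port=${port:-22}
    [ "$port" != 22 ] || { echo "Port is still the default 22"; rc=1; }
    [ "$(sshd_value "$1" PermitRootLogin)" = no ] || { echo "PermitRootLogin is not 'no'"; rc=1; }
    case " $(sshd_value "$1" AllowUsers) " in
        *" $3 "*) ;;
        *) echo "AllowUsers does not list $3"; rc=1 ;;
    esac
    # Skipped when CSF is not installed (no csf.conf at the given path).
    if [ -f "$2" ] && ! csf_allows "$2" "$port"; then
        echo "CSF TCP_IN does not allow port $port"; rc=1
    fi
    return $rc
}

# Constructed sample files (not from a real server): sshd moved, CSF not updated.
demo() {
    d=$(mktemp -d)
    printf 'Port 12345\nPermitRootLogin no\nAllowUsers superuser\n' > "$d/sshd_config"
    printf 'TCP_IN = "20,21,22,80,443"\n' > "$d/csf.conf"
    check_ssh_hardening "$d/sshd_config" "$d/csf.conf" superuser; rc=$?
    rm -rf "$d"; return $rc
}
demo || echo "fix the problems above before restarting sshd"
```

On the server, call check_ssh_hardening /etc/ssh/sshd_config /etc/csf/csf.conf superuser from the session you are keeping open, and restart sshd only when it prints nothing.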
