Alibaba Cloud Elastic Compute Service (ECS) provides a faster and more powerful way to run your cloud applications as compared with traditional physical servers. You can achieve great results on your cloud needs. With ECS, you can achieve more with the latest generation of CPUs as well as protect your instance from DDoS and Trojan attacks.
In this guide, we will talk about the best practices for provisioning your CentOS 7 server hosted on an Alibaba Cloud Elastic Compute Service (ECS) instance.
- A valid Alibaba Cloud account. If you don’t have one already, sign up to the Free Trialto enjoy up to $300 worth in Alibaba Cloud products.
- An ECS instance running CentOS 7. You can select your preferred region and configurations; this will not affect the outcome of the server setup.
- A root password for your server.
Step 1: Connect to your Alibaba Cloud CentOS 7 Server
Locate the Internet IP address (Public IP address) associated with your Alibaba Cloud ECS Instance.
If you are running Linux or Mac, use a terminal application to connect to the instance via SSH. If you are on Windows, you can use PuTTy (download here) to connect to your server. You will have to provide the IP address, username and password that you set up when creating your Alibaba Cloud ECS instance to log in via SSH.
There are other ways to connect to your ECS instance as well. Visit the official ECS documentation to learn more.
Step 2: Change the Hostname on Your CentOS 7 Server
The hostname is a default identifier when you communicate to a Linux server. It is like a computer name that is associated with your home PC or laptop. Naming your CentOS 7 server with a descriptive hostname helps you to differentiate your machines especially if you are running a bunch of them.
To begin, ensure your CentOS 7 system is up-to-date by typing the command below:
$ sudo yum update
To check your hostname, type the command below on a terminal window:
To change your hostname, we need to install nano text editor using the command below:
$ sudo yum install nano
Then, edit the /etc/cloud/cloud.cfg file and find the entry preserve_hostname. Change its value from false to true.
$ sudo nano /etc/cloud/cloud.cfg
Press CTRL + X, Y then Enter to exit and save the changes.
Then, edit the /etc/hostname file using a nano editor by typing the command below:
$ sudo nano /etc/hostname
Overwrite the current hostname written at the very top of the file and press CTRL + X, Ythen Enter to save the changes.
You will also need to add some entries on the Linux hosts file. Open the file using a text editor:
$ sudo nano /etc/hosts
You will need to add two entries on this file just below the 127.0.0.1 localhost entry. The first entry you are adding uses the loopback interface address 127.0.1.1. Please note that this is different from the address 127.0.0.1 which have a ‘localhost’ value in the same file.
So assuming your server’s public IP address is 220.127.116.11 and your hostname is miami, your /etc/hosts file should have the below entries at the very top:
Reboot your Alibaba Cloud ECS instance for the changes to take effect by typing the command below:
$ sudo reboot
Step 3: Configure Time Zone on Your CentOS 7 Server
You can check the default date and time zone on your Alibaba Cloud CentOS 7 server by typing the command below:
You must set the correct time zone especially if you are running cron jobs on your CentOS 7 server because they rely heavily on date/time. To change the time zone, use the command below:
$ sudo timedatectl set-timezone
For instance, to set your server time zone to London, use the command below:
$ sudo timedatectl set-timezone Europe/London
You can run the date command to check if the changes are successful:
Step 4: Create a Non-Root User with Sudo Privileges on CentOS 7
Logging into your CentOS 7 server using a root user can cause a lot of problems. For instance, a simple ‘rm’ command with incorrectly typed parameters can wipe your entire production’s server data.
Therefore, you need to create a non-root user with sudo privileges. You can then temporary elevate privileges by using the sudo command where necessary.
To create the user, use the command below:
$ sudo adduser
For instance, to add a user identified as james on your server, use the command below:
$ sudo adduser james
Next, we assign a password to the user we have created above:
$ sudo passwd james
You will be prompted to enter the password for the user.
Then, we need to add the user to the wheel group to assign the ability to run administrative tasks with the sudo command by typing the following:
$ sudo gpasswd -a james wheel
Remember to replace james with the correct username of your choice.
Step 5: Create Authentication Key Pair for Logging onto Your CentOS 7 Server
Logging in to your CentOS 7 server using a private/public key pair is more secure than using a password. In this mode, you keep the private key on your local computer and the public key under the .ssh/authorized_keys file on your Alibaba Cloud server.
This technology encrypts data sent from your server via the public key and users can only decrypt it using the correct private key, which is only known to you. Keys used in this manner can’t be guessed even by the most resourceful hackers. You can also add another layer of security by protecting your private key with a passphrase in case it falls to the wrong hands.
You can generate a private/public key pair with a tool like PuTTY key Generator (download here).
Make sure you are logged in as the user who you are generating keys for. Also, the below commands should NOT be run using ‘sudo’.
Copy the public key part to your CentOS 7 server using the commands below:
$ mkdir ~/.ssh
Then, use a nano editor to paste your public key on the authorized_keys file by typing:
$ nano ~/.ssh/authorized_keys
Protect the file by typing the commands below
$ chmod 700 -R ~/.ssh && chmod 600 ~/.ssh/authorized_keys
Once the keys are created, you can now login on your CentOS 7 server using your username and the private key that you have created via a SSH connection.
Step 6: Disable Password Authentication on Your CentOS 7 Server
Once you set up the private/public key pair, you should disable password based logins. This will ensure that only a person with the correct private key can gain access to your CentOS 7 server.
To do this, edit the SSH configuration file via the command below:
$ sudo nano /etc/ssh/sshd_config
Find the line PasswordAuthentication and change it value from yes to no.
Restart the SSH daemon:
$ sudo service sshd restart
Step 7: Disable SSH Root Access on Your CentOS 7 Server
Once you have created non-root user with sudo privileges and password logins disabled, you can go ahead and disable root login over SSH. This will make sure that no one can login to your CentOS 7 server over SSH using the root username.
Any administrative tasks from this point forward will be done by the non-root user with sudo privileges.
To disable root access over SSH, edit the SSH configuration file on more time using a nano editor and look for the directive PermitRootLogin and change its value from yes to no.
$ sudo nano /etc/ssh/sshd_config
Restart the SSH daemon by typing the command below for the changes to take effect:
$ sudo service sshd restart
Step 8: Install a Firewall on Your CentOS 7 server
With your CentOS 7 you can utilize the power of interacting with IP tables via a tool known as UFW (Uncomplicated Firewall). UFW is a simplified tool which aims towards simplifying the process of setting up IP tables especially for beginners who are new to the Linux environment.
UFW is a right choice for adding another security to your CentOS 7 server running on Alibaba Cloud.
You can use the command below to install it:
$ sudo yum install ufw
Then, type the command below to allow all outgoing calls and deny or incoming calls.
$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing
You can use the UFW command below to allow traffic to a particular port or service.
$ sudo ufw allow
To avoid completely locking yourself from your CentOS 7 server, the first port/service that you should allow on UFW is port 22 which listens for SSH connections.
To do this, type the command below to add the rule:
$ sudo ufw allow 22
$ sudo ufw allow ssh
Also if you are running a web server, you should enable the http and https ports:
$ sudo ufw allow http
$ sudo ufw allow https
Once you have whitelisted the services, run the command below to start UFW
$ sudo ufw enable
You can delete any rule that you have created by first checking its number and then deleting it using the commands below:
$ sudo ufw status numbered
$ sudo ufw delete
Where <rule number> is the value that you obtained above from the list of rules available.
Make sure UFW is enabled before checking the list of rules.
You can disable UFW at any time by typing the command below:
$ sudo ufw disable
Or just reset all rules by typing:
$ sudo ufw reset
Step 9: Install Fail2Ban on Your CentOS 7 Server
Fail2Ban is a tool that adds another layer of security to your CentOS 7 server by utilizing IP tables. It simply bans users trying to access your server based on the number of failed logged in attempts.
You can Install Fail2Ban by typing the command below.
$ sudo yum install fail2ban
You can use your server with the default Fail2Ban settings but when need arises, you can edit the configuration file to make changes. All Fail2Ban configuration files are located on the ‘/etc/fail2ban/’ directory
By default .conf files are read first followed by .local files. So if you want to override settings, you should make changes to .local files and leave .conf files intact.
For instance, you can create your own copy of jail.conf file and create a local file for editing using the commands below:
$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
You can then change any Fail2Ban settings by editing the new file with the command below:
$ sudo nano /etc/fail2ban/jail.local
In most cases, you will be setting the ban time, find time and max retries for SSH connections. This will all depend on the level of security that you need on your CentOS 7 server.
That’s it! You have successfully provisioned your CentOS 7 server running on Alibaba Cloud Elastic Compute Service (ECS). Although this is not a conclusive list of all Linux security measures that you should take when setting up your server, it can keep hackers away especially if you are just starting out with ECS. You can now install a web server and database server to run your website or web application. I hope you enjoyed reading the tutorial!