Well, now that you have installed a basic server install of CentOS, we are going to set up the environment we need in order to use our server. What, you haven’t installed CentOS 5 yet? You might want to check out part one of this then. For those of you who have already installed it, let’s move on.
This section covers the configuration of the firewall, ssh, and creating user accounts. The final part will cover the install of MySQL, PHP, and Pure-ftp.
Now this part is all command line baby!!! So I’m not going to provide any screen shots since you shouldn’t need them. If you think you need screen shots for this section just stop reading now. Seriously leave! Okay so first I’m going to set up ssh. It should already be installed so all we need to do is configure it.
I’m kind of a security freak so I’m going to walk you through how to do public-key authentication, and how to change the port of the ssh server so you aren’t logging in on the standard port 22. But before we do that I’m going to show you how to set up the firewall. This is a basic setup but should be pretty secure. If you want to know more about configuring the firewall check out this tutorial.
cd ~
mkdir scripts
vim scripts/myfirewall
Just paste in this script (make modifications where you see fit):
#!/bin/bash
#
# iptables firewall configuration script
#
# flush all current rules from iptables (the default policies are left as they are)
iptables -F
# allow ssh connections on tcp port 8768 (an arbitrary pick; use anything over 6000,
# and make sure sshd_config listens on the same port)
iptables -A INPUT -p tcp --dport 8768 -j ACCEPT
# allow ftp connections on tcp port 21 (for more security you can change this;
# passive-mode data connections also need the ip_conntrack_ftp module loaded)
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
# set default policies for INPUT, FORWARD and OUTPUT chains
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# set access for localhost
iptables -A INPUT -i lo -j ACCEPT
# accept packets belonging to established and related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# save settings so they are restored at boot
/sbin/service iptables save
# list the rules
iptables -L -v
Finally make this file executable and you have a script:
chmod +x ~/scripts/myfirewall
To run it you just type (you must be logged in as root):
~/scripts/myfirewall
This will make it easier when you want to add rules. It flushes all the rules, rebuilds the rules, saves them, and lists all the rules at the end. Once this is done we should reboot to let the firewall settings take effect.
shutdown -r now
Another thing we want to do before we configure ssh is to create a user. We aren’t going to allow root access to ssh so we need someone to log in as. Once it’s restarted we are going to log in as root and create a user (just replace username with your desired username; passwd will prompt you to type the new password twice).
useradd username
passwd username
Now when you login to that username you can always switch to the root user by typing:
su -
Then it will prompt you for the root password. To switch back:
logout
Rule of thumb is to never log in as root unless you absolutely have to in order to change something. It can be really dangerous to log in as root all the time because if you make a mistake there is most likely no way of going back. Now that I gave you that warning we are going to log in as root because we need to set up the ssh server.
First let’s create a backup of the sshd_config file so we can go back if we make a mistake.
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
Now let’s edit the original file.
vim /etc/ssh/sshd_config
And just copy this configuration and paste it into the window. Or you can type it in manually, just make sure to double check everything at the end.
After you have done that all you need to do is to create the .ssh folder with the authorized keys file. Make sure you are logged in as a user other than root and do this.
mkdir ~/.ssh
chmod 700 ~/.ssh
touch ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
Now all you have to do is to upload your public key to the server. If you do not have one it’s pretty easy to make.
Now that you have the public-key authentication set up we need to disable the password authentication. Just go edit the sshd_config file:
vim /etc/ssh/sshd_config
Find the line that says:
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication yes
and change it to:
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
Warning: only disable password authentication once you are sure you can log in using public-key authentication. If you can’t, you will need console access to fix it.
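As an added example (not part of the original tutorial), here is a small bash helper that installs a public key into a user’s authorized_keys the way the section above describes and checks sshd_config for the settings this tutorial wants before you restart sshd with password logins disabled. The function names, the assumption that the public key has already been copied to the server as a file, and the port value 8768 (taken from the firewall script) are all mine.

```shell
#!/bin/bash
# Added helper (not part of the original tutorial). Assumes bash, awk and GNU
# coreutils, and that the user's public key is already on the server as a file.

SSH_PORT=8768   # assumed to match the port opened in the firewall script

# install_pubkey PUBKEY_FILE HOME_DIR
# Appends each key line to HOME_DIR/.ssh/authorized_keys with the permissions
# sshd's StrictModes expects (.ssh 700, authorized_keys 600); skips duplicates.
install_pubkey() {
    pubkey_file="$1"; home_dir="$2"
    auth="$home_dir/.ssh/authorized_keys"
    mkdir -p "$home_dir/.ssh" && chmod 700 "$home_dir/.ssh"
    touch "$auth" && chmod 600 "$auth"
    while IFS= read -r key; do
        [ -z "$key" ] && continue                       # skip blank lines
        grep -qxF "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
    done < "$pubkey_file"
}

# key_installed HOME_DIR: succeeds if authorized_keys holds at least one key
key_installed() {
    grep -Eq '^(ssh-|ecdsa-)' "$1/.ssh/authorized_keys" 2>/dev/null
}

# sshd_setting CONFIG KEYWORD: prints the effective (last uncommented) value
sshd_setting() {
    awk -v k="$2" 'tolower($1) == tolower(k) { v = $2 } END { print v }' "$1"
}

# check_sshd_config CONFIG
# Succeeds only when the config has what this tutorial sets; otherwise prints
# each problem and fails. Run it (and "sshd -t") before restarting sshd.
check_sshd_config() {
    cfg="$1"; rc=0
    [ "$(sshd_setting "$cfg" Port)" = "$SSH_PORT" ] \
        || { echo "Port must be $SSH_PORT, the only ssh port the firewall opens"; rc=1; }
    [ "$(sshd_setting "$cfg" PermitRootLogin)" = "no" ] \
        || { echo "PermitRootLogin should be no"; rc=1; }
    [ "$(sshd_setting "$cfg" PubkeyAuthentication)" != "no" ] \
        || { echo "PubkeyAuthentication must not be disabled"; rc=1; }
    [ "$(sshd_setting "$cfg" PasswordAuthentication)" = "no" ] \
        || { echo "PasswordAuthentication should be no"; rc=1; }
    return $rc
}

# ready_to_disable_passwords HOME_DIR CONFIG: the pre-flight check the warning
# above asks for; run it before restarting sshd with PasswordAuthentication no
ready_to_disable_passwords() {
    key_installed "$1" && check_sshd_config "$2"
}
```

Keep the existing ssh session open while you restart sshd and confirm a second key-based login on the new port works before closing it.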
Okay so I didn’t plan on having a part 3 to this tutorial, but there is a lot more than I thought there would be. So now that we have ssh setup properly and have the firewall configured then we are good to move on to the next part.