How to Set Up and Harden a Centos Server on Digital Ocean

This post is part of a series. This list contains all of the posts:

I am moving my webhosting from GoDaddy to Digital Ocean so that I run this blog on my own python software instead of on PHP/Wordpress. This post will document the moving process.

I was paying $10/month for Godaddy hosting. I wanted to pay the same or cheaper, for my own dedicated VM with root access.

I ended up with Digital Ocean. I've relied on their help articles so many times that I gave them a chance by reading their product listing. $5 for a VM with 500MB RAM and 20GB of storage didn't sound like much, but my blog doesn't get enough traffic to justify using more than that anyways. Plus I get full root access unlike the shared hosting providers.

I've used Heroku before, and while thought the service was pretty neat, I was interested in root access and didn't want an ephemeral file system like Heroku offers.

Digital Ocean is a IaaS provider that is pretty easy to setup. I created a droplet, which is Digital Ocean's term for a VM, in minutes, chosing the cheapest option at $5 per month to start with.

I didn't set up an SSH key, so Digital Ocean emailed me the root password. After logging in I was forced to change passwords. I used a strong password, and was relieved I did so after discovering I had about 50K break in attempts after only 7 days.

Setting up the Centos Droplet

I used the following sources of information which I would recommend highly:

Basic System Administration

First we will add our user and enable his sudo:

adduser myuser
passwd myuser
# Add new user to the "wheel group" so they can do sudo
gpasswd -a myuser wheel

Disabling root access from ssh is a good security measure.

# Disable root access from ssh
# Find the line "#PermitRootLogin yes"
# And change to "PermitRootLogin no"
vi /etc/ssh/sshd_config
# Restart SSH
systemctl reload sshd

Let's turn on the firewall and only open up ports for SSH, HTTP/S, and SMTP.

# Turn on firewall
sudo systemctl start firewalld
# Whitelist SSH
sudo firewall-cmd --permanent --add-service=ssh
# Whitelist http/s
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --permanent --add-service=smtp
# Confirm exceptions
sudo firewall-cmd --permanent --list-all
# Reload fierwall
sudo firewall-cmd --reload

# Activate firewall on boot
sudo systemctl enable firewalld

By the way, to temporarily open up a port, issue the following:

sudo firewall-cmd --zone=public --add-port=5000/tcp
# The port should be opened immediately. Confirm with:
firewall-cmd --list-all 
# To close the port again, simply reload the config:
sudo firewall-cmd --reload

DigitalOcean suggested installing NTP for time sychronization:

sudo yum install ntp
sudo systemctl start ntpd
sudo systemctl enable ntpd

Add a swap file. Digital ocean recommended a 4GB swap file but I thought that was way too much and settled on 500MB.

sudo fallocate -l 500M /swapfile
# Make invisible to other users
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile
# Get Centos to use it on boot
sudo sh -c 'echo "/swapfile none swap sw 0 0" >> /etc/fstab'

Denyhosts

After I set up my server, I almost immediately started having malicious users attempt to break in over SSH. I was astonished to find that in the first week there was over 50K such attempts.

Denyhosts is a python app that will restrict IPs from being able to attempt to login if they are attempting to brute force.

sudo yum install denyhosts

It will start working right away. You may want to take a look at the configuration file at /etc/denyhosts.conf. I set BLOCK_SERVICE = ALL, which will prevent malicious users from accessing any service, including my webserver, on my machine. The documentation mentions that this may be bad, as anyone whose computer is unwillingly in a botnet can not access my webpage.

After changing this file, make sure to restart denyhosts:

service denyhosts restart

This post is part of a series. This list contains all of the posts:


Comments

Add Comment

Name

Email

Comment

Are you human? + nine = 14