In this article, we'll guide you through some of the basic steps in securing your new Dedicated Server from malicious users.

Not all installations of Linux are the same. If your installation differs from the one we used, you'll need to do a bit of research to get the same results. Please note that during this process you can very easily lock yourself out of your machine and do irreversible damage, so please be wary and follow the guide exactly as stated. If anything fails and your system is hosted with us, contact us directly so we can help you with the steps.

We'll need to SSH into the server before we can start to set this up. To do so, you'll want to follow our guide to SSH'ing into your new server here.

Updating Everything

First things first, you will want to update the system to ensure it has the latest security patches and program versions.

You'll need to run the following command in your terminal window: yum upgrade -y && yum update -y
Reboot the machine by typing reboot and pressing enter. This will disconnect you from SSH, and it'll take a few minutes before the server is back online. SSH back in once it is.

Adding a new user

You'll want to run the following commands in your terminal window, make sure to use the username you desire:

adduser username - This should return an empty prompt once you run it.

passwd username - This will set the password for the user. You will need to type your password twice, and it will not display while you do so. Once it is set, you'll see a confirmation.

usermod -aG wheel username - Give the user access to use sudo level permissions. You'll be greeted with an empty prompt if done correctly.

exit - Log out of the root account of the machine
SSH back into the machine as the user you've just created instead of root.
You'll be prompted to enter a password. Enter the password you set earlier, not the root password.
Now that you're logged in as the new user, you can disable root login over SSH completely.
sudo vim /etc/ssh/sshd_config - To do so, you'll need to edit your SSHD config file. Notice we need to use sudo at the start. This is because we're no longer the root user, and we're editing a file that can only be seen and edited by root, so we need to ask the machine for sudo access to run this command. You'll be asked to confirm your password once more when issuing this.

Once in this file, you'll want to look for the line under the Authentication heading that says: #PermitRootLogin yes. This will be roughly halfway through the file. Once you find it, hit i on your keyboard to enter edit mode in the vi editor, which will allow you to make changes to the file.
You'll want to change that line to PermitRootLogin no. Make sure the # at the start of the line is removed, otherwise the line is still a comment and has no effect.

Now that you've made the needed changes, hit the escape key on your keyboard to leave edit mode, then press : on your keyboard to enter command mode in the editor.

You'll now want to type wq, which stands for write and quit. Then hit enter and it should save your changes and exit out of the editor bringing you back to the normal SSH window.
sudo systemctl restart sshd - To commit to these changes, we'll need to restart the sshd service on our server for it to read the changes.
Once this has been done, open a new SSH session as root and attempt to log in with the password. The login should fail.

Changing SSH Port

To get started, we need to disable SELinux on the machine, as this will cause fewer issues down the line. To disable SELinux, you'll need to run sudo setenforce 0 && sudo sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config - the first command switches SELinux to permissive mode straight away, and the second edits the config file so it stays disabled after a reboot.
Now that SELinux is disabled, you'll want to run the command for editing the sshd config file as we did in previous steps - sudo vim /etc/ssh/sshd_config
Within the editor, what we'll be changing is the SSH port. To do so, find the line #Port 22, which will be near the top of the sshd config file. Once found, hit i again to enter edit mode, remove the # at the start of the line, then change the port number to a random number over 1024 and below 32767. Do not go any lower than 1024, as this will cause issues. Once you've changed the port, the line should read Port followed by the number you chose, with no # in front of it.
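
The check below is an added example, not part of the original article. It reviews a copy of sshd_config for the two edits made above (PermitRootLogin no and a Port inside the range given in this guide) and catches a line left commented out or overridden by another line. The function names are made up for this example, and it assumes a single file with no Include directives.

```shell
#!/bin/sh
# Added example. Offline review of an sshd_config file; on the server itself,
# `sudo sshd -t` validates syntax and `sudo sshd -T` prints effective settings.

# Print each value set for keyword $2 in the global section of file $1.
sshd_global_values() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/ { next }                 # comments ("#Port 22") and blanks
        {
            line = $0; sub(/^[ \t]+/, "", line)
            if (!match(line, /^[A-Za-z0-9]+/)) next
            key = tolower(substr(line, 1, RLENGTH))
            val = substr(line, RLENGTH + 1)
            sub(/^[ \t]*=?[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (key == "match") exit            # Match blocks are conditional
            if (key == want) print val
        }' "$1"
}

# Return 0 only if root login is off and every port is in the guide's range.
audit_sshd_config() {
    rc=0
    # sshd keeps the first PermitRootLogin it reads; later duplicates are ignored.
    root=$(sshd_global_values "$1" PermitRootLogin | head -n 1 | tr 'A-Z' 'a-z')
    if [ "$root" != "no" ]; then
        echo "FAIL: PermitRootLogin is '${root:-unset}', expected 'no'"; rc=1
    fi
    # Every active Port line adds a listener; none at all means the default, 22.
    ports=$(sshd_global_values "$1" Port)
    for p in ${ports:-22}; do
        case $p in
            *[!0-9]*) echo "FAIL: Port '$p' is not a number"; rc=1 ;;
            *) if [ "$p" -le 1024 ] || [ "$p" -ge 32767 ]; then
                   echo "FAIL: Port $p is outside 1025-32766"; rc=1
               fi ;;
        esac
    done
    return $rc
}

# Constructed sample: values edited, but the leading '#' was left on one line.
sample=$(mktemp)
printf '%s\n' '#Port 22' 'Port 2222' '#PermitRootLogin no' > "$sample"
audit_sshd_config "$sample" || echo "Fix the lines above before restarting sshd."
rm -f "$sample"
```

To review the real file, run audit_sshd_config on a copy of /etc/ssh/sshd_config before restarting sshd, and keep your current SSH session open until a new login succeeds.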


Installing Fail2Ban

This is, of course, another optional step and only really recommended if you're an advanced user and want even more security. To get started, you'll need to add the EPEL repository to fetch fail2ban. You'll do so with the following command:

sudo yum install epel-release -y
Once that's installed, you'll install fail2ban with the following command: sudo yum install fail2ban -y
Now that you have fail2ban installed, you'll need to configure it to watch the new SSH port you set earlier. To do so, create and edit the following config file: sudo vim /etc/fail2ban/jail.local
Add the following to the file. In the port line, enter whatever port you set in your sshd_config.
[ssh]
enabled = true
port = PORT_HERE

Once edited, you'll need to write and quit from the file by pressing : and typing wq, followed by hitting enter to confirm, as we did previously.
You'll need to restart both fail2ban and sshd using the following commands: sudo systemctl restart sshd and sudo systemctl restart fail2ban
Once both of those have been run, open a new SSH window and attempt to log in on your new port. If this fails, open a ticket with us so we can make sure your configuration is correct. Do not close the previously opened SSH window, as otherwise you may be locked out of your machine.