Security - SSH and APF (Advance Policy Firewall) Setup
This article will cover basic security in CentOS, from securing SSH to installing and configuring a basic firewall. Since your VPS is pretty bare when we activate it, it is important to implement security as soon as you can to avoid being compromised. You will learn how to restrict access to your VPS to a small number of selected individuals (or PCs) and design a very simple but effective firewall solution.
One of the fundamentals of Linux security is to never work as root, so that a password sniffed or keylogged while you work from a remote location does not hand over the root account. For that reason, we will create a new user account that will be used to administer your VPS. Let's start by creating such an account and calling it vpsuser.
# adduser vpsuser
After creating the user we have to give it a password and add some basic permissions to the account. By adding the user to the wheel group we are giving it some administrative rights.
# passwd vpsuser
# usermod -a -G wheel vpsuser
You can now log in to your new account, but let's stay in root throughout the length of the article. Note that if you can't get a command to run for some reason (most likely because environment variables haven't been set up for the new user), you can always switch to root with the command
# su -
We will not disable the root account, even though you should if you are really concerned about your security. Disabling the root account requires installing sudo and setting up some environment variables, which will not be covered in this article. Now that we've created the new account, let's take a look at SSH and firewall security.
SSH Configuration
Let’s take a look at the default SSH configuration:
# nano /etc/ssh/sshd_config
We want to change the port SSH uses from the default to a non-obvious number. Look for the line that says '#Port 22' and change it. Don't forget to take out the # symbol in front of the line. For example,
Port 12345
The next level of security to apply to SSH is to disallow login by the root user. This way you will only be able to log in with the new user we just created. Search for the "#PermitRootLogin yes" line and change it to deny root login attempts, as such:
PermitRootLogin no
Save the configuration file and restart the SSH service (on CentOS the service is named sshd). Don't forget to change the port in your SSH client when you reconnect.
# /sbin/service sshd restart
You should now have a fairly locked-down machine when it comes to SSH, stopping most brute-force login attempts in their tracks. Let's move on to the next topic.
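The two sshd_config edits above are easy to get wrong by hand (leaving the # in place, or a typo that makes sshd refuse to start and locks you out). The following shell script is an added example, not part of the original article: it applies both changes to a file, checks that they took effect, and offers a syntax check via sshd's own parser. The port 12345 is the article's example; the sample config it operates on is constructed here.

```shell
#!/bin/sh
# Added example (not from the original article): apply the two sshd_config
# changes described above to a file and verify them before restarting sshd.
# The port 12345 is the article's example; the sample config is constructed.

# Set one sshd_config directive, replacing an existing line (commented-out
# defaults such as "#Port 22" included) or appending it if absent.
set_sshd_directive() {
    cfg="$1" key="$2" value="$3"
    if grep -Eq "^#?$key[[:space:]]" "$cfg"; then
        sed -E "s/^#?$key[[:space:]].*/$key $value/" "$cfg" > "$cfg.tmp"
    else
        cp "$cfg" "$cfg.tmp" && printf '%s %s\n' "$key" "$value" >> "$cfg.tmp"
    fi
    mv "$cfg.tmp" "$cfg"
}

# Print the effective value of a directive: sshd uses the first uncommented
# occurrence, so that is what we report (empty when only the default applies).
get_sshd_directive() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Return 0 when the file reflects the article's hardening: sshd on a
# non-default port and root logins refused.
sshd_config_hardened() {
    port=$(get_sshd_directive "$1" Port)
    root=$(get_sshd_directive "$1" PermitRootLogin | tr 'A-Z' 'a-z')
    [ -n "$port" ] && [ "$port" != "22" ] && [ "$root" = "no" ]
}

# Apply both changes and confirm they took effect.
harden_sshd_config() {
    set_sshd_directive "$1" Port "$2"
    set_sshd_directive "$1" PermitRootLogin no
    sshd_config_hardened "$1"
}

# Ask sshd itself to parse the file. Run this as root on the real
# /etc/ssh/sshd_config before "service sshd restart": a typo that sshd
# rejects would otherwise leave the daemon down and you locked out.
validate_sshd_config() {
    command -v sshd >/dev/null 2>&1 || { echo "sshd not installed here; skipping syntax check"; return 0; }
    sshd -t -f "$1"
}

# Constructed sample mirroring the relevant lines of a stock CentOS sshd_config.
make_sample_sshd_config() {
    cat > "$1" <<'EOF'
# This is the sshd server system-wide configuration file (constructed sample).
#Port 22
#Protocol 2,1
Protocol 2
#PermitRootLogin yes
#PasswordAuthentication yes
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
}

# Demonstration on a scratch copy; on the VPS, point harden_sshd_config at
# /etc/ssh/sshd_config instead and keep your current session open until a
# second login on the new port succeeds.
demo=$(mktemp)
make_sample_sshd_config "$demo"
if harden_sshd_config "$demo" 12345; then
    echo "hardened:"; grep -E '^(Port|PermitRootLogin) ' "$demo"
fi
rm -f "$demo"
```

Running it twice is safe: the second pass finds the already-uncommented lines and rewrites them in place rather than appending duplicates, which matters because sshd honours only the first occurrence of a directive.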
APF (Advance Policy Firewall) Configuration
If you run a website, blog, or any other type of service that opens your VPS to the internet, it's a good idea to close off any services that may leave your VPS vulnerable. We'll be installing APF (Advance Policy Firewall), a free and lightweight iptables front end, to address this.
First, make sure iptables and cron are installed:
# yum install vixie-cron iptables
Then, download the latest version of APF:
Next, extract and install it (the tarball unpacks into a directory named apf-<version>, so the trailing slash below makes the glob match only that directory):
# tar -xvf apf-current.tar.gz
# cd apf-*/
# ./install.sh
APF will now be installed to /etc/apf on CentOS. You can find the firewall's configuration file at /etc/apf/conf.apf. Now let's open it and make some changes to match our SSH config.
# nano /etc/apf/conf.apf
First, look for the line that says
DEVEL_MODE="1"
Leaving this option as "1" will disable your firewall after 5 minutes, so make sure to change it to "0". Next, take a look at the allowed inbound ports. You should see something like
IG_TCP_CPORTS="22,80,443"
Notice that port 22, the default SSH port, is open. We want to change this to the port we gave SSH earlier. You can leave port 80 (HTTP) and 443 (HTTPS) open if you plan on running a website. Next, take a look at outbound filtering. By default, APF will not filter outbound traffic, but if you would like to change that, look for the following line
EGF="0"
and change this value to "1". On the line directly below it you should see the allowed outbound ports
EG_TCP_CPORTS="21,25,80,443"
Change these if you have enabled outbound filtering and save the firewall config. Now set the firewall to start when the VPS reboots and enable it:
# /sbin/chkconfig --add apf
# /sbin/chkconfig --level 345 apf on
# /sbin/service apf start
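The most common way this procedure goes wrong is starting APF while conf.apf still allows port 22 but not the new SSH port, or with DEVEL_MODE left at "1" so the firewall silently turns itself off. The shell script below is an added example, not part of the original article or the APF project: it reads the SSH port from sshd_config, checks conf.apf against it, and rewrites IG_TCP_CPORTS and DEVEL_MODE when they disagree. The variable names are APF's own (DEVEL_MODE, IG_TCP_CPORTS, EGF, EG_TCP_CPORTS); the two sample files it works on are constructed here.

```shell
#!/bin/sh
# Added example (not from the original article): check that conf.apf agrees
# with the SSH changes made earlier before starting APF, so the firewall does
# not lock you out. Variable names are APF's own (DEVEL_MODE, IG_TCP_CPORTS,
# EGF, EG_TCP_CPORTS); the sample files below are constructed.

# Read the value of a KEY="value" variable from conf.apf, quotes stripped.
apf_get() {
    sed -n -E "s/^$2=\"?([^\"]*)\"?[[:space:]]*$/\1/p" "$1" | head -n 1
}

# Set KEY="value" in conf.apf, replacing an existing assignment or appending one.
apf_set() {
    cfg="$1" key="$2" value="$3"
    if grep -Eq "^$key=" "$cfg"; then
        sed -E "s/^$key=.*/$key=\"$value\"/" "$cfg" > "$cfg.tmp"
    else
        cp "$cfg" "$cfg.tmp" && printf '%s="%s"\n' "$key" "$value" >> "$cfg.tmp"
    fi
    mv "$cfg.tmp" "$cfg"
}

# Effective sshd port: first uncommented Port directive, 22 when there is none.
sshd_port() {
    p=$(awk '$1 == "Port" { print $2; exit }' "$1")
    echo "${p:-22}"
}

# True when the comma-separated port list $1 contains port $2.
list_has_port() {
    printf ',%s,' "$1" | grep -qF ",$2,"
}

# Return 0 when APF is safe to start next to the given sshd_config:
# development mode off, the SSH port allowed inbound, and old port 22 closed.
apf_consistent_with_sshd() {
    port=$(sshd_port "$2")
    ports=$(apf_get "$1" IG_TCP_CPORTS)
    if [ "$(apf_get "$1" DEVEL_MODE)" != "0" ]; then
        echo "DEVEL_MODE is not 0: APF would disable itself after 5 minutes"; return 1
    fi
    if ! list_has_port "$ports" "$port"; then
        echo "SSH port $port missing from IG_TCP_CPORTS=\"$ports\": starting APF would lock you out"; return 1
    fi
    if [ "$port" != "22" ] && list_has_port "$ports" 22; then
        echo "port 22 still listed in IG_TCP_CPORTS although sshd listens on $port"; return 1
    fi
    return 0
}

# Rewrite IG_TCP_CPORTS so the SSH port replaces 22 (other ports kept, duplicates
# dropped), switch DEVEL_MODE off, and re-run the consistency check.
apf_align_with_sshd() {
    port=$(sshd_port "$2")
    newports=$(apf_get "$1" IG_TCP_CPORTS | tr ',' '\n' | sed "s/^22\$/$port/" \
               | awk 'NF && !seen[$0]++' | tr '\n' ',' | sed 's/,$//')
    apf_set "$1" IG_TCP_CPORTS "$newports"
    apf_set "$1" DEVEL_MODE 0
    apf_consistent_with_sshd "$1" "$2"
}

# Constructed excerpt of /etc/apf/conf.apf as installed (development mode on, port 22 open).
make_sample_conf_apf() {
    cat > "$1" <<'EOF'
## APF configuration (constructed excerpt)
DEVEL_MODE="1"
IG_TCP_CPORTS="22,80,443"
IG_UDP_CPORTS=""
EGF="0"
EG_TCP_CPORTS="21,25,80,443"
EOF
}

# Constructed sshd_config already hardened as in the SSH section.
make_sample_sshd_config() {
    printf 'Port 12345\nPermitRootLogin no\n' > "$1"
}

# Demonstration on scratch files; on the VPS use /etc/apf/conf.apf and
# /etc/ssh/sshd_config, and only run "service apf start" once the check passes.
apfcfg=$(mktemp); sshcfg=$(mktemp)
make_sample_conf_apf "$apfcfg"; make_sample_sshd_config "$sshcfg"
apf_consistent_with_sshd "$apfcfg" "$sshcfg" || echo "-> aligning conf.apf with sshd_config"
apf_align_with_sshd "$apfcfg" "$sshcfg" && grep -E '^(DEVEL_MODE|IG_TCP_CPORTS)=' "$apfcfg"
rm -f "$apfcfg" "$sshcfg"
```

The check deliberately reads the port from sshd_config rather than taking it as an argument, so it catches the case where you changed the firewall to one number and sshd to another. It leaves EGF and EG_TCP_CPORTS untouched, since outbound filtering is optional in the article.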
You might get kicked out of your VPS if you haven't logged back in since changing the SSH config. Just log back in if you need to do any post-install work. Remember to use 'su -' if some of these commands aren't registering with the server. You should now have a pretty secure box, ready to face the dangers of the internet.
