By Francis Ndungu, Alibaba Cloud Tech Share Author. Tech Share is Alibaba Cloud's incentive program to encourage the sharing of technical knowledge and best practices within the cloud community.
Alibaba Cloud Elastic Compute Service (ECS) provides a faster and more powerful way to run your cloud applications as compared with traditional physical servers. You can achieve great results on your cloud needs. With ECS, you can achieve more with the latest generation of CPUs as well as protect your instance from DDoS and Trojan attacks.
In this guide, we will talk about the best practices for provisioning your CentOS 6 server hosted on an Alibaba Cloud Elastic Compute Service (ECS) instance.
Locate the Internet IP address (Public IP address) associated with your Alibaba Cloud ECS Instance.
If you are running Linux or Mac, use a terminal application to connect to the instance via SSH. If you are on Windows, you can use PuTTy (download here) to connect to your server. You will have to provide the IP address, username and password that you set up when creating your Alibaba Cloud ECS instance to log in via SSH.
There are other ways to connect to your ECS instance as well. Visit the official ECS documentation to learn more.
The hostname is a default identifier when you communicate to a Linux server. It is like a computer name that is associated with your home PC or laptop. Naming your CentOS 6 server with a descriptive hostname helps you to differentiate your machines especially if you are running a bunch of them.
To begin, ensure your CentOS 6 system is up-to-date by typing the command below:
$ sudo yum update To check your hostname, type the command below on a terminal window:
$ hostnameTo change your hostname, we need to install nano text editor using the command below:
$ sudo yum install nanoThen, edit the /etc/cloud/cloud.cfg file and find the entry preserve_hostname. Change its value from false to true.
$ sudo nano /etc/cloud/cloud.cfg
preserve_hostname truePress CTRL + X, Y then Enter to exit and save the changes.
Then, edit the /etc/sysconfig/network file using a nano editor by typing the command below:
$ sudo nano /etc/sysconfig/networkFind the HOSTNAME entry and overwrite its value with your preferred hostname. For instance, if your hostname is miami, the value should be entered as follows:
HOSTNAME=miamiPress CTRL + X, Y then Enter to save the changes.
You will also need to add some entries on the Linux hosts file. Open the file using a text editor:
$ sudo nano /etc/hostsYou will need to add two entries on this file just below the 127.0.0.1 localhost entry. The first entry you are adding uses the loopback interface address 127.0.1.1. Please note that this is different from the address 127.0.0.1 which have a 'localhost' value in the same file.
So assuming your server's public IP address is 111.111.111.111 and your hostname is miami, your /etc/hosts file should have the below entries at the very top:
127.0.0.1 localhost
127.0.1.1 miami
111.111.111.111 miamiReboot your Alibaba Cloud ECS instance for the changes to take effect by typing the command below:
$ sudo rebootYou can check the default date and time zone on your Alibaba CentOS 6 server by typing the command below:
$ ls -l /etc/localtimeYou will get an output like the one shown below:
You must set the correct time zone especially if you are running cron jobs on your CentOS 6 server because they rely heavily on date/time. To change the time zone, use the commands below:
$ sudo rm /etc/localtime
$ sudo ln -s /usr/share/zoneinfo/ /etc/localtimeIn the above command, we are deleting the old symbolic link (address of the old time zone file name) using 'rm' command and creating another one (using 'ln' command ) depending on our new time zone.
CentOS 6 maintains all time zone files under the /usr/share/zoneinfo directory and we need to create symbolic link to the right file that contains our preferred time zone.
For instance, to set your CentOS 6 server time zone to London, use the commands below:
$ sudo rm /etc/localtime
$ sudo ln -s /usr/share/zoneinfo/Europe/London /etc/localtimeYou can run the date command to check if the changes were effected successfully:
$ dateLogging into your CentOS 6 server using a root user can cause a lot of problems. For instance, a simple 'rm' command with incorrectly typed parameters can wipe your entire production's server data.
Therefore, you need to create a non-root user with sudo privileges. You can then temporary elevate privileges by using the sudo command where necessary.
To create the user, use the command below:
$ sudo adduser For instance, to add a user identified as james on your server, use the command below:
$ sudo adduser jamesNext, we assign a password to the user we have created above:
$ sudo passwd jamesYou will be prompted to enter the password for the user.
Then, we need to add the user to the wheel group to assign the ability to run administrative tasks with the sudo command by typing the following:
$ sudo gpasswd -a james wheelor
$ sudo usermod -aG wheel jamesRemember to replace james with the correct username.
If you get an error that the user is not on the sudoers group when performing administrative tasks using the user we have created, you will need to edit the file /etc/sudoers and change the line '# %wheel ALL=(ALL) ALL' to '%wheel ALL=(ALL) ALL'
So type:
$ sudo nano /etc/sudoersand change the entry to:
%wheel ALL=(ALL) ALLNote we have removed the '#' to uncomment the file.
Logging in to your CentOS 6 server using a private/public key pair is more secure than using a password. In this mode, you keep the private key on your local computer and the public key under the .ssh/authorized_keys file on your Alibaba Cloud server.
This technology encrypts data sent from your server via the public key and users can only decrypt it using the correct private key, which is only known to you. Keys used in this manner can't be guessed even by the most resourceful attackers. You can also add another layer of security by protecting your private key with a passphrase in case it falls to the wrong hands.
You can generate a private/public key pair with a tool like PuTTY key Generator (download here).
Make sure you are logged in as the user who you are generating keys for. Also, the below commands should NOT be run using 'sudo'.
Copy the public key part to your CentOS 6 server using the commands below:
$ mkdir ~/.sshThen, use a nano editor to paste your public key on the authorized_keys file by typing:
$ nano ~/.ssh/authorized_keysProtect the file by typing the commands below
$ chmod 700 -R ~/.ssh && chmod 600 ~/.ssh/authorized_keysOnce the keys are created, you can now login on your CentOS 6 server using your username and the private key that you have created via a SSH connection.
Once you set up the private/public key pair, you should disable password based logins. This will ensure that only a person with the correct private key can gain access to your CentOS 6 server.
To do this, edit the SSH configuration file via the command below:
$ sudo nano /etc/ssh/sshd_configFind the line PasswordAuthentication and change it value from yes to no.
PasswordAuthentication noRestart the SSH daemon:
$ sudo service sshd restartOnce you have created non-root user with sudo privileges and password logins disabled, you can go ahead and disable root login over SSH. This will make sure that no one can login to your CentOS 6 server over SSH using the root username.
Any administrative tasks from this point forward will be done by the non-root user with sudo privileges.
To disable root access over SSH, edit the SSH configuration file on more time using a nano editor and look for the directive PermitRootLogin and change its value from yes to no.
$ sudo nano /etc/ssh/sshd_configThen,
PermitRootLogin noRestart the SSH daemon by typing the command below for the changes to take effect:
$ sudo service sshd restartWith your CentOS 6 you can utilize the power of interacting with IP tables via a tool known as UFW (Uncomplicated Firewall). UFW is a simplified tool which aims towards simplifying the process of setting up IP tables especially for beginners who are new to the Linux environment.
UFW is a right choice for adding another security to your CentOS 6 server running on Alibaba Cloud.
You can use the command below to install it:
$ sudo yum install ufwThen, type the command below to allow all outgoing calls and deny or incoming calls.
$ sudo ufw default deny incoming
$ sudo ufw default allow outgoingYou can use the UFW command below to allow traffic to a particular port or service.
$ sudo ufw allow To avoid completely locking yourself from your CentOS 6 server, the first port/service that you should allow on UFW is port 22 which listens for SSH connections.
To do this, type the command below to add the rule:
$ sudo ufw allow 22Or
$ sudo ufw allow sshAlso if you are running a web server, you should enable the http and https ports:
$ sudo ufw allow http
$ sudo ufw allow httpsOnce you have whitelisted the services, run the command below to start UFW
$ sudo ufw enableYou can delete any rule that you have created by first checking its number and then deleting it using the commands below:
$ sudo ufw status numberedThen
$ sudo ufw delete Where <rule number> is the value that you obtained above from the list of rules available.
Make sure UFW is enabled before checking the list of rules.
You can disable UFW at any time by typing the command below:
$ sudo ufw disableOr just reset all rules by typing:
$ sudo ufw resetFail2Ban is a tool that adds another layer of security to your CentOS 6 server by utilizing IP tables. It simply bans users trying to access your server based on the number of failed logged in attempts.
You can Install Fail2Ban by typing the command below.
$ sudo yum install fail2banYou can use your server with the default Fail2Ban settings but when need arises, you can edit the configuration file to make changes. All Fail2Ban configuration files are located on the '/etc/fail2ban/' directory
By default .conf files are read first followed by .local files. So if you want to override settings, you should make changes to .local files and leave .conf files intact.
For instance, you can create your own copy of jail.conf file and create a local file for editing using the commands below:
$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local$ sudo nano /etc/fail2ban/jail.localIn most cases, you will be setting the ban time, find time and max retries for SSH connections. This will all depend on the level of security that you need on your CentOS 6 server.
That's it! You have successfully provisioned your CentOS 6 server running on Alibaba Cloud Elastic Compute Service (ECS). Although this is not a conclusive list of all Linux security measures that you should take when setting up your server, it can keep attackers away especially if you are just starting out with ECS. You can now install a web server and database server to run your website or web application. I hope you enjoyed reading the tutorial!
New to Alibaba Cloud? Sign up for an account and try over 40 products for free worth up to $1200. Or visit Getting Started with Alibaba Cloud to learn more.
2,605 posts | 747 followers
FollowAlibaba Clouder - August 16, 2019
Alibaba Clouder - June 8, 2018
Hiteshjethva - December 12, 2019
Alibaba Clouder - April 12, 2019
Sajid Qureshi - September 13, 2018
Alibaba Clouder - October 28, 2019
2,605 posts | 747 followers
Follow
ECS(Elastic Compute Service)
Elastic and secure virtual cloud servers to cater all your cloud hosting needs.
Learn More
OSS(Object Storage Service)
An encrypted and secure cloud storage service which stores, processes and accesses massive amounts of data from anywhere in the world
Learn MoreLearn More
More Posts by Alibaba Clouder