CentOS 7 is among the most secure and stable Linux distributions in the world. That’s why we use CentOS on our virtual private servers and dedicated servers. But server administrators should be familiar with a few security configuration tweaks.
In this article, I’m going to take a look at three security commands. They give you more control over user authentication, the services your server runs, and software updates.
Sudo for safer root
Sudo allows an ordinary user to run commands as the root user. The root user can read and write to every file on a server. It can execute any command on any file. The root user is all-powerful. That’s useful, but logging in as the root user is like walking around with a live hand grenade. A single slip can have disastrous consequences. Running rm -rf in the wrong directory can wipe out your server.
The sudo command is used to give an ordinary user the same power as root, but temporarily. Most of the time, they will execute commands as the ordinary user, only using root’s superpowers when they’re confident it’s a good idea.
To use sudo, the user must be listed in the sudoers file. The file is edited using the visudo command. Add the following to the file that opens when you run visudo as root:
username ALL=(ALL) ALL
Replace username with your user. The visudo command uses the vi text editor, which can be confusing if you aren’t familiar with its modal interface. Take a look at Editing Text On The Linux Command Line for more information. Once you have edited the sudoers file and you are logged in as the ordinary user, you can run the ls command as root with:
To make your server even more secure, disable root logins over SSH. You will be able to log in as the ordinary user and execute commands as root with sudo, but neither you nor an attacker will be able to log in as the root user.
To prevent root logins, open the /etc/ssh/sshd_config file in an editor. Find the line which reads:
And change it to:
Be sure to give your ordinary user permission to use sudo before changing sshd_config, or you won’t be able to execute any commands with root permissions.
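The ordering warning above can be turned into a preflight check. This is an added example, not part of the original article: it reads a sudoers file and an sshd_config file (the directive that controls root logins is PermitRootLogin) and refuses to proceed unless the user already has a sudo rule. The user names alice and bob, the function names, and the sample file contents are constructed for illustration.

```shell
# Added example (not from the article). Files are passed as arguments so the
# checks can be run against copies; the sample contents below are constructed.

# Print the global PermitRootLogin value from an sshd_config-style file.
# sshd keeps the first value it reads for a keyword, and keywords are
# case-insensitive. Parsing stops at the first Match block (global scope only).
permit_root_login() {  # usage: permit_root_login FILE
  awk '
    /^[ \t]*#/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
    END { if (!found) print "unset" }
  ' "$1"
}

# Succeed if FILE has a rule of the article's form: USER ALL=(ALL) ALL
# Assumption: group rules (%wheel) and included files are not examined.
sudoers_grants_all() {  # usage: sudoers_grants_all USER FILE
  awk -v u="$1" '
    /^[ \t]*#/ { next }
    $1 == u && $2 ~ /^ALL=\(ALL(:ALL)?\)$/ && $3 == "ALL" { ok = 1 }
    END { exit !ok }
  ' "$2"
}

# Refuse to proceed unless USER already has sudo, then report the sshd state.
root_login_preflight() {  # usage: root_login_preflight USER SUDOERS SSHD_CONFIG
  if ! sudoers_grants_all "$1" "$2"; then
    echo "blocked: $1 has no sudo rule; root access would be lost"
    return 1
  fi
  prl=$(permit_root_login "$3")
  if [ "$prl" = "no" ]; then echo "ok: root login already disabled"
  else echo "ready: PermitRootLogin is '$prl'; safe to set it to no"; fi
}

# Constructed sample files (hypothetical user "alice").
write_samples() {  # usage: write_samples DIR
  printf '%s\n' '# constructed sudoers' 'root ALL=(ALL) ALL' \
    'alice ALL=(ALL) ALL' > "$1/sudoers"
  printf '%s\n' '#PermitRootLogin no' 'permitrootlogin yes' \
    'PermitRootLogin no' > "$1/sshd_config"
}

demo_dir=$(mktemp -d) && write_samples "$demo_dir"
root_login_preflight alice "$demo_dir/sudoers" "$demo_dir/sshd_config" || true
root_login_preflight bob "$demo_dir/sudoers" "$demo_dir/sshd_config" || true
rm -rf "$demo_dir"
```

In the constructed sshd_config the commented line is ignored and the first live directive wins, so the later "PermitRootLogin no" has no effect. On a live server, sudo -l -U username reports the user's effective sudo rules, including group rules this parser does not examine.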
Take control of services
All Linux distributions use an init system to start services after the operating system boots. It is responsible for starting the web server, email server, and everything else that needs to run on your CentOS server. CentOS 7 uses the systemd init system, which is controlled with the systemctl command. You can use systemctl to start and stop services, to list running services, and to enable and disable services.
To see which services are running on your server, use this command:
systemctl -t service
A list of active service units is displayed; the SUB column shows whether each one is running or has exited. If you want more specific information about the SSH server, for example, run:
systemctl status sshd.service
You should run as few services as possible. Each additional service is a potential security vulnerability. Services can be started and stopped with:
sudo systemctl start application.service
sudo systemctl stop application.service
A word of warning: do not stop the sshd service, or you won’t be able to access your server. Before stopping a service, make sure you know what it does, why it is running, and that it is safe to stop it.
The start and stop commands are temporary. If your server reboots, it will start everything that is listed in its configuration files. To permanently remove a service so that it is not restarted on boot, use disable instead of stop. Note that disable only changes what happens at boot; it does not stop a service that is currently running. Using enable adds a service to the list to be started at boot.
Keep software up-to-date
Out-of-date software is a security vulnerability. Updates include patches that fix vulnerabilities. Server administrators should regularly update their server to ensure that it remains secure. On CentOS 7, updates are managed with the yum package manager.
Updating is as simple as running the following command:
Your server will check for updates, download new versions, and install them.
If you would like our server administration team to help out with service configuration, updates, and more, choose a managed server hosting option with Future Engineer Pro.