Sysadmin [Question] How to secure a CMM install?

CSF Firewall takes care of failed login scans via LFD - login failure daemon CSF Firewall - CentminMod.com LEMP Nginx web stack for CentOS

You can change SSHD port via centmin.sh menu option 16 - it will prompt for existing SSHD port number = 22 and then ask for desired new port number for SSHD and then proceed to automatically change the port and change it at CSF Firewall level too

As to SSH keys for login. Before you look into ssh key only (+disable password authentication), make sure your web host is setup with features that allow you to regain access to your server if you ever loose your ssh key's private key and that you know how to use those features to regain access.

If you don't know how to use those features, setup a test instance/VPS with that web host and test it out. If you're with web host with hourly billed VPSes like Linode, DigitalOcean, and Vultr then it is relatively cheap to test out for a few hours on a test VPS.

Here's a example text you can use to ask your web host to be sure

There's numerous how to use ssh key login guides online, but not many go beyond that to explain what to do if you loose your ssh private key and are unable to use password logins. And that can come down to your web host and what measures they have in place i.e. out of band console access etc and recovery ISO/cds available.

And some relevant guides with different web hosts about setting up SSH key authentication and also about recovery as well general need to know info.

DigitalOcean

Has out of band console access

• How To Use SSH Keys with DigitalOcean Droplets | DigitalOcean
• How To Recover from File System Corruption Using Fsck and a Recovery ISO | DigitalOcean. Just the part about using Console but not the Fsck and file system recovery steps Don't need to do that just to get ssh access when you loose normal ssh access to your server i.e. loose ssh private key for ssh public key authentication.

Linode

Has out of band console access called Lish

• Use Public Key Authentication with SSH
• Using the Linode Shell (Lish)

Vultr

Has out of band console access

• How Do I Generate SSH Keys? - Vultr.com
• Access Single User Mode (Reset Root Password) - Vultr.com
• Using Finnix Rescue CD to Rescue, Repair, or Backup Your Linux System - Vultr.com

OVH

• Installation of OVH SSH key — OVH Documentation 0.0.1 documentation
• SSH key for Public Cloud — OVH Documentation 0.0.1 documentation
• Creating SSH keys- OVH
• Replacing your lost SSH key pair - OVH
• Become root and select a password - OVH

RamNode

• How do I add an SSH key to my VPS? - Knowledgebase - RamNode

Others

• Finnix Recovery CD - Mammoth Cloud

Secure out of the box, but see FAQ item 2 covers users accounts you can't lock site accounts down to user level like cpanel/WHM as there is no 100% user isolation between site accounts on Centmin Mod.

Pure-ftpd virtual ftp users only isolates ftp Pure-FTPD Virtual FTP Users but isn't fully jailed like cpanel/WHM as Centmin Mod is not made or setup for shared hosting like cpanel/WHM but more for usage by trusted user (myself/yourself). If paranoid, you can also stop pure-ftpd service within SSH and only start the service when you are intending to use FTP/transfer files.

So the pure-ftpd virtual ftp user can lock that ftp user to the nginx vhost directory but because files are owned by nginx user/group, it wouldn't stop a hacker using php/file based transversal of other nginx vhosts. If you want isolation, setup 1 server for each site your want to host. It's how I usually host my centmin mod sites/subdomain sites i.e. this forum is hosted on separate server from centminmod.com site and separate server from my other subdomain sites for *.centminmod.com subdomains.

Full chroot/jailed user/site isolation is on the long term to do list but nothing immediate is planned. There's a preview of what isolation may look like here.

Some other items folks overlook are mentioned at Sysadmin - protect root user over ssh