
Sysadmin root login

Discussion in 'System Administration' started by dooma, Dec 10, 2016.

  1. dooma (Premium Member, Cairo)
    Hello,

    What is the best way to harden a server that Centmin Mod is installed on? I know that ./centmin.sh is accessible only via the root user.

    Should I make changes to the SSH daemon and set PermitRootLogin to "no", and use a superuser with granted privileges? Or what?

    Thanks a lot, I hope you understand me :)

  2. Jimmy (Premium Member, East Coast USA)
    Use keys instead of passwords.
    Buy a dedicated IP address and allow access to the server only via that IP address.
     
  3. dooma (Premium Member, Cairo)
    Thanks a lot for your answer. Do you have good documentation for this?

  4. Jimmy (Premium Member, East Coast USA)
    Code:
    ##################################################
    #### SSH KEYS / Server Access Security
    ##################################################

    Information
    http://www.server-world.info/en/note?os=CentOS_7&p=ssh&f=4

    Generate public and private key files with PuTTYgen and save the files.
    Open the public key file.
    Copy the "Public key for pasting" information into the public key file, overwriting the information in the file.
    Name both key files authorized_keys.

    Create the key directory on the server
    # mkdir ~/.ssh
    # chmod 700 ~/.ssh

    Upload the public authorized_keys file to the ~/.ssh folder

    Change the permissions on the authorized_keys file
    # chmod 600 ~/.ssh/authorized_keys

    Open the sshd_config file on the server
    # nano /etc/ssh/sshd_config
    > Set PubkeyAuthentication yes and PasswordAuthentication no

    Use the private key file with the various programs.
    DON'T LOSE THE KEY FILES!!!!!!

    Locking access to a specific IP address
    # nano /etc/ssh/sshd_config
    > Add the line: AllowUsers root@111.22.3.44

    Restart sshd
    # service sshd restart

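Jimmy's procedure above as a repeatable script (an added example, not code from the thread or from Centmin Mod). It installs the public key with the right permissions, rewrites the sshd directives in place with a backup, and validates the result before anything is restarted, which is the step that keeps you from locking yourself out. The abridged sshd_config, the key line and the address 203.0.113.10 are constructed for the demo; how to point it at a live system is in the comments.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): key-only SSH hardening as functions,
# with a backup and a validation step before sshd is ever restarted.
# The demo at the bottom works on a scratch copy in a temp dir; on a real
# box, source this file as root and call
#   harden_sshd /etc/ssh/sshd_config root@YOUR.STATIC.IP && validate_sshd /etc/ssh/sshd_config
# then restart sshd while keeping your current session open.
set -eu

# install_pubkey <home-dir> <public-key-line>
# Creates ~/.ssh (700) and authorized_keys (600) and appends the key once,
# so re-runs are safe. Only the PUBLIC key ever lands on the server.
install_pubkey() {
  home=$1; key=$2
  mkdir -p "$home/.ssh"
  chmod 700 "$home/.ssh"
  touch "$home/.ssh/authorized_keys"
  chmod 600 "$home/.ssh/authorized_keys"
  grep -qxF -- "$key" "$home/.ssh/authorized_keys" \
    || printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
}

# set_directive <sshd_config> <Key> <value>
# Drops every existing (possibly commented-out) line for Key and puts one
# authoritative line at the TOP of the file, so it stays in global scope
# instead of landing inside a trailing "Match" block.
set_directive() {
  cfg=$1; key=$2; val=$3
  tmp=$(mktemp)
  printf '%s %s\n' "$key" "$val" > "$tmp"
  grep -viE "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|=)" "$cfg" >> "$tmp" || true
  cat "$tmp" > "$cfg"
  rm -f "$tmp"
}

# get_directive <sshd_config> <Key>: first value found (case-insensitive).
get_directive() {
  awk -v k="$2" 'tolower($1)==tolower(k){ $1=""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# harden_sshd <sshd_config> <user[@host-pattern]>...
# Keys only, no passwords or keyboard-interactive, root only with a key,
# and logins limited to the given patterns (e.g. root@203.0.113.10).
harden_sshd() {
  cfg=$1; shift
  cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"
  set_directive "$cfg" PubkeyAuthentication yes
  set_directive "$cfg" PasswordAuthentication no
  set_directive "$cfg" ChallengeResponseAuthentication no
  set_directive "$cfg" PermitRootLogin prohibit-password
  set_directive "$cfg" AllowUsers "$*"
}

# validate_sshd <sshd_config>
# For the live file, ask sshd itself (sshd -t); for a staged copy, check
# that the two directives that cause lock-outs are present exactly once.
validate_sshd() {
  cfg=$1
  if [ "$cfg" = /etc/ssh/sshd_config ] && command -v sshd >/dev/null 2>&1; then
    sshd -t -f "$cfg"
  else
    [ "$(grep -ciE '^PasswordAuthentication[[:space:]]' "$cfg")" -eq 1 ] \
      && [ "$(grep -ciE '^AllowUsers[[:space:]]' "$cfg")" -eq 1 ]
  fi
}

# write_sample_config <file>: constructed, abridged stock-style config
# (assumption for the demo, not copied from any real server).
write_sample_config() {
  cat > "$1" <<'EOF'
# constructed sample, not a real server's file
Port 22
#PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
#PubkeyAuthentication yes
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
}

# Demo on a scratch copy (placeholder key and documentation-range IP).
scratch=$(mktemp -d)
write_sample_config "$scratch/sshd_config"
install_pubkey "$scratch/root" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyNotReal admin@laptop"
harden_sshd "$scratch/sshd_config" root@203.0.113.10
validate_sshd "$scratch/sshd_config" && echo "staged config OK: $scratch/sshd_config"
```

After restarting sshd on a real server, open a second terminal and confirm a fresh key login from the allowed address works before closing the first one; if it fails, the .bak file written by harden_sshd restores the previous config.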
  5. dooma (Premium Member, Cairo)
    I secured everything with keys, but my ISP uses a dynamic IP address, so I can't define an IP to log in from... correct?
     
  6. Jimmy (Premium Member, East Coast USA)
    Correct. If you restart your modem you'll probably get a new IP and then be locked out of your system.

    You might want to contact your ISP and ask what they charge for a dedicated IP address. A lot of them don't advertise dedicated IPs, but offer them if you ask. Dedicated IPs are common on the business tier but not on the consumer tier. There are gamers on the consumer tier who want dedicated IPs, so the ISP probably does offer them.

    You can also get a dedicated IP from some VPN services. There were a few out there that offered dedicated IPs. Just do a search on Google if you're interested.
     
    Last edited: Dec 10, 2016
  7. Jimmy (Premium Member, East Coast USA)
    I do want to add: depending on your ISP, you might already have a dedicated IP address. I didn't have a dedicated IP address for years, but my IP never changed even when I restarted my modem. I locked my server for about 3 years without paying for a dedicated IP, until one day my ISP changed my IP and I was locked out. I accessed the server via the host's terminal and removed the restriction, then I inquired about buying a dedicated IP address.
     
  8. eva2000 (Administrator, Brisbane, Australia)
    FYI, CSF Firewall is installed on Centmin Mod servers, and if you have a dynamic ISP IP address you might also want to read the page fully at CSF Firewall - CentminMod.com LEMP Nginx web stack for CentOS for the outlined dynamic ISP IP whitelisting.

    FAQ item 4 also outlines how to whitelist your other VPS IP addresses on each server, so you can SSH into each VPS from the others if you ever get an ISP IP blocked from one VPS.
     
  9. eva2000 (Administrator, Brisbane, Australia)
    Yup, or set up your own dedicated VPN VPS server.
     
  12. Colin (Premium Member, Sheffield UK)
    The dynamic IP isn't just an issue for you at home; it could be out in a cafe etc.

    The solution is as above, a VPN, or the older-school approach of a jump host, also known as a bastion.
    -- Bastion --
    I use a RamNode $12 USD a year VPS as a bastion, so any other server can whitelist its IP. That bastion sits on a non-22 port. To make life palatable you can use your SSH config to do the jump for you. This depends on how and what you're connecting with.

    Configure a catch-all bastion entry; this proxies requests to your target server.
    Code:
    Host *.bastion
      ProxyCommand ssh -W %h:%p YourBastionServerIP
      ForwardAgent yes
    /debate forward agent or not.

    Then for your normal server entries:
    Code:
    Host someserver.domain.tld someserver
      User abc
      Hostname #.#.#.#
      ForwardAgent yes

    Host someserver.bastion
      User abc
      Hostname #.#.#.#
    The other way, the VPN way, here is a really neat solution: GitHub - jlund/streisand: Streisand sets up a new server running L2TP/IPsec, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, and a Tor bridge. It also generates custom configuration instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists. It just works and has the added benefit of covering your web browsing too, so you can IP-restrict parts of your site ;)

    I'm migrating to the VPN approach, but the bastion is a backpocket cellar door.
     
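The bastion pattern Colin describes, written out as an added example (not Colin's own config). It generates a client ssh_config that uses ProxyJump (OpenSSH 7.3 and later), the successor to the ProxyCommand -W form, and it settles the forward-agent debate the safe way: the jump host only relays TCP, the inner SSH session is authenticated and encrypted end to end, so the agent never needs to be forwarded. It also prints the Match block for the bastion's own sshd so the jump account can do nothing except relay to the whitelisted targets. The addresses, port 2222 and user abc are placeholders.

```shell
#!/usr/bin/env sh
# Added example, not configuration from the thread: a ProxyJump-based
# client config plus the matching lock-down for the bastion's sshd.
set -eu

# write_jump_config <file> <bastion-ip> <bastion-port> <user> name=ip...
# Each name=ip pair yields "name" (direct) and "name.bastion" (via the
# jump host), mirroring the naming used in the thread. ForwardAgent stays
# off: with ProxyJump the bastion never sees the inner session's keys.
write_jump_config() {
  file=$1; bhost=$2; bport=$3; user=$4; shift 4
  {
    printf 'Host bastion\n  HostName %s\n  Port %s\n  User %s\n' "$bhost" "$bport" "$user"
    printf '  ForwardAgent no\n  IdentitiesOnly yes\n\n'
    for t in "$@"; do
      name=${t%%=*}; ip=${t#*=}
      printf 'Host %s\n  HostName %s\n  User %s\n\n' "$name" "$ip" "$user"
      printf 'Host %s.bastion\n  HostName %s\n  User %s\n  ProxyJump bastion\n\n' "$name" "$ip" "$user"
    done
  } > "$file"
  chmod 600 "$file"
}

# bastion_sshd_match <user> <target-ip>...
# Lines to append to the bastion's /etc/ssh/sshd_config. The jump user may
# only open forwarded connections to port 22 of the listed targets; no
# shell, no PTY, no agent or X11 forwarding. ProxyJump runs "ssh -W", which
# implies -N and never requests a session, so ForceCommand cannot break it.
bastion_sshd_match() {
  user=$1; shift
  opens=""
  for ip in "$@"; do opens="$opens $ip:22"; done
  printf 'Match User %s\n' "$user"
  printf '  AllowTcpForwarding yes\n  PermitOpen%s\n' "$opens"
  printf '  PermitTTY no\n  X11Forwarding no\n  AllowAgentForwarding no\n'
  printf '  ForceCommand /bin/false\n'
}

# proxyjump_for <file> <host>: the jump host ssh will use for <host>.
# Uses "ssh -G" (resolves the config without connecting) when an OpenSSH
# that knows ProxyJump is installed; otherwise parses the file directly.
proxyjump_for() {
  file=$1; host=$2
  if command -v ssh >/dev/null 2>&1 && ssh -G -F "$file" "$host" >/dev/null 2>&1; then
    ssh -G -F "$file" "$host" | awk '$1=="proxyjump"{print $2; exit}'
  else
    awk -v h="$host" '$1=="Host"{cur=$2} $1=="ProxyJump" && cur==h {print $2; exit}' "$file"
  fi
}

# Demo with documentation-range addresses (constructed placeholders).
cfg=$(mktemp)
write_jump_config "$cfg" 198.51.100.7 2222 abc web=203.0.113.20 db=203.0.113.21
echo "ssh -F $cfg web.bastion jumps via: $(proxyjump_for "$cfg" web.bastion)"
echo "--- append to the bastion's sshd_config ---"
bastion_sshd_match abc 203.0.113.20 203.0.113.21
```

Because the bastion's Port is set in its own Host entry, ProxyJump picks up the non-22 port automatically, which the ProxyCommand form above would need an explicit -p for. On the bastion, PermitOpen is what turns "whitelist the bastion's IP on every server" into "the bastion can only reach the servers you listed", so a compromised bastion account buys an attacker nothing beyond a TCP relay to port 22 of those hosts, where they still need the end-to-end key.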