Securing Fresh VPS Install by disabling root.


What is a VPS?

A VPS (Virtual Private Server) is a virtualized server: a VPS hosting environment mimics a dedicated server inside a shared hosting provider's infrastructure. There are two common types of VPS virtualization, KVM and OpenVZ, but that's another topic.


Securing a VPS on a fresh install.

After you have bought your VPS, the first thing you need to do is to completely lock down root access and add a custom user with sudo access. In this case we are using CentOS, but any other distro works in a similar way. CentOS differs from many other distros by enabling the root account during setup. I prefer Ubuntu's (and OS X's) way of using a separate admin account and keeping the root account disabled. When there is a need to perform an administrative task, you just run the command with sudo, which easily reduces the risk of abusing root privileges and doing stupid things. The Arch Linux wiki has a guide about disabling the root password and limiting access; we will be applying the same steps to CentOS.

  1. First, log in as root. You can switch to the root account from any account by running su and typing the root password.
  2. Enable sudo. If you are not comfortable with vim, run

    export EDITOR=gedit

    first. Now run

    /usr/sbin/visudo

    Lines starting with # are comment lines and are ignored. Just uncomment the following line:

    # %wheel ALL=(ALL) ALL

    by removing the # at the beginning. This line means that anybody in the group wheel can use sudo to run anything from anywhere.

  3. Add an account to the group wheel. For example, if the account you use to perform administrative tasks is isteering, run

    gpasswd -a isteering wheel

    Now you can sudo from the user isteering.

  4. Disable the root account. This is done by running passwd to lock the account; make sure sudo already works for your admin user first, because once root is locked, sudo is your only way back to administrative access:

    passwd -l root


It is quite obvious that after performing the above steps we have merely created a second root account: the user isteering has exactly the same power as the root user, just under a different name. So we have not added much protection if the attacker can guess the name of this new account. You might therefore want to limit where the user can log in from. Use your favorite editor to edit the file /etc/security/access.conf and add the following line for the admin group:

-:wheel:ALL EXCEPT LOCAL 10.10.2.4 203.99.140.30


This denies users in group wheel the ability to log in from anywhere except the local console (LOCAL), the 192.168.1. subnetwork (note the trailing dot) or the host 72.14.207.99. You still need to add this line

auth       required     pam_access.so


Add the above line to /etc/pam.d/sshd to tell the SSH server to consult the access control list; otherwise the SSH server will by default ignore this access control mechanism built into PAM.
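The following shell helpers are an added example, not part of the original post: they carry out steps 2 to 4 above together with the access.conf and pam.d edits, each taking the file it edits as an argument so the logic can be rehearsed on copies before touching /etc, and they refuse to lock root until the admin user is actually in wheel and sudo grants it something. The user name isteering, the address list and the default paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for the steps above.
# Each takes the file it edits as an argument so it can be rehearsed on
# copies before touching /etc. The user name "isteering", the addresses and
# the default paths are assumptions; the real run needs root.

# Step 2: uncomment "# %wheel ALL=(ALL) ALL". Writes through a temp copy so the
# mode and inode of the original survive; on a real box prefer visudo, which
# also syntax-checks the result before saving.
enable_wheel_sudo() {
    f=${1:-/etc/sudoers}
    pat='%wheel[[:space:]][[:space:]]*ALL=([^)]*)[[:space:]][[:space:]]*ALL'
    sed "s/^#[[:space:]]*\($pat\)[[:space:]]*\$/\1/" "$f" > "$f.tmp" &&
        cat "$f.tmp" > "$f" && rm -f "$f.tmp"
    grep -q "^$pat[[:space:]]*\$" "$f"   # succeeds only if the rule is active
}

# Step 3 check: is the user a supplementary member of wheel? (gpasswd -a adds
# it to the fourth field of the group line.)
wheel_has_user() {
    grep '^wheel:' "${2:-/etc/group}" | cut -d: -f4 | tr ',' '\n' | grep -qx -- "$1"
}

# Step 4 with a lockout guard: never lock root until the admin account is in
# wheel and sudo actually grants it something, otherwise a remote VPS becomes
# unreachable as root and as admin at once.
lock_root() {
    wheel_has_user "$1" || { echo "$1 is not in wheel; not locking root" >&2; return 1; }
    sudo -l -U "$1" >/dev/null 2>&1 || { echo "sudo grants $1 nothing" >&2; return 1; }
    passwd -l root
}

# access.conf: confine group wheel to console logins plus the listed origins.
# Idempotent: the rule is appended only if that exact line is absent.
restrict_wheel_origins() {
    f=$1; shift
    rule="-:wheel:ALL EXCEPT LOCAL $*"
    grep -qxF -- "$rule" "$f" || printf '%s\n' "$rule" >> "$f"
}

# Make sshd consult pam_access; the line goes first so it runs before the
# other auth modules. Also idempotent.
ensure_pam_access() {
    f=${1:-/etc/pam.d/sshd}
    grep -q '^auth[[:space:]].*pam_access\.so' "$f" && return 0
    { printf 'auth       required     pam_access.so\n'; cat "$f"; } > "$f.tmp" &&
        cat "$f.tmp" > "$f" && rm -f "$f.tmp"
}
```

Rehearse on copies first (for example `cp /etc/sudoers /tmp/sudoers && enable_wheel_sudo /tmp/sudoers`), then run the same helpers against the real files as root.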


And that's it, folks!
