Securing a Fresh VPS Install by Disabling Root
What is a VPS?
A VPS (Virtual Private Server) is a virtualized server. A VPS hosting environment mimics a dedicated server within a shared hosting service provider. There are two types of VPS services, KVM and OpenVZ, but that's another topic.
Securing a VPS on fresh install.
After you have bought your VPS, the first thing you need to do is completely lock down root access and add a custom user with sudo access. In this case we are using CentOS, but any other distro will work in a similar way. CentOS differs from many other distros by enabling the root account during setup. I prefer Ubuntu's (and OS X's) way of using a separate admin account and having the root account disabled. When there is a need to perform an administrative task, just run the command with sudo; this reduces the risk of abusing root privileges and doing stupid things. The Arch Linux wiki has a guide about disabling the root password and limiting access, and we will apply the same to CentOS.
- First, log in as the root account. You can switch to the root account from any account by running su and typing the root password.
- Enabling sudo. If you are not comfortable with
first. Now run
The lines starting with # are comment lines and will be ignored. Just uncomment the following line:
# %wheel ALL=(ALL) ALL
by removing the # at the beginning. This line means that anybody in the group wheel can use sudo to run anything from anywhere.
- Add an account to group wheel. For example, if the account you use to perform administrative tasks is isteering:
gpasswd -a isteering wheel
Now you can sudo from user isteering.
- Disable the root account. This is done by running passwd to lock the account:
passwd -l root
It is quite obvious that after performing the above steps we have just created a second root account: the user isteering is exactly the same as the root user, just with a different name. So we have not added much protection if the attacker can guess the name of this new account. You might therefore want to consider limiting where the user can log in from. Use your favorite editor to edit the file /etc/security/access.conf. Add the following line for the admin group:
-:wheel:ALL EXCEPT LOCAL 10.10.2.4 220.127.116.11
This will deny users in group wheel from logging in from anywhere but the 192.168.1. subnetwork (note the suffix dot) or host 18.104.22.168. You still need to add this line
auth required pam_access.so
Add the above line to /etc/pam.d/sshd to tell the SSH server to consult the access control; otherwise the SSH server will by default ignore this access control mechanism built into PAM.
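A way to confirm that every step above actually took effect, as an added example that is not part of the original post. The function names are hypothetical, the sample files are constructed, and the script assumes the standard file locations and that a locked password field in /etc/shadow starts with "!".

```shell
#!/bin/sh
# Read-only audit of the lockdown steps. ROOT is a path prefix: "/" on a live
# host (run as root so /etc/shadow is readable) or a directory of file copies.
# Function names are hypothetical; the sample files below are constructed.

report() {  # report DESCRIPTION COMMAND...: print ok/FAIL, count failures
    desc=$1; shift
    if "$@" >/dev/null 2>&1; then echo "ok    $desc"
    else echo "FAIL  $desc"; fails=$((fails + 1)); fi
}

audit_root_lockdown() {  # audit_root_lockdown ROOT ADMIN_USER
    root=${1%/}; admin=$2; fails=0
    report "sudoers: %wheel rule is uncommented" \
        grep -Eq '^[[:space:]]*%wheel[[:space:]]+ALL=\(ALL(:ALL)?\)[[:space:]]+ALL' "$root/etc/sudoers"
    report "group: $admin is a member of wheel" \
        awk -F: -v u="$admin" '$1 == "wheel" { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 } END { exit !ok }' "$root/etc/group"
    report "shadow: root password is locked (field starts with !)" \
        awk -F: '$1 == "root" && $2 ~ /^!/ { ok = 1 } END { exit !ok }' "$root/etc/shadow"
    report "access.conf: deny rule for wheel is present" \
        grep -Eq '^[[:space:]]*-[[:space:]]*:[[:space:]]*wheel[[:space:]]*:' "$root/etc/security/access.conf"
    report "pam.d/sshd: pam_access.so is enabled" \
        grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_access\.so' "$root/etc/pam.d/sshd"
    return "$fails"  # exit status is the number of failed checks
}

make_sample_tree() {  # make_sample_tree DIR LOCK_PREFIX: constructed files
    mkdir -p "$1/etc/security" "$1/etc/pam.d"
    printf '%s\n' 'root ALL=(ALL) ALL' '%wheel ALL=(ALL) ALL' > "$1/etc/sudoers"
    printf '%s\n' 'root:x:0:' 'wheel:x:10:isteering' > "$1/etc/group"
    printf '%s\n' "root:${2}\$6\$constructed\$hash:19000:0:99999:7:::" > "$1/etc/shadow"
    printf '%s\n' '-:wheel:ALL EXCEPT LOCAL 10.10.2.4 220.127.116.11' > "$1/etc/security/access.conf"
    printf '%s\n' 'auth required pam_access.so' > "$1/etc/pam.d/sshd"
}

# Demo on a constructed tree where "passwd -l root" was never run.
demo=$(mktemp -d)
make_sample_tree "$demo" ''
audit_root_lockdown "$demo" isteering || echo "$? check(s) failed"
rm -rf "$demo"
```

On a live host, run audit_root_lockdown / isteering as root, with your own admin account name in place of isteering.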
And that's it, folks!