Introduction
When you first create a new CentOS 8 server, there are a few configuration steps that you need to follow from the beginning as part of the basic setup. This will increase the security and usability of your server and give you a solid foundation for further actions.
Step 1 — Log in as root
To log in to your server, you’ll need to know your server’s public IP address. You will also need the password or, if you installed an SSH key for authentication, the private key for the root user account. If you haven’t logged into your server yet, you may want to follow our documentation on how to connect to your Droplet with SSH, which covers this process in detail.
If you are not already connected to your server, log in as root now using the following command (replace the highlighted part of the command with your server’s public IP address):
- ssh root@your_server_ip
Accept the warning about host authenticity if it appears. If you are using password authentication, provide your root password to log in. If you are using a passphrase-protected SSH key, you may be prompted to enter the passphrase the first time you use the key in each session. If this is your first time logging on to the server with a password, you may also be prompted to change the root password.
About Root
The root user is the administrative user in a Linux environment and has very broad privileges. Due to the higher privileges of the root account, it is not recommended to use it regularly. This is because part of the power inherent in the root account is the ability to make very destructive changes, even by accident.
As such, the next step is to set up an alternate user account with a reduced scope of influence for day-to-day work. This account will still be able to get greater privileges when needed.
Step 2 — Create a new user
Once you are logged in as root, you can create the new user account that we will use to log in from now on.
This example creates a new user named sammy, but you should replace it with the username you prefer:
- adduser sammy
Next, set a strong password for the user sammy:
- passwd sammy
You will be prompted to enter the password twice. After doing so, your user will be ready to use, but first we will give this user additional privileges to use the sudo command. This will allow us to execute commands as root when necessary.
Step 3 — Granting administrative privileges
Now, we have a new user account with regular account privileges. However, we may sometimes need to perform administrative tasks.
To avoid having to log out of our normal user and log back in as the root account, we can set what is known as “superuser” or root privileges for our normal account. This will allow our normal user to execute commands with administrative privileges by putting the word sudo before each command.
To add these privileges to our new user, we need to add the new user to the wheel group. By default, on CentOS 8, users belonging to the wheel group can use the sudo command.
As root, run this command to add your new user to the wheel group (replace the highlighted word with your new username):
- usermod -aG wheel sammy
Now, when you are logged in as your regular user, you can type sudo before the commands to perform actions with superuser privileges.
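The following shell script is an added example, not part of the original tutorial. It performs Steps 2 and 3 in one function and then verifies the result from the files the system actually consults (/etc/group for wheel membership and /etc/sudoers for the wheel grant) instead of trusting exit codes alone. The user name sammy and the sample file contents are constructed; the check functions take file contents as a string so they can be run against any copy of those files.

```shell
#!/bin/sh
# Added example (not from the original tutorial): provision a sudo-capable
# user as Steps 2 and 3 describe, then verify the result from /etc/group and
# /etc/sudoers. The user name "sammy" and any sample file contents passed to
# the check functions are constructed for the example.

# Return 0 if USER is listed as a member of wheel in the given /etc/group
# contents (passed as a string, so any copy or backup of the file can be checked).
user_in_wheel() {
    group_contents="$1"
    user="$2"
    printf '%s\n' "$group_contents" | awk -F: -v u="$user" '
        $1 == "wheel" {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++) if (members[i] == u) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Return 0 if the sudoers contents grant wheel members sudo access through an
# uncommented "%wheel ... ALL=" line (the CentOS 8 default); a commented-out
# line does not count.
wheel_sudo_enabled() {
    sudoers_contents="$1"
    printf '%s\n' "$sudoers_contents" | grep -Eq '^[[:space:]]*%wheel[[:space:]]+ALL='
}

# Apply Steps 2 and 3 on a real host: create the user, set its password,
# add it to wheel, then re-read the live files to confirm sudo will work.
provision_sudo_user() {
    user="$1"
    adduser "$user" || return 1
    passwd "$user" || return 1            # interactive: set a strong password
    usermod -aG wheel "$user" || return 1
    user_in_wheel "$(cat /etc/group)" "$user" \
        || { echo "$user is not in the wheel group" >&2; return 1; }
    wheel_sudo_enabled "$(cat /etc/sudoers)" \
        || { echo "wheel has no sudo grant in /etc/sudoers" >&2; return 1; }
    echo "$user can now use sudo"
}

# Guard: nothing on the host is changed unless this runs as root with
# PROVISION_USER set, e.g.  PROVISION_USER=sammy sh provision.sh
if [ "$(id -u)" -eq 0 ] && [ -n "${PROVISION_USER:-}" ]; then
    provision_sudo_user "$PROVISION_USER"
fi
```

The sudoers check matters because wheel membership alone grants nothing: sudo only honours the group if the %wheel line in /etc/sudoers is uncommented, which is the CentOS 8 default but is worth confirming on images that have been customised.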
Step 4 — Setting up a basic firewall
Firewalls provide a basic level of security for your server. These applications are responsible for denying traffic to all ports on your server, except those ports/services that you have explicitly approved. CentOS has a service called firewalld to perform this function. A tool called firewall-cmd is used to configure firewall policies with firewalld.
First, install firewalld:
- dnf install firewalld -y
The default configuration of firewalld allows SSH connections, so we can activate the firewall immediately:
- systemctl start firewalld
Check the status of the service to make sure it was started:
- systemctl status firewalld
Output
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2020-02-06 16:39:40 UTC; 3s ago
     Docs: man:firewalld(1)
 Main PID: 13180 (firewalld)
    Tasks: 2 (limit: 5059)
   Memory: 22.4M
   CGroup: /system.slice/firewalld.service
           └─13180 /usr/libexec/platform-python -s /usr/sbin/firewalld --nofork --nopid
Note that it is both enabled and active, which means that it will start by default if the server is restarted.
Now that the service is up and running, we can use the firewall-cmd utility to obtain and set policy information for the firewall.
First let’s list which services are already allowed:
- firewall-cmd --permanent --list-all
Output
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
To view additional services that you can enable by name, type:
- firewall-cmd --get-services
To add a service that should be allowed, use the --add-service flag:
- firewall-cmd --permanent --add-service=http
This would add the http service and allow incoming TCP traffic to port 80. The settings will be updated after reloading the firewall:
- firewall-cmd --reload
Remember that you will have to explicitly open the firewall (with services or ports) for any additional services you configure later.
Step 5 — Enable external access for your regular user
Now that we have a regular non-root user for daily use, we need to make sure we can use it for SSH on our server.
The process for configuring SSH access for the new user depends on whether the root account of the server uses a password or SSH keys for authentication.
If the root account uses password authentication
If you logged in to your root account with a password, password authentication is enabled for SSH. You can SSH to your new user account by opening a new terminal session and using SSH with your new username:
- ssh sammy@your_server_ip
After entering the password of your regular user, you will be logged in. Remember, if you need to run a command with administrative privileges, type sudo before it like this:
- sudo command_to_run
You will be prompted for your regular user password when you first use sudo in each session (and periodically thereafter).
To improve the security of your server, we strongly recommend configuring SSH keys instead of using password authentication. Follow our guide on how to set up SSH keys on CentOS 8 to learn how to set up key-based authentication.
If the root account uses SSH key authentication
If you are logged in to your root account with SSH keys, password authentication is disabled for SSH. You will need to add a copy of your public key to the new user’s ~/.ssh/authorized_keys file to successfully log in.
Since your public key is already in the root account’s ~/.ssh/authorized_keys file on the server, we can copy that file and directory structure to our new user account.
The easiest way to copy files with the correct ownership and permissions is with the rsync command. This will copy the root user’s .ssh directory, retain permissions, and modify the file owners, all in one command. Be sure to change the highlighted parts of the following command to match the name of your regular user:
- rsync --archive --chown=sammy:sammy ~/.ssh /home/sammy
Now, back in a new terminal on your local machine, open a new SSH session with your non-root user:
- ssh sammy@your_server_ip
You should be logged in to the new user account without using a password. Remember, if you need to run a command with administrative privileges, type sudo before it like this:
- sudo command_to_run
You will be prompted for your regular user password when you first use sudo in each session (and periodically thereafter).
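The following shell script is an added example, not part of the original tutorial. It wraps the rsync copy from Step 5, offers a portable alternative that installs a single public key line into the new user's authorized_keys, and checks the ownership and modes that sshd requires before it will accept the key (a group- or world-writable .ssh directory or authorized_keys file is silently ignored). The key lines are constructed; the functions take an explicit home path so they can be exercised against a scratch directory as a regular user.

```shell
#!/bin/sh
# Added example (not from the original tutorial): give a new user SSH key
# access as Step 5 describes, and verify the ownership and permissions sshd
# requires. The public key lines used with these functions are constructed.

# Copy root's .ssh directory to USER's home exactly as the tutorial does.
# Note: no trailing slash after ~/.ssh, otherwise rsync copies the directory's
# contents straight into /home/USER instead of creating /home/USER/.ssh.
copy_root_ssh_dir() {
    user="$1"
    rsync --archive --chown="$user:$user" ~/.ssh "/home/$user"
}

# Portable alternative: append one public key line to HOME/.ssh/authorized_keys
# owned by USER, with the 700/600 modes sshd expects. Idempotent: an identical
# key line is never added twice.
install_authorized_key() {
    user="$1"
    home="$2"
    key_line="$3"
    group=$(id -g "$user") || return 1
    mkdir -p "$home/.ssh" || return 1
    chmod 700 "$home/.ssh" || return 1
    touch "$home/.ssh/authorized_keys" || return 1
    chmod 600 "$home/.ssh/authorized_keys" || return 1
    grep -qxF "$key_line" "$home/.ssh/authorized_keys" \
        || printf '%s\n' "$key_line" >> "$home/.ssh/authorized_keys"
    chown "$user:$group" "$home/.ssh" "$home/.ssh/authorized_keys"
}

# Return 0 if HOME/.ssh is mode 700, authorized_keys is mode 600, and both are
# owned by USER. Anything looser makes sshd ignore the keys.
check_ssh_dir() {
    user="$1"
    home="$2"
    uid=$(id -u "$user") || return 1
    [ "$(stat -c '%a' "$home/.ssh")" = "700" ] || return 1
    [ "$(stat -c '%a' "$home/.ssh/authorized_keys")" = "600" ] || return 1
    [ "$(stat -c '%u' "$home/.ssh")" = "$uid" ] || return 1
    [ "$(stat -c '%u' "$home/.ssh/authorized_keys")" = "$uid" ] || return 1
}

# Number of key lines in HOME/.ssh/authorized_keys, so an accidental duplicate
# append would be noticed.
key_count() {
    grep -c '^ssh-' "$1/.ssh/authorized_keys"
}
```

After running the tutorial's rsync command as root, check_ssh_dir sammy /home/sammy is a one-line confirmation that the copied directory ended up owned by the new user with the right modes; if it fails, sshd will fall back to asking for a password even though the key is present.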
Conclusion
At this point, you have a solid foundation for your server. You can install any of the programs you need on your server now.