Caution: If you have data on your server, it is best to take a backup of the files and database and store it off-site. That way, if things go wrong (e.g. if you get locked out of your server), you are not stranded (see the tutorial here for backing up the VPS).
(i) Update the CentOS installation:
yum update
(ii) Create a new sudo user with “super user” privileges and disable root:
The super user will be added to the “Wheel Group”.
The wheel group is a group which limits the number of people who are able to su to root. This usually consists of a group named “wheel” and a set of users that are permitted to use the utility ‘su’ in order to change to root.
Open the sudo configuration file with the command
visudo
and find these lines towards the bottom of the file
## Allows people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
Delete the # mark so that it reads
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
If the file opens in vi, enter the command :wq! to save the file and close it.
If the file opens in nano, enter ctrl + x + y & then enter to save the file and close it.
Now create the sudo user with the command:
useradd -m -G wheel -s /bin/bash superuser
This can also be done separately by first adding the user
adduser superuser
and then adding him to the wheel group
usermod -a -G wheel superuser
Create an encrypted password:
passwd superuser
Now open another PuTTY session, log in as the superuser and confirm that you have sudo ability by typing
sudo -s
Enter your password and you will receive a message (the first time) on how you have great power and great responsibility.
Disable root user:
Access your SSH configuration file by typing the command:
nano /etc/ssh/sshd_config
Three things have to be changed:
– Port (change from the default 22 to any 4 or 5 digit number of your choice. The highest acceptable value is 49151)
– PermitRootLogin no (change yes to no)
– AllowUsers superuser (add this line; change superuser to the name of the user)
Now type ctrl x + y + enter to save and exit the file.
Restart sshd with the command
service sshd restart
Caution: Don’t close the SSH terminal, because sometimes (depending on the server configuration) changing the port means that the connection is not accepted. Open another terminal and try to log in. If you get a “connection refused”, “Network error: connection refused” or similar error, go back to nano /etc/ssh/sshd_config in the terminal you kept open and change the port back to the default 22.
Update:
If you have CSF pre-installed and the port you choose in the sshd configuration is not in the approved list, you can get locked out of your VPS. So do the following:
(i) Open the csf config file with the command
nano /etc/csf/csf.conf
(ii) Add your chosen port here:
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,26,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,26,37,43,53,80,110,113,443,465,873,2087,2089,2703"
# Allow incoming UDP ports
UDP_IN = "20,21,53,465,6277,24441"
# Allow outgoing UDP ports
UDP_OUT = "20,21,53,113,123,465,873,6277,24441,33434:33523"
and add the port number at the end of each line. See this example below where I add port 12345 to the incoming TCP ports section:
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,26,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096,12345"
(iii) Restart csf with the command:
csf -r
(iv) Open a fresh SSH terminal and ensure that you are able to log in as the superuser through the chosen port
(v) Be aware that if you make too many wrong logins, CSF will block your IP address and you will be unable to even access your website. There is more information about this here.
You can check whether the port is working with the command (insert the port number for port_no)
netstat -ntlp | grep :port_no
You can log in from the server itself (localhost) with the command
ssh -vv -p port_no localhost
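The lockout described above happens when the Port set in sshd_config is not listed in CSF's TCP_IN. As an added example (not part of the original tutorial; the function names are hypothetical), this script checks both files before sshd is restarted, run here against small constructed sample files:

```bash
#!/usr/bin/env bash
# Added example: lockout pre-check. Function names are hypothetical, not from the tutorial.

# Print the first uncommented value of an sshd_config keyword (keywords are case-insensitive).
sshd_value() {  # usage: sshd_value <keyword> <sshd_config>
  awk -v k="$1" 'tolower($1) == tolower(k) { print $2; exit }' "$2"
}

# Succeed if TCP port $1 appears in csf.conf's TCP_IN, alone or inside a lo:hi range.
csf_allows_tcp_in() {  # usage: csf_allows_tcp_in <port> <csf.conf>
  sed -n 's/^TCP_IN[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$2" | head -n 1 |
    tr ',' '\n' | awk -F: -v p="$1" '
      NF == 1 && $1 == p            { ok = 1 }
      NF == 2 && p >= $1 && p <= $2 { ok = 1 }
      END { exit ok ? 0 : 1 }'
}

# Print each problem found and return how many there were (0 = safe to restart sshd).
check_lockout() {  # usage: check_lockout <sshd_config> <csf.conf>
  local port root users n=0
  port=$(sshd_value Port "$1"); port=${port:-22}   # sshd listens on 22 when Port is unset
  root=$(sshd_value PermitRootLogin "$1")
  users=$(sshd_value AllowUsers "$1")
  [ "$root" = "no" ] || { echo "PermitRootLogin is '${root:-unset}', not 'no'"; n=$((n+1)); }
  [ -n "$users" ]    || { echo "AllowUsers is not set"; n=$((n+1)); }
  if [ -f "$2" ] && ! csf_allows_tcp_in "$port" "$2"; then
    echo "port $port is missing from TCP_IN in $2"; n=$((n+1))
  fi
  return "$n"
}

# Constructed sample files: the tutorial's port 12345, with and without the CSF change.
tmp=$(mktemp -d)
printf '%s\n' '#Port 22' 'Port 12345' 'PermitRootLogin no' 'AllowUsers superuser' > "$tmp/sshd_config"
printf '%s\n' '# Allow incoming TCP ports' 'TCP_IN = "20,21,22,80,443"' > "$tmp/csf_before.conf"
printf '%s\n' '# Allow incoming TCP ports' 'TCP_IN = "20,21,22,80,443,12345"' > "$tmp/csf_after.conf"

check_lockout "$tmp/sshd_config" "$tmp/csf_before.conf" || echo "-> fix the above before restarting sshd"
check_lockout "$tmp/sshd_config" "$tmp/csf_after.conf"  && echo "-> OK to restart sshd"
```

On the server, point check_lockout at /etc/ssh/sshd_config and /etc/csf/csf.conf; `sshd -t` separately checks sshd_config for syntax errors.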
I have read somewhere that it is not recommended to change the port number to one higher than 1024.
twk