First Steps In Securing Your Linux Server

.

Some notes here to keep it in mind when you manage your Linux server security:

  • Keep your system clean: Install ONLY the packages you need.
  • Check the enabled services and disable the services that you don’t need. The disabled services will NOT run automatically when system boot. To display the enabled services, execute this:

# systemctl list-unit-files –type=service | grep enabled

The unit files of the enabled services exist in “/usr/lib/systemd/system/”. To stop a running service, execute: # systemd stop $serviceName. To disable a service: # systemd disable $serviceName

  • Change the port of the sshd:
    • Edit the configuration file of the SSH daemon: # vim /etc/ssh/sshd_config
    • For Example, change the port to 1866:  “Port 1866” in the configuration file.
    •  If SELinux is enabled,  you have to tell SELinux about this change:
      # semanage port -a -t ssh_port_t -p tcp
    • Restart sshd : # systemctl restart sshd
    • By doing that, you need to use the option -p1866 when you login.
  • Disable sshing as root:
    • Disable Root Login:
      • Edit the configuration file of the SSH daemon: # vim /etc/ssh/sshd_config
      • Uncomment and change yes to no in the line “PermitRootLogin no”
      • Restart the SSH daemon: # systemctl restart sshd
    • Create an admin user so you can ssh into the server as an administrator:  As a root, do these: Create a new user and its password  using useradd and passwd. Then to make the new user (lets say it is binan) an administrator, execute visudo and do one of these:
      • Search for the line “%wheel  ALL=(ALL)       ALL” and uncomment it (delete the # at the begining of the line). This allows people in group wheel to run all commands. Add the user binan to the group wheel so the user binan can execute all commands using sudo: # usermod -aG wheel binan.
      • OR Instead of adding the user binan to the group wheel, you can add “binan ALL=(ALL) ALL”.  

Everything sudo users do will be logged so “who did what” is determined (that’s why we disable logging as root).

  • Generate SSH key pair on your machine:  # ssh-keygen  -t rsa. The generated private and the public keys will be stored in the .ssh directory in the home directory (e.g. private key: ~/.ssh/id_rsa and public key: ~/.ssh/id_rsa.pub).
  • You must have the public key installed on the server (appended in ~/.ssh/authorized_keys). To copy the public key to the server, you can temporarily enable the sshing using passwords (“PasswordAuthentication yes” in the /etc/ssh/sshd_config and restart the sshd daemon).  Now copy the public key to the server as following: # cat ~/.ssh/id_rsa.pub | ssh -p 1866 binan@Hostname/IP-Address “mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys
  • Disable sshing using passwords: “PasswordAuthentication no” in the /etc/ssh/sshd_config. Restart the daemon. Now the login will be using public key authentication.
  • Check that you can login from another terminal using : Assuming you have the key pair (the public and private keys) on your local machine:

# ssh -p 1866 binan@Hostname/IP-Address
Last login: Wed Nov  4 09:40:00 2015
-bash-4.2$


Advertisements

Permit Root Login Into Instance Launched From Centos Official Image

Introduction

If you tried to access your instance using SSH as root:

# ssh -i PrivateKey.pem  root@Floating-IP-Address Where Flaoting-IP-Address is the flaoting IP address associated with your instance. You might get this message: “Please login as the user “centos” rather than the user “root”.” Then the connection will close.

Steps To Allow Root Access Through SSH

  • Login as the user “centos”: # ssh -i PrivateKey.pem  centos@Floating-IP-Address
  • Change to root: # sudo -s
  • Edit the file “/root/.ssh/authorized_keys” (# vi /root/.ssh/authorized_keys) and keep it only contains the key  (starts with “sh-rsa”) without the restrictions that exist at the begining of the file.
  • Open the file “/etc/ssh/sshd_config” and uncomment the line “PermitRootLogin yes”
  • Restart SSH daemon: # systemctl restart sshd

Now you can SSH as root to your instance.

Note: You need to automate the above if your servers are created/ deleted on demand and SSH public keys are inserted in servers on boot by Openstack.


Running An Instance In OpenStack

.

Introduction

The instance is a virtual machine that run inside the cloud. So when we say run an instance, we mean run an instance of a specific virtual machine image. The virtual machine image (or simply the image) is a single file that contains a bootable operating system with cloud support. The package “Cloud-init” is installed in the virtual machine image to enable instance activation and initialization. You can NOT use a classic image. You must use “Cloud-Aware” image.

The image format must be supported by the hypervisor. So see your hypervisor and image format compatibility. Here you can find descriptions of different formats.

Upload A Virtual Machine Image

In the dashborad, go to “Project” tab on the left-side navigation menu and click on “Images”. Then click on “Create Image” to upload the image. You will get this dialog box:

Screenshot from 2015-02-22 12:05:50

Here you can find explanations of dialog box fieldsCurrently only images available via an HTTP URL are supported. So i chose the “Image Location” as an “Image Source” and the “Image Location” is: http://download.fedoraproject.org/pub/fedora/linux/releases/21/Cloud/Images/i386/Fedora-Cloud-Base-20141203-21.i386.qcow2

The selected image format “qcow2” which is commonly used with the KVM (default hypervisor). The size of image file is nearly 169 MB. It takes some time for image to be uploaded. Here you can find set of cloud ready images, copy the link location and paste it in the dialog box above in the “Image Location” field.

After the image has been uploaded successfully, you will be here:

Screenshot from 2015-02-22 12:25:00Enable SSH On Your Default Security Group

Click the “Project” tab on the left-side navigation menu. Then click on “Access & Security”. Under the “Security Groups” tab, Select the “default” security group. Click on the “Manage Rules” button, you will get this table of rules:

Screenshot from 2015-02-22 13:01:39Click on “Add Rule”, Enter the “22” in the “Port” field:

Screenshot from 2015-02-22 13:05:51

 Then click the “Add” button. The rule will be added and then SSH can be used.

Screenshot from 2015-02-22 13:09:56

If you create a new security group and you want to apply its rules to an instance, be aware to select it when you launch the instance so the rules of the new security group will be applied to the new instance (launch the instance in specific security group).

Create OR Import Key Pair

To access the instance through SSH, we need to create or import kay pair. Click on “Access & Security” on the left-side navigation menu, and then click on the tab “Key Pairs”.

To create a key pair, click on “Create Key Pair”. The key pair (private an public keys) will be generated. The public key will be registered and the the private key must be saved privately after download.

The public key is injected into the instance using “Cloud-init” package on boot.

Screenshot from 2015-02-22 13:47:53

Screenshot from 2015-02-22 14:05:31The option “Import Key pair” will prompt you to provide a name and a public key.

Launch The Virtual Machine

Go to the uploaded image and click on “Launch” button. You will get this dialog box:

Screenshot from 2015-03-15 18:13:35In the resulting dialog box and under “Details” tab, you can specify number of parameters like the “Instance Name” and “Flavor” (defines the hardware resources of the instance). Check also the configuration under other tabs (Access & Security, Networking, Post-Creation, and Advanced Options). Then click the “Launch” button to ask the Compute service (Compute Node) to launch an instance with your specified parameters.

Now The instance is created. Click “Instances” on the left-side navigation menu, to see the instantiated instances.

Connecting To The Instance Console

In the figure above, click on “Associate Floating IP” on the right side to associate “floating IP” to your instance. Both the floating and the internal IP addresses will be listed in the “IP Address” column for your instance. The internal IP address of the instance is a private IP address used to reach other OpenStack instances. The floating IP address is used to access the instance from other machines in your network (Private IP address) or from the internet (Public IP address). It is called floating because you can associate it to an instance and disassociate it so it is movable (It can move to another instance).

# ssh -i /home/binan/Downloads/binankeypair.pem  fedora@Floating-IP-Address

“fedora” is the default user for fedora instances.

Also you can access the instance console  via the dashboard or by specifying the network namespace where your instance resides:

# ip netns exec qrouter-f96c719a-56e9-4b52-b2cb-da326fc1a429 ssh -i /home/binan/Downloads/binankeypair.pem  fedora@Local-IP-Address

where the “qrouter-f96c719a-56e9-4b52-b2cb-da326fc1a429” is the namespace name.

Congratulation, You have successfully created an instance of a specific virtual machine image and you can SSH to your instance.


More Information