Table of Contents
- Step 1 - Update Your Server
- Step 2 - Change the Default Root Password
- Step 3 - Create a New User with sudo Privileges
- Step 4 - Disable Root Login Via SSH
- Step 5 - Change SSH Default Port
- Step 6 - Configure a Firewall
- Step 7 - Install NTP for Time Synchronization
- Step 8 - Disable IPv6
- Step 9 - Create a Swap Space
- Conclusion
Security is an essential consideration for any server you launch into a production environment. The latest version of Rocky Linux 8 comes with robust security features. However, not all of them are active or properly configured by default, so a fresh installation remains exposed to intrusion attempts until it is hardened.
In this guide, we will walk through a few important initial setup and basic hardening tasks to perform on a new server.
Step 1 – Update Your Server
First, install the latest security patches and updates to your server. Run the following command to update them.
dnf update -y
Next, install some basic software packages by running the following command:
dnf install wget git curl bind-utils tree net-tools -y
Step 2 – Change the Default Root Password
When you launch a new server, it is automatically set up with a secure root password. However, it is recommended to change your root password every 60-90 days thereafter in order to ensure it remains secure. Create a root password with a minimum of 8 characters, including lowercase characters, uppercase characters, and numbers.
You can change the root password using the following command:
passwd root
Step 3 – Create a New User with sudo Privileges
By default, root is the administrative user on many Linux operating systems, including Rocky Linux 8, so it is recommended to create a new user with sudo/root permissions and use it for day-to-day administration tasks. Attackers generally target the root user because they know it is the default admin user. Creating a separate user with sudo permissions improves the security of your server access.
First, create a new user with the following command:
adduser user1
Next, set the password for user1 using the following command:
passwd user1
After creating the new user, add it to the wheel group. In Rocky Linux 8, members of the wheel group are automatically granted sudo/root permissions.
Run the following command to add the user to the wheel group:
usermod -aG wheel user1
Once you have created the user with sudo/root permissions, log in as user1 with the following command:
su - user1
Once you are logged in, run the following command using sudo:
sudo dnf update -y
You will be asked to provide the user1 password to update your system.
This will confirm that your sudo user is working as expected.
Step 4 – Disable Root Login Via SSH
We have already created an admin user with sudo/root permissions to perform all tasks, so there is no need to leave the root account reachable, and exposed, over SSH. Disable root login via SSH as follows.
Edit the SSH main configuration file with the following command:
sudo nano /etc/ssh/sshd_config
Find the following line:
PermitRootLogin yes
Change it to the following line:
PermitRootLogin no
Save and close the file, then restart the SSH service to apply the changes:
sudo systemctl restart sshd
Step 5 – Change SSH Default Port
By default, SSH listens on port 22. Generally, hackers and bots continuously target the default SSH port 22, so it is recommended to change the default SSH port to any other port.
To change the SSH port, edit the SSH main configuration file:
sudo nano /etc/ssh/sshd_config
Find the following line:
#Port 22
Change it to the following line:
Port 2020
Save and close the file, then restart the SSH service to apply the changes:
sudo systemctl restart sshd
You can now log in to your Atlantic.Net server remotely via SSH using the following command:
ssh user1@your-server-ip -p 2020
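The following is an added example, not part of the original guide or of Atlantic.Net's tooling: a small POSIX shell audit that reads an sshd_config file and reports the effective PermitRootLogin and Port values, the two settings changed in Steps 4 and 5. The resolution rule it applies (the first uncommented global value wins; settings inside a Match block are conditional) follows the sshd_config manual; the fallback defaults and both sample config files are assumptions constructed for the example.

```shell
# Added example, not part of the original guide: resolve an sshd_config keyword
# the way sshd does. The first uncommented global setting wins, and settings
# inside a "Match" block are conditional, so they are ignored here.
# Usage: sshd_effective /etc/ssh/sshd_config PermitRootLogin
sshd_effective() {
    awk -v key="$2" '
        tolower($1) == "match" { exit }                 # end of the global section
        /^[[:space:]]*#/ || NF == 0 { next }            # skip comments and blanks
        tolower($1) == tolower(key) { print $2; exit }  # first occurrence wins
    ' "$1"
}

# Check the two settings Steps 4 and 5 change. Prints one line per keyword and
# returns 0 only when root login is off and SSH is not on port 22. Fallbacks for
# an absent keyword are the OpenSSH compiled-in defaults (assumed here:
# PermitRootLogin prohibit-password, Port 22).
audit_sshd_config() {
    cfg="$1"; rc=0
    root_login=$(sshd_effective "$cfg" PermitRootLogin)
    port=$(sshd_effective "$cfg" Port)
    : "${root_login:=prohibit-password}"; : "${port:=22}"
    if [ "$root_login" = "no" ]; then echo "PermitRootLogin $root_login: ok"
    else echo "PermitRootLogin $root_login: root can still log in over SSH"; rc=1; fi
    if [ "$port" != "22" ]; then echo "Port $port: ok"
    else echo "Port $port: still on the default SSH port"; rc=1; fi
    return $rc
}

# Constructed sample configs (not taken from a real server) so this runs offline.
# BROKEN_CFG shows a common mistake: a second "PermitRootLogin no" appended at the
# end of the file does nothing, because sshd keeps the first value it read.
BROKEN_CFG=$(mktemp); HARDENED_CFG=$(mktemp)
cat > "$BROKEN_CFG" <<'EOF'
#Port 22
Port 2020
PermitRootLogin yes
PermitRootLogin no
Match User backup
    PermitRootLogin no
EOF
cat > "$HARDENED_CFG" <<'EOF'
Port 2020
PermitRootLogin no
EOF
audit_sshd_config "$BROKEN_CFG" || echo "broken sample fails the audit, as expected"
audit_sshd_config "$HARDENED_CFG" && echo "hardened sample passes"
```

Run it against /etc/ssh/sshd_config before restarting sshd; on a live server, `sudo sshd -T` prints the authoritative effective configuration and is the final check.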
Step 6 – Configure a Firewall
By default, Atlantic.Net's Rocky Linux 8 image ships with the firewalld firewall installed, but it is not enabled. You can check the status of the firewall using the following command:
firewall-cmd --state
You should see that the firewall is not running:
not running
It is recommended to enable the firewall and allow only the necessary ports for external access.
First, start and enable the firewalld service with the following commands:
sudo systemctl start firewalld
sudo systemctl enable firewalld
Next, allow the SSH port 2020 through the firewall with the following command:
sudo firewall-cmd --permanent --add-port=2020/tcp
Next, reload the firewalld service to apply the changes:
sudo firewall-cmd --reload
You can now verify the added ports with the following command:
sudo firewall-cmd --list-ports
You should see the following output:
2020/tcp
If you have a web server installed and running on your server, you may need to allow the HTTP and HTTPS services through the firewall in order to access it over the Internet:
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
To allow POP3, IMAP, and SMTP services for external access, run the following commands:
sudo firewall-cmd --permanent --add-service=pop3s
sudo firewall-cmd --permanent --add-service=imaps
sudo firewall-cmd --permanent --add-service=smtp
Step 7 – Install NTP for Time Synchronization
It is also recommended to install NTP software to synchronize the server's date and time over the network so that its clock stays accurate; timestamps in logs are only useful for investigation if the clock is correct.
First, install the chrony NTP service using the following command:
sudo dnf install chrony -y
Once the NTP service is installed, start it and enable it to start at system reboot:
sudo systemctl start chronyd
sudo systemctl enable chronyd
chronyd is now installed and will keep the server's clock synchronized with its configured NTP servers.
Step 8 – Disable IPv6
If you are not using IPv6, then it is recommended to disable it for security reasons.
First, check whether IPv6 is enabled on your Rocky Linux 8 installation using the following command:
ip a | grep inet6
You should see the following lines if IPv6 is enabled:
inet6 ::1/128 scope host
inet6 fe80::200:d8ff:fe62:817/64 scope link
inet6 fe80::200:aff:fe62:817/64 scope link
You will need to create a new configuration file to disable IPv6:
sudo nano /etc/sysctl.d/70-ipv6.conf
Add the following lines:
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
Save and close the file, then reload the configuration file with the following command:
sudo sysctl --load /etc/sysctl.d/70-ipv6.conf
You should see the following output:
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
To verify IPv6 is disabled, run the following command:
ip a | grep inet6
If the command doesn’t return anything, you have confirmed that IPv6 has been disabled on all your network interfaces.
Step 9 – Create a Swap Space
Swap space is an area on disk that is used when physical RAM is full. When your server runs low on RAM, inactive memory pages are moved from RAM to the swap space.
When you launch a new instance on Atlantic.Net, it does not create a swap partition. You will need to create a swap space manually after launching the new instance.
Generally, swap space should be half of your existing RAM. If you have 1GB of RAM, then you will need to create a 512MB file.
First, create a swap file (of 512MB) with the following command:
sudo dd if=/dev/zero of=/swapfile bs=1024 count=524288
Output:
524288+0 records in
524288+0 records out
536870912 bytes (537 MB, 512 MiB) copied, 10.3523 s, 51.9 MB/s
You can calculate the block count for dd from the desired size: 512MB x 1024 blocks of 1024 bytes per MB = 524288.
After creating the swap file, format it as swap space with the following command:
sudo mkswap /swapfile
Output:
mkswap: /swapfile: insecure permissions 0644, 0600 suggested.
Setting up swapspace version 1, size = 512 MiB (536866816 bytes)
no label, UUID=8981408a-549d-47aa-a99a-72870b65212d
Next, set proper permissions on the /swapfile with the following commands:
sudo chown root:root /swapfile
sudo chmod 0600 /swapfile
Next, activate the Swap space using the following command:
sudo swapon /swapfile
Next, verify the Swap space using the following command:
swapon -s
Output:
Filename                                Type            Size    Used    Priority
/swapfile                               file            524284  0       -2
Next, you will need to add the swap file entry to /etc/fstab in order to keep it active after a reboot:
sudo nano /etc/fstab
Add the following line:
/swapfile swap swap defaults 0 0
Save and close the file, then verify the Swap space using the following command:
free -m
You should see the following output:
              total        used        free      shared  buff/cache   available
Mem:           1817         263         100          68        1452        1329
Swap:           511           0         511
Conclusion
In the above guide, we explained some basic steps to secure your Rocky Linux 8 server. You can now proceed to host any application in the secured environment – try it on your VPS hosting account from Atlantic.Net!