Basic CentOS Setup Before Building A Working Server
All the essential things you have to do the first time you build a web server on CentOS 6. You could go straight to installing Apache, Nginx, Lighttpd, or any other web server you want, but it is strongly recommended to first follow some basic and common initial server setup practices. The aim is to apply some basic security protection to your server and make it really private: for instance, changing the default root login, changing the default SSH port, and so on.
Following all the steps in this initial CentOS server setup is not a must, but it is strongly recommended. However, the decision is up to you. I assume you already have either a VPS or a dedicated server, so you can follow this guide.
In this example, I use a VPS with 512 MB of RAM running CentOS 6.3 x32, located in Amsterdam and hosted by DigitalOcean.
Step 1 – Log in to your remote server via an SSH connection. You can use either Terminal (Mac / Linux) or Putty on Windows. You should log in as root. Read my previous articles:
During your first login, Putty (or Terminal) will ask you to cache the server’s host key in the registry and remember the server’s rsa2 key fingerprint. Don’t panic, simply hit Yes.
Step 2 – Change the default password for root. Sometimes a VPS or server is created with a random password generated by the provider’s management software. It is good practice to change it to something that is easy for you to remember but hard for others to crack or guess. Use this command:
passwd
You’ll then be asked to enter your new password twice.
Make sure you use a strong combination of words and numbers, but also make sure you can easily remember it.
Step 3 – Create a new user. From now on you will use this user to log in to your server, because you will also disable root login (I’ll explain in the next steps): “root” is a standard username that attackers can easily guess, just like “admin” or “administrator” on Windows. Use the command below to create the new user:
/usr/sbin/adduser newuser
Change “newuser” above to your own new username. In this example I use my name, “sawiyati”.
Then issue this command to set a password for that user:
passwd newuser
After hitting Enter, your server will ask you to type the password for that user.
Step 4 – Give that user root privileges, so that once you are logged in to your server as the new user you will still be able to perform root-only tasks. To do that, simply issue this command:
/usr/sbin/visudo
then look for the line / section called:
# User privilege specification
root ALL=(ALL) ALL
or in a different CentOS release it may look like this:
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
Then add a line for the new user right after the root line, so the section looks like this:
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
newuser ALL=(ALL) ALL
How to edit? If you don’t have the Nano editor set up yet, visudo opens the file in the vi editor: simply hit “a” (without quotes) to start editing. Once you have added the new line, hit the Esc key to exit editing mode. Now press Shift + ZZ to save and exit vi.
Step 5 – Change the default SSH port and disable root login. This is what I meant in step 3 above. You’ll need to edit the “sshd_config” file, which is the main configuration file of the SSH service on your server. You can use either vi or Nano to edit it. In this example I use the Nano editor:
nano /etc/ssh/sshd_config
Then find the following line:
#port 22
Remove the # symbol and change “22” (the default port) to any number between 1025 and 65536, for example port 22000. Example:
port 22000
Next, also find:
#PermitRootLogin yes
Remove the # symbol and change yes to no:
PermitRootLogin no
So it will look like this:
Next, find this line as well:
#UseDNS yes
Remove the # symbol and change yes to no:
UseDNS no
It may look like this:
Don’t close the Nano editor just yet; now proceed to the next step:
Step 6 – Allow the new user to log in via SSH to your server. Simply add this line at the very bottom of that file:
AllowUsers newuser
Of course you have to replace “newuser” with your own username created in step 3 above. Example:
Once done, hit Control+O to save and then Control+X to exit the Nano editor.
Step 7 – Reload the SSH service. To make sure the new configuration is used by the service, simply reload SSH with this command:
/etc/init.d/sshd reload
It should return an OK message.
Step 8 – Give it a try! I assume you are currently still logged in as root. Don’t close that SSH session before you have tested and made sure that all the settings you defined in the SSH config file really work. Now launch another Terminal window or another Putty instance and log in using the new SSH port, the new username, and of course the new password.
After the changes, you’ll see your new username instead of root:
Enjoy..
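The sshd_config edits of Steps 5 and 6 can be applied and verified before the service is reloaded in Step 7. The script below is an added example, not part of the original tutorial; it works on a file path you pass in (a constructed sample here, run it on /etc/ssh/sshd_config as root when ready) and assumes POSIX sh, sed and awk. It places AllowUsers before any Match block, because a directive after a Match line applies only to that block.

```shell
#!/bin/sh
# Added example, not from the original tutorial: apply the Step 5/6 edits to an
# sshd_config file and verify the result before reloading sshd (Step 7).
# Assumes POSIX sh, sed and awk. The file path is a parameter so the functions
# can be tried on a copy; run them on /etc/ssh/sshd_config as root when ready.

# harden_sshd_config FILE PORT USER
# Sets Port, PermitRootLogin no, UseDNS no and AllowUsers USER in FILE.
harden_sshd_config() {
    file=$1; port=$2; user=$3
    tmp="$file.tmp"
    # Uncomment and rewrite the three directives (sshd keywords are
    # case-insensitive, so "#port 22" is handled too), drop any old AllowUsers,
    # then insert ours before the first Match block, or at the end if none:
    # directives after a "Match" line apply only to that block, not globally.
    sed -e "s/^#*[Pp]ort .*/Port $port/" \
        -e "s/^#*PermitRootLogin .*/PermitRootLogin no/" \
        -e "s/^#*UseDNS .*/UseDNS no/" \
        -e '/^AllowUsers /d' "$file" |
    awk -v u="$user" '
        !done && /^Match / { print "AllowUsers " u; done = 1 }
        { print }
        END { if (!done) print "AllowUsers " u }
    ' > "$tmp" && mv "$tmp" "$file"
}

# check_sshd_config FILE PORT USER
# Prints "ok" when the global section of FILE has the expected settings,
# otherwise prints the first problem found and returns 1.
check_sshd_config() {
    awk -v p="$2" -v u="$3" '
        /^Match / { exit }                     # only global directives count
        # sshd uses the first value it sees for a keyword, so a later
        # duplicate must not override an earlier (possibly wrong) one.
        $1 == "Port"            && !seen_port { port_ok = ($2 == p); seen_port = 1 }
        $1 == "PermitRootLogin" && !seen_root { root_ok = ($2 == "no"); seen_root = 1 }
        $1 == "UseDNS"          && !seen_dns  { dns_ok = ($2 == "no"); seen_dns = 1 }
        $1 == "AllowUsers" { for (i = 2; i <= NF; i++) if ($i == u) user_ok = 1 }
        END {
            if (!port_ok) { print "Port is not " p; exit 1 }
            if (!root_ok) { print "PermitRootLogin is not no"; exit 1 }
            if (!dns_ok)  { print "UseDNS is not no"; exit 1 }
            if (!user_ok) { print "AllowUsers does not list " u; exit 1 }
            print "ok"
        }' "$1"
}

# make_sample_config FILE
# Writes a constructed sample with the default lines the tutorial edits plus
# a Match block, to show where AllowUsers must land.
make_sample_config() {
    cat > "$1" <<'EOF'
#Port 22
#PermitRootLogin yes
#UseDNS yes
Subsystem sftp /usr/libexec/openssh/sftp-server
Match User backup
    PasswordAuthentication no
EOF
}

# Demo on a temporary copy. On the real server, after check_sshd_config says
# "ok", run "sshd -t" for a syntax check before "/etc/init.d/sshd reload".
demo() {
    dir=$(mktemp -d)
    make_sample_config "$dir/sshd_config"
    harden_sshd_config "$dir/sshd_config" 22000 newuser
    check_sshd_config "$dir/sshd_config" 22000 newuser
    status=$?
    rm -rf "$dir"
    return $status
}

demo
```

Also open the new port in the firewall before testing, as several comments below point out: on CentOS 6, iptables -I INPUT -p tcp --dport 22000 -j ACCEPT followed by service iptables save.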
hi/hello
Really helpful
Thanks
Thanks, be blessed. I am a newbie in CentOS, thanks for the well detailed tutorial.
A very well detailed tutorial. Thank you. I am trying my hand at Linux for the first time and your tutorial was both very well illustrated and helpful.
Glad to know it is helpful 🙂
Hi, I am a newbie. I want to configure a web server on CentOS, but I do not know how to begin. Please help me, my email: congit@nhakhoalienthanh.com.vn. Thanks.
It seems that the most basic thing is missing: how to actually install the OS itself, that I cannot find?? I am interested in learning how to install a CentOS LAMP from the netinstall to run headless.
A tutorial on that would be great! I love the other stuff that you have in your blog. It is the most comprehensive and well written, easy to understand blog I have ever come across. A lot of sites assume the user already knows the commands to edit and save configs; you don’t make that assumption and I love it for that!
Hi Neville, usually most VPS providers have already installed the OS of your choice during setup, so it is ready to use. Well, some providers also provide their users with a VPS control panel where users can re-install the OS from there.
Hello, in the beginning I’d like to thank you for your efforts making such a beautiful tutorial. Can you please explain how we install the OS, because some of the viewers are setting up their own home web servers at home for personal websites and don’t know how to install it or set and configure their IP addresses.
Thanks a lot 😀
Very nice, I have learned something new today…
bookmarked
Thanks for your tutorial, madame. But I have problems.
Why do I get an error after doing this, when I open Putty and access my server on the new port I configured?
Network Error: Connection timed out.
Thanks for this great and clear tutorial for a VPS beginner like me!
This is a great tutorial, thank-you heaps.
You forgot to mention that they need to allow the new ssh port through iptables.
thanks
Yes, it worked great AFTER setting up iptables! These are really great tutorials. I wish you had social media links so I could share them easier.
Great tutorial. You should also add how to forward the new SSH port in iptables though; many people might get locked out if they forget not to close their active session or if their computer crashes while they’re working on it. Thanks! 😉
Very understandable. I am just a beginner user of VPS and I could do it, thanks a lot.
Glad you liked it 🙂
Hi!
I followed the tutorial, but when I try to test the configuration by opening another SSH connection, it shows me an error message: “Network error: Connection timed out”.
In Putty, I put the IP address of the CentOS server with port 22000.
I already closed the first SSH connection where I was logged in as root, thinking that was the problem.
If you can help me with this.
Thanks.
Open your ports in iptables. See my original comment. 🙂
Yes, but if you closed the default root ssh connection, you can’t run commands anymore. What have I done!? Please help me.
You should follow the whole procedure correctly. Also, do not close the current SSH session while trying to establish a new SSH session to test the new username 🙂
About iptables it’s true, don’t forget! Anyway, I am confused. If you disable the root account and use just another one with su privileges to connect with ssl, you leave the port open. If you close the SSH port as root, you can’t enable SSH with su, or am I not right?
Just use another port. If it is closed then open that port first while you can; leaving the default port (22) open or closed is up to you 🙂 but you had better close any unnecessary ports. Anyway, this is just a very basic security setup to avoid kiddies bruteforcing your server, not total protection, but at least it slows ’em down. For advanced protection you’ll need an advanced security setup. 🙂
I was getting connection time outs until I manually opened the port in iptables using the following command:
Hope this helps someone.
There are two dashes before dport. Correction:
This should be added at the very end of the tutorial in big red capital letters, so people who are learning understand the whole configuration process better. Regards and thanks.
I had to use append not insert, otherwise Bad argument `–-dport’
iptables -A INPUT -p tcp --dport YOUR-PORT-NUMBER -j ACCEPT
Thanks for the tip, Michael.
Sweet. Thanks dude!
Thanks a lot, Auntie.. That really helps..
By the way, I got this error note, Auntie..
mkdir: cannot create directory `/var/www’: Permission denied
You should log in as root or as a user with root privileges.
I can’t
$ su
from the newly created user. I fixed the issue with
$ chmod 4755 /bin/su
Is this OK security-wise?
It is very bad mate.
Thank you for the tutorial,
Logging in via SSH works fine with the new user; there’s only one problem I have right now: as soon as I try to access /usr/sbin/visudo, along with some other folders with root access, I cannot access it. When trying to access the file I get this error: visudo /etc/sudoers permission denied
I followed every step in your tutorial and I cannot figure out why it does not work. Does anyone have this same problem or does anyone know a good solution?
Thanks,
Wisse
Thanks for this guide.
It has been very helpful to me and I learned something very important today.
Great tutorial. This is my first time installing Linux and everything is working excellently.
By the way, what is the difference between using UseDNS yes and UseDNS no
in /etc/ssh/sshd_config
Luckily I followed the advice not to close the current connection until testing is OK. Changing the port takes more steps than editing sshd_config, so one should be very careful with this in order not to lock oneself out of the system.
I just fckdup my new CentOS install with this guide… As a new user I can’t install anything, not a sudoer, not a sh!t. How am I going to reverse these changes since I screwed up denying root to SSH????
OK, got it! SSH as the new user and when in just type “su -” and then root’s pass and you’re in, destroy the damn thing, whatever… two stupid posts from me but it will help some newbie like me :/
Thanks for the tutorial. I was greatly helped. I am also looking for the same tutorial for “Debian OS”. Hopefully I also find it here.
I followed the directions on a server I set up on a digital hosting website. After creating the user, and after altering the necessary files, when I try to log in via SSH with the new user, I get a “connection refused” message.
What did I do wrong? I just edited “iptables” and included ports 22 and 22000, but still the connection is refused. I made sure SSH and iptables both reloaded and were running, and still no connection allowed.
(Fortunately, I’m still connected via “root.”)
What am I doing wrong?
Make sure you edit /etc/ssh/sshd_config and add the line that allows the new user (step 6).
Thanks a ton! I’m very new to setting up my own server and this is really useful information 🙂
Just one quick question. It seems I can log in with the new user perfectly fine, but the new user does not seem to have root privileges. I tried adding a new user from this new user login and for certain things it kept saying ‘you do not have enough privileges’. How do I enable root login again?
You can always add “sudo” in front of every command you want. Or, you can simply type “su” to switch to the root user.
Thank you so much, I got it done easily..
Thanks for all the time you have put into your work here.. As a total newbie using your tutorials I am setting up my VPS with nginx and WordPress. It has been smooth and I’m learning so much along the way… Again, thanks…
Are you Indonesian, miss? I’m confused about setting up my unmanaged VPS.
Same problem as a lot of us… I don’t have root privileges on my user account, but it tells me I have root privileges when doing sudo -l.
If someone can help…
Thanks for the nice tutorial.
I have one question. When I upload files by SFTP, it always says: Permission denied
Please help.
Thanks
THANKS for this!!!
Really Helpful
Excellent tutorials! Unfortunately, I set up my Digital Ocean VPS without changing my SSH port. I also installed fail2ban. Everything works.
When I now change the port number in the sshd config file and in Putty to a non-standard port, I can no longer connect with Putty.
I suspect I must do something with iptables and fail2ban as well to make this work.
Could you suggest how I could make this change?
Hi, I followed your basic CentOS setup exactly. I even checked with the new user to make sure I can log on with it, but when I want to proceed to install httpd, it says I don’t have root permission. I already disabled root logon, therefore I could not log in using “root” anymore; I can’t even edit sshd_config to re-enable root login. Appreciate your help.
Try sudo yum install httpd or su root, yum install httpd. It will ask you for the root password and let you install httpd.
Hope this helps
There are two options:
First, you can switch from current user to root by typing su hit Enter then type password for root. Another option is to use sudo prefix in each / every command that needs root privilege (eg: sudo yum install httpd). I hope that helps. 🙂
Damn autocorrection on my French mobile. Please remove the previous comment.
Why didn’t you mention that we need to change ports in iptables!!! Now I can’t access my VPS!
Thanks!
I followed your steps, but I got a big problem!
Now when I want to log in with Putty, this appears:
“Putty Fatal Error
Network Error: Connection refused”
How can I resolve this? Please help me!
That is most likely because Putty uses a different port from what you defined on your VPS.
I followed this tutorial. You forgot to mention the iptables. So now I exited without adding it to the iptables. I only have the IP address and password of the server. There is no online control panel for it.
Now I can’t log in to it via PuTTY. Could someone help me?
I have one doubt. Is a CentOS install on a normal home PC possible or not? Please tell me.
In CENTOS 7, the command to reload SSH service is:
service sshd restart
At least, it is on the VPS I was using.
Hi,
I noticed I didn’t have to open the new ports via iptables and was still able to connect. Why is that?
Kamal
Some vendors leave ports higher than 1024 open by default. You can find out more about your open ports using netstat -an
Hello, I’m a newbie in Linux, and I’m stuck at “Step 1: Login to your remote server via SSH connection.”
I don’t have a remote server, I want to set up the server on my PC, so what should I do?
You can skip that step if you just want to do this on a local PC.
I did everything except keeping the SSH port unchanged, but Putty shows a Connection refused error. I now can’t log in. Any help?
Hi,
I can’t run the command:
iptables -l INPUT -m state -state NEW -m tcp -p tcp -dport 22000 -j ACCEPT
I get the error:
[root@h2191522 ~]# iptables -l INPUT -m state -state NEW -m tcp -p tcp –dport 22000 -j ACCEPT
iptables v1.4.7: option `-l’ requires an argument
I’ve tried to replicate exactly the same steps on a fresh CentOS VPS server and the connection via the new user fails every time I try to log in from my Mac terminal. After some debugging, I found this is happening due to the change of the default port to 22000. Besides the steps mentioned above, is there anything else I need to do to make sure my connections recognise port 22000? When I revert the port to 22, I can log in with my new username and password. Unfortunately not when I change the port from 22 to 22000.
It would be best to use a certificate instead of obfuscating access. Just enable login only by certificate and you are set 😀
When I’m trying to SSH from the client, it’s always asking for the root password. Can you help me solve this?
Hi Sawiyati,
I have set up my server and am able to view my site on my unit. But if I try to access the website through the internet, I cannot access it.
Thank You.
For some reason I can’t install the nano…
Reconfigure the baseurl/etc. for the repository, to point to a working upstream.
Why did you put SSH on port 22000? It is better to put it below 1024, because on most Linux and Unix-like machines only root can bind ports below 1024. If it is above port 1024 someone can gain access and replace it with something else. A better option, if it needs to be open, is to use something like fail2ban. And if you want more security, replace the password login with a certificate.
22000 is just an example. The user can put SSH on any port he/she likes, preferably a unique number he/she can remember. Yes indeed, using passwordless SSH login and installing fail2ban will be more secure, but this article covers only the basic parts. I mean, if you did not implement a better security setup, then at least do these. 🙂
Mom, I followed all your steps to change the port and everything. Now I can’t log in with my PuTTY. What should I do? Please help me.
THANKS,
jj
You should try logging in from a different Putty instance before closing the active one, to avoid such a thing happening.
Hi, nice tutorial.
I haven’t tried it yet but would like to see if I can use the security it provides. But I have a brand spanking new CentOS 7 setup on my home server waiting for me to finish the oVirt install/setup, and my question is: do you have a post on a good network setup for a standalone server to be used with virtualisation?
I have 4 NICs and still confused on how to use them best.
thanks
Using CentOS 6. Followed the instructions to edit visudo. CTRL+ZZ doesn’t work – tried to re-open visudo and was told:
[1]+ Stopped /usr/sbin/visudo
Looks like that’s the wrong command, at least for me. Try typing:
:wq
and then press Enter.
https://www.digitalocean.com/community/questions/command-not-working-please-help-me
It is Shift+ZZ not Control+ZZ
🙂
Hi Sawiyati,
Great tutorial with useful comments. Setting up a CentOS 6.7 VPS web server for the first time and this has been very useful.
Many Thanks
Dave
I have set up CentOS 7 locally on a spare laptop. I followed along with a video that showed me how to install most stuff, and I followed along with this page, and I was having this same issue of not being able to SSH into the server: once I changed the port to 22000 it would deny me. I finally found a page that instructed me to install semanage and gave a couple of commands which fixed the issue. I also had to change a line in iptables which had 22 in the entry; I changed it to 22000 and it all works. ( http://www.dropbit.ch/change-ssh-port-centos-7/ )
That page is where it said this: On a minimal CentOS 7 system the command “semanage” is missing, therefore install it with “sudo yum install policycoreutils-python”.
Afterwards you can use “semanage port -a -t ssh_port_t -p tcp 4444”; now SELinux allows sshd to listen on the new port 4444. Which helped out on this one issue.
Thanks for the tip. On most VPSes, SELinux is disabled in the OS templates, while a dedicated server or a personal PC / laptop may have SELinux installed.
Awesome, that works. Just two things. The command to release port 4444 on iptables doesn’t work for me, I had to disable it. And the new user with the
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
newuser ALL=(ALL) ALL
that’s not sufficient to disable the root account; the new user can’t enter /usr/sbin/visudo
can’t start services
Thanks a lot, I was really looking for something for newbies.
I changed SSH port 22 to 22000 and turned iptables off. But I cannot log on via SSH.
It’s a good, well done tutorial, BUT, it doesn’t work.
Just the command to liberate the port number isn’t sufficient.
Hey Mom,
You may add another step, i.e. to configure and open port 22000 in CentOS 6 or newer versions.
Here is what worked for me in CentOS 6.7, to open up the port for the new user:
How to open a port in the firewall on CentOS or RHEL
Posted on October 26, 2014 by Dan Nanni
Question: I am running a web/file server on my CentOS box, and to access the server remotely, I need to modify a firewall to allow access to a TCP port on the box. What is a proper way to open a TCP/UDP port in the firewall of CentOS/RHEL?
Out of the box, enterprise Linux distributions such as CentOS or RHEL come with a powerful firewall built-in, and their default firewall rules are pretty restrictive. Thus if you install any custom services (e.g., web server, NFS, Samba), chances are their traffic will be blocked by the firewall rules. You need to open up necessary ports on the firewall to allow their traffic.
On CentOS/RHEL 6 or earlier, the iptables service allows users to interact with netfilter kernel modules to configure firewall rules in the user space. Starting with CentOS/RHEL 7, however, a new userland interface called firewalld has been introduced to replace iptables service.
To check the current firewall rules, use this command:
$ sudo iptables -L
Now let’s see how we can update the firewall to open a port on CentOS/RHEL.
Open a Port on CentOS/RHEL 7
Starting with CentOS and RHEL 7, firewall rule settings are managed by firewalld service daemon. A command-line client called firewall-cmd can talk to this daemon to update firewall rules permanently.
To open up a new port (e.g., TCP/80) permanently, use these commands.
$ sudo firewall-cmd --zone=public --add-port=80/tcp --permanent
$ sudo firewall-cmd --reload
Without the “--permanent” flag, the firewall rule would not persist across reboots.
Check the updated rules with:
$ firewall-cmd --list-all
Open a Port on CentOS/RHEL 6
On CentOS/RHEL 6 or earlier, the iptables service is responsible for maintaining firewall rules.
Use iptables command to open up a new TCP/UDP port in the firewall. To save the updated rule permanently, you need the second command.
$ sudo iptables -I INPUT -p tcp -m tcp --dport 22000 -j ACCEPT
$ sudo service iptables save
And also include this step:
How to login with new user created with new port:
For Putty, in Windows:
Just open Putty, type your host server IP (and not the domain name which is pointed to the host, since you have changed the value of “UseDNS” to no in Step 5 above), and instead of the default port “22” in the Putty window, type “22000” or your port.
Then, in the “login as” question, input the new domain instead of root, as root login has been disabled in Step 5.
For Linux/Mac OS terminals:
1. Open Terminal.
2. Type the command:
ssh newuser@123.234.456.234 -p 22000
or
ssh 123.234.456.234 -p 22000
Replace newuser with the username you just created. Replace 123.234.456.234 with your server host IP and NOT THE DOMAIN NAME POINTED AT THE SERVER. Replace 22000 with your open port, the port saved in Step 5.
I guess this would better guide the newbies (some additions to your post).
Thanks,
(and WELCOME to the person being helped)
This needs to be edited as it nearly caused me a heart attack.
If you make the mistake of changing the port to 22000 only to find that now you keep getting timed out and can’t log back in, log in to your website’s CPanel (or CPanel equivalent), go to the Server section and try and find the option to disable iptables. Then follow the advice in the comment above, and re-enable iptables after. Thankfully my panel, VestaCP, implements this.
Hi,
How do I change default ssh22 to 2022 or any other port?
Steps I did:
1.Change SSH default port with /etc/ssh/sshd_config
2.Added the following commands to run
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --dport 465 -j ACCEPT
iptables -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp --dport 993 -j ACCEPT
iptables -A INPUT -p tcp --dport 587 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 995 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT
3. Saved the iptables
4. Updated firewall settings for the new port by
deleting this
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
adding this
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2022 -j ACCEPT
5. Restarted iptables
6. Restarted ssh service
Issue:
Then if I try to log in using SSH on port 22, it gives me a connection timeout.
When I try the same with SSH on port 2022, it also gives me a connection timeout.
Kindly help.
Much Thanks in advance.
Permissions aren’t working for the new user.
Fragger.
Hey
thanks for your good blog 😡
Just to help people out.
My new user kept being “Permission Denied”.
The reason: DO NOT PASTE ‘AllowUsers username’ at the very end. It needs to come BEFORE THE ‘Match’ lines.
See here:
http://unix.stackexchange.com/questions/67334/openssh-how-to-end-a-match-block
Also I tried `/etc/init.d/sshd restart` instead of `reload`. Works much better and gives more feedback on what’s failing.
Hi
I did add another user like you said, but when I want to get root back I can’t. I changed PermitRootLogin to yes but still can’t log in as root.
Login as your new username and then type
su
to login as root
Hi
I want to build my own web server. I am trying to install CentOS 7 as a web server but can’t. Kindly help us with how to install and build it.
Thanking You
Suraj Gond
It’s showing this error
-bash: /usr/sbin/visudo: No such file or directory