Initial Steps to Secure Rocky Linux 8

Introduction

This guide describes some best security practices for a new Rocky Linux server. You'll learn how to:

• Use an SSH key
• Create a new standard user account and grant it sudo privileges
• Disable SSH access for the root user
• Change the default SSH port
• Disable firewall zone drifting

Prerequisites

You should have a local workstation with OpenSSH installed like Windows 10 or higher, macOS, or Linux.

If you don't have an SSH key, you should create one and add it to your Vultr account before you deploy the server.

1. Open a terminal session on you local workstation.

2. Use ssh-keygen to generate a new SSH key.

    $ ssh-keygen -t ed25519 -C email@example.com -f ~/.ssh/id_ed25519-vultr-example

   * The -t option specifies the key type. ed25519 is recommended because it is more secure than RSA. If you prefer RSA or DSA keys, change id_ed25519 to id_rsa or id_dsa.

   • The -C flag specifies the comment for the key. This is optional. Adding your email address is a good idea.
   • The -f flag specifies the file to save the key to. This is optional. The default name for ed25519 format is ~/.ssh/id_ed25519. You may want to use another name to identify the key, like shown above.

This creates a private/public keypair. Assuming you named your key as shown above, the keypair is in the ~/.ssh/ folder and named:

• Private key: id_ed25519-vultr-example
• Public key: id_ed25519-vultr-example.pub

You should keep the private key secret. You'll upload the *.pub file to Vultr and install it on the server.

1. Log in to the Customer Portal.

2. Click your name in the upper-right, then select SSH Keys from the dropdown menu.

3. Click the blue "plus sign" button to add a key.

4. Enter a descriptive name for the key.

5. View your public key in your terminal. It should look something like this:

    $ cat ~/.ssh/id_ed25519-vultr-example.pub
    ssh-ed25519 AAAAC3N/EXAMPLE/EXAMPLE/EXAMPLE/8Tlzou61bXpnMemiFfDbS/LRha7uFQu9iEWyI email@example.com

6. Copy the output string into the SSH Key field. It looks something like this:

   

7. Click the Add SSH Key button to add it to your account.

Deploy a Server

In the Vultr customer portal, deploy a new Rocky Linux cloud server. Make sure to select your SSH key in the customer portal while deploying, and Vultr will automatically install that key for the root user.

This guide uses 192.0.2.123 as the server's IP address in all the following examples.

From your local terminal, SSH to the server as root:

$ ssh root@192.0.2.123

If your private key is not in the standard location, use the -i parameter, like this:

$ ssh -i /path/to/your/key/privatekeyfile root@192.0.2.123

If everything is working properly, you'll log in without being prompted for a password.

1. Add a Standard User with sudo Access.

It's a good security practice to do normal maintence tasks as a standard user, and use sudo for commands that need higher access. For most purposes, you shouldn't routinely log in as root. Here's how to do that:

1. Create a new user account.

    # adduser example_user

2. Specify a strong password for the new user.

    # passwd example_user
    Changing password for user example_user.
    New password: 
    Retype new password: 
    passwd: all authentication tokens updated successfully.

3. Add the new user to the wheel group with usermod.

    # usermod -aG wheel example_user

4. Check the sudoers file with visudo.

    # visudo

5. Look for the wheel group. Remove the comment if the line is disabled. It should look like this when you are ready to save the file.

    ## Allows people in group wheel to run all commands
    %wheel  ALL=(ALL)       ALL

6. Save and exit vi. Type Esc, then ColonWQ, then Enter.

   Note: The visudo utility performs syntax checking before committing your edits to the file. A malformed sudoers file can break your system. Never edit /etc/sudoers directly. For example, if you make an error, you'll see this when exiting visudo.

    visudo: >>> /etc/sudoers: syntax error near line 64 <<<
    What now?
    Options are:
    (e)dit sudoers file again
    e(x)it without saving changes to sudoers file
    (Q)uit and save changes to sudoers file (DANGER!)

7. Switch to the new user to test the sudo access.

    # su - example_user

   Verify you are the new user with whoami, then test sudo access with sudo whoami, which should return root.

    $ whoami
    example_user
    $ sudo whoami
    [sudo] password for example_user:
    root

8. Exit and close the terminal session.

2. Enable SSH access for the New User

Open a new terminal on your local workstation, then use ssh-copy-id to add the SSH key to the new standard user. This copies the public SSH key to the new user's authorized_keys file.

$ ssh-copy-id -i ~/.ssh/id_ed25519-vultr-example.pub example_user@192.0.2.123

Never copy your private key to the server.

Log in to the server as the new user. If everything is working properly, you'll log in without being prompted for a password.

$ ssh example_user@192.0.2.123

3. Configure SSH

It's best practice to disable SSH for the root account, and to disable password-based SSH access.

1. Open the SSH server configuration file:

    $ sudo nano /etc/ssh/sshd_config

2. Disable SSH for root. Look for the PermitRootLogin line and change the directive to no.

    PermitRootLogin no

3. Disable SSH password authentication. Change the PasswordAuthentication directive to no.

    PasswordAuthentication no

   > With this setting, you must use SSH keys for authentication.

4. Save and close the file.

5. Activate the changes by restarting SSH:

    $ sudo systemctl reload sshd

From this point on, you must log in as your standard user. Use sudo for commands that require greater access.

4. Change the Default SSH Port

Changing the default SSH port is an optional task. Some administrators recommend this to reduce the number of port scanning attempts on the server. To change it:

1. Edit the SSH server configuration file.

    $ sudo nano /etc/ssh/sshd_config

2. Look for the Port 22 line, uncomment it, and change the port number to a port of your choice. Like this:

    Port 22022

   The port should be:

   • Greater than 1024
   • Less than 65535
   • Not in use by another service on your system
   • It's also a good idea to avoid using any of the IANA registered ports.

3. Save and close the file.

4. Notify SELinux about this change so that it will allow SSH to bind to the new port.

    $ sudo semanage port -a -t ssh_port_t -p tcp 22022

5. Verify that the port notification was successful.

    $ semanage port -l | grep ssh
    ssh_port_t                     tcp      22022, 22

6. Configure the firewall to allow traffic via the new port.

    $ sudo firewall-cmd --add-port=22022/tcp --permanent

7. All SSH traffic will go through the new port. Remove the default SSH service assignment from the firewall.

    $ sudo firewall-cmd --remove-service=ssh --permanent

8. Restart the firewall and SSH.

    $ sudo systemctl restart firewalld sshd

Open a new terminal session on your local workstation to test the connection. Use the -p option to specify the new SSH port.

$ ssh -p22022 example_user@192.0.2.123

5. Disable Zone Drifting in the Firewall

FirewallD, the firewall application for Rocky Linux 8, is installed and active. View the status using:

$ sudo systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2022-03-22 02:08:57 UTC; 2h 18min ago
     Docs: man:firewalld(1)
 Main PID: 4712 (firewalld)
    Tasks: 2 (limit: 5980)
   Memory: 27.8M
   CGroup: /system.slice/firewalld.service
       └─4712 /usr/libexec/platform-python -s /usr/sbin/firewalld --nofork --nopid

Mar 22 02:08:56 rocky8 systemd[1]: Starting firewalld - dynamic firewall daemon...
Mar 22 02:08:57 rocky8 systemd[1]: Started firewalld - dynamic firewall daemon.
Mar 22 02:08:57 rocky8 firewalld[4712]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option

The last line in that output says that zone drifting is an insecure configuration that should be disabled. In a zone-based firewall like FirewallD, it's possible, depending on the configuration, for traffic configured to pass through one zone to also pass through another zone it's not intended for. This is called Zone Drifting. Disabling it is highly recommended by the developers of FirewallD.

To disable it:

1. Open the firewall configuration file.

    $ sudo nano /etc/firewalld/firewalld.conf

2. Look for the AllowZoneDrifting line (at the end of the file) and change the directive to no.

    AllowZoneDrifting=no

3. Save and close the file.

4. Restart the firewall.

    $ sudo systemctl restart firewalld

More Information

These basic steps greatly increase the security of your system. To learn more about Rocky Linux 8 and Firewalld, see these resources:

• Rocky Linux
• Zone drifting in FirewallD