Hardening my VPS, how can I qualify it's done correctly?

  • quizknows
    Make sure you can 'su -' to root from the additional user. If you can, then you should be fine disabling direct root login in the ssh server configuration. Generally I don't use sudoers, I just add the additional user to the wheel group so that it can 'su -' to get root privileges in a way that requires a password. This way if the password for the additional user is compromised, they won't have root privileges without the root password as well.
  • PhoenixUK
    Make sure you can 'su -' to root from the additional user. If you can, then you should be fine disabling direct root login in the ssh server configuration. Generally I don't use sudoers, I just add the additional user to the wheel group so that it can 'su -' to get root privileges in a way that requires a password. This way if the password for the additional user is compromised, they won't have root privileges without the root password as well.

    Hi there, thanks for the prompt reply. I have to admit, having heard what you've put above, I may be better carrying it out the way you mention, via the wheel group. Would I still leave my new user with root privileges in the sudoers, or do I need to remove this now and do it the wheel group way instead?

    Hmmm, if I enter 'su -' to root from the newuser, I get the following:

    -bash: /bin/su: Permission denied

    So it would seem something isn't 100%. Gutted, I thought I was going well, grrrr. I will await your feedback on the above before I do anything else. Thank you.
  • PhoenixUK
    My apologies, it does seem that I can, but I got myself all confused.

    mynewuser@[~]# su -
    Password: entered root pass here
    root@vps [~]#

    Bingo.
  • quizknows
    It seems you have it straightened out, but if you add a user to the wheel group it allows them to run the 'su -' command. You would not need to leave the user in sudoers, and it is more secure this way given the password auth to run commands as root. Cheers.
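
One way to check the two settings discussed above (direct root SSH login disabled, the additional user in the wheel group) from the configuration files. This is an added example, not part of any poster's comment; the function names and the sample file contents are constructed, and on a real host the inputs would normally be /etc/ssh/sshd_config and /etc/group.

```shell
#!/bin/sh
# Print the global PermitRootLogin value from an sshd_config-style file ($1).
# sshd keeps the first value it obtains for a keyword, so stop at the first hit.
# Match blocks and Include files are not evaluated (limitation of this example).
effective_root_login() {
    awk '
        $1 ~ /^#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Succeed if user $3 is listed as a member of group $2 in group(5) file $1
# (primary-group membership via passwd is not considered).
in_group() {
    awk -F: -v g="$2" -v u="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit !ok }
    ' "$1"
}

# check_hardening <sshd_config> <group file> <user>: report both findings,
# return non-zero if either one fails.
check_hardening() {
    rc=0
    prl=$(effective_root_login "$1")
    if [ "$prl" = "no" ]; then
        echo "OK: PermitRootLogin no"
    else
        echo "FAIL: PermitRootLogin is '$prl', direct root SSH login not disabled"; rc=1
    fi
    if in_group "$2" wheel "$3"; then
        echo "OK: $3 is in wheel"
    else
        echo "FAIL: $3 is not in wheel, so 'su -' may be refused"; rc=1
    fi
    return "$rc"
}

# Constructed sample files so the check runs offline.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '#PermitRootLogin yes' 'PermitRootLogin no' > "$d/sshd_config"
    printf '%s\n' 'root:x:0:' 'wheel:x:10:mynewuser' > "$d/group"
    check_hardening "$d/sshd_config" "$d/group" mynewuser; s=$?
    rm -rf "$d"; return "$s"
}
demo
```

An "unset" result means the file sets no global value and the OpenSSH default for the installed version applies; running `sshd -T` as root on the server prints the configuration sshd actually computes.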
  • cPanelMichael
    Hello :) To note, for other users that may see this thread, the SSH hardening guide that's referenced here is found at: