nadnerB's CloudatCost Project Journal

scottalanmiller

CentOS is secure by default. Firewall is already locked down.

nadnerB

@scottalanmiller not 100% sure what you mean by

Firewall is already locked down.

After Googling I discovered that it's called firewalld.
I ran the following to check the status

systemctl status firewalld

Which resulted in:

Does that mean that the firewall is off or on?

A Former User

Looks like the last one is stopping. You can also start it by systemctl start firewalld and enable it at system start with systemctl enable firewalld

nadnerB

Thanks that got it

nadnerB

Following the instructions kindly provided by @JaredBusch on installing Fail2Ban
http://mangolassi.it/topic/4108/how-to-fail2ban-on-centos-7

nadnerB

Righto, so the firewall (enabled and on but no custom configs yet) and fail2ban are done.

nadnerB

So, today I'd like to set up SSH but I'll check on the fail2ban that I did yesterday.
 
Logged in as my non-root user account
fail2ban-client status sshd ... looks like it requires use of sudo to check
Apparently my non-root account requires listing in a 'sudoers file'... righto.
 
One goes the lab coat as I step into the research mode...

nadnerB

I think I'll do this by group permissions instead of individual permissions.
New group created groupadd <group name>
User added usermod <user> -G <groupname>
Check members of the group grep ^<group name> /etc/group

• success

nadnerB

Righto, so it looks like the Sudoers file, that I need to edit, is read only.
However, I have found what looks like a good set of instructions here: https://www.digitalocean.com/community/tutorials/how-to-edit-the-sudoers-file-on-ubuntu-and-centos
EDIT: This initial setup guide has a slightly different (I think) way of doing it (step 4) https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-12-04

nadnerB

Hmmm, perhaps editing the Sudoers file is not a good idea...
Should I edit the file and add my username or just use su?
Comments @JaredBusch, @thecreativeone91, @scottalanmiller or @thanksajdotcom ?
EDIT: I'll hold off on deploying this for now.

thanksajdotcom

@nadnerB said:

Hmmm, perhaps this is not a good idea...
Comments @JaredBusch, @thecreativeone91, @scottalanmiller or @thanksajdotcom ?
EDIT: I'll hold off on deploying this for now.

I log in as root directly to all my servers.

A Former User

@nadnerB said:

Hmmm, perhaps this is not a good idea...
Comments @JaredBusch, @thecreativeone91, @scottalanmiller or @thanksajdotcom ?
EDIT: I'll hold off on deploying this for now.

You don't edit the file You'd gpasswd -a nadnerb wheel where nadnerb is the username you wish to give sudo privileges too.

A Former User

@thanksajdotcom said:

@nadnerB said:

Hmmm, perhaps this is not a good idea...
Comments @JaredBusch, @thecreativeone91, @scottalanmiller or @thanksajdotcom ?
EDIT: I'll hold off on deploying this for now.

I log in as root directly to all my servers.

I personally would disable root access over SSH after the initial setup.

nadnerB

@thanksajdotcom said:

@nadnerB said:

Hmmm, perhaps this is not a good idea...
Comments @JaredBusch, @thecreativeone91, @scottalanmiller or @thanksajdotcom ?
EDIT: I'll hold off on deploying this for now.

I log in as root directly to all my servers.

Thanks for your input but I won't be doing this

nadnerB

@thecreativeone91 said:

@nadnerB said:

Hmmm, perhaps this is not a good idea...
Comments @JaredBusch, @thecreativeone91, @scottalanmiller or @thanksajdotcom ?
EDIT: I'll hold off on deploying this for now.

You don't edit the file You'd gpasswd -a nadnerb wheel where nadnerb is the username you wish to give sudo privileges too.

Fantastic! Thanks!

nadnerB

@thecreativeone91 said:

@thanksajdotcom said:

@nadnerB said:

Hmmm, perhaps this is not a good idea...
Comments @JaredBusch, @thecreativeone91, @scottalanmiller or @thanksajdotcom ?
EDIT: I'll hold off on deploying this for now.

I log in as root directly to all my servers.

I personally would disable root access over SSH after the initial setup.

On the secret To-Do list

A Former User

@nadnerB said:

@thecreativeone91 said:

@nadnerB said:

Hmmm, perhaps this is not a good idea...
Comments @JaredBusch, @thecreativeone91, @scottalanmiller or @thanksajdotcom ?
EDIT: I'll hold off on deploying this for now.

You don't edit the file You'd gpasswd -a nadnerb wheel where nadnerb is the username you wish to give sudo privileges too.

Fantastic! Thanks!

No Problem. It's just a group you add it to, as the group has sudo premissions (sudoers file) .

scottalanmiller

@thanksajdotcom said:

I log in as root directly to all my servers.

Why?

scottalanmiller

@nadnerB said:

Righto, so it looks like the Sudoers file, that I need to edit, is read only.

Just means you have to tell the editor that you "mean it" when you save. In vi that means :w! instead of :w

nadnerB

Righto, I've blocked root access via SSH and renamed the server to something more useful (for ron... later on)