CentOS 5.x server initial setup

NOTE: Not yet complete!

This is a step-by-step guide on the initial setup and configuration of an unmanaged VPS or dedicated server running CentOS 5. It will include detailed explanations of all of the concepts and commands being run, and as such is written for people new to Linux administration. More advanced users can skim through the guide and simply enter the commands (or write a script to automate this setup process).

What is covered in this guide

  • Initial updating of all software currently installed
  • Creation of a new user account with sudo privileges in order to run commands as root to administer the server
  • Securing SSH by switching the default port, disallowing direct root logins, and generating SSH keys for added security
  • iptables (firewall) setup and configuration
  • Creating a custom shell prompt that is much more informative and useful than the standard prompt
  • Creating aliases for commonly-used commands and options
  • Setting the correct time zone
  • Generating and selecting the correct locale
  • Installing essential tools for adding software, including build tools for software for which there are no pre-built packages

Initial Login via SSH

As soon as you have the IP address and root password for your new server, log in via SSH.

ssh -l root 1.2.3.4

CentOS should have already set up the proper $PATH environment variable to run the commands in the rest of this guide, but we will first verify this. The $PATH environment variable defines a list of directories to search through when looking for a command to execute.

To check the current $PATH, run the following command:

echo $PATH

You should see the following:

/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

If you do not, this command will set the correct path:

PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

With the path properly set, we can now begin setting up your new server. 

Changing the root password

You should immediately change the root password by using the passwd command.

passwd

You will be prompted to enter the root password twice. After completing this setup guide, logging on as the root user is not recommended for security reasons. In fact, later on we will be removing the ability to log in directly as root via SSH. Instead, an additional user account will be created with the ability to run commands as root with a tool called sudo.

Package managers and updating the server

The CentOS operating system is frequently updated with new versions of installed software, security updates, and bug fixes. There is a good chance that the version which is installed on your server is out of date, so we will use the yum tool to update the system.

Yum is a package manager — a tool that allows you to easily install, update, or remove various software packages on your server. Often, a certain piece of software requires other software packages to be present on your system in order to run. These additional pieces of software are called dependencies, and in the past (before package managers existed) it could be a difficult and time-consuming task to find and install all of the dependencies. Often, one piece of software would depend on several other software packages, each of which had dependencies of their own, and so forth. Keeping track of all of the dependencies could quickly become close to impossible.

Things got even more complicated when you needed to remove a piece of software. It is never good to have pieces of software on your server that you do not need, because every piece of software is a potential security vulnerability or source of bugs. So when removing a software package, it is best to remove its dependencies as well. But more often than not, a dependency of abc is also a dependency of xyz, and removing that dependency will break xyz. So the trick is to only remove what are known as orphaned dependencies — dependencies that are only required by the package that is to be removed.

It should be obvious that keeping track of dependencies can quickly become overwhelmingly difficult and prone to errors. This is the reason why package managers such as yum are essential to the system administrator. Package managers keep track of the dependencies of each piece of software installed on the system. When you install a new piece of software with a package manager, all of its dependencies (and all of each dependency’s own dependencies) are installed automatically. Similarly, package managers allow you to remove a piece of software without accidentally removing one of its dependencies required by other packages installed on your system.

So now that you know what a package manager does, let’s use the CentOS yum package manager to automatically update all of the software packages already installed on your server.

yum -y upgrade

The -y option will install the updates automatically without further prompting from you.

Creating a new user account with sudo privileges

Now that your server is up to date, we will create a new user account. For this command and all that follow, replace justin with the desired username.

adduser justin

Next we set the password for the new user.

passwd justin

You will be asked to enter a password twice for the new account.

Next, we need to give your new user account the ability to run administrative tasks as the root user, via the sudo command. A file called the sudoers file controls this access, and it is located at /etc/sudoers. However, this file need not (and should not) be edited directly. Instead, we will use the visudo command, which locks the file while you edit it and checks its syntax before saving, so that a typing mistake cannot leave you with a broken sudoers file.

visudo

If you get a command not found error, the sudo tool might not be installed. This is rare, but still possible depending on the specific CentOS image used by your VPS or dedicated server provider. Install the sudo package with the following command:

yum -y install sudo

Visudo launches the standard CentOS text editor vi to edit the /etc/sudoers file. We need to add a line to the bottom of this file in order to give the new user the proper permissions to use the sudo tool.

  1. Scroll down to the end of the file by pressing Shift-G (a capital G).
  2. Press i to enter insert mode.
  3. Type or copy and paste the following text:

    ## Allow user 'justin' to run any commands anywhere
    justin    ALL=(ALL)       ALL

  4. Leave insert mode by pressing Esc.
  5. Save the file and quit by typing :wq (colon wq) then pressing Enter.
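
Once the file is saved, it is worth confirming which accounts now hold an unrestricted rule before relying on sudo (and before direct root logins are disabled later). The following is an added example, not part of the original guide: a shell function that lists every entry granting ALL=(ALL) ALL in a sudoers-format file. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: names and sample data below are constructed.

# full_sudo_users [FILE]
# Print every user or %group that a sudoers-format FILE (or stdin) grants
# the unrestricted rule "ALL=(ALL) ALL". A NOPASSWD tag is reported too,
# since it removes the password prompt entirely.
full_sudo_users() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
        $1 ~ /^Defaults/         { next }   # settings, not grants
        {
            who = $1
            rule = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", rule)  # drop the user field
            gsub(/[ \t]+/, "", rule)               # ignore spacing
            tag = ""
            if (sub(/NOPASSWD:/, "", rule)) tag = " NOPASSWD"
            if (rule == "ALL=(ALL)ALL" || rule == "ALL=(ALL:ALL)ALL")
                print who tag
        }
    ' "$@"
}

# Constructed sample modelled on the lines added in the steps above.
sample_sudoers() {
    cat <<'EOF'
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
## Allow user 'justin' to run any commands anywhere
justin    ALL=(ALL)       ALL
# %wheel  ALL=(ALL)       ALL
backup  ALL=(root)      /usr/bin/rsync
deploy  ALL=(ALL)       NOPASSWD: ALL
EOF
}

# Offline demo on the sample. On the server, as root, run instead:
#   visudo -c && full_sudo_users /etc/sudoers
sample_sudoers | full_sudo_users
```

On the sample, the commented-out %wheel line and the restricted backup rule are not reported; only root, justin and the NOPASSWD entry are.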

Configuring and securing SSH

SSH is a common target for attacks, because nearly every server runs it and a successful login gives direct access to the filesystem. Therefore, measures need to be taken to improve its security.

Normally, you connect to a server via SSH with a username and password. An optional feature is the requirement to use a key pair for authentication instead of a password. A key pair consists of two keys (in simple terms, each is like a very long and complex password) — a public key and a private key. The public key is stored on the server, and the private key on the computer you use to connect to the server. When you attempt to log in to your server, it uses a mathematical algorithm to match up the public and private keys.

The strength of this method of authentication is the fact that the algorithm used is one-way — it is very simple to verify that the private key stored on your computer matches the public key on the server, but extremely difficult to generate or guess the correct private key, even if you already know the public key.
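
The matching property described above can be checked directly with ssh-keygen. This is an added example, not part of the original guide: it generates two throwaway key pairs and confirms that each private key matches only its own public key. The function names, key comments and temporary paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names, comments and paths are constructed.

# key_pair_matches PRIVATE_KEY PUBLIC_KEY
# Exit 0 when the public key derived from PRIVATE_KEY equals the key stored
# in PUBLIC_KEY. Only the key type and base64 body are compared; the
# trailing comment field is ignored.
key_pair_matches() {
    derived=$(ssh-keygen -y -f "$1" 2>/dev/null | awk '{print $1, $2}')
    stored=$(awk '{print $1, $2; exit}' "$2")
    [ -n "$derived" ] && [ "$derived" = "$stored" ]
}

# demo_key_pairs
# Generate two 2048-bit RSA pairs in a temporary directory and report
# which private/public combinations match. The passphrase is empty only
# because these keys are deleted again; protect a real key with one.
demo_key_pairs() {
    dir=$(mktemp -d) || return 1
    for name in a b; do
        ssh-keygen -q -t rsa -b 2048 -N '' -C "constructed-demo-$name" \
            -f "$dir/$name" || { rm -rf "$dir"; return 1; }
    done
    result=""
    key_pair_matches "$dir/a" "$dir/a.pub" && result="${result}a:a=match "
    key_pair_matches "$dir/a" "$dir/b.pub" || result="${result}a:b=mismatch "
    key_pair_matches "$dir/b" "$dir/b.pub" && result="${result}b:b=match"
    rm -rf "$dir"
    echo "$result"
}

# Run the demo only where OpenSSH's ssh-keygen is installed.
if command -v ssh-keygen >/dev/null 2>&1; then
    demo_key_pairs
fi
```

Deriving the public key from the private key takes a moment, while nothing in the .pub file lets you go the other way; that asymmetry is what the server relies on.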

Public key cryptography is commonly used for browsing the Internet using SSL — when you log in to your bank’s website to manage your account, public key cryptography is used to encrypt the data to protect it from prying eyes. It is a proven system, and makes your server much less vulnerable to attack via SSH.

The downside is that you must have the private key stored on the computer you want to use to access your server. This is only practical and secure if you only need to connect to your server from a single computer, and you are the only user of that computer. If you need or want to be able to connect to your server from another location (when you are away from home, for example), or you are on a shared workstation, it would be best to simply use a normal password. Don’t worry, we will be taking additional steps to secure your server from SSH attacks.
(much, much more to come)